if (isset($order_number) && $order_number != "")
{
- $sql .= "AND porder.reference LIKE '%". $order_number . "%'";
+ $sql .= "AND porder.reference LIKE ".db_escape('%'. $order_number . '%');
}
else
{
if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != $all_items)
{
- $sql .= " AND porder.into_stock_location = '". $_POST['StockLocation'] . "' ";
+ $sql .= " AND porder.into_stock_location = ".db_escape($_POST['StockLocation']);
}
if (isset($selected_stock_item))
{
- $sql .= " AND line.item_code='". $selected_stock_item ."' ";
+ $sql .= " AND line.item_code=".db_escape($selected_stock_item);
}
} //end not order number selected
$table =& new_db_pager('orders_tbl', $sql, $cols);
$table->set_marker('check_overdue', _("Marked orders have overdue items."));
-if (get_post('SearchOrders')) {
- $table->set_sql($sql);
- $table->set_columns($cols);
-}
$table->width = "80%";
start_form();
projects / fa-stable.git / blobdiff