Security update merged from 2.1.

[fa-stable.git] / purchasing / inquiry / po_search.php

diff --git a/purchasing/inquiry/po_search.php b/purchasing/inquiry/po_search.php
index 39ba20d8dd92f294371ebfe6c30e8aea1bbdf63d..a82a37435ff8c68eef47e7b7a179b3db9f06e8f3 100644 (file)
--- a/purchasing/inquiry/po_search.php
+++ b/purchasing/inquiry/po_search.php
@@ -140,7 +140,7 @@ $sql = "SELECT
 
 if (isset($order_number) && $order_number != "")
 {
-       $sql .= "AND porder.reference LIKE '%". $order_number . "%'";
+       $sql .= "AND porder.reference LIKE ".db_escape('%'. $order_number . '%');
 }
 else
 {
@@ -152,12 +152,12 @@ else
 
        if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != $all_items)
        {
-               $sql .= " AND porder.into_stock_location = '". $_POST['StockLocation'] . "' ";
+               $sql .= " AND porder.into_stock_location = ".db_escape($_POST['StockLocation']);
        }
 
        if (isset($selected_stock_item))
        {
-               $sql .= " AND line.item_code='". $selected_stock_item ."' ";
+               $sql .= " AND line.item_code=".db_escape($selected_stock_item);
        }
 } //end not order number selected