$js .= get_js_open_window(900, 500);
if ($use_date_picker)
$js .= get_js_date_picker();
-page(_("Search Purchase Orders"), false, false, "", $js);
+page(_($help_context = "Search Purchase Orders"), false, false, "", $js);
if (isset($_GET['order_number']))
{
submit_cells('SearchOrders', _("Search"),'',_('Select documents'), 'default');
end_row();
end_table();
-end_form();
//---------------------------------------------------------------------------------------------
if (isset($_POST['order_number']))
{
if (isset($order_number) && $order_number != "")
{
- $sql .= "AND porder.reference LIKE '%". $order_number . "%'";
+ $sql .= "AND porder.reference LIKE ".db_escape('%'. $order_number . '%');
}
else
{
if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != ALL_TEXT)
{
- $sql .= " AND porder.into_stock_location = '". $_POST['StockLocation'] . "' ";
+ $sql .= " AND porder.into_stock_location = ".db_escape($_POST['StockLocation']);
}
if (isset($selected_stock_item))
{
- $sql .= " AND line.item_code='". $selected_stock_item ."' ";
+ $sql .= " AND line.item_code=".db_escape($selected_stock_item);
}
} //end not order number selected
$table =& new_db_pager('orders_tbl', $sql, $cols);
$table->width = "80%";
-start_form();
display_db_pager($table);
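Review bot: The new `LIKE` fragment on the `$order_number` branch is now quote-safe, but the user-supplied value still carries LIKE metacharacters — a `%` or `_` typed by the user becomes a wildcard, so `%` alone matches every purchase order — and the fragment also starts with `"AND` without the leading space the other fragments in this hunk use, which glues it onto whatever precedes `$sql` if that text does not end in whitespace. Assuming `db_escape()` wraps its result in quotes (the dropped surrounding quotes on the three changed lines imply it), the wildcard problem is fixed by escaping the pattern characters before building the pattern: `$sql .= " AND porder.reference LIKE ".db_escape('%'.addcslashes($order_number, '%_\\').'%');`. Where `$order_number` and `$selected_stock_item` are assigned is not visible in this hunk; if they come straight from the request they should be validated at that point as well, since `db_escape()` only addresses the quoting. The `$_POST['StockLocation'] != ALL_TEXT` test is a loose comparison; `!==` avoids PHP's numeric-string coercion there. The `if (isset($_POST['order_number']))` block and the surrounding page body continue outside the hunk.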