Security update merged from 2.1.

[fa-stable.git] / purchasing / po_entry_items.php

diff --git a/purchasing/po_entry_items.php b/purchasing/po_entry_items.php
index ec3f619b5bdfce68702d019e19b91b22ec049647..2f903ba12be839caa38e95236ec79283cf17f080 100644 (file)
--- a/purchasing/po_entry_items.php
+++ b/purchasing/po_entry_items.php
@@ -9,8 +9,8 @@
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  
     See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
 ***********************************************************************/
-$page_security = 4;
-$path_to_root="..";
+$page_security = 'SA_PURCHASEORDER';
+$path_to_root = "..";
 include_once($path_to_root . "/purchasing/includes/po_class.inc");
 include_once($path_to_root . "/includes/session.inc");
 include_once($path_to_root . "/purchasing/includes/purchasing_ui.inc");
@@ -42,16 +42,17 @@ check_db_has_purchasable_items(_("There are no purchasable inventory items defin
 if (isset($_GET['AddedID'])) 
 {
        $order_no = $_GET['AddedID'];
-       $trans_type = systypes::po();   
+       $trans_type = ST_PURCHORDER;    
 
        if (!isset($_GET['Updated']))
                display_notification_centered(_("Purchase Order has been entered"));
        else
                display_notification_centered(_("Purchase Order has been updated") . " #$order_no");
-       display_note(get_trans_view_str($trans_type, $order_no, _("&View this order")));
-       echo '<br>';
-       display_note(print_document_link($order_no, _("&Print This Order"), true, $trans_type));
-       display_note(print_document_link($order_no, _("&Email This Order"), true, $trans_type, false, "", "", 1),0, 1);
+       display_note(get_trans_view_str($trans_type, $order_no, _("&View this order")), 0, 1);
+
+       display_note(print_document_link($order_no, _("&Print This Order"), true, $trans_type), 0, 1);
+
+       display_note(print_document_link($order_no, _("&Email This Order"), true, $trans_type, false, "", "", 1));
 
        hyperlink_params($path_to_root . "/purchasing/po_receive_items.php", _("&Receive Items on this Purchase Order"), "PONumber=$order_no");
 
@@ -227,7 +228,7 @@ function handle_add_new_item()
                if ($allow_update == true)
                {
                        $sql = "SELECT description, units, mb_flag
-                               FROM ".TB_PREF."stock_master WHERE stock_id = '". $_POST['stock_id'] . "'";
+                               FROM ".TB_PREF."stock_master WHERE stock_id = ".db_escape($_POST['stock_id']);
 
                    $result = db_query($sql,"The stock details for " . $_POST['stock_id'] . " could not be retrieved");
 
@@ -260,6 +261,8 @@ function handle_add_new_item()
 
 function can_commit()
 {
+       global $Refs;
+
        if (!is_date($_POST['OrderDate'])) 
        {
                display_error(_("The entered order date is invalid."));
@@ -269,14 +272,14 @@ function can_commit()
        
        if (!$_SESSION['PO']->order_no) 
        {
-       if (!references::is_valid(get_post('ref'))) 
+       if (!$Refs->is_valid(get_post('ref'))) 
        {
                display_error(_("There is no reference entered for this purchase order."));
                        set_focus('ref');
                return false;
        } 
        
-       if (!is_new_reference(get_post('ref'), systypes::po())) 
+       if (!is_new_reference(get_post('ref'), ST_PURCHORDER)) 
        {
                display_error(_("The entered reference is already in use."));
                        set_focus('ref');