Security update merged from 2.1.
[fa-stable.git] / purchasing / po_receive_items.php
index 601e5d5f0458f83e388be565080646e0343b9c06..1c6e6d627a0280aff0a50deafff18578e7160f5b 100644 (file)
@@ -121,7 +121,7 @@ function check_po_changed()
        // Otherwise if you try to fullfill item quantities separately will give error.
        $sql = "SELECT item_code, quantity_ordered, quantity_received, qty_invoiced
                FROM ".TB_PREF."purch_order_details
-               WHERE order_no=" . $_SESSION['PO']->order_no 
+               WHERE order_no=".db_escape($_SESSION['PO']->order_no)
                ." ORDER BY po_detail_item";
 
        $result = db_query($sql, "could not query purch order details");
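Review bot: The `db_escape()` call added on the `WHERE order_no=` line only closes the injection path if `db_escape()` returns a quoted literal, because escaping alone does not neutralise a value placed in an unquoted numeric position. Its definition is not visible in this hunk, so that behaviour should be confirmed. If `order_no` is always a numeric key (presumably it is; verify against where `$_SESSION['PO']` is populated), an integer check before the query is built would make the intent explicit, e.g. `WHERE order_no=".db_escape((int)$_SESSION['PO']->order_no)`. A short comment such as `// order_no comes from the session cart; treat as untrusted` would also record why the escape is there. The body of `check_po_changed()` starts and ends outside this hunk, so any other queries in it that use the same value could not be checked here.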