Security sql statements update against sql injection attacks.

[fa-stable.git] / reporting / rep103.php

diff --git a/reporting/rep103.php b/reporting/rep103.php
index f7ae195e8ab2fa9b164487647d511deb439e9013..e68027fdcc9993cb20888840bff906c9d608803d 100644 (file)
--- a/reporting/rep103.php
+++ b/reporting/rep103.php
@@ -56,13 +56,13 @@ function get_customer_details_for_report($area=0, $salesid=0)
        if ($area != 0)
        {
                if ($salesid != 0)
-                       $sql .= " WHERE ".TB_PREF."salesman.salesman_code='$salesid' 
-                               AND ".TB_PREF."areas.area_code='$area'";
+                       $sql .= " WHERE ".TB_PREF."salesman.salesman_code=".db_escape($salesid)." 
+                               AND ".TB_PREF."areas.area_code=".db_escape($area);
                else            
-                       $sql .= " WHERE ".TB_PREF."areas.area_code='$area'";
+                       $sql .= " WHERE ".TB_PREF."areas.area_code=".db_escape($area);
        }
        elseif ($salesid != 0)
-               $sql .= " WHERE ".TB_PREF."salesman.salesman_code='$salesid'";
+               $sql .= " WHERE ".TB_PREF."salesman.salesman_code=".db_escape($salesid);
        $sql .= " ORDER BY description,
                        ".TB_PREF."salesman.salesman_name,
                        ".TB_PREF."debtors_master.debtor_no,
@@ -81,7 +81,7 @@ function getTransactions($debtorno, $branchcode, $date)
                WHERE debtor_no='$debtorno'
                AND branch_code='$branchcode'
                AND (type=10 or type=11)
-               AND trandate >='$date'";
+               AND tran_date >='$date'";
                
     $result = db_query($sql,"No transactions were returned");