Security sql statements update against sql injection attacks.

[fa-stable.git] / reporting / rep105.php

diff --git a/reporting/rep105.php b/reporting/rep105.php
index bc367e6aaa08019ba5be4c27ee42cd9484dbeff5..e3cd6de775a3becf785c7271ad8335b34e357954 100644 (file)
--- a/reporting/rep105.php
+++ b/reporting/rep105.php
@@ -55,11 +55,11 @@ function GetSalesOrders($from, $to, $category=0, $location=null, $backorder=0)
             WHERE ".TB_PREF."sales_orders.ord_date >='$fromdate'
                 AND ".TB_PREF."sales_orders.ord_date <='$todate'";
        if ($category > 0)
-               $sql .= " AND ".TB_PREF."stock_master.category_id=$category";
+               $sql .= " AND ".TB_PREF."stock_master.category_id=".db_escape($category);
        if ($location != null)
-               $sql .= " AND ".TB_PREF."sales_orders.from_stk_loc='$location'";
+               $sql .= " AND ".TB_PREF."sales_orders.from_stk_loc=".db_escape($location);
        if ($backorder)
-               $sql .= "AND ".TB_PREF."sales_order_details.quantity - ".TB_PREF."sales_order_details.qty_sent > 0";
+               $sql .= " AND ".TB_PREF."sales_order_details.quantity - ".TB_PREF."sales_order_details.qty_sent > 0";
        $sql .= " ORDER BY ".TB_PREF."sales_orders.order_no";
 
        return db_query($sql, "Error getting order details");