Security: SQL statement updates to guard against SQL injection attacks.
[fa-stable.git] / reporting / rep201.php
index 29f543324aa6b070c4a12bd195de904fc0437232..0e5f774e79599b43b0fe51dfcc8f104e56207e44 100644 (file)
@@ -99,7 +99,7 @@ function print_supplier_balances()
 
        $sql = "SELECT supplier_id, supp_name AS name, curr_code FROM ".TB_PREF."suppliers ";
        if ($fromsupp != reserved_words::get_all_numeric())
-               $sql .= "WHERE supplier_id=$fromsupp ";
+               $sql .= "WHERE supplier_id=".db_escape($fromsupp)." ";
        $sql .= "ORDER BY supp_name";
        $result = db_query($sql, "The customers could not be retrieved");
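Review bot: For an integer key column the tighter guard is a cast rather than a generic string escape, so the new line would be better written as `$sql .= "WHERE supplier_id=".(int)$fromsupp." ";` — that rejects any non-numeric input outright instead of relying on db_escape's handling of it. The surrounding comparison `$fromsupp != reserved_words::get_all_numeric()` is a loose `!=`, and it is worth confirming it still behaves as intended once `$fromsupp` is treated as an integer. The context line after the hunk reports "The customers could not be retrieved" for what is a suppliers query; the commit leaves that copy-paste message in place, and it will mislead whoever reads the error log. print_supplier_balances begins and continues outside this hunk.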