Security: SQL statements updated to guard against SQL injection attacks.
[fa-stable.git] / reporting / rep201.php
index 380af70de90695a291a7237e9ec257671aeb3605..0e5f774e79599b43b0fe51dfcc8f104e56207e44 100644 (file)
@@ -99,7 +99,7 @@ function print_supplier_balances()
 
        $sql = "SELECT supplier_id, supp_name AS name, curr_code FROM ".TB_PREF."suppliers ";
        if ($fromsupp != reserved_words::get_all_numeric())
-               $sql .= "WHERE supplier_id=$fromsupp ";
+               $sql .= "WHERE supplier_id=".db_escape($fromsupp)." ";
        $sql .= "ORDER BY supp_name";
        $result = db_query($sql, "The customers could not be retrieved");
 
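Review bot: The new line still splices `$fromsupp` into an unquoted numeric comparison, so whether an injected value is neutralised depends entirely on how db_escape() treats a non-numeric string, which is not visible here; if `$fromsupp` is always a supplier id at this point (the only other value appears to be the `get_all_numeric()` sentinel), casting is the stronger guarantee: `$sql .= "WHERE supplier_id=".(int)$fromsupp." ";`. The surrounding guard uses loose `!=` against the sentinel, which is worth keeping in mind if the sentinel and ids can ever compare equal under coercion. Separately, the unchanged `db_query($sql, "The customers could not be retrieved")` reports customers for a suppliers query, which will mislead whoever reads the error. print_supplier_balances continues outside the hunk.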
@@ -149,7 +149,7 @@ function print_supplier_balances()
                        else
                                $item[3] = ($trans['TotalAmount'] + $trans['Allocated']) * $rate;
                        */      
-                       if ($trans['type'] == 20)
+                       if ($trans['type'] == 20 || $trans['type'] == 2)
                                $item[3] = $item[0] + $item[1] - $item[2];
                        else    
                                $item[3] = $item[0] - $item[1] + $item[2];
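Review bot: The widened condition compares `$trans['type']` against the bare literals 20 and 2 with nothing saying which transaction types they are, so the reason type 2 now takes the same sign convention as type 20 is lost on the next reader; add a comment above the line, e.g. `// types 20 and 2 (TODO: name them) are handled with the same sign as 20 — see <reference placeholder>`, or use the named type constants if the codebase defines them. Keep the loose `==` unless you also cast: `$trans['type']` presumably arrives as a string from the database, so a strict `in_array(..., true)` against ints would silently stop matching. The commented-out block just above the change is dead code that could go in the same commit. The enclosing function starts and ends outside this hunk.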