Security sql statements update against sql injection attacks.

[fa-stable.git] / reporting / rep209.php

diff --git a/reporting/rep209.php b/reporting/rep209.php
index b9a8a049509fd75b3252f9abc339b2bced951cd1..9015a1b2564b35525de8bca02450a0f504e00788 100644 (file)
--- a/reporting/rep209.php
+++ b/reporting/rep209.php
@@ -35,7 +35,7 @@ function get_po($order_no)
                FROM ".TB_PREF."purch_orders, ".TB_PREF."suppliers, ".TB_PREF."locations
                WHERE ".TB_PREF."purch_orders.supplier_id = ".TB_PREF."suppliers.supplier_id
                AND ".TB_PREF."locations.loc_code = into_stock_location
-               AND ".TB_PREF."purch_orders.order_no = " . $order_no;
+               AND ".TB_PREF."purch_orders.order_no = ".db_escape($order_no);
        $result = db_query($sql, "The order cannot be retrieved");
     return db_fetch($result);
 }
@@ -46,7 +46,7 @@ function get_po_details($order_no)
                FROM ".TB_PREF."purch_order_details
                LEFT JOIN ".TB_PREF."stock_master
                ON ".TB_PREF."purch_order_details.item_code=".TB_PREF."stock_master.stock_id
-               WHERE order_no =$order_no ";
+               WHERE order_no =".db_escape($order_no)." ";
        $sql .= " ORDER BY po_detail_item";
        return db_query($sql, "Retreive order Line Items");
 }