Security update merged from 2.1.
[fa-stable.git] / reporting / rep304.php
index 3958536fe9440c5f8526b793a16d778b7a65f532..f1262a1873730d0d5602e7d2769d647cec0feb90 100644 (file)
@@ -59,11 +59,11 @@ function getTransactions($category, $location, $fromcust, $from, $to)
                AND ((".TB_PREF."debtor_trans.type=".ST_CUSTDELIVERY." AND ".TB_PREF."debtor_trans.version=1) OR ".TB_PREF."stock_moves.type=".ST_CUSTCREDIT.")
                AND (".TB_PREF."stock_master.mb_flag='B' OR ".TB_PREF."stock_master.mb_flag='M')";
                if ($category != 0)
-                       $sql .= " AND ".TB_PREF."stock_master.category_id = '$category'";
+                       $sql .= " AND ".TB_PREF."stock_master.category_id = ".db_escape($category);
                if ($location != 'all')
-                       $sql .= " AND ".TB_PREF."stock_moves.loc_code = '$location'";
+                       $sql .= " AND ".TB_PREF."stock_moves.loc_code = ".db_escape($location);
                if ($fromcust != -1)
-                       $sql .= " AND ".TB_PREF."debtors_master.debtor_no = $fromcust";
+                       $sql .= " AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($fromcust);
                $sql .= " GROUP BY ".TB_PREF."stock_master.stock_id, ".TB_PREF."debtors_master.name ORDER BY ".TB_PREF."stock_master.category_id,
                        ".TB_PREF."stock_master.stock_id, ".TB_PREF."debtors_master.name";
     return db_query($sql,"No transactions were returned");
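Review bot: The escaping on lines 9, 12 and 15 closes the quoting hole, but `$category` and `$fromcust` feed integer columns and are still guarded only by loose `!= 0` / `!= -1` comparisons, so a non-numeric value passes the guard and reaches the query as a quoted string that MySQL silently coerces to 0 rather than being rejected. For those two conditions an explicit cast is the tighter check, `$sql .= " AND ".TB_PREF."stock_master.category_id = ".(int)$category;` and likewise `debtor_no = ".(int)$fromcust`, with db_escape() kept for the string-valued `loc_code`. Whether db_escape() quotes numeric input or passes it through is not visible here; confirm its behaviour before relying on it for integer columns. getTransactions() begins before this hunk, so where its arguments are validated cannot be seen from the diff.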