Security update merged from 2.1.
[fa-stable.git] / sales / create_recurrent_invoices.php
index cdd656bd38ba75144726285c3b777d13fb9b0251..492d8482e8c4e0e0bf6d147eb0168836ee25c061 100644 (file)
@@ -26,7 +26,7 @@ page(_("Create and Print Recurrent Invoices"), false, false, "", $js);
 function set_last_sent($id, $date)
 {
        $date = date2sql($date);
-       $sql = "UPDATE ".TB_PREF."recurrent_invoices SET last_sent='$date' WHERE id=$id";
+       $sql = "UPDATE ".TB_PREF."recurrent_invoices SET last_sent='$date' WHERE id=".db_escape($id);
        db_query($sql,"The recurrent invoice could not be updated or added");
 }      
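Review bot: `$date` is still interpolated into the UPDATE unescaped at `SET last_sent='$date'`, while `$id` on the same line now goes through db_escape(); the only thing standing between the caller's `$date` argument and the SQL string is date2sql(), whose output format is not visible here. Assuming db_escape() quotes string values as it does elsewhere in this file, the consistent form is `$sql = "UPDATE ".TB_PREF."recurrent_invoices SET last_sent=".db_escape($date)." WHERE id=".db_escape($id);`. That makes the function safe regardless of what date2sql() returns for a malformed input.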
 
@@ -62,7 +62,7 @@ function create_recurrent_invoices($customer_id, $branch_id, $order_no, $tmpl_no
 if (isset($_GET['recurrent']))
 {
        $invs = array();
-       $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id=".$_GET['recurrent'];
+       $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id=".db_escape($_GET['recurrent']);
 
        $result = db_query($sql,"could not get recurrent invoice");
        $myrow = db_fetch($result);
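Review bot: db_escape() stops the injection, but `id` is an integer key and `$_GET['recurrent']` should be validated as one before it reaches the query, not merely quoted; `$id = (int)$_GET['recurrent'];` followed by `WHERE id=".db_escape($id)` rejects non-numeric input outright and avoids a string-to-integer comparison in the WHERE clause. `$myrow` is also not checked after db_fetch(); if no row matches, it is false and whatever follows in the block presumably indexes into it, so a guard such as `if (!$myrow) display_error(...)` (or an early return) belongs right after this line. The `if (isset($_GET['recurrent']))` block continues past the end of this hunk, so its remaining uses of `$myrow` are not visible here.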
@@ -99,7 +99,7 @@ if (isset($_GET['recurrent']))
 //-------------------------------------------------------------------------------------------------
 function get_sales_group_name($group_no)
 {
-       $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = $group_no";
+       $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = ".db_escape($group_no);
        $result = db_query($sql, "could not get group");
        $row = db_fetch($result);
        return $row[0];
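Review bot: `return $row[0];` dereferences the db_fetch() result without checking it; for a group id that does not exist, db_fetch() presumably returns false, so this line raises a PHP notice and the function returns null instead of a string. A one-line guard keeps the contract explicit: `return $row ? $row[0] : '';`. Since `$group_no` is an integer key, casting it (`db_escape((int)$group_no)`) would also document that intent at the query. The function's closing brace is outside this hunk.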