$sql = "INSERT INTO ".TB_PREF."cust_allocations (
amt, date_alloc,
trans_type_from, trans_no_from, trans_no_to, trans_type_to)
- VALUES ($amount, Now(), $trans_type_from, $trans_no_from, $trans_no_to, $trans_type_to)";
+ VALUES ($amount, Now(), ".db_escape($trans_type_from).", ".db_escape($trans_no_from).", ".db_escape($trans_no_to)
+ .", ".db_escape($trans_type_to).")";
db_query($sql, "A customer allocation could not be added to the database");
}
function delete_cust_allocation($trans_id)
{
- $sql = "DELETE FROM ".TB_PREF."cust_allocations WHERE id = " . $trans_id;
+ $sql = "DELETE FROM ".TB_PREF."cust_allocations WHERE id = ".db_escape($trans_id);
return db_query($sql, "The existing allocation $trans_id could not be deleted");
}
{
$sql = "SELECT (ov_amount+ov_gst+ov_freight+ov_freight_tax-ov_discount-alloc) AS BalToAllocate
- FROM ".TB_PREF."debtor_trans WHERE trans_no=$trans_no AND type=$trans_type";
+ FROM ".TB_PREF."debtor_trans WHERE trans_no=".db_escape($trans_no)." AND type=".db_escape($trans_type);
$result = db_query($sql,"calculate the allocation");
$myrow = db_fetch_row($result);
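Review bot: db_escape() on the rewritten WHERE clause makes `$trans_no` and `$trans_type` safe as SQL literals, but both look like integer identifiers, and if the helper quotes non-numeric input instead of rejecting it (which is how it appears to be relied on across these hunks; worth confirming against its definition), a malformed value is coerced by MySQL at compare time rather than failing. Casting keeps the statement strictly numeric and removes the dependence on escaping for these two: `FROM ".TB_PREF."debtor_trans WHERE trans_no=".(int)$trans_no." AND type=".(int)$trans_type;`. The same consideration applies to the id comparisons in delete_cust_allocation and update_debtor_trans_allocation. The enclosing function's signature and its use of `$myrow` lie outside the hunk.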
function update_debtor_trans_allocation($trans_type, $trans_no, $alloc)
{
$sql = "UPDATE ".TB_PREF."debtor_trans SET alloc = alloc + $alloc
- WHERE type=$trans_type AND trans_no = $trans_no";
+ WHERE type=".db_escape($trans_type)." AND trans_no = ".db_escape($trans_no);
db_query($sql, "The debtor transaction record could not be modified for the allocation against it");
}
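Review bot: `$alloc` on the `SET alloc = alloc + $alloc` line is still interpolated raw while the two identifiers on the next line are now escaped, so the statement is only half covered; the same gap remains for `$amount` in the INSERT of add_cust_allocation and for `$trans_no`/`$type` in the `alloc.trans_no_from`/`alloc.trans_type_from` conditions of the get_alloc_trans_sql call further down. Passing the amount through the same helper keeps the rule uniform across the file: `$sql = "UPDATE ".TB_PREF."debtor_trans SET alloc = alloc + ".db_escape($alloc)."`. If the caller already guarantees a numeric amount, a `(float)` cast achieves the same with less ceremony.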
{
// clear any allocations for this transaction
$sql = "SELECT * FROM ".TB_PREF."cust_allocations
- WHERE (trans_type_from=$type AND trans_no_from=$type_no)
- OR (trans_type_to=$type AND trans_no_to=$type_no)";
+ WHERE (trans_type_from=".db_escape($type)." AND trans_no_from=".db_escape($type_no).")
+ OR (trans_type_to=".db_escape($type)." AND trans_no_to=".db_escape($type_no).")";
$result = db_query($sql, "could not void debtor transactions for type=$type and trans_no=$type_no");
while ($row = db_fetch($result))
// remove any allocations for this transaction
$sql = "DELETE FROM ".TB_PREF."cust_allocations
- WHERE (trans_type_from=$type AND trans_no_from=$type_no)
- OR (trans_type_to=$type AND trans_no_to=$type_no)";
+ WHERE (trans_type_from=".db_escape($type)." AND trans_no_from=".db_escape($type_no).")
+ OR (trans_type_to=".db_escape($type)." AND trans_no_to=".db_escape($type_no).")";
db_query($sql, "could not void debtor transactions for type=$type and trans_no=$type_no");
}
}
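Review bot: The WHERE clause built for the SELECT and repeated on the DELETE is the same four-term expression written out twice, so the two escaping passes can drift apart on the next edit; building it once keeps them in lockstep: `$where = "(trans_type_from=".db_escape($type)." AND trans_no_from=".db_escape($type_no).") OR (trans_type_to=".db_escape($type)." AND trans_no_to=".db_escape($type_no).")";` followed by `$sql = "SELECT * FROM ".TB_PREF."cust_allocations WHERE ".$where;` and `$sql = "DELETE FROM ".TB_PREF."cust_allocations WHERE ".$where;`. Both db_query calls also carry the identical message "could not void debtor transactions …", so a failure in the DELETE cannot be told from one in the SELECT in the error log; `"could not remove allocations for type=$type and trans_no=$type_no"` on the second call would distinguish them. The function's signature starts above the hunk, and the body of the while loop is not visible here.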
$cust_sql = "";
if ($customer_id != null)
- $cust_sql = " AND trans.debtor_no = $customer_id";
+ $cust_sql = " AND trans.debtor_no = ".db_escape($customer_id);
$sql = get_alloc_trans_sql("round(ov_amount+ov_gst+ov_freight+ov_freight_tax+ov_discount-alloc,6) <= 0 AS settled",
"(type=".ST_CUSTPAYMENT." OR type=".ST_CUSTCREDIT." OR type=".ST_BANKDEPOSIT.") AND (trans.ov_amount > 0) " . $settled_sql . $cust_sql);
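Review bot: The guard `if ($customer_id != null)` is a loose comparison, so `0` and `''` also skip the new `AND trans.debtor_no = ` clause; whether that is intended (callers passing an empty form value to mean "all customers") or accidental cannot be told from the hunk, and it matters now that the value is escaped, since a tightened `!==` would presumably turn `''` into `trans.debtor_no = ''` and match nothing. If the loose check is deliberate, a one-line comment such as `// loose != on purpose: null, 0 and '' all mean "no customer filter"` would stop a later cleanup from tightening it; if not, the guard should be made explicit. This code sits inside a function whose signature and end are outside the hunk.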
AND trans.type = alloc.trans_type_to
AND alloc.trans_no_from=$trans_no
AND alloc.trans_type_from=$type
- AND trans.debtor_no=$customer_id",
+ AND trans.debtor_no=".db_escape($customer_id),
"".TB_PREF."cust_allocations as alloc");
}
else
AND trans.type <> " . ST_BANKDEPOSIT . "
AND trans.type <> " . ST_CUSTCREDIT . "
AND trans.type <> " . ST_CUSTDELIVERY . "
- AND trans.debtor_no=$customer_id");
+ AND trans.debtor_no=".db_escape($customer_id));
}
return db_query($sql." ORDER BY trans_no", "Cannot retreive alloc to transactions");