projects / fa-stable.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Security update merged from 2.1.
[fa-stable.git] / sales / includes / db / sales_order_db.inc
diff --git a/sales/includes/db/sales_order_db.inc b/sales/includes/db/sales_order_db.inc
index a6c7610637fa06b4eae24b5a28aaaa3e437e9baa..0d8c618aaae685396a96ceb2c3951214febd3256 100644 (file)
--- a/sales/includes/db/sales_order_db.inc
+++ b/sales/includes/db/sales_order_db.inc
@@ -1,72 +1,45 @@
 <?php
-
+/**********************************************************************
+    Copyright (C) FrontAccounting, LLC.
+       Released under the terms of the GNU General Public License, GPL, 
+       as published by the Free Software Foundation, either version 3 
+       of the License, or (at your option) any later version.
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  
+    See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
+***********************************************************************/
 //----------------------------------------------------------------------------------------
-function get_demand_qty($stockid, $location)
-{
-       $sql = "SELECT SUM(".TB_PREF."sales_order_details.quantity - ".TB_PREF."sales_order_details.qty_sent) AS QtyDemand
-                               FROM ".TB_PREF."sales_order_details,
-                                       ".TB_PREF."sales_orders
-                               WHERE ".TB_PREF."sales_order_details.order_no=".TB_PREF."sales_orders.order_no AND
-                                       ".TB_PREF."sales_orders.from_stk_loc ='$location' AND
-                                       ".TB_PREF."sales_order_details.stk_code = '$stockid'";
-
-       $TransResult = db_query($sql,"No transactions were returned");
-       $DemandRow = db_fetch($TransResult);
-       return $DemandRow['QtyDemand'];
-}
-
-function get_demand_asm_qty($stockid, $location)
-{
-       $sql = "SELECT SUM((".TB_PREF."sales_order_details.quantity-".TB_PREF."sales_order_details.qty_sent)*".TB_PREF."bom.quantity)
-                               AS Dem
-                               FROM ".TB_PREF."sales_order_details,
-                                               ".TB_PREF."sales_orders,
-                                               ".TB_PREF."bom,
-                                               ".TB_PREF."stock_master
-                               WHERE ".TB_PREF."sales_order_details.stk_code=".TB_PREF."bom.parent AND
-                               ".TB_PREF."sales_orders.order_no = ".TB_PREF."sales_order_details.order_no AND
-                               ".TB_PREF."sales_orders.from_stk_loc='$location' AND
-                               ".TB_PREF."sales_order_details.quantity-".TB_PREF."sales_order_details.qty_sent > 0 AND
-                               ".TB_PREF."bom.component='$stockid' AND
-                               ".TB_PREF."stock_master.stock_id=".TB_PREF."bom.parent AND
-                               ".TB_PREF."stock_master.mb_flag='A'";
-
-       $TransResult = db_query($sql,"No transactions were returned");
-       if (db_num_rows($TransResult)==1)
-       {
-               $DemandRow = db_fetch_row($TransResult);
-               $DemandQty = $DemandRow[0];
-       }
-       else
-               $DemandQty = 0.0;
-
-       return $DemandQty;
-}
-
 function add_sales_order(&$order)
 {
-       global $loc_notification, $path_to_root;
+       global $loc_notification, $path_to_root, $Refs;
 
        begin_transaction();
 
+       $order_no = get_next_trans_no($order->trans_type);
        $del_date = date2sql($order->due_date);
        $order_type = 0; // this is default on new order
-       $sql = "INSERT INTO ".TB_PREF."sales_orders (type, debtor_no, branch_code, customer_ref, comments, ord_date,
+       $sql = "INSERT INTO ".TB_PREF."sales_orders (order_no, type, debtor_no, trans_type, branch_code, customer_ref, reference, comments, ord_date,
                order_type, ship_via, deliver_to, delivery_address, contact_phone,
                contact_email, freight_cost, from_stk_loc, delivery_date)
-               VALUES ('" . $order_type . "', '" . $order->customer_id . "', '" . $order->Branch . "', '".
-                       $order->cust_ref ."','". db_escape($order->Comments) ."','" .
-                       date2sql($order->document_date) . "', '" .
-                       $order->default_sales_type . "', " .
-                       $_POST['ship_via'] .",'" . $order->deliver_to . "', '" .
-                       $order->delivery_address . "', '" .
-                       $order->phone . "', '" . $order->email . "', " .
-                       $order->freight_cost .", '" . $order->Location ."', '" .
-                       $del_date . "')";
+               VALUES (" .db_escape($order_no) . "," .db_escape($order_type) . "," . db_escape($order->customer_id) .
+                ", " .db_escape($order->trans_type) . "," .db_escape($order->Branch) . ", ".
+                       db_escape($order->cust_ref) .",". 
+                       db_escape($order->reference) .",". 
+                       db_escape($order->Comments) .",'" . 
+                       date2sql($order->document_date) . "', " .
+                       db_escape($order->sales_type) . ", " .
+                       db_escape($order->ship_via)."," . 
+                       db_escape($order->deliver_to) . "," .
+                       db_escape($order->delivery_address) . ", " .
+                       db_escape($order->phone) . ", " . 
+                       db_escape($order->email) . ", " .
+                       db_escape($order->freight_cost) .", " . 
+                       db_escape($order->Location) .", " .
+                       db_escape($del_date) . ")";
 
        db_query($sql, "order Cannot be Added");
 
-       $order_no = db_insert_id();
        $order->trans_no = array($order_no=>0);
 
        if ($loc_notification == 1)
@@ -104,17 +77,18 @@ function add_sales_order(&$order)
                        }
                }
 
-               $sql = "INSERT INTO ".TB_PREF."sales_order_details (order_no, stk_code, description, unit_price, quantity, discount_percent) VALUES (";
-               $sql .= $order_no .
-                               ",'$line->stock_id', '$line->item_description', $line->price,
+               $sql = "INSERT INTO ".TB_PREF."sales_order_details (order_no, trans_type, stk_code, description, unit_price, quantity, discount_percent) VALUES (";
+               $sql .= $order_no . ",".$order->trans_type .
+                               ",".db_escape($line->stock_id).", "
+                               .db_escape($line->item_description).", $line->price,
                                $line->quantity,
                                $line->discount_percent)";
                db_query($sql, "order Details Cannot be Added");
 
        } /* inserted line items into sales order details */
 
-       add_forms_for_sys_type(systypes::sales_order(), $order_no);
-
+       add_audit_trail($order->trans_type, $order_no, $order->document_date);
+       $Refs->save($order->trans_type, $order_no, $order->reference);
        commit_transaction();
 
        if ($loc_notification == 1 && count($st_ids) > 0)
@@ -140,29 +114,31 @@ function add_sales_order(&$order)
 
 //----------------------------------------------------------------------------------------
 
-function delete_sales_order($order_no)
+function delete_sales_order($order_no, $trans_type)
 {
        begin_transaction();
 
-       $sql = "DELETE FROM ".TB_PREF."sales_orders WHERE order_no=" . $order_no;
+       $sql = "DELETE FROM ".TB_PREF."sales_orders WHERE order_no=" . db_escape($order_no) 
+               . " AND trans_type=".db_escape($trans_type);
+
        db_query($sql, "order Header Delete");
 
-       $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =" . $order_no;
+       $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =" 
+               .db_escape($order_no) . " AND trans_type=".db_escape($trans_type);
        db_query($sql, "order Detail Delete");
 
-       delete_forms_for_systype(systypes::sales_order(), $order_no);
-
+       add_audit_trail($trans_type, $order_no, Today(), _("Deleted."));
        commit_transaction();
 }
 
 //----------------------------------------------------------------------------------------
 // Mark changes in sales_order_details
 //
-function update_sales_order_version($order) 
+function update_sales_order_version($order)
 {
   foreach ($order as $so_num => $so_ver) {
   $sql= 'UPDATE '.TB_PREF.'sales_orders SET version=version+1 WHERE order_no='. $so_num.
-       ' AND version='.$so_ver;
+       ' AND version='.$so_ver . " AND trans_type=30";
   db_query($sql, 'Concurrent editing conflict while sales order update');
   }
 }
@@ -171,7 +147,7 @@ function update_sales_order_version($order)
 
 function update_sales_order($order)
 {
-       global $loc_notification, $path_to_root;
+       global $loc_notification, $path_to_root, $Refs;
 
        $del_date = date2sql($order->due_date);
        $ord_date = date2sql($order->document_date);
@@ -180,28 +156,28 @@ function update_sales_order($order)
 
        begin_transaction();
 
-       $sql = "UPDATE ".TB_PREF."sales_orders SET type =".$order->so_type." ,
-               debtor_no = '" . $order->customer_id . "',
-               branch_code = '" . $order->Branch . "',
-               customer_ref = '". $order->cust_ref ."',
-               comments = '". db_escape($order->Comments) ."',
-               ord_date = '" . $ord_date . "',
-               order_type = '" . $order->default_sales_type . "',
-               ship_via = " . $order->ship_via .",
-               deliver_to = '" . $order->deliver_to . "',
-               delivery_address = '" . $order->delivery_address . "',
-               contact_phone = '" . $order->phone . "',
-               contact_email = '" . $order->email . "',
-               freight_cost = " . $order->freight_cost .",
-               from_stk_loc = '" . $order->Location ."',
-               delivery_date = '" . $del_date . "',
+       $sql = "UPDATE ".TB_PREF."sales_orders SET type =".db_escape($order->so_type)." ,
+               debtor_no = " . db_escape($order->customer_id) . ",
+               branch_code = " . db_escape($order->Branch) . ",
+               customer_ref = ". db_escape($order->cust_ref) .",
+               reference = ". db_escape($order->reference) .",
+               comments = ". db_escape($order->Comments) .",
+               ord_date = " . db_escape($ord_date) . ",
+               order_type = " .db_escape($order->sales_type) . ",
+               ship_via = " . db_escape($order->ship_via) .",
+               deliver_to = " . db_escape($order->deliver_to) . ",
+               delivery_address = " . db_escape($order->delivery_address) . ",
+               contact_phone = " .db_escape($order->phone) . ",
+               contact_email = " .db_escape($order->email) . ",
+               freight_cost = " .db_escape($order->freight_cost) .",
+               from_stk_loc = " .db_escape($order->Location) .",
+               delivery_date = " .db_escape($del_date). ",
                version = ".($version+1)."
         WHERE order_no=" . $order_no ."
-        AND version=".$version;
-
+        AND trans_type=".$order->trans_type." AND version=".$version;
        db_query($sql, "order Cannot be Updated, this can be concurrent edition conflict");
 
-       $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =" . $order_no;
+       $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =" . $order_no . " AND trans_type=".$order->trans_type;
 
        db_query($sql, "Old order Cannot be Deleted");
 
@@ -223,8 +199,8 @@ function update_sales_order($order)
                                FROM ".TB_PREF."loc_stock, "
                                  .TB_PREF."locations
                                WHERE ".TB_PREF."loc_stock.loc_code=".TB_PREF."locations.loc_code
-                                AND ".TB_PREF."loc_stock.stock_id = '" . $line->stock_id . "'
-                                AND ".TB_PREF."loc_stock.loc_code = '" . $order->Location . "'";
+                                AND ".TB_PREF."loc_stock.stock_id = ".db_escape($line->stock_id)."
+                                AND ".TB_PREF."loc_stock.loc_code = ".db_escape($order->Location);
                        $res = db_query($sql,"a location could not be retreived");
                        $loc = db_fetch($res);
                        if ($loc['email'] != "")
@@ -242,22 +218,25 @@ function update_sales_order($order)
                                }
                        }
                }
-               $sql = "INSERT INTO ".TB_PREF."sales_order_details 
-                (order_no, stk_code,  description, unit_price, quantity, 
-                 discount_percent, qty_sent) 
+               $sql = "INSERT INTO ".TB_PREF."sales_order_details
+                (order_no, trans_type, stk_code,  description, unit_price, quantity,
+                 discount_percent, qty_sent)
                 VALUES (";
-               $sql .= $order_no . ",'"
-                 .$line->stock_id . "','"
-                 .$line->item_description . "', "
-                 .$line->price . ", "
-                 .$line->quantity . ", "
-                 .$line->discount_percent . ", "
-                 .$line->qty_done ." )";
+               $sql .= $order_no . ",".$order->trans_type.","
+                 .db_escape($line->stock_id) . ","
+                 .db_escape($line->item_description) . ", "
+                 .db_escape($line->price) . ", "
+                 .db_escape($line->quantity) . ", "
+                 .db_escape($line->discount_percent) . ", "
+                 .db_escape($line->qty_done) ." )";
 
                db_query($sql, "Old order Cannot be Inserted");
 
        } /* inserted line items into sales order details */
 
+       add_audit_trail($order->trans_type, $order_no, $order->document_date, _("Updated."));
+       $Refs->delete($order->trans_type, $order_no);
+       $Refs->save($order->trans_type, $order_no, $order->reference);
        commit_transaction();
        if ($loc_notification == 1 && count($st_ids) > 0)
        {
@@ -269,8 +248,8 @@ function update_sales_order($order)
                $subject = _("Stocks below Re-Order Level at " . $loc['location_name']);
                $msg = "\n";
                for ($i = 0; $i < count($st_ids); $i++)
-                       $msg .= $st_ids[$i] . " " . $st_names[$i] . ", " 
-                         . _("Re-Order Level") . ": " . $st_reorder[$i] . ", " 
+                       $msg .= $st_ids[$i] . " " . $st_names[$i] . ", "
+                         . _("Re-Order Level") . ": " . $st_reorder[$i] . ", "
                          . _("Below") . ": " . $st_num[$i] . "\n";
                $msg .= "\n" . _("Please reorder") . "\n\n";
                $msg .= $company['coy_name'];
@@ -283,11 +262,12 @@ function update_sales_order($order)
 
 //----------------------------------------------------------------------------------------
 
-function get_sales_order_header($order_no)
+function get_sales_order_header($order_no, $trans_type)
 {
        $sql = "SELECT ".TB_PREF."sales_orders.*, "
          .TB_PREF."debtors_master.name, "
          .TB_PREF."debtors_master.curr_code, "
+         .TB_PREF."debtors_master.email AS master_email, "
          .TB_PREF."locations.location_name, "
          .TB_PREF."debtors_master.payment_terms, "
          .TB_PREF."debtors_master.discount, "
@@ -310,7 +290,9 @@ function get_sales_order_header($order_no)
                AND ".TB_PREF."sales_orders.debtor_no = ".TB_PREF."debtors_master.debtor_no
                AND ".TB_PREF."locations.loc_code = ".TB_PREF."sales_orders.from_stk_loc
                AND ".TB_PREF."shippers.shipper_id = ".TB_PREF."sales_orders.ship_via
-               AND ".TB_PREF."sales_orders.order_no = " . $order_no ;
+               AND ".TB_PREF."sales_orders.trans_type = " . db_escape($trans_type) ."
+               AND ".TB_PREF."sales_orders.order_no = " . db_escape($order_no );
+
        $result = db_query($sql, "order Retreival");
 
        $num = db_num_rows($result);
@@ -329,10 +311,10 @@ function get_sales_order_header($order_no)
 
 //----------------------------------------------------------------------------------------
 
-function get_sales_order_details($order_no) {
+function get_sales_order_details($order_no, $trans_type) {
        $sql = "SELECT id, stk_code, unit_price, "
                .TB_PREF."sales_order_details.description,"
-               .TB_PREF."sales_order_details.quantity, 
+               .TB_PREF."sales_order_details.quantity,
                  discount_percent,
                  qty_sent as qty_done, "
                .TB_PREF."stock_master.units,
@@ -341,40 +323,43 @@ function get_sales_order_details($order_no) {
                        .TB_PREF."stock_master.overhead_cost AS standard_cost
        FROM ".TB_PREF."sales_order_details, ".TB_PREF."stock_master
        WHERE ".TB_PREF."sales_order_details.stk_code = ".TB_PREF."stock_master.stock_id
-       AND order_no =" . $order_no . " ORDER BY id";
+       AND order_no =" . db_escape($order_no) 
+               ." AND trans_type = " . db_escape($trans_type) . " ORDER BY id";
 
        return db_query($sql, "Retreive order Line Items");
 }
 //----------------------------------------------------------------------------------------
 
-function read_sales_order($order_no, &$order)
+function read_sales_order($order_no, &$order, $trans_type)
 {
-       $myrow = get_sales_order_header($order_no);
+       $myrow = get_sales_order_header($order_no, $trans_type);
 
-       $order->trans_type = 30;
+       $order->trans_type = $myrow['trans_type'];
        $order->so_type =  $myrow["type"];
        $order->trans_no = array($order_no=> $myrow["version"]);
 
-       $order->set_customer($myrow["debtor_no"], $myrow["name"], 
+       $order->set_customer($myrow["debtor_no"], $myrow["name"],
          $myrow["curr_code"], $myrow["discount"]);
 
        $order->set_branch($myrow["branch_code"], $myrow["tax_group_id"],
          $myrow["tax_group_name"], $myrow["contact_phone"], $myrow["contact_email"]);
 
-       $order->set_sales_type($myrow["sales_type_id"], $myrow["sales_type"], $myrow["tax_included"]);
+       $order->set_sales_type($myrow["sales_type_id"], $myrow["sales_type"], 
+           $myrow["tax_included"], 0); // no default price calculations on edit
 
        $order->set_location($myrow["from_stk_loc"], $myrow["location_name"]);
 
-       $order->set_delivery($myrow["ship_via"], $myrow["deliver_to"], 
+       $order->set_delivery($myrow["ship_via"], $myrow["deliver_to"],
          $myrow["delivery_address"], $myrow["freight_cost"]);
-         
+
        $order->cust_ref = $myrow["customer_ref"];
-       $order->default_sales_type =$myrow["order_type"];
+       $order->sales_type =$myrow["order_type"];
+       $order->reference = $myrow["reference"];
        $order->Comments = $myrow["comments"];
        $order->due_date = sql2date($myrow["delivery_date"]);
        $order->document_date = sql2date($myrow["ord_date"]);
 
-       $result = get_sales_order_details($order_no);
+       $result = get_sales_order_details($order_no, $order->trans_type);
        if (db_num_rows($result) > 0)
        {
                $line_no=0;
@@ -395,7 +380,8 @@ function read_sales_order($order_no, &$order)
 function sales_order_has_deliveries($order_no)
 {
        $sql = "SELECT SUM(qty_sent) FROM ".TB_PREF.
-       "sales_order_details WHERE order_no=$order_no";
+       "sales_order_details WHERE order_no=".db_escape($order_no)
+       ." AND trans_type=".ST_SALESORDER."";
 
        $result = db_query($sql, "could not query for sales order usage");
 
@@ -410,9 +396,8 @@ function close_sales_order($order_no)
 {
        // set the quantity of each item to the already sent quantity. this will mark item as closed.
        $sql = "UPDATE ".TB_PREF."sales_order_details
-               SET quantity = qty_sent,
-                       type = 0,
-                       WHERE order_no = $order_no";
+               SET quantity = qty_sent WHERE order_no = ".db_escape($order_no)
+               ." AND trans_type=".ST_SALESORDER."";
 
        db_query($sql, "The sales order detail record could not be updated");
 }
@@ -423,11 +408,11 @@ function get_invoice_duedate($debtorno, $invdate)
 {
        if (!is_date($invdate))
        {
-               return Today();
+               return new_doc_date();
        }
        $sql = "SELECT ".TB_PREF."debtors_master.debtor_no, ".TB_PREF."debtors_master.payment_terms, ".TB_PREF."payment_terms.* FROM ".TB_PREF."debtors_master,
                ".TB_PREF."payment_terms WHERE ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator AND
-               ".TB_PREF."debtors_master.debtor_no = '$debtorno'";
+               ".TB_PREF."debtors_master.debtor_no = ".db_escape($debtorno);
 
        $result = db_query($sql,"The customer details could not be retrieved");
        $myrow = db_fetch($result);
@@ -448,24 +433,28 @@ function get_customer_to_order($customer_id) {
                  .TB_PREF."debtors_master.address, "
                  .TB_PREF."credit_status.dissallow_invoices, "
                  .TB_PREF."debtors_master.sales_type AS salestype, "
+                 .TB_PREF."debtors_master.dimension_id, "
+                 .TB_PREF."debtors_master.dimension2_id, "
                  .TB_PREF."sales_types.sales_type, "
                  .TB_PREF."sales_types.tax_included, "
+                 .TB_PREF."sales_types.factor, "
                  .TB_PREF."debtors_master.curr_code, "
-                 .TB_PREF."debtors_master.discount
+                 .TB_PREF."debtors_master.discount,"
+                 .TB_PREF."debtors_master.pymt_discount
                FROM ".TB_PREF."debtors_master, "
                  .TB_PREF."credit_status, "
                  .TB_PREF."sales_types
                WHERE ".TB_PREF."debtors_master.sales_type="
                  .TB_PREF."sales_types.id
                AND ".TB_PREF."debtors_master.credit_status=".TB_PREF."credit_status.id
-               AND ".TB_PREF."debtors_master.debtor_no = '" . $customer_id . "'";
+               AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($customer_id);
 
        $result =db_query($sql,"Customer Record Retreive");
        return  db_fetch($result);
 }
 
 function get_branch_to_order($customer_id, $branch_id) {
-               
+
        // the branch was also selected from the customer selection so default the delivery details from the customer branches table cust_branch. The order process will ask for branch details later anyway
                $sql = "SELECT ".TB_PREF."cust_branch.br_name, "
                        .TB_PREF."cust_branch.br_address, "
@@ -480,8 +469,8 @@ function get_branch_to_order($customer_id, $branch_id) {
                          .TB_PREF."locations
                        WHERE ".TB_PREF."cust_branch.tax_group_id = ".TB_PREF."tax_groups.id
                                AND ".TB_PREF."locations.loc_code=default_location
-                               AND ".TB_PREF."cust_branch.branch_code='" . $branch_id . "'
-                               AND ".TB_PREF."cust_branch.debtor_no = '" . $customer_id . "'";
+                               AND ".TB_PREF."cust_branch.branch_code=".db_escape($branch_id)."
+                               AND ".TB_PREF."cust_branch.debtor_no = ".db_escape($customer_id);
 
            return db_query($sql,"Customer Branch Record Retreive");
 }
FrontAccounting stable branch