projects / fa-stable.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fixed session name to avoid conflicts during multiuser debugging.
[fa-stable.git] / sales / includes / db / sales_order_db.inc
diff --git a/sales/includes/db/sales_order_db.inc b/sales/includes/db/sales_order_db.inc
index 1b0273dfd7ff953fa81946102c4d3b551739b16f..25e39abf579fb66c7da65065ffd856a96d810421 100644 (file)
--- a/sales/includes/db/sales_order_db.inc
+++ b/sales/includes/db/sales_order_db.inc
@@ -54,15 +54,20 @@ function add_sales_order(&$order)
        $sql = "INSERT INTO ".TB_PREF."sales_orders (type, debtor_no, branch_code, customer_ref, comments, ord_date,
                order_type, ship_via, deliver_to, delivery_address, contact_phone,
                contact_email, freight_cost, from_stk_loc, delivery_date)
-               VALUES ('" . $order_type . "', '" . $order->customer_id . "', '" . $order->Branch . "', '".
-                       $order->cust_ref ."','". db_escape($order->Comments) ."','" .
-                       date2sql($order->document_date) . "', '" .
-                       $order->sales_type . "', " .
-                       $_POST['ship_via'] .",'" . $order->deliver_to . "', '" .
-                       $order->delivery_address . "', '" .
-                       $order->phone . "', '" . $order->email . "', " .
-                       $order->freight_cost .", '" . $order->Location ."', '" .
-                       $del_date . "')";
+               VALUES (" .db_escape($order_type) . "," . db_escape($order->customer_id) .
+                ", " . db_escape($order->Branch) . ", ".
+                       db_escape($order->cust_ref) .",". 
+                       db_escape($order->Comments) .",'" . 
+                       date2sql($order->document_date) . "', " .
+                       db_escape($order->sales_type) . ", " .
+                       db_escape($order->ship_via)."," . 
+                       db_escape($order->deliver_to) . "," .
+                       db_escape($order->delivery_address) . ", " .
+                       db_escape($order->phone) . ", " . 
+                       db_escape($order->email) . ", " .
+                       db_escape($order->freight_cost) .", " . 
+                       db_escape($order->Location) .", " .
+                       db_escape($del_date) . ")";
 
        db_query($sql, "order Cannot be Added");
 
@@ -106,7 +111,8 @@ function add_sales_order(&$order)
 
                $sql = "INSERT INTO ".TB_PREF."sales_order_details (order_no, stk_code, description, unit_price, quantity, discount_percent) VALUES (";
                $sql .= $order_no .
-                               ",'$line->stock_id', '$line->item_description', $line->price,
+                               ",".db_escape($line->stock_id).", "
+                               .db_escape($line->item_description).", $line->price,
                                $line->quantity,
                                $line->discount_percent)";
                db_query($sql, "order Details Cannot be Added");
@@ -177,24 +183,23 @@ function update_sales_order($order)
        begin_transaction();
 
        $sql = "UPDATE ".TB_PREF."sales_orders SET type =".$order->so_type." ,
-               debtor_no = '" . $order->customer_id . "',
-               branch_code = '" . $order->Branch . "',
-               customer_ref = '". $order->cust_ref ."',
-               comments = '". db_escape($order->Comments) ."',
-               ord_date = '" . $ord_date . "',
-               order_type = '" . $order->sales_type . "',
-               ship_via = " . $order->ship_via .",
-               deliver_to = '" . $order->deliver_to . "',
-               delivery_address = '" . $order->delivery_address . "',
-               contact_phone = '" . $order->phone . "',
-               contact_email = '" . $order->email . "',
-               freight_cost = " . $order->freight_cost .",
-               from_stk_loc = '" . $order->Location ."',
-               delivery_date = '" . $del_date . "',
+               debtor_no = " . db_escape($order->customer_id) . ",
+               branch_code = " . db_escape($order->Branch) . ",
+               customer_ref = ". db_escape($order->cust_ref) .",
+               comments = ". db_escape($order->Comments) .",
+               ord_date = " . db_escape($ord_date) . ",
+               order_type = " .db_escape($order->sales_type) . ",
+               ship_via = " . db_escape($order->ship_via) .",
+               deliver_to = " . db_escape($order->deliver_to) . ",
+               delivery_address = " . db_escape($order->delivery_address) . ",
+               contact_phone = " .db_escape($order->phone) . ",
+               contact_email = " .db_escape($order->email) . ",
+               freight_cost = " .db_escape($order->freight_cost) .",
+               from_stk_loc = " .db_escape($order->Location) .",
+               delivery_date = " .db_escape($del_date). ",
                version = ".($version+1)."
         WHERE order_no=" . $order_no ."
         AND version=".$version;
-
        db_query($sql, "order Cannot be Updated, this can be concurrent edition conflict");
 
        $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =" . $order_no;
@@ -242,13 +247,13 @@ function update_sales_order($order)
                 (order_no, stk_code,  description, unit_price, quantity,
                  discount_percent, qty_sent)
                 VALUES (";
-               $sql .= $order_no . ",'"
-                 .$line->stock_id . "','"
-                 .$line->item_description . "', "
-                 .$line->price . ", "
-                 .$line->quantity . ", "
-                 .$line->discount_percent . ", "
-                 .$line->qty_done ." )";
+               $sql .= $order_no . ","
+                 .db_escape($line->stock_id) . ","
+                 .db_escape($line->item_description) . ", "
+                 .db_escape($line->price) . ", "
+                 .db_escape($line->quantity) . ", "
+                 .db_escape($line->discount_percent) . ", "
+                 .db_escape($line->qty_done) ." )";
 
                db_query($sql, "Old order Cannot be Inserted");
 
@@ -357,7 +362,8 @@ function read_sales_order($order_no, &$order)
        $order->set_branch($myrow["branch_code"], $myrow["tax_group_id"],
          $myrow["tax_group_name"], $myrow["contact_phone"], $myrow["contact_email"]);
 
-       $order->set_sales_type($myrow["sales_type_id"], $myrow["sales_type"], $myrow["tax_included"]);
+       $order->set_sales_type($myrow["sales_type_id"], $myrow["sales_type"], 
+           $myrow["tax_included"], 0); // no default price calculations on edit
 
        $order->set_location($myrow["from_stk_loc"], $myrow["location_name"]);
 
@@ -446,8 +452,10 @@ function get_customer_to_order($customer_id) {
                  .TB_PREF."debtors_master.sales_type AS salestype, "
                  .TB_PREF."sales_types.sales_type, "
                  .TB_PREF."sales_types.tax_included, "
+                 .TB_PREF."sales_types.factor, "
                  .TB_PREF."debtors_master.curr_code, "
-                 .TB_PREF."debtors_master.discount
+                 .TB_PREF."debtors_master.discount,"
+                 .TB_PREF."debtors_master.pymt_discount
                FROM ".TB_PREF."debtors_master, "
                  .TB_PREF."credit_status, "
                  .TB_PREF."sales_types
FrontAccounting stable branch