{
begin_transaction();
- $sql = "DELETE FROM ".TB_PREF."sales_orders WHERE order_no=" . $order_no;
+ $sql = "DELETE FROM ".TB_PREF."sales_orders WHERE order_no=".db_escape($order_no);
db_query($sql, "order Header Delete");
- $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =" . $order_no;
+ $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =".db_escape($order_no);
db_query($sql, "order Detail Delete");
commit_transaction();
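Review bot: In both DELETE statements `$order_no` is the only predicate, so the safety of the row selection now rests entirely on what `db_escape()` does with the value it is handed, which is not visible in this hunk; if it quotes a string argument MySQL compares `order_no='12'` by coercion, and if it passes non-string values through untouched the protection depends on every caller already supplying an integer. Normalising the key once at the top of the function, `$order_no = (int)$order_no;`, before either statement is built makes the contract explicit and guarantees an integer literal in both queries regardless of how the value arrived. The same point applies to the order_no predicates in the later hunks (the SELECTs and the UPDATE on the `sales_order_details` table), and to the `debtor_no`/`branch_code` keys, for whichever of those columns are numeric. The enclosing function's signature lies outside the hunk.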
begin_transaction();
- $sql = "UPDATE ".TB_PREF."sales_orders SET type =".$order->so_type." ,
+ $sql = "UPDATE ".TB_PREF."sales_orders SET type =".db_escape($order->so_type)." ,
debtor_no = " . db_escape($order->customer_id) . ",
branch_code = " . db_escape($order->Branch) . ",
customer_ref = ". db_escape($order->cust_ref) .",
FROM ".TB_PREF."loc_stock, "
.TB_PREF."locations
WHERE ".TB_PREF."loc_stock.loc_code=".TB_PREF."locations.loc_code
- AND ".TB_PREF."loc_stock.stock_id = '" . $line->stock_id . "'
- AND ".TB_PREF."loc_stock.loc_code = '" . $order->Location . "'";
+ AND ".TB_PREF."loc_stock.stock_id = ".db_escape($line->stock_id)."
+ AND ".TB_PREF."loc_stock.loc_code = ".db_escape($order->Location);
$res = db_query($sql,"a location could not be retreived");
$loc = db_fetch($res);
if ($loc['email'] != "")
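Review bot: The row produced by the rebuilt `loc_stock`/`locations` query is dereferenced as `$loc['email']` with no check that `db_fetch()` actually returned a row; when no location matches the escaped stock_id/loc_code pair the fetch presumably yields `false`, and reading an offset on a boolean raises a notice (a warning on PHP 8) while the comparison silently treats the missing value as empty. A guard such as `if ($loc && $loc['email'] != "")` keeps the current behaviour for matching rows and makes the no-row case deliberate rather than accidental. The SELECT's column list and the surrounding function begin outside the hunk, so the exact `db_fetch` return on an empty result should be confirmed against the db layer.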
AND ".TB_PREF."sales_orders.debtor_no = ".TB_PREF."debtors_master.debtor_no
AND ".TB_PREF."locations.loc_code = ".TB_PREF."sales_orders.from_stk_loc
AND ".TB_PREF."shippers.shipper_id = ".TB_PREF."sales_orders.ship_via
- AND ".TB_PREF."sales_orders.order_no = " . $order_no ;
+ AND ".TB_PREF."sales_orders.order_no = ".db_escape($order_no);
$result = db_query($sql, "order Retreival");
$num = db_num_rows($result);
.TB_PREF."stock_master.overhead_cost AS standard_cost
FROM ".TB_PREF."sales_order_details, ".TB_PREF."stock_master
WHERE ".TB_PREF."sales_order_details.stk_code = ".TB_PREF."stock_master.stock_id
- AND order_no =" . $order_no . " ORDER BY id";
+ AND order_no =".db_escape($order_no)." ORDER BY id";
return db_query($sql, "Retreive order Line Items");
}
function sales_order_has_deliveries($order_no)
{
$sql = "SELECT SUM(qty_sent) FROM ".TB_PREF.
- "sales_order_details WHERE order_no=$order_no";
+ "sales_order_details WHERE order_no=".db_escape($order_no);
$result = db_query($sql, "could not query for sales order usage");
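Review bot: `sales_order_has_deliveries()` carries no docblock, and nothing in the hunk states its contract beyond the SUM over `qty_sent`; a short one above the signature would help, e.g. `/** Returns whether any quantity has already been delivered against sales order $order_no (SUM of qty_sent over its detail lines). @param int $order_no */`. Since `$order_no` is the sole predicate here, a `@param int` annotation also documents the expectation that callers pass a numeric key rather than a raw request string. The remainder of the body, including the return statement, lies outside the hunk, so the documented return value should be checked against it.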
{
// set the quantity of each item to the already sent quantity. this will mark item as closed.
$sql = "UPDATE ".TB_PREF."sales_order_details
- SET quantity = qty_sent WHERE order_no = $order_no";
+ SET quantity = qty_sent WHERE order_no = ".db_escape($order_no);
db_query($sql, "The sales order detail record could not be updated");
}
}
$sql = "SELECT ".TB_PREF."debtors_master.debtor_no, ".TB_PREF."debtors_master.payment_terms, ".TB_PREF."payment_terms.* FROM ".TB_PREF."debtors_master,
".TB_PREF."payment_terms WHERE ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator AND
- ".TB_PREF."debtors_master.debtor_no = '$debtorno'";
+ ".TB_PREF."debtors_master.debtor_no = ".db_escape($debtorno);
$result = db_query($sql,"The customer details could not be retrieved");
$myrow = db_fetch($result);
WHERE ".TB_PREF."debtors_master.sales_type="
.TB_PREF."sales_types.id
AND ".TB_PREF."debtors_master.credit_status=".TB_PREF."credit_status.id
- AND ".TB_PREF."debtors_master.debtor_no = '" . $customer_id . "'";
+ AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($customer_id);
$result =db_query($sql,"Customer Record Retreive");
return db_fetch($result);
.TB_PREF."locations
WHERE ".TB_PREF."cust_branch.tax_group_id = ".TB_PREF."tax_groups.id
AND ".TB_PREF."locations.loc_code=default_location
- AND ".TB_PREF."cust_branch.branch_code='" . $branch_id . "'
- AND ".TB_PREF."cust_branch.debtor_no = '" . $customer_id . "'";
+ AND ".TB_PREF."cust_branch.branch_code=".db_escape($branch_id)."
+ AND ".TB_PREF."cust_branch.debtor_no = ".db_escape($customer_id);
return db_query($sql,"Customer Branch Record Retreive");
}