Security update merged from 2.1.

[fa-stable.git] / sales / includes / db / sales_points_db.inc

diff --git a/sales/includes/db/sales_points_db.inc b/sales/includes/db/sales_points_db.inc
index 35d220dd7bb0c4f8c27de9499c776dcf25d41014..c7ff404b9eb832b48b6d7b0a443c1dd0f8b6e71d 100644 (file)
--- a/sales/includes/db/sales_points_db.inc
+++ b/sales/includes/db/sales_points_db.inc
@@ -25,7 +25,7 @@ function update_sales_point($id, $name, $location, $account, $cash, $credit)
                                .",pos_account=".db_escape($account)
                                .",cash_sale =$cash"
                                .",credit_sale =$credit"
-                               ." WHERE id = $id";
+                               ." WHERE id = ".db_escape($id);
        
        db_query($sql, "could not update sales type");                  
 }
@@ -47,7 +47,7 @@ function get_sales_point($id)
                .TB_PREF."sales_pos as pos
                LEFT JOIN ".TB_PREF."locations as loc on pos.pos_location=loc.loc_code
                LEFT JOIN ".TB_PREF."bank_accounts as acc on pos.pos_account=acc.id
-               WHERE pos.id='$id'";
+               WHERE pos.id=".db_escape($id);
        
        $result = db_query($sql, "could not get POS definition");
        
@@ -56,7 +56,7 @@ function get_sales_point($id)
 
 function get_sales_point_name($id)
 {
-       $sql = "SELECT pos_name FROM ".TB_PREF."sales_pos WHERE id=$id";
+       $sql = "SELECT pos_name FROM ".TB_PREF."sales_pos WHERE id=".db_escape($id);
        
        $result = db_query($sql, "could not get POS name");
        
@@ -66,7 +66,7 @@ function get_sales_point_name($id)
 
 function delete_sales_point($id)
 {
-       $sql="DELETE FROM ".TB_PREF."sales_pos WHERE id=$id";
+       $sql="DELETE FROM ".TB_PREF."sales_pos WHERE id=".db_escape($id);
        db_query($sql,"The point of sale record could not be deleted");
 }