$myrow = get_sales_type($sales_type_id);
$factor = $myrow['factor'];
}
-
+
$add_pct = get_company_pref('add_pct');
$base_id = get_base_sales_type();
$home_curr = get_company_currency();
// AND (sales_type_id = $sales_type_id OR sales_type_id = $base_id)
$sql = "SELECT price, curr_abrev, sales_type_id
FROM ".TB_PREF."prices
- WHERE stock_id = '$stock_id'
- AND (curr_abrev = '$currency' OR curr_abrev = '$home_curr')";
+ WHERE stock_id = ".db_escape($stock_id)."
+ AND (curr_abrev = ".db_escape($currency)." OR curr_abrev = ".db_escape($home_curr).")";
$result = db_query($sql, "There was a problem retrieving the pricing information for the part $stock_id for customer");
$num_rows = db_num_rows($result);
$del_no = reset(array_keys($cart->src_docs));
$sql = 'UPDATE '.TB_PREF.'debtor_trans SET trans_link = ' . $del_no .
- ' WHERE type='.$cart->trans_type.' AND trans_no='. $inv_no ;
+ ' WHERE type=".db_escape($cart->trans_type)." AND trans_no='. $inv_no ;
db_query($sql, 'Child document link cannot be updated');
}
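Review bot: The new WHERE clause on the trans_link UPDATE is built inside a single-quoted string, so `".db_escape($cart->trans_type)."` is emitted into the SQL as literal text instead of being evaluated — the query becomes `type=".db_escape($cart->trans_type)." AND trans_no=...` and will fail at execution. The string needs to be closed before the call: `' WHERE type='.db_escape($cart->trans_type).' AND trans_no='. $inv_no ;`. On the same statement `$del_no` and `$inv_no` are still concatenated without db_escape, so the escaping is only partial; routing them through db_escape as well would make the change consistent with the other hunks in this commit. The enclosing function starts outside the hunk.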
if ($doc_type==ST_SALESORDER)
$sql = "UPDATE ".TB_PREF."sales_order_details
SET qty_sent = qty_sent + $qty_dispatched
- WHERE id=$line_id";
+ WHERE id=".db_escape($line_id);
else
$sql = "UPDATE ".TB_PREF."debtor_trans_details
SET qty_done = qty_done + $qty_dispatched
- WHERE id=$line_id";
+ WHERE id=".db_escape($line_id);
}
db_query($sql, "The parent document detail record could not be updated");
return true;
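Review bot: Both rewritten UPDATE statements (sales_order_details and debtor_trans_details) escape only `$line_id` while `$qty_dispatched` is still interpolated directly into `SET qty_sent = qty_sent + $qty_dispatched` / `SET qty_done = qty_done + $qty_dispatched`, so the fix covers one of the two values in each query. Applying the same treatment to the quantity, `SET qty_sent = qty_sent + ".db_escape($qty_dispatched)."` and `SET qty_done = qty_done + ".db_escape($qty_dispatched)."`, keeps the statements uniformly built. The function's signature and the source of these arguments are outside the hunk.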
{
$sql = "SELECT ".TB_PREF."locations.* FROM ".TB_PREF."stock_moves,"
.TB_PREF."locations".
- " WHERE type=".$cart->trans_type.
+ " WHERE type=".db_escape($cart->trans_type).
" AND trans_no=".key($cart->trans_no).
" AND qty!=0 ".
" AND ".TB_PREF."locations.loc_code=".TB_PREF."stock_moves.loc_code";