Security sql statements update against sql injection attacks.
[fa-stable.git] / sales / inquiry / sales_deliveries_view.php
index 4ea1a8241aa8d770f7ef9e9d3a8b8aa123399da2..0004d19191f995991abcdd4e8a87c912dd2c5c9d 100644 (file)
@@ -204,7 +204,8 @@ if ($_POST['OutstandingOnly'] == true) {
 //figure out the sql required from the inputs available
 if (isset($_POST['DeliveryNumber']) && $_POST['DeliveryNumber'] != "")
 {
-       $sql .= " AND trans.trans_no LIKE '%". $_POST['DeliveryNumber'] ."'";
+       $delivery = "%".$_POST['DeliveryNumber'];
+       $sql .= " AND trans.trans_no LIKE ".db_escape($delivery);
        $sql .= " GROUP BY trans.trans_no";
 }
 else
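Review bot: The added pattern `$delivery = "%".$_POST['DeliveryNumber'];` still lets `%` and `_` in the posted value act as LIKE wildcards, because quote escaping does not neutralise them (db_escape appears to return a quoted, escaped literal, judging by the quotes dropped in this commit). If trans_no is numeric, as its name suggests, guarding the branch with `ctype_digit($_POST['DeliveryNumber'])`, or escaping the metacharacters with `addcslashes($_POST['DeliveryNumber'], '%_\\')` before db_escape, would keep the filter to a literal suffix match. In the second hunk, the context line for `trans.tran_date` still places `date2sql($_POST['DeliveryToDate'])` between hand-written quotes, so that bound is only as safe as date2sql's output; confirm that, or wrap it in db_escape as well. The if/else this hunk sits in continues outside the visible lines.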
@@ -213,13 +214,13 @@ else
        $sql .= " AND trans.tran_date <= '".date2sql($_POST['DeliveryToDate'])."'";
 
        if ($selected_customer != -1)
-               $sql .= " AND trans.debtor_no='" . $selected_customer . "' ";
+               $sql .= " AND trans.debtor_no=".db_escape($selected_customer)." ";
 
        if (isset($selected_stock_item))
-               $sql .= " AND line.stock_id='". $selected_stock_item ."' ";
+               $sql .= " AND line.stock_id=".db_escape($selected_stock_item)." ";
 
        if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != reserved_words::get_all())
-               $sql .= " AND sorder.from_stk_loc = '". $_POST['StockLocation'] . "' ";
+               $sql .= " AND sorder.from_stk_loc = ".db_escape($_POST['StockLocation'])." ";
 
        $sql .= " GROUP BY trans.trans_no ";