MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
***********************************************************************/
-$page_security = 'SA_STEMPLATE';
$path_to_root = "../..";
include($path_to_root . "/includes/db_pager.inc");
include($path_to_root . "/sales/includes/sales_ui.inc");
include_once($path_to_root . "/reporting/includes/reporting.inc");
+$page_security = 'SA_SALESTRANSVIEW';
+
+set_page_security( @$_POST['order_view_mode'],
+ array( 'OutstandingOnly' => 'SA_SALESDELIVERY',
+ 'InvoiceTemplates' => 'SA_SALESINVOICE'),
+ array( 'OutstandingOnly' => 'SA_SALESDELIVERY',
+ 'InvoiceTemplates' => 'SA_SALESINVOICE')
+);
+
$js = "";
if ($use_popup_windows)
$js .= get_js_open_window(900, 600);
$trans_type = ST_SALESQUOTE;
else
$trans_type = ST_SALESORDER;
+
if ($trans_type == ST_SALESORDER)
{
if (isset($_GET['OutstandingOnly']) && ($_GET['OutstandingOnly'] == true))
if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "")
{
- // search orders with number like ...
- $sql .= " AND sorder.order_no LIKE '%". $_POST['OrderNumber'] ."'"
+ // search orders with number like
+ $number_like = "%".$_POST['OrderNumber'];
+ $sql .= " AND sorder.order_no LIKE ".db_escape($number_like)
." GROUP BY sorder.order_no";
}
else // ... or select inquiry constraints
if ($trans_type == 32 && !check_value('show_all'))
$sql .= " AND sorder.delivery_date >= '".date2sql(Today())."'";
if ($selected_customer != -1)
- $sql .= " AND sorder.debtor_no='" . $selected_customer . "'";
+ $sql .= " AND sorder.debtor_no=".db_escape($selected_customer);
if (isset($selected_stock_item))
- $sql .= " AND line.stk_code='". $selected_stock_item ."'";
+ $sql .= " AND line.stk_code=".db_escape($selected_stock_item);
if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != ALL_TEXT)
- $sql .= " AND sorder.from_stk_loc = '". $_POST['StockLocation'] . "' ";
+ $sql .= " AND sorder.from_stk_loc = ".db_escape($_POST['StockLocation']);
if ($_POST['order_view_mode']=='OutstandingOnly')
$sql .= " AND line.qty_sent < line.quantity";
_("Currency") => array('align'=>'center')
);
if ($_POST['order_view_mode'] == 'OutstandingOnly') {
- //array_replace($cols, 3, 1, _("Cust Order Ref"));
+ //array_substitute($cols, 3, 1, _("Cust Order Ref"));
array_append($cols, array(array('insert'=>true, 'fun'=>'dispatch_link')));
} elseif ($_POST['order_view_mode'] == 'InvoiceTemplates') {
- array_replace($cols, 3, 1, _("Description"));
+ array_substitute($cols, 3, 1, _("Description"));
array_append($cols, array( array('insert'=>true, 'fun'=>'invoice_link')));
} else if ($_POST['order_view_mode'] == 'DeliveryTemplates') {
- array_replace($cols, 3, 1, _("Description"));
+ array_substitute($cols, 3, 1, _("Description"));
array_append($cols, array(
array('insert'=>true, 'fun'=>'delivery_link'))
);
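Review bot: The new `$sql .= " AND sorder.order_no LIKE ".db_escape($number_like)` line closes the quoting hole in the order-number search but not the LIKE-pattern one: `$number_like = "%".$_POST['OrderNumber']` still passes user-supplied `%` and `_` through as wildcards, so an order number of `%` matches every order. If a literal suffix match is intended, escape those first, e.g. `$number_like = "%".addcslashes($_POST['OrderNumber'], '%_');`, assuming `db_escape()` does not already neutralise LIKE metacharacters (its body is not visible here). Separately, the `set_page_security()` map added near the top covers `OutstandingOnly` and `InvoiceTemplates` but not the `DeliveryTemplates` mode that the column setup handles later, so that mode falls back to the page default `SA_SALESTRANSVIEW`; worth confirming this is deliberate rather than a missing `'DeliveryTemplates' => 'SA_SALESDELIVERY'` entry. Both the `if ($trans_type == ST_SALESORDER)` block and the column-setup code extend beyond the visible hunks.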