Security update merged from 2.1.

[fa-stable.git] / sales / inquiry / sales_orders_view.php

diff --git a/sales/inquiry/sales_orders_view.php b/sales/inquiry/sales_orders_view.php
index d9e993a56d527e03f75b0f793883949bf86da275..dac158eaf7c133aa31679c9a2611f13ba8f25982 100644 (file)
--- a/sales/inquiry/sales_orders_view.php
+++ b/sales/inquiry/sales_orders_view.php
@@ -16,7 +16,7 @@ include($path_to_root . "/includes/session.inc");
 include($path_to_root . "/sales/includes/sales_ui.inc");
 include_once($path_to_root . "/reporting/includes/reporting.inc");
 
-$page_security = 'SA_TRANSVIEW';
+$page_security = 'SA_SALESTRANSVIEW';
 
 set_page_security( @$_POST['order_view_mode'],
        array(  'OutstandingOnly' => 'SA_SALESDELIVERY',
@@ -35,10 +35,8 @@ if (get_post('type'))
        $trans_type = $_POST['type'];
 elseif (isset($_GET['type']) && $_GET['type'] == ST_SALESQUOTE)
        $trans_type = ST_SALESQUOTE;
-elseif (isset($_GET['type']) && $_GET['type'] == ST_SALESORDER)
-       $trans_type = ST_SALESORDER;
 else
-       $page_security = 'SA_DENIED';
+       $trans_type = ST_SALESORDER;
 
 if ($trans_type == ST_SALESORDER)
 {
@@ -277,8 +275,9 @@ $sql = "SELECT
 
 if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "")
 {
-       // search orders with number like ...
-       $sql .= " AND sorder.order_no LIKE '%". $_POST['OrderNumber'] ."'"
+       // search orders with number like 
+       $number_like = "%".$_POST['OrderNumber'];
+       $sql .= " AND sorder.order_no LIKE ".db_escape($number_like)
                        ." GROUP BY sorder.order_no";
 }
 else   // ... or select inquiry constraints
@@ -294,13 +293,13 @@ else      // ... or select inquiry constraints
        if ($trans_type == 32 && !check_value('show_all'))
                $sql .= " AND sorder.delivery_date >= '".date2sql(Today())."'";
        if ($selected_customer != -1)
-               $sql .= " AND sorder.debtor_no='" . $selected_customer . "'";
+               $sql .= " AND sorder.debtor_no=".db_escape($selected_customer);
 
        if (isset($selected_stock_item))
-               $sql .= " AND line.stk_code='". $selected_stock_item ."'";
+               $sql .= " AND line.stk_code=".db_escape($selected_stock_item);
 
        if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != ALL_TEXT)
-               $sql .= " AND sorder.from_stk_loc = '". $_POST['StockLocation'] . "' ";
+               $sql .= " AND sorder.from_stk_loc = ".db_escape($_POST['StockLocation']);
 
        if ($_POST['order_view_mode']=='OutstandingOnly')
                $sql .= " AND line.qty_sent < line.quantity";