Security update merged from 2.1.
[fa-stable.git] / sales / manage / customer_branches.php
index af6cd9968724a2edda2f99569cd7d9f6f33ecdf4..849ac557786c42867421968265c7e6958ed49f73 100644 (file)
@@ -148,7 +148,7 @@ elseif ($Mode == 'Delete')
 
        // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtor_trans'
 
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no = '" . $_POST['customer_id']. "'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no = ".db_escape($_POST['customer_id']);
        $result = db_query($sql,"could not query debtortrans");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0)
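Review bot: The escaped values on the new line are still handled as free-form strings although branch_code and debtor_no are presumably integer keys (they are compared to COUNT-style key columns throughout this file); casting them first, `$branch = (int)$_POST['branch_code']; $debtor = (int)$_POST['customer_id'];`, would reject non-numeric input outright and make the query safe independently of how db_escape() behaves. Dropping the literal quotes around the values implies that db_escape() quotes as well as escapes; that is worth confirming for the 2.1 version being merged, since every query in this commit depends on it. The `elseif ($Mode == 'Delete')` block containing this hunk starts before it.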
@@ -158,7 +158,7 @@ elseif ($Mode == 'Delete')
        }
        else
        {
-               $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no = '" . $_POST['customer_id']. "'";
+               $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no = ".db_escape($_POST['customer_id']);
                $result = db_query($sql,"could not query sales orders");
 
                $myrow = db_fetch_row($result);
@@ -168,7 +168,7 @@ elseif ($Mode == 'Delete')
                }
                else
                {
-                       $sql="DELETE FROM ".TB_PREF."cust_branch WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no='" . $_POST['customer_id']. "'";
+                       $sql="DELETE FROM ".TB_PREF."cust_branch WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no=".db_escape($_POST['customer_id']);
                        db_query($sql,"could not delete branch");
                        display_notification(_('Selected customer branch has been deleted'));
                }
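Review bot: The DELETE on the new line runs as a separate statement from the two COUNT(*) checks above it with no transaction visible around them, so a debtor_trans or sales_orders row inserted between a check and the delete would leave that record pointing at a branch that no longer exists. If the codebase provides transaction helpers (the rest of FrontAccounting appears to use begin/commit wrappers, though none are visible here), wrapping the check-and-delete sequence in one would close that window; a RESTRICT foreign key would enforce the same invariant at the database instead. The `elseif ($Mode == 'Delete')` block containing this hunk starts before the first hunk of this file.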
@@ -232,7 +232,7 @@ $num_branches = db_customer_has_branches($_POST['customer_id']);
                AND b.tax_group_id=t.id
                AND b.area=a.area_code
                AND b.salesman=s.salesman_code
-               AND b.debtor_no = '" . $_POST['customer_id']. "'";
+               AND b.debtor_no = ".db_escape($_POST['customer_id']);
 
        if (!get_post('show_inactive')) $sql .= " AND !b.inactive";
 //------------------------------------------------------------------------------------------------
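Review bot: The hunk header's `db_customer_has_branches($_POST['customer_id'])` passes the same raw POST value that the new line in this hunk now escapes; whether that helper escapes internally is not visible here and should be checked alongside this change, since it is reached on every request before the query below. The query statement this hunk edits begins before the hunk's first line.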
@@ -280,8 +280,8 @@ if ($selected_id != -1)
 
                //editing an existing branch
        $sql = "SELECT * FROM ".TB_PREF."cust_branch
-                       WHERE branch_code='" . $_POST['branch_code'] . "'
-                       AND debtor_no='" . $_POST['customer_id'] . "'";
+                       WHERE branch_code=".db_escape($_POST['branch_code'])."
+                       AND debtor_no=".db_escape($_POST['customer_id']);
                $result = db_query($sql,"check failed");
            $myrow = db_fetch($result);
                set_focus('br_name');
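Review bot: The SELECT on the new lines is followed by `$myrow = db_fetch($result)` with no check that a row came back, and since branch_code and customer_id come straight from POST, a pair that matches nothing is easy to produce; if db_fetch() returns false on no row (as a mysql-fetch wrapper would), the field population that presumably follows reads from false. A guard after the fetch, `if (!$myrow) { display_error(_('Selected customer branch not found')); }` (or whatever this file's error idiom is), would fail cleanly instead. The enclosing `if ($selected_id != -1)` block continues past the hunk.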
@@ -314,7 +314,7 @@ elseif ($Mode != 'ADD_ITEM')
 { //end of if $SelectedBranch only do the else when a new record is being entered
        if(!$num_branches) {
                $sql = "SELECT name, address, email, debtor_ref
-                       FROM ".TB_PREF."debtors_master WHERE debtor_no = '" . $_POST['customer_id']. "'";
+                       FROM ".TB_PREF."debtors_master WHERE debtor_no = ".db_escape($_POST['customer_id']);
                $result = db_query($sql,"check failed");
                $myrow = db_fetch($result);
                $_POST['br_name'] = $myrow["name"];