// PREVENT DELETES IF DEPENDENT RECORDS IN 'debtor_trans'
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no = '" . $_POST['customer_id']. "'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no = ".db_escape($_POST['customer_id']);
$result = db_query($sql,"could not query debtortrans");
$myrow = db_fetch_row($result);
if ($myrow[0] > 0)
}
else
{
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no = '" . $_POST['customer_id']. "'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no = ".db_escape($_POST['customer_id']);
$result = db_query($sql,"could not query sales orders");
$myrow = db_fetch_row($result);
}
else
{
- $sql="DELETE FROM ".TB_PREF."cust_branch WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no='" . $_POST['customer_id']. "'";
+ $sql="DELETE FROM ".TB_PREF."cust_branch WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no=".db_escape($_POST['customer_id']);
db_query($sql,"could not delete branch");
display_notification(_('Selected customer branch has been deleted'));
}
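Review bot: The `db_escape()` calls added on lines 3, 11 and 18 close the quoted-string injection, but `branch_code` and `debtor_no` are still compared as escaped strings even though they are used as record keys; if those columns are integer typed, a cast such as `$branch = (int)$_POST['branch_code']; $debtor = (int)$_POST['customer_id'];` computed once and reused in all three statements would be the stronger fix, since it does not depend on the escaping routine or the connection charset and removes three separate reads of raw `$_POST`. `db_escape()` is defined outside this file, so its quoting behaviour is inferred only from the dropped surrounding quotes. The `if`/`else` chain that guards the DELETE on line 18 starts before this hunk, and the dependency checks above it are the only thing standing between a request and the row removal, so any authorization check for this action is presumably performed earlier in the file and should be confirmed.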
AND b.tax_group_id=t.id
AND b.area=a.area_code
AND b.salesman=s.salesman_code
- AND b.debtor_no = '" . $_POST['customer_id']. "'";
+ AND b.debtor_no = ".db_escape($_POST['customer_id']);
if (!get_post('show_inactive')) $sql .= " AND !b.inactive";
//------------------------------------------------------------------------------------------------
//editing an existing branch
$sql = "SELECT * FROM ".TB_PREF."cust_branch
- WHERE branch_code='" . $_POST['branch_code'] . "'
- AND debtor_no='" . $_POST['customer_id'] . "'";
+ WHERE branch_code=".db_escape($_POST['branch_code'])."
+ AND debtor_no=".db_escape($_POST['customer_id']);
$result = db_query($sql,"check failed");
$myrow = db_fetch($result);
set_focus('br_name');
{ //end of if $SelectedBranch only do the else when a new record is being entered
if(!$num_branches) {
$sql = "SELECT name, address, email, debtor_ref
- FROM ".TB_PREF."debtors_master WHERE debtor_no = '" . $_POST['customer_id']. "'";
+ FROM ".TB_PREF."debtors_master WHERE debtor_no = ".db_escape($_POST['customer_id']);
$result = db_query($sql,"check failed");
$myrow = db_fetch($result);
$_POST['br_name'] = $myrow["name"];
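Review bot: The `db_fetch()` result on line 44 is indexed on line 45 without checking that a row came back, and since `customer_id` on line 42 is taken straight from the request a non-existent debtor would leave `$myrow` empty and make `$myrow["name"]` fail rather than report the problem; a guard such as `if (!$myrow) { display_error(_('Customer not found')); return; }` (or whatever error path this file uses elsewhere) before the assignment would make the lookup fail closed. The escaping change itself is correct for the interpolation it replaces; the enclosing `if(!$num_branches)` block continues past the end of this hunk.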