Security sql statements update against sql injection attacks.

[fa-stable.git] / sales / manage / customers.php

diff --git a/sales/manage/customers.php b/sales/manage/customers.php
index d1f358ec5a9b49f6b590e9a5697932273cb0c7c2..bb18cdd0d6ba91f05c27e6e9a1835abaca623af7 100644 (file)
--- a/sales/manage/customers.php
+++ b/sales/manage/customers.php
@@ -84,7 +84,7 @@ function handle_submit()
             pymt_discount=" . input_num('pymt_discount') / 100 . ", 
             credit_limit=" . input_num('credit_limit') . ", 
             sales_type = ".db_escape($_POST['sales_type']) . " 
-            WHERE debtor_no = '". $_POST['customer_id'] . "'";
+            WHERE debtor_no = ".db_escape($_POST['customer_id']);
 
                db_query($sql,"The customer could not be updated");
                display_notification(_("Customer has been updated."));