{
if (isset($selected_id))
{
- $sql = "UPDATE ".TB_PREF."areas SET description='" . $_POST['description'] . "' WHERE area_code = '$selected_id'";
+ $sql = "UPDATE ".TB_PREF."areas SET description=".db_escape($_POST['description'])." WHERE area_code = '$selected_id'";
}
else
{
- $sql = "INSERT INTO ".TB_PREF."areas (description) VALUES ('" . $_POST['description'] . "')";
+ $sql = "INSERT INTO ".TB_PREF."areas (description) VALUES (".db_escape($_POST['description']) . ")";
}
db_query($sql,"The sales area could not be updated or added");