Security sql statements update against sql injection attacks.

[fa-stable.git] / taxes / db / tax_types_db.inc

diff --git a/taxes/db/tax_types_db.inc b/taxes/db/tax_types_db.inc
index 672a4e3613a53a327eeb32e4e64edc83fb7b74b7..71096f32743c72be92210ab39b03247a4aa344b1 100644 (file)
--- a/taxes/db/tax_types_db.inc
+++ b/taxes/db/tax_types_db.inc
@@ -24,7 +24,7 @@ function update_tax_type($type_id, $name, $sales_gl_code, $purchasing_gl_code, $
                sales_gl_code=".db_escape($sales_gl_code).",
                purchasing_gl_code=".db_escape($purchasing_gl_code).",
                rate=$rate
-               WHERE id=$type_id";
+               WHERE id=".db_escape($type_id);
 
        db_query($sql, "could not update tax type");
 }
@@ -57,7 +57,7 @@ function get_tax_type($type_id)
                FROM ".TB_PREF."tax_types, ".TB_PREF."chart_master AS Chart1,
                ".TB_PREF."chart_master AS Chart2
                WHERE ".TB_PREF."tax_types.sales_gl_code = Chart1.account_code
-               AND ".TB_PREF."tax_types.purchasing_gl_code = Chart2.account_code AND id=$type_id";
+               AND ".TB_PREF."tax_types.purchasing_gl_code = Chart2.account_code AND id=".db_escape($type_id);
 
        $result = db_query($sql, "could not get tax type");
        return db_fetch($result);
@@ -65,7 +65,7 @@ function get_tax_type($type_id)
 
 function get_tax_type_default_rate($type_id)
 {
-       $sql = "SELECT rate FROM ".TB_PREF."tax_types WHERE id=$type_id";
+       $sql = "SELECT rate FROM ".TB_PREF."tax_types WHERE id=".db_escape($type_id);
 
        $result = db_query($sql, "could not get tax type rate");
 
@@ -77,7 +77,7 @@ function delete_tax_type($type_id)
 {
        begin_transaction();
 
-       $sql = "DELETE FROM ".TB_PREF."tax_types WHERE id=$type_id";
+       $sql = "DELETE FROM ".TB_PREF."tax_types WHERE id=".db_escape($type_id);
 
        db_query($sql, "could not delete tax type");