A couple of security issues fixed.
[fa-stable.git] / taxes / db / tax_types_db.inc
index e57ffb356bfbb171d10ca0bec47a695c5d0aca7b..a9325b60b10fd8b561beffc2ff19394e0e5da2d6 100644 (file)
@@ -83,7 +83,7 @@ function delete_tax_type($type_id)
        db_query($sql, "could not delete tax type");
 
        // also delete any item tax exemptions associated with this type
-       $sql = "DELETE FROM ".TB_PREF."item_tax_type_exemptions WHERE tax_type_id=$type_id";
+       $sql = "DELETE FROM ".TB_PREF."item_tax_type_exemptions WHERE tax_type_id=".db_escape($type_id);
 
        db_query($sql, "could not delete item tax type exemptions");
 
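Review bot: Whether the rewritten DELETE on `item_tax_type_exemptions` is safe depends on `db_escape()` returning a quoted literal, which is not visible in this hunk. If the helper only escapes special characters, `tax_type_id=` is still an unquoted numeric context and escaping alone does not constrain the value. If tax type ids are always integers, adding `$type_id = (int)$type_id;` at the top of `delete_tax_type()` would make both statements independent of the helper's quoting. The first DELETE is built above the hunk, so confirm it treats `$type_id` the same way; the function's start and end are both outside the hunk.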
@@ -113,4 +113,18 @@ function is_tax_gl_unique($gl_code, $gl_code2=-1, $selected_id=-1) {
 
        return $gl_code2 == -1 ? ($row[0] <= 1) : ($row[0] == 0);
 }
-?>
\ No newline at end of file
+
+function is_tax_account($account_code)
+{
+       $sql= "SELECT id FROM ".TB_PREF."tax_types WHERE 
+               sales_gl_code=".db_escape($account_code)." OR purchasing_gl_code=".db_escape($account_code);
+       $result = db_query($sql, "checking account is tax account");
+       if (db_num_rows($result) > 0) {
+               $acct = db_fetch($result);
+               return $acct['id'];
+       } else
+               return false;
+}
+
+
+?>
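Review bot: `is_tax_account()` returns either a tax type id or `false`, and nothing documents that callers should test the result with `=== false` rather than rely on truthiness. A one-line header comment would pin the contract, for example `// Returns the id of a tax type using $account_code as sales or purchasing GL account, or false if none does.` Several tax types may reference the same account and only the first fetched row is returned, so the comment should say that too. The closing `?>` re-added at the end of this include could be omitted, so that whitespace after it is never sent as output.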