X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;ds=inline;f=gl%2Fincludes%2Fdb%2Fgl_db_rates.inc;h=02a782296ae03e54b976049cf30f02659f8f7ac5;hb=0bf933423b9645bcb57390c478d4fdaf0c895049;hp=fa5926b6559fa04a67d548c1eefc4f6302f18405;hpb=f4737ea725de62440c8bf58a7b4d7b187268fe93;p=fa-stable.git
diff --git a/gl/includes/db/gl_db_rates.inc b/gl/includes/db/gl_db_rates.inc
index fa5926b6..02a78229 100644
--- a/gl/includes/db/gl_db_rates.inc
+++ b/gl/includes/db/gl_db_rates.inc
@@ -12,7 +12,7 @@
 //---------------------------------------------------------------------------------------------
 function get_exchange_rate($rate_id)
 {
-	$sql = "SELECT * FROM ".TB_PREF."exchange_rates WHERE id=$rate_id";
+	$sql = "SELECT * FROM ".TB_PREF."exchange_rates WHERE id=".db_escape($rate_id);
 	$result = db_query($sql, "could not get exchange rate for $rate_id");
 	return db_fetch($result);
 
@@ -22,8 +22,8 @@ function get_exchange_rate($rate_id)
 function get_date_exchange_rate($curr_code, $date_)
 {
 	$date = date2sql($date_);
-	$sql = "SELECT rate_buy FROM ".TB_PREF."exchange_rates WHERE curr_code='$curr_code'
-		AND date_='$date'";
+	$sql = "SELECT rate_buy FROM ".TB_PREF."exchange_rates WHERE curr_code=".db_escape($curr_code)
+		." AND date_='$date'";
 	$result = db_query($sql, "could not get exchange rate for $curr_code - $date_");
 
 	if(db_num_rows($result) == 0)
@@ -41,8 +41,8 @@ function update_exchange_rate($curr_code, $date_, $buy_rate, $sell_rate)
 
 	$date = date2sql($date_);
 
-	$sql = "UPDATE ".TB_PREF."exchange_rates SET rate_buy=$buy_rate, rate_sell=$sell_rate
-		WHERE curr_code='$curr_code' AND date_='$date'";
+	$sql = "UPDATE ".TB_PREF."exchange_rates SET rate_buy=$buy_rate, rate_sell=".db_escape($sell_rate)
+		." WHERE curr_code=".db_escape($curr_code)." AND date_='$date'";
 	db_query($sql, "could not add exchange rate for $curr_code");
 }
 
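Review bot: `$date` is still interpolated directly into the query in the added `." AND date_='$date'"` line, while `$curr_code` on the same line now goes through db_escape(). That is safe only if date2sql() (called on the line above, defined elsewhere) always returns a normalized date string; if it can pass unparseable input through unchanged, the quote-breaking problem this commit is fixing remains on that operand. For consistency I would write `." AND date_=".db_escape($date)` so the function does not depend on date2sql's behaviour. get_date_exchange_rate continues past the end of this hunk.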
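Review bot: In the rewritten UPDATE statement `rate_buy=$buy_rate` is still interpolated raw while `rate_sell` goes through db_escape(), so the left half of the SET clause is left exactly as it was: a non-numeric `$buy_rate` reaching this function still breaks the statement and, if the value is request-derived, is still injectable. I would escape both operands the same way: `$sql = "UPDATE ".TB_PREF."exchange_rates SET rate_buy=".db_escape($buy_rate).", rate_sell=".db_escape($sell_rate)`. The db_query() error text `"could not add exchange rate for $curr_code"` also describes an insert rather than an update; `"could not update exchange rate for $curr_code"` would make the log line less misleading. The start of update_exchange_rate lies outside this hunk.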
@@ -57,7 +57,8 @@ function add_exchange_rate($curr_code, $date_, $buy_rate, $sell_rate)
 	$date = date2sql($date_);
 
 	$sql = "INSERT INTO ".TB_PREF."exchange_rates (curr_code, date_, rate_buy, rate_sell)
-		VALUES ('$curr_code', '$date', $buy_rate, $sell_rate)";
+		VALUES (".db_escape($curr_code).", '$date', ".db_escape($buy_rate)
+		.", ".db_escape($sell_rate).")";
 	db_query($sql, "could not add exchange rate for $curr_code");
 }
 
@@ -65,7 +66,7 @@ function add_exchange_rate($curr_code, $date_, $buy_rate, $sell_rate)
 
 function delete_exchange_rate($rate_id)
 {
-	$sql = "DELETE FROM ".TB_PREF."exchange_rates WHERE id=$rate_id";
+	$sql = "DELETE FROM ".TB_PREF."exchange_rates WHERE id=".db_escape($rate_id);
 	db_query($sql, "could not delete exchange rate $rate_id");
 }
 
@@ -145,4 +146,14 @@ function get_ecb_rate($curr_b)
 	return $val;
 } // end function get_ecb_rate
 
+//-----------------------------------------------------------------------------
+
+function get_sql_for_exchange_rates()
+{
+	$sql = "SELECT date_, rate_buy, id FROM "
+		.TB_PREF."exchange_rates "
+		."WHERE curr_code=".db_escape($_POST['curr_abrev'])."
+		ORDER BY date_ DESC";
+	return $sql;
+}
 ?>
\ No newline at end of file
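Review bot: The new get_sql_for_exchange_rates() reads `$_POST['curr_abrev']` directly inside a gl/includes/db helper, which couples the SQL layer to the HTTP request and raises an undefined-index notice whenever the function is called without that form field (from a report or a non-form path, say). Since the function is introduced by this commit, I would take the currency as a parameter instead: `function get_sql_for_exchange_rates($curr_code)` with `."WHERE curr_code=".db_escape($curr_code)."`, and let the caller pass `$_POST['curr_abrev']`. If a caller in this commit already relies on the POST lookup, a default of `$curr_code = null` that falls back to `$_POST['curr_abrev']` keeps it working while making the dependency explicit. Passing the value through db_escape() is the right choice here, on the assumption that it quotes and escapes strings as the other hunks rely on.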