X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;ds=sidebyside;f=gl%2Fincludes%2Fdb%2Fgl_db_rates.inc;h=bd0775eaa746ca7fa74a0e72b0622f9561cfffa8;hb=54d84ff9a67620ab38c676cdbcf87853632724f0;hp=0c9ae6863b5d81d572f404ddff4789bbf7c37322;hpb=2829455fee1259fb5013f382309cb3e61e9381ef;p=fa-stable.git

diff --git a/gl/includes/db/gl_db_rates.inc b/gl/includes/db/gl_db_rates.inc
index 0c9ae686..bd0775ea 100644
--- a/gl/includes/db/gl_db_rates.inc
+++ b/gl/includes/db/gl_db_rates.inc
@@ -12,7 +12,7 @@
 //---------------------------------------------------------------------------------------------
 function get_exchange_rate($rate_id)
 {
-	$sql = "SELECT * FROM ".TB_PREF."exchange_rates WHERE id=$rate_id";
+	$sql = "SELECT * FROM ".TB_PREF."exchange_rates WHERE id=".db_escape($rate_id);
 	$result = db_query($sql, "could not get exchange rate for $rate_id");	
 
 	return db_fetch($result);
@@ -22,8 +22,8 @@ function get_exchange_rate($rate_id)
 function get_date_exchange_rate($curr_code, $date_)
 {
 	$date = date2sql($date_);
-	$sql = "SELECT rate_buy FROM ".TB_PREF."exchange_rates WHERE curr_code='$curr_code' 
-		AND date_='$date'";
+	$sql = "SELECT rate_buy FROM ".TB_PREF."exchange_rates WHERE curr_code=".db_escape($curr_code)
+	." AND date_='$date'";
 	$result = db_query($sql, "could not get exchange rate for $curr_code - $date_");	
 
 	if(db_num_rows($result) == 0) 
@@ -41,8 +41,8 @@ function update_exchange_rate($curr_code, $date_, $buy_rate, $sell_rate)
 			
 	$date = date2sql($date_);
 		
-	$sql = "UPDATE ".TB_PREF."exchange_rates SET rate_buy=$buy_rate, rate_sell=$sell_rate
-		WHERE curr_code='$curr_code' AND date_='$date'";
+	$sql = "UPDATE ".TB_PREF."exchange_rates SET rate_buy=$buy_rate, rate_sell=".db_escape($sell_rate)
+	." WHERE curr_code=".db_escape($curr_code)." AND date_='$date'";
 				
 	db_query($sql, "could not add exchange rate for $curr_code");				
 }
@@ -57,7 +57,8 @@ function add_exchange_rate($curr_code, $date_, $buy_rate, $sell_rate)
 	$date = date2sql($date_);
 		
 	$sql = "INSERT INTO ".TB_PREF."exchange_rates (curr_code, date_, rate_buy, rate_sell)
-		VALUES ('$curr_code', '$date', $buy_rate, $sell_rate)";
+		VALUES (".db_escape($curr_code).", '$date', ".db_escape($buy_rate)
+		.", ".db_escape($sell_rate).")";
 	db_query($sql, "could not add exchange rate for $curr_code");				
 }
 
@@ -65,7 +66,7 @@ function add_exchange_rate($curr_code, $date_, $buy_rate, $sell_rate)
 
 function delete_exchange_rate($rate_id)
 {
-	$sql = "DELETE FROM ".TB_PREF."exchange_rates WHERE id=$rate_id";
+	$sql = "DELETE FROM ".TB_PREF."exchange_rates WHERE id=".db_escape($rate_id);
 	db_query($sql, "could not delete exchange rate $rate_id");		
 }