X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=admin%2Fattachments.php;h=0e1b4e28a61bfacdbf9e26505eb00f2a08f3f05b;hb=7d9fe15f85c15572535c5fa4555b9a72e9d93f04;hp=fca578674cb948799f04b882ac5f97e54182215f;hpb=869e336c7335d984c9ae87d0b810f5c1b3744798;p=fa-stable.git

diff --git a/admin/attachments.php b/admin/attachments.php
index fca57867..0e1b4e28 100644
--- a/admin/attachments.php
+++ b/admin/attachments.php
@@ -112,25 +112,27 @@ if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')
 	if ($Mode == 'ADD_ITEM')
 	{
 		$sql = "INSERT INTO ".TB_PREF."attachments (type_no, trans_no, description, filename, unique_name,
-			filesize, filetype, tran_date) VALUES (".$_POST['filterType'].",".$_POST['trans_no'].",".
-			db_escape($_POST['description']).", '$filename', '$unique_name', '$filesize', '$filetype', '$date')";
+			filesize, filetype, tran_date) VALUES (".db_escape($_POST['filterType']).","
+			.db_escape($_POST['trans_no']).",".db_escape($_POST['description']).", "
+			.db_escape($filename).", ".db_escape($unique_name).", ".db_escape($filesize)
+			.", ".db_escape($filetype).", '$date')";
 		db_query($sql, "Attachment could not be inserted");		
 		display_notification(_("Attachment has been inserted.")); 
 	}
 	else
 	{
 		$sql = "UPDATE ".TB_PREF."attachments SET
-			type_no=".$_POST['filterType'].",
-			trans_no=".$_POST['trans_no'].",
+			type_no=".db_escape($_POST['filterType']).",
+			trans_no=".db_escape($_POST['trans_no']).",
 			description=".db_escape($_POST['description']).", ";
 		if ($filename != "")
 		{
-			$sql .= "filename='$filename',
-			unique_name='$unique_name',
-			filesize='$filesize',
-			filetype='$filetype', ";
+			$sql .= "filename=".db_escape($filename).",
+			unique_name=".db_escape($unique_name).",
+			filesize=".db_escape($filesize).",
+			filetype=".db_escape($filetype);
 		}	
-		$sql .= "tran_date='$date' WHERE id=$selected_id";
+		$sql .= "tran_date='$date' WHERE id=".db_escape($selected_id);
 		db_query($sql, "Attachment could not be updated");		
 		display_notification(_("Attachment has been updated.")); 
 	}
@@ -143,7 +145,7 @@ if ($Mode == 'Delete')
 	$dir =  $comp_path."/".user_company(). "/attachments";
 	if (file_exists($dir."/".$row['unique_name']))
 		unlink($dir."/".$row['unique_name']);
-	$sql = "DELETE FROM ".TB_PREF."attachments WHERE id = $selected_id";
+	$sql = "DELETE FROM ".TB_PREF."attachments WHERE id = ".db_escape($selected_id);
 	db_query($sql, "Could not delete attachment");
 	display_notification(_("Attachment has been deleted.")); 
 	$Mode = 'RESET';
@@ -173,13 +175,14 @@ function viewing_controls()
 
 function get_attached_documents($type)
 {
-	$sql = "SELECT * FROM ".TB_PREF."attachments WHERE type_no=$type ORDER BY trans_no";
+	$sql = "SELECT * FROM ".TB_PREF."attachments WHERE type_no=".db_escape($type)
+	." ORDER BY trans_no";
 	return db_query($sql, "Could not retrieve attachments");
 }
 
 function get_attachment($id)
 {
-	$sql = "SELECT * FROM ".TB_PREF."attachments WHERE id=$id";
+	$sql = "SELECT * FROM ".TB_PREF."attachments WHERE id=".db_escape($id);
 	$result = db_query($sql, "Could not retrieve attachments");
 	return db_fetch($result);
 }