X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=admin%2Fshipping_companies.php;h=ec9f89536d93744df579f8c28963a36cdfa508cc;hb=b32d16b2c0c6c43e569ebe87e2a13ceb892b5788;hp=7d4e530c7cb0a424742928a86d821c1a15f11a42;hpb=da8311619dd73feae101d246a1957b972e00cbd2;p=fa-stable.git
diff --git a/admin/shipping_companies.php b/admin/shipping_companies.php
index 7d4e530c..ec9f8953 100644
--- a/admin/shipping_companies.php
+++ b/admin/shipping_companies.php
@@ -24,6 +24,7 @@ function can_process()
 if (strlen($_POST['shipper_name']) == 0)
 {
 display_error(_("The shipping company name cannot be empty."));
+ set_focus('shipper_name');
 return false;
 }
 return true;
@@ -35,10 +36,10 @@ if (isset($_POST['ADD_ITEM']) && can_process())
 {
 $sql = "INSERT INTO ".TB_PREF."shippers (shipper_name, contact, phone, address)
- VALUES ('" . $_POST['shipper_name'] . "', '" .
- $_POST['contact'] . "', '" .
- $_POST['phone'] . "', '" .
- $_POST['address'] . "')";
+ VALUES (" . db_escape($_POST['shipper_name']) . ", " .
+ db_escape($_POST['contact']). ", " .
+ db_escape($_POST['phone']). ", " .
+ db_escape($_POST['address']) . ")";
 db_query($sql,"The Shipping Company could not be added");
 meta_forward($_SERVER['PHP_SELF']);
@@ -49,10 +50,10 @@ if (isset($_POST['ADD_ITEM']) && can_process())
 if (isset($_POST['UPDATE_ITEM']) && can_process())
 {
- $sql = "UPDATE ".TB_PREF."shippers SET shipper_name='" . $_POST['shipper_name'] . "' ,
- contact ='" . $_POST['contact'] . "' ,
- phone ='" . $_POST['phone'] . "' ,
- address ='" . $_POST['address'] . "'
+ $sql = "UPDATE ".TB_PREF."shippers SET shipper_name=" . db_escape($_POST['shipper_name']). " ,
+ contact =" . db_escape($_POST['contact']). " ,
+ phone =" . db_escape($_POST['phone']). " ,
+ address =" . db_escape($_POST['address']). "
 WHERE shipper_id = $selected_id";
 db_query($sql,"The shipping company could not be updated");
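Review bot: The emptiness check on the first line of the first hunk still accepts a shipper name made only of whitespace, because `strlen` is applied to the raw `$_POST['shipper_name']` without trimming, so the new `set_focus` branch is never reached for such input and a blank-looking shipper is stored. Changing the condition to `if (strlen(trim($_POST['shipper_name'])) == 0)` closes that gap and keeps the added focus behaviour. can_process() begins before this hunk, so its opening lines and any other validation are not visible here.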
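Review bot: The rewritten VALUES clause in the INSERT hunk drops the literal single quotes around each value, so the statement is only correct if db_escape() returns an already-quoted literal; the diff implies that, but nothing in this file states it. A short comment above the `$sql` assignment, `// db_escape() quotes as well as escapes, so no literal quotes around the values`, would keep a later edit from re-adding quotes and producing doubly-quoted or broken SQL. The enclosing if block continues past the end of the hunk.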
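Review bot: The WHERE clause on the last context line of the UPDATE hunk still interpolates `$selected_id` into the SQL string unescaped, while the four column values just above it now go through db_escape(). `$selected_id` is assigned outside this hunk, so its origin is not visible here, but if it is taken from the request it needs the same treatment as the other values; the simplest fix is to cast it on the way in, `WHERE shipper_id = " . (int)$selected_id;`, or to pass it through db_escape() like the columns. The enclosing if block continues past the end of the hunk.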