X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=dimensions%2Finquiry%2Fsearch_dimensions.php;h=752b5507ab2574ab164425d76aa1efd8583a5d90;hb=510d6e1925c4d1621ae3efd85e117cc9bb4320f0;hp=5498097a71b9e148762a5e202698f5e3cdb09a79;hpb=f0f460043b9bcb6153c0f6f82d4a74433efe4ad8;p=fa-stable.git
diff --git a/dimensions/inquiry/search_dimensions.php b/dimensions/inquiry/search_dimensions.php
index 5498097a..752b5507 100644
--- a/dimensions/inquiry/search_dimensions.php
+++ b/dimensions/inquiry/search_dimensions.php
@@ -141,7 +141,7 @@ $sql = "SELECT dim.id,
 if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "")
 {
- $sql .= " AND reference LIKE '%". $_POST['OrderNumber'] . "%'";
+ $sql .= " AND reference LIKE ".db_escape("%". $_POST['OrderNumber'] . "%");
 }
 else
 {
 if ($dim == 1)
@@ -154,14 +154,14 @@ if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "")
 if (isset($_POST['type_']) && ($_POST['type_'] > 0))
 {
- $sql .= " AND type_=" . $_POST['type_'];
+ $sql .= " AND type_=".db_escape($_POST['type_']);
 }
 if (isset($_POST['OverdueOnly']))
 {
 $today = date2sql(Today());
- $sql .= " AND due_date < '$today' ";
+ $sql .= " AND due_date < '$today'";
 }
 $sql .= " AND date_ >= '" . date2sql($_POST['FromDate']) . "'
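Review bot: The added db_escape() call on the new `reference LIKE` line presumably closes the quoting problem, but it still passes user-controlled LIKE metacharacters through unchanged: a `%` or `_` typed into OrderNumber acts as a wildcard rather than being searched for literally, so a single `%` matches every reference. Assuming db_escape() also escapes backslashes for the driver (its implementation is not shown here), escaping the metacharacters before wrapping keeps the search literal: `$pattern = '%'.addcslashes($_POST['OrderNumber'], '%_\\').'%';` followed by `$sql .= " AND reference LIKE ".db_escape($pattern);`. The guard `$_POST['OrderNumber'] != ""` on the first context line is a loose comparison; `!== ''` is the explicit form and behaves identically for the string values $_POST carries. The else branch that begins with `if ($dim == 1)` continues outside the hunk.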