X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=gl%2Fbank_account_reconcile.php;h=2fca2b34c41805bf9fdd141d89d5fd74bf25811d;hb=fbdfe3f3da62ecf86e3ad978b89efbb6c317a47a;hp=b91bed9eb612c17f5710c0452af92193f078ff93;hpb=f0f460043b9bcb6153c0f6f82d4a74433efe4ad8;p=fa-stable.git diff --git a/gl/bank_account_reconcile.php b/gl/bank_account_reconcile.php index b91bed9e..2fca2b34 100644 --- a/gl/bank_account_reconcile.php +++ b/gl/bank_account_reconcile.php @@ -30,7 +30,7 @@ if ($use_date_picker) add_js_file('reconcile.js'); -page(_("Reconcile Bank Account"), false, false, "", $js); +page(_($help_context = "Reconcile Bank Account"), false, false, "", $js); check_db_has_bank_accounts(_("There are no bank accounts defined in the system.")); @@ -117,14 +117,15 @@ function change_tpl_flag($reconcile_id) $_POST['bank_date'] = date2sql(get_post('reconcile_date')); $reconcile_value = check_value("rec_".$reconcile_id) ? ("'".$_POST['bank_date'] ."'") : 'NULL'; - $sql = "UPDATE ".TB_PREF."bank_trans SET reconciled=$reconcile_value WHERE id=$reconcile_id"; + $sql = "UPDATE ".TB_PREF."bank_trans SET reconciled=".db_escape($reconcile_value) + ." WHERE id=".db_escape($reconcile_id); db_query($sql, "Can't change reconciliation status"); // save last reconcilation status (date, end balance) $sql2="UPDATE ".TB_PREF."bank_accounts SET last_reconciled_date='" .date2sql($_POST["reconcile_date"])."', ending_reconcile_balance=".input_num("end_balance") - ." WHERE id=".$_POST["bank_account"]; + ." WHERE id=".db_escape($_POST["bank_account"]); $result = db_query($sql2,"Error updating reconciliation information"); $Ajax->activate('reconciled'); 
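Review bot: The `$help_context = "Reconcile Bank Account"` assignment tucked into the argument list of `page()` sets a global as a side effect of building the page title, which is easy to overlook when reading the call. Splitting it keeps the same string in both places and makes the side effect visible: `$help_context = "Reconcile Bank Account";` followed by `page(_($help_context), false, false, "", $js);`. If the rest of the codebase already uses the one-line form, keeping it for consistency is a reasonable call.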
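Review bot: Passing `$reconcile_value` through db_escape() on the new `$sql` line double-quotes it: the value is built two lines above as either `"'".$_POST['bank_date']."'"` (already wrapped in quotes) or the bare SQL keyword `'NULL'`, so if db_escape() quotes string input the way it is relied on for the other call sites in this commit, the column receives a date with literal quote characters inside, and the un-reconcile path writes the four-character string `'NULL'` rather than SQL NULL, which would presumably stop the `reconciled IS NULL` filter in the listing query below from matching that transaction. Escape the date once where it is built and leave the keyword bare: `$reconcile_value = check_value("rec_".$reconcile_id) ? db_escape($_POST['bank_date']) : 'NULL';` and `$sql = "UPDATE ".TB_PREF."bank_trans SET reconciled=$reconcile_value WHERE id=".db_escape($reconcile_id);`. In `$sql2`, `ending_reconcile_balance=".input_num("end_balance")` is still interpolated raw; it presumably yields a number, but a false or empty return would leave a syntax error, so a db_escape() there would match the rest of the change. change_tpl_flag() begins before this hunk and its body continues after it.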
@@ -182,7 +183,7 @@ $sql = "SELECT MAX(reconciled) as last_date, SUM(IF(reconciled<'$date', amount, 0)) as beg_balance, SUM(amount) as total FROM ".TB_PREF."bank_trans trans - WHERE bank_act=".$_POST['bank_account']; + WHERE bank_act=".db_escape($_POST['bank_account']); // ." AND trans.reconciled IS NOT NULL"; $result = db_query($sql,"Cannot retrieve reconciliation data"); @@ -197,8 +198,8 @@ if ($row = db_fetch($result)) { if (get_post('bank_date')) { // if it is the last updated bank statement retrieve ending balance $sql = "SELECT ending_reconcile_balance - FROM ".TB_PREF."bank_accounts WHERE id=".$_POST['bank_account'] - . " AND last_reconciled_date='".$_POST['bank_date']."'"; + FROM ".TB_PREF."bank_accounts WHERE id=".db_escape($_POST['bank_account']) + . " AND last_reconciled_date=".db_escape($_POST['bank_date']); $result = db_query($sql,"Cannot retrieve last reconciliation"); $row = db_fetch($result); if($row) { @@ -244,7 +245,7 @@ if (!isset($_POST['bank_account'])) $sql = "SELECT type, trans_no, ref, trans_date, amount, person_id, person_type_id, reconciled, id FROM ".TB_PREF."bank_trans - WHERE ".TB_PREF."bank_trans.bank_act = '" . $_POST['bank_account'] . "' + WHERE ".TB_PREF."bank_trans.bank_act = ".db_escape($_POST['bank_account']) . " AND (reconciled IS NULL OR reconciled='". $date ."') ORDER BY trans_date,".TB_PREF."bank_trans.id"; // or ORDER BY reconciled desc, trans_date,".TB_PREF."bank_trans.id";
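Review bot: `$date` is still interpolated raw in `SUM(IF(reconciled<'$date', amount, 0))` while the same statement now escapes `$_POST['bank_account']`; the last hunk has the same pattern at `reconciled='". $date ."'`. `$date` is assigned outside these hunks, so it may already be a date2sql() result, but routing it through db_escape() as well (`SUM(IF(reconciled<".db_escape($date).", amount, 0))` here and `reconciled=".db_escape($date)` in the last hunk) makes the three statements consistent and keeps the quoting guarantee in one place instead of depending on how `$date` was produced.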