X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=gl%2Fgl_budget.php;h=c1236d182ca7bdcfa006d99bceda1ae8cb519464;hb=8ea6c4dd0d9b31b3456d012b0c94339b801bee0c;hp=ca4927ba51ea6e76a75080240f4e6aadaa199435;hpb=818719f38b8327cdca616d58b13913dbd174d96a;p=fa-stable.git
diff --git a/gl/gl_budget.php b/gl/gl_budget.php
index ca4927ba..c1236d18 100644
--- a/gl/gl_budget.php
+++ b/gl/gl_budget.php
@@ -1,16 +1,16 @@
 . + See the License here . ***********************************************************************/
-$page_security = 10;
-$path_to_root="..";
+$page_security = 'SA_BUDGETENTRY';
+$path_to_root = "..";
 include($path_to_root . "/includes/session.inc");
 add_js_file('budget.js');
@@ -27,8 +27,9 @@ check_db_has_gl_account_groups(_("There are no account groups defined. Please de
 function exists_gl_budget($date_, $account, $dimension, $dimension2)
 {
- $sql = "SELECT account FROM ".TB_PREF."budget_trans WHERE account='$account' AND tran_date='$date_' AND
- dimension_id=$dimension AND dimension2_id=$dimension2";
+ $sql = "SELECT account FROM ".TB_PREF."budget_trans WHERE account=".db_escape($account)
+ ." AND tran_date='$date_' AND
+ dimension_id=".db_escape($dimension)." AND dimension2_id=".db_escape($dimension2);
 $result = db_query($sql, "Cannot retreive a gl transaction");
 return (db_num_rows($result) > 0);
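Review bot: The date is still interpolated raw into the query (`tran_date='$date_'`) while every other value in the same statement now goes through db_escape(), so the escaping is incomplete; the same pattern is left in add_update_gl_budget_trans and delete_gl_budget_trans (`tran_date='$date'`) and in get_only_budget_trans_from_to (`'$from'`, `'$to'`). The caller visible in the next hunk passes `date2sql($date_)`, which presumably normalises a request-supplied date, but unless date2sql is known to reject anything that is not a well-formed date the escaping should not depend on it. Writing `." AND tran_date=".db_escape($date_)` (and likewise for `$date`, `$from`, `$to`) makes the queries uniformly escaped regardless of what date2sql returns. The closing of exists_gl_budget lies outside the hunk.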
@@ -39,12 +40,16 @@ function add_update_gl_budget_trans($date_, $account, $dimension, $dimension2, $
 $date = date2sql($date_);
 if (exists_gl_budget($date, $account, $dimension, $dimension2))
- $sql = "UPDATE ".TB_PREF."budget_trans SET amount=$amount WHERE account='$account' AND
- dimension_id=$dimension AND dimension2_id=$dimension2 AND tran_date='$date'";
+ $sql = "UPDATE ".TB_PREF."budget_trans SET amount=".db_escape($amount)
+ ." WHERE account=".db_escape($account)
+ ." AND dimension_id=".db_escape($dimension)
+ ." AND dimension2_id=".db_escape($dimension2)
+ ." AND tran_date='$date'";
 else
 $sql = "INSERT INTO ".TB_PREF."budget_trans (tran_date, account, dimension_id, dimension2_id, amount, memo_) VALUES ('$date',
- '$account', $dimension, $dimension2, $amount, '')";
+ ".db_escape($account).", ".db_escape($dimension).", "
+ .db_escape($dimension2).", ".db_escape($amount).", '')";
 db_query($sql, "The GL budget transaction could not be saved");
 }
@@ -53,8 +58,10 @@ function delete_gl_budget_trans($date_, $account, $dimension, $dimension2)
 {
 $date = date2sql($date_);
- $sql = "DELETE FROM ".TB_PREF."budget_trans WHERE account='$account' AND
- dimension_id=$dimension AND dimension2_id=$dimension2 AND tran_date='$date'";
+ $sql = "DELETE FROM ".TB_PREF."budget_trans WHERE account=".db_escape($account)
+ ." AND dimension_id=".db_escape($dimension)
+ ." AND dimension2_id=".db_escape($dimension2)
+ ." AND tran_date='$date'";
 db_query($sql, "The GL budget transaction could not be deleted");
 }
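Review bot: The exists_gl_budget() check followed by a separate INSERT or UPDATE is a check-then-act sequence with no transaction around it, so two concurrent saves of the same (date, account, dimension, dimension2) can both see "not exists" and both insert. Whether that produces duplicate rows or a key error depends on the budget_trans key definition, which is not visible here. If the table has a unique key over those four columns, a single `INSERT ... ON DUPLICATE KEY UPDATE amount=VALUES(amount)` removes the race and the exists_gl_budget() round trip; if it has no such key, the function would benefit from a comment stating that duplicates are tolerated by design. The signature of add_update_gl_budget_trans is outside the hunk.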
@@ -65,8 +72,10 @@ function get_only_budget_trans_from_to($from_date, $to_date, $account, $dimensio
 $to = date2sql($to_date);
 $sql = "SELECT SUM(amount) FROM ".TB_PREF."budget_trans
- WHERE account='$account' AND tran_date >= '$from' AND tran_date <= '$to'
- AND dimension_id = $dimension AND dimension2_id = $dimension2";
+ WHERE account=".db_escape($account)
+ ." AND tran_date >= '$from' AND tran_date <= '$to'
+ AND dimension_id = ".db_escape($dimension)
+ ." AND dimension2_id = ".db_escape($dimension2);
 $result = db_query($sql,"No budget accounts were returned");
 $row = db_fetch_row($result);
@@ -142,7 +151,7 @@ if (db_has_gl_accounts())
 table_header($th);
 $year = $_POST['fyear'];
 if (get_post('update') == '') {
- $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=$year";
+ $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=".db_escape($year);
 $result = db_query($sql, "could not get current fiscal year");
@@ -185,7 +194,7 @@ if (db_has_gl_accounts())
 end_table(1);
 div_end();
 submit_center_first('update', _("Update"), '', null);
- submit('add', _("Save"), true, '', true);
+ submit('add', _("Save"), true, '', 'default');
 submit_center_last('delete', _("Delete"), '', true);
 }
 end_form();
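Review bot: `$year` is taken straight from `$_POST['fyear']` two lines above and, in the fiscal_year hunk, is compared against the numeric `id` column through db_escape(); passing it through db_escape() closes the injection, but for an integer key an explicit cast states the contract and does not rely on the driver coercing a quoted string to a number. `$sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=".(int)$year;` is the minimal form; if `$year` is also echoed back into the form elsewhere in the page, casting at the `$_POST` read instead keeps both uses consistent. The surrounding `if (db_has_gl_accounts())` block starts and ends outside the hunk.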