X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=includes%2Fdb%2Fcomments_db.inc;h=0a9a53e9d7a6d90a5e9eae59b9d1bb8fd00eabf9;hb=630e99edecc3eabe708a9e7bda94eaa60bf16db7;hp=d431e97d108a2d3f72ff322e65327097749338eb;hpb=a5242af68e65661edb7175412444dce536a7f311;p=fa-stable.git
diff --git a/includes/db/comments_db.inc b/includes/db/comments_db.inc
index d431e97d..0a9a53e9 100644
--- a/includes/db/comments_db.inc
+++ b/includes/db/comments_db.inc
@@ -13,7 +13,8 @@ function get_comments($type, $type_no)
 {
- $sql = "SELECT * FROM ".TB_PREF."comments WHERE type=$type AND id=$type_no";
+ $sql = "SELECT * FROM ".TB_PREF."comments WHERE type="
+ .db_escape($type)." AND id=".db_escape($type_no);
 return db_query($sql, "could not query comments transaction table");
 }
@@ -26,7 +27,8 @@ function add_comments($type, $type_no, $date_, $memo_)
 {
 $date = date2sql($date_);
 $sql = "INSERT INTO ".TB_PREF."comments (type, id, date_, memo_)
- VALUES ($type, $type_no, '$date', ".db_escape($memo_).")";
+ VALUES (".db_escape($type).", ".db_escape($type_no)
+ .", '$date', ".db_escape($memo_).")";
 db_query($sql, "could not add comments transaction entry");
 }
@@ -44,7 +46,9 @@ function update_comments($type, $id, $date_, $memo_)
 else
 {
 $date = date2sql($date_);
- $sql = "UPDATE ".TB_PREF."comments SET memo_=".db_escape($memo_)." WHERE type=$type AND id=$id AND date_='$date'";
+ $sql = "UPDATE ".TB_PREF."comments SET memo_=".db_escape($memo_)
+ ." WHERE type=".db_escape($type)." AND id=".db_escape($id)
+ ." AND date_='$date'";
 db_query($sql, "could not update comments");
 }
 }
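Review bot: `$date` is still interpolated raw into the query in add_comments (`'$date'` in the VALUES list) and update_comments (`AND date_='$date'`), so those two statements stay safe only as long as date2sql() normalizes every input to a fixed date shape rather than passing a malformed string back through, which this hunk does not let me confirm. Since the commit's purpose is to route every value through db_escape(), the date should go the same way: in add_comments `.", ".db_escape($date).", ".db_escape($memo_).")";` and in update_comments `." AND date_=".db_escape($date);` (db_escape supplies the surrounding quotes itself, as the memo_ column in the same statements shows). update_comments's body begins before this hunk; only its else branch is visible here.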
@@ -53,11 +57,11 @@ function update_comments($type, $id, $date_, $memo_)
 function delete_comments($type, $type_no)
 {
- $sql = "DELETE FROM ".TB_PREF."comments WHERE type=$type AND id=$type_no";
+ $sql = "DELETE FROM ".TB_PREF."comments WHERE type=".db_escape($type)
+ ." AND id=".db_escape($type_no);
 db_query($sql, "could not delete from comments transaction table");
 }
 //--------------------------------------------------------------------------------------------------
-?>
\ No newline at end of file
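Review bot: delete_comments still carries no docblock, and the parameter naming in this file is inconsistent for the same column — get_comments, add_comments and delete_comments take `$type_no` while update_comments (header visible in the previous hunk) takes `$id`. A one-line header such as `/** Removes every comment row attached to transaction $type_no of the given $type. */` above the function would state the contract; aligning the parameter name is better left to a separate change so it does not mix with the escaping fix.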