X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=inventory%2Fincludes%2Fdb%2Fitems_codes_db.inc;h=5169e2d02348a28da83bdfd6311c14fdc9348cad;hb=8ea6c4dd0d9b31b3456d012b0c94339b801bee0c;hp=dda5ec711bef5c3158eea184f069cd6b7a6e5554;hpb=818719f38b8327cdca616d58b13913dbd174d96a;p=fa-stable.git
diff --git a/inventory/includes/db/items_codes_db.inc b/inventory/includes/db/items_codes_db.inc
index dda5ec71..5169e2d0 100644
--- a/inventory/includes/db/items_codes_db.inc
+++ b/inventory/includes/db/items_codes_db.inc
@@ -1,13 +1,13 @@
 . + See the License here . ***********************************************************************/
 /* item_codes table is used to store both multiply foreign codes and
@@ -19,7 +19,7 @@ function update_item_code($id, $item_code, $stock_id, $description, $category, $
 item_code = ".db_escape($item_code).",
 stock_id = ".db_escape($stock_id).",
 description = ".db_escape($description).",
- category_id = $category,
+ category_id = ".db_escape($category).",
 quantity = ".db_escape($qty).",
 is_foreign = ".db_escape($foreign)."
 WHERE ";
@@ -28,7 +28,7 @@ function update_item_code($id, $item_code, $stock_id, $description, $category, $
 $sql .= "item_code = ".db_escape($item_code)
 ." AND stock_id = ".db_escape($stock_id);
 else
- $sql .= "id = $id";
+ $sql .= "id = ".db_escape($id);
 db_query($sql,"an item code could not be updated");
 }
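Review bot: The new `category_id = ".db_escape($category).",` leaves the SQL type of a presumably integer column to whatever PHP type `$category` arrives as, and the same pattern is applied to the `id` and `is_foreign` values in this and later hunks; an explicit cast pins the type independently of the escape helper, e.g. `category_id = ".(int)$category.",` here and `$sql .= "id = ".(int)$id;` in the next hunk. The other places are `$category`, `$foreign` and `$id` in add_item_code, delete_item_code and get_item_code (@@ -38), `$foreign` in get_all_item_codes (@@ -63) and `$category` in update_kit_props (@@ -145); db_escape remains the right tool for the string columns item_code, stock_id and description. db_escape itself is outside this page, so how it treats a non-string scalar such as a bool `$foreign` (quotes it, passes it through, or rejects it) is worth confirming before relying on it for numeric columns. update_item_code's signature and the start of its body lie outside the hunk.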
@@ -38,20 +38,21 @@ function add_item_code($item_code, $stock_id, $description, $category, $qty, $fo
 $sql = "INSERT INTO ".TB_PREF."item_codes (item_code, stock_id, description,
 category_id, quantity, is_foreign) VALUES(
 ".db_escape($item_code).",".db_escape($stock_id).",
- ".db_escape($description).",$category,".db_escape($qty).",".$foreign.")";
+ ".db_escape($description).",".db_escape($category)
+ .",".db_escape($qty).",".db_escape($foreign).")";
 db_query($sql,"an item code could not be added");
 }
 function delete_item_code($id)
 {
- $sql="DELETE FROM ".TB_PREF."item_codes WHERE id='$id'";
+ $sql="DELETE FROM ".TB_PREF."item_codes WHERE id=".db_escape($id);
 db_query($sql,"an item code could not be deleted");
 }
 function get_item_code($id)
 {
- $sql="SELECT * FROM ".TB_PREF."item_codes WHERE id='$id'";
+ $sql="SELECT * FROM ".TB_PREF."item_codes WHERE id=".db_escape($id);
 $result = db_query($sql,"item code could not be retrieved");
@@ -63,9 +64,9 @@ function get_all_item_codes($stock_id, $foreign=1)
 $sql="SELECT i.*, c.description as cat_name FROM "
 .TB_PREF."item_codes as i,"
 .TB_PREF."stock_category as c
- WHERE stock_id='$stock_id'
+ WHERE stock_id=".db_escape($stock_id)."
 AND i.category_id=c.category_id
- AND i.is_foreign=$foreign";
+ AND i.is_foreign=".db_escape($foreign);
 $result = db_query($sql,"all item codes could not be retrieved");
@@ -74,7 +75,7 @@ function get_all_item_codes($stock_id, $foreign=1)
 function delete_item_kit($item_code)
 {
- $sql="DELETE FROM ".TB_PREF."item_codes WHERE item_code='$item_code'";
+ $sql="DELETE FROM ".TB_PREF."item_codes WHERE item_code=".db_escape($item_code);
 db_query($sql,"an item kit could not be deleted");
 }
@@ -90,7 +91,7 @@ function get_item_kit($item_code)
 item.stock_id=comp.item_code
 WHERE kit.stock_id=comp.item_code
- AND kit.item_code='$item_code'";
+ AND kit.item_code=".db_escape($item_code);
 $result = db_query($sql,"item kit could not be retrieved");
@@ -101,7 +102,7 @@ function get_item_code_dflts($stock_id)
 {
 $sql = "SELECT units, decimals, description, category_id FROM ".TB_PREF."stock_master,".TB_PREF."item_units
- WHERE stock_id='$stock_id'";
+ WHERE stock_id=".db_escape($stock_id);
 $result = db_query($sql,"item code defaults could not be retrieved");
 return db_fetch($result);
@@ -137,7 +138,7 @@ function check_item_in_kit($old_id, $kit_code, $item_code, $recurse=false)
 function get_kit_props($kit_code)
 {
 $sql = "SELECT description, category_id FROM ".TB_PREF."item_codes "
- . " WHERE item_code='$kit_code'";
+ . " WHERE item_code=".db_escape($kit_code);
 $res = db_query($sql, "kit name query failed");
 return db_fetch($res);
 }
@@ -145,8 +146,8 @@ function get_kit_props($kit_code)
 function update_kit_props($kit_code, $name, $category)
 {
 $sql = "UPDATE ".TB_PREF."item_codes SET description="
- . db_escape($name).",category_id=".db_escape($category)
- . " WHERE item_code='$kit_code'";
+ . db_escape($name).",category_id=".db_escape($category)
+ . " WHERE item_code=".db_escape($kit_code);
 db_query($sql, "kit name update failed");
 }
@@ -154,8 +155,8 @@ function get_where_used($item_code)
 {
 $sql = "SELECT item_code, description FROM "
 .TB_PREF."item_codes "
- . " WHERE stock_id='$item_code'
- AND item_code!='$item_code'";
+ . " WHERE stock_id=".db_escape($item_code)."
+ AND item_code!=".db_escape($item_code);
 return db_query($sql, "where used query failed");
 }
 ?>
\ No newline at end of file
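Review bot: In get_item_code_dflts the rewritten `WHERE stock_id=".db_escape($stock_id)` is the only predicate over the two tables listed in FROM (`stock_master` and `item_units`), so the statement is a cross product of the matching stock row with every item_units row, and `return db_fetch($result)` hands back `decimals` from whichever unit row happens to come first. The escaping change is correct; what is missing is the join between the tables, presumably on the unit code (`units` in stock_master against item_units' key column — confirm against the schema), e.g. `WHERE stock_id=".db_escape($stock_id)." AND units=abbr";`. The function's closing brace is outside the hunk.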
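Review bot: The file still ends with a `?>` closing tag (the context line after get_where_used's closing brace) in a PHP-only include, and only the `\ No newline at end of file` state keeps it from emitting output when loaded; any whitespace beyond a single newline that an editor later appends after it becomes stray output, which bites includes pulled in before headers are sent. Dropping the `?>` line is the usual fix and is independent of the escaping change in this hunk. The rewritten `WHERE stock_id=…` / `AND item_code!=…` lines themselves look right.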