X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=inventory%2Fincludes%2Fdb%2Fitems_prices_db.inc;h=9b670d2499fb55dbf7ed68ceb5df4a6515bcb48c;hb=e98dad8c105182b946fd58518710d86214f94c91;hp=8746b121ac9acb26d6a8d93267bc779299a8ca89;hpb=818719f38b8327cdca616d58b13913dbd174d96a;p=fa-stable.git

diff --git a/inventory/includes/db/items_prices_db.inc b/inventory/includes/db/items_prices_db.inc
index 8746b121..9b670d24 100644
--- a/inventory/includes/db/items_prices_db.inc
+++ b/inventory/includes/db/items_prices_db.inc
@@ -1,35 +1,35 @@
 <?php
 /**********************************************************************
     Copyright (C) FrontAccounting, LLC.
-	Released under the terms of the GNU Affero General Public License,
-	AGPL, as published by the Free Software Foundation, either version 
-	3 of the License, or (at your option) any later version.
+	Released under the terms of the GNU General Public License, GPL, 
+	as published by the Free Software Foundation, either version 3 
+	of the License, or (at your option) any later version.
     This program is distributed in the hope that it will be useful,
     but WITHOUT ANY WARRANTY; without even the implied warranty of
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  
-    See the License here <http://www.gnu.org/licenses/agpl-3.0.html>.
+    See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
 ***********************************************************************/
 function add_item_price($stock_id, $sales_type_id, $curr_abrev, $price)
 {
 	$sql = "INSERT INTO ".TB_PREF."prices (stock_id, sales_type_id, curr_abrev, price) 
-		VALUES ('$stock_id', $sales_type_id, '$curr_abrev', $price)";
+		VALUES (".db_escape($stock_id).", ".db_escape($sales_type_id)
+		.", ".db_escape($curr_abrev).", ".db_escape($price).")";
 	
 	db_query($sql,"an item price could not be added");		
 }
 
 function update_item_price($price_id, $sales_type_id, $curr_abrev, $price)
 {
-	$sql = "UPDATE ".TB_PREF."prices SET sales_type_id=$sales_type_id, 
-		curr_abrev='$curr_abrev', 
-		price=$price 
-		WHERE id=$price_id";
+	$sql = "UPDATE ".TB_PREF."prices SET sales_type_id=".db_escape($sales_type_id).", 
+		curr_abrev=".db_escape($curr_abrev).", 
+		price=".db_escape($price)." WHERE id=".db_escape($price_id);
 	
 	db_query($sql,"an item price could not be updated");		
 }
 
 function delete_item_price($price_id)
 {
-	$sql="DELETE FROM ".TB_PREF."prices WHERE id= $price_id";
+	$sql="DELETE FROM ".TB_PREF."prices WHERE id= ".db_escape($price_id);
 	db_query($sql,"an item price could not be deleted");			
 }
 
@@ -38,14 +38,15 @@ function get_prices($stock_id)
 	$sql = "SELECT ".TB_PREF."sales_types.sales_type, ".TB_PREF."prices.* 
 		FROM ".TB_PREF."prices, ".TB_PREF."sales_types 
 		WHERE ".TB_PREF."prices.sales_type_id = ".TB_PREF."sales_types.id 
-		AND stock_id='$stock_id' ORDER BY curr_abrev, sales_type_id";	
+		AND stock_id=".db_escape($stock_id)
+		." ORDER BY curr_abrev, sales_type_id";	
 	
 	return db_query($sql,"item prices could not be retreived");
 }
 
 function get_stock_price($price_id)
 {
-	$sql = "SELECT * FROM ".TB_PREF."prices	WHERE id=$price_id";	
+	$sql = "SELECT * FROM ".TB_PREF."prices WHERE id=".db_escape($price_id);
 	
 	$result = db_query($sql,"price could not be retreived");