X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=inventory%2Fpurchasing_data.php;h=de9ed65e000d3a155f244ae3b1a3dc982db2503f;hb=510d6e1925c4d1621ae3efd85e117cc9bb4320f0;hp=3d64db513b7f32b31dc0de489400e11ea0ca48fd;hpb=95303d7b5280820af76ddbd8908b120813f1e763;p=fa-stable.git
diff --git a/inventory/purchasing_data.php b/inventory/purchasing_data.php
index 3d64db51..de9ed65e 100644
--- a/inventory/purchasing_data.php
+++ b/inventory/purchasing_data.php
@@ -9,8 +9,8 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the License here .
 ***********************************************************************/
-$page_security = 4;
-$path_to_root="..";
+$page_security = 'SA_PURCHASEPRICING';
+$path_to_root = "..";
 include_once($path_to_root . "/includes/session.inc");
 page(_("Supplier Purchasing Data"));
@@ -58,20 +58,21 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
 $sql = "INSERT INTO ".TB_PREF."purch_data (supplier_id, stock_id, price, suppliers_uom, conversion_factor, supplier_description) VALUES (";
- $sql .= "'".$_POST['supplier_id']."', '" . $_POST['stock_id'] . "', " .
- input_num('price',0) . ", '" . $_POST['suppliers_uom'] . "', " .
- input_num('conversion_factor') . ", " . db_escape($_POST['supplier_description']) . ")";
+ $sql .= db_escape($_POST['supplier_id']).", ".db_escape($_POST['stock_id']). ", "
+ .input_num('price',0) . ", ".db_escape( $_POST['suppliers_uom'] ). ", "
+ .input_num('conversion_factor') . ", "
+ .db_escape($_POST['supplier_description']) . ")";
 db_query($sql,"The supplier purchasing details could not be added");
 display_notification(_("This supplier purchasing data has been added."));
 } else { $sql = "UPDATE ".TB_PREF."purch_data SET price=" . input_num('price',0) . ",
- suppliers_uom='" . $_POST['suppliers_uom'] . "',
+ suppliers_uom=".db_escape($_POST['suppliers_uom']) . ",
 conversion_factor=" . input_num('conversion_factor') . ", supplier_description=" . db_escape($_POST['supplier_description']) . "
- WHERE stock_id='" . $_POST['stock_id'] . "' AND
- supplier_id='$selected_id'";
+ WHERE stock_id=".db_escape($_POST['stock_id']) . " AND
+ supplier_id=".db_escape($selected_id);
 db_query($sql,"The supplier purchasing details could not be updated");
 display_notification(_("Supplier purchasing data has been updated."));
@@ -85,8 +86,8 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
 if ($Mode == 'Delete') {
- $sql = "DELETE FROM ".TB_PREF."purch_data WHERE supplier_id='$selected_id'
- AND stock_id='" . $_POST['stock_id'] . "'";
+ $sql = "DELETE FROM ".TB_PREF."purch_data WHERE supplier_id=".db_escape($selected_id)."
+ AND stock_id=".db_escape($_POST['stock_id']);
 db_query($sql,"could not delete purchasing data");
 display_notification(_("The purchasing data item has been sucessfully deleted."));
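Review bot: The string columns are now escaped, but `input_num('price',0)` and `input_num('conversion_factor')` are still concatenated straight into the INSERT and UPDATE statements, so the fix is only complete if input_num is guaranteed to return a number for every posted value — presumably it does since it parses the field, but the hunk gives no evidence, and `conversion_factor` is the one call without a default, so a blank field would yield `conversion_factor=,` and fail at db_query with the generic message instead of a field-level error unless validation above the hunk already rejects it (the enclosing `if ($Mode=='ADD_ITEM' || ...)` block starts outside the hunk). The quotes dropped around each value also show that db_escape is expected to return an already-quoted literal; a one-line comment at the first use, `// db_escape() quotes as well as escapes; never wrap the result in quotes`, would stop the next contributor from re-adding quotes and breaking the query. Style only: `db_escape( $_POST['suppliers_uom'] )` has inner spaces unlike the other calls on the same lines, and the leading-dot concatenation in the INSERT differs from the trailing-dot style kept in the UPDATE branch. The DELETE in the -85 hunk applies the same escaping pattern and needs nothing beyond this.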
@@ -130,10 +131,11 @@ if ($mb_flag == -1)
 else {
- $sql = "SELECT ".TB_PREF."purch_data.*,".TB_PREF."suppliers.supp_name,".TB_PREF."suppliers.curr_code
+ $sql = "SELECT ".TB_PREF."purch_data.*,".TB_PREF."suppliers.supp_name,"
+ .TB_PREF."suppliers.curr_code
 FROM ".TB_PREF."purch_data INNER JOIN ".TB_PREF."suppliers ON ".TB_PREF."purch_data.supplier_id=".TB_PREF."suppliers.supplier_id
- WHERE stock_id = '" . $_POST['stock_id'] . "'";
+ WHERE stock_id = ".db_escape($_POST['stock_id']);
 $result = db_query($sql, "The supplier purchasing details for the selected part could not be retrieved");
 div_start('price_table');
@@ -187,8 +189,8 @@ if ($Mode =='Edit')
 $sql = "SELECT ".TB_PREF."purch_data.*,".TB_PREF."suppliers.supp_name FROM ".TB_PREF."purch_data INNER JOIN ".TB_PREF."suppliers ON ".TB_PREF."purch_data.supplier_id=".TB_PREF."suppliers.supplier_id
- WHERE ".TB_PREF."purch_data.supplier_id='$selected_id'
- AND ".TB_PREF."purch_data.stock_id='" . $_POST['stock_id'] . "'";
+ WHERE ".TB_PREF."purch_data.supplier_id=".db_escape($selected_id)."
+ AND ".TB_PREF."purch_data.stock_id=".db_escape($_POST['stock_id']);
 $result = db_query($sql, "The supplier purchasing details for the selected supplier and item could not be retrieved");
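Review bot: Both SELECTs (this hunk and the -187 hunk) now pass `$_POST['stock_id']` through db_escape, which closes the quoting hole, but neither checks that the key is present before the query is built; with no stock_id posted, PHP raises an undefined-index notice or warning and the query runs against whatever db_escape makes of a null — presumably an empty literal — so the page would show no rows rather than an error. A presence check on `$_POST['stock_id']` ahead of the query, reporting through display_error as the rest of the page does, would make that failure explicit. Consistency point on the new line in this hunk: the WHERE uses an unqualified `stock_id` while the -187 hunk qualifies it as `".TB_PREF."purch_data.stock_id`; writing `WHERE ".TB_PREF."purch_data.stock_id = ".db_escape($_POST['stock_id'])` here keeps the two joined queries alike and cannot become ambiguous if the suppliers table ever gains a column of that name. The `else` branch here and the `if ($Mode =='Edit')` body in the -187 hunk both continue outside the hunk.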