X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=manufacturing%2Fsearch_work_orders.php;h=447dbd0782cbedf4013bb08fda3e87a99426356c;hb=54d84ff9a67620ab38c676cdbcf87853632724f0;hp=ea3aae225683a22587d6e307bf4457dfc6687276;hpb=3dc709543cc713810811d269a8b2ce035146a559;p=fa-stable.git

diff --git a/manufacturing/search_work_orders.php b/manufacturing/search_work_orders.php
index ea3aae22..447dbd07 100644
--- a/manufacturing/search_work_orders.php
+++ b/manufacturing/search_work_orders.php
@@ -183,17 +183,17 @@ if (check_value('OpenOnly') || $outstanding_only != 0)
 
 if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != $all_items)
 {
-	$sql .= " AND workorder.loc_code='" . $_POST['StockLocation'] . "' ";
+	$sql .= " AND workorder.loc_code=".db_escape($_POST['StockLocation']);
 }
 
 if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "")
 {
-	$sql .= " AND workorder.wo_ref LIKE '%". $_POST['OrderNumber'] . "%'";
+	$sql .= " AND workorder.wo_ref LIKE ".db_escape('%'.$_POST['OrderNumber'].'%');
 }
 
 if (isset($_POST['SelectedStockItem']) && $_POST['SelectedStockItem'] != $all_items)
 {
-	$sql .= " AND workorder.stock_id='". $_POST['SelectedStockItem'] . "'";
+	$sql .= " AND workorder.stock_id=".db_escape($_POST['SelectedStockItem']);
 }
 
 if (check_value('OverdueOnly'))