X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=purchasing%2Fincludes%2Fpurchasing_db.inc;h=51b456a216ec01346ce42f059894b6c4e15c1941;hb=1466764d49233238c6097c95341875be552d7487;hp=da038358b1faf5fb95d3cf13e42f1745a6112f88;hpb=8e3567f6952033224a613d9b5a42017bc6295aef;p=fa-stable.git
diff --git a/purchasing/includes/purchasing_db.inc b/purchasing/includes/purchasing_db.inc
index da038358..51b456a2 100644
--- a/purchasing/includes/purchasing_db.inc
+++ b/purchasing/includes/purchasing_db.inc
@@ -32,14 +32,14 @@ include_once($path_to_root . "/purchasing/includes/db/suppliers_db.inc");
 // $amount is in SUPPLIERS'S currency
 function add_gl_trans_supplier($type, $type_no, $date_, $account, $dimension, $dimension2,
- $amount, $supplier_id, $err_msg="", $rate=0)
+ $amount, $supplier_id, $err_msg="", $rate=0, $memo="")
 {
 if ($err_msg == "")
 $err_msg = "The supplier GL transaction could not be inserted";
- return add_gl_trans($type, $type_no, $date_, $account, $dimension, $dimension2, "",
+ return add_gl_trans($type, $type_no, $date_, $account, $dimension, $dimension2, $memo,
 $amount, get_supplier_currency($supplier_id),
- payment_person_types::supplier(), $supplier_id, $err_msg, $rate);
+ PT_SUPPLIER, $supplier_id, $err_msg, $rate);
 }
 //----------------------------------------------------------------------------------------
@@ -47,8 +47,8 @@ function add_gl_trans_supplier($type, $type_no, $date_, $account, $dimension, $d
 function get_purchase_price($supplier_id, $stock_id)
 {
 $sql = "SELECT price, conversion_factor FROM ".TB_PREF."purch_data
- WHERE supplier_id = '" . $supplier_id . "'
- AND stock_id = '". $stock_id . "'";
+ WHERE supplier_id = ".db_escape($supplier_id) . "
+ AND stock_id = ".db_escape($stock_id);
 $result = db_query($sql, "The supplier pricing details for " . $stock_id . " could not be retrieved");
 if (db_num_rows($result) == 1)
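Review bot: The new `$memo` parameter of add_gl_trans_supplier is undocumented — the header comment above the signature still describes only `$amount`. Suggest extending it to `// $amount is in SUPPLIER'S currency; $memo (optional) is passed through unchanged to add_gl_trans() as the GL memo text`. add_gl_trans is defined outside this file, so the hunk does not show whether it escapes `$memo` before it reaches SQL; if it does not, memo text that originates from a form field would need the same `db_escape()` treatment the other hunks in this commit apply, and that assumption is worth stating in the comment.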
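Review bot: In get_purchase_price the SQL side of the lookup is now escaped, but `$stock_id` is still concatenated raw into the error text on the next line, `"The supplier pricing details for " . $stock_id . " could not be retrieved"`; the get_purchase_conversion_factor and get_purchase_data hunks repeat the same pattern. That is not a SQL problem, but if db_query() renders the message as HTML on failure (not visible in this diff), a user-supplied stock id would be echoed unescaped. Building the message with `htmlspecialchars($stock_id, ENT_QUOTES, 'UTF-8')`, or escaping at the point of display, closes that. The new WHERE clause also relies on `db_escape()` returning a fully quoted literal (it is used with no surrounding quotes); that helper is outside the diff, so the hunk assumes rather than shows it.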
@@ -65,8 +65,8 @@ function get_purchase_price($supplier_id, $stock_id)
 function get_purchase_conversion_factor($supplier_id, $stock_id)
 {
 $sql = "SELECT conversion_factor FROM ".TB_PREF."purch_data
- WHERE supplier_id = '" . $supplier_id . "'
- AND stock_id = '". $stock_id . "'";
+ WHERE supplier_id = ".db_escape($supplier_id)."
+ AND stock_id = ".db_escape($stock_id);
 $result = db_query($sql, "The supplier pricing details for " . $stock_id . " could not be retrieved");
 if (db_num_rows($result) == 1)
@@ -84,8 +84,8 @@ function get_purchase_conversion_factor($supplier_id, $stock_id)
 function get_purchase_data($supplier_id, $stock_id)
 {
 $sql = "SELECT * FROM ".TB_PREF."purch_data
- WHERE supplier_id = '" . $supplier_id . "'
- AND stock_id = '". $stock_id . "'";
+ WHERE supplier_id = ".db_escape($supplier_id) . "
+ AND stock_id = ".db_escape($stock_id);
 $result = db_query($sql, "The supplier pricing details for " . $stock_id . " could not be retrieved");
 return db_fetch($result);
@@ -97,18 +97,19 @@ function add_or_update_purchase_data($supplier_id, $stock_id, $price, $descripti
 if ($data === false)
 {
 $sql = "INSERT INTO ".TB_PREF."purch_data (supplier_id, stock_id, price, suppliers_uom,
- conversion_factor, supplier_description) VALUES ('$supplier_id', '$stock_id',
- $price, '$uom', 1, '$description')";
+ conversion_factor, supplier_description) VALUES (".db_escape($supplier_id)
+ .", ".db_escape($stock_id).", ".db_escape($price).", "
+ .db_escape($uom).", 1, ".db_escape($description).")";
 db_query($sql,"The supplier purchasing details could not be added");
 return;
 }
- $price = round($price * $data['conversion_factor'], user_price_dec());
- $sql = "UPDATE ".TB_PREF."purch_data SET price=$price";
+ $price = round($price * $data['conversion_factor'], user_price_dec());
+ $sql = "UPDATE ".TB_PREF."purch_data SET price=".db_escape($price);
 if ($uom != "")
- $sql .= ",suppliers_uom='$uom'";
+ $sql .= ",suppliers_uom=".db_escape($uom);
 if ($description != "")
- $sql .= ",supplier_description='$description'";
- $sql .= " WHERE stock_id='$stock_id' AND supplier_id='$supplier_id'";
+ $sql .= ",supplier_description=".db_escape($description);
+ $sql .= " WHERE stock_id=".db_escape($stock_id)." AND supplier_id=".db_escape($supplier_id);
 db_query($sql,"The supplier purchasing details could not be updated");
 return true;
 }
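Review bot: `$price` is escaped on both paths of add_or_update_purchase_data but never checked to be numeric: the INSERT hands it straight to `db_escape($price)`, and the UPDATE multiplies it by `$data['conversion_factor']` before escaping, so a non-numeric value reaches the database as a quoted string and its handling is left to the SQL mode rather than to this code. A guard at the top of the function, `if (!is_numeric($price)) return false;`, would make the failure explicit; the signature and the assignment of `$data` sit outside this hunk, so the guard's exact placement cannot be shown here. The two paths also disagree on their result — the insert branch ends with `return;` while the update branch ends with `return true;` — so a caller testing the return value sees null for a successful insert; `return true;` on the insert path would make them consistent.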