X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=purchasing%2Finquiry%2Fpo_search.php;h=a82a37435ff8c68eef47e7b7a179b3db9f06e8f3;hb=510d6e1925c4d1621ae3efd85e117cc9bb4320f0;hp=e8f9f0c6318abb12c5529181cd6eb9c5e5a67b9c;hpb=80dd97a37f674cc3691fa04af4c29607067566b2;p=fa-stable.git
diff --git a/purchasing/inquiry/po_search.php b/purchasing/inquiry/po_search.php
index e8f9f0c6..a82a3743 100644
--- a/purchasing/inquiry/po_search.php
+++ b/purchasing/inquiry/po_search.php
@@ -140,7 +140,7 @@ $sql = "SELECT
 if (isset($order_number) && $order_number != "")
 {
- $sql .= "AND porder.reference LIKE '%". $order_number . "%'";
+ $sql .= "AND porder.reference LIKE ".db_escape('%'. $order_number . '%');
 }
 else
 {
@@ -152,12 +152,12 @@ else
 if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != $all_items)
 {
- $sql .= " AND porder.into_stock_location = '". $_POST['StockLocation'] . "' ";
+ $sql .= " AND porder.into_stock_location = ".db_escape($_POST['StockLocation']);
 }
 if (isset($selected_stock_item))
 {
- $sql .= " AND line.item_code='". $selected_stock_item ."' ";
+ $sql .= " AND line.item_code=".db_escape($selected_stock_item);
 }
 } //end not order number selected
@@ -187,10 +187,6 @@ if (get_post('StockLocation') != $all_items) {
 $table =& new_db_pager('orders_tbl', $sql, $cols);
 $table->set_marker('check_overdue', _("Marked orders have overdue items."));
-if (get_post('SearchOrders')) {
- $table->set_sql($sql);
- $table->set_columns($cols);
-}
 $table->width = "80%";
 start_form();
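Review bot: The new `LIKE ".db_escape('%'. $order_number . '%')` fragment closes the quote-escaping hole, but `db_escape` presumably only escapes SQL string delimiters, so `%` and `_` inside `$order_number` still act as LIKE wildcards and a user can match far more references than the typed text (e.g. a lone `_`). If the intent is literal substring search, escape the metacharacters before wrapping: `$sql .= "AND porder.reference LIKE ".db_escape('%'. addcslashes($order_number, '%_') . '%');`. The fragment also relies on `db_escape` returning a quoted literal now that the explicit `'...'` is gone, and keeps the pre-existing missing leading space before `AND`, so the preceding `$sql` fragment must end in whitespace; where `$order_number` is assigned, and the rest of this if/else, lie outside the hunk.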
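Review bot: The replacement fragments drop the trailing space the old `"' "` literals carried, so whatever `$sql .=` follows the `line.item_code=` fragment must start with whitespace or the tokens will fuse; that next fragment is outside the hunk, so please confirm it. The same request field is read here as `$_POST['StockLocation']` while the header of the next hunk reads it through `get_post('StockLocation')`; using one accessor, e.g. `$sql .= " AND porder.into_stock_location = ".db_escape(get_post('StockLocation'));` with the matching `isset`/`!= $all_items` guard, keeps the two checks from diverging. The enclosing else-branch starts before this hunk.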