X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=sales%2Fincludes%2Fdb%2Fsales_order_db.inc;h=cbefe7aa09994fa82699e39be027b64a3d44cfcc;hb=3d8405dc9f78b3141d63c574e53b21ba38e45c10;hp=cb8e416b4ec4b610185a7c6ab69c20a18f38e333;hpb=83d7715f9571cc167be7d54b7f4807ec19d7aa5c;p=fa-stable.git
diff --git a/sales/includes/db/sales_order_db.inc b/sales/includes/db/sales_order_db.inc
index cb8e416b..cbefe7aa 100644
--- a/sales/includes/db/sales_order_db.inc
+++ b/sales/includes/db/sales_order_db.inc
@@ -54,20 +54,20 @@ function add_sales_order(&$order) $sql = "INSERT INTO ".TB_PREF."sales_orders (type, debtor_no, branch_code, customer_ref, comments, ord_date, order_type, ship_via, deliver_to, delivery_address, contact_phone, contact_email, freight_cost, from_stk_loc, delivery_date) - VALUES (" .db_quote($order_type) . "," . db_quote($order->customer_id) . - ", " . db_quote($order->Branch) . ", ". - db_quote($order->cust_ref) .",". - db_quote($order->Comments) .",'" . + VALUES (" .db_escape($order_type) . "," . db_escape($order->customer_id) . + ", " . db_escape($order->Branch) . ", ". + db_escape($order->cust_ref) .",". + db_escape($order->Comments) .",'" . date2sql($order->document_date) . "', " . - db_quote($order->sales_type) . ", " . - $_POST['ship_via'] ."," . - db_quote($order->deliver_to) . "," . - db_quote($order->delivery_address) . ", " . - db_quote($order->phone) . ", " . - db_quote($order->email) . ", " . - db_quote($order->freight_cost) .", " . - db_quote($order->Location) .", " . - db_quote($del_date) . ")"; + db_escape($order->sales_type) . ", " . + db_escape($order->ship_via)."," . + db_escape($order->deliver_to) . "," . + db_escape($order->delivery_address) . ", " . + db_escape($order->phone) . ", " . + db_escape($order->email) . ", " . + db_escape($order->freight_cost) .", " . + db_escape($order->Location) .", " . + db_escape($del_date) . ")"; db_query($sql, "order Cannot be Added"); 
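Review bot: The document date is now the only value in this INSERT that bypasses escaping: the unchanged context line splices `date2sql($order->document_date)` between literal single quotes while every other value in the rewritten lines goes through db_escape, and update_sales_order (the `@@ -182` hunk) escapes the same date as `db_escape($ord_date)`. Judging by hunk `@@ -111`, where the surrounding quotes around `$line->stock_id` are dropped, db_escape appears to return an already-quoted value, so the consistent form is `db_escape($order->Comments) ."," .` followed by `db_escape(date2sql($order->document_date)) . ", " .`. Replacing the removed `$_POST['ship_via']` operand with `db_escape($order->ship_via)` is the important part of this hunk; a request parameter was previously concatenated into the statement unescaped from inside the DB layer. add_sales_order continues beyond this hunk.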
@@ -111,7 +111,8 @@ function add_sales_order(&$order) $sql = "INSERT INTO ".TB_PREF."sales_order_details (order_no, stk_code, description, unit_price, quantity, discount_percent) VALUES ("; $sql .= $order_no . - ",'$line->stock_id', '$line->item_description', $line->price, + ",".db_escape($line->stock_id).", " + .db_escape($line->item_description).", $line->price, $line->quantity, $line->discount_percent)"; db_query($sql, "order Details Cannot be Added"); 
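Review bot: The numeric line fields are still interpolated raw in this INSERT: the second added line ends with `$line->price,` and the following context line contributes `$line->quantity, $line->discount_percent)";`, whereas the parallel statement in update_sales_order (the `@@ -247` hunk) passes the same three fields through db_escape. The hunk does not show where these values originate, but if they are posted form fields a non-numeric value reaches the query unchecked. Matching the update path would give `.db_escape($line->item_description).", ".db_escape($line->price).", "` and `.db_escape($line->quantity).", ".db_escape($line->discount_percent).")";`. `$order_no` is also concatenated directly; it is presumably the key generated just before this statement rather than user input, which is worth confirming. add_sales_order begins before this hunk and continues after it.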
@@ -182,24 +183,23 @@ function update_sales_order($order) begin_transaction(); $sql = "UPDATE ".TB_PREF."sales_orders SET type =".$order->so_type." , - debtor_no = " . db_quote($order->customer_id) . ", - branch_code = " . db_quote($order->Branch) . ", - customer_ref = ". db_quote($order->cust_ref) .", - comments = ". db_quote($order->Comments) .", - ord_date = " . db_quote($ord_date) . ", - order_type = " .db_quote($order->sales_type) . ", - ship_via = " . db_quote($order->ship_via) .", - deliver_to = " . db_quote($order->deliver_to) . ", - delivery_address = " . db_quote($order->delivery_address) . ", - contact_phone = " .db_quote($order->phone) . ", - contact_email = " .db_quote($order->email) . ", - freight_cost = " .db_quote($order->freight_cost) .", - from_stk_loc = " .db_quote($order->Location) .", - delivery_date = " .db_quote($del_date). ", + debtor_no = " . db_escape($order->customer_id) . ", + branch_code = " . db_escape($order->Branch) . ", + customer_ref = ". db_escape($order->cust_ref) .", + comments = ". db_escape($order->Comments) .", + ord_date = " . db_escape($ord_date) . ", + order_type = " .db_escape($order->sales_type) . ", + ship_via = " . db_escape($order->ship_via) .", + deliver_to = " . db_escape($order->deliver_to) . ", + delivery_address = " . db_escape($order->delivery_address) . ", + contact_phone = " .db_escape($order->phone) . ", + contact_email = " .db_escape($order->email) . ", + freight_cost = " .db_escape($order->freight_cost) .", + from_stk_loc = " .db_escape($order->Location) .", + delivery_date = " .db_escape($del_date). ", version = ".($version+1)." WHERE order_no=" . $order_no ." AND version=".$version; - db_query($sql, "order Cannot be Updated, this can be concurrent edition conflict"); $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =" . $order_no; 
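Review bot: `$order->so_type` is left unescaped in this UPDATE: the context line `SET type =".$order->so_type." ,` concatenates it directly while the fourteen rewritten assignments below it all go through db_escape. Either escape it like the rest, `SET type = ".db_escape($order->so_type).",`, or cast it, `SET type = ".(int)$order->so_type.",`, if it is always an integer type code; the hunk does not show where it is assigned. The same applies to `$order_no` and `$version` in the WHERE clause, which are presumably internal integers but would be clearer with an explicit `(int)` cast. update_sales_order continues outside the hunk on both sides.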
@@ -247,13 +247,13 @@ function update_sales_order($order) (order_no, stk_code, description, unit_price, quantity, discount_percent, qty_sent) VALUES ("; - $sql .= $order_no . ",'" - .$line->stock_id . "','" - .$line->item_description . "', " - .$line->price . ", " - .$line->quantity . ", " - .$line->discount_percent . ", " - .$line->qty_done ." )"; + $sql .= $order_no . "," + .db_escape($line->stock_id) . "," + .db_escape($line->item_description) . ", " + .db_escape($line->price) . ", " + .db_escape($line->quantity) . ", " + .db_escape($line->discount_percent) . ", " + .db_escape($line->qty_done) ." )"; db_query($sql, "Old order Cannot be Inserted");
@@ -362,7 +362,8 @@ function read_sales_order($order_no, &$order) $order->set_branch($myrow["branch_code"], $myrow["tax_group_id"], $myrow["tax_group_name"], $myrow["contact_phone"], $myrow["contact_email"]); - $order->set_sales_type($myrow["sales_type_id"], $myrow["sales_type"], $myrow["tax_included"]); + $order->set_sales_type($myrow["sales_type_id"], $myrow["sales_type"], + $myrow["tax_included"], 0); // no default price calculations on edit $order->set_location($myrow["from_stk_loc"], $myrow["location_name"]);
@@ -449,10 +450,14 @@ function get_customer_to_order($customer_id) {
 .TB_PREF."debtors_master.address, "
 .TB_PREF."credit_status.dissallow_invoices, "
 .TB_PREF."debtors_master.sales_type AS salestype, "
+ .TB_PREF."debtors_master.dimension_id, "
+ .TB_PREF."debtors_master.dimension2_id, "
 .TB_PREF."sales_types.sales_type, "
 .TB_PREF."sales_types.tax_included, "
+ .TB_PREF."sales_types.factor, "
 .TB_PREF."debtors_master.curr_code, "
- .TB_PREF."debtors_master.discount
+ .TB_PREF."debtors_master.discount,"
+ .TB_PREF."debtors_master.pymt_discount
 FROM ".TB_PREF."debtors_master, "
 .TB_PREF."credit_status, "
 .TB_PREF."sales_types