X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=sales%2Finquiry%2Fsales_orders_view.php;h=9a49fe512f974e7244e2eae61d50410ddb75076c;hb=e29ab37ef51f39c200c3772e07eeceef0ce39214;hp=a9741fa2bd3e86b1311573fef06913ed030f5c18;hpb=7d9fe15f85c15572535c5fa4555b9a72e9d93f04;p=fa-stable.git
diff --git a/sales/inquiry/sales_orders_view.php b/sales/inquiry/sales_orders_view.php
index a9741fa2..9a49fe51 100644
--- a/sales/inquiry/sales_orders_view.php
+++ b/sales/inquiry/sales_orders_view.php
@@ -221,8 +221,9 @@ $sql = "SELECT
 if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "") {
- // search orders with number like ...
- $sql .= " AND sorder.order_no LIKE '%". $_POST['OrderNumber'] ."'"
+ // search orders with number like
+ $number_like = "%".$_POST['OrderNumber'];
+ $sql .= " AND sorder.order_no LIKE ".db_escape($number_like)
 ." GROUP BY sorder.order_no";
 } else // ... or select inquiry constraints
@@ -236,13 +237,13 @@ else // ... or select inquiry constraints
 ." AND sorder.ord_date <= '$date_before'";
 }
 if ($selected_customer != -1)
- $sql .= " AND sorder.debtor_no='" . $selected_customer . "'";
+ $sql .= " AND sorder.debtor_no=".db_escape($selected_customer);
 if (isset($selected_stock_item))
- $sql .= " AND line.stk_code='". $selected_stock_item ."'";
+ $sql .= " AND line.stk_code=".db_escape($selected_stock_item);
 if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != reserved_words::get_all())
- $sql .= " AND sorder.from_stk_loc = '". $_POST['StockLocation'] . "' ";
+ $sql .= " AND sorder.from_stk_loc = ".db_escape($_POST['StockLocation'])." ";
 if ($_POST['order_view_mode']=='OutstandingOnly')
 $sql .= " AND line.qty_sent < line.quantity";
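Review bot: The LIKE wildcards in the user-supplied order number are still interpreted after the new `db_escape($number_like)` call, so an `OrderNumber` containing `%` or `_` widens the match instead of being searched literally. db_escape (assuming it behaves like the driver's string escaping plus quoting, which the missing quotes around the call suggest) neutralises quote characters but not LIKE metacharacters. Escaping them before the prefix is appended keeps the search literal: `$number_like = "%".addcslashes($_POST['OrderNumber'], '%_');` — the backslashes survive db_escape as `\%`/`\_` inside the literal, which LIKE reads as literal characters. The hunk header count suggests context lines were lost in this view, and the enclosing query assembly starts before the hunk.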
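Review bot: The date predicate left as context at the top of this hunk, `." AND sorder.ord_date <= '$date_before'";`, still interpolates a variable straight into the query, which is inconsistent with the db_escape() treatment the hunk gives the customer, stock item and location filters. If `$date_before` (and presumably a `$date_after` predicate just above the hunk, which I cannot see) is derived from a posted date field, it should go through the same path: `." AND sorder.ord_date <= ".db_escape($date_before);`. If it is already produced by an internal date-to-SQL conversion that guarantees a safe literal, a one-line comment saying so at that line would stop the next reader from raising this again. Also, `$_POST['order_view_mode']` near the end of the hunk is read without an isset() guard, unlike the other posted fields here.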