X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=sales%2Fmanage%2Fcustomer_branches.php;h=849ac557786c42867421968265c7e6958ed49f73;hb=8ea6c4dd0d9b31b3456d012b0c94339b801bee0c;hp=af6cd9968724a2edda2f99569cd7d9f6f33ecdf4;hpb=3ff9ed87cb909f19c8fe3e7dfda5df79d0c01a6c;p=fa-stable.git
diff --git a/sales/manage/customer_branches.php b/sales/manage/customer_branches.php
index af6cd996..849ac557 100644
--- a/sales/manage/customer_branches.php
+++ b/sales/manage/customer_branches.php
@@ -148,7 +148,7 @@ elseif ($Mode == 'Delete')
 // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtor_trans'
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no = '" . $_POST['customer_id']. "'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no = ".db_escape($_POST['customer_id']);
 $result = db_query($sql,"could not query debtortrans");
 $myrow = db_fetch_row($result);
 if ($myrow[0] > 0)
@@ -158,7 +158,7 @@ elseif ($Mode == 'Delete')
 }
 else
 {
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no = '" . $_POST['customer_id']. "'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no = ".db_escape($_POST['customer_id']);
 $result = db_query($sql,"could not query sales orders");
 $myrow = db_fetch_row($result);
@@ -168,7 +168,7 @@ elseif ($Mode == 'Delete')
 }
 else
 {
- $sql="DELETE FROM ".TB_PREF."cust_branch WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no='" . $_POST['customer_id']. "'";
+ $sql="DELETE FROM ".TB_PREF."cust_branch WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no=".db_escape($_POST['customer_id']);
 db_query($sql,"could not delete branch");
 display_notification(_('Selected customer branch has been deleted'));
 }
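Review bot: The new line builds the `branch_code`/`debtor_no` predicate from `$_POST` that the next two hunks (-158 and -168) rebuild verbatim, so a later edit to one of the three can easily leave the others behind again, which is exactly how the unescaped interpolation this commit removes tends to come back. Computing it once at the top of the Delete branch, e.g. `$where = " WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no=".db_escape($_POST['customer_id']);`, and appending `$where` to the three statements keeps them in step. The explicit quotes of the removed line are gone, so the new code relies on `db_escape()` returning an already-quoted literal for every input it can receive; that contract is outside this diff and worth confirming. The enclosing `elseif ($Mode == 'Delete')` block starts before the hunk.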
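Review bot: In the -168 hunk, `display_notification(_('Selected customer branch has been deleted'))` runs regardless of whether the DELETE on the line above removed a row, so a stale or mistyped `branch_code` reports success for nothing. Guarding the message on the affected-row count the db layer reports (`db_num_affected_rows()`, if the project's db layer still exposes it) and showing an error otherwise would make that case visible. Separately, the two COUNT checks in the earlier hunks and this DELETE are independent statements, so a dependent record written between the check and the delete is not caught; if the db layer offers a transaction helper, running the three inside one would close that window. The Delete block begins before the first hunk and its closing brace is past the last context line.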
@@ -232,7 +232,7 @@ $num_branches = db_customer_has_branches($_POST['customer_id']);
 AND b.tax_group_id=t.id
 AND b.area=a.area_code
 AND b.salesman=s.salesman_code
- AND b.debtor_no = '" . $_POST['customer_id']. "'";
+ AND b.debtor_no = ".db_escape($_POST['customer_id']);
 if (!get_post('show_inactive')) $sql .= " AND !b.inactive";
 //------------------------------------------------------------------------------------------------
@@ -280,8 +280,8 @@ if ($selected_id != -1)
 //editing an existing branch
 $sql = "SELECT * FROM ".TB_PREF."cust_branch
- WHERE branch_code='" . $_POST['branch_code'] . "'
- AND debtor_no='" . $_POST['customer_id'] . "'";
+ WHERE branch_code=".db_escape($_POST['branch_code'])."
+ AND debtor_no=".db_escape($_POST['customer_id']);
 $result = db_query($sql,"check failed");
 $myrow = db_fetch($result);
 set_focus('br_name');
@@ -314,7 +314,7 @@ elseif ($Mode != 'ADD_ITEM') {
 //end of if $SelectedBranch only do the else when a new record is being entered
 if(!$num_branches) {
 $sql = "SELECT name, address, email, debtor_ref
- FROM ".TB_PREF."debtors_master WHERE debtor_no = '" . $_POST['customer_id']. "'";
+ FROM ".TB_PREF."debtors_master WHERE debtor_no = ".db_escape($_POST['customer_id']);
 $result = db_query($sql,"check failed");
 $myrow = db_fetch($result);
 $_POST['br_name'] = $myrow["name"];
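Review bot: `$_POST['customer_id']` is now escaped where it is inlined into this query, but the hunk header line shows the same raw value going straight into `db_customer_has_branches($_POST['customer_id'])`; that helper's handling of its argument is outside this diff, so it is worth confirming it escapes internally rather than expecting callers to, otherwise the commit closes the inline cases and leaves the delegated one. A short comment on the helper call, `// db_customer_has_branches() escapes its argument itself`, would record that once it is checked. The `$sql` string this hunk appends to is opened before the hunk.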
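Review bot: In the -280 hunk, `$myrow = db_fetch($result)` on the line after the new WHERE clause is never checked, so when no `cust_branch` row matches the posted `branch_code`/`customer_id` pair (for example a stale form after the branch was deleted) `$myrow` is `false` and the field reads that presumably follow produce notices and empty inputs instead of a clear error; the -314 hunk has the same gap, where `$_POST['br_name'] = $myrow["name"]` reads the `debtors_master` row unconditionally. A guard such as `if (!$myrow) { display_error(_('Selected customer branch could not be found.')); }` before the first field assignment, using the project's existing `display_error()` helper, would surface the failure. The `if ($selected_id != -1)` block starts before the hunk and its field assignments continue after it.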