X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=sales%2Fmanage%2Fcustomers.php;h=0f101574c17c033ef101dc59e8eae0e2f5f25302;hb=59233fde6a6ea38e17c1ce5b089cb0b798a98e2d;hp=bba429660282b90b88c392efd39cda1b4df3a34f;hpb=0ad7b92c6cf2e4e65ca0fa94ba31f30f7b292ba8;p=fa-stable.git diff --git a/sales/manage/customers.php b/sales/manage/customers.php index bba42966..0f101574 100644 --- a/sales/manage/customers.php +++ b/sales/manage/customers.php @@ -9,7 +9,6 @@ page(_("Customers")); include_once($path_to_root . "/includes/date_functions.inc"); include_once($path_to_root . "/includes/banking.inc"); include_once($path_to_root . "/includes/ui.inc"); -include_once($path_to_root . "/includes/data_checks.inc"); if (isset($_GET['New']) || !isset($_POST['customer_id']) || $_POST['customer_id'] == "") { @@ -63,20 +62,20 @@ function handle_submit() if (!isset($_POST['New'])) { - $sql = "UPDATE ".TB_PREF."debtors_master SET name='" . $_POST['CustName'] . "', - address='" . $_POST['address'] . "', - tax_id='" . $_POST['tax_id'] . "', - curr_code='" . $_POST['curr_code'] . "', - email='" . $_POST['email'] . "', - dimension_id=" . $_POST['dimension_id'] . ", - dimension2_id=" . $_POST['dimension2_id'] . ", - credit_status='" . $_POST['credit_status'] . "', - payment_terms='" . $_POST['payment_terms'] . "', + $sql = "UPDATE ".TB_PREF."debtors_master SET name=" . db_escape($_POST['CustName']) . ", + address=".db_escape($_POST['address']) . ", + tax_id=".db_escape($_POST['tax_id']) . ", + curr_code=".db_escape($_POST['curr_code']) . ", + email=".db_escape($_POST['email']) . ", + dimension_id=".db_escape($_POST['dimension_id']) . ", + dimension2_id=".db_escape($_POST['dimension2_id']) . ", + credit_status=".db_escape($_POST['credit_status']) . ", + payment_terms=".db_escape($_POST['payment_terms']) . ", discount=" . input_num('discount') / 100 . ", pymt_discount=" . input_num('pymt_discount') / 100 . ", credit_limit=" . input_num('credit_limit') . ", - sales_type = '" . $_POST['sales_type'] . "' - WHERE debtor_no = '" . $_POST['customer_id'] . "'"; + sales_type = ".db_escape($_POST['sales_type']) . " + WHERE debtor_no = '". $_POST['customer_id'] . "'"; db_query($sql,"The customer could not be updated"); display_notification(_("Customer has been updated.")); @@ -90,10 +89,12 @@ function handle_submit() $sql = "INSERT INTO ".TB_PREF."debtors_master (name, address, tax_id, email, dimension_id, dimension2_id, curr_code, credit_status, payment_terms, discount, pymt_discount,credit_limit, - sales_type) VALUES ('" . $_POST['CustName'] ."', '" . $_POST['address'] . "', '" . $_POST['tax_id'] . "', - '" . $_POST['email'] . "', " . $_POST['dimension_id'] . ", " . $_POST['dimension2_id'] . ", '" . $_POST['curr_code'] . "', - " . $_POST['credit_status'] . ", '" . $_POST['payment_terms'] . "', " . input_num('discount')/100 . ", - " . input_num('pymt_discount')/100 . ", " . $_POST['credit_limit'] . ", '" . $_POST['sales_type'] . "')"; + sales_type) VALUES (".db_escape($_POST['CustName']) .", " + .db_escape($_POST['address']) . ", " . db_escape($_POST['tax_id']) . "," + .db_escape($_POST['email']) . ", ".db_escape($_POST['dimension_id']) . ", " + .db_escape($_POST['dimension2_id']) . ", ".db_escape($_POST['curr_code']) . ", + " . db_escape($_POST['credit_status']) . ", ".db_escape($_POST['payment_terms']) . ", " . input_num('discount')/100 . ", + " . input_num('pymt_discount')/100 . ", " . input_num('credit_limit') . ", ".db_escape($_POST['sales_type']) . ")"; db_query($sql,"The customer could not be added");