X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=sales%2Fmanage%2Fcustomers.php;h=16581f55f2d5dc5f774c38e21c523a27d51b20bc;hb=9a6be31598b20ab95541e4c89db43ff56a105cc2;hp=578fbc5205666d502bd3909de1011406e371579e;hpb=47cdc160884d49ca90e9470a609cd42eac0a709e;p=fa-stable.git

diff --git a/sales/manage/customers.php b/sales/manage/customers.php
index 578fbc52..16581f55 100644
--- a/sales/manage/customers.php
+++ b/sales/manage/customers.php
@@ -142,8 +142,8 @@ if (isset($_POST['delete']))
 	$cancel_delete = 0;
 
 	// PREVENT DELETES IF DEPENDENT RECORDS IN 'debtor_trans'
-
-	$sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE debtor_no='" . $_POST['customer_id'] . "'";
+	$sel_id = db_escape($_POST['customer_id']);
+	$sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE debtor_no=$sel_id";
 	$result = db_query($sql,"check failed");
 	$myrow = db_fetch_row($result);
 	if ($myrow[0] > 0) 
@@ -153,7 +153,7 @@ if (isset($_POST['delete']))
 	} 
 	else 
 	{
-		$sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE debtor_no='" . $_POST['customer_id'] . "'";
+		$sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE debtor_no=$sel_id";
 		$result = db_query($sql,"check failed");
 		$myrow = db_fetch_row($result);
 		if ($myrow[0] > 0) 
@@ -163,7 +163,7 @@ if (isset($_POST['delete']))
 		} 
 		else 
 		{
-			$sql = "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE debtor_no='" . $_POST['customer_id'] . "'";
+			$sql = "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE debtor_no=$sel_id";
 			$result = db_query($sql,"check failed");
 			$myrow = db_fetch_row($result);
 			if ($myrow[0] > 0) 
@@ -177,7 +177,7 @@ if (isset($_POST['delete']))
 	
 	if ($cancel_delete == 0) 
 	{ 	//ie not cancelled the delete as a result of above tests
-		$sql = "DELETE FROM ".TB_PREF."debtors_master WHERE debtor_no='" . $_POST['customer_id'] . "'";
+		$sql = "DELETE FROM ".TB_PREF."debtors_master WHERE debtor_no=$sel_id";
 		db_query($sql,"cannot delete customer");
 
 		display_notification(_("Selected customer has been deleted."));
@@ -227,7 +227,7 @@ if ($new_customer)
 else 
 {
 
-	$sql = "SELECT * FROM ".TB_PREF."debtors_master WHERE debtor_no = '" . $_POST['customer_id'] . "'";
+	$sql = "SELECT * FROM ".TB_PREF."debtors_master WHERE debtor_no = ".db_escape($_POST['customer_id']);
 	$result = db_query($sql,"check failed");
 
 	$myrow = db_fetch($result);