X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=sales%2Fmanage%2Fsales_people.php;h=ff45e3e043ce9fb215c84ddaded95e25149d240a;hb=8fd0c50cc4a19a07c61ee87a632377419d096a5a;hp=e2c4ed4398307aca8796849b480216d29c70afeb;hpb=0ad7b92c6cf2e4e65ca0fa94ba31f30f7b292ba8;p=fa-stable.git
diff --git a/sales/manage/sales_people.php b/sales/manage/sales_people.php
index e2c4ed43..ff45e3e0 100644
--- a/sales/manage/sales_people.php
+++ b/sales/manage/sales_people.php
@@ -30,17 +30,27 @@ if (isset($_POST['ADD_ITEM']) || isset($_POST['UPDATE_ITEM']))
 $input_error = 1;
 display_error(_("The sales person name cannot be empty."));
 }
-
+ $pr1 = check_num('provision', 0,100);
+ if (!$pr1 || !check_num('provision2', 0, 100)) {
+ $input_error = 1;
+ display_error( _("Salesman provision cannot be less than 0 or more than 100%."));
+ set_focus(!$pr1 ? 'provision' : 'provision2');
+ }
+ if (!check_num('break_pt', 0)) {
+ $input_error = 1;
+ display_error( _("Salesman provision breakpoint must be numeric and not less than 0."));
+ set_focus('break_pt');
+ }
 if ($input_error != 1)
 {
 if (isset($selected_id))
 {
 /*selected_id could also exist if submit had not been clicked this code would not run in this case cos submit is false of course see the delete code below*/
- $sql = "UPDATE ".TB_PREF."salesman SET salesman_name='" . $_POST['salesman_name'] . "',
- salesman_phone='" . $_POST['salesman_phone'] . "',
- salesman_fax='" . $_POST['salesman_fax'] . "',
- salesman_email='" . $_POST['salesman_email'] . "',
+ $sql = "UPDATE ".TB_PREF."salesman SET salesman_name=".db_escape($_POST['salesman_name']) . ",
+ salesman_phone=".db_escape($_POST['salesman_phone']) . ",
+ salesman_fax=".db_escape($_POST['salesman_fax']) . ",
+ salesman_email=".db_escape($_POST['salesman_email']) . ",
 provision=".input_num('provision').",
 break_pt=".input_num('break_pt').",
 provision2=".input_num('provision2')." 
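Review bot: The provision error text on the added `display_error( _("Salesman provision cannot be less than 0 or more than 100%."))` line does not cover the non-numeric input that `check_num()` also rejects, unlike the break_pt message two checks below; `_("Salesman provision must be numeric and between 0 and 100%.")` would describe every rejected value. These `check_num()` calls are what make it safe to splice the `input_num()` results unquoted into the UPDATE and INSERT strings, so they must stay in the same `$input_error` gate as the SQL; a comment such as `// numeric fields were validated above, so input_num() may be embedded unquoted` on the `$sql =` line would record that dependency for the next maintainer. The new code drops the surrounding `'...'` around the string fields, which is correct only if `db_escape()` returns a quoted literal — that appears to be the intent, but worth confirming against its definition. Spacing is inconsistent with the surrounding code: `display_error( _(` and `check_num('provision', 0,100)` versus the existing `display_error(_(` and the new `check_num('provision2', 0, 100)`. The enclosing `if (isset($_POST['ADD_ITEM']) ...)` block begins before the hunk and the UPDATE string continues past it.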
@@ -51,8 +61,12 @@ if (isset($_POST['ADD_ITEM']) || isset($_POST['UPDATE_ITEM']))
 /*Selected group is null cos no item selected on first time round so must be adding a record must be submitting new entries in the new Sales-person form */
 $sql = "INSERT INTO ".TB_PREF."salesman (salesman_name, salesman_phone, salesman_fax, salesman_email, provision, break_pt, provision2)
- VALUES ('" . $_POST['salesman_name'] . "', '" .$_POST['salesman_phone'] . "', '" . $_POST['salesman_fax'] . "', '" . $_POST['salesman_email'] . "', ".
- input_num('provision').", ".input_num('break_pt').", ".input_num('provision2').")";
+ VALUES (".db_escape($_POST['salesman_name']) . ", "
+ .db_escape($_POST['salesman_phone']) . ", "
+ .db_escape($_POST['salesman_fax']) . ", "
+ .db_escape($_POST['salesman_email']) . ", ".
+ input_num('provision').", ".input_num('break_pt').", "
+ .input_num('provision2').")";
 }
 //run the sql from either of the above possibilites
@@ -147,9 +161,9 @@ text_row_ex(_("Sales person name:"), 'salesman_name', 30);
 text_row_ex(_("Telephone number:"), 'salesman_phone', 20);
 text_row_ex(_("Fax number:"), 'salesman_fax', 20);
 text_row_ex(_("Email:"), 'salesman_email', 40);
-percent_row(_("Provision"), 'provision');
+percent_row(_("Provision").':', 'provision');
 amount_row(_("Break Pt.:"), 'break_pt');
-percent_row(_("Provision")." 2", 'provision2');
+percent_row(_("Provision")." 2:", 'provision2');
 end_table(1);
 submit_add_or_update_center(!isset($selected_id));
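Review bot: The INSERT on the added `VALUES (".db_escape($_POST['salesman_name']) . ", "` lines repeats the same four `db_escape($_POST[...])` calls that the UPDATE in the previous hunk makes, so every field added to this form in future has to be escaped in two places, and a miss in either reopens the injection this commit closes. Assigning the escaped values once before the `if (isset($selected_id))` branch, e.g. `$name = db_escape($_POST['salesman_name']);`, and using those variables in both statements would leave a single place to get right. The concatenation style in the new lines is also mixed: a trailing `.` on the `salesman_email` line, leading `.` on the `db_escape` and `provision2` lines, and neither on the `input_num('provision')` line; a leading `.` on every continuation line would match the rest of the new block. The third hunk only adds colons to field labels and needs no review. The block that builds the INSERT begins before the hunk.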