From: Janusz Dobrowolski
Date: Thu, 22 Oct 2009 17:11:03 +0000 (+0000)
Subject: Additional security fixes in sql statements.
X-Git-Tag: v2.4.2~19^2~1093
X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=commitdiff_plain;h=d67f3efea0aa65cea4f875e2b46d0dacc3e838ef;p=fa-stable.git
Additional security fixes in sql statements.
---
diff --git a/gl/manage/bank_accounts.php b/gl/manage/bank_accounts.php
index fb57c0f5..83d425f8 100644
--- a/gl/manage/bank_accounts.php
+++ b/gl/manage/bank_accounts.php
@@ -63,10 +63,10 @@ elseif( $Mode == 'Delete')
 //the link to delete a selected record was clicked instead of the submit button
 $cancel_delete = 0;
-
+ $acc = db_escape($selected_id);
 // PREVENT DELETES IF DEPENDENT RECORDS IN 'bank_trans'
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."bank_trans WHERE bank_act='$selected_id'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."bank_trans WHERE bank_act=$acc";
 $result = db_query($sql,"check failed");
 $myrow = db_fetch_row($result);
 if ($myrow[0] > 0)
@@ -74,7 +74,7 @@ elseif( $Mode == 'Delete')
 $cancel_delete = 1;
 display_error(_("Cannot delete this bank account because transactions have been created using this account."));
 }
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_pos WHERE pos_account='$selected_id'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_pos WHERE pos_account=$acc";
 $result = db_query($sql,"check failed");
 $myrow = db_fetch_row($result);
 if ($myrow[0] > 0)
diff --git a/gl/manage/currencies.php b/gl/manage/currencies.php
index 689389de..bb83098a 100644
--- a/gl/manage/currencies.php
+++ b/gl/manage/currencies.php
@@ -86,8 +86,10 @@ function check_can_delete()
 if ($selected_id == "") return false;
+ $curr = db_escape($selected_id);
+
 // PREVENT DELETES IF DEPENDENT RECORDS IN debtors_master
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtors_master WHERE curr_code = '$selected_id'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtors_master WHERE curr_code = $curr";
 $result = db_query($sql);
 $myrow = db_fetch_row($result);
 if ($myrow[0] > 0)
@@ -96,7 +98,7 @@ function check_can_delete()
 return false;
 }
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE curr_code = '$selected_id'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE curr_code = $curr";
 $result = db_query($sql);
 $myrow = db_fetch_row($result);
 if ($myrow[0] > 0)
@@ -105,7 +107,7 @@ function check_can_delete()
 return false;
 }
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."company WHERE curr_default = '$selected_id'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."company WHERE curr_default = $curr";
 $result = db_query($sql);
 $myrow = db_fetch_row($result);
 if ($myrow[0] > 0)
@@ -115,7 +117,7 @@ function check_can_delete()
 }
 // see if there are any bank accounts that use this currency
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."bank_accounts WHERE bank_curr_code = '$selected_id'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."bank_accounts WHERE bank_curr_code = $curr";
 $result = db_query($sql);
 $myrow = db_fetch_row($result);
 if ($myrow[0] > 0)
diff --git a/gl/manage/exchange_rates.php b/gl/manage/exchange_rates.php
index e7a7f574..0127b40b 100644
--- a/gl/manage/exchange_rates.php
+++ b/gl/manage/exchange_rates.php
@@ -186,7 +186,7 @@
 set_global_curr_code($_POST['curr_abrev']);
 $sql = "SELECT date_, rate_buy, id FROM " .TB_PREF."exchange_rates "
- ."WHERE curr_code='".$_POST['curr_abrev']."'
+ ."WHERE curr_code=".db_escape($_POST['curr_abrev'])."
 ORDER BY date_ DESC";
 $cols = array(
diff --git a/gl/manage/gl_account_types.php b/gl/manage/gl_account_types.php
index e6445a56..27141d53 100644
--- a/gl/manage/gl_account_types.php
+++ b/gl/manage/gl_account_types.php
@@ -77,8 +77,10 @@ function can_delete($selected_id)
 {
 if ($selected_id == -1) return false;
+ $type = db_escape($selected_id);
+
 $sql= "SELECT COUNT(*) FROM ".TB_PREF."chart_master
- WHERE account_type=$selected_id";
+ WHERE account_type=$type";
 $result = db_query($sql, "could not query chart master");
 $myrow = db_fetch_row($result);
 if ($myrow[0] > 0)
@@ -88,7 +90,7 @@ function can_delete($selected_id)
 }
 $sql= "SELECT COUNT(*) FROM ".TB_PREF."chart_types
- WHERE parent=$selected_id";
+ WHERE parent=$type";
 $result = db_query($sql, "could not query chart types");
 $myrow = db_fetch_row($result);
 if ($myrow[0] > 0)
diff --git a/gl/manage/gl_accounts.php b/gl/manage/gl_accounts.php
index 1f6786ef..37a90047 100644
--- a/gl/manage/gl_accounts.php
+++ b/gl/manage/gl_accounts.php
@@ -106,7 +106,9 @@ function can_delete($selected_account)
 {
 if ($selected_account == "") return false;
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."gl_trans WHERE account='$selected_account'";
+ $acc = db_escape($selected_account);
+
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."gl_trans WHERE account=$acc";
 $result = db_query($sql,"Couldn't test for existing transactions");
 $myrow = db_fetch_row($result);
@@ -116,18 +118,18 @@ function can_delete($selected_account)
 return false;
 }
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."company WHERE debtors_act='$selected_account'
- OR pyt_discount_act='$selected_account'
- OR creditors_act='$selected_account'
- OR freight_act='$selected_account'
- OR default_sales_act='$selected_account'
- OR default_sales_discount_act='$selected_account'
- OR default_prompt_payment_act='$selected_account'
- OR default_inventory_act='$selected_account'
- OR default_cogs_act='$selected_account'
- OR default_adj_act='$selected_account'
- OR default_inv_sales_act='$selected_account'
- OR default_assembly_act='$selected_account'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."company WHERE debtors_act=$acc
+ OR pyt_discount_act=$acc
+ OR creditors_act=$acc
+ OR freight_act=$acc
+ OR default_sales_act=$acc
+ OR default_sales_discount_act=$acc
+ OR default_prompt_payment_act=$acc
+ OR default_inventory_act=$acc
+ OR default_cogs_act=$acc
+ OR default_adj_act=$acc
+ OR default_inv_sales_act=$acc
+ OR default_assembly_act=$acc";
 $result = db_query($sql,"Couldn't test for default company GL codes");
 $myrow = db_fetch_row($result);
@@ -137,7 +139,7 @@ function can_delete($selected_account)
 return false;
 }
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."bank_accounts WHERE account_code='$selected_account'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."bank_accounts WHERE account_code=$acc";
 $result = db_query($sql,"Couldn't test for bank accounts");
 $myrow = db_fetch_row($result);
@@ -148,10 +150,10 @@ function can_delete($selected_account)
 }
 $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE
- inventory_account='$selected_account'
- OR cogs_account='$selected_account'
- OR adjustment_account='$selected_account'
- OR sales_account='$selected_account'";
+ inventory_account=$acc
+ OR cogs_account=$acc
+ OR adjustment_account=$acc
+ OR sales_account=$acc";
 $result = db_query($sql,"Couldn't test for existing stock GL codes");
 $myrow = db_fetch_row($result);
@@ -161,7 +163,7 @@ function can_delete($selected_account)
 return false;
 }
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."tax_types WHERE sales_gl_code='$selected_account' OR purchasing_gl_code='$selected_account'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."tax_types WHERE sales_gl_code=$acc OR purchasing_gl_code=$acc";
 $result = db_query($sql,"Couldn't test for existing tax GL codes");
 $myrow = db_fetch_row($result);
@@ -172,10 +174,10 @@ function can_delete($selected_account)
 }
 $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE
- sales_account='$selected_account'
- OR sales_discount_account='$selected_account'
- OR receivables_account='$selected_account'
- OR payment_discount_account='$selected_account'";
+ sales_account=$acc
+ OR sales_discount_account=$acc
+ OR receivables_account=$acc
+ OR payment_discount_account=$acc";
 $result = db_query($sql,"Couldn't test for existing cust branch GL codes");
 $myrow = db_fetch_row($result);
@@ -186,9 +188,9 @@ function can_delete($selected_account)
 }
 $sql= "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE
- purchase_account='$selected_account'
- OR payment_discount_account='$selected_account'
- OR payable_account='$selected_account'";
+ purchase_account=$acc
+ OR payment_discount_account=$acc
+ OR payable_account=$acc";
 $result = db_query($sql,"Couldn't test for existing suppliers GL codes");
 $myrow = db_fetch_row($result);
@@ -199,7 +201,7 @@ function can_delete($selected_account)
 }
 $sql= "SELECT COUNT(*) FROM ".TB_PREF."quick_entry_lines WHERE
- dest_id='$selected_account' AND UPPER(LEFT(action, 1)) <> 'T'";
+ dest_id=$acc AND UPPER(LEFT(action, 1)) <> 'T'";
 $result = db_query($sql,"Couldn't test for existing suppliers GL codes");
 $myrow = db_fetch_row($result);
diff --git a/includes/db/audit_trail_db.inc b/includes/db/audit_trail_db.inc
index e7958805..f9efe9a0 100644
--- a/includes/db/audit_trail_db.inc
+++ b/includes/db/audit_trail_db.inc
@@ -14,7 +14,7 @@ function add_audit_trail($trans_type, $trans_no, $trans_date, $descr='')
 {
 $sql = "INSERT INTO ".TB_PREF."audit_trail"
 . " (type, trans_no, user, fiscal_year, gl_date, description, gl_seq)
- VALUES($trans_type, $trans_no,"
+ VALUES(".db_escape($trans_type).", ".db_escape($trans_no).","
 . $_SESSION["wa_current_user"]->user. ","
 . get_company_pref('f_year') .","
 . "'". date2sql($trans_date) ."',"
@@ -25,7 +25,8 @@ function add_audit_trail($trans_type, $trans_no, $trans_date, $descr='')
 // all audit records beside latest one should have gl_seq set to NULL
 // to avoid need for subqueries (not existing in MySQL 3) all over the code
 $sql = "UPDATE ".TB_PREF."audit_trail SET gl_seq = NULL"
- . " WHERE type=$trans_type AND trans_no=$trans_no AND id!=".db_insert_id();
+ . " WHERE type=".db_escape($trans_type)." AND trans_no="
+ .db_escape($trans_no)." AND id!=".db_insert_id();
 db_query($sql, "Cannot update audit gl_seq");
 }
@@ -33,7 +34,8 @@ function add_audit_trail($trans_type, $trans_no, $trans_date, $descr='')
 function get_audit_trail_all($trans_type, $trans_no)
 {
 $sql = "SELECT * FROM ".TB_PREF."audit_trail"
- ." WHERE type=$trans_type AND trans_no=$trans_no";
+ ." WHERE type=".db_escape($trans_type)." AND trans_no="
+ .db_escape($trans_no);
 return db_query($sql, "Cannot get all audit info for transaction");
 }
@@ -41,7 +43,8 @@ function get_audit_trail_all($trans_type, $trans_no)
 function get_audit_trail_last($trans_type, $trans_no)
 {
 $sql = "SELECT * FROM ".TB_PREF."audit_trail"
- ." WHERE type=$trans_type AND trans_no=$trans_no AND NOT ISNULL(gl_seq)";
+ ." WHERE type=".db_escape($trans_type).
+ " AND trans_no=".db_escape($trans_no)." AND NOT ISNULL(gl_seq)";
 $res = db_query($sql, "Cannot get last audit info for transaction");
 if ($res)
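Review bot: The VALUES rewrite in add_audit_trail escapes `$trans_type` and `$trans_no` but stops there: the three context lines that complete the same INSERT still splice `$_SESSION["wa_current_user"]->user`, `get_company_pref('f_year')` and `'".date2sql($trans_date)."'` into the statement without db_escape. Those values come from the session, the company preferences and a date conversion rather than straight from the request, so the exposure is lower than for the two parameters, but nothing in the hunk records that assumption. Either route them through the same helper (e.g. `. db_escape($_SESSION["wa_current_user"]->user). ","`) or put a one-line comment above the statement stating why they are treated as trusted, so the next pass over this file does not have to re-derive it. The same inline-quoted date2sql pattern (`'$date'`, `'$from'`, `'$to'`) is left in place in the comments_db.inc and inventory_db.inc hunks of this commit; the statement's remaining lines are outside the hunk.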
@@ -125,7 +128,9 @@ function open_transactions($fromdate) {
 */
 function is_closed_trans($type, $trans_no) {
 $sql = "SELECT gl_seq FROM ".TB_PREF."audit_trail"
- . " WHERE type=$type AND trans_no=$trans_no AND gl_seq>0";
+ . " WHERE type=".db_escape($type)
+ ." AND trans_no=".db_escape($trans_no)
+ ." AND gl_seq>0";
 $res = db_query($sql, "Cannot check transaction");
diff --git a/includes/db/comments_db.inc b/includes/db/comments_db.inc
index d431e97d..4e61dd49 100644
--- a/includes/db/comments_db.inc
+++ b/includes/db/comments_db.inc
@@ -13,7 +13,8 @@
 function get_comments($type, $type_no)
 {
- $sql = "SELECT * FROM ".TB_PREF."comments WHERE type=$type AND id=$type_no";
+ $sql = "SELECT * FROM ".TB_PREF."comments WHERE type="
+ .db_escape($type)." AND id=".db_escape($type_no);
 return db_query($sql, "could not query comments transaction table");
 }
@@ -26,7 +27,8 @@ function add_comments($type, $type_no, $date_, $memo_)
 {
 $date = date2sql($date_);
 $sql = "INSERT INTO ".TB_PREF."comments (type, id, date_, memo_)
- VALUES ($type, $type_no, '$date', ".db_escape($memo_).")";
+ VALUES (".db_escape($type).", ".db_escape($type_no)
+ .", '$date', ".db_escape($memo_).")";
 db_query($sql, "could not add comments transaction entry");
 }
@@ -44,7 +46,9 @@ function update_comments($type, $id, $date_, $memo_)
 else
 {
 $date = date2sql($date_);
- $sql = "UPDATE ".TB_PREF."comments SET memo_=".db_escape($memo_)." WHERE type=$type AND id=$id AND date_='$date'";
+ $sql = "UPDATE ".TB_PREF."comments SET memo_=".db_escape($memo_)
+ ." WHERE type=".db_escape($type)." AND id=".db_escape($id)
+ ." AND date_='$date'";
 db_query($sql, "could not update comments");
 }
 }
@@ -53,7 +57,8 @@ function update_comments($type, $id, $date_, $memo_)
 function delete_comments($type, $type_no)
 {
- $sql = "DELETE FROM ".TB_PREF."comments WHERE type=$type AND id=$type_no";
+ $sql = "DELETE FROM ".TB_PREF."comments WHERE type=".db_escape($type)
+ ." AND id=".db_escape($type_no);
 db_query($sql, "could not delete from comments transaction table");
 }
diff --git a/includes/db/inventory_db.inc b/includes/db/inventory_db.inc
index 4fcc7a41..3695166b 100644
--- a/includes/db/inventory_db.inc
+++ b/includes/db/inventory_db.inc
@@ -17,11 +17,11 @@ function get_qoh_on_date($stock_id, $location=null, $date_=null, $exclude=0)
 $date = date2sql($date_);
 $sql = "SELECT SUM(qty) FROM ".TB_PREF."stock_moves
- WHERE stock_id='$stock_id'
+ WHERE stock_id=".db_escape($stock_id)."
 AND tran_date <= '$date'";
 if ($location != null)
- $sql .= " AND loc_code = '$location'";
+ $sql .= " AND loc_code = ".db_escape($location);
 $result = db_query($sql, "QOH calulcation failed");
@@ -29,9 +29,9 @@ function get_qoh_on_date($stock_id, $location=null, $date_=null, $exclude=0)
 if ($exclude > 0)
 {
 $sql = "SELECT SUM(qty) FROM ".TB_PREF."stock_moves
- WHERE stock_id='$stock_id'
- AND type=$exclude
- AND tran_date = '$date'";
+ WHERE stock_id=".db_escape($stock_id)
+ ." AND type=".db_escape($exclude)
+ ." AND tran_date = '$date'";
 $result = db_query($sql, "QOH calulcation failed");
 $myrow2 = db_fetch_row($result);
@@ -48,8 +48,8 @@ function get_item_edit_info($stock_id)
 {
 $sql = "SELECT material_cost + labour_cost + overhead_cost AS standard_cost, units, decimals FROM ".TB_PREF."stock_master,".TB_PREF."item_units
- WHERE stock_id='$stock_id'
- AND ".TB_PREF."stock_master.units=".TB_PREF."item_units.abbr";
+ WHERE stock_id=".db_escape($stock_id)
+ ." AND ".TB_PREF."stock_master.units=".TB_PREF."item_units.abbr";
 $result = db_query($sql, "The standard cost cannot be retrieved");
 return db_fetch($result);
@@ -60,7 +60,7 @@ function get_item_edit_info($stock_id)
 function get_standard_cost($stock_id)
 {
 $sql = "SELECT material_cost + labour_cost + overhead_cost AS std_cost
- FROM ".TB_PREF."stock_master WHERE stock_id='$stock_id'";
+ FROM ".TB_PREF."stock_master WHERE stock_id=".db_escape($stock_id);
 $result = db_query($sql, "The standard cost cannot be retrieved");
 $myrow = db_fetch_row($result);
@@ -73,7 +73,7 @@ function get_standard_cost($stock_id)
 function is_inventory_item($stock_id)
 {
 $sql = "SELECT stock_id FROM ".TB_PREF."stock_master
- WHERE stock_id='$stock_id' AND mb_flag <> 'D'";
+ WHERE stock_id=".db_escape($stock_id)." AND mb_flag <> 'D'";
 $result = db_query($sql, "Cannot query is inventory item or not");
 return db_num_rows($result) > 0;
@@ -87,7 +87,7 @@ Function get_stock_gl_code($stock_id)
 $sql = "SELECT inventory_account, cogs_account, adjustment_account, sales_account, assembly_account, dimension_id, dimension2_id FROM
- ".TB_PREF."stock_master WHERE stock_id = '$stock_id'";
+ ".TB_PREF."stock_master WHERE stock_id = ".db_escape($stock_id);
 $get = db_query($sql,"retreive stock gl code");
 return db_fetch($get);
@@ -112,9 +112,13 @@ function add_stock_move($type, $stock_id, $trans_no, $location,
 $sql = "INSERT INTO ".TB_PREF."stock_moves (stock_id, trans_no, type, loc_code, tran_date, person_id, reference, qty, standard_cost, visible, price,
- discount_percent) VALUES ('$stock_id', $trans_no, $type,
- ".db_escape($location).", '$date', '$person_id', ".db_escape($reference).", $quantity, $std_cost,
- $show_or_hide, $price, $discount_percent)";
+ discount_percent) VALUES (".db_escape($stock_id)
+ .", ".db_escape($trans_no).", ".db_escape($type)
+ .", ".db_escape($location).", '$date', "
+ .db_escape($person_id).", ".db_escape($reference).", "
+ .db_escape($quantity).", ".db_escape($std_cost).","
+ .db_escape($show_or_hide).", ".db_escape($price).", "
+ .db_escape($discount_percent).")";
 if ($error_msg == "") $error_msg = "The stock movement record cannot be inserted";
@@ -128,8 +132,11 @@ function update_stock_move_pid($type, $stock_id, $from, $to, $pid, $cost)
 {
 $from = date2sql($from);
 $to = date2sql($to);
- $sql = "UPDATE ".TB_PREF."stock_moves SET standard_cost=$cost WHERE type=$type
- AND stock_id='$stock_id' AND tran_date>='$from' AND tran_date<='$to' AND person_id = $pid";
+ $sql = "UPDATE ".TB_PREF."stock_moves SET standard_cost=".db_escape($cost)
+ ." WHERE type=".db_escape($type)
+ ." AND stock_id=".db_escape($stock_id)
+ ." AND tran_date>='$from' AND tran_date<='$to' AND person_id = ".db_escape($pid);
 db_query($sql, "The stock movement standard_cost cannot be updated");
 }
@@ -137,13 +144,15 @@ function update_stock_move_pid($type, $stock_id, $from, $to, $pid, $cost)
 function get_stock_moves($type, $type_no, $visible=false)
 {
- $sql = "SELECT ".TB_PREF."stock_moves.*, ".TB_PREF."stock_master.description, ".TB_PREF."stock_master.units,
- ".TB_PREF."locations.location_name,
- ".TB_PREF."stock_master.material_cost + ".TB_PREF."stock_master.labour_cost + ".TB_PREF."stock_master.overhead_cost AS FixedStandardCost
+ $sql = "SELECT ".TB_PREF."stock_moves.*, ".TB_PREF."stock_master.description, "
+ .TB_PREF."stock_master.units,".TB_PREF."locations.location_name,"
+ .TB_PREF."stock_master.material_cost + "
+ .TB_PREF."stock_master.labour_cost + "
+ .TB_PREF."stock_master.overhead_cost AS FixedStandardCost
 FROM ".TB_PREF."stock_moves,".TB_PREF."locations,".TB_PREF."stock_master
 WHERE ".TB_PREF."stock_moves.stock_id = ".TB_PREF."stock_master.stock_id
 AND ".TB_PREF."locations.loc_code=".TB_PREF."stock_moves.loc_code
- AND type=$type AND trans_no=$type_no ORDER BY trans_id";
+ AND type=".db_escape($type)." AND trans_no=".db_escape($type_no)." ORDER BY trans_id";
 if ($visible) $sql .= " AND ".TB_PREF."stock_moves.visible=1";
@@ -155,7 +164,7 @@ function get_stock_moves($type, $type_no, $visible=false)
 function void_stock_move($type, $type_no)
 {
 $sql = "UPDATE ".TB_PREF."stock_moves SET qty=0, price=0, discount_percent=0,
- standard_cost=0 WHERE type=$type AND trans_no=$type_no";
+ standard_cost=0 WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no);
 db_query($sql, "Could not void stock moves");
 }
@@ -164,7 +173,8 @@ function void_stock_move($type, $type_no)
 function get_location_name($loc_code)
 {
- $sql = "SELECT location_name FROM ".TB_PREF."locations WHERE loc_code='$loc_code'";
+ $sql = "SELECT location_name FROM ".TB_PREF."locations WHERE loc_code="
+ .db_escape($loc_code);
 $result = db_query($sql, "could not retreive the location name for $loc_code");
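Review bot: The rewritten last line of the SELECT in get_stock_moves keeps `ORDER BY trans_id` inside the base statement, and the context line right after it appends ` AND ".TB_PREF."stock_moves.visible=1` when `$visible` is set, so the visibility condition ends up after the ORDER BY rather than in the WHERE clause; depending on the server it is most likely parsed as part of the sort expression and does not filter at all. Since the statement is being rebuilt anyway, end the added line at `AND trans_no=".db_escape($type_no);`, keep the conditional append as it is, and add `$sql .= " ORDER BY trans_id";` after it. The remainder of get_stock_moves (the query call and return) lies outside the hunk, so whether any current caller passes `$visible` cannot be confirmed from here.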
diff --git a/includes/db/references_db.inc b/includes/db/references_db.inc
index 16d599e0..7764c534 100644
--- a/includes/db/references_db.inc
+++ b/includes/db/references_db.inc
@@ -13,7 +13,7 @@
 function get_reference($type, $id)
 {
- $sql = "SELECT * FROM ".TB_PREF."refs WHERE type=$type AND id=$id";
+ $sql = "SELECT * FROM ".TB_PREF."refs WHERE type=".db_escape($type)." AND id=".db_escape($id);
 $result = db_query($sql, "could not query reference table");
 $row = db_fetch($result);
@@ -25,7 +25,8 @@ function get_reference($type, $id)
 function add_reference($type, $id, $reference)
 {
 $sql = "INSERT INTO ".TB_PREF."refs (type, id, reference)
- VALUES ($type, $id, " . db_escape(trim($reference)) . ")";
+ VALUES (".db_escape($type).", ".db_escape($id).", "
+ . db_escape(trim($reference)) . ")";
 db_query($sql, "could not add reference entry");
 }
@@ -34,7 +35,7 @@ function add_reference($type, $id, $reference)
 function delete_reference($type, $id)
 {
- $sql = "DELETE FROM ".TB_PREF."refs WHERE type=$type AND id=$id";
+ $sql = "DELETE FROM ".TB_PREF."refs WHERE type=$type AND id=".db_escape($id);
 return db_query($sql, "could not delete from reference table");
 }
@@ -43,7 +44,8 @@ function delete_reference($type, $id)
 function find_reference($type, $reference)
 {
- $sql = "SELECT id FROM ".TB_PREF."refs WHERE type=$type AND reference='$reference'";
+ $sql = "SELECT id FROM ".TB_PREF."refs WHERE type=".db_escape($type)
+ ." AND reference=".db_escape($reference);
 $result = db_query($sql, "could not query reference table");
@@ -54,7 +56,8 @@ function find_reference($type, $reference)
 function save_next_reference($type, $reference)
 {
- $sql = "UPDATE ".TB_PREF."sys_types SET next_reference=" . db_escape(trim($reference)) . " WHERE type_id = $type";
+ $sql = "UPDATE ".TB_PREF."sys_types SET next_reference=" . db_escape(trim($reference))
+ . " WHERE type_id = ".db_escape($type);
 db_query($sql, "The next transaction ref for $type could not be updated");
 }
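Review bot: delete_reference still interpolates `$type` raw in `WHERE type=$type AND id=".db_escape($id)`, while the other hunks of this file (get_reference, add_reference, find_reference, save_next_reference) now pass `$type` through db_escape; the one statement that performs a DELETE is the one left half-fixed. The line should read `$sql = "DELETE FROM ".TB_PREF."refs WHERE type=".db_escape($type)." AND id=".db_escape($id);`. Whether callers only ever pass an internal transaction-type constant here is not visible in the hunk, so bringing it in line with its siblings is the safe default either way.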
@@ -63,7 +66,7 @@ function save_next_reference($type, $reference)
 function get_next_reference($type)
 {
- $sql = "SELECT next_reference FROM ".TB_PREF."sys_types WHERE type_id = $type";
+ $sql = "SELECT next_reference FROM ".TB_PREF."sys_types WHERE type_id = ".db_escape($type);
 $result = db_query($sql,"The last transaction ref for $type could not be retreived");