From bf5d5cdb2dde526a228d101ca6aad4044c2ed759 Mon Sep 17 00:00:00 2001
From: Janusz Dobrowolski
Date: Thu, 21 Oct 2010 10:07:59 +0000
Subject: [PATCH] Additional sq parameters cleanup.
---
sales/includes/db/cust_trans_db.inc | 56 ++--------------------------
sales/includes/db/custalloc_db.inc | 4 +-
sales/includes/db/sales_order_db.inc | 14 +++----
sales/includes/sales_db.inc | 8 +++-
4 files changed, 19 insertions(+), 63 deletions(-)
diff --git a/sales/includes/db/cust_trans_db.inc b/sales/includes/db/cust_trans_db.inc
index 13493b73..2b3cd451 100644
--- a/sales/includes/db/cust_trans_db.inc
+++ b/sales/includes/db/cust_trans_db.inc
@@ -38,7 +38,7 @@ function get_customer_trans_version($type, $trans_no) {
WHERE type='.db_escape($type).' AND (';
foreach ($trans_no as $key=>$trans)
- $trans_no[$key] = 'trans_no='.$trans_no[$key];
+ $trans_no[$key] = 'trans_no='.db_escape($trans_no[$key]);
$sql .= implode(' OR ', $trans_no) . ')';
@@ -84,7 +84,7 @@ function write_customer_trans($trans_type, $trans_no, $debtor_no, $BranchNo,
ov_gst, ov_freight, ov_freight_tax,
rate, ship_via, alloc,
dimension_id, dimension2_id, payment_terms
- ) VALUES ($trans_no, ".db_escape($trans_type).",
+ ) VALUES (".db_escape($trans_no).", ".db_escape($trans_type).",
".db_escape($debtor_no).", ".db_escape($BranchNo).",
'$SQLDate', '$SQLDueDate', ".db_escape($reference).",
".db_escape($sales_type).", ".db_escape($order_no).", $Total, ".db_escape($discount).", $Tax,
@@ -102,7 +102,7 @@ function write_customer_trans($trans_type, $trans_no, $debtor_no, $BranchNo,
ship_via=".db_escape($ship_via).", alloc=$AllocAmt,
dimension_id=".db_escape($dimension_id).", dimension2_id=".db_escape($dimension2_id).",
payment_terms=".db_escape($payment_terms)."
- WHERE trans_no=$trans_no AND type=".db_escape($trans_type);
+ WHERE trans_no=".db_escape($trans_no)." AND type=".db_escape($trans_type);
}
db_query($sql, "The debtor transaction record could not be inserted");
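Review bot: The rewritten loop body in get_customer_trans_version ignores the value it iterates: `foreach ($trans_no as $key=>$trans)` binds `$trans` and then re-reads `$trans_no[$key]`, so `$trans_no[$key] = 'trans_no='.db_escape($trans);` says the same thing without the double lookup. The hunk also has no guard for an empty `$trans_no` array; the `implode(' OR ', $trans_no)` on the context line would then emit `AND ()`, which is not valid SQL, so an early exit for the empty case is worth confirming against the callers. The function's opening and its return lie outside this hunk.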
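Review bot: The VALUES list in write_customer_trans is only partly escaped after this change: `$trans_no` now goes through db_escape, but the context lines of the same INSERT still interpolate `$Total` and `$Tax` raw, right next to `".db_escape($discount)."` which is escaped. If those amounts are always numeric by the time they reach here that may be harmless, but nothing in the hunk shows where they are validated; routing them through db_escape the same way as `$discount`, e.g. `".db_escape($Total).", ".db_escape($discount).", ".db_escape($Tax).",`, would make the statement uniformly built. The function starts and ends outside this hunk.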
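Review bot: The UPDATE branch keeps `alloc=$AllocAmt,` interpolated raw on the context line above the rewritten WHERE clause, while every neighbouring assignment (`ship_via`, `dimension_id`, `payment_terms`) and now `trans_no` goes through db_escape. `alloc=".db_escape($AllocAmt).",` would close that gap, assuming db_escape accepts numeric input the way the surrounding code already relies on it to. Where `$AllocAmt` originates is outside the hunk, so I cannot tell whether it is ever user-controlled.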
@@ -110,54 +110,6 @@ function write_customer_trans($trans_type, $trans_no, $debtor_no, $BranchNo,
return $trans_no;
}
-
-//----------------------------------------------------------------------------------------
-
-function reinsert_customer_trans($trans_type, $trans_no, $debtor_no, $BranchNo,
- $date_, $reference, $Total, $discount=0, $Tax=0, $Freight=0, $FreightTax=0,
- $sales_type=0, $order_no=0, $ship_via=0, $due_date="",
- $AllocAmt=0, $rate=0, $dimension_id=0, $dimension2_id=0)
-{
- if ($trans_no == '')
- display_db_error('Invalid call to function reinsert_customer_trans');
-
- $curr = get_customer_currency($debtor_no);
- if ($rate == 0)
- $rate = get_exchange_rate_from_home_currency($curr, $date_);
-
- $SQLDate = date2sql($date_);
- if ($due_date == "")
- $SQLDueDate = "0000-00-00";
- else
- $SQLDueDate = date2sql($due_date);
-
- if ($trans_type == ST_BANKPAYMENT)
- $Total = -$Total;
-
- $sql = "INSERT INTO ".TB_PREF."debtor_trans (
- trans_no, type,
- debtor_no, branch_code,
- tran_date, due_date,
- reference, tpe,
- order_, ov_amount, ov_discount,
- ov_gst, ov_freight, ov_freight_tax,
- rate, ship_via, alloc,
- dimension_id, dimension2_id
- ) VALUES ($trans_no, ".db_escape($trans_type).",
- ".db_escape($debtor_no).", ".db_escape($BranchNo).",
- '$SQLDate', '$SQLDueDate', ".db_escape($reference).",
- ".db_escape($sales_type).", ".db_escape($order_no).", $Total, ".db_escape($discount).", $Tax,
- ".db_escape($Freight).",
- $FreightTax, $rate, ".db_escape($ship_via).", $AllocAmt,
- ".db_escape($dimension_id).", ".db_escape($dimension2_id).")";
-
- db_query($sql, "The debtor transaction record could not be inserted");
-
- add_audit_trail($trans_type, $trans_no, $date_, _("Updated."));
-
- return $trans_no;
-}
-
//----------------------------------------------------------------------------------------
function get_customer_trans($trans_id, $trans_type)
@@ -206,7 +158,7 @@ function get_customer_trans($trans_id, $trans_type)
if ($trans_type == ST_CUSTPAYMENT)
{
// it's a payment so also get the bank account
- $sql .= " AND ".TB_PREF."bank_trans.trans_no =$trans_id
+ $sql .= " AND ".TB_PREF."bank_trans.trans_no =".db_escape($trans_id)."
AND ".TB_PREF."bank_trans.type=$trans_type
AND ".TB_PREF."bank_accounts.id=".TB_PREF."bank_trans.bank_act ";
}
diff --git a/sales/includes/db/custalloc_db.inc b/sales/includes/db/custalloc_db.inc
index 4c92ad98..16f9227e 100644
--- a/sales/includes/db/custalloc_db.inc
+++ b/sales/includes/db/custalloc_db.inc
@@ -140,8 +140,8 @@ function get_allocatable_to_cust_transactions($customer_id, $trans_no=null, $typ
{
$sql = get_alloc_trans_sql("amt", "trans.trans_no = alloc.trans_no_to
AND trans.type = alloc.trans_type_to
- AND alloc.trans_no_from=$trans_no
- AND alloc.trans_type_from=$type
+ AND alloc.trans_no_from=".db_escape($trans_no)."
+ AND alloc.trans_type_from=".db_escape($type)."
AND trans.debtor_no=".db_escape($customer_id),
"".TB_PREF."cust_allocations as alloc");
}
diff --git a/sales/includes/db/sales_order_db.inc b/sales/includes/db/sales_order_db.inc
index ff10cb59..509ee89e 100644
--- a/sales/includes/db/sales_order_db.inc
+++ b/sales/includes/db/sales_order_db.inc
@@ -141,7 +141,7 @@ function delete_sales_order($order_no, $trans_type)
function update_sales_order_version($order)
{
foreach ($order as $so_num => $so_ver) {
- $sql= 'UPDATE '.TB_PREF.'sales_orders SET version=version+1 WHERE order_no='. $so_num.
+ $sql= 'UPDATE '.TB_PREF.'sales_orders SET version=version+1 WHERE order_no='. db_escape($so_num).
' AND version='.$so_ver . " AND trans_type=30";
db_query($sql, 'Concurrent editing conflict while sales order update');
}
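Review bot: In get_customer_trans the added line escapes `bank_trans.trans_no`, but the context line immediately after it still interpolates `bank_trans.type=$trans_type` raw inside the same string. The enclosing `if ($trans_type == ST_CUSTPAYMENT)` only narrows the value loosely: under PHP's pre-8 comparison rules a string with a numeric prefix also satisfies that `==`, so the guard is not a substitute for escaping. `AND ".TB_PREF."bank_trans.type=".db_escape($trans_type)."` keeps the clause consistent with the line above it. The function body begins before this hunk.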
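Review bot: In update_sales_order_version `$so_ver` is still concatenated raw in `' AND version='.$so_ver . " AND trans_type=30";` while `$so_num`, taken from the same `$order` array, is now escaped; the two arrive together and deserve the same treatment, `' AND version='.db_escape($so_ver) . " AND trans_type=30";`. The literal 30 is also a magic number: elsewhere in this patch the sales-order type is spelled `ST_SALESORDER` (sales_order_has_deliveries, close_sales_order), and if that constant is 30 it should be used here too. The function's closing brace is outside the hunk.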
@@ -179,11 +179,11 @@ function update_sales_order($order)
version = ".($version+1).",
payment_terms = " .db_escape($order->payment). ",
total = ". db_escape($total) ."
- WHERE order_no=" . $order_no ."
+ WHERE order_no=" . db_escape($order_no) ."
AND trans_type=".$order->trans_type."
AND version=".$version;
db_query($sql, "order Cannot be Updated, this can be concurrent edition conflict");
- $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =" . $order_no . " AND trans_type=".$order->trans_type;
+ $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =" . db_escape($order_no) . " AND trans_type=".$order->trans_type;
db_query($sql, "Old order Cannot be Deleted");
@@ -242,7 +242,7 @@ function update_sales_order($order)
} /* inserted line items into sales order details */
add_audit_trail($order->trans_type, $order_no, $order->document_date, _("Updated."));
- $Refs->update($order->trans_type, $order_no, $order->reference);
+ $Refs->save($order->trans_type, $order_no, $order->reference);
commit_transaction();
if ($loc_notification == 1 && count($st_ids) > 0)
{
@@ -385,7 +385,7 @@ function sales_order_has_deliveries($order_no)
{
$sql = "SELECT SUM(qty_sent) FROM ".TB_PREF.
"sales_order_details WHERE order_no=".db_escape($order_no)
- ." AND trans_type=".ST_SALESORDER."";
+ ." AND trans_type=".ST_SALESORDER;
$result = db_query($sql, "could not query for sales order usage");
@@ -405,7 +405,7 @@ function close_sales_order($order_no)
// set the quantity of each item to the already sent quantity. this will mark item as closed.
$sql = "UPDATE ".TB_PREF."sales_order_details SET quantity = qty_sent
WHERE order_no = ".db_escape($order_no)
- ." AND trans_type=".ST_SALESORDER."";
+ ." AND trans_type=".ST_SALESORDER;
db_query($sql, "The sales order detail record could not be updated");
}
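Review bot: The UPDATE and DELETE in update_sales_order are escaped for `$order_no` only: the context lines `AND trans_type=".$order->trans_type."` and `AND version=".$version;`, and the tail of the rewritten DELETE (`" AND trans_type=".$order->trans_type;`), still interpolate values raw into the same statements. Since `$version` and `$order->trans_type` come from the same `$order` object the rest of the statement is being hardened for, they should go through db_escape as well: `AND trans_type=".db_escape($order->trans_type)."`, `AND version=".db_escape($version);` and `... " AND trans_type=".db_escape($order->trans_type);`. The function starts before and continues after this hunk.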
@@ -508,7 +508,7 @@ function get_sql_for_sales_orders_view($selected_customer, $trans_type)
.TB_PREF."cust_branch as branch
WHERE sorder.order_no = line.order_no
AND sorder.trans_type = line.trans_type
- AND sorder.trans_type = $trans_type
+ AND sorder.trans_type = ".db_escape($trans_type)."
AND sorder.debtor_no = debtor.debtor_no
AND sorder.branch_code = branch.branch_code
AND debtor.debtor_no = branch.debtor_no";
diff --git a/sales/includes/sales_db.inc b/sales/includes/sales_db.inc
index 260ba9b1..db81a3e7 100644
--- a/sales/includes/sales_db.inc
+++ b/sales/includes/sales_db.inc
@@ -317,10 +317,13 @@ function get_sales_child_lines($trans_type, $trans_no, $lines=true)
if (!is_array($trans_no)) {
$trans_no = array($trans_no);
}
-
+
$par_tbl = $trans_type == ST_SALESORDER ? "sales_order_details" : "debtor_trans_details";
$par_no = $trans_type == ST_SALESORDER ? "trans.order_no" : "trans.debtor_trans_no";
+ foreach($trans_no as $n => $trans) {
+ $trans_no[$n] = db_escape($trans);
+ }
$sql = "SELECT child.*
FROM ".TB_PREF."debtor_trans_details child
@@ -361,7 +364,8 @@ function get_sales_parent_lines($trans_type, $trans_no, $lines=true)
LEFT JOIN ".TB_PREF."debtor_trans_details trans
ON trans.src_id=parent.id
WHERE
- trans.debtor_trans_type=$trans_type AND trans.debtor_trans_no=$trans_no";
+ trans.debtor_trans_type=".db_escape($trans_type)
+ ." AND trans.debtor_trans_no=".db_escape($trans_no);
if (!$lines)
$sql .= " GROUP BY $par_no";
-- 
2.30.2
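Review bot: After the new foreach in get_sales_child_lines, `$trans_no` no longer holds the caller's ids but their db_escape()d SQL literals, and nothing in the hunk says so; a later reader who passes `$trans_no` on to another helper or escapes it again would double-quote it. A one-line comment above the loop, `// from here on $trans_no holds db_escape()d SQL literals, not raw ids`, would prevent that. Note also that an empty array passes the `is_array` check and the loop silently, which presumably leaves the list consumed by the query empty; the SQL that uses `$trans_no` continues past the end of this hunk, so I cannot confirm how that case is handled.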