From e29ab37ef51f39c200c3772e07eeceef0ce39214 Mon Sep 17 00:00:00 2001 
From: Joe Hunt Date: Thu, 15 Oct 2009 16:01:09 +0000 Subject: [PATCH] Security sql statements update against sql injection attacks. --- CHANGELOG.txt | 53 +++++++++++++++++++ reporting/rep101.php | 4 +- reporting/rep102.php | 6 +-- reporting/rep103.php | 10 ++-- reporting/rep104.php | 4 +- reporting/rep105.php | 6 +-- reporting/rep108.php | 4 +- reporting/rep201.php | 2 +- reporting/rep202.php | 2 +- reporting/rep203.php | 2 +- reporting/rep204.php | 2 +- reporting/rep209.php | 4 +- reporting/rep301.php | 4 +- reporting/rep302.php | 4 +- reporting/rep303.php | 4 +- reporting/rep304.php | 6 +-- reporting/rep401.php | 4 +- reporting/rep501.php | 4 +- reporting/rep705.php | 4 +- sales/create_recurrent_invoices.php | 6 +-- sales/customer_payments.php | 2 +- sales/includes/db/branches_db.inc | 8 +-- sales/includes/db/credit_status_db.inc | 8 +-- sales/includes/db/cust_trans_db.inc | 39 +++++++------- sales/includes/db/cust_trans_details_db.inc | 10 ++-- sales/includes/db/custalloc_db.inc | 23 ++++---- sales/includes/db/customers_db.inc | 12 ++--- sales/includes/db/sales_order_db.inc | 26 ++++----- sales/includes/db/sales_points_db.inc | 8 +-- sales/includes/db/sales_types_db.inc | 13 ++--- sales/includes/sales_db.inc | 24 ++++----- sales/inquiry/customer_allocation_inquiry.php | 2 +- sales/inquiry/customer_inquiry.php | 2 +- sales/inquiry/sales_deliveries_view.php | 9 ++-- sales/inquiry/sales_orders_view.php | 11 ++-- sales/manage/credit_status.php | 2 +- sales/manage/customer_branches.php | 14 ++--- sales/manage/customers.php | 2 +- sales/manage/recurrent_invoices.php | 8 +-- sales/manage/sales_areas.php | 8 +-- sales/manage/sales_groups.php | 8 +-- sales/manage/sales_people.php | 8 +-- sales/manage/sales_types.php | 4 +- sales/view/view_sales_order.php | 6 +-- taxes/db/item_tax_types_db.inc | 17 +++--- taxes/db/tax_groups_db.inc | 14 ++--- taxes/db/tax_types_db.inc | 8 +-- taxes/item_tax_types.php | 2 +- taxes/tax_calc.inc | 2 +- taxes/tax_groups.php | 4 +- 
taxes/tax_types.php | 2 +-
51 files changed, 249 insertions(+), 192 deletions(-)
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 96e38056..7ae36953 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -19,6 +19,59 @@ Legend: ! -> Note $ -> Affected files +15-Oct-2009 Joe Hunt +# Security sql statements update against sql injection attacks. +$ /reporting/rep101.php + /reporting/rep102.php + /reporting/rep103.php + /reporting/rep104.php + /reporting/rep105.php + /reporting/rep106.php + /reporting/rep201.php + /reporting/rep202.php + /reporting/rep203.php + /reporting/rep204.php + /reporting/rep209.php + /reporting/rep301.php + /reporting/rep302.php + /reporting/rep303.php + /reporting/rep304.php + /reporting/rep401.php + /reporting/rep501.php + /reporting/rep705.php + /sales/create_recurrent_invoices.php + /sales/customer_payments.php + /sales/includes/sales_db.inc + /sales/includes/db/branches_db.inc + /sales/includes/db/credit_status_db.inc + /sales/includes/db/custalloc_db.inc + /sales/includes/db/customers_db.inc + /sales/includes/db/cust_trans_db.inc + /sales/includes/db/cust_trans_details_db.inc + /sales/includes/db/sales_order_db.inc + /sales/includes/db/sales_points_db.inc + /sales/includes/db/sales_types_db.inc + /sales/inquiry/customer_allocation_inquiry.php + /sales/inquiry/customer_inquiry.php + /sales/inquiry/sales_deliveries_view.php + /sales/inquiry/sales_orders_view.php + /sales/manage/credit_status.php + /sales/manage/customers.php + /sales/manage/customer_branches.php + /sales/manage/recurrent_invoices.php + /sales/manage/sales_areas.php + /sales/manage/sales_groups.php + /sales/manage/sales_people.php + /sales/manage/sales_types.php + /sales/view/view_sales_order.php + /taxes/item_tax_types.php + /taxes/tax_groups.php + /taxes/tax_types.php + /taxes/tax_calc.php + /taxes/db/item_tax_types_db.inc + /taxes/db/tax_groups_db.inc + /taxes/db/tax_types_db.inc + 15-Oct-2009 Janusz Dobrowolski ! Added html_entity_decode() in db_escape() for correct INSERT>SELECT>INSERT sequences. $ /includes/db/connect_db.inc diff --git a/reporting/rep101.php b/reporting/rep101.php index 59bb026b..cce4be02 100644 --- a/reporting/rep101.php +++ b/reporting/rep101.php 
@@ -40,7 +40,7 @@ function get_transactions($debtorno, $date) AND ".TB_PREF."debtor_trans.due_date < '$date') AS OverDue FROM ".TB_PREF."debtor_trans, ".TB_PREF."sys_types WHERE ".TB_PREF."debtor_trans.tran_date <= '$date' - AND ".TB_PREF."debtor_trans.debtor_no = '$debtorno' + AND ".TB_PREF."debtor_trans.debtor_no = $debtorno AND ".TB_PREF."debtor_trans.type != 13 AND ".TB_PREF."debtor_trans.type = ".TB_PREF."sys_types.type_id ORDER BY ".TB_PREF."debtor_trans.tran_date"; @@ -100,7 +100,7 @@ function print_customer_balances() $sql = "SELECT debtor_no, name, curr_code FROM ".TB_PREF."debtors_master "; if ($fromcust != reserved_words::get_all_numeric()) - $sql .= "WHERE debtor_no=$fromcust "; + $sql .= "WHERE debtor_no=".db_escape($fromcust)." "; $sql .= "ORDER BY name"; $result = db_query($sql, "The customers could not be retrieved"); diff --git a/reporting/rep102.php b/reporting/rep102.php index dfe44570..91425cb7 100644 --- a/reporting/rep102.php +++ b/reporting/rep102.php @@ -27,7 +27,7 @@ include_once($path_to_root . "/gl/includes/gl_db.inc"); print_aged_customer_analysis(); -function get_invoices($costomer_id, $to) +function get_invoices($customer_id, $to) { $todate = date2sql($to); $PastDueDays1 = get_company_pref('past_due_days'); @@ -54,7 +54,7 @@ function get_invoices($costomer_id, $to) AND ".TB_PREF."debtor_trans.type <> 13 AND ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator AND ".TB_PREF."debtors_master.debtor_no = ".TB_PREF."debtor_trans.debtor_no - AND ".TB_PREF."debtor_trans.debtor_no = $costomer_id + AND ".TB_PREF."debtor_trans.debtor_no = $customer_id AND ".TB_PREF."debtor_trans.tran_date <= '$todate' AND ABS(".TB_PREF."debtor_trans.ov_amount + ".TB_PREF."debtor_trans.ov_gst + ".TB_PREF."debtor_trans.ov_freight + ".TB_PREF."debtor_trans.ov_freight_tax + ".TB_PREF."debtor_trans.ov_discount) > 0.004 ORDER BY ".TB_PREF."debtor_trans.tran_date"; 
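Review bot: In get_transactions (rep101.php) the new line `debtor_no = $debtorno` drops the quotes around the value but adds no escaping, so this value now reaches the query with less protection than it had before the commit; get_invoices in rep102.php (`debtor_no = $customer_id`) and getTransactions in rep108.php follow the same pattern. Every other hunk in the commit routes comparable ids through db_escape, which evidently supplies its own quoting since the literal quotes are removed wherever it is introduced, so `AND ".TB_PREF."debtor_trans.debtor_no = ".db_escape($debtorno)."` would keep the three functions consistent with the rest of the change. The enclosing functions start outside their hunks.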
@@ -133,7 +133,7 @@ function print_aged_customer_analysis() $sql = "SELECT debtor_no, name, curr_code FROM ".TB_PREF."debtors_master "; if ($fromcust != reserved_words::get_all_numeric()) - $sql .= "WHERE debtor_no=$fromcust "; + $sql .= "WHERE debtor_no=".db_escape($fromcust)." "; $sql .= "ORDER BY name"; $result = db_query($sql, "The customers could not be retrieved"); diff --git a/reporting/rep103.php b/reporting/rep103.php index f7ae195e..e68027fd 100644 --- a/reporting/rep103.php +++ b/reporting/rep103.php @@ -56,13 +56,13 @@ function get_customer_details_for_report($area=0, $salesid=0) if ($area != 0) { if ($salesid != 0) - $sql .= " WHERE ".TB_PREF."salesman.salesman_code='$salesid' - AND ".TB_PREF."areas.area_code='$area'"; + $sql .= " WHERE ".TB_PREF."salesman.salesman_code=".db_escape($salesid)." + AND ".TB_PREF."areas.area_code=".db_escape($area); else - $sql .= " WHERE ".TB_PREF."areas.area_code='$area'"; + $sql .= " WHERE ".TB_PREF."areas.area_code=".db_escape($area); } elseif ($salesid != 0) - $sql .= " WHERE ".TB_PREF."salesman.salesman_code='$salesid'"; + $sql .= " WHERE ".TB_PREF."salesman.salesman_code=".db_escape($salesid); $sql .= " ORDER BY description, ".TB_PREF."salesman.salesman_name, ".TB_PREF."debtors_master.debtor_no, @@ -81,7 +81,7 @@ function getTransactions($debtorno, $branchcode, $date) WHERE debtor_no='$debtorno' AND branch_code='$branchcode' AND (type=10 or type=11) - AND trandate >='$date'"; + AND tran_date >='$date'"; $result = db_query($sql,"No transactions were returned"); diff --git a/reporting/rep104.php b/reporting/rep104.php index 42eed722..de7d5400 100644 --- a/reporting/rep104.php +++ b/reporting/rep104.php 
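Review bot: The getTransactions hunk in rep103.php corrects the `trandate` column name but leaves `debtor_no='$debtorno' AND branch_code='$branchcode'` as raw interpolation, even though get_customer_details_for_report in the hunk just above moves `$salesid` and `$area` to db_escape. `WHERE debtor_no=".db_escape($debtorno)." AND branch_code=".db_escape($branchcode)."` would match the sibling hunk. Whether `$date` has been normalised by date2sql before this point is not visible here, since the function body begins outside the hunk.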
@@ -40,7 +40,7 @@ function fetch_items($category=0) ".TB_PREF."stock_category WHERE ".TB_PREF."stock_master.category_id=".TB_PREF."stock_category.category_id"; if ($category != 0) - $sql .= " AND ".TB_PREF."stock_category.category_id = '$category'"; + $sql .= " AND ".TB_PREF."stock_category.category_id = ".db_escape($category); $sql .= " ORDER BY ".TB_PREF."stock_master.category_id, ".TB_PREF."stock_master.stock_id"; @@ -57,7 +57,7 @@ function get_kits($category=0) ON i.category_id=c.category_id"; $sql .= " WHERE !i.is_foreign AND i.item_code!=i.stock_id"; if ($category != 0) - $sql .= " AND c.category_id = '$category'"; + $sql .= " AND c.category_id = ".db_escape($category); $sql .= " GROUP BY i.item_code"; return db_query($sql,"No kits were returned"); } diff --git a/reporting/rep105.php b/reporting/rep105.php index bc367e6a..e3cd6de7 100644 --- a/reporting/rep105.php +++ b/reporting/rep105.php @@ -55,11 +55,11 @@ function GetSalesOrders($from, $to, $category=0, $location=null, $backorder=0) WHERE ".TB_PREF."sales_orders.ord_date >='$fromdate' AND ".TB_PREF."sales_orders.ord_date <='$todate'"; if ($category > 0) - $sql .= " AND ".TB_PREF."stock_master.category_id=$category"; + $sql .= " AND ".TB_PREF."stock_master.category_id=".db_escape($category); if ($location != null) - $sql .= " AND ".TB_PREF."sales_orders.from_stk_loc='$location'"; + $sql .= " AND ".TB_PREF."sales_orders.from_stk_loc=".db_escape($location); if ($backorder) - $sql .= "AND ".TB_PREF."sales_order_details.quantity - ".TB_PREF."sales_order_details.qty_sent > 0"; + $sql .= " AND ".TB_PREF."sales_order_details.quantity - ".TB_PREF."sales_order_details.qty_sent > 0"; $sql .= " ORDER BY ".TB_PREF."sales_orders.order_no"; return db_query($sql, "Error getting order details"); diff --git a/reporting/rep108.php b/reporting/rep108.php index 8e0316d7..e07e49fe 100644 --- a/reporting/rep108.php +++ b/reporting/rep108.php 
@@ -37,7 +37,7 @@ function getTransactions($debtorno, $date) ((".TB_PREF."debtor_trans.type = 10) AND ".TB_PREF."debtor_trans.due_date < '$date') AS OverDue FROM ".TB_PREF."debtor_trans, ".TB_PREF."sys_types - WHERE ".TB_PREF."debtor_trans.tran_date <= '$date' AND ".TB_PREF."debtor_trans.debtor_no = '$debtorno' + WHERE ".TB_PREF."debtor_trans.tran_date <= '$date' AND ".TB_PREF."debtor_trans.debtor_no = $debtorno AND ".TB_PREF."debtor_trans.type = ".TB_PREF."sys_types.type_id AND ".TB_PREF."debtor_trans.type <> 13 ORDER BY ".TB_PREF."debtor_trans.tran_date"; @@ -86,7 +86,7 @@ function print_statements() $sql = "SELECT debtor_no, name AS DebtorName, address, tax_id, email, curr_code, curdate() AS tran_date, payment_terms FROM ".TB_PREF."debtors_master"; if ($customer != reserved_words::get_all_numeric()) - $sql .= " WHERE debtor_no = $customer"; + $sql .= " WHERE debtor_no = ".db_escape($customer); else $sql .= " ORDER by name"; $result = db_query($sql, "The customers could not be retrieved"); diff --git a/reporting/rep201.php b/reporting/rep201.php index 29f54332..0e5f774e 100644 --- a/reporting/rep201.php +++ b/reporting/rep201.php @@ -99,7 +99,7 @@ function print_supplier_balances() $sql = "SELECT supplier_id, supp_name AS name, curr_code FROM ".TB_PREF."suppliers "; if ($fromsupp != reserved_words::get_all_numeric()) - $sql .= "WHERE supplier_id=$fromsupp "; + $sql .= "WHERE supplier_id=".db_escape($fromsupp)." "; $sql .= "ORDER BY supp_name"; $result = db_query($sql, "The customers could not be retrieved"); diff --git a/reporting/rep202.php b/reporting/rep202.php index fbb803db..5b47bec7 100644 --- a/reporting/rep202.php +++ b/reporting/rep202.php 
@@ -141,7 +141,7 @@ function print_aged_supplier_analysis() $sql = "SELECT supplier_id, supp_name AS name, curr_code FROM ".TB_PREF."suppliers "; if ($fromsupp != reserved_words::get_all_numeric()) - $sql .= "WHERE supplier_id=$fromsupp "; + $sql .= "WHERE supplier_id=".db_escape($fromsupp)." "; $sql .= "ORDER BY supp_name"; $result = db_query($sql, "The suppliers could not be retrieved"); diff --git a/reporting/rep203.php b/reporting/rep203.php index c276188f..f61e4bbf 100644 --- a/reporting/rep203.php +++ b/reporting/rep203.php @@ -107,7 +107,7 @@ function print_payment_report() $sql = "SELECT supplier_id, supp_name AS name, curr_code, ".TB_PREF."payment_terms.terms FROM ".TB_PREF."suppliers, ".TB_PREF."payment_terms WHERE "; if ($fromsupp != reserved_words::get_all_numeric()) - $sql .= "supplier_id=$fromsupp AND "; + $sql .= "supplier_id=".db_escape($fromsupp)." AND "; $sql .= "".TB_PREF."suppliers.payment_terms = ".TB_PREF."payment_terms.terms_indicator ORDER BY supp_name"; $result = db_query($sql, "The customers could not be retrieved"); diff --git a/reporting/rep204.php b/reporting/rep204.php index c0efd034..07e84e73 100644 --- a/reporting/rep204.php +++ b/reporting/rep204.php @@ -49,7 +49,7 @@ function getTransactions($fromsupp) AND ".TB_PREF."grn_items.po_detail_item = ".TB_PREF."purch_order_details.po_detail_item AND qty_recd-quantity_inv <>0 "; if ($fromsupp != reserved_words::get_all_numeric()) - $sql .= "AND ".TB_PREF."grn_batch.supplier_id ='" . $fromsupp . "' "; + $sql .= "AND ".TB_PREF."grn_batch.supplier_id =".db_escape($fromsupp)." "; $sql .= "ORDER BY ".TB_PREF."grn_batch.supplier_id, ".TB_PREF."grn_batch.id"; diff --git a/reporting/rep209.php b/reporting/rep209.php index b9a8a049..9015a1b2 100644 --- a/reporting/rep209.php +++ b/reporting/rep209.php 
@@ -35,7 +35,7 @@ function get_po($order_no) FROM ".TB_PREF."purch_orders, ".TB_PREF."suppliers, ".TB_PREF."locations WHERE ".TB_PREF."purch_orders.supplier_id = ".TB_PREF."suppliers.supplier_id AND ".TB_PREF."locations.loc_code = into_stock_location - AND ".TB_PREF."purch_orders.order_no = " . $order_no; + AND ".TB_PREF."purch_orders.order_no = ".db_escape($order_no); $result = db_query($sql, "The order cannot be retrieved"); return db_fetch($result); } @@ -46,7 +46,7 @@ function get_po_details($order_no) FROM ".TB_PREF."purch_order_details LEFT JOIN ".TB_PREF."stock_master ON ".TB_PREF."purch_order_details.item_code=".TB_PREF."stock_master.stock_id - WHERE order_no =$order_no "; + WHERE order_no =".db_escape($order_no)." "; $sql .= " ORDER BY po_detail_item"; return db_query($sql, "Retreive order Line Items"); } diff --git a/reporting/rep301.php b/reporting/rep301.php index 2b18d24b..a576b0f0 100644 --- a/reporting/rep301.php +++ b/reporting/rep301.php @@ -52,9 +52,9 @@ function getTransactions($category, $location) ".TB_PREF."stock_master.description HAVING SUM(".TB_PREF."stock_moves.qty) != 0"; if ($category != 0) - $sql .= " AND ".TB_PREF."stock_master.category_id = '$category'"; + $sql .= " AND ".TB_PREF."stock_master.category_id = ".db_escape($category); if ($location != 'all') - $sql .= " AND ".TB_PREF."stock_moves.loc_code = '$location'"; + $sql .= " AND ".TB_PREF."stock_moves.loc_code = ".db_escape($location); $sql .= " ORDER BY ".TB_PREF."stock_master.category_id, ".TB_PREF."stock_master.stock_id"; diff --git a/reporting/rep302.php b/reporting/rep302.php index e92c27c5..d4f29975 100644 --- a/reporting/rep302.php +++ b/reporting/rep302.php 
@@ -44,9 +44,9 @@ function getTransactions($category, $location) WHERE ".TB_PREF."stock_master.category_id=".TB_PREF."stock_category.category_id AND (".TB_PREF."stock_master.mb_flag='B' OR ".TB_PREF."stock_master.mb_flag='M')"; if ($category != 0) - $sql .= " AND ".TB_PREF."stock_master.category_id = '$category'"; + $sql .= " AND ".TB_PREF."stock_master.category_id = ".db_escape($category); if ($location != 'all') - $sql .= " AND IF(".TB_PREF."stock_moves.stock_id IS NULL, '1=1',".TB_PREF."stock_moves.loc_code = '$location')"; + $sql .= " AND IF(".TB_PREF."stock_moves.stock_id IS NULL, '1=1',".TB_PREF."stock_moves.loc_code = ".db_escape($location).")"; $sql .= " GROUP BY ".TB_PREF."stock_master.category_id, ".TB_PREF."stock_category.description, ".TB_PREF."stock_master.stock_id, diff --git a/reporting/rep303.php b/reporting/rep303.php index 19be2ee9..e3ffbc6b 100644 --- a/reporting/rep303.php +++ b/reporting/rep303.php @@ -44,9 +44,9 @@ function getTransactions($category, $location) WHERE ".TB_PREF."stock_master.category_id=".TB_PREF."stock_category.category_id AND (".TB_PREF."stock_master.mb_flag='B' OR ".TB_PREF."stock_master.mb_flag='M')"; if ($category != 0) - $sql .= " AND ".TB_PREF."stock_master.category_id = '$category'"; + $sql .= " AND ".TB_PREF."stock_master.category_id = ".db_escape($category); if ($location != 'all') - $sql .= " AND IF(".TB_PREF."stock_moves.stock_id IS NULL, '1=1',".TB_PREF."stock_moves.loc_code = '$location')"; + $sql .= " AND IF(".TB_PREF."stock_moves.stock_id IS NULL, '1=1',".TB_PREF."stock_moves.loc_code = ".db_escape($location).")"; $sql .= " GROUP BY ".TB_PREF."stock_master.category_id, ".TB_PREF."stock_category.description, ".TB_PREF."stock_master.stock_id, diff --git a/reporting/rep304.php b/reporting/rep304.php index bb4006f1..661e56e2 100644 --- a/reporting/rep304.php +++ b/reporting/rep304.php 
@@ -59,11 +59,11 @@ function getTransactions($category, $location, $fromcust, $from, $to) AND ((".TB_PREF."debtor_trans.type=13 AND ".TB_PREF."debtor_trans.version=1) OR ".TB_PREF."stock_moves.type=11) AND (".TB_PREF."stock_master.mb_flag='B' OR ".TB_PREF."stock_master.mb_flag='M')"; if ($category != 0) - $sql .= " AND ".TB_PREF."stock_master.category_id = '$category'"; + $sql .= " AND ".TB_PREF."stock_master.category_id = ".db_escape($category); if ($location != 'all') - $sql .= " AND ".TB_PREF."stock_moves.loc_code = '$location'"; + $sql .= " AND ".TB_PREF."stock_moves.loc_code = ".db_escape($location); if ($fromcust != -1) - $sql .= " AND ".TB_PREF."debtors_master.debtor_no = $fromcust"; + $sql .= " AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($fromcust); $sql .= " GROUP BY ".TB_PREF."stock_master.stock_id, ".TB_PREF."debtors_master.name ORDER BY ".TB_PREF."stock_master.category_id, ".TB_PREF."stock_master.stock_id, ".TB_PREF."debtors_master.name"; return db_query($sql,"No transactions were returned"); diff --git a/reporting/rep401.php b/reporting/rep401.php index 8ae240e3..fc1468fc 100644 --- a/reporting/rep401.php +++ b/reporting/rep401.php @@ -40,8 +40,8 @@ function getTransactions($from, $to) ".TB_PREF."stock_master, ".TB_PREF."bom WHERE ".TB_PREF."stock_master.stock_id=".TB_PREF."bom.component - AND ".TB_PREF."bom.parent >= '$from' - AND ".TB_PREF."bom.parent <= '$to' + AND ".TB_PREF."bom.parent >= ".db_escape($from)." + AND ".TB_PREF."bom.parent <= ".db_escape($to)." ORDER BY ".TB_PREF."bom.parent, ".TB_PREF."bom.component"; diff --git a/reporting/rep501.php b/reporting/rep501.php index b697925f..0435dafb 100644 --- a/reporting/rep501.php +++ b/reporting/rep501.php @@ -32,8 +32,8 @@ function getTransactions($from, $to) $sql = "SELECT * FROM ".TB_PREF."dimensions - WHERE reference >= '$from' - AND reference <= '$to' + WHERE reference >= ".db_escape($from)." + AND reference <= ".db_escape($to)." ORDER BY reference"; 
diff --git a/reporting/rep705.php b/reporting/rep705.php index a9ca35ea..0f088182 100644 --- a/reporting/rep705.php +++ b/reporting/rep705.php @@ -62,9 +62,9 @@ function getPeriods($year, $account, $dimension, $dimension2) FROM ".TB_PREF."gl_trans WHERE account='$account'"; if ($dimension > 0) - $sql .= " AND dimension_id = $dimension"; + $sql .= " AND dimension_id = ".db_escape($dimension); if ($dimension2 > 0) - $sql .= " AND dimension2_id = $dimension2"; + $sql .= " AND dimension2_id = ".db_escape($dimension2); $result = db_query($sql, "Transactions for account $account could not be calculated"); diff --git a/sales/create_recurrent_invoices.php b/sales/create_recurrent_invoices.php index 603eef15..413ef192 100644 --- a/sales/create_recurrent_invoices.php +++ b/sales/create_recurrent_invoices.php @@ -26,7 +26,7 @@ page(_("Create and Print Recurrent Invoices"), false, false, "", $js); function set_last_sent($id, $date) { $date = date2sql($date); - $sql = "UPDATE ".TB_PREF."recurrent_invoices SET last_sent='$date' WHERE id=$id"; + $sql = "UPDATE ".TB_PREF."recurrent_invoices SET last_sent='$date' WHERE id=".db_escape($id); db_query($sql,"The recurrent invoice could not be updated or added"); } @@ -60,7 +60,7 @@ function create_recurrent_invoices($customer_id, $branch_id, $order_no, $tmpl_no if (isset($_GET['recurrent'])) { $invs = array(); - $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id=".$_GET['recurrent']; + $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id=".db_escape($_GET['recurrent']); $result = db_query($sql,"could not get recurrent invoice"); $myrow = db_fetch($result); 
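Review bot: In getPeriods (rep705.php) the hunk escapes `$dimension` and `$dimension2`, but the context line `WHERE account='$account'` still interpolates the account code directly, and the same value is echoed into the db_query error message. `WHERE account=".db_escape($account)` (dropping the literal quotes, as done elsewhere in the commit) would close that gap. getPeriods starts outside the hunk.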
@@ -95,7 +95,7 @@ if (isset($_GET['recurrent'])) //------------------------------------------------------------------------------------------------- function get_sales_group_name($group_no) { - $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = $group_no"; + $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = ".db_escape($group_no); $result = db_query($sql, "could not get group"); $row = db_fetch($result); return $row[0]; diff --git a/sales/customer_payments.php b/sales/customer_payments.php index 8a391032..92e44b50 100644 --- a/sales/customer_payments.php +++ b/sales/customer_payments.php @@ -162,7 +162,7 @@ function read_customer_data() ".TB_PREF."credit_status.dissallow_invoices FROM ".TB_PREF."debtors_master, ".TB_PREF."credit_status WHERE ".TB_PREF."debtors_master.credit_status = ".TB_PREF."credit_status.id - AND ".TB_PREF."debtors_master.debtor_no = '" . $_POST['customer_id'] . "'"; + AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($_POST['customer_id']); $result = db_query($sql, "could not query customers"); diff --git a/sales/includes/db/branches_db.inc b/sales/includes/db/branches_db.inc index 72a96565..97d6fa20 100644 --- a/sales/includes/db/branches_db.inc +++ b/sales/includes/db/branches_db.inc @@ -14,7 +14,7 @@ function get_branch($branch_id) $sql = "SELECT ".TB_PREF."cust_branch.*,".TB_PREF."salesman.salesman_name FROM ".TB_PREF."cust_branch, ".TB_PREF."salesman WHERE ".TB_PREF."cust_branch.salesman=".TB_PREF."salesman.salesman_code - AND branch_code=$branch_id"; + AND branch_code=".db_escape($branch_id); $result = db_query($sql, "Cannot retreive a customer branch"); 
@@ -24,7 +24,7 @@ function get_branch($branch_id) function get_branch_accounts($branch_id) { $sql = "SELECT receivables_account,sales_account, sales_discount_account, payment_discount_account - FROM ".TB_PREF."cust_branch WHERE branch_code=$branch_id"; + FROM ".TB_PREF."cust_branch WHERE branch_code=".db_escape($branch_id); $result = db_query($sql, "Cannot retreive a customer branch"); @@ -34,7 +34,7 @@ function get_branch_accounts($branch_id) function get_branch_name($branch_id) { $sql = "SELECT br_name FROM ".TB_PREF."cust_branch - WHERE branch_code = '$branch_id'"; + WHERE branch_code = ".db_escape($branch_id); $result = db_query($sql,"could not retreive name for branch" . $branch_id); @@ -45,7 +45,7 @@ function get_branch_name($branch_id) function get_cust_branches_from_group($group_no) { $sql = "SELECT branch_code, debtor_no FROM ".TB_PREF."cust_branch - WHERE group_no = '$group_no'"; + WHERE group_no = ".db_escape($group_no); return db_query($sql,"could not retreive branches for group " . $group_no); } diff --git a/sales/includes/db/credit_status_db.inc b/sales/includes/db/credit_status_db.inc index 411cdfd5..e60d8cfa 100644 --- a/sales/includes/db/credit_status_db.inc +++ b/sales/includes/db/credit_status_db.inc @@ -12,7 +12,7 @@ function add_credit_status($description, $disallow_invoicing) { $sql = "INSERT INTO ".TB_PREF."credit_status (reason_description, dissallow_invoices) - VALUES (".db_escape($description).",$disallow_invoicing)"; + VALUES (".db_escape($description).",".db_escape($disallow_invoicing).")"; db_query($sql, "could not add credit status"); } 
@@ -20,7 +20,7 @@ function add_credit_status($description, $disallow_invoicing) function update_credit_status($status_id, $description, $disallow_invoicing) { $sql = "UPDATE ".TB_PREF."credit_status SET reason_description=".db_escape($description).", - dissallow_invoices=$disallow_invoicing WHERE id=$status_id"; + dissallow_invoices=".db_escape($disallow_invoicing)." WHERE id=".db_escape($status_id); db_query($sql, "could not update credit status"); } @@ -34,7 +34,7 @@ function get_all_credit_status() function get_credit_status($status_id) { - $sql = "SELECT * FROM ".TB_PREF."credit_status WHERE id=$status_id"; + $sql = "SELECT * FROM ".TB_PREF."credit_status WHERE id=".db_escape($status_id); $result = db_query($sql, "could not get credit status"); @@ -43,7 +43,7 @@ function get_credit_status($status_id) function delete_credit_status($status_id) { - $sql="DELETE FROM ".TB_PREF."credit_status WHERE id=$status_id"; + $sql="DELETE FROM ".TB_PREF."credit_status WHERE id=".db_escape($status_id); db_query($sql, "could not delete credit status"); } diff --git a/sales/includes/db/cust_trans_db.inc b/sales/includes/db/cust_trans_db.inc index dbfa8572..6fd381a9 100644 --- a/sales/includes/db/cust_trans_db.inc +++ b/sales/includes/db/cust_trans_db.inc @@ -16,7 +16,7 @@ function get_parent_trans($trans_type, $trans_no) { $sql = 'SELECT trans_link FROM '.TB_PREF.'debtor_trans WHERE - (trans_no=' .$trans_no. ' AND type='.$trans_type.' AND trans_link!=0)'; + (trans_no='.db_escape($trans_no).' AND type='.db_escape($trans_type).' AND trans_link!=0)'; $result = db_query($sql, 'Parent document numbers cannot be retrieved'); 
@@ -28,7 +28,7 @@ function get_parent_trans($trans_type, $trans_no) { // invoice: find batch invoice parent trans. $sql = 'SELECT trans_no FROM '.TB_PREF.'debtor_trans WHERE - (trans_link='.$trans_no.' AND type='. get_parent_type($trans_type) .')'; + (trans_link='.db_escape($trans_no).' AND type='. get_parent_type($trans_type) .')'; $result = db_query($sql, 'Delivery links cannot be retrieved'); @@ -47,11 +47,10 @@ function get_parent_trans($trans_type, $trans_no) { function update_customer_trans_version($type, $versions) { $sql= 'UPDATE '.TB_PREF. 'debtor_trans SET version=version+1 - WHERE type='.$type. ' AND ('; + WHERE type='.db_escape($type).' AND ('; foreach ($versions as $trans_no=>$version) - $where[] = '(trans_no='.$trans_no. - ' AND version='.$version.')'; + $where[] = '(trans_no='.db_escape($trans_no).' AND version='.$version.')'; $sql .= implode(' OR ', $where) .')'; @@ -68,7 +67,7 @@ function get_customer_trans_version($type, $trans_no) { $trans_no = array( $trans_no ); $sql= 'SELECT trans_no, version FROM '.TB_PREF. 'debtor_trans - WHERE type='.$type.' AND ('; + WHERE type='.db_escape($type).' AND ('; foreach ($trans_no as $key=>$trans) $trans_no[$key] = 'trans_no='.$trans_no[$key]; 
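Review bot: update_customer_trans_version escapes `$trans_no` but the other half of the same term, `' AND version='.$version.')'`, stays raw, and `$where` is never initialised before the foreach, so an empty `$versions` array leaves implode() working on an undefined variable and produces a trailing `AND ()`. Adding `$where = array();` before the loop and using `' AND version='.db_escape($version).')'` would address both. get_customer_trans_version in the following hunk has the same shape: `$trans_no[$key] = 'trans_no='.$trans_no[$key];` remains unescaped while `$type` is now escaped. Both functions extend beyond their hunks.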
@@ -116,23 +115,23 @@ function write_customer_trans($trans_type, $trans_no, $debtor_no, $BranchNo, ov_gst, ov_freight, ov_freight_tax, rate, ship_via, alloc, trans_link, dimension_id, dimension2_id - ) VALUES ($trans_no, $trans_type, + ) VALUES ($trans_no, ".db_escape($trans_type).", ".db_escape($debtor_no).", ".db_escape($BranchNo).", '$SQLDate', '$SQLDueDate', ".db_escape($reference).", - ".db_escape($sales_type).", $order_no, $Total, ".db_escape($discount).", $Tax, + ".db_escape($sales_type).", ".db_escape($order_no).", $Total, ".db_escape($discount).", $Tax, ".db_escape($Freight).", $FreightTax, $rate, ".db_escape($ship_via).", $AllocAmt, ".db_escape($trans_link).", - $dimension_id, $dimension2_id)"; + ".db_escape($dimension_id).", ".db_escape($dimension2_id).")"; } else { // may be optional argument should stay unchanged ? $sql = "UPDATE ".TB_PREF."debtor_trans SET debtor_no=".db_escape($debtor_no)." , branch_code=".db_escape($BranchNo).", tran_date='$SQLDate', due_date='$SQLDueDate', - reference=".db_escape($reference).", tpe=".db_escape($sales_type).", order_=$order_no, + reference=".db_escape($reference).", tpe=".db_escape($sales_type).", order_=".db_escape($order_no).", ov_amount=$Total, ov_discount=".db_escape($discount).", ov_gst=$Tax, ov_freight=".db_escape($Freight).", ov_freight_tax=$FreightTax, rate=$rate, ship_via=".db_escape($ship_via).", alloc=$AllocAmt, trans_link=$trans_link, - dimension_id=$dimension_id, dimension2_id=$dimension2_id - WHERE trans_no=$trans_no AND type=$trans_type"; + dimension_id=".db_escape($dimension_id).", dimension2_id=".db_escape($dimension2_id)." + WHERE trans_no=$trans_no AND type=".db_escape($trans_type); } db_query($sql, "The debtor transaction record could not be inserted"); 
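Review bot: write_customer_trans still interpolates `$trans_no` raw in both the INSERT value list and the UPDATE's `WHERE trans_no=$trans_no`, even though `$trans_type` on the same lines is now escaped, and the UPDATE branch keeps `trans_link=$trans_link` while the INSERT branch uses `db_escape($trans_link)`. The money columns (`$Total`, `$Tax`, `$FreightTax`, `$rate`, `$AllocAmt`) are presumably computed numbers, but `$discount` and `$Freight` on the same lines do go through the helper, so the split is hard to justify from this hunk alone. Switching the remaining `$trans_no` and `$trans_link` uses to db_escape would make the two branches symmetric. The function begins outside the hunk.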
@@ -178,8 +177,8 @@ function get_customer_trans($trans_id, $trans_type) $sql .= ", ".TB_PREF."shippers, ".TB_PREF."sales_types, ".TB_PREF."cust_branch, ".TB_PREF."tax_groups "; } - $sql .= " WHERE ".TB_PREF."debtor_trans.trans_no=$trans_id - AND ".TB_PREF."debtor_trans.type=$trans_type + $sql .= " WHERE ".TB_PREF."debtor_trans.trans_no=".db_escape($trans_id)." + AND ".TB_PREF."debtor_trans.type=".db_escape($trans_type)." AND ".TB_PREF."debtor_trans.debtor_no=".TB_PREF."debtors_master.debtor_no"; if ($trans_type == systypes::cust_payment()) { @@ -220,8 +219,8 @@ function get_customer_trans($trans_id, $trans_type) function exists_customer_trans($type, $type_no) { - $sql = "SELECT trans_no FROM ".TB_PREF."debtor_trans WHERE type=$type - AND trans_no=$type_no"; + $sql = "SELECT trans_no FROM ".TB_PREF."debtor_trans WHERE type=".db_escape($type)." + AND trans_no=".db_escape($type_no); $result = db_query($sql, "Cannot retreive a debtor transaction"); @@ -234,7 +233,7 @@ function exists_customer_trans($type, $type_no) function get_customer_trans_order($type, $type_no) { - $sql = "SELECT order_ FROM ".TB_PREF."debtor_trans WHERE type=$type AND trans_no=$type_no"; + $sql = "SELECT order_ FROM ".TB_PREF."debtor_trans WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no); $result = db_query($sql, "The debtor transaction could not be queried"); 
@@ -249,7 +248,7 @@ function get_customer_details_from_trans($type, $type_no) { $sql = "SELECT ".TB_PREF."debtors_master.name, ".TB_PREF."debtors_master.curr_code, ".TB_PREF."cust_branch.br_name FROM ".TB_PREF."debtors_master,".TB_PREF."cust_branch,".TB_PREF."debtor_trans - WHERE ".TB_PREF."debtor_trans.type=$type AND ".TB_PREF."debtor_trans.trans_no=$type_no + WHERE ".TB_PREF."debtor_trans.type=".db_escape($type)." AND ".TB_PREF."debtor_trans.trans_no=".db_escape($type_no)." AND ".TB_PREF."debtors_master.debtor_no = ".TB_PREF."debtor_trans.debtor_no AND ".TB_PREF."cust_branch.branch_code = ".TB_PREF."debtor_trans.branch_code"; @@ -263,7 +262,7 @@ function void_customer_trans($type, $type_no) { // clear all values and mark as void $sql = "UPDATE ".TB_PREF."debtor_trans SET ov_amount=0, ov_discount=0, ov_gst=0, ov_freight=0, - ov_freight_tax=0, alloc=0, version=version+1 WHERE type=$type AND trans_no=$type_no"; + ov_freight_tax=0, alloc=0, version=version+1 WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no); db_query($sql, "could not void debtor transactions for type=$type and trans_no=$type_no"); } @@ -291,7 +290,7 @@ function post_void_customer_trans($type, $type_no) function get_customer_trans_link($type, $type_no) { $row = db_query("SELECT trans_link from ".TB_PREF."debtor_trans - WHERE type=$type AND trans_no=$type_no", + WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no), "could not get transaction link for type=$type and trans_no=$type_no"); return $row[0]; } diff --git a/sales/includes/db/cust_trans_details_db.inc b/sales/includes/db/cust_trans_details_db.inc index 17c30c19..86310ffa 100644 --- a/sales/includes/db/cust_trans_details_db.inc +++ b/sales/includes/db/cust_trans_details_db.inc 
@@ -30,7 +30,7 @@ if (!is_array($debtor_trans_no)) $sql .= implode(' OR ', $tr); - $sql.= ") AND debtor_trans_type=$debtor_trans_type + $sql.= ") AND debtor_trans_type=".db_escape($debtor_trans_type)." AND ".TB_PREF."stock_master.stock_id=".TB_PREF."debtor_trans_details.stock_id ORDER BY id"; return db_query($sql, "The debtor transaction detail could not be queried"); @@ -42,8 +42,8 @@ function void_customer_trans_details($type, $type_no) { $sql = "UPDATE ".TB_PREF."debtor_trans_details SET quantity=0, unit_price=0, unit_tax=0, discount_percent=0, standard_cost=0 - WHERE debtor_trans_no=$type_no - AND debtor_trans_type=$type"; + WHERE debtor_trans_no=".db_escape($type_no)." + AND debtor_trans_type=".db_escape($type); db_query($sql, "The debtor transaction details could not be voided"); @@ -64,12 +64,12 @@ function write_customer_trans_detail_item($debtor_trans_type, $debtor_trans_no, unit_tax=$unit_tax, discount_percent=$discount_percent, standard_cost=$std_cost WHERE - id=$line_id"; + id=".db_escape($line_id); else $sql = "INSERT INTO ".TB_PREF."debtor_trans_details (debtor_trans_no, debtor_trans_type, stock_id, description, quantity, unit_price, unit_tax, discount_percent, standard_cost) - VALUES ($debtor_trans_no, $debtor_trans_type, ".db_escape($stock_id). + VALUES (".db_escape($debtor_trans_no).", ".db_escape($debtor_trans_type).", ".db_escape($stock_id). ", ".db_escape($description).", $quantity, $unit_price, $unit_tax, $discount_percent, $std_cost)"; diff --git a/sales/includes/db/custalloc_db.inc b/sales/includes/db/custalloc_db.inc index e9695bbc..80bc9213 100644 --- a/sales/includes/db/custalloc_db.inc +++ b/sales/includes/db/custalloc_db.inc 
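Review bot: write_customer_trans_detail_item now escapes the ids, but `$quantity, $unit_price, $unit_tax, $discount_percent, $std_cost` are still spliced raw into both the UPDATE SET list and the INSERT VALUES list; unless every caller guarantees these are numeric before the call, they carry the same exposure the commit sets out to remove, and a short comment stating that guarantee would help if the raw form is intentional. In the first hunk, `implode(' OR ', $tr)` is only as safe as the way `$tr` was built above the hunk, which is not visible here. Both functions start outside their hunks.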
@@ -17,7 +17,8 @@ function add_cust_allocation($amount, $trans_type_from, $trans_no_from, $sql = "INSERT INTO ".TB_PREF."cust_allocations ( amt, date_alloc, trans_type_from, trans_no_from, trans_no_to, trans_type_to) - VALUES ($amount, Now(), $trans_type_from, $trans_no_from, $trans_no_to, $trans_type_to)"; + VALUES ($amount, Now(), ".db_escape($trans_type_from).", ".db_escape($trans_no_from).", ".db_escape($trans_no_to) + .", ".db_escape($trans_type_to).")"; db_query($sql, "A customer allocation could not be added to the database"); } @@ -27,7 +28,7 @@ function add_cust_allocation($amount, $trans_type_from, $trans_no_from, function delete_cust_allocation($trans_id) { - $sql = "DELETE FROM ".TB_PREF."cust_allocations WHERE id = " . $trans_id; + $sql = "DELETE FROM ".TB_PREF."cust_allocations WHERE id = ".db_escape($trans_id); return db_query($sql, "The existing allocation $trans_id could not be deleted"); } @@ -37,7 +38,7 @@ function get_DebtorTrans_allocation_balance($trans_type, $trans_no) { $sql = "SELECT (ov_amount+ov_gst+ov_freight+ov_freight_tax-ov_discount-alloc) AS BalToAllocate - FROM ".TB_PREF."debtor_trans WHERE trans_no=$trans_no AND type=$trans_type"; + FROM ".TB_PREF."debtor_trans WHERE trans_no=".db_escape($trans_no)." AND type=".db_escape($trans_type); $result = db_query($sql,"calculate the allocation"); $myrow = db_fetch_row($result); @@ -49,7 +50,7 @@ function get_DebtorTrans_allocation_balance($trans_type, $trans_no) function update_debtor_trans_allocation($trans_type, $trans_no, $alloc) { $sql = "UPDATE ".TB_PREF."debtor_trans SET alloc = alloc + $alloc - WHERE type=$trans_type AND trans_no = $trans_no"; + WHERE type=".db_escape($trans_type)." AND trans_no = ".db_escape($trans_no); db_query($sql, "The debtor transaction record could not be modified for the allocation against it"); } 
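Review bot: add_cust_allocation still interpolates `$amount` raw at the head of the VALUES list, and update_debtor_trans_allocation does the same with `$alloc` in `SET alloc = alloc + $alloc`, while the ids beside them were escaped. Unless both are guaranteed numeric by the callers (which are not in this hunk), they remain unescaped input; `(float)` casts or db_escape() on both would close the gap in the same style as the rest of the statement. The `$trans_id` in delete_cust_allocation's message text is only in the error string, not the SQL, so that one is fine.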
@@ -66,8 +67,8 @@ function clear_cust_alloctions($type, $type_no, $date="") { // clear any allocations for this transaction $sql = "SELECT * FROM ".TB_PREF."cust_allocations - WHERE (trans_type_from=$type AND trans_no_from=$type_no) - OR (trans_type_to=$type AND trans_no_to=$type_no)"; + WHERE (trans_type_from=".db_escape($type)." AND trans_no_from=".db_escape($type_no).") + OR (trans_type_to=".db_escape($type)." AND trans_no_to=".db_escape($type_no).")"; $result = db_query($sql, "could not void debtor transactions for type=$type and trans_no=$type_no"); while ($row = db_fetch($result)) @@ -86,8 +87,8 @@ function clear_cust_alloctions($type, $type_no, $date="") // remove any allocations for this transaction $sql = "DELETE FROM ".TB_PREF."cust_allocations - WHERE (trans_type_from=$type AND trans_no_from=$type_no) - OR (trans_type_to=$type AND trans_no_to=$type_no)"; + WHERE (trans_type_from=".db_escape($type)." AND trans_no_from=".db_escape($type_no).") + OR (trans_type_to=".db_escape($type)." AND trans_no_to=".db_escape($type_no).")"; db_query($sql, "could not void debtor transactions for type=$type and trans_no=$type_no"); } @@ -136,7 +137,7 @@ function get_allocatable_from_cust_sql($customer_id, $settled) } $cust_sql = ""; if ($customer_id != null) - $cust_sql = " AND trans.debtor_no = $customer_id"; + $cust_sql = " AND trans.debtor_no = ".db_escape($customer_id); $sql = get_alloc_trans_sql("round(ov_amount+ov_gst+ov_freight+ov_freight_tax+ov_discount-alloc,6) <= 0 AS settled", "(type=12 OR type=11 OR type=2) AND (trans.ov_amount > 0) " . $settled_sql . $cust_sql); @@ -154,7 +155,7 @@ function get_allocatable_to_cust_transactions($customer_id, $trans_no=null, $typ AND trans.type = alloc.trans_type_to AND alloc.trans_no_from=$trans_no AND alloc.trans_type_from=$type - AND trans.debtor_no=$customer_id", + AND trans.debtor_no=".db_escape($customer_id), "".TB_PREF."cust_allocations as alloc"); } else 
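Review bot: In the first branch of get_allocatable_to_cust_transactions, `alloc.trans_no_from=$trans_no AND alloc.trans_type_from=$type` are still interpolated raw two lines above the `trans.debtor_no` that this hunk escapes, so the statement is only partially protected; `AND alloc.trans_no_from=".db_escape($trans_no)." AND alloc.trans_type_from=".db_escape($type)."` would finish it. In get_allocatable_from_cust_sql, `if ($customer_id != null)` is a loose comparison that also drops the customer filter for `0` and `''`; `$customer_id !== null` is probably what is meant, worth confirming against callers. Both functions begin outside the hunk.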
@@ -164,7 +165,7 @@ function get_allocatable_to_cust_transactions($customer_id, $trans_no=null, $typ AND trans.type != " . systypes::bank_deposit() . " AND trans.type != 11 AND trans.type != 13 - AND trans.debtor_no=$customer_id"); + AND trans.debtor_no=".db_escape($customer_id)); } return db_query($sql." ORDER BY trans_no", "Cannot retreive alloc to transactions"); diff --git a/sales/includes/db/customers_db.inc b/sales/includes/db/customers_db.inc index db0e47af..1670c426 100644 --- a/sales/includes/db/customers_db.inc +++ b/sales/includes/db/customers_db.inc @@ -43,7 +43,7 @@ function get_customer_details($customer_id, $to=null) WHERE ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator AND ".TB_PREF."debtors_master.credit_status = ".TB_PREF."credit_status.id - AND ".TB_PREF."debtors_master.debtor_no = $customer_id + AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($customer_id)." AND ".TB_PREF."debtor_trans.tran_date <= '$todate' AND ".TB_PREF."debtor_trans.type <> 13 AND ".TB_PREF."debtors_master.debtor_no = ".TB_PREF."debtor_trans.debtor_no @@ -74,7 +74,7 @@ function get_customer_details($customer_id, $to=null) WHERE ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator AND ".TB_PREF."debtors_master.credit_status = ".TB_PREF."credit_status.id - AND ".TB_PREF."debtors_master.debtor_no = '$customer_id'"; + AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($customer_id); $result = db_query($sql,"The customer details could not be retrieved"); @@ -100,7 +100,7 @@ function get_customer_details($customer_id, $to=null) function get_customer($customer_id) { - $sql = "SELECT * FROM ".TB_PREF."debtors_master WHERE debtor_no=$customer_id"; + $sql = "SELECT * FROM ".TB_PREF."debtors_master WHERE debtor_no=".db_escape($customer_id); $result = db_query($sql, "could not get customer"); 
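Review bot: get_customer_details still writes `tran_date <= '$todate'` as a raw interpolation on the line after the newly escaped debtor_no; `$todate` is assigned outside the hunk, so if it is not produced by date2sql() from the `$to` parameter it is another unescaped value in the same statement. Either `tran_date <= ".db_escape($todate)."` or a comment at the assignment stating that date2sql() output is the only source would make the trust boundary explicit.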
@@ -109,7 +109,7 @@ function get_customer($customer_id) function get_customer_name($customer_id) { - $sql = "SELECT name FROM ".TB_PREF."debtors_master WHERE debtor_no=$customer_id"; + $sql = "SELECT name FROM ".TB_PREF."debtors_master WHERE debtor_no=".db_escape($customer_id); $result = db_query($sql, "could not get customer"); @@ -120,7 +120,7 @@ function get_customer_name($customer_id) function get_area_name($id) { - $sql = "SELECT description FROM ".TB_PREF."areas WHERE area_code=$id"; + $sql = "SELECT description FROM ".TB_PREF."areas WHERE area_code=".db_escape($id); $result = db_query($sql, "could not get sales type"); @@ -130,7 +130,7 @@ function get_area_name($id) function get_salesman_name($id) { - $sql = "SELECT salesman_name FROM ".TB_PREF."salesman WHERE salesman_code=$id"; + $sql = "SELECT salesman_name FROM ".TB_PREF."salesman WHERE salesman_code=".db_escape($id); $result = db_query($sql, "could not get sales type"); diff --git a/sales/includes/db/sales_order_db.inc b/sales/includes/db/sales_order_db.inc index 3cdceada..dc5ce48b 100644 --- a/sales/includes/db/sales_order_db.inc +++ b/sales/includes/db/sales_order_db.inc @@ -115,10 +115,10 @@ function delete_sales_order($order_no) { begin_transaction(); - $sql = "DELETE FROM ".TB_PREF."sales_orders WHERE order_no=" . $order_no; + $sql = "DELETE FROM ".TB_PREF."sales_orders WHERE order_no=".db_escape($order_no); db_query($sql, "order Header Delete"); - $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =" . $order_no; + $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =".db_escape($order_no); db_query($sql, "order Detail Delete"); commit_transaction(); 
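Review bot: get_area_name and get_salesman_name both fail with `"could not get sales type"`, which reads as copied from the sales-type lookup and will misdirect anyone reading the error log; `"could not get sales area"` and `"could not get salesman"` would match their queries. These single-row lookups all take integer keys, so `(int)$id` at the top of each function is a tighter guard than db_escape(), assuming db_escape() quotes string input (its definition is not in this patch).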
@@ -149,7 +149,7 @@ function update_sales_order($order) begin_transaction(); - $sql = "UPDATE ".TB_PREF."sales_orders SET type =".$order->so_type." , + $sql = "UPDATE ".TB_PREF."sales_orders SET type =".db_escape($order->so_type)." , debtor_no = " . db_escape($order->customer_id) . ", branch_code = " . db_escape($order->Branch) . ", customer_ref = ". db_escape($order->cust_ref) .", @@ -191,8 +191,8 @@ function update_sales_order($order) FROM ".TB_PREF."loc_stock, " .TB_PREF."locations WHERE ".TB_PREF."loc_stock.loc_code=".TB_PREF."locations.loc_code - AND ".TB_PREF."loc_stock.stock_id = '" . $line->stock_id . "' - AND ".TB_PREF."loc_stock.loc_code = '" . $order->Location . "'"; + AND ".TB_PREF."loc_stock.stock_id = ".db_escape($line->stock_id)." + AND ".TB_PREF."loc_stock.loc_code = ".db_escape($order->Location); $res = db_query($sql,"a location could not be retreived"); $loc = db_fetch($res); if ($loc['email'] != "") @@ -279,7 +279,7 @@ function get_sales_order_header($order_no) AND ".TB_PREF."sales_orders.debtor_no = ".TB_PREF."debtors_master.debtor_no AND ".TB_PREF."locations.loc_code = ".TB_PREF."sales_orders.from_stk_loc AND ".TB_PREF."shippers.shipper_id = ".TB_PREF."sales_orders.ship_via - AND ".TB_PREF."sales_orders.order_no = " . $order_no ; + AND ".TB_PREF."sales_orders.order_no = ".db_escape($order_no); $result = db_query($sql, "order Retreival"); $num = db_num_rows($result); @@ -310,7 +310,7 @@ function get_sales_order_details($order_no) { .TB_PREF."stock_master.overhead_cost AS standard_cost FROM ".TB_PREF."sales_order_details, ".TB_PREF."stock_master WHERE ".TB_PREF."sales_order_details.stk_code = ".TB_PREF."stock_master.stock_id - AND order_no =" . $order_no . " ORDER BY id"; + AND order_no =".db_escape($order_no)." ORDER BY id"; return db_query($sql, "Retreive order Line Items"); } 
@@ -365,7 +365,7 @@ function read_sales_order($order_no, &$order) function sales_order_has_deliveries($order_no) { $sql = "SELECT SUM(qty_sent) FROM ".TB_PREF. - "sales_order_details WHERE order_no=$order_no"; + "sales_order_details WHERE order_no=".db_escape($order_no); $result = db_query($sql, "could not query for sales order usage"); @@ -380,7 +380,7 @@ function close_sales_order($order_no) { // set the quantity of each item to the already sent quantity. this will mark item as closed. $sql = "UPDATE ".TB_PREF."sales_order_details - SET quantity = qty_sent WHERE order_no = $order_no"; + SET quantity = qty_sent WHERE order_no = ".db_escape($order_no); db_query($sql, "The sales order detail record could not be updated"); } @@ -395,7 +395,7 @@ function get_invoice_duedate($debtorno, $invdate) } $sql = "SELECT ".TB_PREF."debtors_master.debtor_no, ".TB_PREF."debtors_master.payment_terms, ".TB_PREF."payment_terms.* FROM ".TB_PREF."debtors_master, ".TB_PREF."payment_terms WHERE ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator AND - ".TB_PREF."debtors_master.debtor_no = '$debtorno'"; + ".TB_PREF."debtors_master.debtor_no = ".db_escape($debtorno); $result = db_query($sql,"The customer details could not be retrieved"); $myrow = db_fetch($result); @@ -430,7 +430,7 @@ function get_customer_to_order($customer_id) { WHERE ".TB_PREF."debtors_master.sales_type=" .TB_PREF."sales_types.id AND ".TB_PREF."debtors_master.credit_status=".TB_PREF."credit_status.id - AND ".TB_PREF."debtors_master.debtor_no = '" . $customer_id . "'"; + AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($customer_id); $result =db_query($sql,"Customer Record Retreive"); return db_fetch($result); 
@@ -452,8 +452,8 @@ function get_branch_to_order($customer_id, $branch_id) { .TB_PREF."locations WHERE ".TB_PREF."cust_branch.tax_group_id = ".TB_PREF."tax_groups.id AND ".TB_PREF."locations.loc_code=default_location - AND ".TB_PREF."cust_branch.branch_code='" . $branch_id . "' - AND ".TB_PREF."cust_branch.debtor_no = '" . $customer_id . "'"; + AND ".TB_PREF."cust_branch.branch_code=".db_escape($branch_id)." + AND ".TB_PREF."cust_branch.debtor_no = ".db_escape($customer_id); return db_query($sql,"Customer Branch Record Retreive"); } diff --git a/sales/includes/db/sales_points_db.inc b/sales/includes/db/sales_points_db.inc index 9feae5aa..55e579ef 100644 --- a/sales/includes/db/sales_points_db.inc +++ b/sales/includes/db/sales_points_db.inc @@ -25,7 +25,7 @@ function update_sales_point($id, $name, $location, $account, $cash, $credit) .",pos_account=".db_escape($account) .",cash_sale =$cash" .",credit_sale =$credit" - ." WHERE id = $id"; + ." WHERE id = ".db_escape($id); db_query($sql, "could not update sales type"); } @@ -46,7 +46,7 @@ function get_sales_point($id) .TB_PREF."sales_pos as pos LEFT JOIN ".TB_PREF."locations as loc on pos.pos_location=loc.loc_code LEFT JOIN ".TB_PREF."bank_accounts as acc on pos.pos_account=acc.id - WHERE pos.id='$id'"; + WHERE pos.id=".db_escape($id); $result = db_query($sql, "could not get POS definition"); @@ -55,7 +55,7 @@ function get_sales_point($id) function get_sales_point_name($id) { - $sql = "SELECT pos_name FROM ".TB_PREF."sales_pos WHERE id=$id"; + $sql = "SELECT pos_name FROM ".TB_PREF."sales_pos WHERE id=".db_escape($id); $result = db_query($sql, "could not get POS name"); @@ -65,7 +65,7 @@ function get_sales_point_name($id) function delete_sales_point($id) { - $sql="DELETE FROM ".TB_PREF."sales_pos WHERE id=$id"; + $sql="DELETE FROM ".TB_PREF."sales_pos WHERE id=".db_escape($id); db_query($sql,"The point of sale record could not be deleted"); } 
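Review bot: In update_sales_point, `cash_sale =$cash` and `credit_sale =$credit` remain raw interpolations immediately above the `WHERE id` that this hunk escapes, so the UPDATE is only partly covered; `.",cash_sale =".db_escape($cash)` and `.",credit_sale =".db_escape($credit)` would match the pos_account line just above them. The assignment starts outside the hunk, so the earlier columns could not be checked here.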
diff --git a/sales/includes/db/sales_types_db.inc b/sales/includes/db/sales_types_db.inc index f5237476..3c40ba63 100644 --- a/sales/includes/db/sales_types_db.inc +++ b/sales/includes/db/sales_types_db.inc @@ -11,7 +11,8 @@ ***********************************************************************/ function add_sales_type($name, $tax_included, $factor) { - $sql = "INSERT INTO ".TB_PREF."sales_types (sales_type,tax_included,factor) VALUES (".db_escape($name).",'$tax_included',$factor)"; + $sql = "INSERT INTO ".TB_PREF."sales_types (sales_type,tax_included,factor) VALUES (".db_escape($name)."," + .db_escape($tax_included).",".db_escape($factor).")"; db_query($sql, "could not add sales type"); } @@ -19,7 +20,7 @@ function update_sales_type($id, $name, $tax_included, $factor) { $sql = "UPDATE ".TB_PREF."sales_types SET sales_type = ".db_escape($name).", - tax_included =$tax_included, factor=$factor WHERE id = $id"; + tax_included =".db_escape($tax_included).", factor=".db_escape($factor)." WHERE id = ".db_escape($id); db_query($sql, "could not update sales type"); } @@ -33,7 +34,7 @@ function get_all_sales_types() function get_sales_type($id) { - $sql = "SELECT * FROM ".TB_PREF."sales_types WHERE id=$id"; + $sql = "SELECT * FROM ".TB_PREF."sales_types WHERE id=".db_escape($id); $result = db_query($sql, "could not get sales type"); @@ -42,7 +43,7 @@ function get_sales_type($id) function get_sales_type_name($id) { - $sql = "SELECT sales_type FROM ".TB_PREF."sales_types WHERE id=$id"; + $sql = "SELECT sales_type FROM ".TB_PREF."sales_types WHERE id=".db_escape($id); $result = db_query($sql, "could not get sales type"); 
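Review bot: add_sales_type and update_sales_type now pass `$tax_included` and `$factor` through db_escape(); if db_escape() quotes string input (its definition is not in this patch), values arriving as strings from a form become quoted literals for numeric columns, and MySQL will silently coerce a non-numeric value to 0 rather than reject it. For numeric fields a cast at the boundary states the contract more precisely, e.g. `$factor = (float)$factor;` and `$tax_included = (int)$tax_included;` before the statement is built, keeping db_escape() for sales_type. The same consideration applies to the exempt and id values in item_tax_types_db.inc later in this patch.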
@@ -52,10 +53,10 @@ function get_sales_type_name($id) function delete_sales_type($id) { - $sql="DELETE FROM ".TB_PREF."sales_types WHERE id=$id"; + $sql="DELETE FROM ".TB_PREF."sales_types WHERE id=".db_escape($id); db_query($sql,"The Sales type record could not be deleted"); - $sql ="DELETE FROM ".TB_PREF."prices WHERE sales_type_id='$id'"; + $sql ="DELETE FROM ".TB_PREF."prices WHERE sales_type_id=".db_escape($id); db_query($sql,"The Sales type prices could not be deleted"); } diff --git a/sales/includes/sales_db.inc b/sales/includes/sales_db.inc index 4a746940..fed326ea 100644 --- a/sales/includes/sales_db.inc +++ b/sales/includes/sales_db.inc @@ -70,9 +70,9 @@ function get_price ($stock_id, $currency, $sales_type_id, $factor=null, $date=nu $sql = "SELECT price FROM ".TB_PREF."prices - WHERE stock_id = '" . $stock_id . "' " - ." AND sales_type_id = " . $sales_type_id - ." AND curr_abrev = '$currency'"; + WHERE stock_id = ".db_escape($stock_id) + ." AND sales_type_id = ".db_escape($sales_type_id) + ." AND curr_abrev = ".db_escape($currency); $msg = "There was a problem retrieving the pricing information for the part $stock_id for customer"; $result = db_query($sql, $msg); @@ -93,11 +93,11 @@ function get_price ($stock_id, $currency, $sales_type_id, $factor=null, $date=nu // alternative is make up to 2 additional sql queries $sql = "SELECT price, curr_abrev, sales_type_id FROM ".TB_PREF."prices - WHERE stock_id = '" . $stock_id . "' " - ." AND (sales_type_id = " . $sales_type_id - ." OR sales_type_id = " . $base_id.")" - ." AND (curr_abrev = '$currency'" - ." OR curr_abrev = '$home_curr')"; + WHERE stock_id = ".db_escape($stock_id) + ." AND (sales_type_id = ".db_escape($sales_type_id) + ." OR sales_type_id = ".db_escape($base_id).")" + ." AND (curr_abrev = ".db_escape($currency) + ." OR curr_abrev = ".db_escape($home_curr).")"; $result = db_query($sql, $msg); 
@@ -174,7 +174,7 @@ function set_document_parent($cart) $del_no = reset(array_keys($cart->src_docs)); $sql = 'UPDATE '.TB_PREF.'debtor_trans SET trans_link = ' . $del_no . - ' WHERE type='.$cart->trans_type.' AND trans_no='. $inv_no ; + ' WHERE type=".db_escape($cart->trans_type)." AND trans_no='. $inv_no ; db_query($sql, 'Child document link cannot be updated'); } @@ -222,11 +222,11 @@ function update_parent_line($doc_type, $line_id, $qty_dispatched) if ($doc_type==30) $sql = "UPDATE ".TB_PREF."sales_order_details SET qty_sent = qty_sent + $qty_dispatched - WHERE id=$line_id"; + WHERE id=".db_escape($line_id); else $sql = "UPDATE ".TB_PREF."debtor_trans_details SET qty_done = qty_done + $qty_dispatched - WHERE id=$line_id"; + WHERE id=".db_escape($line_id); } db_query($sql, "The parent document detail record could not be updated"); return true; @@ -239,7 +239,7 @@ function get_location(&$cart) { $sql = "SELECT ".TB_PREF."locations.* FROM ".TB_PREF."stock_moves," .TB_PREF."locations". - " WHERE type=".$cart->trans_type. + " WHERE type=".db_escape($cart->trans_type). " AND trans_no=".key($cart->trans_no). " AND qty!=0 ". " AND ".TB_PREF."locations.loc_code=".TB_PREF."stock_moves.loc_code"; diff --git a/sales/inquiry/customer_allocation_inquiry.php b/sales/inquiry/customer_allocation_inquiry.php index 325d848f..e0567644 100644 --- a/sales/inquiry/customer_allocation_inquiry.php +++ b/sales/inquiry/customer_allocation_inquiry.php @@ -159,7 +159,7 @@ function fmt_credit($row) AND trans.tran_date <= '$date_to'"; if ($_POST['customer_id'] != reserved_words::get_all()) - $sql .= " AND trans.debtor_no = '" . $_POST['customer_id'] . "'"; + $sql .= " AND trans.debtor_no = ".db_escape($_POST['customer_id']); if (isset($_POST['filterType']) && $_POST['filterType'] != reserved_words::get_all()) { diff --git a/sales/inquiry/customer_inquiry.php b/sales/inquiry/customer_inquiry.php index 85a8d70d..f4491e08 100644 --- a/sales/inquiry/customer_inquiry.php 
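Review bot: In set_document_parent the new line sits inside a single-quoted string, so `' WHERE type=".db_escape($cart->trans_type)." AND trans_no='. $inv_no` sends the literal characters `".db_escape($cart->trans_type)."` to MySQL: the escape never runs and the UPDATE becomes a syntax error. It should read `' WHERE type='.db_escape($cart->trans_type).' AND trans_no='.db_escape($inv_no);`, and `$del_no` in `SET trans_link = ' . $del_no .` deserves the same treatment. In update_parent_line `$qty_dispatched` is still interpolated raw into both UPDATEs, and in get_location `key($cart->trans_no)` is too; set_document_parent and get_location begin outside the hunk.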
+++ b/sales/inquiry/customer_inquiry.php @@ -230,7 +230,7 @@ function check_overdue($row) AND trans.branch_code = branch.branch_code"; if ($_POST['customer_id'] != reserved_words::get_all()) - $sql .= " AND trans.debtor_no = '" . $_POST['customer_id'] . "'"; + $sql .= " AND trans.debtor_no = ".db_escape($_POST['customer_id']); if ($_POST['filterType'] != reserved_words::get_all()) { diff --git a/sales/inquiry/sales_deliveries_view.php b/sales/inquiry/sales_deliveries_view.php index 4ea1a824..0004d191 100644 --- a/sales/inquiry/sales_deliveries_view.php +++ b/sales/inquiry/sales_deliveries_view.php @@ -204,7 +204,8 @@ if ($_POST['OutstandingOnly'] == true) { //figure out the sql required from the inputs available if (isset($_POST['DeliveryNumber']) && $_POST['DeliveryNumber'] != "") { - $sql .= " AND trans.trans_no LIKE '%". $_POST['DeliveryNumber'] ."'"; + $delivery = "%".$_POST['DeliveryNumber']; + $sql .= " AND trans.trans_no LIKE ".db_escape($delivery); $sql .= " GROUP BY trans.trans_no"; } else @@ -213,13 +214,13 @@ else $sql .= " AND trans.tran_date <= '".date2sql($_POST['DeliveryToDate'])."'"; if ($selected_customer != -1) - $sql .= " AND trans.debtor_no='" . $selected_customer . "' "; + $sql .= " AND trans.debtor_no=".db_escape($selected_customer)." "; if (isset($selected_stock_item)) - $sql .= " AND line.stock_id='". $selected_stock_item ."' "; + $sql .= " AND line.stock_id=".db_escape($selected_stock_item)." "; if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != reserved_words::get_all()) - $sql .= " AND sorder.from_stk_loc = '". $_POST['StockLocation'] . "' "; + $sql .= " AND sorder.from_stk_loc = ".db_escape($_POST['StockLocation'])." "; $sql .= " GROUP BY trans.trans_no "; diff --git a/sales/inquiry/sales_orders_view.php b/sales/inquiry/sales_orders_view.php index a9741fa2..9a49fe51 100644 --- a/sales/inquiry/sales_orders_view.php +++ b/sales/inquiry/sales_orders_view.php 
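Review bot: In sales_deliveries_view.php the LIKE operand is escaped but its wildcards are not: `%` and `_` typed by the user pass through db_escape() unchanged into `LIKE ".db_escape($delivery)`, so a lone `%` turns the suffix search into a full listing. Escaping them in the user-supplied part first, `$delivery = "%".addcslashes($_POST['DeliveryNumber'], '%_');` (MySQL reads `\%` and `\_` as literals under the default escape character), keeps the query a suffix match. The OrderNumber hunk in sales_orders_view.php on the next line has the same issue.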
@@ -221,8 +221,9 @@ $sql = "SELECT if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "") { - // search orders with number like ... - $sql .= " AND sorder.order_no LIKE '%". $_POST['OrderNumber'] ."'" + // search orders with number like + $number_like = "%".$_POST['OrderNumber']; + $sql .= " AND sorder.order_no LIKE ".db_escape($number_like) ." GROUP BY sorder.order_no"; } else // ... or select inquiry constraints @@ -236,13 +237,13 @@ else // ... or select inquiry constraints ." AND sorder.ord_date <= '$date_before'"; } if ($selected_customer != -1) - $sql .= " AND sorder.debtor_no='" . $selected_customer . "'"; + $sql .= " AND sorder.debtor_no=".db_escape($selected_customer); if (isset($selected_stock_item)) - $sql .= " AND line.stk_code='". $selected_stock_item ."'"; + $sql .= " AND line.stk_code=".db_escape($selected_stock_item); if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != reserved_words::get_all()) - $sql .= " AND sorder.from_stk_loc = '". $_POST['StockLocation'] . "' "; + $sql .= " AND sorder.from_stk_loc = ".db_escape($_POST['StockLocation'])." "; if ($_POST['order_view_mode']=='OutstandingOnly') $sql .= " AND line.qty_sent < line.quantity"; diff --git a/sales/manage/credit_status.php b/sales/manage/credit_status.php index 8d9400cc..998da84b 100644 --- a/sales/manage/credit_status.php +++ b/sales/manage/credit_status.php @@ -59,7 +59,7 @@ if ($Mode=='UPDATE_ITEM' && can_process()) function can_delete($selected_id) { $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtors_master - WHERE credit_status=$selected_id"; + WHERE credit_status=".db_escape($selected_id); $result = db_query($sql, "could not query customers"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) diff --git a/sales/manage/customer_branches.php b/sales/manage/customer_branches.php index 85eb72bb..55c5a0a5 100644 --- a/sales/manage/customer_branches.php +++ b/sales/manage/customer_branches.php 
@@ -136,7 +136,7 @@ elseif ($Mode == 'Delete') // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtor_trans' - $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no = '" . $_POST['customer_id']. "'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no = ".db_escape($_POST['customer_id']); $result = db_query($sql,"could not query debtortrans"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -146,7 +146,7 @@ elseif ($Mode == 'Delete') } else { - $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no = '" . $_POST['customer_id']. "'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no = ".db_escape($_POST['customer_id']); $result = db_query($sql,"could not query sales orders"); $myrow = db_fetch_row($result); @@ -156,7 +156,7 @@ elseif ($Mode == 'Delete') } else { - $sql="DELETE FROM ".TB_PREF."cust_branch WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no='" . $_POST['customer_id']. "'"; + $sql="DELETE FROM ".TB_PREF."cust_branch WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no=".db_escape($_POST['customer_id']); db_query($sql,"could not delete branch"); display_notification(_('Selected customer branch has been deleted')); } @@ -189,7 +189,7 @@ if ($num_branches) AND ".TB_PREF."cust_branch.tax_group_id=".TB_PREF."tax_groups.id AND ".TB_PREF."cust_branch.area=".TB_PREF."areas.area_code AND ".TB_PREF."cust_branch.salesman=".TB_PREF."salesman.salesman_code - AND ".TB_PREF."cust_branch.debtor_no = '" . $_POST['customer_id']. "'"; + AND ".TB_PREF."cust_branch.debtor_no = ".db_escape($_POST['customer_id']); $result = db_query($sql,"could not get customer branches"); 
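Review bot: customer_branches.php repeats `db_escape($_POST['branch_code'])` and `db_escape($_POST['customer_id'])` in all three statements of the Delete branch, and again in the @@ -234 and @@ -264 hunks on the next line; escaping once at the top of the branch, `$branch = db_escape($_POST['branch_code']); $customer = db_escape($_POST['customer_id']);`, and using the two variables makes the three predicates visibly identical and leaves a single place where the untrusted values enter. The enclosing if/elseif chain starts outside the hunk.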
@@ -234,8 +234,8 @@ if ($selected_id != -1) //editing an existing branch $sql = "SELECT * FROM ".TB_PREF."cust_branch - WHERE branch_code='" . $_POST['branch_code'] . "' - AND debtor_no='" . $_POST['customer_id'] . "'"; + WHERE branch_code=".db_escape($_POST['branch_code'])." + AND debtor_no=".db_escape($_POST['customer_id']); $result = db_query($sql,"check failed"); $myrow = db_fetch($result); set_focus('br_name'); @@ -264,7 +264,7 @@ elseif ($Mode != 'ADD_ITEM') { //end of if $SelectedBranch only do the else when a new record is being entered if(!$num_branches) { $sql = "SELECT name, address, email - FROM ".TB_PREF."debtors_master WHERE debtor_no = '" . $_POST['customer_id']. "'"; + FROM ".TB_PREF."debtors_master WHERE debtor_no = ".db_escape($_POST['customer_id']); $result = db_query($sql,"check failed"); $myrow = db_fetch($result); $_POST['br_name'] = $myrow["name"]; diff --git a/sales/manage/customers.php b/sales/manage/customers.php index d1f358ec..bb18cdd0 100644 --- a/sales/manage/customers.php +++ b/sales/manage/customers.php @@ -84,7 +84,7 @@ function handle_submit() pymt_discount=" . input_num('pymt_discount') / 100 . ", credit_limit=" . input_num('credit_limit') . ", sales_type = ".db_escape($_POST['sales_type']) . " - WHERE debtor_no = '". $_POST['customer_id'] . "'"; + WHERE debtor_no = ".db_escape($_POST['customer_id']); db_query($sql,"The customer could not be updated"); display_notification(_("Customer has been updated.")); diff --git a/sales/manage/recurrent_invoices.php b/sales/manage/recurrent_invoices.php index eace174d..9b35aea7 100644 --- a/sales/manage/recurrent_invoices.php +++ b/sales/manage/recurrent_invoices.php @@ -49,7 +49,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') monthly=".input_num('monthly', 0).", begin='".date2sql($_POST['begin'])."', end='".date2sql($_POST['end'])."' - WHERE id = '$selected_id'"; + WHERE id = ".db_escape($selected_id); $note = _('Selected recurrent invoice has been updated'); } else 
@@ -75,7 +75,7 @@ if ($Mode == 'Delete') if ($cancel_delete == 0) { - $sql="DELETE FROM ".TB_PREF."recurrent_invoices WHERE id='" . $selected_id . "'"; + $sql="DELETE FROM ".TB_PREF."recurrent_invoices WHERE id=".db_escape($selected_id); db_query($sql,"could not delete recurrent invoice"); display_notification(_('Selected recurrent invoice has been deleted')); @@ -91,7 +91,7 @@ if ($Mode == 'RESET') //------------------------------------------------------------------------------------------------- function get_sales_group_name($group_no) { - $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = $group_no"; + $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = ".db_escape($group_no); $result = db_query($sql, "could not get group"); $row = db_fetch($result); return $row[0]; @@ -149,7 +149,7 @@ if ($selected_id != -1) { if ($Mode == 'Edit') { //editing an existing area - $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id='$selected_id'"; + $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id=".db_escape($selected_id); $result = db_query($sql,"could not get recurrent invoice"); $myrow = db_fetch($result); diff --git a/sales/manage/sales_areas.php b/sales/manage/sales_areas.php index c7baeee5..e5b06a14 100644 --- a/sales/manage/sales_areas.php +++ b/sales/manage/sales_areas.php @@ -35,7 +35,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') { if ($selected_id != -1) { - $sql = "UPDATE ".TB_PREF."areas SET description=".db_escape($_POST['description'])." WHERE area_code = '$selected_id'"; + $sql = "UPDATE ".TB_PREF."areas SET description=".db_escape($_POST['description'])." WHERE area_code = ".db_escape($selected_id); $note = _('Selected sales area has been updated'); } else 
@@ -57,7 +57,7 @@ if ($Mode == 'Delete') // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtors_master' - $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE area='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE area=".db_escape($selected_id); $result = db_query($sql,"check failed"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -67,7 +67,7 @@ if ($Mode == 'Delete') } if ($cancel_delete == 0) { - $sql="DELETE FROM ".TB_PREF."areas WHERE area_code='" . $selected_id . "'"; + $sql="DELETE FROM ".TB_PREF."areas WHERE area_code=".db_escape($selected_id); db_query($sql,"could not delete sales area"); display_notification(_('Selected sales area has been deleted')); @@ -117,7 +117,7 @@ if ($selected_id != -1) { if ($Mode == 'Edit') { //editing an existing area - $sql = "SELECT * FROM ".TB_PREF."areas WHERE area_code='$selected_id'"; + $sql = "SELECT * FROM ".TB_PREF."areas WHERE area_code=".db_escape($selected_id); $result = db_query($sql,"could not get area"); $myrow = db_fetch($result); diff --git a/sales/manage/sales_groups.php b/sales/manage/sales_groups.php index 0fb676c6..2fce1a9b 100644 --- a/sales/manage/sales_groups.php +++ b/sales/manage/sales_groups.php @@ -35,7 +35,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') { if ($selected_id != -1) { - $sql = "UPDATE ".TB_PREF."groups SET description=".db_escape($_POST['description'])." WHERE id = '$selected_id'"; + $sql = "UPDATE ".TB_PREF."groups SET description=".db_escape($_POST['description'])." WHERE id = ".db_escape($selected_id); $note = _('Selected sales group has been updated'); } else @@ -57,7 +57,7 @@ if ($Mode == 'Delete') // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtors_master' - $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE group_no='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE group_no=".db_escape($selected_id); $result = db_query($sql,"check failed"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) 
@@ -67,7 +67,7 @@ if ($Mode == 'Delete') } if ($cancel_delete == 0) { - $sql="DELETE FROM ".TB_PREF."groups WHERE id='" . $selected_id . "'"; + $sql="DELETE FROM ".TB_PREF."groups WHERE id=".db_escape($selected_id); db_query($sql,"could not delete sales group"); display_notification(_('Selected sales group has been deleted')); @@ -117,7 +117,7 @@ if ($selected_id != -1) { if ($Mode == 'Edit') { //editing an existing area - $sql = "SELECT * FROM ".TB_PREF."groups WHERE id='$selected_id'"; + $sql = "SELECT * FROM ".TB_PREF."groups WHERE id=".db_escape($selected_id); $result = db_query($sql,"could not get group"); $myrow = db_fetch($result); diff --git a/sales/manage/sales_people.php b/sales/manage/sales_people.php index 04e1948d..731c5522 100644 --- a/sales/manage/sales_people.php +++ b/sales/manage/sales_people.php @@ -56,7 +56,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') provision=".input_num('provision').", break_pt=".input_num('break_pt').", provision2=".input_num('provision2')." - WHERE salesman_code = '$selected_id'"; + WHERE salesman_code = ".db_escape($selected_id); } else { @@ -86,7 +86,7 @@ if ($Mode == 'Delete') // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtors_master' - $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE salesman='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE salesman=".db_escape($selected_id); $result = db_query($sql,"check failed"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -95,7 +95,7 @@ if ($Mode == 'Delete') } else { - $sql="DELETE FROM ".TB_PREF."salesman WHERE salesman_code='$selected_id'"; + $sql="DELETE FROM ".TB_PREF."salesman WHERE salesman_code=".db_escape($selected_id); db_query($sql,"The sales-person could not be deleted"); display_notification(_('Selected sales person data have been deleted')); } 
@@ -151,7 +151,7 @@ if ($selected_id != -1) { if ($Mode == 'Edit') { //editing an existing Sales-person - $sql = "SELECT * FROM ".TB_PREF."salesman WHERE salesman_code='$selected_id'"; + $sql = "SELECT * FROM ".TB_PREF."salesman WHERE salesman_code=".db_escape($selected_id); $result = db_query($sql,"could not get sales person"); $myrow = db_fetch($result); diff --git a/sales/manage/sales_types.php b/sales/manage/sales_types.php index 1c4071bf..7e795e89 100644 --- a/sales/manage/sales_types.php +++ b/sales/manage/sales_types.php @@ -66,7 +66,7 @@ if ($Mode == 'Delete') { // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtor_trans' - $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE tpe='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE tpe=".db_escape($selected_id); $result = db_query($sql,"check failed"); check_db_error("The number of transactions using this Sales type record could not be retrieved", $sql); @@ -79,7 +79,7 @@ if ($Mode == 'Delete') else { - $sql = "SELECT COUNT(*) FROM ".TB_PREF."debtors_master WHERE sales_type='$selected_id'"; + $sql = "SELECT COUNT(*) FROM ".TB_PREF."debtors_master WHERE sales_type=".db_escape($selected_id); $result = db_query($sql,"check failed"); check_db_error("The number of customers using this Sales type record could not be retrieved", $sql); diff --git a/sales/view/view_sales_order.php b/sales/view/view_sales_order.php index 77d41175..524c7ad6 100644 --- a/sales/view/view_sales_order.php +++ b/sales/view/view_sales_order.php @@ -77,7 +77,7 @@ display_heading2(_("Delivery Notes")); $th = array(_("#"), _("Ref"), _("Date"), _("Total")); table_header($th); -$sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=13 AND order_=" . $_GET['trans_no']; +$sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=13 AND order_=".db_escape($_GET['trans_no']); $result = db_query($sql,"The related delivery notes could not be retreived"); $delivery_total = 0; 
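Review bot: The sales_types.php delete guard queries `debtor_trans WHERE tpe=`, while every other statement in this patch addresses that table's column as `type` (`debtor_trans.type` in cust_trans_db.inc, `WHERE type=13` in view_sales_order.php), so unless debtor_trans really has a `tpe` column this dependent-record check fails on the column name and never counts anything before the delete. Suggested, after confirming against the schema: `$sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE type=".db_escape($selected_id);`. The surrounding Delete branch starts outside the hunk.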
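Review bot: view_sales_order.php escapes `$_GET['trans_no']` separately in each of its three debtor_trans queries (this hunk and the @@ -110 and @@ -142 hunks on the next line); reading it once near the top of the script, `$order_no = (int)$_GET['trans_no'];` (or db_escape() if the value may legitimately be non-numeric), and reusing `$order_no` keeps the three statements in step and makes the single point where request input enters the SQL easy to audit.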
@@ -110,7 +110,7 @@ display_heading2(_("Sales Invoices"));
 $th = array(_("#"), _("Ref"), _("Date"), _("Total"));
 table_header($th);
-$sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=10 AND order_=" . $_GET['trans_no'];
+$sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=10 AND order_=".db_escape($_GET['trans_no']);
 $result = db_query($sql,"The related invoices could not be retreived");
 $invoices_total = 0;
@@ -142,7 +142,7 @@ start_table($table_style);
 $th = array(_("#"), _("Ref"), _("Date"), _("Total"));
 table_header($th);
-$sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=11 AND order_=" . $_GET['trans_no'];
+$sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=11 AND order_=".db_escape($_GET['trans_no']);
 $result = db_query($sql,"The related credit notes could not be retreived");
 $credits_total = 0;
diff --git a/taxes/db/item_tax_types_db.inc b/taxes/db/item_tax_types_db.inc
index 3a99f9ba..7e034e4b 100644
--- a/taxes/db/item_tax_types_db.inc
+++ b/taxes/db/item_tax_types_db.inc
@@ -14,7 +14,7 @@ function add_item_tax_type($name, $exempt, $exempt_from)
 begin_transaction();
 $sql = "INSERT INTO ".TB_PREF."item_tax_types (name, exempt)
- VALUES (".db_escape($name).",$exempt)";
+ VALUES (".db_escape($name).",".db_escape($exempt).")";
 db_query($sql, "could not add item tax type");
@@ -31,7 +31,7 @@ function update_item_tax_type($id, $name, $exempt, $exempt_from)
 begin_transaction();
 $sql = "UPDATE ".TB_PREF."item_tax_types SET name=".db_escape($name).
- ", exempt=$exempt WHERE id=$id";
+ ", exempt=".db_escape($exempt)." WHERE id=".db_escape($id);
 db_query($sql, "could not update item tax type");
@@ -51,7 +51,7 @@ function get_all_item_tax_types()
 function get_item_tax_type($id)
 {
- $sql = "SELECT * FROM ".TB_PREF."item_tax_types WHERE id=$id";
+ $sql = "SELECT * FROM ".TB_PREF."item_tax_types WHERE id=".db_escape($id);
 $result = db_query($sql, "could not get item tax type");
@@ -60,7 +60,8 @@ function get_item_tax_type($id)
 function get_item_tax_type_for_item($stock_id)
 {
- $sql = "SELECT ".TB_PREF."item_tax_types.* FROM ".TB_PREF."item_tax_types,".TB_PREF."stock_master WHERE ".TB_PREF."stock_master.stock_id='$stock_id'
+ $sql = "SELECT ".TB_PREF."item_tax_types.* FROM ".TB_PREF."item_tax_types,".TB_PREF."stock_master WHERE
+ ".TB_PREF."stock_master.stock_id=".db_escape($stock_id)."
 AND ".TB_PREF."item_tax_types.id=".TB_PREF."stock_master.tax_type_id";
 $result = db_query($sql, "could not get item tax type");
@@ -72,7 +73,7 @@ function delete_item_tax_type($id)
 {
 begin_transaction();
- $sql = "DELETE FROM ".TB_PREF."item_tax_types WHERE id=$id";
+ $sql = "DELETE FROM ".TB_PREF."item_tax_types WHERE id=".db_escape($id);
 db_query($sql, "could not delete item tax type");
 // also delete all exemptions
@@ -86,21 +87,21 @@ function add_item_tax_type_exemptions($id, $exemptions)
 for ($i = 0; $i < count($exemptions); $i++)
 {
 $sql = "INSERT INTO ".TB_PREF."item_tax_type_exemptions (item_tax_type_id, tax_type_id)
- VALUES ($id, " . $exemptions[$i] . ")";
+ VALUES (".db_escape($id).", ".db_escape($exemptions[$i]).")";
 db_query($sql, "could not add item tax type exemptions");
 }
 }
 function delete_item_tax_type_exemptions($id)
 {
- $sql = "DELETE FROM ".TB_PREF."item_tax_type_exemptions WHERE item_tax_type_id=$id";
+ $sql = "DELETE FROM ".TB_PREF."item_tax_type_exemptions WHERE item_tax_type_id=".db_escape($id);
 db_query($sql, "could not delete item tax type exemptions");
 }
 function get_item_tax_type_exemptions($id)
 {
- $sql = "SELECT * FROM ".TB_PREF."item_tax_type_exemptions WHERE item_tax_type_id=$id";
+ $sql = "SELECT * FROM ".TB_PREF."item_tax_type_exemptions WHERE item_tax_type_id=".db_escape($id);
 return db_query($sql, "could not get item tax type exemptions");
 }
diff --git a/taxes/db/tax_groups_db.inc b/taxes/db/tax_groups_db.inc
index 5abe4333..2c0b6b02 100644
--- a/taxes/db/tax_groups_db.inc
+++ b/taxes/db/tax_groups_db.inc
@@ -21,7 +21,7 @@ function add_tax_group($name, $tax_shipping, $taxes, $rates)
 if($tax_shipping) // only one tax group for shipping
 clear_shipping_tax_group();
- $sql = "INSERT INTO ".TB_PREF."tax_groups (name, tax_shipping) VALUES (".db_escape($name).", $tax_shipping)";
+ $sql = "INSERT INTO ".TB_PREF."tax_groups (name, tax_shipping) VALUES (".db_escape($name).", ".db_escape($tax_shipping).")";
 db_query($sql, "could not add tax group");
 $id = db_insert_id();
@@ -38,7 +38,7 @@ function update_tax_group($id, $name, $tax_shipping, $taxes, $rates)
 if($tax_shipping) // only one tax group for shipping
 clear_shipping_tax_group();
- $sql = "UPDATE ".TB_PREF."tax_groups SET name=".db_escape($name).",tax_shipping=$tax_shipping WHERE id=$id";
+ $sql = "UPDATE ".TB_PREF."tax_groups SET name=".db_escape($name).",tax_shipping=".db_escape($tax_shipping)." WHERE id=".db_escape($id);
 db_query($sql, "could not update tax group");
 delete_tax_group_items($id);
@@ -56,7 +56,7 @@ function get_all_tax_groups()
 function get_tax_group($type_id)
 {
- $sql = "SELECT * FROM ".TB_PREF."tax_groups WHERE id=$type_id";
+ $sql = "SELECT * FROM ".TB_PREF."tax_groups WHERE id=".db_escape($type_id);
 $result = db_query($sql, "could not get tax group");
@@ -67,7 +67,7 @@ function delete_tax_group($id)
 {
 begin_transaction();
- $sql = "DELETE FROM ".TB_PREF."tax_groups WHERE id=$id";
+ $sql = "DELETE FROM ".TB_PREF."tax_groups WHERE id=".db_escape($id);
 db_query($sql, "could not delete tax group");
@@ -81,14 +81,14 @@ function add_tax_group_items($id, $items, $rates)
 for ($i=0; $i < count($items); $i++)
 {
 $sql = "INSERT INTO ".TB_PREF."tax_group_items (tax_group_id, tax_type_id, rate)
- VALUES ($id, " . $items[$i] . ", " . $rates[$i] .")";
+ VALUES (".db_escape($id).", ".db_escape($items[$i]).", " . $rates[$i] .")";
 db_query($sql, "could not add item tax group item");
 }
 }
 function delete_tax_group_items($id)
 {
- $sql = "DELETE FROM ".TB_PREF."tax_group_items WHERE tax_group_id=$id";
+ $sql = "DELETE FROM ".TB_PREF."tax_group_items WHERE tax_group_id=".db_escape($id);
 db_query($sql, "could not delete item tax group items");
 }
@@ -98,7 +98,7 @@ function get_tax_group_items($id)
 $sql = "SELECT ".TB_PREF."tax_group_items.*, ".TB_PREF."tax_types.name AS tax_type_name,
 ".TB_PREF."tax_types.sales_gl_code, ".TB_PREF."tax_types.purchasing_gl_code
 FROM ".TB_PREF."tax_group_items, ".TB_PREF."tax_types
- WHERE tax_group_id=$id
+ WHERE tax_group_id=".db_escape($id)."
 AND ".TB_PREF."tax_types.id=tax_type_id";
 return db_query($sql, "could not get item tax type group items");
diff --git a/taxes/db/tax_types_db.inc b/taxes/db/tax_types_db.inc
index 672a4e36..71096f32 100644
--- a/taxes/db/tax_types_db.inc
+++ b/taxes/db/tax_types_db.inc
@@ -24,7 +24,7 @@ function update_tax_type($type_id, $name, $sales_gl_code, $purchasing_gl_code, $
 sales_gl_code=".db_escape($sales_gl_code).",
 purchasing_gl_code=".db_escape($purchasing_gl_code).",
 rate=$rate
- WHERE id=$type_id";
+ WHERE id=".db_escape($type_id);
 db_query($sql, "could not update tax type");
 }
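Review bot: `$rates[$i]` is still concatenated raw into the INSERT in add_tax_group_items (the new `VALUES (".db_escape($id).", ".db_escape($items[$i]).", " . $rates[$i] .")"` line), and the @@ -24 hunk of taxes/db/tax_types_db.inc on this same physical line leaves `rate=$rate` interpolated in update_tax_type while escaping only the id, so both functions still carry one unescaped value after a commit whose purpose is to remove them. Change the first to `", ".db_escape($rates[$i]).")";` and the second to `rate=".db_escape($rate)."` so the rate goes through the same path as the ids. Whether callers guarantee the rates are numeric is not visible here, which is why escaping is the safe default. Both function bodies begin before their hunks.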
@@ -57,7 +57,7 @@ function get_tax_type($type_id)
 FROM ".TB_PREF."tax_types, ".TB_PREF."chart_master AS Chart1, ".TB_PREF."chart_master AS Chart2
 WHERE ".TB_PREF."tax_types.sales_gl_code = Chart1.account_code
- AND ".TB_PREF."tax_types.purchasing_gl_code = Chart2.account_code AND id=$type_id";
+ AND ".TB_PREF."tax_types.purchasing_gl_code = Chart2.account_code AND id=".db_escape($type_id);
 $result = db_query($sql, "could not get tax type");
 return db_fetch($result);
@@ -65,7 +65,7 @@ function get_tax_type($type_id)
 function get_tax_type_default_rate($type_id)
 {
- $sql = "SELECT rate FROM ".TB_PREF."tax_types WHERE id=$type_id";
+ $sql = "SELECT rate FROM ".TB_PREF."tax_types WHERE id=".db_escape($type_id);
 $result = db_query($sql, "could not get tax type rate");
@@ -77,7 +77,7 @@ function delete_tax_type($type_id)
 {
 begin_transaction();
- $sql = "DELETE FROM ".TB_PREF."tax_types WHERE id=$type_id";
+ $sql = "DELETE FROM ".TB_PREF."tax_types WHERE id=".db_escape($type_id);
 db_query($sql, "could not delete tax type");
diff --git a/taxes/item_tax_types.php b/taxes/item_tax_types.php
index 91f21c97..96742971 100644
--- a/taxes/item_tax_types.php
+++ b/taxes/item_tax_types.php
@@ -72,7 +72,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
 function can_delete($selected_id)
 {
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE tax_type_id=$selected_id";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE tax_type_id=".db_escape($selected_id);
 $result = db_query($sql, "could not query stock master");
 $myrow = db_fetch_row($result);
 if ($myrow[0] > 0)
diff --git a/taxes/tax_calc.inc b/taxes/tax_calc.inc
index 1209d621..7107cdca 100644
--- a/taxes/tax_calc.inc
+++ b/taxes/tax_calc.inc
@@ -210,7 +210,7 @@ function get_tax_for_items($items, $prices, $shipping_cost, $tax_group, $tax_inc
 function is_tax_account($account_code)
 {
 $sql= "SELECT id FROM ".TB_PREF."tax_types WHERE
- sales_gl_code='$account_code' OR purchasing_gl_code='$account_code'";
+ sales_gl_code=".db_escape($account_code)." OR purchasing_gl_code=".db_escape($account_code);
 $result = db_query($sql, "checking account is tax account");
 if (db_num_rows($result) > 0) {
 $acct = db_fetch($result);
diff --git a/taxes/tax_groups.php b/taxes/tax_groups.php
index bc947284..cf4177c6 100644
--- a/taxes/tax_groups.php
+++ b/taxes/tax_groups.php
@@ -96,7 +96,7 @@ function can_delete($selected_id)
 {
 if ($selected_id == -1)
 return false;
- $sql = "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE tax_group_id=$selected_id";
+ $sql = "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE tax_group_id=".db_escape($selected_id);
 $result = db_query($sql, "could not query customers");
 $myrow = db_fetch_row($result);
 if ($myrow[0] > 0)
@@ -105,7 +105,7 @@ function can_delete($selected_id)
 return false;
 }
- $sql = "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE tax_group_id=$selected_id";
+ $sql = "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE tax_group_id=".db_escape($selected_id);
 $result = db_query($sql, "could not query suppliers");
 $myrow = db_fetch_row($result);
 if ($myrow[0] > 0)
diff --git a/taxes/tax_types.php b/taxes/tax_types.php
index 20369be7..e7aa9240 100644
--- a/taxes/tax_types.php
+++ b/taxes/tax_types.php
@@ -72,7 +72,7 @@ if ($Mode=='UPDATE_ITEM' && can_process())
 function can_delete($selected_id)
 {
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."tax_group_items WHERE tax_type_id=$selected_id";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."tax_group_items WHERE tax_type_id=".db_escape($selected_id);
 $result = db_query($sql, "could not query tax groups");
 $myrow = db_fetch_row($result);
 if ($myrow[0] > 0)
-- 
2.30.2