From 46d3debec422c5ad5ee99c4acfe42bfa60308afb Mon Sep 17 00:00:00 2001 From: Joe Hunt Date: Fri, 18 Apr 2008 12:37:53 +0000 Subject: [PATCH] Changed db_escape function to avoid XSS attacks via js db injection --- CHANGELOG.txt | 20 ++++- includes/db/comments_db.inc | 22 +++--- includes/db/inventory_db.inc | 78 +++++++++---------- includes/db/references_db.inc | 22 +++--- inventory/includes/db/items_category_db.inc | 32 ++++---- inventory/includes/db/items_db.inc | 6 +- inventory/includes/db/items_locations_db.inc | 54 ++++++------- inventory/includes/db/items_units_db.inc | 32 ++++---- inventory/includes/db/movement_types_db.inc | 26 +++---- manufacturing/includes/db/work_centres_db.inc | 26 +++---- .../includes/db/work_order_issues_db.inc | 4 +- .../db/work_order_produce_items_db.inc | 2 +- manufacturing/includes/db/work_orders_db.inc | 6 +- .../includes/db/work_orders_quick_db.inc | 2 +- 14 files changed, 174 insertions(+), 158 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 3da93512..619b82fe 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt 
@@ -19,8 +19,24 @@ Legend: ! -> Note $ -> Affected files -18-Apr-08 Janusz Dobrwolski -! Changed db_escape function to avoid XSS atacks via js db injection +18-Apr-2008 Joe Hunt +! Changed db_escape function to avoid XSS attacks via js db injection +$ /includes/db/comments_db.inc + /includes/db/inventory_db.inc + /includes/db/references_db.inc + /inventory/includes/db/items_category_db.inc + /inventory/includes/db/items_db.inc + /inventory/includes/db/items_locations_db.inc + /inventory/includes/db/items_units_db.inc + /inventory/includes/db/movement_types_db.inc + /manufacturing/includes/db/work_centres_db.inc + /manufacturing/includes/db/work_orders_db.inc + /manufacturing/includes/db/work_orders_quick_db.inc + /manufacturing/includes/db/work_order_issues_db.inc + /manufacturing/includes/db/work_order_produce_items_db.inc + +18-Apr-2008 Janusz Dobrwolski +! Changed db_escape function to avoid XSS attacks via js db injection $ /includes/db/connect_db.inc # Database inserts/updates secured against js injection $ /admin/db/maintenance_db.inc diff --git a/includes/db/comments_db.inc b/includes/db/comments_db.inc index 27e4405d..6f9ba120 100644 --- a/includes/db/comments_db.inc +++ b/includes/db/comments_db.inc @@ -5,7 +5,7 @@ function get_comments($type, $type_no) { $sql = "SELECT * FROM ".TB_PREF."comments WHERE type=$type AND id=$type_no"; - + return db_query($sql, "could not query comments transaction table"); } 
@@ -13,29 +13,29 @@ function get_comments($type, $type_no) function add_comments($type, $type_no, $date_, $memo_) { - if ($memo_ != null && $memo_ != "") - { + if ($memo_ != null && $memo_ != "") + { $date = date2sql($date_); $sql = "INSERT INTO ".TB_PREF."comments (type, id, date_, memo_) - VALUES ($type, $type_no, '$date', '$memo_')"; - + VALUES ($type, $type_no, '$date', ".db_quote($memo_).")"; + db_query($sql, "could not add comments transaction entry"); - } + } } //-------------------------------------------------------------------------------------------------- function update_comments($type, $id, $date_, $memo_) { - if ($date_ == null) + if ($date_ == null) { delete_comments($type, $id); add_comments($type, $id, '', $memo_); - } - else + } + else { $date = date2sql($date_); - $sql = "UPDATE ".TB_PREF."comments SET memo_='$memo_' WHERE type=$type AND id=$id AND date_='$date'"; + $sql = "UPDATE ".TB_PREF."comments SET memo_=".db_quote($memo_)." WHERE type=$type AND id=$id AND date_='$date'"; db_query($sql, "could not update comments"); } } @@ -45,7 +45,7 @@ function update_comments($type, $id, $date_, $memo_) function delete_comments($type, $type_no) { $sql = "DELETE FROM ".TB_PREF."comments WHERE type=$type AND id=$type_no"; - + db_query($sql, "could not delete from comments transaction table"); } diff --git a/includes/db/inventory_db.inc b/includes/db/inventory_db.inc index 57234f4c..84893a11 100644 --- a/includes/db/inventory_db.inc +++ b/includes/db/inventory_db.inc 
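Review bot: In update_comments the WHERE clause still interpolates `$type`, `$id` and `$date` directly into the UPDATE, so only the memo_ column gains anything from db_quote; add_comments' VALUES list likewise keeps `$type`, `$type_no` and `'$date'` raw. If any of these can arrive from request parameters they are as injectable as the memo was; type and id are compared unquoted and look numeric, so a cast is the cheapest consistent fix, e.g. `WHERE type=".(int)$type." AND id=".(int)$id." AND date_=".db_quote($date)`. `if ($date_ == null)` is a loose comparison that also matches `''` and `'0'`; that seems intended for the empty-date call from add_comments, but a short comment saying so would save the next reader a check.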
@@ -4,31 +4,31 @@ function get_qoh_on_date($stock_id, $location=null, $date_=null) { if ($date_ == null) $date_ = Today(); - + $date = date2sql($date_); - - $sql = "SELECT SUM(qty) FROM ".TB_PREF."stock_moves + + $sql = "SELECT SUM(qty) FROM ".TB_PREF."stock_moves WHERE stock_id='$stock_id' AND tran_date <= '$date'"; - + if ($location != null) $sql .= " AND loc_code = '$location'"; - - $result = db_query($sql, "QOH calulcation failed"); - + + $result = db_query($sql, "QOH calulcation failed"); + $myrow = db_fetch_row($result); - - return $myrow[0]; + + return $myrow[0]; } //-------------------------------------------------------------------------------------- function get_item_edit_info($stock_id) { - $sql = "SELECT material_cost + labour_cost + overhead_cost AS standard_cost, units + $sql = "SELECT material_cost + labour_cost + overhead_cost AS standard_cost, units FROM ".TB_PREF."stock_master WHERE stock_id='$stock_id'"; $result = db_query($sql, "The standard cost cannot be retrieved"); - + return db_fetch($result); } @@ -36,12 +36,12 @@ function get_item_edit_info($stock_id) function get_standard_cost($stock_id) { - $sql = "SELECT material_cost + labour_cost + overhead_cost AS std_cost + $sql = "SELECT material_cost + labour_cost + overhead_cost AS std_cost FROM ".TB_PREF."stock_master WHERE stock_id='$stock_id'"; $result = db_query($sql, "The standard cost cannot be retrieved"); - + $myrow = db_fetch_row($result); - + return $myrow[0]; } @@ -49,11 +49,11 @@ function get_standard_cost($stock_id) function is_inventory_item($stock_id) { - $sql = "SELECT stock_id FROM ".TB_PREF."stock_master + $sql = "SELECT stock_id FROM ".TB_PREF."stock_master WHERE stock_id='$stock_id' AND mb_flag <> 'D'"; $result = db_query($sql, "Cannot query is inventory item or not"); - - return db_num_rows($result) > 0; + + return db_num_rows($result) > 0; } //------------------------------------------------------------------- 
@@ -62,8 +62,8 @@ Function get_stock_gl_code($stock_id) { /*Gets the GL Codes relevant to the item account */ - $sql = "SELECT inventory_account, cogs_account, - adjustment_account, sales_account, assembly_account, dimension_id, dimension2_id FROM + $sql = "SELECT inventory_account, cogs_account, + adjustment_account, sales_account, assembly_account, dimension_id, dimension2_id FROM ".TB_PREF."stock_master WHERE stock_id = '$stock_id'"; $get = db_query($sql,"retreive stock gl code"); 
@@ -78,43 +78,43 @@ Function get_stock_gl_code($stock_id) // $price - in $person_id's currency function add_stock_move($type, $stock_id, $trans_no, $location, - $date_, $reference, $quantity, $std_cost, $person_id=null, $show_or_hide=1, + $date_, $reference, $quantity, $std_cost, $person_id=null, $show_or_hide=1, $price=0, $discount_percent=0, $error_msg="") { // do not add a stock move if it's a non-inventory item if (!is_inventory_item($stock_id)) return null; - + $date = date2sql($date_); - - $sql = "INSERT INTO ".TB_PREF."stock_moves (stock_id, trans_no, type, loc_code, - tran_date, person_id, reference, qty, standard_cost, visible, price, - discount_percent) VALUES ('$stock_id', $trans_no, $type, - '$location', '$date', '$person_id', '$reference', $quantity, $std_cost, + + $sql = "INSERT INTO ".TB_PREF."stock_moves (stock_id, trans_no, type, loc_code, + tran_date, person_id, reference, qty, standard_cost, visible, price, + discount_percent) VALUES ('$stock_id', $trans_no, $type, + ".db_quote($location).", '$date', '$person_id', ".db_quote($reference).", $quantity, $std_cost, $show_or_hide, $price, $discount_percent)"; - + if ($error_msg == "") $error_msg = "The stock movement record cannot be inserted"; - + db_query($sql, $error_msg); - - return db_insert_id(); -} + + return db_insert_id(); +} //-------------------------------------------------------------------------------------------------- function get_stock_moves($type, $type_no, $visible=false) { - $sql = "SELECT ".TB_PREF."stock_moves.*, ".TB_PREF."stock_master.description, ".TB_PREF."stock_master.units, + $sql = "SELECT ".TB_PREF."stock_moves.*, ".TB_PREF."stock_master.description, ".TB_PREF."stock_master.units, ".TB_PREF."locations.location_name, ".TB_PREF."stock_master.material_cost + ".TB_PREF."stock_master.labour_cost + ".TB_PREF."stock_master.overhead_cost AS FixedStandardCost FROM ".TB_PREF."stock_moves,".TB_PREF."locations,".TB_PREF."stock_master - WHERE ".TB_PREF."stock_moves.stock_id = 
".TB_PREF."stock_master.stock_id - AND ".TB_PREF."locations.loc_code=".TB_PREF."stock_moves.loc_code + WHERE ".TB_PREF."stock_moves.stock_id = ".TB_PREF."stock_master.stock_id + AND ".TB_PREF."locations.loc_code=".TB_PREF."stock_moves.loc_code AND type=$type AND trans_no=$type_no ORDER BY trans_id"; if ($visible) $sql .= " AND ".TB_PREF."stock_moves.visible=1"; - + return db_query($sql, "Could not get stock moves"); } @@ -124,7 +124,7 @@ function void_stock_move($type, $type_no) { $sql = "UPDATE ".TB_PREF."stock_moves SET qty=0, price=0, discount_percent=0, standard_cost=0 WHERE type=$type AND trans_no=$type_no"; - + db_query($sql, "Could not void stock moves"); } @@ -133,15 +133,15 @@ function void_stock_move($type, $type_no) function get_location_name($loc_code) { $sql = "SELECT location_name FROM ".TB_PREF."locations WHERE loc_code='$loc_code'"; - + $result = db_query($sql, "could not retreive the location name for $loc_code"); - + if (db_num_rows($result) == 1) { $row = db_fetch_row($result); return $row[0]; } - + display_db_error("could not retreive the location name for $loc_code", $sql, true); } diff --git a/includes/db/references_db.inc b/includes/db/references_db.inc index 77e688a5..9b769859 100644 --- a/includes/db/references_db.inc +++ b/includes/db/references_db.inc @@ -5,7 +5,7 @@ function get_reference($type, $id) { $sql = "SELECT * FROM ".TB_PREF."refs WHERE type=$type AND id=$id"; - + return db_query($sql, "could not query reference table"); } @@ -14,8 +14,8 @@ function get_reference($type, $id) function add_reference($type, $id, $reference) { $sql = "INSERT INTO ".TB_PREF."refs (type, id, reference) - VALUES ($type, $id, '" . trim($reference) . "')"; - + VALUES ($type, $id, " . db_quote(trim($reference)) . ")"; + db_query($sql, "could not add reference entry"); } 
@@ -24,7 +24,7 @@ function add_reference($type, $id, $reference) function delete_reference($type, $id) { $sql = "DELETE FROM ".TB_PREF."refs WHERE type=$type AND id=$id"; - + return db_query($sql, "could not delete from reference table"); } @@ -33,9 +33,9 @@ function delete_reference($type, $id) function find_reference($type, $reference) { $sql = "SELECT id FROM ".TB_PREF."refs WHERE type=$type AND reference='$reference'"; - + $result = db_query($sql, "could not query reference table"); - + return (db_num_rows($result) > 0); } @@ -43,9 +43,9 @@ function find_reference($type, $reference) function save_next_reference($type, $reference) { - $sql = "UPDATE ".TB_PREF."sys_types SET next_reference='" . trim($reference) . "' WHERE type_id = $type"; - - db_query($sql, "The next transaction ref for $type could not be updated"); + $sql = "UPDATE ".TB_PREF."sys_types SET next_reference=" . db_quote(trim($reference)) . " WHERE type_id = $type"; + + db_query($sql, "The next transaction ref for $type could not be updated"); } //-------------------------------------------------------------------------------------------------- @@ -53,9 +53,9 @@ function save_next_reference($type, $reference) function get_next_reference($type) { $sql = "SELECT next_reference FROM ".TB_PREF."sys_types WHERE type_id = $type"; - + $result = db_query($sql,"The last transaction ref for $type could not be retreived"); - + $row = db_fetch_row($result); return $row[0]; } diff --git a/inventory/includes/db/items_category_db.inc b/inventory/includes/db/items_category_db.inc index 5c93e317..5372e0af 100644 --- a/inventory/includes/db/items_category_db.inc +++ b/inventory/includes/db/items_category_db.inc 
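Review bot: save_next_reference now writes the reference through db_quote, but find_reference a few lines above (touched only for whitespace here) still embeds the same value as `reference='$reference'`, so a reference string that is stored safely is still injectable on lookup; use `WHERE type=$type AND reference=".db_quote($reference)`. `$type` is interpolated unquoted in every query in this file and is presumably an integer id; an `(int)` cast would make that assumption explicit.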
@@ -3,43 +3,43 @@ function add_item_category($description) { - $sql = "INSERT INTO ".TB_PREF."stock_category (description) - VALUES ('$description')"; - + $sql = "INSERT INTO ".TB_PREF."stock_category (description) + VALUES (".db_quote($description).")"; + db_query($sql,"an item category could not be added"); } function update_item_category($ItemCategory, $description) { - $sql = "UPDATE ".TB_PREF."stock_category SET description = '$description' - WHERE category_id = '$ItemCategory'"; - - db_query($sql,"an item category could not be updated"); + $sql = "UPDATE ".TB_PREF."stock_category SET description = ".db_quote($description)." + WHERE category_id = '$ItemCategory'"; + + db_query($sql,"an item category could not be updated"); } function delete_item_category($ItemCategory) { - $sql="DELETE FROM ".TB_PREF."stock_category WHERE category_id='$ItemCategory'"; - - db_query($sql,"an item category could not be deleted"); + $sql="DELETE FROM ".TB_PREF."stock_category WHERE category_id='$ItemCategory'"; + + db_query($sql,"an item category could not be deleted"); } function get_item_category($ItemCategory) { - $sql="SELECT * FROM ".TB_PREF."stock_category WHERE category_id='$ItemCategory'"; - + $sql="SELECT * FROM ".TB_PREF."stock_category WHERE category_id='$ItemCategory'"; + $result = db_query($sql,"an item category could not be retrieved"); - - return db_fetch($result); + + return db_fetch($result); } function get_category_name($id) { $sql = "SELECT description FROM ".TB_PREF."stock_category WHERE category_id=$id"; - + $result = db_query($sql, "could not get sales type"); - + $row = db_fetch_row($result); return $row[0]; } diff --git a/inventory/includes/db/items_db.inc b/inventory/includes/db/items_db.inc index a4645584..3e5e860e 100644 --- a/inventory/includes/db/items_db.inc +++ b/inventory/includes/db/items_db.inc 
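Review bot: update_item_category quotes `$description` but its `WHERE category_id = '$ItemCategory'` selector, and the same value in delete_item_category and get_item_category, remains raw interpolation, as does `$id` in get_category_name. Since category_id appears to be numeric (get_category_name compares it unquoted), `WHERE category_id=".(int)$ItemCategory` would close this consistently; if it is a string column, `db_quote($ItemCategory)` instead. The message in get_category_name, `"could not get sales type"`, looks copied from another file and should read `"could not get category name"`.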
@@ -4,8 +4,8 @@ function update_item($stock_id, $description, $long_description, $category_id, $ $sales_account, $inventory_account, $cogs_account, $adjustment_account, $assembly_account, $dimension_id, $dimension2_id) { - $sql = "UPDATE ".TB_PREF."stock_master SET long_description='$long_description', - description='$description', + $sql = "UPDATE ".TB_PREF."stock_master SET long_description=".db_quote($long_description).", + description=".db_quote($description).", category_id='$category_id', sales_account='$sales_account', inventory_account='$inventory_account', @@ -27,7 +27,7 @@ function add_item($stock_id, $description, $long_description, $category_id, $tax $sql = "INSERT INTO ".TB_PREF."stock_master (stock_id, description, long_description, category_id, tax_type_id, units, mb_flag, sales_account, inventory_account, cogs_account, adjustment_account, assembly_account, dimension_id, dimension2_id) - VALUES ('$stock_id', '$description', '$long_description', + VALUES (".db_quote($stock_id).", ".db_quote($description).", ".db_quote($long_description).", '$category_id', $tax_type_id, '$units', '$mb_flag', '$sales_account', '$inventory_account', '$cogs_account', '$adjustment_account', '$assembly_account', $dimension_id, $dimension2_id)"; diff --git a/inventory/includes/db/items_locations_db.inc b/inventory/includes/db/items_locations_db.inc index 0cdb1e0c..aeaee0df 100644 --- a/inventory/includes/db/items_locations_db.inc +++ b/inventory/includes/db/items_locations_db.inc 
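Review bot: add_item quotes `$stock_id`, `$description` and `$long_description` but leaves `'$category_id'`, `'$units'`, `'$mb_flag'` and the five account columns as raw `'$var'` interpolation in the same VALUES list, and update_item has the same mix in its SET list; any of these that originate from the item form are just as exposed as the description was. Apply db_quote to each string column (e.g. `".db_quote($units).", ".db_quote($mb_flag).",`) and cast the numeric ones (`$tax_type_id`, `$dimension_id`, `$dimension2_id`). Both functions continue outside the hunk, including update_item's WHERE clause.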
@@ -2,16 +2,16 @@ function add_item_location($loc_code, $location_name, $delivery_address, $phone, $fax, $email, $contact) { - $sql = "INSERT INTO ".TB_PREF."locations (loc_code, location_name, delivery_address, phone, fax, email, contact) - VALUES ('$loc_code', '$location_name', '$delivery_address', '$phone', '$fax', '$email', '$contact')"; - + $sql = "INSERT INTO ".TB_PREF."locations (loc_code, location_name, delivery_address, phone, fax, email, contact) + VALUES (".db_quote($loc_code).", ".db_quote($location_name).", ".db_quote($delivery_address).", ".db_quote($phone).", ".db_quote($fax).", ".db_quote($email).", ".db_quote($contact).")"; + db_query($sql,"a location could not be added"); - + /* Also need to add loc_stock records for all existing items */ - $sql = "INSERT INTO ".TB_PREF."loc_stock (loc_code, stock_id, reorder_level) + $sql = "INSERT INTO ".TB_PREF."loc_stock (loc_code, stock_id, reorder_level) SELECT '$loc_code', ".TB_PREF."stock_master.stock_id, 0 FROM ".TB_PREF."stock_master"; - - db_query($sql,"a location could not be added"); + + db_query($sql,"a location could not be added"); } //------------------------------------------------------------------------------------ 
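Review bot: Within add_item_location the first INSERT now quotes `$loc_code` via db_quote while the INSERT ... SELECT a few lines below still embeds the same variable as `SELECT '$loc_code', `; two statements in one function should escape the same input the same way, i.e. `SELECT ".db_quote($loc_code).", ".TB_PREF."stock_master.stock_id, 0`. The second db_query reuses the message "a location could not be added", so a failure there cannot be told apart from the first insert; `"loc_stock rows could not be added"` would help triage.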
@@ -19,54 +19,54 @@ function add_item_location($loc_code, $location_name, $delivery_address, $phone, function update_item_location($loc_code, $location_name, $delivery_address, $phone, $fax, $email, $contact) { - $sql = "UPDATE ".TB_PREF."locations SET location_name='$location_name', - delivery_address='$delivery_address', - phone='$phone', fax='$fax', - email='$email', contact='$contact' + $sql = "UPDATE ".TB_PREF."locations SET location_name=".db_quote($location_name).", + delivery_address=".db_quote($delivery_address).", + phone=".db_quote($phone).", fax=".db_quote($fax).", + email=".db_quote($email).", contact=".db_quote($contact)." WHERE loc_code = '$loc_code'"; - - db_query($sql,"a location could not be updated"); + + db_query($sql,"a location could not be updated"); } //------------------------------------------------------------------------------------ function delete_item_location($item_location) { - $sql="DELETE FROM ".TB_PREF."locations WHERE loc_code='$item_location'"; + $sql="DELETE FROM ".TB_PREF."locations WHERE loc_code='$item_location'"; db_query($sql,"a location could not be deleted"); - + $sql = "DELETE FROM ".TB_PREF."loc_stock WHERE loc_code ='$item_location'"; - db_query($sql,"a location could not be deleted"); + db_query($sql,"a location could not be deleted"); } //------------------------------------------------------------------------------------ function get_item_location($item_location) { - $sql="SELECT * FROM ".TB_PREF."locations WHERE loc_code='$item_location'"; - + $sql="SELECT * FROM ".TB_PREF."locations WHERE loc_code='$item_location'"; + $result = db_query($sql,"a location could not be retrieved"); - - return db_fetch($result); + + return db_fetch($result); } //------------------------------------------------------------------------------------ function set_reorder_level($stock_id, $loc_code, $reorder_level) { - $sql = "UPDATE ".TB_PREF."loc_stock SET reorder_level = $reorder_level - WHERE stock_id = '$stock_id' AND loc_code = 
'$loc_code'"; - - db_query($sql,"an item reorder could not be set"); + $sql = "UPDATE ".TB_PREF."loc_stock SET reorder_level = $reorder_level + WHERE stock_id = '$stock_id' AND loc_code = '$loc_code'"; + + db_query($sql,"an item reorder could not be set"); } //------------------------------------------------------------------------------------ function get_loc_details($stock_id) { - $sql = "SELECT ".TB_PREF."loc_stock.*, ".TB_PREF."locations.location_name - FROM ".TB_PREF."loc_stock, ".TB_PREF."locations - WHERE ".TB_PREF."loc_stock.loc_code=".TB_PREF."locations.loc_code + $sql = "SELECT ".TB_PREF."loc_stock.*, ".TB_PREF."locations.location_name + FROM ".TB_PREF."loc_stock, ".TB_PREF."locations + WHERE ".TB_PREF."loc_stock.loc_code=".TB_PREF."locations.loc_code AND ".TB_PREF."loc_stock.stock_id = '" . $stock_id . "' ORDER BY ".TB_PREF."loc_stock.loc_code"; return db_query($sql,"an item reorder could not be retreived"); } diff --git a/inventory/includes/db/items_units_db.inc b/inventory/includes/db/items_units_db.inc index f755fed5..05cb544c 100644 --- a/inventory/includes/db/items_units_db.inc +++ b/inventory/includes/db/items_units_db.inc 
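Review bot: update_item_location now quotes every SET value but the row selector `WHERE loc_code = '$loc_code'` is still raw, and the rest of the hunk keeps that pattern: `'$item_location'` in delete_item_location and get_item_location, `'$stock_id'`/`'$loc_code'` in set_reorder_level, and `'" . $stock_id . "'` in get_loc_details. These keys are user-supplied strings of the same kind as the values being escaped; `WHERE loc_code = ".db_quote($loc_code)` and its equivalents would make the file consistent. set_reorder_level also concatenates `$reorder_level` unquoted into a numeric assignment, so a non-numeric value reaches the SQL unchanged; a cast or numeric check before building the statement would close that.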
@@ -4,40 +4,40 @@ function write_item_unit($selected, $abbr, $description, $decimals) { if($selected!='') $sql = "UPDATE ".TB_PREF."item_units SET - abbr = '$abbr', - name = '$description', + abbr = ".db_quote($abbr).", + name = ".db_quote($description).", decimals = $decimals WHERE abbr = '$selected'"; else $sql = "INSERT INTO ".TB_PREF."item_units - (abbr, name, decimals) VALUES( '$abbr', - '$description', $decimals)"; - - db_query($sql,"an item unit could not be updated"); + (abbr, name, decimals) VALUES( ".db_quote($abbr).", + ".db_quote($description).", $decimals)"; + + db_query($sql,"an item unit could not be updated"); } function delete_item_unit($unit) { - $sql="DELETE FROM ".TB_PREF."item_units WHERE abbr='$unit'"; - - db_query($sql,"an unit of measure could not be deleted"); + $sql="DELETE FROM ".TB_PREF."item_units WHERE abbr='$unit'"; + + db_query($sql,"an unit of measure could not be deleted"); } function get_item_unit($unit) { - $sql="SELECT * FROM ".TB_PREF."item_units WHERE abbr='$unit'"; - + $sql="SELECT * FROM ".TB_PREF."item_units WHERE abbr='$unit'"; + $result = db_query($sql,"an unit of measure could not be retrieved"); - - return db_fetch($result); + + return db_fetch($result); } function get_unit_descr($unit) { - $sql = "SELECT description FROM ".TB_PREF."item_units WHERE abbr='$id'"; - + $sql = "SELECT description FROM ".TB_PREF."item_units WHERE abbr='$unit'"; + $result = db_query($sql, "could not unit description"); - + $row = db_fetch_row($result); return $row[0]; } diff --git a/inventory/includes/db/movement_types_db.inc b/inventory/includes/db/movement_types_db.inc index de9626f8..28021719 100644 --- a/inventory/includes/db/movement_types_db.inc +++ b/inventory/includes/db/movement_types_db.inc 
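Review bot: The `$id` to `$unit` fix in get_unit_descr is correct, but the query still interpolates `'$unit'` raw while write_item_unit now quotes `$abbr`; the same applies to `'$selected'` in write_item_unit's WHERE and `'$unit'` in delete_item_unit and get_item_unit, so `WHERE abbr=".db_quote($unit)` throughout would finish the job. write_item_unit stores the description in a column named `name` (`(abbr, name, decimals)`), yet get_unit_descr selects `description` from the same table; unless item_units has both columns this query fails, so confirm against the schema. The message `"could not unit description"` is missing its verb (`"could not get unit description"`).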
@@ -2,41 +2,41 @@ function add_movement_type($name) { - $sql = "INSERT INTO ".TB_PREF."movement_types (name) - VALUES ('$name')"; - - db_query($sql, "could not add item movement type"); + $sql = "INSERT INTO ".TB_PREF."movement_types (name) + VALUES (".db_quote($name).")"; + + db_query($sql, "could not add item movement type"); } function update_movement_type($type_id, $name) { - $sql = "UPDATE ".TB_PREF."movement_types SET name='$name' + $sql = "UPDATE ".TB_PREF."movement_types SET name=".db_quote($name)." WHERE id=$type_id"; - - db_query($sql, "could not update item movement type"); + + db_query($sql, "could not update item movement type"); } function get_all_movement_type() { $sql = "SELECT * FROM ".TB_PREF."movement_types"; - + return db_query($sql, "could not get all item movement type"); -} +} function get_movement_type($type_id) { $sql = "SELECT * FROM ".TB_PREF."movement_types WHERE id=$type_id"; - + $result = db_query($sql, "could not get item movement type"); - + return db_fetch($result); } function delete_movement_type($type_id) { $sql="DELETE FROM ".TB_PREF."movement_types WHERE id=$type_id"; - - db_query($sql, "could not delete item movement type"); + + db_query($sql, "could not delete item movement type"); } ?> \ No newline at end of file diff --git a/manufacturing/includes/db/work_centres_db.inc b/manufacturing/includes/db/work_centres_db.inc index a1cffa01..a2255c32 100644 --- a/manufacturing/includes/db/work_centres_db.inc +++ b/manufacturing/includes/db/work_centres_db.inc 
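Review bot: `$type_id` is concatenated unquoted into the WHERE clauses of update_movement_type, get_movement_type and delete_movement_type with no cast, so the escaping added for `$name` does not cover the row selector; `WHERE id=".(int)$type_id` would make the numeric assumption explicit and safe. The hunk in manufacturing/includes/db/work_centres_db.inc (update/get/delete_work_centre) has exactly the same shape and should get the same treatment. Both files still end with `?>` and no trailing newline; dropping the closing tag in include-only files avoids accidental output after it.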
@@ -2,41 +2,41 @@ function add_work_centre($name, $description) { - $sql = "INSERT INTO ".TB_PREF."workcentres (name, description) - VALUES ('$name','$description')"; - - db_query($sql, "could not add work centre"); + $sql = "INSERT INTO ".TB_PREF."workcentres (name, description) + VALUES (".db_quote($name).",".db_quote($description).")"; + + db_query($sql, "could not add work centre"); } function update_work_centre($type_id, $name, $description) { - $sql = "UPDATE ".TB_PREF."workcentres SET name='$name', description='$description' + $sql = "UPDATE ".TB_PREF."workcentres SET name=".db_quote($name).", description=".db_quote($description)." WHERE id=$type_id"; - - db_query($sql, "could not update work centre"); + + db_query($sql, "could not update work centre"); } function get_all_work_centres() { $sql = "SELECT * FROM ".TB_PREF."workcentres"; - + return db_query($sql, "could not get all work centres"); -} +} function get_work_centre($type_id) { $sql = "SELECT * FROM ".TB_PREF."workcentres WHERE id=$type_id"; - + $result = db_query($sql, "could not get work centre"); - + return db_fetch($result); } function delete_work_centre($type_id) { $sql="DELETE FROM ".TB_PREF."workcentres WHERE id=$type_id"; - - db_query($sql, "could not delete work centre"); + + db_query($sql, "could not delete work centre"); } ?> \ No newline at end of file diff --git a/manufacturing/includes/db/work_order_issues_db.inc b/manufacturing/includes/db/work_order_issues_db.inc index f59f8893..a2a6a418 100644 --- a/manufacturing/includes/db/work_order_issues_db.inc +++ b/manufacturing/includes/db/work_order_issues_db.inc 
@@ -25,8 +25,8 @@ function add_work_order_issue($woid, $ref, $to_work_order, $items, $location, $w // insert the actual issue $sql = "INSERT INTO ".TB_PREF."wo_issues (workorder_id, reference, issue_date, loc_code, workcentre_id) - VALUES ($woid, '$ref', '" . - date2sql($date_) . "', '$location', $workcentre)"; + VALUES ($woid, ".db_quote($ref).", '" . + date2sql($date_) . "', ".db_quote($location).", $workcentre)"; db_query($sql,"The work order issue could not be added"); $number = db_insert_id(); diff --git a/manufacturing/includes/db/work_order_produce_items_db.inc b/manufacturing/includes/db/work_order_produce_items_db.inc index 6339e87d..8c3f8d07 100644 --- a/manufacturing/includes/db/work_order_produce_items_db.inc +++ b/manufacturing/includes/db/work_order_produce_items_db.inc @@ -22,7 +22,7 @@ function work_order_produce($woid, $ref, $quantity, $date_, $memo_, $close_wo) $date = date2sql($date_); $sql = "INSERT INTO ".TB_PREF."wo_manufacture (workorder_id, reference, quantity, date_) - VALUES ($woid, '$ref', $quantity, '$date')"; + VALUES ($woid, ".db_quote($ref).", $quantity, '$date')"; db_query($sql,"A work order manufacture could not be added"); diff --git a/manufacturing/includes/db/work_orders_db.inc b/manufacturing/includes/db/work_orders_db.inc index 408fcc05..58f3d82d 100644 --- a/manufacturing/includes/db/work_orders_db.inc +++ b/manufacturing/includes/db/work_orders_db.inc @@ -42,7 +42,7 @@ function add_work_order($wo_ref, $loc_code, $units_reqd, $stock_id, $sql = "INSERT INTO ".TB_PREF."workorders (wo_ref, loc_code, units_reqd, stock_id, type, date_, required_by) - VALUES ('$wo_ref', '$loc_code', $units_reqd, '$stock_id', + VALUES (".db_quote($wo_ref).", ".db_quote($loc_code).", $units_reqd, '$stock_id', $type, '$date', '$required')"; db_query($sql, "could not add work order"); 
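Review bot: add_work_order quotes `$wo_ref` and `$loc_code` but leaves `'$stock_id'` as raw interpolation in the same VALUES list; update_work_order and add_work_order_quick in the following hunks keep the identical `stock_id='$stock_id'` / `'$stock_id'` pattern, so the item code is the one user-supplied string left unescaped across all three statements, and `".db_quote($stock_id).",` belongs in each. In add_work_order_issue, `$woid` and `$workcentre` are concatenated unquoted, and `'" . date2sql($date_) . "'` is spliced inline while the neighbouring values go through db_quote; computing `$date = date2sql($date_)` first and using `db_quote($date)` would read consistently with work_order_produce. The enclosing functions start and end outside these hunks.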
@@ -70,7 +70,7 @@ function update_work_order($woid, $loc_code, $units_reqd, $stock_id, $date = date2sql($date_); $required = date2sql($required_by); - $sql = "UPDATE ".TB_PREF."workorders SET loc_code='$loc_code', + $sql = "UPDATE ".TB_PREF."workorders SET loc_code=".db_quote($loc_code).", units_reqd=$units_reqd, stock_id='$stock_id', required_by='$required', date_='$date' @@ -116,7 +116,7 @@ function get_work_order($woid, $allow_null=false) $result = db_query($sql, "The work order issues could not be retrieved"); if (!$allow_null && db_num_rows($result) == 0) - display_db_error("Could not find work order $workOrder", $sql); + display_db_error("Could not find work order $woid", $sql); return db_fetch($result); } diff --git a/manufacturing/includes/db/work_orders_quick_db.inc b/manufacturing/includes/db/work_orders_quick_db.inc index 940145af..a687837d 100644 --- a/manufacturing/includes/db/work_orders_quick_db.inc +++ b/manufacturing/includes/db/work_orders_quick_db.inc @@ -18,7 +18,7 @@ function add_work_order_quick($wo_ref, $loc_code, $units_reqd, $stock_id, $type, $sql = "INSERT INTO ".TB_PREF."workorders (wo_ref, loc_code, units_reqd, units_issued, stock_id, type, additional_costs, date_, released_date, required_by, released, closed) - VALUES ('$wo_ref', '$loc_code', $units_reqd, $units_reqd, '$stock_id', + VALUES (".db_quote($wo_ref).", ".db_quote($loc_code).", $units_reqd, $units_reqd, '$stock_id', $type, $additional_costs, '$date', '$date', '$date', 1, 1)"; db_query($sql, "could not add work order"); -- 2.30.2
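Review bot: The `$workOrder` to `$woid` fix in get_work_order makes the error message correct, but that message is handed to display_db_error with the raw `$woid` value; if that helper renders the text into HTML without escaping (its definition is not on this page), a non-numeric id becomes a reflected output-encoding problem, which is the class of issue this commit targets. Casting once at the top of the function, `$woid = (int)$woid;`, would protect both the message and the SQL built earlier in the function (outside the hunk). The message also says "work order issues" in a function that fetches the work order itself; `"The work order could not be retrieved"` is more accurate.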