From 83d7715f9571cc167be7d54b7f4807ec19d7aa5c Mon Sep 17 00:00:00 2001
From: Janusz Dobrowolski
Date: Fri, 18 Apr 2008 09:59:34 +0000
Subject: [PATCH] Databse INSERT/UPDATE secured against db javscript injection

---
 admin/db/maintenance_db.inc | 2 +-
 gl/includes/db/gl_db_accounts.inc | 4 +--
 purchasing/includes/db/po_db.inc | 32 ++++++++---------
 sales/includes/db/sales_order_db.inc | 51 +++++++++++++++-------------
 sales/sales_order_entry.php | 2 +-
 5 files changed, 48 insertions(+), 43 deletions(-)

diff --git a/admin/db/maintenance_db.inc b/admin/db/maintenance_db.inc
index 49073666..27d36f21 100644
--- a/admin/db/maintenance_db.inc
+++ b/admin/db/maintenance_db.inc
@@ -415,7 +415,7 @@ function db_export($conn, $filename, $zip='no', $comment='')
 if ($field_type[$k] != "" && $field_type[$k] != "NO" && $row2[$k] == "")
 $out .= "NULL";
 else
- $out .= "'" . db_escape($row2[$k]) . "'";
+ $out .= db_escape($row2[$k]);
 if ($k < ($nf - 1))
 $out .= ", ";
 }
diff --git a/gl/includes/db/gl_db_accounts.inc b/gl/includes/db/gl_db_accounts.inc
index 920facba..27503708 100644
--- a/gl/includes/db/gl_db_accounts.inc
+++ b/gl/includes/db/gl_db_accounts.inc
@@ -6,7 +6,7 @@ function add_gl_account($account_code, $account_name, $account_type, $account_co
 $account_name = db_escape($account_name);
 $sql = "INSERT INTO ".TB_PREF."chart_master (account_code, account_code2, account_name, account_type, tax_code)
- VALUES ('$account_code', '$account_code2', '$account_name', $account_type, $tax_code)";
+ VALUES ('$account_code', '$account_code2', $account_name, $account_type, $tax_code)";
 db_query($sql, "could not add gl account");
 } 
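Review bot: The new `$out .= db_escape($row2[$k]);` only yields valid SQL if db_escape() now returns an already-quoted literal; that helper is not part of this patch, and the old call shape (`"'" . db_escape(...) . "'"`) suggests it used to return bare escaped text, so the dependency is invisible at this site. A one-line comment would make it explicit for the next reader, e.g. `// db_escape() returns a quoted SQL literal; do not wrap it in quotes here`. The enclosing db_export() loop starts and ends outside the hunk.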
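Review bot: On the new VALUES line only `$account_name` goes through db_escape(); `$account_code` and `$account_code2` are still interpolated inside hand-written quotes and `$account_type`/`$tax_code` are interpolated bare, so the statement is still assembled from unescaped input despite the commit's aim. The same pattern remains in the update_gl_account hunk that follows. Passing the two string columns through the same helper, `VALUES (" . db_escape($account_code) . ", " . db_escape($account_code2) . ", $account_name, $account_type, $tax_code)";`, keeps the quoting in one place; if account_type and tax_code are numeric ids, an `(int)` cast would pin that as well.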
@@ -14,7 +14,7 @@ function add_gl_account($account_code, $account_name, $account_type, $account_co
 function update_gl_account($account_code, $account_name, $account_type, $account_code2, $tax_code)
 {
 $account_name = db_escape($account_name);
- $sql = "UPDATE ".TB_PREF."chart_master SET account_name='$account_name',
+ $sql = "UPDATE ".TB_PREF."chart_master SET account_name=$account_name,
 account_type=$account_type, account_code2='$account_code2', tax_code=$tax_code WHERE account_code = '$account_code'";
diff --git a/purchasing/includes/db/po_db.inc b/purchasing/includes/db/po_db.inc
index 7e813e04..b8ef5ada 100644
--- a/purchasing/includes/db/po_db.inc
+++ b/purchasing/includes/db/po_db.inc
@@ -19,13 +19,13 @@ function add_po(&$po_obj)
 /*Insert to purchase order header record */
 $sql = "INSERT INTO ".TB_PREF."purch_orders (supplier_id, Comments, ord_date, reference, requisition_no, into_stock_location, delivery_address) VALUES(";
- $sql .= "'" . $po_obj->supplier_id . "', '" .
- db_escape($po_obj->Comments) . "','" .
+ $sql .= "' ". $po_obj->supplier_id . "'," .
+ db_escape($po_obj->Comments) . ",'" .
 date2sql($po_obj->orig_order_date) . "', '" .
- $po_obj->reference . "', '" .
- $po_obj->requisition_no . "', '" .
- $po_obj->Location . "', '" .
- $po_obj->delivery_address . "')";
+ $po_obj->reference . "', " .
+ db_escape($po_obj->requisition_no) . ", " .
+ db_escape($po_obj->Location) . ", " .
+ db_escape($po_obj->delivery_address) . ")";
 db_query($sql, "The purchase order header record could not be inserted"); 
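Review bot: The rewritten opening fragment `$sql .= "' ". $po_obj->supplier_id . "'," .` changes the literal from `'` to `' ` (quote plus space), so the inserted supplier_id value gains a leading space the old code did not produce; it should read `$sql .= "'" . $po_obj->supplier_id . "'," .`. Further down the same hunk `$po_obj->reference . "', " .` is still interpolated inside hand-written quotes while its neighbours now go through db_escape(); `db_escape($po_obj->reference) . ", " .` would close that gap. The body of add_po continues past the hunk.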
@@ -38,8 +38,8 @@ function add_po(&$po_obj)
 if ($po_line->Deleted == false)
 {
 $sql = "INSERT INTO ".TB_PREF."purch_order_details (order_no, item_code, description, delivery_date, unit_price, quantity_ordered) VALUES (";
- $sql .= $po_obj->order_no . ", '" . $po_line->stock_id . "','" .
- $po_line->item_description . "','" .
+ $sql .= $po_obj->order_no . ", " . db_escape($po_line->stock_id). "," .
+ db_escape($po_line->item_description). ",'" .
 date2sql($po_line->req_del_date) . "'," .
 $po_line->price . ", " . $po_line->quantity . ")";
@@ -63,11 +63,11 @@ function update_po(&$po_obj)
 begin_transaction();
 /*Update the purchase order header with any changes */
- $sql = "UPDATE ".TB_PREF."purch_orders SET Comments='" . db_escape($po_obj->Comments) . "',
- requisition_no= '" . $po_obj->requisition_no . "',
- into_stock_location='" . $po_obj->Location . "',
+ $sql = "UPDATE ".TB_PREF."purch_orders SET Comments=" . db_escape($po_obj->Comments) . ",
+ requisition_no= " db_escape(. $po_obj->requisition_no). ",
+ into_stock_location=" . db_escape($po_obj->Location). ",
 ord_date='" . date2sql($po_obj->orig_order_date) . "',
- delivery_address='" . $po_obj->delivery_address . "'";
+ delivery_address=" . db_escape($po_obj->delivery_address);
 $sql .= " WHERE order_no = " . $po_obj->order_no;
 db_query($sql, "The purchase order could not be updated"); 
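Review bot: The added line `requisition_no= " db_escape(. $po_obj->requisition_no). ",` does not parse: the concatenation operator between the string literal and the call is missing, and a stray `.` sits inside the parentheses, so update_po() — and every script that includes po_db.inc — fails to load. It should read `requisition_no= " . db_escape($po_obj->requisition_no) . ",`, matching the into_stock_location line directly below it. update_po() begins before this hunk and continues after it.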
@@ -88,16 +88,16 @@ function update_po(&$po_obj)
 {
 // Sherifoz 21.06.03 Handle adding new lines vs. updating. if no key(po_detail_rec) then it's a new line
 $sql = "INSERT INTO ".TB_PREF."purch_order_details (order_no, item_code, description, delivery_date, unit_price, quantity_ordered) VALUES (";
- $sql .= $po_obj->order_no . ", '" .
- $po_line->stock_id . "','" .
- $po_line->item_description . "','" .
+ $sql .= $po_obj->order_no . "," .
+ db_escape($po_line->stock_id). "," .
+ db_escape($po_line->item_description). ",'" .
 date2sql($po_line->req_del_date) . "'," .
 $po_line->price . ", " . $po_line->quantity . ")";
 }
 else
 {
 $sql = "UPDATE ".TB_PREF."purch_order_details SET item_code='" . $po_line->stock_id . "',
- description ='" . $po_line->item_description . "',
+ description =" . db_escape($po_line->item_description). ",
 delivery_date ='" . date2sql($po_line->req_del_date) . "',
 unit_price=" . $po_line->price . ",
 quantity_ordered=" . $po_line->quantity . "
diff --git a/sales/includes/db/sales_order_db.inc b/sales/includes/db/sales_order_db.inc
index 1b0273df..cb8e416b 100644
--- a/sales/includes/db/sales_order_db.inc
+++ b/sales/includes/db/sales_order_db.inc
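Review bot: In the else branch, `SET item_code='" . $po_line->stock_id . "',` still interpolates stock_id into hand-written quotes, whereas the INSERT branch just above in this hunk now routes the same value through db_escape(); the two branches should agree, i.e. `SET item_code=" . db_escape($po_line->stock_id) . ",`. `unit_price` and `quantity_ordered` are concatenated raw as well; if they are meant to be numeric, an explicit cast would document that. The UPDATE statement is cut off at the end of the hunk and update_po() continues beyond it.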
@@ -54,15 +54,20 @@ function add_sales_order(&$order)
 $sql = "INSERT INTO ".TB_PREF."sales_orders (type, debtor_no, branch_code, customer_ref, comments, ord_date, order_type, ship_via, deliver_to, delivery_address, contact_phone, contact_email, freight_cost, from_stk_loc, delivery_date)
- VALUES ('" . $order_type . "', '" . $order->customer_id . "', '" . $order->Branch . "', '".
- $order->cust_ref ."','". db_escape($order->Comments) ."','" .
- date2sql($order->document_date) . "', '" .
- $order->sales_type . "', " .
- $_POST['ship_via'] .",'" . $order->deliver_to . "', '" .
- $order->delivery_address . "', '" .
- $order->phone . "', '" . $order->email . "', " .
- $order->freight_cost .", '" . $order->Location ."', '" .
- $del_date . "')";
+ VALUES (" .db_quote($order_type) . "," . db_quote($order->customer_id) .
+ ", " . db_quote($order->Branch) . ", ".
+ db_quote($order->cust_ref) .",".
+ db_quote($order->Comments) .",'" .
+ date2sql($order->document_date) . "', " .
+ db_quote($order->sales_type) . ", " .
+ $_POST['ship_via'] ."," .
+ db_quote($order->deliver_to) . "," .
+ db_quote($order->delivery_address) . ", " .
+ db_quote($order->phone) . ", " .
+ db_quote($order->email) . ", " .
+ db_quote($order->freight_cost) .", " .
+ db_quote($order->Location) .", " .
+ db_quote($del_date) . ")";
 db_query($sql, "order Cannot be Added"); 
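Review bot: `$_POST['ship_via'] ."," .` still concatenates a request parameter straight into the INSERT while every other column on the new side is now wrapped in db_quote(), so the statement is not secured end-to-end; `db_quote($_POST['ship_via']) . "," .` (or an explicit `(int)` cast if ship_via is a numeric id) closes the remaining gap. This hunk also introduces db_quote() whereas the rest of the patch uses db_escape(); neither helper is defined in the diff, so it is worth confirming that db_quote() exists and quotes rather than merely escapes. add_sales_order() starts and ends outside the hunk.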
@@ -177,20 +182,20 @@ function update_sales_order($order)
 begin_transaction();
 $sql = "UPDATE ".TB_PREF."sales_orders SET type =".$order->so_type." ,
- debtor_no = '" . $order->customer_id . "',
- branch_code = '" . $order->Branch . "',
- customer_ref = '". $order->cust_ref ."',
- comments = '". db_escape($order->Comments) ."',
- ord_date = '" . $ord_date . "',
- order_type = '" . $order->sales_type . "',
- ship_via = " . $order->ship_via .",
- deliver_to = '" . $order->deliver_to . "',
- delivery_address = '" . $order->delivery_address . "',
- contact_phone = '" . $order->phone . "',
- contact_email = '" . $order->email . "',
- freight_cost = " . $order->freight_cost .",
- from_stk_loc = '" . $order->Location ."',
- delivery_date = '" . $del_date . "',
+ debtor_no = " . db_quote($order->customer_id) . ",
+ branch_code = " . db_quote($order->Branch) . ",
+ customer_ref = ". db_quote($order->cust_ref) .",
+ comments = ". db_quote($order->Comments) .",
+ ord_date = " . db_quote($ord_date) . ",
+ order_type = " .db_quote($order->sales_type) . ",
+ ship_via = " . db_quote($order->ship_via) .",
+ deliver_to = " . db_quote($order->deliver_to) . ",
+ delivery_address = " . db_quote($order->delivery_address) . ",
+ contact_phone = " .db_quote($order->phone) . ",
+ contact_email = " .db_quote($order->email) . ",
+ freight_cost = " .db_quote($order->freight_cost) .",
+ from_stk_loc = " .db_quote($order->Location) .",
+ delivery_date = " .db_quote($del_date). ",
 version = ".($version+1)."
 WHERE order_no=" . $order_no ." AND version=".$version;
diff --git a/sales/sales_order_entry.php b/sales/sales_order_entry.php
index 16098b0f..25d381a4 100644
--- a/sales/sales_order_entry.php
+++ b/sales/sales_order_entry.php
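Review bot: The first SET line, `type =".$order->so_type." ,`, is still raw concatenation while every column below it now goes through db_quote(); `type = " . db_quote($order->so_type) . " ,` would bring it in line, with an `(int)` cast as the alternative if so_type is numeric. `ord_date` and `delivery_date` here are handed to db_quote() as-is, whereas add_sales_order() in the previous file wraps document_date in date2sql(); presumably `$ord_date` and `$del_date` are converted before this hunk, but that assignment is outside it and worth verifying. The WHERE clause's `$order_no` and `$version` are likewise left untouched.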
@@ -135,7 +135,7 @@ function copy_to_cart()
 if ($cart->trans_type!=30) {
 $cart->reference = $_POST['ref'];
 }
- $cart->Comments = str_replace("'", "\\'", $_POST['Comments']);
+ $cart->Comments = $_POST['Comments'];
 $cart->document_date = $_POST['OrderDate'];
 $cart->due_date = $_POST['delivery_date'];
-- 
2.30.2
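Review bot: With the hand-rolled `str_replace("'", "\\'", ...)` gone, `$cart->Comments` now carries the raw form value, and correctness relies on every consumer quoting it at the SQL boundary (add_sales_order() and update_sales_order() in this patch do so via db_quote()). A short comment at the assignment would stop someone reintroducing escaping here and causing double-escaping, e.g. `// keep the raw input: quoting happens once at the DB layer (db_quote in sales_order_db.inc)`. copy_to_cart() continues beyond the hunk.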