From c55119ade6f4c6bd4acdfa55c46870187f408978 Mon Sep 17 00:00:00 2001
From: Joe Hunt
Date: Fri, 18 Apr 2008 15:19:27 +0000
Subject: [PATCH] Committed with db_escape instead of db_quote

---
 includes/db/comments_db.inc | 4 ++--
 includes/db/inventory_db.inc | 2 +-
 includes/db/references_db.inc | 4 ++--
 inventory/includes/db/items_category_db.inc | 4 ++--
 inventory/includes/db/items_db.inc | 6 +++---
 inventory/includes/db/items_locations_db.inc | 10 +++++-----
 inventory/includes/db/items_units_db.inc | 8 ++++----
 inventory/includes/db/movement_types_db.inc | 4 ++--
 manufacturing/includes/db/work_centres_db.inc | 4 ++--
 manufacturing/includes/db/work_order_issues_db.inc | 4 ++--
 .../includes/db/work_order_produce_items_db.inc | 2 +-
 manufacturing/includes/db/work_orders_db.inc | 4 ++--
 manufacturing/includes/db/work_orders_quick_db.inc | 2 +-
 13 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/includes/db/comments_db.inc b/includes/db/comments_db.inc
index 6f9ba120..fd7af9c5 100644
--- a/includes/db/comments_db.inc
+++ b/includes/db/comments_db.inc
@@ -17,7 +17,7 @@ function add_comments($type, $type_no, $date_, $memo_)
 {
 $date = date2sql($date_);
 $sql = "INSERT INTO ".TB_PREF."comments (type, id, date_, memo_)
- VALUES ($type, $type_no, '$date', ".db_quote($memo_).")";
+ VALUES ($type, $type_no, '$date', ".db_escape($memo_).")";
 db_query($sql, "could not add comments transaction entry");
 }
 
@@ -35,7 +35,7 @@ function update_comments($type, $id, $date_, $memo_)
 else
 {
 $date = date2sql($date_);
- $sql = "UPDATE ".TB_PREF."comments SET memo_=".db_quote($memo_)." WHERE type=$type AND id=$id AND date_='$date'";
+ $sql = "UPDATE ".TB_PREF."comments SET memo_=".db_escape($memo_)." WHERE type=$type AND id=$id AND date_='$date'";
 db_query($sql, "could not update comments");
 }
 }
diff --git a/includes/db/inventory_db.inc b/includes/db/inventory_db.inc
index 84893a11..562c8d1b 100644
--- a/includes/db/inventory_db.inc
+++ b/includes/db/inventory_db.inc
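Review bot: On the `+` line of add_comments only `memo_` is protected by the switch to db_escape; `$type`, `$type_no` and `'$date'` are still interpolated raw into the statement, and update_comments does the same with `$type`, `$id` and `'$date'` in its WHERE clause, so the escaping is only partial — the numeric values should at least be cast, e.g. `VALUES (".(int)$type.", ".(int)$type_no.", '$date', ".db_escape($memo_).")"`. The same partial coverage runs through every other hunk of the patch: `'$stock_id'`/`'$person_id'` in inventory_db.inc, `$type`/`$id` in references_db.inc, `'$ItemCategory'` in items_category_db.inc, `'$category_id'`, `'$units'` and the account columns in items_db.inc, `WHERE loc_code = '$loc_code'` in items_locations_db.inc, `$decimals` and `WHERE abbr = '$selected'` in items_units_db.inc, `$type_id` in movement_types_db.inc and work_centres_db.inc, `$woid`/`$workcentre` in work_order_issues_db.inc, `$quantity` in work_order_produce_items_db.inc, and `'$stock_id'`/`$units_reqd`/`$type` in work_orders_db.inc and work_orders_quick_db.inc. Whether those values arrive from request input is not visible in the diff, but `$selected` and the WHERE-side `$loc_code` are the same columns the hunks now escape on the SET/INSERT side, so treating them differently within one statement is hard to justify. `$date` comes from date2sql() in every hunk that shows it and is presumably already normalised, which is why it is not listed. Both add_comments and update_comments begin before their hunks.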
@@ -90,7 +90,7 @@ function add_stock_move($type, $stock_id, $trans_no, $location, $sql = "INSERT INTO ".TB_PREF."stock_moves (stock_id, trans_no, type, loc_code, tran_date, person_id, reference, qty, standard_cost, visible, price, discount_percent) VALUES ('$stock_id', $trans_no, $type, - ".db_quote($location).", '$date', '$person_id', ".db_quote($reference).", $quantity, $std_cost, + ".db_escape($location).", '$date', '$person_id', ".db_escape($reference).", $quantity, $std_cost, $show_or_hide, $price, $discount_percent)"; if ($error_msg == "") diff --git a/includes/db/references_db.inc b/includes/db/references_db.inc index 9b769859..a41597f9 100644 --- a/includes/db/references_db.inc +++ b/includes/db/references_db.inc @@ -14,7 +14,7 @@ function get_reference($type, $id) function add_reference($type, $id, $reference) { $sql = "INSERT INTO ".TB_PREF."refs (type, id, reference) - VALUES ($type, $id, " . db_quote(trim($reference)) . ")"; + VALUES ($type, $id, " . db_escape(trim($reference)) . ")"; db_query($sql, "could not add reference entry"); } @@ -43,7 +43,7 @@ function find_reference($type, $reference) function save_next_reference($type, $reference) { - $sql = "UPDATE ".TB_PREF."sys_types SET next_reference=" . db_quote(trim($reference)) . " WHERE type_id = $type"; + $sql = "UPDATE ".TB_PREF."sys_types SET next_reference=" . db_escape(trim($reference)) . " WHERE type_id = $type"; db_query($sql, "The next transaction ref for $type could not be updated"); } diff --git a/inventory/includes/db/items_category_db.inc b/inventory/includes/db/items_category_db.inc index 5372e0af..8883b5f2 100644 --- a/inventory/includes/db/items_category_db.inc +++ b/inventory/includes/db/items_category_db.inc @@ -4,7 +4,7 @@ function add_item_category($description) { $sql = "INSERT INTO ".TB_PREF."stock_category (description) - VALUES (".db_quote($description).")"; + VALUES (".db_escape($description).")"; db_query($sql,"an item category could not be added"); } 
@@ -12,7 +12,7 @@ function add_item_category($description) function update_item_category($ItemCategory, $description) { - $sql = "UPDATE ".TB_PREF."stock_category SET description = ".db_quote($description)." + $sql = "UPDATE ".TB_PREF."stock_category SET description = ".db_escape($description)." WHERE category_id = '$ItemCategory'"; db_query($sql,"an item category could not be updated"); diff --git a/inventory/includes/db/items_db.inc b/inventory/includes/db/items_db.inc index 3e5e860e..f9f60a47 100644 --- a/inventory/includes/db/items_db.inc +++ b/inventory/includes/db/items_db.inc @@ -4,8 +4,8 @@ function update_item($stock_id, $description, $long_description, $category_id, $ $sales_account, $inventory_account, $cogs_account, $adjustment_account, $assembly_account, $dimension_id, $dimension2_id) { - $sql = "UPDATE ".TB_PREF."stock_master SET long_description=".db_quote($long_description).", - description=".db_quote($description).", + $sql = "UPDATE ".TB_PREF."stock_master SET long_description=".db_escape($long_description).", + description=".db_escape($description).", category_id='$category_id', sales_account='$sales_account', inventory_account='$inventory_account', @@ -27,7 +27,7 @@ function add_item($stock_id, $description, $long_description, $category_id, $tax $sql = "INSERT INTO ".TB_PREF."stock_master (stock_id, description, long_description, category_id, tax_type_id, units, mb_flag, sales_account, inventory_account, cogs_account, adjustment_account, assembly_account, dimension_id, dimension2_id) - VALUES (".db_quote($stock_id).", ".db_quote($description).", ".db_quote($long_description).", + VALUES (".db_escape($stock_id).", ".db_escape($description).", ".db_escape($long_description).", '$category_id', $tax_type_id, '$units', '$mb_flag', '$sales_account', '$inventory_account', '$cogs_account', '$adjustment_account', '$assembly_account', $dimension_id, $dimension2_id)"; 
diff --git a/inventory/includes/db/items_locations_db.inc b/inventory/includes/db/items_locations_db.inc index aeaee0df..66120c30 100644 --- a/inventory/includes/db/items_locations_db.inc +++ b/inventory/includes/db/items_locations_db.inc @@ -3,7 +3,7 @@ function add_item_location($loc_code, $location_name, $delivery_address, $phone, $fax, $email, $contact) { $sql = "INSERT INTO ".TB_PREF."locations (loc_code, location_name, delivery_address, phone, fax, email, contact) - VALUES (".db_quote($loc_code).", ".db_quote($location_name).", ".db_quote($delivery_address).", ".db_quote($phone).", ".db_quote($fax).", ".db_quote($email).", ".db_quote($contact).")"; + VALUES (".db_escape($loc_code).", ".db_escape($location_name).", ".db_escape($delivery_address).", ".db_escape($phone).", ".db_escape($fax).", ".db_escape($email).", ".db_escape($contact).")"; db_query($sql,"a location could not be added"); @@ -19,10 +19,10 @@ function add_item_location($loc_code, $location_name, $delivery_address, $phone, function update_item_location($loc_code, $location_name, $delivery_address, $phone, $fax, $email, $contact) { - $sql = "UPDATE ".TB_PREF."locations SET location_name=".db_quote($location_name).", - delivery_address=".db_quote($delivery_address).", - phone=".db_quote($phone).", fax=".db_quote($fax).", - email=".db_quote($email).", contact=".db_quote($contact)." + $sql = "UPDATE ".TB_PREF."locations SET location_name=".db_escape($location_name).", + delivery_address=".db_escape($delivery_address).", + phone=".db_escape($phone).", fax=".db_escape($fax).", + email=".db_escape($email).", contact=".db_escape($contact)." WHERE loc_code = '$loc_code'"; db_query($sql,"a location could not be updated"); diff --git a/inventory/includes/db/items_units_db.inc b/inventory/includes/db/items_units_db.inc index 05cb544c..f7ad5f65 100644 --- a/inventory/includes/db/items_units_db.inc +++ b/inventory/includes/db/items_units_db.inc 
@@ -4,14 +4,14 @@ function write_item_unit($selected, $abbr, $description, $decimals) { if($selected!='') $sql = "UPDATE ".TB_PREF."item_units SET - abbr = ".db_quote($abbr).", - name = ".db_quote($description).", + abbr = ".db_escape($abbr).", + name = ".db_escape($description).", decimals = $decimals WHERE abbr = '$selected'"; else $sql = "INSERT INTO ".TB_PREF."item_units - (abbr, name, decimals) VALUES( ".db_quote($abbr).", - ".db_quote($description).", $decimals)"; + (abbr, name, decimals) VALUES( ".db_escape($abbr).", + ".db_escape($description).", $decimals)"; db_query($sql,"an item unit could not be updated"); } diff --git a/inventory/includes/db/movement_types_db.inc b/inventory/includes/db/movement_types_db.inc index 28021719..73c19a21 100644 --- a/inventory/includes/db/movement_types_db.inc +++ b/inventory/includes/db/movement_types_db.inc @@ -3,14 +3,14 @@ function add_movement_type($name) { $sql = "INSERT INTO ".TB_PREF."movement_types (name) - VALUES (".db_quote($name).")"; + VALUES (".db_escape($name).")"; db_query($sql, "could not add item movement type"); } function update_movement_type($type_id, $name) { - $sql = "UPDATE ".TB_PREF."movement_types SET name=".db_quote($name)." + $sql = "UPDATE ".TB_PREF."movement_types SET name=".db_escape($name)." WHERE id=$type_id"; db_query($sql, "could not update item movement type"); diff --git a/manufacturing/includes/db/work_centres_db.inc b/manufacturing/includes/db/work_centres_db.inc index a2255c32..1338d5d0 100644 --- a/manufacturing/includes/db/work_centres_db.inc +++ b/manufacturing/includes/db/work_centres_db.inc 
@@ -3,14 +3,14 @@ function add_work_centre($name, $description) { $sql = "INSERT INTO ".TB_PREF."workcentres (name, description) - VALUES (".db_quote($name).",".db_quote($description).")"; + VALUES (".db_escape($name).",".db_escape($description).")"; db_query($sql, "could not add work centre"); } function update_work_centre($type_id, $name, $description) { - $sql = "UPDATE ".TB_PREF."workcentres SET name=".db_quote($name).", description=".db_quote($description)." + $sql = "UPDATE ".TB_PREF."workcentres SET name=".db_escape($name).", description=".db_escape($description)." WHERE id=$type_id"; db_query($sql, "could not update work centre"); diff --git a/manufacturing/includes/db/work_order_issues_db.inc b/manufacturing/includes/db/work_order_issues_db.inc index a2a6a418..9474da08 100644 --- a/manufacturing/includes/db/work_order_issues_db.inc +++ b/manufacturing/includes/db/work_order_issues_db.inc @@ -25,8 +25,8 @@ function add_work_order_issue($woid, $ref, $to_work_order, $items, $location, $w // insert the actual issue $sql = "INSERT INTO ".TB_PREF."wo_issues (workorder_id, reference, issue_date, loc_code, workcentre_id) - VALUES ($woid, ".db_quote($ref).", '" . - date2sql($date_) . "', ".db_quote($location).", $workcentre)"; + VALUES ($woid, ".db_escape($ref).", '" . + date2sql($date_) . "', ".db_escape($location).", $workcentre)"; db_query($sql,"The work order issue could not be added"); $number = db_insert_id(); diff --git a/manufacturing/includes/db/work_order_produce_items_db.inc b/manufacturing/includes/db/work_order_produce_items_db.inc index 8c3f8d07..d005772e 100644 --- a/manufacturing/includes/db/work_order_produce_items_db.inc +++ b/manufacturing/includes/db/work_order_produce_items_db.inc 
@@ -22,7 +22,7 @@ function work_order_produce($woid, $ref, $quantity, $date_, $memo_, $close_wo) $date = date2sql($date_); $sql = "INSERT INTO ".TB_PREF."wo_manufacture (workorder_id, reference, quantity, date_) - VALUES ($woid, ".db_quote($ref).", $quantity, '$date')"; + VALUES ($woid, ".db_escape($ref).", $quantity, '$date')"; db_query($sql,"A work order manufacture could not be added"); diff --git a/manufacturing/includes/db/work_orders_db.inc b/manufacturing/includes/db/work_orders_db.inc index 58f3d82d..bc371a8a 100644 --- a/manufacturing/includes/db/work_orders_db.inc +++ b/manufacturing/includes/db/work_orders_db.inc @@ -42,7 +42,7 @@ function add_work_order($wo_ref, $loc_code, $units_reqd, $stock_id, $sql = "INSERT INTO ".TB_PREF."workorders (wo_ref, loc_code, units_reqd, stock_id, type, date_, required_by) - VALUES (".db_quote($wo_ref).", ".db_quote($loc_code).", $units_reqd, '$stock_id', + VALUES (".db_escape($wo_ref).", ".db_escape($loc_code).", $units_reqd, '$stock_id', $type, '$date', '$required')"; db_query($sql, "could not add work order"); @@ -70,7 +70,7 @@ function update_work_order($woid, $loc_code, $units_reqd, $stock_id, $date = date2sql($date_); $required = date2sql($required_by); - $sql = "UPDATE ".TB_PREF."workorders SET loc_code=".db_quote($loc_code).", + $sql = "UPDATE ".TB_PREF."workorders SET loc_code=".db_escape($loc_code).", units_reqd=$units_reqd, stock_id='$stock_id', required_by='$required', date_='$date' diff --git a/manufacturing/includes/db/work_orders_quick_db.inc b/manufacturing/includes/db/work_orders_quick_db.inc index a687837d..cb16e374 100644 --- a/manufacturing/includes/db/work_orders_quick_db.inc +++ b/manufacturing/includes/db/work_orders_quick_db.inc 
@@ -18,7 +18,7 @@ function add_work_order_quick($wo_ref, $loc_code, $units_reqd, $stock_id, $type, $sql = "INSERT INTO ".TB_PREF."workorders (wo_ref, loc_code, units_reqd, units_issued, stock_id, type, additional_costs, date_, released_date, required_by, released, closed) - VALUES (".db_quote($wo_ref).", ".db_quote($loc_code).", $units_reqd, $units_reqd, '$stock_id', + VALUES (".db_escape($wo_ref).", ".db_escape($loc_code).", $units_reqd, $units_reqd, '$stock_id', $type, $additional_costs, '$date', '$date', '$date', 1, 1)"; db_query($sql, "could not add work order"); -- 2.30.2
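Review bot: The INSERT on the `+` line fixes `released` and `closed` to the literals `1, 1`, writes `$units_reqd` into both `units_reqd` and `units_issued`, and uses the same `'$date'` for `date_`, `released_date` and `required_by`, and nothing in the hunk explains why; a comment above the `$sql =` line such as `// quick work order: units_issued = units_reqd, released = closed = 1, all three dates = $date` would record the intent. If those invariants are deliberate they also deserve a docblock on add_work_order_quick, whose signature starts before the hunk and whose body continues after it.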