Security update: SQL statements hardened against SQL injection attacks.
[fa-stable.git] / gl / gl_budget.php
index 6c4db5270eb023b5168c676915747c84b0b1c66a..7945f171107924d7612faee2793c80cecdcc038f 100644 (file)
@@ -27,8 +27,9 @@ check_db_has_gl_account_groups(_("There are no account groups defined. Please de
 
 function exists_gl_budget($date_, $account, $dimension, $dimension2)
 {
-       $sql = "SELECT account FROM ".TB_PREF."budget_trans WHERE account='$account' AND tran_date='$date_' AND
-               dimension_id=$dimension AND dimension2_id=$dimension2";
+       $sql = "SELECT account FROM ".TB_PREF."budget_trans WHERE account=".db_escape($account)
+       ." AND tran_date='$date_' AND
+               dimension_id=".db_escape($dimension)." AND dimension2_id=".db_escape($dimension2);
        $result = db_query($sql, "Cannot retreive a gl transaction");
 
     return (db_num_rows($result) > 0);
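Review bot: `tran_date='$date_'` in the rewritten SELECT is still interpolated straight into the statement, so this hunk escapes three of the four predicates and leaves the fourth as it was; `$date_` is a caller-supplied parameter and should go through the same helper, e.g. `." AND tran_date=".db_escape($date_)." AND`. The same gap remains in the other three hunks of this file: add_update_gl_budget_trans (`'$date'` in both the UPDATE and the INSERT), delete_gl_budget_trans (`'$date'`) and get_only_budget_trans_from_to (`'$from'`, `'$to'`). In those functions the value is the return of date2sql(), which presumably reformats user-entered text rather than validating it as a date — worth confirming that it cannot pass a quote through before relying on it unescaped. The closing brace of exists_gl_budget lies outside this hunk.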
@@ -39,12 +40,16 @@ function add_update_gl_budget_trans($date_, $account, $dimension, $dimension2, $
        $date = date2sql($date_);
 
        if (exists_gl_budget($date, $account, $dimension, $dimension2))
-               $sql = "UPDATE ".TB_PREF."budget_trans SET amount=$amount WHERE account='$account' AND
-                       dimension_id=$dimension AND dimension2_id=$dimension2 AND tran_date='$date'";
+               $sql = "UPDATE ".TB_PREF."budget_trans SET amount=".db_escape($amount)
+               ." WHERE account=".db_escape($account)
+               ." AND dimension_id=".db_escape($dimension)
+               ." AND dimension2_id=".db_escape($dimension2)
+               ." AND tran_date='$date'";
        else
                $sql = "INSERT INTO ".TB_PREF."budget_trans (tran_date,
                        account, dimension_id, dimension2_id, amount, memo_) VALUES ('$date',
-                       '$account', $dimension, $dimension2, $amount, '')";
+                       ".db_escape($account).", ".db_escape($dimension).", "
+                       .db_escape($dimension2).", ".db_escape($amount).", '')";
 
        db_query($sql, "The GL budget transaction could not be saved");
 }
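Review bot: The `if`/`else` keeps the brace-less single-statement form while each branch has grown into a five-line concatenated assignment, which is hard to read and will silently mis-scope any statement later added to either branch. Wrap both branches in `{ }` so the UPDATE and INSERT bodies are visibly delimited. The function's signature line is outside this hunk.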
@@ -53,8 +58,10 @@ function delete_gl_budget_trans($date_, $account, $dimension, $dimension2)
 {
        $date = date2sql($date_);
 
-       $sql = "DELETE FROM ".TB_PREF."budget_trans WHERE account='$account' AND
-                       dimension_id=$dimension AND dimension2_id=$dimension2 AND tran_date='$date'";
+       $sql = "DELETE FROM ".TB_PREF."budget_trans WHERE account=".db_escape($account)
+       ." AND dimension_id=".db_escape($dimension)
+       ." AND dimension2_id=".db_escape($dimension2)
+       ." AND tran_date='$date'";
        db_query($sql, "The GL budget transaction could not be deleted");
 }
 
@@ -65,8 +72,10 @@ function get_only_budget_trans_from_to($from_date, $to_date, $account, $dimensio
        $to = date2sql($to_date);
 
        $sql = "SELECT SUM(amount) FROM ".TB_PREF."budget_trans
-               WHERE account='$account' AND tran_date >= '$from' AND tran_date <= '$to'
-                AND dimension_id = $dimension AND dimension2_id = $dimension2";
+               WHERE account=".db_escape($account)
+               ." AND tran_date >= '$from' AND tran_date <= '$to'
+                AND dimension_id = ".db_escape($dimension)
+                ." AND dimension2_id = ".db_escape($dimension2);
        $result = db_query($sql,"No budget accounts were returned");
 
        $row = db_fetch_row($result);
@@ -142,7 +151,7 @@ if (db_has_gl_accounts())
        table_header($th);
        $year = $_POST['fyear'];
        if (get_post('update') == '') {
-               $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=$year";
+               $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=".db_escape($year);
 
                $result = db_query($sql, "could not get current fiscal year");