projects / fa-stable.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Security statements update against sql injection attacks.
[fa-stable.git] / inventory / includes / db / items_db.inc
diff --git a/inventory/includes/db/items_db.inc b/inventory/includes/db/items_db.inc
index e336155254177289c0af78e8a2ac0448287beda6..dfe259482d121b5464ba0bcdd2a5ed783733af4f 100644 (file)
--- a/inventory/includes/db/items_db.inc
+++ b/inventory/includes/db/items_db.inc
@@ -15,16 +15,16 @@ function update_item($stock_id, $description, $long_description, $category_id, $
 {
        $sql = "UPDATE ".TB_PREF."stock_master SET long_description=".db_escape($long_description).",
                description=".db_escape($description).",
-               category_id='$category_id',
-               sales_account='$sales_account',
-               inventory_account='$inventory_account',
-               cogs_account='$cogs_account',
-               adjustment_account='$adjustment_account',
-               assembly_account='$assembly_account',
-               dimension_id=$dimension_id,
-               dimension2_id=$dimension2_id,
-               tax_type_id=$tax_type_id
-               WHERE stock_id='$stock_id'";
+               category_id=".db_escape($category_id).",
+               sales_account=".db_escape($sales_account).",
+               inventory_account=".db_escape($inventory_account).",
+               cogs_account=".db_escape($cogs_account).",
+               adjustment_account=".db_escape($adjustment_account).",
+               assembly_account=".db_escape($assembly_account).",
+               dimension_id=".db_escape($dimension_id).",
+               dimension2_id=".db_escape($dimension2_id).",
+               tax_type_id=".db_escape($tax_type_id)."
+               WHERE stock_id=".db_escape($stock_id);
 
        db_query($sql, "The item could not be updated");
 
@@ -39,14 +39,18 @@ function add_item($stock_id, $description, $long_description, $category_id, $tax
                tax_type_id, units, mb_flag, sales_account, inventory_account, cogs_account,
                adjustment_account, assembly_account, dimension_id, dimension2_id)
                VALUES (".db_escape($stock_id).", ".db_escape($description).", ".db_escape($long_description).",
-               '$category_id', $tax_type_id, '$units', '$mb_flag',
-               '$sales_account', '$inventory_account', '$cogs_account',
-               '$adjustment_account', '$assembly_account', $dimension_id, $dimension2_id)";
+               ".db_escape($category_id).", ".db_escape($tax_type_id).", "
+               .db_escape($units).", ".db_escape($mb_flag).",
+               ".db_escape($sales_account).", ".db_escape($inventory_account)
+               .", ".db_escape($cogs_account).",".db_escape($adjustment_account)
+               .", ".db_escape($assembly_account).", "
+               .db_escape($dimension_id).", ".db_escape($dimension2_id).")";
 
        db_query($sql, "The item could not be added");
 
        $sql = "INSERT INTO ".TB_PREF."loc_stock (loc_code, stock_id)
-               SELECT ".TB_PREF."locations.loc_code, '$stock_id' FROM ".TB_PREF."locations";
+               SELECT ".TB_PREF."locations.loc_code, ".db_escape($stock_id)
+               ." FROM ".TB_PREF."locations";
 
        db_query($sql, "The item locstock could not be added");
 
@@ -55,23 +59,23 @@ function add_item($stock_id, $description, $long_description, $category_id, $tax
 
 function delete_item($stock_id)
 {
-       $sql="DELETE FROM ".TB_PREF."stock_master WHERE stock_id='$stock_id'";
+       $sql="DELETE FROM ".TB_PREF."stock_master WHERE stock_id=".db_escape($stock_id);
        db_query($sql, "could not delete stock item");
 
        /*and cascade deletes in loc_stock */
-       $sql ="DELETE FROM ".TB_PREF."loc_stock WHERE stock_id='$stock_id'";
+       $sql ="DELETE FROM ".TB_PREF."loc_stock WHERE stock_id=".db_escape($stock_id);
        db_query($sql, "could not delete stock item loc stock");
 
        /*and cascade deletes in purch_data */
-       $sql ="DELETE FROM ".TB_PREF."purch_data WHERE stock_id='$stock_id'";
+       $sql ="DELETE FROM ".TB_PREF."purch_data WHERE stock_id=".db_escape($stock_id);
        db_query($sql, "could not delete stock item purch data");
 
        /*and cascade deletes in prices */
-       $sql ="DELETE FROM ".TB_PREF."prices WHERE stock_id='$stock_id'";
+       $sql ="DELETE FROM ".TB_PREF."prices WHERE stock_id=".db_escape($stock_id);
        db_query($sql, "could not delete stock item prices");
 
        /*and cascade delete the bill of material if any */
-       $sql = "DELETE FROM ".TB_PREF."bom WHERE parent='$stock_id'";
+       $sql = "DELETE FROM ".TB_PREF."bom WHERE parent=".db_escape($stock_id);
        db_query($sql, "could not delete stock item bom");
 
        delete_item_kit($stock_id);
@@ -82,7 +86,7 @@ function get_item($stock_id)
        $sql = "SELECT ".TB_PREF."stock_master.*,".TB_PREF."item_tax_types.name AS tax_type_name
                FROM ".TB_PREF."stock_master,".TB_PREF."item_tax_types
                WHERE ".TB_PREF."item_tax_types.id=".TB_PREF."stock_master.tax_type_id
-               AND stock_id='$stock_id'";
+               AND stock_id=".db_escape($stock_id);
        $result = db_query($sql,"an item could not be retreived");
 
        return db_fetch($result);
FrontAccounting stable branch