projects / fa-stable.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Security update merged from 2.1.
[fa-stable.git] / purchasing / includes / db / grn_db.inc
diff --git a/purchasing/includes/db/grn_db.inc b/purchasing/includes/db/grn_db.inc
index 07c53190804aa7a64c70381b405adc70fd25b5f4..84a2f938ad83de9ecb9eeddf6fbefe2484ffa6e0 100644 (file)
--- a/purchasing/includes/db/grn_db.inc
+++ b/purchasing/includes/db/grn_db.inc
@@ -21,7 +21,7 @@ function update_average_material_cost($supplier, $stock_id, $price, $qty, $date,
                $price_in_home_currency = to_home_currency($price, $currency, $date);
        else
                $price_in_home_currency = $price;
-       $sql = "SELECT material_cost FROM ".TB_PREF."stock_master WHERE stock_id='$stock_id'";
+       $sql = "SELECT material_cost FROM ".TB_PREF."stock_master WHERE stock_id=".db_escape($stock_id);
        $result = db_query($sql);
        $myrow = db_fetch($result);
        $material_cost = $myrow['material_cost'];
@@ -44,7 +44,7 @@ function update_average_material_cost($supplier, $stock_id, $price, $qty, $date,
                $material_cost = ($qoh * $material_cost + $qty * $price_in_home_currency) /     ($qoh + $qty);
 
        $sql = "UPDATE ".TB_PREF."stock_master SET material_cost=".db_escape($material_cost)."
-               WHERE stock_id='$stock_id'";
+               WHERE stock_id=".db_escape($stock_id);
        db_query($sql,"The cost details for the inventory item could not be updated");
        return $material_cost;
 }
@@ -125,15 +125,17 @@ function add_grn_detail_item($grn_batch_id, $po_detail_item, $item_code, $descri
        $quantity_received, $price)
 {
        $sql = "UPDATE ".TB_PREF."purch_order_details
-        SET quantity_received = quantity_received + $quantity_received,
-        std_cost_unit=$standard_unit_cost,
-        act_price=$price
-        WHERE po_detail_item = $po_detail_item";
+        SET quantity_received = quantity_received + ".db_escape($quantity_received).",
+        std_cost_unit=".db_escape($standard_unit_cost).",
+        act_price=".db_escape($price)."
+        WHERE po_detail_item = ".db_escape($po_detail_item);
 
        db_query($sql, "a purchase order details record could not be updated. This receipt of goods has not been processed ");
 
        $sql = "INSERT INTO ".TB_PREF."grn_items (grn_batch_id, po_detail_item, item_code, description, qty_recd)
-               VALUES ($grn_batch_id, $po_detail_item, ".db_escape($item_code).", ".db_escape($description).", $quantity_received)";
+               VALUES (".db_escape($grn_batch_id).", "
+               .db_escape($po_detail_item).", ".db_escape($item_code).", ".db_escape($description)
+               .", ".db_escape($quantity_received).")";
 
        db_query($sql, "A GRN detail item could not be inserted.");
 
@@ -143,7 +145,7 @@ function add_grn_detail_item($grn_batch_id, $po_detail_item, $item_code, $descri
 //----------------------------------------------------------------------------------------
 function get_grn_batch_from_item($item)
 {
-       $sql = "SELECT grn_batch_id FROM ".TB_PREF."grn_items WHERE id=$item";
+       $sql = "SELECT grn_batch_id FROM ".TB_PREF."grn_items WHERE id=".db_escape($item);
        $result = db_query($sql, "Could not retreive GRN batch id");
        $row = db_fetch_row($result);
        return $row[0];
@@ -151,7 +153,7 @@ function get_grn_batch_from_item($item)
 
 function get_grn_batch($grn)
 {
-       $sql = "SELECT * FROM ".TB_PREF."grn_batch WHERE id=$grn";
+       $sql = "SELECT * FROM ".TB_PREF."grn_batch WHERE id=".db_escape($grn);
        $result = db_query($sql, "Could not retreive GRN batch id");
        return db_fetch($result);
 }
@@ -164,23 +166,26 @@ function set_grn_item_credited(&$entered_grn, $supplier, $transno, $date)
        $sql = "SELECT ".TB_PREF."grn_batch.*, ".TB_PREF."grn_items.*
        FROM ".TB_PREF."grn_batch, ".TB_PREF."grn_items
        WHERE ".TB_PREF."grn_items.grn_batch_id=".TB_PREF."grn_batch.id
-               AND ".TB_PREF."grn_items.id=$entered_grn->id
-       AND ".TB_PREF."grn_items.item_code='$entered_grn->item_code' ";
+               AND ".TB_PREF."grn_items.id=".db_escape($entered_grn->id)."
+       AND ".TB_PREF."grn_items.item_code=".db_escape($entered_grn->item_code);
        $result = db_query($sql, "Could not retreive GRNS");
        $myrow = db_fetch($result);
 
        $sql = "UPDATE ".TB_PREF."purch_order_details
-        SET quantity_received = quantity_received + $entered_grn->this_quantity_inv,
-        quantity_ordered = quantity_ordered + $entered_grn->this_quantity_inv,
-        qty_invoiced = qty_invoiced + $entered_grn->this_quantity_inv,
-        std_cost_unit=$mcost,
-        act_price=$entered_grn->chg_price
+        SET quantity_received = quantity_received + "
+               .db_escape($entered_grn->this_quantity_inv).",
+        quantity_ordered = quantity_ordered + "
+        .db_escape($entered_grn->this_quantity_inv).",
+        qty_invoiced = qty_invoiced + ".db_escape($entered_grn->this_quantity_inv).",
+        std_cost_unit=".db_escape($mcost).",
+        act_price=".db_escape($entered_grn->chg_price)."
         WHERE po_detail_item = ".$myrow["po_detail_item"];
        db_query($sql, "a purchase order details record could not be updated. This receipt of goods has not been processed ");
 
        //$sql = "UPDATE ".TB_PREF."grn_items SET qty_recd=0, quantity_inv=0 WHERE id=$entered_grn->id";
-       $sql = "UPDATE ".TB_PREF."grn_items SET qty_recd=qty_recd+$entered_grn->this_quantity_inv,
-               quantity_inv=quantity_inv+$entered_grn->this_quantity_inv WHERE id=$entered_grn->id";
+       $sql = "UPDATE ".TB_PREF."grn_items SET qty_recd=qty_recd+".db_escape($entered_grn->this_quantity_inv)
+       .",quantity_inv=quantity_inv+".db_escape($entered_grn->this_quantity_inv)
+       ." WHERE id=".db_escape($entered_grn->id);
        db_query($sql);
 
     add_stock_move(ST_SUPPCREDIT, $entered_grn->item_code, $transno, $myrow['loc_code'], $date, "",
@@ -190,9 +195,11 @@ function set_grn_item_credited(&$entered_grn, $supplier, $transno, $date)
 function get_grn_items($grn_batch_id=0, $supplier_id="", $outstanding_only=false,
        $is_invoiced_only=false, $invoice_no=0, $begin="", $end="")
 {
-    $sql = "SELECT ".TB_PREF."grn_batch.*, ".TB_PREF."grn_items.*, ".TB_PREF."purch_order_details.unit_price,
+    $sql = "SELECT ".TB_PREF."grn_batch.*, ".TB_PREF."grn_items.*, "
+       .TB_PREF."purch_order_details.unit_price,
                ".TB_PREF."purch_order_details.std_cost_unit, units
-       FROM ".TB_PREF."grn_batch, ".TB_PREF."grn_items, ".TB_PREF."purch_order_details, ".TB_PREF."stock_master";
+       FROM ".TB_PREF."grn_batch, ".TB_PREF."grn_items, "
+       .TB_PREF."purch_order_details, ".TB_PREF."stock_master";
     if ($invoice_no != 0)
        $sql .= ", ".TB_PREF."supp_invoice_items";
     $sql .= " WHERE ".TB_PREF."grn_items.grn_batch_id=".TB_PREF."grn_batch.id
@@ -208,7 +215,8 @@ function get_grn_items($grn_batch_id=0, $supplier_id="", $outstanding_only=false
        if ($end != "")
                $sql .= " AND ".TB_PREF."grn_batch.delivery_date<='".date2sql($end)."'";
        if ($grn_batch_id != 0)
-               $sql .= " AND ".TB_PREF."grn_batch.id=$grn_batch_id AND ".TB_PREF."grn_items.grn_batch_id=$grn_batch_id ";
+               $sql .= " AND ".TB_PREF."grn_batch.id=".db_escape($grn_batch_id)
+                       ." AND ".TB_PREF."grn_items.grn_batch_id=".db_escape($grn_batch_id);
 
        if ($is_invoiced_only)
                $sql .= " AND ".TB_PREF."grn_items.quantity_inv > 0";
@@ -217,7 +225,7 @@ function get_grn_items($grn_batch_id=0, $supplier_id="", $outstanding_only=false
        $sql .= " AND ".TB_PREF."grn_items.qty_recd - ".TB_PREF."grn_items.quantity_inv > 0";
 
        if ($supplier_id != "")
-               $sql .= " AND ".TB_PREF."grn_batch.supplier_id ='$supplier_id' ";
+               $sql .= " AND ".TB_PREF."grn_batch.supplier_id =".db_escape($supplier_id);
 
        $sql .= " ORDER BY ".TB_PREF."grn_batch.delivery_date, ".TB_PREF."grn_batch.id, ".TB_PREF."grn_items.id";
 
@@ -236,7 +244,7 @@ function get_grn_item_detail($grn_item_no)
                FROM ".TB_PREF."grn_items, ".TB_PREF."purch_order_details, ".TB_PREF."stock_master
                WHERE ".TB_PREF."grn_items.po_detail_item=".TB_PREF."purch_order_details.po_detail_item
                        AND ".TB_PREF."stock_master.stock_id=".TB_PREF."grn_items.item_code
-                       AND ".TB_PREF."grn_items.id=$grn_item_no";
+                       AND ".TB_PREF."grn_items.id=".db_escape($grn_item_no);
 
        $result = db_query($sql, "could not retreive grn item details");
        return db_fetch($result);
@@ -279,7 +287,7 @@ function read_grn_items_to_order($grn_batch, &$order)
 
 function read_grn($grn_batch, &$order)
 {
-       $sql= "SELECT * FROM ".TB_PREF."grn_batch WHERE id=$grn_batch";
+       $sql= "SELECT * FROM ".TB_PREF."grn_batch WHERE id=".db_escape($grn_batch);
 
        $result = db_query($sql, "The grn sent is not valid");
 
@@ -305,7 +313,7 @@ function read_grn($grn_batch, &$order)
 
 function get_po_grns($po_number)
 {
-    $sql = "SELECT * FROM ".TB_PREF."grn_batch WHERE purch_order_no=$po_number";
+    $sql = "SELECT * FROM ".TB_PREF."grn_batch WHERE purch_order_no=".db_escape($po_number);
 
        return db_query($sql, "The grns for the po $po_number could not be retreived");
 }
@@ -314,7 +322,7 @@ function get_po_grns($po_number)
 
 function exists_grn($grn_batch)
 {
-       $sql = "SELECT id FROM ".TB_PREF."grn_batch WHERE id=$grn_batch";
+       $sql = "SELECT id FROM ".TB_PREF."grn_batch WHERE id=".db_escape($grn_batch);
        $result = db_query($sql, "Cannot retreive a grn");
 
     return (db_num_rows($result) > 0);
@@ -327,7 +335,7 @@ function exists_grn_on_invoices($grn_batch)
        $sql = "SELECT ".TB_PREF."supp_invoice_items.id FROM ".TB_PREF."supp_invoice_items,".TB_PREF."grn_items
                WHERE ".TB_PREF."supp_invoice_items.grn_item_id=".TB_PREF."grn_items.id
                AND quantity != 0
-               AND grn_batch_id=$grn_batch";
+               AND grn_batch_id=".db_escape($grn_batch);
        $result = db_query($sql, "Cannot query GRNs");
 
     return (db_num_rows($result) > 0);
@@ -366,7 +374,7 @@ function void_grn($grn_batch)
 
        // clear the quantities in the grn items
        $sql = "UPDATE ".TB_PREF."grn_items SET qty_recd=0, quantity_inv=0
-               WHERE grn_batch_id=$grn_batch";
+               WHERE grn_batch_id=".db_escape($grn_batch);
 
        db_query($sql, "A grn detail item could not be voided.");
 
FrontAccounting stable branch