Security sql statements update against sql injection attacks.
[fa-stable.git] / sales / inquiry / customer_allocation_inquiry.php
index 325d848ffd82b5a76cb8f5d3afe8dda68186ee85..e0567644d21e086ab085b3d3f6c21e170ffeade7 100644 (file)
@@ -159,7 +159,7 @@ function fmt_credit($row)
                AND trans.tran_date <= '$date_to'";
 
        if ($_POST['customer_id'] != reserved_words::get_all())
-               $sql .= " AND trans.debtor_no = '" . $_POST['customer_id'] . "'";
+               $sql .= " AND trans.debtor_no = ".db_escape($_POST['customer_id']);
 
        if (isset($_POST['filterType']) && $_POST['filterType'] != reserved_words::get_all())
        {
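Review bot: The context line at the top of the hunk still builds `trans.tran_date <= '$date_to'` by direct interpolation, so the query keeps an unescaped value right next to the one this commit fixes. Where `$date_to` is assigned is not visible here; if it derives from request input and is not strictly normalised by a date-conversion helper, it should get the same treatment, e.g. `AND trans.tran_date <= ".db_escape($date_to);`. The new `debtor_no` line also drops the surrounding quotes, which is only safe if `db_escape()` returns an already-quoted literal; that is worth confirming, because an escaped but unquoted value in a numeric position can still change the query's meaning. The statement being built starts before the hunk and the `filterType` branch continues past it, so neither could be checked from here.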