! -> Note
$ -> Affected files
-18-Apr-08 Janusz Dobrwolski
-! Changed db_escape function to avoid XSS atacks via js db injection
+18-Apr-2008 Joe Hunt
+! Changed db_escape function to avoid XSS attacks via js db injection
+$ /includes/db/comments_db.inc
+ /includes/db/inventory_db.inc
+ /includes/db/references_db.inc
+ /inventory/includes/db/items_category_db.inc
+ /inventory/includes/db/items_db.inc
+ /inventory/includes/db/items_locations_db.inc
+ /inventory/includes/db/items_units_db.inc
+ /inventory/includes/db/movement_types_db.inc
+ /manufacturing/includes/db/work_centres_db.inc
+ /manufacturing/includes/db/work_orders_db.inc
+ /manufacturing/includes/db/work_orders_quick_db.inc
+ /manufacturing/includes/db/work_order_issues_db.inc
+ /manufacturing/includes/db/work_order_produce_items_db.inc
+
+18-Apr-2008 Janusz Dobrwolski
+! Changed db_escape function to avoid XSS attacks via js db injection
$ /includes/db/connect_db.inc
# Database inserts/updates secured against js injection
$ /admin/db/maintenance_db.inc
function get_comments($type, $type_no)
{
$sql = "SELECT * FROM ".TB_PREF."comments WHERE type=$type AND id=$type_no";
-
+
return db_query($sql, "could not query comments transaction table");
}
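Review bot: `$type` and `$type_no` are interpolated into the WHERE clause unquoted and untouched by this commit, so db_quote never sees them; the same holds for `$type`/`$type_no` in add_comments, update_comments and delete_comments, `$type`/`$id` in the refs functions, and `$type_id` in the movement-type and work-centre functions. Whether these values arrive straight from request parameters is not visible here, but the escaping change only covers string columns, so a non-numeric value in an integer slot still lands in the query verbatim. A cheap, local guard is to coerce at the top of the function, `$type = (int)$type; $type_no = (int)$type_no;`, before `$sql` is built.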
function add_comments($type, $type_no, $date_, $memo_)
{
- if ($memo_ != null && $memo_ != "")
- {
+ if ($memo_ != null && $memo_ != "")
+ {
$date = date2sql($date_);
$sql = "INSERT INTO ".TB_PREF."comments (type, id, date_, memo_)
- VALUES ($type, $type_no, '$date', '$memo_')";
-
+ VALUES ($type, $type_no, '$date', ".db_quote($memo_).")";
+
db_query($sql, "could not add comments transaction entry");
- }
+ }
}
//--------------------------------------------------------------------------------------------------
function update_comments($type, $id, $date_, $memo_)
{
- if ($date_ == null)
+ if ($date_ == null)
{
delete_comments($type, $id);
add_comments($type, $id, '', $memo_);
- }
- else
+ }
+ else
{
$date = date2sql($date_);
- $sql = "UPDATE ".TB_PREF."comments SET memo_='$memo_' WHERE type=$type AND id=$id AND date_='$date'";
+ $sql = "UPDATE ".TB_PREF."comments SET memo_=".db_quote($memo_)." WHERE type=$type AND id=$id AND date_='$date'";
db_query($sql, "could not update comments");
}
}
function delete_comments($type, $type_no)
{
$sql = "DELETE FROM ".TB_PREF."comments WHERE type=$type AND id=$type_no";
-
+
db_query($sql, "could not delete from comments transaction table");
}
{
if ($date_ == null)
$date_ = Today();
-
+
$date = date2sql($date_);
-
- $sql = "SELECT SUM(qty) FROM ".TB_PREF."stock_moves
+
+ $sql = "SELECT SUM(qty) FROM ".TB_PREF."stock_moves
WHERE stock_id='$stock_id'
AND tran_date <= '$date'";
-
+
if ($location != null)
$sql .= " AND loc_code = '$location'";
-
- $result = db_query($sql, "QOH calulcation failed");
-
+
+ $result = db_query($sql, "QOH calulcation failed");
+
$myrow = db_fetch_row($result);
-
- return $myrow[0];
+
+ return $myrow[0];
}
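Review bot: `stock_id='$stock_id'` and `loc_code = '$location'` in this SELECT still interpolate raw strings, while the same `$location` goes through db_quote in add_stock_move and `$stock_id` through db_quote in the stock_master INSERT, so a value that is stored escaped is looked up unescaped. The same read-side gap is in get_item_edit_info, get_standard_cost, is_inventory_item, get_location_name, get_item_category, get_item_location, get_item_unit, get_unit_descr and in the WHERE clauses of update_item_category, update_item_location, delete_item_location, set_reorder_level, get_loc_details and the item_units update. I would use the same helper on the read side, e.g. `WHERE stock_id=".db_quote($stock_id)."` and `$sql .= " AND loc_code = ".db_quote($location);`. This function's signature is outside the hunk; only its body from the opening brace is visible.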
//--------------------------------------------------------------------------------------
function get_item_edit_info($stock_id)
{
- $sql = "SELECT material_cost + labour_cost + overhead_cost AS standard_cost, units
+ $sql = "SELECT material_cost + labour_cost + overhead_cost AS standard_cost, units
FROM ".TB_PREF."stock_master WHERE stock_id='$stock_id'";
$result = db_query($sql, "The standard cost cannot be retrieved");
-
+
return db_fetch($result);
}
function get_standard_cost($stock_id)
{
- $sql = "SELECT material_cost + labour_cost + overhead_cost AS std_cost
+ $sql = "SELECT material_cost + labour_cost + overhead_cost AS std_cost
FROM ".TB_PREF."stock_master WHERE stock_id='$stock_id'";
$result = db_query($sql, "The standard cost cannot be retrieved");
-
+
$myrow = db_fetch_row($result);
-
+
return $myrow[0];
}
function is_inventory_item($stock_id)
{
- $sql = "SELECT stock_id FROM ".TB_PREF."stock_master
+ $sql = "SELECT stock_id FROM ".TB_PREF."stock_master
WHERE stock_id='$stock_id' AND mb_flag <> 'D'";
$result = db_query($sql, "Cannot query is inventory item or not");
-
- return db_num_rows($result) > 0;
+
+ return db_num_rows($result) > 0;
}
//-------------------------------------------------------------------
{
/*Gets the GL Codes relevant to the item account */
- $sql = "SELECT inventory_account, cogs_account,
- adjustment_account, sales_account, assembly_account, dimension_id, dimension2_id FROM
+ $sql = "SELECT inventory_account, cogs_account,
+ adjustment_account, sales_account, assembly_account, dimension_id, dimension2_id FROM
".TB_PREF."stock_master WHERE stock_id = '$stock_id'";
$get = db_query($sql,"retreive stock gl code");
// $price - in $person_id's currency
function add_stock_move($type, $stock_id, $trans_no, $location,
- $date_, $reference, $quantity, $std_cost, $person_id=null, $show_or_hide=1,
+ $date_, $reference, $quantity, $std_cost, $person_id=null, $show_or_hide=1,
$price=0, $discount_percent=0, $error_msg="")
{
// do not add a stock move if it's a non-inventory item
if (!is_inventory_item($stock_id))
return null;
-
+
$date = date2sql($date_);
-
- $sql = "INSERT INTO ".TB_PREF."stock_moves (stock_id, trans_no, type, loc_code,
- tran_date, person_id, reference, qty, standard_cost, visible, price,
- discount_percent) VALUES ('$stock_id', $trans_no, $type,
- '$location', '$date', '$person_id', '$reference', $quantity, $std_cost,
+
+ $sql = "INSERT INTO ".TB_PREF."stock_moves (stock_id, trans_no, type, loc_code,
+ tran_date, person_id, reference, qty, standard_cost, visible, price,
+ discount_percent) VALUES ('$stock_id', $trans_no, $type,
+ ".db_quote($location).", '$date', '$person_id', ".db_quote($reference).", $quantity, $std_cost,
$show_or_hide, $price, $discount_percent)";
-
+
if ($error_msg == "")
$error_msg = "The stock movement record cannot be inserted";
-
+
db_query($sql, $error_msg);
-
- return db_insert_id();
-}
+
+ return db_insert_id();
+}
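Review bot: Inside the same VALUES list, `'$stock_id'` on the `discount_percent) VALUES (` line and `'$person_id'` on the line after it are still raw interpolations, while `$location` and `$reference` beside them now go through db_quote; the workorders INSERT and UPDATE near the end of the diff (`'$stock_id'` following `$units_reqd`) have the same split. Since `$person_id` defaults to null, the quoted form silently inserts an empty string; what db_quote does with null is not visible here (connect_db.inc is in the diffstat but not in this view), so that is worth confirming before switching. I would make the two lines `discount_percent) VALUES (".db_quote($stock_id).", $trans_no, $type,` and `".db_quote($location).", '$date', ".db_quote($person_id).", ".db_quote($reference).", $quantity, $std_cost,`. The numeric slots `$trans_no`, `$type`, `$quantity`, `$std_cost`, `$show_or_hide`, `$price` and `$discount_percent` remain unquoted and unvalidated here, as elsewhere in the diff.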
//--------------------------------------------------------------------------------------------------
function get_stock_moves($type, $type_no, $visible=false)
{
- $sql = "SELECT ".TB_PREF."stock_moves.*, ".TB_PREF."stock_master.description, ".TB_PREF."stock_master.units,
+ $sql = "SELECT ".TB_PREF."stock_moves.*, ".TB_PREF."stock_master.description, ".TB_PREF."stock_master.units,
".TB_PREF."locations.location_name,
".TB_PREF."stock_master.material_cost + ".TB_PREF."stock_master.labour_cost + ".TB_PREF."stock_master.overhead_cost AS FixedStandardCost
FROM ".TB_PREF."stock_moves,".TB_PREF."locations,".TB_PREF."stock_master
- WHERE ".TB_PREF."stock_moves.stock_id = ".TB_PREF."stock_master.stock_id
- AND ".TB_PREF."locations.loc_code=".TB_PREF."stock_moves.loc_code
+ WHERE ".TB_PREF."stock_moves.stock_id = ".TB_PREF."stock_master.stock_id
+ AND ".TB_PREF."locations.loc_code=".TB_PREF."stock_moves.loc_code
AND type=$type AND trans_no=$type_no ORDER BY trans_id";
if ($visible)
$sql .= " AND ".TB_PREF."stock_moves.visible=1";
-
+
return db_query($sql, "Could not get stock moves");
}
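Review bot: The `$visible` filter is appended after `ORDER BY trans_id`, so the statement becomes `... ORDER BY trans_id AND <prefix>stock_moves.visible=1`; MySQL accepts that as ordering by a boolean expression, and the rows are never filtered by visibility. Move the ORDER BY after the optional clause: end the base string with `AND type=$type AND trans_no=$type_no";`, keep the `if ($visible)` append as is, and add `$sql .= " ORDER BY trans_id";` before the db_query call. This commit only touches whitespace in this function, so the defect predates it, but it is worth fixing while the file is open.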
{
$sql = "UPDATE ".TB_PREF."stock_moves SET qty=0, price=0, discount_percent=0,
standard_cost=0 WHERE type=$type AND trans_no=$type_no";
-
+
db_query($sql, "Could not void stock moves");
}
function get_location_name($loc_code)
{
$sql = "SELECT location_name FROM ".TB_PREF."locations WHERE loc_code='$loc_code'";
-
+
$result = db_query($sql, "could not retreive the location name for $loc_code");
-
+
if (db_num_rows($result) == 1)
{
$row = db_fetch_row($result);
return $row[0];
}
-
+
display_db_error("could not retreive the location name for $loc_code", $sql, true);
}
function get_reference($type, $id)
{
$sql = "SELECT * FROM ".TB_PREF."refs WHERE type=$type AND id=$id";
-
+
return db_query($sql, "could not query reference table");
}
function add_reference($type, $id, $reference)
{
$sql = "INSERT INTO ".TB_PREF."refs (type, id, reference)
- VALUES ($type, $id, '" . trim($reference) . "')";
-
+ VALUES ($type, $id, " . db_quote(trim($reference)) . ")";
+
db_query($sql, "could not add reference entry");
}
function delete_reference($type, $id)
{
$sql = "DELETE FROM ".TB_PREF."refs WHERE type=$type AND id=$id";
-
+
return db_query($sql, "could not delete from reference table");
}
function find_reference($type, $reference)
{
$sql = "SELECT id FROM ".TB_PREF."refs WHERE type=$type AND reference='$reference'";
-
+
$result = db_query($sql, "could not query reference table");
-
+
return (db_num_rows($result) > 0);
}
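Review bot: find_reference compares `reference='$reference'` against a value that add_reference and save_next_reference store as `db_quote(trim($reference))`, so a reference entered with surrounding whitespace, or containing a quote, is saved in one form and searched in another and the lookup misses. Apply the same normalisation on the read side: `$sql = "SELECT id FROM ".TB_PREF."refs WHERE type=$type AND reference=".db_quote(trim($reference));`.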
function save_next_reference($type, $reference)
{
- $sql = "UPDATE ".TB_PREF."sys_types SET next_reference='" . trim($reference) . "' WHERE type_id = $type";
-
- db_query($sql, "The next transaction ref for $type could not be updated");
+ $sql = "UPDATE ".TB_PREF."sys_types SET next_reference=" . db_quote(trim($reference)) . " WHERE type_id = $type";
+
+ db_query($sql, "The next transaction ref for $type could not be updated");
}
//--------------------------------------------------------------------------------------------------
function get_next_reference($type)
{
$sql = "SELECT next_reference FROM ".TB_PREF."sys_types WHERE type_id = $type";
-
+
$result = db_query($sql,"The last transaction ref for $type could not be retreived");
-
+
$row = db_fetch_row($result);
return $row[0];
}
function add_item_category($description)
{
- $sql = "INSERT INTO ".TB_PREF."stock_category (description)
- VALUES ('$description')";
-
+ $sql = "INSERT INTO ".TB_PREF."stock_category (description)
+ VALUES (".db_quote($description).")";
+
db_query($sql,"an item category could not be added");
}
function update_item_category($ItemCategory, $description)
{
- $sql = "UPDATE ".TB_PREF."stock_category SET description = '$description'
- WHERE category_id = '$ItemCategory'";
-
- db_query($sql,"an item category could not be updated");
+ $sql = "UPDATE ".TB_PREF."stock_category SET description = ".db_quote($description)."
+ WHERE category_id = '$ItemCategory'";
+
+ db_query($sql,"an item category could not be updated");
}
function delete_item_category($ItemCategory)
{
- $sql="DELETE FROM ".TB_PREF."stock_category WHERE category_id='$ItemCategory'";
-
- db_query($sql,"an item category could not be deleted");
+ $sql="DELETE FROM ".TB_PREF."stock_category WHERE category_id='$ItemCategory'";
+
+ db_query($sql,"an item category could not be deleted");
}
function get_item_category($ItemCategory)
{
- $sql="SELECT * FROM ".TB_PREF."stock_category WHERE category_id='$ItemCategory'";
-
+ $sql="SELECT * FROM ".TB_PREF."stock_category WHERE category_id='$ItemCategory'";
+
$result = db_query($sql,"an item category could not be retrieved");
-
- return db_fetch($result);
+
+ return db_fetch($result);
}
function get_category_name($id)
{
$sql = "SELECT description FROM ".TB_PREF."stock_category WHERE category_id=$id";
-
+
$result = db_query($sql, "could not get sales type");
-
+
$row = db_fetch_row($result);
return $row[0];
}
$sales_account, $inventory_account, $cogs_account, $adjustment_account,
$assembly_account, $dimension_id, $dimension2_id)
{
- $sql = "UPDATE ".TB_PREF."stock_master SET long_description='$long_description',
- description='$description',
+ $sql = "UPDATE ".TB_PREF."stock_master SET long_description=".db_quote($long_description).",
+ description=".db_quote($description).",
category_id='$category_id',
sales_account='$sales_account',
inventory_account='$inventory_account',
$sql = "INSERT INTO ".TB_PREF."stock_master (stock_id, description, long_description, category_id,
tax_type_id, units, mb_flag, sales_account, inventory_account, cogs_account,
adjustment_account, assembly_account, dimension_id, dimension2_id)
- VALUES ('$stock_id', '$description', '$long_description',
+ VALUES (".db_quote($stock_id).", ".db_quote($description).", ".db_quote($long_description).",
'$category_id', $tax_type_id, '$units', '$mb_flag',
'$sales_account', '$inventory_account', '$cogs_account',
'$adjustment_account', '$assembly_account', $dimension_id, $dimension2_id)";
function add_item_location($loc_code, $location_name, $delivery_address, $phone, $fax, $email, $contact)
{
- $sql = "INSERT INTO ".TB_PREF."locations (loc_code, location_name, delivery_address, phone, fax, email, contact)
- VALUES ('$loc_code', '$location_name', '$delivery_address', '$phone', '$fax', '$email', '$contact')";
-
+ $sql = "INSERT INTO ".TB_PREF."locations (loc_code, location_name, delivery_address, phone, fax, email, contact)
+ VALUES (".db_quote($loc_code).", ".db_quote($location_name).", ".db_quote($delivery_address).", ".db_quote($phone).", ".db_quote($fax).", ".db_quote($email).", ".db_quote($contact).")";
+
db_query($sql,"a location could not be added");
-
+
/* Also need to add loc_stock records for all existing items */
- $sql = "INSERT INTO ".TB_PREF."loc_stock (loc_code, stock_id, reorder_level)
+ $sql = "INSERT INTO ".TB_PREF."loc_stock (loc_code, stock_id, reorder_level)
SELECT '$loc_code', ".TB_PREF."stock_master.stock_id, 0 FROM ".TB_PREF."stock_master";
-
- db_query($sql,"a location could not be added");
+
+ db_query($sql,"a location could not be added");
}
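Review bot: The INSERT ... SELECT still interpolates `'$loc_code'` in `SELECT '$loc_code', ...` although the INSERT two statements earlier passes the same variable through db_quote, so the fan-out into loc_stock would use a different literal than the locations row for any value db_quote alters. Change it to `SELECT ".db_quote($loc_code).", ".TB_PREF."stock_master.stock_id, 0 FROM ".TB_PREF."stock_master";`. Both db_query calls also report the identical message "a location could not be added", which hides which of the two inserts failed; something like `"loc_stock entries for the new location could not be added"` on the second call would make the log actionable.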
//------------------------------------------------------------------------------------
function update_item_location($loc_code, $location_name, $delivery_address, $phone, $fax, $email, $contact)
{
- $sql = "UPDATE ".TB_PREF."locations SET location_name='$location_name',
- delivery_address='$delivery_address',
- phone='$phone', fax='$fax',
- email='$email', contact='$contact'
+ $sql = "UPDATE ".TB_PREF."locations SET location_name=".db_quote($location_name).",
+ delivery_address=".db_quote($delivery_address).",
+ phone=".db_quote($phone).", fax=".db_quote($fax).",
+ email=".db_quote($email).", contact=".db_quote($contact)."
WHERE loc_code = '$loc_code'";
-
- db_query($sql,"a location could not be updated");
+
+ db_query($sql,"a location could not be updated");
}
//------------------------------------------------------------------------------------
function delete_item_location($item_location)
{
- $sql="DELETE FROM ".TB_PREF."locations WHERE loc_code='$item_location'";
+ $sql="DELETE FROM ".TB_PREF."locations WHERE loc_code='$item_location'";
db_query($sql,"a location could not be deleted");
-
+
$sql = "DELETE FROM ".TB_PREF."loc_stock WHERE loc_code ='$item_location'";
- db_query($sql,"a location could not be deleted");
+ db_query($sql,"a location could not be deleted");
}
//------------------------------------------------------------------------------------
function get_item_location($item_location)
{
- $sql="SELECT * FROM ".TB_PREF."locations WHERE loc_code='$item_location'";
-
+ $sql="SELECT * FROM ".TB_PREF."locations WHERE loc_code='$item_location'";
+
$result = db_query($sql,"a location could not be retrieved");
-
- return db_fetch($result);
+
+ return db_fetch($result);
}
//------------------------------------------------------------------------------------
function set_reorder_level($stock_id, $loc_code, $reorder_level)
{
- $sql = "UPDATE ".TB_PREF."loc_stock SET reorder_level = $reorder_level
- WHERE stock_id = '$stock_id' AND loc_code = '$loc_code'";
-
- db_query($sql,"an item reorder could not be set");
+ $sql = "UPDATE ".TB_PREF."loc_stock SET reorder_level = $reorder_level
+ WHERE stock_id = '$stock_id' AND loc_code = '$loc_code'";
+
+ db_query($sql,"an item reorder could not be set");
}
//------------------------------------------------------------------------------------
function get_loc_details($stock_id)
{
- $sql = "SELECT ".TB_PREF."loc_stock.*, ".TB_PREF."locations.location_name
- FROM ".TB_PREF."loc_stock, ".TB_PREF."locations
- WHERE ".TB_PREF."loc_stock.loc_code=".TB_PREF."locations.loc_code
+ $sql = "SELECT ".TB_PREF."loc_stock.*, ".TB_PREF."locations.location_name
+ FROM ".TB_PREF."loc_stock, ".TB_PREF."locations
+ WHERE ".TB_PREF."loc_stock.loc_code=".TB_PREF."locations.loc_code
AND ".TB_PREF."loc_stock.stock_id = '" . $stock_id . "' ORDER BY ".TB_PREF."loc_stock.loc_code";
return db_query($sql,"an item reorder could not be retreived");
}
{
if($selected!='')
$sql = "UPDATE ".TB_PREF."item_units SET
- abbr = '$abbr',
- name = '$description',
+ abbr = ".db_quote($abbr).",
+ name = ".db_quote($description).",
decimals = $decimals
WHERE abbr = '$selected'";
else
$sql = "INSERT INTO ".TB_PREF."item_units
- (abbr, name, decimals) VALUES( '$abbr',
- '$description', $decimals)";
-
- db_query($sql,"an item unit could not be updated");
+ (abbr, name, decimals) VALUES( ".db_quote($abbr).",
+ ".db_quote($description).", $decimals)";
+
+ db_query($sql,"an item unit could not be updated");
}
function delete_item_unit($unit)
{
- $sql="DELETE FROM ".TB_PREF."item_units WHERE abbr='$unit'";
-
- db_query($sql,"an unit of measure could not be deleted");
+ $sql="DELETE FROM ".TB_PREF."item_units WHERE abbr='$unit'";
+
+ db_query($sql,"an unit of measure could not be deleted");
}
function get_item_unit($unit)
{
- $sql="SELECT * FROM ".TB_PREF."item_units WHERE abbr='$unit'";
-
+ $sql="SELECT * FROM ".TB_PREF."item_units WHERE abbr='$unit'";
+
$result = db_query($sql,"an unit of measure could not be retrieved");
-
- return db_fetch($result);
+
+ return db_fetch($result);
}
function get_unit_descr($unit)
{
- $sql = "SELECT description FROM ".TB_PREF."item_units WHERE abbr='$id'";
-
+ $sql = "SELECT description FROM ".TB_PREF."item_units WHERE abbr='$unit'";
+
$result = db_query($sql, "could not unit description");
-
+
$row = db_fetch_row($result);
return $row[0];
}
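Review bot: The `$id` to `$unit` change fixes a query built from an undefined variable, but the message passed to db_query, "could not unit description", is missing its verb and is what ends up in the error output; `"could not get unit description"` matches the neighbouring messages. `abbr='$unit'` remains a raw interpolation like the other lookups in this diff.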
function add_movement_type($name)
{
- $sql = "INSERT INTO ".TB_PREF."movement_types (name)
- VALUES ('$name')";
-
- db_query($sql, "could not add item movement type");
+ $sql = "INSERT INTO ".TB_PREF."movement_types (name)
+ VALUES (".db_quote($name).")";
+
+ db_query($sql, "could not add item movement type");
}
function update_movement_type($type_id, $name)
{
- $sql = "UPDATE ".TB_PREF."movement_types SET name='$name'
+ $sql = "UPDATE ".TB_PREF."movement_types SET name=".db_quote($name)."
WHERE id=$type_id";
-
- db_query($sql, "could not update item movement type");
+
+ db_query($sql, "could not update item movement type");
}
function get_all_movement_type()
{
$sql = "SELECT * FROM ".TB_PREF."movement_types";
-
+
return db_query($sql, "could not get all item movement type");
-}
+}
function get_movement_type($type_id)
{
$sql = "SELECT * FROM ".TB_PREF."movement_types WHERE id=$type_id";
-
+
$result = db_query($sql, "could not get item movement type");
-
+
return db_fetch($result);
}
function delete_movement_type($type_id)
{
$sql="DELETE FROM ".TB_PREF."movement_types WHERE id=$type_id";
-
- db_query($sql, "could not delete item movement type");
+
+ db_query($sql, "could not delete item movement type");
}
?>
\ No newline at end of file
function add_work_centre($name, $description)
{
- $sql = "INSERT INTO ".TB_PREF."workcentres (name, description)
- VALUES ('$name','$description')";
-
- db_query($sql, "could not add work centre");
+ $sql = "INSERT INTO ".TB_PREF."workcentres (name, description)
+ VALUES (".db_quote($name).",".db_quote($description).")";
+
+ db_query($sql, "could not add work centre");
}
function update_work_centre($type_id, $name, $description)
{
- $sql = "UPDATE ".TB_PREF."workcentres SET name='$name', description='$description'
+ $sql = "UPDATE ".TB_PREF."workcentres SET name=".db_quote($name).", description=".db_quote($description)."
WHERE id=$type_id";
-
- db_query($sql, "could not update work centre");
+
+ db_query($sql, "could not update work centre");
}
function get_all_work_centres()
{
$sql = "SELECT * FROM ".TB_PREF."workcentres";
-
+
return db_query($sql, "could not get all work centres");
-}
+}
function get_work_centre($type_id)
{
$sql = "SELECT * FROM ".TB_PREF."workcentres WHERE id=$type_id";
-
+
$result = db_query($sql, "could not get work centre");
-
+
return db_fetch($result);
}
function delete_work_centre($type_id)
{
$sql="DELETE FROM ".TB_PREF."workcentres WHERE id=$type_id";
-
- db_query($sql, "could not delete work centre");
+
+ db_query($sql, "could not delete work centre");
}
?>
\ No newline at end of file
// insert the actual issue
$sql = "INSERT INTO ".TB_PREF."wo_issues (workorder_id, reference, issue_date, loc_code, workcentre_id)
- VALUES ($woid, '$ref', '" .
- date2sql($date_) . "', '$location', $workcentre)";
+ VALUES ($woid, ".db_quote($ref).", '" .
+ date2sql($date_) . "', ".db_quote($location).", $workcentre)";
db_query($sql,"The work order issue could not be added");
$number = db_insert_id();
$date = date2sql($date_);
$sql = "INSERT INTO ".TB_PREF."wo_manufacture (workorder_id, reference, quantity, date_)
- VALUES ($woid, '$ref', $quantity, '$date')";
+ VALUES ($woid, ".db_quote($ref).", $quantity, '$date')";
db_query($sql,"A work order manufacture could not be added");
$sql = "INSERT INTO ".TB_PREF."workorders (wo_ref, loc_code, units_reqd, stock_id,
type, date_, required_by)
- VALUES ('$wo_ref', '$loc_code', $units_reqd, '$stock_id',
+ VALUES (".db_quote($wo_ref).", ".db_quote($loc_code).", $units_reqd, '$stock_id',
$type, '$date', '$required')";
db_query($sql, "could not add work order");
$date = date2sql($date_);
$required = date2sql($required_by);
- $sql = "UPDATE ".TB_PREF."workorders SET loc_code='$loc_code',
+ $sql = "UPDATE ".TB_PREF."workorders SET loc_code=".db_quote($loc_code).",
units_reqd=$units_reqd, stock_id='$stock_id',
required_by='$required',
date_='$date'
$result = db_query($sql, "The work order issues could not be retrieved");
if (!$allow_null && db_num_rows($result) == 0)
- display_db_error("Could not find work order $workOrder", $sql);
+ display_db_error("Could not find work order $woid", $sql);
return db_fetch($result);
}
$sql = "INSERT INTO ".TB_PREF."workorders (wo_ref, loc_code, units_reqd, units_issued, stock_id,
type, additional_costs, date_, released_date, required_by, released, closed)
- VALUES ('$wo_ref', '$loc_code', $units_reqd, $units_reqd, '$stock_id',
+ VALUES (".db_quote($wo_ref).", ".db_quote($loc_code).", $units_reqd, $units_reqd, '$stock_id',
$type, $additional_costs, '$date', '$date', '$date', 1, 1)";
db_query($sql, "could not add work order");