// run through each field
for ($k = 0; $k < $nf = db_num_fields($res2); $k++)
{
- $out .= db_escape($row2[$k], true);
+ $out .= db_escape($row2[$k]);
if ($k < ($nf - 1))
$out .= ", ";
}
{
mysql_select_db($database_name, $db);
}
-$sql = "UPDATE ".$table_prefix."users SET password = '" . md5($admin_password) . "', email = '$admin_email' WHERE user_id = 'admin'";
+$sql = "UPDATE ".$table_prefix."users SET password = '" . md5($admin_password) . "', email = ".db_escape($admin_email)." WHERE user_id = 'admin'";
db_query($sql, "could not update admin account");
-$sql = "UPDATE ".$table_prefix."company SET coy_name = '$company_name' WHERE coy_code = 1";
+$sql = "UPDATE ".$table_prefix."company SET coy_name = ".db_escape($company_name)." WHERE coy_code = 1";
db_query($sql, "could not update company name. Do it manually later in Setup");
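Review bot: The admin password on line 13 is still stored as an unsalted `md5($admin_password)` digest, which this escaping pass leaves untouched. md5 is fast and unsalted, so a leaked users table is cheap to crack offline; this setup script should store `password_hash($admin_password, PASSWORD_DEFAULT)` and the login path should check it with `password_verify()`. That is a wider change than this commit, so at minimum a `// TODO: replace md5 with password_hash(); login must verify with password_verify()` marker would keep it visible. The `$table_prefix` concatenation is unchanged and presumably comes from setup configuration rather than the request, but that cannot be confirmed from this hunk.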
session_unset();
else
$material_cost = ($qoh * $material_cost + $order_line->receive_qty * $price_in_home_currency) /
($qoh + $order_line->receive_qty);
- $sql = "UPDATE ".TB_PREF."stock_master SET material_cost=$material_cost
+ $sql = "UPDATE ".TB_PREF."stock_master SET material_cost=".db_escape($material_cost)."
WHERE stock_id='$order_line->stock_id'";
db_query($sql,"The cost details for the inventory item could not be updated");
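Review bot: The WHERE clause on line 24 still interpolates `'$order_line->stock_id'` raw, so only the SET side of this UPDATE is escaped; the same split appears in the supplier update at line 87 (`WHERE supplier_id = '" . $_POST['supplier_id'] . "'`), the customer update at line 377 (`$_POST['customer_id']`) and the area update at line 397 (`'$selected_id'`). The two `$_POST` cases are the ones to fix first, since they take the key straight from the request: `WHERE supplier_id = ".db_escape($_POST['supplier_id'])` and `WHERE debtor_no = ".db_escape($_POST['customer_id'])`, matching the form the new SET values already use. Here the line would read `WHERE stock_id=".db_escape($order_line->stock_id);`, on the assumption (supported by the quotes the diff drops elsewhere) that `db_escape()` returns a quoted literal. The enclosing function starts before this hunk.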
//----------------------------------------------------------------------------------------------------------------
$date = date2sql($date_);
$sql = "INSERT INTO ".TB_PREF."grn_batch (purch_order_no, delivery_date, supplier_id, reference, loc_code)
- VALUES ($po_number, '$date', '$supplier_id', '$reference', '$location')";
+ VALUES (".db_escape($po_number).", ".db_escape($date).", "
+ .db_escape($supplier_id).", ".db_escape($reference).", ".db_escape($location).")";
db_query($sql, "A grn batch record could not be inserted.");
db_query($sql, "a purchase order details record could not be updated. This receipt of goods has not been processed ");
$sql = "INSERT INTO ".TB_PREF."grn_items (grn_batch_id, po_detail_item, item_code, description, qty_recd)
- VALUES ($grn_batch_id, $po_detail_item, '$item_code', '$description', $quantity_received)";
+ VALUES ($grn_batch_id, $po_detail_item, ".db_escape($item_code).", ".db_escape($description).", $quantity_received)";
db_query($sql, "A GRN detail item could not be inserted.");
{
$sql = "INSERT INTO ".TB_PREF."supp_invoice_items (supp_trans_type, supp_trans_no, stock_id, description, gl_code, unit_price, unit_tax, quantity,
grn_item_id, po_detail_item_id, memo_) ";
- $sql .= "VALUES ($supp_trans_type, $supp_trans_no, '$stock_id', '$description', '$gl_code', $unit_price, $unit_tax, $quantity,
- $grn_item_id, $po_detail_item_id, '$memo_')";
+ $sql .= "VALUES ($supp_trans_type, $supp_trans_no, ".db_escape($stock_id).
+ ", ".db_escape($description).", ".db_escape($gl_code).", $unit_price, $unit_tax, $quantity,
+ $grn_item_id, $po_detail_item_id, ".db_escape($memo_).")";
if ($err_msg == "")
$err_msg = "Cannot insert a supplier transaction detail record";
/*Insert to purchase order header record */
$sql = "INSERT INTO ".TB_PREF."purch_orders (supplier_id, Comments, ord_date, reference, requisition_no, into_stock_location, delivery_address) VALUES(";
- $sql .= "' ". $po_obj->supplier_id . "'," .
+ $sql .= db_escape($po_obj->supplier_id) . "," .
db_escape($po_obj->Comments) . ",'" .
date2sql($po_obj->orig_order_date) . "', '" .
$po_obj->reference . "', " .
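Review bot: `$po_obj->reference` on line 54 is still concatenated inside hand-written quotes while `supplier_id` and `Comments` on lines 51–52 now go through `db_escape()`, so the reference is the one string value visible in this VALUES list left unescaped. The line should become `db_escape($po_obj->reference) . ", " .` with the surrounding `'` removed, consistent with the other arguments. The `$sql .=` statement continues past the end of the hunk, so the remaining columns could not be checked here.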
$sql = "INSERT INTO ".TB_PREF."supp_trans (trans_no, type, supplier_id, tran_date, due_date,
reference, supp_reference, ov_amount, ov_gst, rate, ov_discount) ";
$sql .= "VALUES ($trans_no, $type, $supplier_id, '$date', '$due_date',
- '$reference', '$supp_reference', $amount, $amount_tax, $rate, $discount)";
+ ".db_escape($reference).", ".db_escape($supp_reference).", $amount, $amount_tax, $rate, $discount)";
if ($err_msg == "")
$err_msg = "Cannot insert a supplier transaction record";
if (!isset($_POST['New']))
{
- $sql = "UPDATE ".TB_PREF."suppliers SET supp_name='" . $_POST['supp_name'] . "',
- address='" . $_POST['address'] . "',
- email='" . $_POST['email'] . "',
- bank_account='" . $_POST['bank_account'] . "',
- dimension_id=" . $_POST['dimension_id'] . ",
- dimension2_id=" . $_POST['dimension2_id'] . ",
- curr_code='" . $_POST['curr_code'] . "',
- payment_terms='" . $_POST['payment_terms'] . "',
- payable_account='" . $_POST['payable_account'] . "',
- purchase_account='" . $_POST['purchase_account'] . "',
- payment_discount_account='" . $_POST['payment_discount_account'] . "',
- tax_group_id=" . $_POST['tax_group_id'] . " WHERE supplier_id = '" . $_POST['supplier_id'] . "'";
+ $sql = "UPDATE ".TB_PREF."suppliers SET supp_name=".db_escape($_POST['supp_name']) . ",
+ address=".db_escape($_POST['address']) . ",
+ email=".db_escape($_POST['email']) . ",
+ bank_account=".db_escape($_POST['bank_account']) . ",
+ dimension_id=".db_escape($_POST['dimension_id']) . ",
+ dimension2_id=".db_escape($_POST['dimension2_id']) . ",
+ curr_code=".db_escape($_POST['curr_code']).",
+ payment_terms=".db_escape($_POST['payment_terms']) . ",
+ payable_account=".db_escape($_POST['payable_account']) . ",
+ purchase_account=".db_escape($_POST['purchase_account']) . ",
+ payment_discount_account=".db_escape($_POST['payment_discount_account']) . ",
+ tax_group_id=".db_escape($_POST['tax_group_id']) . " WHERE supplier_id = '" . $_POST['supplier_id'] . "'";
db_query($sql,"The supplier could not be updated");
$sql = "INSERT INTO ".TB_PREF."suppliers (supp_name, address, email, bank_account, dimension_id, dimension2_id, curr_code,
payment_terms, payable_account, purchase_account, payment_discount_account, tax_group_id)
- VALUES ('" . $_POST['supp_name'] . "', '" .
- $_POST['address'] . "', '" .
- $_POST['email'] . "', '" .
- $_POST['bank_account'] . "', " .
- $_POST['dimension_id'] . ", " .
- $_POST['dimension2_id'] . ", '" .
- $_POST['curr_code'] . "', '" .
- $_POST['payment_terms'] . "', '" .
- $_POST['payable_account'] . "', '" .
- $_POST['purchase_account'] . "', '" .
- $_POST['payment_discount_account'] . "', " .
- $_POST['tax_group_id'] . ")";
+ VALUES (".db_escape($_POST['supp_name']). ", "
+ .db_escape($_POST['address']) . ", "
+ .db_escape($_POST['email']). ", "
+ .db_escape($_POST['bank_account']). ", "
+ .db_escape($_POST['dimension_id']). ", "
+ .db_escape($_POST['dimension2_id']). ", "
+ .db_escape($_POST['curr_code']). ", "
+ .db_escape($_POST['payment_terms']). ", "
+ .db_escape($_POST['payable_account']). ", "
+ .db_escape($_POST['purchase_account']). ", "
+ .db_escape($_POST['payment_discount_account']). ", "
+ .db_escape($_POST['tax_group_id']). ")";
db_query($sql,"The supplier could not be added");
}
function add_credit_status($description, $disallow_invoicing)
{
$sql = "INSERT INTO ".TB_PREF."credit_status (reason_description, dissallow_invoices)
- VALUES ('$description',$disallow_invoicing)";
+ VALUES (".db_escape($description).",$disallow_invoicing)";
db_query($sql, "could not add credit status");
}
function update_credit_status($status_id, $description, $disallow_invoicing)
{
- $sql = "UPDATE ".TB_PREF."credit_status SET reason_description='$description',
+ $sql = "UPDATE ".TB_PREF."credit_status SET reason_description=".db_escape($description).",
dissallow_invoices=$disallow_invoicing WHERE id=$status_id";
db_query($sql, "could not update credit status");
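Review bot: `$disallow_invoicing` on line 121 and both `$disallow_invoicing` and `$status_id` on line 128 are still interpolated raw after the string argument was escaped, so these helpers continue to depend on every caller having validated them. If they are integers by contract, an explicit cast makes that hold regardless of caller: `VALUES (".db_escape($description).",".(int)$disallow_invoicing.")";` and `dissallow_invoices=".(int)$disallow_invoicing." WHERE id=".(int)$status_id;`. The same pattern is left in `add_sales_type`/`update_sales_type` (lines 272 and 279, where `'$tax_included'` is even hand-quoted) and in the sales order detail lines, where `$line->price`, `$line->quantity` and `$line->discount_percent` are raw on lines 211–213 but escaped on lines 264–266 — the two sites should agree. The schema is not on this page, so confirm the column types before adding casts; the closing brace of `update_credit_status` lies outside the hunk.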
order_, ov_amount, ov_discount,
ov_gst, ov_freight, ov_freight_tax,
rate, ship_via, alloc, trans_link
- ) VALUES ($trans_no, $trans_type, '$debtor_no', '$BranchNo',
- '$SQLDate', '$SQLDueDate', '$reference',
- '$sales_type', $order_no, $Total, $discount, $Tax, $Freight,
- $FreightTax, $rate, '$ship_via', $AllocAmt, $trans_link)";
+ ) VALUES ($trans_no, $trans_type,
+ ".db_escape($debtor_no).", ".db_escape($BranchNo).",
+ '$SQLDate', '$SQLDueDate', ".db_escape($reference).",
+ ".db_escape($sales_type).", $order_no, $Total, ".db_escape($discount).", $Tax,
+ ".db_escape($Freight).",
+ $FreightTax, $rate, ".db_escape($ship_via).", $AllocAmt, ".db_escape($trans_link);
} else { // may be optional argument should stay unchanged ?
$sql = "UPDATE ".TB_PREF."debtor_trans SET
- debtor_no='$debtor_no' , branch_code='$BranchNo',
+ debtor_no=".db_escape($debtor_no)." , branch_code=".db_escape($BranchNo).",
tran_date='$SQLDate', due_date='$SQLDueDate',
- reference='$reference', tpe='$sales_type', order_=$order_no,
- ov_amount=$Total, ov_discount=$discount, ov_gst=$Tax,
- ov_freight=$Freight, ov_freight_tax=$FreightTax, rate=$rate,
- ship_via='$ship_via', alloc=$AllocAmt, trans_link=$trans_link
+ reference=".db_escape($reference).", tpe=".db_escape($sales_type).", order_=$order_no,
+ ov_amount=$Total, ov_discount=".db_escape($discount).", ov_gst=$Tax,
+ ov_freight=".db_escape($Freight).", ov_freight_tax=$FreightTax, rate=$rate,
+ ship_via=".db_escape($ship_via).", alloc=$AllocAmt, trans_link=$trans_link
WHERE trans_no=$trans_no AND type=$trans_type";
}
db_query($sql, "The debtor transaction record could not be inserted");
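Review bot: The added line 142 ends the INSERT with `".db_escape($trans_link);` whereas the removed line 136 ended with `$trans_link)";`, so the closing parenthesis of the VALUES list has been dropped and the statement is no longer valid SQL unless a continuation was lost from this page; it should read `$FreightTax, $rate, ".db_escape($ship_via).", $AllocAmt, ".db_escape($trans_link).")";`. The UPDATE branch on line 155 still writes `trans_link=$trans_link` raw while the INSERT escapes it, and `'$SQLDate'`/`'$SQLDueDate'` remain hand-quoted on lines 139 and 147 in both branches; `tran_date=".db_escape($SQLDate).", due_date=".db_escape($SQLDueDate).",` would bring the UPDATE in line. The enclosing function starts before this hunk.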
{
if ($line_id!=0)
$sql = "UPDATE ".TB_PREF."debtor_trans_details SET
- stock_id='$stock_id',
- description='$description',
+ stock_id=".db_escape($stock_id).",
+ description=".db_escape($description).",
quantity=$quantity,
unit_price=$unit_price,
unit_tax=$unit_tax,
$sql = "INSERT INTO ".TB_PREF."debtor_trans_details (debtor_trans_no,
debtor_trans_type, stock_id, description, quantity, unit_price,
unit_tax, discount_percent, standard_cost)
- VALUES ($debtor_trans_no, $debtor_trans_type, '$stock_id', '$description',
+ VALUES ($debtor_trans_no, $debtor_trans_type, ".db_escape($stock_id).
+ ", ".db_escape($description).",
$quantity, $unit_price, $unit_tax, $discount_percent, $std_cost)";
db_query($sql, "The debtor transaction detail could not be written");
$sql = "INSERT INTO ".TB_PREF."sales_orders (type, debtor_no, branch_code, customer_ref, comments, ord_date,
order_type, ship_via, deliver_to, delivery_address, contact_phone,
contact_email, freight_cost, from_stk_loc, delivery_date)
- VALUES (" .db_quote($order_type) . "," . db_quote($order->customer_id) .
- ", " . db_quote($order->Branch) . ", ".
- db_quote($order->cust_ref) .",".
- db_quote($order->Comments) .",'" .
+ VALUES (" .db_escape($order_type) . "," . db_escape($order->customer_id) .
+ ", " . db_escape($order->Branch) . ", ".
+ db_escape($order->cust_ref) .",".
+ db_escape($order->Comments) .",'" .
date2sql($order->document_date) . "', " .
- db_quote($order->sales_type) . ", " .
+ db_escape($order->sales_type) . ", " .
$_POST['ship_via'] ."," .
- db_quote($order->deliver_to) . "," .
- db_quote($order->delivery_address) . ", " .
- db_quote($order->phone) . ", " .
- db_quote($order->email) . ", " .
- db_quote($order->freight_cost) .", " .
- db_quote($order->Location) .", " .
- db_quote($del_date) . ")";
+ db_escape($order->deliver_to) . "," .
+ db_escape($order->delivery_address) . ", " .
+ db_escape($order->phone) . ", " .
+ db_escape($order->email) . ", " .
+ db_escape($order->freight_cost) .", " .
+ db_escape($order->Location) .", " .
+ db_escape($del_date) . ")";
db_query($sql, "order Cannot be Added");
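Review bot: `$_POST['ship_via'] ."," .` on line 191 is the only value in this INSERT that is taken from the request and concatenated raw, even though the commit converts every surrounding `db_quote()` call to `db_escape()`; the line should be `db_escape($_POST['ship_via']) . "," .`. It is also the one column read from `$_POST` directly rather than from `$order`, which the update on line 237 does via `$order->ship_via`; reading it from the order object here would keep the superglobal out of this function entirely. The enclosing function starts before the hunk.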
$sql = "INSERT INTO ".TB_PREF."sales_order_details (order_no, stk_code, description, unit_price, quantity, discount_percent) VALUES (";
$sql .= $order_no .
- ",'$line->stock_id', '$line->item_description', $line->price,
+ ",".db_escape($line->stock_id).", "
+ .db_escape($line->item_description).", $line->price,
$line->quantity,
$line->discount_percent)";
db_query($sql, "order Details Cannot be Added");
begin_transaction();
$sql = "UPDATE ".TB_PREF."sales_orders SET type =".$order->so_type." ,
- debtor_no = " . db_quote($order->customer_id) . ",
- branch_code = " . db_quote($order->Branch) . ",
- customer_ref = ". db_quote($order->cust_ref) .",
- comments = ". db_quote($order->Comments) .",
- ord_date = " . db_quote($ord_date) . ",
- order_type = " .db_quote($order->sales_type) . ",
- ship_via = " . db_quote($order->ship_via) .",
- deliver_to = " . db_quote($order->deliver_to) . ",
- delivery_address = " . db_quote($order->delivery_address) . ",
- contact_phone = " .db_quote($order->phone) . ",
- contact_email = " .db_quote($order->email) . ",
- freight_cost = " .db_quote($order->freight_cost) .",
- from_stk_loc = " .db_quote($order->Location) .",
- delivery_date = " .db_quote($del_date). ",
+ debtor_no = " . db_escape($order->customer_id) . ",
+ branch_code = " . db_escape($order->Branch) . ",
+ customer_ref = ". db_escape($order->cust_ref) .",
+ comments = ". db_escape($order->Comments) .",
+ ord_date = " . db_escape($ord_date) . ",
+ order_type = " .db_escape($order->sales_type) . ",
+ ship_via = " . db_escape($order->ship_via) .",
+ deliver_to = " . db_escape($order->deliver_to) . ",
+ delivery_address = " . db_escape($order->delivery_address) . ",
+ contact_phone = " .db_escape($order->phone) . ",
+ contact_email = " .db_escape($order->email) . ",
+ freight_cost = " .db_escape($order->freight_cost) .",
+ from_stk_loc = " .db_escape($order->Location) .",
+ delivery_date = " .db_escape($del_date). ",
version = ".($version+1)."
WHERE order_no=" . $order_no ."
AND version=".$version;
-
db_query($sql, "order Cannot be Updated, this can be concurrent edition conflict");
$sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =" . $order_no;
(order_no, stk_code, description, unit_price, quantity,
discount_percent, qty_sent)
VALUES (";
- $sql .= $order_no . ",'"
- .$line->stock_id . "','"
- .$line->item_description . "', "
- .$line->price . ", "
- .$line->quantity . ", "
- .$line->discount_percent . ", "
- .$line->qty_done ." )";
+ $sql .= $order_no . ","
+ .db_escape($line->stock_id) . ","
+ .db_escape($line->item_description) . ", "
+ .db_escape($line->price) . ", "
+ .db_escape($line->quantity) . ", "
+ .db_escape($line->discount_percent) . ", "
+ .db_escape($line->qty_done) ." )";
db_query($sql, "Old order Cannot be Inserted");
function add_sales_type($name, $tax_included)
{
- $sql = "INSERT INTO ".TB_PREF."sales_types (sales_type,tax_included) VALUES ('$name','$tax_included')";
+ $sql = "INSERT INTO ".TB_PREF."sales_types (sales_type,tax_included) VALUES (".db_escape($name).",'$tax_included')";
db_query($sql, "could not add sales type");
}
function update_sales_type($id, $name, $tax_included)
{
- $sql = "UPDATE ".TB_PREF."sales_types SET sales_type = '$name',
+ $sql = "UPDATE ".TB_PREF."sales_types SET sales_type = ".db_escape($name).",
tax_included =$tax_included WHERE id = $id";
db_query($sql, "could not update sales type");
{
/*SelectedBranch could also exist if submit had not been clicked this code would not run in this case cos submit is false of course see the delete code below*/
- $sql = "UPDATE ".TB_PREF."cust_branch SET br_name = '" . $_POST['br_name'] . "',
- br_address = '" . $_POST['br_address'] . "',
- phone='" . $_POST['phone'] . "',
- fax='" . $_POST['fax'] . "',
- contact_name='" . $_POST['contact_name'] . "',
- salesman= '" . $_POST['salesman'] . "',
- area='" . $_POST['area'] . "',
- email='" . $_POST['email'] . "',
- tax_group_id=" . $_POST['tax_group_id'] . ",
- sales_account='" . $_POST['sales_account'] . "',
- sales_discount_account='" . $_POST['sales_discount_account'] . "',
- receivables_account='" . $_POST['receivables_account'] . "',
- payment_discount_account='" . $_POST['payment_discount_account'] . "',
- default_location='" . $_POST['default_location'] . "',
- br_post_address = '" . $_POST['br_post_address'] . "',
- disable_trans=" . $_POST['disable_trans'] . ",
- default_ship_via=" . $_POST['default_ship_via'] . "
- WHERE branch_code = '" . $_POST['branch_code'] . "'
- AND debtor_no='" . $_POST['customer_id']. "'";
+ $sql = "UPDATE ".TB_PREF."cust_branch SET br_name = " . db_escape($_POST['br_name']) . ",
+ br_address = ".db_escape($_POST['br_address']). ",
+ phone=".db_escape($_POST['phone']). ",
+ fax=".db_escape($_POST['fax']).",
+ contact_name=".db_escape($_POST['contact_name']) . ",
+ salesman= ".db_escape($_POST['salesman']) . ",
+ area=".db_escape($_POST['area']) . ",
+ email=".db_escape($_POST['email']) . ",
+ tax_group_id=".db_escape($_POST['tax_group_id']). ",
+ sales_account=".db_escape($_POST['sales_account']) . ",
+ sales_discount_account=".db_escape($_POST['sales_discount_account']) . ",
+ receivables_account=".db_escape($_POST['receivables_account']) . ",
+ payment_discount_account=".db_escape($_POST['payment_discount_account']) . ",
+ default_location=".db_escape($_POST['default_location']) . ",
+ br_post_address =".db_escape($_POST['br_post_address']) . ",
+ disable_trans=".db_escape($_POST['disable_trans']) . ",
+ default_ship_via=".db_escape($_POST['default_ship_via']) . "
+ WHERE branch_code =".db_escape($_POST['branch_code']) . "
+ AND debtor_no=".db_escape($_POST['customer_id']);
}
else
salesman, phone, fax,
contact_name, area, email, tax_group_id, sales_account, receivables_account, payment_discount_account, sales_discount_account, default_location,
br_post_address, disable_trans, default_ship_via)
- VALUES ('" . $_POST['customer_id']. "', '" . $_POST['br_name'] . "', '" .
- $_POST['br_address'] . "', '" . $_POST['salesman'] . "', '" .
- $_POST['phone'] . "', '" . $_POST['fax'] . "','" .
- $_POST['contact_name'] . "', '" . $_POST['area'] . "','" .
- $_POST['email'] . "', " . $_POST['tax_group_id'] . ", '" .
- $_POST['sales_account'] . "', '" .
- $_POST['receivables_account'] . "', '" .
- $_POST['payment_discount_account'] . "', '" .
- $_POST['sales_discount_account'] . "', '" .
- $_POST['default_location'] . "', '" . $_POST['br_post_address'] . "'," . $_POST['disable_trans'] . ", " . $_POST['default_ship_via'] . ")";
+ VALUES (".db_escape($_POST['customer_id']). ",".db_escape($_POST['br_name']) . ", "
+ .db_escape($_POST['br_address']) . ", ".db_escape($_POST['salesman']) . ", "
+ .db_escape($_POST['phone']) . ", ".db_escape($_POST['fax']) . ","
+ .db_escape($_POST['contact_name']) . ", ".db_escape($_POST['area']) . ","
+ .db_escape($_POST['email']) . ", ".db_escape($_POST['tax_group_id']) . ", "
+ .db_escape($_POST['sales_account']) . ", "
+ .db_escape($_POST['receivables_account']) . ", "
+ .db_escape($_POST['payment_discount_account']) . ", "
+ .db_escape($_POST['sales_discount_account']) . ", "
+ .db_escape($_POST['default_location']) . ", "
+ .db_escape($_POST['br_post_address']) . ","
+ .db_escape($_POST['disable_trans']) . ", "
+ .db_escape($_POST['default_ship_via']) . ")";
}
//run the sql from either of the above possibilites
if (!isset($_POST['New']))
{
- $sql = "UPDATE ".TB_PREF."debtors_master SET name='" . $_POST['CustName'] . "',
- address='" . $_POST['address'] . "',
- tax_id='" . $_POST['tax_id'] . "',
- curr_code='" . $_POST['curr_code'] . "',
- email='" . $_POST['email'] . "',
- dimension_id=" . $_POST['dimension_id'] . ",
- dimension2_id=" . $_POST['dimension2_id'] . ",
- credit_status='" . $_POST['credit_status'] . "',
- payment_terms='" . $_POST['payment_terms'] . "',
+ $sql = "UPDATE ".TB_PREF."debtors_master SET name=" . db_escape($_POST['CustName']) . ",
+ address=".db_escape($_POST['address']) . ",
+ tax_id=".db_escape($_POST['tax_id']) . ",
+ curr_code=".db_escape($_POST['curr_code']) . ",
+ email=".db_escape($_POST['email']) . ",
+ dimension_id=".db_escape($_POST['dimension_id']) . ",
+ dimension2_id=".db_escape($_POST['dimension2_id']) . ",
+ credit_status=".db_escape($_POST['credit_status']) . ",
+ payment_terms=".db_escape($_POST['payment_terms']) . ",
discount=" . input_num('discount') / 100 . ",
pymt_discount=" . input_num('pymt_discount') / 100 . ",
credit_limit=" . input_num('credit_limit') . ",
- sales_type = '" . $_POST['sales_type'] . "'
- WHERE debtor_no = '" . $_POST['customer_id'] . "'";
+ sales_type = ".db_escape($_POST['sales_type']) . "
+ WHERE debtor_no = '". $_POST['customer_id'] . "'";
db_query($sql,"The customer could not be updated");
display_notification(_("Customer has been updated."));
$sql = "INSERT INTO ".TB_PREF."debtors_master (name, address, tax_id, email, dimension_id, dimension2_id,
curr_code, credit_status, payment_terms, discount, pymt_discount,credit_limit,
- sales_type) VALUES ('" . $_POST['CustName'] ."', '" . $_POST['address'] . "', '" . $_POST['tax_id'] . "',
- '" . $_POST['email'] . "', " . $_POST['dimension_id'] . ", " . $_POST['dimension2_id'] . ", '" . $_POST['curr_code'] . "',
- " . $_POST['credit_status'] . ", '" . $_POST['payment_terms'] . "', " . input_num('discount')/100 . ",
- " . input_num('pymt_discount')/100 . ", " . input_num('credit_limit') . ", '" . $_POST['sales_type'] . "')";
+ sales_type) VALUES (".db_escape($_POST['CustName']) .", "
+ .db_escape($_POST['address']) . ", " . db_escape($_POST['tax_id']) . ","
+ .db_escape($_POST['email']) . ", ".db_escape($_POST['dimension_id']) . ", "
+ .db_escape($_POST['dimension2_id']) . ", ".db_escape($_POST['curr_code']) . ",
+ " . db_escape($_POST['credit_status']) . ", ".db_escape($_POST['payment_terms']) . ", " . input_num('discount')/100 . ",
+ " . input_num('pymt_discount')/100 . ", " . input_num('credit_limit') . ", ".db_escape($_POST['sales_type']) . ")";
db_query($sql,"The customer could not be added");
{
if (isset($selected_id))
{
- $sql = "UPDATE ".TB_PREF."areas SET description='" . $_POST['description'] . "' WHERE area_code = '$selected_id'";
+ $sql = "UPDATE ".TB_PREF."areas SET description=".db_escape($_POST['description'])." WHERE area_code = '$selected_id'";
}
else
{
- $sql = "INSERT INTO ".TB_PREF."areas (description) VALUES ('" . $_POST['description'] . "')";
+ $sql = "INSERT INTO ".TB_PREF."areas (description) VALUES (".db_escape($_POST['description']) . ")";
}
db_query($sql,"The sales area could not be updated or added");
$input_error = 1;
display_error(_("The sales person name cannot be empty."));
}
-
+ $pr1 = check_num('provision', 0,100);
+ if (!$pr1 || !check_num('provision2', 0, 100)) {
+ $input_error = 1;
+ display_error( _("Salesman provision cannot be less than 0 or more than 100%."));
+ set_focus(!$pr1 ? 'provision' : 'provision2');
+ }
+ if (!check_num('break_pt', 0)) {
+ $input_error = 1;
+ display_error( _("Salesman provision breakpoint must be numeric and not less than 0."));
+ set_focus('break_pt');
+ }
if ($input_error != 1)
{
if (isset($selected_id))
{
/*selected_id could also exist if submit had not been clicked this code would not run in this case cos submit is false of course see the delete code below*/
- $sql = "UPDATE ".TB_PREF."salesman SET salesman_name='" . $_POST['salesman_name'] . "',
- salesman_phone='" . $_POST['salesman_phone'] . "',
- salesman_fax='" . $_POST['salesman_fax'] . "',
- salesman_email='" . $_POST['salesman_email'] . "',
+ $sql = "UPDATE ".TB_PREF."salesman SET salesman_name=".db_escape($_POST['salesman_name']) . ",
+ salesman_phone=".db_escape($_POST['salesman_phone']) . ",
+ salesman_fax=".db_escape($_POST['salesman_fax']) . ",
+ salesman_email=".db_escape($_POST['salesman_email']) . ",
provision=".input_num('provision').",
break_pt=".input_num('break_pt').",
provision2=".input_num('provision2')."
/*Selected group is null cos no item selected on first time round so must be adding a record must be submitting new entries in the new Sales-person form */
$sql = "INSERT INTO ".TB_PREF."salesman (salesman_name, salesman_phone, salesman_fax, salesman_email,
provision, break_pt, provision2)
- VALUES ('" . $_POST['salesman_name'] . "', '" .$_POST['salesman_phone'] . "', '" . $_POST['salesman_fax'] . "', '" . $_POST['salesman_email'] . "', ".
- input_num('provision').", ".input_num('break_pt').", ".input_num('provision2').")";
+ VALUES (".db_escape($_POST['salesman_name']) . ", "
+ .db_escape($_POST['salesman_phone']) . ", "
+ .db_escape($_POST['salesman_fax']) . ", "
+ .db_escape($_POST['salesman_email']) . ", ".
+ input_num('provision').", ".input_num('break_pt').", "
+ .input_num('provision2').")";
}
//run the sql from either of the above possibilites
begin_transaction();
$sql = "INSERT INTO ".TB_PREF."item_tax_types (name, exempt)
- VALUES ('$name',$exempt)";
+ VALUES (".db_escape($name).",$exempt)";
db_query($sql, "could not add item tax type");
{
begin_transaction();
- $sql = "UPDATE ".TB_PREF."item_tax_types SET name='$name', exempt=$exempt WHERE id=$id";
+ $sql = "UPDATE ".TB_PREF."item_tax_types SET name=".db_escape($name).
+ ", exempt=$exempt WHERE id=$id";
db_query($sql, "could not update item tax type");
if($tax_shipping) // only one tax group for shipping
clear_shipping_tax_group();
- $sql = "INSERT INTO ".TB_PREF."tax_groups (name, tax_shipping) VALUES ('$name', $tax_shipping)";
+ $sql = "INSERT INTO ".TB_PREF."tax_groups (name, tax_shipping) VALUES (".db_escape($name).", $tax_shipping)";
db_query($sql, "could not add tax group");
$id = db_insert_id();
if($tax_shipping) // only one tax group for shipping
clear_shipping_tax_group();
- $sql = "UPDATE ".TB_PREF."tax_groups SET name='$name',tax_shipping=$tax_shipping WHERE id=$id";
+ $sql = "UPDATE ".TB_PREF."tax_groups SET name=".db_escape($name).",tax_shipping=$tax_shipping WHERE id=$id";
db_query($sql, "could not update tax group");
delete_tax_group_items($id);
function add_tax_type($name, $sales_gl_code, $purchasing_gl_code, $rate)
{
$sql = "INSERT INTO ".TB_PREF."tax_types (name, sales_gl_code, purchasing_gl_code, rate)
- VALUES ('$name', '$sales_gl_code', '$purchasing_gl_code', $rate)";
+ VALUES (".db_escape($name).", ".db_escape($sales_gl_code)
+ .", ".db_escape($purchasing_gl_code).", $rate)";
db_query($sql, "could not add tax type");
}
function update_tax_type($type_id, $name, $sales_gl_code, $purchasing_gl_code, $rate)
{
- $sql = "UPDATE ".TB_PREF."tax_types SET name='$name',
- sales_gl_code='$sales_gl_code',
- purchasing_gl_code='$purchasing_gl_code',
+ $sql = "UPDATE ".TB_PREF."tax_types SET name=".db_escape($name).",
+ sales_gl_code=".db_escape($sales_gl_code).",
+ purchasing_gl_code=".db_escape($purchasing_gl_code).",
rate=$rate
WHERE id=$type_id";