if ($field_type[$k] != "" && $field_type[$k] != "NO" && $row2[$k] == "")
$out .= "NULL";
else
- $out .= "'" . db_escape($row2[$k]) . "'";
+ $out .= db_escape($row2[$k]);
if ($k < ($nf - 1))
$out .= ", ";
}
$account_name = db_escape($account_name);
$sql = "INSERT INTO ".TB_PREF."chart_master (account_code, account_code2, account_name, account_type,
tax_code)
- VALUES ('$account_code', '$account_code2', '$account_name', $account_type, $tax_code)";
+ VALUES ('$account_code', '$account_code2', $account_name, $account_type, $tax_code)";
db_query($sql, "could not add gl account");
}
function update_gl_account($account_code, $account_name, $account_type, $account_code2, $tax_code)
{
$account_name = db_escape($account_name);
- $sql = "UPDATE ".TB_PREF."chart_master SET account_name='$account_name',
+ $sql = "UPDATE ".TB_PREF."chart_master SET account_name=$account_name,
account_type=$account_type, account_code2='$account_code2',
tax_code=$tax_code WHERE account_code = '$account_code'";
/*Insert to purchase order header record */
$sql = "INSERT INTO ".TB_PREF."purch_orders (supplier_id, Comments, ord_date, reference, requisition_no, into_stock_location, delivery_address) VALUES(";
- $sql .= "'" . $po_obj->supplier_id . "', '" .
- db_escape($po_obj->Comments) . "','" .
+ $sql .= "' ". $po_obj->supplier_id . "'," .
+ db_escape($po_obj->Comments) . ",'" .
date2sql($po_obj->orig_order_date) . "', '" .
- $po_obj->reference . "', '" .
- $po_obj->requisition_no . "', '" .
- $po_obj->Location . "', '" .
- $po_obj->delivery_address . "')";
+ $po_obj->reference . "', " .
+ db_escape($po_obj->requisition_no) . ", " .
+ db_escape($po_obj->Location) . ", " .
+ db_escape($po_obj->delivery_address) . ")";
db_query($sql, "The purchase order header record could not be inserted");
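Review bot: Line 27 rewrites the supplier_id literal as `"' "` followed by the value, so the generated SQL now carries a leading space inside the quotes (`' 123'`), and supplier_id is the one value in this INSERT still concatenated raw while Comments, requisition_no, Location and delivery_address go through db_escape. Since the new side uses db_escape's result without surrounding quotes, the consistent form is `$sql .= db_escape($po_obj->supplier_id) . "," .`. The same leftover — a value interpolated straight into the statement next to ones the commit escapes — remains at lines 13 and 21–22 (`$account_code`, `$account_code2`) and line 76 (`$po_line->stock_id`). The enclosing function starts outside the hunk.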
if ($po_line->Deleted == false)
{
$sql = "INSERT INTO ".TB_PREF."purch_order_details (order_no, item_code, description, delivery_date, unit_price, quantity_ordered) VALUES (";
- $sql .= $po_obj->order_no . ", '" . $po_line->stock_id . "','" .
- $po_line->item_description . "','" .
+ $sql .= $po_obj->order_no . ", " . db_escape($po_line->stock_id). "," .
+ db_escape($po_line->item_description). ",'" .
date2sql($po_line->req_del_date) . "'," .
$po_line->price . ", " .
$po_line->quantity . ")";
begin_transaction();
/*Update the purchase order header with any changes */
- $sql = "UPDATE ".TB_PREF."purch_orders SET Comments='" . db_escape($po_obj->Comments) . "',
- requisition_no= '" . $po_obj->requisition_no . "',
- into_stock_location='" . $po_obj->Location . "',
+ $sql = "UPDATE ".TB_PREF."purch_orders SET Comments=" . db_escape($po_obj->Comments) . ",
+ requisition_no= " db_escape(. $po_obj->requisition_no). ",
+ into_stock_location=" . db_escape($po_obj->Location). ",
ord_date='" . date2sql($po_obj->orig_order_date) . "',
- delivery_address='" . $po_obj->delivery_address . "'";
+ delivery_address=" . db_escape($po_obj->delivery_address);
$sql .= " WHERE order_no = " . $po_obj->order_no;
db_query($sql, "The purchase order could not be updated");
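Review bot: Line 55 does not parse: the concatenation operator between the string literal and `db_escape(` is missing and a stray `.` sits inside the call, so the file fails to load and every purchase-order update path with it. The line should read `requisition_no= " . db_escape($po_obj->requisition_no) . ",`. The enclosing function starts outside the hunk.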
{
// Sherifoz 21.06.03 Handle adding new lines vs. updating. if no key(po_detail_rec) then it's a new line
$sql = "INSERT INTO ".TB_PREF."purch_order_details (order_no, item_code, description, delivery_date, unit_price, quantity_ordered) VALUES (";
- $sql .= $po_obj->order_no . ", '" .
- $po_line->stock_id . "','" .
- $po_line->item_description . "','" .
+ $sql .= $po_obj->order_no . "," .
+ db_escape($po_line->stock_id). "," .
+ db_escape($po_line->item_description). ",'" .
date2sql($po_line->req_del_date) . "'," .
$po_line->price . ", " . $po_line->quantity . ")";
}
else
{
$sql = "UPDATE ".TB_PREF."purch_order_details SET item_code='" . $po_line->stock_id . "',
- description ='" . $po_line->item_description . "',
+ description =" . db_escape($po_line->item_description). ",
delivery_date ='" . date2sql($po_line->req_del_date) . "',
unit_price=" . $po_line->price . ",
quantity_ordered=" . $po_line->quantity . "
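Review bot: Line 76 still splices `$po_line->stock_id` into the UPDATE inside hand-written quotes while line 78 now routes description through db_escape, and the sibling INSERTs at lines 44 and 69 already escape stock_id. To close the remaining unescaped sink in this statement and match those hunks, change it to `$sql = "UPDATE ".TB_PREF."purch_order_details SET item_code=" . db_escape($po_line->stock_id) . ",`. The SQL string continues past line 81 and the enclosing function starts and ends outside the hunk.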
$sql = "INSERT INTO ".TB_PREF."sales_orders (type, debtor_no, branch_code, customer_ref, comments, ord_date,
order_type, ship_via, deliver_to, delivery_address, contact_phone,
contact_email, freight_cost, from_stk_loc, delivery_date)
- VALUES ('" . $order_type . "', '" . $order->customer_id . "', '" . $order->Branch . "', '".
- $order->cust_ref ."','". db_escape($order->Comments) ."','" .
- date2sql($order->document_date) . "', '" .
- $order->sales_type . "', " .
- $_POST['ship_via'] .",'" . $order->deliver_to . "', '" .
- $order->delivery_address . "', '" .
- $order->phone . "', '" . $order->email . "', " .
- $order->freight_cost .", '" . $order->Location ."', '" .
- $del_date . "')";
+ VALUES (" .db_quote($order_type) . "," . db_quote($order->customer_id) .
+ ", " . db_quote($order->Branch) . ", ".
+ db_quote($order->cust_ref) .",".
+ db_quote($order->Comments) .",'" .
+ date2sql($order->document_date) . "', " .
+ db_quote($order->sales_type) . ", " .
+ $_POST['ship_via'] ."," .
+ db_quote($order->deliver_to) . "," .
+ db_quote($order->delivery_address) . ", " .
+ db_quote($order->phone) . ", " .
+ db_quote($order->email) . ", " .
+ db_quote($order->freight_cost) .", " .
+ db_quote($order->Location) .", " .
+ db_quote($del_date) . ")";
db_query($sql, "order Cannot be Added");
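Review bot: Line 100 is the one value in the rewritten VALUES list that bypasses db_quote — `$_POST['ship_via']` is request input concatenated directly into the INSERT — while every other column now goes through db_quote and the UPDATE at line 131 quotes `$order->ship_via`. Matching that, use `db_quote($_POST['ship_via']) . "," .`, or assign the value to `$order->ship_via` first and quote that; `$order->so_type` at line 110 is likewise still raw. Whether db_quote treats numeric columns such as freight_cost (line 105) as intended cannot be told from this hunk, since its definition is not shown. The enclosing function starts outside the hunk.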
begin_transaction();
$sql = "UPDATE ".TB_PREF."sales_orders SET type =".$order->so_type." ,
- debtor_no = '" . $order->customer_id . "',
- branch_code = '" . $order->Branch . "',
- customer_ref = '". $order->cust_ref ."',
- comments = '". db_escape($order->Comments) ."',
- ord_date = '" . $ord_date . "',
- order_type = '" . $order->sales_type . "',
- ship_via = " . $order->ship_via .",
- deliver_to = '" . $order->deliver_to . "',
- delivery_address = '" . $order->delivery_address . "',
- contact_phone = '" . $order->phone . "',
- contact_email = '" . $order->email . "',
- freight_cost = " . $order->freight_cost .",
- from_stk_loc = '" . $order->Location ."',
- delivery_date = '" . $del_date . "',
+ debtor_no = " . db_quote($order->customer_id) . ",
+ branch_code = " . db_quote($order->Branch) . ",
+ customer_ref = ". db_quote($order->cust_ref) .",
+ comments = ". db_quote($order->Comments) .",
+ ord_date = " . db_quote($ord_date) . ",
+ order_type = " .db_quote($order->sales_type) . ",
+ ship_via = " . db_quote($order->ship_via) .",
+ deliver_to = " . db_quote($order->deliver_to) . ",
+ delivery_address = " . db_quote($order->delivery_address) . ",
+ contact_phone = " .db_quote($order->phone) . ",
+ contact_email = " .db_quote($order->email) . ",
+ freight_cost = " .db_quote($order->freight_cost) .",
+ from_stk_loc = " .db_quote($order->Location) .",
+ delivery_date = " .db_quote($del_date). ",
version = ".($version+1)."
WHERE order_no=" . $order_no ."
AND version=".$version;
if ($cart->trans_type!=30) {
$cart->reference = $_POST['ref'];
}
- $cart->Comments = str_replace("'", "\\'", $_POST['Comments']);
+ $cart->Comments = $_POST['Comments'];
$cart->document_date = $_POST['OrderDate'];
$cart->due_date = $_POST['delivery_date'];