Security update merged from 2.1.
authorJanusz Dobrowolski <janusz@frontaccounting.eu>
Sun, 18 Oct 2009 18:43:32 +0000 (18:43 +0000)
committerJanusz Dobrowolski <janusz@frontaccounting.eu>
Sun, 18 Oct 2009 18:43:32 +0000 (18:43 +0000)
120 files changed:
CHANGELOG.txt
admin/attachments.php
admin/db/company_db.inc
admin/db/printers_db.inc
admin/db/voiding_db.inc
admin/payment_terms.php
admin/print_profiles.php
admin/printers.php
admin/shipping_companies.php
admin/view_print_transaction.php
dimensions/includes/dimensions_db.inc
dimensions/inquiry/search_dimensions.php
gl/bank_account_reconcile.php
gl/gl_budget.php
gl/includes/db/gl_db_account_types.inc
gl/includes/db/gl_db_accounts.inc
gl/includes/db/gl_db_bank_accounts.inc
gl/includes/db/gl_db_bank_trans.inc
gl/includes/db/gl_db_banking.inc
gl/includes/db/gl_db_currencies.inc
gl/includes/db/gl_db_rates.inc
gl/includes/db/gl_db_trans.inc
gl/inquiry/bank_inquiry.php
gl/manage/gl_account_types.php
gl/view/bank_transfer_view.php
gl/view/gl_trans_view.php
includes/db/connect_db.inc
inventory/cost_update.php
inventory/includes/db/items_category_db.inc
inventory/includes/db/items_codes_db.inc
inventory/includes/db/items_db.inc
inventory/includes/db/items_locations_db.inc
inventory/includes/db/items_prices_db.inc
inventory/includes/db/items_trans_db.inc
inventory/includes/db/items_units_db.inc
inventory/includes/db/movement_types_db.inc
inventory/inquiry/stock_movements.php
inventory/manage/item_categories.php
inventory/manage/item_units.php
inventory/manage/items.php
inventory/manage/locations.php
inventory/manage/movement_types.php
inventory/purchasing_data.php
manufacturing/includes/db/work_centres_db.inc
manufacturing/includes/db/work_order_issues_db.inc
manufacturing/includes/db/work_order_produce_items_db.inc
manufacturing/includes/db/work_order_requirements_db.inc
manufacturing/includes/db/work_orders_db.inc
manufacturing/includes/db/work_orders_quick_db.inc
manufacturing/inquiry/where_used_inquiry.php
manufacturing/manage/bom_edit.php
manufacturing/manage/work_centres.php
manufacturing/search_work_orders.php
purchasing/includes/db/grn_db.inc
purchasing/includes/db/invoice_db.inc
purchasing/includes/db/invoice_items_db.inc
purchasing/includes/db/po_db.inc
purchasing/includes/db/supp_trans_db.inc
purchasing/includes/db/suppalloc_db.inc
purchasing/includes/db/suppliers_db.inc
purchasing/includes/purchasing_db.inc
purchasing/inquiry/po_search.php
purchasing/inquiry/po_search_completed.php
purchasing/inquiry/supplier_allocation_inquiry.php
purchasing/inquiry/supplier_inquiry.php
purchasing/manage/suppliers.php
purchasing/po_entry_items.php
purchasing/po_receive_items.php
purchasing/supplier_credit.php
purchasing/supplier_invoice.php
reporting/rep101.php
reporting/rep102.php
reporting/rep103.php
reporting/rep104.php
reporting/rep105.php
reporting/rep108.php
reporting/rep201.php
reporting/rep202.php
reporting/rep203.php
reporting/rep204.php
reporting/rep209.php
reporting/rep301.php
reporting/rep302.php
reporting/rep303.php
reporting/rep304.php
reporting/rep401.php
reporting/rep501.php
reporting/rep705.php
sales/create_recurrent_invoices.php
sales/customer_payments.php
sales/includes/db/branches_db.inc
sales/includes/db/credit_status_db.inc
sales/includes/db/cust_trans_db.inc
sales/includes/db/cust_trans_details_db.inc
sales/includes/db/custalloc_db.inc
sales/includes/db/customers_db.inc
sales/includes/db/sales_order_db.inc
sales/includes/db/sales_points_db.inc
sales/includes/db/sales_types_db.inc
sales/includes/sales_db.inc
sales/inquiry/customer_allocation_inquiry.php
sales/inquiry/customer_inquiry.php
sales/inquiry/sales_deliveries_view.php
sales/inquiry/sales_orders_view.php
sales/manage/credit_status.php
sales/manage/customer_branches.php
sales/manage/customers.php
sales/manage/recurrent_invoices.php
sales/manage/sales_areas.php
sales/manage/sales_groups.php
sales/manage/sales_people.php
sales/manage/sales_types.php
sales/view/view_sales_order.php
taxes/db/item_tax_types_db.inc
taxes/db/tax_groups_db.inc
taxes/db/tax_types_db.inc
taxes/item_tax_types.php
taxes/tax_calc.inc
taxes/tax_groups.php
taxes/tax_types.php

index cf12912998e9b7009f2ece79b9a16fe0d2ab2355..6e1977d998626f1ab18171f5d104d6d7d096b68b 100644 (file)
@@ -19,6 +19,92 @@ Legend:
 ! -> Note
 $ -> Affected files
 
+18-Oct-2009 Janusz Dobrowolski (merged changes for 2.1.7 from main branch)
+! Added html_entity_decode() in db_escape() for correct INSERT>SELECT>INSERT sequences.
+$ /includes/db/connect_db.inc
+# Fixed warnings on first page display
+$ /admin/company_preferences.php
+# Fixed erroneous message
+$ /gl/manage/gl_account_types.php
+# Security sql statements update against sql injection attacks.
+$ /admin/attachments.php
+  /admin/payment_terms.php
+  /admin/print_profiles.php
+  /admin/printers.php
+  /admin/shipping_companies.php
+  /admin/view_print_transaction.php
+  /admin/db/company_db.inc
+  /admin/db/printers_db.inc
+  /admin/db/voiding_db.inc
+  /admin/db/users_db.inc
+  /dimensions/includes/dimensions_db.inc
+  /dimensions/inquiry/search_dimensions.php
+  /gl/bank_account_reconcile.php
+  /gl/gl_budget.php
+  /gl/includes/db/gl_db_account_types.inc
+  /gl/includes/db/gl_db_accounts.inc
+  /gl/includes/db/gl_db_bank_accounts.inc
+  /gl/includes/db/gl_db_bank_trans.inc
+  /gl/includes/db/gl_db_banking.inc
+  /gl/includes/db/gl_db_currencies.inc
+  /gl/includes/db/gl_db_rates.inc
+  /gl/includes/db/gl_db_trans.inc
+  /gl/inquiry/bank_inquiry.php
+  /gl/view/bank_transfer_view.php
+  /gl/view/gl_trans_view.php
+  /inventory/cost_update.php
+  /inventory/purchasing_data.php
+  /inventory/includes/db/items_category_db.inc
+  /inventory/includes/db/items_codes_db.inc
+  /inventory/includes/db/items_db.inc
+  /inventory/includes/db/items_locations_db.inc
+  /inventory/includes/db/items_prices_db.inc
+  /inventory/includes/db/items_trans_db.inc
+  /inventory/includes/db/items_units_db.inc
+  /inventory/includes/db/movement_types_db.inc
+  /inventory/inquiry/stock_movements.php
+  /inventory/manage/item_categories.php
+  /inventory/manage/item_units.php
+  /inventory/manage/items.php
+  /inventory/manage/locations.php
+  /inventory/manage/movement_types.php
+  /manufacturing/search_work_orders.php
+  /manufacturing/includes/db/work_centres_db.inc
+  /manufacturing/includes/db/work_order_issues_db.inc
+  /manufacturing/includes/db/work_order_produce_items_db.inc
+  /manufacturing/includes/db/work_order_requirements_db.inc
+  /manufacturing/includes/db/work_orders_db.inc
+  /manufacturing/includes/db/work_orders_quick_db.inc
+  /manufacturing/inquiry/where_used_inquiry.php
+  /manufacturing/manage/bom_edit.php
+  /manufacturing/manage/work_centres.php
+  /purchasing/po_entry_items.php
+  /purchasing/po_receive_items.php
+  /purchasing/supplier_credit.php
+  /purchasing/supplier_invoice.php
+  /purchasing/includes/purchasing_db.inc
+  /purchasing/includes/db/grn_db.inc
+  /purchasing/includes/db/invoice_db.inc
+  /purchasing/includes/db/invoice_items_db.inc
+  /purchasing/includes/db/po_db.inc
+  /purchasing/includes/db/supp_trans_db.inc
+  /purchasing/includes/db/suppalloc_db.inc
+  /purchasing/includes/db/suppliers_db.inc
+  /purchasing/inquiry/po_search.php
+  /purchasing/inquiry/po_search_completed.php
+  /purchasing/inquiry/supplier_allocation_inquiry.php
+  /purchasing/inquiry/supplier_inquiry.php
+  /purchasing/manage/suppliers.php
+
+12-Oct-2009 Janusz Dobrowolski (merged)
+# Fixed sql injection vulnerability on some php/mysql configurations
+$ /admin/db/users_db.inc
+! Single quotes also encoded before database data insert
+$ /admin/db/maintenance_db.inc
+  /includes/db/connect_db.inc
+  /reporting/includes/tcpdf.php
+  /sales/includes/cart_class.inc
+
 16-Oct-2009 Janusz Dobrowolski
 + Access control system description.
 $ /doc/access_levels.txt (new)
index 6febfb70c92c77b922204d9162178abc65472275..3b39aa94bdeb22e7d28fa9394366a8950f3ac495 100644 (file)
@@ -112,25 +112,27 @@ if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')
        if ($Mode == 'ADD_ITEM')
        {
                $sql = "INSERT INTO ".TB_PREF."attachments (type_no, trans_no, description, filename, unique_name,
-                       filesize, filetype, tran_date) VALUES (".$_POST['filterType'].",".$_POST['trans_no'].",".
-                       db_escape($_POST['description']).", '$filename', '$unique_name', '$filesize', '$filetype', '$date')";
+                       filesize, filetype, tran_date) VALUES (".db_escape($_POST['filterType']).","
+                       .db_escape($_POST['trans_no']).",".db_escape($_POST['description']).", "
+                       .db_escape($filename).", ".db_escape($unique_name).", ".db_escape($filesize)
+                       .", ".db_escape($filetype).", '$date')";
                db_query($sql, "Attachment could not be inserted");             
                display_notification(_("Attachment has been inserted.")); 
        }
        else
        {
                $sql = "UPDATE ".TB_PREF."attachments SET
-                       type_no=".$_POST['filterType'].",
-                       trans_no=".$_POST['trans_no'].",
+                       type_no=".db_escape($_POST['filterType']).",
+                       trans_no=".db_escape($_POST['trans_no']).",
                        description=".db_escape($_POST['description']).", ";
                if ($filename != "")
                {
-                       $sql .= "filename='$filename',
-                       unique_name='$unique_name',
-                       filesize='$filesize',
-                       filetype='$filetype', ";
+                       $sql .= "filename=".db_escape($filename).",
+                       unique_name=".db_escape($unique_name).",
+                       filesize=".db_escape($filesize).",
+                       filetype=".db_escape($filetype);
                }       
-               $sql .= "tran_date='$date' WHERE id=$selected_id";
+               $sql .= "tran_date='$date' WHERE id=".db_escape($selected_id);
                db_query($sql, "Attachment could not be updated");              
                display_notification(_("Attachment has been updated.")); 
        }
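Review bot: The rewritten filetype assignment drops the trailing `, ` that the old line `filetype='$filetype', ";` carried, so whenever a new file is uploaded on update the statement becomes `filetype='...'tran_date='...' WHERE id=...`, which is a SQL syntax error and the update fails. The line should read `filetype=".db_escape($filetype).", ";` so the `tran_date=` fragment appended below still joins with a separator. `$date` is still interpolated as `'$date'` in both the INSERT and the UPDATE; it presumably comes from date2sql() above this hunk, which should be confirmed since it is the one remaining unescaped value. The enclosing `if ($Mode == 'ADD_ITEM' || ...)` block starts before this hunk.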
@@ -143,7 +145,7 @@ if ($Mode == 'Delete')
        $dir =  $comp_path."/".user_company(). "/attachments";
        if (file_exists($dir."/".$row['unique_name']))
                unlink($dir."/".$row['unique_name']);
-       $sql = "DELETE FROM ".TB_PREF."attachments WHERE id = $selected_id";
+       $sql = "DELETE FROM ".TB_PREF."attachments WHERE id = ".db_escape($selected_id);
        db_query($sql, "Could not delete attachment");
        display_notification(_("Attachment has been deleted.")); 
        $Mode = 'RESET';
@@ -173,13 +175,14 @@ function viewing_controls()
 
 function get_attached_documents($type)
 {
-       $sql = "SELECT * FROM ".TB_PREF."attachments WHERE type_no=$type ORDER BY trans_no";
+       $sql = "SELECT * FROM ".TB_PREF."attachments WHERE type_no=".db_escape($type)
+       ." ORDER BY trans_no";
        return db_query($sql, "Could not retrieve attachments");
 }
 
 function get_attachment($id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."attachments WHERE id=$id";
+       $sql = "SELECT * FROM ".TB_PREF."attachments WHERE id=".db_escape($id);
        $result = db_query($sql, "Could not retrieve attachments");
        return db_fetch($result);
 }
index 77780a60a268ad7c827b95791e849f72fe2aca47..621e986571a85afc31a3ccfcc60c8f735f598f2e 100644 (file)
@@ -121,14 +121,14 @@ function add_fiscalyear($from_date, $to_date, $closed)
        $to = date2sql($to_date);
 
        $sql = "INSERT INTO ".TB_PREF."fiscal_year (begin, end, closed)
-               VALUES (".db_escape($from).",".db_escape($to).", $closed)";
+               VALUES (".db_escape($from).",".db_escape($to).", ".db_escape($closed).")";
 
        db_query($sql, "could not add fiscal year");
 }
 
 function update_fiscalyear($id, $closed)
 {
-       $sql = "UPDATE ".TB_PREF."fiscal_year SET closed=$closed
+       $sql = "UPDATE ".TB_PREF."fiscal_year SET closed=".db_escape($closed)."
                WHERE id=".db_escape($id);
 
        db_query($sql, "could not update fiscal year");
@@ -154,7 +154,7 @@ function get_current_fiscalyear()
 {
        $year = get_company_pref('f_year');
 
-       $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=$year";
+       $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=".db_escape($year);
 
        $result = db_query($sql, "could not get current fiscal year");
 
index f605f658aefe52b4a0c34209b643ec215f94a9fd..572dca5e2b28eba5b8fc0ddc61911777cded1cda 100644 (file)
@@ -15,13 +15,13 @@ function write_printer_def($id, $name, $descr, $queue, $host, $port, $timeout)
        if ($id>0)
                $sql = "UPDATE ".TB_PREF."printers SET description=".db_escape($descr)
                .",name=".db_escape($name).",queue=".db_escape($queue)
-               .",host=".db_escape($host).",port='$port',timeout='$timeout' "
-               ."WHERE id=$id";
+               .",host=".db_escape($host).",port=".db_escape($port).",timeout=".db_escape($timeout)
+               ." WHERE id=".db_escape($id);
        else 
                $sql = "INSERT INTO ".TB_PREF."printers ("
                        ."name,description,queue,host,port,timeout) "
                        ."VALUES (".db_escape($name).",".db_escape($descr).","
-                       .db_escape($queue).",".db_escape($host).",'$port','$timeout')";
+                       .db_escape($queue).",".db_escape($host).",".db_escape($port).",".db_escape($timeout).")";
 
        return db_query($sql,"could not write printer definition");
 }
@@ -35,7 +35,7 @@ function get_all_printers()
 function get_printer($id)
 {
                $sql = "SELECT * FROM ".TB_PREF."printers
-                       WHERE id=$id";
+                       WHERE id=".db_escape($id);
 
                $result = db_query($sql,"could not get printer definition");
                return  db_fetch($result);
@@ -71,7 +71,7 @@ function update_printer_profile($name, $dest)
 function get_report_printer($profile, $report)
 {
        $sql = "SELECT printer FROM ".TB_PREF."print_profiles WHERE "
-               ."profile=".db_escape($profile)." AND report=";
+               ."profile=".db_escape($profile)." AND report=".db_escape($report);
 
        $result = db_query($sql.db_escape($report), 'report printer lookup failed');
 
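Review bot: `$report` is now appended twice: the new line ends the query with `report=".db_escape($report)`, but the unchanged `db_query($sql.db_escape($report), ...)` call two lines later still concatenates it again, so the executed statement ends in `report='x''x'` and the lookup no longer matches the intended row. The call should become `$result = db_query($sql, 'report printer lookup failed');` now that the value is part of `$sql`. get_report_printer's remaining lines are outside this hunk.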
index 8efc0036dbdd0d13451545894da9200601ce363a..553240c2b016c1d2220d930529d0dd244b21afe6 100644 (file)
@@ -115,7 +115,8 @@ function void_transaction($type, $type_no, $date_, $memo_)
 
 function get_voided_entry($type, $type_no)
 {
-       $sql = "SELECT * FROM ".TB_PREF."voided WHERE type=$type AND id=$type_no";
+       $sql = "SELECT * FROM ".TB_PREF."voided WHERE type=".db_escape($type)
+               ." AND id=".db_escape($type_no);
 
        $result = db_query($sql, "could not query voided transaction table");
 
@@ -128,7 +129,8 @@ function add_voided_entry($type, $type_no, $date_, $memo_)
 {
        $date = date2sql($date_);
        $sql = "INSERT INTO ".TB_PREF."voided (type, id, date_, memo_)
-               VALUES ($type, $type_no, ".db_escape($date).", ".db_escape($memo_).")";
+               VALUES (".db_escape($type).", ".db_escape($type_no).", "
+               .db_escape($date).", ".db_escape($memo_).")";
 
        db_query($sql, "could not add voided transaction entry");
 }
index 1dd5dc67d9b533af4a79efd18634046d4ebe76ec..5855b989dd78373afe723105712554bafc31f369 100644 (file)
@@ -103,7 +103,7 @@ if ($Mode == 'Delete')
 {
        // PREVENT DELETES IF DEPENDENT RECORDS IN debtors_master
 
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtors_master WHERE payment_terms = '$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtors_master WHERE payment_terms = ".db_escape($selected_id);
        $result = db_query($sql,"check failed");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
@@ -112,7 +112,7 @@ if ($Mode == 'Delete')
        } 
        else 
        {
-               $sql= "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE payment_terms = '$selected_id'";
+               $sql= "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE payment_terms = ".db_escape($selected_id);
                $result = db_query($sql,"check failed");
                $myrow = db_fetch_row($result);
                if ($myrow[0] > 0) 
@@ -123,7 +123,7 @@ if ($Mode == 'Delete')
                {
                        //only delete if used in neither customer or supplier accounts
 
-                       $sql="DELETE FROM ".TB_PREF."payment_terms WHERE terms_indicator='$selected_id'";
+                       $sql="DELETE FROM ".TB_PREF."payment_terms WHERE terms_indicator=".db_escape($selected_id);
                        db_query($sql,"could not delete a payment terms");
                        display_notification(_('Selected payment terms have been deleted'));
                }
@@ -198,7 +198,7 @@ if ($selected_id != -1)
        if ($Mode == 'Edit') {
                //editing an existing payment terms
                $sql = "SELECT * FROM ".TB_PREF."payment_terms
-                       WHERE terms_indicator='$selected_id'";
+                       WHERE terms_indicator=".db_escape($selected_id);
 
                $result = db_query($sql,"could not get payment term");
                $myrow = db_fetch($result);
index 99ef82e1d5144c6e1e9645f616751c8974708177..02e3701c55a9a2af8b13a55c1f5f53a16614ca96 100644 (file)
@@ -77,7 +77,7 @@ function check_delete($name)
 {
 // check if selected profile is used by any user
        if ($name=='') return 0; // cannot delete system default profile
-       $sql = "SELECT * FROM ".TB_PREF."users WHERE print_profile='$name'";
+       $sql = "SELECT * FROM ".TB_PREF."users WHERE print_profile=".db_escape($name);
        $res = db_query($sql,'cannot check printing profile usage');
        return db_num_rows($res);
 }
index 8104f1729beffb9a2a146bf8cabd56fd3c70e97e..4c8ad144021e4b670a474469454ec81739dadcef 100644 (file)
@@ -59,7 +59,7 @@ if ($Mode == 'Delete')
 {
        // PREVENT DELETES IF DEPENDENT RECORDS IN print_profiles
 
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."print_profiles WHERE printer = '$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."print_profiles WHERE printer = ".db_escape($selected_id);
        $result = db_query($sql,"check printers relations failed");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
@@ -68,7 +68,7 @@ if ($Mode == 'Delete')
        } 
        else 
        {
-                       $sql="DELETE FROM ".TB_PREF."printers WHERE id='$selected_id'";
+                       $sql="DELETE FROM ".TB_PREF."printers WHERE id=".db_escape($selected_id);
                        db_query($sql,"could not delete printer definition");
                        display_notification(_('Selected printer definition has been deleted'));
        }
index c215f8cd31941cf55e88f5c95aaabc005c514e72..cb08f69bc088c5fa63fcf454f9cc1ae55320f1cc 100644 (file)
@@ -55,7 +55,7 @@ if ($Mode=='UPDATE_ITEM' && can_process())
                phone =" . db_escape($_POST['phone']). " ,
                phone2 =" . db_escape($_POST['phone2']). " ,
                address =" . db_escape($_POST['address']). "
-               WHERE shipper_id = $selected_id";
+               WHERE shipper_id = ".db_escape($selected_id);
 
        db_query($sql,"The shipping company could not be updated");
        display_notification(_('Selected shipping company has been updated'));
@@ -68,7 +68,7 @@ if ($Mode == 'Delete')
 {
 // PREVENT DELETES IF DEPENDENT RECORDS IN 'sales_orders'
 
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE ship_via='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE ship_via=".db_escape($selected_id);
        $result = db_query($sql,"check failed");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
@@ -80,7 +80,7 @@ if ($Mode == 'Delete')
        {
                // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtor_trans'
 
-               $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE ship_via='$selected_id'";
+               $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE ship_via=".db_escape($selected_id);
                $result = db_query($sql,"check failed");
                $myrow = db_fetch_row($result);
                if ($myrow[0] > 0) 
@@ -90,7 +90,7 @@ if ($Mode == 'Delete')
                } 
                else 
                {
-                       $sql="DELETE FROM ".TB_PREF."shippers WHERE shipper_id=$selected_id";
+                       $sql="DELETE FROM ".TB_PREF."shippers WHERE shipper_id=".db_escape($selected_id);
                        db_query($sql,"could not delete shipper");
                        display_notification(_('Selected shipping company has been deleted'));
                }
@@ -146,7 +146,7 @@ if ($selected_id != -1)
        if ($Mode == 'Edit') {
                //editing an existing Shipper
 
-               $sql = "SELECT * FROM ".TB_PREF."shippers WHERE shipper_id=$selected_id";
+               $sql = "SELECT * FROM ".TB_PREF."shippers WHERE shipper_id=".db_escape($selected_id);
 
                $result = db_query($sql, "could not get shipper");
                $myrow = db_fetch($result);
index 90943fe75bb00647eba2504920cf33afe8ebfaab..3969418151680e4e5941a15115909e8e4f47506c 100644 (file)
@@ -109,11 +109,11 @@ function handle_search()
                        $sql .= " ,$trans_ref ";
 
                $sql .= ", ".$_POST['filterType']." as type FROM $table_name
-                       WHERE $trans_no_name >= " . $_POST['FromTransNo']. "
-                       AND  $trans_no_name <= " . $_POST['ToTransNo'];
+                       WHERE $trans_no_name >= ".db_escape($_POST['FromTransNo']). "
+                       AND  $trans_no_name <= ".db_escape($_POST['ToTransNo']);
 
                if ($type_name != null)
-                       $sql .= " AND `$type_name` = " . $_POST['filterType'];
+                       $sql .= " AND `$type_name` = ".db_escape($_POST['filterType']);
 
                $sql .= " ORDER BY $trans_no_name";
 
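Review bot: `$_POST['filterType']` is still interpolated raw in the SELECT list on the unchanged line `$sql .= ", ".$_POST['filterType']." as type FROM $table_name`, while the same value is now escaped in the `AND \`$type_name\` =` clause, so the request parameter still reaches the query unescaped through the first use. That line should be `$sql .= ", ".db_escape($_POST['filterType'])." as type FROM $table_name`, or the value validated as an integer before any of these uses. `$table_name`, `$trans_no_name` and `$type_name` are set earlier in handle_search(), outside this hunk, so whether they are derived from the same untrusted input cannot be confirmed here.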
index 2a89b59643b1551d7c8856bb5471ba022e95ab78..c455e891cfa8f462bf96426515991713c0b16464 100644 (file)
@@ -19,7 +19,8 @@ function add_dimension($reference, $name, $type_, $date_, $due_date, $memo_)
        $duedate = date2sql($due_date);
 
        $sql = "INSERT INTO ".TB_PREF."dimensions (reference, name, type_, date_, due_date)
-               VALUES (".db_escape($reference).", ".db_escape($name).", $type_, '$date', '$duedate')";
+               VALUES (".db_escape($reference).", ".db_escape($name).", ".db_escape($type_)
+               .", ".db_escape($date_).", ".db_escape($due_date).")";
        db_query($sql, "could not add dimension");
 
        $id = db_insert_id();
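Review bot: The new VALUES list escapes the raw parameters `$date_` and `$due_date` instead of the converted `$date` and `$duedate` that date2sql() computes just above (`$duedate = date2sql($due_date);` is visible at the top of the hunk), so the user-formatted date strings are now what gets stored; the old code correctly used `'$date', '$duedate'`. The fragment should be `.", ".db_escape($date).", ".db_escape($duedate).")";`. The same substitution is needed in the update_dimension hunk that follows, where `date_=".db_escape($date_).",` and `due_date=".db_escape($due_date)."` should use `$date` and `$duedate`. add_dimension continues past the end of this hunk.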
@@ -41,10 +42,10 @@ function update_dimension($id, $name, $type_, $date_, $due_date, $memo_)
        $duedate = date2sql($due_date);
 
        $sql = "UPDATE ".TB_PREF."dimensions SET name=".db_escape($name).",
-               type_ = $type_,
-               date_='$date',
-               due_date='$duedate'
-               WHERE id = $id";
+               type_ = ".db_escape($type_).",
+               date_=".db_escape($date_).",
+               due_date=".db_escape($due_date)."
+               WHERE id = ".db_escape($id);
 
        db_query($sql, "could not update dimension");
 
@@ -60,7 +61,7 @@ function delete_dimension($id)
        begin_transaction();
 
        // delete the actual dimension
-       $sql="DELETE FROM ".TB_PREF."dimensions WHERE id=$id";
+       $sql="DELETE FROM ".TB_PREF."dimensions WHERE id=".db_escape($id);
        db_query($sql,"The dimension could not be deleted");
 
        delete_comments(ST_DIMENSION, $id);
@@ -72,7 +73,7 @@ function delete_dimension($id)
 
 function get_dimension($id, $allow_null=false)
 {
-    $sql = "SELECT * FROM ".TB_PREF."dimensions        WHERE id=$id";
+    $sql = "SELECT * FROM ".TB_PREF."dimensions        WHERE id=".db_escape($id);
 
        $result = db_query($sql, "The dimension could not be retrieved");
 
@@ -122,7 +123,7 @@ function dimension_has_deposits($id)
 
 function dimension_has_payments($id)
 {
-       $sql = "SELECT SUM(amount) FROM ".TB_PREF."gl_trans WHERE dimension_id = $id";
+       $sql = "SELECT SUM(amount) FROM ".TB_PREF."gl_trans WHERE dimension_id = ".db_escape($id);
        $res = db_query($sql, "Transactions could not be calculated");
        $row = db_fetch_row($res);
        return ($row[0] != 0.0);
@@ -138,7 +139,7 @@ function dimension_is_closed($id)
 
 function close_dimension($id)
 {
-       $sql = "UPDATE ".TB_PREF."dimensions SET closed='1' WHERE id = $id";
+       $sql = "UPDATE ".TB_PREF."dimensions SET closed='1' WHERE id = ".db_escape($id);
        db_query($sql, "could not close dimension");
 }
 
index 5498097a71b9e148762a5e202698f5e3cdb09a79..752b5507ab2574ab164425d76aa1efd8583a5d90 100644 (file)
@@ -141,7 +141,7 @@ $sql = "SELECT dim.id,
 
 if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "")
 {
-       $sql .= " AND reference LIKE '%". $_POST['OrderNumber'] . "%'";
+       $sql .= " AND reference LIKE ".db_escape("%". $_POST['OrderNumber'] . "%");
 } else {
 
        if ($dim == 1)
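Review bot: Wrapping the whole `"%".$_POST['OrderNumber']."%"` in db_escape() closes the quoting hole, but `%` and `_` inside OrderNumber are still interpreted as LIKE wildcards, so a reference filter can match far more rows than the typed text. If a literal substring match is intended, escape those two characters before building the pattern, e.g. `$sql .= " AND reference LIKE ".db_escape("%".addcslashes($_POST['OrderNumber'], '%_')."%");` (the backslash survives db_escape as a doubled backslash, which MySQL LIKE reads as a literal escape). The else branch continues beyond the end of this hunk.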
@@ -154,14 +154,14 @@ if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "")
 
        if (isset($_POST['type_']) && ($_POST['type_'] > 0))
        {
-               $sql .= " AND type_=" . $_POST['type_'];
+               $sql .= " AND type_=".db_escape($_POST['type_']);
        }
 
        if (isset($_POST['OverdueOnly']))
        {
                $today = date2sql(Today());
 
-               $sql .= " AND due_date < '$today' ";
+               $sql .= " AND due_date < '$today'";
        }
 
        $sql .= " AND date_ >= '" . date2sql($_POST['FromDate']) . "'
index b91bed9eb612c17f5710c0452af92193f078ff93..d1dbba01c40d8d50af6ef9bd79f42dace4ce464d 100644 (file)
@@ -117,14 +117,15 @@ function change_tpl_flag($reconcile_id)
        $_POST['bank_date'] = date2sql(get_post('reconcile_date'));
        $reconcile_value = check_value("rec_".$reconcile_id) 
                                                ? ("'".$_POST['bank_date'] ."'") : 'NULL';
-       $sql = "UPDATE ".TB_PREF."bank_trans SET reconciled=$reconcile_value WHERE id=$reconcile_id";
+       $sql = "UPDATE ".TB_PREF."bank_trans SET reconciled=".db_escape($reconcile_value)
+       ." WHERE id=".db_escape($reconcile_id);
 
        db_query($sql, "Can't change reconciliation status");
        // save last reconcilation status (date, end balance)
     $sql2="UPDATE ".TB_PREF."bank_accounts SET last_reconciled_date='"
                        .date2sql($_POST["reconcile_date"])."',
            ending_reconcile_balance=".input_num("end_balance")
-                       ." WHERE id=".$_POST["bank_account"];
+                       ." WHERE id=".db_escape($_POST["bank_account"]);
 
        $result = db_query($sql2,"Error updating reconciliation information");
        $Ajax->activate('reconciled');
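Review bot: `$reconcile_value` is already either a quoted date (`"'".$_POST['bank_date']."'"`) or the bare SQL keyword `NULL`, so passing it through db_escape() on the new line quotes it a second time: the date becomes an invalid literal with embedded quotes and `NULL` becomes the string `'NULL'`, which a DATE column will not store as a null reconciliation. Escape only the date and keep NULL raw: `$reconcile_value = check_value("rec_".$reconcile_id) ? db_escape($_POST['bank_date']) : 'NULL';` followed by `$sql = "UPDATE ".TB_PREF."bank_trans SET reconciled=$reconcile_value WHERE id=".db_escape($reconcile_id);`. The `input_num("end_balance")` and `date2sql(...)` values in `$sql2` remain interpolated unescaped; they are presumably normalised by those helpers, but that is not visible here. change_tpl_flag starts before this hunk.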
@@ -182,7 +183,7 @@ $sql = "SELECT MAX(reconciled) as last_date,
                 SUM(IF(reconciled<'$date', amount, 0)) as beg_balance,
                 SUM(amount) as total
        FROM ".TB_PREF."bank_trans trans
-       WHERE bank_act=".$_POST['bank_account'];
+       WHERE bank_act=".db_escape($_POST['bank_account']);
 //     ." AND trans.reconciled IS NOT NULL";
 
 $result = db_query($sql,"Cannot retrieve reconciliation data");
@@ -197,8 +198,8 @@ if ($row = db_fetch($result)) {
                if (get_post('bank_date')) {
                        // if it is the last updated bank statement retrieve ending balance
                        $sql = "SELECT ending_reconcile_balance
-                               FROM ".TB_PREF."bank_accounts WHERE id=".$_POST['bank_account']
-                               . " AND last_reconciled_date='".$_POST['bank_date']."'";
+                               FROM ".TB_PREF."bank_accounts WHERE id=".db_escape($_POST['bank_account'])
+                               . " AND last_reconciled_date=".db_escape($_POST['bank_date']);
                        $result = db_query($sql,"Cannot retrieve last reconciliation");
                        $row = db_fetch($result);
                        if($row) {
@@ -244,7 +245,7 @@ if (!isset($_POST['bank_account']))
 $sql = "SELECT type, trans_no, ref, trans_date, 
                                amount, person_id, person_type_id, reconciled, id
                FROM ".TB_PREF."bank_trans
-               WHERE ".TB_PREF."bank_trans.bank_act = '" . $_POST['bank_account'] . "'
+               WHERE ".TB_PREF."bank_trans.bank_act = ".db_escape($_POST['bank_account']) . "
                        AND (reconciled IS NULL OR reconciled='". $date ."')
                ORDER BY trans_date,".TB_PREF."bank_trans.id";
 // or  ORDER BY reconciled desc, trans_date,".TB_PREF."bank_trans.id";
index 6357693b174eb9667e206a8053356a1be6e37975..c1236d182ca7bdcfa006d99bceda1ae8cb519464 100644 (file)
@@ -27,8 +27,9 @@ check_db_has_gl_account_groups(_("There are no account groups defined. Please de
 
 function exists_gl_budget($date_, $account, $dimension, $dimension2)
 {
-       $sql = "SELECT account FROM ".TB_PREF."budget_trans WHERE account='$account' AND tran_date='$date_' AND
-               dimension_id=$dimension AND dimension2_id=$dimension2";
+       $sql = "SELECT account FROM ".TB_PREF."budget_trans WHERE account=".db_escape($account)
+       ." AND tran_date='$date_' AND
+               dimension_id=".db_escape($dimension)." AND dimension2_id=".db_escape($dimension2);
        $result = db_query($sql, "Cannot retreive a gl transaction");
 
     return (db_num_rows($result) > 0);
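Review bot: In exists_gl_budget the `$date_` parameter is still interpolated as `tran_date='$date_'` while every other argument on the same line is now passed through db_escape(), leaving one function parameter unescaped. The only visible caller (add_update_gl_budget_trans below) passes a date2sql() result, which limits the practical exposure, but the function itself should not rely on that: use `." AND tran_date=".db_escape($date_)." AND`. The later hunks in this file interpolate `'$date'` the same way; there the value is the local produced by date2sql() in the same function, so the concern is consistency rather than a missing check.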
@@ -39,12 +40,16 @@ function add_update_gl_budget_trans($date_, $account, $dimension, $dimension2, $
        $date = date2sql($date_);
 
        if (exists_gl_budget($date, $account, $dimension, $dimension2))
-               $sql = "UPDATE ".TB_PREF."budget_trans SET amount=$amount WHERE account='$account' AND
-                       dimension_id=$dimension AND dimension2_id=$dimension2 AND tran_date='$date'";
+               $sql = "UPDATE ".TB_PREF."budget_trans SET amount=".db_escape($amount)
+               ." WHERE account=".db_escape($account)
+               ." AND dimension_id=".db_escape($dimension)
+               ." AND dimension2_id=".db_escape($dimension2)
+               ." AND tran_date='$date'";
        else
                $sql = "INSERT INTO ".TB_PREF."budget_trans (tran_date,
                        account, dimension_id, dimension2_id, amount, memo_) VALUES ('$date',
-                       '$account', $dimension, $dimension2, $amount, '')";
+                       ".db_escape($account).", ".db_escape($dimension).", "
+                       .db_escape($dimension2).", ".db_escape($amount).", '')";
 
        db_query($sql, "The GL budget transaction could not be saved");
 }
@@ -53,8 +58,10 @@ function delete_gl_budget_trans($date_, $account, $dimension, $dimension2)
 {
        $date = date2sql($date_);
 
-       $sql = "DELETE FROM ".TB_PREF."budget_trans WHERE account='$account' AND
-                       dimension_id=$dimension AND dimension2_id=$dimension2 AND tran_date='$date'";
+       $sql = "DELETE FROM ".TB_PREF."budget_trans WHERE account=".db_escape($account)
+       ." AND dimension_id=".db_escape($dimension)
+       ." AND dimension2_id=".db_escape($dimension2)
+       ." AND tran_date='$date'";
        db_query($sql, "The GL budget transaction could not be deleted");
 }
 
@@ -65,8 +72,10 @@ function get_only_budget_trans_from_to($from_date, $to_date, $account, $dimensio
        $to = date2sql($to_date);
 
        $sql = "SELECT SUM(amount) FROM ".TB_PREF."budget_trans
-               WHERE account='$account' AND tran_date >= '$from' AND tran_date <= '$to'
-                AND dimension_id = $dimension AND dimension2_id = $dimension2";
+               WHERE account=".db_escape($account)
+               ." AND tran_date >= '$from' AND tran_date <= '$to'
+                AND dimension_id = ".db_escape($dimension)
+                ." AND dimension2_id = ".db_escape($dimension2);
        $result = db_query($sql,"No budget accounts were returned");
 
        $row = db_fetch_row($result);
@@ -142,7 +151,7 @@ if (db_has_gl_accounts())
        table_header($th);
        $year = $_POST['fyear'];
        if (get_post('update') == '') {
-               $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=$year";
+               $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=".db_escape($year);
 
                $result = db_query($sql, "could not get current fiscal year");
 
index e82ee8dfa88fffd441609c398d1da4b79a022cd1..bd760c19ae3cd820799d055610de99b770c836ec 100644 (file)
@@ -12,7 +12,7 @@
 function add_account_type($id, $name, $class_id, $parent)
 {
        $sql = "INSERT INTO ".TB_PREF."chart_types (id, name, class_id, parent)
-               VALUES ($id, ".db_escape($name).", $class_id, $parent)";
+               VALUES ($id, ".db_escape($name).", ".db_escape($class_id).", ".db_escape($parent).")";
 
        return db_query($sql);
 }
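Review bot: `$id` in `VALUES ($id, ".db_escape($name).", …` is still interpolated raw while `class_id` and `parent` on the same line are now escaped, so add_account_type keeps the exact injection path this commit is closing everywhere else in the file. The line should read `VALUES (".db_escape($id).", ".db_escape($name).", ".db_escape($class_id).", ".db_escape($parent).")";`. The sibling add_account_class hunk further down already escapes its `$id`, so this also restores consistency between the two insert helpers.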
@@ -20,7 +20,8 @@ function add_account_type($id, $name, $class_id, $parent)
 function update_account_type($id, $name, $class_id, $parent)
 {
     $sql = "UPDATE ".TB_PREF."chart_types SET name=".db_escape($name).",
-               class_id=$class_id,     parent=$parent WHERE id = $id";
+               class_id=".db_escape($class_id).", parent=".db_escape($parent)
+               ." WHERE id = ".db_escape($id);
 
        return db_query($sql, "could not update account type");
 }
@@ -37,7 +38,7 @@ function get_account_types($all=false)
 
 function get_account_type($id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."chart_types WHERE id = $id";
+       $sql = "SELECT * FROM ".TB_PREF."chart_types WHERE id = ".db_escape($id);
 
        $result = db_query($sql, "could not get account type");
 
@@ -46,7 +47,7 @@ function get_account_type($id)
 
 function get_account_type_name($id)
 {
-       $sql = "SELECT name FROM ".TB_PREF."chart_types WHERE id = $id";
+       $sql = "SELECT name FROM ".TB_PREF."chart_types WHERE id = ".db_escape($id);
 
        $result = db_query($sql, "could not get account type");
 
@@ -56,7 +57,7 @@ function get_account_type_name($id)
 
 function delete_account_type($id)
 {
-       $sql = "DELETE FROM ".TB_PREF."chart_types WHERE id = $id";
+       $sql = "DELETE FROM ".TB_PREF."chart_types WHERE id = ".db_escape($id);
 
        db_query($sql, "could not delete account type");
 }
@@ -64,7 +65,7 @@ function delete_account_type($id)
 function add_account_class($id, $name, $ctype)
 {
        $sql = "INSERT INTO ".TB_PREF."chart_class (cid, class_name, ctype)
-               VALUES ($id, ".db_escape($name).", $ctype)";
+               VALUES (".db_escape($id).", ".db_escape($name).", ".db_escape($ctype).")";
 
        return db_query($sql);
 }
@@ -72,7 +73,7 @@ function add_account_class($id, $name, $ctype)
 function update_account_class($id, $name, $ctype)
 {
     $sql = "UPDATE ".TB_PREF."chart_class SET class_name=".db_escape($name).",
-               ctype=$ctype WHERE cid = $id";
+               ctype=".db_escape($balance)." WHERE cid = ".db_escape($id);
 
        return db_query($sql);
 }
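Review bot: `ctype=".db_escape($balance)` references `$balance`, which is not a parameter of update_account_class — the signature takes `$ctype` — so every update writes whatever db_escape produces for an undefined variable into `ctype` (an empty/NULL value at best, a PHP notice on top) instead of the caller's value. The line should be `ctype=".db_escape($ctype)." WHERE cid = ".db_escape($id);`. This is a silent data-corruption regression introduced by the escaping rewrite; it deserves a regression test on the chart_class update path before this ships.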
@@ -88,7 +89,7 @@ function get_account_classes($all=false)
 
 function get_account_class($id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."chart_class WHERE cid = $id";
+       $sql = "SELECT * FROM ".TB_PREF."chart_class WHERE cid = ".db_escape($id);
 
        $result = db_query($sql, "could not get account type");
 
@@ -97,7 +98,7 @@ function get_account_class($id)
 
 function get_account_class_name($id)
 {
-       $sql = "SELECT class_name FROM ".TB_PREF."chart_class WHERE cid = $id";
+       $sql = "SELECT class_name FROM ".TB_PREF."chart_class WHERE cid =".db_escape($id);
 
        $result = db_query($sql, "could not get account type");
 
@@ -107,7 +108,7 @@ function get_account_class_name($id)
 
 function delete_account_class($id)
 {
-       $sql = "DELETE FROM ".TB_PREF."chart_class WHERE cid = $id";
+       $sql = "DELETE FROM ".TB_PREF."chart_class WHERE cid = ".db_escape($id);
 
        db_query($sql, "could not delete account type");
 }
index 754e7bc45748e94cc33491052d64b527189ed5d8..0fb50ea09537b94cf8a1c22da5d25dd484037fbd 100644 (file)
@@ -13,7 +13,8 @@ function add_gl_account($account_code, $account_name, $account_type, $account_co
 {
        $account_name = db_escape($account_name);
        $sql = "INSERT INTO ".TB_PREF."chart_master (account_code, account_code2, account_name, account_type)
-               VALUES (".db_escape($account_code).", ".db_escape($account_code2).", $account_name, $account_type)";
+               VALUES (".db_escape($account_code).", ".db_escape($account_code2).", "
+                       .db_escape($account_name).", ".db_escape($account_type).")";
 
        return db_query($sql);
 }
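Review bot: `$account_name` is now escaped twice in add_gl_account: the context line `$account_name = db_escape($account_name);` already quotes and escapes it, and the new VALUES clause escapes it again with `.db_escape($account_name).`, so the second call escapes the quotes the first one added and the stored name will carry literal quote characters. Remove the pre-escaping assignment line and keep the inline `db_escape` in the VALUES list so every column is escaped the same way. The same double escape appears in update_gl_account in the next hunk.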
@@ -21,16 +22,16 @@ function add_gl_account($account_code, $account_name, $account_type, $account_co
 function update_gl_account($account_code, $account_name, $account_type, $account_code2)
 {
        $account_name = db_escape($account_name);
-    $sql = "UPDATE ".TB_PREF."chart_master SET account_name=$account_name,
-               account_type=$account_type, account_code2=".db_escape($account_code2)
-               ." WHERE account_code = '$account_code'";
+    $sql = "UPDATE ".TB_PREF."chart_master SET account_name=".db_escape($account_name)
+    .",account_type=".db_escape($account_type).", account_code2=".db_escape($account_code2)
+               ." WHERE account_code = ".db_escape($account_code);
 
        return db_query($sql);
 }
 
 function delete_gl_account($code)
 {
-       $sql = "DELETE FROM ".TB_PREF."chart_master WHERE account_code='$code'";
+       $sql = "DELETE FROM ".TB_PREF."chart_master WHERE account_code=".db_escape($code);
 
        db_query($sql, "could not delete gl account");
 }
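Review bot: update_gl_account escapes `$account_name` twice — the context line `$account_name = db_escape($account_name);` followed by `account_name=".db_escape($account_name)` on the new line — so the value written to chart_master will contain the quote characters added by the first call. Drop the `$account_name = db_escape($account_name);` assignment and rely on the inline `db_escape`, matching how `account_type` and `account_code2` are handled on the same line. delete_gl_account in this hunk is fine.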
@@ -41,9 +42,9 @@ function get_gl_accounts($from=null, $to=null)
                FROM ".TB_PREF."chart_master,".TB_PREF."chart_types
                WHERE ".TB_PREF."chart_master.account_type=".TB_PREF."chart_types.id";
        if ($from != null)
-               $sql .= " AND ".TB_PREF."chart_master.account_code >= '$from'";
+               $sql .= " AND ".TB_PREF."chart_master.account_code >= ".db_escape($from);
        if ($to != null)
-               $sql .= " AND ".TB_PREF."chart_master.account_code <= '$to'";
+               $sql .= " AND ".TB_PREF."chart_master.account_code <= ".db_escape($to);
        $sql .= " ORDER BY account_code";
 
        return db_query($sql, "could not get gl accounts");
@@ -71,7 +72,7 @@ function get_gl_accounts_all($balance=-1)
 
 function get_gl_account($code)
 {
-       $sql = "SELECT * FROM ".TB_PREF."chart_master WHERE account_code='$code'";
+       $sql = "SELECT * FROM ".TB_PREF."chart_master WHERE account_code=".db_escape($code);
 
        $result = db_query($sql, "could not get gl account");
        return db_fetch($result);
@@ -79,10 +80,11 @@ function get_gl_account($code)
 
 function is_account_balancesheet($code)
 {
-       $sql = "SELECT ".TB_PREF."chart_class.ctype FROM ".TB_PREF."chart_class, ".TB_PREF."chart_types, ".TB_PREF."chart_master
+       $sql = "SELECT ".TB_PREF."chart_class.ctype FROM ".TB_PREF."chart_class, "
+               .TB_PREF."chart_types, ".TB_PREF."chart_master
                WHERE ".TB_PREF."chart_master.account_type=".TB_PREF."chart_types.id AND
                ".TB_PREF."chart_types.class_id=".TB_PREF."chart_class.cid
-               AND ".TB_PREF."chart_master.account_code='$code'";
+               AND ".TB_PREF."chart_master.account_code=".db_escape($code);
 
        $result = db_query($sql,"could not retreive the account class for $code");
        $row = db_fetch_row($result);
@@ -91,7 +93,7 @@ function is_account_balancesheet($code)
 
 function get_gl_account_name($code)
 {
-       $sql = "SELECT account_name from ".TB_PREF."chart_master WHERE account_code='$code'";
+       $sql = "SELECT account_name from ".TB_PREF."chart_master WHERE account_code=".db_escape($code);
 
        $result = db_query($sql,"could not retreive the account name for $code");
 
index dbc1e01afdc4c85c313269ef9ee791450d9f315e..a86b2ec475f9b9d7e158efdea53baabe0c0072dc 100644 (file)
@@ -26,8 +26,10 @@ function add_bank_account($account_code, $account_type, $bank_account_name,
        $sql = "INSERT INTO ".TB_PREF."bank_accounts (account_code, account_type, 
                bank_account_name, bank_name, bank_account_number, bank_address, 
                bank_curr_code, dflt_curr_act)
-               VALUES (".db_escape($account_code).", $account_type, ".db_escape($bank_account_name).", ".db_escape($bank_name).", ".db_escape($bank_account_number).",
-               ".db_escape($bank_address).", '$bank_curr_code', '$dflt_curr_act')";
+               VALUES (".db_escape($account_code).", ".db_escape($account_type).", "
+               .db_escape($bank_account_name).", ".db_escape($bank_name).", "
+               .db_escape($bank_account_number).",".db_escape($bank_address).
+               ", ".db_escape($bank_curr_code).", ".db_escape($dflt_curr_act).")";
 
        db_query($sql, "could not add a bank account for $account_code");
 }
@@ -40,12 +42,13 @@ function update_bank_account($id, $account_code, $account_type, $bank_account_na
        if($dflt_curr_act)      // only one default account for any currency
          clear_dflt_curr_account($bank_curr_code);
 
-       $sql = "UPDATE ".TB_PREF."bank_accounts SET account_type = $account_type,
+       $sql = "UPDATE ".TB_PREF."bank_accounts SET account_type = ".db_escape($account_type).",
                account_code=".db_escape($account_code).",
                bank_account_name=".db_escape($bank_account_name).", bank_name=".db_escape($bank_name).",
-               bank_account_number=".db_escape($bank_account_number).", bank_curr_code='$bank_curr_code',
-               bank_address=".db_escape($bank_address).","
-               ."dflt_curr_act='$dflt_curr_act' WHERE id = '$id'";
+               bank_account_number=".db_escape($bank_account_number).", bank_curr_code=".db_escape($bank_curr_code).",
+               bank_address=".db_escape($bank_address).",
+               dflt_curr_act=".db_escape($dflt_curr_act)
+               ." WHERE id = ".db_escape($id);
 
        db_query($sql, "could not update bank account for $account_code");
 }
@@ -54,7 +57,7 @@ function update_bank_account($id, $account_code, $account_type, $bank_account_na
 
 function delete_bank_account($id)
 {
-       $sql = "DELETE FROM ".TB_PREF."bank_accounts WHERE id='$id'";
+       $sql = "DELETE FROM ".TB_PREF."bank_accounts WHERE id=".db_escape($id);
 
        db_query($sql,"could not delete bank account for $id");
 }
@@ -64,7 +67,7 @@ function delete_bank_account($id)
 
 function get_bank_account($id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."bank_accounts WHERE id='$id'";
+       $sql = "SELECT * FROM ".TB_PREF."bank_accounts WHERE id=".db_escape($id);
 
        $result = db_query($sql, "could not retreive bank account for $id");
 
@@ -74,7 +77,7 @@ function get_bank_account($id)
 //---------------------------------------------------------------------------------------------
 function get_bank_gl_account($id)
 {
-       $sql = "SELECT account_code FROM ".TB_PREF."bank_accounts WHERE id='$id'";
+       $sql = "SELECT account_code FROM ".TB_PREF."bank_accounts WHERE id=".db_escape($id);
 
        $result = db_query($sql, "could not retreive bank account for $id");
 
@@ -88,7 +91,7 @@ function get_bank_gl_account($id)
 function add_quick_entry($description, $type, $base_amount, $base_desc)
 {
        $sql = "INSERT INTO ".TB_PREF."quick_entries (description, type, base_amount, base_desc) 
-       VALUES (".db_escape($description).", $type, "
+       VALUES (".db_escape($description).", ".db_escape($type).", "
                .db_escape($base_amount).", ".db_escape($base_desc).")";
 
        db_query($sql, "could not insert quick entry for $description");
@@ -99,8 +102,9 @@ function add_quick_entry($description, $type, $base_amount, $base_desc)
 function update_quick_entry($selected_id, $description, $type, $base_amount, $base_desc)
 {
        $sql = "UPDATE ".TB_PREF."quick_entries SET description = ".db_escape($description).",
-               type=$type, base_amount=".db_escape($base_amount).", base_desc=".db_escape($base_desc)."
-               WHERE id = $selected_id";
+               type=".db_escape($type).", base_amount=".db_escape($base_amount)
+               .", base_desc=".db_escape($base_desc)."
+               WHERE id = ".db_escape($selected_id);
 
        db_query($sql, "could not update quick entry for $selected_id");
 }
@@ -109,7 +113,7 @@ function update_quick_entry($selected_id, $description, $type, $base_amount, $ba
 
 function delete_quick_entry($selected_id)
 {
-       $sql = "DELETE FROM ".TB_PREF."quick_entries WHERE id=$selected_id";
+       $sql = "DELETE FROM ".TB_PREF."quick_entries WHERE id=".db_escape($selected_id);
 
        db_query($sql,"could not delete quick entry $selected_id");
 }
@@ -122,7 +126,7 @@ function add_quick_entry_line($qid, $action, $dest_id, $amount, $dim, $dim2)
                (qid, action, dest_id, amount, dimension_id, dimension2_id) 
        VALUES 
                ($qid, ".db_escape($action).",".db_escape($dest_id).",
-                       $amount, $dim, $dim2)";
+                       ".db_escape($amount).", ".db_escape($dim).", ".db_escape($dim2).")";
 
        db_query($sql, "could not insert quick entry line for $qid");
 }
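Review bot: `$qid` on the context line `($qid, ".db_escape($action).",".db_escape($dest_id).",` is still interpolated raw while the values added in this hunk are escaped, leaving add_quick_entry_line half-fixed. Change it to `(".db_escape($qid).", ".db_escape($action).",".db_escape($dest_id).",` — update_quick_entry_line in the following hunk already does `qid = ".db_escape($qid)`, so the two helpers would then agree. The INSERT statement begins above the hunk.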
@@ -131,9 +135,11 @@ function add_quick_entry_line($qid, $action, $dest_id, $amount, $dim, $dim2)
 
 function update_quick_entry_line($selected_id, $qid, $action, $dest_id, $amount, $dim, $dim2)
 {
-       $sql = "UPDATE ".TB_PREF."quick_entry_lines     SET qid = $qid, action=".db_escape($action).",
-               dest_id=".db_escape($dest_id).", amount=$amount, dimension_id=$dim, dimension2_id=$dim2 
-               WHERE id = $selected_id";
+       $sql = "UPDATE ".TB_PREF."quick_entry_lines SET qid = ".db_escape($qid)
+               .", action=".db_escape($action).",
+               dest_id=".db_escape($dest_id).", amount=".db_escape($amount)
+               .", dimension_id=".db_escape($dim).", dimension2_id=".db_escape($dim2)." 
+               WHERE id = ".db_escape($selected_id);
 
        db_query($sql, "could not update quick entry line for $selected_id");
 }
@@ -142,7 +148,7 @@ function update_quick_entry_line($selected_id, $qid, $action, $dest_id, $amount,
 
 function delete_quick_entry_line($selected_id)
 {
-       $sql = "DELETE FROM ".TB_PREF."quick_entry_lines WHERE id=$selected_id";
+       $sql = "DELETE FROM ".TB_PREF."quick_entry_lines WHERE id=".db_escape($selected_id);
 
        db_query($sql,"could not delete quick entry line $selected_id");
 }
@@ -153,7 +159,7 @@ function has_quick_entries($type=null)
 {
        $sql = "SELECT id FROM ".TB_PREF."quick_entries";
        if ($type != null)
-               $sql .= " WHERE type=$type";
+               $sql .= " WHERE type=".db_escape($type);
 
        $result = db_query($sql, "could not retreive quick entries");
        return db_num_rows($result) > 0;
@@ -163,7 +169,7 @@ function get_quick_entries($type = null)
 {
        $sql = "SELECT * FROM ".TB_PREF."quick_entries";
        if ($type != null)
-               $sql .= " WHERE type=$type";
+               $sql .= " WHERE type=".db_escape($type);
        $sql .= " ORDER BY description";
 
        return db_query($sql, "could not retreive quick entries");
@@ -171,7 +177,7 @@ function get_quick_entries($type = null)
 
 function get_quick_entry($selected_id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."quick_entries WHERE id=$selected_id";
+       $sql = "SELECT * FROM ".TB_PREF."quick_entries WHERE id=".db_escape($selected_id);
 
        $result = db_query($sql, "could not retreive quick entry $selected_id");
 
@@ -188,15 +194,14 @@ function get_quick_entry_lines($qid)
                LEFT JOIN ".TB_PREF."tax_types ON
                        ".TB_PREF."quick_entry_lines.dest_id = ".TB_PREF."tax_types.id
                WHERE 
-                       qid=$qid
-               ORDER by id";
+                       qid=".db_escape($qid)." ORDER by id";
 
        return db_query($sql, "could not retreive quick entries");
 }
 
 function has_quick_entry_lines($qid)
 {
-       $sql = "SELECT id FROM ".TB_PREF."quick_entry_lines WHERE qid=$qid";
+       $sql = "SELECT id FROM ".TB_PREF."quick_entry_lines WHERE qid=".db_escape($qid);
 
        $result = db_query($sql, "could not retreive quick entries");
        return db_num_rows($result) > 0;
@@ -206,7 +211,7 @@ function has_quick_entry_lines($qid)
 
 function get_quick_entry_line($selected_id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."quick_entry_lines WHERE id=$selected_id";
+       $sql = "SELECT * FROM ".TB_PREF."quick_entry_lines WHERE id=".db_escape($selected_id);
 
        $result = db_query($sql, "could not retreive quick entry for $selected_id");
 
index c9f550c82419aff60614b087b662a0f417447075..ad369861053d2dc6c47c4f2b62d2cadfe7db7ee7 100644 (file)
@@ -41,7 +41,8 @@ function add_bank_trans($type, $trans_no, $bank_act, $ref, $date_,
                trans_date, amount, person_type_id, person_id) ";
 
        $sql .= "VALUES ($type, $trans_no, '$bank_act', ".db_escape($ref).", '$sqlDate',
-               $amount_bank, $person_type_id, ". db_escape($person_id).")";
+               ".db_escape($amount_bank).", ".db_escape($person_type_id)
+               .", ". db_escape($person_id).")";
 
        if ($err_msg == "")
                $err_msg = "The bank transaction could not be inserted";
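Review bot: The first half of the VALUES list on the context line, `VALUES ($type, $trans_no, '$bank_act', ".db_escape($ref).", '$sqlDate',`, is left unescaped while the second half added in this hunk is escaped, so `$type`, `$trans_no` and `$bank_act` still reach the query raw. Rewrite it as `$sql .= "VALUES (".db_escape($type).", ".db_escape($trans_no).", ".db_escape($bank_act).", ".db_escape($ref).", '$sqlDate',`. `$sqlDate` is presumably produced by date2sql earlier in add_bank_trans (outside the hunk), which is then the only thing standing between it and the SQL — worth confirming that is the case.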
@@ -53,8 +54,8 @@ function add_bank_trans($type, $trans_no, $bank_act, $ref, $date_,
 
 function exists_bank_trans($type, $type_no)
 {
-       $sql = "SELECT trans_no FROM ".TB_PREF."bank_trans WHERE type=$type
-               AND trans_no=$type_no";
+       $sql = "SELECT trans_no FROM ".TB_PREF."bank_trans WHERE type=".db_escape($type)
+               ." AND trans_no=".db_escape($type_no);
        $result = db_query($sql, "Cannot retreive a bank transaction");
 
     return (db_num_rows($result) > 0);
@@ -68,13 +69,13 @@ function get_bank_trans($type, $trans_no=null, $person_type_id=null, $person_id=
                FROM ".TB_PREF."bank_trans, ".TB_PREF."bank_accounts
                WHERE ".TB_PREF."bank_accounts.id=".TB_PREF."bank_trans.bank_act ";
        if ($type != null)
-               $sql .= " AND type=$type ";
+               $sql .= " AND type=".db_escape($type);
        if ($trans_no != null)
-               $sql .= " AND ".TB_PREF."bank_trans.trans_no = $trans_no ";
+               $sql .= " AND ".TB_PREF."bank_trans.trans_no = ".db_escape($trans_no);
        if ($person_type_id != null)
-               $sql .= " AND ".TB_PREF."bank_trans.person_type_id = $person_type_id ";
+               $sql .= " AND ".TB_PREF."bank_trans.person_type_id = ".db_escape($person_type_id);
        if ($person_id != null)
-               $sql .= " AND ".TB_PREF."bank_trans.person_id = '$person_id'";
+               $sql .= " AND ".TB_PREF."bank_trans.person_id = ".db_escape($person_id);
        $sql .= " ORDER BY trans_date, ".TB_PREF."bank_trans.id";
 
        return db_query($sql, "query for bank transaction");
@@ -84,7 +85,9 @@ function get_bank_trans($type, $trans_no=null, $person_type_id=null, $person_id=
 
 function get_gl_trans_value($account, $type, $trans_no)
 {
-       $sql = "SELECT SUM(amount) FROM ".TB_PREF."gl_trans WHERE account='$account' AND type=$type AND type_no=$trans_no";
+       $sql = "SELECT SUM(amount) FROM ".TB_PREF."gl_trans WHERE account="
+       .db_escape($account)." AND type=".db_escape($type)
+       ." AND type_no=".db_escape($trans_no);
 
        $result = db_query($sql, "query for gl trans value");
 
@@ -100,7 +103,7 @@ function void_bank_trans($type, $type_no, $nested=false)
                begin_transaction();
 
        $sql = "UPDATE ".TB_PREF."bank_trans SET amount=0
-               WHERE type=$type AND trans_no=$type_no";
+               WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no);
 
        $result = db_query($sql, "could not void bank transactions for type=$type and trans_no=$type_no");
 
index b20644c58c2d79113383e18df7ce2057ff4ee6be..bbef96d21c4aeb404f8fd28b9c50e584830f5e5c 100644 (file)
@@ -18,7 +18,7 @@ function add_exchange_variation($trans_type, $trans_no, $date_, $acc_id, $accoun
                $date_ = Today();
        $rate = get_exchange_rate_from_home_currency($currency, $date_);
        $result = db_query("SELECT SUM(amount) FROM ".TB_PREF."bank_trans WHERE 
-               bank_act='$acc_id' AND trans_date<='".date2sql($date_)."'", 
+               bank_act=".db_escape($acc_id)." AND trans_date<='".date2sql($date_)."'", 
                "Transactions for account $account could not be calculated");
        $row = db_fetch_row($result);
        $foreign_amount = $row[0];
index 342cddc4eb6275c6a45424fa861c760547cc8eb7..eee35e1cf06cf3a170a2b605870ff92c5e21704e 100644 (file)
 function update_currency($curr_abrev, $symbol, $currency, $country, 
        $hundreds_name, $auto_update)
 {
-       $sql = "UPDATE ".TB_PREF."currencies SET currency=".db_escape($currency).", curr_symbol='$symbol',
-               country=".db_escape($country).", hundreds_name=".db_escape($hundreds_name)
-               .",auto_update = '$auto_update'"." WHERE curr_abrev = '$curr_abrev'";
+       $sql = "UPDATE ".TB_PREF."currencies SET currency=".db_escape($currency)
+               .", curr_symbol=".db_escape($symbol).", country=".db_escape($country)
+               .", hundreds_name=".db_escape($hundreds_name)
+               .",auto_update = ".db_escape($auto_update)
+                       ." WHERE curr_abrev = ".db_escape($curr_abrev);
 
        db_query($sql, "could not update currency for $curr_abrev");
 }
@@ -26,11 +28,11 @@ function update_currency($curr_abrev, $symbol, $currency, $country,
 function add_currency($curr_abrev, $symbol, $currency, $country, 
        $hundreds_name, $auto_update)
 {
-       $sql = "INSERT INTO ".TB_PREF."currencies (curr_abrev, curr_symbol, currency, country, 
-               hundreds_name, auto_update)
-               VALUES (".db_escape($curr_abrev).", '$symbol', ".db_escape($currency)
-               .", ".db_escape($country).", ".db_escape($hundreds_name)
-               .",".db_escape($auto_update).")";
+       $sql = "INSERT INTO ".TB_PREF."currencies (curr_abrev, curr_symbol, currency, 
+                       country, hundreds_name, auto_update)
+               VALUES (".db_escape($curr_abrev).", ".db_escape($symbol).", "
+               .db_escape($currency).", ".db_escape($country).", "
+               .db_escape($hundreds_name).",".db_escape($auto_update).")";
 
        db_query($sql, "could not add currency for $curr_abrev");
 }
@@ -39,7 +41,7 @@ function add_currency($curr_abrev, $symbol, $currency, $country,
 
 function delete_currency($curr_code)
 {
-       $sql="DELETE FROM ".TB_PREF."currencies WHERE curr_abrev='$curr_code'";
+       $sql="DELETE FROM ".TB_PREF."currencies WHERE curr_abrev=".db_escape($curr_code);
        db_query($sql, "could not delete currency       $curr_code");
 
        $sql="DELETE FROM ".TB_PREF."exchange_rates WHERE curr_code='$curr_code'";
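Review bot: delete_currency escapes `$curr_code` in the first DELETE but the second statement in the same function, `$sql="DELETE FROM ".TB_PREF."exchange_rates WHERE curr_code='$curr_code'";`, still interpolates the same parameter raw, so the hunk closes only half of the path. Change it to `$sql="DELETE FROM ".TB_PREF."exchange_rates WHERE curr_code=".db_escape($curr_code);`. The function body continues past the end of the hunk.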
@@ -50,7 +52,7 @@ function delete_currency($curr_code)
 
 function get_currency($curr_code)
 {
-       $sql = "SELECT * FROM ".TB_PREF."currencies WHERE curr_abrev='$curr_code'";
+       $sql = "SELECT * FROM ".TB_PREF."currencies WHERE curr_abrev=".db_escape($curr_code);
        $result = db_query($sql, "could not get currency $curr_code");
 
        $row = db_fetch($result);
index fa5926b6559fa04a67d548c1eefc4f6302f18405..c6d5c530bc159e331bb30bc2d142fee2f00e5e6e 100644 (file)
@@ -12,7 +12,7 @@
 //---------------------------------------------------------------------------------------------
 function get_exchange_rate($rate_id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."exchange_rates WHERE id=$rate_id";
+       $sql = "SELECT * FROM ".TB_PREF."exchange_rates WHERE id=".db_escape($rate_id);
        $result = db_query($sql, "could not get exchange rate for $rate_id");   
 
        return db_fetch($result);
@@ -22,8 +22,8 @@ function get_exchange_rate($rate_id)
 function get_date_exchange_rate($curr_code, $date_)
 {
        $date = date2sql($date_);
-       $sql = "SELECT rate_buy FROM ".TB_PREF."exchange_rates WHERE curr_code='$curr_code' 
-               AND date_='$date'";
+       $sql = "SELECT rate_buy FROM ".TB_PREF."exchange_rates WHERE curr_code=".db_escape($curr_code)
+       ." AND date_='$date'";
        $result = db_query($sql, "could not get exchange rate for $curr_code - $date_");        
 
        if(db_num_rows($result) == 0) 
@@ -41,8 +41,8 @@ function update_exchange_rate($curr_code, $date_, $buy_rate, $sell_rate)
                        
        $date = date2sql($date_);
                
-       $sql = "UPDATE ".TB_PREF."exchange_rates SET rate_buy=$buy_rate, rate_sell=$sell_rate
-               WHERE curr_code='$curr_code' AND date_='$date'";
+       $sql = "UPDATE ".TB_PREF."exchange_rates SET rate_buy=$buy_rate, rate_sell=".db_escape($sell_rate)
+       ." WHERE curr_code=".db_escape($curr_code)." AND date_='$date'";
                                
        db_query($sql, "could not add exchange rate for $curr_code");                           
 }
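Review bot: `rate_buy=$buy_rate` is still interpolated raw on the new line while `rate_sell` right next to it is escaped; there is no reason to treat the two rates differently, and both come from the same caller. Make it `$sql = "UPDATE ".TB_PREF."exchange_rates SET rate_buy=".db_escape($buy_rate).", rate_sell=".db_escape($sell_rate)`, which also matches how add_exchange_rate in the next hunk escapes both rates. The `'$date'` value comes from date2sql on the line above, the same guard the rest of the file relies on.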
@@ -57,7 +57,8 @@ function add_exchange_rate($curr_code, $date_, $buy_rate, $sell_rate)
        $date = date2sql($date_);
                
        $sql = "INSERT INTO ".TB_PREF."exchange_rates (curr_code, date_, rate_buy, rate_sell)
-               VALUES ('$curr_code', '$date', $buy_rate, $sell_rate)";
+               VALUES (".db_escape($curr_code).", '$date', ".db_escape($buy_rate)
+               .", ".db_escape($sell_rate).")";
        db_query($sql, "could not add exchange rate for $curr_code");                           
 }
 
@@ -65,7 +66,7 @@ function add_exchange_rate($curr_code, $date_, $buy_rate, $sell_rate)
 
 function delete_exchange_rate($rate_id)
 {
-       $sql = "DELETE FROM ".TB_PREF."exchange_rates WHERE id=$rate_id";
+       $sql = "DELETE FROM ".TB_PREF."exchange_rates WHERE id=".db_escape($rate_id);
        db_query($sql, "could not delete exchange rate $rate_id");              
 }
 
index f4096b7b8dbeb07e515d1e6184d885a5c9e7604f..a842c951cc45e711e5049fd2ea202d735a9890f4 100644 (file)
@@ -50,11 +50,13 @@ function add_gl_trans($type, $trans_id, $date_, $account, $dimension, $dimension
 
        $sql .= ") ";
 
-       $sql .= "VALUES ($type, $trans_id, '$date',
-               '$account', $dimension, $dimension2, ".db_escape($memo_).", $amount_in_home_currency";
+       $sql .= "VALUES (".db_escape($type).", ".db_escape($trans_id).", '$date',
+               ".db_escape($account).", ".db_escape($dimension).", "
+               .db_escape($dimension2).", ".db_escape($memo_).", "
+               .db_escape($amount_in_home_currency);
 
        if ($person_type_id != null)
-               $sql .= ", $person_type_id, ". db_escape($person_id);
+               $sql .= ", ".db_escape($person_type_id).", ". db_escape($person_id);
 
        $sql .= ") ";
 
@@ -100,24 +102,26 @@ function get_gl_transactions($from_date, $to_date, $trans_no=0,
        $from = date2sql($from_date);
        $to = date2sql($to_date);
 
-       $sql = "SELECT ".TB_PREF."gl_trans.*, ".TB_PREF."chart_master.account_name FROM ".TB_PREF."gl_trans, ".TB_PREF."chart_master
+       $sql = "SELECT ".TB_PREF."gl_trans.*, "
+               .TB_PREF."chart_master.account_name FROM ".TB_PREF."gl_trans, "
+               .TB_PREF."chart_master
                WHERE ".TB_PREF."chart_master.account_code=".TB_PREF."gl_trans.account
                AND tran_date >= '$from'
                AND tran_date <= '$to'";
        if ($trans_no > 0)
-               $sql .= " AND ".TB_PREF."gl_trans.type_no LIKE '%$trans_no'";
+               $sql .= " AND ".TB_PREF."gl_trans.type_no LIKE ".db_escape('%'.$trans_no);
 
        if ($account != null)
-               $sql .= " AND ".TB_PREF."gl_trans.account = '$account'";
+               $sql .= " AND ".TB_PREF."gl_trans.account = ".db_escape($account);
 
        if ($dimension > 0)
-               $sql .= " AND ".TB_PREF."gl_trans.dimension_id = $dimension";
+               $sql .= " AND ".TB_PREF."gl_trans.dimension_id = ".db_escape($dimension);
 
        if ($dimension2 > 0)
-               $sql .= " AND ".TB_PREF."gl_trans.dimension2_id = $dimension2";
+               $sql .= " AND ".TB_PREF."gl_trans.dimension2_id = ".db_escape($dimension2);
 
        if ($filter_type != null AND is_numeric($filter_type))
-               $sql .= " AND ".TB_PREF."gl_trans.type= $filter_type";
+               $sql .= " AND ".TB_PREF."gl_trans.type= ".db_escape($filter_type);
 
        $sql .= " ORDER BY tran_date";
 
@@ -129,9 +133,12 @@ function get_gl_transactions($from_date, $to_date, $trans_no=0,
 
 function get_gl_trans($type, $trans_id)
 {
-       $sql = "SELECT ".TB_PREF."gl_trans.*, ".TB_PREF."chart_master.account_name FROM ".TB_PREF."gl_trans, ".TB_PREF."chart_master
+       $sql = "SELECT ".TB_PREF."gl_trans.*, "
+               .TB_PREF."chart_master.account_name FROM "
+                       .TB_PREF."gl_trans, ".TB_PREF."chart_master
                WHERE ".TB_PREF."chart_master.account_code=".TB_PREF."gl_trans.account
-               AND ".TB_PREF."gl_trans.type=$type AND ".TB_PREF."gl_trans.type_no=$trans_id";
+               AND ".TB_PREF."gl_trans.type=".db_escape($type)
+               ." AND ".TB_PREF."gl_trans.type_no=".db_escape($trans_id);
 
        return db_query($sql, "The gl transactions could not be retrieved");
 }
@@ -140,12 +147,14 @@ function get_gl_trans($type, $trans_id)
 
 function get_gl_wo_cost_trans($trans_id, $person_id=-1)
 {
-       $sql = "SELECT ".TB_PREF."gl_trans.*, ".TB_PREF."chart_master.account_name FROM ".TB_PREF."gl_trans, ".TB_PREF."chart_master
+       $sql = "SELECT ".TB_PREF."gl_trans.*, ".TB_PREF."chart_master.account_name FROM "
+               .TB_PREF."gl_trans, ".TB_PREF."chart_master
                WHERE ".TB_PREF."chart_master.account_code=".TB_PREF."gl_trans.account
-               AND ".TB_PREF."gl_trans.type=".ST_WORKORDER." AND ".TB_PREF."gl_trans.type_no=$trans_id
+               AND ".TB_PREF."gl_trans.type=".ST_WORKORDER
+               ." AND ".TB_PREF."gl_trans.type_no=".db_escape($trans_id)."
                AND ".TB_PREF."gl_trans.person_type_id=".PT_WORKORDER;
        if ($person_id != -1)
-               $sql .= " AND ".TB_PREF."gl_trans.person_id=$person_id";
+               $sql .= " AND ".TB_PREF."gl_trans.person_id=".db_escape($person_id);
        $sql .= " AND amount < 0";      
 
        return db_query($sql, "The gl transactions could not be retrieved");
@@ -163,9 +172,9 @@ function get_gl_balance_from_to($from_date, $to_date, $account, $dimension=0, $d
        if ($to_date != "")
                $sql .= "  AND tran_date < '$to'";
        if ($dimension > 0)
-               $sql .= " AND dimension_id = $dimension";
+               $sql .= " AND dimension_id = ".db_escape($dimension);
        if ($dimension2 > 0)
-               $sql .= " AND dimension2_id = $dimension2";
+               $sql .= " AND dimension2_id = ".db_escape($dimension2);
 
        $result = db_query($sql, "The starting balance for account $account could not be calculated");
 
@@ -187,9 +196,9 @@ function get_gl_trans_from_to($from_date, $to_date, $account, $dimension=0, $dim
        if ($to_date != "")
                $sql .= " AND tran_date <= '$to'";
        if ($dimension > 0)
-               $sql .= " AND dimension_id = $dimension";
+               $sql .= " AND dimension_id = ".db_escape($dimension);
        if ($dimension2 > 0)
-               $sql .= " AND dimension2_id = $dimension2";
+               $sql .= " AND dimension2_id = ".db_escape($dimension2);
 
        $result = db_query($sql, "Transactions for account $account could not be calculated");
 
@@ -200,17 +209,20 @@ function get_gl_trans_from_to($from_date, $to_date, $account, $dimension=0, $dim
 //----------------------------------------------------------------------------------------------------
 function get_balance($account, $dimension, $dimension2, $from, $to, $from_incl=true, $to_incl=true) 
 {
-       $sql = "SELECT SUM(IF(amount >= 0, amount, 0)) as debit, SUM(IF(amount < 0, -amount, 0)) as credit, SUM(amount) as balance 
-               FROM ".TB_PREF."gl_trans,".TB_PREF."chart_master,".TB_PREF."chart_types, ".TB_PREF."chart_class 
-               WHERE ".TB_PREF."gl_trans.account=".TB_PREF."chart_master.account_code AND ".TB_PREF."chart_master.account_type=".TB_PREF."chart_types.id 
+       $sql = "SELECT SUM(IF(amount >= 0, amount, 0)) as debit, 
+               SUM(IF(amount < 0, -amount, 0)) as credit, SUM(amount) as balance 
+               FROM ".TB_PREF."gl_trans,".TB_PREF."chart_master,"
+                       .TB_PREF."chart_types, ".TB_PREF."chart_class 
+               WHERE ".TB_PREF."gl_trans.account=".TB_PREF."chart_master.account_code AND "
+               .TB_PREF."chart_master.account_type=".TB_PREF."chart_types.id 
                AND ".TB_PREF."chart_types.class_id=".TB_PREF."chart_class.cid AND";
                
        if ($account != null)
-               $sql .= " account='$account' AND";
+               $sql .= " account=".db_escape($account)." AND";
        if ($dimension > 0)
-               $sql .= " dimension_id=$dimension AND";
+               $sql .= " dimension_id=".db_escape($dimension)." AND";
        if ($dimension2 > 0)
-               $sql .= " dimension2_id=$dimension2 AND";
+               $sql .= " dimension2_id=".db_escape($dimension2)." AND";
        $from_date = date2sql($from);
        if ($from_incl)
                $sql .= " tran_date >= '$from_date'  AND";
@@ -236,15 +248,15 @@ function get_budget_trans_from_to($from_date, $to_date, $account, $dimension=0,
        $to = date2sql($to_date);
 
        $sql = "SELECT SUM(amount) FROM ".TB_PREF."budget_trans
-               WHERE account='$account' ";
+               WHERE account=".db_escape($account);
        if ($from_date != "")
                $sql .= " AND tran_date >= '$from' ";
        if ($to_date != "")
                $sql .= " AND tran_date <= '$to' ";
        if ($dimension > 0)
-               $sql .= " AND dimension_id = $dimension";
+               $sql .= " AND dimension_id = ".db_escape($dimension);
        if ($dimension2 > 0)
-               $sql .= " AND dimension2_id = $dimension2";
+               $sql .= " AND dimension2_id = ".db_escape($dimension2);
        $result = db_query($sql,"No budget accounts were returned");
 
        $row = db_fetch_row($result);
@@ -291,7 +303,7 @@ function add_trans_tax_details($trans_type, $trans_no, $tax_id, $rate, $included
                        included_in_price, net_amount, amount, memo)
                VALUES (".db_escape($trans_type)."," . db_escape($trans_no).",'"
                                .date2sql($tran_date)."',".db_escape($tax_id).","
-                               .$rate.",".$ex_rate.",".($included ? 1:0).","
+                               .db_escape($rate).",".db_escape($ex_rate).",".($included ? 1:0).","
                                .db_escape($net_amount).","
                                .db_escape($amount).",".db_escape($memo).")";
 
@@ -302,10 +314,11 @@ function add_trans_tax_details($trans_type, $trans_no, $tax_id, $rate, $included
 
 function get_trans_tax_details($trans_type, $trans_no)
 {
-       $sql = "SELECT ".TB_PREF."trans_tax_details.*, ".TB_PREF."tax_types.name AS tax_type_name
+       $sql = "SELECT ".TB_PREF."trans_tax_details.*, "
+               .TB_PREF."tax_types.name AS tax_type_name
                FROM ".TB_PREF."trans_tax_details,".TB_PREF."tax_types
-               WHERE trans_type = $trans_type
-               AND trans_no = $trans_no
+               WHERE trans_type = ".db_escape($trans_type)."
+               AND trans_no = ".db_escape($trans_no)."
                AND (net_amount != 0 OR amount != 0)
                AND ".TB_PREF."tax_types.id = ".TB_PREF."trans_tax_details.tax_type_id";
 
@@ -317,8 +330,8 @@ function get_trans_tax_details($trans_type, $trans_no)
 function void_trans_tax_details($type, $type_no)
 {
        $sql = "UPDATE ".TB_PREF."trans_tax_details SET amount=0, net_amount=0
-               WHERE trans_no=$type_no
-               AND trans_type=$type";
+               WHERE trans_no=".db_escape($type_no)
+               ." AND trans_type=".db_escape($type);
 
        db_query($sql, "The transaction tax details could not be voided");
 }
@@ -445,7 +458,8 @@ function write_journal_entries(&$cart, $reverse, $use_transaction=true)
 
 function exists_gl_trans($type, $trans_id)
 {
-       $sql = "SELECT type_no FROM ".TB_PREF."gl_trans WHERE type=$type AND type_no=$trans_id";
+       $sql = "SELECT type_no FROM ".TB_PREF."gl_trans WHERE type=".db_escape($type)
+               ." AND type_no=".db_escape($trans_id);
        $result = db_query($sql, "Cannot retreive a gl transaction");
 
     return (db_num_rows($result) > 0);
@@ -458,7 +472,8 @@ function void_gl_trans($type, $trans_id, $nested=false)
        if (!$nested)
                begin_transaction();
 
-       $sql = "UPDATE ".TB_PREF."gl_trans SET amount=0 WHERE type=$type AND type_no=$trans_id";
+       $sql = "UPDATE ".TB_PREF."gl_trans SET amount=0 WHERE type=".db_escape($type)
+       ." AND type_no=".db_escape($trans_id);
 
        db_query($sql, "could not void gl transactions for type=$type and trans_no=$trans_id");
 
index ec98d993db5186b332f4b3cab465ba3deb9ebcca..33112d70d3632651d6d251a00d73ff1677d5414c 100644 (file)
@@ -59,7 +59,7 @@ $date_to = date2sql($_POST['TransToDate']);
 if (!isset($_POST['bank_account']))
        $_POST['bank_account'] = "";
 $sql = "SELECT ".TB_PREF."bank_trans.* FROM ".TB_PREF."bank_trans
-       WHERE ".TB_PREF."bank_trans.bank_act = '" . $_POST['bank_account'] . "'
+       WHERE ".TB_PREF."bank_trans.bank_act = ".db_escape($_POST['bank_account']) . "
        AND trans_date >= '$date_after'
        AND trans_date <= '$date_to'
        ORDER BY trans_date,".TB_PREF."bank_trans.id";
@@ -76,7 +76,8 @@ $th = array(_("Type"), _("#"), _("Reference"), _("Date"),
        _("Debit"), _("Credit"), _("Balance"), _("Person/Item"), "");
 table_header($th);
 
-$sql = "SELECT SUM(amount) FROM ".TB_PREF."bank_trans WHERE bank_act='" . $_POST['bank_account'] . "'
+$sql = "SELECT SUM(amount) FROM ".TB_PREF."bank_trans WHERE bank_act="
+       .db_escape($_POST['bank_account']) . "
        AND trans_date < '$date_after'";
 $before_qty = db_query($sql, "The starting balance on hand could not be calculated");
 
index b4ca18665f55ce9ea2d70438c53a0c7292333228..e6445a56c23a705494186dc7cba91e2fac382b50 100644 (file)
@@ -109,7 +109,7 @@ if ($Mode == 'Delete')
        if (can_delete($selected_id))
        {
                delete_account_type($selected_id);
-               display_notification(_('Selected currency has been deleted'));
+               display_notification(_('Selected account group has been deleted'));
        }
        $Mode = 'RESET';
 }
index 3ae52d961c102edf709e62a37100106d0192a026..8eaeb41cab7a4e86646ed99ec6944acc0eba9ea8 100644 (file)
@@ -28,7 +28,7 @@ if (isset($_GET["trans_no"])){
 $result = get_bank_trans(ST_BANKTRANSFER, $trans_no);
 
 if (db_num_rows($result) != 2)
-       display_db_error("Bank transfer does not contain two records", $sql);
+       display_db_error("Bank transfer does not contain two records");
 
 $trans1 = db_fetch($result);
 $trans2 = db_fetch($result);
index d869dce935239e912a41242d743f9d5faf75d023..64e585a5a16b8f2530bfa84d9f0cc3d028b0dc26 100644 (file)
@@ -47,7 +47,11 @@ function display_gl_heading($myrow)
     end_table(1);
 }
 
-$sql = "SELECT ".TB_PREF."gl_trans.*, account_name FROM ".TB_PREF."gl_trans, ".TB_PREF."chart_master WHERE ".TB_PREF."gl_trans.account = ".TB_PREF."chart_master.account_code AND type= " . $_GET['type_id'] . " AND type_no = " . $_GET['trans_no'] . " ORDER BY counter";
+$sql = "SELECT ".TB_PREF."gl_trans.*, account_name FROM "
+       .TB_PREF."gl_trans, ".TB_PREF."chart_master WHERE "
+       .TB_PREF."gl_trans.account = ".TB_PREF."chart_master.account_code AND type= " 
+       .db_escape($_GET['type_id']) . " AND type_no = ".db_escape($_GET['trans_no']) 
+       . " ORDER BY counter";
 $result = db_query($sql,"could not get transactions");
 //alert("sql = ".$sql);
 
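Review bot: The line `//alert("sql = ".$sql);` right under the rebuilt query is commented-out debug code that would dump the full statement, including the request-derived `type_id` and `trans_no` values, if anyone re-enables it. Now that the query is being reworked it is the right moment to delete the line rather than carry it forward. The statement itself escapes both `$_GET` values, which is the intended change.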
index f91d70235fe0bb53eec1dae5182b13030f770dc2..d6b6e71ab04f83a35c554b08a2d146de6618997c 100644 (file)
@@ -100,6 +100,7 @@ function db_num_fields ($result)
 
 function db_escape($value = "", $nullify = false)
 {
+       $value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);
        $value = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding);
 
        //reset default if second parameter is skipped
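Review bot: The added `$value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);` inherits both the `@` suppression and the session dependency of the line below, so when no language object is present (early bootstrap, non-web entry points) both calls silently fall back to PHP's default charset and the same input is normalised differently depending on context. Resolve the charset once into a local without `@` so a missing `$_SESSION['language']` surfaces as an error instead of a silent behaviour change, and add a why-comment such as `// decode first so values stored entity-encoded by earlier versions are not double-encoded on re-save` (presumably the intent). These two lines only normalise HTML entities; whatever quoting of SQL metacharacters db_escape does is below the hunk, so this step should not be read as the escaping the other hunks rely on. db_escape continues past the hunk.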
index bfaf0f33b986a957604e2ea714f35fa5a20f430c..e268f360dbdcdca8d6200bf88d087a57ab98b36d 100644 (file)
@@ -91,7 +91,7 @@ set_global_stock_item($_POST['stock_id']);
 $sql = "SELECT description, units, material_cost, labour_cost,
        overhead_cost, mb_flag
        FROM ".TB_PREF."stock_master
-       WHERE stock_id='" . $_POST['stock_id'] . "'
+       WHERE stock_id=".db_escape($_POST['stock_id']) . "
        GROUP BY description, units, material_cost, labour_cost, overhead_cost, mb_flag";
 $result = db_query($sql);
 check_db_error("The cost details for the item could not be retrieved", $sql);
index f7d4ed6b5ee86ee5bb8756f2bcd1601ac4889122..11f9486ddc3b7a2f3ef41bde988a0c1b1c500243 100644 (file)
@@ -51,22 +51,22 @@ function update_item_category($id, $description, $tax_type_id,
                ."dflt_assembly_act = ".db_escape($assembly_account).","
                ."dflt_dim1 = ".db_escape($dim1).","
                ."dflt_dim2 = ".db_escape($dim2).","
-               ."dflt_no_sale = '$no_sale'"
-        ." WHERE category_id = '$id'";
+               ."dflt_no_sale = ".db_escape($no_sale)
+        ."WHERE category_id = ".db_escape($id);
 
        db_query($sql,"an item category could not be updated");
 }
 
 function delete_item_category($id)
 {
-       $sql="DELETE FROM ".TB_PREF."stock_category WHERE category_id='$id'";
+       $sql="DELETE FROM ".TB_PREF."stock_category WHERE category_id=".db_escape($id);
 
        db_query($sql,"an item category could not be deleted");
 }
 
 function get_item_category($id)
 {
-       $sql="SELECT * FROM ".TB_PREF."stock_category WHERE category_id='$id'";
+       $sql="SELECT * FROM ".TB_PREF."stock_category WHERE category_id=".db_escape($id);
 
        $result = db_query($sql,"an item category could not be retrieved");
 
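Review bot: The concatenation `."WHERE category_id = ".db_escape($id);` lost the leading space the removed line carried, so the UPDATE is emitted as `dflt_no_sale = '..'WHERE category_id = '..'`. MySQL's lexer may still split that after the closing quote, but it is fragile and hard to read; restore it as `." WHERE category_id = ".db_escape($id);`. update_item_category starts outside this hunk.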
@@ -75,7 +75,7 @@ function get_item_category($id)
 
 function get_category_name($id)
 {
-       $sql = "SELECT description FROM ".TB_PREF."stock_category WHERE category_id=$id";
+       $sql = "SELECT description FROM ".TB_PREF."stock_category WHERE category_id=".db_escape($id);
 
        $result = db_query($sql, "could not get sales type");
 
index d262ee7120f954ea0a09893c99243f5e2c7ee242..5169e2d02348a28da83bdfd6311c14fdc9348cad 100644 (file)
@@ -19,7 +19,7 @@ function update_item_code($id, $item_code, $stock_id, $description, $category, $
                item_code = ".db_escape($item_code).",
                stock_id = ".db_escape($stock_id).",
                description = ".db_escape($description).",
-               category_id = $category,
+               category_id = ".db_escape($category).",
                quantity = ".db_escape($qty).",
                is_foreign = ".db_escape($foreign)."
                WHERE ";
@@ -28,7 +28,7 @@ function update_item_code($id, $item_code, $stock_id, $description, $category, $
                $sql .= "item_code = ".db_escape($item_code)
                ." AND stock_id = ".db_escape($stock_id);
        else
-               $sql .= "id = $id";
+               $sql .= "id = ".db_escape($id);
 
        db_query($sql,"an item code could not be updated");
 }
@@ -38,20 +38,21 @@ function add_item_code($item_code, $stock_id, $description, $category, $qty, $fo
        $sql = "INSERT INTO ".TB_PREF."item_codes
                        (item_code, stock_id, description, category_id, quantity, is_foreign) 
                        VALUES( ".db_escape($item_code).",".db_escape($stock_id).",
-                       ".db_escape($description).",$category,".db_escape($qty).",".$foreign.")";
+                       ".db_escape($description).",".db_escape($category)
+                       .",".db_escape($qty).",".db_escape($foreign).")";
 
        db_query($sql,"an item code could not be added");
 }
 
 function delete_item_code($id)
 {
-       $sql="DELETE FROM ".TB_PREF."item_codes WHERE id='$id'";
+       $sql="DELETE FROM ".TB_PREF."item_codes WHERE id=".db_escape($id);
        db_query($sql,"an item code could not be deleted");
 }
 
 function get_item_code($id)
 {
-       $sql="SELECT * FROM ".TB_PREF."item_codes WHERE id='$id'";
+       $sql="SELECT * FROM ".TB_PREF."item_codes WHERE id=".db_escape($id);
 
        $result = db_query($sql,"item code could not be retrieved");
 
@@ -63,9 +64,9 @@ function get_all_item_codes($stock_id, $foreign=1)
        $sql="SELECT i.*, c.description as cat_name FROM "
                .TB_PREF."item_codes as i,"
                .TB_PREF."stock_category as c
-               WHERE stock_id='$stock_id'
+               WHERE stock_id=".db_escape($stock_id)."
                AND i.category_id=c.category_id
-               AND i.is_foreign=$foreign";
+               AND i.is_foreign=".db_escape($foreign);
 
        $result = db_query($sql,"all item codes could not be retrieved");
 
@@ -74,7 +75,7 @@ function get_all_item_codes($stock_id, $foreign=1)
 
 function delete_item_kit($item_code)
 {
-       $sql="DELETE FROM ".TB_PREF."item_codes WHERE item_code='$item_code'";
+       $sql="DELETE FROM ".TB_PREF."item_codes WHERE item_code=".db_escape($item_code);
        db_query($sql,"an item kit could not be deleted");
 }
 
@@ -90,7 +91,7 @@ function get_item_kit($item_code)
                        item.stock_id=comp.item_code
                WHERE
                        kit.stock_id=comp.item_code
-                       AND kit.item_code='$item_code'";
+                       AND kit.item_code=".db_escape($item_code);
 
        $result = db_query($sql,"item kit could not be retrieved");
 
@@ -101,7 +102,7 @@ function get_item_code_dflts($stock_id)
 {
        $sql = "SELECT units, decimals, description, category_id
                FROM ".TB_PREF."stock_master,".TB_PREF."item_units
-               WHERE stock_id='$stock_id'";
+               WHERE stock_id=".db_escape($stock_id);
 
        $result = db_query($sql,"item code defaults could not be retrieved");
        return db_fetch($result);
@@ -137,7 +138,7 @@ function check_item_in_kit($old_id, $kit_code, $item_code, $recurse=false)
 function get_kit_props($kit_code)
 {
        $sql = "SELECT description, category_id FROM ".TB_PREF."item_codes "
-               . " WHERE item_code='$kit_code'";
+               . " WHERE item_code=".db_escape($kit_code);
        $res = db_query($sql, "kit name query failed");
        return db_fetch($res);
 }
@@ -145,8 +146,8 @@ function get_kit_props($kit_code)
 function update_kit_props($kit_code, $name, $category)
 {
        $sql = "UPDATE ".TB_PREF."item_codes SET description="
-               . db_escape($name).",category_id=".db_escape($category)         
-               . " WHERE item_code='$kit_code'";
+               . db_escape($name).",category_id=".db_escape($category)
+               . " WHERE item_code=".db_escape($kit_code);
        db_query($sql, "kit name update failed");
 }
 
@@ -154,8 +155,8 @@ function get_where_used($item_code)
 {
        $sql = "SELECT item_code, description FROM "
                .TB_PREF."item_codes "
-               . " WHERE stock_id='$item_code'
-                       AND item_code!='$item_code'";
+               . " WHERE stock_id=".db_escape($item_code)."
+                       AND item_code!=".db_escape($item_code);
        return db_query($sql, "where used query failed");
 }
 ?>
\ No newline at end of file
index 9af892d91c3bdddcf442f1e75655fb5156a345ec..9b382287749a65f93ee2748da615566eaed1d29d 100644 (file)
@@ -16,16 +16,16 @@ function update_item($stock_id, $description, $long_description, $category_id,
 {
        $sql = "UPDATE ".TB_PREF."stock_master SET long_description=".db_escape($long_description).",
                description=".db_escape($description).",
-               category_id='$category_id',
-               sales_account='$sales_account',
-               inventory_account='$inventory_account',
-               cogs_account='$cogs_account',
-               adjustment_account='$adjustment_account',
-               assembly_account='$assembly_account',
-               dimension_id=$dimension_id,
-               dimension2_id=$dimension2_id,
-               tax_type_id=$tax_type_id,
-               no_sale='$no_sale'";
+               category_id=".db_escape($category_id).",
+               sales_account=".db_escape($sales_account).",
+               inventory_account=".db_escape($inventory_account).",
+               cogs_account=".db_escape($cogs_account).",
+               adjustment_account=".db_escape($adjustment_account).",
+               assembly_account=".db_escape($assembly_account).",
+               dimension_id=".db_escape($dimension_id).",
+               dimension2_id=".db_escape($dimension2_id).",
+               tax_type_id=".db_escape($tax_type_id)."
+               no_sale=".db_escape($no_sale);
 
        if ($units != '')
                $sql .= ", units='$units'";
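Review bot: The rewritten SET list drops the separator after the tax type: `tax_type_id=".db_escape($tax_type_id)."` is followed directly by `no_sale=".db_escape($no_sale);`, whereas the removed line was `tax_type_id=$tax_type_id,`. The UPDATE therefore reads `tax_type_id='..' no_sale='..'` and will fail to parse, so every item update breaks. Change the line to `tax_type_id=".db_escape($tax_type_id).",`. update_item continues past this hunk.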
@@ -33,7 +33,7 @@ function update_item($stock_id, $description, $long_description, $category_id,
        if ($mb_flag != '')
                $sql .= ", mb_flag='$mb_flag'";
 
-       $sql .= " WHERE stock_id='$stock_id'";
+       $sql .= " WHERE stock_id=".db_escape($stock_id);
 
        db_query($sql, "The item could not be updated");
 
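Review bot: Within the same statement that now escapes `stock_id`, the optional columns are still interpolated raw on the context lines `$sql .= ", units='$units'";` and `$sql .= ", mb_flag='$mb_flag'";`. For consistency with the rest of the function they should be `$sql .= ", units=".db_escape($units);` and `$sql .= ", mb_flag=".db_escape($mb_flag);`. update_item starts outside this hunk.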
@@ -49,15 +49,19 @@ function add_item($stock_id, $description, $long_description, $category_id,
                tax_type_id, units, mb_flag, sales_account, inventory_account, cogs_account,
                adjustment_account, assembly_account, dimension_id, dimension2_id, no_sale)
                VALUES (".db_escape($stock_id).", ".db_escape($description).", ".db_escape($long_description).",
-               '$category_id', $tax_type_id, '$units', '$mb_flag',
-               '$sales_account', '$inventory_account', '$cogs_account',
-               '$adjustment_account', '$assembly_account', $dimension_id, $dimension2_id,
-               '$no_sale')";
+               ".db_escape($category_id).", ".db_escape($tax_type_id).", "
+               .db_escape($units).", ".db_escape($mb_flag).",
+               ".db_escape($sales_account).", ".db_escape($inventory_account)
+               .", ".db_escape($cogs_account).",".db_escape($adjustment_account)
+               .", ".db_escape($assembly_account).", "
+               .db_escape($dimension_id).", ".db_escape($dimension2_id).","
+               .db_escape($no_sale).")";
 
        db_query($sql, "The item could not be added");
 
        $sql = "INSERT INTO ".TB_PREF."loc_stock (loc_code, stock_id)
-               SELECT ".TB_PREF."locations.loc_code, '$stock_id' FROM ".TB_PREF."locations";
+               SELECT ".TB_PREF."locations.loc_code, ".db_escape($stock_id)
+               ." FROM ".TB_PREF."locations";
 
        db_query($sql, "The item locstock could not be added");
 
@@ -66,23 +70,23 @@ function add_item($stock_id, $description, $long_description, $category_id,
 
 function delete_item($stock_id)
 {
-       $sql="DELETE FROM ".TB_PREF."stock_master WHERE stock_id='$stock_id'";
+       $sql="DELETE FROM ".TB_PREF."stock_master WHERE stock_id=".db_escape($stock_id);
        db_query($sql, "could not delete stock item");
 
        /*and cascade deletes in loc_stock */
-       $sql ="DELETE FROM ".TB_PREF."loc_stock WHERE stock_id='$stock_id'";
+       $sql ="DELETE FROM ".TB_PREF."loc_stock WHERE stock_id=".db_escape($stock_id);
        db_query($sql, "could not delete stock item loc stock");
 
        /*and cascade deletes in purch_data */
-       $sql ="DELETE FROM ".TB_PREF."purch_data WHERE stock_id='$stock_id'";
+       $sql ="DELETE FROM ".TB_PREF."purch_data WHERE stock_id=".db_escape($stock_id);
        db_query($sql, "could not delete stock item purch data");
 
        /*and cascade deletes in prices */
-       $sql ="DELETE FROM ".TB_PREF."prices WHERE stock_id='$stock_id'";
+       $sql ="DELETE FROM ".TB_PREF."prices WHERE stock_id=".db_escape($stock_id);
        db_query($sql, "could not delete stock item prices");
 
        /*and cascade delete the bill of material if any */
-       $sql = "DELETE FROM ".TB_PREF."bom WHERE parent='$stock_id'";
+       $sql = "DELETE FROM ".TB_PREF."bom WHERE parent=".db_escape($stock_id);
        db_query($sql, "could not delete stock item bom");
 
        delete_item_kit($stock_id);
@@ -93,7 +97,7 @@ function get_item($stock_id)
        $sql = "SELECT ".TB_PREF."stock_master.*,".TB_PREF."item_tax_types.name AS tax_type_name
                FROM ".TB_PREF."stock_master,".TB_PREF."item_tax_types
                WHERE ".TB_PREF."item_tax_types.id=".TB_PREF."stock_master.tax_type_id
-               AND stock_id='$stock_id'";
+               AND stock_id=".db_escape($stock_id);
        $result = db_query($sql,"an item could not be retreived");
 
        return db_fetch($result);
index 809e928c028f1021aed34bd9e2bcbee28c6c0f15..b0372971441a3ca1e49d0404fb379770d7b9103f 100644 (file)
@@ -13,13 +13,14 @@ function add_item_location($loc_code, $location_name, $delivery_address, $phone,
 {
        $sql = "INSERT INTO ".TB_PREF."locations (loc_code, location_name, delivery_address, phone, phone2, fax, email, contact)
                VALUES (".db_escape($loc_code).", ".db_escape($location_name).", ".db_escape($delivery_address).", "
-                       .db_escape($phone).", ".db_escape($phone2).", ".db_escape($fax).", ".db_escape($email).", ".db_escape($contact).")";
+                       .db_escape($phone).", ".db_escape($phone2).", ".db_escape($fax).", ".db_escape($email).", "
+                       .db_escape($contact).")";
 
        db_query($sql,"a location could not be added");
 
        /* Also need to add loc_stock records for all existing items */
        $sql = "INSERT INTO ".TB_PREF."loc_stock (loc_code, stock_id, reorder_level)
-               SELECT '$loc_code', ".TB_PREF."stock_master.stock_id, 0 FROM ".TB_PREF."stock_master";
+               SELECT ".db_escape($loc_code).", ".TB_PREF."stock_master.stock_id, 0 FROM ".TB_PREF."stock_master";
 
        db_query($sql,"a location could not be added");
 }
@@ -33,7 +34,7 @@ function update_item_location($loc_code, $location_name, $delivery_address, $pho
        delivery_address=".db_escape($delivery_address).",
        phone=".db_escape($phone).", phone2=".db_escape($phone2).", fax=".db_escape($fax).",
        email=".db_escape($email).", contact=".db_escape($contact)."
-       WHERE loc_code = '$loc_code'";
+       WHERE loc_code = ".db_escape($loc_code);
 
        db_query($sql,"a location could not be updated");
 }
@@ -42,10 +43,10 @@ function update_item_location($loc_code, $location_name, $delivery_address, $pho
 
 function delete_item_location($item_location)
 {
-       $sql="DELETE FROM ".TB_PREF."locations WHERE loc_code='$item_location'";
+       $sql="DELETE FROM ".TB_PREF."locations WHERE loc_code=".db_escape($item_location);
        db_query($sql,"a location could not be deleted");
 
-       $sql = "DELETE FROM ".TB_PREF."loc_stock WHERE loc_code ='$item_location'";
+       $sql = "DELETE FROM ".TB_PREF."loc_stock WHERE loc_code =".db_escape($item_location);
        db_query($sql,"a location could not be deleted");
 }
 
@@ -53,7 +54,7 @@ function delete_item_location($item_location)
 
 function get_item_location($item_location)
 {
-       $sql="SELECT * FROM ".TB_PREF."locations WHERE loc_code='$item_location'";
+       $sql="SELECT * FROM ".TB_PREF."locations WHERE loc_code=".db_escape($item_location);
 
        $result = db_query($sql,"a location could not be retrieved");
 
@@ -65,7 +66,7 @@ function get_item_location($item_location)
 function set_reorder_level($stock_id, $loc_code, $reorder_level)
 {
        $sql = "UPDATE ".TB_PREF."loc_stock SET reorder_level = $reorder_level
-               WHERE stock_id = '$stock_id' AND loc_code = '$loc_code'";
+               WHERE stock_id = ".db_escape($stock_id)." AND loc_code = ".db_escape($loc_code);
 
        db_query($sql,"an item reorder could not be set");
 }
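Review bot: The SET clause on the context line `$sql = "UPDATE ".TB_PREF."loc_stock SET reorder_level = $reorder_level` still interpolates its value directly while the WHERE clause on the next line was converted to db_escape(). Change it to `SET reorder_level = ".db_escape($reorder_level)."` so set_reorder_level has no unescaped input left.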
@@ -77,7 +78,8 @@ function get_loc_details($stock_id)
        $sql = "SELECT ".TB_PREF."loc_stock.*, ".TB_PREF."locations.location_name
                FROM ".TB_PREF."loc_stock, ".TB_PREF."locations
                WHERE ".TB_PREF."loc_stock.loc_code=".TB_PREF."locations.loc_code
-               AND ".TB_PREF."loc_stock.stock_id = '" . $stock_id . "' ORDER BY ".TB_PREF."loc_stock.loc_code";
+               AND ".TB_PREF."loc_stock.stock_id = ".db_escape($stock_id) 
+               ." ORDER BY ".TB_PREF."loc_stock.loc_code";
        return db_query($sql,"an item reorder could not be retreived");
 }
 
index 13fa14dad4d5c6599c7b41574b4577275e452ee0..9b670d2499fb55dbf7ed68ceb5df4a6515bcb48c 100644 (file)
 function add_item_price($stock_id, $sales_type_id, $curr_abrev, $price)
 {
        $sql = "INSERT INTO ".TB_PREF."prices (stock_id, sales_type_id, curr_abrev, price) 
-               VALUES ('$stock_id', $sales_type_id, '$curr_abrev', $price)";
+               VALUES (".db_escape($stock_id).", ".db_escape($sales_type_id)
+               .", ".db_escape($curr_abrev).", ".db_escape($price).")";
        
        db_query($sql,"an item price could not be added");              
 }
 
 function update_item_price($price_id, $sales_type_id, $curr_abrev, $price)
 {
-       $sql = "UPDATE ".TB_PREF."prices SET sales_type_id=$sales_type_id, 
-               curr_abrev='$curr_abrev', 
-               price=$price 
-               WHERE id=$price_id";
+       $sql = "UPDATE ".TB_PREF."prices SET sales_type_id=".db_escape($sales_type_id).", 
+               curr_abrev=".db_escape($curr_abrev).", 
+               price=".db_escape($price)." WHERE id=".db_escape($price_id);
        
        db_query($sql,"an item price could not be updated");            
 }
 
 function delete_item_price($price_id)
 {
-       $sql="DELETE FROM ".TB_PREF."prices WHERE id= $price_id";
+       $sql="DELETE FROM ".TB_PREF."prices WHERE id= ".db_escape($price_id);
        db_query($sql,"an item price could not be deleted");                    
 }
 
@@ -38,14 +38,15 @@ function get_prices($stock_id)
        $sql = "SELECT ".TB_PREF."sales_types.sales_type, ".TB_PREF."prices.* 
                FROM ".TB_PREF."prices, ".TB_PREF."sales_types 
                WHERE ".TB_PREF."prices.sales_type_id = ".TB_PREF."sales_types.id 
-               AND stock_id='$stock_id' ORDER BY curr_abrev, sales_type_id";   
+               AND stock_id=".db_escape($stock_id)
+               ." ORDER BY curr_abrev, sales_type_id"; 
        
        return db_query($sql,"item prices could not be retreived");
 }
 
 function get_stock_price($price_id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."prices WHERE id=$price_id";    
+       $sql = "SELECT * FROM ".TB_PREF."prices WHERE id=".db_escape($price_id);
        
        $result = db_query($sql,"price could not be retreived");
        
index 0bcdb82b80e6e12f7fb26108745cd2fa8e5f9c5a..7292814d35c38d95e0f52befcb6dbd8227d9ce05 100644 (file)
@@ -25,11 +25,11 @@ function stock_cost_update($stock_id, $material_cost, $labour_cost, $overhead_co
        
        begin_transaction();
        
-       $sql = "UPDATE ".TB_PREF."stock_master SET material_cost=$material_cost
-               labour_cost=$labour_cost
-               overhead_cost=$overhead_cost
-               last_cost=$last_cost 
-               WHERE stock_id='$stock_id'";
+       $sql = "UPDATE ".TB_PREF."stock_master SET material_cost=".db_escape($material_cost)."
+               labour_cost=".db_escape($labour_cost)."
+               overhead_cost=".db_escape($overhead_cost)."
+               last_cost=".db_escape($last_cost)." 
+               WHERE stock_id=".db_escape($stock_id);
        db_query($sql,"The cost details for the inventory item could not be updated");
 
        $qoh = get_qoh_on_date($_POST['stock_id']);
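Review bot: The rewritten SET list still has no commas between its assignments: `material_cost=".db_escape($material_cost)."` is followed on the next line by `labour_cost=...`, then `overhead_cost=...` and `last_cost=...`, which is invalid SQL and was already so in the removed lines. Append `."` → `.","` on the material_cost, labour_cost and overhead_cost lines, e.g. `material_cost=".db_escape($material_cost).",`. Separately, the context line `$qoh = get_qoh_on_date($_POST['stock_id']);` reads the superglobal inside a db-layer function that already receives `$stock_id` as a parameter; it looks like it should use `$stock_id`. stock_cost_update starts outside this hunk.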
index b5c98d9118f7afd5f39d2fcc0f9754618e16a9ed..c06aeafb775d4f3090b7221a6d169948a2b41185 100644 (file)
@@ -15,26 +15,26 @@ function write_item_unit($selected, $abbr, $description, $decimals)
                $sql = "UPDATE ".TB_PREF."item_units SET
                abbr = ".db_escape($abbr).",
                name = ".db_escape($description).",
-               decimals = $decimals
-               WHERE    abbr = '$selected'";
+               decimals = ".db_escape($decimals)."
+               WHERE abbr = ".db_escape($selected);
     else
                $sql = "INSERT INTO ".TB_PREF."item_units
                        (abbr, name, decimals) VALUES( ".db_escape($abbr).",
-                       ".db_escape($description).", $decimals)";
+                       ".db_escape($description).", ".db_escape($decimals).")";
 
        db_query($sql,"an item unit could not be updated");
 }
 
 function delete_item_unit($unit)
 {
-       $sql="DELETE FROM ".TB_PREF."item_units WHERE abbr='$unit'";
+       $sql="DELETE FROM ".TB_PREF."item_units WHERE abbr=".db_escape($unit);
 
        db_query($sql,"an unit of measure could not be deleted");
 }
 
 function get_item_unit($unit)
 {
-       $sql="SELECT * FROM ".TB_PREF."item_units WHERE abbr='$unit'";
+       $sql="SELECT * FROM ".TB_PREF."item_units WHERE abbr=".db_escape($unit);
 
        $result = db_query($sql,"an unit of measure could not be retrieved");
 
@@ -43,7 +43,7 @@ function get_item_unit($unit)
 
 function get_unit_descr($unit)
 {
-       $sql = "SELECT description FROM ".TB_PREF."item_units WHERE abbr='$unit'";
+       $sql = "SELECT description FROM ".TB_PREF."item_units WHERE abbr=".db_escape($unit);
 
        $result = db_query($sql, "could not unit description");
 
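Review bot: This query selects `description FROM item_units`, while write_item_unit in the hunk above writes the same table's column as `name`; if the schema has no `description` column get_unit_descr fails at runtime and the failure text `could not unit description` is missing its verb. Verify the column name against the schema and make the message read `could not get unit description`.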
@@ -52,7 +52,7 @@ function get_unit_descr($unit)
 }
 
 function item_unit_used($unit) {
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE units='$unit'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE units=".db_escape($unit);
        $result = db_query($sql, "could not query stock master");
        $myrow = db_fetch_row($result);
        return ($myrow[0] > 0);
@@ -68,7 +68,7 @@ function get_all_item_units($all=false) {
 function get_unit_dec($stock_id)
 {
        $sql = "SELECT decimals FROM ".TB_PREF."item_units,     ".TB_PREF."stock_master
-               WHERE abbr=units AND stock_id='$stock_id' LIMIT 1";
+               WHERE abbr=units AND stock_id=".db_escape($stock_id)." LIMIT 1";
        $result = db_query($sql, "could not get unit decimals");
 
        $row = db_fetch_row($result);
index 41fd14acc4cdc0f5c0be3629963657d2d2d5e507..210cad432ea789700b29262da8b8150d7095704d 100644 (file)
@@ -20,7 +20,7 @@ function add_movement_type($name)
 function update_movement_type($type_id, $name)
 {
        $sql = "UPDATE ".TB_PREF."movement_types SET name=".db_escape($name)."
-                       WHERE id=$type_id";
+                       WHERE id=".db_escape($type_id);
 
        db_query($sql, "could not update item movement type");
 }
@@ -35,7 +35,8 @@ function get_all_movement_type($all=false)
 
 function get_movement_type($type_id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."movement_types WHERE id=$type_id";
+       $sql = "SELECT * FROM ".TB_PREF."movement_types WHERE id=".db_escape($type_id);
+
        $result = db_query($sql, "could not get item movement type");
 
        return db_fetch($result);
@@ -43,7 +44,7 @@ function get_movement_type($type_id)
 
 function delete_movement_type($type_id)
 {
-       $sql="DELETE FROM ".TB_PREF."movement_types WHERE id=$type_id";
+       $sql="DELETE FROM ".TB_PREF."movement_types WHERE id=".db_escape($type_id);
 
        db_query($sql, "could not delete item movement type");
 }
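Review bot: `id` is an integer key, so routing `$type_id` through db_escape on the `DELETE` line yields a quoted string literal (`id='3'`) that MySQL matches only via implicit string-to-number conversion, and a value such as `3abc` would likely still delete row 3, assuming db_escape quotes string input as the length checks elsewhere in this commit suggest. For numeric keys a cast is both tighter and cheaper: `$sql="DELETE FROM ".TB_PREF."movement_types WHERE id=".(int)$type_id;`. The same applies to the `update_movement_type` and `get_movement_type` hunks above, which take the same parameter.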
index 6b83d04599c6ae3319921d6169e6fc581357f066..75837a11089860a0d6b75bc7bd8b228a5796e4d1 100644 (file)
@@ -64,10 +64,10 @@ $after_date = date2sql($_POST['AfterDate']);
 
 $sql = "SELECT type, trans_no, tran_date, person_id, qty, reference
        FROM ".TB_PREF."stock_moves
-       WHERE loc_code='" . $_POST['StockLocation'] . "'
+       WHERE loc_code=".db_escape($_POST['StockLocation'])."
        AND tran_date >= '". $after_date . "'
        AND tran_date <= '" . $before_date . "'
-       AND stock_id = '" . $_POST['stock_id'] . "' ORDER BY tran_date,trans_id";
+       AND stock_id = ".db_escape($_POST['stock_id']) . " ORDER BY tran_date,trans_id";
 $result = db_query($sql, "could not query stock moves");
 
 check_db_error("The stock movements for the selected criteria could not be retrieved",$sql);
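Review bot: `$after_date` and `$before_date` are still interpolated bare inside single quotes on the two `tran_date` lines, while the `$_POST` values on the lines beside them now go through db_escape. Per the hunk header `$after_date` comes from `date2sql($_POST['AfterDate'])` (and presumably `$before_date` likewise), so this is only safe if date2sql always emits a canonical `YYYY-MM-DD` for any input; if it merely splits and reorders the user-supplied fields, a malformed date remains an injection path. Either validate both POST dates before building the query or treat them like the other inputs: `AND tran_date >= ".db_escape($after_date)."` and `AND tran_date <= ".db_escape($before_date)."`. The surrounding script continues outside this hunk.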
@@ -79,8 +79,8 @@ $th = array(_("Type"), _("#"), _("Reference"), _("Date"), _("Detail"),
 
 table_header($th);
 
-$sql = "SELECT SUM(qty) FROM ".TB_PREF."stock_moves WHERE stock_id='" . $_POST['stock_id'] . "'
-       AND loc_code='" . $_POST['StockLocation'] . "'
+$sql = "SELECT SUM(qty) FROM ".TB_PREF."stock_moves WHERE stock_id=".db_escape($_POST['stock_id']) . "
+       AND loc_code=".db_escape( $_POST['StockLocation']) . "
        AND tran_date < '" . $after_date . "'";
 $before_qty = db_query($sql, "The starting quantity on hand could not be calculated");
 
index 26a2889fec39035ef5a247f7a5bb377614d3ee8a..233d034b401bf3d361ef49f30621994dc6ab8ebc 100644 (file)
@@ -67,7 +67,7 @@ if ($Mode == 'Delete')
 {
 
        // PREVENT DELETES IF DEPENDENT RECORDS IN 'stock_master'
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE category_id='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE category_id=".db_escape($selected_id);
        $result = db_query($sql, "could not query stock master");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
index 39be1be54d192d1c986488d67063d1aa50a68907..a17ac69ff5045b085d7d114b2c25d35051917b1f 100644 (file)
@@ -34,6 +34,12 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
                display_error(_("The unit of measure code cannot be empty."));
                set_focus('abbr');
        }
+       if (strlen(db_escape($_POST['abbr']))>(20+2))
+       {
+               $input_error = 1;
+               display_error(_("The unit of measure code is too long."));
+               set_focus('abbr');
+       }
        if (strlen($_POST['description']) == 0)
        {
                $input_error = 1;
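Review bot: The new length check compares against the escaped string, so `(20+2)` is a magic number that only makes sense to a reader who knows db_escape appears to wrap the value in quotes and convert special characters; say so in place, e.g. `// db_escape() adds two quotes and expands special chars; check the escaped form so the 20-char column is not silently truncated`. The message "too long" also hides that `&`, `<` or quotes consume several characters each; the parallel locations.php change in this commit says "(including converted special chars)" and this message should match it. Note that `strlen` is byte-wise, so non-ASCII input uses up the budget faster than the user can see.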
index 9d30127725d6b60ffa49b70d2af4ceaa768aca28..9356e0b11fcc729fb06bed9e1a864f58861b95f7 100644 (file)
@@ -212,16 +212,16 @@ function check_usage($stock_id, $dispmsg=true)
 {
        $sqls=  array(
        "SELECT COUNT(*) FROM "
-               .TB_PREF."stock_moves WHERE stock_id='$stock_id'" =>
+               .TB_PREF."stock_moves WHERE stock_id=".db_escape($stock_id) =>
         _('Cannot delete this item because there are stock movements that refer to this item.'),
        "SELECT COUNT(*) FROM "
-               .TB_PREF."bom WHERE component='$stock_id'"=>
+               .TB_PREF."bom WHERE component=".db_escape($stock_id)=>
         _('Cannot delete this item record because there are bills of material that require this part as a component.'),
        "SELECT COUNT(*) FROM "
-               .TB_PREF."sales_order_details WHERE stk_code='$stock_id'" =>
+               .TB_PREF."sales_order_details WHERE stk_code=".db_escape($stock_id) =>
         _('Cannot delete this item because there are existing purchase order items for it.'),
        "SELECT COUNT(*) FROM "
-               .TB_PREF."purch_order_details WHERE item_code='$stock_id'"=>
+               .TB_PREF."purch_order_details WHERE item_code=".db_escape($stock_id)=>
         _('Cannot delete this item because there are existing purchase order items for it.')
        );
 
index e7f72290edf6dad018dbdca37113ecea20a46052..d32d10a1ea7486fbd12768829fc365b1229ee107 100644 (file)
@@ -33,10 +33,10 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
        //first off validate inputs sensible
        $_POST['loc_code'] = strtoupper($_POST['loc_code']);
 
-       if (strlen($_POST['loc_code']) > 5) 
+       if (strlen(db_escape($_POST['loc_code'])) > 7) //check length after conversion
        {
                $input_error = 1;
-               display_error( _("The location code must be five characters or less long."));
+               display_error( _("The location code must be five characters or less long (including converted special chars)."));
                set_focus('loc_code');
        } 
        elseif (strlen($_POST['location_name']) == 0) 
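Review bot: `> 7` on the `strlen(db_escape(...))` line encodes two facts (a 5-character column plus the two quotes db_escape adds) that the `//check length after conversion` comment does not spell out; name them, e.g. `$max_loc_code = 5; // width of the loc_code column` and `if (strlen(db_escape($_POST['loc_code'])) > $max_loc_code + 2) // +2 for the quotes db_escape() adds`. If the converted form is what gets stored, as the amended message implies, a code such as `A&B` will be saved in its converted representation and "five characters" becomes approximate from the user's point of view; rejecting the characters db_escape converts (`&`, `<`, `>`, quotes) up front would keep the stored code identical to what was typed.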
@@ -71,7 +71,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
 
 function can_delete($selected_id)
 {
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_moves WHERE loc_code='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_moves WHERE loc_code=".db_escape($selected_id);
        $result = db_query($sql, "could not query stock moves");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
@@ -80,7 +80,7 @@ function can_delete($selected_id)
                return false;
        }
 
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."workorders WHERE loc_code='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."workorders WHERE loc_code=".db_escape($selected_id);
        $result = db_query($sql, "could not query work orders");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
@@ -98,7 +98,7 @@ function can_delete($selected_id)
                return false;
        }
        
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."bom WHERE loc_code='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."bom WHERE loc_code=".db_escape($selected_id);
        $result = db_query($sql, "could not query bom");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
@@ -106,7 +106,7 @@ function can_delete($selected_id)
                display_error(_("Cannot delete this location because it is used by some related records in other tables."));
                return false;
        }
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."grn_batch WHERE loc_code='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."grn_batch WHERE loc_code=".db_escape($selected_id);
        $result = db_query($sql, "could not query grn batch");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
@@ -114,7 +114,7 @@ function can_delete($selected_id)
                display_error(_("Cannot delete this location because it is used by some related records in other tables."));
                return false;
        }
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."purch_orders WHERE into_stock_location='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."purch_orders WHERE into_stock_location=".db_escape($selected_id);
        $result = db_query($sql, "could not query purch orders");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
@@ -122,7 +122,7 @@ function can_delete($selected_id)
                display_error(_("Cannot delete this location because it is used by some related records in other tables."));
                return false;
        }
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE from_stk_loc='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE from_stk_loc=".db_escape($selected_id);
        $result = db_query($sql, "could not query sales orders");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
@@ -130,7 +130,7 @@ function can_delete($selected_id)
                display_error(_("Cannot delete this location because it is used by some related records in other tables."));
                return false;
        }
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_pos WHERE pos_location='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_pos WHERE pos_location=".db_escape($selected_id);
        $result = db_query($sql, "could not query sales pos");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
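Review bot: This is the seventh near-identical `SELECT COUNT(*)` / `db_fetch_row` / `display_error` stanza in can_delete, each re-escaping `$selected_id` and repeating the same message; the same commit's `check_usage` in items.php already drives such checks from a table, and this function would be shorter and harder to get wrong in that shape. The function begins in an earlier hunk and ends past this one, and the checks between the visible hunks (and the first stanza's message, whose text is not visible) are not shown, so keep any differing message as an extra array element rather than assuming it is the generic one.
```php
function can_delete($selected_id)
{
	$loc = db_escape($selected_id);
	// (table, column, query-error text) for every table that references a location
	$refs = array(
		array('stock_moves', 'loc_code', "could not query stock moves"),
		array('workorders', 'loc_code', "could not query work orders"),
		// … any checks that fall between the visible hunks …
		array('bom', 'loc_code', "could not query bom"),
		array('grn_batch', 'loc_code', "could not query grn batch"),
		array('purch_orders', 'into_stock_location', "could not query purch orders"),
		array('sales_orders', 'from_stk_loc', "could not query sales orders"),
		array('sales_pos', 'pos_location', "could not query sales pos"),
	);
	foreach ($refs as $ref)
	{
		list($table, $column, $err) = $ref;
		$sql = "SELECT COUNT(*) FROM ".TB_PREF."$table WHERE $column=$loc";
		$myrow = db_fetch_row(db_query($sql, $err));
		if ($myrow[0] > 0)
		{
			display_error(_("Cannot delete this location because it is used by some related records in other tables."));
			return false;
		}
	}
	// … unchanged: remainder of the function past the hunk …
```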
index 5f75844fca8e536ddde2d7f5ce7aae2a6a8573ed..60b8e83e30ce52fcb6ac91659a4b68d18fefaf3d 100644 (file)
@@ -57,7 +57,8 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
 function can_delete($selected_id)
 {
        $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_moves 
-               WHERE type=" . ST_INVADJUST. " AND person_id=$selected_id";
+               WHERE type=" . ST_INVADJUST. " AND person_id=".db_escape($selected_id);
+
        $result = db_query($sql, "could not query stock moves");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
index 51464e04969cb3eb31386e7ba6d563b452a5d31a..de9ed65e000d3a155f244ae3b1a3dc982db2503f 100644 (file)
@@ -58,20 +58,21 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
 
                $sql = "INSERT INTO ".TB_PREF."purch_data (supplier_id, stock_id, price, suppliers_uom,
                        conversion_factor, supplier_description) VALUES (";
-               $sql .= "'".$_POST['supplier_id']."', '" . $_POST['stock_id'] . "', " .
-                   input_num('price',0) . ", '" . $_POST['suppliers_uom'] . "', " .
-                       input_num('conversion_factor') . ", " . db_escape($_POST['supplier_description']) . ")";
+               $sql .= db_escape($_POST['supplier_id']).", ".db_escape($_POST['stock_id']). ", "
+                       .input_num('price',0) . ", ".db_escape( $_POST['suppliers_uom'] ). ", "
+                       .input_num('conversion_factor') . ", "
+                       .db_escape($_POST['supplier_description']) . ")";
 
                db_query($sql,"The supplier purchasing details could not be added");
                display_notification(_("This supplier purchasing data has been added."));
                } else
                {
                $sql = "UPDATE ".TB_PREF."purch_data SET price=" . input_num('price',0) . ",
-                               suppliers_uom='" . $_POST['suppliers_uom'] . "',
+                               suppliers_uom=".db_escape($_POST['suppliers_uom']) . ",
                                conversion_factor=" . input_num('conversion_factor') . ",
                                supplier_description=" . db_escape($_POST['supplier_description']) . "
-                               WHERE stock_id='" . $_POST['stock_id'] . "' AND
-                               supplier_id='$selected_id'";
+                               WHERE stock_id=".db_escape($_POST['stock_id']) . " AND
+                               supplier_id=".db_escape($selected_id);
                db_query($sql,"The supplier purchasing details could not be updated");
 
                display_notification(_("Supplier purchasing data has been updated."));
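Review bot: `input_num('price',0)` and `input_num('conversion_factor')` are still spliced raw into both the INSERT and the UPDATE while every other value in these statements now goes through db_escape, which is only correct if input_num is guaranteed to return a number. `conversion_factor` is called without a default, so if input_num yields `false`, `null` or `''` for an unparsable entry the statement degenerates to `..., , ...` and fails at the database instead of at validation; the validation block above this hunk is not visible, so this may already be caught there. Consider `input_num('conversion_factor', 1)` or an explicit `is_numeric` check, and format the numbers locale-independently (PHP 5 float-to-string honours LC_NUMERIC) since they reach the SQL as bare text.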
@@ -85,8 +86,8 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
 if ($Mode == 'Delete')
 {
 
-       $sql = "DELETE FROM ".TB_PREF."purch_data WHERE supplier_id='$selected_id'
-               AND stock_id='" . $_POST['stock_id'] . "'";
+       $sql = "DELETE FROM ".TB_PREF."purch_data WHERE supplier_id=".db_escape($selected_id)."
+               AND stock_id=".db_escape($_POST['stock_id']);
        db_query($sql,"could not delete purchasing data");
 
        display_notification(_("The purchasing data item has been sucessfully deleted."));
@@ -130,10 +131,11 @@ if ($mb_flag == -1)
 else
 {
 
-    $sql = "SELECT ".TB_PREF."purch_data.*,".TB_PREF."suppliers.supp_name,".TB_PREF."suppliers.curr_code
+    $sql = "SELECT ".TB_PREF."purch_data.*,".TB_PREF."suppliers.supp_name,"
+       .TB_PREF."suppliers.curr_code
                FROM ".TB_PREF."purch_data INNER JOIN ".TB_PREF."suppliers
                ON ".TB_PREF."purch_data.supplier_id=".TB_PREF."suppliers.supplier_id
-               WHERE stock_id = '" . $_POST['stock_id'] . "'";
+               WHERE stock_id = ".db_escape($_POST['stock_id']);
 
     $result = db_query($sql, "The supplier purchasing details for the selected part could not be retrieved");
   div_start('price_table');
@@ -187,8 +189,8 @@ if ($Mode =='Edit')
 
        $sql = "SELECT ".TB_PREF."purch_data.*,".TB_PREF."suppliers.supp_name FROM ".TB_PREF."purch_data
                INNER JOIN ".TB_PREF."suppliers ON ".TB_PREF."purch_data.supplier_id=".TB_PREF."suppliers.supplier_id
-               WHERE ".TB_PREF."purch_data.supplier_id='$selected_id'
-               AND ".TB_PREF."purch_data.stock_id='" . $_POST['stock_id'] . "'";
+               WHERE ".TB_PREF."purch_data.supplier_id=".db_escape($selected_id)."
+               AND ".TB_PREF."purch_data.stock_id=".db_escape($_POST['stock_id']);
 
        $result = db_query($sql, "The supplier purchasing details for the selected supplier and item could not be retrieved");
 
index e1b8a023a63b112ef8b85a85dba71253f83cf3f2..18adc74fdaceba36c7d3d5f195a11f05ab3bd00b 100644 (file)
@@ -20,7 +20,7 @@ function add_work_centre($name, $description)
 function update_work_centre($type_id, $name, $description)
 {
        $sql = "UPDATE ".TB_PREF."workcentres SET name=".db_escape($name).", description=".db_escape($description)."
-               WHERE id=$type_id";
+               WHERE id=".db_escape($type_id);
 
        db_query($sql, "could not update work centre");
 }
@@ -35,7 +35,7 @@ function get_all_work_centres($all=false)
 
 function get_work_centre($type_id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."workcentres WHERE id=$type_id";
+       $sql = "SELECT * FROM ".TB_PREF."workcentres WHERE id=".db_escape($type_id);
 
        $result = db_query($sql, "could not get work centre");
 
@@ -44,7 +44,7 @@ function get_work_centre($type_id)
 
 function delete_work_centre($type_id)
 {
-       $sql="DELETE FROM ".TB_PREF."workcentres WHERE id=$type_id";
+       $sql="DELETE FROM ".TB_PREF."workcentres WHERE id=".db_escape($type_id);
 
        db_query($sql, "could not delete work centre");
 }
index 0e0999b0cb460725b555370b3222d9f29962162d..2bdffa266b61306c8d0afd7e614ad71a65c0bd1e 100644 (file)
@@ -36,8 +36,8 @@ function add_work_order_issue($woid, $ref, $to_work_order, $items, $location, $w
 
        // insert the actual issue
        $sql = "INSERT INTO ".TB_PREF."wo_issues (workorder_id, reference, issue_date, loc_code, workcentre_id)
-               VALUES ($woid, ".db_escape($ref).", '" .
-               date2sql($date_) . "', ".db_escape($location).", $workcentre)";
+               VALUES (".db_escape($woid).", ".db_escape($ref).", '" .
+               date2sql($date_) . "', ".db_escape($location).", ".db_escape($workcentre).")";
        db_query($sql,"The work order issue could not be added");
 
        $number = db_insert_id();
@@ -53,7 +53,8 @@ function add_work_order_issue($woid, $ref, $to_work_order, $items, $location, $w
                        $location, $date_, $memo_, -$item->quantity, 0);
 
                $sql = "INSERT INTO ".TB_PREF."wo_issue_items (issue_id, stock_id, qty_issued)
-                       VALUES ('$number', '$item->stock_id', $item->quantity)";
+                       VALUES (".db_escape($number).", ".db_escape($item->stock_id).", "
+                       .db_escape($item->quantity).")";
                db_query($sql,"A work order issue item could not be added");
        }
 
@@ -70,7 +71,8 @@ function add_work_order_issue($woid, $ref, $to_work_order, $items, $location, $w
 
 function get_work_order_issues($woid)
 {
-       $sql = "SELECT * FROM ".TB_PREF."wo_issues WHERE workorder_id=$woid ORDER BY issue_no";
+       $sql = "SELECT * FROM ".TB_PREF."wo_issues WHERE workorder_id=".db_escape($woid)
+       ." ORDER BY issue_no";
     return db_query($sql, "The work order issues could not be retrieved");
 }
 
@@ -79,7 +81,8 @@ function get_additional_issues($woid)
        $sql = "SELECT ".TB_PREF."wo_issues.*, ".TB_PREF."wo_issue_items.*
                FROM ".TB_PREF."wo_issues, ".TB_PREF."wo_issue_items
                WHERE ".TB_PREF."wo_issues.issue_no=".TB_PREF."wo_issue_items.issue_id
-               AND ".TB_PREF."wo_issues.workorder_id=$woid ORDER BY ".TB_PREF."wo_issue_items.id";
+               AND ".TB_PREF."wo_issues.workorder_id=".db_escape($woid)
+               ." ORDER BY ".TB_PREF."wo_issue_items.id";
     return db_query($sql, "The work order issues could not be retrieved");
 }
 //--------------------------------------------------------------------------------------
@@ -87,9 +90,11 @@ function get_additional_issues($woid)
 function get_work_order_issue($issue_no)
 {
        $sql = "SELECT DISTINCT ".TB_PREF."wo_issues.*, ".TB_PREF."workorders.stock_id,
-               ".TB_PREF."stock_master.description, ".TB_PREF."locations.location_name, ".TB_PREF."workcentres.name AS WorkCentreName
-               FROM ".TB_PREF."wo_issues, ".TB_PREF."workorders, ".TB_PREF."stock_master, ".TB_PREF."locations, ".TB_PREF."workcentres
-               WHERE issue_no='$issue_no'
+               ".TB_PREF."stock_master.description, ".TB_PREF."locations.location_name, "
+               .TB_PREF."workcentres.name AS WorkCentreName
+               FROM ".TB_PREF."wo_issues, ".TB_PREF."workorders, ".TB_PREF."stock_master, "
+               .TB_PREF."locations, ".TB_PREF."workcentres
+               WHERE issue_no=".db_escape($issue_no)."
                AND ".TB_PREF."workorders.id = ".TB_PREF."wo_issues.workorder_id
                AND ".TB_PREF."locations.loc_code = ".TB_PREF."wo_issues.loc_code
                AND ".TB_PREF."workcentres.id = ".TB_PREF."wo_issues.workcentre_id
@@ -103,9 +108,10 @@ function get_work_order_issue($issue_no)
 
 function get_work_order_issue_details($issue_no)
 {
-       $sql = "SELECT ".TB_PREF."wo_issue_items.*,".TB_PREF."stock_master.description, ".TB_PREF."stock_master.units
+       $sql = "SELECT ".TB_PREF."wo_issue_items.*,"
+       .TB_PREF."stock_master.description, ".TB_PREF."stock_master.units
                FROM ".TB_PREF."wo_issue_items, ".TB_PREF."stock_master
-               WHERE issue_id=$issue_no
+               WHERE issue_id=".db_escape($issue_no)."
                AND ".TB_PREF."stock_master.stock_id=".TB_PREF."wo_issue_items.stock_id
                ORDER BY ".TB_PREF."wo_issue_items.id";
     return db_query($sql, "The work order issue items could not be retrieved");
@@ -115,7 +121,7 @@ function get_work_order_issue_details($issue_no)
 
 function exists_work_order_issue($issue_no)
 {
-       $sql = "SELECT issue_no FROM ".TB_PREF."wo_issues WHERE issue_no=$issue_no";
+       $sql = "SELECT issue_no FROM ".TB_PREF."wo_issues WHERE issue_no=".db_escape($issue_no);
        $result = db_query($sql, "Cannot retreive a wo issue");
 
     return (db_num_rows($result) > 0);
@@ -128,7 +134,8 @@ function void_work_order_issue($type_no)
        begin_transaction();
 
        // void the actual issue items and their quantities
-       $sql = "UPDATE ".TB_PREF."wo_issue_items Set qty_issued = 0 WHERE issue_id=$type_no";
+       $sql = "UPDATE ".TB_PREF."wo_issue_items Set qty_issued = 0 WHERE issue_id="
+               .db_escape($type_no);
        db_query($sql,"A work order issue item could not be voided");
 
        // void all related stock moves
index a6233050d455e965c3096551d0141cd0db3e6a68..6f5c001f3df137da8b039d45749195ac6b8f63a8 100644 (file)
@@ -33,7 +33,8 @@ function work_order_produce($woid, $ref, $quantity, $date_, $memo_, $close_wo)
     $date = date2sql($date_);
 
     $sql = "INSERT INTO ".TB_PREF."wo_manufacture (workorder_id, reference, quantity, date_)
-               VALUES ($woid, ".db_escape($ref).", $quantity, '$date')";
+               VALUES (".db_escape($woid).", ".db_escape($ref).", ".db_escape($quantity)
+               .", '$date')";
 
        db_query($sql,"A work order manufacture could not be added");
 
@@ -65,11 +66,12 @@ function work_order_produce($woid, $ref, $quantity, $date_, $memo_, $close_wo)
 
 function get_work_order_produce($id)
 {
-       $sql = "SELECT ".TB_PREF."wo_manufacture.*,".TB_PREF."workorders.stock_id, ".TB_PREF."stock_master.description AS StockDescription
+       $sql = "SELECT ".TB_PREF."wo_manufacture.*,".TB_PREF."workorders.stock_id, "
+               .TB_PREF."stock_master.description AS StockDescription
                FROM ".TB_PREF."wo_manufacture, ".TB_PREF."workorders, ".TB_PREF."stock_master
                WHERE ".TB_PREF."wo_manufacture.workorder_id=".TB_PREF."workorders.id
                AND ".TB_PREF."stock_master.stock_id=".TB_PREF."workorders.stock_id
-               AND ".TB_PREF."wo_manufacture.id=$id";
+               AND ".TB_PREF."wo_manufacture.id=".db_escape($id);
     $result = db_query($sql, "The work order production could not be retrieved");
 
     return db_fetch($result);
@@ -79,7 +81,8 @@ function get_work_order_produce($id)
 
 function get_work_order_productions($woid)
 {
-       $sql = "SELECT * FROM ".TB_PREF."wo_manufacture WHERE workorder_id=$woid ORDER BY id";
+       $sql = "SELECT * FROM ".TB_PREF."wo_manufacture WHERE workorder_id="
+               .db_escape($woid)." ORDER BY id";
     return db_query($sql, "The work order issues could not be retrieved");
 }
 
@@ -87,7 +90,7 @@ function get_work_order_productions($woid)
 
 function exists_work_order_produce($id)
 {
-       $sql = "SELECT id FROM ".TB_PREF."wo_manufacture WHERE id=$id";
+       $sql = "SELECT id FROM ".TB_PREF."wo_manufacture WHERE id=".db_escape($id);
        $result = db_query($sql, "Cannot retreive a wo production");
 
     return (db_num_rows($result) > 0);
@@ -105,7 +108,7 @@ function void_work_order_produce($type_no)
        work_order_update_finished_quantity($row["workorder_id"], -$row["quantity"]);
 
        // clear the production record
-       $sql = "UPDATE ".TB_PREF."wo_manufacture SET quantity=0 WHERE id=$type_no";
+       $sql = "UPDATE ".TB_PREF."wo_manufacture SET quantity=0 WHERE id=".db_escape($type_no);
        db_query($sql, "Cannot void a wo production");
 
        // void all related stock moves
index 71f9e50a1854664ede79edb45aadae50af7a3a46..ba53b5a2b2e69192a086342608545835560790c8 100644 (file)
@@ -15,9 +15,10 @@ function get_wo_requirements($woid)
                ".TB_PREF."stock_master.mb_flag, 
                ".TB_PREF."locations.location_name, 
                ".TB_PREF."workcentres.name AS WorkCentreDescription FROM 
-               (".TB_PREF."wo_requirements, ".TB_PREF."locations, ".TB_PREF."workcentres) INNER JOIN ".TB_PREF."stock_master ON 
+               (".TB_PREF."wo_requirements, ".TB_PREF."locations, "
+               .TB_PREF."workcentres) INNER JOIN ".TB_PREF."stock_master ON 
                ".TB_PREF."wo_requirements.stock_id = ".TB_PREF."stock_master.stock_id 
-               WHERE workorder_id=$woid
+               WHERE workorder_id=".db_escape($woid)."
                AND ".TB_PREF."locations.loc_code = ".TB_PREF."wo_requirements.loc_code
                AND ".TB_PREF."workcentres.id=workcentre";
 
@@ -35,7 +36,7 @@ function create_wo_requirements($woid, $stock_id)
        {
                
                $sql = "INSERT INTO ".TB_PREF."wo_requirements (workorder_id, stock_id, workcentre, units_req, loc_code)
-                       VALUES ($woid, '" .
+                       VALUES (".db_escape($woid).", '" .
                        $myrow["component"] . "', '"    .
                        $myrow["workcentre_added"] . "', '"     .
                        $myrow["quantity"] . "', '"     .
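Review bot: Only `$woid` gained db_escape in this INSERT; `$myrow["component"]`, `$myrow["workcentre_added"]` and `$myrow["quantity"]` on the following lines are still concatenated inside hand-written quotes. They are read back from the bom table rather than from the request, but a value stored with an embedded quote by some other path still breaks or alters this statement, so second-order data deserves the same treatment: `VALUES (".db_escape($woid).", ".db_escape($myrow["component"]).", ".db_escape($myrow["workcentre_added"]).", ".db_escape($myrow["quantity"]).", ...`. The statement and its enclosing loop continue past the end of the hunk.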
@@ -49,7 +50,7 @@ function create_wo_requirements($woid, $stock_id)
 
 function delete_wo_requirements($woid)
 {
-       $sql="DELETE FROM ".TB_PREF."wo_requirements WHERE workorder_id=$woid";
+       $sql="DELETE FROM ".TB_PREF."wo_requirements WHERE workorder_id=".db_escape($woid);
        db_query($sql,"The work order requirements could not be deleted");      
 }
 
@@ -58,8 +59,8 @@ function delete_wo_requirements($woid)
 
 function update_wo_requirement_issued($woReqID, $quantity)
 {
-       $sql = "UPDATE ".TB_PREF."wo_requirements SET units_issued = units_issued + $quantity
-               WHERE id = '$woReqID'";
+       $sql = "UPDATE ".TB_PREF."wo_requirements SET units_issued = units_issued + ".db_escape($quantity)."
+               WHERE id = ".db_escape($woReqID);
                                
        db_query($sql, "The work requirements issued quantity couldn't be updated");
 }
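Review bot: `units_issued + ".db_escape($quantity)` performs arithmetic on whatever db_escape returns; if `$quantity` arrives as a string it is presumably quoted, so the SQL becomes `units_issued + '5'`, which MySQL evaluates by implicit conversion and silently treats a non-numeric string as 0. The function does not show where `$quantity` comes from, so this is hedged, but a numeric guard or cast at the call boundary (e.g. `(float)$quantity`, or rejecting non-numeric input before the query) would make the arithmetic explicit instead of relying on MySQL coercion.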
@@ -68,8 +69,9 @@ function update_wo_requirement_issued($woReqID, $quantity)
 
 function void_wo_requirements($woid)
 {
-       $sql = "UPDATE ".TB_PREF."wo_requirements SET units_issued = 0 WHERE workorder_id = $woid";
-                               
+       $sql = "UPDATE ".TB_PREF."wo_requirements SET units_issued = 0 WHERE workorder_id = "
+       .db_escape($woid);
+
        db_query($sql, "The work requirements issued quantity couldn't be voided");     
 }
 
index 122179f0c0954fc757a2fc6bc26007aaf9cceaee..f97f87a5e3813e39d97d6d014029a852850a89b4 100644 (file)
@@ -20,7 +20,8 @@ function add_material_cost($stock_id, $qty, $date_)
                $standard_cost = get_standard_cost($bom_item['component']);
                $m_cost += ($bom_item['quantity'] * $standard_cost);
        }
-       $sql = "SELECT material_cost FROM ".TB_PREF."stock_master WHERE stock_id = '$stock_id'";
+       $sql = "SELECT material_cost FROM ".TB_PREF."stock_master WHERE stock_id = "
+               .db_escape($stock_id);
        $result = db_query($sql);
        $myrow = db_fetch($result);
        $material_cost =  $myrow['material_cost'];
@@ -30,7 +31,7 @@ function add_material_cost($stock_id, $qty, $date_)
        else
                $material_cost = ($qoh * $material_cost + $qty * $m_cost) /     ($qoh + $qty);
        $sql = "UPDATE ".TB_PREF."stock_master SET material_cost=$material_cost
-               WHERE stock_id='$stock_id'";
+               WHERE stock_id=".db_escape($stock_id);
        db_query($sql,"The cost details for the inventory item could not be updated");
 }
 
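Review bot: `material_cost=$material_cost` in this UPDATE is left as bare interpolation while the parallel UPDATE in add_overhead_cost in the same file (same commit) wraps the computed value in db_escape; the two should agree. The value is a PHP float produced by the division above, and in PHP 5 float-to-string conversion honours LC_NUMERIC, so if the application calls setlocale for a comma-decimal language the SQL would read `material_cost=1,5` and fail — assumption, the locale setup is not visible here. Format explicitly and locale-independently, e.g. `SET material_cost=".sprintf('%.6F', $material_cost)."`, and apply the same to the other cost functions in this file, since db_escape alone would not fix the formatting of a numeric.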
@@ -38,7 +39,8 @@ function add_overhead_cost($stock_id, $qty, $date_, $costs)
 {
        if ($qty != 0)
                $costs /= $qty;
-       $sql = "SELECT overhead_cost FROM ".TB_PREF."stock_master WHERE stock_id = '$stock_id'";
+       $sql = "SELECT overhead_cost FROM ".TB_PREF."stock_master WHERE stock_id = "
+               .db_escape($stock_id);
        $result = db_query($sql);
        $myrow = db_fetch($result);
        $overhead_cost =  $myrow['overhead_cost'];
@@ -47,8 +49,8 @@ function add_overhead_cost($stock_id, $qty, $date_, $costs)
                $overhead_cost = 0;
        else
                $overhead_cost = ($qoh * $overhead_cost + $qty * $costs) /      ($qoh + $qty);
-       $sql = "UPDATE ".TB_PREF."stock_master SET overhead_cost=$overhead_cost
-               WHERE stock_id='$stock_id'";
+       $sql = "UPDATE ".TB_PREF."stock_master SET overhead_cost=".db_escape($overhead_cost)."
+               WHERE stock_id=".db_escape($stock_id);
        db_query($sql,"The cost details for the inventory item could not be updated");
 }
 
@@ -56,7 +58,8 @@ function add_labour_cost($stock_id, $qty, $date_, $costs)
 {
        if ($qty != 0)
                $costs /= $qty;
-       $sql = "SELECT labour_cost FROM ".TB_PREF."stock_master WHERE stock_id = '$stock_id'";
+       $sql = "SELECT labour_cost FROM ".TB_PREF."stock_master WHERE stock_id = "
+               .db_escape($stock_id);
        $result = db_query($sql);
        $myrow = db_fetch($result);
        $labour_cost =  $myrow['labour_cost'];
@@ -65,8 +68,8 @@ function add_labour_cost($stock_id, $qty, $date_, $costs)
                $labour_cost = 0;
        else
                $labour_cost = ($qoh * $labour_cost + $qty * $costs) /  ($qoh + $qty);
-       $sql = "UPDATE ".TB_PREF."stock_master SET labour_cost=$labour_cost
-               WHERE stock_id='$stock_id'";
+       $sql = "UPDATE ".TB_PREF."stock_master SET labour_cost=".db_escape($labour_cost)."
+               WHERE stock_id=".db_escape($stock_id);
        db_query($sql,"The cost details for the inventory item could not be updated");
 }
 
@@ -74,7 +77,8 @@ function add_issue_cost($stock_id, $qty, $date_, $costs)
 {
        if ($qty != 0)
                $costs /= $qty;
-       $sql = "SELECT material_cost FROM ".TB_PREF."stock_master WHERE stock_id = '$stock_id'";
+       $sql = "SELECT material_cost FROM ".TB_PREF."stock_master WHERE stock_id = "
+               .db_escape($stock_id);
        $result = db_query($sql);
        $myrow = db_fetch($result);
        $material_cost =  $myrow['material_cost'];
@@ -83,8 +87,9 @@ function add_issue_cost($stock_id, $qty, $date_, $costs)
                $material_cost = 0;
        else
                $material_cost = ($qty * $costs) /      ($qoh + $qty);
-       $sql = "UPDATE ".TB_PREF."stock_master SET material_cost=material_cost+$material_cost
-               WHERE stock_id='$stock_id'";
+       $sql = "UPDATE ".TB_PREF."stock_master SET material_cost=material_cost+"
+               .db_escape($material_cost)
+               ." WHERE stock_id=".db_escape($stock_id);
        db_query($sql,"The cost details for the inventory item could not be updated");
 }
 
@@ -105,8 +110,9 @@ function add_work_order($wo_ref, $loc_code, $units_reqd, $stock_id,
 
        $sql = "INSERT INTO ".TB_PREF."workorders (wo_ref, loc_code, units_reqd, stock_id,
                type, date_, required_by)
-       VALUES (".db_escape($wo_ref).", ".db_escape($loc_code).", $units_reqd, '$stock_id',
-               $type, '$date', '$required')";
+       VALUES (".db_escape($wo_ref).", ".db_escape($loc_code).", "
+       .db_escape($units_reqd).", ".db_escape($stock_id).",
+               ".db_escape($type).", '$date', ".db_escape($required).")";
        db_query($sql, "could not add work order");
 
        $woid = db_insert_id();
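Review bot: The VALUES list now treats two date strings differently: `$required` is wrapped in db_escape while `'$date'` on the same line stays a bare interpolation (both are assigned above the hunk, outside the visible lines, `$date` presumably from date2sql as well). Pick one convention for date2sql output — either `".db_escape($date).", ".db_escape($required).")"` or neither with a validation step before the query — because a mixed style invites the next edit to copy the unsafe variant.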
@@ -135,10 +141,10 @@ function update_work_order($woid, $loc_code, $units_reqd, $stock_id,
        $required = date2sql($required_by);
 
        $sql = "UPDATE ".TB_PREF."workorders SET loc_code=".db_escape($loc_code).",
-               units_reqd=$units_reqd, stock_id='$stock_id',
-               required_by='$required',
+               units_reqd=".db_escape($units_reqd).", stock_id=".db_escape($stock_id).",
+               required_by=".db_escape($required).",
                date_='$date'
-               WHERE id = $woid";
+               WHERE id = ".db_escape($woid);
 
        db_query($sql, "could not update work order");
 
@@ -158,7 +164,7 @@ function delete_work_order($woid)
        delete_wo_requirements($woid);
 
        // delete the actual work order
-       $sql = "DELETE FROM ".TB_PREF."workorders WHERE id=$woid";
+       $sql = "DELETE FROM ".TB_PREF."workorders WHERE id=".db_escape($woid);
        db_query($sql,"The work order could not be deleted");
 
        delete_comments(ST_WORKORDER, $woid);
@@ -176,7 +182,7 @@ function get_work_order($woid, $allow_null=false)
                FROM ".TB_PREF."workorders, ".TB_PREF."stock_master, ".TB_PREF."locations
                WHERE ".TB_PREF."stock_master.stock_id=".TB_PREF."workorders.stock_id
                AND     ".TB_PREF."locations.loc_code=".TB_PREF."workorders.loc_code
-               AND ".TB_PREF."workorders.id=$woid
+               AND ".TB_PREF."workorders.id=".db_escape($woid)."
                GROUP BY ".TB_PREF."workorders.id";
 
        $result = db_query($sql, "The work order issues could not be retrieved");
@@ -191,7 +197,7 @@ function get_work_order($woid, $allow_null=false)
 
 function work_order_has_productions($woid)
 {
-       $sql = "SELECT COUNT(*) FROM ".TB_PREF."wo_manufacture WHERE workorder_id=$woid";
+       $sql = "SELECT COUNT(*) FROM ".TB_PREF."wo_manufacture WHERE workorder_id=".db_escape($woid);
        $result = db_query($sql, "query work order for productions");
 
        $myrow = db_fetch_row($result);
@@ -203,7 +209,7 @@ function work_order_has_productions($woid)
 
 function work_order_has_issues($woid)
 {
-       $sql = "SELECT COUNT(*) FROM ".TB_PREF."wo_issues WHERE workorder_id=$woid";
+       $sql = "SELECT COUNT(*) FROM ".TB_PREF."wo_issues WHERE workorder_id=".db_escape($woid);
        $result = db_query($sql, "query work order for issues");
 
        $myrow = db_fetch_row($result);
@@ -231,7 +237,7 @@ function release_work_order($woid, $releaseDate, $memo_)
        $date = date2sql($releaseDate);
 
        $sql = "UPDATE ".TB_PREF."workorders SET released_date='$date',
-               released=1 WHERE id = $woid";
+               released=1 WHERE id = ".db_escape($woid);
        db_query($sql, "could not release work order");
 
        // create Work Order Requirements based on the bom
@@ -247,7 +253,7 @@ function release_work_order($woid, $releaseDate, $memo_)
 
 function close_work_order($woid)
 {
-       $sql = "UPDATE ".TB_PREF."workorders SET closed=1 WHERE id = $woid";
+       $sql = "UPDATE ".TB_PREF."workorders SET closed=1 WHERE id = ".db_escape($woid);
        db_query($sql, "could not close work order");
 }
 
@@ -255,7 +261,7 @@ function close_work_order($woid)
 
 function work_order_is_closed($woid)
 {
-       $sql = "SELECT closed FROM ".TB_PREF."workorders WHERE id = $woid";
+       $sql = "SELECT closed FROM ".TB_PREF."workorders WHERE id = ".db_escape($woid);
        $result = db_query($sql, "could not query work order");
        $row = db_fetch_row($result);
        return ($row[0] > 0);
@@ -265,9 +271,9 @@ function work_order_is_closed($woid)
 
 function work_order_update_finished_quantity($woid, $quantity, $force_close=0)
 {
-       $sql = "UPDATE ".TB_PREF."workorders SET units_issued = units_issued + $quantity,
-               closed = ((units_issued >= units_reqd) OR $force_close)
-               WHERE id = $woid";
+       $sql = "UPDATE ".TB_PREF."workorders SET units_issued = units_issued + ".db_escape($quantity).",
+               closed = ((units_issued >= units_reqd) OR ".db_escape($force_close).")
+               WHERE id = ".db_escape($woid);
 
        db_query($sql, "The work order issued quantity couldn't be updated");
 }
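Review bot: `OR ".db_escape($force_close).")` feeds whatever the caller supplies into the SQL boolean expression; the default is the int 0, but if any caller passes a PHP bool, how db_escape() renders a value that is neither string nor numeric is not visible here and should be confirmed. A cast keeps the expression well-formed regardless: `closed = ((units_issued >= units_reqd) OR ".(int)$force_close.")`. The same holds for $quantity in the `units_issued + ...` arithmetic: if it reaches the query as a quoted string, MySQL coerces it and silently truncates trailing non-numeric text, so validating it as a number before building the statement is the safer choice.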
@@ -282,7 +288,8 @@ function void_work_order($woid)
        {
                begin_transaction();
 
-               $sql = "UPDATE ".TB_PREF."workorders SET closed=1,units_issued=0 WHERE id = $woid";
+               $sql = "UPDATE ".TB_PREF."workorders SET closed=1,units_issued=0 WHERE id = "
+                       .db_escape($woid);
                db_query($sql, "The work order couldn't be voided");
 
                // void all related stock moves
index 455f918e0b43b68e4a5cf597ce5ff55694f15faf..1b254f753c2bb3bf316fce28c9b5994184b02356 100644 (file)
@@ -33,8 +33,9 @@ function add_work_order_quick($wo_ref, $loc_code, $units_reqd, $stock_id, $type,
                
        $sql = "INSERT INTO ".TB_PREF."workorders (wo_ref, loc_code, units_reqd, units_issued, stock_id,
                type, additional_costs, date_, released_date, required_by, released, closed)
-       VALUES (".db_escape($wo_ref).", ".db_escape($loc_code).", $units_reqd, $units_reqd, '$stock_id',
-               $type, $costs, '$date', '$date', '$date', 1, 1)";
+       VALUES (".db_escape($wo_ref).", ".db_escape($loc_code).", ".db_escape($units_reqd)
+       .", ".db_escape($units_reqd).", ".db_escape($stock_id).",
+               ".db_escape($type).", ".db_escape($costs).", '$date', '$date', '$date', 1, 1)";
        db_query($sql, "could not add work order");
 
        $woid = db_insert_id();
index 4ad2ebc7eb578f06d77484c4af74fbd6ccd4972a..c10dc2a7aa039af1ce06f44a5c493a7f69dcfe7e 100644 (file)
@@ -50,7 +50,7 @@ $sql = "SELECT
                WHERE bom.parent = parent.stock_id 
                        AND bom.workcentre_added = workcentre.id
                        AND bom.loc_code = location.loc_code
-                       AND bom.component='" . $_POST['stock_id'] . "'";
+                       AND bom.component=".db_escape($_POST['stock_id']);
 
    $cols = array(
        _("Parent Item") => array('fun'=>'select_link'), 
index 45aaab40b2eb9d3d24867820d30535dd20593491..fe373a1c373c3bcf9aa6812aea9b86c0fb81f601 100644 (file)
@@ -68,7 +68,7 @@ function check_for_recursive_bom($ultimate_parent, $component_to_check)
        /* returns true ie 1 if the bom contains the parent part as a component
        ie the bom is recursive otherwise false ie 0 */
 
-       $sql = "SELECT component FROM ".TB_PREF."bom WHERE parent='$component_to_check'";
+       $sql = "SELECT component FROM ".TB_PREF."bom WHERE parent=".db_escape($component_to_check);
        $result = db_query($sql,"could not check recursive bom");
 
        if ($result != 0)
@@ -139,11 +139,11 @@ function on_submit($selected_parent, $selected_component=-1)
        if ($selected_component != -1)
        {
 
-               $sql = "UPDATE ".TB_PREF."bom SET workcentre_added='" . $_POST['workcentre_added'] . "',
-                       loc_code='" . $_POST['loc_code'] . "',
+               $sql = "UPDATE ".TB_PREF."bom SET workcentre_added=".db_escape($_POST['workcentre_added'])
+                . ",loc_code=".db_escape($_POST['loc_code']) . ",
                        quantity= " . input_num('quantity') . "
-                       WHERE parent='" . $selected_parent . "'
-                       AND id='" . $selected_component . "'";
+                       WHERE parent=".db_escape($selected_parent) . "
+                       AND id=".db_escape($selected_component);
                check_db_error("Could not update this bom component", $sql);
 
                db_query($sql,"could not update bom");
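Review bot: `quantity= " . input_num('quantity') . "` is still concatenated without db_escape(), here and in the INSERT of the following hunk; that is only safe if input_num() returns a validated number rather than the raw form value, which cannot be seen from this file. Either confirm that contract or pass the result through the same helper as the other values, `quantity=".db_escape(input_num('quantity'))."`. on_submit's body continues outside both hunks.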
@@ -163,17 +163,17 @@ function on_submit($selected_parent, $selected_component=-1)
 
                        /*Now check to see that the component is not already on the bom */
                        $sql = "SELECT component FROM ".TB_PREF."bom
-                               WHERE parent='$selected_parent'
-                               AND component='" . $_POST['component'] . "'
-                               AND workcentre_added='" . $_POST['workcentre_added'] . "'
-                               AND loc_code='" . $_POST['loc_code'] . "'" ;
+                               WHERE parent=".db_escape($selected_parent)."
+                               AND component=".db_escape($_POST['component']) . "
+                               AND workcentre_added=".db_escape($_POST['workcentre_added']) . "
+                               AND loc_code=".db_escape($_POST['loc_code']);
                        $result = db_query($sql,"check failed");
 
                        if (db_num_rows($result) == 0)
                        {
                                $sql = "INSERT INTO ".TB_PREF."bom (parent, component, workcentre_added, loc_code, quantity)
-                                       VALUES ('$selected_parent', '" . $_POST['component'] . "', '"
-                                       . $_POST['workcentre_added'] . "', '" . $_POST['loc_code'] . "', "
+                                       VALUES (".db_escape($selected_parent).", ".db_escape($_POST['component']) . ","
+                                       .db_escape($_POST['workcentre_added']) . ", ".db_escape($_POST['loc_code']) . ", "
                                        . input_num('quantity') . ")";
 
                                db_query($sql,"check failed");
@@ -198,7 +198,7 @@ function on_submit($selected_parent, $selected_component=-1)
 
 if ($Mode == 'Delete')
 {
-       $sql = "DELETE FROM ".TB_PREF."bom WHERE id='" . $selected_id. "'";
+       $sql = "DELETE FROM ".TB_PREF."bom WHERE id=".db_escape($selected_id);
        db_query($sql,"Could not delete this bom components");
 
        display_notification(_("The component item has been deleted from this bom"));
@@ -244,8 +244,9 @@ start_form();
        {
                if ($Mode == 'Edit') {
                        //editing a selected component from the link to the line item
-                       $sql = "SELECT ".TB_PREF."bom.*,".TB_PREF."stock_master.description FROM ".TB_PREF."bom,".TB_PREF."stock_master
-                               WHERE id='$selected_id'
+                       $sql = "SELECT ".TB_PREF."bom.*,".TB_PREF."stock_master.description FROM "
+                               .TB_PREF."bom,".TB_PREF."stock_master
+                               WHERE id=".db_escape($selected_id)."
                                AND ".TB_PREF."stock_master.stock_id=".TB_PREF."bom.component";
 
                        $result = db_query($sql, "could not get bom");
index 4ae7e90f945fce6b7faa3c26207282f8862351f7..716bb81886eca35c3be3eada781fc19618b9e2de 100644 (file)
@@ -56,7 +56,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
 
 function can_delete($selected_id)
 {
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."bom WHERE workcentre_added='$selected_id'";      
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."bom WHERE workcentre_added=".db_escape($selected_id);
        $result = db_query($sql, "check can delete work centre");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
@@ -65,7 +65,7 @@ function can_delete($selected_id)
                return false;
        }
        
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."wo_requirements WHERE workcentre='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."wo_requirements WHERE workcentre=".db_escape($selected_id);
        $result = db_query($sql, "check can delete work centre");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
index b4e0d2f5cb5401d02c601f0435aca1f6ab7a0dd3..cf93441cfaa7332ef74cc7f5e020667a52e9e1a7 100644 (file)
@@ -185,17 +185,17 @@ if (check_value('OpenOnly') || $outstanding_only != 0)
 
 if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != $all_items)
 {
-       $sql .= " AND workorder.loc_code='" . $_POST['StockLocation'] . "' ";
+       $sql .= " AND workorder.loc_code=".db_escape($_POST['StockLocation']);
 }
 
 if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "")
 {
-       $sql .= " AND workorder.wo_ref LIKE '%". $_POST['OrderNumber'] . "%'";
+       $sql .= " AND workorder.wo_ref LIKE ".db_escape('%'.$_POST['OrderNumber'].'%');
 }
 
 if (isset($_POST['SelectedStockItem']) && $_POST['SelectedStockItem'] != $all_items)
 {
-       $sql .= " AND workorder.stock_id='". $_POST['SelectedStockItem'] . "'";
+       $sql .= " AND workorder.stock_id=".db_escape($_POST['SelectedStockItem']);
 }
 
 if (check_value('OverdueOnly'))
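Review bot: `db_escape('%'.$_POST['OrderNumber'].'%')` closes the injection, but `%` and `_` typed by the user remain LIKE wildcards inside the pattern, so a search for `_` matches every reference. If a literal substring search is intended, escape the wildcard characters before wrapping: `$ref = str_replace(array('%', '_'), array('\%', '\_'), $_POST['OrderNumber']);` followed by `LIKE ".db_escape('%'.$ref.'%')`. This is a correctness rather than a security difference, but a comment saying which behaviour is wanted would help the next reader.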
index 07c53190804aa7a64c70381b405adc70fd25b5f4..84a2f938ad83de9ecb9eeddf6fbefe2484ffa6e0 100644 (file)
@@ -21,7 +21,7 @@ function update_average_material_cost($supplier, $stock_id, $price, $qty, $date,
                $price_in_home_currency = to_home_currency($price, $currency, $date);
        else
                $price_in_home_currency = $price;
-       $sql = "SELECT material_cost FROM ".TB_PREF."stock_master WHERE stock_id='$stock_id'";
+       $sql = "SELECT material_cost FROM ".TB_PREF."stock_master WHERE stock_id=".db_escape($stock_id);
        $result = db_query($sql);
        $myrow = db_fetch($result);
        $material_cost = $myrow['material_cost'];
@@ -44,7 +44,7 @@ function update_average_material_cost($supplier, $stock_id, $price, $qty, $date,
                $material_cost = ($qoh * $material_cost + $qty * $price_in_home_currency) /     ($qoh + $qty);
 
        $sql = "UPDATE ".TB_PREF."stock_master SET material_cost=".db_escape($material_cost)."
-               WHERE stock_id='$stock_id'";
+               WHERE stock_id=".db_escape($stock_id);
        db_query($sql,"The cost details for the inventory item could not be updated");
        return $material_cost;
 }
@@ -125,15 +125,17 @@ function add_grn_detail_item($grn_batch_id, $po_detail_item, $item_code, $descri
        $quantity_received, $price)
 {
        $sql = "UPDATE ".TB_PREF."purch_order_details
-        SET quantity_received = quantity_received + $quantity_received,
-        std_cost_unit=$standard_unit_cost,
-        act_price=$price
-        WHERE po_detail_item = $po_detail_item";
+        SET quantity_received = quantity_received + ".db_escape($quantity_received).",
+        std_cost_unit=".db_escape($standard_unit_cost).",
+        act_price=".db_escape($price)."
+        WHERE po_detail_item = ".db_escape($po_detail_item);
 
        db_query($sql, "a purchase order details record could not be updated. This receipt of goods has not been processed ");
 
        $sql = "INSERT INTO ".TB_PREF."grn_items (grn_batch_id, po_detail_item, item_code, description, qty_recd)
-               VALUES ($grn_batch_id, $po_detail_item, ".db_escape($item_code).", ".db_escape($description).", $quantity_received)";
+               VALUES (".db_escape($grn_batch_id).", "
+               .db_escape($po_detail_item).", ".db_escape($item_code).", ".db_escape($description)
+               .", ".db_escape($quantity_received).")";
 
        db_query($sql, "A GRN detail item could not be inserted.");
 
@@ -143,7 +145,7 @@ function add_grn_detail_item($grn_batch_id, $po_detail_item, $item_code, $descri
 //----------------------------------------------------------------------------------------
 function get_grn_batch_from_item($item)
 {
-       $sql = "SELECT grn_batch_id FROM ".TB_PREF."grn_items WHERE id=$item";
+       $sql = "SELECT grn_batch_id FROM ".TB_PREF."grn_items WHERE id=".db_escape($item);
        $result = db_query($sql, "Could not retreive GRN batch id");
        $row = db_fetch_row($result);
        return $row[0];
@@ -151,7 +153,7 @@ function get_grn_batch_from_item($item)
 
 function get_grn_batch($grn)
 {
-       $sql = "SELECT * FROM ".TB_PREF."grn_batch WHERE id=$grn";
+       $sql = "SELECT * FROM ".TB_PREF."grn_batch WHERE id=".db_escape($grn);
        $result = db_query($sql, "Could not retreive GRN batch id");
        return db_fetch($result);
 }
@@ -164,23 +166,26 @@ function set_grn_item_credited(&$entered_grn, $supplier, $transno, $date)
        $sql = "SELECT ".TB_PREF."grn_batch.*, ".TB_PREF."grn_items.*
        FROM ".TB_PREF."grn_batch, ".TB_PREF."grn_items
        WHERE ".TB_PREF."grn_items.grn_batch_id=".TB_PREF."grn_batch.id
-               AND ".TB_PREF."grn_items.id=$entered_grn->id
-       AND ".TB_PREF."grn_items.item_code='$entered_grn->item_code' ";
+               AND ".TB_PREF."grn_items.id=".db_escape($entered_grn->id)."
+       AND ".TB_PREF."grn_items.item_code=".db_escape($entered_grn->item_code);
        $result = db_query($sql, "Could not retreive GRNS");
        $myrow = db_fetch($result);
 
        $sql = "UPDATE ".TB_PREF."purch_order_details
-        SET quantity_received = quantity_received + $entered_grn->this_quantity_inv,
-        quantity_ordered = quantity_ordered + $entered_grn->this_quantity_inv,
-        qty_invoiced = qty_invoiced + $entered_grn->this_quantity_inv,
-        std_cost_unit=$mcost,
-        act_price=$entered_grn->chg_price
+        SET quantity_received = quantity_received + "
+               .db_escape($entered_grn->this_quantity_inv).",
+        quantity_ordered = quantity_ordered + "
+        .db_escape($entered_grn->this_quantity_inv).",
+        qty_invoiced = qty_invoiced + ".db_escape($entered_grn->this_quantity_inv).",
+        std_cost_unit=".db_escape($mcost).",
+        act_price=".db_escape($entered_grn->chg_price)."
         WHERE po_detail_item = ".$myrow["po_detail_item"];
        db_query($sql, "a purchase order details record could not be updated. This receipt of goods has not been processed ");
 
        //$sql = "UPDATE ".TB_PREF."grn_items SET qty_recd=0, quantity_inv=0 WHERE id=$entered_grn->id";
-       $sql = "UPDATE ".TB_PREF."grn_items SET qty_recd=qty_recd+$entered_grn->this_quantity_inv,
-               quantity_inv=quantity_inv+$entered_grn->this_quantity_inv WHERE id=$entered_grn->id";
+       $sql = "UPDATE ".TB_PREF."grn_items SET qty_recd=qty_recd+".db_escape($entered_grn->this_quantity_inv)
+       .",quantity_inv=quantity_inv+".db_escape($entered_grn->this_quantity_inv)
+       ." WHERE id=".db_escape($entered_grn->id);
        db_query($sql);
 
     add_stock_move(ST_SUPPCREDIT, $entered_grn->item_code, $transno, $myrow['loc_code'], $date, "",
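Review bot: `WHERE po_detail_item = ".$myrow["po_detail_item"]` in the UPDATE is the one value in this hunk still concatenated raw; it comes from the preceding SELECT rather than from the request, so the exposure is second-order, but it should use the same helper for consistency, `WHERE po_detail_item = ".db_escape($myrow["po_detail_item"])`. Nothing checks that the SELECT returned a row before $myrow is dereferenced, so with no match the WHERE clause is built from a null and the UPDATE fails with a malformed statement rather than a clear error. set_grn_item_credited starts outside the hunk.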
@@ -190,9 +195,11 @@ function set_grn_item_credited(&$entered_grn, $supplier, $transno, $date)
 function get_grn_items($grn_batch_id=0, $supplier_id="", $outstanding_only=false,
        $is_invoiced_only=false, $invoice_no=0, $begin="", $end="")
 {
-    $sql = "SELECT ".TB_PREF."grn_batch.*, ".TB_PREF."grn_items.*, ".TB_PREF."purch_order_details.unit_price,
+    $sql = "SELECT ".TB_PREF."grn_batch.*, ".TB_PREF."grn_items.*, "
+       .TB_PREF."purch_order_details.unit_price,
                ".TB_PREF."purch_order_details.std_cost_unit, units
-       FROM ".TB_PREF."grn_batch, ".TB_PREF."grn_items, ".TB_PREF."purch_order_details, ".TB_PREF."stock_master";
+       FROM ".TB_PREF."grn_batch, ".TB_PREF."grn_items, "
+       .TB_PREF."purch_order_details, ".TB_PREF."stock_master";
     if ($invoice_no != 0)
        $sql .= ", ".TB_PREF."supp_invoice_items";
     $sql .= " WHERE ".TB_PREF."grn_items.grn_batch_id=".TB_PREF."grn_batch.id
@@ -208,7 +215,8 @@ function get_grn_items($grn_batch_id=0, $supplier_id="", $outstanding_only=false
        if ($end != "")
                $sql .= " AND ".TB_PREF."grn_batch.delivery_date<='".date2sql($end)."'";
        if ($grn_batch_id != 0)
-               $sql .= " AND ".TB_PREF."grn_batch.id=$grn_batch_id AND ".TB_PREF."grn_items.grn_batch_id=$grn_batch_id ";
+               $sql .= " AND ".TB_PREF."grn_batch.id=".db_escape($grn_batch_id)
+                       ." AND ".TB_PREF."grn_items.grn_batch_id=".db_escape($grn_batch_id);
 
        if ($is_invoiced_only)
                $sql .= " AND ".TB_PREF."grn_items.quantity_inv > 0";
@@ -217,7 +225,7 @@ function get_grn_items($grn_batch_id=0, $supplier_id="", $outstanding_only=false
        $sql .= " AND ".TB_PREF."grn_items.qty_recd - ".TB_PREF."grn_items.quantity_inv > 0";
 
        if ($supplier_id != "")
-               $sql .= " AND ".TB_PREF."grn_batch.supplier_id ='$supplier_id' ";
+               $sql .= " AND ".TB_PREF."grn_batch.supplier_id =".db_escape($supplier_id);
 
        $sql .= " ORDER BY ".TB_PREF."grn_batch.delivery_date, ".TB_PREF."grn_batch.id, ".TB_PREF."grn_items.id";
 
@@ -236,7 +244,7 @@ function get_grn_item_detail($grn_item_no)
                FROM ".TB_PREF."grn_items, ".TB_PREF."purch_order_details, ".TB_PREF."stock_master
                WHERE ".TB_PREF."grn_items.po_detail_item=".TB_PREF."purch_order_details.po_detail_item
                        AND ".TB_PREF."stock_master.stock_id=".TB_PREF."grn_items.item_code
-                       AND ".TB_PREF."grn_items.id=$grn_item_no";
+                       AND ".TB_PREF."grn_items.id=".db_escape($grn_item_no);
 
        $result = db_query($sql, "could not retreive grn item details");
        return db_fetch($result);
@@ -279,7 +287,7 @@ function read_grn_items_to_order($grn_batch, &$order)
 
 function read_grn($grn_batch, &$order)
 {
-       $sql= "SELECT * FROM ".TB_PREF."grn_batch WHERE id=$grn_batch";
+       $sql= "SELECT * FROM ".TB_PREF."grn_batch WHERE id=".db_escape($grn_batch);
 
        $result = db_query($sql, "The grn sent is not valid");
 
@@ -305,7 +313,7 @@ function read_grn($grn_batch, &$order)
 
 function get_po_grns($po_number)
 {
-    $sql = "SELECT * FROM ".TB_PREF."grn_batch WHERE purch_order_no=$po_number";
+    $sql = "SELECT * FROM ".TB_PREF."grn_batch WHERE purch_order_no=".db_escape($po_number);
 
        return db_query($sql, "The grns for the po $po_number could not be retreived");
 }
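Review bot: $po_number is now escaped for the query but is still interpolated raw into the error text, `"The grns for the po $po_number could not be retreived"`; the same pattern appears with $supplier_id in read_supplier_details_to_trans and with $po_number in get_po_invoices_credits. Whether that matters depends on how db_query() renders its message on failure, which is not visible here; if the message is echoed into the page, the value should be passed through htmlspecialchars() at that point or left out of the message altogether.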
@@ -314,7 +322,7 @@ function get_po_grns($po_number)
 
 function exists_grn($grn_batch)
 {
-       $sql = "SELECT id FROM ".TB_PREF."grn_batch WHERE id=$grn_batch";
+       $sql = "SELECT id FROM ".TB_PREF."grn_batch WHERE id=".db_escape($grn_batch);
        $result = db_query($sql, "Cannot retreive a grn");
 
     return (db_num_rows($result) > 0);
@@ -327,7 +335,7 @@ function exists_grn_on_invoices($grn_batch)
        $sql = "SELECT ".TB_PREF."supp_invoice_items.id FROM ".TB_PREF."supp_invoice_items,".TB_PREF."grn_items
                WHERE ".TB_PREF."supp_invoice_items.grn_item_id=".TB_PREF."grn_items.id
                AND quantity != 0
-               AND grn_batch_id=$grn_batch";
+               AND grn_batch_id=".db_escape($grn_batch);
        $result = db_query($sql, "Cannot query GRNs");
 
     return (db_num_rows($result) > 0);
@@ -366,7 +374,7 @@ function void_grn($grn_batch)
 
        // clear the quantities in the grn items
        $sql = "UPDATE ".TB_PREF."grn_items SET qty_recd=0, quantity_inv=0
-               WHERE grn_batch_id=$grn_batch";
+               WHERE grn_batch_id=".db_escape($grn_batch);
 
        db_query($sql, "A grn detail item could not be voided.");
 
index 0fbb05099d9f0aee8bbc18e1a3a0208af914a2ce..21a43d89b5e848a2ce2d926ee599e7c161b1a59c 100644 (file)
@@ -15,13 +15,14 @@ include_once($path_to_root . "/purchasing/includes/db/invoice_items_db.inc");
 
 function read_supplier_details_to_trans(&$supp_trans, $supplier_id)
 {
-       $sql = "SELECT ".TB_PREF."suppliers.supp_name, ".TB_PREF."payment_terms.terms, ".TB_PREF."payment_terms.days_before_due,
+       $sql = "SELECT ".TB_PREF."suppliers.supp_name, ".TB_PREF."payment_terms.terms, "
+               .TB_PREF."payment_terms.days_before_due,
                ".TB_PREF."payment_terms.day_in_following_month,
                ".TB_PREF."suppliers.tax_group_id, ".TB_PREF."tax_groups.name As tax_group_name
                From ".TB_PREF."suppliers, ".TB_PREF."payment_terms, ".TB_PREF."tax_groups
                WHERE ".TB_PREF."suppliers.tax_group_id = ".TB_PREF."tax_groups.id
                AND ".TB_PREF."suppliers.payment_terms=".TB_PREF."payment_terms.terms_indicator
-               AND ".TB_PREF."suppliers.supplier_id = '" . $supplier_id . "'";
+               AND ".TB_PREF."suppliers.supplier_id = ".db_escape($supplier_id);
 
        $result = db_query($sql, "The supplier record selected: " . $supplier_id . " cannot be retrieved");
 
@@ -61,7 +62,7 @@ function update_supp_received_items_for_invoice($id, $po_detail_item, $qty_invoi
        if ($chg_price != null)
        {
                $sql = "SELECT act_price, unit_price FROM ".TB_PREF."purch_order_details WHERE
-                       po_detail_item = $po_detail_item";
+                       po_detail_item = ".db_escape($po_detail_item);
                $result = db_query($sql, "The old actual price of the purchase order line could not be retrieved");
                $row = db_fetch_row($result);
                $ret = $row[0];
@@ -69,7 +70,8 @@ function update_supp_received_items_for_invoice($id, $po_detail_item, $qty_invoi
                $unit_price = $row[1]; //Added by Rasmus
 
                $sql = "SELECT delivery_date FROM ".TB_PREF."grn_batch,".TB_PREF."grn_items WHERE
-                       ".TB_PREF."grn_batch.id = ".TB_PREF."grn_items.grn_batch_id AND ".TB_PREF."grn_items.id=$id";
+                       ".TB_PREF."grn_batch.id = ".TB_PREF."grn_items.grn_batch_id AND "
+                       .TB_PREF."grn_items.id=".db_escape($id);
                $result = db_query($sql, "The old delivery date from the received record cout not be retrieved");
                $row = db_fetch_row($result);
                $date = $row[0];
@@ -81,17 +83,17 @@ function update_supp_received_items_for_invoice($id, $po_detail_item, $qty_invoi
                $unit_price = 0; // Added by Rasmus
        }
     $sql = "UPDATE ".TB_PREF."purch_order_details
-               SET qty_invoiced = qty_invoiced + $qty_invoiced ";
+               SET qty_invoiced = qty_invoiced + ".db_escape($qty_invoiced);
 
        if ($chg_price != null)
-               $sql .= " , act_price = $chg_price ";
+               $sql .= " , act_price = ".db_escape($chg_price);
 
-       $sql .= " WHERE po_detail_item = $po_detail_item";
+       $sql .= " WHERE po_detail_item = ".db_escape($po_detail_item);
     db_query($sql, "The quantity invoiced of the purchase order line could not be updated");
 
     $sql = "UPDATE ".TB_PREF."grn_items
-        SET quantity_inv = quantity_inv + $qty_invoiced
-        WHERE id = $id";
+        SET quantity_inv = quantity_inv + ".db_escape($qty_invoiced)."
+        WHERE id = ".db_escape($id);
        db_query($sql, "The quantity invoiced off the items received record could not be updated");
        return array($ret, $date, $unit_price);
 }
@@ -101,8 +103,9 @@ function get_deliveries_between($stock_id, $from, $to)
        $from = date2sql($from);
        $to = date2sql($to);
        $sql = "SELECT SUM(-qty), SUM(-qty*standard_cost) FROM ".TB_PREF."stock_moves
-               WHERE type=".ST_CUSTDELIVERY." AND stock_id='$stock_id' AND
+               WHERE type=".ST_CUSTDELIVERY." AND stock_id=".db_escape($stock_id)." AND
                        tran_date>='$from' AND tran_date<='$to' GROUP BY stock_id";
+
        $result = db_query($sql, "The deliveries could not be updated");
        return db_fetch_row($result);
 }
@@ -340,11 +343,12 @@ function get_po_invoices_credits($po_number)
        $sql = "SELECT DISTINCT ".TB_PREF."supp_trans.trans_no, ".TB_PREF."supp_trans.type,
                ov_amount+ov_discount+ov_gst AS Total,
                ".TB_PREF."supp_trans.tran_date
-               FROM ".TB_PREF."supp_trans, ".TB_PREF."supp_invoice_items, ".TB_PREF."purch_order_details, ".TB_PREF."purch_orders
+               FROM ".TB_PREF."supp_trans, ".TB_PREF."supp_invoice_items, "
+               .TB_PREF."purch_order_details, ".TB_PREF."purch_orders
                WHERE ".TB_PREF."supp_invoice_items.supp_trans_no = ".TB_PREF."supp_trans.trans_no
                AND ".TB_PREF."supp_invoice_items.po_detail_item_id = ".TB_PREF."purch_order_details.po_detail_item
                AND ".TB_PREF."purch_orders.supplier_id = ".TB_PREF."supp_trans.supplier_id
-               AND ".TB_PREF."purch_order_details.order_no = $po_number";
+               AND ".TB_PREF."purch_order_details.order_no = ".db_escape($po_number);
 
        return db_query($sql, "The invoices/credits for the po $po_number could not be retreived");
 }
@@ -354,7 +358,7 @@ function get_po_invoices_credits($po_number)
 function read_supp_invoice($trans_no, $trans_type, &$supp_trans)
 {
        $sql = "SELECT ".TB_PREF."supp_trans.*, supp_name FROM ".TB_PREF."supp_trans,".TB_PREF."suppliers
-               WHERE trans_no = $trans_no AND type = $trans_type
+               WHERE trans_no = ".db_escape($trans_no)." AND type = ".db_escape($trans_type)."
                AND ".TB_PREF."suppliers.supplier_id=".TB_PREF."supp_trans.supplier_id";
        $result = db_query($sql, "Cannot retreive a supplier transaction");
 
@@ -414,7 +418,8 @@ function read_supp_invoice($trans_no, $trans_type, &$supp_trans)
 function get_matching_invoice_item($stock_id, $po_item_id)
 {
        $sql = "SELECT *, tran_date FROM ".TB_PREF."supp_invoice_items, ".TB_PREF."supp_trans
-               WHERE supp_trans_type = ".ST_SUPPINVOICE." AND stock_id = '$stock_id' AND po_detail_item_id = $po_item_id
+               WHERE supp_trans_type = ".ST_SUPPINVOICE." AND stock_id = "
+               .db_escape($stock_id)." AND po_detail_item_id = ".db_escape($po_item_id)."
                AND supp_trans_no = trans_no";
        $result = db_query($sql, "Cannot retreive supplier transaction detail records");
        return db_fetch($result);  
index 0d69d8682661475b252a53896cc237a8fe5e0dcf..efcdcb4bd323b1af4a737c2cbd2225ed10b176c2 100644 (file)
@@ -17,9 +17,11 @@ function add_supp_invoice_item($supp_trans_type, $supp_trans_no, $stock_id, $des
 {
        $sql = "INSERT INTO ".TB_PREF."supp_invoice_items (supp_trans_type, supp_trans_no, stock_id, description, gl_code, unit_price, unit_tax, quantity,
                grn_item_id, po_detail_item_id, memo_) ";
-       $sql .= "VALUES ($supp_trans_type, $supp_trans_no, ".db_escape($stock_id).
-       ", ".db_escape($description).", ".db_escape($gl_code).", $unit_price, $unit_tax, $quantity,
-               $grn_item_id, $po_detail_item_id, ".db_escape($memo_).")";
+       $sql .= "VALUES (".db_escape($supp_trans_type).", ".db_escape($supp_trans_no).", "
+               .db_escape($stock_id).
+       ", ".db_escape($description).", ".db_escape($gl_code).", ".db_escape($unit_price)
+       .", ".db_escape($unit_tax).", ".db_escape($quantity).",
+               ".db_escape($grn_item_id).", ".db_escape($po_detail_item_id).", ".db_escape($memo_).")";
 
        if ($err_msg == "")
                $err_msg = "Cannot insert a supplier transaction detail record";
@@ -43,8 +45,8 @@ function add_supp_invoice_gl_item($supp_trans_type, $supp_trans_no, $gl_code, $a
 function get_supp_invoice_items($supp_trans_type, $supp_trans_no)
 {
        $sql = "SELECT *, unit_price AS FullUnitPrice FROM ".TB_PREF."supp_invoice_items
-               WHERE supp_trans_type = $supp_trans_type
-               AND supp_trans_no = $supp_trans_no ORDER BY id";
+               WHERE supp_trans_type = ".db_escape($supp_trans_type)."
+               AND supp_trans_no = ".db_escape($supp_trans_no)." ORDER BY id";
        return db_query($sql, "Cannot retreive supplier transaction detail records");
 }
 
@@ -53,7 +55,7 @@ function get_supp_invoice_items($supp_trans_type, $supp_trans_no)
 function void_supp_invoice_items($type, $type_no)
 {
        $sql = "UPDATE ".TB_PREF."supp_invoice_items SET quantity=0, unit_price=0
-               WHERE supp_trans_type = $type AND supp_trans_no=$type_no";
+               WHERE supp_trans_type = ".db_escape($type)." AND supp_trans_no=".db_escape($type_no);
        db_query($sql, "could not void supptrans details");
 }
 
index 1f5f57504a17fae58880bfdb6bb0b057a06a3804..ee2b7d8e38575b0a2dc92f737c88799cd6b3f51c 100644 (file)
 
 function delete_po($po)
 {
-       $sql = "DELETE FROM ".TB_PREF."purch_orders WHERE order_no=" . $po;
+       $sql = "DELETE FROM ".TB_PREF."purch_orders WHERE order_no=".db_escape($po);
        db_query($sql, "The order header could not be deleted");
 
-       $sql = "DELETE FROM ".TB_PREF."purch_order_details WHERE order_no =" . $po;
+       $sql = "DELETE FROM ".TB_PREF."purch_order_details WHERE order_no =".db_escape($po);
        db_query($sql, "The order detail lines could not be deleted");
 }
 
@@ -32,8 +32,8 @@ function add_po(&$po_obj)
      $sql = "INSERT INTO ".TB_PREF."purch_orders (supplier_id, Comments, ord_date, reference, requisition_no, into_stock_location, delivery_address) VALUES(";
      $sql .= db_escape($po_obj->supplier_id) . "," .
          db_escape($po_obj->Comments) . ",'" .
-         date2sql($po_obj->orig_order_date) . "', '" .
-                $po_obj->reference . "', " .
+         date2sql($po_obj->orig_order_date) . "', " .
+                db_escape($po_obj->reference) . ", " .
          db_escape($po_obj->requisition_no) . ", " .
          db_escape($po_obj->Location) . ", " .
          db_escape($po_obj->delivery_address) . ")";
@@ -52,8 +52,8 @@ function add_po(&$po_obj)
                $sql .= $po_obj->order_no . ", " . db_escape($po_line->stock_id). "," .
                        db_escape($po_line->item_description). ",'" .
                        date2sql($po_line->req_del_date) . "'," .
-                       $po_line->price . ", " .
-                       $po_line->quantity . ")";
+                       db_escape($po_line->price) . ", " .
+                       db_escape($po_line->quantity). ")";
                        db_query($sql, "One of the purchase order detail records could not be inserted");
        }
      }
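Review bot: `$sql .= $po_obj->order_no . ", "` at the top of the hunk is the one value in this INSERT that still bypasses db_escape(); order_no is assigned before the hunk, presumably from the header insert's generated id, so the exposure is low, but `db_escape($po_obj->order_no) . ", "` keeps the statement uniformly escaped and robust if the object is ever populated from request data. add_po's body begins outside the hunk.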
@@ -92,7 +92,7 @@ function update_po(&$po_obj)
                        // Sherifoz 21.06.03 Handle deleting existing lines
                        if ($po_line->po_detail_rec!='')
                        {
-                               $sql = "DELETE FROM ".TB_PREF."purch_order_details WHERE po_detail_item='" . $po_line->po_detail_rec . "'";
+                               $sql = "DELETE FROM ".TB_PREF."purch_order_details WHERE po_detail_item=".db_escape($po_line->po_detail_rec);
                                db_query($sql, "could not query purch order details");
                        }
                }
@@ -104,16 +104,16 @@ function update_po(&$po_obj)
                                db_escape($po_line->stock_id). "," .
                                db_escape($po_line->item_description). ",'" .
                                date2sql($po_line->req_del_date) . "'," .
-                               $po_line->price . ", " . $po_line->quantity . ")";
+                               db_escape($po_line->price) . ", ".db_escape($po_line->quantity) . ")";
                }
                else
                {
-                       $sql = "UPDATE ".TB_PREF."purch_order_details SET item_code='" . $po_line->stock_id . "',
+                       $sql = "UPDATE ".TB_PREF."purch_order_details SET item_code=".db_escape($po_line->stock_id).",
                                description =" . db_escape($po_line->item_description). ",
                                delivery_date ='" . date2sql($po_line->req_del_date) . "',
-                               unit_price=" . $po_line->price . ",
-                               quantity_ordered=" . $po_line->quantity . "
-                               WHERE po_detail_item=" . $po_line->po_detail_rec;
+                               unit_price=".db_escape($po_line->price).",
+                               quantity_ordered=".db_escape($po_line->quantity) . "
+                               WHERE po_detail_item=".db_escape($po_line->po_detail_rec);
                }
                db_query($sql, "One of the purchase order detail records could not be updated");
     }
@@ -134,7 +134,7 @@ function read_po_header($order_no, &$order)
                FROM ".TB_PREF."purch_orders, ".TB_PREF."suppliers, ".TB_PREF."locations
                WHERE ".TB_PREF."purch_orders.supplier_id = ".TB_PREF."suppliers.supplier_id
                AND ".TB_PREF."locations.loc_code = into_stock_location
-               AND ".TB_PREF."purch_orders.order_no = " . $order_no;
+               AND ".TB_PREF."purch_orders.order_no = ".db_escape($order_no);
 
        $result = db_query($sql, "The order cannot be retrieved");
 
@@ -172,7 +172,7 @@ function read_po_items($order_no, &$order, $open_items_only=false)
                FROM ".TB_PREF."purch_order_details
                LEFT JOIN ".TB_PREF."stock_master
                ON ".TB_PREF."purch_order_details.item_code=".TB_PREF."stock_master.stock_id
-               WHERE order_no =$order_no ";
+               WHERE order_no =".db_escape($order_no);
 
     if ($open_items_only)
                $sql .= " AND (".TB_PREF."purch_order_details.quantity_ordered > ".TB_PREF."purch_order_details.quantity_received) ";
@@ -186,6 +186,7 @@ function read_po_items($order_no, &$order, $open_items_only=false)
 
                while ($myrow = db_fetch($result))
         {
+
                $data = get_purchase_data($order->supplier_id, $myrow['item_code']);
                if ($data !== false)
                {
@@ -203,13 +204,13 @@ function read_po_items($order_no, &$order, $open_items_only=false)
                 $units = $myrow["units"];
             }
 
-            $order->add_to_order($order->lines_on_order+1, $myrow["item_code"],
+            if ($order->add_to_order($order->lines_on_order+1, $myrow["item_code"],
                $myrow["quantity_ordered"],$myrow["description"],
                $myrow["unit_price"],$units, sql2date($myrow["delivery_date"]),
-               $myrow["qty_invoiced"], $myrow["quantity_received"]);
-
-            $order->line_items[$order->lines_on_order]->po_detail_rec = $myrow["po_detail_item"];
-            $order->line_items[$order->lines_on_order]->standard_cost = $myrow["std_cost_unit"];  /*Needed for receiving goods and GL interface */
+               $myrow["qty_invoiced"], $myrow["quantity_received"])) {
+                                       $order->line_items[$order->lines_on_order]->po_detail_rec = $myrow["po_detail_item"];
+                                       $order->line_items[$order->lines_on_order]->standard_cost = $myrow["std_cost_unit"];  /*Needed for receiving goods and GL interface */
+                       }
         } /* line po from purchase order details */
     } //end of checks on returned data set
 }
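Review bot: When add_to_order() returns false, the purch_order_details row being read is now dropped silently — nothing is logged or displayed, so an order can be read back with fewer lines than are stored and the caller has no way to tell. If a false return is an expected condition, a comment above the `if` stating why a skipped row is acceptable is needed; if it is not, an `else` branch that reports the skipped `$myrow["item_code"]` through the file's existing error-reporting path would make the loss visible. The new block also indents the two assignments with tabs where the surrounding code uses spaces. read_po_items() begins before this hunk.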
index e1715a6e713df0b27e5a3529dec5c2c4fdb71a84..4ba8d7bac65d57517c4f6f1eb41f595c418e17a5 100644 (file)
@@ -30,8 +30,10 @@ function add_supp_trans($type, $supplier_id, $date_, $due_date, $reference, $sup
 
        $sql = "INSERT INTO ".TB_PREF."supp_trans (trans_no, type, supplier_id, tran_date, due_date,
                reference, supp_reference, ov_amount, ov_gst, rate, ov_discount) ";
-       $sql .= "VALUES ($trans_no, $type, $supplier_id, '$date', '$due_date',
-               ".db_escape($reference).", ".db_escape($supp_reference).", $amount, $amount_tax, $rate, $discount)";
+       $sql .= "VALUES (".db_escape($trans_no).", ".db_escape($type)
+       .", ".db_escape($supplier_id).", '$date', '$due_date',
+               ".db_escape($reference).", ".db_escape($supp_reference).", ".db_escape($amount)
+               .", ".db_escape($amount_tax).", ".db_escape($rate).", ".db_escape($discount).")";
 
        if ($err_msg == "")
                $err_msg = "Cannot insert a supplier transaction record";
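Review bot: `'$date'` and `'$due_date'` are still interpolated by hand into the VALUES list while every other value in the statement has been moved to db_escape(). They are presumably the date2sql() results of the `$date_` and `$due_date` parameters, which would make them safe in practice, but the mixed style hides that assumption; `db_escape($date).", ".db_escape($due_date).",` escapes the whole statement the same way. add_supp_trans() begins before this hunk.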
@@ -65,17 +67,17 @@ function get_supp_trans($trans_no, $trans_type=-1)
                $sql .= ", ".TB_PREF."bank_trans, ".TB_PREF."bank_accounts";
        }
 
-       $sql .= " WHERE ".TB_PREF."supp_trans.trans_no=$trans_no
+       $sql .= " WHERE ".TB_PREF."supp_trans.trans_no=".db_escape($trans_no)."
                AND ".TB_PREF."supp_trans.supplier_id=".TB_PREF."suppliers.supplier_id";
 
        if ($trans_type > 0)
-               $sql .= " AND ".TB_PREF."supp_trans.type=$trans_type ";
+               $sql .= " AND ".TB_PREF."supp_trans.type=".db_escape($trans_type);
 
        if ($trans_type == ST_SUPPAYMENT)
        {
                // it's a payment so also get the bank account
-               $sql .= " AND ".TB_PREF."bank_trans.trans_no =$trans_no
-                       AND ".TB_PREF."bank_trans.type=$trans_type
+               $sql .= " AND ".TB_PREF."bank_trans.trans_no =".db_escape($trans_no)."
+                       AND ".TB_PREF."bank_trans.type=".db_escape($trans_type)."
                        AND ".TB_PREF."bank_accounts.id=".TB_PREF."bank_trans.bank_act ";
        }
 
@@ -105,8 +107,8 @@ function exists_supp_trans($type, $type_no)
        if ($type == 25)
                return exists_grn($type_no);
 
-       $sql = "SELECT trans_no FROM ".TB_PREF."supp_trans WHERE type=$type
-               AND trans_no=$type_no";
+       $sql = "SELECT trans_no FROM ".TB_PREF."supp_trans WHERE type=".db_escape($type)."
+               AND trans_no=".db_escape($type_no);
        $result = db_query($sql, "Cannot retreive a supplier transaction");
 
     return (db_num_rows($result) > 0);
@@ -117,7 +119,7 @@ function exists_supp_trans($type, $type_no)
 function void_supp_trans($type, $type_no)
 {
        $sql = "UPDATE ".TB_PREF."supp_trans SET ov_amount=0, ov_discount=0, ov_gst=0,
-               alloc=0 WHERE type=$type AND trans_no=$type_no";
+               alloc=0 WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no);
 
        db_query($sql, "could not void supp transactions for type=$type and trans_no=$type_no");
 }
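Review bot: The UPDATE is now escaped, but the error text on the last line still embeds the inputs verbatim: `"could not void supp transactions for type=$type and trans_no=$type_no"`. If db_query() surfaces that message to the browser without HTML-encoding it (its implementation is not visible here), a crafted trans_no that fails the query becomes a reflected-XSS vector through the error path; encoding the values with the helper the UI layer uses, or leaving them out of the message, closes that. The same message pattern appears in clear_supp_alloctions() and delete_supp_allocation() in this commit.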
index b31adc52e0c28755ec3909a03eaf7c5bfe9b9d85..987a640db957073acbe105afc56b416e9f22740b 100644 (file)
@@ -18,7 +18,9 @@ function add_supp_allocation($amount, $trans_type_from, $trans_no_from,
        $sql = "INSERT INTO ".TB_PREF."supp_allocations (
                amt, date_alloc,
                trans_type_from, trans_no_from, trans_no_to, trans_type_to)
-               VALUES ($amount, '$date', $trans_type_from, $trans_no_from, $trans_no_to, $trans_type_to)";
+               VALUES (".db_escape($amount).", '$date', "
+               .db_escape($trans_type_from).", ".db_escape($trans_no_from).", "
+               .db_escape($trans_no_to).", ".db_escape($trans_type_to).")";
 
        db_query($sql, "A supplier allocation could not be added to the database");
 }
@@ -28,7 +30,7 @@ function add_supp_allocation($amount, $trans_type_from, $trans_no_from,
 
 function delete_supp_allocation($trans_id)
 {
-       $sql = "DELETE FROM ".TB_PREF."supp_allocations WHERE id = " . $trans_id;
+       $sql = "DELETE FROM ".TB_PREF."supp_allocations WHERE id = ".db_escape($trans_id);
        db_query($sql, "The existing allocation $trans_id could not be deleted");
 }
 
@@ -37,7 +39,8 @@ function delete_supp_allocation($trans_id)
 function get_supp_trans_allocation_balance($trans_type, $trans_no)
 {
        $sql = "SELECT (ov_amount+ov_gst-ov_discount-alloc) AS BalToAllocate
-               FROM ".TB_PREF."supp_trans WHERE trans_no=$trans_no AND type=$trans_type";
+               FROM ".TB_PREF."supp_trans WHERE trans_no="
+               .db_escape($trans_no)." AND type=".db_escape($trans_type);
        $result = db_query($sql,"calculate the allocation");
        $myrow = db_fetch_row($result);
 
@@ -48,8 +51,8 @@ function get_supp_trans_allocation_balance($trans_type, $trans_no)
 
 function update_supp_trans_allocation($trans_type, $trans_no, $alloc)
 {
-       $sql = "UPDATE ".TB_PREF."supp_trans SET alloc = alloc + $alloc
-               WHERE type=$trans_type AND trans_no = $trans_no";
+       $sql = "UPDATE ".TB_PREF."supp_trans SET alloc = alloc + ".db_escape($alloc)."
+               WHERE type=".db_escape($trans_type)." AND trans_no = ".db_escape($trans_no);
        db_query($sql, "The supp transaction record could not be modified for the allocation against it");
 }
 
@@ -67,7 +70,7 @@ function clear_supp_alloctions($type, $type_no, $date="")
        // clear any allocations for this transaction
        $sql = "SELECT * FROM ".TB_PREF."supp_allocations
                WHERE (trans_type_from=$type AND trans_no_from=$type_no)
-               OR (trans_type_to=$type AND trans_no_to=$type_no)";
+               OR (trans_type_to=".db_escape($type)." AND trans_no_to=".db_escape($type_no).")";
        $result = db_query($sql, "could not void supp transactions for type=$type and trans_no=$type_no");
 
        while ($row = db_fetch($result))
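Review bot: The fix to this SELECT is incomplete: only the `OR (trans_type_to=... AND trans_no_to=...)` clause was changed, while the first clause on the context line just above it, `WHERE (trans_type_from=$type AND trans_no_from=$type_no)`, still interpolates both values raw. The DELETE later in the same function escapes both clauses, so this one should read `WHERE (trans_type_from=".db_escape($type)." AND trans_no_from=".db_escape($type_no).")`. clear_supp_alloctions() begins before this hunk and continues after it.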
@@ -88,8 +91,8 @@ function clear_supp_alloctions($type, $type_no, $date="")
 
        // remove any allocations for this transaction
        $sql = "DELETE FROM ".TB_PREF."supp_allocations
-               WHERE (trans_type_from=$type AND trans_no_from=$type_no)
-               OR (trans_type_to=$type AND trans_no_to=$type_no)";
+               WHERE (trans_type_from=".db_escape($type)." AND trans_no_from=".db_escape($type_no).")
+               OR (trans_type_to=".db_escape($type)." AND trans_no_to=".db_escape($type_no).")";
 
        db_query($sql, "could not void supp transactions for type=$type and trans_no=$type_no");
 }
@@ -124,7 +127,7 @@ function get_alloc_supp_sql($extra_fields=null, $extra_conditions=null, $extra_t
        $sql .= " WHERE trans.supplier_id=supplier.supplier_id";
 
        if ($extra_conditions)
-               $sql .= " AND $extra_conditions ";
+               $sql .= " AND $extra_conditions";
 
        return $sql;
 }
@@ -142,7 +145,7 @@ function get_allocatable_from_supp_sql($supplier_id, $settled)
 
        $supp_sql = "";
        if ($supplier_id != null)
-               $supp_sql = " AND trans.supplier_id = $supplier_id";
+               $supp_sql = " AND trans.supplier_id = ".db_escape($supplier_id);
 
        $sql = get_alloc_supp_sql("round(ABS(ov_amount+ov_gst+ov_discount)-alloc,6) <= 0 AS settled",
                "(type=".ST_SUPPAYMENT." OR type=".ST_SUPPCREDIT." OR type=".ST_BANKPAYMENT.") AND (ov_amount < 0) " . $settled_sql . $supp_sql);
@@ -158,10 +161,10 @@ function get_allocatable_to_supp_transactions($supplier_id, $trans_no=null, $typ
        {
                $sql = get_alloc_supp_sql("amt, supp_reference", "trans.trans_no = alloc.trans_no_to
                        AND trans.type = alloc.trans_type_to
-                       AND alloc.trans_no_from=$trans_no
-                       AND alloc.trans_type_from=$type
-                       AND trans.supplier_id=$supplier_id",
-                       "".TB_PREF."supp_allocations as alloc");
+                       AND alloc.trans_no_from=".db_escape($trans_no)."
+                       AND alloc.trans_type_from=".db_escape($type)."
+                       AND trans.supplier_id=".db_escape($supplier_id),
+                       TB_PREF."supp_allocations as alloc");
        }
        else
        {
index 1cfa85daa45c3c4ec858a8f53a37a64ed99b0d2a..dd72a6cf94efa8628354bc9648ffe26fc31c699c 100644 (file)
@@ -60,7 +60,7 @@ function get_supplier_details($supplier_id, $to=null)
                                 ".TB_PREF."payment_terms
                        WHERE
                                 ".TB_PREF."suppliers.payment_terms = ".TB_PREF."payment_terms.terms_indicator
-                                AND ".TB_PREF."suppliers.supplier_id = '$supplier_id'";
+                                AND ".TB_PREF."suppliers.supplier_id = ".db_escape($supplier_id);
 
        $result = db_query($sql,"The customer details could not be retrieved");
 
@@ -86,7 +86,7 @@ function get_supplier_details($supplier_id, $to=null)
 
 function get_supplier($supplier_id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."suppliers WHERE supplier_id=$supplier_id";
+       $sql = "SELECT * FROM ".TB_PREF."suppliers WHERE supplier_id=".db_escape($supplier_id);
 
        $result = db_query($sql, "could not get supplier");
 
@@ -95,7 +95,7 @@ function get_supplier($supplier_id)
 
 function get_supplier_name($supplier_id)
 {
-       $sql = "SELECT supp_name AS name FROM ".TB_PREF."suppliers WHERE supplier_id=$supplier_id";
+       $sql = "SELECT supp_name AS name FROM ".TB_PREF."suppliers WHERE supplier_id=".db_escape($supplier_id);
 
        $result = db_query($sql, "could not get supplier");
 
@@ -106,7 +106,7 @@ function get_supplier_name($supplier_id)
 
 function get_supplier_accounts($supplier_id)
 {
-       $sql = "SELECT payable_account,purchase_account,payment_discount_account FROM ".TB_PREF."suppliers WHERE supplier_id=$supplier_id";
+       $sql = "SELECT payable_account,purchase_account,payment_discount_account FROM ".TB_PREF."suppliers WHERE supplier_id=".db_escape($supplier_id);
 
        $result = db_query($sql, "could not get supplier");
 
index 89b7533e849fa6eda1da77c141d5b703af66c6a5..51b456a216ec01346ce42f059894b6c4e15c1941 100644 (file)
@@ -47,8 +47,8 @@ function add_gl_trans_supplier($type, $type_no, $date_, $account, $dimension, $d
 function get_purchase_price($supplier_id, $stock_id)
 {
        $sql = "SELECT price, conversion_factor FROM ".TB_PREF."purch_data 
-               WHERE supplier_id = '" . $supplier_id . "' 
-               AND stock_id = '". $stock_id . "'";
+               WHERE supplier_id = ".db_escape($supplier_id) . " 
+               AND stock_id = ".db_escape($stock_id);
        $result = db_query($sql, "The supplier pricing details for " . $stock_id . " could not be retrieved");    
 
        if (db_num_rows($result) == 1)
@@ -65,8 +65,8 @@ function get_purchase_price($supplier_id, $stock_id)
 function get_purchase_conversion_factor($supplier_id, $stock_id)
 {
        $sql = "SELECT conversion_factor FROM ".TB_PREF."purch_data 
-               WHERE supplier_id = '" . $supplier_id . "' 
-               AND stock_id = '". $stock_id . "'";
+               WHERE supplier_id = ".db_escape($supplier_id)." 
+               AND stock_id = ".db_escape($stock_id);
        $result = db_query($sql, "The supplier pricing details for " . $stock_id . " could not be retrieved");    
 
        if (db_num_rows($result) == 1)
@@ -84,8 +84,8 @@ function get_purchase_conversion_factor($supplier_id, $stock_id)
 function get_purchase_data($supplier_id, $stock_id)
 {
        $sql = "SELECT * FROM ".TB_PREF."purch_data 
-               WHERE supplier_id = '" . $supplier_id . "' 
-               AND stock_id = '". $stock_id . "'";
+               WHERE supplier_id = ".db_escape($supplier_id) . "
+               AND stock_id = ".db_escape($stock_id);
        $result = db_query($sql, "The supplier pricing details for " . $stock_id . " could not be retrieved");    
 
        return db_fetch($result);
@@ -97,18 +97,19 @@ function add_or_update_purchase_data($supplier_id, $stock_id, $price, $descripti
        if ($data === false)
        {
                $sql = "INSERT INTO ".TB_PREF."purch_data (supplier_id, stock_id, price, suppliers_uom,
-                       conversion_factor, supplier_description) VALUES ('$supplier_id', '$stock_id', 
-                       $price, '$uom', 1, ".db_escape($description).")";
+                       conversion_factor, supplier_description) VALUES (".db_escape($supplier_id)
+                       .", ".db_escape($stock_id).", ".db_escape($price).", "
+                       .db_escape($uom).", 1, ".db_escape($description).")";
                db_query($sql,"The supplier purchasing details could not be added");
                return;
        }       
-       $price = round($price * $data['conversion_factor'], user_price_dec());  
-       $sql = "UPDATE ".TB_PREF."purch_data SET price=$price";
+       $price = round($price * $data['conversion_factor'], user_price_dec());
+       $sql = "UPDATE ".TB_PREF."purch_data SET price=".db_escape($price);
        if ($uom != "")
-               $sql .= ",suppliers_uom='$uom'";
+               $sql .= ",suppliers_uom=".db_escape($uom);
        if ($description != "") 
                $sql .= ",supplier_description=".db_escape($description);
-       $sql .= " WHERE stock_id='$stock_id' AND supplier_id='$supplier_id'";
+       $sql .= " WHERE stock_id=".db_escape($stock_id)." AND supplier_id=".db_escape($supplier_id);
        db_query($sql,"The supplier purchasing details could not be updated");
        return true;
 }
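Review bot: The two exit paths of add_or_update_purchase_data() disagree: the INSERT branch ends with a bare `return;` (null) while the UPDATE branch ends with `return true;`, so a caller that tests the result sees every first-time insert as a failure. Changing the insert path to `return true;` removes the inconsistency; if the difference is intentional, a comment above the function should say what the return value means. The function header is outside this hunk.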
index 39ba20d8dd92f294371ebfe6c30e8aea1bbdf63d..a82a37435ff8c68eef47e7b7a179b3db9f06e8f3 100644 (file)
@@ -140,7 +140,7 @@ $sql = "SELECT
 
 if (isset($order_number) && $order_number != "")
 {
-       $sql .= "AND porder.reference LIKE '%". $order_number . "%'";
+       $sql .= "AND porder.reference LIKE ".db_escape('%'. $order_number . '%');
 }
 else
 {
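Review bot: db_escape() on `'%'.$order_number.'%'` closes the injection, but `%` and `_` typed by the user remain LIKE metacharacters, so a search for `_` or `%` matches every reference. If that widening is not wanted, escape them before wrapping — `db_escape('%'.addcslashes($order_number, '%_').'%')` — bearing in mind that the result depends on how db_escape() treats backslashes. The appended fragment also begins with `AND` and no leading space, so it relies on the preceding `$sql` (outside this hunk) ending in whitespace.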
@@ -152,12 +152,12 @@ else
 
        if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != $all_items)
        {
-               $sql .= " AND porder.into_stock_location = '". $_POST['StockLocation'] . "' ";
+               $sql .= " AND porder.into_stock_location = ".db_escape($_POST['StockLocation']);
        }
 
        if (isset($selected_stock_item))
        {
-               $sql .= " AND line.item_code='". $selected_stock_item ."' ";
+               $sql .= " AND line.item_code=".db_escape($selected_stock_item);
        }
 } //end not order number selected
 
index aa2f269a06d5e136a3dfb7c8fcb46fc46c8589d9..23053bae4cc850e4dbeedea3b564d7fdbeba1461 100644 (file)
@@ -126,7 +126,7 @@ $sql = "SELECT
 
 if (isset($order_number) && $order_number != "")
 {
-       $sql .= "AND porder.reference LIKE '%". $order_number . "%'";
+       $sql .= "AND porder.reference LIKE ".db_escape('%'. $order_number . '%');
 }
 else
 {
@@ -139,11 +139,11 @@ else
 
        if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != ALL_TEXT)
        {
-               $sql .= " AND porder.into_stock_location = '". $_POST['StockLocation'] . "' ";
+               $sql .= " AND porder.into_stock_location = ".db_escape($_POST['StockLocation']);
        }
        if (isset($selected_stock_item))
        {
-               $sql .= " AND line.item_code='". $selected_stock_item ."' ";
+               $sql .= " AND line.item_code=".db_escape($selected_stock_item);
        }
 
 } //end not order number selected
index 89383141a161f41b3561143d6e6d8e0fa2a4a697..0a5c65d8f0f5e88ac12985571d7cf543374f728a 100644 (file)
@@ -142,8 +142,9 @@ function fmt_credit($row)
        WHERE supplier.supplier_id = trans.supplier_id
        AND trans.tran_date >= '$date_after'
        AND trans.tran_date <= '$date_to'";
+
        if ($_POST['supplier_id'] != ALL_TEXT)
-               $sql .= " AND trans.supplier_id = '" . $_POST['supplier_id'] . "'";
+               $sql .= " AND trans.supplier_id = ".db_escape($_POST['supplier_id']);
        if (isset($_POST['filterType']) && $_POST['filterType'] != ALL_TEXT)
        {
                if (($_POST['filterType'] == '1') || ($_POST['filterType'] == '2'))
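Review bot: `$_POST['supplier_id']` is read on the new comparison line with no isset() guard, while `filterType` on the very next line is checked with isset() first; a request without the field raises an undefined-index notice before db_escape() is reached. `if (isset($_POST['supplier_id']) && $_POST['supplier_id'] != ALL_TEXT)` mirrors the neighbouring check. The `'$date_after'` and `'$date_to'` literals on the context lines above are also still hand-quoted — presumably date2sql() output, but worth confirming since the rest of the query is now escaped. The enclosing code starts before this hunk.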
index 079faf1c477ae441dcaba6535769daf143370886..0ff509844042ce390dfb55ada9206bc491bdc0d1 100644 (file)
@@ -179,7 +179,7 @@ function check_overdue($row)
        AND trans.tran_date <= '$date_to'
                AND trans.ov_amount != 0";      // exclude voided transactions
        if ($_POST['supplier_id'] != ALL_TEXT)
-               $sql .= " AND trans.supplier_id = '" . $_POST['supplier_id'] . "'";
+               $sql .= " AND trans.supplier_id = ".db_escape($_POST['supplier_id']);
        if (isset($_POST['filterType']) && $_POST['filterType'] != ALL_TEXT)
        {
                if (($_POST['filterType'] == '1')) 
index 6e52c3a516d7681f2cfac38c207da97be2fe09b5..bfed5d6c13cc0fbed01c0d9404901b5e24811c8d 100644 (file)
@@ -80,7 +80,7 @@ if (isset($_POST['submit']))
                                purchase_account=".db_escape($_POST['purchase_account']) . ",
                                payment_discount_account=".db_escape($_POST['payment_discount_account']) . ",
                 notes=".db_escape($_POST['notes']) . ",
-                               tax_group_id=".db_escape($_POST['tax_group_id']) . " WHERE supplier_id = '" . $_POST['supplier_id'] . "'";
+                               tax_group_id=".db_escape($_POST['tax_group_id']) . " WHERE supplier_id = ".db_escape($_POST['supplier_id']);
 
                        db_query($sql,"The supplier could not be updated");
                        update_record_status($_POST['supplier_id'], $_POST['inactive'],
@@ -136,7 +136,7 @@ elseif (isset($_POST['delete']) && $_POST['delete'] != "")
 
        // PREVENT DELETES IF DEPENDENT RECORDS IN 'supp_trans' , purch_orders
 
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."supp_trans WHERE supplier_id='" . $_POST['supplier_id'] . "'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."supp_trans WHERE supplier_id=".db_escape($_POST['supplier_id']);
        $result = db_query($sql,"check failed");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
@@ -147,7 +147,7 @@ elseif (isset($_POST['delete']) && $_POST['delete'] != "")
        } 
        else 
        {
-               $sql= "SELECT COUNT(*) FROM ".TB_PREF."purch_orders WHERE supplier_id='" . $_POST['supplier_id'] . "'";
+               $sql= "SELECT COUNT(*) FROM ".TB_PREF."purch_orders WHERE supplier_id=".db_escape($_POST['supplier_id']);
                $result = db_query($sql,"check failed");
                $myrow = db_fetch_row($result);
                if ($myrow[0] > 0) 
@@ -159,7 +159,7 @@ elseif (isset($_POST['delete']) && $_POST['delete'] != "")
        }
        if ($cancel_delete == 0) 
        {
-               $sql="DELETE FROM ".TB_PREF."suppliers WHERE supplier_id='" . $_POST['supplier_id']. "'";
+               $sql="DELETE FROM ".TB_PREF."suppliers WHERE supplier_id=".db_escape($_POST['supplier_id']);
                db_query($sql,"check failed");
 
                unset($_SESSION['supplier_id']);
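Review bot: The DELETE is executed with the error message `"check failed"`, copied from the two COUNT(*) guard queries above it, so a delete that fails would be reported as a failed dependency check. `db_query($sql, "The supplier could not be deleted");` matches the style of the UPDATE message earlier in this file. Note also that the dependency checks and the delete are separate statements, so a supp_trans row created between them is not caught; whether that matters depends on how the request is wrapped, which is outside this hunk.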
index a5f4b7d59e9f2e7919a03b134c18b71b0bbe067b..2f903ba12be839caa38e95236ec79283cf17f080 100644 (file)
@@ -228,7 +228,7 @@ function handle_add_new_item()
                if ($allow_update == true)
                {
                        $sql = "SELECT description, units, mb_flag
-                               FROM ".TB_PREF."stock_master WHERE stock_id = '". $_POST['stock_id'] . "'";
+                               FROM ".TB_PREF."stock_master WHERE stock_id = ".db_escape($_POST['stock_id']);
 
                    $result = db_query($sql,"The stock details for " . $_POST['stock_id'] . " could not be retrieved");
 
index 601e5d5f0458f83e388be565080646e0343b9c06..1c6e6d627a0280aff0a50deafff18578e7160f5b 100644 (file)
@@ -121,7 +121,7 @@ function check_po_changed()
        // Otherwise if you try to fullfill item quantities separately will give error.
        $sql = "SELECT item_code, quantity_ordered, quantity_received, qty_invoiced
                FROM ".TB_PREF."purch_order_details
-               WHERE order_no=" . $_SESSION['PO']->order_no 
+               WHERE order_no=".db_escape($_SESSION['PO']->order_no)
                ." ORDER BY po_detail_item";
 
        $result = db_query($sql, "could not query purch order details");
index 319bab0bb1acf583fec8d99a4198668a47bc718e..c20abbcd38d7b56cbda1c49f16abc4be4af0d8c9 100644 (file)
@@ -97,7 +97,7 @@ if (isset($_POST['AddGLCodeToTrans'])){
        $Ajax->activate('gl_items');
        $input_error = false;
 
-       $sql = "SELECT account_code, account_name FROM ".TB_PREF."chart_master WHERE account_code='" . $_POST['gl_code'] . "'";
+       $sql = "SELECT account_code, account_name FROM ".TB_PREF."chart_master WHERE account_code=".db_escape($_POST['gl_code']);
        $result = db_query($sql,"get account information");
        if (db_num_rows($result) == 0)
        {
index 15a6529f1667438d4cb72d32503b4779ac153ef6..afa2df18da28a0a573c37f9205c2c238e10f9381 100644 (file)
@@ -99,7 +99,7 @@ if (isset($_POST['AddGLCodeToTrans'])){
        $Ajax->activate('gl_items');
        $input_error = false;
 
-       $sql = "SELECT account_code, account_name FROM ".TB_PREF."chart_master WHERE account_code='" . $_POST['gl_code'] . "'";
+       $sql = "SELECT account_code, account_name FROM ".TB_PREF."chart_master WHERE account_code=".db_escape($_POST['gl_code']);
        $result = db_query($sql,"get account information");
        if (db_num_rows($result) == 0)
        {
@@ -186,10 +186,10 @@ function check_data()
                return false;
        }
 
-       $sql = "SELECT Count(*) FROM ".TB_PREF."supp_trans WHERE supplier_id='" 
-               . $_SESSION['supp_trans']->supplier_id . "' AND supp_reference='
-               . $_POST['supp_reference'] 
-               . "' AND ov_amount!=0"; // ignore voided invoice references
+       $sql = "SELECT Count(*) FROM ".TB_PREF."supp_trans WHERE supplier_id="
+               .db_escape($_SESSION['supp_trans']->supplier_id) . " AND supp_reference=
+               .db_escape( $_POST['supp_reference']) 
+               . " AND ov_amount!=0"; // ignore voided invoice references
 
        $result=db_query($sql,"The sql to check for the previous entry of the same invoice failed");
 
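Review bot: As rendered here, the string opened by `" AND supp_reference=` on the second line of the new statement is not closed on that line, so `.db_escape( $_POST['supp_reference'])` would be string content rather than code and the following ` AND ov_amount!=0";` would sit outside any string — PHP would not parse this. The removed lines show the same shape, so a trailing `"` may simply have been lost in this rendering; if the file really lacks it, the line should end `" AND supp_reference="` and the next begin `.db_escape($_POST['supp_reference'])`. Worth opening the committed file to confirm. check_data() begins before this hunk.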
index c57ab3aebe36c7ae45001a9e6ef9e6e1ce6d9b93..772d33f0cc6aec6a0199746f284dec5ed74a3c25 100644 (file)
@@ -59,7 +59,7 @@ function get_open_balance($debtorno, $to, $convert)
     $sql .= ")) AS OutStanding
                FROM ".TB_PREF."debtor_trans
        WHERE ".TB_PREF."debtor_trans.tran_date < '$to'
-               AND ".TB_PREF."debtor_trans.debtor_no = '$debtorno'
+               AND ".TB_PREF."debtor_trans.debtor_no = ".db_escape($debtorno)."
                AND ".TB_PREF."debtor_trans.type <> ".ST_CUSTDELIVERY." GROUP BY debtor_no";
 
     $result = db_query($sql,"No transactions were returned");
@@ -80,7 +80,7 @@ function get_transactions($debtorno, $from, $to)
        FROM ".TB_PREF."debtor_trans
        WHERE ".TB_PREF."debtor_trans.tran_date >= '$from'
                AND ".TB_PREF."debtor_trans.tran_date <= '$to'
-               AND ".TB_PREF."debtor_trans.debtor_no = '$debtorno'
+               AND ".TB_PREF."debtor_trans.debtor_no = ".db_escape($debtorno)."
                AND ".TB_PREF."debtor_trans.type <> ".ST_CUSTDELIVERY."
        ORDER BY ".TB_PREF."debtor_trans.tran_date";
 
@@ -140,8 +140,8 @@ function print_customer_balances()
 
        $sql = "SELECT debtor_no, name, curr_code FROM ".TB_PREF."debtors_master ";
        if ($fromcust != ALL_NUMERIC)
-               $sql .= "WHERE debtor_no=$fromcust ";
-       $sql .= "ORDER BY name";
+               $sql .= "WHERE debtor_no=".db_escape($fromcust);
+       $sql .= " ORDER BY name";
        $result = db_query($sql, "The customers could not be retrieved");
 
        while ($myrow = db_fetch($result))
index 9070ae186a9a45a92e7690e3a1ed96eab08f1844..fc2457c4930193c22c27ddfb6daa299015befced 100644 (file)
@@ -27,7 +27,7 @@ include_once($path_to_root . "/gl/includes/gl_db.inc");
 
 print_aged_customer_analysis();
 
-function get_invoices($costomer_id, $to)
+function get_invoices($customer_id, $to)
 {
        $todate = date2sql($to);
        $PastDueDays1 = get_company_pref('past_due_days');
@@ -52,7 +52,7 @@ function get_invoices($costomer_id, $to)
                WHERE ".TB_PREF."debtor_trans.type <> ".ST_CUSTDELIVERY."
                        AND ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator
                        AND ".TB_PREF."debtors_master.debtor_no = ".TB_PREF."debtor_trans.debtor_no
-                       AND ".TB_PREF."debtor_trans.debtor_no = $costomer_id
+                       AND ".TB_PREF."debtor_trans.debtor_no = $customer_id 
                        AND ".TB_PREF."debtor_trans.tran_date <= '$todate'
                        AND ABS(".TB_PREF."debtor_trans.ov_amount + ".TB_PREF."debtor_trans.ov_gst + ".TB_PREF."debtor_trans.ov_freight + ".TB_PREF."debtor_trans.ov_freight_tax + ".TB_PREF."debtor_trans.ov_discount) > 0.004
                        ORDER BY ".TB_PREF."debtor_trans.tran_date";
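Review bot: This hunk renames `$costomer_id` but leaves `debtor_trans.debtor_no = $customer_id` interpolated raw, unlike every other id comparison touched by this commit (including the `debtor_no=".db_escape($fromcust)` change further down in the same file). It should become `AND ".TB_PREF."debtor_trans.debtor_no = ".db_escape($customer_id)."` so get_invoices() is not left as the one unescaped query in this report. get_invoices() begins before this hunk and continues after it.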
@@ -129,10 +129,10 @@ function print_aged_customer_analysis()
 
        $total = array(0,0,0,0, 0);
 
-       $sql = "SELECT debtor_no, name, curr_code FROM ".TB_PREF."debtors_master ";
+       $sql = "SELECT debtor_no, name, curr_code FROM ".TB_PREF."debtors_master";
        if ($fromcust != ALL_NUMERIC)
-               $sql .= "WHERE debtor_no=$fromcust ";
-       $sql .= "ORDER BY name";
+               $sql .= " WHERE debtor_no=".db_escape($fromcust);
+       $sql .= " ORDER BY name";
        $result = db_query($sql, "The customers could not be retrieved");
 
        while ($myrow=db_fetch($result))
index 5eeeb22860b735725ce4cf3d2e459d10894df62c..8ee0abbe62971dcf34bee9d819566a171822829e 100644 (file)
@@ -56,18 +56,18 @@ function get_customer_details_for_report($area=0, $salesid=0)
        if ($area != 0)
        {
                if ($salesid != 0)
-                       $sql .= " WHERE ".TB_PREF."salesman.salesman_code='$salesid' 
-                               AND ".TB_PREF."areas.area_code='$area'";
+                       $sql .= " WHERE ".TB_PREF."salesman.salesman_code=".db_escape($salesid)." 
+                               AND ".TB_PREF."areas.area_code=".db_escape($area);
                else            
-                       $sql .= " WHERE ".TB_PREF."areas.area_code='$area'";
+                       $sql .= " WHERE ".TB_PREF."areas.area_code=".db_escape($area);
        }
        elseif ($salesid != 0)
-               $sql .= " WHERE ".TB_PREF."salesman.salesman_code='$salesid'";
+               $sql .= " WHERE ".TB_PREF."salesman.salesman_code=".db_escape($salesid);
        $sql .= " ORDER BY description,
                        ".TB_PREF."salesman.salesman_name,
                        ".TB_PREF."debtors_master.debtor_no,
                        ".TB_PREF."cust_branch.branch_code";
-                                       
+
     return db_query($sql,"No transactions were returned");
 }
 
@@ -78,11 +78,11 @@ function getTransactions($debtorno, $branchcode, $date)
 
        $sql = "SELECT SUM((ov_amount+ov_freight+ov_discount)*rate) AS Turnover
                FROM ".TB_PREF."debtor_trans
-               WHERE debtor_no='$debtorno'
-               AND branch_code='$branchcode'
+               WHERE debtor_no=".db_escape($debtorno)."
+               AND branch_code=".db_escape($branchcode)."
                AND (type=".ST_SALESINVOICE." OR type=".ST_CUSTCREDIT.")
                AND trandate >='$date'";
-               
+
     $result = db_query($sql,"No transactions were returned");
 
        $row = db_fetch_row($result);
index 53d8fea1df6d438c4bfdd79e1fa27afdd993d297..d6249e0d5a5dfeaf109b421c98655f56bcb3f81e 100644 (file)
@@ -40,7 +40,7 @@ function fetch_items($category=0)
                                ".TB_PREF."stock_category
                        WHERE ".TB_PREF."stock_master.category_id=".TB_PREF."stock_category.category_id";
                if ($category != 0)
-                       $sql .= " AND ".TB_PREF."stock_category.category_id = '$category'";
+                       $sql .= " AND ".TB_PREF."stock_category.category_id = ".db_escape($category);
                $sql .= " ORDER BY ".TB_PREF."stock_master.category_id,
                                ".TB_PREF."stock_master.stock_id";
 
@@ -57,7 +57,7 @@ function get_kits($category=0)
                        ON i.category_id=c.category_id";
        $sql .= " WHERE !i.is_foreign AND i.item_code!=i.stock_id";
        if ($category != 0)
-               $sql .= " AND c.category_id = '$category'";
+               $sql .= " AND c.category_id = ".db_escape($category);
        $sql .= " GROUP BY i.item_code";
     return db_query($sql,"No kits were returned");
 }
index dd535b9858b4b23cb993b9c05ffd636349b1a58b..4b6a086cc55b00166070f36d650eeac56d3425d0 100644 (file)
@@ -57,11 +57,11 @@ function GetSalesOrders($from, $to, $category=0, $location=null, $backorder=0)
             WHERE ".TB_PREF."sales_orders.ord_date >='$fromdate'
                 AND ".TB_PREF."sales_orders.ord_date <='$todate'";
        if ($category > 0)
-               $sql .= " AND ".TB_PREF."stock_master.category_id=$category";
+               $sql .= " AND ".TB_PREF."stock_master.category_id=".db_escape($category);
        if ($location != null)
-               $sql .= " AND ".TB_PREF."sales_orders.from_stk_loc='$location'";
+               $sql .= " AND ".TB_PREF."sales_orders.from_stk_loc=".db_escape($location);
        if ($backorder)
-               $sql .= "AND ".TB_PREF."sales_order_details.quantity - ".TB_PREF."sales_order_details.qty_sent > 0";
+               $sql .= " AND ".TB_PREF."sales_order_details.quantity - ".TB_PREF."sales_order_details.qty_sent > 0";
        $sql .= " ORDER BY ".TB_PREF."sales_orders.order_no";
 
        return db_query($sql, "Error getting order details");
index 843e747ee80cd7c720f49a8accbb66e8d2e42022..97c4413bc711cf308dc8ae5200cb1e2c86e2ebb6 100644 (file)
@@ -38,7 +38,7 @@ function getTransactions($debtorno, $date)
                                ((".TB_PREF."debtor_trans.type = ".ST_SALESINVOICE.")
                                        AND ".TB_PREF."debtor_trans.due_date < '$date') AS OverDue
                        FROM ".TB_PREF."debtor_trans
-                       WHERE ".TB_PREF."debtor_trans.tran_date <= '$date' AND ".TB_PREF."debtor_trans.debtor_no = '$debtorno'
+                       WHERE ".TB_PREF."debtor_trans.tran_date <= '$date' AND ".TB_PREF."debtor_trans.debtor_no = ".db_escape($debtorno)."
                                AND ".TB_PREF."debtor_trans.type <> ".ST_CUSTDELIVERY."
                                ORDER BY ".TB_PREF."debtor_trans.tran_date";
 
@@ -82,7 +82,7 @@ function print_statements()
 
        $sql = "SELECT debtor_no, name AS DebtorName, address, tax_id, email, curr_code, curdate() AS tran_date, payment_terms FROM ".TB_PREF."debtors_master";
        if ($customer != ALL_NUMERIC)
-               $sql .= " WHERE debtor_no = $customer";
+               $sql .= " WHERE debtor_no = ".db_escape($customer);
        else
                $sql .= " ORDER by name";
        $result = db_query($sql, "The customers could not be retrieved");
index a5614755dc079e4f0053fcafc8cc91847a51f8e6..532da5fceeb789a3685bd248157feb96188ccf34 100644 (file)
@@ -130,10 +130,10 @@ function print_supplier_balances()
        $total = array();
        $grandtotal = array(0,0,0,0);
 
-       $sql = "SELECT supplier_id, supp_name AS name, curr_code FROM ".TB_PREF."suppliers ";
+       $sql = "SELECT supplier_id, supp_name AS name, curr_code FROM ".TB_PREF."suppliers";
        if ($fromsupp != ALL_NUMERIC)
-               $sql .= "WHERE supplier_id=$fromsupp ";
-       $sql .= "ORDER BY supp_name";
+               $sql .= " WHERE supplier_id=".db_escape($fromsupp);
+       $sql .= " ORDER BY supp_name";
        $result = db_query($sql, "The customers could not be retrieved");
 
        while ($myrow=db_fetch($result))
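Review bot: The error text passed to db_query on the line after the rewritten ORDER BY, `"The customers could not be retrieved"`, names the wrong table for a query on suppliers; the sibling hunk in print_aged_supplier_analysis already says `"The suppliers could not be retrieved"` and print_payment_report carries the same mismatch. Since that message is what surfaces in logs and on screen when the query fails, the copy-paste slip sends whoever debugs it to the wrong table. Suggest `$result = db_query($sql, "The suppliers could not be retrieved");` here and in print_payment_report.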
index 97156dc513ccc06ec51dd6e78f77230421b8096b..3f68bb5adcbe094115247a67361dd382baeef146 100644 (file)
@@ -137,10 +137,10 @@ function print_aged_supplier_analysis()
        $pastdue1 = $PastDueDays1 + 1 . "-" . $PastDueDays2 . " " . _('Days');
        $pastdue2 = _('Over') . " " . $PastDueDays2 . " " . _('Days');
 
-       $sql = "SELECT supplier_id, supp_name AS name, curr_code FROM ".TB_PREF."suppliers ";
+       $sql = "SELECT supplier_id, supp_name AS name, curr_code FROM ".TB_PREF."suppliers";
        if ($fromsupp != ALL_NUMERIC)
-               $sql .= "WHERE supplier_id=$fromsupp ";
-       $sql .= "ORDER BY supp_name";
+               $sql .= " WHERE supplier_id=".db_escape($fromsupp);
+       $sql .= " ORDER BY supp_name";
        $result = db_query($sql, "The suppliers could not be retrieved");
 
        while ($myrow=db_fetch($result))
index 91fdfde62b5356cc9f1a287ef13532ecf0a132b2..27eef02b5dd538a10c2975d8f47bdf98dbe7b6e0 100644 (file)
@@ -104,7 +104,7 @@ function print_payment_report()
        $sql = "SELECT supplier_id, supp_name AS name, curr_code, ".TB_PREF."payment_terms.terms FROM ".TB_PREF."suppliers, ".TB_PREF."payment_terms
                WHERE ";
        if ($fromsupp != ALL_NUMERIC)
-               $sql .= "supplier_id=$fromsupp AND ";
+               $sql .= "supplier_id=".db_escape($fromsupp)." AND ";
        $sql .= "".TB_PREF."suppliers.payment_terms = ".TB_PREF."payment_terms.terms_indicator
                ORDER BY supp_name";
        $result = db_query($sql, "The customers could not be retrieved");
index 5521c7450e40eec5673b46c28e685fbadcbc07a6..2c8250cd3ba33d195ef7ce0aa277a227b02e5500 100644 (file)
@@ -48,8 +48,9 @@ function getTransactions($fromsupp)
                AND ".TB_PREF."grn_batch.id = ".TB_PREF."grn_items.grn_batch_id
                AND ".TB_PREF."grn_items.po_detail_item = ".TB_PREF."purch_order_details.po_detail_item
                AND qty_recd-quantity_inv <>0 ";
+
        if ($fromsupp != ALL_NUMERIC)
-               $sql .= "AND ".TB_PREF."grn_batch.supplier_id ='" . $fromsupp . "' ";
+               $sql .= "AND ".TB_PREF."grn_batch.supplier_id =".db_escape($fromsupp)." ";
        $sql .= "ORDER BY ".TB_PREF."grn_batch.supplier_id,
                        ".TB_PREF."grn_batch.id";
 
index 785420c9218cd7223133f931bf517b139942c0b8..b6b88a4572ee85b310b3493d5109b019c5594441 100644 (file)
@@ -37,7 +37,7 @@ function get_po($order_no)
                FROM ".TB_PREF."purch_orders, ".TB_PREF."suppliers, ".TB_PREF."locations
                WHERE ".TB_PREF."purch_orders.supplier_id = ".TB_PREF."suppliers.supplier_id
                AND ".TB_PREF."locations.loc_code = into_stock_location
-               AND ".TB_PREF."purch_orders.order_no = " . $order_no;
+               AND ".TB_PREF."purch_orders.order_no = ".db_escape($order_no);
        $result = db_query($sql, "The order cannot be retrieved");
     return db_fetch($result);
 }
@@ -48,7 +48,7 @@ function get_po_details($order_no)
                FROM ".TB_PREF."purch_order_details
                LEFT JOIN ".TB_PREF."stock_master
                ON ".TB_PREF."purch_order_details.item_code=".TB_PREF."stock_master.stock_id
-               WHERE order_no =$order_no ";
+               WHERE order_no =".db_escape($order_no)." ";
        $sql .= " ORDER BY po_detail_item";
        return db_query($sql, "Retreive order Line Items");
 }
index eac7b1227601d23e3ea579d7f243e5deb5a76d4f..3b091cde1da032217492d436284d6a298829e37e 100644 (file)
@@ -52,9 +52,9 @@ function getTransactions($category, $location)
                        ".TB_PREF."stock_master.description
                HAVING SUM(".TB_PREF."stock_moves.qty) != 0";
                if ($category != 0)
-                       $sql .= " AND ".TB_PREF."stock_master.category_id = '$category'";
+                       $sql .= " AND ".TB_PREF."stock_master.category_id = ".db_escape($category);
                if ($location != 'all')
-                       $sql .= " AND ".TB_PREF."stock_moves.loc_code = '$location'";
+                       $sql .= " AND ".TB_PREF."stock_moves.loc_code = ".db_escape($location);
                $sql .= " ORDER BY ".TB_PREF."stock_master.category_id,
                        ".TB_PREF."stock_master.stock_id";
 
index 611e214b0aa98da3779a6c4c5aa405504ba8ecf7..8e5bb6ddfd2e39e0898149e167842b5d82295df1 100644 (file)
@@ -44,9 +44,9 @@ function getTransactions($category, $location)
                WHERE ".TB_PREF."stock_master.category_id=".TB_PREF."stock_category.category_id
                AND (".TB_PREF."stock_master.mb_flag='B' OR ".TB_PREF."stock_master.mb_flag='M')";
        if ($category != 0)
-               $sql .= " AND ".TB_PREF."stock_master.category_id = '$category'";
+               $sql .= " AND ".TB_PREF."stock_master.category_id = ".db_escape($category);
        if ($location != 'all')
-               $sql .= " AND IF(".TB_PREF."stock_moves.stock_id IS NULL, '1=1',".TB_PREF."stock_moves.loc_code = '$location')";
+               $sql .= " AND IF(".TB_PREF."stock_moves.stock_id IS NULL, '1=1',".TB_PREF."stock_moves.loc_code = ".db_escape($location).")";
        $sql .= " GROUP BY ".TB_PREF."stock_master.category_id,
                ".TB_PREF."stock_category.description,
                ".TB_PREF."stock_master.stock_id,
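Review bot: The `IF(... IS NULL, '1=1', ...)` expression that the new db_escape call is spliced into passes the string literal `'1=1'` as its true branch, which appears to work only because MySQL coerces the leading `1` of that string to a number in boolean context. Writing the branch as `TRUE` (or `1`) states the intent directly and does not rely on that coercion; the identical expression appears in the next hunk. The enclosing getTransactions starts outside the hunk.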
index 2ac79f8d739f2e2e0c012fab2f95edfe1e608368..25b7a68ca589dd9a1462cc6e5302e253dc895847 100644 (file)
@@ -44,9 +44,9 @@ function getTransactions($category, $location)
                WHERE ".TB_PREF."stock_master.category_id=".TB_PREF."stock_category.category_id
                AND (".TB_PREF."stock_master.mb_flag='B' OR ".TB_PREF."stock_master.mb_flag='M')";
        if ($category != 0)
-               $sql .= " AND ".TB_PREF."stock_master.category_id = '$category'";
+               $sql .= " AND ".TB_PREF."stock_master.category_id = ".db_escape($category);
        if ($location != 'all')
-               $sql .= " AND IF(".TB_PREF."stock_moves.stock_id IS NULL, '1=1',".TB_PREF."stock_moves.loc_code = '$location')";
+               $sql .= " AND IF(".TB_PREF."stock_moves.stock_id IS NULL, '1=1',".TB_PREF."stock_moves.loc_code = ".db_escape($location).")";
        $sql .= " GROUP BY ".TB_PREF."stock_master.category_id,
                ".TB_PREF."stock_category.description,
                ".TB_PREF."stock_master.stock_id,
index 3958536fe9440c5f8526b793a16d778b7a65f532..f1262a1873730d0d5602e7d2769d647cec0feb90 100644 (file)
@@ -59,11 +59,11 @@ function getTransactions($category, $location, $fromcust, $from, $to)
                AND ((".TB_PREF."debtor_trans.type=".ST_CUSTDELIVERY." AND ".TB_PREF."debtor_trans.version=1) OR ".TB_PREF."stock_moves.type=".ST_CUSTCREDIT.")
                AND (".TB_PREF."stock_master.mb_flag='B' OR ".TB_PREF."stock_master.mb_flag='M')";
                if ($category != 0)
-                       $sql .= " AND ".TB_PREF."stock_master.category_id = '$category'";
+                       $sql .= " AND ".TB_PREF."stock_master.category_id = ".db_escape($category);
                if ($location != 'all')
-                       $sql .= " AND ".TB_PREF."stock_moves.loc_code = '$location'";
+                       $sql .= " AND ".TB_PREF."stock_moves.loc_code = ".db_escape($location);
                if ($fromcust != -1)
-                       $sql .= " AND ".TB_PREF."debtors_master.debtor_no = $fromcust";
+                       $sql .= " AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($fromcust);
                $sql .= " GROUP BY ".TB_PREF."stock_master.stock_id, ".TB_PREF."debtors_master.name ORDER BY ".TB_PREF."stock_master.category_id,
                        ".TB_PREF."stock_master.stock_id, ".TB_PREF."debtors_master.name";
     return db_query($sql,"No transactions were returned");
index 0113375efa720e1ed108f953520437f417c218d8..e72f163ce02037886435cd3e2cfd9f77c0e893c6 100644 (file)
@@ -40,8 +40,8 @@ function getTransactions($from, $to)
                        ".TB_PREF."stock_master,
                        ".TB_PREF."bom
                WHERE ".TB_PREF."stock_master.stock_id=".TB_PREF."bom.component
-               AND ".TB_PREF."bom.parent >= '$from'
-               AND ".TB_PREF."bom.parent <= '$to'
+               AND ".TB_PREF."bom.parent >= ".db_escape($from)."
+               AND ".TB_PREF."bom.parent <= ".db_escape($to)."
                ORDER BY
                        ".TB_PREF."bom.parent,
                        ".TB_PREF."bom.component";
index 8e9653b46485d2cfb810fa0b1d408c959f681487..45047adc021cbac1139fcbda68595977e5394307 100644 (file)
@@ -32,8 +32,8 @@ function getTransactions($from, $to)
        $sql = "SELECT *
                FROM
                        ".TB_PREF."dimensions
-               WHERE reference >= '$from'
-               AND reference <= '$to'
+               WHERE reference >= ".db_escape($from)."
+               AND reference <= ".db_escape($to)."
                ORDER BY
                        reference";
 
index 4361b6e7cea3ee10d63448dbe11a05e58e5aa958..faf815f44c9c1aef9cab03e72606cc4911926447 100644 (file)
@@ -62,9 +62,9 @@ function getPeriods($year, $account, $dimension, $dimension2)
                        FROM ".TB_PREF."gl_trans
                                WHERE account='$account'";
        if ($dimension > 0)
-               $sql .= " AND dimension_id = $dimension";
+               $sql .= " AND dimension_id = ".db_escape($dimension);
        if ($dimension2 > 0)
-               $sql .= " AND dimension2_id = $dimension2";
+               $sql .= " AND dimension2_id = ".db_escape($dimension2);
 
        $result = db_query($sql, "Transactions for account $account could not be calculated");
 
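Review bot: `WHERE account='$account'` on the context line just above the two escaped dimension filters is still raw interpolation, so getPeriods keeps an unescaped string parameter in the same statement this commit is hardening. The account code is a string, so the replacement is the same form used two lines below: `WHERE account=".db_escape($account)`. The db_query error message also interpolates `$account`, which is harmless but is the same value; getPeriods' body starts outside the hunk.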
index cdd656bd38ba75144726285c3b777d13fb9b0251..492d8482e8c4e0e0bf6d147eb0168836ee25c061 100644 (file)
@@ -26,7 +26,7 @@ page(_("Create and Print Recurrent Invoices"), false, false, "", $js);
 function set_last_sent($id, $date)
 {
        $date = date2sql($date);
-       $sql = "UPDATE ".TB_PREF."recurrent_invoices SET last_sent='$date' WHERE id=$id";
+       $sql = "UPDATE ".TB_PREF."recurrent_invoices SET last_sent='$date' WHERE id=".db_escape($id);
        db_query($sql,"The recurrent invoice could not be updated or added");
 }      
 
@@ -62,7 +62,7 @@ function create_recurrent_invoices($customer_id, $branch_id, $order_no, $tmpl_no
 if (isset($_GET['recurrent']))
 {
        $invs = array();
-       $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id=".$_GET['recurrent'];
+       $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id=".db_escape($_GET['recurrent']);
 
        $result = db_query($sql,"could not get recurrent invoice");
        $myrow = db_fetch($result);
@@ -99,7 +99,7 @@ if (isset($_GET['recurrent']))
 //-------------------------------------------------------------------------------------------------
 function get_sales_group_name($group_no)
 {
-       $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = $group_no";
+       $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = ".db_escape($group_no);
        $result = db_query($sql, "could not get group");
        $row = db_fetch($result);
        return $row[0];
index 6148985705658fa0f456b5c54b9d4279ff1d89ad..a01bd2896df7df19760a7caa17dc94ce56f54b19 100644 (file)
@@ -204,7 +204,7 @@ function read_customer_data()
                ".TB_PREF."credit_status.dissallow_invoices
                FROM ".TB_PREF."debtors_master, ".TB_PREF."credit_status
                WHERE ".TB_PREF."debtors_master.credit_status = ".TB_PREF."credit_status.id
-                       AND ".TB_PREF."debtors_master.debtor_no = '" . $_POST['customer_id'] . "'";
+                       AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($_POST['customer_id']);
 
        $result = db_query($sql, "could not query customers");
 
index 72a965655746546c949e93bc489b75c9d73c5fbd..97d6fa2040b120cd9ceefd816cd5b7f031cdb9fc 100644 (file)
@@ -14,7 +14,7 @@ function get_branch($branch_id)
        $sql = "SELECT ".TB_PREF."cust_branch.*,".TB_PREF."salesman.salesman_name 
                FROM ".TB_PREF."cust_branch, ".TB_PREF."salesman 
                WHERE ".TB_PREF."cust_branch.salesman=".TB_PREF."salesman.salesman_code 
-               AND branch_code=$branch_id";
+               AND branch_code=".db_escape($branch_id);
        
        $result = db_query($sql, "Cannot retreive a customer branch");
        
@@ -24,7 +24,7 @@ function get_branch($branch_id)
 function get_branch_accounts($branch_id)
 {
        $sql = "SELECT receivables_account,sales_account, sales_discount_account, payment_discount_account 
-               FROM ".TB_PREF."cust_branch WHERE branch_code=$branch_id";
+               FROM ".TB_PREF."cust_branch WHERE branch_code=".db_escape($branch_id);
        
        $result = db_query($sql, "Cannot retreive a customer branch");
        
@@ -34,7 +34,7 @@ function get_branch_accounts($branch_id)
 function get_branch_name($branch_id)
 {
        $sql = "SELECT br_name FROM ".TB_PREF."cust_branch 
-               WHERE branch_code = '$branch_id'";
+               WHERE branch_code = ".db_escape($branch_id);
 
        $result = db_query($sql,"could not retreive name for branch" . $branch_id);
 
@@ -45,7 +45,7 @@ function get_branch_name($branch_id)
 function get_cust_branches_from_group($group_no)
 {
        $sql = "SELECT branch_code, debtor_no FROM ".TB_PREF."cust_branch 
-               WHERE group_no = '$group_no'";
+               WHERE group_no = ".db_escape($group_no);
 
        return db_query($sql,"could not retreive branches for group " . $group_no);
 }
index d59785a365cf5ad00dcbbc0471dc662030e4ddc5..ab0ade98765ddc20d025cf07fb5ba723eaafb826 100644 (file)
@@ -12,7 +12,7 @@
 function add_credit_status($description, $disallow_invoicing)
 {
        $sql = "INSERT INTO ".TB_PREF."credit_status (reason_description, dissallow_invoices) 
-               VALUES (".db_escape($description).",$disallow_invoicing)";
+               VALUES (".db_escape($description).",".db_escape($disallow_invoicing).")";
                
        db_query($sql, "could not add credit status");          
 }
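Review bot: `db_escape($disallow_invoicing)` in the VALUES list assumes the flag arrives as a number or numeric string; if any caller passes a PHP bool from a checkbox, db_escape's handling of a value that is neither string nor numeric is not visible here and should be confirmed. Casting at the call site, `db_escape((int)$disallow_invoicing)`, pins the column to 0/1 regardless of caller. update_credit_status in the next hunk takes the same parameter.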
@@ -20,7 +20,7 @@ function add_credit_status($description, $disallow_invoicing)
 function update_credit_status($status_id, $description, $disallow_invoicing)
 {
        $sql = "UPDATE ".TB_PREF."credit_status SET reason_description=".db_escape($description).",
-               dissallow_invoices=$disallow_invoicing WHERE id=$status_id";
+               dissallow_invoices=".db_escape($disallow_invoicing)." WHERE id=".db_escape($status_id);
        
        db_query($sql, "could not update credit status");                       
 }
@@ -35,7 +35,7 @@ function get_all_credit_status($all=false)
 
 function get_credit_status($status_id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."credit_status WHERE id=$status_id";
+       $sql = "SELECT * FROM ".TB_PREF."credit_status WHERE id=".db_escape($status_id);
        
        $result = db_query($sql, "could not get credit status");
        
@@ -44,7 +44,7 @@ function get_credit_status($status_id)
 
 function delete_credit_status($status_id)
 {
-       $sql="DELETE FROM ".TB_PREF."credit_status WHERE id=$status_id";
+       $sql="DELETE FROM ".TB_PREF."credit_status WHERE id=".db_escape($status_id);
                
        db_query($sql, "could not delete credit status");       
 }
index fab74ab6e6ec4f4ee94501a65d820755c10223dc..2ab21e17f03da2f8bfc97b7777bc662581706fe8 100644 (file)
@@ -16,7 +16,7 @@ function get_parent_trans($trans_type, $trans_no) {
 
        $sql = 'SELECT trans_link FROM
                        '.TB_PREF.'debtor_trans WHERE
-                       (trans_no=' .$trans_no. ' AND type='.$trans_type.' AND trans_link!=0)';
+                       (trans_no='.db_escape($trans_no).' AND type='.db_escape($trans_type).' AND trans_link!=0)';
 
        $result = db_query($sql, 'Parent document numbers cannot be retrieved');
 
@@ -28,7 +28,7 @@ function get_parent_trans($trans_type, $trans_no) {
        // invoice: find batch invoice parent trans.
        $sql = 'SELECT trans_no FROM
                        '.TB_PREF.'debtor_trans WHERE
-                       (trans_link='.$trans_no.' AND type='. get_parent_type($trans_type) .')';
+                       (trans_link='.db_escape($trans_no).' AND type='. get_parent_type($trans_type) .')';
 
        $result = db_query($sql, 'Delivery links cannot be retrieved');
 
@@ -47,11 +47,10 @@ function get_parent_trans($trans_type, $trans_no) {
 function update_customer_trans_version($type, $versions) {
 
        $sql= 'UPDATE '.TB_PREF. 'debtor_trans SET version=version+1
-                       WHERE type='.$type. ' AND (';
+                       WHERE type='.db_escape($type).' AND (';
 
        foreach ($versions as $trans_no=>$version)
-               $where[] =      '(trans_no='.$trans_no.
-                       ' AND version='.$version.')';
+               $where[] =      '(trans_no='.db_escape($trans_no).' AND version='.$version.')';
 
                $sql .= implode(' OR ', $where) .')';
 
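Review bot: `' AND version='.$version.')'` on the rewritten foreach line still concatenates the version value raw while the key `$trans_no` beside it is now escaped, so each OR term is only half covered; if `$versions` is built from posted form fields that is the same class of issue this commit addresses. `$where` is also never initialised, so an empty `$versions` array leaves implode() on an undefined variable and emits `WHERE type=... AND ()`, a syntax error at execution time. Suggest `$where = array();` before the loop and `' AND version='.db_escape($version).')'` for the term. update_customer_trans_version continues outside the hunk.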
@@ -68,7 +67,7 @@ function get_customer_trans_version($type, $trans_no) {
                $trans_no = array( $trans_no );
 
        $sql= 'SELECT trans_no, version FROM '.TB_PREF. 'debtor_trans
-                       WHERE type='.$type.' AND (';
+                       WHERE type='.db_escape($type).' AND (';
 
        foreach ($trans_no as $key=>$trans)
                $trans_no[$key] =       'trans_no='.$trans_no[$key];
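Review bot: The loop on the last line of the hunk, `$trans_no[$key] = 'trans_no='.$trans_no[$key];`, still interpolates each transaction number raw while `$type` two lines above is now escaped, so get_customer_trans_version keeps unescaped values in the same WHERE clause. `'trans_no='.db_escape($trans_no[$key])` brings it in line with the rest of the commit. The function's body starts and ends outside the hunk.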
@@ -117,23 +116,23 @@ function write_customer_trans($trans_type, $trans_no, $debtor_no, $BranchNo,
                ov_gst, ov_freight, ov_freight_tax,
                rate, ship_via, alloc, trans_link,
                dimension_id, dimension2_id
-               ) VALUES ($trans_no, $trans_type,
+               ) VALUES ($trans_no, ".db_escape($trans_type).",
                ".db_escape($debtor_no).", ".db_escape($BranchNo).",
                '$SQLDate', '$SQLDueDate', ".db_escape($reference).",
-               ".db_escape($sales_type).", $order_no, $Total, ".db_escape($discount).", $Tax,
+               ".db_escape($sales_type).", ".db_escape($order_no).", $Total, ".db_escape($discount).", $Tax,
                ".db_escape($Freight).",
                $FreightTax, $rate, ".db_escape($ship_via).", $AllocAmt, ".db_escape($trans_link).",
-               $dimension_id, $dimension2_id)";
+               ".db_escape($dimension_id).", ".db_escape($dimension2_id).")";
        } else {        // may be optional argument should stay unchanged ?
        $sql = "UPDATE ".TB_PREF."debtor_trans SET
                debtor_no=".db_escape($debtor_no)." , branch_code=".db_escape($BranchNo).",
                tran_date='$SQLDate', due_date='$SQLDueDate',
-               reference=".db_escape($reference).", tpe=".db_escape($sales_type).", order_=$order_no,
+               reference=".db_escape($reference).", tpe=".db_escape($sales_type).", order_=".db_escape($order_no).",
                ov_amount=$Total, ov_discount=".db_escape($discount).", ov_gst=$Tax,
                ov_freight=".db_escape($Freight).", ov_freight_tax=$FreightTax, rate=$rate,
                ship_via=".db_escape($ship_via).", alloc=$AllocAmt, trans_link=$trans_link,
-               dimension_id=$dimension_id, dimension2_id=$dimension2_id
-               WHERE trans_no=$trans_no AND type=$trans_type";
+               dimension_id=".db_escape($dimension_id).", dimension2_id=".db_escape($dimension2_id)."
+               WHERE trans_no=$trans_no AND type=".db_escape($trans_type);
        }
        db_query($sql, "The debtor transaction record could not be inserted");
 
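Review bot: `$trans_no` is left raw in `VALUES ($trans_no, ".db_escape($trans_type).",` and again in `WHERE trans_no=$trans_no AND type=".db_escape($trans_type)` while the neighbouring `$trans_type` is escaped, which is inconsistent within one statement and concerns the value that identifies the row being written. The amount fields (`$Total`, `$Tax`, `$FreightTax`, `$rate`, `$AllocAmt`, `$trans_link`) and the `'$SQLDate'`/`'$SQLDueDate'` literals are also interpolated; if they are computed numerics and date2sql() output this is not exploitable, but that cannot be confirmed from the hunk. Escaping `$trans_no` the same way, `".db_escape($trans_no).", ".db_escape($trans_type).",`, is the minimum to close the gap. write_customer_trans begins outside the hunk.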
@@ -181,8 +180,8 @@ function get_customer_trans($trans_id, $trans_type)
                $sql .= ", ".TB_PREF."shippers, ".TB_PREF."sales_types, ".TB_PREF."cust_branch, ".TB_PREF."tax_groups ";
        }
 
-       $sql .= " WHERE ".TB_PREF."debtor_trans.trans_no=$trans_id
-               AND ".TB_PREF."debtor_trans.type=$trans_type
+       $sql .= " WHERE ".TB_PREF."debtor_trans.trans_no=".db_escape($trans_id)."
+               AND ".TB_PREF."debtor_trans.type=".db_escape($trans_type)."
                AND ".TB_PREF."debtor_trans.debtor_no=".TB_PREF."debtors_master.debtor_no";
 
        if ($trans_type == ST_CUSTPAYMENT) {
@@ -223,8 +222,8 @@ function get_customer_trans($trans_id, $trans_type)
 
 function exists_customer_trans($type, $type_no)
 {
-       $sql = "SELECT trans_no FROM ".TB_PREF."debtor_trans WHERE type=$type
-               AND trans_no=$type_no";
+       $sql = "SELECT trans_no FROM ".TB_PREF."debtor_trans WHERE type=".db_escape($type)."
+               AND trans_no=".db_escape($type_no);
 
        $result = db_query($sql, "Cannot retreive a debtor transaction");
 
@@ -237,7 +236,7 @@ function exists_customer_trans($type, $type_no)
 
 function get_customer_trans_order($type, $type_no)
 {
-       $sql = "SELECT order_ FROM ".TB_PREF."debtor_trans WHERE type=$type AND trans_no=$type_no";
+       $sql = "SELECT order_ FROM ".TB_PREF."debtor_trans WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no);
 
        $result = db_query($sql, "The debtor transaction could not be queried");
 
@@ -252,7 +251,7 @@ function get_customer_details_from_trans($type, $type_no)
 {
        $sql = "SELECT ".TB_PREF."debtors_master.name, ".TB_PREF."debtors_master.curr_code, ".TB_PREF."cust_branch.br_name
                FROM ".TB_PREF."debtors_master,".TB_PREF."cust_branch,".TB_PREF."debtor_trans
-               WHERE ".TB_PREF."debtor_trans.type=$type AND ".TB_PREF."debtor_trans.trans_no=$type_no
+               WHERE ".TB_PREF."debtor_trans.type=".db_escape($type)." AND ".TB_PREF."debtor_trans.trans_no=".db_escape($type_no)."
                AND ".TB_PREF."debtors_master.debtor_no = ".TB_PREF."debtor_trans.debtor_no
                AND     ".TB_PREF."cust_branch.branch_code = ".TB_PREF."debtor_trans.branch_code";
 
@@ -266,7 +265,7 @@ function void_customer_trans($type, $type_no)
 {
        // clear all values and mark as void
        $sql = "UPDATE ".TB_PREF."debtor_trans SET ov_amount=0, ov_discount=0, ov_gst=0, ov_freight=0,
-               ov_freight_tax=0, alloc=0, version=version+1 WHERE type=$type AND trans_no=$type_no";
+               ov_freight_tax=0, alloc=0, version=version+1 WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no);
 
        db_query($sql, "could not void debtor transactions for type=$type and trans_no=$type_no");
 }
@@ -294,7 +293,7 @@ function post_void_customer_trans($type, $type_no)
 function get_customer_trans_link($type, $type_no)
 {
        $row = db_query("SELECT trans_link from ".TB_PREF."debtor_trans
-               WHERE type=$type AND trans_no=$type_no",
+               WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no),
                "could not get transaction link for type=$type and trans_no=$type_no");
        return $row[0];
 }
index 17c30c199571fb31d4f565537c7eb82991a05599..86310ffaf0995bda3e2615cc56cd7f62c440bbcd 100644 (file)
@@ -30,7 +30,7 @@ if (!is_array($debtor_trans_no))
        $sql .= implode(' OR ', $tr);
 
 
-       $sql.=  ") AND debtor_trans_type=$debtor_trans_type
+       $sql.=  ") AND debtor_trans_type=".db_escape($debtor_trans_type)."
                AND ".TB_PREF."stock_master.stock_id=".TB_PREF."debtor_trans_details.stock_id
                ORDER BY id";
        return db_query($sql, "The debtor transaction detail could not be queried");
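Review bot: The `implode(' OR ', $tr)` list that precedes the newly escaped `debtor_trans_type` is assembled above the hunk from `$debtor_trans_no`, and nothing visible shows whether those transaction numbers receive the same db_escape treatment; the WHERE clause is only as safe as its least-escaped term. Worth checking that the loop filling `$tr` escapes each element. The surrounding function starts outside the hunk.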
@@ -42,8 +42,8 @@ function void_customer_trans_details($type, $type_no)
 {
        $sql = "UPDATE ".TB_PREF."debtor_trans_details SET quantity=0, unit_price=0,
                unit_tax=0, discount_percent=0, standard_cost=0
-               WHERE debtor_trans_no=$type_no
-               AND debtor_trans_type=$type";
+               WHERE debtor_trans_no=".db_escape($type_no)."
+               AND debtor_trans_type=".db_escape($type);
 
        db_query($sql, "The debtor transaction details could not be voided");
 
@@ -64,12 +64,12 @@ function write_customer_trans_detail_item($debtor_trans_type, $debtor_trans_no,
                        unit_tax=$unit_tax,
                        discount_percent=$discount_percent,
                        standard_cost=$std_cost WHERE
-                       id=$line_id";
+                       id=".db_escape($line_id);
        else
                        $sql = "INSERT INTO ".TB_PREF."debtor_trans_details (debtor_trans_no,
                                debtor_trans_type, stock_id, description, quantity, unit_price,
                                unit_tax, discount_percent, standard_cost)
-                       VALUES ($debtor_trans_no, $debtor_trans_type, ".db_escape($stock_id).
+                       VALUES (".db_escape($debtor_trans_no).", ".db_escape($debtor_trans_type).", ".db_escape($stock_id).
                        ", ".db_escape($description).",
                                $quantity, $unit_price, $unit_tax, $discount_percent, $std_cost)";
 
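Review bot: `$quantity, $unit_price, $unit_tax, $discount_percent, $std_cost` in the INSERT VALUES list, and the UPDATE's `unit_tax=$unit_tax`, `discount_percent=$discount_percent`, `standard_cost=$std_cost`, remain raw while the ids around them are now escaped. The same applies to `$amount` in add_cust_allocation and `$alloc` in update_debtor_trans_allocation later in this diff. If these are floats produced by an input-to-number conversion upstream they are not attacker-controlled text, but that is outside the hunk; escaping them as well makes each statement safe independent of its caller. write_customer_trans_detail_item starts outside the hunk.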
index 9152a3f41142dbba608c1a3117168bb525c57673..618c9397ca61bbdba6879d0faba20367d04727e3 100644 (file)
@@ -17,7 +17,8 @@ function add_cust_allocation($amount, $trans_type_from, $trans_no_from,
        $sql = "INSERT INTO ".TB_PREF."cust_allocations (
                amt, date_alloc,
                trans_type_from, trans_no_from, trans_no_to, trans_type_to)
-               VALUES ($amount, Now(), $trans_type_from, $trans_no_from, $trans_no_to, $trans_type_to)";
+               VALUES ($amount, Now(), ".db_escape($trans_type_from).", ".db_escape($trans_no_from).", ".db_escape($trans_no_to)
+               .", ".db_escape($trans_type_to).")";
 
        db_query($sql, "A customer allocation could not be added to the database");
 }
@@ -27,7 +28,7 @@ function add_cust_allocation($amount, $trans_type_from, $trans_no_from,
 
 function delete_cust_allocation($trans_id)
 {
-       $sql = "DELETE FROM ".TB_PREF."cust_allocations WHERE id = " . $trans_id;
+       $sql = "DELETE FROM ".TB_PREF."cust_allocations WHERE id = ".db_escape($trans_id);
        return db_query($sql, "The existing allocation $trans_id could not be deleted");
 }
 
@@ -37,7 +38,7 @@ function get_DebtorTrans_allocation_balance($trans_type, $trans_no)
 {
 
        $sql = "SELECT (ov_amount+ov_gst+ov_freight+ov_freight_tax-ov_discount-alloc) AS BalToAllocate
-               FROM ".TB_PREF."debtor_trans WHERE trans_no=$trans_no AND type=$trans_type";
+               FROM ".TB_PREF."debtor_trans WHERE trans_no=".db_escape($trans_no)." AND type=".db_escape($trans_type);
        $result = db_query($sql,"calculate the allocation");
        $myrow = db_fetch_row($result);
 
@@ -49,7 +50,7 @@ function get_DebtorTrans_allocation_balance($trans_type, $trans_no)
 function update_debtor_trans_allocation($trans_type, $trans_no, $alloc)
 {
        $sql = "UPDATE ".TB_PREF."debtor_trans SET alloc = alloc + $alloc
-               WHERE type=$trans_type AND trans_no = $trans_no";
+               WHERE type=".db_escape($trans_type)." AND trans_no = ".db_escape($trans_no);
        db_query($sql, "The debtor transaction record could not be modified for the allocation against it");
 }
 
@@ -66,8 +67,8 @@ function clear_cust_alloctions($type, $type_no, $date="")
 {
        // clear any allocations for this transaction
        $sql = "SELECT * FROM ".TB_PREF."cust_allocations
-               WHERE (trans_type_from=$type AND trans_no_from=$type_no)
-               OR (trans_type_to=$type AND trans_no_to=$type_no)";
+               WHERE (trans_type_from=".db_escape($type)." AND trans_no_from=".db_escape($type_no).")
+               OR (trans_type_to=".db_escape($type)." AND trans_no_to=".db_escape($type_no).")";
        $result = db_query($sql, "could not void debtor transactions for type=$type and trans_no=$type_no");
 
        while ($row = db_fetch($result))
@@ -86,8 +87,8 @@ function clear_cust_alloctions($type, $type_no, $date="")
 
        // remove any allocations for this transaction
        $sql = "DELETE FROM ".TB_PREF."cust_allocations
-               WHERE (trans_type_from=$type AND trans_no_from=$type_no)
-               OR (trans_type_to=$type AND trans_no_to=$type_no)";
+               WHERE (trans_type_from=".db_escape($type)." AND trans_no_from=".db_escape($type_no).")
+               OR (trans_type_to=".db_escape($type)." AND trans_no_to=".db_escape($type_no).")";
 
        db_query($sql, "could not void debtor transactions for type=$type and trans_no=$type_no");
 }
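Review bot: The error text handed to db_query on the DELETE still embeds `$type` and `$type_no` verbatim (`...for type=$type and trans_no=$type_no`), so the values that were just escaped for SQL reach the error-display path unescaped. Whether that matters depends on how db_query renders its message, which is outside this hunk, but keeping raw identifiers out of the message or escaping them for the output context is the safer habit, e.g. `"could not void debtor transactions for type=".htmlspecialchars($type)." and trans_no=".htmlspecialchars($type_no)`. The SELECT in the previous hunk carries the same message. clear_cust_alloctions starts before this hunk.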
@@ -136,7 +137,7 @@ function get_allocatable_from_cust_sql($customer_id, $settled)
        }
        $cust_sql = "";
        if ($customer_id != null)
-               $cust_sql = " AND trans.debtor_no = $customer_id";
+               $cust_sql = " AND trans.debtor_no = ".db_escape($customer_id);
 
        $sql = get_alloc_trans_sql("round(ov_amount+ov_gst+ov_freight+ov_freight_tax+ov_discount-alloc,6) <= 0 AS settled",
                "(type=".ST_CUSTPAYMENT." OR type=".ST_CUSTCREDIT." OR type=".ST_BANKDEPOSIT.") AND (trans.ov_amount > 0) " . $settled_sql . $cust_sql);
@@ -154,7 +155,7 @@ function get_allocatable_to_cust_transactions($customer_id, $trans_no=null, $typ
                        AND trans.type = alloc.trans_type_to
                        AND alloc.trans_no_from=$trans_no
                        AND alloc.trans_type_from=$type
-                       AND trans.debtor_no=$customer_id",
+                       AND trans.debtor_no=".db_escape($customer_id),
                        "".TB_PREF."cust_allocations as alloc");
        }
        else
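Review bot: Only `trans.debtor_no` was escaped in this branch while `alloc.trans_no_from=$trans_no` and `alloc.trans_type_from=$type` two lines above are still raw interpolations in the same query string. Unless both are guaranteed integers by every caller (not visible here), treat them the same way: `AND alloc.trans_no_from=".db_escape($trans_no)." AND alloc.trans_type_from=".db_escape($type)."`. get_allocatable_to_cust_transactions starts before this hunk.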
@@ -164,7 +165,7 @@ function get_allocatable_to_cust_transactions($customer_id, $trans_no=null, $typ
                        AND trans.type <> " . ST_BANKDEPOSIT . "
                        AND trans.type <> " . ST_CUSTCREDIT . "
                        AND trans.type <> " . ST_CUSTDELIVERY . "
-                       AND trans.debtor_no=$customer_id");
+                       AND trans.debtor_no=".db_escape($customer_id));
        }
 
        return db_query($sql." ORDER BY trans_no", "Cannot retreive alloc to transactions");
index db0e47af833d05598a7e835b7bb02bc53ec231b1..1670c426e7eceaf2e3f9b7e3bc6eb1f4041a094c 100644 (file)
@@ -43,7 +43,7 @@ function get_customer_details($customer_id, $to=null)
                WHERE
                         ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator
                         AND ".TB_PREF."debtors_master.credit_status = ".TB_PREF."credit_status.id
-                        AND ".TB_PREF."debtors_master.debtor_no = $customer_id
+                        AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($customer_id)."
                         AND ".TB_PREF."debtor_trans.tran_date <= '$todate'
                         AND ".TB_PREF."debtor_trans.type <> 13
                         AND ".TB_PREF."debtors_master.debtor_no = ".TB_PREF."debtor_trans.debtor_no
@@ -74,7 +74,7 @@ function get_customer_details($customer_id, $to=null)
                WHERE
                     ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator
                     AND ".TB_PREF."debtors_master.credit_status = ".TB_PREF."credit_status.id
-                    AND ".TB_PREF."debtors_master.debtor_no = '$customer_id'";
+                    AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($customer_id);
 
        $result = db_query($sql,"The customer details could not be retrieved");
 
@@ -100,7 +100,7 @@ function get_customer_details($customer_id, $to=null)
 
 function get_customer($customer_id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."debtors_master WHERE debtor_no=$customer_id";
+       $sql = "SELECT * FROM ".TB_PREF."debtors_master WHERE debtor_no=".db_escape($customer_id);
 
        $result = db_query($sql, "could not get customer");
 
@@ -109,7 +109,7 @@ function get_customer($customer_id)
 
 function get_customer_name($customer_id)
 {
-       $sql = "SELECT name FROM ".TB_PREF."debtors_master WHERE debtor_no=$customer_id";
+       $sql = "SELECT name FROM ".TB_PREF."debtors_master WHERE debtor_no=".db_escape($customer_id);
 
        $result = db_query($sql, "could not get customer");
 
@@ -120,7 +120,7 @@ function get_customer_name($customer_id)
 
 function get_area_name($id)
 {
-       $sql = "SELECT description FROM ".TB_PREF."areas WHERE area_code=$id";
+       $sql = "SELECT description FROM ".TB_PREF."areas WHERE area_code=".db_escape($id);
 
        $result = db_query($sql, "could not get sales type");
 
@@ -130,7 +130,7 @@ function get_area_name($id)
 
 function get_salesman_name($id)
 {
-       $sql = "SELECT salesman_name FROM ".TB_PREF."salesman WHERE salesman_code=$id";
+       $sql = "SELECT salesman_name FROM ".TB_PREF."salesman WHERE salesman_code=".db_escape($id);
 
        $result = db_query($sql, "could not get sales type");
 
index 2d2e46964fd5616009d5c407577d06d97f203261..0d8c618aaae685396a96ceb2c3951214febd3256 100644 (file)
@@ -118,10 +118,13 @@ function delete_sales_order($order_no, $trans_type)
 {
        begin_transaction();
 
-       $sql = "DELETE FROM ".TB_PREF."sales_orders WHERE order_no=" . $order_no . " AND trans_type=".$trans_type;
+       $sql = "DELETE FROM ".TB_PREF."sales_orders WHERE order_no=" . db_escape($order_no) 
+               . " AND trans_type=".db_escape($trans_type);
+
        db_query($sql, "order Header Delete");
 
-       $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =" . $order_no . " AND trans_type=".$trans_type;
+       $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =" 
+               .db_escape($order_no) . " AND trans_type=".db_escape($trans_type);
        db_query($sql, "order Detail Delete");
 
        add_audit_trail($trans_type, $order_no, Today(), _("Deleted."));
@@ -153,7 +156,7 @@ function update_sales_order($order)
 
        begin_transaction();
 
-       $sql = "UPDATE ".TB_PREF."sales_orders SET type =".$order->so_type." ,
+       $sql = "UPDATE ".TB_PREF."sales_orders SET type =".db_escape($order->so_type)." ,
                debtor_no = " . db_escape($order->customer_id) . ",
                branch_code = " . db_escape($order->Branch) . ",
                customer_ref = ". db_escape($order->cust_ref) .",
@@ -196,8 +199,8 @@ function update_sales_order($order)
                                FROM ".TB_PREF."loc_stock, "
                                  .TB_PREF."locations
                                WHERE ".TB_PREF."loc_stock.loc_code=".TB_PREF."locations.loc_code
-                                AND ".TB_PREF."loc_stock.stock_id = '" . $line->stock_id . "'
-                                AND ".TB_PREF."loc_stock.loc_code = '" . $order->Location . "'";
+                                AND ".TB_PREF."loc_stock.stock_id = ".db_escape($line->stock_id)."
+                                AND ".TB_PREF."loc_stock.loc_code = ".db_escape($order->Location);
                        $res = db_query($sql,"a location could not be retreived");
                        $loc = db_fetch($res);
                        if ($loc['email'] != "")
@@ -287,8 +290,9 @@ function get_sales_order_header($order_no, $trans_type)
                AND ".TB_PREF."sales_orders.debtor_no = ".TB_PREF."debtors_master.debtor_no
                AND ".TB_PREF."locations.loc_code = ".TB_PREF."sales_orders.from_stk_loc
                AND ".TB_PREF."shippers.shipper_id = ".TB_PREF."sales_orders.ship_via
-               AND ".TB_PREF."sales_orders.trans_type = " . $trans_type ."
-               AND ".TB_PREF."sales_orders.order_no = " . $order_no ;
+               AND ".TB_PREF."sales_orders.trans_type = " . db_escape($trans_type) ."
+               AND ".TB_PREF."sales_orders.order_no = " . db_escape($order_no );
+
        $result = db_query($sql, "order Retreival");
 
        $num = db_num_rows($result);
@@ -319,7 +323,8 @@ function get_sales_order_details($order_no, $trans_type) {
                        .TB_PREF."stock_master.overhead_cost AS standard_cost
        FROM ".TB_PREF."sales_order_details, ".TB_PREF."stock_master
        WHERE ".TB_PREF."sales_order_details.stk_code = ".TB_PREF."stock_master.stock_id
-       AND order_no =" . $order_no . " AND trans_type = " . $trans_type . " ORDER BY id";
+       AND order_no =" . db_escape($order_no) 
+               ." AND trans_type = " . db_escape($trans_type) . " ORDER BY id";
 
        return db_query($sql, "Retreive order Line Items");
 }
@@ -375,7 +380,8 @@ function read_sales_order($order_no, &$order, $trans_type)
 function sales_order_has_deliveries($order_no)
 {
        $sql = "SELECT SUM(qty_sent) FROM ".TB_PREF.
-       "sales_order_details WHERE order_no=$order_no AND trans_type=".ST_SALESORDER."";
+       "sales_order_details WHERE order_no=".db_escape($order_no)
+       ." AND trans_type=".ST_SALESORDER."";
 
        $result = db_query($sql, "could not query for sales order usage");
 
@@ -390,7 +396,8 @@ function close_sales_order($order_no)
 {
        // set the quantity of each item to the already sent quantity. this will mark item as closed.
        $sql = "UPDATE ".TB_PREF."sales_order_details
-               SET quantity = qty_sent WHERE order_no = $order_no AND trans_type=".ST_SALESORDER."";
+               SET quantity = qty_sent WHERE order_no = ".db_escape($order_no)
+               ." AND trans_type=".ST_SALESORDER."";
 
        db_query($sql, "The sales order detail record could not be updated");
 }
@@ -405,7 +412,7 @@ function get_invoice_duedate($debtorno, $invdate)
        }
        $sql = "SELECT ".TB_PREF."debtors_master.debtor_no, ".TB_PREF."debtors_master.payment_terms, ".TB_PREF."payment_terms.* FROM ".TB_PREF."debtors_master,
                ".TB_PREF."payment_terms WHERE ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator AND
-               ".TB_PREF."debtors_master.debtor_no = '$debtorno'";
+               ".TB_PREF."debtors_master.debtor_no = ".db_escape($debtorno);
 
        $result = db_query($sql,"The customer details could not be retrieved");
        $myrow = db_fetch($result);
@@ -440,7 +447,7 @@ function get_customer_to_order($customer_id) {
                WHERE ".TB_PREF."debtors_master.sales_type="
                  .TB_PREF."sales_types.id
                AND ".TB_PREF."debtors_master.credit_status=".TB_PREF."credit_status.id
-               AND ".TB_PREF."debtors_master.debtor_no = '" . $customer_id . "'";
+               AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($customer_id);
 
        $result =db_query($sql,"Customer Record Retreive");
        return  db_fetch($result);
@@ -462,8 +469,8 @@ function get_branch_to_order($customer_id, $branch_id) {
                          .TB_PREF."locations
                        WHERE ".TB_PREF."cust_branch.tax_group_id = ".TB_PREF."tax_groups.id
                                AND ".TB_PREF."locations.loc_code=default_location
-                               AND ".TB_PREF."cust_branch.branch_code='" . $branch_id . "'
-                               AND ".TB_PREF."cust_branch.debtor_no = '" . $customer_id . "'";
+                               AND ".TB_PREF."cust_branch.branch_code=".db_escape($branch_id)."
+                               AND ".TB_PREF."cust_branch.debtor_no = ".db_escape($customer_id);
 
            return db_query($sql,"Customer Branch Record Retreive");
 }
index 35d220dd7bb0c4f8c27de9499c776dcf25d41014..c7ff404b9eb832b48b6d7b0a443c1dd0f8b6e71d 100644 (file)
@@ -25,7 +25,7 @@ function update_sales_point($id, $name, $location, $account, $cash, $credit)
                                .",pos_account=".db_escape($account)
                                .",cash_sale =$cash"
                                .",credit_sale =$credit"
-                               ." WHERE id = $id";
+                               ." WHERE id = ".db_escape($id);
        
        db_query($sql, "could not update sales type");                  
 }
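Review bot: `cash_sale =$cash` and `credit_sale =$credit` on the two context lines above the escaped `id` remain bare interpolations, so update_sales_point is still only partly covered by this change. The same db_escape call already works for the numeric `id` on this line, so `.",cash_sale =".db_escape($cash)` and `.",credit_sale =".db_escape($credit)` would make the statement uniformly escaped. update_sales_point starts before this hunk.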
@@ -47,7 +47,7 @@ function get_sales_point($id)
                .TB_PREF."sales_pos as pos
                LEFT JOIN ".TB_PREF."locations as loc on pos.pos_location=loc.loc_code
                LEFT JOIN ".TB_PREF."bank_accounts as acc on pos.pos_account=acc.id
-               WHERE pos.id='$id'";
+               WHERE pos.id=".db_escape($id);
        
        $result = db_query($sql, "could not get POS definition");
        
@@ -56,7 +56,7 @@ function get_sales_point($id)
 
 function get_sales_point_name($id)
 {
-       $sql = "SELECT pos_name FROM ".TB_PREF."sales_pos WHERE id=$id";
+       $sql = "SELECT pos_name FROM ".TB_PREF."sales_pos WHERE id=".db_escape($id);
        
        $result = db_query($sql, "could not get POS name");
        
@@ -66,7 +66,7 @@ function get_sales_point_name($id)
 
 function delete_sales_point($id)
 {
-       $sql="DELETE FROM ".TB_PREF."sales_pos WHERE id=$id";
+       $sql="DELETE FROM ".TB_PREF."sales_pos WHERE id=".db_escape($id);
        db_query($sql,"The point of sale record could not be deleted");
 }
 
index 9e462bc2a26c60e9991e3911579b538eaa19dbb7..22af8d72651ba193d5c8ca97927271edbe52ad4b 100644 (file)
@@ -11,7 +11,8 @@
 ***********************************************************************/
 function add_sales_type($name, $tax_included, $factor)
 {
-       $sql = "INSERT INTO ".TB_PREF."sales_types (sales_type,tax_included,factor) VALUES (".db_escape($name).",'$tax_included',$factor)";
+       $sql = "INSERT INTO ".TB_PREF."sales_types (sales_type,tax_included,factor) VALUES (".db_escape($name).","
+               .db_escape($tax_included).",".db_escape($factor).")";
        db_query($sql, "could not add sales type");             
 }
 
@@ -19,7 +20,7 @@ function update_sales_type($id, $name, $tax_included, $factor)
 {
 
        $sql = "UPDATE ".TB_PREF."sales_types SET sales_type = ".db_escape($name).",
-       tax_included =$tax_included, factor=$factor WHERE id = $id";
+       tax_included =".db_escape($tax_included).", factor=".db_escape($factor)." WHERE id = ".db_escape($id);
        
        db_query($sql, "could not update sales type");                  
 }
@@ -35,7 +36,7 @@ function get_all_sales_types($all=false)
 
 function get_sales_type($id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."sales_types WHERE id=$id";
+       $sql = "SELECT * FROM ".TB_PREF."sales_types WHERE id=".db_escape($id);
        
        $result = db_query($sql, "could not get sales type");
        
@@ -44,7 +45,7 @@ function get_sales_type($id)
 
 function get_sales_type_name($id)
 {
-       $sql = "SELECT sales_type FROM ".TB_PREF."sales_types WHERE id=$id";
+       $sql = "SELECT sales_type FROM ".TB_PREF."sales_types WHERE id=".db_escape($id);
        
        $result = db_query($sql, "could not get sales type");
        
@@ -54,10 +55,10 @@ function get_sales_type_name($id)
 
 function delete_sales_type($id)
 {
-       $sql="DELETE FROM ".TB_PREF."sales_types WHERE id=$id";
+       $sql="DELETE FROM ".TB_PREF."sales_types WHERE id=".db_escape($id);
        db_query($sql,"The Sales type record could not be deleted");
 
-       $sql ="DELETE FROM ".TB_PREF."prices WHERE sales_type_id='$id'";
+       $sql ="DELETE FROM ".TB_PREF."prices WHERE sales_type_id=".db_escape($id);
        db_query($sql,"The Sales type prices could not be deleted");
 }
 
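Review bot: delete_sales_type issues two DELETE statements (sales_types, then prices) with no transaction around them, unlike delete_sales_order elsewhere in this commit which opens begin_transaction() first, so a failure of the second statement leaves price rows pointing at a sales type that no longer exists. Wrapping both deletes in `begin_transaction();` and the matching commit call keeps them in step; deleting the dependent prices before the parent row would also be the safer order. The escaping change itself looks right.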
index fc6f290479c1e2b64348969da51b59bab84cf068..536458369b243695db5c789535d9e2897ee2442e 100644 (file)
@@ -92,15 +92,15 @@ function get_price ($stock_id, $currency, $sales_type_id, $factor=null, $date=nu
                $myrow = get_sales_type($sales_type_id);
                $factor = $myrow['factor'];
        }
-           
+
        $add_pct = get_company_pref('add_pct');
        $base_id = get_base_sales_type();
     $home_curr = get_company_currency();
        //      AND (sales_type_id = $sales_type_id     OR sales_type_id = $base_id)
        $sql = "SELECT price, curr_abrev, sales_type_id
                FROM ".TB_PREF."prices
-               WHERE stock_id = '$stock_id' 
-                       AND (curr_abrev = '$currency' OR curr_abrev = '$home_curr')";
+               WHERE stock_id = ".db_escape($stock_id)."
+                       AND (curr_abrev = ".db_escape($currency)." OR curr_abrev = ".db_escape($home_curr).")";
 
        $result = db_query($sql, "There was a problem retrieving the pricing information for the part $stock_id for customer");
        $num_rows = db_num_rows($result);
@@ -188,7 +188,7 @@ function set_document_parent($cart)
        $del_no = reset(array_keys($cart->src_docs));
 
        $sql = 'UPDATE '.TB_PREF.'debtor_trans SET trans_link = ' . $del_no .
-               ' WHERE type='.$cart->trans_type.' AND trans_no='. $inv_no ;
+               ' WHERE type=".db_escape($cart->trans_type)." AND trans_no='. $inv_no ;
        db_query($sql, 'Child document link cannot be updated');
 
        }
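Review bot: The rewritten line `' WHERE type=".db_escape($cart->trans_type)." AND trans_no='. $inv_no` sits inside a single-quoted PHP string, so `".db_escape($cart->trans_type)."` is emitted literally into the SQL instead of being evaluated, and the UPDATE will fail with a syntax error on every call. The line should read `' WHERE type='.db_escape($cart->trans_type).' AND trans_no='.db_escape($inv_no);`, and `trans_link = ' . $del_no` on the line above could take db_escape for consistency. set_document_parent starts before this hunk.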
@@ -236,11 +236,11 @@ function update_parent_line($doc_type, $line_id, $qty_dispatched)
                if ($doc_type==ST_SALESORDER)
                        $sql = "UPDATE ".TB_PREF."sales_order_details
                                SET qty_sent = qty_sent + $qty_dispatched
-                               WHERE id=$line_id";
+                               WHERE id=".db_escape($line_id);
                else
                        $sql = "UPDATE ".TB_PREF."debtor_trans_details
                                SET qty_done = qty_done + $qty_dispatched
-                               WHERE id=$line_id";
+                               WHERE id=".db_escape($line_id);
        }
        db_query($sql, "The parent document detail record could not be updated");
        return true;
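Review bot: `SET qty_sent = qty_sent + $qty_dispatched` and `SET qty_done = qty_done + $qty_dispatched` are still raw interpolations in both branches; only the `id` operand was escaped. Unless the caller guarantees a number, use `qty_sent = qty_sent + ".db_escape($qty_dispatched)."` and the same for qty_done so the whole statement is built the same way. update_parent_line starts before this hunk.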
@@ -253,7 +253,7 @@ function get_location(&$cart)
 {
        $sql = "SELECT ".TB_PREF."locations.* FROM ".TB_PREF."stock_moves,"
                .TB_PREF."locations".
-               " WHERE type=".$cart->trans_type.
+               " WHERE type=".db_escape($cart->trans_type).
                " AND trans_no=".key($cart->trans_no).
                " AND qty!=0 ".
                " AND ".TB_PREF."locations.loc_code=".TB_PREF."stock_moves.loc_code";
index 252e961154d203d08386a0b17d575e2eca3e0704..fae2ad0ff7c0c840558e3b3f1bef71d75e9e22e9 100644 (file)
@@ -161,7 +161,7 @@ function fmt_credit($row)
                AND trans.tran_date <= '$date_to'";
 
        if ($_POST['customer_id'] != ALL_TEXT)
-               $sql .= " AND trans.debtor_no = '" . $_POST['customer_id'] . "'";
+               $sql .= " AND trans.debtor_no = ".db_escape($_POST['customer_id']);
 
        if (isset($_POST['filterType']) && $_POST['filterType'] != ALL_TEXT)
        {
index 5315aa2d988cfb02ff7cf3a4c7e59db6ba625af5..b076faadc6a29c688e8e73f10657a929b43cb24f 100644 (file)
@@ -216,6 +216,7 @@ function check_overdue($row)
                debtor.name, 
                branch.br_name,
                debtor.curr_code,
+               @bal := @bal+trans.ov_amount,
                (trans.ov_amount + trans.ov_gst + trans.ov_freight 
                        + trans.ov_freight_tax + trans.ov_discount)     AS TotalAmount, 
                trans.alloc AS Allocated,
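Review bot: The new running-balance expression `@bal := @bal+trans.ov_amount` accumulates only `ov_amount`, whereas the `TotalAmount` column right below it is `ov_amount + ov_gst + ov_freight + ov_freight_tax + ov_discount`, so the balance will diverge from the displayed totals on any transaction carrying tax, freight or discount. If a running balance of the displayed amounts is intended, use the same sum: `@bal := @bal + trans.ov_amount + trans.ov_gst + trans.ov_freight + trans.ov_freight_tax + trans.ov_discount,`. A session variable also only accumulates in the order rows are returned, so the column is only meaningful under the ORDER BY the pager applies, which this hunk does not show. The SELECT this belongs to begins before the hunk.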
@@ -231,7 +232,7 @@ function check_overdue($row)
                        AND trans.branch_code = branch.branch_code";
 
        if ($_POST['customer_id'] != ALL_TEXT)
-               $sql .= " AND trans.debtor_no = '" . $_POST['customer_id'] . "'";
+               $sql .= " AND trans.debtor_no = ".db_escape($_POST['customer_id']);
 
        if ($_POST['filterType'] != ALL_TEXT)
        {
@@ -267,6 +268,7 @@ function check_overdue($row)
        }
 
 //------------------------------------------------------------------------------------------------
+db_query("set @bal:=0");
 
 $cols = array(
        _("Type") => array('fun'=>'systype_name', 'ord'=>''),
@@ -278,6 +280,7 @@ $cols = array(
        _("Customer") => array('ord'=>''), 
        _("Branch") => array('ord'=>''), 
        _("Currency") => array('align'=>'center'),
+       _("RB"),
        _("Debit") => array('align'=>'right', 'fun'=>'fmt_debit'), 
        _("Credit") => array('align'=>'right','insert'=>true, 'fun'=>'fmt_credit'), 
                array('insert'=>true, 'fun'=>'gl_view'),
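Review bot: `db_query("set @bal:=0")` resets the session variable once while the page is built, but the `@bal := ...` column in the inquiry SELECT is re-evaluated every time the pager re-runs the query, and the reset only helps if it runs on the same connection immediately before each execution; that coupling is invisible to the next maintainer and deserves a comment such as `// reset the running-balance accumulator read by the @bal column in the inquiry SELECT; must run on the same connection, right before the query`. The new column label `_("RB")` is opaque to users and translators — `_("Running Balance")` would be clearer — and unlike the Debit/Credit columns it has no formatting callback, so it will presumably print the raw numeric value.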
index 9e4a03a66efaf4aa811d9a326087d4d761029a1a..72e6d132da71930d9f5e84a1a0bdb40aa0d3d9c2 100644 (file)
@@ -204,7 +204,8 @@ if ($_POST['OutstandingOnly'] == true) {
 //figure out the sql required from the inputs available
 if (isset($_POST['DeliveryNumber']) && $_POST['DeliveryNumber'] != "")
 {
-       $sql .= " AND trans.trans_no LIKE '%". $_POST['DeliveryNumber'] ."'";
+       $delivery = "%".$_POST['DeliveryNumber'];
+       $sql .= " AND trans.trans_no LIKE ".db_escape($delivery);
        $sql .= " GROUP BY trans.trans_no";
 }
 else
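Review bot: db_escape quotes the posted DeliveryNumber but does not neutralise LIKE metacharacters, so a value containing `%` or `_` widens the match (a lone `%` matches every delivery). Since trans_no is presumably numeric, the simplest fix is to strip or reject non-digits before building the pattern, e.g. `$delivery = "%".preg_replace('/[^0-9]/', '', $_POST['DeliveryNumber']);`. The if/else this belongs to continues past the hunk.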
@@ -213,13 +214,13 @@ else
        $sql .= " AND trans.tran_date <= '".date2sql($_POST['DeliveryToDate'])."'";
 
        if ($selected_customer != -1)
-               $sql .= " AND trans.debtor_no='" . $selected_customer . "' ";
+               $sql .= " AND trans.debtor_no=".db_escape($selected_customer)." ";
 
        if (isset($selected_stock_item))
-               $sql .= " AND line.stock_id='". $selected_stock_item ."' ";
+               $sql .= " AND line.stock_id=".db_escape($selected_stock_item)." ";
 
        if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != ALL_TEXT)
-               $sql .= " AND sorder.from_stk_loc = '". $_POST['StockLocation'] . "' ";
+               $sql .= " AND sorder.from_stk_loc = ".db_escape($_POST['StockLocation'])." ";
 
        $sql .= " GROUP BY trans.trans_no ";
 
index 9a0be7a5ab0c2d139695a5bf9d60fe1da87c3e47..dac158eaf7c133aa31679c9a2611f13ba8f25982 100644 (file)
@@ -275,8 +275,9 @@ $sql = "SELECT
 
 if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "")
 {
-       // search orders with number like ...
-       $sql .= " AND sorder.order_no LIKE '%". $_POST['OrderNumber'] ."'"
+       // search orders with number like 
+       $number_like = "%".$_POST['OrderNumber'];
+       $sql .= " AND sorder.order_no LIKE ".db_escape($number_like)
                        ." GROUP BY sorder.order_no";
 }
 else   // ... or select inquiry constraints
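Review bot: The same LIKE-wildcard gap applies to OrderNumber: db_escape prevents injection, but `%` or `_` in the posted value still act as wildcards against `sorder.order_no`. Restricting the input to digits before prefixing `%` — `$number_like = "%".preg_replace('/[^0-9]/', '', $_POST['OrderNumber']);` — closes that if order numbers are numeric, as they appear to be. The if/else continues past the hunk.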
@@ -292,13 +293,13 @@ else      // ... or select inquiry constraints
        if ($trans_type == 32 && !check_value('show_all'))
                $sql .= " AND sorder.delivery_date >= '".date2sql(Today())."'";
        if ($selected_customer != -1)
-               $sql .= " AND sorder.debtor_no='" . $selected_customer . "'";
+               $sql .= " AND sorder.debtor_no=".db_escape($selected_customer);
 
        if (isset($selected_stock_item))
-               $sql .= " AND line.stk_code='". $selected_stock_item ."'";
+               $sql .= " AND line.stk_code=".db_escape($selected_stock_item);
 
        if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != ALL_TEXT)
-               $sql .= " AND sorder.from_stk_loc = '". $_POST['StockLocation'] . "' ";
+               $sql .= " AND sorder.from_stk_loc = ".db_escape($_POST['StockLocation']);
 
        if ($_POST['order_view_mode']=='OutstandingOnly')
                $sql .= " AND line.qty_sent < line.quantity";
index 097956b7de2dce13fee9f0a75cce1676045e6533..8bc3683ca6c8215570f67f7ddf32d5ba490b3676 100644 (file)
@@ -59,7 +59,7 @@ if ($Mode=='UPDATE_ITEM' && can_process())
 function can_delete($selected_id)
 {
        $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtors_master 
-               WHERE credit_status=$selected_id";
+               WHERE credit_status=".db_escape($selected_id);
        $result = db_query($sql, "could not query customers");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
index af6cd9968724a2edda2f99569cd7d9f6f33ecdf4..849ac557786c42867421968265c7e6958ed49f73 100644 (file)
@@ -148,7 +148,7 @@ elseif ($Mode == 'Delete')
 
        // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtor_trans'
 
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no = '" . $_POST['customer_id']. "'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no = ".db_escape($_POST['customer_id']);
        $result = db_query($sql,"could not query debtortrans");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0)
@@ -158,7 +158,7 @@ elseif ($Mode == 'Delete')
        }
        else
        {
-               $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no = '" . $_POST['customer_id']. "'";
+               $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no = ".db_escape($_POST['customer_id']);
                $result = db_query($sql,"could not query sales orders");
 
                $myrow = db_fetch_row($result);
@@ -168,7 +168,7 @@ elseif ($Mode == 'Delete')
                }
                else
                {
-                       $sql="DELETE FROM ".TB_PREF."cust_branch WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no='" . $_POST['customer_id']. "'";
+                       $sql="DELETE FROM ".TB_PREF."cust_branch WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no=".db_escape($_POST['customer_id']);
                        db_query($sql,"could not delete branch");
                        display_notification(_('Selected customer branch has been deleted'));
                }
@@ -232,7 +232,7 @@ $num_branches = db_customer_has_branches($_POST['customer_id']);
                AND b.tax_group_id=t.id
                AND b.area=a.area_code
                AND b.salesman=s.salesman_code
-               AND b.debtor_no = '" . $_POST['customer_id']. "'";
+               AND b.debtor_no = ".db_escape($_POST['customer_id']);
 
        if (!get_post('show_inactive')) $sql .= " AND !b.inactive";
 //------------------------------------------------------------------------------------------------
@@ -280,8 +280,8 @@ if ($selected_id != -1)
 
                //editing an existing branch
        $sql = "SELECT * FROM ".TB_PREF."cust_branch
-                       WHERE branch_code='" . $_POST['branch_code'] . "'
-                       AND debtor_no='" . $_POST['customer_id'] . "'";
+                       WHERE branch_code=".db_escape($_POST['branch_code'])."
+                       AND debtor_no=".db_escape($_POST['customer_id']);
                $result = db_query($sql,"check failed");
            $myrow = db_fetch($result);
                set_focus('br_name');
@@ -314,7 +314,7 @@ elseif ($Mode != 'ADD_ITEM')
 { //end of if $SelectedBranch only do the else when a new record is being entered
        if(!$num_branches) {
                $sql = "SELECT name, address, email, debtor_ref
-                       FROM ".TB_PREF."debtors_master WHERE debtor_no = '" . $_POST['customer_id']. "'";
+                       FROM ".TB_PREF."debtors_master WHERE debtor_no = ".db_escape($_POST['customer_id']);
                $result = db_query($sql,"check failed");
                $myrow = db_fetch($result);
                $_POST['br_name'] = $myrow["name"];
index 017d1607b7228da79224bc25810e03a83c832a62..3b967e886a210046fe6ab705e218503bc1e3f09f 100644 (file)
@@ -93,7 +93,7 @@ function handle_submit()
             credit_limit=" . input_num('credit_limit') . ", 
             sales_type = ".db_escape($_POST['sales_type']) . ", 
             notes=".db_escape($_POST['notes']) . "
-            WHERE debtor_no = '". $_POST['customer_id'] . "'";
+            WHERE debtor_no = ".db_escape($_POST['customer_id']);
 
                db_query($sql,"The customer could not be updated");
 
index cdbc3bfaa2dc33a048df928ee4a429597df7b35f..a1b0bdec6f3595a41d836a5587fa70e348695f93 100644 (file)
@@ -49,7 +49,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
                        monthly=".input_num('monthly', 0).", 
                        begin='".date2sql($_POST['begin'])."', 
                        end='".date2sql($_POST['end'])."' 
-                       WHERE id = '$selected_id'";
+                       WHERE id = ".db_escape($selected_id);
                        $note = _('Selected recurrent invoice has been updated');
        } 
        else 
@@ -75,7 +75,7 @@ if ($Mode == 'Delete')
 
        if ($cancel_delete == 0) 
        {
-               $sql="DELETE FROM ".TB_PREF."recurrent_invoices WHERE id='" . $selected_id . "'";
+               $sql="DELETE FROM ".TB_PREF."recurrent_invoices WHERE id=".db_escape($selected_id);
                db_query($sql,"could not delete recurrent invoice");
 
                display_notification(_('Selected recurrent invoice has been deleted'));
@@ -91,7 +91,7 @@ if ($Mode == 'RESET')
 //-------------------------------------------------------------------------------------------------
 function get_sales_group_name($group_no)
 {
-       $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = $group_no";
+       $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = ".db_escape($group_no);
        $result = db_query($sql, "could not get group");
        $row = db_fetch($result);
        return $row[0];
@@ -149,7 +149,7 @@ if ($selected_id != -1)
 {
        if ($Mode == 'Edit') {
                //editing an existing area
-               $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id='$selected_id'";
+               $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id=".db_escape($selected_id);
 
                $result = db_query($sql,"could not get recurrent invoice");
                $myrow = db_fetch($result);
index 3fd37dd23c1aed87d1965463e9faf8f18b16ddbf..64f043fc2dd5a313719c00b2d5d08ab920bd0f73 100644 (file)
@@ -35,7 +35,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
        {
        if ($selected_id != -1) 
        {
-               $sql = "UPDATE ".TB_PREF."areas SET description=".db_escape($_POST['description'])." WHERE area_code = '$selected_id'";
+               $sql = "UPDATE ".TB_PREF."areas SET description=".db_escape($_POST['description'])." WHERE area_code = ".db_escape($selected_id);
                        $note = _('Selected sales area has been updated');
        } 
        else 
@@ -57,7 +57,7 @@ if ($Mode == 'Delete')
 
        // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtors_master'
 
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE area='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE area=".db_escape($selected_id);
        $result = db_query($sql,"check failed");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
@@ -67,7 +67,7 @@ if ($Mode == 'Delete')
        } 
        if ($cancel_delete == 0) 
        {
-               $sql="DELETE FROM ".TB_PREF."areas WHERE area_code='" . $selected_id . "'";
+               $sql="DELETE FROM ".TB_PREF."areas WHERE area_code=".db_escape($selected_id);
                db_query($sql,"could not delete sales area");
 
                display_notification(_('Selected sales area has been deleted'));
@@ -124,7 +124,7 @@ if ($selected_id != -1)
 {
        if ($Mode == 'Edit') {
                //editing an existing area
-               $sql = "SELECT * FROM ".TB_PREF."areas WHERE area_code='$selected_id'";
+               $sql = "SELECT * FROM ".TB_PREF."areas WHERE area_code=".db_escape($selected_id);
 
                $result = db_query($sql,"could not get area");
                $myrow = db_fetch($result);
index 4978299f6b7b2a0d278309d7c092406a67d1c9b7..0a922d4cd0a2289bc16f9ab861780f0f7b277c9d 100644 (file)
@@ -35,7 +35,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
        {
        if ($selected_id != -1) 
        {
-               $sql = "UPDATE ".TB_PREF."groups SET description=".db_escape($_POST['description'])." WHERE id = '$selected_id'";
+               $sql = "UPDATE ".TB_PREF."groups SET description=".db_escape($_POST['description'])." WHERE id = ".db_escape($selected_id);
                        $note = _('Selected sales group has been updated');
        } 
        else 
@@ -57,7 +57,7 @@ if ($Mode == 'Delete')
 
        // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtors_master'
 
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE group_no='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE group_no=".db_escape($selected_id);
        $result = db_query($sql,"check failed");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
@@ -67,7 +67,7 @@ if ($Mode == 'Delete')
        } 
        if ($cancel_delete == 0) 
        {
-               $sql="DELETE FROM ".TB_PREF."groups WHERE id='" . $selected_id . "'";
+               $sql="DELETE FROM ".TB_PREF."groups WHERE id=".db_escape($selected_id);
                db_query($sql,"could not delete sales group");
 
                display_notification(_('Selected sales group has been deleted'));
@@ -122,7 +122,7 @@ if ($selected_id != -1)
 {
        if ($Mode == 'Edit') {
                //editing an existing area
-               $sql = "SELECT * FROM ".TB_PREF."groups WHERE id='$selected_id'";
+               $sql = "SELECT * FROM ".TB_PREF."groups WHERE id=".db_escape($selected_id);
 
                $result = db_query($sql,"could not get group");
                $myrow = db_fetch($result);
index 8546ba7e38d1f7d3578a3e33e5b02b3ea0ffadd4..30e4c5561826a56edd26e1177166a2a36261adc1 100644 (file)
@@ -56,7 +56,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
                        provision=".input_num('provision').",
                        break_pt=".input_num('break_pt').",
                        provision2=".input_num('provision2')."
-                       WHERE salesman_code = '$selected_id'";
+                       WHERE salesman_code = ".db_escape($selected_id);
        }
        else
        {
@@ -86,7 +86,7 @@ if ($Mode == 'Delete')
 
        // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtors_master'
 
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE salesman='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE salesman=".db_escape($selected_id);
        $result = db_query($sql,"check failed");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0)
@@ -95,7 +95,7 @@ if ($Mode == 'Delete')
        }
        else
        {
-               $sql="DELETE FROM ".TB_PREF."salesman WHERE salesman_code='$selected_id'";
+               $sql="DELETE FROM ".TB_PREF."salesman WHERE salesman_code=".db_escape($selected_id);
                db_query($sql,"The sales-person could not be deleted");
                display_notification(_('Selected sales person data have been deleted'));
        }
@@ -154,7 +154,7 @@ if ($selected_id != -1)
 {
        if ($Mode == 'Edit') {
                //editing an existing Sales-person
-               $sql = "SELECT *  FROM ".TB_PREF."salesman WHERE salesman_code='$selected_id'";
+               $sql = "SELECT *  FROM ".TB_PREF."salesman WHERE salesman_code=".db_escape($selected_id);
 
                $result = db_query($sql,"could not get sales person");
                $myrow = db_fetch($result);
index 75a504fa5c70a835abf91f2f30af8c7f5377818e..4d9d1f08a54a753940613792eabd3f56d4643bfb 100644 (file)
@@ -66,7 +66,7 @@ if ($Mode == 'Delete')
 {
        // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtor_trans'
 
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE tpe='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE tpe=".db_escape($selected_id);
        $result = db_query($sql,"check failed");
        check_db_error("The number of transactions using this Sales type record could not be retrieved", $sql);
 
@@ -79,7 +79,7 @@ if ($Mode == 'Delete')
        else
        {
 
-               $sql = "SELECT COUNT(*) FROM ".TB_PREF."debtors_master WHERE sales_type='$selected_id'";
+               $sql = "SELECT COUNT(*) FROM ".TB_PREF."debtors_master WHERE sales_type=".db_escape($selected_id);
                $result = db_query($sql,"check failed");
                check_db_error("The number of customers using this Sales type record could not be retrieved", $sql);
 
index 352b68234a28dd0b23c0aa532aeb5cd6d4d64d98..8120332b5d265dc84a94268deb9e3bf16c72f002 100644 (file)
@@ -90,10 +90,11 @@ if ($_GET['trans_type'] != ST_SALESQUOTE)
        start_table($table_style);
        display_heading2(_("Delivery Notes"));
 
+
        $th = array(_("#"), _("Ref"), _("Date"), _("Total"));
        table_header($th);
 
-       $sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=".ST_CUSTDELIVERY." AND order_=" . $_GET['trans_no'];
+       $sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=".ST_CUSTDELIVERY." AND order_=".db_escape($_GET['trans_no']);
        $result = db_query($sql,"The related delivery notes could not be retreived");
 
        $delivery_total = 0;
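Review bot: The changed query still compares `order_` against whatever string the client sent in `$_GET['trans_no']`; `db_escape` keeps it inside the literal, but since `trans_no` is a transaction number (presumably an integer column), an explicit cast such as `AND order_=".(int)$_GET['trans_no']` would reject non-numeric input outright and make the expected type visible at the call site. The same construction is repeated in the two following hunks for invoices and credit notes, so any change here should be mirrored there. The added blank line after `display_heading2` is an unrelated whitespace-only edit in a security-fix commit and could be dropped to keep the diff focused. The enclosing `if ($_GET['trans_type'] != ST_SALESQUOTE)` block starts above the hunk.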
@@ -126,7 +127,7 @@ if ($_GET['trans_type'] != ST_SALESQUOTE)
        $th = array(_("#"), _("Ref"), _("Date"), _("Total"));
        table_header($th);
 
-       $sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=".ST_SALESINVOICE." AND order_=" . $_GET['trans_no'];
+       $sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=".ST_SALESINVOICE." AND order_=".db_escape($_GET['trans_no']);
        $result = db_query($sql,"The related invoices could not be retreived");
 
        $invoices_total = 0;
@@ -158,7 +159,7 @@ if ($_GET['trans_type'] != ST_SALESQUOTE)
        $th = array(_("#"), _("Ref"), _("Date"), _("Total"));
        table_header($th);
 
-       $sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=".ST_CUSTCREDIT." AND order_=" . $_GET['trans_no'];
+       $sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=".ST_CUSTCREDIT." AND order_=".db_escape($_GET['trans_no']);
        $result = db_query($sql,"The related credit notes could not be retreived");
 
        $credits_total = 0;
index 3a99f9babeba67185d37b449e1e69f04c1761865..7e034e4b746242bd4f3abd47bf770726128d877a 100644 (file)
@@ -14,7 +14,7 @@ function add_item_tax_type($name, $exempt, $exempt_from)
        begin_transaction();
        
        $sql = "INSERT INTO ".TB_PREF."item_tax_types (name, exempt) 
-               VALUES (".db_escape($name).",$exempt)";
+               VALUES (".db_escape($name).",".db_escape($exempt).")";
                
        db_query($sql, "could not add item tax type");  
        
@@ -31,7 +31,7 @@ function update_item_tax_type($id, $name, $exempt, $exempt_from)
        begin_transaction();
        
        $sql = "UPDATE ".TB_PREF."item_tax_types SET name=".db_escape($name).
-       ",      exempt=$exempt WHERE id=$id";
+       ",      exempt=".db_escape($exempt)." WHERE id=".db_escape($id);
        
        db_query($sql, "could not update item tax type");       
        
@@ -51,7 +51,7 @@ function get_all_item_tax_types()
 
 function get_item_tax_type($id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."item_tax_types WHERE id=$id";
+       $sql = "SELECT * FROM ".TB_PREF."item_tax_types WHERE id=".db_escape($id);
        
        $result = db_query($sql, "could not get item tax type");
        
@@ -60,7 +60,8 @@ function get_item_tax_type($id)
 
 function get_item_tax_type_for_item($stock_id)
 {
-       $sql = "SELECT ".TB_PREF."item_tax_types.* FROM ".TB_PREF."item_tax_types,".TB_PREF."stock_master WHERE ".TB_PREF."stock_master.stock_id='$stock_id'
+       $sql = "SELECT ".TB_PREF."item_tax_types.* FROM ".TB_PREF."item_tax_types,".TB_PREF."stock_master WHERE 
+               ".TB_PREF."stock_master.stock_id=".db_escape($stock_id)."
                AND ".TB_PREF."item_tax_types.id=".TB_PREF."stock_master.tax_type_id";
        
        $result = db_query($sql, "could not get item tax type");
@@ -72,7 +73,7 @@ function delete_item_tax_type($id)
 {
        begin_transaction();
                
-       $sql = "DELETE FROM ".TB_PREF."item_tax_types WHERE id=$id";
+       $sql = "DELETE FROM ".TB_PREF."item_tax_types WHERE id=".db_escape($id);
                
        db_query($sql, "could not delete item tax type");
        // also delete all exemptions
@@ -86,21 +87,21 @@ function add_item_tax_type_exemptions($id, $exemptions)
        for ($i = 0; $i < count($exemptions); $i++) 
        {
                $sql = "INSERT INTO ".TB_PREF."item_tax_type_exemptions (item_tax_type_id, tax_type_id)
-                       VALUES ($id,  " . $exemptions[$i] . ")";
+                       VALUES (".db_escape($id).",  ".db_escape($exemptions[$i]).")";
                db_query($sql, "could not add item tax type exemptions");                                       
        }               
 }
 
 function delete_item_tax_type_exemptions($id)
 {
-       $sql = "DELETE FROM ".TB_PREF."item_tax_type_exemptions WHERE item_tax_type_id=$id";
+       $sql = "DELETE FROM ".TB_PREF."item_tax_type_exemptions WHERE item_tax_type_id=".db_escape($id);
        
        db_query($sql, "could not delete item tax type exemptions");                                    
 }
 
 function get_item_tax_type_exemptions($id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."item_tax_type_exemptions WHERE item_tax_type_id=$id";
+       $sql = "SELECT * FROM ".TB_PREF."item_tax_type_exemptions WHERE item_tax_type_id=".db_escape($id);
        
        return db_query($sql, "could not get item tax type exemptions");
 }
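Review bot: `add_item_tax_type_exemptions` at the top of the hunk still iterates by index and re-evaluates `count($exemptions)` on every pass, while the only thing the body needs is each element; now that each operand is escaped separately, `foreach ($exemptions as $tax_type_id)` with `db_escape($tax_type_id)` in the VALUES clause reads more directly and removes the `$i` bookkeeping. This is a style point only, behaviour is the same for a list-shaped `$exemptions`; if callers can pass a non-list array the index form is the one that would silently skip entries, which is one more reason to prefer `foreach`. The function signature sits above the hunk.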
index df48e0a1793d3b6a370825df7c7f4aaa0535cb8a..392ec8cbbec5528c1a49234df3658742d0d8f1e9 100644 (file)
@@ -21,7 +21,7 @@ function add_tax_group($name, $tax_shipping, $taxes, $rates)
        if($tax_shipping)       // only one tax group for shipping
          clear_shipping_tax_group();
                
-       $sql = "INSERT INTO ".TB_PREF."tax_groups (name, tax_shipping) VALUES (".db_escape($name).", $tax_shipping)";
+       $sql = "INSERT INTO ".TB_PREF."tax_groups (name, tax_shipping) VALUES (".db_escape($name).", ".db_escape($tax_shipping).")";
        db_query($sql, "could not add tax group");
        
        $id = db_insert_id();
@@ -38,7 +38,7 @@ function update_tax_group($id, $name, $tax_shipping, $taxes, $rates)
        if($tax_shipping)       // only one tax group for shipping
          clear_shipping_tax_group();
        
-    $sql = "UPDATE ".TB_PREF."tax_groups SET name=".db_escape($name).",tax_shipping=$tax_shipping WHERE id=$id";
+    $sql = "UPDATE ".TB_PREF."tax_groups SET name=".db_escape($name).",tax_shipping=".db_escape($tax_shipping)." WHERE id=".db_escape($id);
        db_query($sql, "could not update tax group");
        
        delete_tax_group_items($id);
@@ -57,7 +57,7 @@ function get_all_tax_groups($all=false)
 
 function get_tax_group($type_id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."tax_groups WHERE id=$type_id";
+       $sql = "SELECT * FROM ".TB_PREF."tax_groups WHERE id=".db_escape($type_id);
        
        $result = db_query($sql, "could not get tax group");
        
@@ -68,7 +68,7 @@ function delete_tax_group($id)
 {
        begin_transaction();
                
-       $sql = "DELETE FROM ".TB_PREF."tax_groups WHERE id=$id";
+       $sql = "DELETE FROM ".TB_PREF."tax_groups WHERE id=".db_escape($id);
                
        db_query($sql, "could not delete tax group");
        
@@ -82,14 +82,14 @@ function add_tax_group_items($id, $items, $rates)
        for ($i=0; $i < count($items); $i++) 
        {
                $sql = "INSERT INTO ".TB_PREF."tax_group_items (tax_group_id, tax_type_id, rate)
-                       VALUES ($id,  " . $items[$i] . ", " . $rates[$i] .")";
+                       VALUES (".db_escape($id).",  ".db_escape($items[$i]).", " . $rates[$i] .")";
                db_query($sql, "could not add item tax group item");                                    
        }               
 }
 
 function delete_tax_group_items($id)
 {
-       $sql = "DELETE FROM ".TB_PREF."tax_group_items WHERE tax_group_id=$id";
+       $sql = "DELETE FROM ".TB_PREF."tax_group_items WHERE tax_group_id=".db_escape($id);
        
        db_query($sql, "could not delete item tax group items");                                        
 }
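Review bot: In `add_tax_group_items` the new VALUES line escapes `$id` and `$items[$i]` but still concatenates `$rates[$i]` raw, so one operand of the same INSERT is left outside the fix this commit makes; it should read `VALUES (".db_escape($id).", ".db_escape($items[$i]).", ".db_escape($rates[$i]).")";`. If the caller already guarantees numeric rates, a cast such as `(float)$rates[$i]` would document that assumption instead, but the caller is not visible here. The same partial coverage appears in `update_tax_type` later in this commit, where `rate=$rate` on the context line just before the newly escaped `WHERE id=` remains interpolated and should become `rate=".db_escape($rate).",`. In both places the function signature and the start of the statement are above the hunk, and the loop header here also assumes `$items` and `$rates` have the same length without checking.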
@@ -99,7 +99,7 @@ function get_tax_group_items($id)
        $sql = "SELECT ".TB_PREF."tax_group_items.*, ".TB_PREF."tax_types.name AS tax_type_name, 
                ".TB_PREF."tax_types.sales_gl_code, ".TB_PREF."tax_types.purchasing_gl_code  
                FROM ".TB_PREF."tax_group_items, ".TB_PREF."tax_types 
-               WHERE tax_group_id=$id
+               WHERE tax_group_id=".db_escape($id)."
                        AND ".TB_PREF."tax_types.id=tax_type_id";
        
        return db_query($sql, "could not get item tax type group items");
index 52ee5eea956c4bf619df293c3a01b0bd9e386cf8..e57ffb356bfbb171d10ca0bec47a695c5d0aca7b 100644 (file)
@@ -24,7 +24,7 @@ function update_tax_type($type_id, $name, $sales_gl_code, $purchasing_gl_code, $
                sales_gl_code=".db_escape($sales_gl_code).",
                purchasing_gl_code=".db_escape($purchasing_gl_code).",
                rate=$rate
-               WHERE id=$type_id";
+               WHERE id=".db_escape($type_id);
 
        db_query($sql, "could not update tax type");
 }
@@ -58,7 +58,7 @@ function get_tax_type($type_id)
                FROM ".TB_PREF."tax_types, ".TB_PREF."chart_master AS Chart1,
                ".TB_PREF."chart_master AS Chart2
                WHERE ".TB_PREF."tax_types.sales_gl_code = Chart1.account_code
-               AND ".TB_PREF."tax_types.purchasing_gl_code = Chart2.account_code AND id=$type_id";
+               AND ".TB_PREF."tax_types.purchasing_gl_code = Chart2.account_code AND id=".db_escape($type_id);
 
        $result = db_query($sql, "could not get tax type");
        return db_fetch($result);
@@ -66,7 +66,7 @@ function get_tax_type($type_id)
 
 function get_tax_type_default_rate($type_id)
 {
-       $sql = "SELECT rate FROM ".TB_PREF."tax_types WHERE id=$type_id";
+       $sql = "SELECT rate FROM ".TB_PREF."tax_types WHERE id=".db_escape($type_id);
 
        $result = db_query($sql, "could not get tax type rate");
 
@@ -78,7 +78,7 @@ function delete_tax_type($type_id)
 {
        begin_transaction();
 
-       $sql = "DELETE FROM ".TB_PREF."tax_types WHERE id=$type_id";
+       $sql = "DELETE FROM ".TB_PREF."tax_types WHERE id=".db_escape($type_id);
 
        db_query($sql, "could not delete tax type");
 
index 817ce4ecd48d30b0e01cb982dca5d718ea316ccb..e6c1b104ef8c2b1a6e1f15fc63405ad2f7d90651 100644 (file)
@@ -72,7 +72,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
 
 function can_delete($selected_id)
 {
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE tax_type_id=$selected_id";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE tax_type_id=".db_escape($selected_id);
        $result = db_query($sql, "could not query stock master");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
index 1209d62133eca1f355f073e7f2a464b95b999aaa..7107cdca7a75c8f6732e533231faeda6c84cc92e 100644 (file)
@@ -210,7 +210,7 @@ function get_tax_for_items($items, $prices, $shipping_cost, $tax_group, $tax_inc
 function is_tax_account($account_code)
 {
        $sql= "SELECT id FROM ".TB_PREF."tax_types WHERE 
-               sales_gl_code='$account_code' OR purchasing_gl_code='$account_code'";
+               sales_gl_code=".db_escape($account_code)." OR purchasing_gl_code=".db_escape($account_code);
        $result = db_query($sql, "checking account is tax account");
        if (db_num_rows($result) > 0) {
                $acct = db_fetch($result);
index 07cda24372a2bc9fe4ae5f496c19d406c18e4643..ea61fd3444f0fb71ecd96d8a6952fb30d6579d74 100644 (file)
@@ -99,7 +99,7 @@ function can_delete($selected_id)
 {
        if ($selected_id == -1)
                return false;
-       $sql = "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE tax_group_id=$selected_id";
+       $sql = "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE tax_group_id=".db_escape($selected_id);
        $result = db_query($sql, "could not query customers");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
@@ -108,7 +108,7 @@ function can_delete($selected_id)
                return false;
        }
 
-       $sql = "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE tax_group_id=$selected_id";
+       $sql = "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE tax_group_id=".db_escape($selected_id);
        $result = db_query($sql, "could not query suppliers");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
index 5976f1a9eda6b005c9fd1860153047181cf3a157..ca2f866f3ce06644fbda659225740dbbe8fe79e8 100644 (file)
@@ -72,7 +72,7 @@ if ($Mode=='UPDATE_ITEM' && can_process())
 
 function can_delete($selected_id)
 {
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."tax_group_items  WHERE tax_type_id=$selected_id";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."tax_group_items  WHERE tax_type_id=".db_escape($selected_id);
        $result = db_query($sql, "could not query tax groups");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0)