//the link to delete a selected record was clicked instead of the submit button
$cancel_delete = 0;
-
+ $acc = db_escape($selected_id);
// PREVENT DELETES IF DEPENDENT RECORDS IN 'bank_trans'
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."bank_trans WHERE bank_act='$selected_id'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."bank_trans WHERE bank_act=$acc";
$result = db_query($sql,"check failed");
$myrow = db_fetch_row($result);
if ($myrow[0] > 0)
$cancel_delete = 1;
display_error(_("Cannot delete this bank account because transactions have been created using this account."));
}
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_pos WHERE pos_account='$selected_id'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_pos WHERE pos_account=$acc";
$result = db_query($sql,"check failed");
$myrow = db_fetch_row($result);
if ($myrow[0] > 0)
if ($selected_id == "")
return false;
+ $curr = db_escape($selected_id);
+
// PREVENT DELETES IF DEPENDENT RECORDS IN debtors_master
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtors_master WHERE curr_code = '$selected_id'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtors_master WHERE curr_code = $curr";
$result = db_query($sql);
$myrow = db_fetch_row($result);
if ($myrow[0] > 0)
return false;
}
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE curr_code = '$selected_id'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE curr_code = $curr";
$result = db_query($sql);
$myrow = db_fetch_row($result);
if ($myrow[0] > 0)
return false;
}
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."company WHERE curr_default = '$selected_id'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."company WHERE curr_default = $curr";
$result = db_query($sql);
$myrow = db_fetch_row($result);
if ($myrow[0] > 0)
}
// see if there are any bank accounts that use this currency
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."bank_accounts WHERE bank_curr_code = '$selected_id'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."bank_accounts WHERE bank_curr_code = $curr";
$result = db_query($sql);
$myrow = db_fetch_row($result);
if ($myrow[0] > 0)
$sql = "SELECT date_, rate_buy, id FROM "
.TB_PREF."exchange_rates "
- ."WHERE curr_code='".$_POST['curr_abrev']."'
+ ."WHERE curr_code=".db_escape($_POST['curr_abrev'])."
ORDER BY date_ DESC";
$cols = array(
{
if ($selected_id == -1)
return false;
+ $type = db_escape($selected_id);
+
$sql= "SELECT COUNT(*) FROM ".TB_PREF."chart_master
- WHERE account_type=$selected_id";
+ WHERE account_type=$type";
$result = db_query($sql, "could not query chart master");
$myrow = db_fetch_row($result);
if ($myrow[0] > 0)
}
$sql= "SELECT COUNT(*) FROM ".TB_PREF."chart_types
- WHERE parent=$selected_id";
+ WHERE parent=$type";
$result = db_query($sql, "could not query chart types");
$myrow = db_fetch_row($result);
if ($myrow[0] > 0)
{
if ($selected_account == "")
return false;
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."gl_trans WHERE account='$selected_account'";
+ $acc = db_escape($selected_account);
+
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."gl_trans WHERE account=$acc";
$result = db_query($sql,"Couldn't test for existing transactions");
$myrow = db_fetch_row($result);
return false;
}
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."company WHERE debtors_act='$selected_account'
- OR pyt_discount_act='$selected_account'
- OR creditors_act='$selected_account'
- OR freight_act='$selected_account'
- OR default_sales_act='$selected_account'
- OR default_sales_discount_act='$selected_account'
- OR default_prompt_payment_act='$selected_account'
- OR default_inventory_act='$selected_account'
- OR default_cogs_act='$selected_account'
- OR default_adj_act='$selected_account'
- OR default_inv_sales_act='$selected_account'
- OR default_assembly_act='$selected_account'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."company WHERE debtors_act=$acc
+ OR pyt_discount_act=$acc
+ OR creditors_act=$acc
+ OR freight_act=$acc
+ OR default_sales_act=$acc
+ OR default_sales_discount_act=$acc
+ OR default_prompt_payment_act=$acc
+ OR default_inventory_act=$acc
+ OR default_cogs_act=$acc
+ OR default_adj_act=$acc
+ OR default_inv_sales_act=$acc
+ OR default_assembly_act=$acc";
$result = db_query($sql,"Couldn't test for default company GL codes");
$myrow = db_fetch_row($result);
return false;
}
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."bank_accounts WHERE account_code='$selected_account'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."bank_accounts WHERE account_code=$acc";
$result = db_query($sql,"Couldn't test for bank accounts");
$myrow = db_fetch_row($result);
}
$sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE
- inventory_account='$selected_account'
- OR cogs_account='$selected_account'
- OR adjustment_account='$selected_account'
- OR sales_account='$selected_account'";
+ inventory_account=$acc
+ OR cogs_account=$acc
+ OR adjustment_account=$acc
+ OR sales_account=$acc";
$result = db_query($sql,"Couldn't test for existing stock GL codes");
$myrow = db_fetch_row($result);
return false;
}
- $sql= "SELECT COUNT(*) FROM ".TB_PREF."tax_types WHERE sales_gl_code='$selected_account' OR purchasing_gl_code='$selected_account'";
+ $sql= "SELECT COUNT(*) FROM ".TB_PREF."tax_types WHERE sales_gl_code=$acc OR purchasing_gl_code=$acc";
$result = db_query($sql,"Couldn't test for existing tax GL codes");
$myrow = db_fetch_row($result);
}
$sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE
- sales_account='$selected_account'
- OR sales_discount_account='$selected_account'
- OR receivables_account='$selected_account'
- OR payment_discount_account='$selected_account'";
+ sales_account=$acc
+ OR sales_discount_account=$acc
+ OR receivables_account=$acc
+ OR payment_discount_account=$acc";
$result = db_query($sql,"Couldn't test for existing cust branch GL codes");
$myrow = db_fetch_row($result);
}
$sql= "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE
- purchase_account='$selected_account'
- OR payment_discount_account='$selected_account'
- OR payable_account='$selected_account'";
+ purchase_account=$acc
+ OR payment_discount_account=$acc
+ OR payable_account=$acc";
$result = db_query($sql,"Couldn't test for existing suppliers GL codes");
$myrow = db_fetch_row($result);
}
$sql= "SELECT COUNT(*) FROM ".TB_PREF."quick_entry_lines WHERE
- dest_id='$selected_account' AND UPPER(LEFT(action, 1)) <> 'T'";
+ dest_id=$acc AND UPPER(LEFT(action, 1)) <> 'T'";
$result = db_query($sql,"Couldn't test for existing suppliers GL codes");
$myrow = db_fetch_row($result);
{
$sql = "INSERT INTO ".TB_PREF."audit_trail"
. " (type, trans_no, user, fiscal_year, gl_date, description, gl_seq)
- VALUES($trans_type, $trans_no,"
+ VALUES(".db_escape($trans_type).", ".db_escape($trans_no).","
. $_SESSION["wa_current_user"]->user. ","
. get_company_pref('f_year') .","
. "'". date2sql($trans_date) ."',"
// all audit records beside latest one should have gl_seq set to NULL
// to avoid need for subqueries (not existing in MySQL 3) all over the code
$sql = "UPDATE ".TB_PREF."audit_trail SET gl_seq = NULL"
- . " WHERE type=$trans_type AND trans_no=$trans_no AND id!=".db_insert_id();
+ . " WHERE type=".db_escape($trans_type)." AND trans_no="
+ .db_escape($trans_no)." AND id!=".db_insert_id();
db_query($sql, "Cannot update audit gl_seq");
}
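Review bot: Two operands of the audit_trail INSERT are still concatenated raw on the new side, `$_SESSION["wa_current_user"]->user` on line 168 and `get_company_pref('f_year')` on line 169, while `$trans_type` and `$trans_no` in the same VALUES list were just wrapped in db_escape(). Both presumably come from the session and company settings rather than the request, so the exposure is likely lower, but the statement is easier to audit if every operand takes the same path: `. db_escape($_SESSION["wa_current_user"]->user). ","` and `. db_escape(get_company_pref('f_year')) .","`, or a comment on those two lines stating why they are considered trusted. The enclosing function's signature and the rest of the VALUES list lie outside the hunk.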
function get_audit_trail_all($trans_type, $trans_no)
{
$sql = "SELECT * FROM ".TB_PREF."audit_trail"
- ." WHERE type=$trans_type AND trans_no=$trans_no";
+ ." WHERE type=".db_escape($trans_type)." AND trans_no="
+ .db_escape($trans_no);
return db_query($sql, "Cannot get all audit info for transaction");
}
function get_audit_trail_last($trans_type, $trans_no)
{
$sql = "SELECT * FROM ".TB_PREF."audit_trail"
- ." WHERE type=$trans_type AND trans_no=$trans_no AND NOT ISNULL(gl_seq)";
+ ." WHERE type=".db_escape($trans_type).
+ " AND trans_no=".db_escape($trans_no)." AND NOT ISNULL(gl_seq)";
$res = db_query($sql, "Cannot get last audit info for transaction");
if ($res)
*/
function is_closed_trans($type, $trans_no) {
$sql = "SELECT gl_seq FROM ".TB_PREF."audit_trail"
- . " WHERE type=$type AND trans_no=$trans_no AND gl_seq>0";
+ . " WHERE type=".db_escape($type)
+ ." AND trans_no=".db_escape($trans_no)
+ ." AND gl_seq>0";
$res = db_query($sql, "Cannot check transaction");
function get_comments($type, $type_no)
{
- $sql = "SELECT * FROM ".TB_PREF."comments WHERE type=$type AND id=$type_no";
+ $sql = "SELECT * FROM ".TB_PREF."comments WHERE type="
+ .db_escape($type)." AND id=".db_escape($type_no);
return db_query($sql, "could not query comments transaction table");
}
{
$date = date2sql($date_);
$sql = "INSERT INTO ".TB_PREF."comments (type, id, date_, memo_)
- VALUES ($type, $type_no, '$date', ".db_escape($memo_).")";
+ VALUES (".db_escape($type).", ".db_escape($type_no)
+ .", '$date', ".db_escape($memo_).")";
db_query($sql, "could not add comments transaction entry");
}
else
{
$date = date2sql($date_);
- $sql = "UPDATE ".TB_PREF."comments SET memo_=".db_escape($memo_)." WHERE type=$type AND id=$id AND date_='$date'";
+ $sql = "UPDATE ".TB_PREF."comments SET memo_=".db_escape($memo_)
+ ." WHERE type=".db_escape($type)." AND id=".db_escape($id)
+ ." AND date_='$date'";
db_query($sql, "could not update comments");
}
}
function delete_comments($type, $type_no)
{
- $sql = "DELETE FROM ".TB_PREF."comments WHERE type=$type AND id=$type_no";
+ $sql = "DELETE FROM ".TB_PREF."comments WHERE type=".db_escape($type)
+ ." AND id=".db_escape($type_no);
db_query($sql, "could not delete from comments transaction table");
}
$date = date2sql($date_);
$sql = "SELECT SUM(qty) FROM ".TB_PREF."stock_moves
- WHERE stock_id='$stock_id'
+ WHERE stock_id=".db_escape($stock_id)."
AND tran_date <= '$date'";
if ($location != null)
- $sql .= " AND loc_code = '$location'";
+ $sql .= " AND loc_code = ".db_escape($location);
$result = db_query($sql, "QOH calulcation failed");
if ($exclude > 0)
{
$sql = "SELECT SUM(qty) FROM ".TB_PREF."stock_moves
- WHERE stock_id='$stock_id'
- AND type=$exclude
- AND tran_date = '$date'";
+ WHERE stock_id=".db_escape($stock_id)
+ ." AND type=".db_escape($exclude)
+ ." AND tran_date = '$date'";
$result = db_query($sql, "QOH calulcation failed");
$myrow2 = db_fetch_row($result);
{
$sql = "SELECT material_cost + labour_cost + overhead_cost AS standard_cost, units, decimals
FROM ".TB_PREF."stock_master,".TB_PREF."item_units
- WHERE stock_id='$stock_id'
- AND ".TB_PREF."stock_master.units=".TB_PREF."item_units.abbr";
+ WHERE stock_id=".db_escape($stock_id)
+ ." AND ".TB_PREF."stock_master.units=".TB_PREF."item_units.abbr";
$result = db_query($sql, "The standard cost cannot be retrieved");
return db_fetch($result);
function get_standard_cost($stock_id)
{
$sql = "SELECT material_cost + labour_cost + overhead_cost AS std_cost
- FROM ".TB_PREF."stock_master WHERE stock_id='$stock_id'";
+ FROM ".TB_PREF."stock_master WHERE stock_id=".db_escape($stock_id);
$result = db_query($sql, "The standard cost cannot be retrieved");
$myrow = db_fetch_row($result);
function is_inventory_item($stock_id)
{
$sql = "SELECT stock_id FROM ".TB_PREF."stock_master
- WHERE stock_id='$stock_id' AND mb_flag <> 'D'";
+ WHERE stock_id=".db_escape($stock_id)." AND mb_flag <> 'D'";
$result = db_query($sql, "Cannot query is inventory item or not");
return db_num_rows($result) > 0;
$sql = "SELECT inventory_account, cogs_account,
adjustment_account, sales_account, assembly_account, dimension_id, dimension2_id FROM
- ".TB_PREF."stock_master WHERE stock_id = '$stock_id'";
+ ".TB_PREF."stock_master WHERE stock_id = ".db_escape($stock_id);
$get = db_query($sql,"retreive stock gl code");
return db_fetch($get);
$sql = "INSERT INTO ".TB_PREF."stock_moves (stock_id, trans_no, type, loc_code,
tran_date, person_id, reference, qty, standard_cost, visible, price,
- discount_percent) VALUES ('$stock_id', $trans_no, $type,
- ".db_escape($location).", '$date', '$person_id', ".db_escape($reference).", $quantity, $std_cost,
- $show_or_hide, $price, $discount_percent)";
+ discount_percent) VALUES (".db_escape($stock_id)
+ .", ".db_escape($trans_no).", ".db_escape($type)
+ .", ".db_escape($location).", '$date', "
+ .db_escape($person_id).", ".db_escape($reference).", "
+ .db_escape($quantity).", ".db_escape($std_cost).","
+ .db_escape($show_or_hide).", ".db_escape($price).", "
+ .db_escape($discount_percent).")";
if ($error_msg == "")
$error_msg = "The stock movement record cannot be inserted";
{
$from = date2sql($from);
$to = date2sql($to);
- $sql = "UPDATE ".TB_PREF."stock_moves SET standard_cost=$cost WHERE type=$type
- AND stock_id='$stock_id' AND tran_date>='$from' AND tran_date<='$to' AND person_id = $pid";
+ $sql = "UPDATE ".TB_PREF."stock_moves SET standard_cost=".db_escape($cost)
+ ." WHERE type=".db_escape($type)
+ ." AND stock_id=".db_escape($stock_id)
+ ." AND tran_date>='$from' AND tran_date<='$to'
+ AND person_id = ".db_escape($pid);
db_query($sql, "The stock movement standard_cost cannot be updated");
}
function get_stock_moves($type, $type_no, $visible=false)
{
- $sql = "SELECT ".TB_PREF."stock_moves.*, ".TB_PREF."stock_master.description, ".TB_PREF."stock_master.units,
- ".TB_PREF."locations.location_name,
- ".TB_PREF."stock_master.material_cost + ".TB_PREF."stock_master.labour_cost + ".TB_PREF."stock_master.overhead_cost AS FixedStandardCost
+ $sql = "SELECT ".TB_PREF."stock_moves.*, ".TB_PREF."stock_master.description, "
+ .TB_PREF."stock_master.units,".TB_PREF."locations.location_name,"
+ .TB_PREF."stock_master.material_cost + "
+ .TB_PREF."stock_master.labour_cost + "
+ .TB_PREF."stock_master.overhead_cost AS FixedStandardCost
FROM ".TB_PREF."stock_moves,".TB_PREF."locations,".TB_PREF."stock_master
WHERE ".TB_PREF."stock_moves.stock_id = ".TB_PREF."stock_master.stock_id
AND ".TB_PREF."locations.loc_code=".TB_PREF."stock_moves.loc_code
- AND type=$type AND trans_no=$type_no ORDER BY trans_id";
+ AND type=".db_escape($type)." AND trans_no=".db_escape($type_no)." ORDER BY trans_id";
if ($visible)
$sql .= " AND ".TB_PREF."stock_moves.visible=1";
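Review bot: The `$visible` filter is appended after the ORDER BY clause: the rewritten line 324 closes the literal with `ORDER BY trans_id`, and the unchanged `if ($visible) $sql .= " AND ".TB_PREF."stock_moves.visible=1";` then produces `... ORDER BY trans_id AND stock_moves.visible=1`, which MySQL would accept as an ordering expression rather than a WHERE condition, so hidden moves are not filtered out. Since the patch already rewrites this statement, end the new literal at `AND trans_no=".db_escape($type_no);`, keep the conditional append as is, and add `$sql .= " ORDER BY trans_id";` after it. get_stock_moves continues past the hunk; its db_query call and return are not shown.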
function void_stock_move($type, $type_no)
{
$sql = "UPDATE ".TB_PREF."stock_moves SET qty=0, price=0, discount_percent=0,
- standard_cost=0 WHERE type=$type AND trans_no=$type_no";
+ standard_cost=0 WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no);
db_query($sql, "Could not void stock moves");
}
function get_location_name($loc_code)
{
- $sql = "SELECT location_name FROM ".TB_PREF."locations WHERE loc_code='$loc_code'";
+ $sql = "SELECT location_name FROM ".TB_PREF."locations WHERE loc_code="
+ .db_escape($loc_code);
$result = db_query($sql, "could not retreive the location name for $loc_code");
function get_reference($type, $id)
{
- $sql = "SELECT * FROM ".TB_PREF."refs WHERE type=$type AND id=$id";
+ $sql = "SELECT * FROM ".TB_PREF."refs WHERE type=".db_escape($type)." AND id=".db_escape($id);
$result = db_query($sql, "could not query reference table");
$row = db_fetch($result);
function add_reference($type, $id, $reference)
{
$sql = "INSERT INTO ".TB_PREF."refs (type, id, reference)
- VALUES ($type, $id, " . db_escape(trim($reference)) . ")";
+ VALUES (".db_escape($type).", ".db_escape($id).", "
+ . db_escape(trim($reference)) . ")";
db_query($sql, "could not add reference entry");
}
function delete_reference($type, $id)
{
- $sql = "DELETE FROM ".TB_PREF."refs WHERE type=$type AND id=$id";
+ $sql = "DELETE FROM ".TB_PREF."refs WHERE type=$type AND id=".db_escape($id);
return db_query($sql, "could not delete from reference table");
}
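Review bot: In delete_reference the `type` operand is still interpolated raw: the new line reads `WHERE type=$type AND id=".db_escape($id)`, escaping only `id`, whereas get_reference, add_reference, find_reference, save_next_reference and get_next_reference in this same patch all wrap `$type` in db_escape(). The line should be `$sql = "DELETE FROM ".TB_PREF."refs WHERE type=".db_escape($type)." AND id=".db_escape($id);`. A DELETE with one unescaped operand is the inconsistency most worth closing before this lands, since every sibling in the file now treats `$type` as untrusted.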
function find_reference($type, $reference)
{
- $sql = "SELECT id FROM ".TB_PREF."refs WHERE type=$type AND reference='$reference'";
+ $sql = "SELECT id FROM ".TB_PREF."refs WHERE type=".db_escape($type)
+ ." AND reference=".db_escape($reference);
$result = db_query($sql, "could not query reference table");
function save_next_reference($type, $reference)
{
- $sql = "UPDATE ".TB_PREF."sys_types SET next_reference=" . db_escape(trim($reference)) . " WHERE type_id = $type";
+ $sql = "UPDATE ".TB_PREF."sys_types SET next_reference=" . db_escape(trim($reference))
+ . " WHERE type_id = ".db_escape($type);
db_query($sql, "The next transaction ref for $type could not be updated");
}
function get_next_reference($type)
{
- $sql = "SELECT next_reference FROM ".TB_PREF."sys_types WHERE type_id = $type";
+ $sql = "SELECT next_reference FROM ".TB_PREF."sys_types WHERE type_id = ".db_escape($type);
$result = db_query($sql,"The last transaction ref for $type could not be retreived");