Security sql statements update against sql injection attacks.
authorJoe Hunt <joe.hunt.consulting@gmail.com>
Thu, 15 Oct 2009 16:01:09 +0000 (16:01 +0000)
committerJoe Hunt <joe.hunt.consulting@gmail.com>
Thu, 15 Oct 2009 16:01:09 +0000 (16:01 +0000)
51 files changed:
CHANGELOG.txt
reporting/rep101.php
reporting/rep102.php
reporting/rep103.php
reporting/rep104.php
reporting/rep105.php
reporting/rep108.php
reporting/rep201.php
reporting/rep202.php
reporting/rep203.php
reporting/rep204.php
reporting/rep209.php
reporting/rep301.php
reporting/rep302.php
reporting/rep303.php
reporting/rep304.php
reporting/rep401.php
reporting/rep501.php
reporting/rep705.php
sales/create_recurrent_invoices.php
sales/customer_payments.php
sales/includes/db/branches_db.inc
sales/includes/db/credit_status_db.inc
sales/includes/db/cust_trans_db.inc
sales/includes/db/cust_trans_details_db.inc
sales/includes/db/custalloc_db.inc
sales/includes/db/customers_db.inc
sales/includes/db/sales_order_db.inc
sales/includes/db/sales_points_db.inc
sales/includes/db/sales_types_db.inc
sales/includes/sales_db.inc
sales/inquiry/customer_allocation_inquiry.php
sales/inquiry/customer_inquiry.php
sales/inquiry/sales_deliveries_view.php
sales/inquiry/sales_orders_view.php
sales/manage/credit_status.php
sales/manage/customer_branches.php
sales/manage/customers.php
sales/manage/recurrent_invoices.php
sales/manage/sales_areas.php
sales/manage/sales_groups.php
sales/manage/sales_people.php
sales/manage/sales_types.php
sales/view/view_sales_order.php
taxes/db/item_tax_types_db.inc
taxes/db/tax_groups_db.inc
taxes/db/tax_types_db.inc
taxes/item_tax_types.php
taxes/tax_calc.inc
taxes/tax_groups.php
taxes/tax_types.php

index 96e3805612cced9466bf2a7267cc8235e2460644..7ae369530776412207524da1cc6035e23a0109aa 100644 (file)
@@ -19,6 +19,59 @@ Legend:
 ! -> Note
 $ -> Affected files
 
+15-Oct-2009 Joe Hunt
+# Security sql statements update against sql injection attacks.
+$ /reporting/rep101.php
+  /reporting/rep102.php
+  /reporting/rep103.php
+  /reporting/rep104.php
+  /reporting/rep105.php
+  /reporting/rep106.php
+  /reporting/rep201.php
+  /reporting/rep202.php
+  /reporting/rep203.php
+  /reporting/rep204.php
+  /reporting/rep209.php
+  /reporting/rep301.php
+  /reporting/rep302.php
+  /reporting/rep303.php
+  /reporting/rep304.php
+  /reporting/rep401.php
+  /reporting/rep501.php
+  /reporting/rep705.php
+  /sales/create_recurrent_invoices.php
+  /sales/customer_payments.php
+  /sales/includes/sales_db.inc
+  /sales/includes/db/branches_db.inc
+  /sales/includes/db/credit_status_db.inc
+  /sales/includes/db/custalloc_db.inc
+  /sales/includes/db/customers_db.inc
+  /sales/includes/db/cust_trans_db.inc
+  /sales/includes/db/cust_trans_details_db.inc
+  /sales/includes/db/sales_order_db.inc
+  /sales/includes/db/sales_points_db.inc
+  /sales/includes/db/sales_types_db.inc
+  /sales/inquiry/customer_allocation_inquiry.php
+  /sales/inquiry/customer_inquiry.php
+  /sales/inquiry/sales_deliveries_view.php
+  /sales/inquiry/sales_orders_view.php
+  /sales/manage/credit_status.php
+  /sales/manage/customers.php
+  /sales/manage/customer_branches.php
+  /sales/manage/recurrent_invoices.php
+  /sales/manage/sales_areas.php
+  /sales/manage/sales_groups.php
+  /sales/manage/sales_people.php
+  /sales/manage/sales_types.php
+  /sales/view/view_sales_order.php
+  /taxes/item_tax_types.php
+  /taxes/tax_groups.php
+  /taxes/tax_types.php
+  /taxes/tax_calc.php
+  /taxes/db/item_tax_types_db.inc
+  /taxes/db/tax_groups_db.inc
+  /taxes/db/tax_types_db.inc
+
 15-Oct-2009 Janusz Dobrowolski
 ! Added html_entity_decode() in db_escape() for correct INSERT>SELECT>INSERT sequences.
 $ /includes/db/connect_db.inc
index 59bb026b74c26edee523539c96fc21ab8ae4d99d..cce4be0289cedde6a78432bfea78715c5a957f11 100644 (file)
@@ -40,7 +40,7 @@ function get_transactions($debtorno, $date)
                AND ".TB_PREF."debtor_trans.due_date < '$date') AS OverDue
        FROM ".TB_PREF."debtor_trans, ".TB_PREF."sys_types
        WHERE ".TB_PREF."debtor_trans.tran_date <= '$date'
-       AND ".TB_PREF."debtor_trans.debtor_no = '$debtorno'
+       AND ".TB_PREF."debtor_trans.debtor_no = $debtorno
        AND ".TB_PREF."debtor_trans.type != 13
        AND ".TB_PREF."debtor_trans.type = ".TB_PREF."sys_types.type_id
        ORDER BY ".TB_PREF."debtor_trans.tran_date";
@@ -100,7 +100,7 @@ function print_customer_balances()
 
        $sql = "SELECT debtor_no, name, curr_code FROM ".TB_PREF."debtors_master ";
        if ($fromcust != reserved_words::get_all_numeric())
-               $sql .= "WHERE debtor_no=$fromcust ";
+               $sql .= "WHERE debtor_no=".db_escape($fromcust)." ";
        $sql .= "ORDER BY name";
        $result = db_query($sql, "The customers could not be retrieved");
 
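Review bot: The change at `debtor_no = $debtorno` removes the quotes around the interpolated value without escaping it, so the statement still depends entirely on the caller passing a clean numeric `$debtorno`; given the purpose of this commit the line should read `AND ".TB_PREF."debtor_trans.debtor_no = ".db_escape($debtorno)."`. The same pattern is introduced in rep102.php (`debtor_no = $customer_id`) and rep108.php (`debtor_no = $debtorno`). `$date` in the same statement is also interpolated directly; if callers do not always produce it with date2sql() it deserves the same treatment. get_transactions begins and ends outside the hunk.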
index dfe445705748471138d744b8ccb1648e151fa7c2..91425cb7dc805777d14d3ec0756077fe9993a4cc 100644 (file)
@@ -27,7 +27,7 @@ include_once($path_to_root . "/gl/includes/gl_db.inc");
 
 print_aged_customer_analysis();
 
-function get_invoices($costomer_id, $to)
+function get_invoices($customer_id, $to)
 {
        $todate = date2sql($to);
        $PastDueDays1 = get_company_pref('past_due_days');
@@ -54,7 +54,7 @@ function get_invoices($costomer_id, $to)
                    AND ".TB_PREF."debtor_trans.type <> 13
                        AND ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator
                        AND ".TB_PREF."debtors_master.debtor_no = ".TB_PREF."debtor_trans.debtor_no
-                       AND ".TB_PREF."debtor_trans.debtor_no = $costomer_id
+                       AND ".TB_PREF."debtor_trans.debtor_no = $customer_id 
                        AND ".TB_PREF."debtor_trans.tran_date <= '$todate'
                        AND ABS(".TB_PREF."debtor_trans.ov_amount + ".TB_PREF."debtor_trans.ov_gst + ".TB_PREF."debtor_trans.ov_freight + ".TB_PREF."debtor_trans.ov_freight_tax + ".TB_PREF."debtor_trans.ov_discount) > 0.004
                        ORDER BY ".TB_PREF."debtor_trans.tran_date";
@@ -133,7 +133,7 @@ function print_aged_customer_analysis()
 
        $sql = "SELECT debtor_no, name, curr_code FROM ".TB_PREF."debtors_master ";
        if ($fromcust != reserved_words::get_all_numeric())
-               $sql .= "WHERE debtor_no=$fromcust ";
+               $sql .= "WHERE debtor_no=".db_escape($fromcust)." ";
        $sql .= "ORDER BY name";
        $result = db_query($sql, "The customers could not be retrieved");
 
index f7ae195e8ab2fa9b164487647d511deb439e9013..e68027fdcc9993cb20888840bff906c9d608803d 100644 (file)
@@ -56,13 +56,13 @@ function get_customer_details_for_report($area=0, $salesid=0)
        if ($area != 0)
        {
                if ($salesid != 0)
-                       $sql .= " WHERE ".TB_PREF."salesman.salesman_code='$salesid' 
-                               AND ".TB_PREF."areas.area_code='$area'";
+                       $sql .= " WHERE ".TB_PREF."salesman.salesman_code=".db_escape($salesid)." 
+                               AND ".TB_PREF."areas.area_code=".db_escape($area);
                else            
-                       $sql .= " WHERE ".TB_PREF."areas.area_code='$area'";
+                       $sql .= " WHERE ".TB_PREF."areas.area_code=".db_escape($area);
        }
        elseif ($salesid != 0)
-               $sql .= " WHERE ".TB_PREF."salesman.salesman_code='$salesid'";
+               $sql .= " WHERE ".TB_PREF."salesman.salesman_code=".db_escape($salesid);
        $sql .= " ORDER BY description,
                        ".TB_PREF."salesman.salesman_name,
                        ".TB_PREF."debtors_master.debtor_no,
@@ -81,7 +81,7 @@ function getTransactions($debtorno, $branchcode, $date)
                WHERE debtor_no='$debtorno'
                AND branch_code='$branchcode'
                AND (type=10 or type=11)
-               AND trandate >='$date'";
+               AND tran_date >='$date'";
                
     $result = db_query($sql,"No transactions were returned");
 
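Review bot: The second hunk only corrects the column name (`trandate` to `tran_date`) and leaves `debtor_no='$debtorno'`, `branch_code='$branchcode'` and `tran_date >='$date'` as raw interpolations in the same statement, which is inconsistent with the escaping added to get_customer_details_for_report in the first hunk. Replacing the first two with `WHERE debtor_no=".db_escape($debtorno)."` and `AND branch_code=".db_escape($branchcode)."` puts the query on the same footing; whether `$date` needs it depends on whether every caller passes a date2sql() result, which is not visible here. getTransactions begins before the hunk.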
index 42eed72221a47de131e3e05ce6171b0fd705220d..de7d5400bc1d9edb24fecfc85d5c5e0aeb5261d4 100644 (file)
@@ -40,7 +40,7 @@ function fetch_items($category=0)
                                ".TB_PREF."stock_category
                        WHERE ".TB_PREF."stock_master.category_id=".TB_PREF."stock_category.category_id";
                if ($category != 0)
-                       $sql .= " AND ".TB_PREF."stock_category.category_id = '$category'";
+                       $sql .= " AND ".TB_PREF."stock_category.category_id = ".db_escape($category);
                $sql .= " ORDER BY ".TB_PREF."stock_master.category_id,
                                ".TB_PREF."stock_master.stock_id";
 
@@ -57,7 +57,7 @@ function get_kits($category=0)
                        ON i.category_id=c.category_id";
        $sql .= " WHERE !i.is_foreign AND i.item_code!=i.stock_id";
        if ($category != 0)
-               $sql .= " AND c.category_id = '$category'";
+               $sql .= " AND c.category_id = ".db_escape($category);
        $sql .= " GROUP BY i.item_code";
     return db_query($sql,"No kits were returned");
 }
index bc367e6aaa08019ba5be4c27ee42cd9484dbeff5..e3cd6de775a3becf785c7271ad8335b34e357954 100644 (file)
@@ -55,11 +55,11 @@ function GetSalesOrders($from, $to, $category=0, $location=null, $backorder=0)
             WHERE ".TB_PREF."sales_orders.ord_date >='$fromdate'
                 AND ".TB_PREF."sales_orders.ord_date <='$todate'";
        if ($category > 0)
-               $sql .= " AND ".TB_PREF."stock_master.category_id=$category";
+               $sql .= " AND ".TB_PREF."stock_master.category_id=".db_escape($category);
        if ($location != null)
-               $sql .= " AND ".TB_PREF."sales_orders.from_stk_loc='$location'";
+               $sql .= " AND ".TB_PREF."sales_orders.from_stk_loc=".db_escape($location);
        if ($backorder)
-               $sql .= "AND ".TB_PREF."sales_order_details.quantity - ".TB_PREF."sales_order_details.qty_sent > 0";
+               $sql .= " AND ".TB_PREF."sales_order_details.quantity - ".TB_PREF."sales_order_details.qty_sent > 0";
        $sql .= " ORDER BY ".TB_PREF."sales_orders.order_no";
 
        return db_query($sql, "Error getting order details");
index 8e0316d7536f322f44fbb6c0e3d8fa289af8b477..e07e49fe91f307b4bb4291a7b99ef6dbf4fe8c99 100644 (file)
@@ -37,7 +37,7 @@ function getTransactions($debtorno, $date)
                                ((".TB_PREF."debtor_trans.type = 10)
                                        AND ".TB_PREF."debtor_trans.due_date < '$date') AS OverDue
                        FROM ".TB_PREF."debtor_trans, ".TB_PREF."sys_types
-                       WHERE ".TB_PREF."debtor_trans.tran_date <= '$date' AND ".TB_PREF."debtor_trans.debtor_no = '$debtorno'
+                       WHERE ".TB_PREF."debtor_trans.tran_date <= '$date' AND ".TB_PREF."debtor_trans.debtor_no = $debtorno
                                AND ".TB_PREF."debtor_trans.type = ".TB_PREF."sys_types.type_id
                                AND ".TB_PREF."debtor_trans.type <> 13
                                ORDER BY ".TB_PREF."debtor_trans.tran_date";
@@ -86,7 +86,7 @@ function print_statements()
 
        $sql = "SELECT debtor_no, name AS DebtorName, address, tax_id, email, curr_code, curdate() AS tran_date, payment_terms FROM ".TB_PREF."debtors_master";
        if ($customer != reserved_words::get_all_numeric())
-               $sql .= " WHERE debtor_no = $customer";
+               $sql .= " WHERE debtor_no = ".db_escape($customer);
        else
                $sql .= " ORDER by name";
        $result = db_query($sql, "The customers could not be retrieved");
index 29f543324aa6b070c4a12bd195de904fc0437232..0e5f774e79599b43b0fe51dfcc8f104e56207e44 100644 (file)
@@ -99,7 +99,7 @@ function print_supplier_balances()
 
        $sql = "SELECT supplier_id, supp_name AS name, curr_code FROM ".TB_PREF."suppliers ";
        if ($fromsupp != reserved_words::get_all_numeric())
-               $sql .= "WHERE supplier_id=$fromsupp ";
+               $sql .= "WHERE supplier_id=".db_escape($fromsupp)." ";
        $sql .= "ORDER BY supp_name";
        $result = db_query($sql, "The customers could not be retrieved");
 
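Review bot: The failure message passed to db_query() right after the escaped supplier filter still says `"The customers could not be retrieved"` although the statement selects from the suppliers table; rep202.php uses `"The suppliers could not be retrieved"` for the equivalent query, and rep203.php (print_payment_report) carries the same stale text. Changing it to `$result = db_query($sql, "The suppliers could not be retrieved");` makes the logged error match the query that failed.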
index fbb803dbf08f5f468bb82cae7ed8829895144f32..5b47bec79afe1f9a36e6addf78273a56dcd6f571 100644 (file)
@@ -141,7 +141,7 @@ function print_aged_supplier_analysis()
 
        $sql = "SELECT supplier_id, supp_name AS name, curr_code FROM ".TB_PREF."suppliers ";
        if ($fromsupp != reserved_words::get_all_numeric())
-               $sql .= "WHERE supplier_id=$fromsupp ";
+               $sql .= "WHERE supplier_id=".db_escape($fromsupp)." ";
        $sql .= "ORDER BY supp_name";
        $result = db_query($sql, "The suppliers could not be retrieved");
 
index c276188f8a6d0befbcb2cab9f91cb57c31c0fb85..f61e4bbf69a337a128f14fbf67847ea5ec7d904a 100644 (file)
@@ -107,7 +107,7 @@ function print_payment_report()
        $sql = "SELECT supplier_id, supp_name AS name, curr_code, ".TB_PREF."payment_terms.terms FROM ".TB_PREF."suppliers, ".TB_PREF."payment_terms
                WHERE ";
        if ($fromsupp != reserved_words::get_all_numeric())
-               $sql .= "supplier_id=$fromsupp AND ";
+               $sql .= "supplier_id=".db_escape($fromsupp)." AND ";
        $sql .= "".TB_PREF."suppliers.payment_terms = ".TB_PREF."payment_terms.terms_indicator
                ORDER BY supp_name";
        $result = db_query($sql, "The customers could not be retrieved");
index c0efd03486be42fd19ed6a4554ebd22b163e835d..07e84e736ac9487948654a197d6dd5c19f823f92 100644 (file)
@@ -49,7 +49,7 @@ function getTransactions($fromsupp)
                AND ".TB_PREF."grn_items.po_detail_item = ".TB_PREF."purch_order_details.po_detail_item
                AND qty_recd-quantity_inv <>0 ";
        if ($fromsupp != reserved_words::get_all_numeric())
-               $sql .= "AND ".TB_PREF."grn_batch.supplier_id ='" . $fromsupp . "' ";
+               $sql .= "AND ".TB_PREF."grn_batch.supplier_id =".db_escape($fromsupp)." ";
        $sql .= "ORDER BY ".TB_PREF."grn_batch.supplier_id,
                        ".TB_PREF."grn_batch.id";
 
index b9a8a049509fd75b3252f9abc339b2bced951cd1..9015a1b2564b35525de8bca02450a0f504e00788 100644 (file)
@@ -35,7 +35,7 @@ function get_po($order_no)
                FROM ".TB_PREF."purch_orders, ".TB_PREF."suppliers, ".TB_PREF."locations
                WHERE ".TB_PREF."purch_orders.supplier_id = ".TB_PREF."suppliers.supplier_id
                AND ".TB_PREF."locations.loc_code = into_stock_location
-               AND ".TB_PREF."purch_orders.order_no = " . $order_no;
+               AND ".TB_PREF."purch_orders.order_no = ".db_escape($order_no);
        $result = db_query($sql, "The order cannot be retrieved");
     return db_fetch($result);
 }
@@ -46,7 +46,7 @@ function get_po_details($order_no)
                FROM ".TB_PREF."purch_order_details
                LEFT JOIN ".TB_PREF."stock_master
                ON ".TB_PREF."purch_order_details.item_code=".TB_PREF."stock_master.stock_id
-               WHERE order_no =$order_no ";
+               WHERE order_no =".db_escape($order_no)." ";
        $sql .= " ORDER BY po_detail_item";
        return db_query($sql, "Retreive order Line Items");
 }
index 2b18d24b2cc477ee0d8068fe610cd932c28e5d88..a576b0f0d0110e4fc7a210667639b4eddbbcd8b5 100644 (file)
@@ -52,9 +52,9 @@ function getTransactions($category, $location)
                        ".TB_PREF."stock_master.description
                HAVING SUM(".TB_PREF."stock_moves.qty) != 0";
                if ($category != 0)
-                       $sql .= " AND ".TB_PREF."stock_master.category_id = '$category'";
+                       $sql .= " AND ".TB_PREF."stock_master.category_id = ".db_escape($category);
                if ($location != 'all')
-                       $sql .= " AND ".TB_PREF."stock_moves.loc_code = '$location'";
+                       $sql .= " AND ".TB_PREF."stock_moves.loc_code = ".db_escape($location);
                $sql .= " ORDER BY ".TB_PREF."stock_master.category_id,
                        ".TB_PREF."stock_master.stock_id";
 
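Review bot: The escaped `category_id` and `loc_code` predicates are appended after the `HAVING SUM(...) != 0` clause, so they become HAVING conditions rather than WHERE conditions; MySQL accepts non-aggregated columns there, but the filter is then applied after aggregation, and if `loc_code` is not part of the GROUP BY (which starts above this hunk and is not visible) the value it compares against is taken from an arbitrary row of the group. If the intent is to restrict the rows being summed, which is what a category/location filter looks like, these fragments belong before the GROUP BY. The commit does not change this, but the lines are being touched anyway.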
index e92c27c5ff4a5fc4249f40c28861e55c86f828b8..d4f29975d496045d7842e5a5cc7b16f40d78f346 100644 (file)
@@ -44,9 +44,9 @@ function getTransactions($category, $location)
                WHERE ".TB_PREF."stock_master.category_id=".TB_PREF."stock_category.category_id
                AND (".TB_PREF."stock_master.mb_flag='B' OR ".TB_PREF."stock_master.mb_flag='M')";
        if ($category != 0)
-               $sql .= " AND ".TB_PREF."stock_master.category_id = '$category'";
+               $sql .= " AND ".TB_PREF."stock_master.category_id = ".db_escape($category);
        if ($location != 'all')
-               $sql .= " AND IF(".TB_PREF."stock_moves.stock_id IS NULL, '1=1',".TB_PREF."stock_moves.loc_code = '$location')";
+               $sql .= " AND IF(".TB_PREF."stock_moves.stock_id IS NULL, '1=1',".TB_PREF."stock_moves.loc_code = ".db_escape($location).")";
        $sql .= " GROUP BY ".TB_PREF."stock_master.category_id,
                ".TB_PREF."stock_category.description,
                ".TB_PREF."stock_master.stock_id,
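Review bot: In the location filter, `'1=1'` is a string literal rather than a condition: `IF(stock_moves.stock_id IS NULL, '1=1', ...)` yields the text `1=1`, which MySQL treats as true only because it coerces the leading `1` to a number when the IF result is evaluated in boolean context. The intent reads more plainly as `IF(".TB_PREF."stock_moves.stock_id IS NULL, 1, ".TB_PREF."stock_moves.loc_code = ".db_escape($location).")`. rep303.php contains the identical construct.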
index 19be2ee92030cfad74174ec82f216ba87c04c4f7..e3ffbc6b2cffb8da3458a3128dfa4d4267956849 100644 (file)
@@ -44,9 +44,9 @@ function getTransactions($category, $location)
                WHERE ".TB_PREF."stock_master.category_id=".TB_PREF."stock_category.category_id
                AND (".TB_PREF."stock_master.mb_flag='B' OR ".TB_PREF."stock_master.mb_flag='M')";
        if ($category != 0)
-               $sql .= " AND ".TB_PREF."stock_master.category_id = '$category'";
+               $sql .= " AND ".TB_PREF."stock_master.category_id = ".db_escape($category);
        if ($location != 'all')
-               $sql .= " AND IF(".TB_PREF."stock_moves.stock_id IS NULL, '1=1',".TB_PREF."stock_moves.loc_code = '$location')";
+               $sql .= " AND IF(".TB_PREF."stock_moves.stock_id IS NULL, '1=1',".TB_PREF."stock_moves.loc_code = ".db_escape($location).")";
        $sql .= " GROUP BY ".TB_PREF."stock_master.category_id,
                ".TB_PREF."stock_category.description,
                ".TB_PREF."stock_master.stock_id,
index bb4006f1a28e9da72842447c14e64020fbdecdb6..661e56e23a8dfc4273ea196a7d90d2479fcab416 100644 (file)
@@ -59,11 +59,11 @@ function getTransactions($category, $location, $fromcust, $from, $to)
                AND ((".TB_PREF."debtor_trans.type=13 AND ".TB_PREF."debtor_trans.version=1) OR ".TB_PREF."stock_moves.type=11)
                AND (".TB_PREF."stock_master.mb_flag='B' OR ".TB_PREF."stock_master.mb_flag='M')";
                if ($category != 0)
-                       $sql .= " AND ".TB_PREF."stock_master.category_id = '$category'";
+                       $sql .= " AND ".TB_PREF."stock_master.category_id = ".db_escape($category);
                if ($location != 'all')
-                       $sql .= " AND ".TB_PREF."stock_moves.loc_code = '$location'";
+                       $sql .= " AND ".TB_PREF."stock_moves.loc_code = ".db_escape($location);
                if ($fromcust != -1)
-                       $sql .= " AND ".TB_PREF."debtors_master.debtor_no = $fromcust";
+                       $sql .= " AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($fromcust);
                $sql .= " GROUP BY ".TB_PREF."stock_master.stock_id, ".TB_PREF."debtors_master.name ORDER BY ".TB_PREF."stock_master.category_id,
                        ".TB_PREF."stock_master.stock_id, ".TB_PREF."debtors_master.name";
     return db_query($sql,"No transactions were returned");
index 8ae240e353ddcd682b970db7a3d7887b791281fb..fc1468fcc44dd15ece2d9625a58ca6c128d50c2a 100644 (file)
@@ -40,8 +40,8 @@ function getTransactions($from, $to)
                        ".TB_PREF."stock_master,
                        ".TB_PREF."bom
                WHERE ".TB_PREF."stock_master.stock_id=".TB_PREF."bom.component
-               AND ".TB_PREF."bom.parent >= '$from'
-               AND ".TB_PREF."bom.parent <= '$to'
+               AND ".TB_PREF."bom.parent >= ".db_escape($from)."
+               AND ".TB_PREF."bom.parent <= ".db_escape($to)."
                ORDER BY
                        ".TB_PREF."bom.parent,
                        ".TB_PREF."bom.component";
index b697925f1f87654b8c6d232db434d91a46085a97..0435dafb1a3947a6624deba259db7fe55024dd8f 100644 (file)
@@ -32,8 +32,8 @@ function getTransactions($from, $to)
        $sql = "SELECT *
                FROM
                        ".TB_PREF."dimensions
-               WHERE reference >= '$from'
-               AND reference <= '$to'
+               WHERE reference >= ".db_escape($from)."
+               AND reference <= ".db_escape($to)."
                ORDER BY
                        reference";
 
index a9ca35ea20d92f124668b15a7280ddb376ac8741..0f0881828fff834f941a29cd3d5ac6fdc8cefcdb 100644 (file)
@@ -62,9 +62,9 @@ function getPeriods($year, $account, $dimension, $dimension2)
                        FROM ".TB_PREF."gl_trans
                                WHERE account='$account'";
        if ($dimension > 0)
-               $sql .= " AND dimension_id = $dimension";
+               $sql .= " AND dimension_id = ".db_escape($dimension);
        if ($dimension2 > 0)
-               $sql .= " AND dimension2_id = $dimension2";
+               $sql .= " AND dimension2_id = ".db_escape($dimension2);
 
        $result = db_query($sql, "Transactions for account $account could not be calculated");
 
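Review bot: `WHERE account='$account'` on the line above the changed ones stays a raw interpolation while `dimension_id` and `dimension2_id` in the same statement are now escaped, so getPeriods is only partly covered; it should be `WHERE account=".db_escape($account)."`. `$account` is also interpolated into the db_query() error string, which is harmless but shows the value is threaded through unchecked. getPeriods begins before the hunk.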
index 603eef15eef5c4713ac67f0ada6abe8d850b883f..413ef192af8e6ff2b9413dd6bc0ace4fd50b8ded 100644 (file)
@@ -26,7 +26,7 @@ page(_("Create and Print Recurrent Invoices"), false, false, "", $js);
 function set_last_sent($id, $date)
 {
        $date = date2sql($date);
-       $sql = "UPDATE ".TB_PREF."recurrent_invoices SET last_sent='$date' WHERE id=$id";
+       $sql = "UPDATE ".TB_PREF."recurrent_invoices SET last_sent='$date' WHERE id=".db_escape($id);
        db_query($sql,"The recurrent invoice could not be updated or added");
 }      
        
@@ -60,7 +60,7 @@ function create_recurrent_invoices($customer_id, $branch_id, $order_no, $tmpl_no
 if (isset($_GET['recurrent']))
 {
        $invs = array();
-       $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id=".$_GET['recurrent'];
+       $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id=".db_escape($_GET['recurrent']);
 
        $result = db_query($sql,"could not get recurrent invoice");
        $myrow = db_fetch($result);
@@ -95,7 +95,7 @@ if (isset($_GET['recurrent']))
 //-------------------------------------------------------------------------------------------------
 function get_sales_group_name($group_no)
 {
-       $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = $group_no";
+       $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = ".db_escape($group_no);
        $result = db_query($sql, "could not get group");
        $row = db_fetch($result);
        return $row[0];
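Review bot: get_sales_group_name does not check the result of db_fetch(): for an unknown `$group_no` it returns false and `$row[0]` silently evaluates to null. A minimal guard is `return $row ? $row[0] : null;`, or the function should fail loudly if a missing group is a programming error at its call sites (not visible here). Separately, set_last_sent still interpolates `'$date'` directly, which is acceptable only as long as date2sql() always yields a well-formed date for whatever input reaches it.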
index 8a391032279e0576228bf0b8cccad697438ab4e4..92e44b505e2cac9750e66d2b06d8ab36c70a0a70 100644 (file)
@@ -162,7 +162,7 @@ function read_customer_data()
                ".TB_PREF."credit_status.dissallow_invoices
                FROM ".TB_PREF."debtors_master, ".TB_PREF."credit_status
                WHERE ".TB_PREF."debtors_master.credit_status = ".TB_PREF."credit_status.id
-                       AND ".TB_PREF."debtors_master.debtor_no = '" . $_POST['customer_id'] . "'";
+                       AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($_POST['customer_id']);
 
        $result = db_query($sql, "could not query customers");
 
index 72a965655746546c949e93bc489b75c9d73c5fbd..97d6fa2040b120cd9ceefd816cd5b7f031cdb9fc 100644 (file)
@@ -14,7 +14,7 @@ function get_branch($branch_id)
        $sql = "SELECT ".TB_PREF."cust_branch.*,".TB_PREF."salesman.salesman_name 
                FROM ".TB_PREF."cust_branch, ".TB_PREF."salesman 
                WHERE ".TB_PREF."cust_branch.salesman=".TB_PREF."salesman.salesman_code 
-               AND branch_code=$branch_id";
+               AND branch_code=".db_escape($branch_id);
        
        $result = db_query($sql, "Cannot retreive a customer branch");
        
@@ -24,7 +24,7 @@ function get_branch($branch_id)
 function get_branch_accounts($branch_id)
 {
        $sql = "SELECT receivables_account,sales_account, sales_discount_account, payment_discount_account 
-               FROM ".TB_PREF."cust_branch WHERE branch_code=$branch_id";
+               FROM ".TB_PREF."cust_branch WHERE branch_code=".db_escape($branch_id);
        
        $result = db_query($sql, "Cannot retreive a customer branch");
        
@@ -34,7 +34,7 @@ function get_branch_accounts($branch_id)
 function get_branch_name($branch_id)
 {
        $sql = "SELECT br_name FROM ".TB_PREF."cust_branch 
-               WHERE branch_code = '$branch_id'";
+               WHERE branch_code = ".db_escape($branch_id);
 
        $result = db_query($sql,"could not retreive name for branch" . $branch_id);
 
@@ -45,7 +45,7 @@ function get_branch_name($branch_id)
 function get_cust_branches_from_group($group_no)
 {
        $sql = "SELECT branch_code, debtor_no FROM ".TB_PREF."cust_branch 
-               WHERE group_no = '$group_no'";
+               WHERE group_no = ".db_escape($group_no);
 
        return db_query($sql,"could not retreive branches for group " . $group_no);
 }
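Review bot: The error string in get_branch_name, `"could not retreive name for branch" . $branch_id`, misspells retrieve and runs the branch id straight into the preceding word, producing text of the form `...for branch<id>` (constructed); `"could not retrieve name for branch " . $branch_id` reads correctly. The same misspelling appears in the get_branch and get_branch_accounts messages in this section.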
index 411cdfd5ad64b9a1ed5f962d6e00d029620117af..e60d8cfaf4fd6c25d292e9973542def65a2a2488 100644 (file)
@@ -12,7 +12,7 @@
 function add_credit_status($description, $disallow_invoicing)
 {
        $sql = "INSERT INTO ".TB_PREF."credit_status (reason_description, dissallow_invoices) 
-               VALUES (".db_escape($description).",$disallow_invoicing)";
+               VALUES (".db_escape($description).",".db_escape($disallow_invoicing).")";
                
        db_query($sql, "could not add credit status");          
 }
@@ -20,7 +20,7 @@ function add_credit_status($description, $disallow_invoicing)
 function update_credit_status($status_id, $description, $disallow_invoicing)
 {
        $sql = "UPDATE ".TB_PREF."credit_status SET reason_description=".db_escape($description).",
-               dissallow_invoices=$disallow_invoicing WHERE id=$status_id";
+               dissallow_invoices=".db_escape($disallow_invoicing)." WHERE id=".db_escape($status_id);
        
        db_query($sql, "could not update credit status");                       
 }
@@ -34,7 +34,7 @@ function get_all_credit_status()
 
 function get_credit_status($status_id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."credit_status WHERE id=$status_id";
+       $sql = "SELECT * FROM ".TB_PREF."credit_status WHERE id=".db_escape($status_id);
        
        $result = db_query($sql, "could not get credit status");
        
@@ -43,7 +43,7 @@ function get_credit_status($status_id)
 
 function delete_credit_status($status_id)
 {
-       $sql="DELETE FROM ".TB_PREF."credit_status WHERE id=$status_id";
+       $sql="DELETE FROM ".TB_PREF."credit_status WHERE id=".db_escape($status_id);
                
        db_query($sql, "could not delete credit status");       
 }
index dbfa8572736ae656cadac0f059a61cade18898fb..6fd381a99d18b0e40a24845c7c719dabf8f552c9 100644 (file)
@@ -16,7 +16,7 @@ function get_parent_trans($trans_type, $trans_no) {
 
        $sql = 'SELECT trans_link FROM
                        '.TB_PREF.'debtor_trans WHERE
-                       (trans_no=' .$trans_no. ' AND type='.$trans_type.' AND trans_link!=0)';
+                       (trans_no='.db_escape($trans_no).' AND type='.db_escape($trans_type).' AND trans_link!=0)';
 
        $result = db_query($sql, 'Parent document numbers cannot be retrieved');
 
@@ -28,7 +28,7 @@ function get_parent_trans($trans_type, $trans_no) {
        // invoice: find batch invoice parent trans.
        $sql = 'SELECT trans_no FROM
                        '.TB_PREF.'debtor_trans WHERE
-                       (trans_link='.$trans_no.' AND type='. get_parent_type($trans_type) .')';
+                       (trans_link='.db_escape($trans_no).' AND type='. get_parent_type($trans_type) .')';
 
        $result = db_query($sql, 'Delivery links cannot be retrieved');
 
@@ -47,11 +47,10 @@ function get_parent_trans($trans_type, $trans_no) {
 function update_customer_trans_version($type, $versions) {
 
        $sql= 'UPDATE '.TB_PREF. 'debtor_trans SET version=version+1
-                       WHERE type='.$type. ' AND (';
+                       WHERE type='.db_escape($type).' AND (';
 
        foreach ($versions as $trans_no=>$version)
-               $where[] =      '(trans_no='.$trans_no.
-                       ' AND version='.$version.')';
+               $where[] =      '(trans_no='.db_escape($trans_no).' AND version='.$version.')';
 
                $sql .= implode(' OR ', $where) .')';
 
@@ -68,7 +67,7 @@ function get_customer_trans_version($type, $trans_no) {
                $trans_no = array( $trans_no );
 
        $sql= 'SELECT trans_no, version FROM '.TB_PREF. 'debtor_trans
-                       WHERE type='.$type.' AND (';
+                       WHERE type='.db_escape($type).' AND (';
 
        foreach ($trans_no as $key=>$trans)
                $trans_no[$key] =       'trans_no='.$trans_no[$key];
@@ -116,23 +115,23 @@ function write_customer_trans($trans_type, $trans_no, $debtor_no, $BranchNo,
                ov_gst, ov_freight, ov_freight_tax,
                rate, ship_via, alloc, trans_link,
                dimension_id, dimension2_id
-               ) VALUES ($trans_no, $trans_type,
+               ) VALUES ($trans_no, ".db_escape($trans_type).",
                ".db_escape($debtor_no).", ".db_escape($BranchNo).",
                '$SQLDate', '$SQLDueDate', ".db_escape($reference).",
-               ".db_escape($sales_type).", $order_no, $Total, ".db_escape($discount).", $Tax,
+               ".db_escape($sales_type).", ".db_escape($order_no).", $Total, ".db_escape($discount).", $Tax,
                ".db_escape($Freight).",
                $FreightTax, $rate, ".db_escape($ship_via).", $AllocAmt, ".db_escape($trans_link).",
-               $dimension_id, $dimension2_id)";
+               ".db_escape($dimension_id).", ".db_escape($dimension2_id).")";
        } else {        // may be optional argument should stay unchanged ?
        $sql = "UPDATE ".TB_PREF."debtor_trans SET
                debtor_no=".db_escape($debtor_no)." , branch_code=".db_escape($BranchNo).",
                tran_date='$SQLDate', due_date='$SQLDueDate',
-               reference=".db_escape($reference).", tpe=".db_escape($sales_type).", order_=$order_no,
+               reference=".db_escape($reference).", tpe=".db_escape($sales_type).", order_=".db_escape($order_no).",
                ov_amount=$Total, ov_discount=".db_escape($discount).", ov_gst=$Tax,
                ov_freight=".db_escape($Freight).", ov_freight_tax=$FreightTax, rate=$rate,
                ship_via=".db_escape($ship_via).", alloc=$AllocAmt, trans_link=$trans_link,
-               dimension_id=$dimension_id, dimension2_id=$dimension2_id
-               WHERE trans_no=$trans_no AND type=$trans_type";
+               dimension_id=".db_escape($dimension_id).", dimension2_id=".db_escape($dimension2_id)."
+               WHERE trans_no=$trans_no AND type=".db_escape($trans_type);
        }
        db_query($sql, "The debtor transaction record could not be inserted");
 
@@ -178,8 +177,8 @@ function get_customer_trans($trans_id, $trans_type)
                $sql .= ", ".TB_PREF."shippers, ".TB_PREF."sales_types, ".TB_PREF."cust_branch, ".TB_PREF."tax_groups ";
        }
 
-       $sql .= " WHERE ".TB_PREF."debtor_trans.trans_no=$trans_id
-               AND ".TB_PREF."debtor_trans.type=$trans_type
+       $sql .= " WHERE ".TB_PREF."debtor_trans.trans_no=".db_escape($trans_id)."
+               AND ".TB_PREF."debtor_trans.type=".db_escape($trans_type)."
                AND ".TB_PREF."debtor_trans.debtor_no=".TB_PREF."debtors_master.debtor_no";
 
        if ($trans_type == systypes::cust_payment()) {
@@ -220,8 +219,8 @@ function get_customer_trans($trans_id, $trans_type)
 
 function exists_customer_trans($type, $type_no)
 {
-       $sql = "SELECT trans_no FROM ".TB_PREF."debtor_trans WHERE type=$type
-               AND trans_no=$type_no";
+       $sql = "SELECT trans_no FROM ".TB_PREF."debtor_trans WHERE type=".db_escape($type)."
+               AND trans_no=".db_escape($type_no);
 
        $result = db_query($sql, "Cannot retreive a debtor transaction");
 
@@ -234,7 +233,7 @@ function exists_customer_trans($type, $type_no)
 
 function get_customer_trans_order($type, $type_no)
 {
-       $sql = "SELECT order_ FROM ".TB_PREF."debtor_trans WHERE type=$type AND trans_no=$type_no";
+       $sql = "SELECT order_ FROM ".TB_PREF."debtor_trans WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no);
 
        $result = db_query($sql, "The debtor transaction could not be queried");
 
@@ -249,7 +248,7 @@ function get_customer_details_from_trans($type, $type_no)
 {
        $sql = "SELECT ".TB_PREF."debtors_master.name, ".TB_PREF."debtors_master.curr_code, ".TB_PREF."cust_branch.br_name
                FROM ".TB_PREF."debtors_master,".TB_PREF."cust_branch,".TB_PREF."debtor_trans
-               WHERE ".TB_PREF."debtor_trans.type=$type AND ".TB_PREF."debtor_trans.trans_no=$type_no
+               WHERE ".TB_PREF."debtor_trans.type=".db_escape($type)." AND ".TB_PREF."debtor_trans.trans_no=".db_escape($type_no)."
                AND ".TB_PREF."debtors_master.debtor_no = ".TB_PREF."debtor_trans.debtor_no
                AND     ".TB_PREF."cust_branch.branch_code = ".TB_PREF."debtor_trans.branch_code";
 
@@ -263,7 +262,7 @@ function void_customer_trans($type, $type_no)
 {
        // clear all values and mark as void
        $sql = "UPDATE ".TB_PREF."debtor_trans SET ov_amount=0, ov_discount=0, ov_gst=0, ov_freight=0,
-               ov_freight_tax=0, alloc=0, version=version+1 WHERE type=$type AND trans_no=$type_no";
+               ov_freight_tax=0, alloc=0, version=version+1 WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no);
 
        db_query($sql, "could not void debtor transactions for type=$type and trans_no=$type_no");
 }
@@ -291,7 +290,7 @@ function post_void_customer_trans($type, $type_no)
 function get_customer_trans_link($type, $type_no)
 {
        $row = db_query("SELECT trans_link from ".TB_PREF."debtor_trans
-               WHERE type=$type AND trans_no=$type_no",
+               WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no),
                "could not get transaction link for type=$type and trans_no=$type_no");
        return $row[0];
 }
index 17c30c199571fb31d4f565537c7eb82991a05599..86310ffaf0995bda3e2615cc56cd7f62c440bbcd 100644 (file)
@@ -30,7 +30,7 @@ if (!is_array($debtor_trans_no))
        $sql .= implode(' OR ', $tr);
 
 
-       $sql.=  ") AND debtor_trans_type=$debtor_trans_type
+       $sql.=  ") AND debtor_trans_type=".db_escape($debtor_trans_type)."
                AND ".TB_PREF."stock_master.stock_id=".TB_PREF."debtor_trans_details.stock_id
                ORDER BY id";
        return db_query($sql, "The debtor transaction detail could not be queried");
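Review bot: Only `$debtor_trans_type` is escaped in this hunk, while the `implode(' OR ', $tr)` on the context line above splices in `$tr` fragments built from `$debtor_trans_no` before the hunk, and the diff does not show whether each of those fragments went through db_escape. If they are still bare `debtor_trans_no=$n` pieces, the OR list stays injectable through the array path even after this change. Build them as `$tr[] = 'debtor_trans_no='.db_escape($n);` (or cast each element to int) so the whole WHERE clause is covered. The enclosing function and the loop that fills `$tr` start outside this hunk.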
@@ -42,8 +42,8 @@ function void_customer_trans_details($type, $type_no)
 {
        $sql = "UPDATE ".TB_PREF."debtor_trans_details SET quantity=0, unit_price=0,
                unit_tax=0, discount_percent=0, standard_cost=0
-               WHERE debtor_trans_no=$type_no
-               AND debtor_trans_type=$type";
+               WHERE debtor_trans_no=".db_escape($type_no)."
+               AND debtor_trans_type=".db_escape($type);
 
        db_query($sql, "The debtor transaction details could not be voided");
 
@@ -64,12 +64,12 @@ function write_customer_trans_detail_item($debtor_trans_type, $debtor_trans_no,
                        unit_tax=$unit_tax,
                        discount_percent=$discount_percent,
                        standard_cost=$std_cost WHERE
-                       id=$line_id";
+                       id=".db_escape($line_id);
        else
                        $sql = "INSERT INTO ".TB_PREF."debtor_trans_details (debtor_trans_no,
                                debtor_trans_type, stock_id, description, quantity, unit_price,
                                unit_tax, discount_percent, standard_cost)
-                       VALUES ($debtor_trans_no, $debtor_trans_type, ".db_escape($stock_id).
+                       VALUES (".db_escape($debtor_trans_no).", ".db_escape($debtor_trans_type).", ".db_escape($stock_id).
                        ", ".db_escape($description).",
                                $quantity, $unit_price, $unit_tax, $discount_percent, $std_cost)";
 
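Review bot: `$quantity`, `$unit_price`, `$unit_tax`, `$discount_percent` and `$std_cost` are still interpolated raw into both the UPDATE SET list (the three context lines at the top of the hunk) and the INSERT VALUES tail, so this change protects only the id and type columns of write_customer_trans_detail_item. These amounts normally originate from form input, and unless every caller casts them to a number first the statement remains injectable through them. Change the VALUES tail to `".db_escape($quantity).", ".db_escape($unit_price).", ".db_escape($unit_tax).", ".db_escape($discount_percent).", ".db_escape($std_cost).")";` and wrap the matching SET values the same way. The function signature and the head of the UPDATE lie before this hunk.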
index e9695bbcd3f9bbde574ca4078ca4ec5fe350f4c4..80bc9213812e51ad29cbd952f88eae289681fcc9 100644 (file)
@@ -17,7 +17,8 @@ function add_cust_allocation($amount, $trans_type_from, $trans_no_from,
        $sql = "INSERT INTO ".TB_PREF."cust_allocations (
                amt, date_alloc,
                trans_type_from, trans_no_from, trans_no_to, trans_type_to)
-               VALUES ($amount, Now(), $trans_type_from, $trans_no_from, $trans_no_to, $trans_type_to)";
+               VALUES ($amount, Now(), ".db_escape($trans_type_from).", ".db_escape($trans_no_from).", ".db_escape($trans_no_to)
+               .", ".db_escape($trans_type_to).")";
 
        db_query($sql, "A customer allocation could not be added to the database");
 }
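Review bot: `$amount` on the VALUES line is the one argument of add_cust_allocation left unescaped, so the INSERT is still only as safe as each caller's handling of the amount. Unless it is guaranteed to be a float by the time it reaches this function, write `VALUES (".db_escape($amount).", Now(), ".db_escape($trans_type_from).", ...` so all five parameters go through the same path as the four this commit fixed.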
@@ -27,7 +28,7 @@ function add_cust_allocation($amount, $trans_type_from, $trans_no_from,
 
 function delete_cust_allocation($trans_id)
 {
-       $sql = "DELETE FROM ".TB_PREF."cust_allocations WHERE id = " . $trans_id;
+       $sql = "DELETE FROM ".TB_PREF."cust_allocations WHERE id = ".db_escape($trans_id);
        return db_query($sql, "The existing allocation $trans_id could not be deleted");
 }
 
@@ -37,7 +38,7 @@ function get_DebtorTrans_allocation_balance($trans_type, $trans_no)
 {
 
        $sql = "SELECT (ov_amount+ov_gst+ov_freight+ov_freight_tax-ov_discount-alloc) AS BalToAllocate
-               FROM ".TB_PREF."debtor_trans WHERE trans_no=$trans_no AND type=$trans_type";
+               FROM ".TB_PREF."debtor_trans WHERE trans_no=".db_escape($trans_no)." AND type=".db_escape($trans_type);
        $result = db_query($sql,"calculate the allocation");
        $myrow = db_fetch_row($result);
 
@@ -49,7 +50,7 @@ function get_DebtorTrans_allocation_balance($trans_type, $trans_no)
 function update_debtor_trans_allocation($trans_type, $trans_no, $alloc)
 {
        $sql = "UPDATE ".TB_PREF."debtor_trans SET alloc = alloc + $alloc
-               WHERE type=$trans_type AND trans_no = $trans_no";
+               WHERE type=".db_escape($trans_type)." AND trans_no = ".db_escape($trans_no);
        db_query($sql, "The debtor transaction record could not be modified for the allocation against it");
 }
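Review bot: `$alloc` is still spliced raw into `SET alloc = alloc + $alloc` on the context line above the escaped WHERE, so a non-numeric `$alloc` can still rewrite the SET expression of update_debtor_trans_allocation. Use `SET alloc = alloc + ".db_escape($alloc)."` (or cast the argument to float at the top of the function) so the update matches the rest of the commit.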
 
@@ -66,8 +67,8 @@ function clear_cust_alloctions($type, $type_no, $date="")
 {
        // clear any allocations for this transaction
        $sql = "SELECT * FROM ".TB_PREF."cust_allocations
-               WHERE (trans_type_from=$type AND trans_no_from=$type_no)
-               OR (trans_type_to=$type AND trans_no_to=$type_no)";
+               WHERE (trans_type_from=".db_escape($type)." AND trans_no_from=".db_escape($type_no).")
+               OR (trans_type_to=".db_escape($type)." AND trans_no_to=".db_escape($type_no).")";
        $result = db_query($sql, "could not void debtor transactions for type=$type and trans_no=$type_no");
 
        while ($row = db_fetch($result))
@@ -86,8 +87,8 @@ function clear_cust_alloctions($type, $type_no, $date="")
 
        // remove any allocations for this transaction
        $sql = "DELETE FROM ".TB_PREF."cust_allocations
-               WHERE (trans_type_from=$type AND trans_no_from=$type_no)
-               OR (trans_type_to=$type AND trans_no_to=$type_no)";
+               WHERE (trans_type_from=".db_escape($type)." AND trans_no_from=".db_escape($type_no).")
+               OR (trans_type_to=".db_escape($type)." AND trans_no_to=".db_escape($type_no).")";
 
        db_query($sql, "could not void debtor transactions for type=$type and trans_no=$type_no");
 }
@@ -136,7 +137,7 @@ function get_allocatable_from_cust_sql($customer_id, $settled)
        }
        $cust_sql = "";
        if ($customer_id != null)
-               $cust_sql = " AND trans.debtor_no = $customer_id";
+               $cust_sql = " AND trans.debtor_no = ".db_escape($customer_id);
 
        $sql = get_alloc_trans_sql("round(ov_amount+ov_gst+ov_freight+ov_freight_tax+ov_discount-alloc,6) <= 0 AS settled",
                "(type=12 OR type=11 OR type=2) AND (trans.ov_amount > 0) " . $settled_sql . $cust_sql);
@@ -154,7 +155,7 @@ function get_allocatable_to_cust_transactions($customer_id, $trans_no=null, $typ
                        AND trans.type = alloc.trans_type_to
                        AND alloc.trans_no_from=$trans_no
                        AND alloc.trans_type_from=$type
-                       AND trans.debtor_no=$customer_id",
+                       AND trans.debtor_no=".db_escape($customer_id),
                        "".TB_PREF."cust_allocations as alloc");
        }
        else
@@ -164,7 +165,7 @@ function get_allocatable_to_cust_transactions($customer_id, $trans_no=null, $typ
                        AND trans.type != " . systypes::bank_deposit() . "
                        AND trans.type != 11
                        AND trans.type != 13
-                       AND trans.debtor_no=$customer_id");
+                       AND trans.debtor_no=".db_escape($customer_id));
        }
 
        return db_query($sql." ORDER BY trans_no", "Cannot retreive alloc to transactions");
index db0e47af833d05598a7e835b7bb02bc53ec231b1..1670c426e7eceaf2e3f9b7e3bc6eb1f4041a094c 100644 (file)
@@ -43,7 +43,7 @@ function get_customer_details($customer_id, $to=null)
                WHERE
                         ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator
                         AND ".TB_PREF."debtors_master.credit_status = ".TB_PREF."credit_status.id
-                        AND ".TB_PREF."debtors_master.debtor_no = $customer_id
+                        AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($customer_id)."
                         AND ".TB_PREF."debtor_trans.tran_date <= '$todate'
                         AND ".TB_PREF."debtor_trans.type <> 13
                         AND ".TB_PREF."debtors_master.debtor_no = ".TB_PREF."debtor_trans.debtor_no
@@ -74,7 +74,7 @@ function get_customer_details($customer_id, $to=null)
                WHERE
                     ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator
                     AND ".TB_PREF."debtors_master.credit_status = ".TB_PREF."credit_status.id
-                    AND ".TB_PREF."debtors_master.debtor_no = '$customer_id'";
+                    AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($customer_id);
 
        $result = db_query($sql,"The customer details could not be retrieved");
 
@@ -100,7 +100,7 @@ function get_customer_details($customer_id, $to=null)
 
 function get_customer($customer_id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."debtors_master WHERE debtor_no=$customer_id";
+       $sql = "SELECT * FROM ".TB_PREF."debtors_master WHERE debtor_no=".db_escape($customer_id);
 
        $result = db_query($sql, "could not get customer");
 
@@ -109,7 +109,7 @@ function get_customer($customer_id)
 
 function get_customer_name($customer_id)
 {
-       $sql = "SELECT name FROM ".TB_PREF."debtors_master WHERE debtor_no=$customer_id";
+       $sql = "SELECT name FROM ".TB_PREF."debtors_master WHERE debtor_no=".db_escape($customer_id);
 
        $result = db_query($sql, "could not get customer");
 
@@ -120,7 +120,7 @@ function get_customer_name($customer_id)
 
 function get_area_name($id)
 {
-       $sql = "SELECT description FROM ".TB_PREF."areas WHERE area_code=$id";
+       $sql = "SELECT description FROM ".TB_PREF."areas WHERE area_code=".db_escape($id);
 
        $result = db_query($sql, "could not get sales type");
 
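Review bot: The error text passed to db_query in get_area_name still reads `could not get sales type`, a copy-paste leftover that will mislead anyone reading the log when the areas lookup fails; the same text is reused in get_salesman_name directly below. Change it to `"could not get area name"` (and `"could not get salesman name"` in the sibling) while these lines are being touched.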
@@ -130,7 +130,7 @@ function get_area_name($id)
 
 function get_salesman_name($id)
 {
-       $sql = "SELECT salesman_name FROM ".TB_PREF."salesman WHERE salesman_code=$id";
+       $sql = "SELECT salesman_name FROM ".TB_PREF."salesman WHERE salesman_code=".db_escape($id);
 
        $result = db_query($sql, "could not get sales type");
 
index 3cdceada63e519a81a63b75fb1d2152d8b6e1b6e..dc5ce48b45c1462599bc71aea7085b41e9281872 100644 (file)
@@ -115,10 +115,10 @@ function delete_sales_order($order_no)
 {
        begin_transaction();
 
-       $sql = "DELETE FROM ".TB_PREF."sales_orders WHERE order_no=" . $order_no;
+       $sql = "DELETE FROM ".TB_PREF."sales_orders WHERE order_no=".db_escape($order_no);
        db_query($sql, "order Header Delete");
 
-       $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =" . $order_no;
+       $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =".db_escape($order_no);
        db_query($sql, "order Detail Delete");
 
        commit_transaction();
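Review bot: delete_sales_order issues two DELETEs keyed on `$order_no` without checking that the value is an integer; db_escape makes the value safe to embed, but an empty or wrong-typed value still yields a valid statement (`order_no=''`) that deletes nothing and then commits as if it succeeded. Given the surrounding code treats order_no as an integer key, a single `$order_no = (int)$order_no;` at the top of the function both validates the key and removes the reliance on how db_escape quotes numeric-looking strings. Whether callers already validate this is not visible here.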
@@ -149,7 +149,7 @@ function update_sales_order($order)
 
        begin_transaction();
 
-       $sql = "UPDATE ".TB_PREF."sales_orders SET type =".$order->so_type." ,
+       $sql = "UPDATE ".TB_PREF."sales_orders SET type =".db_escape($order->so_type)." ,
                debtor_no = " . db_escape($order->customer_id) . ",
                branch_code = " . db_escape($order->Branch) . ",
                customer_ref = ". db_escape($order->cust_ref) .",
@@ -191,8 +191,8 @@ function update_sales_order($order)
                                FROM ".TB_PREF."loc_stock, "
                                  .TB_PREF."locations
                                WHERE ".TB_PREF."loc_stock.loc_code=".TB_PREF."locations.loc_code
-                                AND ".TB_PREF."loc_stock.stock_id = '" . $line->stock_id . "'
-                                AND ".TB_PREF."loc_stock.loc_code = '" . $order->Location . "'";
+                                AND ".TB_PREF."loc_stock.stock_id = ".db_escape($line->stock_id)."
+                                AND ".TB_PREF."loc_stock.loc_code = ".db_escape($order->Location);
                        $res = db_query($sql,"a location could not be retreived");
                        $loc = db_fetch($res);
                        if ($loc['email'] != "")
@@ -279,7 +279,7 @@ function get_sales_order_header($order_no)
                AND ".TB_PREF."sales_orders.debtor_no = ".TB_PREF."debtors_master.debtor_no
                AND ".TB_PREF."locations.loc_code = ".TB_PREF."sales_orders.from_stk_loc
                AND ".TB_PREF."shippers.shipper_id = ".TB_PREF."sales_orders.ship_via
-               AND ".TB_PREF."sales_orders.order_no = " . $order_no ;
+               AND ".TB_PREF."sales_orders.order_no = ".db_escape($order_no);
        $result = db_query($sql, "order Retreival");
 
        $num = db_num_rows($result);
@@ -310,7 +310,7 @@ function get_sales_order_details($order_no) {
                        .TB_PREF."stock_master.overhead_cost AS standard_cost
        FROM ".TB_PREF."sales_order_details, ".TB_PREF."stock_master
        WHERE ".TB_PREF."sales_order_details.stk_code = ".TB_PREF."stock_master.stock_id
-       AND order_no =" . $order_no . " ORDER BY id";
+       AND order_no =".db_escape($order_no)." ORDER BY id";
 
        return db_query($sql, "Retreive order Line Items");
 }
@@ -365,7 +365,7 @@ function read_sales_order($order_no, &$order)
 function sales_order_has_deliveries($order_no)
 {
        $sql = "SELECT SUM(qty_sent) FROM ".TB_PREF.
-       "sales_order_details WHERE order_no=$order_no";
+       "sales_order_details WHERE order_no=".db_escape($order_no);
 
        $result = db_query($sql, "could not query for sales order usage");
 
@@ -380,7 +380,7 @@ function close_sales_order($order_no)
 {
        // set the quantity of each item to the already sent quantity. this will mark item as closed.
        $sql = "UPDATE ".TB_PREF."sales_order_details
-               SET quantity = qty_sent WHERE order_no = $order_no";
+               SET quantity = qty_sent WHERE order_no = ".db_escape($order_no);
 
        db_query($sql, "The sales order detail record could not be updated");
 }
@@ -395,7 +395,7 @@ function get_invoice_duedate($debtorno, $invdate)
        }
        $sql = "SELECT ".TB_PREF."debtors_master.debtor_no, ".TB_PREF."debtors_master.payment_terms, ".TB_PREF."payment_terms.* FROM ".TB_PREF."debtors_master,
                ".TB_PREF."payment_terms WHERE ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator AND
-               ".TB_PREF."debtors_master.debtor_no = '$debtorno'";
+               ".TB_PREF."debtors_master.debtor_no = ".db_escape($debtorno);
 
        $result = db_query($sql,"The customer details could not be retrieved");
        $myrow = db_fetch($result);
@@ -430,7 +430,7 @@ function get_customer_to_order($customer_id) {
                WHERE ".TB_PREF."debtors_master.sales_type="
                  .TB_PREF."sales_types.id
                AND ".TB_PREF."debtors_master.credit_status=".TB_PREF."credit_status.id
-               AND ".TB_PREF."debtors_master.debtor_no = '" . $customer_id . "'";
+               AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($customer_id);
 
        $result =db_query($sql,"Customer Record Retreive");
        return  db_fetch($result);
@@ -452,8 +452,8 @@ function get_branch_to_order($customer_id, $branch_id) {
                          .TB_PREF."locations
                        WHERE ".TB_PREF."cust_branch.tax_group_id = ".TB_PREF."tax_groups.id
                                AND ".TB_PREF."locations.loc_code=default_location
-                               AND ".TB_PREF."cust_branch.branch_code='" . $branch_id . "'
-                               AND ".TB_PREF."cust_branch.debtor_no = '" . $customer_id . "'";
+                               AND ".TB_PREF."cust_branch.branch_code=".db_escape($branch_id)."
+                               AND ".TB_PREF."cust_branch.debtor_no = ".db_escape($customer_id);
 
            return db_query($sql,"Customer Branch Record Retreive");
 }
index 9feae5aa7846d2866fb6d85bce957b8a4bb1af9e..55e579ef181c0107bddfb0e7e632a5cc7e8f6150 100644 (file)
@@ -25,7 +25,7 @@ function update_sales_point($id, $name, $location, $account, $cash, $credit)
                                .",pos_account=".db_escape($account)
                                .",cash_sale =$cash"
                                .",credit_sale =$credit"
-                               ." WHERE id = $id";
+                               ." WHERE id = ".db_escape($id);
        
        db_query($sql, "could not update sales type");                  
 }
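Review bot: `cash_sale =$cash` and `credit_sale =$credit` two lines above the changed WHERE are still concatenated raw, so update_sales_point keeps two of its six arguments outside the escaping this commit introduces; the db_query error text also says `could not update sales type` for a POS record. Use `.",cash_sale =".db_escape($cash)` and `.",credit_sale =".db_escape($credit)`, and change the message to `"could not update POS definition"`. The statement begins above this hunk.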
@@ -46,7 +46,7 @@ function get_sales_point($id)
                .TB_PREF."sales_pos as pos
                LEFT JOIN ".TB_PREF."locations as loc on pos.pos_location=loc.loc_code
                LEFT JOIN ".TB_PREF."bank_accounts as acc on pos.pos_account=acc.id
-               WHERE pos.id='$id'";
+               WHERE pos.id=".db_escape($id);
        
        $result = db_query($sql, "could not get POS definition");
        
@@ -55,7 +55,7 @@ function get_sales_point($id)
 
 function get_sales_point_name($id)
 {
-       $sql = "SELECT pos_name FROM ".TB_PREF."sales_pos WHERE id=$id";
+       $sql = "SELECT pos_name FROM ".TB_PREF."sales_pos WHERE id=".db_escape($id);
        
        $result = db_query($sql, "could not get POS name");
        
@@ -65,7 +65,7 @@ function get_sales_point_name($id)
 
 function delete_sales_point($id)
 {
-       $sql="DELETE FROM ".TB_PREF."sales_pos WHERE id=$id";
+       $sql="DELETE FROM ".TB_PREF."sales_pos WHERE id=".db_escape($id);
        db_query($sql,"The point of sale record could not be deleted");
 }
 
index f52374769a182de5a1079ec91f403d1af9f3bf5a..3c40ba6376dd74b33840b38d0ec6e79063a6001a 100644 (file)
@@ -11,7 +11,8 @@
 ***********************************************************************/
 function add_sales_type($name, $tax_included, $factor)
 {
-       $sql = "INSERT INTO ".TB_PREF."sales_types (sales_type,tax_included,factor) VALUES (".db_escape($name).",'$tax_included',$factor)";
+       $sql = "INSERT INTO ".TB_PREF."sales_types (sales_type,tax_included,factor) VALUES (".db_escape($name).","
+               .db_escape($tax_included).",".db_escape($factor).")";
        db_query($sql, "could not add sales type");             
 }
 
@@ -19,7 +20,7 @@ function update_sales_type($id, $name, $tax_included, $factor)
 {
 
        $sql = "UPDATE ".TB_PREF."sales_types SET sales_type = ".db_escape($name).",
-       tax_included =$tax_included, factor=$factor WHERE id = $id";
+       tax_included =".db_escape($tax_included).", factor=".db_escape($factor)." WHERE id = ".db_escape($id);
        
        db_query($sql, "could not update sales type");                  
 }
@@ -33,7 +34,7 @@ function get_all_sales_types()
 
 function get_sales_type($id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."sales_types WHERE id=$id";
+       $sql = "SELECT * FROM ".TB_PREF."sales_types WHERE id=".db_escape($id);
        
        $result = db_query($sql, "could not get sales type");
        
@@ -42,7 +43,7 @@ function get_sales_type($id)
 
 function get_sales_type_name($id)
 {
-       $sql = "SELECT sales_type FROM ".TB_PREF."sales_types WHERE id=$id";
+       $sql = "SELECT sales_type FROM ".TB_PREF."sales_types WHERE id=".db_escape($id);
        
        $result = db_query($sql, "could not get sales type");
        
@@ -52,10 +53,10 @@ function get_sales_type_name($id)
 
 function delete_sales_type($id)
 {
-       $sql="DELETE FROM ".TB_PREF."sales_types WHERE id=$id";
+       $sql="DELETE FROM ".TB_PREF."sales_types WHERE id=".db_escape($id);
        db_query($sql,"The Sales type record could not be deleted");
 
-       $sql ="DELETE FROM ".TB_PREF."prices WHERE sales_type_id='$id'";
+       $sql ="DELETE FROM ".TB_PREF."prices WHERE sales_type_id=".db_escape($id);
        db_query($sql,"The Sales type prices could not be deleted");
 }
 
index 4a74694089528e89bbdebf7b460b8d3b6640db21..fed326ea9f8ed03ef3a3c437d16c6dfed9806b9f 100644 (file)
@@ -70,9 +70,9 @@ function get_price ($stock_id, $currency, $sales_type_id, $factor=null, $date=nu
            
        $sql = "SELECT price
                FROM ".TB_PREF."prices
-               WHERE stock_id = '" . $stock_id . "' "
-               ." AND sales_type_id = " . $sales_type_id
-               ." AND curr_abrev = '$currency'";
+               WHERE stock_id = ".db_escape($stock_id)
+               ." AND sales_type_id = ".db_escape($sales_type_id)
+               ." AND curr_abrev = ".db_escape($currency);
 
        $msg = "There was a problem retrieving the pricing information for the part $stock_id for customer";
        $result = db_query($sql, $msg);
@@ -93,11 +93,11 @@ function get_price ($stock_id, $currency, $sales_type_id, $factor=null, $date=nu
     // alternative is make up to 2 additional sql queries
        $sql = "SELECT price, curr_abrev, sales_type_id
                FROM ".TB_PREF."prices
-               WHERE stock_id = '" . $stock_id . "' "
-               ." AND (sales_type_id = " . $sales_type_id
-               ." OR sales_type_id = " . $base_id.")"
-               ." AND (curr_abrev = '$currency'"
-               ." OR curr_abrev = '$home_curr')";
+               WHERE stock_id = ".db_escape($stock_id)
+               ." AND (sales_type_id = ".db_escape($sales_type_id)
+               ." OR sales_type_id = ".db_escape($base_id).")"
+               ." AND (curr_abrev = ".db_escape($currency)
+               ." OR curr_abrev = ".db_escape($home_curr).")";
 
        $result = db_query($sql, $msg);
 
@@ -174,7 +174,7 @@ function set_document_parent($cart)
        $del_no = reset(array_keys($cart->src_docs));
 
        $sql = 'UPDATE '.TB_PREF.'debtor_trans SET trans_link = ' . $del_no .
-               ' WHERE type='.$cart->trans_type.' AND trans_no='. $inv_no ;
+               ' WHERE type=".db_escape($cart->trans_type)." AND trans_no='. $inv_no ;
        db_query($sql, 'Child document link cannot be updated');
 
        }
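Review bot: The new line is inside a single-quoted PHP string, so `".db_escape($cart->trans_type)."` is never evaluated — it is sent to MySQL verbatim and the UPDATE now fails with a syntax error, leaving the child document without its trans_link; the removed line used `'.$cart->trans_type.'` concatenation. `$del_no` and `$inv_no` also remain unescaped in the same statement. Rewrite the two lines as `$sql = 'UPDATE '.TB_PREF.'debtor_trans SET trans_link = '.db_escape($del_no).` and `' WHERE type='.db_escape($cart->trans_type).' AND trans_no='.db_escape($inv_no);`. The body of set_document_parent starts above this hunk.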
@@ -222,11 +222,11 @@ function update_parent_line($doc_type, $line_id, $qty_dispatched)
                if ($doc_type==30)
                        $sql = "UPDATE ".TB_PREF."sales_order_details
                                SET qty_sent = qty_sent + $qty_dispatched
-                               WHERE id=$line_id";
+                               WHERE id=".db_escape($line_id);
                else
                        $sql = "UPDATE ".TB_PREF."debtor_trans_details
                                SET qty_done = qty_done + $qty_dispatched
-                               WHERE id=$line_id";
+                               WHERE id=".db_escape($line_id);
        }
        db_query($sql, "The parent document detail record could not be updated");
        return true;
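Review bot: `$qty_dispatched` is still interpolated raw into `qty_sent = qty_sent + $qty_dispatched` and `qty_done = qty_done + $qty_dispatched` in both branches, while only the `id=` in the WHERE was escaped. Dispatched quantities come from the document form, so write `SET qty_sent = qty_sent + ".db_escape($qty_dispatched)."` (and the same for qty_done), or cast the argument to float once at the top of update_parent_line. The function starts outside this hunk.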
@@ -239,7 +239,7 @@ function get_location(&$cart)
 {
        $sql = "SELECT ".TB_PREF."locations.* FROM ".TB_PREF."stock_moves,"
                .TB_PREF."locations".
-               " WHERE type=".$cart->trans_type.
+               " WHERE type=".db_escape($cart->trans_type).
                " AND trans_no=".key($cart->trans_no).
                " AND qty!=0 ".
                " AND ".TB_PREF."locations.loc_code=".TB_PREF."stock_moves.loc_code";
index 325d848ffd82b5a76cb8f5d3afe8dda68186ee85..e0567644d21e086ab085b3d3f6c21e170ffeade7 100644 (file)
@@ -159,7 +159,7 @@ function fmt_credit($row)
                AND trans.tran_date <= '$date_to'";
 
        if ($_POST['customer_id'] != reserved_words::get_all())
-               $sql .= " AND trans.debtor_no = '" . $_POST['customer_id'] . "'";
+               $sql .= " AND trans.debtor_no = ".db_escape($_POST['customer_id']);
 
        if (isset($_POST['filterType']) && $_POST['filterType'] != reserved_words::get_all())
        {
index 85a8d70da85f158148da96426edd489406d5fb14..f4491e0846c8cb4948ec65c890e7eb0a64e8ce79 100644 (file)
@@ -230,7 +230,7 @@ function check_overdue($row)
                        AND trans.branch_code = branch.branch_code";
 
        if ($_POST['customer_id'] != reserved_words::get_all())
-               $sql .= " AND trans.debtor_no = '" . $_POST['customer_id'] . "'";
+               $sql .= " AND trans.debtor_no = ".db_escape($_POST['customer_id']);
 
        if ($_POST['filterType'] != reserved_words::get_all())
        {
index 4ea1a8241aa8d770f7ef9e9d3a8b8aa123399da2..0004d19191f995991abcdd4e8a87c912dd2c5c9d 100644 (file)
@@ -204,7 +204,8 @@ if ($_POST['OutstandingOnly'] == true) {
 //figure out the sql required from the inputs available
 if (isset($_POST['DeliveryNumber']) && $_POST['DeliveryNumber'] != "")
 {
-       $sql .= " AND trans.trans_no LIKE '%". $_POST['DeliveryNumber'] ."'";
+       $delivery = "%".$_POST['DeliveryNumber'];
+       $sql .= " AND trans.trans_no LIKE ".db_escape($delivery);
        $sql .= " GROUP BY trans.trans_no";
 }
 else
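Review bot: db_escape protects the quoting but not the LIKE metacharacters, so a DeliveryNumber containing `%` or `_` still acts as a wildcard in the new `trans.trans_no LIKE` clause (a bare `%` matches every delivery). If a literal suffix match is intended, escape them before quoting: `$delivery = "%".addcslashes($_POST['DeliveryNumber'], '%_');`. This is a search-semantics caveat rather than an injection; the quoting itself is now correct.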
@@ -213,13 +214,13 @@ else
        $sql .= " AND trans.tran_date <= '".date2sql($_POST['DeliveryToDate'])."'";
 
        if ($selected_customer != -1)
-               $sql .= " AND trans.debtor_no='" . $selected_customer . "' ";
+               $sql .= " AND trans.debtor_no=".db_escape($selected_customer)." ";
 
        if (isset($selected_stock_item))
-               $sql .= " AND line.stock_id='". $selected_stock_item ."' ";
+               $sql .= " AND line.stock_id=".db_escape($selected_stock_item)." ";
 
        if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != reserved_words::get_all())
-               $sql .= " AND sorder.from_stk_loc = '". $_POST['StockLocation'] . "' ";
+               $sql .= " AND sorder.from_stk_loc = ".db_escape($_POST['StockLocation'])." ";
 
        $sql .= " GROUP BY trans.trans_no ";
 
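Review bot: The `tran_date <= '".date2sql($_POST['DeliveryToDate'])."'` condition at the top of this hunk is the one filter in the branch not routed through db_escape; it is safe only as long as date2sql returns a normalised date for every input, including malformed ones, which the diff cannot show. `$sql .= " AND trans.tran_date <= ".db_escape(date2sql($_POST['DeliveryToDate']));` keeps it safe regardless of that helper's behaviour. The else branch begins above this hunk.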
index a9741fa2bd3e86b1311573fef06913ed030f5c18..9a49fe512f974e7244e2eae61d50410ddb75076c 100644 (file)
@@ -221,8 +221,9 @@ $sql = "SELECT
 
 if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "")
 {
-       // search orders with number like ...
-       $sql .= " AND sorder.order_no LIKE '%". $_POST['OrderNumber'] ."'"
+       // search orders with number like 
+       $number_like = "%".$_POST['OrderNumber'];
+       $sql .= " AND sorder.order_no LIKE ".db_escape($number_like)
                        ." GROUP BY sorder.order_no";
 }
 else   // ... or select inquiry constraints
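Review bot: The OrderNumber filter is now quote-safe, but `%` and `_` inside the posted value are still LIKE wildcards, so a user can widen the `sorder.order_no LIKE` match to every order with a bare `%`. If literal matching is intended use `$number_like = "%".addcslashes($_POST['OrderNumber'], '%_');` before db_escape. The rewritten comment above it was also left as the fragment `// search orders with number like` — restore the trailing `...` so it still reads as a sentence.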
@@ -236,13 +237,13 @@ else      // ... or select inquiry constraints
                                ." AND sorder.ord_date <= '$date_before'";
        }
        if ($selected_customer != -1)
-               $sql .= " AND sorder.debtor_no='" . $selected_customer . "'";
+               $sql .= " AND sorder.debtor_no=".db_escape($selected_customer);
 
        if (isset($selected_stock_item))
-               $sql .= " AND line.stk_code='". $selected_stock_item ."'";
+               $sql .= " AND line.stk_code=".db_escape($selected_stock_item);
 
        if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != reserved_words::get_all())
-               $sql .= " AND sorder.from_stk_loc = '". $_POST['StockLocation'] . "' ";
+               $sql .= " AND sorder.from_stk_loc = ".db_escape($_POST['StockLocation'])." ";
 
        if ($_POST['order_view_mode']=='OutstandingOnly')
                $sql .= " AND line.qty_sent < line.quantity";
index 8d9400cc886a81757263a7f5b6722137d5b7d95c..998da84b66927883802c8760e9ab289468cd32fd 100644 (file)
@@ -59,7 +59,7 @@ if ($Mode=='UPDATE_ITEM' && can_process())
 function can_delete($selected_id)
 {
        $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtors_master 
-               WHERE credit_status=$selected_id";
+               WHERE credit_status=".db_escape($selected_id);
        $result = db_query($sql, "could not query customers");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
index 85eb72bb8a96aeeca788c2c201590c45441f3dcc..55c5a0a5145fe423e43872cf6af3845359946697 100644 (file)
@@ -136,7 +136,7 @@ elseif ($Mode == 'Delete')
 
        // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtor_trans'
 
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no = '" . $_POST['customer_id']. "'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no = ".db_escape($_POST['customer_id']);
        $result = db_query($sql,"could not query debtortrans");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0)
@@ -146,7 +146,7 @@ elseif ($Mode == 'Delete')
        }
        else
        {
-               $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no = '" . $_POST['customer_id']. "'";
+               $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no = ".db_escape($_POST['customer_id']);
                $result = db_query($sql,"could not query sales orders");
 
                $myrow = db_fetch_row($result);
@@ -156,7 +156,7 @@ elseif ($Mode == 'Delete')
                }
                else
                {
-                       $sql="DELETE FROM ".TB_PREF."cust_branch WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no='" . $_POST['customer_id']. "'";
+                       $sql="DELETE FROM ".TB_PREF."cust_branch WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no=".db_escape($_POST['customer_id']);
                        db_query($sql,"could not delete branch");
                        display_notification(_('Selected customer branch has been deleted'));
                }
@@ -189,7 +189,7 @@ if ($num_branches)
                AND ".TB_PREF."cust_branch.tax_group_id=".TB_PREF."tax_groups.id
                AND ".TB_PREF."cust_branch.area=".TB_PREF."areas.area_code
                AND ".TB_PREF."cust_branch.salesman=".TB_PREF."salesman.salesman_code
-               AND ".TB_PREF."cust_branch.debtor_no = '" . $_POST['customer_id']. "'";
+               AND ".TB_PREF."cust_branch.debtor_no = ".db_escape($_POST['customer_id']);
 
        $result = db_query($sql,"could not get customer branches");
 
@@ -234,8 +234,8 @@ if ($selected_id != -1)
 
                //editing an existing branch
        $sql = "SELECT * FROM ".TB_PREF."cust_branch
-                       WHERE branch_code='" . $_POST['branch_code'] . "'
-                       AND debtor_no='" . $_POST['customer_id'] . "'";
+                       WHERE branch_code=".db_escape($_POST['branch_code'])."
+                       AND debtor_no=".db_escape($_POST['customer_id']);
                $result = db_query($sql,"check failed");
            $myrow = db_fetch($result);
                set_focus('br_name');
@@ -264,7 +264,7 @@ elseif ($Mode != 'ADD_ITEM')
 { //end of if $SelectedBranch only do the else when a new record is being entered
        if(!$num_branches) {
                $sql = "SELECT name, address, email
-                       FROM ".TB_PREF."debtors_master WHERE debtor_no = '" . $_POST['customer_id']. "'";
+                       FROM ".TB_PREF."debtors_master WHERE debtor_no = ".db_escape($_POST['customer_id']);
                $result = db_query($sql,"check failed");
                $myrow = db_fetch($result);
                $_POST['br_name'] = $myrow["name"];
index d1f358ec5a9b49f6b590e9a5697932273cb0c7c2..bb18cdd0d6ba91f05c27e6e9a1835abaca623af7 100644 (file)
@@ -84,7 +84,7 @@ function handle_submit()
             pymt_discount=" . input_num('pymt_discount') / 100 . ", 
             credit_limit=" . input_num('credit_limit') . ", 
             sales_type = ".db_escape($_POST['sales_type']) . " 
-            WHERE debtor_no = '". $_POST['customer_id'] . "'";
+            WHERE debtor_no = ".db_escape($_POST['customer_id']);
 
                db_query($sql,"The customer could not be updated");
                display_notification(_("Customer has been updated."));
index eace174d3aa6df912822e8033f9f18bee84f34fd..9b35aea7a3c1e50adb6d41f8f53d2b7ca7acc4d4 100644 (file)
@@ -49,7 +49,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
                        monthly=".input_num('monthly', 0).", 
                        begin='".date2sql($_POST['begin'])."', 
                        end='".date2sql($_POST['end'])."' 
-                       WHERE id = '$selected_id'";
+                       WHERE id = ".db_escape($selected_id);
                        $note = _('Selected recurrent invoice has been updated');
        } 
        else 
@@ -75,7 +75,7 @@ if ($Mode == 'Delete')
 
        if ($cancel_delete == 0) 
        {
-               $sql="DELETE FROM ".TB_PREF."recurrent_invoices WHERE id='" . $selected_id . "'";
+               $sql="DELETE FROM ".TB_PREF."recurrent_invoices WHERE id=".db_escape($selected_id);
                db_query($sql,"could not delete recurrent invoice");
 
                display_notification(_('Selected recurrent invoice has been deleted'));
@@ -91,7 +91,7 @@ if ($Mode == 'RESET')
 //-------------------------------------------------------------------------------------------------
 function get_sales_group_name($group_no)
 {
-       $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = $group_no";
+       $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = ".db_escape($group_no);
        $result = db_query($sql, "could not get group");
        $row = db_fetch($result);
        return $row[0];
@@ -149,7 +149,7 @@ if ($selected_id != -1)
 {
        if ($Mode == 'Edit') {
                //editing an existing area
-               $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id='$selected_id'";
+               $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id=".db_escape($selected_id);
 
                $result = db_query($sql,"could not get recurrent invoice");
                $myrow = db_fetch($result);
index c7baeee531a622c308ad750a8cac9d32f9fc897f..e5b06a1448a1f255078ef9f382fe3328bff182fb 100644 (file)
@@ -35,7 +35,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
        {
        if ($selected_id != -1) 
        {
-               $sql = "UPDATE ".TB_PREF."areas SET description=".db_escape($_POST['description'])." WHERE area_code = '$selected_id'";
+               $sql = "UPDATE ".TB_PREF."areas SET description=".db_escape($_POST['description'])." WHERE area_code = ".db_escape($selected_id);
                        $note = _('Selected sales area has been updated');
        } 
        else 
@@ -57,7 +57,7 @@ if ($Mode == 'Delete')
 
        // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtors_master'
 
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE area='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE area=".db_escape($selected_id);
        $result = db_query($sql,"check failed");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
@@ -67,7 +67,7 @@ if ($Mode == 'Delete')
        } 
        if ($cancel_delete == 0) 
        {
-               $sql="DELETE FROM ".TB_PREF."areas WHERE area_code='" . $selected_id . "'";
+               $sql="DELETE FROM ".TB_PREF."areas WHERE area_code=".db_escape($selected_id);
                db_query($sql,"could not delete sales area");
 
                display_notification(_('Selected sales area has been deleted'));
@@ -117,7 +117,7 @@ if ($selected_id != -1)
 {
        if ($Mode == 'Edit') {
                //editing an existing area
-               $sql = "SELECT * FROM ".TB_PREF."areas WHERE area_code='$selected_id'";
+               $sql = "SELECT * FROM ".TB_PREF."areas WHERE area_code=".db_escape($selected_id);
 
                $result = db_query($sql,"could not get area");
                $myrow = db_fetch($result);
index 0fb676c6e070e611908c925c6c4cd3566cf47463..2fce1a9bb9a0305514aa7dfb6651e23dd96f2832 100644 (file)
@@ -35,7 +35,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
        {
        if ($selected_id != -1) 
        {
-               $sql = "UPDATE ".TB_PREF."groups SET description=".db_escape($_POST['description'])." WHERE id = '$selected_id'";
+               $sql = "UPDATE ".TB_PREF."groups SET description=".db_escape($_POST['description'])." WHERE id = ".db_escape($selected_id);
                        $note = _('Selected sales group has been updated');
        } 
        else 
@@ -57,7 +57,7 @@ if ($Mode == 'Delete')
 
        // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtors_master'
 
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE group_no='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE group_no=".db_escape($selected_id);
        $result = db_query($sql,"check failed");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
@@ -67,7 +67,7 @@ if ($Mode == 'Delete')
        } 
        if ($cancel_delete == 0) 
        {
-               $sql="DELETE FROM ".TB_PREF."groups WHERE id='" . $selected_id . "'";
+               $sql="DELETE FROM ".TB_PREF."groups WHERE id=".db_escape($selected_id);
                db_query($sql,"could not delete sales group");
 
                display_notification(_('Selected sales group has been deleted'));
@@ -117,7 +117,7 @@ if ($selected_id != -1)
 {
        if ($Mode == 'Edit') {
                //editing an existing area
-               $sql = "SELECT * FROM ".TB_PREF."groups WHERE id='$selected_id'";
+               $sql = "SELECT * FROM ".TB_PREF."groups WHERE id=".db_escape($selected_id);
 
                $result = db_query($sql,"could not get group");
                $myrow = db_fetch($result);
index 04e1948df6569c6e7506ef556b86c30c5e732952..731c552287527fcbf12e617631f8b1dcd9cd3bde 100644 (file)
@@ -56,7 +56,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
                        provision=".input_num('provision').",
                        break_pt=".input_num('break_pt').",
                        provision2=".input_num('provision2')."
-                       WHERE salesman_code = '$selected_id'";
+                       WHERE salesman_code = ".db_escape($selected_id);
        }
        else
        {
@@ -86,7 +86,7 @@ if ($Mode == 'Delete')
 
        // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtors_master'
 
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE salesman='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE salesman=".db_escape($selected_id);
        $result = db_query($sql,"check failed");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0)
@@ -95,7 +95,7 @@ if ($Mode == 'Delete')
        }
        else
        {
-               $sql="DELETE FROM ".TB_PREF."salesman WHERE salesman_code='$selected_id'";
+               $sql="DELETE FROM ".TB_PREF."salesman WHERE salesman_code=".db_escape($selected_id);
                db_query($sql,"The sales-person could not be deleted");
                display_notification(_('Selected sales person data have been deleted'));
        }
@@ -151,7 +151,7 @@ if ($selected_id != -1)
 {
        if ($Mode == 'Edit') {
                //editing an existing Sales-person
-               $sql = "SELECT *  FROM ".TB_PREF."salesman WHERE salesman_code='$selected_id'";
+               $sql = "SELECT *  FROM ".TB_PREF."salesman WHERE salesman_code=".db_escape($selected_id);
 
                $result = db_query($sql,"could not get sales person");
                $myrow = db_fetch($result);
index 1c4071bf866b0e2371c78b8cff96dfd9fbfca11a..7e795e890919e15dd5fd68f09b7d5a84f46b6230 100644 (file)
@@ -66,7 +66,7 @@ if ($Mode == 'Delete')
 {
        // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtor_trans'
 
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE tpe='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE tpe=".db_escape($selected_id);
        $result = db_query($sql,"check failed");
        check_db_error("The number of transactions using this Sales type record could not be retrieved", $sql);
 
@@ -79,7 +79,7 @@ if ($Mode == 'Delete')
        else
        {
 
-               $sql = "SELECT COUNT(*) FROM ".TB_PREF."debtors_master WHERE sales_type='$selected_id'";
+               $sql = "SELECT COUNT(*) FROM ".TB_PREF."debtors_master WHERE sales_type=".db_escape($selected_id);
                $result = db_query($sql,"check failed");
                check_db_error("The number of customers using this Sales type record could not be retrieved", $sql);
 
index 77d411751759567650bc5fa7142d7be51636746b..524c7ad65c2bd0aa1f649aeae04f80daef65370f 100644 (file)
@@ -77,7 +77,7 @@ display_heading2(_("Delivery Notes"));
 $th = array(_("#"), _("Ref"), _("Date"), _("Total"));
 table_header($th);
 
-$sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=13 AND order_=" . $_GET['trans_no'];
+$sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=13 AND order_=".db_escape($_GET['trans_no']);
 $result = db_query($sql,"The related delivery notes could not be retreived");
 
 $delivery_total = 0;
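Review bot: `$_GET['trans_no']` is compared against `order_` right next to the numeric literal `type=13`, so it is presumably an integer key, and escaping alone only stops injection — an absent or non-numeric parameter still reaches the query (with a PHP notice if unset) and leaves it to MySQL's string-to-number conversion to decide which rows match. Validating it once at the top of the page and reusing the local in all three queries would be both safer and less repetitive: `$trans_no = (int)$_GET['trans_no'];` and then `WHERE type=13 AND order_=".db_escape($trans_no);` (after the cast, plain interpolation would be injection-safe too). That also gives a single place to reject a zero or missing id before any of the three queries run.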
@@ -110,7 +110,7 @@ display_heading2(_("Sales Invoices"));
 $th = array(_("#"), _("Ref"), _("Date"), _("Total"));
 table_header($th);
 
-$sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=10 AND order_=" . $_GET['trans_no'];
+$sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=10 AND order_=".db_escape($_GET['trans_no']);
 $result = db_query($sql,"The related invoices could not be retreived");
 
 $invoices_total = 0;
@@ -142,7 +142,7 @@ start_table($table_style);
 $th = array(_("#"), _("Ref"), _("Date"), _("Total"));
 table_header($th);
 
-$sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=11 AND order_=" . $_GET['trans_no'];
+$sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=11 AND order_=".db_escape($_GET['trans_no']);
 $result = db_query($sql,"The related credit notes could not be retreived");
 
 $credits_total = 0;
index 3a99f9babeba67185d37b449e1e69f04c1761865..7e034e4b746242bd4f3abd47bf770726128d877a 100644 (file)
@@ -14,7 +14,7 @@ function add_item_tax_type($name, $exempt, $exempt_from)
        begin_transaction();
        
        $sql = "INSERT INTO ".TB_PREF."item_tax_types (name, exempt) 
-               VALUES (".db_escape($name).",$exempt)";
+               VALUES (".db_escape($name).",".db_escape($exempt).")";
                
        db_query($sql, "could not add item tax type");  
        
@@ -31,7 +31,7 @@ function update_item_tax_type($id, $name, $exempt, $exempt_from)
        begin_transaction();
        
        $sql = "UPDATE ".TB_PREF."item_tax_types SET name=".db_escape($name).
-       ",      exempt=$exempt WHERE id=$id";
+       ",      exempt=".db_escape($exempt)." WHERE id=".db_escape($id);
        
        db_query($sql, "could not update item tax type");       
        
@@ -51,7 +51,7 @@ function get_all_item_tax_types()
 
 function get_item_tax_type($id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."item_tax_types WHERE id=$id";
+       $sql = "SELECT * FROM ".TB_PREF."item_tax_types WHERE id=".db_escape($id);
        
        $result = db_query($sql, "could not get item tax type");
        
@@ -60,7 +60,8 @@ function get_item_tax_type($id)
 
 function get_item_tax_type_for_item($stock_id)
 {
-       $sql = "SELECT ".TB_PREF."item_tax_types.* FROM ".TB_PREF."item_tax_types,".TB_PREF."stock_master WHERE ".TB_PREF."stock_master.stock_id='$stock_id'
+       $sql = "SELECT ".TB_PREF."item_tax_types.* FROM ".TB_PREF."item_tax_types,".TB_PREF."stock_master WHERE 
+               ".TB_PREF."stock_master.stock_id=".db_escape($stock_id)."
                AND ".TB_PREF."item_tax_types.id=".TB_PREF."stock_master.tax_type_id";
        
        $result = db_query($sql, "could not get item tax type");
@@ -72,7 +73,7 @@ function delete_item_tax_type($id)
 {
        begin_transaction();
                
-       $sql = "DELETE FROM ".TB_PREF."item_tax_types WHERE id=$id";
+       $sql = "DELETE FROM ".TB_PREF."item_tax_types WHERE id=".db_escape($id);
                
        db_query($sql, "could not delete item tax type");
        // also delete all exemptions
@@ -86,21 +87,21 @@ function add_item_tax_type_exemptions($id, $exemptions)
        for ($i = 0; $i < count($exemptions); $i++) 
        {
                $sql = "INSERT INTO ".TB_PREF."item_tax_type_exemptions (item_tax_type_id, tax_type_id)
-                       VALUES ($id,  " . $exemptions[$i] . ")";
+                       VALUES (".db_escape($id).",  ".db_escape($exemptions[$i]).")";
                db_query($sql, "could not add item tax type exemptions");                                       
        }               
 }
 
 function delete_item_tax_type_exemptions($id)
 {
-       $sql = "DELETE FROM ".TB_PREF."item_tax_type_exemptions WHERE item_tax_type_id=$id";
+       $sql = "DELETE FROM ".TB_PREF."item_tax_type_exemptions WHERE item_tax_type_id=".db_escape($id);
        
        db_query($sql, "could not delete item tax type exemptions");                                    
 }
 
 function get_item_tax_type_exemptions($id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."item_tax_type_exemptions WHERE item_tax_type_id=$id";
+       $sql = "SELECT * FROM ".TB_PREF."item_tax_type_exemptions WHERE item_tax_type_id=".db_escape($id);
        
        return db_query($sql, "could not get item tax type exemptions");
 }
index 5abe4333b969de031c5e3a95cec103c302387b61..2c0b6b0220206c0288f7b2cf80606f282ced972f 100644 (file)
@@ -21,7 +21,7 @@ function add_tax_group($name, $tax_shipping, $taxes, $rates)
        if($tax_shipping)       // only one tax group for shipping
          clear_shipping_tax_group();
                
-       $sql = "INSERT INTO ".TB_PREF."tax_groups (name, tax_shipping) VALUES (".db_escape($name).", $tax_shipping)";
+       $sql = "INSERT INTO ".TB_PREF."tax_groups (name, tax_shipping) VALUES (".db_escape($name).", ".db_escape($tax_shipping).")";
        db_query($sql, "could not add tax group");
        
        $id = db_insert_id();
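Review bot: `$tax_shipping` is tested as a boolean on the `if($tax_shipping)` line yet is now handed to db_escape as-is in the INSERT; how the helper renders a PHP `true`/`false` (as opposed to 1/0) is not visible here and is worth confirming, since a quoted empty string or a type error would change what gets stored. Normalising the value first removes the question regardless of the helper's behaviour: `VALUES (".db_escape($name).", ".(int)$tax_shipping.")";` — an integer cast is injection-safe on its own. The same applies to the `tax_shipping=` assignment in update_tax_group. add_tax_group's signature is outside this hunk.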
@@ -38,7 +38,7 @@ function update_tax_group($id, $name, $tax_shipping, $taxes, $rates)
        if($tax_shipping)       // only one tax group for shipping
          clear_shipping_tax_group();
        
-    $sql = "UPDATE ".TB_PREF."tax_groups SET name=".db_escape($name).",tax_shipping=$tax_shipping WHERE id=$id";
+    $sql = "UPDATE ".TB_PREF."tax_groups SET name=".db_escape($name).",tax_shipping=".db_escape($tax_shipping)." WHERE id=".db_escape($id);
        db_query($sql, "could not update tax group");
        
        delete_tax_group_items($id);
@@ -56,7 +56,7 @@ function get_all_tax_groups()
 
 function get_tax_group($type_id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."tax_groups WHERE id=$type_id";
+       $sql = "SELECT * FROM ".TB_PREF."tax_groups WHERE id=".db_escape($type_id);
        
        $result = db_query($sql, "could not get tax group");
        
@@ -67,7 +67,7 @@ function delete_tax_group($id)
 {
        begin_transaction();
                
-       $sql = "DELETE FROM ".TB_PREF."tax_groups WHERE id=$id";
+       $sql = "DELETE FROM ".TB_PREF."tax_groups WHERE id=".db_escape($id);
                
        db_query($sql, "could not delete tax group");
        
@@ -81,14 +81,14 @@ function add_tax_group_items($id, $items, $rates)
        for ($i=0; $i < count($items); $i++) 
        {
                $sql = "INSERT INTO ".TB_PREF."tax_group_items (tax_group_id, tax_type_id, rate)
-                       VALUES ($id,  " . $items[$i] . ", " . $rates[$i] .")";
+                       VALUES (".db_escape($id).",  ".db_escape($items[$i]).", " . $rates[$i] .")";
                db_query($sql, "could not add item tax group item");                                    
        }               
 }
 
 function delete_tax_group_items($id)
 {
-       $sql = "DELETE FROM ".TB_PREF."tax_group_items WHERE tax_group_id=$id";
+       $sql = "DELETE FROM ".TB_PREF."tax_group_items WHERE tax_group_id=".db_escape($id);
        
        db_query($sql, "could not delete item tax group items");                                        
 }
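Review bot: The third value in the INSERT on the `VALUES` line of add_tax_group_items, `$rates[$i]`, is still concatenated raw while `$id` and `$items[$i]` beside it are now passed through db_escape, so the statement stays injectable through the rates array. Unless the caller is known to have already forced every rate to a number, escape it the same way: `VALUES (".db_escape($id).",  ".db_escape($items[$i]).", ".db_escape($rates[$i]).")";`. If the column is numeric, an explicit `(float)` cast before interpolation would be an equally safe alternative.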
@@ -98,7 +98,7 @@ function get_tax_group_items($id)
        $sql = "SELECT ".TB_PREF."tax_group_items.*, ".TB_PREF."tax_types.name AS tax_type_name, 
                ".TB_PREF."tax_types.sales_gl_code, ".TB_PREF."tax_types.purchasing_gl_code  
                FROM ".TB_PREF."tax_group_items, ".TB_PREF."tax_types 
-               WHERE tax_group_id=$id
+               WHERE tax_group_id=".db_escape($id)."
                        AND ".TB_PREF."tax_types.id=tax_type_id";
        
        return db_query($sql, "could not get item tax type group items");
index 672a4e3613a53a327eeb32e4e64edc83fb7b74b7..71096f32743c72be92210ab39b03247a4aa344b1 100644 (file)
@@ -24,7 +24,7 @@ function update_tax_type($type_id, $name, $sales_gl_code, $purchasing_gl_code, $
                sales_gl_code=".db_escape($sales_gl_code).",
                purchasing_gl_code=".db_escape($purchasing_gl_code).",
                rate=$rate
-               WHERE id=$type_id";
+               WHERE id=".db_escape($type_id);
 
        db_query($sql, "could not update tax type");
 }
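Review bot: `rate=$rate` on the context line just above the changed `WHERE` is still interpolated unescaped, so update_tax_type's UPDATE is only half-hardened: the id is now escaped but the rate is not. Unless every caller already coerces `$rate` to a number, pass it through the same helper, `rate=".db_escape($rate)."`, or cast it with `(float)` before building the statement. update_tax_type's signature and the start of the statement are outside this hunk.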
@@ -57,7 +57,7 @@ function get_tax_type($type_id)
                FROM ".TB_PREF."tax_types, ".TB_PREF."chart_master AS Chart1,
                ".TB_PREF."chart_master AS Chart2
                WHERE ".TB_PREF."tax_types.sales_gl_code = Chart1.account_code
-               AND ".TB_PREF."tax_types.purchasing_gl_code = Chart2.account_code AND id=$type_id";
+               AND ".TB_PREF."tax_types.purchasing_gl_code = Chart2.account_code AND id=".db_escape($type_id);
 
        $result = db_query($sql, "could not get tax type");
        return db_fetch($result);
@@ -65,7 +65,7 @@ function get_tax_type($type_id)
 
 function get_tax_type_default_rate($type_id)
 {
-       $sql = "SELECT rate FROM ".TB_PREF."tax_types WHERE id=$type_id";
+       $sql = "SELECT rate FROM ".TB_PREF."tax_types WHERE id=".db_escape($type_id);
 
        $result = db_query($sql, "could not get tax type rate");
 
@@ -77,7 +77,7 @@ function delete_tax_type($type_id)
 {
        begin_transaction();
 
-       $sql = "DELETE FROM ".TB_PREF."tax_types WHERE id=$type_id";
+       $sql = "DELETE FROM ".TB_PREF."tax_types WHERE id=".db_escape($type_id);
 
        db_query($sql, "could not delete tax type");
 
index 91f21c97405c52dba08bdf9f2e436e88e3a27c01..96742971e44d2ac84a0c66c8de886cc1199a42d5 100644 (file)
@@ -72,7 +72,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
 
 function can_delete($selected_id)
 {
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE tax_type_id=$selected_id";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE tax_type_id=".db_escape($selected_id);
        $result = db_query($sql, "could not query stock master");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
index 1209d62133eca1f355f073e7f2a464b95b999aaa..7107cdca7a75c8f6732e533231faeda6c84cc92e 100644 (file)
@@ -210,7 +210,7 @@ function get_tax_for_items($items, $prices, $shipping_cost, $tax_group, $tax_inc
 function is_tax_account($account_code)
 {
        $sql= "SELECT id FROM ".TB_PREF."tax_types WHERE 
-               sales_gl_code='$account_code' OR purchasing_gl_code='$account_code'";
+               sales_gl_code=".db_escape($account_code)." OR purchasing_gl_code=".db_escape($account_code);
        $result = db_query($sql, "checking account is tax account");
        if (db_num_rows($result) > 0) {
                $acct = db_fetch($result);
index bc947284d616ebdb72e0c165f9699a1ab50395aa..cf4177c6b697883a16732ae97d47a961f50bcf61 100644 (file)
@@ -96,7 +96,7 @@ function can_delete($selected_id)
 {
        if ($selected_id == -1)
                return false;
-       $sql = "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE tax_group_id=$selected_id";
+       $sql = "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE tax_group_id=".db_escape($selected_id);
        $result = db_query($sql, "could not query customers");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
@@ -105,7 +105,7 @@ function can_delete($selected_id)
                return false;
        }
 
-       $sql = "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE tax_group_id=$selected_id";
+       $sql = "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE tax_group_id=".db_escape($selected_id);
        $result = db_query($sql, "could not query suppliers");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0) 
index 20369be770dfdd5bc06a8bae6d672822393a5c98..e7aa9240114516f8099f01ce0e63cdac5d215993 100644 (file)
@@ -72,7 +72,7 @@ if ($Mode=='UPDATE_ITEM' && can_process())
 
 function can_delete($selected_id)
 {
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."tax_group_items  WHERE tax_type_id=$selected_id";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."tax_group_items  WHERE tax_type_id=".db_escape($selected_id);
        $result = db_query($sql, "could not query tax groups");
        $myrow = db_fetch_row($result);
        if ($myrow[0] > 0)