From: Janusz Dobrowolski
Date: Fri, 18 Apr 2008 20:43:30 +0000 (+0000)
Subject: Sealing against XSS atacks: purchasing,sales,install,admin,taxes
X-Git-Tag: v2.4.2~19^2~2098
X-Git-Url: https://delta.frontaccounting.com/gitweb/?p=fa-stable.git;a=commitdiff_plain;h=5928cc0bb4164cfd1dfc77f279f6b12d7806294f
Sealing against XSS atacks: purchasing,sales,install,admin,taxes
---
diff --git a/admin/db/maintenance_db.inc b/admin/db/maintenance_db.inc
index b2583d5c..444ac100 100644
--- a/admin/db/maintenance_db.inc
+++ b/admin/db/maintenance_db.inc
@@ -411,7 +411,7 @@ function db_export($conn, $filename, $zip='no', $comment='')
 // run through each field
 for ($k = 0; $k < $nf = db_num_fields($res2); $k++)
 {
- $out .= db_escape($row2[$k], true);
+ $out .= db_escape($row2[$k]);
 if ($k < ($nf - 1))
 $out .= ", ";
 }
diff --git a/install/save.php b/install/save.php
index 0c786f26..e6de3fe9 100644
--- a/install/save.php
+++ b/install/save.php
@@ -348,9 +348,9 @@ else
 {
 mysql_select_db($database_name, $db);
 }
-$sql = "UPDATE ".$table_prefix."users SET password = '" . md5($admin_password) . "', email = '$admin_email' WHERE user_id = 'admin'";
+$sql = "UPDATE ".$table_prefix."users SET password = '" . md5($admin_password) . "', email = ".db_escape($admin_email)." WHERE user_id = 'admin'";
 db_query($sql, "could not update admin account");
-$sql = "UPDATE ".$table_prefix."company SET coy_name = '$company_name' WHERE coy_code = 1";
+$sql = "UPDATE ".$table_prefix."company SET coy_name = ".db_escape($company_name)." WHERE coy_code = 1";
 db_query($sql, "could not update company name. Do it manually later in Setup");
 session_unset();
diff --git a/purchasing/includes/db/grn_db.inc b/purchasing/includes/db/grn_db.inc
index 81b11bb9..90b5528a 100644
--- a/purchasing/includes/db/grn_db.inc
+++ b/purchasing/includes/db/grn_db.inc
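Review bot: In `db_export` the second argument of `db_escape` is dropped on the only changed line, and nothing in the hunk shows what that argument selected, so the dump format may change for some column values — if it governed NULL handling, a restore from this export could turn NULL columns into empty strings. That is worth confirming against `db_escape`'s definition before release, and a one-line comment on the call would keep the intent readable, e.g. `// db_escape() quotes the value; confirm NULL columns still round-trip through a restore`. The body of `db_export` continues outside the hunk.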
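Review bot: The first added line in install/save.php still stores the admin password as an unsalted `md5($admin_password)`; the commit escapes the email but leaves a hash that is fast to compute and therefore cheap to recover from a leaked users table. The login code that verifies the hash is not in this diff, so the scheme cannot be swapped here alone, but the line deserves a marker such as `// TODO: md5 is unsalted and fast; migrate password storage to a salted slow hash together with the login check`. `$table_prefix` is also interpolated raw in both statements, which is only acceptable if it comes from the installer's own configuration rather than request input (not visible here).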
@@ -39,7 +39,7 @@ function add_grn(&$po, $date_, $reference, $location)
 else
 $material_cost = ($qoh * $material_cost + $order_line->receive_qty * $price_in_home_currency) / ($qoh + $order_line->receive_qty);
- $sql = "UPDATE ".TB_PREF."stock_master SET material_cost=$material_cost
+ $sql = "UPDATE ".TB_PREF."stock_master SET material_cost=".db_escape($material_cost)."
 WHERE stock_id='$order_line->stock_id'";
 db_query($sql,"The cost details for the inventory item could not be updated");
 //----------------------------------------------------------------------------------------------------------------
@@ -73,7 +73,8 @@ function add_grn_batch($po_number, $supplier_id, $reference, $location, $date_)
 $date = date2sql($date_);
 $sql = "INSERT INTO ".TB_PREF."grn_batch (purch_order_no, delivery_date, supplier_id, reference, loc_code)
- VALUES ($po_number, '$date', '$supplier_id', '$reference', '$location')";
+ VALUES (".db_escape($po_number).", ".db_escape($date).", "
+ .db_escape($supplier_id).", ".db_escape($reference).", ".db_escape($location).")";
 db_query($sql, "A grn batch record could not be inserted.");
@@ -93,7 +94,7 @@ function add_grn_detail_item($grn_batch_id, $po_detail_item, $item_code, $descri
 db_query($sql, "a purchase order details record could not be updated. This receipt of goods has not been processed ");
 $sql = "INSERT INTO ".TB_PREF."grn_items (grn_batch_id, po_detail_item, item_code, description, qty_recd)
- VALUES ($grn_batch_id, $po_detail_item, '$item_code', '$description', $quantity_received)";
+ VALUES ($grn_batch_id, $po_detail_item, ".db_escape($item_code).", ".db_escape($description).", $quantity_received)";
 db_query($sql, "A GRN detail item could not be inserted.");
diff --git a/purchasing/includes/db/invoice_items_db.inc b/purchasing/includes/db/invoice_items_db.inc
index 18ff4aa9..621309bb 100644
--- a/purchasing/includes/db/invoice_items_db.inc
+++ b/purchasing/includes/db/invoice_items_db.inc
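Review bot: The new `material_cost=".db_escape($material_cost)."` line in `add_grn` runs straight into the unchanged `WHERE stock_id='$order_line->stock_id'"`, so the row selector of that UPDATE stays string-interpolated while only the value is escaped; unless the id is validated before it reaches this layer (not visible here), finish the statement with `WHERE stock_id=".db_escape($order_line->stock_id);`. The third hunk has the same half-escaped shape: `$grn_batch_id`, `$po_detail_item` and `$quantity_received` remain bare in the new VALUES line next to the escaped `$item_code` and `$description`. The same leftover bare interpolations recur in `add_supp_invoice_item`, `add_po` (the `$po_obj->reference` context line), `add_supp_trans`, the credit_status, sales_types and taxes/db helpers, and `write_customer_trans` / `write_customer_trans_detail_item` further down this diff, so I am raising it once here. `add_grn` itself starts before the hunk.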
@@ -8,8 +8,9 @@ function add_supp_invoice_item($supp_trans_type, $supp_trans_no, $stock_id, $des
 {
 $sql = "INSERT INTO ".TB_PREF."supp_invoice_items (supp_trans_type, supp_trans_no, stock_id, description, gl_code, unit_price, unit_tax, quantity, grn_item_id, po_detail_item_id, memo_) ";
- $sql .= "VALUES ($supp_trans_type, $supp_trans_no, '$stock_id', '$description', '$gl_code', $unit_price, $unit_tax, $quantity,
- $grn_item_id, $po_detail_item_id, '$memo_')";
+ $sql .= "VALUES ($supp_trans_type, $supp_trans_no, ".db_escape($stock_id).
+ ", ".db_escape($description).", ".db_escape($gl_code).", $unit_price, $unit_tax, $quantity,
+ $grn_item_id, $po_detail_item_id, ".db_escape($memo_).")";
 if ($err_msg == "")
 $err_msg = "Cannot insert a supplier transaction detail record";
diff --git a/purchasing/includes/db/po_db.inc b/purchasing/includes/db/po_db.inc
index ba2740e9..cb2a1e49 100644
--- a/purchasing/includes/db/po_db.inc
+++ b/purchasing/includes/db/po_db.inc
@@ -19,7 +19,7 @@ function add_po(&$po_obj)
 /*Insert to purchase order header record */
 $sql = "INSERT INTO ".TB_PREF."purch_orders (supplier_id, Comments, ord_date, reference, requisition_no, into_stock_location, delivery_address) VALUES(";
- $sql .= "' ". $po_obj->supplier_id . "'," .
+ $sql .= db_escape($po_obj->supplier_id) . "," .
 db_escape($po_obj->Comments) . ",'" .
 date2sql($po_obj->orig_order_date) . "', '" .
 $po_obj->reference . "', " .
diff --git a/purchasing/includes/db/supp_trans_db.inc b/purchasing/includes/db/supp_trans_db.inc
index 6526093b..b38e787a 100644
--- a/purchasing/includes/db/supp_trans_db.inc
+++ b/purchasing/includes/db/supp_trans_db.inc
@@ -17,7 +17,7 @@ function add_supp_trans($type, $supplier_id, $date_, $due_date, $reference, $sup
 $sql = "INSERT INTO ".TB_PREF."supp_trans (trans_no, type, supplier_id, tran_date, due_date, reference, supp_reference, ov_amount, ov_gst, rate, ov_discount) ";
 $sql .= "VALUES ($trans_no, $type, $supplier_id, '$date', '$due_date',
- '$reference', '$supp_reference', $amount, $amount_tax, $rate, $discount)";
+ ".db_escape($reference).", ".db_escape($supp_reference).", $amount, $amount_tax, $rate, $discount)";
 if ($err_msg == "")
 $err_msg = "Cannot insert a supplier transaction record";
diff --git a/purchasing/manage/suppliers.php b/purchasing/manage/suppliers.php
index b1866cd1..fbaabbca 100644
--- a/purchasing/manage/suppliers.php
+++ b/purchasing/manage/suppliers.php
@@ -46,18 +46,18 @@ if (isset($_POST['submit']))
 if (!isset($_POST['New']))
 {
- $sql = "UPDATE ".TB_PREF."suppliers SET supp_name='" . $_POST['supp_name'] . "',
- address='" . $_POST['address'] . "',
- email='" . $_POST['email'] . "',
- bank_account='" . $_POST['bank_account'] . "',
- dimension_id=" . $_POST['dimension_id'] . ",
- dimension2_id=" . $_POST['dimension2_id'] . ",
- curr_code='" . $_POST['curr_code'] . "',
- payment_terms='" . $_POST['payment_terms'] . "',
- payable_account='" . $_POST['payable_account'] . "',
- purchase_account='" . $_POST['purchase_account'] . "',
- payment_discount_account='" . $_POST['payment_discount_account'] . "',
- tax_group_id=" . $_POST['tax_group_id'] . " WHERE supplier_id = '" . $_POST['supplier_id'] . "'";
+ $sql = "UPDATE ".TB_PREF."suppliers SET supp_name=".db_escape($_POST['supp_name']) . ",
+ address=".db_escape($_POST['address']) . ",
+ email=".db_escape($_POST['email']) . ",
+ bank_account=".db_escape($_POST['bank_account']) . ",
+ dimension_id=".db_escape($_POST['dimension_id']) . ",
+ dimension2_id=".db_escape($_POST['dimension2_id']) . ",
+ curr_code=".db_escape($_POST['curr_code']).",
+ payment_terms=".db_escape($_POST['payment_terms']) . ",
+ payable_account=".db_escape($_POST['payable_account']) . ",
+ purchase_account=".db_escape($_POST['purchase_account']) . ",
+ payment_discount_account=".db_escape($_POST['payment_discount_account']) . ",
+ tax_group_id=".db_escape($_POST['tax_group_id']) . " WHERE supplier_id = '" . $_POST['supplier_id'] . "'";
 db_query($sql,"The supplier could not be updated");
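Review bot: The last rebuilt line of the UPDATE keeps `WHERE supplier_id = '" . $_POST['supplier_id'] . "'"` — every SET value now goes through `db_escape`, but the row selector, which comes straight from the request, is the one field left unescaped in the same statement. The intended form is visible in this commit's customer_branches.php hunk, which escapes its WHERE keys: `tax_group_id=".db_escape($_POST['tax_group_id'])." WHERE supplier_id = ".db_escape($_POST['supplier_id']);`. The customers.php update (`WHERE debtor_no = '". $_POST['customer_id'] . "'"`) has the identical gap, and sales_areas.php's `WHERE area_code = '$selected_id'` should be checked too if `$selected_id` originates from the request. The enclosing `if (isset($_POST['submit']))` block starts before the hunk.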
@@ -67,18 +67,18 @@ if (isset($_POST['submit']))
 $sql = "INSERT INTO ".TB_PREF."suppliers (supp_name, address, email, bank_account, dimension_id, dimension2_id, curr_code, payment_terms, payable_account, purchase_account, payment_discount_account, tax_group_id)
- VALUES ('" . $_POST['supp_name'] . "', '" .
- $_POST['address'] . "', '" .
- $_POST['email'] . "', '" .
- $_POST['bank_account'] . "', " .
- $_POST['dimension_id'] . ", " .
- $_POST['dimension2_id'] . ", '" .
- $_POST['curr_code'] . "', '" .
- $_POST['payment_terms'] . "', '" .
- $_POST['payable_account'] . "', '" .
- $_POST['purchase_account'] . "', '" .
- $_POST['payment_discount_account'] . "', " .
- $_POST['tax_group_id'] . ")";
+ VALUES (".db_escape($_POST['supp_name']). ", "
+ .db_escape($_POST['address']) . ", "
+ .db_escape($_POST['email']). ", "
+ .db_escape($_POST['bank_account']). ", "
+ .db_escape($_POST['dimension_id']). ", "
+ .db_escape($_POST['dimension2_id']). ", "
+ .db_escape($_POST['curr_code']). ", "
+ .db_escape($_POST['payment_terms']). ", "
+ .db_escape($_POST['payable_account']). ", "
+ .db_escape($_POST['purchase_account']). ", "
+ .db_escape($_POST['payment_discount_account']). ", "
+ .db_escape($_POST['tax_group_id']). ")";
 db_query($sql,"The supplier could not be added");
 }
diff --git a/sales/includes/db/credit_status_db.inc b/sales/includes/db/credit_status_db.inc
index 4bf0bdd9..0bcabe70 100644
--- a/sales/includes/db/credit_status_db.inc
+++ b/sales/includes/db/credit_status_db.inc
@@ -3,14 +3,14 @@ function add_credit_status($description, $disallow_invoicing)
 {
 $sql = "INSERT INTO ".TB_PREF."credit_status (reason_description, dissallow_invoices)
- VALUES ('$description',$disallow_invoicing)";
+ VALUES (".db_escape($description).",$disallow_invoicing)";
 db_query($sql, "could not add credit status");
 }
 function update_credit_status($status_id, $description, $disallow_invoicing)
 {
- $sql = "UPDATE ".TB_PREF."credit_status SET reason_description='$description',
+ $sql = "UPDATE ".TB_PREF."credit_status SET reason_description=".db_escape($description).",
 dissallow_invoices=$disallow_invoicing WHERE id=$status_id";
 db_query($sql, "could not update credit status");
diff --git a/sales/includes/db/cust_trans_db.inc b/sales/includes/db/cust_trans_db.inc
index 5e403c51..dde04fe7 100644
--- a/sales/includes/db/cust_trans_db.inc
+++ b/sales/includes/db/cust_trans_db.inc
@@ -99,18 +99,20 @@ function write_customer_trans($trans_type, $trans_no, $debtor_no, $BranchNo,
 order_, ov_amount, ov_discount, ov_gst, ov_freight, ov_freight_tax, rate, ship_via, alloc, trans_link
- ) VALUES ($trans_no, $trans_type, '$debtor_no', '$BranchNo',
- '$SQLDate', '$SQLDueDate', '$reference',
- '$sales_type', $order_no, $Total, $discount, $Tax, $Freight,
- $FreightTax, $rate, '$ship_via', $AllocAmt, $trans_link)";
+ ) VALUES ($trans_no, $trans_type,
+ ".db_escape($debtor_no).", ".db_escape($BranchNo).",
+ '$SQLDate', '$SQLDueDate', ".db_escape($reference).",
+ ".db_escape($sales_type).", $order_no, $Total, ".db_escape($discount).", $Tax,
+ ".db_escape($Freight).",
+ $FreightTax, $rate, ".db_escape($ship_via).", $AllocAmt, ".db_escape($trans_link);
 } else { // may be optional argument should stay unchanged ?
 $sql = "UPDATE ".TB_PREF."debtor_trans SET
- debtor_no='$debtor_no' , branch_code='$BranchNo',
+ debtor_no=".db_escape($debtor_no)." , branch_code=".db_escape($BranchNo).",
 tran_date='$SQLDate', due_date='$SQLDueDate',
- reference='$reference', tpe='$sales_type', order_=$order_no,
- ov_amount=$Total, ov_discount=$discount, ov_gst=$Tax,
- ov_freight=$Freight, ov_freight_tax=$FreightTax, rate=$rate,
- ship_via='$ship_via', alloc=$AllocAmt, trans_link=$trans_link
+ reference=".db_escape($reference).", tpe=".db_escape($sales_type).", order_=$order_no,
+ ov_amount=$Total, ov_discount=".db_escape($discount).", ov_gst=$Tax,
+ ov_freight=".db_escape($Freight).", ov_freight_tax=$FreightTax, rate=$rate,
+ ship_via=".db_escape($ship_via).", alloc=$AllocAmt, trans_link=$trans_link
 WHERE trans_no=$trans_no AND type=$trans_type";
 }
 db_query($sql, "The debtor transaction record could not be inserted");
diff --git a/sales/includes/db/cust_trans_details_db.inc b/sales/includes/db/cust_trans_details_db.inc
index ebe79a56..b44c1d5f 100644
--- a/sales/includes/db/cust_trans_details_db.inc
+++ b/sales/includes/db/cust_trans_details_db.inc
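Review bot: The INSERT branch of `write_customer_trans` no longer produces a valid statement: the last added line ends with `".db_escape($trans_link);`, whereas the removed line ended with `$trans_link)";`, so the closing parenthesis of the VALUES list was lost and every insert through this function will fail at `db_query`. The line should read `$FreightTax, $rate, ".db_escape($ship_via).", $AllocAmt, ".db_escape($trans_link).")";`. In the same hunk `$discount` and `$Freight` are escaped while `$Total`, `$Tax`, `$FreightTax`, `$rate` and `$AllocAmt` stay bare in both branches; if the numeric amounts are trusted at this point the two escaped ones are inconsistent, and if not, the rest need the same treatment. The function starts before the hunk.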
@@ -84,8 +84,8 @@ function write_customer_trans_detail_item($debtor_trans_type, $debtor_trans_no,
 {
 if ($line_id!=0)
 $sql = "UPDATE ".TB_PREF."debtor_trans_details SET
- stock_id='$stock_id',
- description='$description',
+ stock_id=".db_escape($stock_id).",
+ description=".db_escape($description).",
 quantity=$quantity,
 unit_price=$unit_price,
 unit_tax=$unit_tax,
@@ -96,7 +96,8 @@ function write_customer_trans_detail_item($debtor_trans_type, $debtor_trans_no,
 $sql = "INSERT INTO ".TB_PREF."debtor_trans_details (debtor_trans_no, debtor_trans_type, stock_id, description, quantity, unit_price, unit_tax, discount_percent, standard_cost)
- VALUES ($debtor_trans_no, $debtor_trans_type, '$stock_id', '$description',
+ VALUES ($debtor_trans_no, $debtor_trans_type, ".db_escape($stock_id).
+ ", ".db_escape($description).",
 $quantity, $unit_price, $unit_tax, $discount_percent, $std_cost)";
 db_query($sql, "The debtor transaction detail could not be written");
diff --git a/sales/includes/db/sales_order_db.inc b/sales/includes/db/sales_order_db.inc
index cb8e416b..0e51a907 100644
--- a/sales/includes/db/sales_order_db.inc
+++ b/sales/includes/db/sales_order_db.inc
@@ -54,20 +54,20 @@ function add_sales_order(&$order)
 $sql = "INSERT INTO ".TB_PREF."sales_orders (type, debtor_no, branch_code, customer_ref, comments, ord_date, order_type, ship_via, deliver_to, delivery_address, contact_phone, contact_email, freight_cost, from_stk_loc, delivery_date)
- VALUES (" .db_quote($order_type) . "," . db_quote($order->customer_id) .
- ", " . db_quote($order->Branch) . ", ".
- db_quote($order->cust_ref) .",".
- db_quote($order->Comments) .",'" .
+ VALUES (" .db_escape($order_type) . "," . db_escape($order->customer_id) .
+ ", " . db_escape($order->Branch) . ", ".
+ db_escape($order->cust_ref) .",".
+ db_escape($order->Comments) .",'" .
 date2sql($order->document_date) . "', " .
- db_quote($order->sales_type) . ", " .
+ db_escape($order->sales_type) . ", " .
 $_POST['ship_via'] ."," .
- db_quote($order->deliver_to) . "," .
- db_quote($order->delivery_address) . ", " .
- db_quote($order->phone) . ", " .
- db_quote($order->email) . ", " .
- db_quote($order->freight_cost) .", " .
- db_quote($order->Location) .", " .
- db_quote($del_date) . ")";
+ db_escape($order->deliver_to) . "," .
+ db_escape($order->delivery_address) . ", " .
+ db_escape($order->phone) . ", " .
+ db_escape($order->email) . ", " .
+ db_escape($order->freight_cost) .", " .
+ db_escape($order->Location) .", " .
+ db_escape($del_date) . ")";
 db_query($sql, "order Cannot be Added");
@@ -111,7 +111,8 @@ function add_sales_order(&$order)
 $sql = "INSERT INTO ".TB_PREF."sales_order_details (order_no, stk_code, description, unit_price, quantity, discount_percent) VALUES (";
 $sql .= $order_no .
- ",'$line->stock_id', '$line->item_description', $line->price,
+ ",".db_escape($line->stock_id).", "
+ .db_escape($line->item_description).", $line->price,
 $line->quantity, $line->discount_percent)";
 db_query($sql, "order Details Cannot be Added");
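Review bot: In `add_sales_order` the context line `$_POST['ship_via'] ."," .` is the one value in the rebuilt VALUES list that is neither escaped nor taken from `$order`; it is a raw request field read from inside a db-layer function while every neighbour now goes through `db_escape`. `update_sales_order` in this same commit writes `db_escape($order->ship_via)`, so the order object presumably already carries the value and the insert could use `db_escape($order->ship_via) ."," .` as well — to be confirmed against the code that fills `$order`. The second hunk (order lines) shows the opposite inconsistency: `$line->price`, `$line->quantity` and `$line->discount_percent` stay bare there while the matching lines in `update_sales_order`'s detail insert are escaped. The function starts before the hunk.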
@@ -182,24 +183,23 @@ function update_sales_order($order)
 begin_transaction();
 $sql = "UPDATE ".TB_PREF."sales_orders SET type =".$order->so_type." ,
- debtor_no = " . db_quote($order->customer_id) . ",
- branch_code = " . db_quote($order->Branch) . ",
- customer_ref = ". db_quote($order->cust_ref) .",
- comments = ". db_quote($order->Comments) .",
- ord_date = " . db_quote($ord_date) . ",
- order_type = " .db_quote($order->sales_type) . ",
- ship_via = " . db_quote($order->ship_via) .",
- deliver_to = " . db_quote($order->deliver_to) . ",
- delivery_address = " . db_quote($order->delivery_address) . ",
- contact_phone = " .db_quote($order->phone) . ",
- contact_email = " .db_quote($order->email) . ",
- freight_cost = " .db_quote($order->freight_cost) .",
- from_stk_loc = " .db_quote($order->Location) .",
- delivery_date = " .db_quote($del_date). ",
+ debtor_no = " . db_escape($order->customer_id) . ",
+ branch_code = " . db_escape($order->Branch) . ",
+ customer_ref = ". db_escape($order->cust_ref) .",
+ comments = ". db_escape($order->Comments) .",
+ ord_date = " . db_escape($ord_date) . ",
+ order_type = " .db_escape($order->sales_type) . ",
+ ship_via = " . db_escape($order->ship_via) .",
+ deliver_to = " . db_escape($order->deliver_to) . ",
+ delivery_address = " . db_escape($order->delivery_address) . ",
+ contact_phone = " .db_escape($order->phone) . ",
+ contact_email = " .db_escape($order->email) . ",
+ freight_cost = " .db_escape($order->freight_cost) .",
+ from_stk_loc = " .db_escape($order->Location) .",
+ delivery_date = " .db_escape($del_date). ",
 version = ".($version+1)." WHERE order_no=" . $order_no ." AND version=".$version;
-
 db_query($sql, "order Cannot be Updated, this can be concurrent edition conflict");
 $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =" . $order_no;
@@ -247,13 +247,13 @@ function update_sales_order($order)
 (order_no, stk_code, description, unit_price, quantity, discount_percent, qty_sent) VALUES (";
- $sql .= $order_no . ",'"
- .$line->stock_id . "','"
- .$line->item_description . "', "
- .$line->price . ", "
- .$line->quantity . ", "
- .$line->discount_percent . ", "
- .$line->qty_done ." )";
+ $sql .= $order_no . ","
+ .db_escape($line->stock_id) . ","
+ .db_escape($line->item_description) . ", "
+ .db_escape($line->price) . ", "
+ .db_escape($line->quantity) . ", "
+ .db_escape($line->discount_percent) . ", "
+ .db_escape($line->qty_done) ." )";
 db_query($sql, "Old order Cannot be Inserted");
diff --git a/sales/includes/db/sales_types_db.inc b/sales/includes/db/sales_types_db.inc
index 338ae59b..51e1142b 100644
--- a/sales/includes/db/sales_types_db.inc
+++ b/sales/includes/db/sales_types_db.inc
@@ -2,14 +2,14 @@ function add_sales_type($name, $tax_included)
 {
- $sql = "INSERT INTO ".TB_PREF."sales_types (sales_type,tax_included) VALUES ('$name','$tax_included')";
+ $sql = "INSERT INTO ".TB_PREF."sales_types (sales_type,tax_included) VALUES (".db_escape($name).",'$tax_included')";
 db_query($sql, "could not add sales type");
 }
 function update_sales_type($id, $name, $tax_included)
 {
- $sql = "UPDATE ".TB_PREF."sales_types SET sales_type = '$name',
+ $sql = "UPDATE ".TB_PREF."sales_types SET sales_type = ".db_escape($name).",
 tax_included =$tax_included WHERE id = $id";
 db_query($sql, "could not update sales type");
diff --git a/sales/manage/customer_branches.php b/sales/manage/customer_branches.php
index ef2b2db9..1ca32ec7 100644
--- a/sales/manage/customer_branches.php
+++ b/sales/manage/customer_branches.php
@@ -63,25 +63,25 @@ if (isset($_POST['ADD_ITEM']) || isset($_POST['UPDATE_ITEM']))
 {
 /*SelectedBranch could also exist if submit had not been clicked this code would not run in this case cos submit is false of course see the delete code below*/
- $sql = "UPDATE ".TB_PREF."cust_branch SET br_name = '" . $_POST['br_name'] . "',
- br_address = '" . $_POST['br_address'] . "',
- phone='" . $_POST['phone'] . "',
- fax='" . $_POST['fax'] . "',
- contact_name='" . $_POST['contact_name'] . "',
- salesman= '" . $_POST['salesman'] . "',
- area='" . $_POST['area'] . "',
- email='" . $_POST['email'] . "',
- tax_group_id=" . $_POST['tax_group_id'] . ",
- sales_account='" . $_POST['sales_account'] . "',
- sales_discount_account='" . $_POST['sales_discount_account'] . "',
- receivables_account='" . $_POST['receivables_account'] . "',
- payment_discount_account='" . $_POST['payment_discount_account'] . "',
- default_location='" . $_POST['default_location'] . "',
- br_post_address = '" . $_POST['br_post_address'] . "',
- disable_trans=" . $_POST['disable_trans'] . ",
- default_ship_via=" . $_POST['default_ship_via'] . "
- WHERE branch_code = '" . $_POST['branch_code'] . "'
- AND debtor_no='" . $_POST['customer_id']. "'";
+ $sql = "UPDATE ".TB_PREF."cust_branch SET br_name = " . db_escape($_POST['br_name']) . ",
+ br_address = ".db_escape($_POST['br_address']). ",
+ phone=".db_escape($_POST['phone']). ",
+ fax=".db_escape($_POST['fax']).",
+ contact_name=".db_escape($_POST['contact_name']) . ",
+ salesman= ".db_escape($_POST['salesman']) . ",
+ area=".db_escape($_POST['area']) . ",
+ email=".db_escape($_POST['email']) . ",
+ tax_group_id=".db_escape($_POST['tax_group_id']). ",
+ sales_account=".db_escape($_POST['sales_account']) . ",
+ sales_discount_account=".db_escape($_POST['sales_discount_account']) . ",
+ receivables_account=".db_escape($_POST['receivables_account']) . ",
+ payment_discount_account=".db_escape($_POST['payment_discount_account']) . ",
+ default_location=".db_escape($_POST['default_location']) . ",
+ br_post_address =".db_escape($_POST['br_post_address']) . ",
+ disable_trans=".db_escape($_POST['disable_trans']) . ",
+ default_ship_via=".db_escape($_POST['default_ship_via']) . "
+ WHERE branch_code =".db_escape($_POST['branch_code']) . "
+ AND debtor_no=".db_escape($_POST['customer_id']);
 }
 else
@@ -91,16 +91,19 @@ if (isset($_POST['ADD_ITEM']) || isset($_POST['UPDATE_ITEM']))
 salesman, phone, fax, contact_name, area, email, tax_group_id, sales_account, receivables_account, payment_discount_account, sales_discount_account, default_location, br_post_address, disable_trans, default_ship_via)
- VALUES ('" . $_POST['customer_id']. "', '" . $_POST['br_name'] . "', '" .
- $_POST['br_address'] . "', '" . $_POST['salesman'] . "', '" .
- $_POST['phone'] . "', '" . $_POST['fax'] . "','" .
- $_POST['contact_name'] . "', '" . $_POST['area'] . "','" .
- $_POST['email'] . "', " . $_POST['tax_group_id'] . ", '" .
- $_POST['sales_account'] . "', '" .
- $_POST['receivables_account'] . "', '" .
- $_POST['payment_discount_account'] . "', '" .
- $_POST['sales_discount_account'] . "', '" .
- $_POST['default_location'] . "', '" . $_POST['br_post_address'] . "'," . $_POST['disable_trans'] . ", " . $_POST['default_ship_via'] . ")";
+ VALUES (".db_escape($_POST['customer_id']). ",".db_escape($_POST['br_name']) . ", "
+ .db_escape($_POST['br_address']) . ", ".db_escape($_POST['salesman']) . ", "
+ .db_escape($_POST['phone']) . ", ".db_escape($_POST['fax']) . ","
+ .db_escape($_POST['contact_name']) . ", ".db_escape($_POST['area']) . ","
+ .db_escape($_POST['email']) . ", ".db_escape($_POST['tax_group_id']) . ", "
+ .db_escape($_POST['sales_account']) . ", "
+ .db_escape($_POST['receivables_account']) . ", "
+ .db_escape($_POST['payment_discount_account']) . ", "
+ .db_escape($_POST['sales_discount_account']) . ", "
+ .db_escape($_POST['default_location']) . ", "
+ .db_escape($_POST['br_post_address']) . ","
+ .db_escape($_POST['disable_trans']) . ", "
+ .db_escape($_POST['default_ship_via']) . ")";
 }
 //run the sql from either of the above possibilites
diff --git a/sales/manage/customers.php b/sales/manage/customers.php
index a82c71b0..0f101574 100644
--- a/sales/manage/customers.php
+++ b/sales/manage/customers.php
@@ -62,20 +62,20 @@ function handle_submit()
 if (!isset($_POST['New']))
 {
- $sql = "UPDATE ".TB_PREF."debtors_master SET name='" . $_POST['CustName'] . "',
- address='" . $_POST['address'] . "',
- tax_id='" . $_POST['tax_id'] . "',
- curr_code='" . $_POST['curr_code'] . "',
- email='" . $_POST['email'] . "',
- dimension_id=" . $_POST['dimension_id'] . ",
- dimension2_id=" . $_POST['dimension2_id'] . ",
- credit_status='" . $_POST['credit_status'] . "',
- payment_terms='" . $_POST['payment_terms'] . "',
+ $sql = "UPDATE ".TB_PREF."debtors_master SET name=" . db_escape($_POST['CustName']) . ",
+ address=".db_escape($_POST['address']) . ",
+ tax_id=".db_escape($_POST['tax_id']) . ",
+ curr_code=".db_escape($_POST['curr_code']) . ",
+ email=".db_escape($_POST['email']) . ",
+ dimension_id=".db_escape($_POST['dimension_id']) . ",
+ dimension2_id=".db_escape($_POST['dimension2_id']) . ",
+ credit_status=".db_escape($_POST['credit_status']) . ",
+ payment_terms=".db_escape($_POST['payment_terms']) . ",
 discount=" . input_num('discount') / 100 . ",
 pymt_discount=" . input_num('pymt_discount') / 100 . ",
 credit_limit=" . input_num('credit_limit') . ",
- sales_type = '" . $_POST['sales_type'] . "'
- WHERE debtor_no = '" . $_POST['customer_id'] . "'";
+ sales_type = ".db_escape($_POST['sales_type']) . "
+ WHERE debtor_no = '". $_POST['customer_id'] . "'";
 db_query($sql,"The customer could not be updated");
 display_notification(_("Customer has been updated."));
@@ -89,10 +89,12 @@ function handle_submit()
 $sql = "INSERT INTO ".TB_PREF."debtors_master (name, address, tax_id, email, dimension_id, dimension2_id, curr_code, credit_status, payment_terms, discount, pymt_discount,credit_limit,
- sales_type) VALUES ('" . $_POST['CustName'] ."', '" . $_POST['address'] . "', '" . $_POST['tax_id'] . "',
- '" . $_POST['email'] . "', " . $_POST['dimension_id'] . ", " . $_POST['dimension2_id'] . ", '" . $_POST['curr_code'] . "',
- " . $_POST['credit_status'] . ", '" . $_POST['payment_terms'] . "', " . input_num('discount')/100 . ",
- " . input_num('pymt_discount')/100 . ", " . input_num('credit_limit') . ", '" . $_POST['sales_type'] . "')";
+ sales_type) VALUES (".db_escape($_POST['CustName']) .", "
+ .db_escape($_POST['address']) . ", " . db_escape($_POST['tax_id']) . ","
+ .db_escape($_POST['email']) . ", ".db_escape($_POST['dimension_id']) . ", "
+ .db_escape($_POST['dimension2_id']) . ", ".db_escape($_POST['curr_code']) . ",
+ " . db_escape($_POST['credit_status']) . ", ".db_escape($_POST['payment_terms']) . ", " . input_num('discount')/100 . ",
+ " . input_num('pymt_discount')/100 . ", " . input_num('credit_limit') . ", ".db_escape($_POST['sales_type']) . ")";
 db_query($sql,"The customer could not be added");
diff --git a/sales/manage/sales_areas.php b/sales/manage/sales_areas.php
index 7aed3e6e..7b993667 100644
--- a/sales/manage/sales_areas.php
+++ b/sales/manage/sales_areas.php
@@ -33,12 +33,12 @@ if (isset($_POST['ADD_ITEM']) || isset($_POST['UPDATE_ITEM']))
 {
 if (isset($selected_id))
 {
- $sql = "UPDATE ".TB_PREF."areas SET description='" . $_POST['description'] . "' WHERE area_code = '$selected_id'";
+ $sql = "UPDATE ".TB_PREF."areas SET description=".db_escape($_POST['description'])." WHERE area_code = '$selected_id'";
 }
 else
 {
- $sql = "INSERT INTO ".TB_PREF."areas (description) VALUES ('" . $_POST['description'] . "')";
+ $sql = "INSERT INTO ".TB_PREF."areas (description) VALUES (".db_escape($_POST['description']) . ")";
 }
 db_query($sql,"The sales area could not be updated or added");
diff --git a/sales/manage/sales_people.php b/sales/manage/sales_people.php
index e2c4ed43..7d5e57b3 100644
--- a/sales/manage/sales_people.php
+++ b/sales/manage/sales_people.php
@@ -30,17 +30,27 @@ if (isset($_POST['ADD_ITEM']) || isset($_POST['UPDATE_ITEM']))
 $input_error = 1;
 display_error(_("The sales person name cannot be empty."));
 }
-
+ $pr1 = check_num('provision', 0,100);
+ if (!$pr1 || !check_num('provision2', 0, 100)) {
+ $input_error = 1;
+ display_error( _("Salesman provision cannot be less than 0 or more than 100%."));
+ set_focus(!$pr1 ? 'provision' : 'provision2');
+ }
+ if (!check_num('break_pt', 0)) {
+ $input_error = 1;
+ display_error( _("Salesman provision breakpoint must be numeric and not less than 0."));
+ set_focus('break_pt');
+ }
 if ($input_error != 1)
 {
 if (isset($selected_id))
 {
 /*selected_id could also exist if submit had not been clicked this code would not run in this case cos submit is false of course see the delete code below*/
- $sql = "UPDATE ".TB_PREF."salesman SET salesman_name='" . $_POST['salesman_name'] . "',
- salesman_phone='" . $_POST['salesman_phone'] . "',
- salesman_fax='" . $_POST['salesman_fax'] . "',
- salesman_email='" . $_POST['salesman_email'] . "',
+ $sql = "UPDATE ".TB_PREF."salesman SET salesman_name=".db_escape($_POST['salesman_name']) . ",
+ salesman_phone=".db_escape($_POST['salesman_phone']) . ",
+ salesman_fax=".db_escape($_POST['salesman_fax']) . ",
+ salesman_email=".db_escape($_POST['salesman_email']) . ",
 provision=".input_num('provision').",
 break_pt=".input_num('break_pt').",
 provision2=".input_num('provision2')."
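Review bot: The new validation block names its result `$pr1`, which says nothing about what was checked; `$provision_ok` would let `set_focus(!$pr1 ? 'provision' : 'provision2')` read without a lookup. The two `check_num` calls also differ in spacing (`0,100` vs `0, 100`) and `display_error( _(` carries a space that the existing `display_error(_("The sales person name cannot be empty."));` line above does not. A short comment on the block, e.g. `// provision values are percentages (0-100); break_pt is a non-negative amount`, would explain the bounds passed to check_num — assuming that is what its range arguments express, since check_num is not visible here. The enclosing `if (isset($_POST['ADD_ITEM']) || isset($_POST['UPDATE_ITEM']))` block starts before the hunk.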
@@ -51,8 +61,12 @@ if (isset($_POST['ADD_ITEM']) || isset($_POST['UPDATE_ITEM']))
 /*Selected group is null cos no item selected on first time round so must be adding a record must be submitting new entries in the new Sales-person form */
 $sql = "INSERT INTO ".TB_PREF."salesman (salesman_name, salesman_phone, salesman_fax, salesman_email, provision, break_pt, provision2)
- VALUES ('" . $_POST['salesman_name'] . "', '" .$_POST['salesman_phone'] . "', '" . $_POST['salesman_fax'] . "', '" . $_POST['salesman_email'] . "', ".
- input_num('provision').", ".input_num('break_pt').", ".input_num('provision2').")";
+ VALUES (".db_escape($_POST['salesman_name']) . ", "
+ .db_escape($_POST['salesman_phone']) . ", "
+ .db_escape($_POST['salesman_fax']) . ", "
+ .db_escape($_POST['salesman_email']) . ", ".
+ input_num('provision').", ".input_num('break_pt').", "
+ .input_num('provision2').")";
 }
 //run the sql from either of the above possibilites
diff --git a/taxes/db/item_tax_types_db.inc b/taxes/db/item_tax_types_db.inc
index 486bfc78..24a5eedd 100644
--- a/taxes/db/item_tax_types_db.inc
+++ b/taxes/db/item_tax_types_db.inc
@@ -5,7 +5,7 @@ function add_item_tax_type($name, $exempt, $exempt_from)
 begin_transaction();
 $sql = "INSERT INTO ".TB_PREF."item_tax_types (name, exempt)
- VALUES ('$name',$exempt)";
+ VALUES (".db_escape($name).",$exempt)";
 db_query($sql, "could not add item tax type");
@@ -21,7 +21,8 @@ function update_item_tax_type($id, $name, $exempt, $exempt_from)
 {
 begin_transaction();
- $sql = "UPDATE ".TB_PREF."item_tax_types SET name='$name', exempt=$exempt WHERE id=$id";
+ $sql = "UPDATE ".TB_PREF."item_tax_types SET name=".db_escape($name).
+ ", exempt=$exempt WHERE id=$id";
 db_query($sql, "could not update item tax type");
diff --git a/taxes/db/tax_groups_db.inc b/taxes/db/tax_groups_db.inc
index 10f0f5cf..10f0256a 100644
--- a/taxes/db/tax_groups_db.inc
+++ b/taxes/db/tax_groups_db.inc
@@ -12,7 +12,7 @@ function add_tax_group($name, $tax_shipping, $taxes, $rates)
 if($tax_shipping) // only one tax group for shipping
 clear_shipping_tax_group();
- $sql = "INSERT INTO ".TB_PREF."tax_groups (name, tax_shipping) VALUES ('$name', $tax_shipping)";
+ $sql = "INSERT INTO ".TB_PREF."tax_groups (name, tax_shipping) VALUES (".db_escape($name).", $tax_shipping)";
 db_query($sql, "could not add tax group");
 $id = db_insert_id();
@@ -29,7 +29,7 @@ function update_tax_group($id, $name, $tax_shipping, $taxes, $rates)
 if($tax_shipping) // only one tax group for shipping
 clear_shipping_tax_group();
- $sql = "UPDATE ".TB_PREF."tax_groups SET name='$name',tax_shipping=$tax_shipping WHERE id=$id";
+ $sql = "UPDATE ".TB_PREF."tax_groups SET name=".db_escape($name).",tax_shipping=$tax_shipping WHERE id=$id";
 db_query($sql, "could not update tax group");
 delete_tax_group_items($id);
diff --git a/taxes/db/tax_types_db.inc b/taxes/db/tax_types_db.inc
index 029cad16..5cd18ebb 100644
--- a/taxes/db/tax_types_db.inc
+++ b/taxes/db/tax_types_db.inc
@@ -3,16 +3,17 @@ function add_tax_type($name, $sales_gl_code, $purchasing_gl_code, $rate)
 {
 $sql = "INSERT INTO ".TB_PREF."tax_types (name, sales_gl_code, purchasing_gl_code, rate)
- VALUES ('$name', '$sales_gl_code', '$purchasing_gl_code', $rate)";
+ VALUES (".db_escape($name).", ".db_escape($sales_gl_code)
+ .", ".db_escape($purchasing_gl_code).", $rate)";
 db_query($sql, "could not add tax type");
 }
 function update_tax_type($type_id, $name, $sales_gl_code, $purchasing_gl_code, $rate)
 {
- $sql = "UPDATE ".TB_PREF."tax_types SET name='$name',
- sales_gl_code='$sales_gl_code',
- purchasing_gl_code='$purchasing_gl_code',
+ $sql = "UPDATE ".TB_PREF."tax_types SET name=".db_escape($name).",
+ sales_gl_code=".db_escape($sales_gl_code).",
+ purchasing_gl_code=".db_escape($purchasing_gl_code).",
 rate=$rate WHERE id=$type_id";