From: Janusz Dobrowolski Date: Sun, 18 Oct 2009 18:43:32 +0000 (+0000) Subject: Security update merged from 2.1. X-Git-Tag: v2.4.2~19^2~1120 X-Git-Url: https://delta.frontaccounting.com/gitweb/?p=fa-stable.git;a=commitdiff_plain;h=8ea6c4dd0d9b31b3456d012b0c94339b801bee0c Security update merged from 2.1. --- diff --git a/CHANGELOG.txt b/CHANGELOG.txt index cf129129..6e1977d9 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -19,6 +19,92 @@ Legend: ! -> Note $ -> Affected files +18-Oct-2009 Janusz Dobrowolski (merged changes for 2.1.7 from main branch) +! Added html_entity_decode() in db_escape() for correct INSERT>SELECT>INSERT sequences. +$ /includes/db/connect_db.inc +# Fixed warnings on first page display +$ /admin/company_preferences.php +# Fixed erroneous message +$ /gl/manage/gl_account_types.php +# Security sql statements update against sql injection attacks. +$ /admin/attachments.php + /admin/payment_terms.php + /admin/print_profiles.php + /admin/printers.php + /admin/shipping_companies.php + /admin/view_print_transaction.php + /admin/db/company_db.inc + /admin/db/printers_db.inc + /admin/db/voiding_db.inc + /admin/db/users_db.inc + /dimensions/includes/dimensions_db.inc + /dimensions/inquiry/search_dimensions.php + /gl/bank_account_reconcile.php + /gl/gl_budget.php + /gl/includes/db/gl_db_account_types.inc + /gl/includes/db/gl_db_accounts.inc + /gl/includes/db/gl_db_bank_accounts.inc + /gl/includes/db/gl_db_bank_trans.inc + /gl/includes/db/gl_db_banking.inc + /gl/includes/db/gl_db_currencies.inc + /gl/includes/db/gl_db_rates.inc + /gl/includes/db/gl_db_trans.inc + /gl/inquiry/bank_inquiry.php + /gl/view/bank_transfer_view.php + /gl/view/gl_trans_view.php + /inventory/cost_update.php + /inventory/purchasing_data.php + /inventory/includes/db/items_category_db.inc + /inventory/includes/db/items_codes_db.inc + /inventory/includes/db/items_db.inc + /inventory/includes/db/items_locations_db.inc + /inventory/includes/db/items_prices_db.inc + /inventory/includes/db/items_trans_db.inc + /inventory/includes/db/items_units_db.inc + /inventory/includes/db/movement_types_db.inc + /inventory/inquiry/stock_movements.php + /inventory/manage/item_categories.php + /inventory/manage/item_units.php + /inventory/manage/items.php + /inventory/manage/locations.php + /inventory/manage/movement_types.php + /manufacturing/search_work_orders.php + /manufacturing/includes/db/work_centres_db.inc + /manufacturing/includes/db/work_order_issues_db.inc + /manufacturing/includes/db/work_order_produce_items_db.inc + /manufacturing/includes/db/work_order_requirements_db.inc + /manufacturing/includes/db/work_orders_db.inc + /manufacturing/includes/db/work_orders_quick_db.inc + /manufacturing/inquiry/where_used_inquiry.php + /manufacturing/manage/bom_edit.php + /manufacturing/manage/work_centres.php + /purchasing/po_entry_items.php + /purchasing/po_receive_items.php + /purchasing/supplier_credit.php + /purchasing/supplier_invoice.php + /purchasing/includes/purchasing_db.inc + /purchasing/includes/db/grn_db.inc + /purchasing/includes/db/invoice_db.inc + /purchasing/includes/db/invoice_items_db.inc + /purchasing/includes/db/po_db.inc + /purchasing/includes/db/supp_trans_db.inc + /purchasing/includes/db/suppalloc_db.inc + /purchasing/includes/db/suppliers_db.inc + /purchasing/inquiry/po_search.php + /purchasing/inquiry/po_search_completed.php + /purchasing/inquiry/supplier_allocation_inquiry.php + /purchasing/inquiry/supplier_inquiry.php + /purchasing/manage/suppliers.php + +12-Oct-2009 Janusz Dobrowolski (merged) +# Fixed sql injection vulnerability on some php/mysql configurations +$ /admin/db/users_db.inc +! Single quotes also encoded before database data insert +$ /admin/db/maintenance_db.inc + /includes/db/connect_db.inc + /reporting/includes/tcpdf.php + /sales/includes/cart_class.inc + 16-Oct-2009 Janusz Dobrowolski + Access control system description. $ /doc/access_levels.txt (new) diff --git a/admin/attachments.php b/admin/attachments.php index 6febfb70..3b39aa94 100644 --- a/admin/attachments.php +++ b/admin/attachments.php @@ -112,25 +112,27 @@ if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM') if ($Mode == 'ADD_ITEM') { $sql = "INSERT INTO ".TB_PREF."attachments (type_no, trans_no, description, filename, unique_name, - filesize, filetype, tran_date) VALUES (".$_POST['filterType'].",".$_POST['trans_no'].",". - db_escape($_POST['description']).", '$filename', '$unique_name', '$filesize', '$filetype', '$date')"; + filesize, filetype, tran_date) VALUES (".db_escape($_POST['filterType'])."," + .db_escape($_POST['trans_no']).",".db_escape($_POST['description']).", " + .db_escape($filename).", ".db_escape($unique_name).", ".db_escape($filesize) + .", ".db_escape($filetype).", '$date')"; db_query($sql, "Attachment could not be inserted"); display_notification(_("Attachment has been inserted.")); } else { $sql = "UPDATE ".TB_PREF."attachments SET - type_no=".$_POST['filterType'].", - trans_no=".$_POST['trans_no'].", + type_no=".db_escape($_POST['filterType']).", + trans_no=".db_escape($_POST['trans_no']).", description=".db_escape($_POST['description']).", "; if ($filename != "") { - $sql .= "filename='$filename', - unique_name='$unique_name', - filesize='$filesize', - filetype='$filetype', "; + $sql .= "filename=".db_escape($filename).", + unique_name=".db_escape($unique_name).", + filesize=".db_escape($filesize).", + filetype=".db_escape($filetype); } - $sql .= "tran_date='$date' WHERE id=$selected_id"; + $sql .= "tran_date='$date' WHERE id=".db_escape($selected_id); db_query($sql, "Attachment could not be updated"); display_notification(_("Attachment has been updated.")); } @@ -143,7 +145,7 @@ if ($Mode == 'Delete') $dir = $comp_path."/".user_company(). "/attachments"; if (file_exists($dir."/".$row['unique_name'])) unlink($dir."/".$row['unique_name']); - $sql = "DELETE FROM ".TB_PREF."attachments WHERE id = $selected_id"; + $sql = "DELETE FROM ".TB_PREF."attachments WHERE id = ".db_escape($selected_id); db_query($sql, "Could not delete attachment"); display_notification(_("Attachment has been deleted.")); $Mode = 'RESET'; @@ -173,13 +175,14 @@ function viewing_controls() function get_attached_documents($type) { - $sql = "SELECT * FROM ".TB_PREF."attachments WHERE type_no=$type ORDER BY trans_no"; + $sql = "SELECT * FROM ".TB_PREF."attachments WHERE type_no=".db_escape($type) + ." ORDER BY trans_no"; return db_query($sql, "Could not retrieve attachments"); } function get_attachment($id) { - $sql = "SELECT * FROM ".TB_PREF."attachments WHERE id=$id"; + $sql = "SELECT * FROM ".TB_PREF."attachments WHERE id=".db_escape($id); $result = db_query($sql, "Could not retrieve attachments"); return db_fetch($result); } diff --git a/admin/db/company_db.inc b/admin/db/company_db.inc index 77780a60..621e9865 100644 --- a/admin/db/company_db.inc +++ b/admin/db/company_db.inc @@ -121,14 +121,14 @@ function add_fiscalyear($from_date, $to_date, $closed) $to = date2sql($to_date); $sql = "INSERT INTO ".TB_PREF."fiscal_year (begin, end, closed) - VALUES (".db_escape($from).",".db_escape($to).", $closed)"; + VALUES (".db_escape($from).",".db_escape($to).", ".db_escape($closed).")"; db_query($sql, "could not add fiscal year"); } function update_fiscalyear($id, $closed) { - $sql = "UPDATE ".TB_PREF."fiscal_year SET closed=$closed + $sql = "UPDATE ".TB_PREF."fiscal_year SET closed=".db_escape($closed)." WHERE id=".db_escape($id); db_query($sql, "could not update fiscal year"); @@ -154,7 +154,7 @@ function get_current_fiscalyear() { $year = get_company_pref('f_year'); - $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=$year"; + $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=".db_escape($year); $result = db_query($sql, "could not get current fiscal year"); diff --git a/admin/db/printers_db.inc b/admin/db/printers_db.inc index f605f658..572dca5e 100644 --- a/admin/db/printers_db.inc +++ b/admin/db/printers_db.inc @@ -15,13 +15,13 @@ function write_printer_def($id, $name, $descr, $queue, $host, $port, $timeout) if ($id>0) $sql = "UPDATE ".TB_PREF."printers SET description=".db_escape($descr) .",name=".db_escape($name).",queue=".db_escape($queue) - .",host=".db_escape($host).",port='$port',timeout='$timeout' " - ."WHERE id=$id"; + .",host=".db_escape($host).",port=".db_escape($port).",timeout=".db_escape($timeout) + ." WHERE id=".db_escape($id); else $sql = "INSERT INTO ".TB_PREF."printers (" ."name,description,queue,host,port,timeout) " ."VALUES (".db_escape($name).",".db_escape($descr)."," - .db_escape($queue).",".db_escape($host).",'$port','$timeout')"; + .db_escape($queue).",".db_escape($host).",".db_escape($port).",".db_escape($timeout).")"; return db_query($sql,"could not write printer definition"); } @@ -35,7 +35,7 @@ function get_all_printers() function get_printer($id) { $sql = "SELECT * FROM ".TB_PREF."printers - WHERE id=$id"; + WHERE id=".db_escape($id); $result = db_query($sql,"could not get printer definition"); return db_fetch($result); @@ -71,7 +71,7 @@ function update_printer_profile($name, $dest) function get_report_printer($profile, $report) { $sql = "SELECT printer FROM ".TB_PREF."print_profiles WHERE " - ."profile=".db_escape($profile)." AND report="; + ."profile=".db_escape($profile)." AND report=".db_escape($report); $result = db_query($sql.db_escape($report), 'report printer lookup failed'); diff --git a/admin/db/voiding_db.inc b/admin/db/voiding_db.inc index 8efc0036..553240c2 100644 --- a/admin/db/voiding_db.inc +++ b/admin/db/voiding_db.inc @@ -115,7 +115,8 @@ function void_transaction($type, $type_no, $date_, $memo_) function get_voided_entry($type, $type_no) { - $sql = "SELECT * FROM ".TB_PREF."voided WHERE type=$type AND id=$type_no"; + $sql = "SELECT * FROM ".TB_PREF."voided WHERE type=".db_escape($type) + ." AND id=".db_escape($type_no); $result = db_query($sql, "could not query voided transaction table"); @@ -128,7 +129,8 @@ function add_voided_entry($type, $type_no, $date_, $memo_) { $date = date2sql($date_); $sql = "INSERT INTO ".TB_PREF."voided (type, id, date_, memo_) - VALUES ($type, $type_no, ".db_escape($date).", ".db_escape($memo_).")"; + VALUES (".db_escape($type).", ".db_escape($type_no).", " + .db_escape($date).", ".db_escape($memo_).")"; db_query($sql, "could not add voided transaction entry"); } diff --git a/admin/payment_terms.php b/admin/payment_terms.php index 1dd5dc67..5855b989 100644 --- a/admin/payment_terms.php +++ b/admin/payment_terms.php @@ -103,7 +103,7 @@ if ($Mode == 'Delete') { // PREVENT DELETES IF DEPENDENT RECORDS IN debtors_master - $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtors_master WHERE payment_terms = '$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtors_master WHERE payment_terms = ".db_escape($selected_id); $result = db_query($sql,"check failed"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -112,7 +112,7 @@ if ($Mode == 'Delete') } else { - $sql= "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE payment_terms = '$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE payment_terms = ".db_escape($selected_id); $result = db_query($sql,"check failed"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -123,7 +123,7 @@ if ($Mode == 'Delete') { //only delete if used in neither customer or supplier accounts - $sql="DELETE FROM ".TB_PREF."payment_terms WHERE terms_indicator='$selected_id'"; + $sql="DELETE FROM ".TB_PREF."payment_terms WHERE terms_indicator=".db_escape($selected_id); db_query($sql,"could not delete a payment terms"); display_notification(_('Selected payment terms have been deleted')); } @@ -198,7 +198,7 @@ if ($selected_id != -1) if ($Mode == 'Edit') { //editing an existing payment terms $sql = "SELECT * FROM ".TB_PREF."payment_terms - WHERE terms_indicator='$selected_id'"; + WHERE terms_indicator=".db_escape($selected_id); $result = db_query($sql,"could not get payment term"); $myrow = db_fetch($result); diff --git a/admin/print_profiles.php b/admin/print_profiles.php index 99ef82e1..02e3701c 100644 --- a/admin/print_profiles.php +++ b/admin/print_profiles.php @@ -77,7 +77,7 @@ function check_delete($name) { // check if selected profile is used by any user if ($name=='') return 0; // cannot delete system default profile - $sql = "SELECT * FROM ".TB_PREF."users WHERE print_profile='$name'"; + $sql = "SELECT * FROM ".TB_PREF."users WHERE print_profile=".db_escape($name); $res = db_query($sql,'cannot check printing profile usage'); return db_num_rows($res); } diff --git a/admin/printers.php b/admin/printers.php index 8104f172..4c8ad144 100644 --- a/admin/printers.php +++ b/admin/printers.php @@ -59,7 +59,7 @@ if ($Mode == 'Delete') { // PREVENT DELETES IF DEPENDENT RECORDS IN print_profiles - $sql= "SELECT COUNT(*) FROM ".TB_PREF."print_profiles WHERE printer = '$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."print_profiles WHERE printer = ".db_escape($selected_id); $result = db_query($sql,"check printers relations failed"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -68,7 +68,7 @@ if ($Mode == 'Delete') } else { - $sql="DELETE FROM ".TB_PREF."printers WHERE id='$selected_id'"; + $sql="DELETE FROM ".TB_PREF."printers WHERE id=".db_escape($selected_id); db_query($sql,"could not delete printer definition"); display_notification(_('Selected printer definition has been deleted')); } diff --git a/admin/shipping_companies.php b/admin/shipping_companies.php index c215f8cd..cb08f69b 100644 --- a/admin/shipping_companies.php +++ b/admin/shipping_companies.php @@ -55,7 +55,7 @@ if ($Mode=='UPDATE_ITEM' && can_process()) phone =" . db_escape($_POST['phone']). " , phone2 =" . db_escape($_POST['phone2']). " , address =" . db_escape($_POST['address']). " - WHERE shipper_id = $selected_id"; + WHERE shipper_id = ".db_escape($selected_id); db_query($sql,"The shipping company could not be updated"); display_notification(_('Selected shipping company has been updated')); @@ -68,7 +68,7 @@ if ($Mode == 'Delete') { // PREVENT DELETES IF DEPENDENT RECORDS IN 'sales_orders' - $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE ship_via='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE ship_via=".db_escape($selected_id); $result = db_query($sql,"check failed"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -80,7 +80,7 @@ if ($Mode == 'Delete') { // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtor_trans' - $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE ship_via='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE ship_via=".db_escape($selected_id); $result = db_query($sql,"check failed"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -90,7 +90,7 @@ if ($Mode == 'Delete') } else { - $sql="DELETE FROM ".TB_PREF."shippers WHERE shipper_id=$selected_id"; + $sql="DELETE FROM ".TB_PREF."shippers WHERE shipper_id=".db_escape($selected_id); db_query($sql,"could not delete shipper"); display_notification(_('Selected shipping company has been deleted')); } @@ -146,7 +146,7 @@ if ($selected_id != -1) if ($Mode == 'Edit') { //editing an existing Shipper - $sql = "SELECT * FROM ".TB_PREF."shippers WHERE shipper_id=$selected_id"; + $sql = "SELECT * FROM ".TB_PREF."shippers WHERE shipper_id=".db_escape($selected_id); $result = db_query($sql, "could not get shipper"); $myrow = db_fetch($result); diff --git a/admin/view_print_transaction.php b/admin/view_print_transaction.php index 90943fe7..39694181 100644 --- a/admin/view_print_transaction.php +++ b/admin/view_print_transaction.php @@ -109,11 +109,11 @@ function handle_search() $sql .= " ,$trans_ref "; $sql .= ", ".$_POST['filterType']." as type FROM $table_name - WHERE $trans_no_name >= " . $_POST['FromTransNo']. " - AND $trans_no_name <= " . $_POST['ToTransNo']; + WHERE $trans_no_name >= ".db_escape($_POST['FromTransNo']). " + AND $trans_no_name <= ".db_escape($_POST['ToTransNo']); if ($type_name != null) - $sql .= " AND `$type_name` = " . $_POST['filterType']; + $sql .= " AND `$type_name` = ".db_escape($_POST['filterType']); $sql .= " ORDER BY $trans_no_name"; diff --git a/dimensions/includes/dimensions_db.inc b/dimensions/includes/dimensions_db.inc index 2a89b596..c455e891 100644 --- a/dimensions/includes/dimensions_db.inc +++ b/dimensions/includes/dimensions_db.inc @@ -19,7 +19,8 @@ function add_dimension($reference, $name, $type_, $date_, $due_date, $memo_) $duedate = date2sql($due_date); $sql = "INSERT INTO ".TB_PREF."dimensions (reference, name, type_, date_, due_date) - VALUES (".db_escape($reference).", ".db_escape($name).", $type_, '$date', '$duedate')"; + VALUES (".db_escape($reference).", ".db_escape($name).", ".db_escape($type_) + .", ".db_escape($date_).", ".db_escape($due_date).")"; db_query($sql, "could not add dimension"); $id = db_insert_id(); @@ -41,10 +42,10 @@ function update_dimension($id, $name, $type_, $date_, $due_date, $memo_) $duedate = date2sql($due_date); $sql = "UPDATE ".TB_PREF."dimensions SET name=".db_escape($name).", - type_ = $type_, - date_='$date', - due_date='$duedate' - WHERE id = $id"; + type_ = ".db_escape($type_).", + date_=".db_escape($date_).", + due_date=".db_escape($due_date)." + WHERE id = ".db_escape($id); db_query($sql, "could not update dimension"); @@ -60,7 +61,7 @@ function delete_dimension($id) begin_transaction(); // delete the actual dimension - $sql="DELETE FROM ".TB_PREF."dimensions WHERE id=$id"; + $sql="DELETE FROM ".TB_PREF."dimensions WHERE id=".db_escape($id); db_query($sql,"The dimension could not be deleted"); delete_comments(ST_DIMENSION, $id); @@ -72,7 +73,7 @@ function delete_dimension($id) function get_dimension($id, $allow_null=false) { - $sql = "SELECT * FROM ".TB_PREF."dimensions WHERE id=$id"; + $sql = "SELECT * FROM ".TB_PREF."dimensions WHERE id=".db_escape($id); $result = db_query($sql, "The dimension could not be retrieved"); @@ -122,7 +123,7 @@ function dimension_has_deposits($id) function dimension_has_payments($id) { - $sql = "SELECT SUM(amount) FROM ".TB_PREF."gl_trans WHERE dimension_id = $id"; + $sql = "SELECT SUM(amount) FROM ".TB_PREF."gl_trans WHERE dimension_id = ".db_escape($id); $res = db_query($sql, "Transactions could not be calculated"); $row = db_fetch_row($res); return ($row[0] != 0.0); @@ -138,7 +139,7 @@ function dimension_is_closed($id) function close_dimension($id) { - $sql = "UPDATE ".TB_PREF."dimensions SET closed='1' WHERE id = $id"; + $sql = "UPDATE ".TB_PREF."dimensions SET closed='1' WHERE id = ".db_escape($id); db_query($sql, "could not close dimension"); } diff --git a/dimensions/inquiry/search_dimensions.php b/dimensions/inquiry/search_dimensions.php index 5498097a..752b5507 100644 --- a/dimensions/inquiry/search_dimensions.php +++ b/dimensions/inquiry/search_dimensions.php @@ -141,7 +141,7 @@ $sql = "SELECT dim.id, if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "") { - $sql .= " AND reference LIKE '%". $_POST['OrderNumber'] . "%'"; + $sql .= " AND reference LIKE ".db_escape("%". $_POST['OrderNumber'] . "%"); } else { if ($dim == 1) @@ -154,14 +154,14 @@ if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "") if (isset($_POST['type_']) && ($_POST['type_'] > 0)) { - $sql .= " AND type_=" . $_POST['type_']; + $sql .= " AND type_=".db_escape($_POST['type_']); } if (isset($_POST['OverdueOnly'])) { $today = date2sql(Today()); - $sql .= " AND due_date < '$today' "; + $sql .= " AND due_date < '$today'"; } $sql .= " AND date_ >= '" . date2sql($_POST['FromDate']) . "' diff --git a/gl/bank_account_reconcile.php b/gl/bank_account_reconcile.php index b91bed9e..d1dbba01 100644 --- a/gl/bank_account_reconcile.php +++ b/gl/bank_account_reconcile.php @@ -117,14 +117,15 @@ function change_tpl_flag($reconcile_id) $_POST['bank_date'] = date2sql(get_post('reconcile_date')); $reconcile_value = check_value("rec_".$reconcile_id) ? ("'".$_POST['bank_date'] ."'") : 'NULL'; - $sql = "UPDATE ".TB_PREF."bank_trans SET reconciled=$reconcile_value WHERE id=$reconcile_id"; + $sql = "UPDATE ".TB_PREF."bank_trans SET reconciled=".db_escape($reconcile_value) + ." WHERE id=".db_escape($reconcile_id); db_query($sql, "Can't change reconciliation status"); // save last reconcilation status (date, end balance) $sql2="UPDATE ".TB_PREF."bank_accounts SET last_reconciled_date='" .date2sql($_POST["reconcile_date"])."', ending_reconcile_balance=".input_num("end_balance") - ." WHERE id=".$_POST["bank_account"]; + ." WHERE id=".db_escape($_POST["bank_account"]); $result = db_query($sql2,"Error updating reconciliation information"); $Ajax->activate('reconciled'); @@ -182,7 +183,7 @@ $sql = "SELECT MAX(reconciled) as last_date, SUM(IF(reconciled<'$date', amount, 0)) as beg_balance, SUM(amount) as total FROM ".TB_PREF."bank_trans trans - WHERE bank_act=".$_POST['bank_account']; + WHERE bank_act=".db_escape($_POST['bank_account']); // ." AND trans.reconciled IS NOT NULL"; $result = db_query($sql,"Cannot retrieve reconciliation data"); @@ -197,8 +198,8 @@ if ($row = db_fetch($result)) { if (get_post('bank_date')) { // if it is the last updated bank statement retrieve ending balance $sql = "SELECT ending_reconcile_balance - FROM ".TB_PREF."bank_accounts WHERE id=".$_POST['bank_account'] - . " AND last_reconciled_date='".$_POST['bank_date']."'"; + FROM ".TB_PREF."bank_accounts WHERE id=".db_escape($_POST['bank_account']) + . " AND last_reconciled_date=".db_escape($_POST['bank_date']); $result = db_query($sql,"Cannot retrieve last reconciliation"); $row = db_fetch($result); if($row) { @@ -244,7 +245,7 @@ if (!isset($_POST['bank_account'])) $sql = "SELECT type, trans_no, ref, trans_date, amount, person_id, person_type_id, reconciled, id FROM ".TB_PREF."bank_trans - WHERE ".TB_PREF."bank_trans.bank_act = '" . $_POST['bank_account'] . "' + WHERE ".TB_PREF."bank_trans.bank_act = ".db_escape($_POST['bank_account']) . " AND (reconciled IS NULL OR reconciled='". $date ."') ORDER BY trans_date,".TB_PREF."bank_trans.id"; // or ORDER BY reconciled desc, trans_date,".TB_PREF."bank_trans.id"; diff --git a/gl/gl_budget.php b/gl/gl_budget.php index 6357693b..c1236d18 100644 --- a/gl/gl_budget.php +++ b/gl/gl_budget.php @@ -27,8 +27,9 @@ check_db_has_gl_account_groups(_("There are no account groups defined. Please de function exists_gl_budget($date_, $account, $dimension, $dimension2) { - $sql = "SELECT account FROM ".TB_PREF."budget_trans WHERE account='$account' AND tran_date='$date_' AND - dimension_id=$dimension AND dimension2_id=$dimension2"; + $sql = "SELECT account FROM ".TB_PREF."budget_trans WHERE account=".db_escape($account) + ." AND tran_date='$date_' AND + dimension_id=".db_escape($dimension)." AND dimension2_id=".db_escape($dimension2); $result = db_query($sql, "Cannot retreive a gl transaction"); return (db_num_rows($result) > 0); @@ -39,12 +40,16 @@ function add_update_gl_budget_trans($date_, $account, $dimension, $dimension2, $ $date = date2sql($date_); if (exists_gl_budget($date, $account, $dimension, $dimension2)) - $sql = "UPDATE ".TB_PREF."budget_trans SET amount=$amount WHERE account='$account' AND - dimension_id=$dimension AND dimension2_id=$dimension2 AND tran_date='$date'"; + $sql = "UPDATE ".TB_PREF."budget_trans SET amount=".db_escape($amount) + ." WHERE account=".db_escape($account) + ." AND dimension_id=".db_escape($dimension) + ." AND dimension2_id=".db_escape($dimension2) + ." AND tran_date='$date'"; else $sql = "INSERT INTO ".TB_PREF."budget_trans (tran_date, account, dimension_id, dimension2_id, amount, memo_) VALUES ('$date', - '$account', $dimension, $dimension2, $amount, '')"; + ".db_escape($account).", ".db_escape($dimension).", " + .db_escape($dimension2).", ".db_escape($amount).", '')"; db_query($sql, "The GL budget transaction could not be saved"); } @@ -53,8 +58,10 @@ function delete_gl_budget_trans($date_, $account, $dimension, $dimension2) { $date = date2sql($date_); - $sql = "DELETE FROM ".TB_PREF."budget_trans WHERE account='$account' AND - dimension_id=$dimension AND dimension2_id=$dimension2 AND tran_date='$date'"; + $sql = "DELETE FROM ".TB_PREF."budget_trans WHERE account=".db_escape($account) + ." AND dimension_id=".db_escape($dimension) + ." AND dimension2_id=".db_escape($dimension2) + ." AND tran_date='$date'"; db_query($sql, "The GL budget transaction could not be deleted"); } @@ -65,8 +72,10 @@ function get_only_budget_trans_from_to($from_date, $to_date, $account, $dimensio $to = date2sql($to_date); $sql = "SELECT SUM(amount) FROM ".TB_PREF."budget_trans - WHERE account='$account' AND tran_date >= '$from' AND tran_date <= '$to' - AND dimension_id = $dimension AND dimension2_id = $dimension2"; + WHERE account=".db_escape($account) + ." AND tran_date >= '$from' AND tran_date <= '$to' + AND dimension_id = ".db_escape($dimension) + ." AND dimension2_id = ".db_escape($dimension2); $result = db_query($sql,"No budget accounts were returned"); $row = db_fetch_row($result); @@ -142,7 +151,7 @@ if (db_has_gl_accounts()) table_header($th); $year = $_POST['fyear']; if (get_post('update') == '') { - $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=$year"; + $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=".db_escape($year); $result = db_query($sql, "could not get current fiscal year"); diff --git a/gl/includes/db/gl_db_account_types.inc b/gl/includes/db/gl_db_account_types.inc index e82ee8df..bd760c19 100644 --- a/gl/includes/db/gl_db_account_types.inc +++ b/gl/includes/db/gl_db_account_types.inc @@ -12,7 +12,7 @@ function add_account_type($id, $name, $class_id, $parent) { $sql = "INSERT INTO ".TB_PREF."chart_types (id, name, class_id, parent) - VALUES ($id, ".db_escape($name).", $class_id, $parent)"; + VALUES ($id, ".db_escape($name).", ".db_escape($class_id).", ".db_escape($parent).")"; return db_query($sql); } @@ -20,7 +20,8 @@ function add_account_type($id, $name, $class_id, $parent) function update_account_type($id, $name, $class_id, $parent) { $sql = "UPDATE ".TB_PREF."chart_types SET name=".db_escape($name).", - class_id=$class_id, parent=$parent WHERE id = $id"; + class_id=".db_escape($class_id).", parent=".db_escape($parent) + ." WHERE id = ".db_escape($id); return db_query($sql, "could not update account type"); } @@ -37,7 +38,7 @@ function get_account_types($all=false) function get_account_type($id) { - $sql = "SELECT * FROM ".TB_PREF."chart_types WHERE id = $id"; + $sql = "SELECT * FROM ".TB_PREF."chart_types WHERE id = ".db_escape($id); $result = db_query($sql, "could not get account type"); @@ -46,7 +47,7 @@ function get_account_type($id) function get_account_type_name($id) { - $sql = "SELECT name FROM ".TB_PREF."chart_types WHERE id = $id"; + $sql = "SELECT name FROM ".TB_PREF."chart_types WHERE id = ".db_escape($id); $result = db_query($sql, "could not get account type"); @@ -56,7 +57,7 @@ function get_account_type_name($id) function delete_account_type($id) { - $sql = "DELETE FROM ".TB_PREF."chart_types WHERE id = $id"; + $sql = "DELETE FROM ".TB_PREF."chart_types WHERE id = ".db_escape($id); db_query($sql, "could not delete account type"); } @@ -64,7 +65,7 @@ function delete_account_type($id) function add_account_class($id, $name, $ctype) { $sql = "INSERT INTO ".TB_PREF."chart_class (cid, class_name, ctype) - VALUES ($id, ".db_escape($name).", $ctype)"; + VALUES (".db_escape($id).", ".db_escape($name).", ".db_escape($ctype).")"; return db_query($sql); } @@ -72,7 +73,7 @@ function add_account_class($id, $name, $ctype) function update_account_class($id, $name, $ctype) { $sql = "UPDATE ".TB_PREF."chart_class SET class_name=".db_escape($name).", - ctype=$ctype WHERE cid = $id"; + ctype=".db_escape($balance)." WHERE cid = ".db_escape($id); return db_query($sql); } @@ -88,7 +89,7 @@ function get_account_classes($all=false) function get_account_class($id) { - $sql = "SELECT * FROM ".TB_PREF."chart_class WHERE cid = $id"; + $sql = "SELECT * FROM ".TB_PREF."chart_class WHERE cid = ".db_escape($id); $result = db_query($sql, "could not get account type"); @@ -97,7 +98,7 @@ function get_account_class($id) function get_account_class_name($id) { - $sql = "SELECT class_name FROM ".TB_PREF."chart_class WHERE cid = $id"; + $sql = "SELECT class_name FROM ".TB_PREF."chart_class WHERE cid =".db_escape($id); $result = db_query($sql, "could not get account type"); @@ -107,7 +108,7 @@ function get_account_class_name($id) function delete_account_class($id) { - $sql = "DELETE FROM ".TB_PREF."chart_class WHERE cid = $id"; + $sql = "DELETE FROM ".TB_PREF."chart_class WHERE cid = ".db_escape($id); db_query($sql, "could not delete account type"); } diff --git a/gl/includes/db/gl_db_accounts.inc b/gl/includes/db/gl_db_accounts.inc index 754e7bc4..0fb50ea0 100644 --- a/gl/includes/db/gl_db_accounts.inc +++ b/gl/includes/db/gl_db_accounts.inc @@ -13,7 +13,8 @@ function add_gl_account($account_code, $account_name, $account_type, $account_co { $account_name = db_escape($account_name); $sql = "INSERT INTO ".TB_PREF."chart_master (account_code, account_code2, account_name, account_type) - VALUES (".db_escape($account_code).", ".db_escape($account_code2).", $account_name, $account_type)"; + VALUES (".db_escape($account_code).", ".db_escape($account_code2).", " + .db_escape($account_name).", ".db_escape($account_type).")"; return db_query($sql); } @@ -21,16 +22,16 @@ function add_gl_account($account_code, $account_name, $account_type, $account_co function update_gl_account($account_code, $account_name, $account_type, $account_code2) { $account_name = db_escape($account_name); - $sql = "UPDATE ".TB_PREF."chart_master SET account_name=$account_name, - account_type=$account_type, account_code2=".db_escape($account_code2) - ." WHERE account_code = '$account_code'"; + $sql = "UPDATE ".TB_PREF."chart_master SET account_name=".db_escape($account_name) + .",account_type=".db_escape($account_type).", account_code2=".db_escape($account_code2) + ." WHERE account_code = ".db_escape($account_code); return db_query($sql); } function delete_gl_account($code) { - $sql = "DELETE FROM ".TB_PREF."chart_master WHERE account_code='$code'"; + $sql = "DELETE FROM ".TB_PREF."chart_master WHERE account_code=".db_escape($code); db_query($sql, "could not delete gl account"); } @@ -41,9 +42,9 @@ function get_gl_accounts($from=null, $to=null) FROM ".TB_PREF."chart_master,".TB_PREF."chart_types WHERE ".TB_PREF."chart_master.account_type=".TB_PREF."chart_types.id"; if ($from != null) - $sql .= " AND ".TB_PREF."chart_master.account_code >= '$from'"; + $sql .= " AND ".TB_PREF."chart_master.account_code >= ".db_escape($from); if ($to != null) - $sql .= " AND ".TB_PREF."chart_master.account_code <= '$to'"; + $sql .= " AND ".TB_PREF."chart_master.account_code <= ".db_escape($to); $sql .= " ORDER BY account_code"; return db_query($sql, "could not get gl accounts"); @@ -71,7 +72,7 @@ function get_gl_accounts_all($balance=-1) function get_gl_account($code) { - $sql = "SELECT * FROM ".TB_PREF."chart_master WHERE account_code='$code'"; + $sql = "SELECT * FROM ".TB_PREF."chart_master WHERE account_code=".db_escape($code); $result = db_query($sql, "could not get gl account"); return db_fetch($result); @@ -79,10 +80,11 @@ function get_gl_account($code) function is_account_balancesheet($code) { - $sql = "SELECT ".TB_PREF."chart_class.ctype FROM ".TB_PREF."chart_class, ".TB_PREF."chart_types, ".TB_PREF."chart_master + $sql = "SELECT ".TB_PREF."chart_class.ctype FROM ".TB_PREF."chart_class, " + .TB_PREF."chart_types, ".TB_PREF."chart_master WHERE ".TB_PREF."chart_master.account_type=".TB_PREF."chart_types.id AND ".TB_PREF."chart_types.class_id=".TB_PREF."chart_class.cid - AND ".TB_PREF."chart_master.account_code='$code'"; + AND ".TB_PREF."chart_master.account_code=".db_escape($code); $result = db_query($sql,"could not retreive the account class for $code"); $row = db_fetch_row($result); @@ -91,7 +93,7 @@ function is_account_balancesheet($code) function get_gl_account_name($code) { - $sql = "SELECT account_name from ".TB_PREF."chart_master WHERE account_code='$code'"; + $sql = "SELECT account_name from ".TB_PREF."chart_master WHERE account_code=".db_escape($code); $result = db_query($sql,"could not retreive the account name for $code"); diff --git a/gl/includes/db/gl_db_bank_accounts.inc b/gl/includes/db/gl_db_bank_accounts.inc index dbc1e01a..a86b2ec4 100644 --- a/gl/includes/db/gl_db_bank_accounts.inc +++ b/gl/includes/db/gl_db_bank_accounts.inc @@ -26,8 +26,10 @@ function add_bank_account($account_code, $account_type, $bank_account_name, $sql = "INSERT INTO ".TB_PREF."bank_accounts (account_code, account_type, bank_account_name, bank_name, bank_account_number, bank_address, bank_curr_code, dflt_curr_act) - VALUES (".db_escape($account_code).", $account_type, ".db_escape($bank_account_name).", ".db_escape($bank_name).", ".db_escape($bank_account_number).", - ".db_escape($bank_address).", '$bank_curr_code', '$dflt_curr_act')"; + VALUES (".db_escape($account_code).", ".db_escape($account_type).", " + .db_escape($bank_account_name).", ".db_escape($bank_name).", " + .db_escape($bank_account_number).",".db_escape($bank_address). + ", ".db_escape($bank_curr_code).", ".db_escape($dflt_curr_act).")"; db_query($sql, "could not add a bank account for $account_code"); } @@ -40,12 +42,13 @@ function update_bank_account($id, $account_code, $account_type, $bank_account_na if($dflt_curr_act) // only one default account for any currency clear_dflt_curr_account($bank_curr_code); - $sql = "UPDATE ".TB_PREF."bank_accounts SET account_type = $account_type, + $sql = "UPDATE ".TB_PREF."bank_accounts SET account_type = ".db_escape($account_type).", account_code=".db_escape($account_code).", bank_account_name=".db_escape($bank_account_name).", bank_name=".db_escape($bank_name).", - bank_account_number=".db_escape($bank_account_number).", bank_curr_code='$bank_curr_code', - bank_address=".db_escape($bank_address)."," - ."dflt_curr_act='$dflt_curr_act' WHERE id = '$id'"; + bank_account_number=".db_escape($bank_account_number).", bank_curr_code=".db_escape($bank_curr_code).", + bank_address=".db_escape($bank_address).", + dflt_curr_act=".db_escape($dflt_curr_act) + ." WHERE id = ".db_escape($id); db_query($sql, "could not update bank account for $account_code"); } @@ -54,7 +57,7 @@ function update_bank_account($id, $account_code, $account_type, $bank_account_na function delete_bank_account($id) { - $sql = "DELETE FROM ".TB_PREF."bank_accounts WHERE id='$id'"; + $sql = "DELETE FROM ".TB_PREF."bank_accounts WHERE id=".db_escape($id); db_query($sql,"could not delete bank account for $id"); } @@ -64,7 +67,7 @@ function delete_bank_account($id) function get_bank_account($id) { - $sql = "SELECT * FROM ".TB_PREF."bank_accounts WHERE id='$id'"; + $sql = "SELECT * FROM ".TB_PREF."bank_accounts WHERE id=".db_escape($id); $result = db_query($sql, "could not retreive bank account for $id"); @@ -74,7 +77,7 @@ function get_bank_account($id) //--------------------------------------------------------------------------------------------- function get_bank_gl_account($id) { - $sql = "SELECT account_code FROM ".TB_PREF."bank_accounts WHERE id='$id'"; + $sql = "SELECT account_code FROM ".TB_PREF."bank_accounts WHERE id=".db_escape($id); $result = db_query($sql, "could not retreive bank account for $id"); @@ -88,7 +91,7 @@ function get_bank_gl_account($id) function add_quick_entry($description, $type, $base_amount, $base_desc) { $sql = "INSERT INTO ".TB_PREF."quick_entries (description, type, base_amount, base_desc) - VALUES (".db_escape($description).", $type, " + VALUES (".db_escape($description).", ".db_escape($type).", " .db_escape($base_amount).", ".db_escape($base_desc).")"; db_query($sql, "could not insert quick entry for $description"); @@ -99,8 +102,9 @@ function add_quick_entry($description, $type, $base_amount, $base_desc) function update_quick_entry($selected_id, $description, $type, $base_amount, $base_desc) { $sql = "UPDATE ".TB_PREF."quick_entries SET description = ".db_escape($description).", - type=$type, base_amount=".db_escape($base_amount).", base_desc=".db_escape($base_desc)." - WHERE id = $selected_id"; + type=".db_escape($type).", base_amount=".db_escape($base_amount) + .", base_desc=".db_escape($base_desc)." + WHERE id = ".db_escape($selected_id); db_query($sql, "could not update quick entry for $selected_id"); } @@ -109,7 +113,7 @@ function update_quick_entry($selected_id, $description, $type, $base_amount, $ba function delete_quick_entry($selected_id) { - $sql = "DELETE FROM ".TB_PREF."quick_entries WHERE id=$selected_id"; + $sql = "DELETE FROM ".TB_PREF."quick_entries WHERE id=".db_escape($selected_id); db_query($sql,"could not delete quick entry $selected_id"); } @@ -122,7 +126,7 @@ function add_quick_entry_line($qid, $action, $dest_id, $amount, $dim, $dim2) (qid, action, dest_id, amount, dimension_id, dimension2_id) VALUES ($qid, ".db_escape($action).",".db_escape($dest_id).", - $amount, $dim, $dim2)"; + ".db_escape($amount).", ".db_escape($dim).", ".db_escape($dim2).")"; db_query($sql, "could not insert quick entry line for $qid"); } @@ -131,9 +135,11 @@ function add_quick_entry_line($qid, $action, $dest_id, $amount, $dim, $dim2) function update_quick_entry_line($selected_id, $qid, $action, $dest_id, $amount, $dim, $dim2) { - $sql = "UPDATE ".TB_PREF."quick_entry_lines SET qid = $qid, action=".db_escape($action).", - dest_id=".db_escape($dest_id).", amount=$amount, dimension_id=$dim, dimension2_id=$dim2 - WHERE id = $selected_id"; + $sql = "UPDATE ".TB_PREF."quick_entry_lines SET qid = ".db_escape($qid) + .", action=".db_escape($action).", + dest_id=".db_escape($dest_id).", amount=".db_escape($amount) + .", dimension_id=".db_escape($dim).", dimension2_id=".db_escape($dim2)." + WHERE id = ".db_escape($selected_id); db_query($sql, "could not update quick entry line for $selected_id"); } @@ -142,7 +148,7 @@ function update_quick_entry_line($selected_id, $qid, $action, $dest_id, $amount, function delete_quick_entry_line($selected_id) { - $sql = "DELETE FROM ".TB_PREF."quick_entry_lines WHERE id=$selected_id"; + $sql = "DELETE FROM ".TB_PREF."quick_entry_lines WHERE id=".db_escape($selected_id); db_query($sql,"could not delete quick entry line $selected_id"); } @@ -153,7 +159,7 @@ function has_quick_entries($type=null) { $sql = "SELECT id FROM ".TB_PREF."quick_entries"; if ($type != null) - $sql .= " WHERE type=$type"; + $sql .= " WHERE type=".db_escape($type); $result = db_query($sql, "could not retreive quick entries"); return db_num_rows($result) > 0; @@ -163,7 +169,7 @@ function get_quick_entries($type = null) { $sql = "SELECT * FROM ".TB_PREF."quick_entries"; if ($type != null) - $sql .= " WHERE type=$type"; + $sql .= " WHERE type=".db_escape($type); $sql .= " ORDER BY description"; return db_query($sql, "could not retreive quick entries"); @@ -171,7 +177,7 @@ function get_quick_entries($type = null) function get_quick_entry($selected_id) { - $sql = "SELECT * FROM ".TB_PREF."quick_entries WHERE id=$selected_id"; + $sql = "SELECT * FROM ".TB_PREF."quick_entries WHERE id=".db_escape($selected_id); $result = db_query($sql, "could not retreive quick entry $selected_id"); @@ -188,15 +194,14 @@ function get_quick_entry_lines($qid) LEFT JOIN ".TB_PREF."tax_types ON ".TB_PREF."quick_entry_lines.dest_id = ".TB_PREF."tax_types.id WHERE - qid=$qid - ORDER by id"; + qid=".db_escape($qid)." ORDER by id"; return db_query($sql, "could not retreive quick entries"); } function has_quick_entry_lines($qid) { - $sql = "SELECT id FROM ".TB_PREF."quick_entry_lines WHERE qid=$qid"; + $sql = "SELECT id FROM ".TB_PREF."quick_entry_lines WHERE qid=".db_escape($qid); $result = db_query($sql, "could not retreive quick entries"); return db_num_rows($result) > 0; @@ -206,7 +211,7 @@ function has_quick_entry_lines($qid) function get_quick_entry_line($selected_id) { - $sql = "SELECT * FROM ".TB_PREF."quick_entry_lines WHERE id=$selected_id"; + $sql = "SELECT * FROM ".TB_PREF."quick_entry_lines WHERE id=".db_escape($selected_id); $result = db_query($sql, "could not retreive quick entry for $selected_id"); diff --git a/gl/includes/db/gl_db_bank_trans.inc b/gl/includes/db/gl_db_bank_trans.inc index c9f550c8..ad369861 100644 --- a/gl/includes/db/gl_db_bank_trans.inc +++ b/gl/includes/db/gl_db_bank_trans.inc @@ -41,7 +41,8 @@ function add_bank_trans($type, $trans_no, $bank_act, $ref, $date_, trans_date, amount, person_type_id, person_id) "; $sql .= "VALUES ($type, $trans_no, '$bank_act', ".db_escape($ref).", '$sqlDate', - $amount_bank, $person_type_id, ". db_escape($person_id).")"; + ".db_escape($amount_bank).", ".db_escape($person_type_id) + .", ". db_escape($person_id).")"; if ($err_msg == "") $err_msg = "The bank transaction could not be inserted"; @@ -53,8 +54,8 @@ function add_bank_trans($type, $trans_no, $bank_act, $ref, $date_, function exists_bank_trans($type, $type_no) { - $sql = "SELECT trans_no FROM ".TB_PREF."bank_trans WHERE type=$type - AND trans_no=$type_no"; + $sql = "SELECT trans_no FROM ".TB_PREF."bank_trans WHERE type=".db_escape($type) + ." AND trans_no=".db_escape($type_no); $result = db_query($sql, "Cannot retreive a bank transaction"); return (db_num_rows($result) > 0); @@ -68,13 +69,13 @@ function get_bank_trans($type, $trans_no=null, $person_type_id=null, $person_id= FROM ".TB_PREF."bank_trans, ".TB_PREF."bank_accounts WHERE ".TB_PREF."bank_accounts.id=".TB_PREF."bank_trans.bank_act "; if ($type != null) - $sql .= " AND type=$type "; + $sql .= " AND type=".db_escape($type); if ($trans_no != null) - $sql .= " AND ".TB_PREF."bank_trans.trans_no = $trans_no "; + $sql .= " AND ".TB_PREF."bank_trans.trans_no = ".db_escape($trans_no); if ($person_type_id != null) - $sql .= " AND ".TB_PREF."bank_trans.person_type_id = $person_type_id "; + $sql .= " AND ".TB_PREF."bank_trans.person_type_id = ".db_escape($person_type_id); if ($person_id != null) - $sql .= " AND ".TB_PREF."bank_trans.person_id = '$person_id'"; + $sql .= " AND ".TB_PREF."bank_trans.person_id = ".db_escape($person_id); $sql .= " ORDER BY trans_date, ".TB_PREF."bank_trans.id"; return db_query($sql, "query for bank transaction"); @@ -84,7 +85,9 @@ function get_bank_trans($type, $trans_no=null, $person_type_id=null, $person_id= function get_gl_trans_value($account, $type, $trans_no) { - $sql = "SELECT SUM(amount) FROM ".TB_PREF."gl_trans WHERE account='$account' AND type=$type AND type_no=$trans_no"; + $sql = "SELECT SUM(amount) FROM ".TB_PREF."gl_trans WHERE account=" + .db_escape($account)." AND type=".db_escape($type) + ." AND type_no=".db_escape($trans_no); $result = db_query($sql, "query for gl trans value"); @@ -100,7 +103,7 @@ function void_bank_trans($type, $type_no, $nested=false) begin_transaction(); $sql = "UPDATE ".TB_PREF."bank_trans SET amount=0 - WHERE type=$type AND trans_no=$type_no"; + WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no); $result = db_query($sql, "could not void bank transactions for type=$type and trans_no=$type_no"); diff --git a/gl/includes/db/gl_db_banking.inc b/gl/includes/db/gl_db_banking.inc index b20644c5..bbef96d2 100644 --- a/gl/includes/db/gl_db_banking.inc +++ b/gl/includes/db/gl_db_banking.inc @@ -18,7 +18,7 @@ function add_exchange_variation($trans_type, $trans_no, $date_, $acc_id, $accoun $date_ = Today(); $rate = get_exchange_rate_from_home_currency($currency, $date_); $result = db_query("SELECT SUM(amount) FROM ".TB_PREF."bank_trans WHERE - bank_act='$acc_id' AND trans_date<='".date2sql($date_)."'", + bank_act=".db_escape($acc_id)." AND trans_date<='".date2sql($date_)."'", "Transactions for account $account could not be calculated"); $row = db_fetch_row($result); $foreign_amount = $row[0]; diff --git a/gl/includes/db/gl_db_currencies.inc b/gl/includes/db/gl_db_currencies.inc index 342cddc4..eee35e1c 100644 --- a/gl/includes/db/gl_db_currencies.inc +++ b/gl/includes/db/gl_db_currencies.inc @@ -14,9 +14,11 @@ function update_currency($curr_abrev, $symbol, $currency, $country, $hundreds_name, $auto_update) { - $sql = "UPDATE ".TB_PREF."currencies SET currency=".db_escape($currency).", curr_symbol='$symbol', - country=".db_escape($country).", hundreds_name=".db_escape($hundreds_name) - .",auto_update = '$auto_update'"." WHERE curr_abrev = '$curr_abrev'"; + $sql = "UPDATE ".TB_PREF."currencies SET currency=".db_escape($currency) + .", curr_symbol=".db_escape($symbol).", country=".db_escape($country) + .", hundreds_name=".db_escape($hundreds_name) + .",auto_update = ".db_escape($auto_update) + ." WHERE curr_abrev = ".db_escape($curr_abrev); db_query($sql, "could not update currency for $curr_abrev"); } @@ -26,11 +28,11 @@ function update_currency($curr_abrev, $symbol, $currency, $country, function add_currency($curr_abrev, $symbol, $currency, $country, $hundreds_name, $auto_update) { - $sql = "INSERT INTO ".TB_PREF."currencies (curr_abrev, curr_symbol, currency, country, - hundreds_name, auto_update) - VALUES (".db_escape($curr_abrev).", '$symbol', ".db_escape($currency) - .", ".db_escape($country).", ".db_escape($hundreds_name) - .",".db_escape($auto_update).")"; + $sql = "INSERT INTO ".TB_PREF."currencies (curr_abrev, curr_symbol, currency, + country, hundreds_name, auto_update) + VALUES (".db_escape($curr_abrev).", ".db_escape($symbol).", " + .db_escape($currency).", ".db_escape($country).", " + .db_escape($hundreds_name).",".db_escape($auto_update).")"; db_query($sql, "could not add currency for $curr_abrev"); } @@ -39,7 +41,7 @@ function add_currency($curr_abrev, $symbol, $currency, $country, function delete_currency($curr_code) { - $sql="DELETE FROM ".TB_PREF."currencies WHERE curr_abrev='$curr_code'"; + $sql="DELETE FROM ".TB_PREF."currencies WHERE curr_abrev=".db_escape($curr_code); db_query($sql, "could not delete currency $curr_code"); $sql="DELETE FROM ".TB_PREF."exchange_rates WHERE curr_code='$curr_code'"; @@ -50,7 +52,7 @@ function delete_currency($curr_code) function get_currency($curr_code) { - $sql = "SELECT * FROM ".TB_PREF."currencies WHERE curr_abrev='$curr_code'"; + $sql = "SELECT * FROM ".TB_PREF."currencies WHERE curr_abrev=".db_escape($curr_code); $result = db_query($sql, "could not get currency $curr_code"); $row = db_fetch($result); diff --git a/gl/includes/db/gl_db_rates.inc b/gl/includes/db/gl_db_rates.inc index fa5926b6..c6d5c530 100644 --- a/gl/includes/db/gl_db_rates.inc +++ b/gl/includes/db/gl_db_rates.inc @@ -12,7 +12,7 @@ //--------------------------------------------------------------------------------------------- function get_exchange_rate($rate_id) { - $sql = "SELECT * FROM ".TB_PREF."exchange_rates WHERE id=$rate_id"; + $sql = "SELECT * FROM ".TB_PREF."exchange_rates WHERE id=".db_escape($rate_id); $result = db_query($sql, "could not get exchange rate for $rate_id"); return db_fetch($result); @@ -22,8 +22,8 @@ function get_exchange_rate($rate_id) function get_date_exchange_rate($curr_code, $date_) { $date = date2sql($date_); - $sql = "SELECT rate_buy FROM ".TB_PREF."exchange_rates WHERE curr_code='$curr_code' - AND date_='$date'"; + $sql = "SELECT rate_buy FROM ".TB_PREF."exchange_rates WHERE curr_code=".db_escape($curr_code) + ." AND date_='$date'"; $result = db_query($sql, "could not get exchange rate for $curr_code - $date_"); if(db_num_rows($result) == 0) @@ -41,8 +41,8 @@ function update_exchange_rate($curr_code, $date_, $buy_rate, $sell_rate) $date = date2sql($date_); - $sql = "UPDATE ".TB_PREF."exchange_rates SET rate_buy=$buy_rate, rate_sell=$sell_rate - WHERE curr_code='$curr_code' AND date_='$date'"; + $sql = "UPDATE ".TB_PREF."exchange_rates SET rate_buy=$buy_rate, rate_sell=".db_escape($sell_rate) + ." WHERE curr_code=".db_escape($curr_code)." AND date_='$date'"; db_query($sql, "could not add exchange rate for $curr_code"); } @@ -57,7 +57,8 @@ function add_exchange_rate($curr_code, $date_, $buy_rate, $sell_rate) $date = date2sql($date_); $sql = "INSERT INTO ".TB_PREF."exchange_rates (curr_code, date_, rate_buy, rate_sell) - VALUES ('$curr_code', '$date', $buy_rate, $sell_rate)"; + VALUES (".db_escape($curr_code).", '$date', ".db_escape($buy_rate) + .", ".db_escape($sell_rate).")"; db_query($sql, "could not add exchange rate for $curr_code"); } @@ -65,7 +66,7 @@ function add_exchange_rate($curr_code, $date_, $buy_rate, $sell_rate) function delete_exchange_rate($rate_id) { - $sql = "DELETE FROM ".TB_PREF."exchange_rates WHERE id=$rate_id"; + $sql = "DELETE FROM ".TB_PREF."exchange_rates WHERE id=".db_escape($rate_id); db_query($sql, "could not delete exchange rate $rate_id"); } diff --git a/gl/includes/db/gl_db_trans.inc b/gl/includes/db/gl_db_trans.inc index f4096b7b..a842c951 100644 --- a/gl/includes/db/gl_db_trans.inc +++ b/gl/includes/db/gl_db_trans.inc @@ -50,11 +50,13 @@ function add_gl_trans($type, $trans_id, $date_, $account, $dimension, $dimension $sql .= ") "; - $sql .= "VALUES ($type, $trans_id, '$date', - '$account', $dimension, $dimension2, ".db_escape($memo_).", $amount_in_home_currency"; + $sql .= "VALUES (".db_escape($type).", ".db_escape($trans_id).", '$date', + ".db_escape($account).", ".db_escape($dimension).", " + .db_escape($dimension2).", ".db_escape($memo_).", " + .db_escape($amount_in_home_currency); if ($person_type_id != null) - $sql .= ", $person_type_id, ". db_escape($person_id); + $sql .= ", ".db_escape($person_type_id).", ". db_escape($person_id); $sql .= ") "; @@ -100,24 +102,26 @@ function get_gl_transactions($from_date, $to_date, $trans_no=0, $from = date2sql($from_date); $to = date2sql($to_date); - $sql = "SELECT ".TB_PREF."gl_trans.*, ".TB_PREF."chart_master.account_name FROM ".TB_PREF."gl_trans, ".TB_PREF."chart_master + $sql = "SELECT ".TB_PREF."gl_trans.*, " + .TB_PREF."chart_master.account_name FROM ".TB_PREF."gl_trans, " + .TB_PREF."chart_master WHERE ".TB_PREF."chart_master.account_code=".TB_PREF."gl_trans.account AND tran_date >= '$from' AND tran_date <= '$to'"; if ($trans_no > 0) - $sql .= " AND ".TB_PREF."gl_trans.type_no LIKE '%$trans_no'"; + $sql .= " AND ".TB_PREF."gl_trans.type_no LIKE ".db_escape('%'.$trans_no); if ($account != null) - $sql .= " AND ".TB_PREF."gl_trans.account = '$account'"; + $sql .= " AND ".TB_PREF."gl_trans.account = ".db_escape($account); if ($dimension > 0) - $sql .= " AND ".TB_PREF."gl_trans.dimension_id = $dimension"; + $sql .= " AND ".TB_PREF."gl_trans.dimension_id = ".db_escape($dimension); if ($dimension2 > 0) - $sql .= " AND ".TB_PREF."gl_trans.dimension2_id = $dimension2"; + $sql .= " AND ".TB_PREF."gl_trans.dimension2_id = ".db_escape($dimension2); if ($filter_type != null AND is_numeric($filter_type)) - $sql .= " AND ".TB_PREF."gl_trans.type= $filter_type"; + $sql .= " AND ".TB_PREF."gl_trans.type= ".db_escape($filter_type); $sql .= " ORDER BY tran_date"; @@ -129,9 +133,12 @@ function get_gl_transactions($from_date, $to_date, $trans_no=0, function get_gl_trans($type, $trans_id) { - $sql = "SELECT ".TB_PREF."gl_trans.*, ".TB_PREF."chart_master.account_name FROM ".TB_PREF."gl_trans, ".TB_PREF."chart_master + $sql = "SELECT ".TB_PREF."gl_trans.*, " + .TB_PREF."chart_master.account_name FROM " + .TB_PREF."gl_trans, ".TB_PREF."chart_master WHERE ".TB_PREF."chart_master.account_code=".TB_PREF."gl_trans.account - AND ".TB_PREF."gl_trans.type=$type AND ".TB_PREF."gl_trans.type_no=$trans_id"; + AND ".TB_PREF."gl_trans.type=".db_escape($type) + ." AND ".TB_PREF."gl_trans.type_no=".db_escape($trans_id); return db_query($sql, "The gl transactions could not be retrieved"); } @@ -140,12 +147,14 @@ function get_gl_trans($type, $trans_id) function get_gl_wo_cost_trans($trans_id, $person_id=-1) { - $sql = "SELECT ".TB_PREF."gl_trans.*, ".TB_PREF."chart_master.account_name FROM ".TB_PREF."gl_trans, ".TB_PREF."chart_master + $sql = "SELECT ".TB_PREF."gl_trans.*, ".TB_PREF."chart_master.account_name FROM " + .TB_PREF."gl_trans, ".TB_PREF."chart_master WHERE ".TB_PREF."chart_master.account_code=".TB_PREF."gl_trans.account - AND ".TB_PREF."gl_trans.type=".ST_WORKORDER." AND ".TB_PREF."gl_trans.type_no=$trans_id + AND ".TB_PREF."gl_trans.type=".ST_WORKORDER + ." AND ".TB_PREF."gl_trans.type_no=".db_escape($trans_id)." AND ".TB_PREF."gl_trans.person_type_id=".PT_WORKORDER; if ($person_id != -1) - $sql .= " AND ".TB_PREF."gl_trans.person_id=$person_id"; + $sql .= " AND ".TB_PREF."gl_trans.person_id=".db_escape($person_id); $sql .= " AND amount < 0"; return db_query($sql, "The gl transactions could not be retrieved"); @@ -163,9 +172,9 @@ function get_gl_balance_from_to($from_date, $to_date, $account, $dimension=0, $d if ($to_date != "") $sql .= " AND tran_date < '$to'"; if ($dimension > 0) - $sql .= " AND dimension_id = $dimension"; + $sql .= " AND dimension_id = ".db_escape($dimension); if ($dimension2 > 0) - $sql .= " AND dimension2_id = $dimension2"; + $sql .= " AND dimension2_id = ".db_escape($dimension2); $result = db_query($sql, "The starting balance for account $account could not be calculated"); @@ -187,9 +196,9 @@ function get_gl_trans_from_to($from_date, $to_date, $account, $dimension=0, $dim if ($to_date != "") $sql .= " AND tran_date <= '$to'"; if ($dimension > 0) - $sql .= " AND dimension_id = $dimension"; + $sql .= " AND dimension_id = ".db_escape($dimension); if ($dimension2 > 0) - $sql .= " AND dimension2_id = $dimension2"; + $sql .= " AND dimension2_id = ".db_escape($dimension2); $result = db_query($sql, "Transactions for account $account could not be calculated"); @@ -200,17 +209,20 @@ function get_gl_trans_from_to($from_date, $to_date, $account, $dimension=0, $dim //---------------------------------------------------------------------------------------------------- function get_balance($account, $dimension, $dimension2, $from, $to, $from_incl=true, $to_incl=true) { - $sql = "SELECT SUM(IF(amount >= 0, amount, 0)) as debit, SUM(IF(amount < 0, -amount, 0)) as credit, SUM(amount) as balance - FROM ".TB_PREF."gl_trans,".TB_PREF."chart_master,".TB_PREF."chart_types, ".TB_PREF."chart_class - WHERE ".TB_PREF."gl_trans.account=".TB_PREF."chart_master.account_code AND ".TB_PREF."chart_master.account_type=".TB_PREF."chart_types.id + $sql = "SELECT SUM(IF(amount >= 0, amount, 0)) as debit, + SUM(IF(amount < 0, -amount, 0)) as credit, SUM(amount) as balance + FROM ".TB_PREF."gl_trans,".TB_PREF."chart_master," + .TB_PREF."chart_types, ".TB_PREF."chart_class + WHERE ".TB_PREF."gl_trans.account=".TB_PREF."chart_master.account_code AND " + .TB_PREF."chart_master.account_type=".TB_PREF."chart_types.id AND ".TB_PREF."chart_types.class_id=".TB_PREF."chart_class.cid AND"; if ($account != null) - $sql .= " account='$account' AND"; + $sql .= " account=".db_escape($account)." AND"; if ($dimension > 0) - $sql .= " dimension_id=$dimension AND"; + $sql .= " dimension_id=".db_escape($dimension)." AND"; if ($dimension2 > 0) - $sql .= " dimension2_id=$dimension2 AND"; + $sql .= " dimension2_id=".db_escape($dimension2)." AND"; $from_date = date2sql($from); if ($from_incl) $sql .= " tran_date >= '$from_date' AND"; @@ -236,15 +248,15 @@ function get_budget_trans_from_to($from_date, $to_date, $account, $dimension=0, $to = date2sql($to_date); $sql = "SELECT SUM(amount) FROM ".TB_PREF."budget_trans - WHERE account='$account' "; + WHERE account=".db_escape($account); if ($from_date != "") $sql .= " AND tran_date >= '$from' "; if ($to_date != "") $sql .= " AND tran_date <= '$to' "; if ($dimension > 0) - $sql .= " AND dimension_id = $dimension"; + $sql .= " AND dimension_id = ".db_escape($dimension); if ($dimension2 > 0) - $sql .= " AND dimension2_id = $dimension2"; + $sql .= " AND dimension2_id = ".db_escape($dimension2); $result = db_query($sql,"No budget accounts were returned"); $row = db_fetch_row($result); @@ -291,7 +303,7 @@ function add_trans_tax_details($trans_type, $trans_no, $tax_id, $rate, $included included_in_price, net_amount, amount, memo) VALUES (".db_escape($trans_type)."," . db_escape($trans_no).",'" .date2sql($tran_date)."',".db_escape($tax_id)."," - .$rate.",".$ex_rate.",".($included ? 1:0)."," + .db_escape($rate).",".db_escape($ex_rate).",".($included ? 1:0)."," .db_escape($net_amount)."," .db_escape($amount).",".db_escape($memo).")"; @@ -302,10 +314,11 @@ function add_trans_tax_details($trans_type, $trans_no, $tax_id, $rate, $included function get_trans_tax_details($trans_type, $trans_no) { - $sql = "SELECT ".TB_PREF."trans_tax_details.*, ".TB_PREF."tax_types.name AS tax_type_name + $sql = "SELECT ".TB_PREF."trans_tax_details.*, " + .TB_PREF."tax_types.name AS tax_type_name FROM ".TB_PREF."trans_tax_details,".TB_PREF."tax_types - WHERE trans_type = $trans_type - AND trans_no = $trans_no + WHERE trans_type = ".db_escape($trans_type)." + AND trans_no = ".db_escape($trans_no)." AND (net_amount != 0 OR amount != 0) AND ".TB_PREF."tax_types.id = ".TB_PREF."trans_tax_details.tax_type_id"; @@ -317,8 +330,8 @@ function get_trans_tax_details($trans_type, $trans_no) function void_trans_tax_details($type, $type_no) { $sql = "UPDATE ".TB_PREF."trans_tax_details SET amount=0, net_amount=0 - WHERE trans_no=$type_no - AND trans_type=$type"; + WHERE trans_no=".db_escape($type_no) + ." AND trans_type=".db_escape($type); db_query($sql, "The transaction tax details could not be voided"); } @@ -445,7 +458,8 @@ function write_journal_entries(&$cart, $reverse, $use_transaction=true) function exists_gl_trans($type, $trans_id) { - $sql = "SELECT type_no FROM ".TB_PREF."gl_trans WHERE type=$type AND type_no=$trans_id"; + $sql = "SELECT type_no FROM ".TB_PREF."gl_trans WHERE type=".db_escape($type) + ." AND type_no=".db_escape($trans_id); $result = db_query($sql, "Cannot retreive a gl transaction"); return (db_num_rows($result) > 0); @@ -458,7 +472,8 @@ function void_gl_trans($type, $trans_id, $nested=false) if (!$nested) begin_transaction(); - $sql = "UPDATE ".TB_PREF."gl_trans SET amount=0 WHERE type=$type AND type_no=$trans_id"; + $sql = "UPDATE ".TB_PREF."gl_trans SET amount=0 WHERE type=".db_escape($type) + ." AND type_no=".db_escape($trans_id); db_query($sql, "could not void gl transactions for type=$type and trans_no=$trans_id"); diff --git a/gl/inquiry/bank_inquiry.php b/gl/inquiry/bank_inquiry.php index ec98d993..33112d70 100644 --- a/gl/inquiry/bank_inquiry.php +++ b/gl/inquiry/bank_inquiry.php @@ -59,7 +59,7 @@ $date_to = date2sql($_POST['TransToDate']); if (!isset($_POST['bank_account'])) $_POST['bank_account'] = ""; $sql = "SELECT ".TB_PREF."bank_trans.* FROM ".TB_PREF."bank_trans - WHERE ".TB_PREF."bank_trans.bank_act = '" . $_POST['bank_account'] . "' + WHERE ".TB_PREF."bank_trans.bank_act = ".db_escape($_POST['bank_account']) . " AND trans_date >= '$date_after' AND trans_date <= '$date_to' ORDER BY trans_date,".TB_PREF."bank_trans.id"; @@ -76,7 +76,8 @@ $th = array(_("Type"), _("#"), _("Reference"), _("Date"), _("Debit"), _("Credit"), _("Balance"), _("Person/Item"), ""); table_header($th); -$sql = "SELECT SUM(amount) FROM ".TB_PREF."bank_trans WHERE bank_act='" . $_POST['bank_account'] . "' +$sql = "SELECT SUM(amount) FROM ".TB_PREF."bank_trans WHERE bank_act=" + .db_escape($_POST['bank_account']) . " AND trans_date < '$date_after'"; $before_qty = db_query($sql, "The starting balance on hand could not be calculated"); diff --git a/gl/manage/gl_account_types.php b/gl/manage/gl_account_types.php index b4ca1866..e6445a56 100644 --- a/gl/manage/gl_account_types.php +++ b/gl/manage/gl_account_types.php @@ -109,7 +109,7 @@ if ($Mode == 'Delete') if (can_delete($selected_id)) { delete_account_type($selected_id); - display_notification(_('Selected currency has been deleted')); + display_notification(_('Selected account group has been deleted')); } $Mode = 'RESET'; } diff --git a/gl/view/bank_transfer_view.php b/gl/view/bank_transfer_view.php index 3ae52d96..8eaeb41c 100644 --- a/gl/view/bank_transfer_view.php +++ b/gl/view/bank_transfer_view.php @@ -28,7 +28,7 @@ if (isset($_GET["trans_no"])){ $result = get_bank_trans(ST_BANKTRANSFER, $trans_no); if (db_num_rows($result) != 2) - display_db_error("Bank transfer does not contain two records", $sql); + display_db_error("Bank transfer does not contain two records"); $trans1 = db_fetch($result); $trans2 = db_fetch($result); diff --git a/gl/view/gl_trans_view.php b/gl/view/gl_trans_view.php index d869dce9..64e585a5 100644 --- a/gl/view/gl_trans_view.php +++ b/gl/view/gl_trans_view.php @@ -47,7 +47,11 @@ function display_gl_heading($myrow) end_table(1); } -$sql = "SELECT ".TB_PREF."gl_trans.*, account_name FROM ".TB_PREF."gl_trans, ".TB_PREF."chart_master WHERE ".TB_PREF."gl_trans.account = ".TB_PREF."chart_master.account_code AND type= " . $_GET['type_id'] . " AND type_no = " . $_GET['trans_no'] . " ORDER BY counter"; +$sql = "SELECT ".TB_PREF."gl_trans.*, account_name FROM " + .TB_PREF."gl_trans, ".TB_PREF."chart_master WHERE " + .TB_PREF."gl_trans.account = ".TB_PREF."chart_master.account_code AND type= " + .db_escape($_GET['type_id']) . " AND type_no = ".db_escape($_GET['trans_no']) + . " ORDER BY counter"; $result = db_query($sql,"could not get transactions"); //alert("sql = ".$sql); diff --git a/includes/db/connect_db.inc b/includes/db/connect_db.inc index f91d7023..d6b6e71a 100644 --- a/includes/db/connect_db.inc +++ b/includes/db/connect_db.inc @@ -100,6 +100,7 @@ function db_num_fields ($result) function db_escape($value = "", $nullify = false) { + $value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding); $value = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding); //reset default if second parameter is skipped diff --git a/inventory/cost_update.php b/inventory/cost_update.php index bfaf0f33..e268f360 100644 --- a/inventory/cost_update.php +++ b/inventory/cost_update.php @@ -91,7 +91,7 @@ set_global_stock_item($_POST['stock_id']); $sql = "SELECT description, units, material_cost, labour_cost, overhead_cost, mb_flag FROM ".TB_PREF."stock_master - WHERE stock_id='" . $_POST['stock_id'] . "' + WHERE stock_id=".db_escape($_POST['stock_id']) . " GROUP BY description, units, material_cost, labour_cost, overhead_cost, mb_flag"; $result = db_query($sql); check_db_error("The cost details for the item could not be retrieved", $sql); diff --git a/inventory/includes/db/items_category_db.inc b/inventory/includes/db/items_category_db.inc index f7d4ed6b..11f9486d 100644 --- a/inventory/includes/db/items_category_db.inc +++ b/inventory/includes/db/items_category_db.inc @@ -51,22 +51,22 @@ function update_item_category($id, $description, $tax_type_id, ."dflt_assembly_act = ".db_escape($assembly_account)."," ."dflt_dim1 = ".db_escape($dim1)."," ."dflt_dim2 = ".db_escape($dim2)."," - ."dflt_no_sale = '$no_sale'" - ." WHERE category_id = '$id'"; + ."dflt_no_sale = ".db_escape($no_sale) + ."WHERE category_id = ".db_escape($id); db_query($sql,"an item category could not be updated"); } function delete_item_category($id) { - $sql="DELETE FROM ".TB_PREF."stock_category WHERE category_id='$id'"; + $sql="DELETE FROM ".TB_PREF."stock_category WHERE category_id=".db_escape($id); db_query($sql,"an item category could not be deleted"); } function get_item_category($id) { - $sql="SELECT * FROM ".TB_PREF."stock_category WHERE category_id='$id'"; + $sql="SELECT * FROM ".TB_PREF."stock_category WHERE category_id=".db_escape($id); $result = db_query($sql,"an item category could not be retrieved"); @@ -75,7 +75,7 @@ function get_item_category($id) function get_category_name($id) { - $sql = "SELECT description FROM ".TB_PREF."stock_category WHERE category_id=$id"; + $sql = "SELECT description FROM ".TB_PREF."stock_category WHERE category_id=".db_escape($id); $result = db_query($sql, "could not get sales type"); diff --git a/inventory/includes/db/items_codes_db.inc b/inventory/includes/db/items_codes_db.inc index d262ee71..5169e2d0 100644 --- a/inventory/includes/db/items_codes_db.inc +++ b/inventory/includes/db/items_codes_db.inc @@ -19,7 +19,7 @@ function update_item_code($id, $item_code, $stock_id, $description, $category, $ item_code = ".db_escape($item_code).", stock_id = ".db_escape($stock_id).", description = ".db_escape($description).", - category_id = $category, + category_id = ".db_escape($category).", quantity = ".db_escape($qty).", is_foreign = ".db_escape($foreign)." WHERE "; @@ -28,7 +28,7 @@ function update_item_code($id, $item_code, $stock_id, $description, $category, $ $sql .= "item_code = ".db_escape($item_code) ." AND stock_id = ".db_escape($stock_id); else - $sql .= "id = $id"; + $sql .= "id = ".db_escape($id); db_query($sql,"an item code could not be updated"); } @@ -38,20 +38,21 @@ function add_item_code($item_code, $stock_id, $description, $category, $qty, $fo $sql = "INSERT INTO ".TB_PREF."item_codes (item_code, stock_id, description, category_id, quantity, is_foreign) VALUES( ".db_escape($item_code).",".db_escape($stock_id).", - ".db_escape($description).",$category,".db_escape($qty).",".$foreign.")"; + ".db_escape($description).",".db_escape($category) + .",".db_escape($qty).",".db_escape($foreign).")"; db_query($sql,"an item code could not be added"); } function delete_item_code($id) { - $sql="DELETE FROM ".TB_PREF."item_codes WHERE id='$id'"; + $sql="DELETE FROM ".TB_PREF."item_codes WHERE id=".db_escape($id); db_query($sql,"an item code could not be deleted"); } function get_item_code($id) { - $sql="SELECT * FROM ".TB_PREF."item_codes WHERE id='$id'"; + $sql="SELECT * FROM ".TB_PREF."item_codes WHERE id=".db_escape($id); $result = db_query($sql,"item code could not be retrieved"); @@ -63,9 +64,9 @@ function get_all_item_codes($stock_id, $foreign=1) $sql="SELECT i.*, c.description as cat_name FROM " .TB_PREF."item_codes as i," .TB_PREF."stock_category as c - WHERE stock_id='$stock_id' + WHERE stock_id=".db_escape($stock_id)." AND i.category_id=c.category_id - AND i.is_foreign=$foreign"; + AND i.is_foreign=".db_escape($foreign); $result = db_query($sql,"all item codes could not be retrieved"); @@ -74,7 +75,7 @@ function get_all_item_codes($stock_id, $foreign=1) function delete_item_kit($item_code) { - $sql="DELETE FROM ".TB_PREF."item_codes WHERE item_code='$item_code'"; + $sql="DELETE FROM ".TB_PREF."item_codes WHERE item_code=".db_escape($item_code); db_query($sql,"an item kit could not be deleted"); } @@ -90,7 +91,7 @@ function get_item_kit($item_code) item.stock_id=comp.item_code WHERE kit.stock_id=comp.item_code - AND kit.item_code='$item_code'"; + AND kit.item_code=".db_escape($item_code); $result = db_query($sql,"item kit could not be retrieved"); @@ -101,7 +102,7 @@ function get_item_code_dflts($stock_id) { $sql = "SELECT units, decimals, description, category_id FROM ".TB_PREF."stock_master,".TB_PREF."item_units - WHERE stock_id='$stock_id'"; + WHERE stock_id=".db_escape($stock_id); $result = db_query($sql,"item code defaults could not be retrieved"); return db_fetch($result); @@ -137,7 +138,7 @@ function check_item_in_kit($old_id, $kit_code, $item_code, $recurse=false) function get_kit_props($kit_code) { $sql = "SELECT description, category_id FROM ".TB_PREF."item_codes " - . " WHERE item_code='$kit_code'"; + . " WHERE item_code=".db_escape($kit_code); $res = db_query($sql, "kit name query failed"); return db_fetch($res); } @@ -145,8 +146,8 @@ function get_kit_props($kit_code) function update_kit_props($kit_code, $name, $category) { $sql = "UPDATE ".TB_PREF."item_codes SET description=" - . db_escape($name).",category_id=".db_escape($category) - . " WHERE item_code='$kit_code'"; + . db_escape($name).",category_id=".db_escape($category) + . " WHERE item_code=".db_escape($kit_code); db_query($sql, "kit name update failed"); } @@ -154,8 +155,8 @@ function get_where_used($item_code) { $sql = "SELECT item_code, description FROM " .TB_PREF."item_codes " - . " WHERE stock_id='$item_code' - AND item_code!='$item_code'"; + . " WHERE stock_id=".db_escape($item_code)." + AND item_code!=".db_escape($item_code); return db_query($sql, "where used query failed"); } ?> \ No newline at end of file diff --git a/inventory/includes/db/items_db.inc b/inventory/includes/db/items_db.inc index 9af892d9..9b382287 100644 --- a/inventory/includes/db/items_db.inc +++ b/inventory/includes/db/items_db.inc @@ -16,16 +16,16 @@ function update_item($stock_id, $description, $long_description, $category_id, { $sql = "UPDATE ".TB_PREF."stock_master SET long_description=".db_escape($long_description).", description=".db_escape($description).", - category_id='$category_id', - sales_account='$sales_account', - inventory_account='$inventory_account', - cogs_account='$cogs_account', - adjustment_account='$adjustment_account', - assembly_account='$assembly_account', - dimension_id=$dimension_id, - dimension2_id=$dimension2_id, - tax_type_id=$tax_type_id, - no_sale='$no_sale'"; + category_id=".db_escape($category_id).", + sales_account=".db_escape($sales_account).", + inventory_account=".db_escape($inventory_account).", + cogs_account=".db_escape($cogs_account).", + adjustment_account=".db_escape($adjustment_account).", + assembly_account=".db_escape($assembly_account).", + dimension_id=".db_escape($dimension_id).", + dimension2_id=".db_escape($dimension2_id).", + tax_type_id=".db_escape($tax_type_id)." + no_sale=".db_escape($no_sale); if ($units != '') $sql .= ", units='$units'"; @@ -33,7 +33,7 @@ function update_item($stock_id, $description, $long_description, $category_id, if ($mb_flag != '') $sql .= ", mb_flag='$mb_flag'"; - $sql .= " WHERE stock_id='$stock_id'"; + $sql .= " WHERE stock_id=".db_escape($stock_id); db_query($sql, "The item could not be updated"); @@ -49,15 +49,19 @@ function add_item($stock_id, $description, $long_description, $category_id, tax_type_id, units, mb_flag, sales_account, inventory_account, cogs_account, adjustment_account, assembly_account, dimension_id, dimension2_id, no_sale) VALUES (".db_escape($stock_id).", ".db_escape($description).", ".db_escape($long_description).", - '$category_id', $tax_type_id, '$units', '$mb_flag', - '$sales_account', '$inventory_account', '$cogs_account', - '$adjustment_account', '$assembly_account', $dimension_id, $dimension2_id, - '$no_sale')"; + ".db_escape($category_id).", ".db_escape($tax_type_id).", " + .db_escape($units).", ".db_escape($mb_flag).", + ".db_escape($sales_account).", ".db_escape($inventory_account) + .", ".db_escape($cogs_account).",".db_escape($adjustment_account) + .", ".db_escape($assembly_account).", " + .db_escape($dimension_id).", ".db_escape($dimension2_id)."," + .db_escape($no_sale).")"; db_query($sql, "The item could not be added"); $sql = "INSERT INTO ".TB_PREF."loc_stock (loc_code, stock_id) - SELECT ".TB_PREF."locations.loc_code, '$stock_id' FROM ".TB_PREF."locations"; + SELECT ".TB_PREF."locations.loc_code, ".db_escape($stock_id) + ." FROM ".TB_PREF."locations"; db_query($sql, "The item locstock could not be added"); @@ -66,23 +70,23 @@ function add_item($stock_id, $description, $long_description, $category_id, function delete_item($stock_id) { - $sql="DELETE FROM ".TB_PREF."stock_master WHERE stock_id='$stock_id'"; + $sql="DELETE FROM ".TB_PREF."stock_master WHERE stock_id=".db_escape($stock_id); db_query($sql, "could not delete stock item"); /*and cascade deletes in loc_stock */ - $sql ="DELETE FROM ".TB_PREF."loc_stock WHERE stock_id='$stock_id'"; + $sql ="DELETE FROM ".TB_PREF."loc_stock WHERE stock_id=".db_escape($stock_id); db_query($sql, "could not delete stock item loc stock"); /*and cascade deletes in purch_data */ - $sql ="DELETE FROM ".TB_PREF."purch_data WHERE stock_id='$stock_id'"; + $sql ="DELETE FROM ".TB_PREF."purch_data WHERE stock_id=".db_escape($stock_id); db_query($sql, "could not delete stock item purch data"); /*and cascade deletes in prices */ - $sql ="DELETE FROM ".TB_PREF."prices WHERE stock_id='$stock_id'"; + $sql ="DELETE FROM ".TB_PREF."prices WHERE stock_id=".db_escape($stock_id); db_query($sql, "could not delete stock item prices"); /*and cascade delete the bill of material if any */ - $sql = "DELETE FROM ".TB_PREF."bom WHERE parent='$stock_id'"; + $sql = "DELETE FROM ".TB_PREF."bom WHERE parent=".db_escape($stock_id); db_query($sql, "could not delete stock item bom"); delete_item_kit($stock_id); @@ -93,7 +97,7 @@ function get_item($stock_id) $sql = "SELECT ".TB_PREF."stock_master.*,".TB_PREF."item_tax_types.name AS tax_type_name FROM ".TB_PREF."stock_master,".TB_PREF."item_tax_types WHERE ".TB_PREF."item_tax_types.id=".TB_PREF."stock_master.tax_type_id - AND stock_id='$stock_id'"; + AND stock_id=".db_escape($stock_id); $result = db_query($sql,"an item could not be retreived"); return db_fetch($result); diff --git a/inventory/includes/db/items_locations_db.inc b/inventory/includes/db/items_locations_db.inc index 809e928c..b0372971 100644 --- a/inventory/includes/db/items_locations_db.inc +++ b/inventory/includes/db/items_locations_db.inc @@ -13,13 +13,14 @@ function add_item_location($loc_code, $location_name, $delivery_address, $phone, { $sql = "INSERT INTO ".TB_PREF."locations (loc_code, location_name, delivery_address, phone, phone2, fax, email, contact) VALUES (".db_escape($loc_code).", ".db_escape($location_name).", ".db_escape($delivery_address).", " - .db_escape($phone).", ".db_escape($phone2).", ".db_escape($fax).", ".db_escape($email).", ".db_escape($contact).")"; + .db_escape($phone).", ".db_escape($phone2).", ".db_escape($fax).", ".db_escape($email).", " + .db_escape($contact).")"; db_query($sql,"a location could not be added"); /* Also need to add loc_stock records for all existing items */ $sql = "INSERT INTO ".TB_PREF."loc_stock (loc_code, stock_id, reorder_level) - SELECT '$loc_code', ".TB_PREF."stock_master.stock_id, 0 FROM ".TB_PREF."stock_master"; + SELECT ".db_escape($loc_code).", ".TB_PREF."stock_master.stock_id, 0 FROM ".TB_PREF."stock_master"; db_query($sql,"a location could not be added"); } @@ -33,7 +34,7 @@ function update_item_location($loc_code, $location_name, $delivery_address, $pho delivery_address=".db_escape($delivery_address).", phone=".db_escape($phone).", phone2=".db_escape($phone2).", fax=".db_escape($fax).", email=".db_escape($email).", contact=".db_escape($contact)." - WHERE loc_code = '$loc_code'"; + WHERE loc_code = ".db_escape($loc_code); db_query($sql,"a location could not be updated"); } @@ -42,10 +43,10 @@ function update_item_location($loc_code, $location_name, $delivery_address, $pho function delete_item_location($item_location) { - $sql="DELETE FROM ".TB_PREF."locations WHERE loc_code='$item_location'"; + $sql="DELETE FROM ".TB_PREF."locations WHERE loc_code=".db_escape($item_location); db_query($sql,"a location could not be deleted"); - $sql = "DELETE FROM ".TB_PREF."loc_stock WHERE loc_code ='$item_location'"; + $sql = "DELETE FROM ".TB_PREF."loc_stock WHERE loc_code =".db_escape($item_location); db_query($sql,"a location could not be deleted"); } @@ -53,7 +54,7 @@ function delete_item_location($item_location) function get_item_location($item_location) { - $sql="SELECT * FROM ".TB_PREF."locations WHERE loc_code='$item_location'"; + $sql="SELECT * FROM ".TB_PREF."locations WHERE loc_code=".db_escape($item_location); $result = db_query($sql,"a location could not be retrieved"); @@ -65,7 +66,7 @@ function get_item_location($item_location) function set_reorder_level($stock_id, $loc_code, $reorder_level) { $sql = "UPDATE ".TB_PREF."loc_stock SET reorder_level = $reorder_level - WHERE stock_id = '$stock_id' AND loc_code = '$loc_code'"; + WHERE stock_id = ".db_escape($stock_id)." AND loc_code = ".db_escape($loc_code); db_query($sql,"an item reorder could not be set"); } @@ -77,7 +78,8 @@ function get_loc_details($stock_id) $sql = "SELECT ".TB_PREF."loc_stock.*, ".TB_PREF."locations.location_name FROM ".TB_PREF."loc_stock, ".TB_PREF."locations WHERE ".TB_PREF."loc_stock.loc_code=".TB_PREF."locations.loc_code - AND ".TB_PREF."loc_stock.stock_id = '" . $stock_id . "' ORDER BY ".TB_PREF."loc_stock.loc_code"; + AND ".TB_PREF."loc_stock.stock_id = ".db_escape($stock_id) + ." ORDER BY ".TB_PREF."loc_stock.loc_code"; return db_query($sql,"an item reorder could not be retreived"); } diff --git a/inventory/includes/db/items_prices_db.inc b/inventory/includes/db/items_prices_db.inc index 13fa14da..9b670d24 100644 --- a/inventory/includes/db/items_prices_db.inc +++ b/inventory/includes/db/items_prices_db.inc @@ -12,24 +12,24 @@ function add_item_price($stock_id, $sales_type_id, $curr_abrev, $price) { $sql = "INSERT INTO ".TB_PREF."prices (stock_id, sales_type_id, curr_abrev, price) - VALUES ('$stock_id', $sales_type_id, '$curr_abrev', $price)"; + VALUES (".db_escape($stock_id).", ".db_escape($sales_type_id) + .", ".db_escape($curr_abrev).", ".db_escape($price).")"; db_query($sql,"an item price could not be added"); } function update_item_price($price_id, $sales_type_id, $curr_abrev, $price) { - $sql = "UPDATE ".TB_PREF."prices SET sales_type_id=$sales_type_id, - curr_abrev='$curr_abrev', - price=$price - WHERE id=$price_id"; + $sql = "UPDATE ".TB_PREF."prices SET sales_type_id=".db_escape($sales_type_id).", + curr_abrev=".db_escape($curr_abrev).", + price=".db_escape($price)." WHERE id=".db_escape($price_id); db_query($sql,"an item price could not be updated"); } function delete_item_price($price_id) { - $sql="DELETE FROM ".TB_PREF."prices WHERE id= $price_id"; + $sql="DELETE FROM ".TB_PREF."prices WHERE id= ".db_escape($price_id); db_query($sql,"an item price could not be deleted"); } @@ -38,14 +38,15 @@ function get_prices($stock_id) $sql = "SELECT ".TB_PREF."sales_types.sales_type, ".TB_PREF."prices.* FROM ".TB_PREF."prices, ".TB_PREF."sales_types WHERE ".TB_PREF."prices.sales_type_id = ".TB_PREF."sales_types.id - AND stock_id='$stock_id' ORDER BY curr_abrev, sales_type_id"; + AND stock_id=".db_escape($stock_id) + ." ORDER BY curr_abrev, sales_type_id"; return db_query($sql,"item prices could not be retreived"); } function get_stock_price($price_id) { - $sql = "SELECT * FROM ".TB_PREF."prices WHERE id=$price_id"; + $sql = "SELECT * FROM ".TB_PREF."prices WHERE id=".db_escape($price_id); $result = db_query($sql,"price could not be retreived"); diff --git a/inventory/includes/db/items_trans_db.inc b/inventory/includes/db/items_trans_db.inc index 0bcdb82b..7292814d 100644 --- a/inventory/includes/db/items_trans_db.inc +++ b/inventory/includes/db/items_trans_db.inc @@ -25,11 +25,11 @@ function stock_cost_update($stock_id, $material_cost, $labour_cost, $overhead_co begin_transaction(); - $sql = "UPDATE ".TB_PREF."stock_master SET material_cost=$material_cost, - labour_cost=$labour_cost, - overhead_cost=$overhead_cost, - last_cost=$last_cost - WHERE stock_id='$stock_id'"; + $sql = "UPDATE ".TB_PREF."stock_master SET material_cost=".db_escape($material_cost).", + labour_cost=".db_escape($labour_cost).", + overhead_cost=".db_escape($overhead_cost).", + last_cost=".db_escape($last_cost)." + WHERE stock_id=".db_escape($stock_id); db_query($sql,"The cost details for the inventory item could not be updated"); $qoh = get_qoh_on_date($_POST['stock_id']); diff --git a/inventory/includes/db/items_units_db.inc b/inventory/includes/db/items_units_db.inc index b5c98d91..c06aeafb 100644 --- a/inventory/includes/db/items_units_db.inc +++ b/inventory/includes/db/items_units_db.inc @@ -15,26 +15,26 @@ function write_item_unit($selected, $abbr, $description, $decimals) $sql = "UPDATE ".TB_PREF."item_units SET abbr = ".db_escape($abbr).", name = ".db_escape($description).", - decimals = $decimals - WHERE abbr = '$selected'"; + decimals = ".db_escape($decimals)." + WHERE abbr = ".db_escape($selected); else $sql = "INSERT INTO ".TB_PREF."item_units (abbr, name, decimals) VALUES( ".db_escape($abbr).", - ".db_escape($description).", $decimals)"; + ".db_escape($description).", ".db_escape($decimals).")"; db_query($sql,"an item unit could not be updated"); } function delete_item_unit($unit) { - $sql="DELETE FROM ".TB_PREF."item_units WHERE abbr='$unit'"; + $sql="DELETE FROM ".TB_PREF."item_units WHERE abbr=".db_escape($unit); db_query($sql,"an unit of measure could not be deleted"); } function get_item_unit($unit) { - $sql="SELECT * FROM ".TB_PREF."item_units WHERE abbr='$unit'"; + $sql="SELECT * FROM ".TB_PREF."item_units WHERE abbr=".db_escape($unit); $result = db_query($sql,"an unit of measure could not be retrieved"); @@ -43,7 +43,7 @@ function get_item_unit($unit) function get_unit_descr($unit) { - $sql = "SELECT description FROM ".TB_PREF."item_units WHERE abbr='$unit'"; + $sql = "SELECT description FROM ".TB_PREF."item_units WHERE abbr=".db_escape($unit); $result = db_query($sql, "could not unit description"); @@ -52,7 +52,7 @@ function get_unit_descr($unit) } function item_unit_used($unit) { - $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE units='$unit'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE units=".db_escape($unit); $result = db_query($sql, "could not query stock master"); $myrow = db_fetch_row($result); return ($myrow[0] > 0); @@ -68,7 +68,7 @@ function get_all_item_units($all=false) { function get_unit_dec($stock_id) { $sql = "SELECT decimals FROM ".TB_PREF."item_units, ".TB_PREF."stock_master - WHERE abbr=units AND stock_id='$stock_id' LIMIT 1"; + WHERE abbr=units AND stock_id=".db_escape($stock_id)." LIMIT 1"; $result = db_query($sql, "could not get unit decimals"); $row = db_fetch_row($result); diff --git a/inventory/includes/db/movement_types_db.inc b/inventory/includes/db/movement_types_db.inc index 41fd14ac..210cad43 100644 --- a/inventory/includes/db/movement_types_db.inc +++ b/inventory/includes/db/movement_types_db.inc @@ -20,7 +20,7 @@ function add_movement_type($name) function update_movement_type($type_id, $name) { $sql = "UPDATE ".TB_PREF."movement_types SET name=".db_escape($name)." - WHERE id=$type_id"; + WHERE id=".db_escape($type_id); db_query($sql, "could not update item movement type"); } @@ -35,7 +35,8 @@ function get_all_movement_type($all=false) function get_movement_type($type_id) { - $sql = "SELECT * FROM ".TB_PREF."movement_types WHERE id=$type_id"; + $sql = "SELECT * FROM ".TB_PREF."movement_types WHERE id=".db_escape($type_id); + $result = db_query($sql, "could not get item movement type"); return db_fetch($result); @@ -43,7 +44,7 @@ function get_movement_type($type_id) function delete_movement_type($type_id) { - $sql="DELETE FROM ".TB_PREF."movement_types WHERE id=$type_id"; + $sql="DELETE FROM ".TB_PREF."movement_types WHERE id=".db_escape($type_id); db_query($sql, "could not delete item movement type"); } diff --git a/inventory/inquiry/stock_movements.php b/inventory/inquiry/stock_movements.php index 6b83d045..75837a11 100644 --- a/inventory/inquiry/stock_movements.php +++ b/inventory/inquiry/stock_movements.php @@ -64,10 +64,10 @@ $after_date = date2sql($_POST['AfterDate']); $sql = "SELECT type, trans_no, tran_date, person_id, qty, reference FROM ".TB_PREF."stock_moves - WHERE loc_code='" . $_POST['StockLocation'] . "' + WHERE loc_code=".db_escape($_POST['StockLocation'])." AND tran_date >= '". $after_date . "' AND tran_date <= '" . $before_date . "' - AND stock_id = '" . $_POST['stock_id'] . "' ORDER BY tran_date,trans_id"; + AND stock_id = ".db_escape($_POST['stock_id']) . " ORDER BY tran_date,trans_id"; $result = db_query($sql, "could not query stock moves"); check_db_error("The stock movements for the selected criteria could not be retrieved",$sql); @@ -79,8 +79,8 @@ $th = array(_("Type"), _("#"), _("Reference"), _("Date"), _("Detail"), table_header($th); -$sql = "SELECT SUM(qty) FROM ".TB_PREF."stock_moves WHERE stock_id='" . $_POST['stock_id'] . "' - AND loc_code='" . $_POST['StockLocation'] . "' +$sql = "SELECT SUM(qty) FROM ".TB_PREF."stock_moves WHERE stock_id=".db_escape($_POST['stock_id']) . " + AND loc_code=".db_escape( $_POST['StockLocation']) . " AND tran_date < '" . $after_date . "'"; $before_qty = db_query($sql, "The starting quantity on hand could not be calculated"); diff --git a/inventory/manage/item_categories.php b/inventory/manage/item_categories.php index 26a2889f..233d034b 100644 --- a/inventory/manage/item_categories.php +++ b/inventory/manage/item_categories.php @@ -67,7 +67,7 @@ if ($Mode == 'Delete') { // PREVENT DELETES IF DEPENDENT RECORDS IN 'stock_master' - $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE category_id='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE category_id=".db_escape($selected_id); $result = db_query($sql, "could not query stock master"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) diff --git a/inventory/manage/item_units.php b/inventory/manage/item_units.php index 39be1be5..a17ac69f 100644 --- a/inventory/manage/item_units.php +++ b/inventory/manage/item_units.php @@ -34,6 +34,12 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') display_error(_("The unit of measure code cannot be empty.")); set_focus('abbr'); } + if (strlen(db_escape($_POST['abbr']))>(20+2)) + { + $input_error = 1; + display_error(_("The unit of measure code is too long.")); + set_focus('abbr'); + } if (strlen($_POST['description']) == 0) { $input_error = 1; diff --git a/inventory/manage/items.php b/inventory/manage/items.php index 9d301277..9356e0b1 100644 --- a/inventory/manage/items.php +++ b/inventory/manage/items.php @@ -212,16 +212,16 @@ function check_usage($stock_id, $dispmsg=true) { $sqls= array( "SELECT COUNT(*) FROM " - .TB_PREF."stock_moves WHERE stock_id='$stock_id'" => + .TB_PREF."stock_moves WHERE stock_id=".db_escape($stock_id) => _('Cannot delete this item because there are stock movements that refer to this item.'), "SELECT COUNT(*) FROM " - .TB_PREF."bom WHERE component='$stock_id'"=> + .TB_PREF."bom WHERE component=".db_escape($stock_id)=> _('Cannot delete this item record because there are bills of material that require this part as a component.'), "SELECT COUNT(*) FROM " - .TB_PREF."sales_order_details WHERE stk_code='$stock_id'" => + .TB_PREF."sales_order_details WHERE stk_code=".db_escape($stock_id) => _('Cannot delete this item because there are existing purchase order items for it.'), "SELECT COUNT(*) FROM " - .TB_PREF."purch_order_details WHERE item_code='$stock_id'"=> + .TB_PREF."purch_order_details WHERE item_code=".db_escape($stock_id)=> _('Cannot delete this item because there are existing purchase order items for it.') ); diff --git a/inventory/manage/locations.php b/inventory/manage/locations.php index e7f72290..d32d10a1 100644 --- a/inventory/manage/locations.php +++ b/inventory/manage/locations.php @@ -33,10 +33,10 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') //first off validate inputs sensible $_POST['loc_code'] = strtoupper($_POST['loc_code']); - if (strlen($_POST['loc_code']) > 5) + if (strlen(db_escape($_POST['loc_code'])) > 7) //check length after conversion { $input_error = 1; - display_error( _("The location code must be five characters or less long.")); + display_error( _("The location code must be five characters or less long (including converted special chars).")); set_focus('loc_code'); } elseif (strlen($_POST['location_name']) == 0) @@ -71,7 +71,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') function can_delete($selected_id) { - $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_moves WHERE loc_code='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_moves WHERE loc_code=".db_escape($selected_id); $result = db_query($sql, "could not query stock moves"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -80,7 +80,7 @@ function can_delete($selected_id) return false; } - $sql= "SELECT COUNT(*) FROM ".TB_PREF."workorders WHERE loc_code='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."workorders WHERE loc_code=".db_escape($selected_id); $result = db_query($sql, "could not query work orders"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -98,7 +98,7 @@ function can_delete($selected_id) return false; } - $sql= "SELECT COUNT(*) FROM ".TB_PREF."bom WHERE loc_code='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."bom WHERE loc_code=".db_escape($selected_id); $result = db_query($sql, "could not query bom"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -106,7 +106,7 @@ function can_delete($selected_id) display_error(_("Cannot delete this location because it is used by some related records in other tables.")); return false; } - $sql= "SELECT COUNT(*) FROM ".TB_PREF."grn_batch WHERE loc_code='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."grn_batch WHERE loc_code=".db_escape($selected_id); $result = db_query($sql, "could not query grn batch"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -114,7 +114,7 @@ function can_delete($selected_id) display_error(_("Cannot delete this location because it is used by some related records in other tables.")); return false; } - $sql= "SELECT COUNT(*) FROM ".TB_PREF."purch_orders WHERE into_stock_location='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."purch_orders WHERE into_stock_location=".db_escape($selected_id); $result = db_query($sql, "could not query purch orders"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -122,7 +122,7 @@ function can_delete($selected_id) display_error(_("Cannot delete this location because it is used by some related records in other tables.")); return false; } - $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE from_stk_loc='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE from_stk_loc=".db_escape($selected_id); $result = db_query($sql, "could not query sales orders"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -130,7 +130,7 @@ function can_delete($selected_id) display_error(_("Cannot delete this location because it is used by some related records in other tables.")); return false; } - $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_pos WHERE pos_location='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_pos WHERE pos_location=".db_escape($selected_id); $result = db_query($sql, "could not query sales pos"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) diff --git a/inventory/manage/movement_types.php b/inventory/manage/movement_types.php index 5f75844f..60b8e83e 100644 --- a/inventory/manage/movement_types.php +++ b/inventory/manage/movement_types.php @@ -57,7 +57,8 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') function can_delete($selected_id) { $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_moves - WHERE type=" . ST_INVADJUST. " AND person_id=$selected_id"; + WHERE type=" . ST_INVADJUST. " AND person_id=".db_escape($selected_id); + $result = db_query($sql, "could not query stock moves"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) diff --git a/inventory/purchasing_data.php b/inventory/purchasing_data.php index 51464e04..de9ed65e 100644 --- a/inventory/purchasing_data.php +++ b/inventory/purchasing_data.php @@ -58,20 +58,21 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') $sql = "INSERT INTO ".TB_PREF."purch_data (supplier_id, stock_id, price, suppliers_uom, conversion_factor, supplier_description) VALUES ("; - $sql .= "'".$_POST['supplier_id']."', '" . $_POST['stock_id'] . "', " . - input_num('price',0) . ", '" . $_POST['suppliers_uom'] . "', " . - input_num('conversion_factor') . ", " . db_escape($_POST['supplier_description']) . ")"; + $sql .= db_escape($_POST['supplier_id']).", ".db_escape($_POST['stock_id']). ", " + .input_num('price',0) . ", ".db_escape( $_POST['suppliers_uom'] ). ", " + .input_num('conversion_factor') . ", " + .db_escape($_POST['supplier_description']) . ")"; db_query($sql,"The supplier purchasing details could not be added"); display_notification(_("This supplier purchasing data has been added.")); } else { $sql = "UPDATE ".TB_PREF."purch_data SET price=" . input_num('price',0) . ", - suppliers_uom='" . $_POST['suppliers_uom'] . "', + suppliers_uom=".db_escape($_POST['suppliers_uom']) . ", conversion_factor=" . input_num('conversion_factor') . ", supplier_description=" . db_escape($_POST['supplier_description']) . " - WHERE stock_id='" . $_POST['stock_id'] . "' AND - supplier_id='$selected_id'"; + WHERE stock_id=".db_escape($_POST['stock_id']) . " AND + supplier_id=".db_escape($selected_id); db_query($sql,"The supplier purchasing details could not be updated"); display_notification(_("Supplier purchasing data has been updated.")); @@ -85,8 +86,8 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') if ($Mode == 'Delete') { - $sql = "DELETE FROM ".TB_PREF."purch_data WHERE supplier_id='$selected_id' - AND stock_id='" . $_POST['stock_id'] . "'"; + $sql = "DELETE FROM ".TB_PREF."purch_data WHERE supplier_id=".db_escape($selected_id)." + AND stock_id=".db_escape($_POST['stock_id']); db_query($sql,"could not delete purchasing data"); display_notification(_("The purchasing data item has been sucessfully deleted.")); @@ -130,10 +131,11 @@ if ($mb_flag == -1) else { - $sql = "SELECT ".TB_PREF."purch_data.*,".TB_PREF."suppliers.supp_name,".TB_PREF."suppliers.curr_code + $sql = "SELECT ".TB_PREF."purch_data.*,".TB_PREF."suppliers.supp_name," + .TB_PREF."suppliers.curr_code FROM ".TB_PREF."purch_data INNER JOIN ".TB_PREF."suppliers ON ".TB_PREF."purch_data.supplier_id=".TB_PREF."suppliers.supplier_id - WHERE stock_id = '" . $_POST['stock_id'] . "'"; + WHERE stock_id = ".db_escape($_POST['stock_id']); $result = db_query($sql, "The supplier purchasing details for the selected part could not be retrieved"); div_start('price_table'); @@ -187,8 +189,8 @@ if ($Mode =='Edit') $sql = "SELECT ".TB_PREF."purch_data.*,".TB_PREF."suppliers.supp_name FROM ".TB_PREF."purch_data INNER JOIN ".TB_PREF."suppliers ON ".TB_PREF."purch_data.supplier_id=".TB_PREF."suppliers.supplier_id - WHERE ".TB_PREF."purch_data.supplier_id='$selected_id' - AND ".TB_PREF."purch_data.stock_id='" . $_POST['stock_id'] . "'"; + WHERE ".TB_PREF."purch_data.supplier_id=".db_escape($selected_id)." + AND ".TB_PREF."purch_data.stock_id=".db_escape($_POST['stock_id']); $result = db_query($sql, "The supplier purchasing details for the selected supplier and item could not be retrieved"); diff --git a/manufacturing/includes/db/work_centres_db.inc b/manufacturing/includes/db/work_centres_db.inc index e1b8a023..18adc74f 100644 --- a/manufacturing/includes/db/work_centres_db.inc +++ b/manufacturing/includes/db/work_centres_db.inc @@ -20,7 +20,7 @@ function add_work_centre($name, $description) function update_work_centre($type_id, $name, $description) { $sql = "UPDATE ".TB_PREF."workcentres SET name=".db_escape($name).", description=".db_escape($description)." - WHERE id=$type_id"; + WHERE id=".db_escape($type_id); db_query($sql, "could not update work centre"); } @@ -35,7 +35,7 @@ function get_all_work_centres($all=false) function get_work_centre($type_id) { - $sql = "SELECT * FROM ".TB_PREF."workcentres WHERE id=$type_id"; + $sql = "SELECT * FROM ".TB_PREF."workcentres WHERE id=".db_escape($type_id); $result = db_query($sql, "could not get work centre"); @@ -44,7 +44,7 @@ function get_work_centre($type_id) function delete_work_centre($type_id) { - $sql="DELETE FROM ".TB_PREF."workcentres WHERE id=$type_id"; + $sql="DELETE FROM ".TB_PREF."workcentres WHERE id=".db_escape($type_id); db_query($sql, "could not delete work centre"); } diff --git a/manufacturing/includes/db/work_order_issues_db.inc b/manufacturing/includes/db/work_order_issues_db.inc index 0e0999b0..2bdffa26 100644 --- a/manufacturing/includes/db/work_order_issues_db.inc +++ b/manufacturing/includes/db/work_order_issues_db.inc @@ -36,8 +36,8 @@ function add_work_order_issue($woid, $ref, $to_work_order, $items, $location, $w // insert the actual issue $sql = "INSERT INTO ".TB_PREF."wo_issues (workorder_id, reference, issue_date, loc_code, workcentre_id) - VALUES ($woid, ".db_escape($ref).", '" . - date2sql($date_) . "', ".db_escape($location).", $workcentre)"; + VALUES (".db_escape($woid).", ".db_escape($ref).", '" . + date2sql($date_) . "', ".db_escape($location).", ".db_escape($workcentre).")"; db_query($sql,"The work order issue could not be added"); $number = db_insert_id(); @@ -53,7 +53,8 @@ function add_work_order_issue($woid, $ref, $to_work_order, $items, $location, $w $location, $date_, $memo_, -$item->quantity, 0); $sql = "INSERT INTO ".TB_PREF."wo_issue_items (issue_id, stock_id, qty_issued) - VALUES ('$number', '$item->stock_id', $item->quantity)"; + VALUES (".db_escape($number).", ".db_escape($item->stock_id).", " + .db_escape($item->quantity).")"; db_query($sql,"A work order issue item could not be added"); } @@ -70,7 +71,8 @@ function add_work_order_issue($woid, $ref, $to_work_order, $items, $location, $w function get_work_order_issues($woid) { - $sql = "SELECT * FROM ".TB_PREF."wo_issues WHERE workorder_id=$woid ORDER BY issue_no"; + $sql = "SELECT * FROM ".TB_PREF."wo_issues WHERE workorder_id=".db_escape($woid) + ." ORDER BY issue_no"; return db_query($sql, "The work order issues could not be retrieved"); } @@ -79,7 +81,8 @@ function get_additional_issues($woid) $sql = "SELECT ".TB_PREF."wo_issues.*, ".TB_PREF."wo_issue_items.* FROM ".TB_PREF."wo_issues, ".TB_PREF."wo_issue_items WHERE ".TB_PREF."wo_issues.issue_no=".TB_PREF."wo_issue_items.issue_id - AND ".TB_PREF."wo_issues.workorder_id=$woid ORDER BY ".TB_PREF."wo_issue_items.id"; + AND ".TB_PREF."wo_issues.workorder_id=".db_escape($woid) + ." ORDER BY ".TB_PREF."wo_issue_items.id"; return db_query($sql, "The work order issues could not be retrieved"); } //-------------------------------------------------------------------------------------- @@ -87,9 +90,11 @@ function get_additional_issues($woid) function get_work_order_issue($issue_no) { $sql = "SELECT DISTINCT ".TB_PREF."wo_issues.*, ".TB_PREF."workorders.stock_id, - ".TB_PREF."stock_master.description, ".TB_PREF."locations.location_name, ".TB_PREF."workcentres.name AS WorkCentreName - FROM ".TB_PREF."wo_issues, ".TB_PREF."workorders, ".TB_PREF."stock_master, ".TB_PREF."locations, ".TB_PREF."workcentres - WHERE issue_no='$issue_no' + ".TB_PREF."stock_master.description, ".TB_PREF."locations.location_name, " + .TB_PREF."workcentres.name AS WorkCentreName + FROM ".TB_PREF."wo_issues, ".TB_PREF."workorders, ".TB_PREF."stock_master, " + .TB_PREF."locations, ".TB_PREF."workcentres + WHERE issue_no=".db_escape($issue_no)." AND ".TB_PREF."workorders.id = ".TB_PREF."wo_issues.workorder_id AND ".TB_PREF."locations.loc_code = ".TB_PREF."wo_issues.loc_code AND ".TB_PREF."workcentres.id = ".TB_PREF."wo_issues.workcentre_id @@ -103,9 +108,10 @@ function get_work_order_issue($issue_no) function get_work_order_issue_details($issue_no) { - $sql = "SELECT ".TB_PREF."wo_issue_items.*,".TB_PREF."stock_master.description, ".TB_PREF."stock_master.units + $sql = "SELECT ".TB_PREF."wo_issue_items.*," + .TB_PREF."stock_master.description, ".TB_PREF."stock_master.units FROM ".TB_PREF."wo_issue_items, ".TB_PREF."stock_master - WHERE issue_id=$issue_no + WHERE issue_id=".db_escape($issue_no)." AND ".TB_PREF."stock_master.stock_id=".TB_PREF."wo_issue_items.stock_id ORDER BY ".TB_PREF."wo_issue_items.id"; return db_query($sql, "The work order issue items could not be retrieved"); @@ -115,7 +121,7 @@ function get_work_order_issue_details($issue_no) function exists_work_order_issue($issue_no) { - $sql = "SELECT issue_no FROM ".TB_PREF."wo_issues WHERE issue_no=$issue_no"; + $sql = "SELECT issue_no FROM ".TB_PREF."wo_issues WHERE issue_no=".db_escape($issue_no); $result = db_query($sql, "Cannot retreive a wo issue"); return (db_num_rows($result) > 0); @@ -128,7 +134,8 @@ function void_work_order_issue($type_no) begin_transaction(); // void the actual issue items and their quantities - $sql = "UPDATE ".TB_PREF."wo_issue_items Set qty_issued = 0 WHERE issue_id=$type_no"; + $sql = "UPDATE ".TB_PREF."wo_issue_items Set qty_issued = 0 WHERE issue_id=" + .db_escape($type_no); db_query($sql,"A work order issue item could not be voided"); // void all related stock moves diff --git a/manufacturing/includes/db/work_order_produce_items_db.inc b/manufacturing/includes/db/work_order_produce_items_db.inc index a6233050..6f5c001f 100644 --- a/manufacturing/includes/db/work_order_produce_items_db.inc +++ b/manufacturing/includes/db/work_order_produce_items_db.inc @@ -33,7 +33,8 @@ function work_order_produce($woid, $ref, $quantity, $date_, $memo_, $close_wo) $date = date2sql($date_); $sql = "INSERT INTO ".TB_PREF."wo_manufacture (workorder_id, reference, quantity, date_) - VALUES ($woid, ".db_escape($ref).", $quantity, '$date')"; + VALUES (".db_escape($woid).", ".db_escape($ref).", ".db_escape($quantity) + .", '$date')"; db_query($sql,"A work order manufacture could not be added"); @@ -65,11 +66,12 @@ function work_order_produce($woid, $ref, $quantity, $date_, $memo_, $close_wo) function get_work_order_produce($id) { - $sql = "SELECT ".TB_PREF."wo_manufacture.*,".TB_PREF."workorders.stock_id, ".TB_PREF."stock_master.description AS StockDescription + $sql = "SELECT ".TB_PREF."wo_manufacture.*,".TB_PREF."workorders.stock_id, " + .TB_PREF."stock_master.description AS StockDescription FROM ".TB_PREF."wo_manufacture, ".TB_PREF."workorders, ".TB_PREF."stock_master WHERE ".TB_PREF."wo_manufacture.workorder_id=".TB_PREF."workorders.id AND ".TB_PREF."stock_master.stock_id=".TB_PREF."workorders.stock_id - AND ".TB_PREF."wo_manufacture.id=$id"; + AND ".TB_PREF."wo_manufacture.id=".db_escape($id); $result = db_query($sql, "The work order production could not be retrieved"); return db_fetch($result); @@ -79,7 +81,8 @@ function get_work_order_produce($id) function get_work_order_productions($woid) { - $sql = "SELECT * FROM ".TB_PREF."wo_manufacture WHERE workorder_id=$woid ORDER BY id"; + $sql = "SELECT * FROM ".TB_PREF."wo_manufacture WHERE workorder_id=" + .db_escape($woid)." ORDER BY id"; return db_query($sql, "The work order issues could not be retrieved"); } @@ -87,7 +90,7 @@ function get_work_order_productions($woid) function exists_work_order_produce($id) { - $sql = "SELECT id FROM ".TB_PREF."wo_manufacture WHERE id=$id"; + $sql = "SELECT id FROM ".TB_PREF."wo_manufacture WHERE id=".db_escape($id); $result = db_query($sql, "Cannot retreive a wo production"); return (db_num_rows($result) > 0); @@ -105,7 +108,7 @@ function void_work_order_produce($type_no) work_order_update_finished_quantity($row["workorder_id"], -$row["quantity"]); // clear the production record - $sql = "UPDATE ".TB_PREF."wo_manufacture SET quantity=0 WHERE id=$type_no"; + $sql = "UPDATE ".TB_PREF."wo_manufacture SET quantity=0 WHERE id=".db_escape($type_no); db_query($sql, "Cannot void a wo production"); // void all related stock moves diff --git a/manufacturing/includes/db/work_order_requirements_db.inc b/manufacturing/includes/db/work_order_requirements_db.inc index 71f9e50a..ba53b5a2 100644 --- a/manufacturing/includes/db/work_order_requirements_db.inc +++ b/manufacturing/includes/db/work_order_requirements_db.inc @@ -15,9 +15,10 @@ function get_wo_requirements($woid) ".TB_PREF."stock_master.mb_flag, ".TB_PREF."locations.location_name, ".TB_PREF."workcentres.name AS WorkCentreDescription FROM - (".TB_PREF."wo_requirements, ".TB_PREF."locations, ".TB_PREF."workcentres) INNER JOIN ".TB_PREF."stock_master ON + (".TB_PREF."wo_requirements, ".TB_PREF."locations, " + .TB_PREF."workcentres) INNER JOIN ".TB_PREF."stock_master ON ".TB_PREF."wo_requirements.stock_id = ".TB_PREF."stock_master.stock_id - WHERE workorder_id=$woid + WHERE workorder_id=".db_escape($woid)." AND ".TB_PREF."locations.loc_code = ".TB_PREF."wo_requirements.loc_code AND ".TB_PREF."workcentres.id=workcentre"; @@ -35,7 +36,7 @@ function create_wo_requirements($woid, $stock_id) { $sql = "INSERT INTO ".TB_PREF."wo_requirements (workorder_id, stock_id, workcentre, units_req, loc_code) - VALUES ($woid, '" . + VALUES (".db_escape($woid).", '" . $myrow["component"] . "', '" . $myrow["workcentre_added"] . "', '" . $myrow["quantity"] . "', '" . @@ -49,7 +50,7 @@ function create_wo_requirements($woid, $stock_id) function delete_wo_requirements($woid) { - $sql="DELETE FROM ".TB_PREF."wo_requirements WHERE workorder_id=$woid"; + $sql="DELETE FROM ".TB_PREF."wo_requirements WHERE workorder_id=".db_escape($woid); db_query($sql,"The work order requirements could not be deleted"); } @@ -58,8 +59,8 @@ function delete_wo_requirements($woid) function update_wo_requirement_issued($woReqID, $quantity) { - $sql = "UPDATE ".TB_PREF."wo_requirements SET units_issued = units_issued + $quantity - WHERE id = '$woReqID'"; + $sql = "UPDATE ".TB_PREF."wo_requirements SET units_issued = units_issued + ".db_escape($quantity)." + WHERE id = ".db_escape($woReqID); db_query($sql, "The work requirements issued quantity couldn't be updated"); } @@ -68,8 +69,9 @@ function update_wo_requirement_issued($woReqID, $quantity) function void_wo_requirements($woid) { - $sql = "UPDATE ".TB_PREF."wo_requirements SET units_issued = 0 WHERE workorder_id = $woid"; - + $sql = "UPDATE ".TB_PREF."wo_requirements SET units_issued = 0 WHERE workorder_id = " + .db_escape($woid); + db_query($sql, "The work requirements issued quantity couldn't be voided"); } diff --git a/manufacturing/includes/db/work_orders_db.inc b/manufacturing/includes/db/work_orders_db.inc index 122179f0..f97f87a5 100644 --- a/manufacturing/includes/db/work_orders_db.inc +++ b/manufacturing/includes/db/work_orders_db.inc @@ -20,7 +20,8 @@ function add_material_cost($stock_id, $qty, $date_) $standard_cost = get_standard_cost($bom_item['component']); $m_cost += ($bom_item['quantity'] * $standard_cost); } - $sql = "SELECT material_cost FROM ".TB_PREF."stock_master WHERE stock_id = '$stock_id'"; + $sql = "SELECT material_cost FROM ".TB_PREF."stock_master WHERE stock_id = " + .db_escape($stock_id); $result = db_query($sql); $myrow = db_fetch($result); $material_cost = $myrow['material_cost']; @@ -30,7 +31,7 @@ function add_material_cost($stock_id, $qty, $date_) else $material_cost = ($qoh * $material_cost + $qty * $m_cost) / ($qoh + $qty); $sql = "UPDATE ".TB_PREF."stock_master SET material_cost=$material_cost - WHERE stock_id='$stock_id'"; + WHERE stock_id=".db_escape($stock_id); db_query($sql,"The cost details for the inventory item could not be updated"); } @@ -38,7 +39,8 @@ function add_overhead_cost($stock_id, $qty, $date_, $costs) { if ($qty != 0) $costs /= $qty; - $sql = "SELECT overhead_cost FROM ".TB_PREF."stock_master WHERE stock_id = '$stock_id'"; + $sql = "SELECT overhead_cost FROM ".TB_PREF."stock_master WHERE stock_id = " + .db_escape($stock_id); $result = db_query($sql); $myrow = db_fetch($result); $overhead_cost = $myrow['overhead_cost']; @@ -47,8 +49,8 @@ function add_overhead_cost($stock_id, $qty, $date_, $costs) $overhead_cost = 0; else $overhead_cost = ($qoh * $overhead_cost + $qty * $costs) / ($qoh + $qty); - $sql = "UPDATE ".TB_PREF."stock_master SET overhead_cost=$overhead_cost - WHERE stock_id='$stock_id'"; + $sql = "UPDATE ".TB_PREF."stock_master SET overhead_cost=".db_escape($overhead_cost)." + WHERE stock_id=".db_escape($stock_id); db_query($sql,"The cost details for the inventory item could not be updated"); } @@ -56,7 +58,8 @@ function add_labour_cost($stock_id, $qty, $date_, $costs) { if ($qty != 0) $costs /= $qty; - $sql = "SELECT labour_cost FROM ".TB_PREF."stock_master WHERE stock_id = '$stock_id'"; + $sql = "SELECT labour_cost FROM ".TB_PREF."stock_master WHERE stock_id = " + .db_escape($stock_id); $result = db_query($sql); $myrow = db_fetch($result); $labour_cost = $myrow['labour_cost']; @@ -65,8 +68,8 @@ function add_labour_cost($stock_id, $qty, $date_, $costs) $labour_cost = 0; else $labour_cost = ($qoh * $labour_cost + $qty * $costs) / ($qoh + $qty); - $sql = "UPDATE ".TB_PREF."stock_master SET labour_cost=$labour_cost - WHERE stock_id='$stock_id'"; + $sql = "UPDATE ".TB_PREF."stock_master SET labour_cost=".db_escape($labour_cost)." + WHERE stock_id=".db_escape($stock_id); db_query($sql,"The cost details for the inventory item could not be updated"); } @@ -74,7 +77,8 @@ function add_issue_cost($stock_id, $qty, $date_, $costs) { if ($qty != 0) $costs /= $qty; - $sql = "SELECT material_cost FROM ".TB_PREF."stock_master WHERE stock_id = '$stock_id'"; + $sql = "SELECT material_cost FROM ".TB_PREF."stock_master WHERE stock_id = " + .db_escape($stock_id); $result = db_query($sql); $myrow = db_fetch($result); $material_cost = $myrow['material_cost']; @@ -83,8 +87,9 @@ function add_issue_cost($stock_id, $qty, $date_, $costs) $material_cost = 0; else $material_cost = ($qty * $costs) / ($qoh + $qty); - $sql = "UPDATE ".TB_PREF."stock_master SET material_cost=material_cost+$material_cost - WHERE stock_id='$stock_id'"; + $sql = "UPDATE ".TB_PREF."stock_master SET material_cost=material_cost+" + .db_escape($material_cost) + ." WHERE stock_id=".db_escape($stock_id); db_query($sql,"The cost details for the inventory item could not be updated"); } @@ -105,8 +110,9 @@ function add_work_order($wo_ref, $loc_code, $units_reqd, $stock_id, $sql = "INSERT INTO ".TB_PREF."workorders (wo_ref, loc_code, units_reqd, stock_id, type, date_, required_by) - VALUES (".db_escape($wo_ref).", ".db_escape($loc_code).", $units_reqd, '$stock_id', - $type, '$date', '$required')"; + VALUES (".db_escape($wo_ref).", ".db_escape($loc_code).", " + .db_escape($units_reqd).", ".db_escape($stock_id).", + ".db_escape($type).", '$date', ".db_escape($required).")"; db_query($sql, "could not add work order"); $woid = db_insert_id(); @@ -135,10 +141,10 @@ function update_work_order($woid, $loc_code, $units_reqd, $stock_id, $required = date2sql($required_by); $sql = "UPDATE ".TB_PREF."workorders SET loc_code=".db_escape($loc_code).", - units_reqd=$units_reqd, stock_id='$stock_id', - required_by='$required', + units_reqd=".db_escape($units_reqd).", stock_id=".db_escape($stock_id).", + required_by=".db_escape($required).", date_='$date' - WHERE id = $woid"; + WHERE id = ".db_escape($woid); db_query($sql, "could not update work order"); @@ -158,7 +164,7 @@ function delete_work_order($woid) delete_wo_requirements($woid); // delete the actual work order - $sql = "DELETE FROM ".TB_PREF."workorders WHERE id=$woid"; + $sql = "DELETE FROM ".TB_PREF."workorders WHERE id=".db_escape($woid); db_query($sql,"The work order could not be deleted"); delete_comments(ST_WORKORDER, $woid); @@ -176,7 +182,7 @@ function get_work_order($woid, $allow_null=false) FROM ".TB_PREF."workorders, ".TB_PREF."stock_master, ".TB_PREF."locations WHERE ".TB_PREF."stock_master.stock_id=".TB_PREF."workorders.stock_id AND ".TB_PREF."locations.loc_code=".TB_PREF."workorders.loc_code - AND ".TB_PREF."workorders.id=$woid + AND ".TB_PREF."workorders.id=".db_escape($woid)." GROUP BY ".TB_PREF."workorders.id"; $result = db_query($sql, "The work order issues could not be retrieved"); @@ -191,7 +197,7 @@ function get_work_order($woid, $allow_null=false) function work_order_has_productions($woid) { - $sql = "SELECT COUNT(*) FROM ".TB_PREF."wo_manufacture WHERE workorder_id=$woid"; + $sql = "SELECT COUNT(*) FROM ".TB_PREF."wo_manufacture WHERE workorder_id=".db_escape($woid); $result = db_query($sql, "query work order for productions"); $myrow = db_fetch_row($result); @@ -203,7 +209,7 @@ function work_order_has_productions($woid) function work_order_has_issues($woid) { - $sql = "SELECT COUNT(*) FROM ".TB_PREF."wo_issues WHERE workorder_id=$woid"; + $sql = "SELECT COUNT(*) FROM ".TB_PREF."wo_issues WHERE workorder_id=".db_escape($woid); $result = db_query($sql, "query work order for issues"); $myrow = db_fetch_row($result); @@ -231,7 +237,7 @@ function release_work_order($woid, $releaseDate, $memo_) $date = date2sql($releaseDate); $sql = "UPDATE ".TB_PREF."workorders SET released_date='$date', - released=1 WHERE id = $woid"; + released=1 WHERE id = ".db_escape($woid); db_query($sql, "could not release work order"); // create Work Order Requirements based on the bom @@ -247,7 +253,7 @@ function release_work_order($woid, $releaseDate, $memo_) function close_work_order($woid) { - $sql = "UPDATE ".TB_PREF."workorders SET closed=1 WHERE id = $woid"; + $sql = "UPDATE ".TB_PREF."workorders SET closed=1 WHERE id = ".db_escape($woid); db_query($sql, "could not close work order"); } @@ -255,7 +261,7 @@ function close_work_order($woid) function work_order_is_closed($woid) { - $sql = "SELECT closed FROM ".TB_PREF."workorders WHERE id = $woid"; + $sql = "SELECT closed FROM ".TB_PREF."workorders WHERE id = ".db_escape($woid); $result = db_query($sql, "could not query work order"); $row = db_fetch_row($result); return ($row[0] > 0); @@ -265,9 +271,9 @@ function work_order_is_closed($woid) function work_order_update_finished_quantity($woid, $quantity, $force_close=0) { - $sql = "UPDATE ".TB_PREF."workorders SET units_issued = units_issued + $quantity, - closed = ((units_issued >= units_reqd) OR $force_close) - WHERE id = $woid"; + $sql = "UPDATE ".TB_PREF."workorders SET units_issued = units_issued + ".db_escape($quantity).", + closed = ((units_issued >= units_reqd) OR ".db_escape($force_close).") + WHERE id = ".db_escape($woid); db_query($sql, "The work order issued quantity couldn't be updated"); } @@ -282,7 +288,8 @@ function void_work_order($woid) { begin_transaction(); - $sql = "UPDATE ".TB_PREF."workorders SET closed=1,units_issued=0 WHERE id = $woid"; + $sql = "UPDATE ".TB_PREF."workorders SET closed=1,units_issued=0 WHERE id = " + .db_escape($woid); db_query($sql, "The work order couldn't be voided"); // void all related stock moves diff --git a/manufacturing/includes/db/work_orders_quick_db.inc b/manufacturing/includes/db/work_orders_quick_db.inc index 455f918e..1b254f75 100644 --- a/manufacturing/includes/db/work_orders_quick_db.inc +++ b/manufacturing/includes/db/work_orders_quick_db.inc @@ -33,8 +33,9 @@ function add_work_order_quick($wo_ref, $loc_code, $units_reqd, $stock_id, $type, $sql = "INSERT INTO ".TB_PREF."workorders (wo_ref, loc_code, units_reqd, units_issued, stock_id, type, additional_costs, date_, released_date, required_by, released, closed) - VALUES (".db_escape($wo_ref).", ".db_escape($loc_code).", $units_reqd, $units_reqd, '$stock_id', - $type, $costs, '$date', '$date', '$date', 1, 1)"; + VALUES (".db_escape($wo_ref).", ".db_escape($loc_code).", ".db_escape($units_reqd) + .", ".db_escape($units_reqd).", ".db_escape($stock_id).", + ".db_escape($type).", ".db_escape($costs).", '$date', '$date', '$date', 1, 1)"; db_query($sql, "could not add work order"); $woid = db_insert_id(); diff --git a/manufacturing/inquiry/where_used_inquiry.php b/manufacturing/inquiry/where_used_inquiry.php index 4ad2ebc7..c10dc2a7 100644 --- a/manufacturing/inquiry/where_used_inquiry.php +++ b/manufacturing/inquiry/where_used_inquiry.php @@ -50,7 +50,7 @@ $sql = "SELECT WHERE bom.parent = parent.stock_id AND bom.workcentre_added = workcentre.id AND bom.loc_code = location.loc_code - AND bom.component='" . $_POST['stock_id'] . "'"; + AND bom.component=".db_escape($_POST['stock_id']); $cols = array( _("Parent Item") => array('fun'=>'select_link'), diff --git a/manufacturing/manage/bom_edit.php b/manufacturing/manage/bom_edit.php index 45aaab40..fe373a1c 100644 --- a/manufacturing/manage/bom_edit.php +++ b/manufacturing/manage/bom_edit.php @@ -68,7 +68,7 @@ function check_for_recursive_bom($ultimate_parent, $component_to_check) /* returns true ie 1 if the bom contains the parent part as a component ie the bom is recursive otherwise false ie 0 */ - $sql = "SELECT component FROM ".TB_PREF."bom WHERE parent='$component_to_check'"; + $sql = "SELECT component FROM ".TB_PREF."bom WHERE parent=".db_escape($component_to_check); $result = db_query($sql,"could not check recursive bom"); if ($result != 0) @@ -139,11 +139,11 @@ function on_submit($selected_parent, $selected_component=-1) if ($selected_component != -1) { - $sql = "UPDATE ".TB_PREF."bom SET workcentre_added='" . $_POST['workcentre_added'] . "', - loc_code='" . $_POST['loc_code'] . "', + $sql = "UPDATE ".TB_PREF."bom SET workcentre_added=".db_escape($_POST['workcentre_added']) + . ",loc_code=".db_escape($_POST['loc_code']) . ", quantity= " . input_num('quantity') . " - WHERE parent='" . $selected_parent . "' - AND id='" . $selected_component . "'"; + WHERE parent=".db_escape($selected_parent) . " + AND id=".db_escape($selected_component); check_db_error("Could not update this bom component", $sql); db_query($sql,"could not update bom"); @@ -163,17 +163,17 @@ function on_submit($selected_parent, $selected_component=-1) /*Now check to see that the component is not already on the bom */ $sql = "SELECT component FROM ".TB_PREF."bom - WHERE parent='$selected_parent' - AND component='" . $_POST['component'] . "' - AND workcentre_added='" . $_POST['workcentre_added'] . "' - AND loc_code='" . $_POST['loc_code'] . "'" ; + WHERE parent=".db_escape($selected_parent)." + AND component=".db_escape($_POST['component']) . " + AND workcentre_added=".db_escape($_POST['workcentre_added']) . " + AND loc_code=".db_escape($_POST['loc_code']); $result = db_query($sql,"check failed"); if (db_num_rows($result) == 0) { $sql = "INSERT INTO ".TB_PREF."bom (parent, component, workcentre_added, loc_code, quantity) - VALUES ('$selected_parent', '" . $_POST['component'] . "', '" - . $_POST['workcentre_added'] . "', '" . $_POST['loc_code'] . "', " + VALUES (".db_escape($selected_parent).", ".db_escape($_POST['component']) . "," + .db_escape($_POST['workcentre_added']) . ", ".db_escape($_POST['loc_code']) . ", " . input_num('quantity') . ")"; db_query($sql,"check failed"); @@ -198,7 +198,7 @@ function on_submit($selected_parent, $selected_component=-1) if ($Mode == 'Delete') { - $sql = "DELETE FROM ".TB_PREF."bom WHERE id='" . $selected_id. "'"; + $sql = "DELETE FROM ".TB_PREF."bom WHERE id=".db_escape($selected_id); db_query($sql,"Could not delete this bom components"); display_notification(_("The component item has been deleted from this bom")); @@ -244,8 +244,9 @@ start_form(); { if ($Mode == 'Edit') { //editing a selected component from the link to the line item - $sql = "SELECT ".TB_PREF."bom.*,".TB_PREF."stock_master.description FROM ".TB_PREF."bom,".TB_PREF."stock_master - WHERE id='$selected_id' + $sql = "SELECT ".TB_PREF."bom.*,".TB_PREF."stock_master.description FROM " + .TB_PREF."bom,".TB_PREF."stock_master + WHERE id=".db_escape($selected_id)." AND ".TB_PREF."stock_master.stock_id=".TB_PREF."bom.component"; $result = db_query($sql, "could not get bom"); diff --git a/manufacturing/manage/work_centres.php b/manufacturing/manage/work_centres.php index 4ae7e90f..716bb818 100644 --- a/manufacturing/manage/work_centres.php +++ b/manufacturing/manage/work_centres.php @@ -56,7 +56,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') function can_delete($selected_id) { - $sql= "SELECT COUNT(*) FROM ".TB_PREF."bom WHERE workcentre_added='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."bom WHERE workcentre_added=".db_escape($selected_id); $result = db_query($sql, "check can delete work centre"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -65,7 +65,7 @@ function can_delete($selected_id) return false; } - $sql= "SELECT COUNT(*) FROM ".TB_PREF."wo_requirements WHERE workcentre='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."wo_requirements WHERE workcentre=".db_escape($selected_id); $result = db_query($sql, "check can delete work centre"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) diff --git a/manufacturing/search_work_orders.php b/manufacturing/search_work_orders.php index b4e0d2f5..cf93441c 100644 --- a/manufacturing/search_work_orders.php +++ b/manufacturing/search_work_orders.php @@ -185,17 +185,17 @@ if (check_value('OpenOnly') || $outstanding_only != 0) if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != $all_items) { - $sql .= " AND workorder.loc_code='" . $_POST['StockLocation'] . "' "; + $sql .= " AND workorder.loc_code=".db_escape($_POST['StockLocation']); } if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "") { - $sql .= " AND workorder.wo_ref LIKE '%". $_POST['OrderNumber'] . "%'"; + $sql .= " AND workorder.wo_ref LIKE ".db_escape('%'.$_POST['OrderNumber'].'%'); } if (isset($_POST['SelectedStockItem']) && $_POST['SelectedStockItem'] != $all_items) { - $sql .= " AND workorder.stock_id='". $_POST['SelectedStockItem'] . "'"; + $sql .= " AND workorder.stock_id=".db_escape($_POST['SelectedStockItem']); } if (check_value('OverdueOnly')) diff --git a/purchasing/includes/db/grn_db.inc b/purchasing/includes/db/grn_db.inc index 07c53190..84a2f938 100644 --- a/purchasing/includes/db/grn_db.inc +++ b/purchasing/includes/db/grn_db.inc @@ -21,7 +21,7 @@ function update_average_material_cost($supplier, $stock_id, $price, $qty, $date, $price_in_home_currency = to_home_currency($price, $currency, $date); else $price_in_home_currency = $price; - $sql = "SELECT material_cost FROM ".TB_PREF."stock_master WHERE stock_id='$stock_id'"; + $sql = "SELECT material_cost FROM ".TB_PREF."stock_master WHERE stock_id=".db_escape($stock_id); $result = db_query($sql); $myrow = db_fetch($result); $material_cost = $myrow['material_cost']; @@ -44,7 +44,7 @@ function update_average_material_cost($supplier, $stock_id, $price, $qty, $date, $material_cost = ($qoh * $material_cost + $qty * $price_in_home_currency) / ($qoh + $qty); $sql = "UPDATE ".TB_PREF."stock_master SET material_cost=".db_escape($material_cost)." - WHERE stock_id='$stock_id'"; + WHERE stock_id=".db_escape($stock_id); db_query($sql,"The cost details for the inventory item could not be updated"); return $material_cost; } @@ -125,15 +125,17 @@ function add_grn_detail_item($grn_batch_id, $po_detail_item, $item_code, $descri $quantity_received, $price) { $sql = "UPDATE ".TB_PREF."purch_order_details - SET quantity_received = quantity_received + $quantity_received, - std_cost_unit=$standard_unit_cost, - act_price=$price - WHERE po_detail_item = $po_detail_item"; + SET quantity_received = quantity_received + ".db_escape($quantity_received).", + std_cost_unit=".db_escape($standard_unit_cost).", + act_price=".db_escape($price)." + WHERE po_detail_item = ".db_escape($po_detail_item); db_query($sql, "a purchase order details record could not be updated. This receipt of goods has not been processed "); $sql = "INSERT INTO ".TB_PREF."grn_items (grn_batch_id, po_detail_item, item_code, description, qty_recd) - VALUES ($grn_batch_id, $po_detail_item, ".db_escape($item_code).", ".db_escape($description).", $quantity_received)"; + VALUES (".db_escape($grn_batch_id).", " + .db_escape($po_detail_item).", ".db_escape($item_code).", ".db_escape($description) + .", ".db_escape($quantity_received).")"; db_query($sql, "A GRN detail item could not be inserted."); @@ -143,7 +145,7 @@ function add_grn_detail_item($grn_batch_id, $po_detail_item, $item_code, $descri //---------------------------------------------------------------------------------------- function get_grn_batch_from_item($item) { - $sql = "SELECT grn_batch_id FROM ".TB_PREF."grn_items WHERE id=$item"; + $sql = "SELECT grn_batch_id FROM ".TB_PREF."grn_items WHERE id=".db_escape($item); $result = db_query($sql, "Could not retreive GRN batch id"); $row = db_fetch_row($result); return $row[0]; @@ -151,7 +153,7 @@ function get_grn_batch_from_item($item) function get_grn_batch($grn) { - $sql = "SELECT * FROM ".TB_PREF."grn_batch WHERE id=$grn"; + $sql = "SELECT * FROM ".TB_PREF."grn_batch WHERE id=".db_escape($grn); $result = db_query($sql, "Could not retreive GRN batch id"); return db_fetch($result); } @@ -164,23 +166,26 @@ function set_grn_item_credited(&$entered_grn, $supplier, $transno, $date) $sql = "SELECT ".TB_PREF."grn_batch.*, ".TB_PREF."grn_items.* FROM ".TB_PREF."grn_batch, ".TB_PREF."grn_items WHERE ".TB_PREF."grn_items.grn_batch_id=".TB_PREF."grn_batch.id - AND ".TB_PREF."grn_items.id=$entered_grn->id - AND ".TB_PREF."grn_items.item_code='$entered_grn->item_code' "; + AND ".TB_PREF."grn_items.id=".db_escape($entered_grn->id)." + AND ".TB_PREF."grn_items.item_code=".db_escape($entered_grn->item_code); $result = db_query($sql, "Could not retreive GRNS"); $myrow = db_fetch($result); $sql = "UPDATE ".TB_PREF."purch_order_details - SET quantity_received = quantity_received + $entered_grn->this_quantity_inv, - quantity_ordered = quantity_ordered + $entered_grn->this_quantity_inv, - qty_invoiced = qty_invoiced + $entered_grn->this_quantity_inv, - std_cost_unit=$mcost, - act_price=$entered_grn->chg_price + SET quantity_received = quantity_received + " + .db_escape($entered_grn->this_quantity_inv).", + quantity_ordered = quantity_ordered + " + .db_escape($entered_grn->this_quantity_inv).", + qty_invoiced = qty_invoiced + ".db_escape($entered_grn->this_quantity_inv).", + std_cost_unit=".db_escape($mcost).", + act_price=".db_escape($entered_grn->chg_price)." WHERE po_detail_item = ".$myrow["po_detail_item"]; db_query($sql, "a purchase order details record could not be updated. This receipt of goods has not been processed "); //$sql = "UPDATE ".TB_PREF."grn_items SET qty_recd=0, quantity_inv=0 WHERE id=$entered_grn->id"; - $sql = "UPDATE ".TB_PREF."grn_items SET qty_recd=qty_recd+$entered_grn->this_quantity_inv, - quantity_inv=quantity_inv+$entered_grn->this_quantity_inv WHERE id=$entered_grn->id"; + $sql = "UPDATE ".TB_PREF."grn_items SET qty_recd=qty_recd+".db_escape($entered_grn->this_quantity_inv) + .",quantity_inv=quantity_inv+".db_escape($entered_grn->this_quantity_inv) + ." WHERE id=".db_escape($entered_grn->id); db_query($sql); add_stock_move(ST_SUPPCREDIT, $entered_grn->item_code, $transno, $myrow['loc_code'], $date, "", @@ -190,9 +195,11 @@ function set_grn_item_credited(&$entered_grn, $supplier, $transno, $date) function get_grn_items($grn_batch_id=0, $supplier_id="", $outstanding_only=false, $is_invoiced_only=false, $invoice_no=0, $begin="", $end="") { - $sql = "SELECT ".TB_PREF."grn_batch.*, ".TB_PREF."grn_items.*, ".TB_PREF."purch_order_details.unit_price, + $sql = "SELECT ".TB_PREF."grn_batch.*, ".TB_PREF."grn_items.*, " + .TB_PREF."purch_order_details.unit_price, ".TB_PREF."purch_order_details.std_cost_unit, units - FROM ".TB_PREF."grn_batch, ".TB_PREF."grn_items, ".TB_PREF."purch_order_details, ".TB_PREF."stock_master"; + FROM ".TB_PREF."grn_batch, ".TB_PREF."grn_items, " + .TB_PREF."purch_order_details, ".TB_PREF."stock_master"; if ($invoice_no != 0) $sql .= ", ".TB_PREF."supp_invoice_items"; $sql .= " WHERE ".TB_PREF."grn_items.grn_batch_id=".TB_PREF."grn_batch.id @@ -208,7 +215,8 @@ function get_grn_items($grn_batch_id=0, $supplier_id="", $outstanding_only=false if ($end != "") $sql .= " AND ".TB_PREF."grn_batch.delivery_date<='".date2sql($end)."'"; if ($grn_batch_id != 0) - $sql .= " AND ".TB_PREF."grn_batch.id=$grn_batch_id AND ".TB_PREF."grn_items.grn_batch_id=$grn_batch_id "; + $sql .= " AND ".TB_PREF."grn_batch.id=".db_escape($grn_batch_id) + ." AND ".TB_PREF."grn_items.grn_batch_id=".db_escape($grn_batch_id); if ($is_invoiced_only) $sql .= " AND ".TB_PREF."grn_items.quantity_inv > 0"; @@ -217,7 +225,7 @@ function get_grn_items($grn_batch_id=0, $supplier_id="", $outstanding_only=false $sql .= " AND ".TB_PREF."grn_items.qty_recd - ".TB_PREF."grn_items.quantity_inv > 0"; if ($supplier_id != "") - $sql .= " AND ".TB_PREF."grn_batch.supplier_id ='$supplier_id' "; + $sql .= " AND ".TB_PREF."grn_batch.supplier_id =".db_escape($supplier_id); $sql .= " ORDER BY ".TB_PREF."grn_batch.delivery_date, ".TB_PREF."grn_batch.id, ".TB_PREF."grn_items.id"; @@ -236,7 +244,7 @@ function get_grn_item_detail($grn_item_no) FROM ".TB_PREF."grn_items, ".TB_PREF."purch_order_details, ".TB_PREF."stock_master WHERE ".TB_PREF."grn_items.po_detail_item=".TB_PREF."purch_order_details.po_detail_item AND ".TB_PREF."stock_master.stock_id=".TB_PREF."grn_items.item_code - AND ".TB_PREF."grn_items.id=$grn_item_no"; + AND ".TB_PREF."grn_items.id=".db_escape($grn_item_no); $result = db_query($sql, "could not retreive grn item details"); return db_fetch($result); @@ -279,7 +287,7 @@ function read_grn_items_to_order($grn_batch, &$order) function read_grn($grn_batch, &$order) { - $sql= "SELECT * FROM ".TB_PREF."grn_batch WHERE id=$grn_batch"; + $sql= "SELECT * FROM ".TB_PREF."grn_batch WHERE id=".db_escape($grn_batch); $result = db_query($sql, "The grn sent is not valid"); @@ -305,7 +313,7 @@ function read_grn($grn_batch, &$order) function get_po_grns($po_number) { - $sql = "SELECT * FROM ".TB_PREF."grn_batch WHERE purch_order_no=$po_number"; + $sql = "SELECT * FROM ".TB_PREF."grn_batch WHERE purch_order_no=".db_escape($po_number); return db_query($sql, "The grns for the po $po_number could not be retreived"); } @@ -314,7 +322,7 @@ function get_po_grns($po_number) function exists_grn($grn_batch) { - $sql = "SELECT id FROM ".TB_PREF."grn_batch WHERE id=$grn_batch"; + $sql = "SELECT id FROM ".TB_PREF."grn_batch WHERE id=".db_escape($grn_batch); $result = db_query($sql, "Cannot retreive a grn"); return (db_num_rows($result) > 0); @@ -327,7 +335,7 @@ function exists_grn_on_invoices($grn_batch) $sql = "SELECT ".TB_PREF."supp_invoice_items.id FROM ".TB_PREF."supp_invoice_items,".TB_PREF."grn_items WHERE ".TB_PREF."supp_invoice_items.grn_item_id=".TB_PREF."grn_items.id AND quantity != 0 - AND grn_batch_id=$grn_batch"; + AND grn_batch_id=".db_escape($grn_batch); $result = db_query($sql, "Cannot query GRNs"); return (db_num_rows($result) > 0); @@ -366,7 +374,7 @@ function void_grn($grn_batch) // clear the quantities in the grn items $sql = "UPDATE ".TB_PREF."grn_items SET qty_recd=0, quantity_inv=0 - WHERE grn_batch_id=$grn_batch"; + WHERE grn_batch_id=".db_escape($grn_batch); db_query($sql, "A grn detail item could not be voided."); diff --git a/purchasing/includes/db/invoice_db.inc b/purchasing/includes/db/invoice_db.inc index 0fbb0509..21a43d89 100644 --- a/purchasing/includes/db/invoice_db.inc +++ b/purchasing/includes/db/invoice_db.inc @@ -15,13 +15,14 @@ include_once($path_to_root . "/purchasing/includes/db/invoice_items_db.inc"); function read_supplier_details_to_trans(&$supp_trans, $supplier_id) { - $sql = "SELECT ".TB_PREF."suppliers.supp_name, ".TB_PREF."payment_terms.terms, ".TB_PREF."payment_terms.days_before_due, + $sql = "SELECT ".TB_PREF."suppliers.supp_name, ".TB_PREF."payment_terms.terms, " + .TB_PREF."payment_terms.days_before_due, ".TB_PREF."payment_terms.day_in_following_month, ".TB_PREF."suppliers.tax_group_id, ".TB_PREF."tax_groups.name As tax_group_name From ".TB_PREF."suppliers, ".TB_PREF."payment_terms, ".TB_PREF."tax_groups WHERE ".TB_PREF."suppliers.tax_group_id = ".TB_PREF."tax_groups.id AND ".TB_PREF."suppliers.payment_terms=".TB_PREF."payment_terms.terms_indicator - AND ".TB_PREF."suppliers.supplier_id = '" . $supplier_id . "'"; + AND ".TB_PREF."suppliers.supplier_id = ".db_escape($supplier_id); $result = db_query($sql, "The supplier record selected: " . $supplier_id . " cannot be retrieved"); @@ -61,7 +62,7 @@ function update_supp_received_items_for_invoice($id, $po_detail_item, $qty_invoi if ($chg_price != null) { $sql = "SELECT act_price, unit_price FROM ".TB_PREF."purch_order_details WHERE - po_detail_item = $po_detail_item"; + po_detail_item = ".db_escape($po_detail_item); $result = db_query($sql, "The old actual price of the purchase order line could not be retrieved"); $row = db_fetch_row($result); $ret = $row[0]; @@ -69,7 +70,8 @@ function update_supp_received_items_for_invoice($id, $po_detail_item, $qty_invoi $unit_price = $row[1]; //Added by Rasmus $sql = "SELECT delivery_date FROM ".TB_PREF."grn_batch,".TB_PREF."grn_items WHERE - ".TB_PREF."grn_batch.id = ".TB_PREF."grn_items.grn_batch_id AND ".TB_PREF."grn_items.id=$id"; + ".TB_PREF."grn_batch.id = ".TB_PREF."grn_items.grn_batch_id AND " + .TB_PREF."grn_items.id=".db_escape($id); $result = db_query($sql, "The old delivery date from the received record cout not be retrieved"); $row = db_fetch_row($result); $date = $row[0]; @@ -81,17 +83,17 @@ function update_supp_received_items_for_invoice($id, $po_detail_item, $qty_invoi $unit_price = 0; // Added by Rasmus } $sql = "UPDATE ".TB_PREF."purch_order_details - SET qty_invoiced = qty_invoiced + $qty_invoiced "; + SET qty_invoiced = qty_invoiced + ".db_escape($qty_invoiced); if ($chg_price != null) - $sql .= " , act_price = $chg_price "; + $sql .= " , act_price = ".db_escape($chg_price); - $sql .= " WHERE po_detail_item = $po_detail_item"; + $sql .= " WHERE po_detail_item = ".db_escape($po_detail_item); db_query($sql, "The quantity invoiced of the purchase order line could not be updated"); $sql = "UPDATE ".TB_PREF."grn_items - SET quantity_inv = quantity_inv + $qty_invoiced - WHERE id = $id"; + SET quantity_inv = quantity_inv + ".db_escape($qty_invoiced)." + WHERE id = ".db_escape($id); db_query($sql, "The quantity invoiced off the items received record could not be updated"); return array($ret, $date, $unit_price); } @@ -101,8 +103,9 @@ function get_deliveries_between($stock_id, $from, $to) $from = date2sql($from); $to = date2sql($to); $sql = "SELECT SUM(-qty), SUM(-qty*standard_cost) FROM ".TB_PREF."stock_moves - WHERE type=".ST_CUSTDELIVERY." AND stock_id='$stock_id' AND + WHERE type=".ST_CUSTDELIVERY." AND stock_id=".db_escape($stock_id)." AND tran_date>='$from' AND tran_date<='$to' GROUP BY stock_id"; + $result = db_query($sql, "The deliveries could not be updated"); return db_fetch_row($result); } @@ -340,11 +343,12 @@ function get_po_invoices_credits($po_number) $sql = "SELECT DISTINCT ".TB_PREF."supp_trans.trans_no, ".TB_PREF."supp_trans.type, ov_amount+ov_discount+ov_gst AS Total, ".TB_PREF."supp_trans.tran_date - FROM ".TB_PREF."supp_trans, ".TB_PREF."supp_invoice_items, ".TB_PREF."purch_order_details, ".TB_PREF."purch_orders + FROM ".TB_PREF."supp_trans, ".TB_PREF."supp_invoice_items, " + .TB_PREF."purch_order_details, ".TB_PREF."purch_orders WHERE ".TB_PREF."supp_invoice_items.supp_trans_no = ".TB_PREF."supp_trans.trans_no AND ".TB_PREF."supp_invoice_items.po_detail_item_id = ".TB_PREF."purch_order_details.po_detail_item AND ".TB_PREF."purch_orders.supplier_id = ".TB_PREF."supp_trans.supplier_id - AND ".TB_PREF."purch_order_details.order_no = $po_number"; + AND ".TB_PREF."purch_order_details.order_no = ".db_escape($po_number); return db_query($sql, "The invoices/credits for the po $po_number could not be retreived"); } @@ -354,7 +358,7 @@ function get_po_invoices_credits($po_number) function read_supp_invoice($trans_no, $trans_type, &$supp_trans) { $sql = "SELECT ".TB_PREF."supp_trans.*, supp_name FROM ".TB_PREF."supp_trans,".TB_PREF."suppliers - WHERE trans_no = $trans_no AND type = $trans_type + WHERE trans_no = ".db_escape($trans_no)." AND type = ".db_escape($trans_type)." AND ".TB_PREF."suppliers.supplier_id=".TB_PREF."supp_trans.supplier_id"; $result = db_query($sql, "Cannot retreive a supplier transaction"); @@ -414,7 +418,8 @@ function read_supp_invoice($trans_no, $trans_type, &$supp_trans) function get_matching_invoice_item($stock_id, $po_item_id) { $sql = "SELECT *, tran_date FROM ".TB_PREF."supp_invoice_items, ".TB_PREF."supp_trans - WHERE supp_trans_type = ".ST_SUPPINVOICE." AND stock_id = '$stock_id' AND po_detail_item_id = $po_item_id + WHERE supp_trans_type = ".ST_SUPPINVOICE." AND stock_id = " + .db_escape($stock_id)." AND po_detail_item_id = ".db_escape($po_item_id)." AND supp_trans_no = trans_no"; $result = db_query($sql, "Cannot retreive supplier transaction detail records"); return db_fetch($result); diff --git a/purchasing/includes/db/invoice_items_db.inc b/purchasing/includes/db/invoice_items_db.inc index 0d69d868..efcdcb4b 100644 --- a/purchasing/includes/db/invoice_items_db.inc +++ b/purchasing/includes/db/invoice_items_db.inc @@ -17,9 +17,11 @@ function add_supp_invoice_item($supp_trans_type, $supp_trans_no, $stock_id, $des { $sql = "INSERT INTO ".TB_PREF."supp_invoice_items (supp_trans_type, supp_trans_no, stock_id, description, gl_code, unit_price, unit_tax, quantity, grn_item_id, po_detail_item_id, memo_) "; - $sql .= "VALUES ($supp_trans_type, $supp_trans_no, ".db_escape($stock_id). - ", ".db_escape($description).", ".db_escape($gl_code).", $unit_price, $unit_tax, $quantity, - $grn_item_id, $po_detail_item_id, ".db_escape($memo_).")"; + $sql .= "VALUES (".db_escape($supp_trans_type).", ".db_escape($supp_trans_no).", " + .db_escape($stock_id). + ", ".db_escape($description).", ".db_escape($gl_code).", ".db_escape($unit_price) + .", ".db_escape($unit_tax).", ".db_escape($quantity).", + ".db_escape($grn_item_id).", ".db_escape($po_detail_item_id).", ".db_escape($memo_).")"; if ($err_msg == "") $err_msg = "Cannot insert a supplier transaction detail record"; @@ -43,8 +45,8 @@ function add_supp_invoice_gl_item($supp_trans_type, $supp_trans_no, $gl_code, $a function get_supp_invoice_items($supp_trans_type, $supp_trans_no) { $sql = "SELECT *, unit_price AS FullUnitPrice FROM ".TB_PREF."supp_invoice_items - WHERE supp_trans_type = $supp_trans_type - AND supp_trans_no = $supp_trans_no ORDER BY id"; + WHERE supp_trans_type = ".db_escape($supp_trans_type)." + AND supp_trans_no = ".db_escape($supp_trans_no)." ORDER BY id"; return db_query($sql, "Cannot retreive supplier transaction detail records"); } @@ -53,7 +55,7 @@ function get_supp_invoice_items($supp_trans_type, $supp_trans_no) function void_supp_invoice_items($type, $type_no) { $sql = "UPDATE ".TB_PREF."supp_invoice_items SET quantity=0, unit_price=0 - WHERE supp_trans_type = $type AND supp_trans_no=$type_no"; + WHERE supp_trans_type = ".db_escape($type)." AND supp_trans_no=".db_escape($type_no); db_query($sql, "could not void supptrans details"); } diff --git a/purchasing/includes/db/po_db.inc b/purchasing/includes/db/po_db.inc index 1f5f5750..ee2b7d8e 100644 --- a/purchasing/includes/db/po_db.inc +++ b/purchasing/includes/db/po_db.inc @@ -13,10 +13,10 @@ function delete_po($po) { - $sql = "DELETE FROM ".TB_PREF."purch_orders WHERE order_no=" . $po; + $sql = "DELETE FROM ".TB_PREF."purch_orders WHERE order_no=".db_escape($po); db_query($sql, "The order header could not be deleted"); - $sql = "DELETE FROM ".TB_PREF."purch_order_details WHERE order_no =" . $po; + $sql = "DELETE FROM ".TB_PREF."purch_order_details WHERE order_no =".db_escape($po); db_query($sql, "The order detail lines could not be deleted"); } @@ -32,8 +32,8 @@ function add_po(&$po_obj) $sql = "INSERT INTO ".TB_PREF."purch_orders (supplier_id, Comments, ord_date, reference, requisition_no, into_stock_location, delivery_address) VALUES("; $sql .= db_escape($po_obj->supplier_id) . "," . db_escape($po_obj->Comments) . ",'" . - date2sql($po_obj->orig_order_date) . "', '" . - $po_obj->reference . "', " . + date2sql($po_obj->orig_order_date) . "', " . + db_escape($po_obj->reference) . ", " . db_escape($po_obj->requisition_no) . ", " . db_escape($po_obj->Location) . ", " . db_escape($po_obj->delivery_address) . ")"; @@ -52,8 +52,8 @@ function add_po(&$po_obj) $sql .= $po_obj->order_no . ", " . db_escape($po_line->stock_id). "," . db_escape($po_line->item_description). ",'" . date2sql($po_line->req_del_date) . "'," . - $po_line->price . ", " . - $po_line->quantity . ")"; + db_escape($po_line->price) . ", " . + db_escape($po_line->quantity). ")"; db_query($sql, "One of the purchase order detail records could not be inserted"); } } @@ -92,7 +92,7 @@ function update_po(&$po_obj) // Sherifoz 21.06.03 Handle deleting existing lines if ($po_line->po_detail_rec!='') { - $sql = "DELETE FROM ".TB_PREF."purch_order_details WHERE po_detail_item='" . $po_line->po_detail_rec . "'"; + $sql = "DELETE FROM ".TB_PREF."purch_order_details WHERE po_detail_item=".db_escape($po_line->po_detail_rec); db_query($sql, "could not query purch order details"); } } @@ -104,16 +104,16 @@ function update_po(&$po_obj) db_escape($po_line->stock_id). "," . db_escape($po_line->item_description). ",'" . date2sql($po_line->req_del_date) . "'," . - $po_line->price . ", " . $po_line->quantity . ")"; + db_escape($po_line->price) . ", ".db_escape($po_line->quantity) . ")"; } else { - $sql = "UPDATE ".TB_PREF."purch_order_details SET item_code='" . $po_line->stock_id . "', + $sql = "UPDATE ".TB_PREF."purch_order_details SET item_code=".db_escape($po_line->stock_id).", description =" . db_escape($po_line->item_description). ", delivery_date ='" . date2sql($po_line->req_del_date) . "', - unit_price=" . $po_line->price . ", - quantity_ordered=" . $po_line->quantity . " - WHERE po_detail_item=" . $po_line->po_detail_rec; + unit_price=".db_escape($po_line->price).", + quantity_ordered=".db_escape($po_line->quantity) . " + WHERE po_detail_item=".db_escape($po_line->po_detail_rec); } db_query($sql, "One of the purchase order detail records could not be updated"); } @@ -134,7 +134,7 @@ function read_po_header($order_no, &$order) FROM ".TB_PREF."purch_orders, ".TB_PREF."suppliers, ".TB_PREF."locations WHERE ".TB_PREF."purch_orders.supplier_id = ".TB_PREF."suppliers.supplier_id AND ".TB_PREF."locations.loc_code = into_stock_location - AND ".TB_PREF."purch_orders.order_no = " . $order_no; + AND ".TB_PREF."purch_orders.order_no = ".db_escape($order_no); $result = db_query($sql, "The order cannot be retrieved"); @@ -172,7 +172,7 @@ function read_po_items($order_no, &$order, $open_items_only=false) FROM ".TB_PREF."purch_order_details LEFT JOIN ".TB_PREF."stock_master ON ".TB_PREF."purch_order_details.item_code=".TB_PREF."stock_master.stock_id - WHERE order_no =$order_no "; + WHERE order_no =".db_escape($order_no); if ($open_items_only) $sql .= " AND (".TB_PREF."purch_order_details.quantity_ordered > ".TB_PREF."purch_order_details.quantity_received) "; @@ -186,6 +186,7 @@ function read_po_items($order_no, &$order, $open_items_only=false) while ($myrow = db_fetch($result)) { + $data = get_purchase_data($order->supplier_id, $myrow['item_code']); if ($data !== false) { @@ -203,13 +204,13 @@ function read_po_items($order_no, &$order, $open_items_only=false) $units = $myrow["units"]; } - $order->add_to_order($order->lines_on_order+1, $myrow["item_code"], + if ($order->add_to_order($order->lines_on_order+1, $myrow["item_code"], $myrow["quantity_ordered"],$myrow["description"], $myrow["unit_price"],$units, sql2date($myrow["delivery_date"]), - $myrow["qty_invoiced"], $myrow["quantity_received"]); - - $order->line_items[$order->lines_on_order]->po_detail_rec = $myrow["po_detail_item"]; - $order->line_items[$order->lines_on_order]->standard_cost = $myrow["std_cost_unit"]; /*Needed for receiving goods and GL interface */ + $myrow["qty_invoiced"], $myrow["quantity_received"])) { + $order->line_items[$order->lines_on_order]->po_detail_rec = $myrow["po_detail_item"]; + $order->line_items[$order->lines_on_order]->standard_cost = $myrow["std_cost_unit"]; /*Needed for receiving goods and GL interface */ + } } /* line po from purchase order details */ } //end of checks on returned data set } diff --git a/purchasing/includes/db/supp_trans_db.inc b/purchasing/includes/db/supp_trans_db.inc index e1715a6e..4ba8d7ba 100644 --- a/purchasing/includes/db/supp_trans_db.inc +++ b/purchasing/includes/db/supp_trans_db.inc @@ -30,8 +30,10 @@ function add_supp_trans($type, $supplier_id, $date_, $due_date, $reference, $sup $sql = "INSERT INTO ".TB_PREF."supp_trans (trans_no, type, supplier_id, tran_date, due_date, reference, supp_reference, ov_amount, ov_gst, rate, ov_discount) "; - $sql .= "VALUES ($trans_no, $type, $supplier_id, '$date', '$due_date', - ".db_escape($reference).", ".db_escape($supp_reference).", $amount, $amount_tax, $rate, $discount)"; + $sql .= "VALUES (".db_escape($trans_no).", ".db_escape($type) + .", ".db_escape($supplier_id).", '$date', '$due_date', + ".db_escape($reference).", ".db_escape($supp_reference).", ".db_escape($amount) + .", ".db_escape($amount_tax).", ".db_escape($rate).", ".db_escape($discount).")"; if ($err_msg == "") $err_msg = "Cannot insert a supplier transaction record"; @@ -65,17 +67,17 @@ function get_supp_trans($trans_no, $trans_type=-1) $sql .= ", ".TB_PREF."bank_trans, ".TB_PREF."bank_accounts"; } - $sql .= " WHERE ".TB_PREF."supp_trans.trans_no=$trans_no + $sql .= " WHERE ".TB_PREF."supp_trans.trans_no=".db_escape($trans_no)." AND ".TB_PREF."supp_trans.supplier_id=".TB_PREF."suppliers.supplier_id"; if ($trans_type > 0) - $sql .= " AND ".TB_PREF."supp_trans.type=$trans_type "; + $sql .= " AND ".TB_PREF."supp_trans.type=".db_escape($trans_type); if ($trans_type == ST_SUPPAYMENT) { // it's a payment so also get the bank account - $sql .= " AND ".TB_PREF."bank_trans.trans_no =$trans_no - AND ".TB_PREF."bank_trans.type=$trans_type + $sql .= " AND ".TB_PREF."bank_trans.trans_no =".db_escape($trans_no)." + AND ".TB_PREF."bank_trans.type=".db_escape($trans_type)." AND ".TB_PREF."bank_accounts.id=".TB_PREF."bank_trans.bank_act "; } @@ -105,8 +107,8 @@ function exists_supp_trans($type, $type_no) if ($type == 25) return exists_grn($type_no); - $sql = "SELECT trans_no FROM ".TB_PREF."supp_trans WHERE type=$type - AND trans_no=$type_no"; + $sql = "SELECT trans_no FROM ".TB_PREF."supp_trans WHERE type=".db_escape($type)." + AND trans_no=".db_escape($type_no); $result = db_query($sql, "Cannot retreive a supplier transaction"); return (db_num_rows($result) > 0); @@ -117,7 +119,7 @@ function exists_supp_trans($type, $type_no) function void_supp_trans($type, $type_no) { $sql = "UPDATE ".TB_PREF."supp_trans SET ov_amount=0, ov_discount=0, ov_gst=0, - alloc=0 WHERE type=$type AND trans_no=$type_no"; + alloc=0 WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no); db_query($sql, "could not void supp transactions for type=$type and trans_no=$type_no"); } diff --git a/purchasing/includes/db/suppalloc_db.inc b/purchasing/includes/db/suppalloc_db.inc index b31adc52..987a640d 100644 --- a/purchasing/includes/db/suppalloc_db.inc +++ b/purchasing/includes/db/suppalloc_db.inc @@ -18,7 +18,9 @@ function add_supp_allocation($amount, $trans_type_from, $trans_no_from, $sql = "INSERT INTO ".TB_PREF."supp_allocations ( amt, date_alloc, trans_type_from, trans_no_from, trans_no_to, trans_type_to) - VALUES ($amount, '$date', $trans_type_from, $trans_no_from, $trans_no_to, $trans_type_to)"; + VALUES (".db_escape($amount).", '$date', " + .db_escape($trans_type_from).", ".db_escape($trans_no_from).", " + .db_escape($trans_no_to).", ".db_escape($trans_type_to).")"; db_query($sql, "A supplier allocation could not be added to the database"); } @@ -28,7 +30,7 @@ function add_supp_allocation($amount, $trans_type_from, $trans_no_from, function delete_supp_allocation($trans_id) { - $sql = "DELETE FROM ".TB_PREF."supp_allocations WHERE id = " . $trans_id; + $sql = "DELETE FROM ".TB_PREF."supp_allocations WHERE id = ".db_escape($trans_id); db_query($sql, "The existing allocation $trans_id could not be deleted"); } @@ -37,7 +39,8 @@ function delete_supp_allocation($trans_id) function get_supp_trans_allocation_balance($trans_type, $trans_no) { $sql = "SELECT (ov_amount+ov_gst-ov_discount-alloc) AS BalToAllocate - FROM ".TB_PREF."supp_trans WHERE trans_no=$trans_no AND type=$trans_type"; + FROM ".TB_PREF."supp_trans WHERE trans_no=" + .db_escape($trans_no)." AND type=".db_escape($trans_type); $result = db_query($sql,"calculate the allocation"); $myrow = db_fetch_row($result); @@ -48,8 +51,8 @@ function get_supp_trans_allocation_balance($trans_type, $trans_no) function update_supp_trans_allocation($trans_type, $trans_no, $alloc) { - $sql = "UPDATE ".TB_PREF."supp_trans SET alloc = alloc + $alloc - WHERE type=$trans_type AND trans_no = $trans_no"; + $sql = "UPDATE ".TB_PREF."supp_trans SET alloc = alloc + ".db_escape($alloc)." + WHERE type=".db_escape($trans_type)." AND trans_no = ".db_escape($trans_no); db_query($sql, "The supp transaction record could not be modified for the allocation against it"); } @@ -67,7 +70,7 @@ function clear_supp_alloctions($type, $type_no, $date="") // clear any allocations for this transaction $sql = "SELECT * FROM ".TB_PREF."supp_allocations WHERE (trans_type_from=$type AND trans_no_from=$type_no) - OR (trans_type_to=$type AND trans_no_to=$type_no)"; + OR (trans_type_to=".db_escape($type)." AND trans_no_to=".db_escape($type_no).")"; $result = db_query($sql, "could not void supp transactions for type=$type and trans_no=$type_no"); while ($row = db_fetch($result)) @@ -88,8 +91,8 @@ function clear_supp_alloctions($type, $type_no, $date="") // remove any allocations for this transaction $sql = "DELETE FROM ".TB_PREF."supp_allocations - WHERE (trans_type_from=$type AND trans_no_from=$type_no) - OR (trans_type_to=$type AND trans_no_to=$type_no)"; + WHERE (trans_type_from=".db_escape($type)." AND trans_no_from=".db_escape($type_no).") + OR (trans_type_to=".db_escape($type)." AND trans_no_to=".db_escape($type_no).")"; db_query($sql, "could not void supp transactions for type=$type and trans_no=$type_no"); } @@ -124,7 +127,7 @@ function get_alloc_supp_sql($extra_fields=null, $extra_conditions=null, $extra_t $sql .= " WHERE trans.supplier_id=supplier.supplier_id"; if ($extra_conditions) - $sql .= " AND $extra_conditions "; + $sql .= " AND $extra_conditions"; return $sql; } @@ -142,7 +145,7 @@ function get_allocatable_from_supp_sql($supplier_id, $settled) $supp_sql = ""; if ($supplier_id != null) - $supp_sql = " AND trans.supplier_id = $supplier_id"; + $supp_sql = " AND trans.supplier_id = ".db_escape($supplier_id); $sql = get_alloc_supp_sql("round(ABS(ov_amount+ov_gst+ov_discount)-alloc,6) <= 0 AS settled", "(type=".ST_SUPPAYMENT." OR type=".ST_SUPPCREDIT." OR type=".ST_BANKPAYMENT.") AND (ov_amount < 0) " . $settled_sql . $supp_sql); @@ -158,10 +161,10 @@ function get_allocatable_to_supp_transactions($supplier_id, $trans_no=null, $typ { $sql = get_alloc_supp_sql("amt, supp_reference", "trans.trans_no = alloc.trans_no_to AND trans.type = alloc.trans_type_to - AND alloc.trans_no_from=$trans_no - AND alloc.trans_type_from=$type - AND trans.supplier_id=$supplier_id", - "".TB_PREF."supp_allocations as alloc"); + AND alloc.trans_no_from=".db_escape($trans_no)." + AND alloc.trans_type_from=".db_escape($type)." + AND trans.supplier_id=".db_escape($supplier_id), + TB_PREF."supp_allocations as alloc"); } else { diff --git a/purchasing/includes/db/suppliers_db.inc b/purchasing/includes/db/suppliers_db.inc index 1cfa85da..dd72a6cf 100644 --- a/purchasing/includes/db/suppliers_db.inc +++ b/purchasing/includes/db/suppliers_db.inc @@ -60,7 +60,7 @@ function get_supplier_details($supplier_id, $to=null) ".TB_PREF."payment_terms WHERE ".TB_PREF."suppliers.payment_terms = ".TB_PREF."payment_terms.terms_indicator - AND ".TB_PREF."suppliers.supplier_id = '$supplier_id'"; + AND ".TB_PREF."suppliers.supplier_id = ".db_escape($supplier_id); $result = db_query($sql,"The customer details could not be retrieved"); @@ -86,7 +86,7 @@ function get_supplier_details($supplier_id, $to=null) function get_supplier($supplier_id) { - $sql = "SELECT * FROM ".TB_PREF."suppliers WHERE supplier_id=$supplier_id"; + $sql = "SELECT * FROM ".TB_PREF."suppliers WHERE supplier_id=".db_escape($supplier_id); $result = db_query($sql, "could not get supplier"); @@ -95,7 +95,7 @@ function get_supplier($supplier_id) function get_supplier_name($supplier_id) { - $sql = "SELECT supp_name AS name FROM ".TB_PREF."suppliers WHERE supplier_id=$supplier_id"; + $sql = "SELECT supp_name AS name FROM ".TB_PREF."suppliers WHERE supplier_id=".db_escape($supplier_id); $result = db_query($sql, "could not get supplier"); @@ -106,7 +106,7 @@ function get_supplier_name($supplier_id) function get_supplier_accounts($supplier_id) { - $sql = "SELECT payable_account,purchase_account,payment_discount_account FROM ".TB_PREF."suppliers WHERE supplier_id=$supplier_id"; + $sql = "SELECT payable_account,purchase_account,payment_discount_account FROM ".TB_PREF."suppliers WHERE supplier_id=".db_escape($supplier_id); $result = db_query($sql, "could not get supplier"); diff --git a/purchasing/includes/purchasing_db.inc b/purchasing/includes/purchasing_db.inc index 89b7533e..51b456a2 100644 --- a/purchasing/includes/purchasing_db.inc +++ b/purchasing/includes/purchasing_db.inc @@ -47,8 +47,8 @@ function add_gl_trans_supplier($type, $type_no, $date_, $account, $dimension, $d function get_purchase_price($supplier_id, $stock_id) { $sql = "SELECT price, conversion_factor FROM ".TB_PREF."purch_data - WHERE supplier_id = '" . $supplier_id . "' - AND stock_id = '". $stock_id . "'"; + WHERE supplier_id = ".db_escape($supplier_id) . " + AND stock_id = ".db_escape($stock_id); $result = db_query($sql, "The supplier pricing details for " . $stock_id . " could not be retrieved"); if (db_num_rows($result) == 1) @@ -65,8 +65,8 @@ function get_purchase_price($supplier_id, $stock_id) function get_purchase_conversion_factor($supplier_id, $stock_id) { $sql = "SELECT conversion_factor FROM ".TB_PREF."purch_data - WHERE supplier_id = '" . $supplier_id . "' - AND stock_id = '". $stock_id . "'"; + WHERE supplier_id = ".db_escape($supplier_id)." + AND stock_id = ".db_escape($stock_id); $result = db_query($sql, "The supplier pricing details for " . $stock_id . " could not be retrieved"); if (db_num_rows($result) == 1) @@ -84,8 +84,8 @@ function get_purchase_conversion_factor($supplier_id, $stock_id) function get_purchase_data($supplier_id, $stock_id) { $sql = "SELECT * FROM ".TB_PREF."purch_data - WHERE supplier_id = '" . $supplier_id . "' - AND stock_id = '". $stock_id . "'"; + WHERE supplier_id = ".db_escape($supplier_id) . " + AND stock_id = ".db_escape($stock_id); $result = db_query($sql, "The supplier pricing details for " . $stock_id . " could not be retrieved"); return db_fetch($result); @@ -97,18 +97,19 @@ function add_or_update_purchase_data($supplier_id, $stock_id, $price, $descripti if ($data === false) { $sql = "INSERT INTO ".TB_PREF."purch_data (supplier_id, stock_id, price, suppliers_uom, - conversion_factor, supplier_description) VALUES ('$supplier_id', '$stock_id', - $price, '$uom', 1, ".db_escape($description).")"; + conversion_factor, supplier_description) VALUES (".db_escape($supplier_id) + .", ".db_escape($stock_id).", ".db_escape($price).", " + .db_escape($uom).", 1, ".db_escape($description).")"; db_query($sql,"The supplier purchasing details could not be added"); return; } - $price = round($price * $data['conversion_factor'], user_price_dec()); - $sql = "UPDATE ".TB_PREF."purch_data SET price=$price"; + $price = round($price * $data['conversion_factor'], user_price_dec()); + $sql = "UPDATE ".TB_PREF."purch_data SET price=".db_escape($price); if ($uom != "") - $sql .= ",suppliers_uom='$uom'"; + $sql .= ",suppliers_uom=".db_escape($uom); if ($description != "") $sql .= ",supplier_description=".db_escape($description); - $sql .= " WHERE stock_id='$stock_id' AND supplier_id='$supplier_id'"; + $sql .= " WHERE stock_id=".db_escape($stock_id)." AND supplier_id=".db_escape($supplier_id); db_query($sql,"The supplier purchasing details could not be updated"); return true; } diff --git a/purchasing/inquiry/po_search.php b/purchasing/inquiry/po_search.php index 39ba20d8..a82a3743 100644 --- a/purchasing/inquiry/po_search.php +++ b/purchasing/inquiry/po_search.php @@ -140,7 +140,7 @@ $sql = "SELECT if (isset($order_number) && $order_number != "") { - $sql .= "AND porder.reference LIKE '%". $order_number . "%'"; + $sql .= "AND porder.reference LIKE ".db_escape('%'. $order_number . '%'); } else { @@ -152,12 +152,12 @@ else if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != $all_items) { - $sql .= " AND porder.into_stock_location = '". $_POST['StockLocation'] . "' "; + $sql .= " AND porder.into_stock_location = ".db_escape($_POST['StockLocation']); } if (isset($selected_stock_item)) { - $sql .= " AND line.item_code='". $selected_stock_item ."' "; + $sql .= " AND line.item_code=".db_escape($selected_stock_item); } } //end not order number selected diff --git a/purchasing/inquiry/po_search_completed.php b/purchasing/inquiry/po_search_completed.php index aa2f269a..23053bae 100644 --- a/purchasing/inquiry/po_search_completed.php +++ b/purchasing/inquiry/po_search_completed.php @@ -126,7 +126,7 @@ $sql = "SELECT if (isset($order_number) && $order_number != "") { - $sql .= "AND porder.reference LIKE '%". $order_number . "%'"; + $sql .= "AND porder.reference LIKE ".db_escape('%'. $order_number . '%'); } else { @@ -139,11 +139,11 @@ else if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != ALL_TEXT) { - $sql .= " AND porder.into_stock_location = '". $_POST['StockLocation'] . "' "; + $sql .= " AND porder.into_stock_location = ".db_escape($_POST['StockLocation']); } if (isset($selected_stock_item)) { - $sql .= " AND line.item_code='". $selected_stock_item ."' "; + $sql .= " AND line.item_code=".db_escape($selected_stock_item); } } //end not order number selected diff --git a/purchasing/inquiry/supplier_allocation_inquiry.php b/purchasing/inquiry/supplier_allocation_inquiry.php index 89383141..0a5c65d8 100644 --- a/purchasing/inquiry/supplier_allocation_inquiry.php +++ b/purchasing/inquiry/supplier_allocation_inquiry.php @@ -142,8 +142,9 @@ function fmt_credit($row) WHERE supplier.supplier_id = trans.supplier_id AND trans.tran_date >= '$date_after' AND trans.tran_date <= '$date_to'"; + if ($_POST['supplier_id'] != ALL_TEXT) - $sql .= " AND trans.supplier_id = '" . $_POST['supplier_id'] . "'"; + $sql .= " AND trans.supplier_id = ".db_escape($_POST['supplier_id']); if (isset($_POST['filterType']) && $_POST['filterType'] != ALL_TEXT) { if (($_POST['filterType'] == '1') || ($_POST['filterType'] == '2')) diff --git a/purchasing/inquiry/supplier_inquiry.php b/purchasing/inquiry/supplier_inquiry.php index 079faf1c..0ff50984 100644 --- a/purchasing/inquiry/supplier_inquiry.php +++ b/purchasing/inquiry/supplier_inquiry.php @@ -179,7 +179,7 @@ function check_overdue($row) AND trans.tran_date <= '$date_to' AND trans.ov_amount != 0"; // exclude voided transactions if ($_POST['supplier_id'] != ALL_TEXT) - $sql .= " AND trans.supplier_id = '" . $_POST['supplier_id'] . "'"; + $sql .= " AND trans.supplier_id = ".db_escape($_POST['supplier_id']); if (isset($_POST['filterType']) && $_POST['filterType'] != ALL_TEXT) { if (($_POST['filterType'] == '1')) diff --git a/purchasing/manage/suppliers.php b/purchasing/manage/suppliers.php index 6e52c3a5..bfed5d6c 100644 --- a/purchasing/manage/suppliers.php +++ b/purchasing/manage/suppliers.php @@ -80,7 +80,7 @@ if (isset($_POST['submit'])) purchase_account=".db_escape($_POST['purchase_account']) . ", payment_discount_account=".db_escape($_POST['payment_discount_account']) . ", notes=".db_escape($_POST['notes']) . ", - tax_group_id=".db_escape($_POST['tax_group_id']) . " WHERE supplier_id = '" . $_POST['supplier_id'] . "'"; + tax_group_id=".db_escape($_POST['tax_group_id']) . " WHERE supplier_id = ".db_escape($_POST['supplier_id']); db_query($sql,"The supplier could not be updated"); update_record_status($_POST['supplier_id'], $_POST['inactive'], @@ -136,7 +136,7 @@ elseif (isset($_POST['delete']) && $_POST['delete'] != "") // PREVENT DELETES IF DEPENDENT RECORDS IN 'supp_trans' , purch_orders - $sql= "SELECT COUNT(*) FROM ".TB_PREF."supp_trans WHERE supplier_id='" . $_POST['supplier_id'] . "'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."supp_trans WHERE supplier_id=".db_escape($_POST['supplier_id']); $result = db_query($sql,"check failed"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -147,7 +147,7 @@ elseif (isset($_POST['delete']) && $_POST['delete'] != "") } else { - $sql= "SELECT COUNT(*) FROM ".TB_PREF."purch_orders WHERE supplier_id='" . $_POST['supplier_id'] . "'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."purch_orders WHERE supplier_id=".db_escape($_POST['supplier_id']); $result = db_query($sql,"check failed"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -159,7 +159,7 @@ elseif (isset($_POST['delete']) && $_POST['delete'] != "") } if ($cancel_delete == 0) { - $sql="DELETE FROM ".TB_PREF."suppliers WHERE supplier_id='" . $_POST['supplier_id']. "'"; + $sql="DELETE FROM ".TB_PREF."suppliers WHERE supplier_id=".db_escape($_POST['supplier_id']); db_query($sql,"check failed"); unset($_SESSION['supplier_id']); diff --git a/purchasing/po_entry_items.php b/purchasing/po_entry_items.php index a5f4b7d5..2f903ba1 100644 --- a/purchasing/po_entry_items.php +++ b/purchasing/po_entry_items.php @@ -228,7 +228,7 @@ function handle_add_new_item() if ($allow_update == true) { $sql = "SELECT description, units, mb_flag - FROM ".TB_PREF."stock_master WHERE stock_id = '". $_POST['stock_id'] . "'"; + FROM ".TB_PREF."stock_master WHERE stock_id = ".db_escape($_POST['stock_id']); $result = db_query($sql,"The stock details for " . $_POST['stock_id'] . " could not be retrieved"); diff --git a/purchasing/po_receive_items.php b/purchasing/po_receive_items.php index 601e5d5f..1c6e6d62 100644 --- a/purchasing/po_receive_items.php +++ b/purchasing/po_receive_items.php @@ -121,7 +121,7 @@ function check_po_changed() // Otherwise if you try to fullfill item quantities separately will give error. $sql = "SELECT item_code, quantity_ordered, quantity_received, qty_invoiced FROM ".TB_PREF."purch_order_details - WHERE order_no=" . $_SESSION['PO']->order_no + WHERE order_no=".db_escape($_SESSION['PO']->order_no) ." ORDER BY po_detail_item"; $result = db_query($sql, "could not query purch order details"); diff --git a/purchasing/supplier_credit.php b/purchasing/supplier_credit.php index 319bab0b..c20abbcd 100644 --- a/purchasing/supplier_credit.php +++ b/purchasing/supplier_credit.php @@ -97,7 +97,7 @@ if (isset($_POST['AddGLCodeToTrans'])){ $Ajax->activate('gl_items'); $input_error = false; - $sql = "SELECT account_code, account_name FROM ".TB_PREF."chart_master WHERE account_code='" . $_POST['gl_code'] . "'"; + $sql = "SELECT account_code, account_name FROM ".TB_PREF."chart_master WHERE account_code=".db_escape($_POST['gl_code']); $result = db_query($sql,"get account information"); if (db_num_rows($result) == 0) { diff --git a/purchasing/supplier_invoice.php b/purchasing/supplier_invoice.php index 15a6529f..afa2df18 100644 --- a/purchasing/supplier_invoice.php +++ b/purchasing/supplier_invoice.php @@ -99,7 +99,7 @@ if (isset($_POST['AddGLCodeToTrans'])){ $Ajax->activate('gl_items'); $input_error = false; - $sql = "SELECT account_code, account_name FROM ".TB_PREF."chart_master WHERE account_code='" . $_POST['gl_code'] . "'"; + $sql = "SELECT account_code, account_name FROM ".TB_PREF."chart_master WHERE account_code=".db_escape($_POST['gl_code']); $result = db_query($sql,"get account information"); if (db_num_rows($result) == 0) { @@ -186,10 +186,10 @@ function check_data() return false; } - $sql = "SELECT Count(*) FROM ".TB_PREF."supp_trans WHERE supplier_id='" - . $_SESSION['supp_trans']->supplier_id . "' AND supp_reference='" - . $_POST['supp_reference'] - . "' AND ov_amount!=0"; // ignore voided invoice references + $sql = "SELECT Count(*) FROM ".TB_PREF."supp_trans WHERE supplier_id=" + .db_escape($_SESSION['supp_trans']->supplier_id) . " AND supp_reference=" + .db_escape( $_POST['supp_reference']) + . " AND ov_amount!=0"; // ignore voided invoice references $result=db_query($sql,"The sql to check for the previous entry of the same invoice failed"); diff --git a/reporting/rep101.php b/reporting/rep101.php index c57ab3ae..772d33f0 100644 --- a/reporting/rep101.php +++ b/reporting/rep101.php @@ -59,7 +59,7 @@ function get_open_balance($debtorno, $to, $convert) $sql .= ")) AS OutStanding FROM ".TB_PREF."debtor_trans WHERE ".TB_PREF."debtor_trans.tran_date < '$to' - AND ".TB_PREF."debtor_trans.debtor_no = '$debtorno' + AND ".TB_PREF."debtor_trans.debtor_no = ".db_escape($debtorno)." AND ".TB_PREF."debtor_trans.type <> ".ST_CUSTDELIVERY." GROUP BY debtor_no"; $result = db_query($sql,"No transactions were returned"); @@ -80,7 +80,7 @@ function get_transactions($debtorno, $from, $to) FROM ".TB_PREF."debtor_trans WHERE ".TB_PREF."debtor_trans.tran_date >= '$from' AND ".TB_PREF."debtor_trans.tran_date <= '$to' - AND ".TB_PREF."debtor_trans.debtor_no = '$debtorno' + AND ".TB_PREF."debtor_trans.debtor_no = ".db_escape($debtorno)." AND ".TB_PREF."debtor_trans.type <> ".ST_CUSTDELIVERY." ORDER BY ".TB_PREF."debtor_trans.tran_date"; @@ -140,8 +140,8 @@ function print_customer_balances() $sql = "SELECT debtor_no, name, curr_code FROM ".TB_PREF."debtors_master "; if ($fromcust != ALL_NUMERIC) - $sql .= "WHERE debtor_no=$fromcust "; - $sql .= "ORDER BY name"; + $sql .= "WHERE debtor_no=".db_escape($fromcust); + $sql .= " ORDER BY name"; $result = db_query($sql, "The customers could not be retrieved"); while ($myrow = db_fetch($result)) diff --git a/reporting/rep102.php b/reporting/rep102.php index 9070ae18..fc2457c4 100644 --- a/reporting/rep102.php +++ b/reporting/rep102.php @@ -27,7 +27,7 @@ include_once($path_to_root . "/gl/includes/gl_db.inc"); print_aged_customer_analysis(); -function get_invoices($costomer_id, $to) +function get_invoices($customer_id, $to) { $todate = date2sql($to); $PastDueDays1 = get_company_pref('past_due_days'); @@ -52,7 +52,7 @@ function get_invoices($costomer_id, $to) WHERE ".TB_PREF."debtor_trans.type <> ".ST_CUSTDELIVERY." AND ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator AND ".TB_PREF."debtors_master.debtor_no = ".TB_PREF."debtor_trans.debtor_no - AND ".TB_PREF."debtor_trans.debtor_no = $costomer_id + AND ".TB_PREF."debtor_trans.debtor_no = $customer_id AND ".TB_PREF."debtor_trans.tran_date <= '$todate' AND ABS(".TB_PREF."debtor_trans.ov_amount + ".TB_PREF."debtor_trans.ov_gst + ".TB_PREF."debtor_trans.ov_freight + ".TB_PREF."debtor_trans.ov_freight_tax + ".TB_PREF."debtor_trans.ov_discount) > 0.004 ORDER BY ".TB_PREF."debtor_trans.tran_date"; @@ -129,10 +129,10 @@ function print_aged_customer_analysis() $total = array(0,0,0,0, 0); - $sql = "SELECT debtor_no, name, curr_code FROM ".TB_PREF."debtors_master "; + $sql = "SELECT debtor_no, name, curr_code FROM ".TB_PREF."debtors_master"; if ($fromcust != ALL_NUMERIC) - $sql .= "WHERE debtor_no=$fromcust "; - $sql .= "ORDER BY name"; + $sql .= " WHERE debtor_no=".db_escape($fromcust); + $sql .= " ORDER BY name"; $result = db_query($sql, "The customers could not be retrieved"); while ($myrow=db_fetch($result)) diff --git a/reporting/rep103.php b/reporting/rep103.php index 5eeeb228..8ee0abbe 100644 --- a/reporting/rep103.php +++ b/reporting/rep103.php @@ -56,18 +56,18 @@ function get_customer_details_for_report($area=0, $salesid=0) if ($area != 0) { if ($salesid != 0) - $sql .= " WHERE ".TB_PREF."salesman.salesman_code='$salesid' - AND ".TB_PREF."areas.area_code='$area'"; + $sql .= " WHERE ".TB_PREF."salesman.salesman_code=".db_escape($salesid)." + AND ".TB_PREF."areas.area_code=".db_escape($area); else - $sql .= " WHERE ".TB_PREF."areas.area_code='$area'"; + $sql .= " WHERE ".TB_PREF."areas.area_code=".db_escape($area); } elseif ($salesid != 0) - $sql .= " WHERE ".TB_PREF."salesman.salesman_code='$salesid'"; + $sql .= " WHERE ".TB_PREF."salesman.salesman_code=".db_escape($salesid); $sql .= " ORDER BY description, ".TB_PREF."salesman.salesman_name, ".TB_PREF."debtors_master.debtor_no, ".TB_PREF."cust_branch.branch_code"; - + return db_query($sql,"No transactions were returned"); } @@ -78,11 +78,11 @@ function getTransactions($debtorno, $branchcode, $date) $sql = "SELECT SUM((ov_amount+ov_freight+ov_discount)*rate) AS Turnover FROM ".TB_PREF."debtor_trans - WHERE debtor_no='$debtorno' - AND branch_code='$branchcode' + WHERE debtor_no=".db_escape($debtorno)." + AND branch_code=".db_escape($branchcode)." AND (type=".ST_SALESINVOICE." OR type=".ST_CUSTCREDIT.") AND trandate >='$date'"; - + $result = db_query($sql,"No transactions were returned"); $row = db_fetch_row($result); diff --git a/reporting/rep104.php b/reporting/rep104.php index 53d8fea1..d6249e0d 100644 --- a/reporting/rep104.php +++ b/reporting/rep104.php @@ -40,7 +40,7 @@ function fetch_items($category=0) ".TB_PREF."stock_category WHERE ".TB_PREF."stock_master.category_id=".TB_PREF."stock_category.category_id"; if ($category != 0) - $sql .= " AND ".TB_PREF."stock_category.category_id = '$category'"; + $sql .= " AND ".TB_PREF."stock_category.category_id = ".db_escape($category); $sql .= " ORDER BY ".TB_PREF."stock_master.category_id, ".TB_PREF."stock_master.stock_id"; @@ -57,7 +57,7 @@ function get_kits($category=0) ON i.category_id=c.category_id"; $sql .= " WHERE !i.is_foreign AND i.item_code!=i.stock_id"; if ($category != 0) - $sql .= " AND c.category_id = '$category'"; + $sql .= " AND c.category_id = ".db_escape($category); $sql .= " GROUP BY i.item_code"; return db_query($sql,"No kits were returned"); } diff --git a/reporting/rep105.php b/reporting/rep105.php index dd535b98..4b6a086c 100644 --- a/reporting/rep105.php +++ b/reporting/rep105.php @@ -57,11 +57,11 @@ function GetSalesOrders($from, $to, $category=0, $location=null, $backorder=0) WHERE ".TB_PREF."sales_orders.ord_date >='$fromdate' AND ".TB_PREF."sales_orders.ord_date <='$todate'"; if ($category > 0) - $sql .= " AND ".TB_PREF."stock_master.category_id=$category"; + $sql .= " AND ".TB_PREF."stock_master.category_id=".db_escape($category); if ($location != null) - $sql .= " AND ".TB_PREF."sales_orders.from_stk_loc='$location'"; + $sql .= " AND ".TB_PREF."sales_orders.from_stk_loc=".db_escape($location); if ($backorder) - $sql .= "AND ".TB_PREF."sales_order_details.quantity - ".TB_PREF."sales_order_details.qty_sent > 0"; + $sql .= " AND ".TB_PREF."sales_order_details.quantity - ".TB_PREF."sales_order_details.qty_sent > 0"; $sql .= " ORDER BY ".TB_PREF."sales_orders.order_no"; return db_query($sql, "Error getting order details"); diff --git a/reporting/rep108.php b/reporting/rep108.php index 843e747e..97c4413b 100644 --- a/reporting/rep108.php +++ b/reporting/rep108.php @@ -38,7 +38,7 @@ function getTransactions($debtorno, $date) ((".TB_PREF."debtor_trans.type = ".ST_SALESINVOICE.") AND ".TB_PREF."debtor_trans.due_date < '$date') AS OverDue FROM ".TB_PREF."debtor_trans - WHERE ".TB_PREF."debtor_trans.tran_date <= '$date' AND ".TB_PREF."debtor_trans.debtor_no = '$debtorno' + WHERE ".TB_PREF."debtor_trans.tran_date <= '$date' AND ".TB_PREF."debtor_trans.debtor_no = ".db_escape($debtorno)." AND ".TB_PREF."debtor_trans.type <> ".ST_CUSTDELIVERY." ORDER BY ".TB_PREF."debtor_trans.tran_date"; @@ -82,7 +82,7 @@ function print_statements() $sql = "SELECT debtor_no, name AS DebtorName, address, tax_id, email, curr_code, curdate() AS tran_date, payment_terms FROM ".TB_PREF."debtors_master"; if ($customer != ALL_NUMERIC) - $sql .= " WHERE debtor_no = $customer"; + $sql .= " WHERE debtor_no = ".db_escape($customer); else $sql .= " ORDER by name"; $result = db_query($sql, "The customers could not be retrieved"); diff --git a/reporting/rep201.php b/reporting/rep201.php index a5614755..532da5fc 100644 --- a/reporting/rep201.php +++ b/reporting/rep201.php @@ -130,10 +130,10 @@ function print_supplier_balances() $total = array(); $grandtotal = array(0,0,0,0); - $sql = "SELECT supplier_id, supp_name AS name, curr_code FROM ".TB_PREF."suppliers "; + $sql = "SELECT supplier_id, supp_name AS name, curr_code FROM ".TB_PREF."suppliers"; if ($fromsupp != ALL_NUMERIC) - $sql .= "WHERE supplier_id=$fromsupp "; - $sql .= "ORDER BY supp_name"; + $sql .= " WHERE supplier_id=".db_escape($fromsupp); + $sql .= " ORDER BY supp_name"; $result = db_query($sql, "The customers could not be retrieved"); while ($myrow=db_fetch($result)) diff --git a/reporting/rep202.php b/reporting/rep202.php index 97156dc5..3f68bb5a 100644 --- a/reporting/rep202.php +++ b/reporting/rep202.php @@ -137,10 +137,10 @@ function print_aged_supplier_analysis() $pastdue1 = $PastDueDays1 + 1 . "-" . $PastDueDays2 . " " . _('Days'); $pastdue2 = _('Over') . " " . $PastDueDays2 . " " . _('Days'); - $sql = "SELECT supplier_id, supp_name AS name, curr_code FROM ".TB_PREF."suppliers "; + $sql = "SELECT supplier_id, supp_name AS name, curr_code FROM ".TB_PREF."suppliers"; if ($fromsupp != ALL_NUMERIC) - $sql .= "WHERE supplier_id=$fromsupp "; - $sql .= "ORDER BY supp_name"; + $sql .= " WHERE supplier_id=".db_escape($fromsupp); + $sql .= " ORDER BY supp_name"; $result = db_query($sql, "The suppliers could not be retrieved"); while ($myrow=db_fetch($result)) diff --git a/reporting/rep203.php b/reporting/rep203.php index 91fdfde6..27eef02b 100644 --- a/reporting/rep203.php +++ b/reporting/rep203.php @@ -104,7 +104,7 @@ function print_payment_report() $sql = "SELECT supplier_id, supp_name AS name, curr_code, ".TB_PREF."payment_terms.terms FROM ".TB_PREF."suppliers, ".TB_PREF."payment_terms WHERE "; if ($fromsupp != ALL_NUMERIC) - $sql .= "supplier_id=$fromsupp AND "; + $sql .= "supplier_id=".db_escape($fromsupp)." AND "; $sql .= "".TB_PREF."suppliers.payment_terms = ".TB_PREF."payment_terms.terms_indicator ORDER BY supp_name"; $result = db_query($sql, "The customers could not be retrieved"); diff --git a/reporting/rep204.php b/reporting/rep204.php index 5521c745..2c8250cd 100644 --- a/reporting/rep204.php +++ b/reporting/rep204.php @@ -48,8 +48,9 @@ function getTransactions($fromsupp) AND ".TB_PREF."grn_batch.id = ".TB_PREF."grn_items.grn_batch_id AND ".TB_PREF."grn_items.po_detail_item = ".TB_PREF."purch_order_details.po_detail_item AND qty_recd-quantity_inv <>0 "; + if ($fromsupp != ALL_NUMERIC) - $sql .= "AND ".TB_PREF."grn_batch.supplier_id ='" . $fromsupp . "' "; + $sql .= "AND ".TB_PREF."grn_batch.supplier_id =".db_escape($fromsupp)." "; $sql .= "ORDER BY ".TB_PREF."grn_batch.supplier_id, ".TB_PREF."grn_batch.id"; diff --git a/reporting/rep209.php b/reporting/rep209.php index 785420c9..b6b88a45 100644 --- a/reporting/rep209.php +++ b/reporting/rep209.php @@ -37,7 +37,7 @@ function get_po($order_no) FROM ".TB_PREF."purch_orders, ".TB_PREF."suppliers, ".TB_PREF."locations WHERE ".TB_PREF."purch_orders.supplier_id = ".TB_PREF."suppliers.supplier_id AND ".TB_PREF."locations.loc_code = into_stock_location - AND ".TB_PREF."purch_orders.order_no = " . $order_no; + AND ".TB_PREF."purch_orders.order_no = ".db_escape($order_no); $result = db_query($sql, "The order cannot be retrieved"); return db_fetch($result); } @@ -48,7 +48,7 @@ function get_po_details($order_no) FROM ".TB_PREF."purch_order_details LEFT JOIN ".TB_PREF."stock_master ON ".TB_PREF."purch_order_details.item_code=".TB_PREF."stock_master.stock_id - WHERE order_no =$order_no "; + WHERE order_no =".db_escape($order_no)." "; $sql .= " ORDER BY po_detail_item"; return db_query($sql, "Retreive order Line Items"); } diff --git a/reporting/rep301.php b/reporting/rep301.php index eac7b122..3b091cde 100644 --- a/reporting/rep301.php +++ b/reporting/rep301.php @@ -52,9 +52,9 @@ function getTransactions($category, $location) ".TB_PREF."stock_master.description HAVING SUM(".TB_PREF."stock_moves.qty) != 0"; if ($category != 0) - $sql .= " AND ".TB_PREF."stock_master.category_id = '$category'"; + $sql .= " AND ".TB_PREF."stock_master.category_id = ".db_escape($category); if ($location != 'all') - $sql .= " AND ".TB_PREF."stock_moves.loc_code = '$location'"; + $sql .= " AND ".TB_PREF."stock_moves.loc_code = ".db_escape($location); $sql .= " ORDER BY ".TB_PREF."stock_master.category_id, ".TB_PREF."stock_master.stock_id"; diff --git a/reporting/rep302.php b/reporting/rep302.php index 611e214b..8e5bb6dd 100644 --- a/reporting/rep302.php +++ b/reporting/rep302.php @@ -44,9 +44,9 @@ function getTransactions($category, $location) WHERE ".TB_PREF."stock_master.category_id=".TB_PREF."stock_category.category_id AND (".TB_PREF."stock_master.mb_flag='B' OR ".TB_PREF."stock_master.mb_flag='M')"; if ($category != 0) - $sql .= " AND ".TB_PREF."stock_master.category_id = '$category'"; + $sql .= " AND ".TB_PREF."stock_master.category_id = ".db_escape($category); if ($location != 'all') - $sql .= " AND IF(".TB_PREF."stock_moves.stock_id IS NULL, '1=1',".TB_PREF."stock_moves.loc_code = '$location')"; + $sql .= " AND IF(".TB_PREF."stock_moves.stock_id IS NULL, '1=1',".TB_PREF."stock_moves.loc_code = ".db_escape($location).")"; $sql .= " GROUP BY ".TB_PREF."stock_master.category_id, ".TB_PREF."stock_category.description, ".TB_PREF."stock_master.stock_id, diff --git a/reporting/rep303.php b/reporting/rep303.php index 2ac79f8d..25b7a68c 100644 --- a/reporting/rep303.php +++ b/reporting/rep303.php @@ -44,9 +44,9 @@ function getTransactions($category, $location) WHERE ".TB_PREF."stock_master.category_id=".TB_PREF."stock_category.category_id AND (".TB_PREF."stock_master.mb_flag='B' OR ".TB_PREF."stock_master.mb_flag='M')"; if ($category != 0) - $sql .= " AND ".TB_PREF."stock_master.category_id = '$category'"; + $sql .= " AND ".TB_PREF."stock_master.category_id = ".db_escape($category); if ($location != 'all') - $sql .= " AND IF(".TB_PREF."stock_moves.stock_id IS NULL, '1=1',".TB_PREF."stock_moves.loc_code = '$location')"; + $sql .= " AND IF(".TB_PREF."stock_moves.stock_id IS NULL, '1=1',".TB_PREF."stock_moves.loc_code = ".db_escape($location).")"; $sql .= " GROUP BY ".TB_PREF."stock_master.category_id, ".TB_PREF."stock_category.description, ".TB_PREF."stock_master.stock_id, diff --git a/reporting/rep304.php b/reporting/rep304.php index 3958536f..f1262a18 100644 --- a/reporting/rep304.php +++ b/reporting/rep304.php @@ -59,11 +59,11 @@ function getTransactions($category, $location, $fromcust, $from, $to) AND ((".TB_PREF."debtor_trans.type=".ST_CUSTDELIVERY." AND ".TB_PREF."debtor_trans.version=1) OR ".TB_PREF."stock_moves.type=".ST_CUSTCREDIT.") AND (".TB_PREF."stock_master.mb_flag='B' OR ".TB_PREF."stock_master.mb_flag='M')"; if ($category != 0) - $sql .= " AND ".TB_PREF."stock_master.category_id = '$category'"; + $sql .= " AND ".TB_PREF."stock_master.category_id = ".db_escape($category); if ($location != 'all') - $sql .= " AND ".TB_PREF."stock_moves.loc_code = '$location'"; + $sql .= " AND ".TB_PREF."stock_moves.loc_code = ".db_escape($location); if ($fromcust != -1) - $sql .= " AND ".TB_PREF."debtors_master.debtor_no = $fromcust"; + $sql .= " AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($fromcust); $sql .= " GROUP BY ".TB_PREF."stock_master.stock_id, ".TB_PREF."debtors_master.name ORDER BY ".TB_PREF."stock_master.category_id, ".TB_PREF."stock_master.stock_id, ".TB_PREF."debtors_master.name"; return db_query($sql,"No transactions were returned"); diff --git a/reporting/rep401.php b/reporting/rep401.php index 0113375e..e72f163c 100644 --- a/reporting/rep401.php +++ b/reporting/rep401.php @@ -40,8 +40,8 @@ function getTransactions($from, $to) ".TB_PREF."stock_master, ".TB_PREF."bom WHERE ".TB_PREF."stock_master.stock_id=".TB_PREF."bom.component - AND ".TB_PREF."bom.parent >= '$from' - AND ".TB_PREF."bom.parent <= '$to' + AND ".TB_PREF."bom.parent >= ".db_escape($from)." + AND ".TB_PREF."bom.parent <= ".db_escape($to)." ORDER BY ".TB_PREF."bom.parent, ".TB_PREF."bom.component"; diff --git a/reporting/rep501.php b/reporting/rep501.php index 8e9653b4..45047adc 100644 --- a/reporting/rep501.php +++ b/reporting/rep501.php @@ -32,8 +32,8 @@ function getTransactions($from, $to) $sql = "SELECT * FROM ".TB_PREF."dimensions - WHERE reference >= '$from' - AND reference <= '$to' + WHERE reference >= ".db_escape($from)." + AND reference <= ".db_escape($to)." ORDER BY reference"; diff --git a/reporting/rep705.php b/reporting/rep705.php index 4361b6e7..faf815f4 100644 --- a/reporting/rep705.php +++ b/reporting/rep705.php @@ -62,9 +62,9 @@ function getPeriods($year, $account, $dimension, $dimension2) FROM ".TB_PREF."gl_trans WHERE account='$account'"; if ($dimension > 0) - $sql .= " AND dimension_id = $dimension"; + $sql .= " AND dimension_id = ".db_escape($dimension); if ($dimension2 > 0) - $sql .= " AND dimension2_id = $dimension2"; + $sql .= " AND dimension2_id = ".db_escape($dimension2); $result = db_query($sql, "Transactions for account $account could not be calculated"); diff --git a/sales/create_recurrent_invoices.php b/sales/create_recurrent_invoices.php index cdd656bd..492d8482 100644 --- a/sales/create_recurrent_invoices.php +++ b/sales/create_recurrent_invoices.php @@ -26,7 +26,7 @@ page(_("Create and Print Recurrent Invoices"), false, false, "", $js); function set_last_sent($id, $date) { $date = date2sql($date); - $sql = "UPDATE ".TB_PREF."recurrent_invoices SET last_sent='$date' WHERE id=$id"; + $sql = "UPDATE ".TB_PREF."recurrent_invoices SET last_sent='$date' WHERE id=".db_escape($id); db_query($sql,"The recurrent invoice could not be updated or added"); } @@ -62,7 +62,7 @@ function create_recurrent_invoices($customer_id, $branch_id, $order_no, $tmpl_no if (isset($_GET['recurrent'])) { $invs = array(); - $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id=".$_GET['recurrent']; + $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id=".db_escape($_GET['recurrent']); $result = db_query($sql,"could not get recurrent invoice"); $myrow = db_fetch($result); @@ -99,7 +99,7 @@ if (isset($_GET['recurrent'])) //------------------------------------------------------------------------------------------------- function get_sales_group_name($group_no) { - $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = $group_no"; + $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = ".db_escape($group_no); $result = db_query($sql, "could not get group"); $row = db_fetch($result); return $row[0]; diff --git a/sales/customer_payments.php b/sales/customer_payments.php index 61489857..a01bd289 100644 --- a/sales/customer_payments.php +++ b/sales/customer_payments.php @@ -204,7 +204,7 @@ function read_customer_data() ".TB_PREF."credit_status.dissallow_invoices FROM ".TB_PREF."debtors_master, ".TB_PREF."credit_status WHERE ".TB_PREF."debtors_master.credit_status = ".TB_PREF."credit_status.id - AND ".TB_PREF."debtors_master.debtor_no = '" . $_POST['customer_id'] . "'"; + AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($_POST['customer_id']); $result = db_query($sql, "could not query customers"); diff --git a/sales/includes/db/branches_db.inc b/sales/includes/db/branches_db.inc index 72a96565..97d6fa20 100644 --- a/sales/includes/db/branches_db.inc +++ b/sales/includes/db/branches_db.inc @@ -14,7 +14,7 @@ function get_branch($branch_id) $sql = "SELECT ".TB_PREF."cust_branch.*,".TB_PREF."salesman.salesman_name FROM ".TB_PREF."cust_branch, ".TB_PREF."salesman WHERE ".TB_PREF."cust_branch.salesman=".TB_PREF."salesman.salesman_code - AND branch_code=$branch_id"; + AND branch_code=".db_escape($branch_id); $result = db_query($sql, "Cannot retreive a customer branch"); @@ -24,7 +24,7 @@ function get_branch($branch_id) function get_branch_accounts($branch_id) { $sql = "SELECT receivables_account,sales_account, sales_discount_account, payment_discount_account - FROM ".TB_PREF."cust_branch WHERE branch_code=$branch_id"; + FROM ".TB_PREF."cust_branch WHERE branch_code=".db_escape($branch_id); $result = db_query($sql, "Cannot retreive a customer branch"); @@ -34,7 +34,7 @@ function get_branch_accounts($branch_id) function get_branch_name($branch_id) { $sql = "SELECT br_name FROM ".TB_PREF."cust_branch - WHERE branch_code = '$branch_id'"; + WHERE branch_code = ".db_escape($branch_id); $result = db_query($sql,"could not retreive name for branch" . $branch_id); @@ -45,7 +45,7 @@ function get_branch_name($branch_id) function get_cust_branches_from_group($group_no) { $sql = "SELECT branch_code, debtor_no FROM ".TB_PREF."cust_branch - WHERE group_no = '$group_no'"; + WHERE group_no = ".db_escape($group_no); return db_query($sql,"could not retreive branches for group " . $group_no); } diff --git a/sales/includes/db/credit_status_db.inc b/sales/includes/db/credit_status_db.inc index d59785a3..ab0ade98 100644 --- a/sales/includes/db/credit_status_db.inc +++ b/sales/includes/db/credit_status_db.inc @@ -12,7 +12,7 @@ function add_credit_status($description, $disallow_invoicing) { $sql = "INSERT INTO ".TB_PREF."credit_status (reason_description, dissallow_invoices) - VALUES (".db_escape($description).",$disallow_invoicing)"; + VALUES (".db_escape($description).",".db_escape($disallow_invoicing).")"; db_query($sql, "could not add credit status"); } @@ -20,7 +20,7 @@ function add_credit_status($description, $disallow_invoicing) function update_credit_status($status_id, $description, $disallow_invoicing) { $sql = "UPDATE ".TB_PREF."credit_status SET reason_description=".db_escape($description).", - dissallow_invoices=$disallow_invoicing WHERE id=$status_id"; + dissallow_invoices=".db_escape($disallow_invoicing)." WHERE id=".db_escape($status_id); db_query($sql, "could not update credit status"); } @@ -35,7 +35,7 @@ function get_all_credit_status($all=false) function get_credit_status($status_id) { - $sql = "SELECT * FROM ".TB_PREF."credit_status WHERE id=$status_id"; + $sql = "SELECT * FROM ".TB_PREF."credit_status WHERE id=".db_escape($status_id); $result = db_query($sql, "could not get credit status"); @@ -44,7 +44,7 @@ function get_credit_status($status_id) function delete_credit_status($status_id) { - $sql="DELETE FROM ".TB_PREF."credit_status WHERE id=$status_id"; + $sql="DELETE FROM ".TB_PREF."credit_status WHERE id=".db_escape($status_id); db_query($sql, "could not delete credit status"); } diff --git a/sales/includes/db/cust_trans_db.inc b/sales/includes/db/cust_trans_db.inc index fab74ab6..2ab21e17 100644 --- a/sales/includes/db/cust_trans_db.inc +++ b/sales/includes/db/cust_trans_db.inc @@ -16,7 +16,7 @@ function get_parent_trans($trans_type, $trans_no) { $sql = 'SELECT trans_link FROM '.TB_PREF.'debtor_trans WHERE - (trans_no=' .$trans_no. ' AND type='.$trans_type.' AND trans_link!=0)'; + (trans_no='.db_escape($trans_no).' AND type='.db_escape($trans_type).' AND trans_link!=0)'; $result = db_query($sql, 'Parent document numbers cannot be retrieved'); @@ -28,7 +28,7 @@ function get_parent_trans($trans_type, $trans_no) { // invoice: find batch invoice parent trans. $sql = 'SELECT trans_no FROM '.TB_PREF.'debtor_trans WHERE - (trans_link='.$trans_no.' AND type='. get_parent_type($trans_type) .')'; + (trans_link='.db_escape($trans_no).' AND type='. get_parent_type($trans_type) .')'; $result = db_query($sql, 'Delivery links cannot be retrieved'); @@ -47,11 +47,10 @@ function get_parent_trans($trans_type, $trans_no) { function update_customer_trans_version($type, $versions) { $sql= 'UPDATE '.TB_PREF. 'debtor_trans SET version=version+1 - WHERE type='.$type. ' AND ('; + WHERE type='.db_escape($type).' AND ('; foreach ($versions as $trans_no=>$version) - $where[] = '(trans_no='.$trans_no. - ' AND version='.$version.')'; + $where[] = '(trans_no='.db_escape($trans_no).' AND version='.$version.')'; $sql .= implode(' OR ', $where) .')'; @@ -68,7 +67,7 @@ function get_customer_trans_version($type, $trans_no) { $trans_no = array( $trans_no ); $sql= 'SELECT trans_no, version FROM '.TB_PREF. 'debtor_trans - WHERE type='.$type.' AND ('; + WHERE type='.db_escape($type).' AND ('; foreach ($trans_no as $key=>$trans) $trans_no[$key] = 'trans_no='.$trans_no[$key]; @@ -117,23 +116,23 @@ function write_customer_trans($trans_type, $trans_no, $debtor_no, $BranchNo, ov_gst, ov_freight, ov_freight_tax, rate, ship_via, alloc, trans_link, dimension_id, dimension2_id - ) VALUES ($trans_no, $trans_type, + ) VALUES ($trans_no, ".db_escape($trans_type).", ".db_escape($debtor_no).", ".db_escape($BranchNo).", '$SQLDate', '$SQLDueDate', ".db_escape($reference).", - ".db_escape($sales_type).", $order_no, $Total, ".db_escape($discount).", $Tax, + ".db_escape($sales_type).", ".db_escape($order_no).", $Total, ".db_escape($discount).", $Tax, ".db_escape($Freight).", $FreightTax, $rate, ".db_escape($ship_via).", $AllocAmt, ".db_escape($trans_link).", - $dimension_id, $dimension2_id)"; + ".db_escape($dimension_id).", ".db_escape($dimension2_id).")"; } else { // may be optional argument should stay unchanged ? $sql = "UPDATE ".TB_PREF."debtor_trans SET debtor_no=".db_escape($debtor_no)." , branch_code=".db_escape($BranchNo).", tran_date='$SQLDate', due_date='$SQLDueDate', - reference=".db_escape($reference).", tpe=".db_escape($sales_type).", order_=$order_no, + reference=".db_escape($reference).", tpe=".db_escape($sales_type).", order_=".db_escape($order_no).", ov_amount=$Total, ov_discount=".db_escape($discount).", ov_gst=$Tax, ov_freight=".db_escape($Freight).", ov_freight_tax=$FreightTax, rate=$rate, ship_via=".db_escape($ship_via).", alloc=$AllocAmt, trans_link=$trans_link, - dimension_id=$dimension_id, dimension2_id=$dimension2_id - WHERE trans_no=$trans_no AND type=$trans_type"; + dimension_id=".db_escape($dimension_id).", dimension2_id=".db_escape($dimension2_id)." + WHERE trans_no=$trans_no AND type=".db_escape($trans_type); } db_query($sql, "The debtor transaction record could not be inserted"); @@ -181,8 +180,8 @@ function get_customer_trans($trans_id, $trans_type) $sql .= ", ".TB_PREF."shippers, ".TB_PREF."sales_types, ".TB_PREF."cust_branch, ".TB_PREF."tax_groups "; } - $sql .= " WHERE ".TB_PREF."debtor_trans.trans_no=$trans_id - AND ".TB_PREF."debtor_trans.type=$trans_type + $sql .= " WHERE ".TB_PREF."debtor_trans.trans_no=".db_escape($trans_id)." + AND ".TB_PREF."debtor_trans.type=".db_escape($trans_type)." AND ".TB_PREF."debtor_trans.debtor_no=".TB_PREF."debtors_master.debtor_no"; if ($trans_type == ST_CUSTPAYMENT) { @@ -223,8 +222,8 @@ function get_customer_trans($trans_id, $trans_type) function exists_customer_trans($type, $type_no) { - $sql = "SELECT trans_no FROM ".TB_PREF."debtor_trans WHERE type=$type - AND trans_no=$type_no"; + $sql = "SELECT trans_no FROM ".TB_PREF."debtor_trans WHERE type=".db_escape($type)." + AND trans_no=".db_escape($type_no); $result = db_query($sql, "Cannot retreive a debtor transaction"); @@ -237,7 +236,7 @@ function exists_customer_trans($type, $type_no) function get_customer_trans_order($type, $type_no) { - $sql = "SELECT order_ FROM ".TB_PREF."debtor_trans WHERE type=$type AND trans_no=$type_no"; + $sql = "SELECT order_ FROM ".TB_PREF."debtor_trans WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no); $result = db_query($sql, "The debtor transaction could not be queried"); @@ -252,7 +251,7 @@ function get_customer_details_from_trans($type, $type_no) { $sql = "SELECT ".TB_PREF."debtors_master.name, ".TB_PREF."debtors_master.curr_code, ".TB_PREF."cust_branch.br_name FROM ".TB_PREF."debtors_master,".TB_PREF."cust_branch,".TB_PREF."debtor_trans - WHERE ".TB_PREF."debtor_trans.type=$type AND ".TB_PREF."debtor_trans.trans_no=$type_no + WHERE ".TB_PREF."debtor_trans.type=".db_escape($type)." AND ".TB_PREF."debtor_trans.trans_no=".db_escape($type_no)." AND ".TB_PREF."debtors_master.debtor_no = ".TB_PREF."debtor_trans.debtor_no AND ".TB_PREF."cust_branch.branch_code = ".TB_PREF."debtor_trans.branch_code"; @@ -266,7 +265,7 @@ function void_customer_trans($type, $type_no) { // clear all values and mark as void $sql = "UPDATE ".TB_PREF."debtor_trans SET ov_amount=0, ov_discount=0, ov_gst=0, ov_freight=0, - ov_freight_tax=0, alloc=0, version=version+1 WHERE type=$type AND trans_no=$type_no"; + ov_freight_tax=0, alloc=0, version=version+1 WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no); db_query($sql, "could not void debtor transactions for type=$type and trans_no=$type_no"); } @@ -294,7 +293,7 @@ function post_void_customer_trans($type, $type_no) function get_customer_trans_link($type, $type_no) { $row = db_query("SELECT trans_link from ".TB_PREF."debtor_trans - WHERE type=$type AND trans_no=$type_no", + WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no), "could not get transaction link for type=$type and trans_no=$type_no"); return $row[0]; } diff --git a/sales/includes/db/cust_trans_details_db.inc b/sales/includes/db/cust_trans_details_db.inc index 17c30c19..86310ffa 100644 --- a/sales/includes/db/cust_trans_details_db.inc +++ b/sales/includes/db/cust_trans_details_db.inc @@ -30,7 +30,7 @@ if (!is_array($debtor_trans_no)) $sql .= implode(' OR ', $tr); - $sql.= ") AND debtor_trans_type=$debtor_trans_type + $sql.= ") AND debtor_trans_type=".db_escape($debtor_trans_type)." AND ".TB_PREF."stock_master.stock_id=".TB_PREF."debtor_trans_details.stock_id ORDER BY id"; return db_query($sql, "The debtor transaction detail could not be queried"); @@ -42,8 +42,8 @@ function void_customer_trans_details($type, $type_no) { $sql = "UPDATE ".TB_PREF."debtor_trans_details SET quantity=0, unit_price=0, unit_tax=0, discount_percent=0, standard_cost=0 - WHERE debtor_trans_no=$type_no - AND debtor_trans_type=$type"; + WHERE debtor_trans_no=".db_escape($type_no)." + AND debtor_trans_type=".db_escape($type); db_query($sql, "The debtor transaction details could not be voided"); @@ -64,12 +64,12 @@ function write_customer_trans_detail_item($debtor_trans_type, $debtor_trans_no, unit_tax=$unit_tax, discount_percent=$discount_percent, standard_cost=$std_cost WHERE - id=$line_id"; + id=".db_escape($line_id); else $sql = "INSERT INTO ".TB_PREF."debtor_trans_details (debtor_trans_no, debtor_trans_type, stock_id, description, quantity, unit_price, unit_tax, discount_percent, standard_cost) - VALUES ($debtor_trans_no, $debtor_trans_type, ".db_escape($stock_id). + VALUES (".db_escape($debtor_trans_no).", ".db_escape($debtor_trans_type).", ".db_escape($stock_id). ", ".db_escape($description).", $quantity, $unit_price, $unit_tax, $discount_percent, $std_cost)"; diff --git a/sales/includes/db/custalloc_db.inc b/sales/includes/db/custalloc_db.inc index 9152a3f4..618c9397 100644 --- a/sales/includes/db/custalloc_db.inc +++ b/sales/includes/db/custalloc_db.inc @@ -17,7 +17,8 @@ function add_cust_allocation($amount, $trans_type_from, $trans_no_from, $sql = "INSERT INTO ".TB_PREF."cust_allocations ( amt, date_alloc, trans_type_from, trans_no_from, trans_no_to, trans_type_to) - VALUES ($amount, Now(), $trans_type_from, $trans_no_from, $trans_no_to, $trans_type_to)"; + VALUES ($amount, Now(), ".db_escape($trans_type_from).", ".db_escape($trans_no_from).", ".db_escape($trans_no_to) + .", ".db_escape($trans_type_to).")"; db_query($sql, "A customer allocation could not be added to the database"); } @@ -27,7 +28,7 @@ function add_cust_allocation($amount, $trans_type_from, $trans_no_from, function delete_cust_allocation($trans_id) { - $sql = "DELETE FROM ".TB_PREF."cust_allocations WHERE id = " . $trans_id; + $sql = "DELETE FROM ".TB_PREF."cust_allocations WHERE id = ".db_escape($trans_id); return db_query($sql, "The existing allocation $trans_id could not be deleted"); } @@ -37,7 +38,7 @@ function get_DebtorTrans_allocation_balance($trans_type, $trans_no) { $sql = "SELECT (ov_amount+ov_gst+ov_freight+ov_freight_tax-ov_discount-alloc) AS BalToAllocate - FROM ".TB_PREF."debtor_trans WHERE trans_no=$trans_no AND type=$trans_type"; + FROM ".TB_PREF."debtor_trans WHERE trans_no=".db_escape($trans_no)." AND type=".db_escape($trans_type); $result = db_query($sql,"calculate the allocation"); $myrow = db_fetch_row($result); @@ -49,7 +50,7 @@ function get_DebtorTrans_allocation_balance($trans_type, $trans_no) function update_debtor_trans_allocation($trans_type, $trans_no, $alloc) { $sql = "UPDATE ".TB_PREF."debtor_trans SET alloc = alloc + $alloc - WHERE type=$trans_type AND trans_no = $trans_no"; + WHERE type=".db_escape($trans_type)." AND trans_no = ".db_escape($trans_no); db_query($sql, "The debtor transaction record could not be modified for the allocation against it"); } @@ -66,8 +67,8 @@ function clear_cust_alloctions($type, $type_no, $date="") { // clear any allocations for this transaction $sql = "SELECT * FROM ".TB_PREF."cust_allocations - WHERE (trans_type_from=$type AND trans_no_from=$type_no) - OR (trans_type_to=$type AND trans_no_to=$type_no)"; + WHERE (trans_type_from=".db_escape($type)." AND trans_no_from=".db_escape($type_no).") + OR (trans_type_to=".db_escape($type)." AND trans_no_to=".db_escape($type_no).")"; $result = db_query($sql, "could not void debtor transactions for type=$type and trans_no=$type_no"); while ($row = db_fetch($result)) @@ -86,8 +87,8 @@ function clear_cust_alloctions($type, $type_no, $date="") // remove any allocations for this transaction $sql = "DELETE FROM ".TB_PREF."cust_allocations - WHERE (trans_type_from=$type AND trans_no_from=$type_no) - OR (trans_type_to=$type AND trans_no_to=$type_no)"; + WHERE (trans_type_from=".db_escape($type)." AND trans_no_from=".db_escape($type_no).") + OR (trans_type_to=".db_escape($type)." AND trans_no_to=".db_escape($type_no).")"; db_query($sql, "could not void debtor transactions for type=$type and trans_no=$type_no"); } @@ -136,7 +137,7 @@ function get_allocatable_from_cust_sql($customer_id, $settled) } $cust_sql = ""; if ($customer_id != null) - $cust_sql = " AND trans.debtor_no = $customer_id"; + $cust_sql = " AND trans.debtor_no = ".db_escape($customer_id); $sql = get_alloc_trans_sql("round(ov_amount+ov_gst+ov_freight+ov_freight_tax+ov_discount-alloc,6) <= 0 AS settled", "(type=".ST_CUSTPAYMENT." OR type=".ST_CUSTCREDIT." OR type=".ST_BANKDEPOSIT.") AND (trans.ov_amount > 0) " . $settled_sql . $cust_sql); @@ -154,7 +155,7 @@ function get_allocatable_to_cust_transactions($customer_id, $trans_no=null, $typ AND trans.type = alloc.trans_type_to AND alloc.trans_no_from=$trans_no AND alloc.trans_type_from=$type - AND trans.debtor_no=$customer_id", + AND trans.debtor_no=".db_escape($customer_id), "".TB_PREF."cust_allocations as alloc"); } else @@ -164,7 +165,7 @@ function get_allocatable_to_cust_transactions($customer_id, $trans_no=null, $typ AND trans.type <> " . ST_BANKDEPOSIT . " AND trans.type <> " . ST_CUSTCREDIT . " AND trans.type <> " . ST_CUSTDELIVERY . " - AND trans.debtor_no=$customer_id"); + AND trans.debtor_no=".db_escape($customer_id)); } return db_query($sql." ORDER BY trans_no", "Cannot retreive alloc to transactions"); diff --git a/sales/includes/db/customers_db.inc b/sales/includes/db/customers_db.inc index db0e47af..1670c426 100644 --- a/sales/includes/db/customers_db.inc +++ b/sales/includes/db/customers_db.inc @@ -43,7 +43,7 @@ function get_customer_details($customer_id, $to=null) WHERE ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator AND ".TB_PREF."debtors_master.credit_status = ".TB_PREF."credit_status.id - AND ".TB_PREF."debtors_master.debtor_no = $customer_id + AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($customer_id)." AND ".TB_PREF."debtor_trans.tran_date <= '$todate' AND ".TB_PREF."debtor_trans.type <> 13 AND ".TB_PREF."debtors_master.debtor_no = ".TB_PREF."debtor_trans.debtor_no @@ -74,7 +74,7 @@ function get_customer_details($customer_id, $to=null) WHERE ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator AND ".TB_PREF."debtors_master.credit_status = ".TB_PREF."credit_status.id - AND ".TB_PREF."debtors_master.debtor_no = '$customer_id'"; + AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($customer_id); $result = db_query($sql,"The customer details could not be retrieved"); @@ -100,7 +100,7 @@ function get_customer_details($customer_id, $to=null) function get_customer($customer_id) { - $sql = "SELECT * FROM ".TB_PREF."debtors_master WHERE debtor_no=$customer_id"; + $sql = "SELECT * FROM ".TB_PREF."debtors_master WHERE debtor_no=".db_escape($customer_id); $result = db_query($sql, "could not get customer"); @@ -109,7 +109,7 @@ function get_customer($customer_id) function get_customer_name($customer_id) { - $sql = "SELECT name FROM ".TB_PREF."debtors_master WHERE debtor_no=$customer_id"; + $sql = "SELECT name FROM ".TB_PREF."debtors_master WHERE debtor_no=".db_escape($customer_id); $result = db_query($sql, "could not get customer"); @@ -120,7 +120,7 @@ function get_customer_name($customer_id) function get_area_name($id) { - $sql = "SELECT description FROM ".TB_PREF."areas WHERE area_code=$id"; + $sql = "SELECT description FROM ".TB_PREF."areas WHERE area_code=".db_escape($id); $result = db_query($sql, "could not get sales type"); @@ -130,7 +130,7 @@ function get_area_name($id) function get_salesman_name($id) { - $sql = "SELECT salesman_name FROM ".TB_PREF."salesman WHERE salesman_code=$id"; + $sql = "SELECT salesman_name FROM ".TB_PREF."salesman WHERE salesman_code=".db_escape($id); $result = db_query($sql, "could not get sales type"); diff --git a/sales/includes/db/sales_order_db.inc b/sales/includes/db/sales_order_db.inc index 2d2e4696..0d8c618a 100644 --- a/sales/includes/db/sales_order_db.inc +++ b/sales/includes/db/sales_order_db.inc @@ -118,10 +118,13 @@ function delete_sales_order($order_no, $trans_type) { begin_transaction(); - $sql = "DELETE FROM ".TB_PREF."sales_orders WHERE order_no=" . $order_no . " AND trans_type=".$trans_type; + $sql = "DELETE FROM ".TB_PREF."sales_orders WHERE order_no=" . db_escape($order_no) + . " AND trans_type=".db_escape($trans_type); + db_query($sql, "order Header Delete"); - $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =" . $order_no . " AND trans_type=".$trans_type; + $sql = "DELETE FROM ".TB_PREF."sales_order_details WHERE order_no =" + .db_escape($order_no) . " AND trans_type=".db_escape($trans_type); db_query($sql, "order Detail Delete"); add_audit_trail($trans_type, $order_no, Today(), _("Deleted.")); @@ -153,7 +156,7 @@ function update_sales_order($order) begin_transaction(); - $sql = "UPDATE ".TB_PREF."sales_orders SET type =".$order->so_type." , + $sql = "UPDATE ".TB_PREF."sales_orders SET type =".db_escape($order->so_type)." , debtor_no = " . db_escape($order->customer_id) . ", branch_code = " . db_escape($order->Branch) . ", customer_ref = ". db_escape($order->cust_ref) .", @@ -196,8 +199,8 @@ function update_sales_order($order) FROM ".TB_PREF."loc_stock, " .TB_PREF."locations WHERE ".TB_PREF."loc_stock.loc_code=".TB_PREF."locations.loc_code - AND ".TB_PREF."loc_stock.stock_id = '" . $line->stock_id . "' - AND ".TB_PREF."loc_stock.loc_code = '" . $order->Location . "'"; + AND ".TB_PREF."loc_stock.stock_id = ".db_escape($line->stock_id)." + AND ".TB_PREF."loc_stock.loc_code = ".db_escape($order->Location); $res = db_query($sql,"a location could not be retreived"); $loc = db_fetch($res); if ($loc['email'] != "") @@ -287,8 +290,9 @@ function get_sales_order_header($order_no, $trans_type) AND ".TB_PREF."sales_orders.debtor_no = ".TB_PREF."debtors_master.debtor_no AND ".TB_PREF."locations.loc_code = ".TB_PREF."sales_orders.from_stk_loc AND ".TB_PREF."shippers.shipper_id = ".TB_PREF."sales_orders.ship_via - AND ".TB_PREF."sales_orders.trans_type = " . $trans_type ." - AND ".TB_PREF."sales_orders.order_no = " . $order_no ; + AND ".TB_PREF."sales_orders.trans_type = " . db_escape($trans_type) ." + AND ".TB_PREF."sales_orders.order_no = " . db_escape($order_no ); + $result = db_query($sql, "order Retreival"); $num = db_num_rows($result); @@ -319,7 +323,8 @@ function get_sales_order_details($order_no, $trans_type) { .TB_PREF."stock_master.overhead_cost AS standard_cost FROM ".TB_PREF."sales_order_details, ".TB_PREF."stock_master WHERE ".TB_PREF."sales_order_details.stk_code = ".TB_PREF."stock_master.stock_id - AND order_no =" . $order_no . " AND trans_type = " . $trans_type . " ORDER BY id"; + AND order_no =" . db_escape($order_no) + ." AND trans_type = " . db_escape($trans_type) . " ORDER BY id"; return db_query($sql, "Retreive order Line Items"); } @@ -375,7 +380,8 @@ function read_sales_order($order_no, &$order, $trans_type) function sales_order_has_deliveries($order_no) { $sql = "SELECT SUM(qty_sent) FROM ".TB_PREF. - "sales_order_details WHERE order_no=$order_no AND trans_type=".ST_SALESORDER.""; + "sales_order_details WHERE order_no=".db_escape($order_no) + ." AND trans_type=".ST_SALESORDER.""; $result = db_query($sql, "could not query for sales order usage"); @@ -390,7 +396,8 @@ function close_sales_order($order_no) { // set the quantity of each item to the already sent quantity. this will mark item as closed. $sql = "UPDATE ".TB_PREF."sales_order_details - SET quantity = qty_sent WHERE order_no = $order_no AND trans_type=".ST_SALESORDER.""; + SET quantity = qty_sent WHERE order_no = ".db_escape($order_no) + ." AND trans_type=".ST_SALESORDER.""; db_query($sql, "The sales order detail record could not be updated"); } @@ -405,7 +412,7 @@ function get_invoice_duedate($debtorno, $invdate) } $sql = "SELECT ".TB_PREF."debtors_master.debtor_no, ".TB_PREF."debtors_master.payment_terms, ".TB_PREF."payment_terms.* FROM ".TB_PREF."debtors_master, ".TB_PREF."payment_terms WHERE ".TB_PREF."debtors_master.payment_terms = ".TB_PREF."payment_terms.terms_indicator AND - ".TB_PREF."debtors_master.debtor_no = '$debtorno'"; + ".TB_PREF."debtors_master.debtor_no = ".db_escape($debtorno); $result = db_query($sql,"The customer details could not be retrieved"); $myrow = db_fetch($result); @@ -440,7 +447,7 @@ function get_customer_to_order($customer_id) { WHERE ".TB_PREF."debtors_master.sales_type=" .TB_PREF."sales_types.id AND ".TB_PREF."debtors_master.credit_status=".TB_PREF."credit_status.id - AND ".TB_PREF."debtors_master.debtor_no = '" . $customer_id . "'"; + AND ".TB_PREF."debtors_master.debtor_no = ".db_escape($customer_id); $result =db_query($sql,"Customer Record Retreive"); return db_fetch($result); @@ -462,8 +469,8 @@ function get_branch_to_order($customer_id, $branch_id) { .TB_PREF."locations WHERE ".TB_PREF."cust_branch.tax_group_id = ".TB_PREF."tax_groups.id AND ".TB_PREF."locations.loc_code=default_location - AND ".TB_PREF."cust_branch.branch_code='" . $branch_id . "' - AND ".TB_PREF."cust_branch.debtor_no = '" . $customer_id . "'"; + AND ".TB_PREF."cust_branch.branch_code=".db_escape($branch_id)." + AND ".TB_PREF."cust_branch.debtor_no = ".db_escape($customer_id); return db_query($sql,"Customer Branch Record Retreive"); } diff --git a/sales/includes/db/sales_points_db.inc b/sales/includes/db/sales_points_db.inc index 35d220dd..c7ff404b 100644 --- a/sales/includes/db/sales_points_db.inc +++ b/sales/includes/db/sales_points_db.inc @@ -25,7 +25,7 @@ function update_sales_point($id, $name, $location, $account, $cash, $credit) .",pos_account=".db_escape($account) .",cash_sale =$cash" .",credit_sale =$credit" - ." WHERE id = $id"; + ." WHERE id = ".db_escape($id); db_query($sql, "could not update sales type"); } @@ -47,7 +47,7 @@ function get_sales_point($id) .TB_PREF."sales_pos as pos LEFT JOIN ".TB_PREF."locations as loc on pos.pos_location=loc.loc_code LEFT JOIN ".TB_PREF."bank_accounts as acc on pos.pos_account=acc.id - WHERE pos.id='$id'"; + WHERE pos.id=".db_escape($id); $result = db_query($sql, "could not get POS definition"); @@ -56,7 +56,7 @@ function get_sales_point($id) function get_sales_point_name($id) { - $sql = "SELECT pos_name FROM ".TB_PREF."sales_pos WHERE id=$id"; + $sql = "SELECT pos_name FROM ".TB_PREF."sales_pos WHERE id=".db_escape($id); $result = db_query($sql, "could not get POS name"); @@ -66,7 +66,7 @@ function get_sales_point_name($id) function delete_sales_point($id) { - $sql="DELETE FROM ".TB_PREF."sales_pos WHERE id=$id"; + $sql="DELETE FROM ".TB_PREF."sales_pos WHERE id=".db_escape($id); db_query($sql,"The point of sale record could not be deleted"); } diff --git a/sales/includes/db/sales_types_db.inc b/sales/includes/db/sales_types_db.inc index 9e462bc2..22af8d72 100644 --- a/sales/includes/db/sales_types_db.inc +++ b/sales/includes/db/sales_types_db.inc @@ -11,7 +11,8 @@ ***********************************************************************/ function add_sales_type($name, $tax_included, $factor) { - $sql = "INSERT INTO ".TB_PREF."sales_types (sales_type,tax_included,factor) VALUES (".db_escape($name).",'$tax_included',$factor)"; + $sql = "INSERT INTO ".TB_PREF."sales_types (sales_type,tax_included,factor) VALUES (".db_escape($name)."," + .db_escape($tax_included).",".db_escape($factor).")"; db_query($sql, "could not add sales type"); } @@ -19,7 +20,7 @@ function update_sales_type($id, $name, $tax_included, $factor) { $sql = "UPDATE ".TB_PREF."sales_types SET sales_type = ".db_escape($name).", - tax_included =$tax_included, factor=$factor WHERE id = $id"; + tax_included =".db_escape($tax_included).", factor=".db_escape($factor)." WHERE id = ".db_escape($id); db_query($sql, "could not update sales type"); } @@ -35,7 +36,7 @@ function get_all_sales_types($all=false) function get_sales_type($id) { - $sql = "SELECT * FROM ".TB_PREF."sales_types WHERE id=$id"; + $sql = "SELECT * FROM ".TB_PREF."sales_types WHERE id=".db_escape($id); $result = db_query($sql, "could not get sales type"); @@ -44,7 +45,7 @@ function get_sales_type($id) function get_sales_type_name($id) { - $sql = "SELECT sales_type FROM ".TB_PREF."sales_types WHERE id=$id"; + $sql = "SELECT sales_type FROM ".TB_PREF."sales_types WHERE id=".db_escape($id); $result = db_query($sql, "could not get sales type"); @@ -54,10 +55,10 @@ function get_sales_type_name($id) function delete_sales_type($id) { - $sql="DELETE FROM ".TB_PREF."sales_types WHERE id=$id"; + $sql="DELETE FROM ".TB_PREF."sales_types WHERE id=".db_escape($id); db_query($sql,"The Sales type record could not be deleted"); - $sql ="DELETE FROM ".TB_PREF."prices WHERE sales_type_id='$id'"; + $sql ="DELETE FROM ".TB_PREF."prices WHERE sales_type_id=".db_escape($id); db_query($sql,"The Sales type prices could not be deleted"); } diff --git a/sales/includes/sales_db.inc b/sales/includes/sales_db.inc index fc6f2904..53645836 100644 --- a/sales/includes/sales_db.inc +++ b/sales/includes/sales_db.inc @@ -92,15 +92,15 @@ function get_price ($stock_id, $currency, $sales_type_id, $factor=null, $date=nu $myrow = get_sales_type($sales_type_id); $factor = $myrow['factor']; } - + $add_pct = get_company_pref('add_pct'); $base_id = get_base_sales_type(); $home_curr = get_company_currency(); // AND (sales_type_id = $sales_type_id OR sales_type_id = $base_id) $sql = "SELECT price, curr_abrev, sales_type_id FROM ".TB_PREF."prices - WHERE stock_id = '$stock_id' - AND (curr_abrev = '$currency' OR curr_abrev = '$home_curr')"; + WHERE stock_id = ".db_escape($stock_id)." + AND (curr_abrev = ".db_escape($currency)." OR curr_abrev = ".db_escape($home_curr).")"; $result = db_query($sql, "There was a problem retrieving the pricing information for the part $stock_id for customer"); $num_rows = db_num_rows($result); @@ -188,7 +188,7 @@ function set_document_parent($cart) $del_no = reset(array_keys($cart->src_docs)); $sql = 'UPDATE '.TB_PREF.'debtor_trans SET trans_link = ' . $del_no . - ' WHERE type='.$cart->trans_type.' AND trans_no='. $inv_no ; + ' WHERE type=".db_escape($cart->trans_type)." AND trans_no='. $inv_no ; db_query($sql, 'Child document link cannot be updated'); } @@ -236,11 +236,11 @@ function update_parent_line($doc_type, $line_id, $qty_dispatched) if ($doc_type==ST_SALESORDER) $sql = "UPDATE ".TB_PREF."sales_order_details SET qty_sent = qty_sent + $qty_dispatched - WHERE id=$line_id"; + WHERE id=".db_escape($line_id); else $sql = "UPDATE ".TB_PREF."debtor_trans_details SET qty_done = qty_done + $qty_dispatched - WHERE id=$line_id"; + WHERE id=".db_escape($line_id); } db_query($sql, "The parent document detail record could not be updated"); return true; @@ -253,7 +253,7 @@ function get_location(&$cart) { $sql = "SELECT ".TB_PREF."locations.* FROM ".TB_PREF."stock_moves," .TB_PREF."locations". - " WHERE type=".$cart->trans_type. + " WHERE type=".db_escape($cart->trans_type). " AND trans_no=".key($cart->trans_no). " AND qty!=0 ". " AND ".TB_PREF."locations.loc_code=".TB_PREF."stock_moves.loc_code"; diff --git a/sales/inquiry/customer_allocation_inquiry.php b/sales/inquiry/customer_allocation_inquiry.php index 252e9611..fae2ad0f 100644 --- a/sales/inquiry/customer_allocation_inquiry.php +++ b/sales/inquiry/customer_allocation_inquiry.php @@ -161,7 +161,7 @@ function fmt_credit($row) AND trans.tran_date <= '$date_to'"; if ($_POST['customer_id'] != ALL_TEXT) - $sql .= " AND trans.debtor_no = '" . $_POST['customer_id'] . "'"; + $sql .= " AND trans.debtor_no = ".db_escape($_POST['customer_id']); if (isset($_POST['filterType']) && $_POST['filterType'] != ALL_TEXT) { diff --git a/sales/inquiry/customer_inquiry.php b/sales/inquiry/customer_inquiry.php index 5315aa2d..b076faad 100644 --- a/sales/inquiry/customer_inquiry.php +++ b/sales/inquiry/customer_inquiry.php @@ -216,6 +216,7 @@ function check_overdue($row) debtor.name, branch.br_name, debtor.curr_code, + @bal := @bal+trans.ov_amount, (trans.ov_amount + trans.ov_gst + trans.ov_freight + trans.ov_freight_tax + trans.ov_discount) AS TotalAmount, trans.alloc AS Allocated, @@ -231,7 +232,7 @@ function check_overdue($row) AND trans.branch_code = branch.branch_code"; if ($_POST['customer_id'] != ALL_TEXT) - $sql .= " AND trans.debtor_no = '" . $_POST['customer_id'] . "'"; + $sql .= " AND trans.debtor_no = ".db_escape($_POST['customer_id']); if ($_POST['filterType'] != ALL_TEXT) { @@ -267,6 +268,7 @@ function check_overdue($row) } //------------------------------------------------------------------------------------------------ +db_query("set @bal:=0"); $cols = array( _("Type") => array('fun'=>'systype_name', 'ord'=>''), @@ -278,6 +280,7 @@ $cols = array( _("Customer") => array('ord'=>''), _("Branch") => array('ord'=>''), _("Currency") => array('align'=>'center'), + _("RB"), _("Debit") => array('align'=>'right', 'fun'=>'fmt_debit'), _("Credit") => array('align'=>'right','insert'=>true, 'fun'=>'fmt_credit'), array('insert'=>true, 'fun'=>'gl_view'), diff --git a/sales/inquiry/sales_deliveries_view.php b/sales/inquiry/sales_deliveries_view.php index 9e4a03a6..72e6d132 100644 --- a/sales/inquiry/sales_deliveries_view.php +++ b/sales/inquiry/sales_deliveries_view.php @@ -204,7 +204,8 @@ if ($_POST['OutstandingOnly'] == true) { //figure out the sql required from the inputs available if (isset($_POST['DeliveryNumber']) && $_POST['DeliveryNumber'] != "") { - $sql .= " AND trans.trans_no LIKE '%". $_POST['DeliveryNumber'] ."'"; + $delivery = "%".$_POST['DeliveryNumber']; + $sql .= " AND trans.trans_no LIKE ".db_escape($delivery); $sql .= " GROUP BY trans.trans_no"; } else @@ -213,13 +214,13 @@ else $sql .= " AND trans.tran_date <= '".date2sql($_POST['DeliveryToDate'])."'"; if ($selected_customer != -1) - $sql .= " AND trans.debtor_no='" . $selected_customer . "' "; + $sql .= " AND trans.debtor_no=".db_escape($selected_customer)." "; if (isset($selected_stock_item)) - $sql .= " AND line.stock_id='". $selected_stock_item ."' "; + $sql .= " AND line.stock_id=".db_escape($selected_stock_item)." "; if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != ALL_TEXT) - $sql .= " AND sorder.from_stk_loc = '". $_POST['StockLocation'] . "' "; + $sql .= " AND sorder.from_stk_loc = ".db_escape($_POST['StockLocation'])." "; $sql .= " GROUP BY trans.trans_no "; diff --git a/sales/inquiry/sales_orders_view.php b/sales/inquiry/sales_orders_view.php index 9a0be7a5..dac158ea 100644 --- a/sales/inquiry/sales_orders_view.php +++ b/sales/inquiry/sales_orders_view.php @@ -275,8 +275,9 @@ $sql = "SELECT if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "") { - // search orders with number like ... - $sql .= " AND sorder.order_no LIKE '%". $_POST['OrderNumber'] ."'" + // search orders with number like + $number_like = "%".$_POST['OrderNumber']; + $sql .= " AND sorder.order_no LIKE ".db_escape($number_like) ." GROUP BY sorder.order_no"; } else // ... or select inquiry constraints @@ -292,13 +293,13 @@ else // ... or select inquiry constraints if ($trans_type == 32 && !check_value('show_all')) $sql .= " AND sorder.delivery_date >= '".date2sql(Today())."'"; if ($selected_customer != -1) - $sql .= " AND sorder.debtor_no='" . $selected_customer . "'"; + $sql .= " AND sorder.debtor_no=".db_escape($selected_customer); if (isset($selected_stock_item)) - $sql .= " AND line.stk_code='". $selected_stock_item ."'"; + $sql .= " AND line.stk_code=".db_escape($selected_stock_item); if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != ALL_TEXT) - $sql .= " AND sorder.from_stk_loc = '". $_POST['StockLocation'] . "' "; + $sql .= " AND sorder.from_stk_loc = ".db_escape($_POST['StockLocation']); if ($_POST['order_view_mode']=='OutstandingOnly') $sql .= " AND line.qty_sent < line.quantity"; diff --git a/sales/manage/credit_status.php b/sales/manage/credit_status.php index 097956b7..8bc3683c 100644 --- a/sales/manage/credit_status.php +++ b/sales/manage/credit_status.php @@ -59,7 +59,7 @@ if ($Mode=='UPDATE_ITEM' && can_process()) function can_delete($selected_id) { $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtors_master - WHERE credit_status=$selected_id"; + WHERE credit_status=".db_escape($selected_id); $result = db_query($sql, "could not query customers"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) diff --git a/sales/manage/customer_branches.php b/sales/manage/customer_branches.php index af6cd996..849ac557 100644 --- a/sales/manage/customer_branches.php +++ b/sales/manage/customer_branches.php @@ -148,7 +148,7 @@ elseif ($Mode == 'Delete') // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtor_trans' - $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no = '" . $_POST['customer_id']. "'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no = ".db_escape($_POST['customer_id']); $result = db_query($sql,"could not query debtortrans"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -158,7 +158,7 @@ elseif ($Mode == 'Delete') } else { - $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no = '" . $_POST['customer_id']. "'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no = ".db_escape($_POST['customer_id']); $result = db_query($sql,"could not query sales orders"); $myrow = db_fetch_row($result); @@ -168,7 +168,7 @@ elseif ($Mode == 'Delete') } else { - $sql="DELETE FROM ".TB_PREF."cust_branch WHERE branch_code='" . $_POST['branch_code']. "' AND debtor_no='" . $_POST['customer_id']. "'"; + $sql="DELETE FROM ".TB_PREF."cust_branch WHERE branch_code=".db_escape($_POST['branch_code'])." AND debtor_no=".db_escape($_POST['customer_id']); db_query($sql,"could not delete branch"); display_notification(_('Selected customer branch has been deleted')); } @@ -232,7 +232,7 @@ $num_branches = db_customer_has_branches($_POST['customer_id']); AND b.tax_group_id=t.id AND b.area=a.area_code AND b.salesman=s.salesman_code - AND b.debtor_no = '" . $_POST['customer_id']. "'"; + AND b.debtor_no = ".db_escape($_POST['customer_id']); if (!get_post('show_inactive')) $sql .= " AND !b.inactive"; //------------------------------------------------------------------------------------------------ @@ -280,8 +280,8 @@ if ($selected_id != -1) //editing an existing branch $sql = "SELECT * FROM ".TB_PREF."cust_branch - WHERE branch_code='" . $_POST['branch_code'] . "' - AND debtor_no='" . $_POST['customer_id'] . "'"; + WHERE branch_code=".db_escape($_POST['branch_code'])." + AND debtor_no=".db_escape($_POST['customer_id']); $result = db_query($sql,"check failed"); $myrow = db_fetch($result); set_focus('br_name'); @@ -314,7 +314,7 @@ elseif ($Mode != 'ADD_ITEM') { //end of if $SelectedBranch only do the else when a new record is being entered if(!$num_branches) { $sql = "SELECT name, address, email, debtor_ref - FROM ".TB_PREF."debtors_master WHERE debtor_no = '" . $_POST['customer_id']. "'"; + FROM ".TB_PREF."debtors_master WHERE debtor_no = ".db_escape($_POST['customer_id']); $result = db_query($sql,"check failed"); $myrow = db_fetch($result); $_POST['br_name'] = $myrow["name"]; diff --git a/sales/manage/customers.php b/sales/manage/customers.php index 017d1607..3b967e88 100644 --- a/sales/manage/customers.php +++ b/sales/manage/customers.php @@ -93,7 +93,7 @@ function handle_submit() credit_limit=" . input_num('credit_limit') . ", sales_type = ".db_escape($_POST['sales_type']) . ", notes=".db_escape($_POST['notes']) . " - WHERE debtor_no = '". $_POST['customer_id'] . "'"; + WHERE debtor_no = ".db_escape($_POST['customer_id']); db_query($sql,"The customer could not be updated"); diff --git a/sales/manage/recurrent_invoices.php b/sales/manage/recurrent_invoices.php index cdbc3bfa..a1b0bdec 100644 --- a/sales/manage/recurrent_invoices.php +++ b/sales/manage/recurrent_invoices.php @@ -49,7 +49,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') monthly=".input_num('monthly', 0).", begin='".date2sql($_POST['begin'])."', end='".date2sql($_POST['end'])."' - WHERE id = '$selected_id'"; + WHERE id = ".db_escape($selected_id); $note = _('Selected recurrent invoice has been updated'); } else @@ -75,7 +75,7 @@ if ($Mode == 'Delete') if ($cancel_delete == 0) { - $sql="DELETE FROM ".TB_PREF."recurrent_invoices WHERE id='" . $selected_id . "'"; + $sql="DELETE FROM ".TB_PREF."recurrent_invoices WHERE id=".db_escape($selected_id); db_query($sql,"could not delete recurrent invoice"); display_notification(_('Selected recurrent invoice has been deleted')); @@ -91,7 +91,7 @@ if ($Mode == 'RESET') //------------------------------------------------------------------------------------------------- function get_sales_group_name($group_no) { - $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = $group_no"; + $sql = "SELECT description FROM ".TB_PREF."groups WHERE id = ".db_escape($group_no); $result = db_query($sql, "could not get group"); $row = db_fetch($result); return $row[0]; @@ -149,7 +149,7 @@ if ($selected_id != -1) { if ($Mode == 'Edit') { //editing an existing area - $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id='$selected_id'"; + $sql = "SELECT * FROM ".TB_PREF."recurrent_invoices WHERE id=".db_escape($selected_id); $result = db_query($sql,"could not get recurrent invoice"); $myrow = db_fetch($result); diff --git a/sales/manage/sales_areas.php b/sales/manage/sales_areas.php index 3fd37dd2..64f043fc 100644 --- a/sales/manage/sales_areas.php +++ b/sales/manage/sales_areas.php @@ -35,7 +35,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') { if ($selected_id != -1) { - $sql = "UPDATE ".TB_PREF."areas SET description=".db_escape($_POST['description'])." WHERE area_code = '$selected_id'"; + $sql = "UPDATE ".TB_PREF."areas SET description=".db_escape($_POST['description'])." WHERE area_code = ".db_escape($selected_id); $note = _('Selected sales area has been updated'); } else @@ -57,7 +57,7 @@ if ($Mode == 'Delete') // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtors_master' - $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE area='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE area=".db_escape($selected_id); $result = db_query($sql,"check failed"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -67,7 +67,7 @@ if ($Mode == 'Delete') } if ($cancel_delete == 0) { - $sql="DELETE FROM ".TB_PREF."areas WHERE area_code='" . $selected_id . "'"; + $sql="DELETE FROM ".TB_PREF."areas WHERE area_code=".db_escape($selected_id); db_query($sql,"could not delete sales area"); display_notification(_('Selected sales area has been deleted')); @@ -124,7 +124,7 @@ if ($selected_id != -1) { if ($Mode == 'Edit') { //editing an existing area - $sql = "SELECT * FROM ".TB_PREF."areas WHERE area_code='$selected_id'"; + $sql = "SELECT * FROM ".TB_PREF."areas WHERE area_code=".db_escape($selected_id); $result = db_query($sql,"could not get area"); $myrow = db_fetch($result); diff --git a/sales/manage/sales_groups.php b/sales/manage/sales_groups.php index 4978299f..0a922d4c 100644 --- a/sales/manage/sales_groups.php +++ b/sales/manage/sales_groups.php @@ -35,7 +35,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') { if ($selected_id != -1) { - $sql = "UPDATE ".TB_PREF."groups SET description=".db_escape($_POST['description'])." WHERE id = '$selected_id'"; + $sql = "UPDATE ".TB_PREF."groups SET description=".db_escape($_POST['description'])." WHERE id = ".db_escape($selected_id); $note = _('Selected sales group has been updated'); } else @@ -57,7 +57,7 @@ if ($Mode == 'Delete') // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtors_master' - $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE group_no='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE group_no=".db_escape($selected_id); $result = db_query($sql,"check failed"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -67,7 +67,7 @@ if ($Mode == 'Delete') } if ($cancel_delete == 0) { - $sql="DELETE FROM ".TB_PREF."groups WHERE id='" . $selected_id . "'"; + $sql="DELETE FROM ".TB_PREF."groups WHERE id=".db_escape($selected_id); db_query($sql,"could not delete sales group"); display_notification(_('Selected sales group has been deleted')); @@ -122,7 +122,7 @@ if ($selected_id != -1) { if ($Mode == 'Edit') { //editing an existing area - $sql = "SELECT * FROM ".TB_PREF."groups WHERE id='$selected_id'"; + $sql = "SELECT * FROM ".TB_PREF."groups WHERE id=".db_escape($selected_id); $result = db_query($sql,"could not get group"); $myrow = db_fetch($result); diff --git a/sales/manage/sales_people.php b/sales/manage/sales_people.php index 8546ba7e..30e4c556 100644 --- a/sales/manage/sales_people.php +++ b/sales/manage/sales_people.php @@ -56,7 +56,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') provision=".input_num('provision').", break_pt=".input_num('break_pt').", provision2=".input_num('provision2')." - WHERE salesman_code = '$selected_id'"; + WHERE salesman_code = ".db_escape($selected_id); } else { @@ -86,7 +86,7 @@ if ($Mode == 'Delete') // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtors_master' - $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE salesman='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE salesman=".db_escape($selected_id); $result = db_query($sql,"check failed"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -95,7 +95,7 @@ if ($Mode == 'Delete') } else { - $sql="DELETE FROM ".TB_PREF."salesman WHERE salesman_code='$selected_id'"; + $sql="DELETE FROM ".TB_PREF."salesman WHERE salesman_code=".db_escape($selected_id); db_query($sql,"The sales-person could not be deleted"); display_notification(_('Selected sales person data have been deleted')); } @@ -154,7 +154,7 @@ if ($selected_id != -1) { if ($Mode == 'Edit') { //editing an existing Sales-person - $sql = "SELECT * FROM ".TB_PREF."salesman WHERE salesman_code='$selected_id'"; + $sql = "SELECT * FROM ".TB_PREF."salesman WHERE salesman_code=".db_escape($selected_id); $result = db_query($sql,"could not get sales person"); $myrow = db_fetch($result); diff --git a/sales/manage/sales_types.php b/sales/manage/sales_types.php index 75a504fa..4d9d1f08 100644 --- a/sales/manage/sales_types.php +++ b/sales/manage/sales_types.php @@ -66,7 +66,7 @@ if ($Mode == 'Delete') { // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtor_trans' - $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE tpe='$selected_id'"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE tpe=".db_escape($selected_id); $result = db_query($sql,"check failed"); check_db_error("The number of transactions using this Sales type record could not be retrieved", $sql); @@ -79,7 +79,7 @@ if ($Mode == 'Delete') else { - $sql = "SELECT COUNT(*) FROM ".TB_PREF."debtors_master WHERE sales_type='$selected_id'"; + $sql = "SELECT COUNT(*) FROM ".TB_PREF."debtors_master WHERE sales_type=".db_escape($selected_id); $result = db_query($sql,"check failed"); check_db_error("The number of customers using this Sales type record could not be retrieved", $sql); diff --git a/sales/view/view_sales_order.php b/sales/view/view_sales_order.php index 352b6823..8120332b 100644 --- a/sales/view/view_sales_order.php +++ b/sales/view/view_sales_order.php @@ -90,10 +90,11 @@ if ($_GET['trans_type'] != ST_SALESQUOTE) start_table($table_style); display_heading2(_("Delivery Notes")); + $th = array(_("#"), _("Ref"), _("Date"), _("Total")); table_header($th); - $sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=".ST_CUSTDELIVERY." AND order_=" . $_GET['trans_no']; + $sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=".ST_CUSTDELIVERY." AND order_=".db_escape($_GET['trans_no']); $result = db_query($sql,"The related delivery notes could not be retreived"); $delivery_total = 0; @@ -126,7 +127,7 @@ if ($_GET['trans_type'] != ST_SALESQUOTE) $th = array(_("#"), _("Ref"), _("Date"), _("Total")); table_header($th); - $sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=".ST_SALESINVOICE." AND order_=" . $_GET['trans_no']; + $sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=".ST_SALESINVOICE." AND order_=".db_escape($_GET['trans_no']); $result = db_query($sql,"The related invoices could not be retreived"); $invoices_total = 0; @@ -158,7 +159,7 @@ if ($_GET['trans_type'] != ST_SALESQUOTE) $th = array(_("#"), _("Ref"), _("Date"), _("Total")); table_header($th); - $sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=".ST_CUSTCREDIT." AND order_=" . $_GET['trans_no']; + $sql = "SELECT * FROM ".TB_PREF."debtor_trans WHERE type=".ST_CUSTCREDIT." AND order_=".db_escape($_GET['trans_no']); $result = db_query($sql,"The related credit notes could not be retreived"); $credits_total = 0; diff --git a/taxes/db/item_tax_types_db.inc b/taxes/db/item_tax_types_db.inc index 3a99f9ba..7e034e4b 100644 --- a/taxes/db/item_tax_types_db.inc +++ b/taxes/db/item_tax_types_db.inc @@ -14,7 +14,7 @@ function add_item_tax_type($name, $exempt, $exempt_from) begin_transaction(); $sql = "INSERT INTO ".TB_PREF."item_tax_types (name, exempt) - VALUES (".db_escape($name).",$exempt)"; + VALUES (".db_escape($name).",".db_escape($exempt).")"; db_query($sql, "could not add item tax type"); @@ -31,7 +31,7 @@ function update_item_tax_type($id, $name, $exempt, $exempt_from) begin_transaction(); $sql = "UPDATE ".TB_PREF."item_tax_types SET name=".db_escape($name). - ", exempt=$exempt WHERE id=$id"; + ", exempt=".db_escape($exempt)." WHERE id=".db_escape($id); db_query($sql, "could not update item tax type"); @@ -51,7 +51,7 @@ function get_all_item_tax_types() function get_item_tax_type($id) { - $sql = "SELECT * FROM ".TB_PREF."item_tax_types WHERE id=$id"; + $sql = "SELECT * FROM ".TB_PREF."item_tax_types WHERE id=".db_escape($id); $result = db_query($sql, "could not get item tax type"); @@ -60,7 +60,8 @@ function get_item_tax_type($id) function get_item_tax_type_for_item($stock_id) { - $sql = "SELECT ".TB_PREF."item_tax_types.* FROM ".TB_PREF."item_tax_types,".TB_PREF."stock_master WHERE ".TB_PREF."stock_master.stock_id='$stock_id' + $sql = "SELECT ".TB_PREF."item_tax_types.* FROM ".TB_PREF."item_tax_types,".TB_PREF."stock_master WHERE + ".TB_PREF."stock_master.stock_id=".db_escape($stock_id)." AND ".TB_PREF."item_tax_types.id=".TB_PREF."stock_master.tax_type_id"; $result = db_query($sql, "could not get item tax type"); @@ -72,7 +73,7 @@ function delete_item_tax_type($id) { begin_transaction(); - $sql = "DELETE FROM ".TB_PREF."item_tax_types WHERE id=$id"; + $sql = "DELETE FROM ".TB_PREF."item_tax_types WHERE id=".db_escape($id); db_query($sql, "could not delete item tax type"); // also delete all exemptions @@ -86,21 +87,21 @@ function add_item_tax_type_exemptions($id, $exemptions) for ($i = 0; $i < count($exemptions); $i++) { $sql = "INSERT INTO ".TB_PREF."item_tax_type_exemptions (item_tax_type_id, tax_type_id) - VALUES ($id, " . $exemptions[$i] . ")"; + VALUES (".db_escape($id).", ".db_escape($exemptions[$i]).")"; db_query($sql, "could not add item tax type exemptions"); } } function delete_item_tax_type_exemptions($id) { - $sql = "DELETE FROM ".TB_PREF."item_tax_type_exemptions WHERE item_tax_type_id=$id"; + $sql = "DELETE FROM ".TB_PREF."item_tax_type_exemptions WHERE item_tax_type_id=".db_escape($id); db_query($sql, "could not delete item tax type exemptions"); } function get_item_tax_type_exemptions($id) { - $sql = "SELECT * FROM ".TB_PREF."item_tax_type_exemptions WHERE item_tax_type_id=$id"; + $sql = "SELECT * FROM ".TB_PREF."item_tax_type_exemptions WHERE item_tax_type_id=".db_escape($id); return db_query($sql, "could not get item tax type exemptions"); } diff --git a/taxes/db/tax_groups_db.inc b/taxes/db/tax_groups_db.inc index df48e0a1..392ec8cb 100644 --- a/taxes/db/tax_groups_db.inc +++ b/taxes/db/tax_groups_db.inc @@ -21,7 +21,7 @@ function add_tax_group($name, $tax_shipping, $taxes, $rates) if($tax_shipping) // only one tax group for shipping clear_shipping_tax_group(); - $sql = "INSERT INTO ".TB_PREF."tax_groups (name, tax_shipping) VALUES (".db_escape($name).", $tax_shipping)"; + $sql = "INSERT INTO ".TB_PREF."tax_groups (name, tax_shipping) VALUES (".db_escape($name).", ".db_escape($tax_shipping).")"; db_query($sql, "could not add tax group"); $id = db_insert_id(); @@ -38,7 +38,7 @@ function update_tax_group($id, $name, $tax_shipping, $taxes, $rates) if($tax_shipping) // only one tax group for shipping clear_shipping_tax_group(); - $sql = "UPDATE ".TB_PREF."tax_groups SET name=".db_escape($name).",tax_shipping=$tax_shipping WHERE id=$id"; + $sql = "UPDATE ".TB_PREF."tax_groups SET name=".db_escape($name).",tax_shipping=".db_escape($tax_shipping)." WHERE id=".db_escape($id); db_query($sql, "could not update tax group"); delete_tax_group_items($id); @@ -57,7 +57,7 @@ function get_all_tax_groups($all=false) function get_tax_group($type_id) { - $sql = "SELECT * FROM ".TB_PREF."tax_groups WHERE id=$type_id"; + $sql = "SELECT * FROM ".TB_PREF."tax_groups WHERE id=".db_escape($type_id); $result = db_query($sql, "could not get tax group"); @@ -68,7 +68,7 @@ function delete_tax_group($id) { begin_transaction(); - $sql = "DELETE FROM ".TB_PREF."tax_groups WHERE id=$id"; + $sql = "DELETE FROM ".TB_PREF."tax_groups WHERE id=".db_escape($id); db_query($sql, "could not delete tax group"); @@ -82,14 +82,14 @@ function add_tax_group_items($id, $items, $rates) for ($i=0; $i < count($items); $i++) { $sql = "INSERT INTO ".TB_PREF."tax_group_items (tax_group_id, tax_type_id, rate) - VALUES ($id, " . $items[$i] . ", " . $rates[$i] .")"; + VALUES (".db_escape($id).", ".db_escape($items[$i]).", " . $rates[$i] .")"; db_query($sql, "could not add item tax group item"); } } function delete_tax_group_items($id) { - $sql = "DELETE FROM ".TB_PREF."tax_group_items WHERE tax_group_id=$id"; + $sql = "DELETE FROM ".TB_PREF."tax_group_items WHERE tax_group_id=".db_escape($id); db_query($sql, "could not delete item tax group items"); } @@ -99,7 +99,7 @@ function get_tax_group_items($id) $sql = "SELECT ".TB_PREF."tax_group_items.*, ".TB_PREF."tax_types.name AS tax_type_name, ".TB_PREF."tax_types.sales_gl_code, ".TB_PREF."tax_types.purchasing_gl_code FROM ".TB_PREF."tax_group_items, ".TB_PREF."tax_types - WHERE tax_group_id=$id + WHERE tax_group_id=".db_escape($id)." AND ".TB_PREF."tax_types.id=tax_type_id"; return db_query($sql, "could not get item tax type group items"); diff --git a/taxes/db/tax_types_db.inc b/taxes/db/tax_types_db.inc index 52ee5eea..e57ffb35 100644 --- a/taxes/db/tax_types_db.inc +++ b/taxes/db/tax_types_db.inc @@ -24,7 +24,7 @@ function update_tax_type($type_id, $name, $sales_gl_code, $purchasing_gl_code, $ sales_gl_code=".db_escape($sales_gl_code).", purchasing_gl_code=".db_escape($purchasing_gl_code).", rate=$rate - WHERE id=$type_id"; + WHERE id=".db_escape($type_id); db_query($sql, "could not update tax type"); } @@ -58,7 +58,7 @@ function get_tax_type($type_id) FROM ".TB_PREF."tax_types, ".TB_PREF."chart_master AS Chart1, ".TB_PREF."chart_master AS Chart2 WHERE ".TB_PREF."tax_types.sales_gl_code = Chart1.account_code - AND ".TB_PREF."tax_types.purchasing_gl_code = Chart2.account_code AND id=$type_id"; + AND ".TB_PREF."tax_types.purchasing_gl_code = Chart2.account_code AND id=".db_escape($type_id); $result = db_query($sql, "could not get tax type"); return db_fetch($result); @@ -66,7 +66,7 @@ function get_tax_type($type_id) function get_tax_type_default_rate($type_id) { - $sql = "SELECT rate FROM ".TB_PREF."tax_types WHERE id=$type_id"; + $sql = "SELECT rate FROM ".TB_PREF."tax_types WHERE id=".db_escape($type_id); $result = db_query($sql, "could not get tax type rate"); @@ -78,7 +78,7 @@ function delete_tax_type($type_id) { begin_transaction(); - $sql = "DELETE FROM ".TB_PREF."tax_types WHERE id=$type_id"; + $sql = "DELETE FROM ".TB_PREF."tax_types WHERE id=".db_escape($type_id); db_query($sql, "could not delete tax type"); diff --git a/taxes/item_tax_types.php b/taxes/item_tax_types.php index 817ce4ec..e6c1b104 100644 --- a/taxes/item_tax_types.php +++ b/taxes/item_tax_types.php @@ -72,7 +72,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') function can_delete($selected_id) { - $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE tax_type_id=$selected_id"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."stock_master WHERE tax_type_id=".db_escape($selected_id); $result = db_query($sql, "could not query stock master"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) diff --git a/taxes/tax_calc.inc b/taxes/tax_calc.inc index 1209d621..7107cdca 100644 --- a/taxes/tax_calc.inc +++ b/taxes/tax_calc.inc @@ -210,7 +210,7 @@ function get_tax_for_items($items, $prices, $shipping_cost, $tax_group, $tax_inc function is_tax_account($account_code) { $sql= "SELECT id FROM ".TB_PREF."tax_types WHERE - sales_gl_code='$account_code' OR purchasing_gl_code='$account_code'"; + sales_gl_code=".db_escape($account_code)." OR purchasing_gl_code=".db_escape($account_code); $result = db_query($sql, "checking account is tax account"); if (db_num_rows($result) > 0) { $acct = db_fetch($result); diff --git a/taxes/tax_groups.php b/taxes/tax_groups.php index 07cda243..ea61fd34 100644 --- a/taxes/tax_groups.php +++ b/taxes/tax_groups.php @@ -99,7 +99,7 @@ function can_delete($selected_id) { if ($selected_id == -1) return false; - $sql = "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE tax_group_id=$selected_id"; + $sql = "SELECT COUNT(*) FROM ".TB_PREF."cust_branch WHERE tax_group_id=".db_escape($selected_id); $result = db_query($sql, "could not query customers"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) @@ -108,7 +108,7 @@ function can_delete($selected_id) return false; } - $sql = "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE tax_group_id=$selected_id"; + $sql = "SELECT COUNT(*) FROM ".TB_PREF."suppliers WHERE tax_group_id=".db_escape($selected_id); $result = db_query($sql, "could not query suppliers"); $myrow = db_fetch_row($result); if ($myrow[0] > 0) diff --git a/taxes/tax_types.php b/taxes/tax_types.php index 5976f1a9..ca2f866f 100644 --- a/taxes/tax_types.php +++ b/taxes/tax_types.php @@ -72,7 +72,7 @@ if ($Mode=='UPDATE_ITEM' && can_process()) function can_delete($selected_id) { - $sql= "SELECT COUNT(*) FROM ".TB_PREF."tax_group_items WHERE tax_type_id=$selected_id"; + $sql= "SELECT COUNT(*) FROM ".TB_PREF."tax_group_items WHERE tax_type_id=".db_escape($selected_id); $result = db_query($sql, "could not query tax groups"); $myrow = db_fetch_row($result); if ($myrow[0] > 0)