From fdb0ed9e45cc7876ad7a72f78b17f23562593e9e Mon Sep 17 00:00:00 2001
From: Janusz Dobrowolski
Date: Thu, 9 Dec 2010 11:09:38 +0000
Subject: [PATCH] [0000313] Fixed multiply vulnerabilities.
---
 dimensions/includes/dimensions_db.inc | 6 +++---
 includes/banking.inc | 10 +++++-----
 includes/data_checks.inc | 6 +++---
 includes/systypes.inc | 2 +-
 purchasing/includes/ui/po_ui.inc | 2 +-
 reporting/includes/header2.inc | 2 +-
 sales/includes/sales_db.inc | 2 ++
 7 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/dimensions/includes/dimensions_db.inc b/dimensions/includes/dimensions_db.inc
index 54ece7c4..c0483710 100644
--- a/dimensions/includes/dimensions_db.inc
+++ b/dimensions/includes/dimensions_db.inc
@@ -147,7 +147,7 @@ function close_dimension($id)
 function reopen_dimension($id)
 {
- $sql = "UPDATE ".TB_PREF."dimensions SET closed='0' WHERE id = $id";
+ $sql = "UPDATE ".TB_PREF."dimensions SET closed='0' WHERE id = ".db_escape($id);
 db_query($sql, "could not reopen dimension");
 }
@@ -160,7 +160,7 @@ function get_dimension_balance_all($id, $from, $to)
 $sql = "SELECT account, ".TB_PREF."chart_master.account_name, sum(amount) AS amt FROM ".TB_PREF."gl_trans,".TB_PREF."chart_master WHERE ".TB_PREF."gl_trans.account = ".TB_PREF."chart_master.account_code AND
- (dimension_id = $id OR dimension2_id = $id) AND
+ (dimension_id = ".db_escape($id)." OR dimension2_id = ".db_escape($id).") AND
 tran_date >= '$from' AND tran_date <= '$to' GROUP BY account";
 return db_query($sql, "Transactions could not be calculated");
 }
@@ -173,7 +173,7 @@ function get_dimension_balance($id, $from, $to)
 $sql = "SELECT SUM(amount) FROM ".TB_PREF."gl_trans WHERE tran_date >= '" . date2sql($from) . "' AND tran_date <= '" . date2sql($to) . "' AND (dimension_id = " .
- $id." OR dimension2_id = " .$id.")";
+ db_escape($id)." OR dimension2_id = " .db_escape($id).")";
 $res = db_query($sql, "Sum of transactions could not be calculated");
 $row = db_fetch_row($res);
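Review bot: In the get_dimension_balance_all hunk (@@ -160) both dimension ids are now escaped, but the very next context line of the same statement, `tran_date >= '$from' AND tran_date <= '$to'`, still interpolates $from and $to raw. The sibling get_dimension_balance (@@ -173) passes its dates through date2sql() before building the query, so this one should at least match it, `tran_date >= '".date2sql($from)."' AND tran_date <= '".date2sql($to)."'`; if the callers already hand in SQL-formatted dates (not visible here), `db_escape($from)` / `db_escape($to)` is the drop-in form that keeps the id handling consistent. All three function bodies extend past their hunks.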
diff --git a/includes/banking.inc b/includes/banking.inc
index 82d78b05..21dbb8f6 100644
--- a/includes/banking.inc
+++ b/includes/banking.inc
@@ -21,7 +21,7 @@ include_once($path_to_root . "/gl/includes/gl_db.inc");
 //
 function is_bank_account($account_code)
 {
- $sql= "SELECT id FROM ".TB_PREF."bank_accounts WHERE account_code='$account_code'";
+ $sql= "SELECT id FROM ".TB_PREF."bank_accounts WHERE account_code=".db_escape($account_code);
 $result = db_query($sql, "checking account is bank account");
 if (db_num_rows($result) > 0) {
 $acct = db_fetch($result);
@@ -48,7 +48,7 @@ function get_company_currency()
 function get_bank_account_currency($id)
 {
- $sql= "SELECT bank_curr_code FROM ".TB_PREF."bank_accounts WHERE id='$id'";
+ $sql= "SELECT bank_curr_code FROM ".TB_PREF."bank_accounts WHERE id=".db_escape($id);
 $result = db_query($sql, "retreive bank account currency");
 $myrow = db_fetch_row($result);
@@ -59,7 +59,7 @@ function get_bank_account_currency($id)
 function get_customer_currency($customer_id)
 {
- $sql = "SELECT curr_code FROM ".TB_PREF."debtors_master WHERE debtor_no = '$customer_id'";
+ $sql = "SELECT curr_code FROM ".TB_PREF."debtors_master WHERE debtor_no = ".db_escape($customer_id);
 $result = db_query($sql, "Retreive currency of customer $customer_id");
@@ -71,7 +71,7 @@ function get_customer_currency($customer_id)
 function get_supplier_currency($supplier_id)
 {
- $sql = "SELECT curr_code FROM ".TB_PREF."suppliers WHERE supplier_id = '$supplier_id'";
+ $sql = "SELECT curr_code FROM ".TB_PREF."suppliers WHERE supplier_id = ".db_escape($supplier_id);
 $result = db_query($sql, "Retreive currency of supplier $supplier_id");
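Review bot: In the get_customer_currency and get_supplier_currency hunks (@@ -59, @@ -71) the SQL now goes through db_escape(), but the same raw `$customer_id` / `$supplier_id` is still interpolated into the db_query error message on the following context line (`"Retreive currency of customer $customer_id"`); systypes.inc (@@ -26) does the same with `$trans_type`. If db_query renders that message to the browser on failure — not visible from the hunks — the untrusted value reaches an HTML context unescaped, so either leave the value out of the message or escape it for the output context where the message is displayed. Each enclosing function continues past its hunk.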
@@ -88,7 +88,7 @@ function get_exchange_rate_from_home_currency($currency_code, $date_)
 $date = date2sql($date_);
- $sql = "SELECT rate_buy, max(date_) as date_ FROM ".TB_PREF."exchange_rates WHERE curr_code = '$currency_code'
+ $sql = "SELECT rate_buy, max(date_) as date_ FROM ".TB_PREF."exchange_rates WHERE curr_code = ".db_escape($currency_code)."
 AND date_ <= '$date' GROUP BY rate_buy ORDER BY date_ Desc LIMIT 1";
 $result = db_query($sql, "could not query exchange rates");
diff --git a/includes/data_checks.inc b/includes/data_checks.inc
index ff316953..798e84c4 100644
--- a/includes/data_checks.inc
+++ b/includes/data_checks.inc
@@ -124,7 +124,7 @@ function check_db_has_movement_types($msg)
 function db_customer_has_branches($customer_id)
 {
 return check_empty_result("SELECT COUNT(*) FROM ".TB_PREF."cust_branch "
- ."WHERE debtor_no='$customer_id'");
+ ."WHERE debtor_no=".db_escape($customer_id));
 }
 function db_has_customer_branches()
@@ -430,7 +430,7 @@ function db_has_quick_entries()
 function db_has_tags($type)
 {
- return check_empty_result("SELECT COUNT(*) FROM ".TB_PREF."tags WHERE type=$type");
+ return check_empty_result("SELECT COUNT(*) FROM ".TB_PREF."tags WHERE type=".db_escape($type));
 }
 function check_db_has_tags($type, $msg)
@@ -449,7 +449,7 @@ function check_empty_result($sql)
 $result = db_query($sql, "could not do check empty query");
 $myrow = db_fetch_row($result);
- return $myrow[0] > 0;
+ return $myrow[0] > 0;
 }
 //
 // Integer input check
diff --git a/includes/systypes.inc b/includes/systypes.inc
index 1c91abc2..974adfdb 100644
--- a/includes/systypes.inc
+++ b/includes/systypes.inc
@@ -26,7 +26,7 @@ function get_next_trans_no ($trans_type){
 $sql = "SELECT MAX(`$st[2]`) FROM $st[0]";
 if ($st[1] != null)
- $sql .= " WHERE `$st[1]`=".db_escape($trans_type);
 $result = db_query($sql,"The next transaction number for $trans_type could not be retrieved");
 $myrow = db_fetch_row($result);
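Review bot: In the get_exchange_rate_from_home_currency hunk (@@ -88) `curr_code` is now escaped, but the continuation line `AND date_ <= '$date'` still interpolates `$date` directly; it is the result of `date2sql($date_)` two lines above, so it is presumably already normalised, yet the rest of this patch treats every interpolated value the same way and this one should too: `AND date_ <= ".db_escape($date)." GROUP BY rate_buy ORDER BY date_ Desc LIMIT 1";`. What date2sql returns for malformed input is not visible here. The function continues past the hunk.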
diff --git a/purchasing/includes/ui/po_ui.inc b/purchasing/includes/ui/po_ui.inc
index 87ef5632..5f713a48 100644
--- a/purchasing/includes/ui/po_ui.inc
+++ b/purchasing/includes/ui/po_ui.inc
@@ -201,7 +201,7 @@ function display_po_header(&$order)
 /*If this is the first time the form loaded set up defaults */
 //$_POST['StkLocation'] = $_SESSION['UserStockLocation'];
- $sql = "SELECT delivery_address, phone FROM ".TB_PREF."locations WHERE loc_code='" . $_POST['StkLocation'] . "'";
+ $sql = "SELECT delivery_address, phone FROM ".TB_PREF."locations WHERE loc_code='" . db_escape($_POST['StkLocation']) . "'";
 $result = db_query($sql,"could not get location info");
 if (db_num_rows($result) == 1)
diff --git a/reporting/includes/header2.inc b/reporting/includes/header2.inc
index 9c9b36b7..cb40430a 100644
--- a/reporting/includes/header2.inc
+++ b/reporting/includes/header2.inc
@@ -287,7 +287,7 @@
 else
 {
 $id = $this->formData['payment_terms'];
- $sql = "SELECT terms FROM ".TB_PREF."payment_terms WHERE terms_indicator='$id'";
+ $sql = "SELECT terms FROM ".TB_PREF."payment_terms WHERE terms_indicator=".db_escape($id);
 $result = db_query($sql,"could not get paymentterms");
 $row = db_fetch($result);
 $str = $row["terms"];
diff --git a/sales/includes/sales_db.inc b/sales/includes/sales_db.inc
index db81a3e7..5e6913d1 100644
--- a/sales/includes/sales_db.inc
+++ b/sales/includes/sales_db.inc
@@ -201,6 +201,8 @@ function update_parent_line($doc_type, $line_id, $qty_dispatched, $auto=false)
 {
 $doc_type = get_parent_type($doc_type);
+ $qty_dispatched = (float)$qty_dispatched;
+
 // echo "update line: $line_id, $doc_type, $qty_dispatched";
 if ($doc_type==0) return false;
-- 
2.30.2
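Review bot: The new line in the display_po_header hunk (@@ -201) keeps its own single quotes around the db_escape() result, `loc_code='" . db_escape($_POST['StkLocation']) . "'"`, whereas every other hunk in this patch drops the surrounding quotes when it switches to db_escape (for example `account_code=".db_escape($account_code)` in banking.inc), which strongly suggests db_escape already returns a quoted literal. If that is so, this query is built as `loc_code=''X''` and either fails or never matches a location, so the line should take the same form as the rest of the patch: `$sql = "SELECT delivery_address, phone FROM ".TB_PREF."locations WHERE loc_code=" . db_escape($_POST['StkLocation']);`. db_escape's return convention itself is not visible on this page. display_po_header continues outside the hunk.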
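Review bot: The added `$qty_dispatched = (float)$qty_dispatched;` in update_parent_line (@@ -201) coerces rather than validates: a non-numeric value silently becomes 0.0 and the update proceeds with a zero quantity, while the bad-input case on the next line, `$doc_type==0`, is rejected with `return false`. A guard in the same style before the cast, `if (!is_numeric($qty_dispatched)) return false;`, keeps the hardening without letting malformed input turn into a plausible-looking zero, and a one-line comment such as `// force a numeric quantity before it is used to build SQL below` would record why the cast is there, assuming that is its purpose (the later use is outside the hunk). update_parent_line continues past the hunk.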