Changeset 82 for branches/1.1dev/lib/OrderStatus.inc.php
- Timestamp:
- Apr 8, 2006 3:07:57 AM (18 years ago)
- File:
-
- 1 edited
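--- a/branches/1.1dev/lib/OrderStatus.inc.php
+++ b/branches/1.1dev/lib/OrderStatus.inc.php
@@ -18,5 +18,5 @@
 {
 if ($status != '') {
-$whereclause = 'WHERE status = ' . addslashes($status);
+$whereclause = 'WHERE status = ' . mysql_real_escape_string($status);
 } else {
 $whereclause = '';
@@ -52,5 +52,5 @@
 global $CFG, $_SESSION;
 
-$qid = dbQuery("SELECT status, email, first_name, last_name FROM order_tbl WHERE order_id = " . addslashes($order_id));
+$qid = dbQuery("SELECT status, email, first_name, last_name FROM order_tbl WHERE order_id = " . mysql_real_escape_string($order_id));
 if (mysql_num_rows($qid) == 1) {
 /* The order exists, we contine. */
@@ -105,5 +105,5 @@
 /* Otherwise we assume everything was updated okay and that
 * we have a valid new status and so proceed updating the orders table. */
-dbQuery("UPDATE order_tbl SET status = " . addslashes($db_update) . " WHERE order_id = " . addslashes($order_id));
+dbQuery("UPDATE order_tbl SET status = " . mysql_real_escape_string($db_update) . " WHERE order_id = " . mysql_real_escape_string($order_id));
 
 if ($email_user == true) {
@@ -111,4 +111,4 @@
 
 /* Query to load the details of this order. */
-$qid_order = dbQuery("SELECT * FROM order_tbl WHERE order_id = " . addslashes($order_id));
+$qid_order = dbQuery("SELECT * FROM order_tbl WHERE order_id = " . mysql_real_escape_string($order_id));
 $order = mysql_fetch_assoc($qid_order);
@@ -129,5 +129,5 @@
 LEFT JOIN product_tbl p
 ON (oi.product_id = p.product_id)
-WHERE oi.order_id = " . addslashes($order_id) . "
+WHERE oi.order_id = " . mysql_real_escape_string($order_id) . "
 ");
 $item_num = 0;
@@ -214,5 +214,5 @@
 {
 if ($polarity == '+' || $polarity == '-') {
-$qid = dbQuery("SELECT product_id, qty as order_qty FROM order_items_tbl WHERE order_id = " . addslashes($order_id));
+$qid = dbQuery("SELECT product_id, qty as order_qty FROM order_items_tbl WHERE order_id = " . mysql_real_escape_string($order_id));
 /* First we make sure each item is in stock in adequate quantities. */
 while ($order_item = mysql_fetch_assoc($qid)) {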
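Review bot: Replacing addslashes() with mysql_real_escape_string() does not close the injection hole on new line 20 or on any of the order_id lines (54, 107, 113, 131, 216), because every escaped value is still concatenated into the SQL without surrounding quotes, so an input such as `1 OR 1=1` contains no character to escape and reaches the query intact. For the numeric key a cast is the minimal fix at each of the five sites, `" WHERE order_id = " . (int) $order_id`; for the status strings the value has to be quoted as well as escaped, `$whereclause = "WHERE status = '" . mysql_real_escape_string($status) . "'";` and the same for `$db_update` on line 107 (as written, an unquoted string there is either a SQL error or an identifier, never a literal). mysql_real_escape_string() also requires an open mysql connection and returns false with a warning otherwise, so the line 20 call must run after the connection dbQuery() uses is established — whether that ordering holds is not visible from this changeset. Each of these hunks sits inside a function whose start and end lie outside the shown lines.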