- $sql = "select id, name, cost from tt_predefined_expenses
- where id = $id and group_id = ".$user->getGroup();
+ $group_id = $user->getGroup();
+ $org_id = $user->org_id;
+
+ $sql = "select id, name, cost from tt_predefined_expenses".
+ " where id = $id and group_id = $group_id and org_id = $org_id";
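Review bot: On the new `where` line, `$id`, `$group_id` and `$org_id` are all interpolated directly into the SQL text, and nothing visible in the hunk shows `$id` being validated or cast before it gets there. If `$id` can come from request data, the added `org_id` scoping does not help, because an injected value can rewrite the rest of the predicate. Either bind the three values through the database layer's parameter or quoting mechanism, or at minimum force them to integers first, e.g. `$id = (int) $id; $group_id = (int) $user->getGroup(); $org_id = (int) $user->org_id;`. The cast also keeps the statement well-formed if `$user->org_id` is ever null or empty, which would otherwise produce `org_id = ` and a query error. The enclosing function starts and ends outside the hunk, so an earlier check on `$id` may exist; if it does, a short comment above the query saying so would help.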