X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=SL%2FCP.pm;h=46cebfebf5dea4aa28849dd60295f0c551525686;hb=1eaf497886107c359dbc2a185f4bede9b7e7f6ea;hp=56f579543ab5c9b60cc7a289987c705efa7ee458;hpb=61824c4571db7e870e7c9cdc03e4af408fd27702;p=kivitendo-erp.git diff --git a/SL/CP.pm b/SL/CP.pm index 56f579543..46cebfebf 100644 --- a/SL/CP.pm +++ b/SL/CP.pm @@ -74,8 +74,7 @@ sub paymentaccounts { qq|FROM chart | . qq|WHERE link LIKE ? |. qq|ORDER BY accno|; - my $sth = prepare_execute_query($form, $dbh, $query, - $form->{ARAP} eq "AR" ? "AR" : "AP" ); + my $sth = prepare_execute_query($form, $dbh, $query, '%' . $ARAP . '%'); $form->{PR}{ $form->{ARAP} } = (); $form->{PR}{"$form->{ARAP}_paid"} = (); @@ -159,10 +158,12 @@ sub get_openinvoices { my $buysell = $form->{vc} eq 'customer' ? "buy" : "sell"; my $arap = $form->{arap} eq "ar" ? "ar" : "ap"; + my $curr_null = $form->{curreny} ? '' : ' OR a.curr IS NULL'; # fix: after sql-injection fix, curr is inserted as NULL, before that as '' + my $query = qq|SELECT a.id, a.invnumber, a.transdate, a.amount, a.paid, a.curr | . qq|FROM $arap a | . - qq|WHERE (a.${vc}_id = ?) AND (a.curr = ?) AND NOT (a.amount = paid)|; + qq|WHERE (a.${vc}_id = ?) AND (a.curr = ? $curr_null) AND NOT (a.amount = paid)|; qq|ORDER BY a.id|; my $sth = prepare_execute_query($form, $dbh, $query, conv_i($form->{"${vc}_id"}),
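Review bot: `$ARAP` in the new bind argument `'%' . $ARAP . '%'` is not declared anywhere in this hunk, whereas the removed lines carried the allow-list `$form->{ARAP} eq "AR" ? "AR" : "AP"` inline. The placeholder keeps the value out of the SQL text, but it is now a LIKE pattern, so a `%` or `_` arriving in it would widen the match. If `$ARAP` is not already set from that same ternary earlier in paymentaccounts (the sub starts and ends outside the hunk), I would add `my $ARAP = $form->{ARAP} eq "AR" ? "AR" : "AP";` above the query. The context lines after the call still index `$form->{PR}` with the raw `$form->{ARAP}`, so it is worth checking that the key and the query filter cannot disagree.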
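Review bot: The added `$curr_null` line tests `$form->{curreny}`, which looks like a misspelling of `currency`; an unset key is always false, so ` OR a.curr IS NULL` is appended on every call and invoices with a NULL currency are listed whatever currency was selected. Assuming the bind argument outside the hunk is `$form->{currency}`, the line should read `my $curr_null = $form->{currency} ? '' : ' OR a.curr IS NULL';`. The rewritten WHERE line also still ends in `|;`, which terminates the assignment, so the following `qq|ORDER BY a.id|;` is a statement of its own and the ordering never reaches the query; ending the WHERE line with `AND NOT (a.amount = paid) | .` fixes that. The interpolated fragment is a fixed string, so it does not reopen the injection; `${vc}` is interpolated as before and its source is outside the hunk.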