my $buysell = $form->{vc} eq 'customer' ? "buy" : "sell";
my $arap = $form->{arap} eq "ar" ? "ar" : "ap";
+ my $curr_null = $form->{curreny} ? '' : ' OR a.curr IS NULL'; # fix: after sql-injection fix, curr is inserted as NULL, before that as ''
+
my $query =
qq|SELECT a.id, a.invnumber, a.transdate, a.amount, a.paid, a.curr | .
qq|FROM $arap a | .
- qq|WHERE (a.${vc}_id = ?) AND (a.curr = ?) AND NOT (a.amount = paid)|;
+ qq|WHERE (a.${vc}_id = ?) AND (a.curr = ? $curr_null) AND NOT (a.amount = paid)|;
qq|ORDER BY a.id|;
my $sth = prepare_execute_query($form, $dbh, $query,
conv_i($form->{"${vc}_id"}),
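Review bot: The new condition reads `$form->{curreny}`, which looks like a misspelling of `currency`; since that key is never set, `$curr_null` always expands to `' OR a.curr IS NULL'` and the added clause loosens the currency filter even when a currency was supplied, returning NULL-currency transactions the caller did not ask for. The line should be `my $curr_null = $form->{currency} ? '' : ' OR a.curr IS NULL';`, assuming the bind value passed after `conv_i(...)` (outside the hunk) is `$form->{currency}`. The rewritten WHERE line still ends with `|;`, so the following `qq|ORDER BY a.id|;` is never appended to `$query` (a useless-use-of-constant warning under `use warnings`); since the line is being touched anyway, end it with `paid)| .` instead. Interpolating `$curr_null` and `$arap` into the SQL is acceptable only because both are chosen from fixed literals rather than taken from the request, and a short comment such as `# $arap/$curr_null are constant literals, never user input` would make that invariant explicit for the next maintainer. The enclosing subroutine starts and ends outside the hunk.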
<td align=right>
<table>
$department
- <tr>
- <th align=right nowrap>| . $locale->text($form->{ARAP}) . qq|</th>
- <td colspan=3><select name=$form->{ARAP}>$form->{"select$form->{ARAP}"}</select>
- </td>
- <input type=hidden name="select$form->{ARAP}" value="$form->{"select$form->{ARAP}"}">
- </tr>
<tr>
<th align=right nowrap>| . $locale->text('Account') . qq|</th>
<td colspan=3><select name=account>$form->{selectaccount}</select>