X-Git-Url: http://wagnertech.de/gitweb/gitweb.cgi/kivitendo-erp.git/blobdiff_plain/61824c4571db7e870e7c9cdc03e4af408fd27702..ab96e204a2beec2302b1850df50f45a6e67a13c4:/SL/CP.pm
diff --git a/SL/CP.pm b/SL/CP.pm
index 56f579543..46cebfebf 100644
--- a/SL/CP.pm
+++ b/SL/CP.pm
@@ -74,8 +74,7 @@ sub paymentaccounts {
 qq|FROM chart | .
 qq|WHERE link LIKE ? |.
 qq|ORDER BY accno|;
- my $sth = prepare_execute_query($form, $dbh, $query,
- $form->{ARAP} eq "AR" ? "AR" : "AP" );
+ my $sth = prepare_execute_query($form, $dbh, $query, '%' . $ARAP . '%');
 $form->{PR}{ $form->{ARAP} } = ();
 $form->{PR}{"$form->{ARAP}_paid"} = ();
@@ -159,10 +158,12 @@ sub get_openinvoices {
 my $buysell = $form->{vc} eq 'customer' ? "buy" : "sell";
 my $arap = $form->{arap} eq "ar" ? "ar" : "ap";
+ my $curr_null = $form->{curreny} ? '' : ' OR a.curr IS NULL'; # fix: after sql-injection fix, curr is inserted as NULL, before that as ''
+
 my $query = qq|SELECT a.id, a.invnumber, a.transdate, a.amount, a.paid, a.curr | .
 qq|FROM $arap a | .
- qq|WHERE (a.${vc}_id = ?) AND (a.curr = ?) AND NOT (a.amount = paid)|;
+ qq|WHERE (a.${vc}_id = ?) AND (a.curr = ? $curr_null) AND NOT (a.amount = paid)|;
 qq|ORDER BY a.id|;
 my $sth = prepare_execute_query($form, $dbh, $query,
 conv_i($form->{"${vc}_id"}),
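Review bot: The new bind value `'%' . $ARAP . '%'` in `paymentaccounts` depends on `$ARAP`, which is declared outside this hunk, whereas the removed lines whitelisted the value inline with `$form->{ARAP} eq "AR" ? "AR" : "AP"`. If `$ARAP` is not assigned from that same ternary, request-supplied `%` or `_` characters would reach the LIKE pattern and widen which chart rows match. A comment on the call would record the assumption, for example `# $ARAP is restricted to "AR"/"AP" above; never bind $form->{ARAP} directly`.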
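Review bot: The added `$curr_null` line in `get_openinvoices` tests `$form->{curreny}`, which looks like a typo for `currency`; if that key is never set, the clause is always ` OR a.curr IS NULL` and invoices with a NULL currency are listed for every selected currency. It should presumably read `my $curr_null = $form->{currency} ? '' : ' OR a.curr IS NULL';`, but the second bind value lies outside the hunk, so confirm the key name there. The rewritten WHERE line also still ends in `;`, so the following `qq|ORDER BY a.id|;` is a separate statement that never reaches the query; ending it as `qq|WHERE (a.${vc}_id = ?) AND (a.curr = ? $curr_null) AND NOT (a.amount = paid) | .` would restore the ordering. Interpolating `$curr_null` into the SQL is acceptable only because it is one of two fixed literals, which deserves a short comment next to its declaration.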