admin/Facilitor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FSN#29538 -- Nieuwe SQL-injection

Browse Source 
svn path=/Website/branches/v5.4.1/; revision=21504
This commit is contained in:
Arthur Egberink
2014-05-05 13:41:36 +00:00
parent b4a341cd42
commit 66c8463f0b
1 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
CUST/AAVL/custfunctions.wsc
View File

@@ -83,15 +83,17 @@ bes_punch_receive = function (RequestForm, bes_srtdeel_key, item, pResult)
// is de inclusief BTW prijs. Hier moeten we het BTW bedrag van aftrekken.
if (bedr_key == 572)
{
var vat = punchNVL("NEW_ITEM-VAT[#]", item, -1);
var vatamount = punchNVL("NEW_ITEM-VATAMOUNT[#]", item, -1);
var val = punchNVL("NEW_ITEM-VAT[#]", item, -1);
var vat = parseFloat(val.replace(/,/g,"."));
var val = punchNVL("NEW_ITEM-VATAMOUNT[#]", item, -1);
var vatamount = parseFloat(val.replace(/,/g,"."));
sql = "UPDATE bes_srtdeel SET bes_srtdeel_opmerking = bes_srtdeel_nr "
+ (vat == -1 ? " " : " ,bes_srtdeel_btw = " + vat)
+ (vat == -1 || isNaN(vat)? " " : " ,bes_srtdeel_btw = " + vat)
+ " WHERE bes_srtdeel_key = " + bes_srtdeel_key;
oRs = Oracle.Execute(sql);
if (vatamount != -1)
if (vatamount != -1 && !isNaN(vatamount))
{
sql = "UPDATE bes_srtdeel_prijs SET bes_srtdeel_prijs_prijs = bes_srtdeel_prijs_prijs - " + vatamount
+ " WHERE bes_srtdeel_key = " + bes_srtdeel_key