www/includes/db_inventory_suppliers.php

changeset 64
5d5fc6f7cbfe
parent 18
395833e20f88
child 77
a9f8de2d7b2b
--- a/www/includes/db_inventory_suppliers.php	Sat Sep 22 22:15:01 2018 +0200
+++ b/www/includes/db_inventory_suppliers.php	Sun Sep 23 17:15:33 2018 +0200
@@ -10,56 +10,56 @@
 }
 
 // get data and store in a json array
-$query = "SELECT * FROM inventory_suppliers";
-if (isset($_GET['insert'])) {
+$query = "SELECT * FROM inventory_suppliers ORDER BY name";
+if (isset($_POST['insert'])) {
 	// INSERT COMMAND
-	$sql  = "INSERT INTO `inventory_suppliers` SET name='" . mysqli_real_escape_string($connect, $_GET['name']);
-	$sql .= "', address='" . mysqli_real_escape_string($connect, $_GET['address']);
-	$sql .= "', city='" . mysqli_real_escape_string($connect, $_GET['city']);
-	$sql .= "', zip='" . mysqli_real_escape_string($connect, $_GET['zip']);
-	$sql .= "', country='" . mysqli_real_escape_string($connect, $_GET['country']);
-	$sql .= "', website='" . mysqli_real_escape_string($connect, $_GET['website']);
-	$sql .= "', email='" . mysqli_real_escape_string($connect, $_GET['email']);
-	$sql .= "', phone='" . mysqli_real_escape_string($connect, $_GET['phone']);
-	$sql .= "', notes='" . mysqli_real_escape_string($connect, $_GET['notes']);
+	$sql  = "INSERT INTO `inventory_suppliers` SET name='" . mysqli_real_escape_string($connect, $_POST['name']);
+	$sql .= "', address='" . mysqli_real_escape_string($connect, $_POST['address']);
+	$sql .= "', city='" . mysqli_real_escape_string($connect, $_POST['city']);
+	$sql .= "', zip='" . mysqli_real_escape_string($connect, $_POST['zip']);
+	$sql .= "', country='" . mysqli_real_escape_string($connect, $_POST['country']);
+	$sql .= "', website='" . mysqli_real_escape_string($connect, $_POST['website']);
+	$sql .= "', email='" . mysqli_real_escape_string($connect, $_POST['email']);
+	$sql .= "', phone='" . mysqli_real_escape_string($connect, $_POST['phone']);
+	$sql .= "', notes='" . mysqli_real_escape_string($connect, $_POST['notes']);
 	$sql .= "';";
 	$result = mysqli_query($connect, $sql);
 	if (! $result) {
 		syslog(LOG_NOTICE, "db_inventory_suppliers: ".$sql." result: ".mysqli_error($connect));
 	} else {
-		syslog(LOG_NOTICE, "db_inventory_suppliers: inserted ".$_GET['name']);
+		syslog(LOG_NOTICE, "db_inventory_suppliers: inserted ".$_POST['name']);
 	}
 	echo $result;
 
-} else if (isset($_GET['update'])) {
+} else if (isset($_POST['update'])) {
 	// UPDATE COMMAND
-	$sql  = "UPDATE `inventory_suppliers` SET name='" . mysqli_real_escape_string($connect, $_GET['name']);
-	$sql .= "', address='" . mysqli_real_escape_string($connect, $_GET['address']);
-	$sql .= "', city='" . mysqli_real_escape_string($connect, $_GET['city']);
-	$sql .= "', zip='" . mysqli_real_escape_string($connect, $_GET['zip']);
-	$sql .= "', country='" . mysqli_real_escape_string($connect, $_GET['country']);
-	$sql .= "', website='" . mysqli_real_escape_string($connect, $_GET['website']);
-	$sql .= "', email='" . mysqli_real_escape_string($connect, $_GET['email']);
-	$sql .= "', phone='" . mysqli_real_escape_string($connect, $_GET['phone']);
-	$sql .= "', notes='" . mysqli_real_escape_string($connect, $_GET['notes']);
-	$sql .= "' WHERE record='" . $_GET['record'] . "';";
+	$sql  = "UPDATE `inventory_suppliers` SET name='" . mysqli_real_escape_string($connect, $_POST['name']);
+	$sql .= "', address='" . mysqli_real_escape_string($connect, $_POST['address']);
+	$sql .= "', city='" . mysqli_real_escape_string($connect, $_POST['city']);
+	$sql .= "', zip='" . mysqli_real_escape_string($connect, $_POST['zip']);
+	$sql .= "', country='" . mysqli_real_escape_string($connect, $_POST['country']);
+	$sql .= "', website='" . mysqli_real_escape_string($connect, $_POST['website']);
+	$sql .= "', email='" . mysqli_real_escape_string($connect, $_POST['email']);
+	$sql .= "', phone='" . mysqli_real_escape_string($connect, $_POST['phone']);
+	$sql .= "', notes='" . mysqli_real_escape_string($connect, $_POST['notes']);
+	$sql .= "' WHERE record='" . $_POST['record'] . "';";
 	$result = mysqli_query($connect, $sql);
 	if (! $result) {
 		syslog(LOG_NOTICE, "db_inventory_suppliers: ".$sql." result: ".mysqli_error($connect));
 	} else {
-		syslog(LOG_NOTICE, "db_inventory_suppliers: updated record ".$_GET['record']);
+		syslog(LOG_NOTICE, "db_inventory_suppliers: updated record ".$_POST['record']);
 	}
 	echo $result;
 
-} else if (isset($_GET['delete'])) {
+} else if (isset($_POST['delete'])) {
 	// DELETE COMMAND
 	// FIXME: need to check if the record is in use
-	$sql = "DELETE FROM `inventory_suppliers` WHERE record='".$_GET['record']."';";
+	$sql = "DELETE FROM `inventory_suppliers` WHERE record='".$_POST['record']."';";
 	$result = mysqli_query($connect, $sql);
 	if (! $result) {
 		syslog(LOG_NOTICE, "db_inventory_suppliers: ".$sql." result: ".mysqli_error($connect));
 	} else {
-		syslog(LOG_NOTICE, "db_inventory_suppliers: deleted record ".$_GET['record']);
+		syslog(LOG_NOTICE, "db_inventory_suppliers: deleted record ".$_POST['record']);
 	}
 	echo $result;
 
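Review bot: `$_POST['record']` is still concatenated into the WHERE clause without escaping in both the UPDATE and the DELETE statement, while every other field goes through `mysqli_real_escape_string`; moving the handlers from GET to POST does not make the value any less client-controlled, so both statements remain open to SQL injection. At minimum escape it like the other fields, e.g. `$sql .= "' WHERE record='" . mysqli_real_escape_string($connect, $_POST['record']) . "';";` and the same in the DELETE line; a prepared statement via `mysqli_prepare` / `mysqli_stmt_bind_param` would remove the string building altogether. The success paths also write `$_POST['name']` and `$_POST['record']` to syslog verbatim and the failure path logs the full `$sql`, so supplier data and any embedded line breaks end up in the log unfiltered. The if/else chain begins before and continues after this hunk, so whether an authentication or CSRF check guards these state-changing branches is not visible here and should be confirmed.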
