From 4760bdada4360adda015d4c10fd3d3a69f2a82df Mon Sep 17 00:00:00 2001
From: Khurshid Alam <kmkalam24@gmail.com>
Date: Tue, 1 Nov 2022 21:55:53 +0600
Subject: [PATCH] Security Update

---
 core/functions.php                            | 83 ++++++++++++-------
 module/accounts/ajax.php                      |  6 +-
 module/expenses/ajax.php                      |  4 +-
 module/incomes/ajax.php                       |  2 +-
 module/ledgers/ajax.php                       | 36 ++++----
 module/loan-management/ajax.php               |  2 +-
 module/my-shop/ajax.php                       |  8 +-
 module/peoples/ajax.php                       | 12 +--
 module/production/ajax.php                    | 83 +++++++++++++++++--
 module/production/link-raw-materials.php      |  2 +-
 module/products/ajax.php                      | 14 ++--
 module/products/attach-sub-product.php        |  2 +-
 module/products/edit-product.php              |  4 +-
 module/reports/ajax.php                       | 54 +++++-------
 module/reports/ajax_back.php                  |  6 +-
 .../customer-report-single.php                |  2 +-
 .../product-report/product-report-single.php  |  2 +-
 module/sales/ajax.php                         |  4 +-
 module/sales/edit-sale.php                    |  2 +-
 module/settings/ajax.php                      |  8 +-
 module/stock-management/ajax.php              | 12 +--
 module/stock-management/edit-purchase.php     |  2 +-
 22 files changed, 213 insertions(+), 137 deletions(-)

diff --git a/core/functions.php b/core/functions.php
index 31f892c..ed5de85 100644
--- a/core/functions.php
+++ b/core/functions.php
@@ -18,6 +18,16 @@ function safe_input($data, $encoding = true) {
 	return $data;
 }
 
+/**
+ * Convert all applicable characters to HTML entities
+ * 
+ * From PHP 8.1.0 the default flag is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401
+ * So, we make this for all version
+ */
+function safe_entities($data) {
+    return htmlentities($data, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401);
+}
+
 /**
  * Determine the http or https and append with the domain.
  * 
@@ -2374,10 +2384,11 @@ function send_sms($number, $msg) {
 
         global $table_prefeix;
 
-	    $url = "http://example.com/api.php";
+        //$url = "http://66.45.237.70/maskingapi.php";
+	    $url = "http://66.45.237.70/api.php";
         $data= array(
-            'username'=>"username",
-            'password'=>"password",
+            'username'=>"Royal",
+            'password'=>"CZXAPHK8",
             //'senderid'=> "The Royal",
             'number'=>$number,
             'message'=>$msg
@@ -2777,40 +2788,48 @@ function near_unit_qty($product_id, $qty, $unit) {
         )
     ));
     
+
+    if($getData !== false) {
+
+        $totalBaseQty = $qty;
+        $remainQty = 0;
+        $finalUnitName = "";
+        $finalQtyBasedOnUnit = 0;
+        
+        // Generate the base qty based on unit
+        foreach($getData["data"] as $pKey => $pVal ) {
+        
+            if( $pVal["product_unit"] === $unit) {
+        
+                $totalBaseQty *= $pVal["base_qnt"];
+                break;
+        
+            }
         
-    $totalBaseQty = $qty;
-    $remainQty = 0;
-    $finalUnitName = "";
-    $finalQtyBasedOnUnit = 0;
-    
-    // Generate the base qty based on unit
-    foreach($getData["data"] as $pKey => $pVal ) {
-    
-        if( $pVal["product_unit"] === $unit) {
-    
-            $totalBaseQty *= $pVal["base_qnt"];
-            break;
-    
         }
-    
-    }
-    
-    // Now get the unit which base_qnt is grater then or equal to unitDevider
-    foreach($getData["data"] as $pKey => $pVal ) {
-    
-        if( $pVal["base_qnt"] <= $totalBaseQty) {
-    
-            $finalUnitName = $pVal["product_unit"];
-            $remainQty = ($totalBaseQty % $pVal["base_qnt"]);
-            $finalQtyBasedOnUnit = ($totalBaseQty - $remainQty) / $pVal["base_qnt"];
-            break;
-    
+        
+        // Now get the unit which base_qnt is grater then or equal to unitDevider
+        foreach($getData["data"] as $pKey => $pVal ) {
+        
+            if( $pVal["base_qnt"] <= $totalBaseQty) {
+        
+                $finalUnitName = $pVal["product_unit"];
+                $remainQty = ($totalBaseQty % $pVal["base_qnt"]);
+                $finalQtyBasedOnUnit = ($totalBaseQty - $remainQty) / $pVal["base_qnt"];
+                break;
+        
+            }
+        
         }
-    
-    }
 
 
-    return $finalQtyBasedOnUnit . " " . $finalUnitName . ( $remainQty > 0 ? ", " . near_unit_qty($product_id, $remainQty, $unit) : "");
+        return $finalQtyBasedOnUnit . " " . $finalUnitName . ( $remainQty > 0 ? ", " . near_unit_qty($product_id, $remainQty, $unit) : "");
+
+    } else {
+
+        return $qty . " " . $unit;
+
+    }
 
 
 }
diff --git a/module/accounts/ajax.php b/module/accounts/ajax.php
index 7f6e674..055d760 100644
--- a/module/accounts/ajax.php
+++ b/module/accounts/ajax.php
@@ -333,7 +333,7 @@
             <label for="negativeValueIsAllowed"><?= __("Negative value is allowed"); ?></label>
         </div>
 
-        <input type="hidden" name="accounts_id" value="<?php echo htmlentities($_GET['id']); ?>">
+        <input type="hidden" name="accounts_id" value="<?php echo safe_entities($_GET['id']); ?>">
               
       </div>
       <!-- /Box body-->
@@ -692,7 +692,7 @@
             <label for="transferDescription"><?= __("Description:");?></label>
             <textarea name="transferDescription" id="transferDescription" rows="3" class="form-control"><?php echo $selectTransfer["transfer_money_description"]; ?></textarea>
         </div>
-        <input type="hidden" name="transfer_money_id" value="<?php echo htmlentities($_GET["id"]); ?>">
+        <input type="hidden" name="transfer_money_id" value="<?php echo safe_entities($_GET["id"]); ?>">
 
       </div>
       <!-- /Box body-->
@@ -1242,7 +1242,7 @@
             <label for="closingDate"><?= __("Closing Date:"); ?></label>
             <input type="text" name="closingDate" id="closingDate" value="<?php echo $closings["closings_date"]; ?>" class="form-control datePicker" required>
         </div>
-        <input type="hidden" name="closingsId" value="<?php echo htmlentities($_GET["id"]); ?>">
+        <input type="hidden" name="closingsId" value="<?php echo safe_entities($_GET["id"]); ?>">
     
     </div>
     <!-- /Box body-->
diff --git a/module/expenses/ajax.php b/module/expenses/ajax.php
index 2bc975d..623f344 100644
--- a/module/expenses/ajax.php
+++ b/module/expenses/ajax.php
@@ -232,7 +232,7 @@
             <div class="form-group">
                 <label for="categoryName">Category Name</label>
                 <input type="text" name="categoryName" id="categoryName" value="<?php echo $selectPaymentCategory["payment_category_name"]; ?>" class="form-control">
-                <input type="hidden" name="categoryNameID" value="<?php echo htmlentities($_GET["id"]); ?>">
+                <input type="hidden" name="categoryNameID" value="<?php echo safe_entities($_GET["id"]); ?>">
             </div>
             <div class="form-group">
                 <label for="categoryShopId"><?= __("Shop:"); ?> </label>
@@ -1867,7 +1867,7 @@ function (data, status) {
             <label for="salaryDescription"><?= __("Description"); ?></label>
             <textarea name="salaryDescription" id="salaryDescription" rows="3" class="form-control"> <?php echo $selectSalary["salary_description"]; ?> </textarea>
         </div>
-        <input type="hidden" name="salaryId" value="<?php echo htmlentities($_GET["id"]); ?>">
+        <input type="hidden" name="salaryId" value="<?php echo safe_entities($_GET["id"]); ?>">
         <input type="hidden" name="employeeId" value="<?php echo $selectSalary["salary_emp_id"]; ?>">
         <div id="ajaxSubmitMsg"></div>
 
diff --git a/module/incomes/ajax.php b/module/incomes/ajax.php
index 75413d6..be4d549 100644
--- a/module/incomes/ajax.php
+++ b/module/incomes/ajax.php
@@ -1464,7 +1464,7 @@ function(data, status) {
             <label for="incomeDescription"><?= __("Description:"); ?></label>
             <textarea name="incomeDescription" id="incomeDescription" rows="3" class="form-control"><?php echo $income["incomes_description"]; ?></textarea>
         </div>
-        <input type="hidden" name="income_id" value="<?php echo htmlentities($_GET["id"]); ?>">
+        <input type="hidden" name="income_id" value="<?php echo safe_entities($_GET["id"]); ?>">
 
       </div>
       <!-- /Box body-->
diff --git a/module/ledgers/ajax.php b/module/ledgers/ajax.php
index 6550cda..fdcb221 100644
--- a/module/ledgers/ajax.php
+++ b/module/ledgers/ajax.php
@@ -44,7 +44,7 @@
 					sum(payment_items_amount) as total_salary_paid_before_filtered_date
 				from {$table_prefeix}payment_items where is_trash = 0 and payment_items_type != 'Bill' and payment_items_date < '{$dateRange[0]}' group by payment_items_employee 
 			) as payments on payment_items_employee = emp_id
-			where emp_id = {$emp_id}
+			where emp_id = '{$emp_id}'
 		");
 
 		
@@ -53,7 +53,7 @@
             (
                 select 
                     1 as sortby,
-                    {$emp_id} as empl_id,
+                    '{$emp_id}' as empl_id,
                     '' as ledger_date,
                     'Opening/Previous Balance' as description,
                     0 as debit,
@@ -89,7 +89,7 @@
                 from {$table_prefeix}payment_items
 				where is_trash = 0 and payment_items_type != 'Bill' and payment_items_date between '{$dateRange[0]}' and '{$dateRange[1]}' group by payment_items_id
 			) as get_data
-			where empl_id = {$emp_id}
+			where empl_id = '{$emp_id}'
             order by ledger_date, sortby
 		");
 			
@@ -253,7 +253,7 @@
                 WHERE is_trash = 0 and capital_received_date < '{$dateRange[0]}'
                 group by capital_accounts
             ) as capital on capital.capital_accounts = accounts.accounts_id
-			where accounts_id = {$account_id}
+			where accounts_id = '{$account_id}'
 		");
 
 		
@@ -261,7 +261,7 @@
 			SELECT account_id, ledger_date_time, sql_join_id, sql_join_id_two, description, debit, credit, @balance := ( @balance + debit ) - credit as balance from
 			(
 				SELECT 
-					{$account_id} as account_id,
+					'{$account_id}' as account_id,
 					'' as ledger_date_time,
 					'' as sql_join_id,
 					'' as sql_join_id_two,
@@ -429,7 +429,7 @@
 				from {$table_prefeix}capital as capital
 				where capital.is_trash = 0 and capital_received_date between '{$dateRange[0]}' and '{$dateRange[1]}'
 			) as getData
-			where account_id = {$account_id}
+			where account_id = '{$account_id}'
 			order by ledger_date_time ASC
 		");
 			
@@ -508,7 +508,7 @@
 					sum(journal_records_payment_amount) as journal_records_incoming_payment_amount_before_filtered_date
 				from {$table_prefeix}journal_records where is_trash = 0 and journal_records_payments_type = 'Incoming' and date(journal_records_datetime) < '{$dateRange[0]}' group by journal_records_journal_id
 			) as journal_records_Incoming on journal_records_Incoming.journal_records_journal_id = journals_id
-			where journals_id  = {$journal_id}
+			where journals_id  = '{$journal_id}'
 		");
 
 		
@@ -517,7 +517,7 @@
             (
                 select 
                     1 as sortby,
-                    {$journal_id} as journals_id,
+                    '{$journal_id}' as journals_id,
                     '' as ledger_date,
                     'Opening/Previous Balance' as description,
                     0 as debit,
@@ -543,7 +543,7 @@
                 from {$table_prefeix}journal_records as journal_records_outgoing
                 where journal_records_outgoing.is_trash = 0 and journal_records_outgoing.journal_records_payments_type = 'Outgoing' and date(journal_records_outgoing.journal_records_datetime) between '{$dateRange[0]}' and '{$dateRange[1]}' group by journal_records_outgoing.journal_records_id
 			) as get_data
-			where journals_id = {$journal_id}
+			where journals_id = '{$journal_id}'
             order by ledger_date, sortby
 		");
 			
@@ -631,7 +631,7 @@
                     sum(payments_return_amount) as total_payment_return_before_filtered_date
                 from {$table_prefeix}payments_return where is_trash = 0 and payments_return_type = 'Outgoing' and date(payments_return_date) < '{$dateRange[0]}' group by payments_return_customer_id
             ) as payment_return on payments_return_customer_id = customer_id
-			where customer_id = {$customer_id}
+			where customer_id = '{$customer_id}'
 		");
 		
 		$getData = easySelectD("
@@ -639,7 +639,7 @@
             (
                 select 
                     1 as sortby,
-                    {$customer_id} as customer_id,
+                    '{$customer_id}' as customer_id,
                     '' as ledger_date,
                     'Opening/Previous Balance' as description,
                     0 as debit,
@@ -713,7 +713,7 @@
 					incomes_amount as credit
 				from {$table_prefeix}incomes where is_trash = 0 and incomes_date between '{$dateRange[0]}' and '{$dateRange[1]}' group by incomes_id
 			) as get_data
-			where customer_id = {$customer_id}
+			where customer_id = '{$customer_id}'
             order by ledger_date, sortby
 		");
 			
@@ -803,7 +803,7 @@
                     sum(payments_return_amount) as total_payment_return_before_filtered_date
                 from {$table_prefeix}payments_return where is_trash = 0 and payments_return_type = 'Incoming' and date(payments_return_date) < '{$dateRange[0]}' group by payments_return_company_id
             ) as payment_return on payments_return_company_id = company_id
-			where company_id = {$company_id}
+			where company_id = '{$company_id}'
 		");
 
 		//var_dump($previous_balance);
@@ -813,7 +813,7 @@
             (
                 select 
                     1 as sortby,
-                    {$company_id} as company_id,
+                    '{$company_id}' as company_id,
                     '' as ledger_date,
                     'Opening/Previous Balance' as description,
                     0 as debit,
@@ -901,7 +901,7 @@
                     payments_return_amount as credit
                 from {$table_prefeix}payments_return where is_trash = 0 and payments_return_type = 'Incoming' and date(payments_return_date) between '{$dateRange[0]}' and '{$dateRange[1]}' group by company_id
             ) as get_data
-			where company_id = {$company_id}
+			where company_id = '{$company_id}'
             order by ledger_date, sortby
 		");
 			
@@ -982,7 +982,7 @@
 					sum(payments_return_amount) as total_return_before_filtered_date
 				from {$table_prefeix}payments_return where is_trash = 0 and date(payments_return_date) < '{$dateRange[0]}' group by payments_return_emp_id
 			) as payment_return on payments_return_emp_id = emp_id
-			where emp_id = {$emp_id}
+			where emp_id = '{$emp_id}'
 		");
 
 		
@@ -991,7 +991,7 @@
             (
                 select 
                     1 as sortby,
-                    {$emp_id} as empl_id,
+                    '{$emp_id}' as empl_id,
                     '' as ledger_date,
                     'Opening/Previous Balance' as description,
                     0 as debit,
@@ -1036,7 +1036,7 @@
                 from {$table_prefeix}payments_return
                 where is_trash = 0 and date(payments_return_date) between '{$dateRange[0]}' and '{$dateRange[1]}' group by payments_return_id
 			) as get_data
-			where empl_id = {$emp_id}
+			where empl_id = '{$emp_id}'
             order by ledger_date, sortby
 		");
 			
diff --git a/module/loan-management/ajax.php b/module/loan-management/ajax.php
index 2610e2b..a78cd7b 100644
--- a/module/loan-management/ajax.php
+++ b/module/loan-management/ajax.php
@@ -300,7 +300,7 @@
             <label for="loanDetails"><?= __("Loan Details"); ?></label>
             <textarea name="loanDetails" id="loanDetails" rows="3" class="form-control"><?php echo $selectLoan["loan_details"]; ?></textarea>
         </div>
-        <input type="hidden" name="loan_id" value="<?php echo htmlentities($_GET["id"]); ?>">
+        <input type="hidden" name="loan_id" value="<?php echo safe_entities($_GET["id"]); ?>">
 
         <div id="ajaxSubmitMsg"></div>
 
diff --git a/module/my-shop/ajax.php b/module/my-shop/ajax.php
index c900167..9f8c77d 100644
--- a/module/my-shop/ajax.php
+++ b/module/my-shop/ajax.php
@@ -301,8 +301,8 @@
             <label for="addSalesPaymentsDescription"><?= __("Description:"); ?></label>
             <textarea name="addSalesPaymentsDescription" id="addSalesPaymentsDescription" rows="3" class="form-control"></textarea>
         </div>
-        <input type="hidden" name="addSalesPaymentsCustomerId" value="<?php echo htmlentities($_GET["cid"]); ?>">
-        <input type="hidden" name="addSalesPaymentsSalesId" value="<?php echo htmlentities($_GET["sales_id"]); ?>">
+        <input type="hidden" name="addSalesPaymentsCustomerId" value="<?php echo safe_entities($_GET["cid"]); ?>">
+        <input type="hidden" name="addSalesPaymentsSalesId" value="<?php echo safe_entities($_GET["sales_id"]); ?>">
 
         <div id="ajaxSubmitMsg"></div>
 
@@ -1210,7 +1210,7 @@
                 <input type="text" name="advancePaymentReference" id="advancePaymentReference" value="<?php echo $ac["received_payments_reference"]; ?>" class="form-control">
             </div>
         </div>
-        <input type="hidden" name="shopAdvanceCollectionId" value ="<?php echo htmlentities($_GET["id"]); ?>">
+        <input type="hidden" name="shopAdvanceCollectionId" value ="<?php echo safe_entities($_GET["id"]); ?>">
 
         <div id="ajaxSubmitMsg"></div>
         
@@ -2193,7 +2193,7 @@ function(data, status) {
             <label for="discountDescription"><?= __("Description:"); ?></label>
             <textarea name="discountDescription" id="discountDescription" rows="3" class="form-control"><?php echo $selectDiscount["received_payments_details"]; ?></textarea>
         </div>
-        <input type="hidden" name="discountId" value="<?php echo htmlentities($_GET["id"]); ?>">
+        <input type="hidden" name="discountId" value="<?php echo safe_entities($_GET["id"]); ?>">
 
         <div id="ajaxSubmitMsg"></div>
 
diff --git a/module/peoples/ajax.php b/module/peoples/ajax.php
index 6330302..a4e15b5 100644
--- a/module/peoples/ajax.php
+++ b/module/peoples/ajax.php
@@ -485,7 +485,7 @@
               <!-- Column three -->
             </div> <!-- row -->
 
-            <input type="hidden" name="emp_id" value="<?php echo htmlentities($_GET['id']); ?>">
+            <input type="hidden" name="emp_id" value="<?php echo safe_entities($_GET['id']); ?>">
 
 
     <?php
@@ -867,7 +867,7 @@
     
     ?>
             <div class="box-body">
-                <input type="hidden" name="user_id" value="<?php echo htmlentities($_GET['id']); ?>">
+                <input type="hidden" name="user_id" value="<?php echo safe_entities($_GET['id']); ?>">
 
                 <style>
                 
@@ -1056,7 +1056,7 @@
             <label for="confirmUserPassword"><?= __("Confirm User Password:"); ?></label>
             <input type="password" name="confirmUserPassword" id="confirmUserPassword" class="form-control">
         </div>
-        <input type="hidden" name="user_id" value="<?php echo htmlentities($_GET['id']); ?>">
+        <input type="hidden" name="user_id" value="<?php echo safe_entities($_GET['id']); ?>">
             
     </div>
     <!-- /Box body-->
@@ -1218,7 +1218,7 @@
         <label for="confirmNewPassword"><?= __("Confirm New Password:"); ?></label>
         <input type="password" name="confirmNewPassword" id="confirmNewPassword" class="form-control">
       </div>
-      <input type="hidden" name="user_id" value="<?php echo htmlentities($_GET['id']); ?>">
+      <input type="hidden" name="user_id" value="<?php echo safe_entities($_GET['id']); ?>">
             
     </div>
     <!-- /Box body-->
@@ -2221,7 +2221,7 @@
             <textarea name="customerAddress" id="customerAddress" rows="3" class="form-control"> <?php echo $customers["customer_address"]; ?> </textarea>
         </div>
 
-      <input type="hidden" name="customer_id" value="<?php echo htmlentities($_GET['id']); ?>">
+      <input type="hidden" name="customer_id" value="<?php echo safe_entities($_GET['id']); ?>">
             
     </div>
     <!-- /Box body-->
@@ -2683,7 +2683,7 @@
         <label for="companyWebsite"><?= __("Website:"); ?></label>
         <input type="text" name="companyWebsite" id="companyWebsite" value="<?php echo $companies["company_website"]; ?>" class="form-control">
       </div>
-      <input type="hidden" name="company_id" value="<?php echo htmlentities($_GET['id']); ?>">
+      <input type="hidden" name="company_id" value="<?php echo safe_entities($_GET['id']); ?>">
             
     </div>
     <!-- /Box body-->
diff --git a/module/production/ajax.php b/module/production/ajax.php
index 9e27c31..2f55722 100644
--- a/module/production/ajax.php
+++ b/module/production/ajax.php
@@ -658,14 +658,6 @@
 
             $product = $selectProduct["data"][0];
 
-            // Delete Privous bg product
-            easyPermDelete(
-                "bg_product_items",
-                array(
-                    "bg_product_id" => $_POST["mainProduct"]
-                )
-            );
-
 
             // Insert Bundle/ Sub product
             $insertSubProduct = "INSERT INTO {$table_prefeix}bg_product_items(
@@ -676,7 +668,78 @@
                 is_raw_materials
             ) VALUES";
 
-             
+            
+            // If the main product is variable
+            if( $product["product_type"] === "Variable" ) {
+
+                /**
+                 * If the main product is variable
+                 * Then add sub product in all child product
+                 */
+
+
+                // Select all Child product of this variable product
+                easySelectA(array(
+                    "table" => "products",
+                    "where" => array(
+                        "parent_product_id" => $_POST["mainProduct"]
+                    )
+                ));
+
+                
+
+                // Delete Privous bg product
+                easyPermDelete(
+                    "bg_product_items",
+                    array(
+                        "bg_product_id" => $_POST["mainProduct"]
+                    )
+                );
+
+                
+                foreach($_POST["bgProductID"] as $pkey => $bgProductId) {
+
+                    // If there have any unit in this product
+                    // Then multiply the bgProductQnt with unit base qty
+                    if( !empty($product['product_unit']) ) {
+
+                        $bgProductQty = "(select base_qnt * ". $_POST["bgProductQnt"][$pkey] ." from {$table_prefeix}product_units where unit_name = '{$product['product_unit']}' )";
+
+                    } else {
+                        
+                        $bgProductQty = safe_input($_POST["bgProductQnt"][$pkey]);
+
+                    }
+
+                    $insertSubProduct .= "(
+                        '{$product['product_id']}',
+                        '{$bgProductId}',
+                        '". safe_input($_POST["bgProductSalePrice"][$pkey]) ."',
+                        '{$bgProductQty}',
+                        '1'
+                    ),";
+                    
+
+                }
+
+
+            }
+
+
+            /**
+             * Either The main product is variable or normal or child
+             * Add sub product on it along with child product
+             */
+
+            // Delete Privous bg product
+            easyPermDelete(
+                "bg_product_items",
+                array(
+                    "bg_product_id" => $_POST["mainProduct"]
+                )
+            );
+
+            
             foreach($_POST["bgProductID"] as $pkey => $bgProductId) {
 
                 // If there have any unit in this product
@@ -702,6 +765,8 @@
 
             }
 
+            
+
 
             // Run query to insert sub products
             runQuery(substr_replace($insertSubProduct, ";", -1, 1));
diff --git a/module/production/link-raw-materials.php b/module/production/link-raw-materials.php
index 148866d..9867807 100644
--- a/module/production/link-raw-materials.php
+++ b/module/production/link-raw-materials.php
@@ -124,7 +124,7 @@
                                 <div class="text-center">
                                     <button data-toggle="modal" data-target="#browseProduct" type="button" class="btn btn-info"><i class="fa fa-folder-open"></i> <?php echo __("browse Product"); ?></button>
                                 </div>
-                                <input type="hidden" name="mainProduct" value="<?php echo htmlentities($_GET["pid"]); ?>">
+                                <input type="hidden" name="mainProduct" value="<?php echo safe_entities($_GET["pid"]); ?>">
                                 <br />
 
                                 <!-- Browse Product Modal -->
diff --git a/module/products/ajax.php b/module/products/ajax.php
index 401a00f..48a7121 100644
--- a/module/products/ajax.php
+++ b/module/products/ajax.php
@@ -221,7 +221,7 @@
         <select name="shopId" id="shopId" class="form-control select2Ajax" select2-ajax-url="<?php echo full_website_address() ?>/info/?module=select2&page=shopList" style="width: 100%;">
           <option value="<?php echo $productCategory["shop_id"]; ?>"><?php echo $productCategory["shop_name"]; ?></option>  
         </select>
-        <input type="hidden" name="category_id" value="<?php echo htmlentities($_GET['id']); ?>">
+        <input type="hidden" name="category_id" value="<?php echo safe_entities($_GET['id']); ?>">
       </div>
             
     </div>
@@ -1747,7 +1747,7 @@
         <label for="unitDescription"><?= __("Unit Description"); ?></label>
         <textarea name="unitDescription" id="unitDescription" rows="3" class="form-control"><?php echo $itemUnit["unit_description"]; ?></textarea>
       </div>
-      <input type="hidden" name="unit_id" value="<?php echo htmlentities($_GET['id']); ?>">
+      <input type="hidden" name="unit_id" value="<?php echo safe_entities($_GET['id']); ?>">
     </div>
     <!-- /Box body-->
 
@@ -1992,7 +1992,7 @@
           <label for="editionDescription"><?= __("Description:"); ?></label>
           <textarea name="editionDescription" id="editionDescription" rows="3" class="form-control"><?php echo $productEdition["edition_description"]; ?></textarea>
         </div>
-        <input type="hidden" name="edition_id" value="<?php echo htmlentities($_GET['id']); ?>">
+        <input type="hidden" name="edition_id" value="<?php echo safe_entities($_GET['id']); ?>">
               
       </div>
       <!-- /Box body-->
@@ -2214,7 +2214,7 @@
         <label for="brandDescription"><?= __("Brand Description:"); ?></label>
         <textarea name="brandDescription" id="brandDescription" rows="3" class="form-control"><?php echo $ProductBrand["brand_description"]; ?></textarea>
       </div>
-      <input type="hidden" name="brand_id" value="<?php echo htmlentities($_GET['id']); ?>">
+      <input type="hidden" name="brand_id" value="<?php echo safe_entities($_GET['id']); ?>">
             
     </div>
     <!-- /Box body-->
@@ -2749,7 +2749,7 @@
           <label for="attributeDescription"><?= __("Attribute Description:"); ?></label>
           <textarea name="attributeDescription" id="attributeDescription" cols="30" rows="3" class="form-control"><?php echo $pa["pa_description"] ; ?></textarea>
         </div>
-        <input type="hidden" name="pa_id" value="<?php echo htmlentities($_GET["id"]); ?>">
+        <input type="hidden" name="pa_id" value="<?php echo safe_entities($_GET["id"]); ?>">
         
         
       </div>
@@ -3022,7 +3022,7 @@
           <label for="variationDescription"><?= __("Description:"); ?></label>
           <textarea name="variationDescription" id="variationDescription" cols="30" rows="3" class="form-control"><?php echo $pv["pv_description"]; ?></textarea>
         </div>
-        <input type="hidden" name="pv_id" value="<?php echo htmlentities($_GET["id"]); ?>">
+        <input type="hidden" name="pv_id" value="<?php echo safe_entities($_GET["id"]); ?>">
         
         
       </div>
@@ -3275,7 +3275,7 @@
           <label for="genericDescription"><?= __("Description:"); ?></label>
           <textarea name="genericDescription" id="genericDescription" cols="30" rows="3" class="form-control"><?php echo $pg["generic_description"]; ?></textarea>
         </div>
-        <input type="hidden" name="generic_id" value="<?php echo htmlentities($_GET["id"]); ?>">
+        <input type="hidden" name="generic_id" value="<?php echo safe_entities($_GET["id"]); ?>">
         
       </div>
       <!-- /Box body-->
diff --git a/module/products/attach-sub-product.php b/module/products/attach-sub-product.php
index d71cf8b..6b77c6b 100644
--- a/module/products/attach-sub-product.php
+++ b/module/products/attach-sub-product.php
@@ -123,7 +123,7 @@
                                 <div class="text-center">
                                     <button data-toggle="modal" data-target="#browseProduct" type="button" class="btn btn-info"><i class="fa fa-folder-open"></i> <?php echo __("browse Product"); ?></button>
                                 </div>
-                                <input type="hidden" name="mainProduct" value="<?php echo htmlentities($_GET["pid"]); ?>">
+                                <input type="hidden" name="mainProduct" value="<?php echo safe_entities($_GET["pid"]); ?>">
                                 <br />
 
                                 <!-- Browse Product Modal -->
diff --git a/module/products/edit-product.php b/module/products/edit-product.php
index 4728b72..971be0e 100644
--- a/module/products/edit-product.php
+++ b/module/products/edit-product.php
@@ -127,7 +127,7 @@
                         <div class="form-group col-md-6 required">
                             <label for="productName"><?php echo __("Product Name:"); ?></label>
                             <input type="text" name="productName" id="productName" value="<?php echo $product["product_name"]; ?>" class="form-control" required>
-                            <input type="hidden" name="product_id" value="<?php echo htmlentities($_GET["pid"]); ?>">
+                            <input type="hidden" name="product_id" value="<?php echo safe_entities($_GET["pid"]); ?>">
                         </div>
                         <div class="form-group col-md-3 required">
                             <?php
@@ -319,7 +319,7 @@
 
                             <div style="margin-bottom: 5px;" class="form-group col-md-3">
                                 <div style="height: 120px; text-align: center;" class="image_preview">
-                                    <img style="margin: auto;" class="previewing" width="auto" height="140px" src="<?php echo full_website_address(); ?>/images/?for=products&id=<?php echo htmlentities($_GET["pid"]); ?>" />
+                                    <img style="margin: auto;" class="previewing" width="auto" height="140px" src='<?php echo full_website_address(); ?>/images/?for=products&id=<?php echo safe_entities($_GET["pid"], ENT_QUOTES); ?>' />
                                 </div>
                             </div>
 
diff --git a/module/reports/ajax.php b/module/reports/ajax.php
index 6ae2502..9df9481 100644
--- a/module/reports/ajax.php
+++ b/module/reports/ajax.php
@@ -52,9 +52,9 @@
  
     if(!empty($requestData["search"]["value"]) or !empty($requestData["columns"][1]['search']['value']) or !empty($requestData["columns"][2]['search']['value']) or !empty($requestData["columns"][3]['search']['value']) or !empty($requestData["columns"][4]['search']['value']) ) {  // get data with search
         
-        $edition_filter = empty($requestData["columns"][4]['search']['value']) ? "AND product.product_type != 'Child'" : "AND product_edition = {$requestData["columns"][4]['search']['value']} ";
+        $edition_filter = empty($requestData["columns"][4]['search']['value']) ? "AND product.product_type != 'Child'" : "AND product_edition = '". safe_input($requestData["columns"][4]['search']['value']) ."' ";
 
-        $warehouse_filter = empty($requestData["columns"][1]['search']['value']) ? "" : " = " . safe_input($requestData["columns"][1]['search']['value']);
+        $warehouse_filter = empty($requestData["columns"][1]['search']['value']) ? "" : " = '". safe_input($requestData["columns"][1]['search']['value']) ."'";
 
         
         $getData = easySelectA(array(
@@ -407,7 +407,7 @@
     $pid = safe_input($_POST["datatoUpdate"]);
 
     // Delete previous stock belongs to this product id
-    runQuery("DELETE FROM product_base_stock WHERE product_id = {$pid}");
+    runQuery("DELETE FROM product_base_stock WHERE product_id = '{$pid}'");
 
     // Insert New Stocks
     runQuery("
@@ -503,7 +503,7 @@
 
     $getDateRange = ( isset( $requestData['columns'][1]['search']['value']) and !empty($requestData['columns'][1]['search']['value']) )  ? safe_input($requestData['columns'][1]['search']['value']) : "1970-01-01 - " . date("Y-12-31");
     $dateRange = explode(" - ", $getDateRange);
-
+    $orderBy = $requestData['order'][0]['dir'];
          
     $getData = easySelectD(
         "select customer_id, customer_name,
@@ -559,8 +559,8 @@
             from {$table_prefeix}received_payments where is_trash = 0 and received_payments_type = 'Discounts' group by received_payments_from
         ) as given_discounts on customer_id = given_discounts.received_payments_from
         where customer.is_trash = 0 and customer_name like '{$search}%'
-        group by customer_id order by customer_name {$requestData['order'][0]['dir']}
-        LIMIT {$requestData['start']}, {$requestData['length']}
+        group by customer_id order by customer_name {$orderBy}
+        LIMIT ". safe_input($requestData['start']) .", ". safe_input($requestData['length']) ."
         "
     );
 
@@ -658,7 +658,7 @@
                 where is_trash = 0 and payments_return_type = 'Outgoing' and date(payments_return_date) < '{$dateRange[0]}'
                 group by payments_return_customer_id
             ) as payment_return on customer_id = payments_return_customer_id
-			where customer_id = {$customer_id}
+			where customer_id = '{$customer_id}'
 	    ");
  
             
@@ -776,7 +776,7 @@
                 from {$table_prefeix}incomes where is_trash = 0 and incomes_date between '{$dateRange[0]}' and '{$dateRange[1]}' group by incomes_id
 
             ) as get_data
-            where customers = {$customer_id} and date(dates) between '{$dateRange[0]}' and '{$dateRange[1]}'
+            where customers = '{$customer_id}' and date(dates) between '{$dateRange[0]}' and '{$dateRange[1]}'
             order by dates, sortby
         ");
 
@@ -909,8 +909,8 @@
 
         <div class="no-print">
             <div style="display: block; width: 200px; margin: auto;" class="form-group">
-                <a onClick='BMS.MAIN.printPage(this.href, event);' class="btn btn-primary" href="<?php echo full_website_address(); ?>/invoice-print/?autoPrint=true&invoiceType=posSale&id=<?php echo htmlentities($_GET["id"]); ?>"> <i class="fa fa-print"></i> Print</a>
-                <a target="_blank" class="btn btn-primary" href="<?php echo full_website_address(); ?>/invoice-print/?invoiceType=posSale&id=<?php echo htmlentities($_GET["id"]); ?>"> <i class="fa fa-eye"></i> View Invoice</a>
+                <a onClick='BMS.MAIN.printPage(this.href, event);' class="btn btn-primary" href="<?php echo full_website_address(); ?>/invoice-print/?autoPrint=true&invoiceType=posSale&id=<?php echo safe_entities($_GET["id"]); ?>"> <i class="fa fa-print"></i> Print</a>
+                <a target="_blank" class="btn btn-primary" href="<?php echo full_website_address(); ?>/invoice-print/?invoiceType=posSale&id=<?php echo safe_entities($_GET["id"]); ?>"> <i class="fa fa-eye"></i> View Invoice</a>
             </div>
         </div>
     
@@ -1021,7 +1021,7 @@
 
         <div class="no-print">
             <div style="display: block; width: 200px; margin: auto;" class="form-group">
-                <a target="_blank" class="btn btn-primary" href="<?php echo full_website_address(); ?>/invoice-print/?autoPrint=true&invoiceType=produtReturn&id=<?php echo htmlentities($_GET["id"]); ?>"> <i class="fa fa-print"></i> Print</a>
+                <a target="_blank" class="btn btn-primary" href="<?php echo full_website_address(); ?>/invoice-print/?autoPrint=true&invoiceType=produtReturn&id=<?php echo safe_entities($_GET["id"]); ?>"> <i class="fa fa-print"></i> Print</a>
             </div>
         </div>
     
@@ -1048,7 +1048,7 @@
             left join {$table_prefeix}products on stock_product_id = product_id
             left join {$table_prefeix}sales on sales_id = stock_sales_id
             left join {$table_prefeix}customers on sales_customer_id = customer_id
-            where product_stock.is_trash = 0 and product_stock.stock_type = 'sale' and sales_customer_id = {$cid} and stock_product_id = {$pid}
+            where product_stock.is_trash = 0 and product_stock.stock_type = 'sale' and sales_customer_id = '{$cid}' and stock_product_id = '{$pid}'
             group by stock_entry_date
         ");
 
@@ -1124,7 +1124,7 @@
         "table" => "payments_categories",
         "fields" => "count(*) as totalRow",
         "where" => array(
-        "is_trash = 0"
+            "is_trash = 0"
         )
     ))["data"][0]["totalRow"];
 
@@ -1149,8 +1149,8 @@
         ) as bill_items on bill_items_category = payment_category_id
         where payments_categorie.is_trash = 0 and payment_category_name LIKE '{$search}%'
         having total_amount_in_this_category > 0
-        order by payment_category_name {$requestData['order'][0]['dir']}
-        LIMIT {$requestData['start']}, {$requestData['length']}
+        order by payment_category_name ". safe_input($requestData['order'][0]['dir']) ."
+        LIMIT ". safe_input($requestData['start']) .", ". $requestData['length'] ."
         "
     );
 
@@ -1239,7 +1239,7 @@
                 bill_items_category as category_id
             from {$table_prefeix}bill_items where is_trash = 0 and date(bill_items_add_on) between '{$dateRange[0]}' and '{$dateRange[1]}')
         ) as getData
-        where category_id = {$cat_id}
+        where category_id = '{$cat_id}'
         "
     )["count"];
 
@@ -1266,10 +1266,9 @@
                 bill_items_note as item_description
             from {$table_prefeix}bill_items where is_trash = 0 and date(bill_items_add_on) between '{$dateRange[0]}' and '{$dateRange[1]}')
         ) as getData
-        where category_id = {$cat_id}
-        order by item_date {$requestData['order'][0]['dir']}, sortby ASC, item_description DESC
-        LIMIT {$requestData['start']}, {$requestData['length']}
-        "
+        where category_id = '{$cat_id}'
+        order by item_date ". safe_input($requestData['order'][0]['dir']) .", sortby ASC, item_description DESC
+        LIMIT ". safe_input($requestData['start']) .", " . safe_input($requestData['length'])
     );
 
 
@@ -1415,15 +1414,15 @@
     $empTypeFilter = (array)json_decode($requestData['columns'][3]['search']['value']);
 
     if( isset($departmentFilter["operator"]) ) {
-        $departmentFilter = "and emp_department_id {$departmentFilter["operator"]} '{$departmentFilter["search"]}'";
+        $departmentFilter = "and emp_department_id {$departmentFilter["operator"]} '". safe_input($departmentFilter["search"]) ."'";
     } else {
-        $departmentFilter = empty($requestData['columns'][2]['search']['value']) ? "" : "and emp_department_id = '{$requestData['columns'][2]['search']['value']}'";
+        $departmentFilter = empty($requestData['columns'][2]['search']['value']) ? "" : "and emp_department_id = '". safe_input($requestData['columns'][2]['search']['value']) ."'";
     }
 
     if( isset($empTypeFilter["operator"]) ) {
-        $empTypeFilter = "and emp_type {$empTypeFilter["operator"]} '{$empTypeFilter["search"]}'";
+        $empTypeFilter = "and emp_type {$empTypeFilter["operator"]} '". safe_input($empTypeFilter["search"]) ."'";
     } else {
-        $empTypeFilter = empty($requestData['columns'][3]['search']['value']) ? "" : "and emp_type = '{$requestData['columns'][3]['search']['value']}'";
+        $empTypeFilter = empty($requestData['columns'][3]['search']['value']) ? "" : "and emp_type = '". safe_input($requestData['columns'][3]['search']['value']) ."'";
     }
 
 
@@ -1935,7 +1934,6 @@
                     {$warehouse_filter}
                     GROUP BY stock_id
                 
-
             ) as get_data
             LEFT JOIN {$table_prefeix}users as user on user.user_id = get_data.record_user_id
             LEFT JOIN {$table_prefeix}employees on emp_id = user_emp_id
@@ -1944,12 +1942,6 @@
 
 
 
-        // ('initial', 'sale-production', 'sale-processing', 'sale', 'sale-order', 'wastage-sale', 'sale-return', 'purchase', 'purchase-order', 
-        //             'purchase-return', 'transfer-in', 'transfer-out', 'specimen-copy', 'specimen-copy-return', 'undeclared') default 'undeclared',
-            
-
-        //print_r($getData);
-
         $totalFilteredRecords = $totalRecords = $getData !== false ? $getData["count"] : 0;
 
         // Check if there have more then zero data
diff --git a/module/reports/ajax_back.php b/module/reports/ajax_back.php
index 953729f..7f89d6a 100644
--- a/module/reports/ajax_back.php
+++ b/module/reports/ajax_back.php
@@ -975,8 +975,8 @@
 
         <div class="no-print">
             <div style="display: block; width: 200px; margin: auto;" class="form-group">
-                <a onClick='BMS.MAIN.printPage(this.href, event);' class="btn btn-primary" href="<?php echo full_website_address(); ?>/invoice-print/?autoPrint=true&invoiceType=posSale&id=<?php echo htmlentities($_GET["id"]); ?>"> <i class="fa fa-print"></i> Print</a>
-                <a target="_blank" class="btn btn-primary" href="<?php echo full_website_address(); ?>/invoice-print/?invoiceType=posSale&id=<?php echo htmlentities($_GET["id"]); ?>"> <i class="fa fa-eye"></i> View Invoice</a>
+                <a onClick='BMS.MAIN.printPage(this.href, event);' class="btn btn-primary" href="<?php echo full_website_address(); ?>/invoice-print/?autoPrint=true&invoiceType=posSale&id=<?php echo safe_entities($_GET["id"]); ?>"> <i class="fa fa-print"></i> Print</a>
+                <a target="_blank" class="btn btn-primary" href="<?php echo full_website_address(); ?>/invoice-print/?invoiceType=posSale&id=<?php echo safe_entities($_GET["id"]); ?>"> <i class="fa fa-eye"></i> View Invoice</a>
             </div>
         </div>
     
@@ -1087,7 +1087,7 @@
 
         <div class="no-print">
             <div style="display: block; width: 200px; margin: auto;" class="form-group">
-                <a target="_blank" class="btn btn-primary" href="<?php echo full_website_address(); ?>/invoice-print/?autoPrint=true&invoiceType=produtReturn&id=<?php echo htmlentities($_GET["id"]); ?>"> <i class="fa fa-print"></i> Print</a>
+                <a target="_blank" class="btn btn-primary" href="<?php echo full_website_address(); ?>/invoice-print/?autoPrint=true&invoiceType=produtReturn&id=<?php echo safe_entities($_GET["id"]); ?>"> <i class="fa fa-print"></i> Print</a>
             </div>
         </div>
     
diff --git a/module/reports/customer-report/customer-report-single.php b/module/reports/customer-report/customer-report-single.php
index f0af15e..57be870 100644
--- a/module/reports/customer-report/customer-report-single.php
+++ b/module/reports/customer-report/customer-report-single.php
@@ -146,7 +146,7 @@ class="col-lg-4 col-xs-6">
         <div class="box box-info">
           <div class="box-header">
             <h3 class="box-title"><?= __("Top Products"); ?></h3>
-            <div class="printButtonPosition"><a class="" target="_blank" href='<?php echo full_website_address(); ?>/print/?page=allProductOfThisCustomer&cid=<?php echo htmlentities($_GET["cid"]); ?>'>View All</a></div>
+            <div class="printButtonPosition"><a class="" target="_blank" href='<?php echo full_website_address(); ?>/print/?page=allProductOfThisCustomer&cid=<?php echo safe_entities($_GET["cid"]); ?>'>View All</a></div>
           </div>
           <div class="box-body">
             <table class="table table-bordered table-striped table-hover" style="width: 100%;">
diff --git a/module/reports/product-report/product-report-single.php b/module/reports/product-report/product-report-single.php
index 31b95cc..682b1bc 100644
--- a/module/reports/product-report/product-report-single.php
+++ b/module/reports/product-report/product-report-single.php
@@ -173,7 +173,7 @@
                 <div class="box box-info">
                     <div class="box-header">
                         <h3 class="box-title"><?= __("Top Customer"); ?></h3>
-                        <div class="printButtonPosition"><a class="" target="_blank" href='<?php echo full_website_address(); ?>/print/?page=allCustomerOfThisProduct&pid=<?php echo htmlentities($_GET["pid"]); ?>'><?= __("View All"); ?></a></div>
+                        <div class="printButtonPosition"><a class="" target="_blank" href='<?php echo full_website_address(); ?>/print/?page=allCustomerOfThisProduct&pid=<?php echo safe_entities($_GET["pid"]); ?>'><?= __("View All"); ?></a></div>
                     </div>
                     <div class="box-body">
                         <table class="table table-bordered table-striped table-hover" style="width: 100%;">
diff --git a/module/sales/ajax.php b/module/sales/ajax.php
index 92aca88..6b30816 100644
--- a/module/sales/ajax.php
+++ b/module/sales/ajax.php
@@ -398,8 +398,8 @@
             <label for="addSalesPaymentsDescription"><?= __("Description:"); ?></label>
             <textarea name="addSalesPaymentsDescription" id="addSalesPaymentsDescription" rows="3" class="form-control"></textarea>
         </div>
-        <input type="hidden" name="addSalesPaymentsCustomerId" value="<?php echo htmlentities($_GET["cid"]); ?>">
-        <input type="hidden" name="addSalesPaymentsSalesId" value="<?php echo htmlentities($_GET["sales_id"]); ?>">
+        <input type="hidden" name="addSalesPaymentsCustomerId" value="<?php echo safe_entities($_GET["cid"]); ?>">
+        <input type="hidden" name="addSalesPaymentsSalesId" value="<?php echo safe_entities($_GET["sales_id"]); ?>">
 
         <div id="ajaxSubmitMsg"></div>
 
diff --git a/module/sales/edit-sale.php b/module/sales/edit-sale.php
index 28a3ac2..ba894c5 100644
--- a/module/sales/edit-sale.php
+++ b/module/sales/edit-sale.php
@@ -62,7 +62,7 @@
                                         ?>
                                   </select>
                                   <input type="hidden" name="warehouseId" id="warehouseId" value="<?php echo $sale["sales_warehouse_id"]; ?>">
-                                  <input type="hidden" id="editSalesId" name="salesId" value="<?php echo htmlentities($_GET["edit"]); ?>">
+                                  <input type="hidden" id="editSalesId" name="salesId" value="<?php echo safe_entities($_GET["edit"]); ?>">
                                   <input type="hidden" name="userShopId" value="<?php echo $sale["sales_shop_id"]; ?>">
                               </div>
                               <div class="form-group">
diff --git a/module/settings/ajax.php b/module/settings/ajax.php
index 8c5f2e7..9946eb0 100644
--- a/module/settings/ajax.php
+++ b/module/settings/ajax.php
@@ -279,7 +279,7 @@
                     <label for="groupName">Group name</label>
                     <input type="text" name="groupName" class="form-control" id="groupName" value="<?php echo $group_name; ?>" placeholder="Enter group Name">
                 </div>
-                <input type="hidden" name="group_id" value="<?php echo htmlentities($_GET['id']); ?>">
+                <input type="hidden" name="group_id" value="<?php echo safe_entities($_GET['id']); ?>">
 
                 <style>
                 
@@ -577,7 +577,7 @@
                 <input type="text" value = "<?php echo $department_name; ?>" name="departmentName" class="form-control" id="groupdepartmentNameName" placeholder="Enter department Name">
             </div>
 
-            <input type="hidden" name="department_id" value="<?php echo htmlentities($_GET['id']); ?>">
+            <input type="hidden" name="department_id" value="<?php echo safe_entities($_GET['id']); ?>">
 
     <?php
 
@@ -949,7 +949,7 @@
                 <div id="message"></div>
             </div>
 
-            <input type="hidden" name="shop_id" value="<?php echo htmlentities($_GET['id']); ?>">
+            <input type="hidden" name="shop_id" value="<?php echo safe_entities($_GET['id']); ?>">
         
         <script>
 
@@ -1561,7 +1561,7 @@ function imageIsLoaded(e) {
                 <label for="firewallComments"><?= __("Comments:"); ?></label>
                 <textarea name="firewallComments" id="firewallComments" cols="30" rows="3" class="form-control"><?php echo $fw["fw_comment"]; ?></textarea>
             </div>
-            <input type="hidden" name="fw_id" value="<?php echo htmlentities($_GET["id"]); ?>">
+            <input type="hidden" name="fw_id" value="<?php echo safe_entities($_GET["id"]); ?>">
             
         </div>
             
diff --git a/module/stock-management/ajax.php b/module/stock-management/ajax.php
index 2e1b673..19ec447 100644
--- a/module/stock-management/ajax.php
+++ b/module/stock-management/ajax.php
@@ -765,8 +765,8 @@
             <label for="addPurchasePaymentsDescription"><?= __("Description:"); ?></label>
             <textarea name="addPurchasePaymentsDescription" id="addPurchasePaymentsDescription" rows="3" class="form-control"></textarea>
         </div>
-        <input type="hidden" name="addPurchasePaymentsCompanyId" value="<?php echo htmlentities($_GET["cid"]); ?>">
-        <input type="hidden" name="addPurchasePaymentsPurchaseId" value="<?php echo htmlentities($_GET["purchase_id"]); ?>">
+        <input type="hidden" name="addPurchasePaymentsCompanyId" value="<?php echo safe_entities($_GET["cid"]); ?>">
+        <input type="hidden" name="addPurchasePaymentsPurchaseId" value="<?php echo safe_entities($_GET["purchase_id"]); ?>">
 
         <div id="ajaxSubmitMsg"></div>
 
@@ -2231,7 +2231,7 @@
             <label for="stockTransferStatusNote"><?= __("Note:"); ?></label>
             <textarea name="stockTransferStatusNote" id="stockTransferStatusNote" rows="3" class="form-control"></textarea>
         </div>
-        <input type="hidden" name="stockTransferId" value="<?php echo htmlentities($_GET["id"]); ?>">
+        <input type="hidden" name="stockTransferId" value="<?php echo safe_entities($_GET["id"]); ?>">
               
       </div>
       <!-- /Box body-->
@@ -2545,7 +2545,7 @@
             <label for="warehouseLocation"><?= __("Warehouse Location:"); ?></label>
             <textarea name="warehouseLocation" id="warehouseLocation" rows="3" class="form-control"> <?php echo $warehouse["warehouse_location"] ?> </textarea>
         </div>
-        <input type="hidden" name="warehouse_id" value="<?php echo htmlentities($_GET['id']); ?>">
+        <input type="hidden" name="warehouse_id" value="<?php echo safe_entities($_GET['id']); ?>">
     </div>
     <!-- /Box body-->
 
@@ -2823,10 +2823,10 @@
     ?>
       <div class="box-body">
         
-        <input type="hidden" name="batchProductId" value="<?php echo htmlentities($_GET["pid"]); ?>">
+        <input type="hidden" name="batchProductId" value="<?php echo safe_entities($_GET["pid"]); ?>">
         <div class="form-group required">
           <label for="batchNumber"><?= __("Batch Number:"); ?></label>
-          <input type="text" name="batchNumber" id="batchNumber" value="<?php echo htmlentities($_GET["val"]); ?>" placeholder="Enter batch number" class="form-control" required>
+          <input type="text" name="batchNumber" id="batchNumber" value="<?php echo safe_entities($_GET["val"]); ?>" placeholder="Enter batch number" class="form-control" required>
         </div>
         <div class="form-group">
           <label for="batchManufacturingDate"><?= __("Manufacturing Date:"); ?> <small><?= __("Optional"); ?></small> </label>
diff --git a/module/stock-management/edit-purchase.php b/module/stock-management/edit-purchase.php
index c57f63a..8dbb5cd 100644
--- a/module/stock-management/edit-purchase.php
+++ b/module/stock-management/edit-purchase.php
@@ -127,7 +127,7 @@
 
                     <div class="row">
 
-                        <input type="hidden" name="purchase_id" value="<?php echo htmlentities($_GET["id"]); ?>">
+                        <input type="hidden" name="purchase_id" value="<?php echo safe_entities($_GET["id"]); ?>">
                         <div class="form-group col-sm-3 required">
                             <label for="purchaseDate"><?= __("Purchase Date:"); ?></label>
                             <div class="input-group data">