http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7365

--- Comment #19 from Marc Balmer <[email protected]> ---
The proposed patch does not introduce new vulnerabilities or possibilities for
SQL injection and you cannot prevent the placeholder system.  It does a mere
text replacement, so when you feed '?' to one of the (date) functions, the
resulting SQL code will contain the '?' at the right place and $dbh->prepare()
will do its job like before.

The right flow of things is as follows:

$sql = $dbq->dateDiff('?', '?');      # '?' survives the text replacement
$qth = $dbh->prepare($sql);           # DBI sees the two placeholders as usual
$res = $qth->execute($date1, $date2); # bind values fill the placeholders (names are illustrative)

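An added illustration of the flow above, not code from Koha or from the comment: a Python/sqlite3 sketch in which the date helper does pure text substitution, so a '?' passed in survives into the SQL and the driver binds the real values. SQLite's julianday() stands in for the database date function; the function names are hypothetical.

```python
import sqlite3


def date_diff(a, b):
    """Text-only substitution: emit the SQL expression for (a - b) in days.

    SQLite dialect (assumed). If the caller passes '?', the placeholder is
    copied verbatim into the SQL and is later handled by the driver.
    """
    return f"(julianday({a}) - julianday({b}))"


def date_diff_days(conn, later, earlier):
    """The recommended flow: build SQL with '?' placeholders, then
    prepare/execute with bind values so data never becomes SQL text."""
    sql = f"SELECT {date_diff('?', '?')}"
    return conn.execute(sql, (later, earlier)).fetchone()[0]


def placeholder_count(sql):
    """Sanity check a generated statement: how many bind slots did it keep?"""
    return sql.count("?")


def demo():
    conn = sqlite3.connect(":memory:")
    # Constructed inputs: a normal pair of dates ...
    ok = date_diff_days(conn, "2024-01-11", "2024-01-01")
    # ... and a hostile string. Because it is bound, not spliced, SQLite sees
    # it as a plain (non-date) string and julianday() yields NULL -> None.
    hostile = date_diff_days(conn, "2024-01-01') OR 1=1 --", "2024-01-01")
    return ok, hostile


if __name__ == "__main__":
    print(date_diff("?", "?"))  # (julianday(?) - julianday(?))
    print(demo())               # (10.0, None)
```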
_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs