https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32637
--- Comment #1 from jpl <[email protected]> ---

I did some testing and it does indeed appear that Koha tries to do a SQL query with the user supplied JSON as a column name if that particular header is used:

    curl -v -s -u kohaapi:kohaapi --request GET http://koha_testing/api/v1/patrons --data-raw '{ "surname": { "-like": "Smith%" } }'

will result in the following query showing up in the mariadb General Query Log:

    SELECT COUNT( * ) FROM `borrowers` `me` WHERE ( `{ "surname": { "-like": "Smith%" } }` = '' )

Sending any other Content-type header results in a correct query:

    SELECT COUNT( * ) FROM `borrowers` `me` WHERE ( `surname` LIKE 'Smith%' )

Arbitrary data can be put into that query since Koha won't check that the JSON is valid if that header is used (only tested with 22.05):

    SELECT COUNT( * ) FROM `borrowers` `me` WHERE ( `FooBar` = '' )
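Added example, not Koha's code: a minimal filter-to-SQL mapper in Python showing the two checks that close the hole jpl describes, namely that the request body is only treated as a filter when it is declared and valid JSON, and that every filter key is matched against an allowlist of real column names before it is used as an identifier. The column list, table name and operator table are assumptions for the example.

```python
import json

# Assumed allowlist of filterable columns and supported operators (example values).
ALLOWED_COLUMNS = {"surname", "firstname", "cardnumber"}
OPERATORS = {"-like": "LIKE", "=": "="}


def parse_filter_body(content_type, body):
    """Return the filter dict only when the body is declared AND valid JSON.

    A raw body under any other Content-Type is rejected instead of being
    passed through as an opaque string.
    """
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/json":
        raise ValueError("filter body must be sent as application/json")
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON filter: {exc}") from None
    if not isinstance(parsed, dict):
        raise ValueError("filter must be a JSON object")
    return parsed


def build_count_query(filters):
    """Map a validated filter dict to a parameterized COUNT query."""
    clauses, params = [], []
    for column, cond in filters.items():
        if column not in ALLOWED_COLUMNS:  # identifier must come from the allowlist
            raise ValueError(f"unknown column: {column!r}")
        conditions = cond if isinstance(cond, dict) else {"=": cond}
        for op, value in conditions.items():
            if op not in OPERATORS:
                raise ValueError(f"unsupported operator: {op!r}")
            clauses.append(f"`{column}` {OPERATORS[op]} ?")
            params.append(value)  # values always travel as bind parameters
    return "SELECT COUNT(*) FROM `borrowers` WHERE " + " AND ".join(clauses), params


def count_query(content_type, body):
    return build_count_query(parse_filter_body(content_type, body))


def is_rejected(content_type, body):
    """True when the request would be refused before any SQL is built."""
    try:
        count_query(content_type, body)
    except ValueError:
        return True
    return False
```

With a JSON body declared as application/json the example yields `SELECT COUNT(*) FROM `borrowers` WHERE `surname` LIKE ?` with `Smith%` as a bind parameter; the same bytes under another Content-Type, or a key such as `FooBar` that is not a known column, are refused instead of reaching the database.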
