Also, what bug number is this patch for?

Nicole
2011/6/30 Frère Sébastien <[email protected]>:
> Hi,
>
> Please use placeholders in SQL statement.
>
> Your patch could result in SQL injection if user may change C4::Branch::mybranch
> return value or result in SQL error if branchname contains "'" (quote) character.
>
> The 'safe' way should be:
> $bsth =$dbh->prepare("SELECT branchcode,branchname FROM branches WHERE
> branchcode = ?");
> $bsth->execute(C4::Branch::mybranch());
>
> As here the 'prepare' is in if-clause, the 'execute' should be too (as
> parameters are dependent on placeholders), resulting something like:
>
> my $bsth;
> if ( C4::Context->preference("searchMyLibraryOnly") ) {
>     $bsth = $dbh->prepare("SELECT branchcode,branchname FROM branches WHERE
> branchcode = ?"); # FIXME : use C4::Branch::GetBranches
>     $bsth->execute(C4::Branch::mybranch());
> } else {
>     $bsth = $dbh->prepare("SELECT branchcode,branchname FROM branches");
>     $bsth->execute();
> }
>
>
> Thanks.
> --
> Frère Sébastien Marie
> Abbaye Notre Dame de La Trappe
> 61380 Soligny-la-Trappe
> Tél: 02.33.84.17.00
> Fax: 02.33.34.98.57
> Web: http://www.latrappe.fr/
>
> On Wed, Jun 29, 2011 at 05:44:21PM +0100, Peter Lorimer wrote:
>> If I search for a valid ISBN number and hit the Z39.50 search, the title
>> field
>> is populated with the ISBN number I searched for. This number should populate
>> the ISBN field and not the title field.
>> ---
>> C4/Search.pm | 34 +++++++++++++++++++++++++++++-----
>> 1 files changed, 29 insertions(+), 5 deletions(-)
>
> [...]
>
>>+ my $bsth;
>>+ if ( C4::Context->preference("searchMyLibraryOnly") )
>>+ {
>>+ $bsth =$dbh->prepare("SELECT branchcode,branchname FROM branches
>>WHERE branchcode = '". C4::Branch::mybranch() ."'
>>+"); # FIXME : use C4::Branch::GetBranches
>>+ }
>>+ else
>>+ {
>>+ $bsth =$dbh->prepare("SELECT branchcode,branchname FROM
>>branches ");
>>+ }
>> $bsth->execute();
>
> [...]
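Review bot: the `searchMyLibraryOnly` arm of this hunk builds the SQL by string concatenation (`branchcode = '". C4::Branch::mybranch() ."'`), so a single quote in the returned value breaks the statement and any attacker-influenced value changes its meaning; use a `?` placeholder, `prepare("... WHERE branchcode = ?")`, and pass the value as `$bsth->execute(C4::Branch::mybranch())`. Because the two arms then need different `execute` argument lists, the shared `$bsth->execute();` after the if/else should move into each arm. The `# FIXME : use C4::Branch::GetBranches` comment points at an existing helper that would avoid hand-written SQL here entirely. Separately, the commit message only describes the ISBN-versus-title field fix, while this hunk changes the branch lookup; the message should say why that change is part of the same patch, and a bug number is missing.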
> _______________________________________________
> Koha-patches mailing list
> [email protected]
> http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-patches
> website : http://www.koha-community.org/
> git : http://git.koha-community.org/
> bugs : http://bugs.koha-community.org/
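The difference Sébastien describes, shown end to end as an added example that is not Koha code and not part of the thread: an in-memory SQLite table stands in for Koha's `branches`, a scalar stands in for `C4::Context->preference("searchMyLibraryOnly")`, and `$my_branch` stands in for `C4::Branch::mybranch()`. The constructed branch code contains a single quote, which makes the interpolated query fail while the placeholder query returns the row. It assumes DBI and DBD::SQLite are installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed demo table standing in for Koha's `branches`; one branchcode
# deliberately contains a single quote.
my $dbh = DBI->connect( "dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 } );
$dbh->do("CREATE TABLE branches (branchcode TEXT PRIMARY KEY, branchname TEXT)");
my $ins = $dbh->prepare("INSERT INTO branches (branchcode, branchname) VALUES (?, ?)");
$ins->execute(@$_) for ( [ 'CPL', 'Centerville' ], [ "O'BR", "O'Brien Memorial" ] );

# Stand-ins (assumed for the demo) for C4::Context->preference and C4::Branch::mybranch.
my $search_my_library_only = 1;
my $my_branch              = "O'BR";

# Interpolated form, the shape used in the patch: the quote inside $branch ends the
# SQL string literal early, so the statement is no longer the one intended.
sub lookup_interpolated {
    my ($branch) = @_;
    my $sth = $dbh->prepare(
        "SELECT branchcode,branchname FROM branches WHERE branchcode = '$branch'");
    $sth->execute();
    return $sth->fetchall_arrayref;
}

# Placeholder form: prepare and execute stay together in each arm, because the
# argument list to execute depends on which statement was prepared.
sub lookup_placeholder {
    my $bsth;
    if ($search_my_library_only) {
        $bsth = $dbh->prepare(
            "SELECT branchcode,branchname FROM branches WHERE branchcode = ?");
        $bsth->execute($my_branch);
    }
    else {
        $bsth = $dbh->prepare("SELECT branchcode,branchname FROM branches");
        $bsth->execute();
    }
    return $bsth->fetchall_arrayref;
}

# The interpolated lookup dies with a SQL syntax error under RaiseError.
my $rows = eval { lookup_interpolated($my_branch) };
print "interpolated: ", ( $@ ? "SQL error: $@" : scalar(@$rows) . " row(s)\n" );

# The placeholder lookup finds the branch whose code contains the quote.
$rows = lookup_placeholder();
printf "placeholder: %d row(s): %s\n", scalar @$rows,
    join( ", ", map { "$_->[0] => $_->[1]" } @$rows );
```

Setting `$search_my_library_only` to 0 exercises the other arm, where `execute` takes no arguments; keeping each `execute` beside its own `prepare` is what lets the two arms differ safely.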
