From: Andrew Moore <[EMAIL PROTECTED]>

The SQL call in displayServers was not using placeholders, leaving itself open
to potential SQL injection attacks. I've rewritten it to use placeholders.

Signed-off-by: Galen Charlton <[EMAIL PROTECTED]>
---
 C4/Koha.pm |   17 ++++++++++++++---
 1 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/C4/Koha.pm b/C4/Koha.pm
index 401dd9c..5a7fe4d 100644
--- a/C4/Koha.pm
+++ b/C4/Koha.pm
@@ -890,11 +890,22 @@ SELECT lib,
 sub displayServers {
     my ( $position, $type ) = @_;
     my $dbh    = C4::Context->dbh;
+
     my $strsth = "SELECT * FROM z3950servers where 1";
-    $strsth .= " AND position=\"$position\"" if ($position);
-    $strsth .= " AND type=\"$type\""         if ($type);
+    my @bind_params;
+
+    if ( $position ) {
+        push @bind_params, $position;
+        $strsth .= ' AND position = ? ';
+    }
+
+    if ( $type ) {
+        push @bind_params, $type;
+        $strsth .= ' AND type = ? ';
+    }
+
     my $rq = $dbh->prepare($strsth);
-    $rq->execute;
+    $rq->execute( @bind_params );
     my @primaryserverloop;
 
     while ( my $data = $rq->fetchrow_hashref ) {
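Review bot: the new `$rq->execute( @bind_params );` line discards execute's return value; unless the handle from C4::Context->dbh is opened with RaiseError, a failed prepare or execute only warns and the `while` loop below silently yields an empty list, so either confirm RaiseError is set on that handle or write `$rq->execute( @bind_params ) or die $dbh->errstr;`. The placeholder rewrite itself is correct: the values no longer touch the SQL text at all, which also removes the old reliance on MySQL accepting double-quoted string literals. Two minor points: the `if ( $position )` / `if ( $type )` truth tests drop a filter whose value is "0" or the empty string (same as before, so not a regression), and the leading and trailing spaces inside `' AND position = ? '` are harmless but could be trimmed.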
-- 
1.5.5.GIT

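The commit message says only that the interpolated query was "open to potential SQL injection". The following added example, written for this page and not part of the Koha code base or this patch, shows the two forms side by side against a constructed in-memory SQLite table shaped like z3950servers (only the three columns needed) and runs a quote-breaking `position` value through each. The helper names (`servers_interpolated`, `servers_bound`), the rows, and the payload are all assumptions for illustration; the vulnerable version uses single-quoted literals rather than the patch's double quotes because SQLite, unlike MySQL, does not reliably treat double quotes as string delimiters.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed stand-in for Koha's z3950servers table (subset of columns).
my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 } );
$dbh->do('CREATE TABLE z3950servers (name TEXT, position TEXT, type TEXT)');
$dbh->do(q{INSERT INTO z3950servers VALUES ('LOC',  'primary',   'zed')});
$dbh->do(q{INSERT INTO z3950servers VALUES ('NLM',  'secondary', 'zed')});
$dbh->do(q{INSERT INTO z3950servers VALUES ('OCLC', 'primary',   'opensearch')});

# Before the patch: filter values are interpolated into the SQL text.
sub servers_interpolated {
    my ( $position, $type ) = @_;
    my $sql = "SELECT name FROM z3950servers WHERE 1";
    $sql .= " AND position='$position'" if $position;
    $sql .= " AND type='$type'"         if $type;
    my $sth = $dbh->prepare($sql);
    $sth->execute;
    return [ map { $_->[0] } @{ $sth->fetchall_arrayref } ];
}

# After the patch: the same WHERE clause is built with ? placeholders and the
# values are handed to execute() separately, so they can never alter the query.
sub servers_bound {
    my ( $position, $type ) = @_;
    my $sql = "SELECT name FROM z3950servers WHERE 1";
    my @bind;
    if ($position) { $sql .= ' AND position = ?'; push @bind, $position; }
    if ($type)     { $sql .= ' AND type = ?';     push @bind, $type;     }
    my $sth = $dbh->prepare($sql);
    $sth->execute(@bind);
    return [ map { $_->[0] } @{ $sth->fetchall_arrayref } ];
}

# Honest input: both forms agree.
printf "interpolated primary/zed: %s\n", join ',', @{ servers_interpolated( 'primary', 'zed' ) };
printf "bound        primary/zed: %s\n", join ',', @{ servers_bound( 'primary', 'zed' ) };

# Hostile input (constructed): closes the literal and appends a tautology.
# Interpolated SQL becomes: ... WHERE 1 AND position='nothing' OR '1'='1'
# and, since AND binds tighter than OR, every row matches.
my $payload = "nothing' OR '1'='1";
my $leaked  = servers_interpolated($payload);
my $safe    = servers_bound($payload);
printf "interpolated with payload: %d rows (%s)\n", scalar @$leaked, join ',', @$leaked;
printf "bound        with payload: %d rows\n",      scalar @$safe;

die "placeholder version should not match the payload" if @$safe;
die "interpolated version should have leaked all rows" unless @$leaked == 3;
print "ok\n";
```

Run with `perl example.pl` (needs DBI and DBD::SQLite). The interpolated query returns all three servers for the payload, while the bound query returns none, because the placeholder value is compared as an opaque string rather than parsed as SQL.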