Andrew Moore wrote:
> The SQL in C4::Items::GetItemsForInventory wasn't using placeholders and
> bind parameters, possibly leaving itself open to SQL injection attacks. This
> patch changes that.
>
> - $query.= " AND items.location=".$dbh->quote($location) if $location;
>

/me disagrees : the $dbh->quote() does exactly the same thing as the placeholder : i.e. escaping SQL to avoid SQL injections. So this patch solves nothing on this aspect ;-)
-- 
Paul POULAIN
http://www.biblibre.com
Expert in Free Software for information and documentation management
NEW PHONE NUMBER: 04 91 81 35 08

_______________________________________________
Koha-patches mailing list
[email protected]
http://lists.koha.org/mailman/listinfo/koha-patches
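The disagreement above is about whether `$dbh->quote()` and a `?` placeholder give the same protection for the `items.location` filter. The following script is an added example written for this thread, not Koha code and not part of the patch: it builds that filter three ways (raw interpolation, `$dbh->quote()`, placeholder with a bind value) against an in-memory SQLite table constructed inline, and runs each with a location containing a quote character. The table layout, the `count_*` helper names and the sample rows are assumptions made for the example; it requires DBI and DBD::SQLite.

```perl
#!/usr/bin/perl
# Added example, not Koha code: the items.location filter from the thread
# built three ways, run against an in-memory SQLite table constructed here.
# Assumes DBI and DBD::SQLite are installed.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect( "dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 } );

# Constructed sample table; column names follow the ones used in the thread.
$dbh->do("CREATE TABLE items (itemnumber INTEGER PRIMARY KEY, barcode TEXT, location TEXT)");
my $ins = $dbh->prepare("INSERT INTO items (barcode, location) VALUES (?, ?)");
$ins->execute(@$_) for ( [ '0001', 'STACKS' ], [ '0002', 'STACKS' ], [ '0003', "O'BRIEN" ] );

# 1. Raw interpolation: the value is spliced into the SQL text, so a quote
#    character in it ends the string literal and the rest is parsed as SQL.
sub count_interpolated {
    my ($location) = @_;
    my $sql = "SELECT COUNT(*) FROM items WHERE 1=1";
    $sql .= " AND items.location='$location'" if $location;
    my ($n) = $dbh->selectrow_array($sql);
    return $n;
}

# 2. $dbh->quote(): the driver escapes the value and wraps it in quotes,
#    so the literal cannot be terminated early. This is safe as long as
#    every interpolated value really does go through quote().
sub count_quoted {
    my ($location) = @_;
    my $sql = "SELECT COUNT(*) FROM items WHERE 1=1";
    $sql .= " AND items.location=" . $dbh->quote($location) if $location;
    my ($n) = $dbh->selectrow_array($sql);
    return $n;
}

# 3. Placeholder plus bind value: the value never becomes part of the SQL
#    text at all, so there is nothing to escape and nothing to forget.
sub count_placeholder {
    my ($location) = @_;
    my $sql = "SELECT COUNT(*) FROM items WHERE 1=1";
    my @bind;
    if ($location) {
        $sql .= " AND items.location=?";
        push @bind, $location;
    }
    my ($n) = $dbh->selectrow_array( $sql, undef, @bind );
    return $n;
}

# A constructed input with an embedded quote character.
my $awkward = "O'BRIEN";

for my $case (
    [ interpolated => \&count_interpolated ],
    [ quoted       => \&count_quoted ],
    [ placeholder  => \&count_placeholder ],
  )
{
    my ( $name, $fn ) = @$case;
    my $plain = $fn->('STACKS');
    # RaiseError makes a malformed statement die; eval turns that into undef.
    my $n   = eval { $fn->($awkward) };
    my $res = defined $n ? $n : "SQL error";
    printf "%-13s STACKS=%d  O'BRIEN=%s\n", $name, $plain, $res;
}
```

Run it with `perl` and compare the three rows: the interpolated form fails on the quote character, which is the same mechanism an injected value would use, while the `quote()` and placeholder forms both treat it as data and return the matching row. That supports the point made above for this one filter. The practical difference is where the safety lives: with `quote()` it depends on the author remembering to call it for every value in every branch of a hand-assembled query, whereas with placeholders the separation of SQL text from data is structural and cannot be skipped by one missed concatenation.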
