Bug 37210: Properly escape SQL query parameters by using bind values
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
This commit is contained in:
Julian Maurice
parent
91b727d5e7
commit
221b906004
1 changed files with 33 additions and 20 deletions
|
|
@ -222,13 +222,6 @@ if ($noreport) {
|
||||||
|
|
||||||
$bornamefilter =~s/\*/\%/g;
|
$bornamefilter =~s/\*/\%/g;
|
||||||
$bornamefilter =~s/\?/\_/g;
|
$bornamefilter =~s/\?/\_/g;
|
||||||
#scape single quote
|
|
||||||
$bornamefilter =~s/'/\\'/g;
|
|
||||||
$itemtypefilter =~s/'/\\'/g;
|
|
||||||
$borcatfilter =~s/'/\\'/g;
|
|
||||||
$holdingbranchfilter =~s/'/\\'/g;
|
|
||||||
$homebranchfilter =~s/'/\\'/g;
|
|
||||||
$branchfilter =~s/'/\\'/g;
|
|
||||||
|
|
||||||
my $strsth="SELECT date_due,
|
my $strsth="SELECT date_due,
|
||||||
borrowers.title as borrowertitle,
|
borrowers.title as borrowertitle,
|
||||||
|
|
@ -274,14 +267,22 @@ if ($noreport) {
|
||||||
WHERE 1=1 "; # placeholder, since it is possible that none of the additional
|
WHERE 1=1 "; # placeholder, since it is possible that none of the additional
|
||||||
# conditions will be selected by user
|
# conditions will be selected by user
|
||||||
$strsth.=" AND date_due < '" . $todaysdate . "' " unless ($showall or $datedueto);
|
$strsth.=" AND date_due < '" . $todaysdate . "' " unless ($showall or $datedueto);
|
||||||
$strsth.=" AND (borrowers.firstname like '".$bornamefilter."%' or borrowers.surname like '".$bornamefilter."%' or borrowers.cardnumber like '".$bornamefilter."%')" if($bornamefilter) ;
|
my @bind_values;
|
||||||
$strsth.=" AND borrowers.categorycode = '" . $borcatfilter . "' " if $borcatfilter;
|
if ($bornamefilter) {
|
||||||
|
$strsth .= " AND (borrowers.firstname like ? or borrowers.surname like ? or borrowers.cardnumber like ?)";
|
||||||
|
push @bind_values, "$bornamefilter%", "$bornamefilter%", "$bornamefilter%";
|
||||||
|
}
|
||||||
|
if ($borcatfilter) {
|
||||||
|
$strsth .= " AND borrowers.categorycode = ? ";
|
||||||
|
push @bind_values, $borcatfilter;
|
||||||
|
}
|
||||||
if( $itemtypefilter ){
|
if( $itemtypefilter ){
|
||||||
if( C4::Context->preference('item-level_itypes') ){
|
if( C4::Context->preference('item-level_itypes') ){
|
||||||
$strsth.=" AND items.itype = '" . $itemtypefilter . "' ";
|
$strsth .= " AND items.itype = ? ";
|
||||||
} else {
|
} else {
|
||||||
$strsth.=" AND biblioitems.itemtype = '" . $itemtypefilter . "' ";
|
$strsth .= " AND biblioitems.itemtype = ? ";
|
||||||
}
|
}
|
||||||
|
push @bind_values, $itemtypefilter;
|
||||||
}
|
}
|
||||||
if ( $borflagsfilter eq 'gonenoaddress' ) {
|
if ( $borflagsfilter eq 'gonenoaddress' ) {
|
||||||
$strsth .= " AND borrowers.gonenoaddress <> 0";
|
$strsth .= " AND borrowers.gonenoaddress <> 0";
|
||||||
|
|
@ -292,11 +293,26 @@ if ($noreport) {
|
||||||
elsif ( $borflagsfilter eq 'lost') {
|
elsif ( $borflagsfilter eq 'lost') {
|
||||||
$strsth .= " AND borrowers.lost <> 0";
|
$strsth .= " AND borrowers.lost <> 0";
|
||||||
}
|
}
|
||||||
$strsth.=" AND borrowers.branchcode = '" . $branchfilter . "' " if $branchfilter;
|
if ($branchfilter) {
|
||||||
$strsth.=" AND items.homebranch = '" . $homebranchfilter . "' " if $homebranchfilter;
|
$strsth .= " AND borrowers.branchcode = ? ";
|
||||||
$strsth.=" AND items.holdingbranch = '" . $holdingbranchfilter . "' " if $holdingbranchfilter;
|
push @bind_values, $branchfilter;
|
||||||
$strsth.=" AND date_due >= ?" if $dateduefrom;
|
}
|
||||||
$strsth.=" AND date_due <= ?" if $datedueto;
|
if ($homebranchfilter) {
|
||||||
|
$strsth .= " AND items.homebranch = ? ";
|
||||||
|
push @bind_values, $homebranchfilter;
|
||||||
|
}
|
||||||
|
if ($holdingbranchfilter) {
|
||||||
|
$strsth .= " AND items.holdingbranch = ? ";
|
||||||
|
push @bind_values, $holdingbranchfilter;
|
||||||
|
}
|
||||||
|
if ($dateduefrom) {
|
||||||
|
$strsth .= " AND date_due >= ?";
|
||||||
|
push @bind_values, DateTime::Format::MySQL->format_datetime($dateduefrom);
|
||||||
|
}
|
||||||
|
if ($datedueto) {
|
||||||
|
$strsth .= " AND date_due <= ?";
|
||||||
|
push @bind_values, DateTime::Format::MySQL->format_datetime($datedueto);
|
||||||
|
}
|
||||||
# restrict patrons (borrowers) to those matching the patron attribute filter(s), if any
|
# restrict patrons (borrowers) to those matching the patron attribute filter(s), if any
|
||||||
my $bnlist = $have_pattr_filter_data ? join(',',keys %borrowernumber_to_attributes) : '';
|
my $bnlist = $have_pattr_filter_data ? join(',',keys %borrowernumber_to_attributes) : '';
|
||||||
$strsth =~ s/WHERE 1=1/WHERE 1=1 AND borrowers.borrowernumber IN ($bnlist)/ if $bnlist;
|
$strsth =~ s/WHERE 1=1/WHERE 1=1 AND borrowers.borrowernumber IN ($bnlist)/ if $bnlist;
|
||||||
|
|
@ -304,10 +320,7 @@ if ($noreport) {
|
||||||
$strsth.=" ORDER BY date_due, surname, firstname";
|
$strsth.=" ORDER BY date_due, surname, firstname";
|
||||||
$template->param(sql=>$strsth);
|
$template->param(sql=>$strsth);
|
||||||
my $sth=$dbh->prepare($strsth);
|
my $sth=$dbh->prepare($strsth);
|
||||||
$sth->execute(
|
$sth->execute(@bind_values);
|
||||||
($dateduefrom ? DateTime::Format::MySQL->format_datetime($dateduefrom) : ()),
|
|
||||||
($datedueto ? DateTime::Format::MySQL->format_datetime($datedueto) : ()),
|
|
||||||
);
|
|
||||||
|
|
||||||
my @overduedata;
|
my @overduedata;
|
||||||
while (my $data = $sth->fetchrow_hashref) {
|
while (my $data = $sth->fetchrow_hashref) {
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue