Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity

Bug 37210: Properly escape SQL query parameters by using bind values

Browse source 
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
This commit is contained in:
Julian Maurice 2024-07-02 16:32:32 +02:00 committed by wainuiwitikapark
parent 91b727d5e7
commit 221b906004
1 changed files with 33 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

53
circ/overdue.pl
View file

@ -222,13 +222,6 @@ if ($noreport) {
$bornamefilter =~s/\*/\%/g;
$bornamefilter =~s/\?/\_/g;
#scape single quote
$bornamefilter =~s/'/\\'/g;
$itemtypefilter =~s/'/\\'/g;
$borcatfilter =~s/'/\\'/g;
$holdingbranchfilter =~s/'/\\'/g;
$homebranchfilter =~s/'/\\'/g;
$branchfilter =~s/'/\\'/g;
my $strsth="SELECT date_due,
borrowers.title as borrowertitle,
@ -274,14 +267,22 @@ if ($noreport) {
WHERE 1=1 "; # placeholder, since it is possible that none of the additional
# conditions will be selected by user
$strsth.=" AND date_due < '" . $todaysdate . "' " unless ($showall or $datedueto);
$strsth.=" AND (borrowers.firstname like '".$bornamefilter."%' or borrowers.surname like '".$bornamefilter."%' or borrowers.cardnumber like '".$bornamefilter."%')" if($bornamefilter) ;
$strsth.=" AND borrowers.categorycode = '" . $borcatfilter . "' " if $borcatfilter;
my @bind_values;
if ($bornamefilter) {
$strsth .= " AND (borrowers.firstname like ? or borrowers.surname like ? or borrowers.cardnumber like ?)";
push @bind_values, "$bornamefilter%", "$bornamefilter%", "$bornamefilter%";
}
if ($borcatfilter) {
$strsth .= " AND borrowers.categorycode = ? ";
push @bind_values, $borcatfilter;
}
if( $itemtypefilter ){
if( C4::Context->preference('item-level_itypes') ){
$strsth.=" AND items.itype = '" . $itemtypefilter . "' ";
$strsth .= " AND items.itype = ? ";
} else {
$strsth.=" AND biblioitems.itemtype = '" . $itemtypefilter . "' ";
$strsth .= " AND biblioitems.itemtype = ? ";
}
push @bind_values, $itemtypefilter;
}
if ( $borflagsfilter eq 'gonenoaddress' ) {
$strsth .= " AND borrowers.gonenoaddress <> 0";
@ -292,11 +293,26 @@ if ($noreport) {
elsif ( $borflagsfilter eq 'lost') {
$strsth .= " AND borrowers.lost <> 0";
}
$strsth.=" AND borrowers.branchcode = '" . $branchfilter . "' " if $branchfilter;
$strsth.=" AND items.homebranch = '" . $homebranchfilter . "' " if $homebranchfilter;
$strsth.=" AND items.holdingbranch = '" . $holdingbranchfilter . "' " if $holdingbranchfilter;
$strsth.=" AND date_due >= ?" if $dateduefrom;
$strsth.=" AND date_due <= ?" if $datedueto;
if ($branchfilter) {
$strsth .= " AND borrowers.branchcode = ? ";
push @bind_values, $branchfilter;
}
if ($homebranchfilter) {
$strsth .= " AND items.homebranch = ? ";
push @bind_values, $homebranchfilter;
}
if ($holdingbranchfilter) {
$strsth .= " AND items.holdingbranch = ? ";
push @bind_values, $holdingbranchfilter;
}
if ($dateduefrom) {
$strsth .= " AND date_due >= ?";
push @bind_values, DateTime::Format::MySQL->format_datetime($dateduefrom);
}
if ($datedueto) {
$strsth .= " AND date_due <= ?";
push @bind_values, DateTime::Format::MySQL->format_datetime($datedueto);
}
# restrict patrons (borrowers) to those matching the patron attribute filter(s), if any
my $bnlist = $have_pattr_filter_data ? join(',',keys %borrowernumber_to_attributes) : '';
$strsth =~ s/WHERE 1=1/WHERE 1=1 AND borrowers.borrowernumber IN ($bnlist)/ if $bnlist;
@ -304,10 +320,7 @@ if ($noreport) {
$strsth.=" ORDER BY date_due, surname, firstname";
$template->param(sql=>$strsth);
my $sth=$dbh->prepare($strsth);
$sth->execute(
($dateduefrom ? DateTime::Format::MySQL->format_datetime($dateduefrom) : ()),
($datedueto ? DateTime::Format::MySQL->format_datetime($datedueto) : ()),
);
$sth->execute(@bind_values);
my @overduedata;
while (my $data = $sth->fetchrow_hashref) {