bug 1953: removing possible SQL injections from C4::Acquisition::GetHistory

I think this is the last sub in this module that needs to be changed.
There should be no functionality or documentation changes with this patch.
http://bugs.koha.org/cgi-bin/bugzilla/show_bug.cgi?id=1953

Signed-off-by: Joshua Ferraro <jmf@liblime.com>
Andrew Moore 2008-04-11 11:32:58 -05:00 committed by Joshua Ferraro
parent 5966f77b5c
commit 49be89c735


@ -1087,9 +1087,31 @@ sub GetLateOrders {
=over 4
(\@order_loop, $total_qty, $total_price, $total_qtyreceived)=&GetHistory( $title, $author, $name, $from_placed_on, $to_placed_on )
(\@order_loop, $total_qty, $total_price, $total_qtyreceived) = GetHistory( $title, $author, $name, $from_placed_on, $to_placed_on );
this function get the search history.
Retreives some acquisition history information
returns:
$order_loop is a list of hashrefs that each look like this:
{
'author' => 'Twain, Mark',
'basketno' => '1',
'biblionumber' => '215',
'count' => 1,
'creationdate' => 'MM/DD/YYYY',
'datereceived' => undef,
'ecost' => '1.00',
'id' => '1',
'invoicenumber' => undef,
'name' => '',
'ordernumber' => '1',
'quantity' => 1,
'quantityreceived' => undef,
'title' => 'The Adventures of Huckleberry Finn'
}
$total_qty is the sum of all of the quantities in $order_loop
$total_price is the cost of each in $order_loop times the quantity
$total_qtyreceived is the sum of all of the quantityreceived entries in $order_loop
=back
@ -1127,35 +1149,45 @@ sub GetHistory {
$query .= " LEFT JOIN borrowers ON aqbasket.authorisedby=borrowers.borrowernumber"
if ( C4::Context->preference("IndependantBranches") );
$query .= " WHERE 1 ";
$query .= " AND biblio.title LIKE " . $dbh->quote( "%" . $title . "%" )
if $title;
$query .= " WHERE (datecancellationprinted is NULL or datecancellationprinted='0000-00-00') ";
my @query_params = ();
if ( defined $title ) {
$query .= " AND biblio.title LIKE ? ";
push @query_params, "%$title%";
}
$query .=
" AND biblio.author LIKE " . $dbh->quote( "%" . $author . "%" )
if $author;
if ( defined $author ) {
$query .= " AND biblio.author LIKE ? ";
push @query_params, "%$author%";
}
$query .= " AND name LIKE " . $dbh->quote( "%" . $name . "%" ) if $name;
if ( defined $name ) {
$query .= " AND name LIKE ? ";
push @query_params, "%$name%";
}
$query .= " AND creationdate >" . $dbh->quote($from_placed_on)
if $from_placed_on;
if ( defined $from_placed_on ) {
$query .= " AND creationdate > ? ";
push @query_params, $from_placed_on;
}
$query .= " AND creationdate<" . $dbh->quote($to_placed_on)
if $to_placed_on;
$query .= " AND (datecancellationprinted is NULL or datecancellationprinted='0000-00-00')";
if ( defined $to_placed_on ) {
$query .= " AND creationdate < ? ";
push @query_params, $to_placed_on;
}
if ( C4::Context->preference("IndependantBranches") ) {
my $userenv = C4::Context->userenv;
if ( ($userenv) && ( $userenv->{flags} != 1 ) ) {
$query .=
" AND (borrowers.branchcode = '"
. $userenv->{branch}
. "' OR borrowers.branchcode ='')";
$query .= " AND (borrowers.branchcode = ? OR borrowers.branchcode ='' ) ";
push @query_params, $userenv->{branch};
}
}
$query .= " ORDER BY booksellerid";
my $sth = $dbh->prepare($query);
$sth->execute;
$sth->execute( @query_params );
my $cnt = 1;
while ( my $line = $sth->fetchrow_hashref ) {
$line->{count} = $cnt++;
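Review bot: Replacing the `if $title` guards with `if ( defined $title )` (and the same for $author, $name, $from_placed_on and $to_placed_on) is a behaviour change for empty-string arguments, which the description says this patch should not make: an empty $to_placed_on now appends `AND creationdate < ?` bound to '' and will likely return no rows, and an empty $title or $name adds `LIKE '%%'`, which excludes rows where that column is NULL. Callers passing CGI form values usually supply '' rather than undef, so this probably regresses the acquisitions history search. Keep the original truthiness test, or make the intent explicit with `if ( defined $title && $title ne '' ) {` and apply the same form to the other four filters. The placeholders do remove the injection; `%` and `_` inside the bound values remain LIKE wildcards, which is presumably intended for a substring search. GetHistory's body continues past the end of the hunk.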