From 55af15be84334cc6735f2377dbb3e9060d2cbfdd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A8re=20S=C3=A9bastien=20Marie?=
Date: Sun, 27 Feb 2011 13:56:43 +0100
Subject: [PATCH] Use placeholders in sql
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Frère Sébastien Marie
Signed-off-by: Chris Cormack
---
 admin/auth_tag_structure.pl | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/admin/auth_tag_structure.pl b/admin/auth_tag_structure.pl
index 27c48e9bf2..9c55df35be 100755
--- a/admin/auth_tag_structure.pl
+++ b/admin/auth_tag_structure.pl
@@ -188,9 +188,10 @@ if ($op eq 'add_form') {
 # called by delete_confirm, used to effectively confirm deletion of data in DB
 } elsif ($op eq 'delete_confirmed') {
 unless (C4::Context->config('demo') eq 1) {
- $dbh->do("delete from auth_tag_structure where tagfield='$searchfield' and authtypecode='$authtypecode'");
- $dbh->do("delete from auth_subfield_structure where tagfield='$searchfield' and authtypecode='$authtypecode'");
- # FIXME: Secuity vulnerability -- use placeholders, prepare and execute!
+ my $sth = $dbh->prepare("delete from auth_tag_structure where tagfield=? and authtypecode=?");
+ $sth->execute($searchfield,$authtypecode);
+ my $sth = $dbh->prepare("delete from auth_subfield_structure where tagfield=? and authtypecode=?");
+ $sth->execute($searchfield,$authtypecode);
 }
 print "Content-Type: text/html\n\nparam('tagfield')."&authtypecode=$authtypecode\">";
 exit;
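Review bot: The second `my $sth = $dbh->prepare(...)` in the new block redeclares `$sth` in the same scope, which Perl accepts but flags under `use warnings` as a "my" variable masking an earlier declaration in the same scope; either drop the second `my` (`$sth = $dbh->prepare("delete from auth_subfield_structure where tagfield=? and authtypecode=?");`) or give the two handles distinct names such as `my $sth_tag` and `my $sth_subfield`. Neither `prepare` nor `execute` has its return value checked, so unless `$dbh` was opened with RaiseError (not visible in this hunk) a failed first delete silently proceeds to the second and then to the redirect; `$sth->execute($searchfield, $authtypecode) or die $sth->errstr;` on each call would surface it. The two deletes are also not wrapped in a transaction, so a failure between them can leave the tag row gone while its subfield rows remain — worth a comment or a `begin_work`/`commit` pair if the handle supports it. The enclosing `if`/`elsif` chain and the setup of `$dbh`, `$searchfield` and `$authtypecode` lie outside the hunk.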