Bug 1953: removing potential SQL injections from C4::Calendar::_init
This patch changes the 4 select statements in C4::Calendar::_init.
Tests for this method were included in a previous patch.
There are more potential problems in C4::Calendar::delete_holiday, but that
method seems to have deeper bugs than just these. I'll open another bug for
them if I can figure out how it's supposed to work.
No documentation changes necessary.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
my$week_days_sql=$dbh->prepare("select weekday, title, description from repeatable_holidays where ('$self->{branchcode}' = branchcode) and (NOT(ISNULL(weekday)))");
my$day_month_sql=$dbh->prepare("select day, month, title, description from repeatable_holidays where ('$self->{branchcode}' = branchcode) and ISNULL(weekday)");
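Review bot: both prepare() calls shown here build the statement with '$self->{branchcode}' interpolated inside single quotes, so a branchcode value containing a quote alters the query text. If these are the lines being replaced, the new form should compare against a placeholder (branchcode = ?) and pass $self->{branchcode} to execute(). The commit message says four select statements change in _init, but only the two repeatable_holidays queries are visible, so the other two should be checked for the same pattern. As a style point, ISNULL(weekday) and NOT(ISNULL(weekday)) are MySQL-specific; weekday IS NULL and weekday IS NOT NULL say the same thing portably.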