Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/t/db_dependent/Utils/Datatables.t
Joonas Kylmälä b2b5570f08 Bug 27715: Use $dbh->quote_identifier to quote untrusted input 
The sanitization using regex and \w class of characters might be
enough but given the vast number of unicode characters in \w and
possibility of in the future the database engines interpreting some of
those characters with special meaning it is better to wrap the column
identifier to quotes using $dbh->quote_identifier so it is only
interpreted as identifier and nothing else.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-02-24 00:12:59 +01:00

61 lines
1.9 KiB
Perl
Executable file
Raw Blame History

#!/usr/bin/perl
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.
use Modern::Perl;
use Test::More tests => 1;
use C4::Utils::DataTables;
use t::lib::Mocks;
use t::lib::TestBuilder;
use Koha::Database;
my $schema = Koha::Database->new->schema;
$schema->storage->txn_begin;
my $builder = t::lib::TestBuilder->new;
subtest 'dt_build_orderby' => sub {
plan tests => 2;
my $dt_params = {
iSortCol_0 => 5,
sSortDir_0 => "asc",
mDataProp_5 => "branch",
name_sorton => "borrowers.surname borrowers.firstname",
iSortCol_1 => 2,
sSortDir_1 => "desc",
mDataProp_2 => "name",
branch_sorton => "branches.branchname",
};
my $orderby = dt_build_orderby($dt_params);
is( $orderby, " ORDER BY `branches`.`branchname` ASC,`borrowers`.`surname` DESC,`borrowers`.`firstname` DESC ", 'ORDER BY has been correctly built' );
$dt_params = {
%$dt_params,
iSortCol_2 => 3,
sSortDir_2 => "asc",
mDataProp_3 => "branch,somethingelse",
};
$orderby = dt_build_orderby($dt_params);
is( $orderby, " ORDER BY `branches`.`branchname` ASC,`borrowers`.`surname` DESC,`borrowers`.`firstname` DESC ", 'ORDER BY has been correctly built, even with invalid stuff');
};
View git blame Copy permalink