Bug 17902: Fix possible SQL injection in serials editing
/cgi-bin/koha/serials/serials-edit.pl?serstatus=*/+,2,3,'2016-12-12','2016-12-12',6,'jjj7','jjj8'%20--%20-&subscriptionid=1+and+1%3d2+Union+all+select+111+/*
The SQL query is not constructed correctly, placeholders must be used.
Subscription id and status list can be provided by the user.
This vulnerability has been reported by MDSec.
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit
f42dbd67d1b960906fd2b98560e7e3724452bce9)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit
14e2c2e5f70dc24a0621545aac8a1f8c568331d3)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>