From 9ecd632001b994a45a48e78b2dd7fcb7ff9dd088 Mon Sep 17 00:00:00 2001
From: Andrew Moore
Date: Tue, 29 Jul 2008 11:42:46 -0500
Subject: [PATCH] Bug 1953 [2/6]: refactoring SQL in C4::Koha::displayServers to use placeholders.

The SQL call in displayServers was not using placeholders, leaving itself open to potential SQL injection attacks. I've rewritten it to use placeholders.

Signed-off-by: Galen Charlton
Signed-off-by: Joshua Ferraro
---
 C4/Koha.pm | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/C4/Koha.pm b/C4/Koha.pm
index 401dd9c985..5a7fe4dbea 100644
--- a/C4/Koha.pm
+++ b/C4/Koha.pm
@@ -890,11 +890,22 @@ SELECT lib,
 sub displayServers {
 my ( $position, $type ) = @_;
 my $dbh = C4::Context->dbh;
+
 my $strsth = "SELECT * FROM z3950servers where 1";
- $strsth .= " AND position=\"$position\"" if ($position);
- $strsth .= " AND type=\"$type\"" if ($type);
+ my @bind_params;
+
+ if ( $position ) {
+ push @bind_params, $position;
+ $strsth .= ' AND position = ? ';
+ }
+
+ if ( $type ) {
+ push @bind_params, $type;
+ $strsth .= ' AND type = ? ';
+ }
+
 my $rq = $dbh->prepare($strsth);
- $rq->execute;
+ $rq->execute( @bind_params );
 my @primaryserverloop;
 while ( my $data = $rq->fetchrow_hashref ) {
-- 
2.39.5
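Review bot: The return value of `$rq->execute( @bind_params )` is still unchecked, so unless the handle from `C4::Context->dbh` has RaiseError enabled (not visible in this hunk) a failed statement is indistinguishable from an empty server list, because the `fetchrow_hashref` loop that follows simply yields nothing; `$rq->execute( @bind_params ) or die "displayServers: " . $rq->errstr;` would surface the error at the point it occurs. The guards `if ( $position )` and `if ( $type )` are carried over from the old code and test truthiness rather than presence, so a filter value of `0` is silently dropped; if those columns can hold such values, `if ( defined $position && length $position )` states the intent and behaves correctly. The bind-parameter rewrite itself is the right fix for the interpolation the old `\"$position\"` lines performed. The body of displayServers continues past the end of this hunk.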