]> git.koha-community.org Git - koha.git/commit
Bug 27715: Use $dbh->quote_identifier to quote untrusted input
authorJoonas Kylmälä <joonas.kylmala@helsinki.fi>
Fri, 19 Feb 2021 12:18:15 +0000 (14:18 +0200)
committerJonathan Druart <jonathan.druart@bugs.koha-community.org>
Tue, 23 Feb 2021 23:12:59 +0000 (00:12 +0100)
commitb2b5570f083c30a8f22f6b4e93a1a1e44bc55778
tree324005776fb8bcac7b1540a52e37d5e6c994f75f
parent9223d4d9be7cbf1b978f1d6a7855fccc703c27e8
Bug 27715: Use $dbh->quote_identifier to quote untrusted input

The sanitization using regex and \w class of characters might be
enough but given the vast number of unicode characters in \w and
possibility of in the future the database engines interpreting some of
those characters with special meaning it is better to wrap the column
identifier to quotes using $dbh->quote_identifier so it is only
interpreted as identifier and nothing else.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
C4/Utils/DataTables.pm
t/db_dependent/Utils/Datatables.t