From 8215cc8bad33ff1dd327ac17fbfecd59e6f06989 Mon Sep 17 00:00:00 2001
From: Chris Cormack
Date: Sun, 13 Mar 2011 20:30:13 +1300
Subject: [PATCH] Bug 5595 : Fixing a security glitch (please always use placeholders or dbh->quote and fixing the tests

---
 C4/Members/Attributes.pm | 6 +++---
 t/db_dependent/Members.t | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/C4/Members/Attributes.pm b/C4/Members/Attributes.pm
index b89b03a646..1db94247c0 100644
--- a/C4/Members/Attributes.pm
+++ b/C4/Members/Attributes.pm
@@ -102,16 +102,16 @@ sub GetBorrowerAttributes {
 sub SearchIdMatchingAttribute{
 my $filter = shift;
- my $finalfilter=$$filter[0];
+ my $finalfilter=$filter->[0];
 my $dbh = C4::Context->dbh();
 my $query = qq{
 SELECT borrowernumber
 FROM borrower_attributes
 JOIN borrower_attribute_types
 USING (code)
 WHERE staff_searchable = 1
-AND attribute like "%$finalfilter%"};
+AND attribute like ?};
 my $sth = $dbh->prepare_cached($query);
- $sth->execute();
+ $sth->execute("%$finalfilter%");
 return $sth->fetchall_arrayref;
 }
 
diff --git a/t/db_dependent/Members.t b/t/db_dependent/Members.t
index 8e2664360d..e28fbae742 100755
--- a/t/db_dependent/Members.t
+++ b/t/db_dependent/Members.t
@@ -39,13 +39,13 @@ is ($changedmember->{firstname}, "Marie", "Member Returned");
 
 $member->{email}="Marie\@email.com";
 ModMember(%$member);
-my $searchemail=Search($member);
-is ($member->{email}, "Marie\@email.com", "Email search works");
+$changedmember=GetMemberDetails("","TESTCARD01");
+is ($changedmember->{email}, "Marie\@email.com", "Email Set works");
 
 $member->{ethnicity}="German";
 ModMember(%$member);
-my $searcheth=Search($member);
-is ($member->{ethnicity}, "German", "Ethnicity Works");
+$changedmember=GetMemberDetails("","TESTCARD01");
+is ($changedmember->{ethnicity}, "German", "Ethnicity Works");
 
 my @searchstring=("Mcknight");
 my ($results) = Search(\@searchstring,undef,undef,undef,["surname"]);
-- 
2.39.5
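Review bot: The bound value `"%$finalfilter%"` on the new execute() line closes the quoting hole, but an undefined or empty first filter element still becomes the pattern `%%`, which matches every staff-searchable attribute row and emits an uninitialized warning; consider `return [] unless defined $finalfilter && length $finalfilter;` right after the `$filter->[0]` line, if callers do not rely on the match-all result. Separately, `%` and `_` inside the caller's string remain LIKE wildcards after binding, so if exact-substring semantics are intended they should be escaped before the value is passed to execute(). There is also no POD for SearchIdMatchingAttribute; a short `=head2 SearchIdMatchingAttribute` block stating that it takes an arrayref whose first element is matched as a case-insensitive substring against staff-searchable attributes and returns an arrayref of borrowernumber rows would document the contract the hunk now fixes.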
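Review bot: The replaced assertions read the member back with GetMemberDetails, which is a real check where the old ones only compared a hash against itself, but dropping the two Search($member) calls leaves nothing in this hunk exercising the search path that the Attributes.pm fix changes; a regression test that passes a filter containing a double quote or a `%` through the search-by-attribute path and checks the returned borrowernumbers would pin the fix. The two new blocks also repeat `GetMemberDetails("","TESTCARD01")` with the card number inline; the description strings are inconsistent as well (`"Email Set works"` versus `"Ethnicity Works"`), so `"Ethnicity set works"` would read uniformly. Whether Search is expected to accept a plain hashref, as the removed lines did, is not visible here and should be confirmed before treating those calls as simply wrong.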