git.koha-community.org Git - koha.git/commit
Bug 27715: Use $dbh->quote_identifier to quote untrusted input
author Joonas Kylmälä <joonas.kylmala@helsinki.fi>
Fri, 19 Feb 2021 12:18:15 +0000 (14:18 +0200)
committer Victor Grousset/tuxayo <victor@tuxayo.net>
Tue, 23 Feb 2021 21:32:55 +0000 (22:32 +0100)
commit 45d8d5f00466358d83b7fe8fce5109326026170a
tree 42af064393cbf5d4f1d247377fbbcabf4263ed2d
parent 794130dce4aff9c712cc7e78de5d27c485d47758
Bug 27715: Use $dbh->quote_identifier to quote untrusted input

The sanitization using a regex and the \w class of characters might be
enough, but given the vast number of Unicode characters in \w and the
possibility of database engines in the future interpreting some of
those characters with special meaning, it is better to wrap the column
identifier in quotes using $dbh->quote_identifier so it is only
interpreted as an identifier and nothing else.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
C4/Utils/DataTables.pm
t/db_dependent/Utils/Datatables.t
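
The point made in the commit message, as an added example that is not Koha's code and is not taken from C4/Utils/DataTables.pm: it shows which names a \w-only check lets through and what $dbh->quote_identifier does to them. The helper names and sample column names are constructed, and the handle uses the DBD::ExampleP driver bundled with DBI, so the quote character is DBI's default double quote (assumption: a MySQL handle would emit backticks instead).

```perl
#!/usr/bin/perl
# Added example, not Koha code. Helper names and sample column names
# are constructed for illustration.
use strict;
use warnings;
use DBI;

binmode STDOUT, ':encoding(UTF-8)';

# DBD::ExampleP ships with DBI, so no database server is needed.
# Without a driver-specific quote character, DBI's default
# quote_identifier uses the SQL-standard double quote.
my $dbh = DBI->connect( 'dbi:ExampleP:dummy', '', '', { RaiseError => 1 } );

# Hypothetical helper: regex-only check, the approach the commit
# message says "might be enough".
sub regex_only {
    my ($name) = @_;
    return $name =~ /\A\w+\z/ ? $name : undef;
}

# Hypothetical helper: same allow-list, then quoted so the value can
# only ever be parsed as an identifier.
sub regex_then_quote {
    my ( $dbh, $name ) = @_;
    return $name =~ /\A\w+\z/ ? $dbh->quote_identifier($name) : undef;
}

my @samples = (
    'surname',             # ordinary column name
    'order',               # passes \w, but is an SQL keyword when unquoted
    "sur\x{FF4E}ame",      # FULLWIDTH LATIN SMALL LETTER N matches \w
    "\x{0661}\x{0662}",    # ARABIC-INDIC digits match \w
    'a"b',                 # fails \w; quote_identifier alone doubles the "
);

for my $name (@samples) {
    printf "%-10s regex_only=%-12s regex_then_quote=%-12s quote_only=%s\n",
        $name,
        regex_only($name)               // '(rejected)',
        regex_then_quote( $dbh, $name ) // '(rejected)',
        $dbh->quote_identifier($name);
}
```

The fullwidth and Arabic-Indic samples pass the \w check unchanged, which is the breadth the commit message refers to. After quoting, every accepted value is delimited as an identifier, and an embedded quote character is doubled rather than ending the identifier.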