From 2df965f4ead8719892400aacbeac1d8391250557 Mon Sep 17 00:00:00 2001
From: Andrew Moore
Date: Thu, 10 Apr 2008 14:49:39 -0500
Subject: [PATCH] bug 1953: removing possible SQL injections from C4::Acquisition::GetLateOrders
I decided to not make chagnes the the query that's executed on databases other than MySQL as I have no good way to test that. This change provides no functinality change and requires no documentation change.
Signed-off-by: Joshua Ferraro
---
 C4/Acquisition.pm | 47 +++++++++++++++++++++++++++++------------------
 1 file changed, 29 insertions(+), 18 deletions(-)
diff --git a/C4/Acquisition.pm b/C4/Acquisition.pm
index 12981a5101..67590067ec 100644
--- a/C4/Acquisition.pm
+++ b/C4/Acquisition.pm
@@ -980,6 +980,8 @@ sub GetLateOrders {
 my $strsth;
 my $dbdriver = C4::Context->config("db_scheme") || "mysql";
+ my @query_params = ();
+ # warn " $dbdriver"; if ( $dbdriver eq "mysql" ) {
 $strsth = " 
@@ -1005,26 +1007,35 @@ sub GetLateOrders {
 (aqbasket LEFT JOIN borrowers ON aqbasket.authorisedby = borrowers.borrowernumber) LEFT JOIN aqbooksellers ON aqbasket.booksellerid = aqbooksellers.id WHERE aqorders.basketno = aqbasket.basketno
- AND (closedate <= DATE_SUB(CURDATE( ),INTERVAL $delay DAY))
+ AND (closedate <= DATE_SUB(CURDATE( ),INTERVAL ? DAY))
 AND ((datereceived = '' OR datereceived is null) OR (aqorders.quantityreceived < aqorders.quantity) ) ";
- $strsth .= " AND aqbasket.booksellerid = $supplierid " if ($supplierid);
- $strsth .= " AND borrowers.branchcode like \'" . $branch . "\'"
- if ($branch);
- $strsth .=
- " AND borrowers.branchcode like \'"
- . C4::Context->userenv->{branch} . "\'"
- if ( C4::Context->preference("IndependantBranches")
- && C4::Context->userenv
- && C4::Context->userenv->{flags} != 1 );
- $strsth .=" HAVING quantity<>0
- AND unitpricesupplier<>0
- AND unitpricelib<>0
- ORDER BY latesince,basketno,borrowers.branchcode, supplier
- ";
- }
- else {
+
+ push @query_params, $delay;
+
+ if ( defined $supplierid ) {
+ $strsth .= ' AND aqbasket.booksellerid = ? ';
+ push @query_params, $supplierid;
+ }
+
+ if ( defined $branch ) {
+ $strsth .= ' AND borrowers.branchcode like ? ';
+ push @query_params, $branch;
+ }
+
+ if ( C4::Context->preference("IndependantBranches")
+ && C4::Context->userenv
+ && C4::Context->userenv->{flags} != 1 ) {
+ $strsth .= ' AND borrowers.branchcode like ? ';
+ push @query_params, C4::Context->userenv->{branch};
+ }
+
+ $strsth .= " HAVING quantity <> 0
+ AND unitpricesupplier <> 0
+ AND unitpricelib <> 0
+ ORDER BY latesince, basketno, borrowers.branchcode, supplier ";
+ } else {
 $strsth = " SELECT aqbasket.basketno, DATE(aqbasket.closedate) AS orderdate, 
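Review bot: The new guards `if ( defined $supplierid )` and `if ( defined $branch )` are not equivalent to the removed `if ($supplierid)` and `if ($branch)`: a caller passing an empty string or 0 (a blank form field, for instance) previously got no filter and now gets `AND aqbasket.booksellerid = ? ` bound to '', which matches no rows, so the description's claim of no functional change does not hold for that input. Keeping the original truthiness tests, `if ( $supplierid ) {` and `if ( $branch ) {`, preserves the old behaviour while still binding the values. Binding `$branch` into `borrowers.branchcode like ?` removes the injection but still lets `%` and `_` in the value act as wildcards; if an exact branch match is intended, `=` is the tighter operator. GetLateOrders starts and ends outside this hunk, and the non-MySQL branch that begins at `} else {` is unchanged, so `@query_params` stays empty on that path.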
@@ -1057,7 +1068,7 @@ sub GetLateOrders {
 $strsth .=" ORDER BY latesince,basketno,borrowers.branchcode, supplier";
 }
 my $sth = $dbh->prepare($strsth);
- $sth->execute;
+ $sth->execute( @query_params );
 my @results;
 my $hilighted = 1;
 while ( my $data = $sth->fetchrow_hashref ) {
-- 
2.39.5
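Review bot: `$sth->execute( @query_params );` discards execute's return value, so a bind-count mismatch between the placeholders built in the MySQL branch and `@query_params` is only fatal if the handle from `C4::Context->dbh` has RaiseError enabled, which this hunk does not show; on a handle without it the `while` loop below simply sees no rows and the caller gets an empty list. Checking the result, `$sth->execute(@query_params) or die $sth->errstr;`, makes such a failure visible either way. GetLateOrders starts outside this hunk and continues past it.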