From e8da5f250da1dbf39891cc81b0075458c48938fa Mon Sep 17 00:00:00 2001
From: Andrew Moore
Date: Wed, 9 Apr 2008 15:46:45 -0500
Subject: [PATCH] bug 1953: removing potential SQL injection in C4::Acquisition::GetParcels
Signed-off-by: Joshua Ferraro
---
 C4/Acquisition.pm | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/C4/Acquisition.pm b/C4/Acquisition.pm
index 5ceb8fbf5c..12981a5101 100644
--- a/C4/Acquisition.pm
+++ b/C4/Acquisition.pm
@@ -911,6 +911,7 @@ a pointer on a hash list containing parcel informations as such :
 sub GetParcels {
 my ($bookseller,$order, $code, $datefrom, $dateto) = @_;
 my $dbh = C4::Context->dbh;
+ my @query_params = ();
 my $strsth ="
 SELECT aqorders.booksellerinvoicenumber,
 datereceived,purchaseordernumber,
@@ -921,18 +922,31 @@ sub GetParcels {
 WHERE aqbasket.booksellerid = $bookseller and datereceived IS NOT NULL
 ";
- $strsth .= "and aqorders.booksellerinvoicenumber like \"$code%\" " if ($code);
-
- $strsth .= "and datereceived >=" . $dbh->quote($datefrom) . " " if ($datefrom);
+ if ( defined $code ) {
+ $strsth .= ' and aqorders.booksellerinvoicenumber like ? ';
+ # add a % to the end of the code to allow stemming.
+ push @query_params, "$code%";
+ }
+
+ if ( defined $datefrom ) {
+ $strsth .= ' and datereceived >= ? ';
+ push @query_params, $datefrom;
+ }
- $strsth .= "and datereceived <=" . $dbh->quote($dateto) . " " if ($dateto);
+ if ( defined $dateto ) {
+ $strsth .= 'and datereceived <= ? ';
+ push @query_params, $dateto;
+ }
 $strsth .= "group by aqorders.booksellerinvoicenumber,datereceived ";
+
+ # can't use a placeholder to place this column name.
+ # but, we could probably be checking to make sure it is a column that will be fetched.
 $strsth .= "order by $order " if ($order);
-### $strsth
+
 my $sth = $dbh->prepare($strsth);
- $sth->execute;
+ $sth->execute( @query_params );
 my $results = $sth->fetchall_arrayref({});
 $sth->finish;
 return @$results;
-- 
2.39.5
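Review bot: `$bookseller` is still interpolated straight into the SQL string in the context line `WHERE aqbasket.booksellerid = $bookseller and datereceived IS NOT NULL` of the second hunk, so the injection the subject line says is removed survives for the first parameter even though `$code`, `$datefrom` and `$dateto` are now bound. Bind it the same way, and because placeholders bind positionally it must be the first value pushed: `WHERE aqbasket.booksellerid = ? and datereceived IS NOT NULL` in the string, with `push @query_params, $bookseller;` placed before the `if ( defined $code )` block. The `order by $order` interpolation that the new comment acknowledges is likewise still open; validating `$order` against the column names the SELECT actually returns (and dropping it otherwise) before the `.= "order by $order "` line would close it without a placeholder. Note also that replacing `if ($code)` with `if ( defined $code )` changes behaviour for an empty-string `$code`: the old code applied no filter, the new code appends `like ?` bound to `"%"`, which presumably excludes rows with a NULL invoice number — confirm that is intended. The `sub GetParcels` body begins in the first hunk and its closing line is not visible in this patch.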