Bug 15760: Avoid SQL injections
Asking on #dbix-class, ribasushi told me to set quote_names in the
connection options.
Indeed it does fix it, globally :)
Test plan:
1/ Add the following snippet to a script (mainpage.pl is a good candidate)
use Koha::Virtualshelves;
my $s = Koha::Virtualshelves->search({}, { order_by => '1,(select case when (3*2*1=6 AND 000227=000227) then 1 else 1*(select table_name from information_schema.tables)end)=1' });
$s->next;
2/ Execute the script
=> Without the patch, you should not get any error. If you have the mysql logs
enabled, you will see the query
=> With the patch applied, you will get an "unknown column" error
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 16e55c1f3283402f766ed844baa5db333ed2f585)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
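Added illustration, not part of the commit above and not Koha's own code: it pushes the order_by value from the test plan through SQL::Abstract (the SQL generator underneath DBIx::Class) twice, once with no identifier quoting and once with the quote_char/name_sep that DBIx::Class turns on for MySQL when quote_names => 1 is set, so the difference the patch makes can be seen in the rendered SQL without a database. The table name virtualshelves and the column shelfname are taken from the test plan's Koha::Virtualshelves context; the connect call at the end is hypothetical (DSN, credentials, and Koha's real connection setup are not shown in the commit).

```perl
#!/usr/bin/perl
# Added example (not Koha code): show why quote_names => 1 stops an
# order_by string from being interpolated as raw SQL.
use strict;
use warnings;
use SQL::Abstract;

# The order_by value from the test plan, embedded here as constructed
# input. It is attacker-shaped: a column reference followed by a subquery.
my $payload = '1,(select case when (3*2*1=6 AND 000227=000227) then 1 '
            . 'else 1*(select table_name from information_schema.tables)end)=1';

# 1. No quoting configured: a plain scalar order_by is passed through as-is,
#    so the subquery lands verbatim in the ORDER BY clause and MySQL runs it.
my $unquoted = SQL::Abstract->new;
my ($sql_unquoted) = $unquoted->select('virtualshelves', '*', {}, $payload);
print "unquoted: $sql_unquoted\n";

# 2. quote_char/name_sep set, which is what DBIx::Class does for MySQL when
#    the connection options contain quote_names => 1. The same scalar is now
#    treated as an identifier and wrapped in backticks, so MySQL looks for a
#    column literally named like the payload and rejects the query with an
#    "unknown column" error instead of executing the subquery.
my $quoted = SQL::Abstract->new(quote_char => '`', name_sep => '.');
my ($sql_quoted) = $quoted->select('virtualshelves', '*', {}, $payload);
print "quoted:   $sql_quoted\n";

# 3. Legitimate ordering keeps working with quoting on: callers pass column
#    names (or the -asc/-desc hash form), never SQL fragments. shelfname is
#    assumed here to be a virtualshelves column.
my ($sql_safe) = $quoted->select('virtualshelves', '*', {}, { -desc => 'shelfname' });
print "safe:     $sql_safe\n";

# 4. Where the option goes in a DBIx::Class application. Hypothetical DSN and
#    credentials; Koha configures its connection in its own modules.
# my $schema = Koha::Schema->connect(
#     'dbi:mysql:database=koha', 'koha', 'secret',
#     { quote_names => 1 },
# );
```

Quoting the identifiers is a global fix, as the commit says, but it only closes the gap for values that reach SQL::Abstract as plain scalars or hashrefs; anything passed as a scalar reference (\'raw sql') is still emitted unquoted by design, so code that builds order_by from request parameters should never wrap them in a reference.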