From 16e55c1f3283402f766ed844baa5db333ed2f585 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Thu, 11 Feb 2016 10:16:12 +0000
Subject: [PATCH] Bug 15760: Avoid SQL injections

Asking on #dbix-class, ribasushi told me to set quote_names to the connection options. Indeed it does the fix, globally :) Test plan: 1/ Add the following snippet to the a script (mainpage.pl is a good candidate) use Koha::Virtualshelves; my $s = Koha::Virtualshelves->search({}, { order_by => '1,(select case when (3*2*1=6 AND 000227=000227) then 1 else 1*(select table_name from information_schema.tables)end)=1' }); $s->next; 2/ Execute the script => Without the patch, you should not get any error. If you have the mysql logs enable, you will see the query => With the patch applied, you will get a "unknown column" error
Signed-off-by: Mirko Tietgen
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
---
 Koha/Database.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Koha/Database.pm b/Koha/Database.pm
index 82d831f180..a8f4eab9a8 100644
--- a/Koha/Database.pm
+++ b/Koha/Database.pm
@@ -79,6 +79,7 @@ sub _new_schema {
 RaiseError => $ENV{DEBUG} ? 1 : 0,
 PrintError => 1,
 unsafe => 1,
+ quote_names => 1,
 on_connect_do => [
 $encoding_query || (),
 $tz_query || (),
-- 
2.20.1
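Review bot: The added `quote_names => 1` line carries no comment saying that it is the control that stops caller-supplied column names in `order_by`/`columns` from being executed as SQL (Bug 15760), so a later tidy-up of the connection options could drop it without anyone noticing; add `# quote_names: identifiers from order_by/columns are quoted, so caller-supplied names cannot inject SQL (Bug 15760)` above it. Quoting only applies to identifiers that SQL::Abstract generates itself; string-reference literals (`\'...'`) passed to `order_by` or `where` appear to be emitted verbatim, so call sites that build those from request data still need an allowlist check rather than relying on this option. Enabling identifier quoting globally also changes the SQL emitted for any existing call that passes a raw expression as a plain string in `order_by` (for example a function call), which will now fail with an unknown-column error instead of running, so that regression is worth a grep across callers before merge. The connection-options hash and `_new_schema` itself begin and end outside the hunk.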