From d2b017a0f6b7d1ec279a7f0eff77853a184c423e Mon Sep 17 00:00:00 2001 From: Fridolyn SOMERS Date: Fri, 12 Apr 2013 17:24:17 +0200 Subject: [PATCH] Bug 10033 - dangerous query in _koha_modify_item The SQL query built in C4::Items::_koha_modify_item performs an update on a row of the items table identified by itemnumber. Actually the query is built using a hash of data: for my $key ( keys %$item ) { $query.="$key=?,"; push @bind, $item->{$key}; } But this hash contains the 'itemnumber' key, so you get an update including the primary key. It is actually harmless but may be dangerous. This patch simply skips the itemnumber key in the above loop. Test plan: Check you can create and modify items. Signed-off-by: Kyle M Hall Signed-off-by: Marcel de Rooy Signed-off-by: Jared Camins-Esakov (cherry picked from commit 598dfe27224f517fafa06df75521c623992ecbe0) Signed-off-by: Jared Camins-Esakov (cherry picked from commit ba8e383cf6835e204259063e6c18ac9c3892029b) Signed-off-by: Chris Cormack --- C4/Items.pm | 1 + 1 file changed, 1 insertion(+) diff --git a/C4/Items.pm b/C4/Items.pm index 3483d69af9..e62dca961e 100644 --- a/C4/Items.pm +++ b/C4/Items.pm @@ -2251,6 +2251,7 @@ sub _koha_modify_item { my $query = "UPDATE items SET "; my @bind; for my $key ( keys %$item ) { + next if ( $key eq 'itemnumber' ); $query.="$key=?,"; push @bind, $item->{$key}; } -- 2.39.5
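Review bot: The added guard `next if ( $key eq 'itemnumber' );` keeps the primary key out of the SET list, but it does not change the more significant property of this loop: `$query.="$key=?,";` interpolates each remaining hash key directly into the SQL text, and only the value is bound. That is only safe if `%$item` has already been reduced to known column names of the items table before `_koha_modify_item` is called; that precondition is not visible in this hunk, so it should be stated in the commit message or in a comment above the loop so a later caller does not pass through unvalidated keys. Also, since the bug title calls the query dangerous, the manual "create and modify items" test plan would be better complemented by a regression test that asserts the generated UPDATE statement contains no `itemnumber=?` in its SET list.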