git.koha-community.org Git - koha.git/commit
Bug 27715: Use $dbh->quote_identifier to quote untrusted input
author Joonas Kylmälä <joonas.kylmala@helsinki.fi>
Fri, 19 Feb 2021 12:18:15 +0000 (14:18 +0200)
committer Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Tue, 23 Feb 2021 17:52:36 +0000 (17:52 +0000)
commit 27f79ee1c0bfcbe801ff2341135685a75f711ada
tree a75001a81ad64876960a1a6ddbb573edea4819b7
parent f1edf3359f73f6875bbf6f124c42a6384bf8f7b6
Bug 27715: Use $dbh->quote_identifier to quote untrusted input

The sanitization using regex and \w class of characters might be
enough, but given the vast number of Unicode characters in \w and
the possibility of database engines in the future interpreting some of
those characters with special meaning, it is better to wrap the column
identifier in quotes using $dbh->quote_identifier so it is only
interpreted as an identifier and nothing else.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 9a03861c8fc67f11c72dd78f17abcbe58cf1740e)

Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
C4/Utils/DataTables.pm
t/db_dependent/Utils/Datatables.t
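
The approach the commit message describes, as an added example that is not code from this commit or from Koha: a \w check is kept as a first filter, and every identifier part is then passed through $dbh->quote_identifier. It assumes DBI with DBD::SQLite; the table, the rows and the order_by_term helper are constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not Koha code. Assumes DBI and DBD::SQLite are installed.
use strict;
use warnings;
use utf8;
use DBI;

binmode STDOUT, ':encoding(UTF-8)';

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });

# Constructed sample schema and rows.
$dbh->do('CREATE TABLE borrowers (surname TEXT, cardnumber TEXT)');
$dbh->do(q{INSERT INTO borrowers VALUES ('Smith', '2'), ('Adams', '1')});

# Hypothetical helper: turn a request-supplied "column" or "table.column"
# string into an ORDER BY term.
sub order_by_term {
    my ($dbh, $untrusted) = @_;
    my @parts = split /\./, $untrusted, -1;
    # First filter: one or two parts, each made only of \w characters.
    die "rejected sort column\n"
        if @parts < 1 || @parts > 2 || grep { !/\A\w+\z/ } @parts;
    # Second layer: quote each part so the engine parses it as an identifier.
    return $dbh->quote_identifier(@parts);
}

# The second input is fullwidth Unicode letters: \w accepts it, so the regex
# alone lets through far more than ASCII column names.
for my $input ('borrowers.surname', 'ｓｕｒｎａｍｅ', 'surname desc') {
    my $term = eval { order_by_term($dbh, $input) };
    printf "%-20s => %s\n", $input, defined $term ? $term : 'rejected';
}

# quote_identifier also doubles an embedded quote character, so the result
# stays a single identifier even without the regex in front of it.
print $dbh->quote_identifier('sur"name'), "\n";

# The quoted term is safe to interpolate where placeholders cannot be used.
my $term = order_by_term($dbh, 'borrowers.surname');
my $rows = $dbh->selectcol_arrayref(
    "SELECT surname FROM borrowers ORDER BY $term");
print "sorted: @$rows\n";
```

The quote character comes from the driver: SQLite uses double quotes here, while a MySQL or MariaDB handle quotes identifiers with backticks.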