From ef50ee5217bd5f1b794d9ddd2c44a1f573fe79f8 Mon Sep 17 00:00:00 2001
From: acli
Date: Sat, 25 Jan 2003 20:05:20 +0000
Subject: [PATCH] Use ? for an SQL query to prevent SQL syntax errors

---
 C4/Search.pm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/C4/Search.pm b/C4/Search.pm
index 7a535aab55..e73b0c31c0 100755
--- a/C4/Search.pm
+++ b/C4/Search.pm
@@ -1,4 +1,5 @@
 package C4::Search;
+#require '/u/acli/lib/cvs.pl'; # XXX
 
 # Copyright 2000-2002 Katipo Communications
 #
@@ -1973,10 +1974,10 @@ sub getboracctrecord {
 my @acctlines;
 my $numlines=0;
 my $query= "Select * from accountlines where
-borrowernumber=$params->{'borrowernumber'} order by date desc,timestamp desc";
+borrowernumber=? order by date desc,timestamp desc";
 my $sth=$dbh->prepare($query);
 # print $query;
- $sth->execute;
+ $sth->execute($params->{'borrowernumber'});
 my $total=0;
 while (my $data=$sth->fetchrow_hashref){
 # if ($data->{'itemnumber'} ne ''){
@@ -2175,6 +2176,8 @@ sub itemcount2 {
 # sort for this?
 if (my $data2=$sth2->fetchrow_hashref){
 $counts{'not available'}++;
+ #my $x = "Not available, data2=" . (defined $data2? CGI::escapeHTML(cvs($data2)): "undef");
+ #$counts{$x}++; #XXX
 } else {
 $counts{$data->{'branchname'}}++;
 }
--
2.39.2
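Review bot: The line added at the top of the module, `#require '/u/acli/lib/cvs.pl'; # XXX`, is a commented-out, developer-specific require pointing at a personal home directory, and the same kind of leftover appears in the itemcount2 hunk (`#my $x = ...` and `#$counts{$x}++; #XXX`), which reference a `cvs()` helper and `CGI::escapeHTML` that are not visible anywhere in this diff. Neither affects behaviour today, but both are debugging residue that a later maintainer may uncomment, and the itemcount2 pair would then stuff raw row data into a hash key that the `XXX` marker suggests was only ever meant for local inspection. Dropping these three added comment lines keeps the commit to its stated purpose, the placeholder change in getboracctrecord.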
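Review bot: `$sth->execute($params->{'borrowernumber'})` and the `$dbh->prepare($query)` above it still ignore their return values, so a failed statement only shows up as an empty result set unless `$dbh` was connected with `RaiseError`, which this hunk does not show. Binding the value through `?` is the right fix, and beyond the syntax errors named in the subject it also stops an unvalidated borrowernumber from being interpolated into SQL, so a short comment such as `# borrowernumber is a bind parameter; do not go back to interpolating it` would keep a later edit from undoing that. If RaiseError is not set, `my $sth=$dbh->prepare($query) or die $dbh->errstr;` and `$sth->execute($params->{'borrowernumber'}) or die $sth->errstr;` make failures visible instead of silent. The `# print $query;` debug comment next to them could be removed in the same pass. getboracctrecord starts before this hunk and its body continues past it.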