From 4dc7c32a3db11db2a3862e4979e62db23b2a208c Mon Sep 17 00:00:00 2001 From: Kyle M Hall Date: Mon, 30 Jan 2017 12:12:08 +0000 Subject: [PATCH] Revert "Bug 17902: Fix possible SQL injection in serials editing" This reverts commit 904716f581102887c27d5bfc727430564cc12284. Signed-off-by: Kyle M Hall --- C4/Serials.pm | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/C4/Serials.pm b/C4/Serials.pm index d1f92993bd..543b1dceb0 100644 --- a/C4/Serials.pm +++ b/C4/Serials.pm @@ -739,20 +739,19 @@ sub GetSerials2 { return unless ($subscription and @$statuses); + my $statuses_string = join ',', @$statuses; + my $dbh = C4::Context->dbh; - my $query = q| + my $query = qq| SELECT serialid,serialseq, status, planneddate, publisheddate, publisheddatetext, notes, routingnotes FROM serial - WHERE subscriptionid=? - | - . q| AND status IN (| . join( ",", ('?') x @$statuses ) . ")" . q|)| - . q| + WHERE subscriptionid=$subscription AND status IN ($statuses_string) ORDER BY publisheddate,serialid DESC - |; + |; $debug and warn "GetSerials2 query: $query"; my $sth = $dbh->prepare($query); - $sth->execute( $subscription, @$statuses ); + $sth->execute; my @serials; while ( my $line = $sth->fetchrow_hashref ) { -- 2.39.5