From e2d1bafa22f213658fc040d541534299c126bd1b Mon Sep 17 00:00:00 2001 From: Kyle M Hall Date: Mon, 30 Jan 2017 11:52:56 +0000 Subject: [PATCH] Revert "Bug 17902: Fix possible SQL injection in serials editing" This reverts commit 8924439054fec94acabef6045f21369117e528f0. Signed-off-by: Kyle M Hall --- C4/Serials.pm | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/C4/Serials.pm b/C4/Serials.pm index d1f92993bd..543b1dceb0 100644 --- a/C4/Serials.pm +++ b/C4/Serials.pm @@ -739,20 +739,19 @@ sub GetSerials2 { return unless ($subscription and @$statuses); + my $statuses_string = join ',', @$statuses; + my $dbh = C4::Context->dbh; - my $query = q| + my $query = qq| SELECT serialid,serialseq, status, planneddate, publisheddate, publisheddatetext, notes, routingnotes FROM serial - WHERE subscriptionid=? - | - . q| AND status IN (| . join( ",", ('?') x @$statuses ) . ")" . q|)| - . q| + WHERE subscriptionid=$subscription AND status IN ($statuses_string) ORDER BY publisheddate,serialid DESC - |; + |; $debug and warn "GetSerials2 query: $query"; my $sth = $dbh->prepare($query); - $sth->execute( $subscription, @$statuses ); + $sth->execute; my @serials; while ( my $line = $sth->fetchrow_hashref ) { -- 2.39.5