From 27bb768cadc6107d4004c723be2dfd7a5f07779b Mon Sep 17 00:00:00 2001
From: Galen Charlton
Date: Wed, 6 Oct 2010 07:43:15 -0400
Subject: [PATCH] bug 5086: fix setting claim date

Also removed a locus for SQL injection.

Signed-off-by: Galen Charlton
---
 C4/Serials.pm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/C4/Serials.pm b/C4/Serials.pm
index 9c22901daf..32e46becae 100644
--- a/C4/Serials.pm
+++ b/C4/Serials.pm
@@ -287,10 +287,10 @@ sub UpdateClaimdateIssues {
 my $dbh = C4::Context->dbh;
 $date = strftime( "%Y-%m-%d", localtime ) unless ($date);
 my $query = "
- UPDATE serial SET claimdate=$date,status=7
- WHERE serialid in (" . join( ",", @$serialids ) . ")";
+ UPDATE serial SET claimdate = ?, status = 7
+ WHERE serialid in (" . join( ",", map { '?' } @$serialids ) . ")";
 my $rq = $dbh->prepare($query);
- $rq->execute;
+ $rq->execute($date, @$serialids);
 return $rq->rows;
 }
 
-- 
2.39.5
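Review bot: An empty `$serialids` list still renders the new query as `WHERE serialid in ()`, which MySQL and most SQL dialects reject as a syntax error, so the call fails instead of updating zero rows. An undefined `$serialids` dies earlier still, at `@$serialids`. A guard before the `my $query` line would cover both: `return 0 unless $serialids && @$serialids;`. Whether the empty-list failure surfaces as an exception or as a silent false return from `prepare`/`execute` depends on the handle's `RaiseError` setting, which is not visible here. The argument unpacking at the top of `UpdateClaimdateIssues` is also outside the hunk, so callers may already guarantee a non-empty list. The placeholder binding itself looks sound: one `?` is generated per id, and `$date` plus the ids are passed to `execute` in matching order.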