From 9ecd632001b994a45a48e78b2dd7fcb7ff9dd088 Mon Sep 17 00:00:00 2001
From: Andrew Moore <andrew.moore@liblime.com>
Date: Tue, 29 Jul 2008 11:42:46 -0500
Subject: [PATCH] Bug 1953 [2/6]: refactoring SQL in C4::Koha::displayServers
 to use placeholders.

The SQL call in displayServers was not using placeholders, leaving itself open
to potential SQL injection attacks. I've rewritten it to use placeholders.

Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
---
 C4/Koha.pm | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/C4/Koha.pm b/C4/Koha.pm
index 401dd9c985..5a7fe4dbea 100644
--- a/C4/Koha.pm
+++ b/C4/Koha.pm
@@ -890,11 +890,22 @@ SELECT lib,
 sub displayServers {
     my ( $position, $type ) = @_;
     my $dbh    = C4::Context->dbh;
+
     my $strsth = "SELECT * FROM z3950servers where 1";
-    $strsth .= " AND position=\"$position\"" if ($position);
-    $strsth .= " AND type=\"$type\""         if ($type);
+    my @bind_params;
+
+    if ( $position ) {
+        push @bind_params, $position;
+        $strsth .= ' AND position = ? ';
+    }
+
+    if ( $type ) {
+        push @bind_params, $type;
+        $strsth .= ' AND type = ? ';
+    }
+
     my $rq = $dbh->prepare($strsth);
-    $rq->execute;
+    $rq->execute( @bind_params );
     my @primaryserverloop;
 
     while ( my $data = $rq->fetchrow_hashref ) {
-- 
2.39.5