[Patches] [PATCH] Bug 7013 : Fixing sql injection problems

koha-patchbot at kohaaloha.com koha-patchbot at kohaaloha.com
Tue Dec 6 04:50:02 NZDT 2011


From: Chris Cormack <chrisc at catalyst.net.nz>
Date: Tue, 6 Dec 2011 04:48:16 +1300
Subject: [PATCH] Bug 7013 : Fixing sql injection problems

---
 admin/authorised_values.pl |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/admin/authorised_values.pl b/admin/authorised_values.pl
index b713f08..d4fed0e 100755
--- a/admin/authorised_values.pl
+++ b/admin/authorised_values.pl
@@ -106,13 +106,13 @@ if ($op eq 'add_form') {
 
     if ( $new_authorised_value =~ /^[a-zA-Z0-9\-_]+$/ ) {
         if ( $id ) { # Update
-            my $sth = $dbh->prepare( "SELECT category, authorised_value FROM authorised_values WHERE id='$id' ");
-            $sth->execute();
+            my $sth = $dbh->prepare( "SELECT category, authorised_value FROM authorised_values WHERE id=? ");
+            $sth->execute($id);
             my ($category, $authorised_value) = $sth->fetchrow_array();
             if ( $authorised_value ne $new_authorised_value ) {
                 my $sth = $dbh->prepare_cached( "SELECT COUNT(*) FROM authorised_values " .
-                    "WHERE category = '$new_category' AND authorised_value = '$new_authorised_value' and id<>$id");
-                $sth->execute();
+                    "WHERE category = ? AND authorised_value = ? and id <> ?");
+                $sth->execute($new_category,$new_authorised_value,$id);
                 ($duplicate_entry) = $sth->fetchrow_array();
                 warn "**** duplicate_entry = $duplicate_entry";
             }
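Review bot: The `warn "**** duplicate_entry = $duplicate_entry";` line kept at the end of the duplicate check reads as leftover debugging output that lands in the web server's error log on every update, and it sits right beside the lines this commit rewrites; I would drop it, or at least strip the `****` prefix so it reads as a real diagnostic. Binding `$id` as a placeholder removes the injection, but nothing visible here asserts it is numeric, so a guard such as `$id =~ /^\d+$/ or die "invalid id";` before the first prepare would reject a tampered id instead of quietly fetching no row — I cannot see from this hunk whether an earlier check already does that. The enclosing `if ($op eq 'add_form')` block begins and ends outside the hunk.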
@@ -135,8 +135,8 @@ if ($op eq 'add_form') {
         }
         else { # Insert
             my $sth = $dbh->prepare_cached( "SELECT COUNT(*) FROM authorised_values " .
-                "WHERE category = '$new_category' AND authorised_value = '$new_authorised_value' ");
-            $sth->execute();
+                "WHERE category = ? AND authorised_value = ? ");
+            $sth->execute($new_category,$new_authorised_value);
             ($duplicate_entry) = $sth->fetchrow_array();
             unless ( $duplicate_entry ) {
                 my $sth=$dbh->prepare( 'INSERT INTO authorised_values
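Review bot: The duplicate check and the INSERT that follows it are two separate statements, so two concurrent submissions can both observe `COUNT(*) = 0` and both insert; the placeholders fix the injection but not this race. Unless `authorised_values` has a UNIQUE index on `(category, authorised_value)` (not visible here), the dependable guard is to add one and treat a duplicate-key error from the INSERT as the duplicate case. The `INSERT INTO authorised_values` statement on the last line continues past the hunk; confirm its values are bound with placeholders in the same way rather than interpolated, since that is the same class of bug this commit fixes. The `execute` return values in the new calls are unchecked, which is only safe if `$dbh` was created with `RaiseError => 1` — worth confirming in the connection setup.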
-- 
1.7.5.4

