http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7447 Paul Poulain <paul.poulain@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff --- Comment #3 from Paul Poulain <paul.poulain@biblibre.com> 2012-02-13 14:01:37 UTC --- (In reply to comment #2)
This patch doesn't do any kind of format-checking on the 'date' param, and then loads the variable directly into the SQL. This could cause the query to fail (at best), return completely different values than intended, or destroy entire tables (at very worst).
I disagree, the following line quote & make the query safe: + $date=$dbh->quote($date); It's needed, as, if there is no $date passed, then the date must be compared to NOW(), which is mad on the else: + $date="NOW()";
The date variable should be parameterized for the sth->execute(), and should be rigourously checked for proper date formatting. If the incoming value is not a correct date, either warn and use NOW(), or abort the script.
We don't do any format checking in most of the scripts, this script does not differ from others. If you think we must enforce our coding guidelines, and it's another topic (and I tend to agree with it), that should be discussed outside from this patch. Switching back to "needs signoff" -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.