26 Feb
2013
26 Feb
'13
3:36 p.m.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9458 --- Comment #23 from Kyle M Hall <kyle@bywatersolutions.com> --- Good catch! We cannot use a placeholder for ORDER BY fields, but we *can* escape it using quote_identifier to ensure it cannot be used for SQL injection attacks. I've attached a second followup to add this. (In reply to comment #21)
I am concerned about the way $sortfield is included directly in the query. Does it provide an SQL injection vector?
-- You are receiving this mail because: You are watching all bug changes.