https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41918 --- Comment #12 from David Cook <dcook@prosentient.com.au> --- Hmm this is interesting. It does rely on your database user not having the PROCESS privilege. If your database user isn't set up correctly, you could get incorrect results on a shared server. But then you'll have other problems too anyway. -- I think it would be a good idea to change "user_id" to "borrowernumber" or "patron_id", because the POD in Koha/Reports.pm says it's $user->userid but it's not. It's using the borrowernumber. Initially, I was concerned about seeing $user->userid, because that would be a SQL injection vulnerability, but the data injected into the SQL in koha/Report.pm looks like it should be system controlled. (Still might not hurt to throw int() around those variables before passing them into the SQL.) -- You are receiving this mail because: You are watching all bug changes.