http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10276 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |gmcharlt@gmail.com --- Comment #34 from Galen Charlton <gmcharlt@gmail.com> --- (In reply to Chris Cormack from comment #33)
So we dont need to bother doing the escaping ourself, eg, what if branchcode had a character that would bust the query, GetIndependentGroupModificationRights is doing no escaping/sanitation, ie it is handing back what is in the db, with , '.
And $dbh->quote() is not the answer, either. I am taking a hard line on this: I will never knowingly push patches that add violations of SQL10 (and certainly not a bunch of them in one fell swoop). I see no upside for the short- and long-term health of the codebase to do so. (In reply to Kyle M Hall from comment #27)
Using placeholders would end up complicating every single query in an extreme manner.
No, it wouldn't. There is an example of how to handle it in code you've written yourself, i.e., ModCourseInstructors(). -- You are receiving this mail because: You are watching all bug changes.