[Bug 662] New: Probable insecure use of prepare()
http://bugs.koha.org/cgi-bin/bugzilla/show_bug.cgi?id=662 Summary: Probable insecure use of prepare() Product: Koha Version: CVS Platform: PC Status: NEW Severity: critical Priority: P2 Component: Database AssignedTo: chris@katipo.co.nz ReportedBy: mjr@ttllp.co.uk QAContact: koha-bugs@lists.sourceforge.net We need to get rid of non-placeholder SQL queries as mentioned in http://sourceforge.net/mailarchive/message.php?msg_id=6362003 because they often contribute to security problems (through lack of quoting) and misleading error messages (usually "you have an error in your SQL near..." when a variable is not set). The following files should be examined and noted on this bug report when they are cleaned to use placeholders: $ grep -rl 'prepare(".*\$' . ./C4/Biblio.pm ./C4/SearchMarc.pm ./C4/Maintainance.pm ./C4/Circulation/Borrower.pm ./C4/Circulation/Circ2.pm ./C4/Search.pm ./C4/Accounts2.pm ./C4/Groups.pm ./C4/BookShelves.pm ./C4/Shelf.pm ./C4/Catalogue.pm ./marc/benchmarks/getdata-paul-regex ./marc/benchmarks/getdata-paul ./marc/benchmarks/getdata-steve ./marc/benchmarks/getdata-sergey ./admin/thesaurus.pl ./admin/checkmarc.pl ./admin/systempreferences.pl ./admin/authorised_values.pl ./admin/aqbudget.pl ./admin/marc_subfields_structure.pl ./admin/currency.pl ./admin/koha2marclinks.pl ./admin/printers.pl ./admin/itemtypes.pl ./admin/aqbookfund.pl ./admin/stopwords.pl ./admin/marctagstructure.pl ./admin/z3950servers.pl ./admin/categorie.pl ./admin/categoryitem.pl ./z3950/z3950import.pl ./updateitem.pl ./thesaurus_popup.pl ./updater/thesaurus_create.pl ./updater/updatedatabase ./bookcount.pl ./value_builder/unimarc_field_700_701_702.pl A longer list of possibles can be found by grep -rn 'prepare.*\$' . in the koha sources, but the above are the most likely. Because this may indicate security bugs, I am marking this as "critical" and invite the RM to make it "blocker" if appropriate. ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact.
participants (1)
-
bugzilla-daemon@wilbur.katipo.co.nz