Chris Cormack <crc@liblime.com> wrote:
On 30/08/2007, at 9:47 PM, Rick Welykochy wrote:
Which brings to mind another audit: one for SQL injection attacks. I haven't had a close at the code, but a grep of "->quote(" turns up 102 uses in Koha/2.2.9, which leaves one feeling somewhat confident that the problem has been addressed at one stage.
Yep, if quote isn't used place holders (?) are, which achieves the same thing.
Is this quote-or-placeholder policy enforced on patch submission now? I did the original clean-up a few years ago, but I've changed a few other additions since. It's probably worth double-checking at some point, but there shouldn't be too many possible flaws. Regards, -- MJ Ray - see/vidu http://mjr.towers.org.uk/email.html Experienced webmaster-developers for hire http://www.ttllp.co.uk/ Also: statistician, sysadmin, online shop builder, workers co-op. Writing on koha, debian, sat TV, Kewstoke http://mjr.towers.org.uk/