[Koha-bugs] [Bug 662] New: Probable insecure use of prepare()

bugzilla-daemon at wilbur.katipo.co.nz bugzilla-daemon at wilbur.katipo.co.nz
Thu Nov 6 16:19:29 CET 2003


http://bugs.koha.org/cgi-bin/bugzilla/show_bug.cgi?id=662

           Summary: Probable insecure use of prepare()
           Product: Koha
           Version: CVS
          Platform: PC
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Database
        AssignedTo: chris at katipo.co.nz
        ReportedBy: mjr at ttllp.co.uk
         QAContact: koha-bugs at lists.sourceforge.net


We need to get rid of non-placeholder SQL queries as mentioned in
http://sourceforge.net/mailarchive/message.php?msg_id=6362003 because they often
contribute to security problems (through lack of quoting) and misleading error
messages (usually "you have an error in your SQL near..." when a variable is not
set).

The following files should be examined and noted on this bug report when they
are cleaned to use placeholders:

$ grep -rl 'prepare(".*\$' .
./C4/Biblio.pm
./C4/SearchMarc.pm
./C4/Maintainance.pm
./C4/Circulation/Borrower.pm
./C4/Circulation/Circ2.pm
./C4/Search.pm
./C4/Accounts2.pm
./C4/Groups.pm
./C4/BookShelves.pm
./C4/Shelf.pm
./C4/Catalogue.pm
./marc/benchmarks/getdata-paul-regex
./marc/benchmarks/getdata-paul
./marc/benchmarks/getdata-steve
./marc/benchmarks/getdata-sergey
./admin/thesaurus.pl
./admin/checkmarc.pl
./admin/systempreferences.pl
./admin/authorised_values.pl
./admin/aqbudget.pl
./admin/marc_subfields_structure.pl
./admin/currency.pl
./admin/koha2marclinks.pl
./admin/printers.pl
./admin/itemtypes.pl
./admin/aqbookfund.pl
./admin/stopwords.pl
./admin/marctagstructure.pl
./admin/z3950servers.pl
./admin/categorie.pl
./admin/categoryitem.pl
./z3950/z3950import.pl
./updateitem.pl
./thesaurus_popup.pl
./updater/thesaurus_create.pl
./updater/updatedatabase
./bookcount.pl
./value_builder/unimarc_field_700_701_702.pl

A longer list of possibles can be found by grep -rn 'prepare.*\$' . in the koha
sources, but the above are the most likely.

Because this may indicate security bugs, I am marking this as "critical" and
invite the RM to make it "blocker" if appropriate.
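The two forms the report contrasts, as an added example that is not from the Koha code base or the report itself: a prepare() that interpolates a variable beside the placeholder version it should become. It assumes DBD::SQLite is installed; the borrowers table and its rows are constructed sample data, not Koha's schema.

```perl
#!/usr/bin/perl
# Added example, not Koha's own code. Assumes DBD::SQLite is installed;
# the table and rows below are constructed sample data.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE borrowers (borrowernumber INTEGER, surname TEXT)");
$dbh->do("INSERT INTO borrowers VALUES (1, 'Smith')");
$dbh->do("INSERT INTO borrowers VALUES (2, 'O''Brien')");

# Unsafe form: the value becomes part of the SQL text, so quoting is the
# caller's problem. A surname containing a quote breaks the statement (or
# changes its meaning), and an unset or unquoted variable leaves malformed
# SQL behind, so the database reports a syntax error rather than the cause.
sub count_interpolated {
    my ($surname) = @_;
    my $sth = $dbh->prepare(
        "SELECT COUNT(*) FROM borrowers WHERE surname='$surname'");
    $sth->execute();
    return ($sth->fetchrow_array())[0];
}

# Placeholder form: the data never enters the SQL text; DBI binds it
# separately at execute() time, whatever characters it contains.
sub count_placeholder {
    my ($surname) = @_;
    my $sth = $dbh->prepare(
        "SELECT COUNT(*) FROM borrowers WHERE surname=?");
    $sth->execute($surname);
    return ($sth->fetchrow_array())[0];
}

# Run both forms over a plain name and one containing a quote.
for my $input ("Smith", "O'Brien") {
    for my $form ([interpolated => \&count_interpolated],
                  [placeholder  => \&count_placeholder]) {
        my ($name, $code) = @$form;
        my $n   = eval { $code->($input) };
        my $out = defined $n ? "$n row(s)" : "error: $@";
        $out =~ s/ at \S+ line \d+\.\n//;   # drop the "at FILE line N." suffix
        print "$name '$input': $out\n";
    }
}
```

The interpolated form fails on "O'Brien" with a "near ... syntax error" message, while the placeholder form returns the matching row; the same grep from the report, `grep -rl 'prepare(".*\$'`, would flag the first function and not the second.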


