[Koha-bugs] [Bug 662] New: Probable insecure use of prepare()
bugzilla-daemon at wilbur.katipo.co.nz
Thu Nov 6 16:19:29 CET 2003
http://bugs.koha.org/cgi-bin/bugzilla/show_bug.cgi?id=662
Summary: Probable insecure use of prepare()
Product: Koha
Version: CVS
Platform: PC
Status: NEW
Severity: critical
Priority: P2
Component: Database
AssignedTo: chris at katipo.co.nz
ReportedBy: mjr at ttllp.co.uk
QAContact: koha-bugs at lists.sourceforge.net
We need to get rid of non-placeholder SQL queries as mentioned in
http://sourceforge.net/mailarchive/message.php?msg_id=6362003 because they often
contribute to security problems (through lack of quoting) and misleading error
messages (usually "you have an error in your SQL near..." when a variable is not
set).
The following files should be examined and noted on this bug report when they
are cleaned to use placeholders:
$ grep -rl 'prepare(".*\$' .
./C4/Biblio.pm
./C4/SearchMarc.pm
./C4/Maintainance.pm
./C4/Circulation/Borrower.pm
./C4/Circulation/Circ2.pm
./C4/Search.pm
./C4/Accounts2.pm
./C4/Groups.pm
./C4/BookShelves.pm
./C4/Shelf.pm
./C4/Catalogue.pm
./marc/benchmarks/getdata-paul-regex
./marc/benchmarks/getdata-paul
./marc/benchmarks/getdata-steve
./marc/benchmarks/getdata-sergey
./admin/thesaurus.pl
./admin/checkmarc.pl
./admin/systempreferences.pl
./admin/authorised_values.pl
./admin/aqbudget.pl
./admin/marc_subfields_structure.pl
./admin/currency.pl
./admin/koha2marclinks.pl
./admin/printers.pl
./admin/itemtypes.pl
./admin/aqbookfund.pl
./admin/stopwords.pl
./admin/marctagstructure.pl
./admin/z3950servers.pl
./admin/categorie.pl
./admin/categoryitem.pl
./z3950/z3950import.pl
./updateitem.pl
./thesaurus_popup.pl
./updater/thesaurus_create.pl
./updater/updatedatabase
./bookcount.pl
./value_builder/unimarc_field_700_701_702.pl
A longer list of possibles can be found by grep -rn 'prepare.*\$' . in the koha
sources, but the above are the most likely.
Because this may indicate security bugs, I am marking this as "critical" and
invite the RM to make it "blocker" if appropriate.
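To show the two defects the report names (quoting problems and a misleading SQL error when a variable is unset), here is an added example, not Koha code, that puts the interpolated prepare() pattern the grep finds next to its placeholder form. It assumes DBD::SQLite is installed; the borrowers table, its rows and the subroutine names are constructed for the demonstration.

```perl
use strict;
use warnings;
use DBI;

# Constructed in-memory SQLite database (assumes DBD::SQLite is installed);
# table and rows are made up for the demonstration.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "", { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE borrowers (borrowernumber INTEGER, surname TEXT)");
$dbh->do("INSERT INTO borrowers VALUES (?, ?)", undef, 1, "Smith");
$dbh->do("INSERT INTO borrowers VALUES (?, ?)", undef, 2, "O'Brien");

# Execute a prepared statement and return the first column of every row.
sub col {
    my ($sth, @bind) = @_;
    $sth->execute(@bind);
    return [ map { $_->[0] } @{ $sth->fetchall_arrayref } ];
}

# The pattern the bug's grep finds, kept deliberately: the variable is pasted
# into the SQL text, so the data must quote itself and an unset variable
# leaves a hole that the database reports as a syntax error.
sub by_surname_interpolated {
    my ($surname) = @_;
    return col($dbh->prepare("SELECT borrowernumber FROM borrowers WHERE surname='${surname}'"));
}
sub by_number_interpolated {
    my ($number) = @_;
    no warnings 'uninitialized';    # mimic legacy code that never set $number
    return col($dbh->prepare("SELECT surname FROM borrowers WHERE borrowernumber=$number"));
}
# Placeholder form: the statement text is fixed and the value is bound on
# execute, so quotes in the data are just data and undef binds as NULL.
sub by_surname {
    my ($surname) = @_;
    return col($dbh->prepare("SELECT borrowernumber FROM borrowers WHERE surname=?"), $surname);
}
sub by_number {
    my ($number) = @_;
    return col($dbh->prepare("SELECT surname FROM borrowers WHERE borrowernumber=?"), $number);
}
# Run each case both ways; eval catches the exception RaiseError throws.
for my $case (
    [ "surname O'Brien", sub { by_surname_interpolated("O'Brien") }, sub { by_surname("O'Brien") } ],
    [ "unset number",    sub { by_number_interpolated(undef) },      sub { by_number(undef) } ],
) {
    my ($label, @impls) = @$case;
    for my $style ("interpolated", "placeholder") {
        my $rows = eval { (shift @impls)->() };
        printf "%-16s %-13s %s\n", $label, $style,
            defined $rows ? "rows: [@$rows]" : "error: " . ($@ =~ s/ at \S+ line \d+\.\n?//r);
    }
}
```

The interpolated lookups die inside prepare() with a syntax error in both cases, while the placeholder lookups return the matching borrower for O'Brien and an empty result for the NULL number.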