[Koha-bugs] [Bug 7447] Allow to specify a date in overdue_notice.pl

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Mon Feb 13 15:01:37 CET 2012


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7447

Paul Poulain <paul.poulain at biblibre.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Failed QA                   |Needs Signoff

--- Comment #3 from Paul Poulain <paul.poulain at biblibre.com> 2012-02-13 14:01:37 UTC ---
(In reply to comment #2)
> This patch doesn't do any kind of format-checking on the 'date' param, and then
> loads the variable directly into the SQL.  This could cause the query to fail
> (at best), return completely different values than intended, or destroy entire
> tables (at very worst).

I disagree, the following line quotes & makes the query safe:
+    $date=$dbh->quote($date);
It's needed, as, if there is no $date passed, then the date must be compared to
NOW(), which is made on the else:
+    $date="NOW()";
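Review bot: `$dbh->quote($date)` escapes the value but does not check that it is a date, and with the `$date="NOW()"` branch the same variable holds either a SQL expression or a quoted literal that then goes into the query text. Consider validating the parameter as a date before use and passing it as a bound value to execute(), keeping NOW() as a fixed string in the SQL for the no-date case.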


> The date variable should be parameterized for the sth->execute(), and should be
> rigorously checked for proper date formatting.  If the incoming value is not a
> correct date, either warn and use NOW(), or abort the script.

We don't do any format checking in most of the scripts, this script does not
differ from others.

If you think we must enforce our coding guidelines, it's another topic (and
I tend to agree with it), that should be discussed outside of this patch.

Switching back to "needs signoff"

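The approach comment #2 asks for (check the date format, bind the value as a placeholder, fall back to NOW() when no date is given), as an added example that is not part of the patch or of Koha's code. The helper name, the `loans` table and the `due_date` column are hypothetical, and the inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Time::Piece;

# Hypothetical helper: turn an optional 'date' parameter into a SQL
# expression plus the list of values to bind to it.
sub date_expr_and_binds {
    my ($date) = @_;

    # No date passed: compare against the server clock, nothing to bind.
    return ( 'NOW()', [] ) unless defined $date && length $date;

    # Shape check: exactly YYYY-MM-DD and nothing else.
    die "invalid date: expected YYYY-MM-DD\n"
        unless $date =~ /\A\d{4}-\d{2}-\d{2}\z/;

    # Calendar check: strptime may reject or silently normalise an
    # impossible day such as 2012-02-30, so require a lossless round trip.
    my $parsed = eval { Time::Piece->strptime( $date, '%Y-%m-%d' ) };
    die "invalid date: no such calendar day\n"
        unless defined $parsed && $parsed->ymd eq $date;

    # Valid date: the SQL text only ever contains a placeholder.
    return ( '?', [$date] );
}

# Constructed sample inputs, including an injection-style string.
for my $input ( undef, '2012-02-13', '2012-02-30', "2012-02-13' OR '1'='1" ) {
    my $shown = defined $input ? $input : '(no date)';
    my ( $expr, $binds ) = eval { date_expr_and_binds($input) };
    if ( my $err = $@ ) {
        print "$shown => rejected: $err";
        next;
    }
    # Constructed query; only 'NOW()' or '?' is ever interpolated here.
    my $sql = "SELECT loan_id FROM loans WHERE due_date < $expr";
    print "$shown => $sql  [binds: @$binds]\n";
    # With a live DBI handle: $dbh->prepare($sql)->execute(@$binds);
}
```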