[Koha-bugs] [Bug 7365] Koha uses MySQL
bugzilla-daemon at bugs.koha-community.org
Tue Mar 27 08:23:11 CEST 2012
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7365
--- Comment #19 from Marc Balmer <marc at msys.ch> ---
The proposed patch does not introduce new vulnerabilities or possibilities for
SQL injection and you cannot prevent the placeholder system. It does a mere
text replacement, so when you feed '?' to one of the (date) functions, the
resulting SQL code will contain the '?' at the right place and $dbh->prepare()
will do its job like before.
The right flow of things is as follows:
my $sql = $dbq->dateDiff('?', '?');        # helper pastes the '?' into the SQL text unchanged
my $qth = $dbh->prepare($sql);             # DBI sees the placeholders as usual
my $res = $qth->execute($date1, $date2);   # values are bound by the driver here, never interpolated
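The flow described in this comment, as an added example that is not Koha's code: a small dialect helper (here called date_diff, with sqlite and mysql variants assumed for illustration) does plain text replacement around its arguments, so DBI-style '?' placeholders pass through untouched and the driver still binds the values at execute time.

```python
"""Added example (not Koha's code): a dialect helper that pastes its
arguments into SQL text verbatim, leaving '?' placeholders intact so the
database driver, not the helper, binds the values."""
import sqlite3


def date_diff(a: str, b: str, dialect: str = "sqlite") -> str:
    """Return a SQL expression for (a - b) in days.

    The arguments are inserted verbatim, so callers pass column names,
    SQL literals or '?' placeholders; never untrusted user input.
    """
    if dialect == "mysql":
        return f"DATEDIFF({a}, {b})"
    if dialect == "sqlite":
        return f"CAST(julianday({a}) - julianday({b}) AS INTEGER)"
    raise ValueError(f"unsupported dialect: {dialect}")


def build_query(dialect: str = "sqlite") -> str:
    # Both '?' survive the helper and remain placeholders for prepare().
    return f"SELECT {date_diff('?', '?', dialect)} AS days"


def placeholders_survive(dialect: str = "sqlite") -> bool:
    """Check that the helper left exactly two placeholders in the text."""
    return build_query(dialect).count("?") == 2


def days_between(later: str, earlier: str):
    """Prepare the query and bind both dates as parameters (sqlite in-memory).

    Returns the day difference, or None when a bound value is not a valid
    date: the value is treated as data, so a stray quote in it cannot
    change the statement.
    """
    conn = sqlite3.connect(":memory:")
    try:
        cur = conn.execute(build_query("sqlite"), (later, earlier))
        return cur.fetchone()[0]
    finally:
        conn.close()


if __name__ == "__main__":
    print(build_query("mysql"))                        # constructed demo
    print(days_between("2012-03-27", "2012-03-20"))    # 7
    print(days_between("27'03'2012", "2012-03-20"))    # None, bound as data
```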