[Koha-bugs] [Bug 10276] Extend IndependentBranches to support groups of libraries

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Wed Jan 15 23:42:20 CET 2014


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10276

Chris Cormack <chris at bigballofwax.co.nz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |chris at bigballofwax.co.nz

--- Comment #33 from Chris Cormack <chris at bigballofwax.co.nz> ---
(In reply to Kyle M Hall from comment #27)
> (In reply to Katrin Fischer from comment #26)
> > Hi Kyle, I am a bit worried about the stringify because it will break
> > escaping by dbi. I think it would be better using a list:
> > 
> > There is an example for that in our coding guidelines:
> > http://wiki.koha-community.org/wiki/Coding_Guidelines#SQL10:_Placeholders
> 
> Using placeholders would end up complicating every single query in an
> extreme manner. That practice of using placeholders is to prevent SQL
> injection attacks. That is not an issue here. An attack such as that is
> absolutely not possible in this case, since what we are turning into a
> string is a list of branchcodes that were just pulled from the database.
> Good question though!

It is absolutely possible: if someone, through XSS or CSRF or another means, has
managed to get SQL into the db, this will then fetch and run it. The only time
we should not use placeholders is in a case like

SELECT * FROM fish WHERE name="fish"; 

However, SQL injection is not the only reason for using placeholders. They are
for db independence: they will escape characters in the way that is safe for
the RDBMS running underneath.

So we don't need to bother doing the escaping ourselves. E.g., what if branchcode
had a character that would bust the query?
GetIndependentGroupModificationRights is doing no escaping/sanitation, i.e. it is
handing back what is in the db, with , '.

-- 
You are receiving this mail because:
You are watching all bug changes.
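The two approaches discussed in this comment, shown side by side as an added example (this is not Koha's code and not the patch under review; it is a stand-alone Perl/DBI script). It assumes DBD::SQLite is installed, and the schema, sample rows and the helper names `group_branchcodes`, `items_in_group_stringified` and `items_in_group_placeholders` are constructed for the demonstration, not taken from Koha. One of the stored branchcodes carries a quote and an `OR`, standing in for a value that reached the db through some other vector, as the comment describes:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory schema (an assumption, not Koha's real tables).
# The third branchcode simulates SQL that got into the db by other means.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE branches (branchcode TEXT PRIMARY KEY)");
$dbh->do("CREATE TABLE items (itemnumber INTEGER PRIMARY KEY, homebranch TEXT)");
for my $code ("CPL", "MPL", "X') OR ('1'='1") {
    $dbh->do("INSERT INTO branches (branchcode) VALUES (?)", undef, $code);
}
for my $home ("CPL", "FFL", "MPL") {
    $dbh->do("INSERT INTO items (homebranch) VALUES (?)", undef, $home);
}

# Hypothetical stand-in for GetIndependentGroupModificationRights:
# hands back whatever is in the db, with no escaping.
sub group_branchcodes {
    my ($dbh) = @_;
    return @{ $dbh->selectcol_arrayref("SELECT branchcode FROM branches") };
}

# The stringify approach: the fetched values become part of the SQL text,
# so the stored "') OR ('1'='1" rewrites the WHERE clause and every item matches.
sub items_in_group_stringified {
    my ($dbh) = @_;
    my $list = join ",", map { sprintf("'%s'", $_) } group_branchcodes($dbh);
    my $sql  = "SELECT itemnumber FROM items WHERE homebranch IN ($list)";
    return $dbh->selectcol_arrayref($sql);
}

# The placeholder approach from the coding guidelines (SQL10): one ? per
# value, so DBI hands each branchcode to the driver as data, never as SQL.
sub items_in_group_placeholders {
    my ($dbh) = @_;
    my @codes = group_branchcodes($dbh);
    my $marks = join ",", ("?") x @codes;
    my $sth   = $dbh->prepare(
        "SELECT itemnumber FROM items WHERE homebranch IN ($marks)");
    $sth->execute(@codes);
    return [ map { $_->[0] } @{ $sth->fetchall_arrayref } ];
}

print "stringified:  ", join(",", @{ items_in_group_stringified($dbh) }), "\n";
print "placeholders: ", join(",", @{ items_in_group_placeholders($dbh) }), "\n";
```

Run it and the stringified query returns all three itemnumbers, including the FFL item that belongs to no branch in the group, while the placeholder query returns only the CPL and MPL items. Replace the hostile branchcode with something as ordinary as `O'HARE` and the stringified statement simply dies with a syntax error under RaiseError, which is the "character that would bust the query" case; the placeholder version is unaffected either way, and the same prepare/execute works unchanged on MySQL.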