[Koha-bugs] [Bug 17227] New: SQL reserved words should be dis-allowed as branchcodes / authorized values / item types
bugzilla-daemon at bugs.koha-community.org
Tue Aug 30 23:18:36 CEST 2016
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17227
Bug ID: 17227
Summary: SQL reserved words should be dis-allowed as branchcodes / authorized values / item types
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5 - low
Component: Staff Client
Assignee: koha-bugs at lists.koha-community.org
Reporter: barton at bywatersolutions.com
QA Contact: testopia at bugs.koha-community.org
CC: gmcharlt at gmail.com
Related to bug 13727
It is possible for the report selectors
<<...|branch>>
<<...|[authorised value]>>
<<...|itemtypes>>
... etc.
to insert SQL keywords into the SQL of a report, causing a software error when
the report runs, because Koha now allows SQL reserved words in the queries.
To replicate:
1. Create a branch with the branch code 'CREATE'.
2. Create a report using the following query:
   SELECT *
   FROM items
   WHERE items.homebranch = <<Branch|branch>>
3. Run the report, and select the branch with branchcode 'CREATE'.
This will cause a software error.
There is no way around this (because we *don't* want to allow SQL reserved
words to be injected by user input). Therefore we *must* restrict the use of
SQL reserved words on branch/authorized value/itemtype creation.
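The following is an added example, not code from Koha or from the bug reporter. It shows the check the report asks for (rejecting SQL reserved words, and an assumed code format, when a branchcode / authorised value / item type is created), and it reproduces the described failure against an in-memory SQLite stand-in for the items table: the selector value substituted bare into the report text fails when it is a reserved word, whereas the same value passed as a bound parameter is just data. The reserved-word list is a constructed subset; a deployment would load the full list for its database engine (MySQL/MariaDB for Koha). The table, the rows and the code-format rule are all constructed for the example.

```python
import re
import sqlite3
from typing import Dict, List

# Constructed subset of SQL reserved words. MySQL/MariaDB reserve many more;
# load the engine's full list in a real deployment.
SQL_RESERVED_WORDS = frozenset({
    "CREATE", "SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "ALTER",
    "TABLE", "FROM", "WHERE", "AND", "OR", "NOT", "NULL", "ORDER", "GROUP",
    "BY", "JOIN", "UNION", "INTO", "VALUES", "SET", "LIMIT", "IN", "IS",
})

# Assumed (not Koha's) format rule for codes: 1-10 characters drawn from
# letters, digits, underscore and hyphen.
CODE_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,10}$")


def validate_code(code: str) -> List[str]:
    """Return the list of problems with a proposed code (empty list = accept).

    Intended to run when a branch, authorised value or item type is created,
    before the code is stored.
    """
    problems = []
    if not CODE_PATTERN.match(code):
        problems.append("code must be 1-10 characters: letters, digits, '_' or '-'")
    # Reserved words are case-insensitive in SQL, so compare in upper case.
    if code.upper() in SQL_RESERVED_WORDS:
        problems.append(f"'{code}' is an SQL reserved word")
    return problems


# The sample report from the bug, with the selector left in place.
REPORT_SQL = "SELECT * FROM items WHERE items.homebranch = <<Branch|branch>>"


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the items table: one MAIN item,
    two items whose homebranch is the reserved word CREATE."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (itemnumber INTEGER PRIMARY KEY, homebranch TEXT)"
    )
    conn.executemany(
        "INSERT INTO items (homebranch) VALUES (?)",
        [("MAIN",), ("CREATE",), ("CREATE",)],
    )
    conn.commit()
    return conn


def run_report(conn: sqlite3.Connection, branchcode: str,
               bind_parameter: bool) -> Dict[str, object]:
    """Run the sample report for one selected branchcode.

    bind_parameter=False models the failure in the bug: the selected value is
    spliced into the query text, so a reserved word becomes SQL syntax.
    bind_parameter=True replaces the selector with a placeholder and passes
    the value separately, so the engine only ever sees it as a string.
    """
    try:
        if bind_parameter:
            sql = REPORT_SQL.replace("<<Branch|branch>>", "?")
            rows = conn.execute(sql, (branchcode,)).fetchall()
        else:
            sql = REPORT_SQL.replace("<<Branch|branch>>", branchcode)
            rows = conn.execute(sql).fetchall()
        return {"ok": True, "rows": len(rows)}
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    for candidate in ("MAIN", "CREATE", "create", "MAIN BRANCH"):
        print(f"{candidate!r}: {validate_code(candidate) or 'accepted'}")
    db = build_sample_db()
    print("bare substitution of CREATE:", run_report(db, "CREATE", False))
    print("bound parameter CREATE:     ", run_report(db, "CREATE", True))
```

Running the script shows 'CREATE' and 'create' rejected at creation time, and the report query erroring only when the value is spliced into the SQL text; with a bound parameter the same selection returns the two matching rows.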