[Koha-devel] Many DBI updates going through as part of bug 662 fix
MJ Ray
mjr at dsl.pipex.com
Wed Dec 3 04:00:05 CET 2003
I'm reviewing nearly all DBI calls in koha after finding
non-placeholder use of user values. They could leave koha open to SQL
insertion attacks, possibly from users. I really don't want that to
happen. I'm about 10% done. The main changes I'm making are:
1. Rephrasing anything like
     $sth = $dbh->prepare("select * from borrowers where borrowernum=$bornum");
     $sth->execute();
   into
     $sth = $dbh->prepare("select * from borrowers where borrowernum=?");
     $sth->execute($bornum);
2. Rephrasing
     $query = "some string";
     $sth = $dbh->prepare($query);
   into
     $sth = $dbh->prepare("some string");
3. Removing suggestions about using $dbh->do("select * from foo where
id=$bar") from comments.
I'm trying to be really careful about this, but the sheer number of
calls may mean that I introduce a new bug. The various search pages
are the most likely to show symptoms, so I'll try to test those before
the next release.
If any maintainers want to warn me off their code and make these
changes themselves, please email me. I'm still wandering around
C4/Circulation and working in roughly alphabetical order.
--
MJR/slef My Opinion Only and possibly not of any group I know.
Please http://remember.to/edit_messages on lists to be sure I read
http://mjr.towers.org.uk/ gopher://g.towers.org.uk/ slef at jabber.at
Creative copyleft computing services via http://www.ttllp.co.uk/
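The placeholder rewrite described in the message above, worked through as a stand-alone Perl/DBI script. This is an added example, not code from the post or from Koha; it assumes DBD::SQLite is installed and uses an in-memory database with a constructed `borrowers` table, so it runs offline. The helper names (`borrower_by_number`, `borrower_count_for`) are hypothetical and exist only to show the pattern; Koha's own table is only referred to as `borrowers` in the post, the column name `borrowernumber` is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory database so the example runs without Koha's MySQL.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });

# Schema and rows are constructed for this example only.
$dbh->do("create table borrowers (borrowernumber integer primary key, surname text)");
my $ins = $dbh->prepare("insert into borrowers (borrowernumber, surname) values (?, ?)");
$ins->execute(1, "Smith");
$ins->execute(2, "Jones");

# Change 1 from the post: the SQL text is a constant string and the user
# value travels separately as a bind value. DBI/DBD quotes and escapes it,
# so the value can only ever be compared as data, never parsed as SQL.
sub borrower_by_number {
    my ($dbh, $bornum) = @_;
    my $sth = $dbh->prepare("select borrowernumber, surname from borrowers where borrowernumber=?");
    $sth->execute($bornum);
    my $row = $sth->fetchrow_hashref;
    $sth->finish;
    return $row;    # undef when nothing matched
}

# The same rule applies to the convenience methods: bind values are passed
# after the (unused) \%attr argument rather than interpolated into the string.
sub borrower_count_for {
    my ($dbh, $surname) = @_;
    my ($count) = $dbh->selectrow_array(
        "select count(*) from borrowers where surname=?", undef, $surname);
    return $count;
}

# Change 3 from the post: $dbh->do() also takes bind values, so there is no
# need to build the statement with "... where id=$bar".
sub delete_borrower {
    my ($dbh, $bornum) = @_;
    return $dbh->do("delete from borrowers where borrowernumber=?", undef, $bornum);
}

my $row = borrower_by_number($dbh, 1);
print "borrower 1: $row->{surname}\n";                       # Smith

# A value that is not a plain number simply fails to match any row; with
# placeholders it is treated as an opaque literal, not as part of the query.
my $odd = borrower_by_number($dbh, "1 or borrowernumber=2");
print "odd lookup matched: ", (defined $odd ? "yes" : "no"), "\n";   # no

print "Jones count: ", borrower_count_for($dbh, "Jones"), "\n";      # 1
print "deleted rows: ", delete_borrower($dbh, 2), "\n";               # 1
print "Jones count after delete: ", borrower_count_for($dbh, "Jones"), "\n";  # 0

$dbh->disconnect;
```

One caveat worth keeping in mind while doing this sweep: placeholders only stand in for values. A table or column name, an ORDER BY direction, or a LIMIT clause that comes from user input cannot be bound this way and has to be checked against a fixed list of allowed values before it goes into the statement text.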