[Koha-patches] [PATCH] Bug 1953 [2/3]: refactoring SQL in C4::Items::GetItemsForInventory to use placeholders
paul POULAIN
paul.poulain at biblibre.com
Thu Jul 31 14:31:07 CEST 2008
Andrew Moore wrote:
> The SQL in C4::Items::GetItemsForInventory wasn't using placeholders and
> bind parameters, possibly leaving itself open to SQL injection attacks. This
> patch changes that.
>
> - $query.= " AND items.location=".$dbh->quote($location) if $location;
>
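Review bot: only the removed line is visible in this quoted fragment; the replacement that adds a `?` placeholder and pushes `$location` onto a bind list under the same `if $location` condition is not shown, so the hunk cannot be checked for a mismatch between the number of `?` in the statement and the number of values bound. Note also that `$dbh->quote()` already escapes the value through the DBI driver, so the removed line was not a raw interpolation; the change is still worth making so the SQL text stays constant and every value goes through the bind path, but the commit message's injection claim should be worded as hardening for consistency rather than as closing an open hole.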
/me disagrees: $dbh->quote() does exactly the same thing as the
placeholder, i.e. escaping SQL to avoid SQL injection. So this patch
solves nothing on this aspect ;-)
--
Paul POULAIN
http://www.biblibre.com
Expert in Free Software for information and documentation
NEW TELEPHONE: 04 91 81 35 08
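The two styles under discussion, side by side, as an added example that is not part of the thread or of Koha's code. It assumes DBI with DBD::SQLite installed and uses an in-memory database with a constructed `items` table; the function names `items_quoted` and `items_bound` are hypothetical. Both variants keep the `if $location` conditional from the quoted hunk, and the final check shows that a value containing a quote is treated as literal data by both paths, while only the placeholder variant keeps the statement text identical from call to call.

```perl
use strict;
use warnings;
use DBI;

# Constructed fixture (not Koha data): in-memory SQLite so this runs offline.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE items (itemnumber INTEGER, location TEXT, barcode TEXT)');
$dbh->do(q{INSERT INTO items VALUES (1, 'MAIN', 'b1'), (2, 'BRANCH', 'b2')});

# Style A: interpolation through $dbh->quote(). The driver escapes the value,
# so a quote character inside $location is emitted as data, not as SQL syntax.
# The statement text differs for every distinct $location, though.
sub items_quoted {
    my ($dbh, $location) = @_;
    my $sql = 'SELECT itemnumber, barcode FROM items WHERE 1=1';
    $sql .= ' AND items.location=' . $dbh->quote($location) if $location;
    return $dbh->selectall_arrayref($sql);
}

# Style B: a '?' placeholder plus a parallel bind list. The value never
# becomes part of the statement text at all, and the SQL stays constant.
sub items_bound {
    my ($dbh, $location) = @_;
    my $sql = 'SELECT itemnumber, barcode FROM items WHERE 1=1';
    my @bind;
    if ($location) {
        $sql .= ' AND items.location=?';
        push @bind, $location;
    }
    return $dbh->selectall_arrayref($sql, {}, @bind);
}

# A location string that contains a quote. With either style the comparison
# is against the literal string, so no row matches and both return 0 rows.
my $odd_location = "MAIN' OR '1'='1";
my $a = items_quoted($dbh, $odd_location);
my $b = items_bound($dbh, $odd_location);
printf "quoted: %d rows, bound: %d rows\n", scalar @$a, scalar @$b;

# Sanity check that a genuine location still matches in both styles.
printf "MAIN via quote: %d rows, via bind: %d rows\n",
    scalar @{ items_quoted($dbh, 'MAIN') },
    scalar @{ items_bound($dbh, 'MAIN') };
```

The practical difference is not escaping but uniformity: with placeholders every value takes the same bind path, the prepared statement can be cached and reused by the driver, and a reviewer can see at a glance that nothing user-supplied is concatenated into the SQL text.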