[Koha-patches] [PATCH] Bug 1953 [2/3]: refactoring SQL in C4::Items::GetItemsForInventory to use placeholders
paul POULAIN
paul.poulain at biblibre.com
Thu Jul 31 15:09:31 CEST 2008
Andrew Moore wrote:
> On Thu, Jul 31, 2008 at 7:31 AM, paul POULAIN <paul.poulain at biblibre.com> wrote:
>
>> /me disagrees: the $dbh->quote() does exactly the same thing as the
>> placeholder, i.e. escaping SQL to avoid SQL injections. So this patch
>> solves nothing on this aspect ;-)
>>
> Very well. I wouldn't object to backing these patches out.
>
The resulting code is correct. The previous code was also correct. So I
think both are valid. It's fair not to roll back accordingly. I just wanted
to point out, for the future, that there is no injection risk with quote()
(I remember having added many $quote to avoid that years ago; that's why I
emailed).
--
Paul POULAIN
http://www.biblibre.com
Free Software expert for information and documentation services
NEW TELEPHONE: 04 91 81 35 08
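As an added illustration of the two forms this thread compares (not code from the Koha patch or from C4::Items), the script below runs the same lookup once with a value interpolated after $dbh->quote() and once bound through a placeholder. The in-memory SQLite table, its column names, the two subroutines and the sample values are all constructed for this example; it assumes DBI and DBD::SQLite are installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory database (assumes DBD::SQLite is available).
my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 } );

# Hypothetical items table, loosely shaped like an inventory lookup.
$dbh->do('CREATE TABLE items (itemnumber INTEGER PRIMARY KEY, barcode TEXT, location TEXT)');
$dbh->do("INSERT INTO items (barcode, location) VALUES ('1000', 'MAIN')");
$dbh->do("INSERT INTO items (barcode, location) VALUES ('1001', 'STACKS')");
$dbh->do("INSERT INTO items (barcode, location) VALUES ('1002', 'O''BRIEN ROOM')");

# Form 1: value escaped with $dbh->quote() and interpolated into the SQL string.
sub items_by_location_quoted {
    my ( $dbh, $location ) = @_;
    my $sql = 'SELECT itemnumber, barcode FROM items WHERE location = '
        . $dbh->quote($location)
        . ' ORDER BY itemnumber';
    return $dbh->selectall_arrayref($sql);
}

# Form 2: value bound through a placeholder, so the driver never sees it as SQL text.
sub items_by_location_placeholder {
    my ( $dbh, $location ) = @_;
    my $sth = $dbh->prepare(
        'SELECT itemnumber, barcode FROM items WHERE location = ? ORDER BY itemnumber');
    $sth->execute($location);
    return $sth->fetchall_arrayref;
}

# Constructed inputs: a plain value and one containing a single quote.
# quote() doubles the embedded quote (as SQL requires) and the placeholder
# binds it as data, so both forms return the same rows and neither lets the
# quote character terminate the string literal.
for my $loc ( 'MAIN', "O'BRIEN ROOM" ) {
    my $quoted      = items_by_location_quoted( $dbh, $loc );
    my $placeholder = items_by_location_placeholder( $dbh, $loc );
    printf "%-14s quoted=%d row(s)  placeholder=%d row(s)  escaped as %s\n",
        $loc, scalar @$quoted, scalar @$placeholder, $dbh->quote($loc);
}

$dbh->disconnect;
```

Both subroutines return the same result for both inputs, which is the point made in the thread: quote() and placeholders each keep the value out of the SQL syntax. The practical difference is where the discipline lives: with placeholders the statement text is fixed at prepare time and the handle can be re-executed with other values, whereas with quote() each interpolated value must be quoted individually.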