[Koha-patches] [PATCH] Koha Bug 2634 : stopgap fix for 'SELECT * FROM EVERY RELEVANT TABLE'

[Ryan Higgins]

Prevents marc and marcxml from being returned by the db by selecting
only columns that are used in the marc frameworks.
---
 C4/Items.pm |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/C4/Items.pm b/C4/Items.pm
index dd78f98..6421e66 100644
--- a/C4/Items.pm
+++ b/C4/Items.pm
@@ -1184,7 +1184,14 @@ If this is set, it is set to C<One Order>.
 sub GetItemsInfo {
     my ( $biblionumber, $type ) = @_;
     my $dbh   = C4::Context->dbh;
-    my $query = "SELECT *,items.notforloan as itemnotforloan
+    my $sthk = $dbh->prepare("SELECT DISTINCT kohafield FROM marc_subfield_structure WHERE kohafield IS NOT NULL AND kohafield <>''");
+    $sthk->execute;
+    my $fields =  $sthk->fetchall_arrayref ;
+    # FIXME : we want to exclude marc & marcxml, so we're selecting all fields that are linked in our frameworks
+    # see koha bug 2634.
+    # rudimentary injection protection with the grep below.  This is a temporary fix that needs to be  adressed more seriously.
+    my $kohafields = join ( ',', grep { $_ =~ /^biblio\.\w+$|^biblioitems\.\w+$|items\.\w+$/ } map { $_->[0] } @$fields);
+    my $query = "SELECT $kohafields, items.notforloan as itemnotforloan, itemtypes.*
                  FROM items 
                  LEFT JOIN biblio ON biblio.biblionumber = items.biblionumber
                  LEFT JOIN biblioitems ON biblioitems.biblioitemnumber = items.biblioitemnumber";
-- 
1.5.5.GIT