[Koha-patches] [PATCH] Bug 5086 Pass claimed date correctly
Galen Charlton
gmcharlt at gmail.com
Wed Oct 6 13:45:05 CEST 2010
Hi,
On Wed, Aug 4, 2010 at 10:08 AM, Michael Hafen <mdhafen at tech.washk12.org> wrote:
> I would think that the $dbh->quote() function should be used here.
> Especially if $date can come from the browser. A place holder and
> passing $date through $rq->execute() would accomplish the same thing.
... and remove a possible entry point for SQL injection. I've
submitted and will push a new patch that uses placeholders. Direct
interpolation of strings into queries should be removed on sight, and
if for some reason a placeholder cannot be used, $dbh->quote() should
be used.
Regards,
Galen
--
Galen Charlton
gmcharlt at gmail.com
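The three variants discussed in this thread, side by side, as an added example that is not Koha's code or the patch under review. It assumes DBD::SQLite is installed, uses an in-memory database, and the table `serial` with a `claimdate` column is a constructed stand-in for illustration only; `claim_unsafe`, `claim_with_placeholder` and `claim_with_quote` are hypothetical helper names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample schema in an in-memory SQLite database (assumption:
# DBD::SQLite is available). Three rows, none of them claimed yet.
my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 } );
$dbh->do('CREATE TABLE serial (serialid INTEGER PRIMARY KEY, claimdate TEXT)');
$dbh->do('INSERT INTO serial (claimdate) VALUES (NULL), (NULL), (NULL)');

# UNSAFE: $date is interpolated straight into the SQL text. Anything the
# browser sends becomes part of the statement, not part of the data.
sub claim_unsafe {
    my ( $dbh, $serialid, $date ) = @_;
    return $dbh->do(
        "UPDATE serial SET claimdate = '$date' WHERE serialid = $serialid");
}

# PREFERRED: placeholders. The driver sends the values separately from the
# statement, so the quote and comment characters in $date are just bytes.
sub claim_with_placeholder {
    my ( $dbh, $serialid, $date ) = @_;
    my $sth = $dbh->prepare(
        'UPDATE serial SET claimdate = ? WHERE serialid = ?');
    return $sth->execute( $date, $serialid );
}

# FALLBACK when a placeholder cannot be used: $dbh->quote() escapes the
# string according to the driver's rules. The numeric id is forced to an
# integer with %d so it cannot carry SQL either.
sub claim_with_quote {
    my ( $dbh, $serialid, $date ) = @_;
    my $sql = sprintf(
        'UPDATE serial SET claimdate = %s WHERE serialid = %d',
        $dbh->quote($date), $serialid );
    return $dbh->do($sql);
}

# Constructed hostile input: a date followed by a clause that widens the
# WHERE to every row and comments out the rest of the original statement.
my $payload = "2010-10-06' WHERE 1=1 --";
my $reset   = sub { $dbh->do('UPDATE serial SET claimdate = NULL') };

printf "unsafe:      %d row(s) changed\n", claim_unsafe( $dbh, 1, $payload );
$reset->();
printf "placeholder: %d row(s) changed\n",
    claim_with_placeholder( $dbh, 1, $payload );
$reset->();
printf "quote:       %d row(s) changed\n",
    claim_with_quote( $dbh, 1, $payload );

$dbh->disconnect;
```

Run with `perl` and compare the row counts: the interpolated version lets the payload rewrite the WHERE clause and touches every row in the table, while the placeholder and `quote()` versions store the payload as an ordinary string in the one row that was asked for. Placeholders remain the first choice because the separation of code and data is done by the driver for every call, whereas `quote()` has to be remembered at each interpolation point and only covers string values, not identifiers or numbers.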
More information about the Koha-patches mailing list