[Koha-patches] [PATCH] When searching the catalogue, if I get no results then hit the Z39.50 search the title field in the pop up window is populated with what I searched for.
Frère Sébastien Marie
semarie-koha at latrappe.fr
Thu Jun 30 06:47:35 CEST 2011
Hi,
Please use placeholders in SQL statement.
Your patch could result in SQL injection if a user can change the C4::Branch::mybranch return value, or in an SQL error if branchname contains a "'" (quote) character.
The 'safe' way should be:
    $bsth = $dbh->prepare("SELECT branchcode,branchname FROM branches WHERE branchcode = ?");
    $bsth->execute(C4::Branch::mybranch());
As here the 'prepare' is in an if-clause, the 'execute' should be too (as the parameters depend on the placeholders), resulting in something like:
    my $bsth;
    if ( C4::Context->preference("searchMyLibraryOnly") ) {
        $bsth = $dbh->prepare("SELECT branchcode,branchname FROM branches WHERE branchcode = ?"); # FIXME : use C4::Branch::GetBranches
        $bsth->execute(C4::Branch::mybranch());
    } else {
        $bsth = $dbh->prepare("SELECT branchcode,branchname FROM branches");
        $bsth->execute();
    }
Thanks.
--
Frère Sébastien Marie
Abbaye Notre Dame de La Trappe
61380 Soligny-la-Trappe
Tél: 02.33.84.17.00
Fax: 02.33.34.98.57
Web: http://www.latrappe.fr/
On Wed, Jun 29, 2011 at 05:44:21PM +0100, Peter Lorimer wrote:
> If I search for a valid ISBN number and hit the Z39.50 search, the title field
> is populated with the ISBN number I searched for. This number should populate
> the ISBN field and not the title field.
> ---
> C4/Search.pm | 34 +++++++++++++++++++++++++++++-----
> 1 files changed, 29 insertions(+), 5 deletions(-)
[...]
>+ my $bsth;
>+ if ( C4::Context->preference("searchMyLibraryOnly") )
>+ {
>+ $bsth =$dbh->prepare("SELECT branchcode,branchname FROM branches WHERE branchcode = '". C4::Branch::mybranch() ."'
>+"); # FIXME : use C4::Branch::GetBranches
>+ }
>+ else
>+ {
>+ $bsth =$dbh->prepare("SELECT branchcode,branchname FROM branches ");
>+ }
> $bsth->execute();
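Review bot: the `+ $bsth =$dbh->prepare("SELECT branchcode,branchname FROM branches WHERE branchcode = '". C4::Branch::mybranch() ."'` line splices the branch code into the SQL text by string concatenation, so a quote character in the value breaks the statement and the value is not handled purely as data; use a `?` placeholder and pass `C4::Branch::mybranch()` to `execute`, which means the shared `$bsth->execute();` context line has to move into each arm of the `if`/`else`, since only the first arm binds a value. The quoted string also runs across two source lines, embedding a literal newline in the SQL, and the FIXME on the same line already points at C4::Branch::GetBranches, which would avoid hand-written SQL here altogether.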
[...]
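As an added illustration that is not part of the patch, the reply, or Koha's own code, the two query forms side by side on an in-memory SQLite copy of a minimal branches table: the concatenated form from the patch fails as soon as a branch code contains a quote, the placeholder form from the reply does not. `mybranch` stands in for `C4::Branch::mybranch()` and the rows are constructed; it assumes DBI and DBD::SQLite are installed.

```perl
#!/usr/bin/perl
# Added example (not from the patch or Koha): the concatenated query from
# the patch next to the placeholder query from the reply, run against an
# in-memory SQLite table. Requires DBI and DBD::SQLite.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE branches (branchcode TEXT PRIMARY KEY, branchname TEXT)");
# Constructed sample rows; the second branch code contains a quote on purpose.
$dbh->do("INSERT INTO branches VALUES (?, ?)", undef, 'MPL',  'Main Library');
$dbh->do("INSERT INTO branches VALUES (?, ?)", undef, "O'BR", "O'Brien Branch");

# Stand-in for C4::Branch::mybranch(): the current user's branch code.
sub mybranch { return $_[0] }

# Pattern from the patch: the branch code is concatenated into the SQL text.
sub lookup_concatenated {
    my ($code) = @_;
    my $sth = $dbh->prepare("SELECT branchcode,branchname FROM branches WHERE branchcode = '"
        . mybranch($code) . "'");
    $sth->execute();
    return $sth->fetchrow_hashref;
}

# Pattern from the reply: '?' placeholder, value bound at execute() time,
# so a quote inside the value stays data and never becomes SQL syntax.
sub lookup_placeholder {
    my ($code) = @_;
    my $sth = $dbh->prepare("SELECT branchcode,branchname FROM branches WHERE branchcode = ?");
    $sth->execute(mybranch($code));
    return $sth->fetchrow_hashref;
}

for my $code ('MPL', "O'BR") {
    my $row = eval { lookup_concatenated($code) };
    my $err = $@; chomp $err;
    print "concatenated [$code]: ", ($err ? "SQL error: $err" : $row->{branchname}), "\n";
    $row = lookup_placeholder($code);
    print "placeholder  [$code]: $row->{branchname}\n";
}
```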