[Koha-patches] [PATCH] When searching the catalogue, if I get no results then hit the Z39.50 search the title field in the pop up window is populated with what I searched for.
Nicole Engard
nengard at gmail.com
Thu Jun 30 12:23:04 CEST 2011
Also, what bug number is this patch for?
Nicole
2011/6/30 Frère Sébastien <semarie-koha at latrappe.fr>:
> Hi,
>
> Please use placeholders in SQL statement.
>
> Your patch could result in SQL injection if a user can change the C4::Branch::mybranch return value, or in an SQL error if branchname contains a "'" (quote) character.
>
> The 'safe' way should be:
> $bsth =$dbh->prepare("SELECT branchcode,branchname FROM branches WHERE branchcode = ?");
> $bsth->execute(C4::Branch::mybranch());
>
> As here the 'prepare' is in the if-clause, the 'execute' should be too (as the parameters depend on the placeholders), resulting in something like:
>
> my $bsth;
> if ( C4::Context->preference("searchMyLibraryOnly") ) {
> $bsth = $dbh->prepare("SELECT branchcode,branchname FROM branches WHERE branchcode = ?"); # FIXME : use C4::Branch::GetBranches
> $bsth->execute(C4::Branch::mybranch());
> } else {
> $bsth = $dbh->prepare("SELECT branchcode,branchname FROM branches");
> $bsth->execute();
> }
>
>
> Thanks.
> --
> Frère Sébastien Marie
> Abbaye Notre Dame de La Trappe
> 61380 Soligny-la-Trappe
> Tél: 02.33.84.17.00
> Fax: 02.33.34.98.57
> Web: http://www.latrappe.fr/
>
> On Wed, Jun 29, 2011 at 05:44:21PM +0100, Peter Lorimer wrote:
>> If I search for a valid ISBN number and hit the Z39.50 search, the title field
>> is populated with the ISBN number I searched for. This number should populate
>> the ISBN field and not the title field.
>> ---
>> C4/Search.pm | 34 +++++++++++++++++++++++++++++-----
>> 1 files changed, 29 insertions(+), 5 deletions(-)
>
> [...]
>
>>+ my $bsth;
>>+ if ( C4::Context->preference("searchMyLibraryOnly") )
>>+ {
>>+ $bsth =$dbh->prepare("SELECT branchcode,branchname FROM branches WHERE branchcode = '". C4::Branch::mybranch() ."'
>>+"); # FIXME : use C4::Branch::GetBranches
>>+ }
>>+ else
>>+ {
>>+ $bsth =$dbh->prepare("SELECT branchcode,branchname FROM branches ");
>>+ }
>> $bsth->execute();
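Review bot: the `prepare` in the `searchMyLibraryOnly` branch builds the WHERE clause by string concatenation (`"... WHERE branchcode = '". C4::Branch::mybranch() ."'`), so the statement breaks on any branch code containing a quote and becomes an SQL injection point if that value is ever attacker-influenced; replace the literal with a `?` placeholder and bind the value at execute time. Because only the first branch has a bind value, the shared `$bsth->execute();` after the if/else cannot stay as-is: move it into each branch, as `$bsth->execute(C4::Branch::mybranch());` in the first and `$bsth->execute();` in the second. The quoted string literal also runs across a line break, so the newline before the closing `"` is currently part of the query text; closing the string on one line removes that as well.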
>
> [...]
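The contrast the review draws (an interpolated branch code versus a `?` placeholder, and the `execute` call moving into each branch of the if/else) as a stand-alone script. This is an added example, not Koha code: it uses an in-memory SQLite database in place of Koha's schema, a `mybranch` stub in place of `C4::Branch::mybranch`, a boolean argument in place of the `searchMyLibraryOnly` preference, and constructed sample rows, one of which has a quote in its code to trigger the SQL error the review describes. It assumes DBI and DBD::SQLite are installed.

```perl
#!/usr/bin/env perl
# Added example (not Koha code): string-built WHERE clause versus DBI placeholder.
# Assumes DBD::SQLite; the `branches` table and its rows are constructed here.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 });

# Constructed sample data: one ordinary branch and one whose code contains a quote.
$dbh->do("CREATE TABLE branches (branchcode TEXT PRIMARY KEY, branchname TEXT)");
my $ins = $dbh->prepare("INSERT INTO branches (branchcode, branchname) VALUES (?, ?)");
$ins->execute("MPL",    "Main Public Library");
$ins->execute("O'HARA", "O'Hara Branch");

# Stand-in for C4::Branch::mybranch(): the value comes from the session, not from
# a literal in the program, so the query has to treat it as data, not SQL text.
sub mybranch { return $_[0] }

# The shape from the patch: the branch code is spliced into the SQL string.
# A quote in the value breaks the statement; an attacker-controlled value could
# change its meaning.
sub branches_interpolated {
    my ($dbh, $branch) = @_;
    my $bsth = $dbh->prepare(
        "SELECT branchcode, branchname FROM branches WHERE branchcode = '" . $branch . "'");
    $bsth->execute();
    return $bsth->fetchall_arrayref({});
}

# The shape from the review: a ? placeholder, with the value bound at execute().
# Because only one branch of the if/else has a bind value, execute() lives inside
# each branch rather than after the block.
sub branches_placeholder {
    my ($dbh, $my_library_only, $branch) = @_;
    my $bsth;
    if ($my_library_only) {
        $bsth = $dbh->prepare(
            "SELECT branchcode, branchname FROM branches WHERE branchcode = ?");
        $bsth->execute($branch);   # the driver quotes/escapes the value itself
    } else {
        $bsth = $dbh->prepare("SELECT branchcode, branchname FROM branches");
        $bsth->execute();
    }
    return $bsth->fetchall_arrayref({});
}

for my $branch (mybranch("MPL"), mybranch("O'HARA")) {
    my $rows = eval { branches_interpolated($dbh, $branch) };
    print "interpolated [$branch]: ",
        ($@ ? "SQL error: $@" : scalar(@$rows) . " row(s)\n");

    $rows = branches_placeholder($dbh, 1, $branch);
    print "placeholder  [$branch]: ", scalar(@$rows), " row(s)\n";
}

# With searchMyLibraryOnly off, the unfiltered query returns every branch.
my $all = branches_placeholder($dbh, 0, undef);
print "all branches: ", scalar(@$all), " row(s)\n";
```

Run with `perl` and compare the two lines printed for `O'HARA`: the interpolated form raises a syntax error from the database, while the placeholder form returns the row, because the bound value is never parsed as part of the statement.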