http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7447

Paul Poulain <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Failed QA                   |Needs Signoff

--- Comment #3 from Paul Poulain <[email protected]> 2012-02-13 14:01:37 UTC ---
(In reply to comment #2)
> This patch doesn't do any kind of format-checking on the 'date' param, and
> then loads the variable directly into the SQL.  This could cause the query
> to fail (at best), return completely different values than intended, or
> destroy entire tables (at very worst).

I disagree, the following line quotes & makes the query safe:
+    $date=$dbh->quote($date);
It's needed, as, if there is no $date passed, then the date must be compared to
NOW(), which is made on the else:
+    $date="NOW()";
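Review bot: the `$dbh->quote($date)` line escapes the value but, as comment #2 points out, still hands an unvalidated string to the date comparison, so a malformed date reaches the query. The `NOW()` fallback on the else branch is what rules out a plain placeholder, and it can be kept while binding the date: write the comparison as `<= COALESCE(?, NOW())`, call `$sth->execute($date)`, and leave `$date` undef when no date was supplied, so the statement text never carries user input.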


> The date variable should be parameterized for the sth->execute(), and should
> be rigorously checked for proper date formatting.  If the incoming value is
> not a correct date, either warn and use NOW(), or abort the script.

We don't do any format checking in most of the scripts, this script does not
differ from others.

If you think we must enforce our coding guidelines, that's another topic (and
I tend to agree with it) that should be discussed outside of this patch.

Switching back to "needs signoff"

_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
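Added worked example, not part of the bug report and not Koha's code: a Perl/DBI sketch of the two approaches argued above. `count_due_by` does what comment #2 asks for (a strict date check, the value bound with a placeholder, and the NOW() fallback kept inside the SQL via COALESCE); `count_due_by_quoted` follows the pattern of the patch (`$dbh->quote` plus interpolation) for contrast. The `issues`/`date_due` schema, the helper names and the in-memory SQLite stand-in (whose `date('now')` plays the role of MySQL's `NOW()`) are all assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Hypothetical helper, not Koha code: accept only YYYY-MM-DD, reject
# impossible calendar dates, return undef for anything else.
sub parse_iso_date {
    my ($raw) = @_;
    return undef unless defined $raw;
    my @ymd = $raw =~ /\A(\d{4})-(\d{2})-(\d{2})\z/;
    return undef unless @ymd;
    my ($y, $m, $d) = @ymd;
    return undef if $m < 1 || $m > 12 || $d < 1;
    my @days = (31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31);
    $days[1] = 29 if ($y % 4 == 0 && $y % 100 != 0) || $y % 400 == 0;
    return undef if $d > $days[$m - 1];
    return sprintf '%04d-%02d-%02d', $y, $m, $d;
}

# Bound parameter plus COALESCE: the value travels as data, and the
# "no date given" case is still answered by the database clock.  MySQL
# would spell the fallback NOW(); SQLite's date('now') is used here.
sub count_due_by {
    my ($dbh, $raw_date) = @_;
    my $date = parse_iso_date($raw_date);
    warn "malformed date '$raw_date' ignored, using current date\n"
        if defined $raw_date && !defined $date;
    my $sth = $dbh->prepare(
        q{SELECT COUNT(*) FROM issues WHERE date_due <= COALESCE(?, date('now'))}
    );
    $sth->execute($date);            # undef binds as SQL NULL
    my ($n) = $sth->fetchrow_array;
    return $n;
}

# The pattern from the patch under discussion, for contrast: quote() does
# keep the value inside its string literal, but whatever was typed is still
# compared against date_due, so a malformed input quietly yields a
# different answer instead of an error.
sub count_due_by_quoted {
    my ($dbh, $raw_date) = @_;
    my $date = defined $raw_date ? $dbh->quote($raw_date) : "date('now')";
    my ($n) = $dbh->selectrow_array(
        "SELECT COUNT(*) FROM issues WHERE date_due <= $date"
    );
    return $n;
}

# Constructed sample data in an in-memory SQLite database standing in for
# the real schema; table and column names are assumed, not Koha's.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE issues (itemnumber INTEGER, date_due TEXT)');
$dbh->do(q{INSERT INTO issues VALUES (1, '2012-01-15'), (2, '2012-02-20'), (3, '2099-01-01')});

# A valid date, no date, an injection-shaped string, and an impossible date.
for my $in ('2012-02-01', undef, "2012-02-01' OR '1'='1", '2012-13-45') {
    my $shown = defined $in ? "'$in'" : 'undef';
    printf "%-26s bound: %d  quoted: %d\n",
        $shown, count_due_by($dbh, $in), count_due_by_quoted($dbh, $in);
}
```

Running it shows the point both sides are making: neither variant lets the injection-shaped input alter the statement (quote() escapes the embedded quote, the placeholder never sees SQL text), but only the bound variant warns and falls back for the two malformed inputs, while the quoted variant silently compares `date_due` against the literal junk string and returns whatever that comparison happens to produce.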
