Hi,

Please use placeholders in SQL statements.

Your patch could result in SQL injection if a user may change the C4::Branch::mybranch return value, or result in an SQL error if branchname contains the "'" (quote) character.

The 'safe' way should be:

    $bsth = $dbh->prepare("SELECT branchcode,branchname FROM branches WHERE branchcode = ?");
    $bsth->execute(C4::Branch::mybranch());

As here the 'prepare' is in an if-clause, the 'execute' should be too (as the parameters are dependent on the placeholders), resulting in something like:

    my $bsth;
    if ( C4::Context->preference("searchMyLibraryOnly") ) {
        $bsth = $dbh->prepare("SELECT branchcode,branchname FROM branches WHERE branchcode = ?"); # FIXME : use C4::Branch::GetBranches
        $bsth->execute(C4::Branch::mybranch());
    }
    else {
        $bsth = $dbh->prepare("SELECT branchcode,branchname FROM branches");
        $bsth->execute();
    }

Thanks.

-- 
Frère Sébastien Marie
Abbaye Notre Dame de La Trappe
61380 Soligny-la-Trappe
Tél: 02.33.84.17.00
Fax: 02.33.34.98.57
Web: http://www.latrappe.fr/

On Wed, Jun 29, 2011 at 05:44:21PM +0100, Peter Lorimer wrote:
> If I search for a valid ISBN number and hit the Z39.50 search, the title field
> is populated with the ISBN number I searched for. This number should populate
> the ISBN field and not the title field.
> ---
> C4/Search.pm | 34 +++++++++++++++++++++++++++++-----
> 1 files changed, 29 insertions(+), 5 deletions(-)
[...]
>+ my $bsth;
>+ if ( C4::Context->preference("searchMyLibraryOnly") )
>+ {
>+ $bsth =$dbh->prepare("SELECT branchcode,branchname FROM branches
>WHERE branchcode = '". C4::Branch::mybranch() ."'
>+"); # FIXME : use C4::Branch::GetBranches
>+ }
>+ else
>+ {
>+ $bsth =$dbh->prepare("SELECT branchcode,branchname FROM branches
>");
>+ }
> $bsth->execute();
[...]

_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
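Review bot: in the searchMyLibraryOnly branch the statement is built by splicing the return value of C4::Branch::mybranch() into the SQL text (`WHERE branchcode = '". C4::Branch::mybranch() ."'`), so a branch code containing a quote breaks the statement and a value that is not fully trusted could change its meaning; prepare it as `WHERE branchcode = ?` and pass the value to `$bsth->execute(C4::Branch::mybranch())`. Because the bind values then differ between the two branches, the single `$bsth->execute();` after the if/else should move into each branch, with a bare `execute()` in the else. Separately, the commit message only describes the ISBN landing in the title field, while this hunk adds a library restriction to the search; the description should say so.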
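As an added illustration, not code from this thread or from Koha: a self-contained Perl script using DBI against an in-memory SQLite table constructed here (it assumes the DBI and DBD::SQLite modules are installed), showing the interpolated query from the patch failing on a branch code that contains a quote while the placeholder form, with execute() inside each branch of the if/else, handles the same value as plain data.

```perl
#!/usr/bin/perl
# Added example (not Koha's code): DBI placeholders vs. string interpolation.
# Assumes DBI and DBD::SQLite are installed; the branches table is constructed here.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE branches (branchcode TEXT PRIMARY KEY, branchname TEXT)");
$dbh->do("INSERT INTO branches VALUES (?, ?)", undef, "MAIN",   "Main Library");
$dbh->do("INSERT INTO branches VALUES (?, ?)", undef, "O'NEIL", "O'Neil Branch");

# The pattern in the patch: the branch code is spliced into the SQL text, so a
# quote inside it changes the statement instead of being treated as data.
sub rows_interpolated {
    my ($dbh, $branch) = @_;
    my $sth = $dbh->prepare("SELECT branchcode,branchname FROM branches "
                          . "WHERE branchcode = '" . $branch . "'");
    $sth->execute();
    return $sth->fetchall_arrayref();
}

# The shape suggested in the reply: a ? placeholder, with execute() inside each
# branch of the if/else because its arguments depend on which statement was prepared.
sub rows_placeholder {
    my ($dbh, $search_my_library_only, $branch) = @_;
    my $bsth;
    if ($search_my_library_only) {
        $bsth = $dbh->prepare("SELECT branchcode,branchname FROM branches WHERE branchcode = ?");
        $bsth->execute($branch);    # bound as a value, never parsed as SQL
    }
    else {
        $bsth = $dbh->prepare("SELECT branchcode,branchname FROM branches");
        $bsth->execute();
    }
    return $bsth->fetchall_arrayref();
}

for my $code ("MAIN", "O'NEIL") {   # "O'NEIL" stands in for a branch code holding a quote
    my $rows = eval { rows_interpolated($dbh, $code) };
    print "interpolated [$code]: ", ($@ ? "SQL error: " . (split /\n/, $@)[0] : @$rows . " row(s)"), "\n";
    $rows = rows_placeholder($dbh, 1, $code);
    print "placeholder  [$code]: ", scalar(@$rows), " row(s), first: $rows->[0][1]\n";
}
# Without the restriction the else branch returns every library.
my $all = rows_placeholder($dbh, 0, undef);
print "all branches: ", scalar(@$all), " row(s)\n";
```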