Hi,

On Wed, Aug 4, 2010 at 10:08 AM, Michael Hafen <[email protected]> wrote:
> I would think that the $dbh->quote() function should be used here.
> Especially if $date can come from the browser. A placeholder and
> passing $date through $rq->execute() would accomplish the same thing.

... and remove a possible entry point for SQL injection.

I've submitted and will push a new patch that uses placeholders. Direct interpolation of strings into queries should be removed on sight, and if for some reason a placeholder cannot be used, $dbh->quote() should be used.

Regards,

Galen

--
Galen Charlton
[email protected]

_______________________________________________
Koha-patches mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-patches
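The three approaches discussed in this thread side by side, as an added example rather than Koha's own code or the patch under review: an interpolated query, the placeholder form the patch switches to, and the $dbh->quote() fallback. It runs against a constructed in-memory SQLite table (the table name, columns and rows are invented for the demonstration) and assumes the DBI and DBD::SQLite modules are installed.

```perl
#!/usr/bin/perl
# Added example, not Koha code: contrasts string interpolation with DBI
# placeholders and $dbh->quote() against a constructed in-memory SQLite table.
# Assumes DBI and DBD::SQLite are available.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect( "dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 } );

# Constructed sample data standing in for a real circulation table.
$dbh->do("CREATE TABLE issues (itemnumber INTEGER, issuedate TEXT)");
my $ins = $dbh->prepare("INSERT INTO issues (itemnumber, issuedate) VALUES (?, ?)");
$ins->execute( 1, '2010-08-04' );
$ins->execute( 2, '2010-08-05' );

# Unsafe: the value is spliced into the SQL text, so a quote character in it
# becomes part of the query structure instead of staying data.
sub count_by_interpolation {
    my ($date) = @_;
    my $sth = $dbh->prepare("SELECT COUNT(*) FROM issues WHERE issuedate = '$date'");
    $sth->execute();
    return ( $sth->fetchrow_array )[0];
}

# Preferred: a placeholder sends the value to the driver separately from the
# SQL text, so it can never be parsed as SQL.
sub count_by_placeholder {
    my ($date) = @_;
    my $sth = $dbh->prepare("SELECT COUNT(*) FROM issues WHERE issuedate = ?");
    $sth->execute($date);
    return ( $sth->fetchrow_array )[0];
}

# Fallback when a placeholder cannot be used: $dbh->quote() escapes the value
# and wraps it in the quoting the driver expects.
sub count_by_quote {
    my ($date) = @_;
    my $quoted = $dbh->quote($date);
    my $sth = $dbh->prepare("SELECT COUNT(*) FROM issues WHERE issuedate = $quoted");
    $sth->execute();
    return ( $sth->fetchrow_array )[0];
}

# A well-formed date behaves the same way in all three forms.
print "placeholder:   ", count_by_placeholder('2010-08-04'), "\n";
print "quote():       ", count_by_quote('2010-08-04'), "\n";

# Constructed untrusted input: a stray apostrophe, as a browser could send.
my $untrusted = "2010-08-04'";

# With interpolation the apostrophe rewrites the SQL and SQLite rejects the
# query; input that can change the query text can change its meaning.
my $n = eval { count_by_interpolation($untrusted) };
print "interpolation: ", ( defined $n ? "$n\n" : "query failed: $@" );

# Placeholder and quote() both keep the apostrophe as data: the lookup simply
# finds no matching row and no error is raised.
print "placeholder:   ", count_by_placeholder($untrusted), "\n";
print "quote():       ", count_by_quote($untrusted), "\n";
```

The placeholder form is the one to reach for in new code: the driver never sees the value as SQL, so nothing in it needs escaping. $dbh->quote() produces a correctly escaped literal for the connected driver and is the right tool only where the SQL text genuinely has to be assembled by hand.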
