SQL-Injection vermeiden. Fix für Revisionen 2936, 2937.

author Moritz Bunkus <m.bunkus@linet-services.de>

Wed, 14 Nov 2007 10:08:32 +0000 (10:08 +0000)

committer Moritz Bunkus <m.bunkus@linet-services.de>

Wed, 14 Nov 2007 10:08:32 +0000 (10:08 +0000)
author Moritz Bunkus <m.bunkus@linet-services.de>
Wed, 14 Nov 2007 10:08:32 +0000 (10:08 +0000)
committer Moritz Bunkus <m.bunkus@linet-services.de>
Wed, 14 Nov 2007 10:08:32 +0000 (10:08 +0000)
diff --git a/SL/IS.pm b/SL/IS.pm

index 2cf1482..8ecddff 100644 (file)
--- a/SL/IS.pm
+++ b/SL/IS.pm
@@ -1513,7 +1513,13 @@ sub get_customer {
    }
  
    my $cid = conv_i($form->{customer_id});
-  my $payment_id = ($form->{payment_id}) ? "($form->{payment_id} = pt.id) OR" : "";
+  my $payment_id;
+
+  if ($form->{payment_id}) {
+    $payment_id = "(pt.id = ?) OR";
+    push @values, conv_i($form->{payment_id});
+  }
+
    # get customer
    $query =
      qq|SELECT
author	Moritz Bunkus <m.bunkus@linet-services.de>
	Wed, 14 Nov 2007 10:08:32 +0000 (10:08 +0000)
committer	Moritz Bunkus <m.bunkus@linet-services.de>
	Wed, 14 Nov 2007 10:08:32 +0000 (10:08 +0000)