SQL-Injection vermeiden. Fix für Revisionen 2936, 2937.
authorMoritz Bunkus <m.bunkus@linet-services.de>
Wed, 14 Nov 2007 10:08:32 +0000 (10:08 +0000)
committerMoritz Bunkus <m.bunkus@linet-services.de>
Wed, 14 Nov 2007 10:08:32 +0000 (10:08 +0000)
SL/IS.pm

index 2cf1482..8ecddff 100644 (file)
--- a/SL/IS.pm
+++ b/SL/IS.pm
@@ -1513,7 +1513,13 @@ sub get_customer {
   }
 
   my $cid = conv_i($form->{customer_id});
-  my $payment_id = ($form->{payment_id}) ? "($form->{payment_id} = pt.id) OR" : "";
+  my $payment_id;
+
+  if ($form->{payment_id}) {
+    $payment_id = "(pt.id = ?) OR";
+    push @values, conv_i($form->{payment_id});
+  }
+
   # get customer
   $query =
     qq|SELECT
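Review bot: `my $payment_id;` on the new side leaves the variable undef whenever `$form->{payment_id}` is false, whereas the removed line initialised it to `""`; interpolating an undef into the `qq|SELECT ...|` query text that begins at the end of the hunk still yields an empty string but emits an "Use of uninitialized value" warning under `use warnings`. Initialise it instead: `my $payment_id = '';`. The `push @values, conv_i(...)` also ties the bound value's position to where the `(pt.id = ?) OR` fragment lands in the query text; `@values` is declared outside the hunk and the query body continues past it, so I cannot confirm that this `?` is the first placeholder in bind order — a comment such as `# push order must match placeholder order in $query` above the `if` would make that coupling visible to the next editor.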