From: Moritz Bunkus
Date: Mon, 29 Jul 2013 13:18:43 +0000 (+0200)
Subject: steuerfilterung.pl: SQL injection verhindern
X-Git-Tag: release-3.1.0beta1~131
X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=44e8084a0fc69c9e9afea5531186eb28a1b2473a;p=kivitendo-erp.git
steuerfilterung.pl: SQL injection verhindern
---
diff --git a/sql/Pg-upgrade2/steuerfilterung.pl b/sql/Pg-upgrade2/steuerfilterung.pl
index 36bc5f2dc..1b454e3b0 100644
--- a/sql/Pg-upgrade2/steuerfilterung.pl
+++ b/sql/Pg-upgrade2/steuerfilterung.pl
@@ -19,7 +19,6 @@ sub run {
 $self->db_query($query);
 if ( $::form->{continued_tax} ) {
-my $update_query;
 foreach my $i (1 .. $::form->{rowcount}) {
 $tax_id = $::form->{"tax_id_$i"};
 $categories = '';
@@ -29,11 +28,9 @@ sub run {
 $categories .= 'C' if $::form->{"costs_$i"};
 $categories .= 'I' if $::form->{"revenue_$i"};
 $categories .= 'E' if $::form->{"expense_$i"};
-$update_query = qq|UPDATE tax SET chart_categories = '$categories' WHERE id=$tax_id;|;
-$self->db_query($update_query);
+$self->db_query(qq|UPDATE tax SET chart_categories = ? WHERE id = ?|, bind => [ $categories, $tax_id ]);
 }
-$update_query = qq|ALTER TABLE tax ALTER COLUMN chart_categories SET NOT NULL|;
-$self->db_query($update_query);
+$self->db_query(qq|ALTER TABLE tax ALTER COLUMN chart_categories SET NOT NULL|);
 return 1;
 }
@@ -75,10 +72,7 @@ sub run {
 && ($ref->{taxdescription} =~ $_->{taxdescription}) } @well_known_taxes;
 if ($well_known_tax) {
-$categories = $well_known_tax->{categories};
-$tax_id = $ref->{tax_id};
-$query = qq|UPDATE tax SET chart_categories = '$categories' WHERE id=$tax_id;|;
-$self->db_query($query);
+$self->db_query(qq|UPDATE tax SET chart_categories = ? WHERE id = ?|, bind => [ $well_known_tax->{categories}, $ref->{tax_id} ]);
 } else {
 $ref->{rate} = $::form->format_amount(\%::myconfig, $ref->{rate} * 100);
 push @{ $::form->{PARTS} }, $ref;
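Review bot: `$tax_id`, read from `$::form->{"tax_id_$i"}` in the first hunk, reaches the new bound `db_query` call in the second hunk without any check that it is defined and numeric, so an empty or malformed row value would presumably now be rejected by the database at the UPDATE rather than reported by the upgrade script itself. Binding the values closes the injection, but the form input should still be validated before the statement runs, e.g. `die "invalid tax_id in row $i" unless defined $tax_id && $tax_id =~ m{\A\d+\z};` placed before the `db_query` call. The `foreach` loop and the enclosing `sub run` both begin outside this hunk.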
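Review bot: The UPDATE text `UPDATE tax SET chart_categories = ? WHERE id = ?` is now spelled out twice, in the added line of this third hunk and in the second hunk, differing only in their bind values. Defining it once near the top of `run`, e.g. `my $update_categories_query = qq|UPDATE tax SET chart_categories = ? WHERE id = ?|;`, and passing that variable to both `db_query` calls keeps the two paths from drifting apart later. `sub run` starts and ends outside this hunk.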