From: Moritz Bunkus Date: Wed, 14 Nov 2007 10:08:32 +0000 (+0000) Subject: SQL-Injection vermeiden. Fix für Revisionen 2936, 2937. X-Git-Tag: release-2.6.0beta1~409 X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=cdfebb5085afaf1fe0f0278ca6172d5fe009bd9c;p=kivitendo-erp.git SQL-Injection vermeiden. Fix für Revisionen 2936, 2937.
---
diff --git a/SL/IS.pm b/SL/IS.pm
index 2cf148268..8ecddffde 100644
--- a/SL/IS.pm
+++ b/SL/IS.pm
@@ -1513,7 +1513,13 @@ sub get_customer {
 }
 my $cid = conv_i($form->{customer_id});
- my $payment_id = ($form->{payment_id}) ? "($form->{payment_id} = pt.id) OR" : "";
+ my $payment_id;
+
+ if ($form->{payment_id}) {
+ $payment_id = "(pt.id = ?) OR";
+ push @values, conv_i($form->{payment_id});
+ }
+
 # get customer
 $query = qq|SELECT
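Review bot: `my $payment_id;` leaves the variable undef when `$form->{payment_id}` is false, whereas the removed line defaulted it to `""`; if `$payment_id` is interpolated into the `qq|SELECT ...|` query that starts on the hunk's last line (its body is outside the hunk), that path now emits "Use of uninitialized value" warnings under `use warnings`, so declare it as `my $payment_id = "";`. The bind value is pushed onto `@values` before `$cid` is bound, so the `pt.id = ?` placeholder must precede the customer-id placeholder in the query text; neither the `@values` declaration nor the query body is visible here (get_customer starts before and continues after the hunk), so that ordering cannot be confirmed from this hunk. A comment on the push line would make the dependency explicit, e.g. `# bind order must match placeholder order in $query below`. With the fragment now a constant string and the value bound through `conv_i`, the interpolation of `$form->{payment_id}` into SQL is closed.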