From 165d1a99e7402a0cbd600dfd4a56cec8feff9ae5 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Sven=20Sch=C3=B6ling?= <s.schoeling@linet-services.de>
Date: Wed, 8 Jan 2014 14:35:44 +0100
Subject: [PATCH] SQL injection bei Zahlungsverkehr behoben

---
 SL/CP.pm | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/SL/CP.pm b/SL/CP.pm
index 21e74de3c..e2b9f48cb 100644
--- a/SL/CP.pm
+++ b/SL/CP.pm
@@ -147,23 +147,23 @@ sub get_openinvoices {
 
   my $buysell = $form->{vc} eq 'customer' ? "buy" : "sell";
   my $arap = $form->{arap} eq "ar" ? "ar" : "ap";
-  my $invnumber = $form->{invnumber};
-  $invnumber =~ s/^\s+//m;
-  $invnumber =~ s/\s+$//m;
-  
-  my $whereinvoice = $invnumber ? qq| AND a.invnumber LIKE '| . $invnumber . qq|' | : undef;
+
+  my @values = (conv_i($form->{"${vc}_id"}), "$form->{currency}");
+  my $whereinvoice = '';
+  if ($::form->{invnumber}) {
+    $whereinvoice = ' AND a.invnumber LIKE ? ';
+    push @values, $::form->{invnumber};
+  }
 
   my $query =
      qq|SELECT a.id, a.invnumber, a.transdate, a.amount, a.paid, cu.name AS curr | .
      qq|FROM $arap a | .
      qq|LEFT JOIN currencies cu ON (cu.id=a.currency_id)| .
      qq|WHERE (a.${vc}_id = ?) AND cu.name = ? AND NOT (a.amount = a.paid)| .
-	 $whereinvoice .
+     $whereinvoice .
      qq|ORDER BY a.id|;
-	 
-  my $sth = prepare_execute_query($form, $dbh, $query,
-                                  conv_i($form->{"${vc}_id"}),
-                                  "$form->{currency}");
+
+  my $sth = prepare_execute_query($form, $dbh, $query, @values);
 
   $form->{PR} = [];
   while (my $ref = $sth->fetchrow_hashref("NAME_lc")) {
-- 
2.20.1