From 44e8084a0fc69c9e9afea5531186eb28a1b2473a Mon Sep 17 00:00:00 2001
From: Moritz Bunkus
Date: Mon, 29 Jul 2013 15:18:43 +0200
Subject: [PATCH] steuerfilterung.pl: SQL injection verhindern

---
 sql/Pg-upgrade2/steuerfilterung.pl | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/sql/Pg-upgrade2/steuerfilterung.pl b/sql/Pg-upgrade2/steuerfilterung.pl
index 36bc5f2dc..1b454e3b0 100644
--- a/sql/Pg-upgrade2/steuerfilterung.pl
+++ b/sql/Pg-upgrade2/steuerfilterung.pl
@@ -19,7 +19,6 @@ sub run {
     $self->db_query($query);
 
     if ( $::form->{continued_tax} ) {
-      my $update_query;
       foreach my $i (1 .. $::form->{rowcount}) {
         $tax_id = $::form->{"tax_id_$i"};
         $categories = '';
@@ -29,11 +28,9 @@ sub run {
         $categories .= 'C' if $::form->{"costs_$i"};
         $categories .= 'I' if $::form->{"revenue_$i"};
         $categories .= 'E' if $::form->{"expense_$i"};
-        $update_query = qq|UPDATE tax SET chart_categories = '$categories' WHERE id=$tax_id;|;
-        $self->db_query($update_query);
+        $self->db_query(qq|UPDATE tax SET chart_categories = ? WHERE id = ?|, bind => [ $categories, $tax_id ]);
       }
-      $update_query = qq|ALTER TABLE tax ALTER COLUMN chart_categories SET NOT NULL|;
-      $self->db_query($update_query);
+      $self->db_query(qq|ALTER TABLE tax ALTER COLUMN chart_categories SET NOT NULL|);
       return 1;
     }
 
@@ -75,10 +72,7 @@ sub run {
                                   && ($ref->{taxdescription} =~ $_->{taxdescription}) } @well_known_taxes;
 
     if ($well_known_tax) {
-      $categories = $well_known_tax->{categories};
-      $tax_id     = $ref->{tax_id};
-      $query      = qq|UPDATE tax SET chart_categories = '$categories' WHERE id=$tax_id;|;
-      $self->db_query($query);
+      $self->db_query(qq|UPDATE tax SET chart_categories = ? WHERE id = ?|, bind => [ $well_known_tax->{categories}, $ref->{tax_id} ]);
     } else {
       $ref->{rate} = $::form->format_amount(\%::myconfig, $ref->{rate} * 100);
       push @{ $::form->{PARTS} }, $ref;
-- 
2.20.1
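Review bot: `$tax_id` on the rewritten UPDATE line in the second hunk is still whatever the form submitted as `tax_id_$i`; as a bound parameter it can no longer change the statement, but an empty or non-numeric value will now surface as a database error from inside the loop instead of a readable validation failure. Checking it right after it is read keeps the failure clear: `die "invalid tax_id in row $i" unless $tax_id =~ m{\A\d+\z};`. Whether a failing row leaves the rows before it already updated depends on how `db_query` handles transactions, which is not visible here. The new call also runs well past 80 columns; putting the query and the `bind` list on separate lines would help. `run` begins and ends outside the hunk.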
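Review bot: The placeholder UPDATE added in the third hunk is the same statement already spelled out in the second hunk (`UPDATE tax SET chart_categories = ? WHERE id = ?`), so the two copies can drift apart. Declaring it once near the top of `run`, e.g. `my $set_categories_query = qq|UPDATE tax SET chart_categories = ? WHERE id = ?|;`, and passing that variable to both `db_query` calls keeps them in sync and also shortens the added line, which currently runs well past 80 columns. The regex match on `$_->{taxdescription}` that selects `$well_known_tax` is unchanged context; `run` begins and ends outside the hunk.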