From 4cba27b69dc65adeb0fb5b90335302a8f7407fa3 Mon Sep 17 00:00:00 2001
From: "G. Richardson"
Date: Mon, 18 Jun 2012 17:48:14 +0200
Subject: [PATCH] =?utf8?q?Erlaubte=20Sortierparameter=20f=C3=BCr=20Verkauf?=
 =?utf8?q?sbericht=20filtern?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Parameter nicht ungeprüft übergeben, aber Liste der erlauben Parameter muß gepflegt werden.
---
 SL/VK.pm | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/SL/VK.pm b/SL/VK.pm
index 9cf8bed8b..55c46f234 100644
--- a/SL/VK.pm
+++ b/SL/VK.pm
@@ -77,8 +77,13 @@ sub invoice_transactions {
 # Bestandteile von Erzeugnissen herausfiltern
 $where .= " AND i.assemblyitem is not true ";
- my $sortorder;
+ # filter allowed parameters for mainsort and subsort as passed by POST
+ my @databasefields = qw(description customername country partsgroup business salesman month);
+ my ($mainsort) = grep { /^$form->{mainsort}$/ } @databasefields;
+ my ($subsort) = grep { /^$form->{subsort}$/ } @databasefields;
+ die "illegal parameter for mainsort or subsort" unless $mainsort and $subsort;
+ my $sortorder;
 # sorting by month is a special case, we don't want to sort alphabetically by
 # month name, so we also extract a numerical month in the from YYYYMM to sort
 # by in case of month sorting
@@ -88,16 +93,15 @@ sub invoice_transactions {
 if ($form->{mainsort} eq 'month') {
 $sortorder .= "nummonth,"
 } else {
- $sortorder .= $form->{mainsort} . ",";
+ $sortorder .= $mainsort . ",";
 };
 if ($form->{subsort} eq 'month') {
 $sortorder .= "nummonth,"
 } else {
- $sortorder .= $form->{subsort} . ",";
+ $sortorder .= $subsort . ",";
 };
 $sortorder .= 'ar.transdate,ar.invnumber'; # Default sorting order after mainsort und subsort
-
 if ($form->{customer_id}) {
 $where .= " AND ar.customer_id = ?";
 push(@values, $form->{customer_id});
-- 
2.20.1
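Review bot: The allow-list check in the first hunk interpolates the raw POST value into a regex (`grep { /^$form->{mainsort}$/ }`), so a value containing regex metacharacters is either a pattern compile error (dying with a regex error instead of the intended message) or a wildcard such as `.*` that silently matches the first entry of `@databasefields` rather than being rejected; the name finally used still comes from the allow-list, so the SQL stays safe, but the match is not the exact comparison the comment promises, and `$` also admits a trailing newline. A plain string comparison does what is intended and needs no escaping: `my ($mainsort) = grep { $_ eq $form->{mainsort} } @databasefields;` and `my ($subsort)  = grep { $_ eq $form->{subsort} } @databasefields;` (or `\Q$form->{mainsort}\E` with `\A`/`\z` anchors if a regex is kept). In the second hunk the month checks still read `$form->{mainsort}` and `$form->{subsort}` while the else branches use the validated `$mainsort`/`$subsort`; comparing the validated names throughout would make the allow-list the single source of truth. invoice_transactions starts before the first hunk and continues past the second.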