From cdfebb5085afaf1fe0f0278ca6172d5fe009bd9c Mon Sep 17 00:00:00 2001
From: Moritz Bunkus
Date: Wed, 14 Nov 2007 10:08:32 +0000
Subject: [PATCH] =?utf8?q?SQL-Injection=20vermeiden.=20Fix=20f=C3=BCr=20Re?=
 =?utf8?q?visionen=202936,=202937.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

---
 SL/IS.pm | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/SL/IS.pm b/SL/IS.pm
index 2cf148268..8ecddffde 100644
--- a/SL/IS.pm
+++ b/SL/IS.pm
@@ -1513,7 +1513,13 @@ sub get_customer {
   }
   my $cid = conv_i($form->{customer_id});
-  my $payment_id = ($form->{payment_id}) ? "($form->{payment_id} = pt.id) OR" : "";
+  my $payment_id;
+
+  if ($form->{payment_id}) {
+    $payment_id = "(pt.id = ?) OR";
+    push @values, conv_i($form->{payment_id});
+  }
+
   # get customer
   $query = qq|SELECT
-- 
2.20.1
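Review bot: When $form->{payment_id} is false the new `my $payment_id;` leaves the variable undef, whereas the removed line initialised it to "", so interpolating it into $query further down (outside this hunk) now raises a "Use of uninitialized value" warning under use warnings; declare it as `my $payment_id = '';` instead. The bind value is pushed onto @values, whose declaration is not visible in the hunk — it must already be declared in get_customer and hold no stale entries from an earlier query, and this push has to precede any other placeholder in the SELECT built below, otherwise the parameters shift silently; worth confirming against the rest of the sub. Replacing the interpolated id with a `?` placeholder plus conv_i() is the right fix for the injection; only the initialisation and bind-order points remain. get_customer starts and ends outside the hunk.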