steuerfilterung.pl: SQL injection verhindern

diff --git a/sql/Pg-upgrade2/steuerfilterung.pl b/sql/Pg-upgrade2/steuerfilterung.pl
index 36bc5f2..1b454e3 100644 (file)
--- a/sql/Pg-upgrade2/steuerfilterung.pl
+++ b/sql/Pg-upgrade2/steuerfilterung.pl
@@ -19,7 +19,6 @@ sub run {
   $self->db_query($query);
 
   if ( $::form->{continued_tax} ) {
-    my $update_query;
     foreach my $i (1 .. $::form->{rowcount}) {
       $tax_id = $::form->{"tax_id_$i"};
       $categories = '';
@@ -29,11 +28,9 @@ sub run {
       $categories .= 'C' if $::form->{"costs_$i"};
       $categories .= 'I' if $::form->{"revenue_$i"};
       $categories .= 'E' if $::form->{"expense_$i"};
-      $update_query = qq|UPDATE tax SET chart_categories = '$categories' WHERE id=$tax_id;|;
-      $self->db_query($update_query);
+      $self->db_query(qq|UPDATE tax SET chart_categories = ? WHERE id = ?|, bind => [ $categories, $tax_id ]);
     }
-    $update_query = qq|ALTER TABLE tax ALTER COLUMN chart_categories SET NOT NULL|;
-    $self->db_query($update_query);
+    $self->db_query(qq|ALTER TABLE tax ALTER COLUMN chart_categories SET NOT NULL|);
     return 1;
   }
 
@@ -75,10 +72,7 @@ sub run {
       && ($ref->{taxdescription} =~ $_->{taxdescription})
     } @well_known_taxes;
     if ($well_known_tax) {
-      $categories = $well_known_tax->{categories};
-      $tax_id = $ref->{tax_id};
-      $query = qq|UPDATE tax SET chart_categories = '$categories' WHERE id=$tax_id;|;
-      $self->db_query($query);
+      $self->db_query(qq|UPDATE tax SET chart_categories = ? WHERE id = ?|, bind => [ $well_known_tax->{categories}, $ref->{tax_id} ]);
     } else {
       $ref->{rate} = $::form->format_amount(\%::myconfig, $ref->{rate} * 100);
       push @{ $::form->{PARTS} }, $ref;