[Koha-devel] Many DBI updates going through as part of bug 662 fix


From: MJ Ray
Subject: [Koha-devel] Many DBI updates going through as part of bug 662 fix
Date: Wed Dec 3 04:00:05 2003

I'm reviewing nearly all DBI calls in koha after finding non-placeholder use of user values. They could leave koha open to SQL insertion attacks, possibly from users. I really don't want that to happen. I'm about 10% done. The main changes I'm making are:

1. Rephrasing anything like
     $sth = $dbh->prepare("select * from borrowers where borrowernum=$bornum");
     $sth->execute();
   into
     $sth = $dbh->prepare("select * from borrowers where borrowernum=?");
     $sth->execute($bornum);

2. Rephrasing
     $query = "some string";
     $sth = $dbh->prepare($query);
   into
     $sth = $dbh->prepare("some string");

3. Removing suggestions about using $dbh->do("select * from foo where id=$bar") from comments.
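The before/after from point 1, and the bind-value form of $dbh->do from point 3, as an added runnable example (not code from this message or from Koha); it assumes DBD::SQLite is installed and builds its own small borrowers table in memory.

```perl
#!/usr/bin/perl
# Added example, not Koha code. Assumes DBD::SQLite; the table, its rows
# and the sample input are constructed here, not taken from Koha.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE borrowers (borrowernum INTEGER, surname TEXT)");
$dbh->do("INSERT INTO borrowers VALUES (1, 'Ray'), (2, 'Smith')");

# Before: the user value is interpolated into the SQL text, so whatever the
# user typed becomes part of the WHERE clause itself.
sub lookup_interpolated {
    my ($bornum) = @_;
    my $sth = $dbh->prepare(
        "select * from borrowers where borrowernum=$bornum");
    $sth->execute();
    return $sth->fetchall_arrayref();
}

# After: a placeholder in the statement, the value passed to execute().
# The driver hands it over as data, so the same string is compared as a
# single literal and cannot alter the query's structure.
sub lookup_placeholder {
    my ($bornum) = @_;
    my $sth = $dbh->prepare(
        "select * from borrowers where borrowernum=?");
    $sth->execute($bornum);
    return $sth->fetchall_arrayref();
}

# Point 3: $dbh->do also accepts bind values (after the attribute hashref),
# so there is no need to interpolate into a do() string either.
sub delete_borrower {
    my ($bornum) = @_;
    return $dbh->do("delete from borrowers where borrowernum=?", undef, $bornum);
}

my $hostile = "1 or 1=1";   # constructed sample of a user-supplied value
printf "interpolated: %d rows\n", scalar @{ lookup_interpolated($hostile) };
printf "placeholder:  %d rows\n", scalar @{ lookup_placeholder($hostile) };
printf "deleted:      %d rows\n", delete_borrower($hostile);
```

With the interpolated form the whole table comes back and a hostile value could equally be aimed at do(); with placeholders the value matches no row and deletes nothing.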

I'm trying to be really careful about this, but the sheer number of calls may mean that I introduce a new bug. The various search pages are the most likely to show symptoms, so I'll try to test those before the next release.

If any maintainers want to warn me off their code and make these changes themselves, please email me. I'm still wandering around C4/Circulation and working in roughly alphabetical order.

--
MJR/slef     My Opinion Only and possibly not of any group I know.
Please http://remember.to/edit_messages on lists to be sure I read
http://mjr.towers.org.uk/ gopher://g.towers.org.uk/ address@hidden
 Creative copyleft computing services via http://www.ttllp.co.uk/
