Projekt

Allgemein

Profil

« Zurück | Weiter » 

Revision 165d1a99

Von Sven Schöling vor mehr als 10 Jahren hinzugefügt

  • ID 165d1a99e7402a0cbd600dfd4a56cec8feff9ae5
  • Vorgänger 3ea3a603
  • Nachfolger a581d5bd

SQL injection bei Zahlungsverkehr behoben

Unterschiede anzeigen:

SL/CP.pm
147 147 

  		




  148
  148
  
    
  my $buysell = $form->{vc} eq 'customer' ? "buy" : "sell";


  		




  149
  149
  
    
  my $arap = $form->{arap} eq "ar" ? "ar" : "ap";


  		




  150
  
  
    
  my $invnumber = $form->{invnumber};


  		




  151
  
  
    
  $invnumber =~ s/^\s+//m;


  		




  152
  
  
    
  $invnumber =~ s/\s+$//m;


  		




  153
  
  
    
  


  		




  154
  
  
    
  my $whereinvoice = $invnumber ? qq| AND a.invnumber LIKE '| . $invnumber . qq|' | : undef;


  		




  
  150
  
    

  		




  
  151
  
    
  my @values = (conv_i($form->{"${vc}_id"}), "$form->{currency}");


  		




  
  152
  
    
  my $whereinvoice = '';


  		




  
  153
  
    
  if ($::form->{invnumber}) {


  		




  
  154
  
    
    $whereinvoice = ' AND a.invnumber LIKE ? ';


  		




  
  155
  
    
    push @values, $::form->{invnumber};


  		




  
  156
  
    
  }


  		




  155
  157
  
    

  		




  156
  158
  
    
  my $query =


  		




  157
  159
  
    
     qq|SELECT a.id, a.invnumber, a.transdate, a.amount, a.paid, cu.name AS curr | .


  		




  158
  160
  
    
     qq|FROM $arap a | .


  		




  159
  161
  
    
     qq|LEFT JOIN currencies cu ON (cu.id=a.currency_id)| .


  		




  160
  162
  
    
     qq|WHERE (a.${vc}_id = ?) AND cu.name = ? AND NOT (a.amount = a.paid)| .


  		




  161
  
  
    
	 $whereinvoice .


  		




  
  163
  
    
     $whereinvoice .


  		




  162
  164
  
    
     qq|ORDER BY a.id|;


  		




  163
  
  
    
	 


  		




  164
  
  
    
  my $sth = prepare_execute_query($form, $dbh, $query,


  		




  165
  
  
    
                                  conv_i($form->{"${vc}_id"}),


  		




  166
  
  
    
                                  "$form->{currency}");


  		




  
  165
  
    

  		




  
  166
  
    
  my $sth = prepare_execute_query($form, $dbh, $query, @values);


  		




  167
  167
  
    

  		




  168
  168
  
    
  $form->{PR} = [];


  		




  169
  169
  
    
  while (my $ref = $sth->fetchrow_hashref("NAME_lc")) {


  		












Auch abrufbar als:  Unified diff