Projekt

Allgemein

Profil

« Zurück | Weiter » 

Revision 165d1a99

Von Sven Schöling vor fast 11 Jahren hinzugefügt

  • ID 165d1a99e7402a0cbd600dfd4a56cec8feff9ae5
  • Vorgänger 3ea3a603
  • Nachfolger a581d5bd

SQL injection bei Zahlungsverkehr behoben

Unterschiede anzeigen:

SL/CP.pm
147 147

  
148 148
  my $buysell = $form->{vc} eq 'customer' ? "buy" : "sell";
149 149
  my $arap = $form->{arap} eq "ar" ? "ar" : "ap";
150
  my $invnumber = $form->{invnumber};
151
  $invnumber =~ s/^\s+//m;
152
  $invnumber =~ s/\s+$//m;
153
  
154
  my $whereinvoice = $invnumber ? qq| AND a.invnumber LIKE '| . $invnumber . qq|' | : undef;
150

  
151
  my @values = (conv_i($form->{"${vc}_id"}), "$form->{currency}");
152
  my $whereinvoice = '';
153
  if ($::form->{invnumber}) {
154
    $whereinvoice = ' AND a.invnumber LIKE ? ';
155
    push @values, $::form->{invnumber};
156
  }
155 157

  
156 158
  my $query =
157 159
     qq|SELECT a.id, a.invnumber, a.transdate, a.amount, a.paid, cu.name AS curr | .
158 160
     qq|FROM $arap a | .
159 161
     qq|LEFT JOIN currencies cu ON (cu.id=a.currency_id)| .
160 162
     qq|WHERE (a.${vc}_id = ?) AND cu.name = ? AND NOT (a.amount = a.paid)| .
161
	 $whereinvoice .
163
     $whereinvoice .
162 164
     qq|ORDER BY a.id|;
163
	 
164
  my $sth = prepare_execute_query($form, $dbh, $query,
165
                                  conv_i($form->{"${vc}_id"}),
166
                                  "$form->{currency}");
165

  
166
  my $sth = prepare_execute_query($form, $dbh, $query, @values);
167 167

  
168 168
  $form->{PR} = [];
169 169
  while (my $ref = $sth->fetchrow_hashref("NAME_lc")) {

Auch abrufbar als: Unified diff