Revision b96aeec0

Added by Bernd Bleßmann almost 8 years ago

  • ID b96aeec0aa41e81c1fce82ba095486b05d601b31
  • Parent 0a98a0dc
  • Child 6e594d28

History search engine: prevent SQL injection.

View differences:

bin/mozilla/am.pl
1251 1251
    $restriction  .= qq| AND employee_id = (SELECT id FROM employee WHERE name ILIKE | . $dbh->quote('%' . $form->{mitarbeiter} . '%') . qq|)|;
1252 1252
  }
1253 1253

  
1254
  my $query = qq|SELECT trans_id AS id FROM history_erp | .
1255
    (  $form->{'searchid'} ? qq| WHERE snumbers = '|  . $searchNo{$form->{'what2search'}} . qq|_| . $form->{'searchid'} . qq|'|
1256
     :                       qq| WHERE snumbers ~ '^| . $searchNo{$form->{'what2search'}} . qq|'|);
1254
  my $snumbers_where = '';
1255
  my $snumbers_value;
1256
  if ($form->{'searchid'}) {
1257
    $snumbers_where = ' WHERE snumbers = ?';
1258
    $snumbers_value = $searchNo{$form->{'what2search'}} . '_' . $form->{'searchid'};
1259
  } else {
1260
    $snumbers_where = ' WHERE snumbers ~ ?';
1261
    $snumbers_value = '^' . $searchNo{$form->{'what2search'}};
1262
  }
1263
  my $query = qq|SELECT trans_id AS id FROM history_erp $snumbers_where|;
1257 1264

  
1258
  my @ids    = grep { $_ * 1 } selectall_array_query($form, $dbh, $query);
1265
  my @ids    = grep { $_ * 1 } selectall_array_query($form, $dbh, $query, $snumbers_value);
1259 1266
  my $daten .= shift @ids;
1260 1267
  if (scalar(@ids) > 0 ) {
1261 1268
    $daten  .= ' OR trans_id IN (' . join(',', @ids) . ')';
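Review bot: the bind parameter closes the injection through $form->{'searchid'}, which the old lines 1254-1256 interpolated straight into the SQL string; what the hunk still lacks is a check that $form->{'what2search'} is a known key of %searchNo. If it is not, $searchNo{$form->{'what2search'}} is undef and the regex branch binds the value '^', which matches every snumbers row, so a bad or missing what2search silently turns the lookup into a full-table history search. Suggest validating before building $snumbers_where, e.g. reject the request unless `exists $searchNo{$form->{'what2search'}}`. Minor, for consistency with the new placeholder style: the unchanged line 1251 still concatenates the employee filter with $dbh->quote('%' . $form->{mitarbeiter} . '%'); that is safe as written, but it could take the same `?` plus bind-value approach now that selectall_array_query is called with bind values.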
