http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9458

--- Comment #23 from Kyle M Hall <k...@bywatersolutions.com> ---
Good catch! We cannot use a placeholder for ORDER BY fields, but we *can*
escape it using quote_identifier to ensure it cannot be used for SQL injection
attacks. I've attached a second followup to add this.

(In reply to comment #21)
> I am concerned about the way $sortfield is included directly in the query.
> Does it provide an SQL injection vector?

_______________________________________________
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
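An added example, not code from the bug report or from Koha, showing in Perl DBI the three forms the comment contrasts: the direct interpolation that comment #21 asks about, why a bind placeholder cannot replace it, and the quote_identifier() fix, plus an allowlist as an extra check. It assumes DBD::SQLite for an in-memory database; the `items` table and its columns are constructed stand-ins.

```perl
use strict;
use warnings;
use DBI;

# Constructed stand-in for the database: in-memory SQLite via DBD::SQLite (assumed installed).
my $dbh = DBI->connect( "dbi:SQLite:dbname=:memory:", "", "", { RaiseError => 1 } );
$dbh->do("CREATE TABLE items (itemnumber INTEGER, barcode TEXT, dateaccessioned TEXT)");
$dbh->do("INSERT INTO items VALUES (1, 'B1', '2012-01-01'), (2, 'B2', '2011-06-30')");

# Constructed request parameter, shaped the way a hostile client might send it.
my $sortfield = q{barcode; DROP TABLE items; --};

# Vulnerable pattern (the one comment #21 asks about): the value lands in the SQL verbatim,
# so everything after the column name is parsed as more SQL.
my $unsafe_sql = "SELECT itemnumber FROM items ORDER BY $sortfield";
print "unsafe: $unsafe_sql\n";

# A bind placeholder is not a fix: "ORDER BY ?" binds a string constant, and sorting by a
# constant leaves the rows unsorted rather than sorting by the named column.

# Hardened pattern from the comment: quote_identifier() wraps the value in the driver's
# identifier quote character and doubles any embedded quote, so the whole string is parsed
# as one column name and can never terminate the statement.
my $quoted_sql = "SELECT itemnumber FROM items ORDER BY " . $dbh->quote_identifier($sortfield);
print "quoted: $quoted_sql\n";

# Extra check (added here, not from the bug): an allowlist of sortable columns with a safe
# default, so an unknown name yields a predictable sort instead of a database error.
my %sortable = map { $_ => 1 } qw(itemnumber barcode dateaccessioned);

sub sort_column {
    my ($requested) = @_;
    return $sortable{$requested} ? $requested : 'itemnumber';
}

my $sql  = "SELECT itemnumber FROM items ORDER BY " . $dbh->quote_identifier( sort_column($sortfield) );
my $rows = $dbh->selectcol_arrayref($sql);
print "rows ordered by ", sort_column($sortfield), ": @$rows\n";
```

quote_identifier() keeps the input from breaking out of the identifier, but it does not stop a caller from sorting by any real column; the allowlist is what restricts which columns may be used.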