https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39866

--- Comment #7 from Marcel de Rooy <[email protected]> ---
QA Comment:
Thx for patching this! This script is not optimal indeed.

my $line           = $input->param("Line");
WHERE $line IS NOT NULL
This script has issues with parameter validation altogether. We can post
stuff to it without using the template. And it does not expect that.
We should be sure that this is not some 'nice' SQL injection thing. Same for
$column btw.
Prevent 500s like
CGI::Compile::ROOT::usr_share_koha_reports_acquisitions_stats_2epl::calculate():
DBI Exception: DBD::mysql::st execute failed: You have an error in your SQL
syntax; check the manual that corresponds to your MariaDB server version for
the right syntax to use near ';
        FROM aqorders
          LEFT JOIN aqbasket ON (aqorders.basketno = ...' at line 1 at
/usr/share/koha/reports/acquisitions_stats.pl line 70
=> Adding a simple bailout in follow-up. (Did not add checking the actual field
in the regex here.)

-        WHERE $line IS NOT NULL AND $line <> '' ";
+        WHERE $line IS NOT NULL AND COALESCE($line,'') <> '' ";
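Review bot: the COALESCE added in the `+` line is redundant, since the preceding `$line IS NOT NULL` already excludes the NULL case, and it does not close the validation gap raised in this comment: `$line` is still interpolated straight into the SQL string. The check that prevents both the 500 quoted above and the injection concern is rejecting any `Line` (and `Column`) value that is not a known field name before the query is built, rather than changing the comparison.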
Same for $column
$column is a database field now. If it is NULL the first part is false. If it
is not NULL, the second part is the same as $line <> "". No need to change.

-- 
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
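The bailout the comment proposes, as an added example that is not Koha's own code and not the follow-up patch from the bug: the `Line` and `Column` parameters are checked against an allowlist of field names before they are interpolated into the query, so an unexpected value is rejected cleanly instead of reaching the SQL parser and producing the 500 shown above. The field names in the allowlist are an assumption; the real set accepted by acquisitions_stats.pl is not on this page.

```perl
#!/usr/bin/perl
# Added example (not Koha's own code): allowlist the "Line" and "Column"
# CGI parameters before they are interpolated into SQL.
use strict;
use warnings;

# Hypothetical allowlist of fields this report may group by. The actual
# field names acquisitions_stats.pl accepts are an assumption here.
my %allowed_field = map { $_ => 1 } qw(
    aqorders.budget_id
    aqorders.ordernumber
    aqbasket.booksellerid
);

# Returns the field name if it is allowlisted, otherwise undef.
# Only a value that is exactly a known identifier ever reaches the query.
sub validated_field {
    my ($value) = @_;
    return undef unless defined $value;
    return $allowed_field{$value} ? $value : undef;
}

# Builds the WHERE clause from validated identifiers only; an unknown value
# makes the script bail out before $dbh->prepare/execute is reached.
# In the real script the inputs would come from $input->param("Line") and
# $input->param("Column").
sub build_where {
    my ($line, $column) = @_;
    my $safe_line   = validated_field($line)   or die "Invalid Line parameter\n";
    my $safe_column = validated_field($column) or die "Invalid Column parameter\n";
    # "$field IS NOT NULL" already guards the NULL case, so a plain <> ''
    # comparison is enough (no COALESCE needed).
    return "WHERE $safe_line IS NOT NULL AND $safe_line <> '' "
         . "AND $safe_column IS NOT NULL AND $safe_column <> ''";
}

# Constructed sample inputs: a valid pair, then a value that is not a field
# and would otherwise have been pasted into the SQL text verbatim.
print build_where('aqorders.budget_id', 'aqbasket.booksellerid'), "\n";
eval { build_where('not_a_field', 'aqbasket.booksellerid') };
print "Rejected: $@" if $@;
```

Checking the value against a fixed hash rather than a regex on "looks like a column name" is what matters here: the identifier is never built from user input, only selected by it, so the SQL syntax error and the injection question go away together.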