On Mon, 2006-10-02 at 10:21 -0700, Chris Travers wrote:
> Actually, $form->{vc} should be whitelisted. I will check this and if
> necessary add the code.
It is reset every execution in bin/*/(ar|ap).pl so as you say it should
be fine to put it straight into the query. I hadn't noticed that until
Chris,
> I am wondering what sort of requirements people have for contact
> management for LedgerSMB. I am looking at making the customers/vendors
> handling a major priority for my work on 1.3. Among other issues:
> 1) The customer and vendor tables will likely be merged.
> 2) The contact rec
Gmail isn't working well with Sourceforge at the moment so I am
sending this to both places.
I think a test suite will be very important. There are, however, a
few challenges:
1) I don't think SQL-Ledger ever underwent any sort of formal testing
(as evidenced by the COGS bug I found). Therefore
Hi all;
I am wondering what sort of requirements people have for contact management
for LedgerSMB. I am looking at making the customers/vendors handling a
major priority for my work on 1.3. Among other issues:
1) The customer and vendor tables will likely be merged.
2) The contact records will
Hey all:
I'm excited to see a more open process for the development of
the code base which Dieter created and particularly for the
development of documentation which might make it easier to
propagate this code more broadly.
I'm curious to know where this may all head and hope to perhaps
work with
Chris Travers wrote:
> In many cases I agree. For this application, I think it is the wrong
> solution.
I was only speaking to stating that we require at least DBI 1.21.
Joshua D. Drake
>
> I don't think we should trust any user input enough to allow it to
> arbitrarily specify any non-white-l
> DBI->quote_identifier(...) was added in DBI 1.21, released Feb 2002.
> That doesn't seem like an unreasonable prerequisite to me. What does
> the list think?
That is 5 years here shortly. I think that is more than acceptable. :)
Sincerely,
Joshua D. Drake
--
=== The PostgreSQL Compan
On Mon, 2006-10-02 at 00:32 -0700, Tony Fraser wrote:
> Well, at least this will execute without errors:
>
> $form->{vc} =~ s/"/""/g;
> $query = qq|
> SELECT SUM(amount - paid)
> FROM $arap
> WHERE "$form->{vc}_id" = ?|;
>
> $sth = $d
On Sun, 2006-10-01 at 19:20 -0700, Joshua D. Drake wrote:
> Tony Fraser wrote:
> > Is anyone even minimally testing what gets committed on the SVN head?
> >
> > I checked it out to see what was going on and I can't believe what's
> > gotten checked in. I know SQL Ledger is full of SQL Injection
>