[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
SF.net SVN: ledger-smb: [168] trunk/LedgerSMB/AA.pm
- Subject: SF.net SVN: ledger-smb: [168] trunk/LedgerSMB/AA.pm
- From: ..hidden..
- Date: Fri, 29 Sep 2006 21:36:56 -0700
Revision: 168
http://svn.sourceforge.net/ledger-smb/?rev=168&view=rev
Author: einhverfr
Date: 2006-09-29 21:36:54 -0700 (Fri, 29 Sep 2006)
Log Message:
-----------
Audited AA.pm to 50% for SQL-Injection vulnerabilities
Modified Paths:
--------------
trunk/LedgerSMB/AA.pm
Modified: trunk/LedgerSMB/AA.pm
===================================================================
--- trunk/LedgerSMB/AA.pm 2006-09-30 02:40:48 UTC (rev 167)
+++ trunk/LedgerSMB/AA.pm 2006-09-30 04:36:54 UTC (rev 168)
@@ -41,7 +41,7 @@
my ($self, $myconfig, $form) = @_;
# connect to database
- my $dbh = $form->dbconnect_noauto($myconfig);
+ my $dbh = $form->{dbh};
my $query;
my $sth;
@@ -172,8 +172,13 @@
my $invamount = $invnetamount + $tax;
# adjust paidaccounts if there is no date in the last row
- $form->{paidaccounts}-- unless ($form->{"datepaid_$form->{paidaccounts}"});
+ $form->{paidaccounts}--
+ unless ($form->{"datepaid_$form->{paidaccounts}"});
+ if ($form->{vc} ne "customer"){
+ $form->{vc} = "vendor";
+ }
+
my $paid = 0;
my $fxamount;
@@ -202,28 +207,37 @@
$invamount = $form->round_amount($invamount, 2);
$paid = $form->round_amount($paid, 2);
- $paid = ($fxinvamount == $paid) ? $invamount : $form->round_amount($paid * $form->{exchangerate}, 2);
+ $paid = ($fxinvamount == $paid)
+ ? $invamount
+ : $form->round_amount($paid * $form->{exchangerate}, 2);
- $query = q|SELECT fxgain_accno_id, fxloss_accno_id
- FROM defaults|;
+ $query = q|
+ SELECT fxgain_accno_id, fxloss_accno_id
+ FROM defaults|;
+
my ($fxgain_accno_id, $fxloss_accno_id) = $dbh->selectrow_array($query);
($null, $form->{employee_id}) = split /--/, $form->{employee};
unless ($form->{employee_id}) {
- ($form->{employee}, $form->{employee_id}) = $form->get_employee($dbh);
+ ($form->{employee}, $form->{employee_id}) =
+ $form->get_employee($dbh);
}
# check if id really exists
if ($form->{id}) {
+ my $id = $dbh->quote($form->{id});
$keepcleared = 1;
- $query = qq|SELECT id FROM $table
- WHERE id = $form->{id}|;
+ $query = qq|
+ SELECT id
+ FROM $table
+ WHERE id = $id|;
if ($dbh->selectrow_array($query)) {
# delete detail records
- $query = qq|DELETE FROM acc_trans
- WHERE trans_id = $form->{id}|;
+ $query = qq|
+ DELETE FROM acc_trans
+ WHERE trans_id = $id|;
$dbh->do($query) || $form->dberror($query);
}
@@ -232,13 +246,15 @@
my $uid = localtime;
$uid .= "$$";
- $query = qq|INSERT INTO $table (invnumber)
- VALUES ('$uid')|;
+ $query = qq|
+ INSERT INTO $table (invnumber)
+ VALUES ('$uid')|;
$dbh->do($query) || $form->dberror($query);
- $query = qq|SELECT id FROM $table
- WHERE invnumber = '$uid'|;
+ $query = qq|
+ SELECT id FROM $table
+ WHERE invnumber = '$uid'|;
($form->{id}) = $dbh->selectrow_array($query);
}
@@ -252,34 +268,34 @@
$query = qq|
UPDATE $table
- SET invnumber = |.$dbh->quote($form->{invnumber}).qq|,
- ordnumber = |.$dbh->quote($form->{ordnumber}).qq|,
- transdate = '$form->{transdate}',
- $form->{vc}_id = $form->{"$form->{vc}_id"},
- taxincluded = '$form->{taxincluded}',
- amount = $invamount,
- duedate = '$form->{duedate}',
- paid = $paid,
- datepaid = $datepaid,
- netamount = $invnetamount,
- curr = '$form->{currency}',
- notes = |.$dbh->quote($form->{notes}).qq|,
- department_id = $form->{department_id},
- employee_id = $form->{employee_id},
- ponumber = |.$dbh->quote($form->{ponumber}).qq|
- WHERE id = $form->{id}
+ SET invnumber = ?,
+ ordnumber = ?,
+ transdate = ?,
+ $form->{vc}_id = ?,
+ taxincluded = ?,
+ amount = ?,
+ duedate = ?,
+ paid = ?,
+ datepaid = ?,
+ netamount = ?,
+ curr = ?,
+ notes = ?,
+ department_id = ?,
+ employee_id = ?,
+ ponumber = ?
+ WHERE id = ?
|;
- $dbh->do($query) || $form->dberror($query);
+ my @queryargs = ($form->{invnumber}, $form->{ordnumber},
+ $form->{transdate}, $form->{"$form->{vc}_id"},
+ $form->{taxincluded}, $invamount, $form->{duedate}, $paid,
+ $datepaid, $invnetamout, $form->{currency}, $form->{notes},
+ $form->{department_id}, $form->{employee_id},
+ $form->{ponumber}, $form->{id});
+ $dbh->prepare($query)->execute(@queryargs) || $form->dberror($query);
+
@queries = $form->get_custom_queries($table, 'INSERT');
- for (@queries){
- $query = shift (@{$_});
- $sth = $dbh->prepare($query) || $form->db_error($query);
- $sth->execute(@{$_}, $form->{id})|| $form->dberror($query);;
- $sth->finish;
- $did_insert = 1;
- }
# update exchangerate
my $buy = $form->{exchangerate};
my $sell = 0;
@@ -289,7 +305,9 @@
}
if (($form->{currency} ne $form->{defaultcurrency}) && !$exchangerate) {
- $form->update_exchangerate($dbh, $form->{currency}, $form->{transdate}, $buy, $sell);
+ $form->update_exchangerate(
+ $dbh, $form->{currency}, $form->{transdate},
+ $buy, $sell);
}
my $ref;
@@ -299,30 +317,40 @@
# insert detail records in acc_trans
if ($ref->{amount}) {
- $query = qq|INSERT INTO acc_trans (trans_id, chart_id, amount, transdate,
- project_id, memo, fx_transaction, cleared)
- VALUES ($form->{id}, (SELECT id FROM chart
- WHERE accno = '$ref->{accno}'),
- $ref->{amount} * $ml, '$form->{transdate}',
- $ref->{project_id}, |.$dbh->quote($ref->{description}).qq|,
- '$ref->{fx_transaction}', '$ref->{cleared}')|;
+ $query = qq|
+ INSERT INTO acc_trans
+ (trans_id, chart_id, amount,
+ transdate, project_id, memo,
+ fx_transaction, cleared)
+ VALUES (?, (SELECT id FROM chart
+ WHERE accno = ?),
+ ? * ?, ?, ?, ?, ?, ?)|;
- $dbh->do($query) || $form->dberror($query);
+ @queryargs = ($form->{id}, $ref->{accno},
+ $ref->{amount}, $ml, $form->{transdate},
+ $ref->{project_id}, $ref->{description},
+ $ref->{fx_transaction}, $ref->{cleared});
+ $dbh->prepare($query)->execute(@queryargs)
+ || $form->dberror($query);
}
}
# save taxes
foreach $ref (@{ $form->{acc_trans}{taxes} }) {
if ($ref->{amount}) {
- $query = qq|INSERT INTO acc_trans (trans_id, chart_id, amount,
- transdate, fx_transaction)
- VALUES ($form->{id},
- (SELECT id FROM chart
- WHERE accno = '$ref->{accno}'),
- $ref->{amount} * $ml, '$form->{transdate}',
- '$ref->{fx_transaction}')|;
+ $query = qq|
+ INSERT INTO acc_trans
+ (trans_id, chart_id, amount,
+ transdate, fx_transaction)
+ VALUES (?, (SELECT id FROM chart
+ WHERE accno = ?),
+ ? * ?, ?, ?)|;
- $dbh->do($query) || $form->dberror($query);
+ @queryargs = ($form->{id}, $ref->{accno},
+ $ref->{amount}, $ml, $form->{transdate},
+ $ref->{fx_transaction});
+ $dbh->prepare($query)->execute(@queryargs)
+ || $form->dberror($query);
}
}
@@ -333,13 +361,17 @@
if (($arap = $invamount)) {
($accno) = split /--/, $form->{$ARAP};
- $query = qq|INSERT INTO acc_trans (trans_id, chart_id, amount, transdate)
- VALUES ($form->{id},
- (SELECT id FROM chart
- WHERE accno = '$accno'),
- $invamount * -1 * $ml, '$form->{transdate}')|;
+ $query = qq|
+ INSERT INTO acc_trans
+ (trans_id, chart_id, amount, transdate)
+ VALUES (?, (SELECT id FROM chart
+ WHERE accno = '?'),
+ ? * -1 * $ml, ?)|;
+ @queryargs = ($form->{id}, $accno, $invamount,
+ $form->{transdate});
- $dbh->do($query) || $form->dberror($query);
+ $dbh->prepare($query)->execute(@queryargs)
+ || $form->dberror($query);
}
# if there is no amount force ar/ap
@@ -363,27 +395,40 @@
if ($form->{currency} eq $form->{defaultcurrency}) {
$form->{"exchangerate_$i"} = 1;
} else {
- $exchangerate = $form->check_exchangerate($myconfig, $form->{currency}, $form->{"datepaid_$i"}, $buysell);
+ $exchangerate = $form->check_exchangerate(
+ $myconfig, $form->{currency},
+ $form->{"datepaid_$i"}, $buysell);
- $form->{"exchangerate_$i"} = ($exchangerate) ? $exchangerate : $form->parse_amount($myconfig, $form->{"exchangerate_$i"});
+ $form->{"exchangerate_$i"} = ($exchangerate)
+ ? $exchangerate
+ : $form->parse_amount(
+ $myconfig,
+ $form->{"exchangerate_$i"});
}
# if there is no amount
if ($fxinvamount == 0) {
- $form->{exchangerate} = $form->{"exchangerate_$i"};
+ $form->{exchangerate} =
+ $form->{"exchangerate_$i"};
}
# ar/ap amount
- if ($arap) {
+ if ($arap) {
($accno) = split /--/, $form->{$ARAP};
- # add ar/ap
- $query = qq|INSERT INTO acc_trans (trans_id, chart_id, amount,transdate)
- VALUES ($form->{id}, (SELECT id FROM chart
- WHERE accno = '$accno'),
- $paid{amount}{$i} * $ml, '$form->{"datepaid_$i"}')|;
+ # add ar/ap
+ $query = qq|
+ INSERT INTO acc_trans
+ (trans_id, chart_id,
+ amount,transdate)
+ VALUES (?, (SELECT id FROM chart
+ WHERE accno = ?),
+ ? * $ml, ?)|;
- $dbh->do($query) || $form->dberror($query);
+ @queryargs = ($form->{id}, $paid{amount}{$i},
+ $form->{"datepaid_$i"});
+ $dbh->prepare($query)->execute(@queryargs)
+ || $form->dberror($query);
}
$arap = $paid{amount}{$i};
@@ -397,46 +442,84 @@
my $cleared = ($form->{"cleared_$i"}) ? 1 : 0;
$amount = $paid{fxamount}{$i};
- $query = qq|INSERT INTO acc_trans (trans_id, chart_id, amount,
- transdate, source, memo, cleared)
- VALUES ($form->{id}, (SELECT id FROM chart
- WHERE accno = '$accno'),
- $amount * -1 * $ml, '$form->{"datepaid_$i"}', |
- .$dbh->quote($form->{"source_$i"}).qq|, |
- .$dbh->quote($form->{"memo_$i"}).qq|, '$cleared')|;
+ $query = qq|
+ INSERT INTO acc_trans
+ (trans_id, chart_id, amount,
+ transdate, source, memo,
+ cleared)
+ VALUES (?, (SELECT id FROM chart
+ WHERE accno = ?),
+ ? * -1 * $ml, ?, ?, ?, ?)|;
- $dbh->do($query) || $form->dberror($query);
+ @queryargs = ($form->{id}, $accno, $amount,
+ $form->{"datepaid_$i"},
+ $form->{"source_$i"},
+ $form->{"memo_$i"},
+ $cleared);
+ $dbh->prepare($query)->execute(@queryargs)
+ || $form->dberror($query);
- if ($form->{currency} ne $form->{defaultcurrency}) {
+ if ($form->{currency}
+ ne $form->{defaultcurrency}) {
# exchangerate gain/loss
- $amount = ($form->round_amount($paid{fxamount}{$i} * $form->{exchangerate},2) - $form->round_amount($paid{fxamount}{$i} * $form->{"exchangerate_$i"},2)) * -1;
+ $amount = ($form->round_amount(
+ $paid{fxamount}{$i}
+ * $form->{exchangerate},2) -
+ $form->round_amount(
+ $paid{fxamount}{$i}
+ * $form->{"exchangerate_$i"},
+ 2)) * -1;
if ($amount) {
my $accno_id = (($amount * $ml) > 0) ? $fxgain_accno_id : $fxloss_accno_id;
- $query = qq|INSERT INTO acc_trans (trans_id, chart_id, amount,
- transdate, fx_transaction, cleared)
- VALUES ($form->{id}, $accno_id,
- $amount * $ml, '$form->{"datepaid_$i"}', '1',
- '$cleared')|;
+ $query = qq|
+ INSERT INTO acc_trans
+ (trans_id,
+ chart_id,
+ amount,
+ transdate,
+ fx_transaction,
+ cleared)
+ VALUES (?, ?,
+ ? * $ml,
+ ?, '1', ?)|;
- $dbh->do($query) || $form->dberror($query);
+ @queryargs = ($form->{id},
+ $accno_id, $amount,
+ $form->{"datepaid_$i"},
+ $cleared);
+ $sth = $dbh->prepare($query);
+ $sth->execute(@queryargs)
+ ||
+ $form->dberror($query);
}
# exchangerate difference
$amount = $paid{amount}{$i} - $paid{fxamount}{$i} + $amount;
- $query = qq|INSERT INTO acc_trans (trans_id, chart_id, amount,
- transdate, fx_transaction, cleared, source)
- VALUES ($form->{id}, (SELECT id FROM chart
- WHERE accno = '$accno'),
- $amount * -1 * $ml, '$form->{"datepaid_$i"}', '1',
- '$cleared', |
- .$dbh->quote($form->{"source_$i"}).qq|)|;
+ $query = qq|
+ INSERT INTO acc_trans
+ (trans_id, chart_id,
+ amount,
+ transdate,
+ fx_transaction,
+ cleared, source)
+ VALUES (?, (SELECT id
+ FROM chart
+ WHERE accno
+ = ?),
+ ? * -1 * $ml, ?,
+ '1', ?, ?)|;
- $dbh->do($query) || $form->dberror($query);
+ @queryargs = ($form->{id}, $accno,
+ $amount, $form->{"datepaid_$i"},
+ $cleared, $form->{"source_$i"});
+ $sth = $dbh->prepare($query) ;
+ $sth->execute(@queryargs)
+ || $form->dberror($query);
}
@@ -449,8 +532,13 @@
$sell = $form->{"exchangerate_$i"};
}
- if (($form->{currency} ne $form->{defaultcurrency}) && !$exchangerate) {
- $form->update_exchangerate($dbh, $form->{currency}, $form->{"datepaid_$i"}, $buy, $sell);
+ if (($form->{currency} ne
+ $form->{defaultcurrency}) && !$exchangerate) {
+
+ $form->update_exchangerate(
+ $dbh, $form->{currency},
+ $form->{"datepaid_$i"}, $buy,
+ $sell);
}
}
}
@@ -471,8 +559,6 @@
my $rc = $dbh->commit;
- $dbh->disconnect;
-
$rc;
}
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.