
SF.net SVN: ledger-smb: [431] trunk



Revision: 431
          http://svn.sourceforge.net/ledger-smb/?rev=431&view=rev
Author:   einhverfr
Date:     2006-10-31 13:45:30 -0800 (Tue, 31 Oct 2006)

Log Message:
-----------
Moved OP to new API, and got rid of SQL injection issues

Modified Paths:
--------------
    trunk/Changelog
    trunk/LedgerSMB/OP.pm

Modified: trunk/Changelog
===================================================================
--- trunk/Changelog	2006-10-31 20:51:53 UTC (rev 430)
+++ trunk/Changelog	2006-10-31 21:45:30 UTC (rev 431)
@@ -15,6 +15,7 @@
 * Audited IS.pm, GL.pm, IR.pm for SQL injection and moved to new API. (Chris T)
 * Audited User.pm for SQL injection. (Chris T)
 * Audited HR.pm, removed old, stale payroll code, moved to new API (Chris T)
+* Audited OP.pm and moved to new API (Chris T)
 
 Localization:
 * Moved localization files to standard codes (Seneca)

Modified: trunk/LedgerSMB/OP.pm
===================================================================
--- trunk/LedgerSMB/OP.pm	2006-10-31 20:51:53 UTC (rev 430)
+++ trunk/LedgerSMB/OP.pm	2006-10-31 21:45:30 UTC (rev 431)
@@ -23,7 +23,7 @@
 #
 #======================================================================
 #
-# This file has NOT undergone whitespace cleanup.
+# This file has undergone whitespace cleanup.
 #
 #======================================================================
 #
@@ -35,82 +35,103 @@
 package OP;
 
 sub overpayment {
-  my ($self, $myconfig, $form, $dbh, $amount, $ml) = @_;
+	my ($self, $myconfig, $form, $dbh, $amount, $ml) = @_;
  
-  my $fxamount = $form->round_amount($amount * $form->{exchangerate}, 2);
-  my ($paymentaccno) = split /--/, $form->{account};
+	my $fxamount = $form->round_amount($amount * $form->{exchangerate}, 2);
+	my ($paymentaccno) = split /--/, $form->{account};
 
-  my ($null, $department_id) = split /--/, $form->{department};
-  $department_id *= 1;
+	my ($null, $department_id) = split /--/, $form->{department};
+	$department_id *= 1;
 
-  my $uid = localtime;
-  $uid .= "$$";
+	my $uid = localtime;
+	$uid .= "$$";
 
-  # add AR/AP header transaction with a payment
-  $query = qq|INSERT INTO $form->{arap} (invnumber, employee_id)
-	      VALUES ('$uid', (SELECT id FROM employee
-			     WHERE login = '$form->{login}'))|;
-  $dbh->do($query) || $form->dberror($query);
+	# add AR/AP header transaction with a payment
+	my $login = $dbh->quote($form->{login});
+	$query = qq|
+		INSERT INTO $form->{arap} (invnumber, employee_id)
+		     VALUES ('$uid', (SELECT id FROM employee
+		      WHERE login = $login))|;
+	$dbh->do($query) || $form->dberror($query);
 
-  $query = qq|SELECT id FROM $form->{arap}
-	    WHERE invnumber = '$uid'|;
-  ($uid) = $dbh->selectrow_array($query);
+	$query = qq|SELECT id FROM $form->{arap} WHERE invnumber = '$uid'|;
+	($uid) = $dbh->selectrow_array($query);
 
-  my $invnumber = $form->{invnumber};
-  $invnumber = $form->update_defaults($myconfig, ($form->{arap} eq 'ar') ? "sinumber" : "vinumber", $dbh) unless $invnumber;
+	my $invnumber = $form->{invnumber};
+	$invnumber = $form->update_defaults(
+		$myconfig, 
+			($form->{arap} eq 'ar') 
+			? "sinumber" 
+			: "vinumber", 
+		$dbh) unless $invnumber;
 
-  $query = qq|UPDATE $form->{arap} set
-	      invnumber = |.$dbh->quote($invnumber).qq|,
-	      $form->{vc}_id = $form->{"$form->{vc}_id"},
-	      transdate = '$form->{datepaid}',
-	      datepaid = '$form->{datepaid}',
-	      duedate = '$form->{datepaid}',
-	      netamount = 0,
-	      amount = 0,
-	      paid = $fxamount,
-	      curr = '$form->{currency}',
-	      department_id = $department_id
-	      WHERE id = $uid|;
-  $dbh->do($query) || $form->dberror($query);
+	$query = qq|
+		UPDATE $form->{arap} 
+		   set invnumber = ?,
+		       $form->{vc}_id = ?,
+		       transdate = ?,
+		       datepaid = ?,
+		       duedate = ?,
+		       netamount = 0,
+		       amount = 0,
+		       paid = ?,
+		       curr = ?,
+		       department_id = ?
+		 WHERE id = ?|;
+	$sth = $dbh->prepare($query);
+	$sth->execute(
+		$invnumber, $form->{"$form->{vc}_id"}, $form->{datepaid},
+		$form->{datepaid}, $form->{datepaid}, $fxamount, 
+		$form->{currency}, $department_id, $uid
+		) || $form->dberror($query);
 
-  # add AR/AP
-  ($accno) = split /--/, $form->{$form->{ARAP}};
+	# add AR/AP
+	($accno) = split /--/, $form->{$form->{ARAP}};
   
-  $query = qq|INSERT INTO acc_trans (trans_id, chart_id, transdate, amount)
-	      VALUES ($uid, (SELECT id FROM chart
-			     WHERE accno = '$accno'),
-	      '$form->{datepaid}', $fxamount * $ml)|;
-  $dbh->do($query) || $form->dberror($query);
+	$query = qq|
+		INSERT INTO acc_trans (trans_id, chart_id, transdate, amount)
+		     VALUES (?, (SELECT id FROM chart 
+		                  WHERE accno = ?), ?, ?)|;
+	$sth = $dbh->prepare($query);
+	$sth->execute($uid, $accno, $form->{datepaid}, $fxamount * $ml) 
+		|| $form->dberror($query);
 
-  # add payment
-  $query = qq|INSERT INTO acc_trans (trans_id, chart_id, transdate,
-	      amount, source, memo)
-	      VALUES ($uid, (SELECT id FROM chart
-			     WHERE accno = '$paymentaccno'),
-		'$form->{datepaid}', $amount * $ml * -1, |
-		.$dbh->quote($form->{source}).qq|, |
-		.$dbh->quote($form->{memo}).qq|)|;
-  $dbh->do($query) || $form->dberror($query);
+	# add payment
+	$query = qq|
+		INSERT INTO acc_trans (trans_id, chart_id, transdate, 
+		                      amount, source, memo)
+		     VALUES (?, (SELECT id FROM chart WHERE accno = ?),
+		            ?, ?, ?, ?)|;
+	$sth = $dbh->prepare($query);
+	$sth->execute(
+		$uid, $paymentaccno, $form->{datepaid}, $amount * $ml * -1,
+		$form->{source}, $form->{memo}
+	 	)|| $form->dberror($query);
 
-  # add exchangerate difference
-  if ($fxamount != $amount) {
-    $query = qq|INSERT INTO acc_trans (trans_id, chart_id, transdate,
-		amount, cleared, fx_transaction, source)
-		VALUES ($uid, (SELECT id FROM chart
-			       WHERE accno = '$paymentaccno'),
-	        '$form->{datepaid}', ($fxamount - $amount) * $ml * -1,
-	        '1', '1', |
-		.$dbh->quote($form->{source}).qq|)|;
-    $dbh->do($query) || $form->dberror($query);
-  }
+	# add exchangerate difference
+	if ($fxamount != $amount) {
+		$query = qq|
+			INSERT INTO acc_trans (trans_id, chart_id, transdate,
+			            amount, cleared, fx_transaction, source)
+			     VALUES (?, (SELECT id FROM chart WHERE accno = ?),
+			            ?, ?, '1', '1', ?)|;
+		$sth = $dbh->prepare($query);
+		$sth->execute($uid, $paymentaccno, $form->{datepaid}, 
+			($fxamount - $amount) * $ml * -1, $form->{source}
+			) || $form->dberror($query);
+	}
   
-  my %audittrail = ( tablename  => $form->{arap},
-                     reference  => $invnumber,
-		     formname   => ($form->{arap} eq 'ar') ? 'deposit' : 'pre-payment',
-		     action     => 'posted',
-		     id         => $uid );
+	my %audittrail = ( 
+		tablename  => $form->{arap},
+		reference  => $invnumber,
+		formname   => 
+			($form->{arap} eq 'ar') 
+			? 'deposit' 
+			: 'pre-payment',
+		action     => 'posted',
+		id         => $uid );
  
-  $form->audittrail($dbh, "", \%audittrail);
+	$form->audittrail($dbh, "", \%audittrail);
   
 }
 
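Review bot: `$form->{arap}` and `$form->{vc}` are still interpolated straight into the SQL text as a table name and a column name (the `INSERT INTO $form->{arap}`, the `SELECT id FROM $form->{arap}` and the `$form->{vc}_id = ?` column in the UPDATE), so the move to bind parameters does not close the identifier positions, which a form-supplied value can still shape; placeholders cannot carry identifiers, so these need an allowlist check at the top of `overpayment`, e.g. `die "invalid arap table" unless $form->{arap} =~ /\A(?:ar|ap)\z/;` and `die "invalid vc" unless $form->{vc} =~ /\A(?:customer|vendor)\z/;` (the `customer`/`vendor` values are inferred from the `<vc>_id` column naming — confirm against the callers). The `$uid` interpolated into the header INSERT and the following SELECT is built locally from `localtime` and `$$`, so it is not an injection path, but it could be bound with `?` like the other values, and two calls within the same second of one process yield the same invnumber, so the SELECT may return the row of the earlier call; the value is also used unchecked after `selectrow_array`, so a failed lookup feeds `undef` into every later `execute`. `$query`, `$sth` and `$accno` are assigned without `my` and so are package globals, which `use strict` would reject; the `prepare` results are likewise unchecked, so a failed prepare surfaces as a method call on undef rather than through `$form->dberror`.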

