SF.net SVN: ledger-smb:[3671] branches/1.2/LedgerSMB
- Subject: SF.net SVN: ledger-smb:[3671] branches/1.2/LedgerSMB
- From: ..hidden..
- Date: Thu, 18 Aug 2011 21:30:50 +0000
Revision: 3671
http://ledger-smb.svn.sourceforge.net/ledger-smb/?rev=3671&view=rev
Author: einhverfr
Date: 2011-08-18 21:30:50 +0000 (Thu, 18 Aug 2011)
Log Message:
-----------
Correcting SQL injection issues caused by interpolated table names
Modified Paths:
--------------
branches/1.2/LedgerSMB/AA.pm
branches/1.2/LedgerSMB/BP.pm
branches/1.2/LedgerSMB/CP.pm
branches/1.2/LedgerSMB/OE.pm
branches/1.2/LedgerSMB/OP.pm
branches/1.2/LedgerSMB/PE.pm
branches/1.2/LedgerSMB/RP.pm
Modified: branches/1.2/LedgerSMB/AA.pm
===================================================================
--- branches/1.2/LedgerSMB/AA.pm 2011-08-18 21:13:29 UTC (rev 3670)
+++ branches/1.2/LedgerSMB/AA.pm 2011-08-18 21:30:50 UTC (rev 3671)
@@ -623,8 +623,8 @@
$form->audittrail( $dbh, "", \%audittrail );
- my $query = qq|DELETE FROM $table WHERE id = $form->{id}|;
- $dbh->do($query) || $form->dberror($query);
+ my $query = qq|DELETE FROM $table WHERE id = ?|;
+ $dbh->prepare($query)->execute( $form->{id} ) || $form->dberror($query);
$query = qq|DELETE FROM acc_trans WHERE trans_id = ?|;
$dbh->prepare($query)->execute( $form->{id} ) || $form->dberror($query);
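Review bot: `$table` is still interpolated into the statement on the new `my $query = qq|DELETE FROM $table WHERE id = ?|;` line, so binding `id` closes only half of what the log message describes; the hunk does not show where `$table` is assigned. If it is derived from request data it needs the same two-literal whitelist the other files in this commit apply, placed before this point, and a comment such as `# $table is whitelisted above, never taken verbatim from the request` would let a reader confirm that. The new line also calls `->execute` directly on the result of `$dbh->prepare($query)`; with RaiseError off a failed prepare returns undef and the call dies with a method-on-undef error instead of reaching `$form->dberror`, which is pre-existing on the acc_trans line below but is copied here. The enclosing sub starts and ends outside the hunk.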
@@ -682,6 +682,9 @@
$ARAP = 'AP';
$table = 'ap';
$buysell = 'sell';
+ $form->{vc} = 'vendor';
+ } else {
+ $form->{vc} = 'customer';
}
( $form->{transdatefrom}, $form->{transdateto} ) =
Modified: branches/1.2/LedgerSMB/BP.pm
===================================================================
--- branches/1.2/LedgerSMB/BP.pm 2011-08-18 21:13:29 UTC (rev 3670)
+++ branches/1.2/LedgerSMB/BP.pm 2011-08-18 21:30:50 UTC (rev 3671)
@@ -60,6 +60,7 @@
my $count;
my $item;
my $sth;
+ $form->{vc} = ($form->{vc} eq 'customer') ? 'customer' : 'vendor';
$item = $form->{dbh}->quote($item);
foreach $item ( @{ $arap{ $form->{type} } } ) {
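Review bot: The new `$form->{vc} = ($form->{vc} eq 'customer') ? 'customer' : 'vendor';` silently rewrites any value that is not exactly `customer` — undef, a misspelling or an unexpected string — to `vendor`, so a caller bug now yields results from the wrong table rather than an error, and when `vc` is undefined the `eq` emits an uninitialized-value warning. Consider rejecting unexpected values (`$form->error(...)` if that helper is available here) or at least `(defined $form->{vc} && $form->{vc} eq 'customer')`, plus a comment stating the reason: `# vc is interpolated into table names; only the two known literals may pass`. The same one-liner is duplicated in the second BP.pm hunk, both CP.pm hunks, OP.pm, PE.pm and all four RP.pm hunks, so one shared helper would keep the whitelist in a single place. The enclosing sub starts outside the hunk.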
@@ -124,6 +125,7 @@
my $query;
my $invnumber = "invnumber";
my $item;
+ $form->{vc} = ($form->{vc} eq 'customer') ? 'customer' : 'vendor';
my %arap = (
invoice => ['ar'],
Modified: branches/1.2/LedgerSMB/CP.pm
===================================================================
--- branches/1.2/LedgerSMB/CP.pm 2011-08-18 21:13:29 UTC (rev 3670)
+++ branches/1.2/LedgerSMB/CP.pm 2011-08-18 21:30:50 UTC (rev 3671)
@@ -202,6 +202,8 @@
my ( $self, $myconfig, $form ) = @_;
+ $form->{arap} = ($form->{arap} eq 'ar') ? 'ar' : 'ap';
+ $form->{vc} = ( $form->{vc} eq 'customer') ? 'customer' : 'vendor';
my $null;
my $department_id;
@@ -299,6 +301,8 @@
my ( $self, $myconfig, $form ) = @_;
+ $form->{arap} = ($form->{arap} eq 'ar') ? 'ar' : 'ap';
+ $form->{vc} = ( $form->{vc} eq 'customer') ? 'customer' : 'vendor';
# connect to database, turn AutoCommit off
my $dbh = $form->{dbh};
Modified: branches/1.2/LedgerSMB/OE.pm
===================================================================
--- branches/1.2/LedgerSMB/OE.pm 2011-08-18 21:13:29 UTC (rev 3670)
+++ branches/1.2/LedgerSMB/OE.pm 2011-08-18 21:30:50 UTC (rev 3671)
@@ -756,6 +756,9 @@
SELECT value, current_date FROM defaults
WHERE setting_key = 'curr'|;
( $form->{currencies}, $form->{transdate} ) = $dbh->selectrow_array($query);
+ if ( $form->{vc} ne 'customer' ) { # Sanitize $form->{vc}
+ $form->{vc} = 'vendor';
+ }
if ( $form->{id} ) {
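Review bot: The sanitisation at `if ( $form->{vc} ne 'customer' ) { # Sanitize $form->{vc}` sits after the `defaults` query and partway into the routine, so any use of `$form->{vc}` earlier in the sub (which starts outside the hunk) would still see the raw value; placing it at the top of the sub next to the argument unpacking, as CP.pm does in this commit, removes that doubt. It is also written as an `if`/`ne` block while every other file in the commit uses the one-line ternary; both are equivalent here, but one form is easier to find when the whitelist is revisited. The `ne` also warns when `vc` is undefined.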
Modified: branches/1.2/LedgerSMB/OP.pm
===================================================================
--- branches/1.2/LedgerSMB/OP.pm 2011-08-18 21:13:29 UTC (rev 3670)
+++ branches/1.2/LedgerSMB/OP.pm 2011-08-18 21:30:50 UTC (rev 3671)
@@ -38,6 +38,7 @@
my ( $self, $myconfig, $form, $dbh, $amount, $ml ) = @_;
my $invnumber = $form->{invnumber};
+ $form->{arap} = ( $form->{arap} eq 'ar' ) ? 'ar' : 'ap';
$invnumber =
$form->update_defaults( $myconfig, ( $form->{arap} eq 'ar' )
? "sinumber"
Modified: branches/1.2/LedgerSMB/PE.pm
===================================================================
--- branches/1.2/LedgerSMB/PE.pm 2011-08-18 21:13:29 UTC (rev 3670)
+++ branches/1.2/LedgerSMB/PE.pm 2011-08-18 21:30:50 UTC (rev 3671)
@@ -1453,6 +1453,7 @@
my $null;
my $var;
my $where;
+ $form->{vc} = ($form->{vc} eq 'customer') ? 'customer' : 'vendor';
if ( $form->{projectnumber} ) {
( $null, $var ) = split /--/, $form->{projectnumber};
Modified: branches/1.2/LedgerSMB/RP.pm
===================================================================
--- branches/1.2/LedgerSMB/RP.pm 2011-08-18 21:13:29 UTC (rev 3670)
+++ branches/1.2/LedgerSMB/RP.pm 2011-08-18 21:30:50 UTC (rev 3671)
@@ -1566,6 +1566,8 @@
my $dbh = $form->{dbh};
my $invoice = ( $form->{arap} eq 'ar' ) ? 'is' : 'ir';
+ $form->{ct} = ($form->{ct} eq 'customer') ? 'customer' : 'vendor';
+ $form->{arap} = ( $form->{arap} eq 'ar' ) ? 'ar' : 'ap';
my $query = qq|SELECT value FROM defaults WHERE setting_key = 'curr'|;
( $form->{currencies} ) = $dbh->selectrow_array($query);
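Review bot: `my $invoice = ( $form->{arap} eq 'ar' ) ? 'is' : 'ir';` is evaluated before the new `$form->{arap} = ( $form->{arap} eq 'ar' ) ? 'ar' : 'ap';` line, so one derived value is computed from the unsanitised input. The result is the same today because both expressions test for exactly `ar`, but moving the two whitelist lines above `my $invoice = ...` keeps every derived value downstream of the check and avoids a trap if either mapping changes later. The enclosing sub starts outside the hunk.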
@@ -1736,6 +1738,7 @@
sub get_customer {
my ( $self, $myconfig, $form ) = @_;
+ $form->{ct} = ($form->{ct} eq 'customer') ? 'customer' : 'vendor';
my $dbh = $form->{dbh};
my $query = qq|
@@ -1826,11 +1829,12 @@
my $table;
my $ARAP;
+ $form->{db} = ($form->{db} eq 'ar') ? 'ar' : 'ap';
+
if ( $form->{db} eq 'ar' ) {
$table = "customer";
$ARAP = "AR";
- }
- if ( $form->{db} eq 'ap' ) {
+ } elsif ( $form->{db} eq 'ap' ) {
$table = "vendor";
$ARAP = "AP";
}
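Review bot: With the new `$form->{db} = ($form->{db} eq 'ar') ? 'ar' : 'ap';` line the `} elsif ( $form->{db} eq 'ap' ) {` branch is the only alternative left, so a plain `} else {` states directly that `$table` and `$ARAP` are always assigned; with the `elsif`, a reader still has to prove neither can be left undefined. Style only, behaviour is unchanged. The enclosing sub starts and ends outside the hunk.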
@@ -2189,6 +2193,7 @@
my $dbh = $form->{dbh};
my $ml = 1;
+ $form->{db} = ($form->{db} eq 'ar') ? 'ar' : 'ap';
if ( $form->{db} eq 'ar' ) {
$table = 'customer';
$ml = -1;