[ic] [wellwell/interchange6: 1/5] uid is not guaranteed to be numeric, so quote it

Peter peter at pajamian.dhs.org
Fri Mar 3 08:47:15 UTC 2017


On 03/03/17 20:53, Stefan Hornburg wrote:
> -	$set = $db_carts->query(q{select code from carts where name = '%s' and uid = %s},
> +	$set = $db_carts->query(q{select code from carts where name = '%s' and uid = '%s'},
>  							$name, $uid);
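Review bot: the `+` line still builds the statement with sprintf-style `%s` interpolation, so adding quotes around `%s` only changes how the column is compared; a `$uid` value that itself contains a single quote still lands unescaped inside the string literal and breaks (or alters) the query. Use the database handle's quoting, e.g. `$db_carts->quote($uid)` with a bare `%s`, or better, bind the values as placeholders so the driver never parses them as SQL.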

Can we not quote properly here to avoid SQL injection?

$set = $db_carts->query(q{select code from carts where name = %s and uid = %s}, $db_carts->quote($name), $db_carts->quote($uid));


Peter
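The difference between the two lines in this thread, worked through as an added example that is not part of the original mailing-list message or of the Interchange code. Python's sqlite3 stands in for the Interchange `$db_carts` handle, the hypothetical `sql_quote()` mimics what a DBI-style `quote()` method does (wrap in single quotes, double any embedded quote), and the `carts` rows are constructed sample data. It goes one step beyond the thread by also showing bound placeholders, which avoid string building altogether; a legitimate value with an apostrophe is enough to show why quoting the `%s` is not the same as quoting the value.

```python
import sqlite3

# Constructed sample rows (code, name, uid); uid is text, so it may carry a quote.
ROWS = [
    ("cart-1", "default", "42"),
    ("cart-2", "default", "o'brien"),
    ("cart-3", "other", "42"),
]


def make_db():
    """Fresh in-memory carts table with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("create table carts (code text, name text, uid text)")
    con.executemany("insert into carts values (?, ?, ?)", ROWS)
    return con


def sql_quote(value):
    """Hypothetical stand-in for a DBI-style quote(): quote and escape a value."""
    return "'" + str(value).replace("'", "''") + "'"


def lookup_interpolated(con, name, uid):
    """The patched form from the thread: '%s' with the raw value interpolated."""
    sql = "select code from carts where name = '%s' and uid = '%s'" % (name, uid)
    return [row[0] for row in con.execute(sql)]


def lookup_quoted(con, name, uid):
    """Peter's suggestion: bare %s, values passed through the handle's quote()."""
    sql = "select code from carts where name = %s and uid = %s" % (
        sql_quote(name), sql_quote(uid))
    return [row[0] for row in con.execute(sql)]


def lookup_placeholders(con, name, uid):
    """Bound parameters: the driver never parses the values as SQL text."""
    cur = con.execute(
        "select code from carts where name = ? and uid = ?", (name, uid))
    return [row[0] for row in cur]


def demo(uid="o'brien"):
    """Run all three forms on the same input and report what each returns."""
    con = make_db()
    results = {
        "quoted": lookup_quoted(con, "default", uid),
        "placeholders": lookup_placeholders(con, "default", uid),
    }
    try:
        results["interpolated"] = lookup_interpolated(con, "default", uid)
    except sqlite3.OperationalError as exc:
        # The apostrophe terminates the literal early: the statement is malformed.
        results["interpolated"] = "error: %s" % exc
    return results


if __name__ == "__main__":
    for form, outcome in demo().items():
        print("%-13s %s" % (form, outcome))
```

The interpolated form fails on ordinary data, which is the same defect that makes it injectable; both `quote()` and placeholders return the single matching cart. Placeholders are the form to prefer where the driver supports them, since the query text is then fixed and nothing in the caller's data can change its shape.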


