[ic] [wellwell/interchange6: 1/5] uid is not guaranteed to be numeric, so quote it

Stefan Hornburg (Racke) racke at linuxia.de
Fri Mar 3 09:09:06 UTC 2017


On 03/03/2017 09:47 AM, Peter wrote:
> On 03/03/17 20:53, Stefan Hornburg wrote:
>> -	$set = $db_carts->query(q{select code from carts where name = '%s' and uid = %s},
>> +	$set = $db_carts->query(q{select code from carts where name = '%s' and uid = '%s'},
>>  							$name, $uid);
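Review bot: the `+` line still formats `$uid` straight into the SQL text and only adds literal single quotes around the `%s`, so a value containing a quote character still breaks or alters the statement; pass `$db_carts->quote($name)` and `$db_carts->quote($uid)` into unquoted `%s` placeholders instead (as the reply below proposes), so the driver escapes the values rather than the format string trying to.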
> 
> Can we not quote properly here to avoid SQL injection?
> 
> $set = $db_carts->query(q{select code from carts where name = %s and uid
> = %s}, $db_carts->quote($name), $db_carts->quote($uid));
> 
> 
> Peter

Hello Peter,

thanks for your code review & vigilance.

Fixed in 9246736ea974230526225e1bbd244a4f7dcff91a.

Regards
	Racke


-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration.
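An added example (not code from this thread or from Interchange) that runs the carts lookup three ways against a constructed in-memory SQLite table: the committed form with quotes embedded in the format string, Peter's `quote` form, and bind parameters; `sprintf` stands in for the format expansion `$db_carts->query` performs, and the column layout is assumed.

```perl
use strict;
use warnings;
use DBI;

# Constructed in-memory stand-in for the carts table (column layout assumed).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE carts (code TEXT, name TEXT, uid TEXT)');
$dbh->do(q{INSERT INTO carts (code, name, uid) VALUES ('C1', 'main', '42')});
$dbh->do(q{INSERT INTO carts (code, name, uid) VALUES ('C2', 'o''reilly', '42')});

# Run a statement (plus optional bind values) and return the first code column.
sub first_code {
    my $row = $dbh->selectrow_arrayref(@_);
    return $row ? $row->[0] : undef;
}

# As in the committed '+' line: values are formatted into the SQL text and
# only literal quotes are added around each %s (sprintf assumed to mirror
# the format expansion done by $db_carts->query).
sub code_interpolated {
    my ($name, $uid) = @_;
    return first_code(sprintf(
        q{select code from carts where name = '%s' and uid = '%s'}, $name, $uid));
}

# Peter's suggestion: let the driver quote each value, so the statement
# text survives whatever the value contains.
sub code_quoted {
    my ($name, $uid) = @_;
    return first_code(sprintf(
        q{select code from carts where name = %s and uid = %s},
        $dbh->quote($name), $dbh->quote($uid)));
}

# Bind parameters keep data out of the SQL text entirely.
sub code_bound {
    my ($name, $uid) = @_;
    return first_code(q{select code from carts where name = ? and uid = ?},
                      undef, $name, $uid);
}

# A legitimate cart name containing an apostrophe is enough to show the difference.
for my $variant ([interpolated => \&code_interpolated],
                 [quoted       => \&code_quoted],
                 [bound        => \&code_bound]) {
    my ($label, $fn) = @$variant;
    my $code = eval { $fn->(q{o'reilly}, '42') };
    printf "%-12s %s\n", $label, $@ ? "error: $@" : (defined $code ? $code : 'no row');
}
```

Requires DBD::SQLite; the interpolated variant dies with a syntax error on the apostrophe while the quoted and bound variants both return C2.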



More information about the interchange-users mailing list