authoreinhverfr <einhverfr@4979c152-3d1c-0410-bac9-87ea11338e46>2007-09-16 03:09:45 +0000
committereinhverfr <einhverfr@4979c152-3d1c-0410-bac9-87ea11338e46>2007-09-16 03:09:45 +0000
commit7dfd737d1389215622de711c147be436d4247daf (patch)
treeb807fa181caeca6ac1d23eb109f2c47848494300
parentbc7aa50d96c4f70e3f44bf41e4976424d8928564 (diff)
Correcting (trunk only) SQL injection issue in stored procedure interface.
git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/trunk@1615 4979c152-3d1c-0410-bac9-87ea11338e46
-rwxr-xr-xLedgerSMB.pm3
1 files changed, 3 insertions, 0 deletions
diff --git a/LedgerSMB.pm b/LedgerSMB.pm
index f61ae9a8..502b81e6 100755
--- a/LedgerSMB.pm
+++ b/LedgerSMB.pm
@@ -546,6 +546,9 @@ sub call_procedure {
my $order_by = $args{order_by};
my $argstr = "";
my @results;
+
+ $procname = $self->{dbh}->quote_identifier($procname);
+
for ( 1 .. scalar @call_args ) {
$argstr .= "?, ";
}
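Review bot: `$order_by` is read from `%args` on the first context line of this hunk but gets none of the quoting now applied to `$procname`. If it is interpolated into the statement later in `call_procedure` (the body starts and ends outside this hunk, so this is inferred), it remains an injection path. Consider checking it against the expected column names, or quoting it the same way with `$order_by = $self->{dbh}->quote_identifier($order_by) if defined $order_by;`, which only suits a single bare column name. Single-argument `quote_identifier` also treats a schema-qualified name as one identifier and, on PostgreSQL, makes the name case-sensitive, so callers passing `schema.proc` or a mixed-case name may stop resolving. A short comment above the new line, such as `# Quote the name: it is presumably interpolated into the SQL text rather than bound as a placeholder`, would record why the call is there.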