authoreinhverfr <einhverfr@4979c152-3d1c-0410-bac9-87ea11338e46>2006-10-31 21:45:30 +0000
committereinhverfr <einhverfr@4979c152-3d1c-0410-bac9-87ea11338e46>2006-10-31 21:45:30 +0000
commitfcb7acf90c1f764e70afe642a058403c2e3a502d (patch)
tree36b286c1b718a25e6a3539700e3fea0ddd0267f6
parent35326004c150b291d29ef2f4beb26dcdf5d4983c (diff)
Moved OP to new API, and got rid of SQL injection issues
git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/trunk@431 4979c152-3d1c-0410-bac9-87ea11338e46
-rw-r--r--Changelog1
-rwxr-xr-xLedgerSMB/OP.pm149
2 files changed, 86 insertions, 64 deletions
diff --git a/Changelog b/Changelog
index 7b80a370..39b9dfbe 100644
--- a/Changelog
+++ b/Changelog
@@ -15,6 +15,7 @@ Security:
* Audited IS.pm, GL.pm, IR.pm for SQL injection and moved to new API. (Chris T)
* Audited User.pm for SQL injection. (Chris T)
* Audited HR.pm, removed old, stale payroll code, moved to new API (Chris T)
+* Audited OP.pm and moved to new API (Chris T)
Localization:
* Moved localization files to standard codes (Seneca)
diff --git a/LedgerSMB/OP.pm b/LedgerSMB/OP.pm
index 47744526..13f9da01 100755
--- a/LedgerSMB/OP.pm
+++ b/LedgerSMB/OP.pm
@@ -23,7 +23,7 @@
#
#======================================================================
#
-# This file has NOT undergone whitespace cleanup.
+# This file has undergone whitespace cleanup.
#
#======================================================================
#
@@ -35,82 +35,103 @@
package OP;
sub overpayment {
- my ($self, $myconfig, $form, $dbh, $amount, $ml) = @_;
+ my ($self, $myconfig, $form, $dbh, $amount, $ml) = @_;
- my $fxamount = $form->round_amount($amount * $form->{exchangerate}, 2);
- my ($paymentaccno) = split /--/, $form->{account};
+ my $fxamount = $form->round_amount($amount * $form->{exchangerate}, 2);
+ my ($paymentaccno) = split /--/, $form->{account};
- my ($null, $department_id) = split /--/, $form->{department};
- $department_id *= 1;
+ my ($null, $department_id) = split /--/, $form->{department};
+ $department_id *= 1;
- my $uid = localtime;
- $uid .= "$$";
+ my $uid = localtime;
+ $uid .= "$$";
- # add AR/AP header transaction with a payment
- $query = qq|INSERT INTO $form->{arap} (invnumber, employee_id)
- VALUES ('$uid', (SELECT id FROM employee
- WHERE login = '$form->{login}'))|;
- $dbh->do($query) || $form->dberror($query);
+ # add AR/AP header transaction with a payment
+ my $login = $dbh->quote($form->{login});
+ $query = qq|
+ INSERT INTO $form->{arap} (invnumber, employee_id)
+ VALUES ('$uid', (SELECT id FROM employee
+ WHERE login = $login))|;
+ $dbh->do($query) || $form->dberror($query);
- $query = qq|SELECT id FROM $form->{arap}
- WHERE invnumber = '$uid'|;
- ($uid) = $dbh->selectrow_array($query);
+ $query = qq|SELECT id FROM $form->{arap} WHERE invnumber = '$uid'|;
+ ($uid) = $dbh->selectrow_array($query);
- my $invnumber = $form->{invnumber};
- $invnumber = $form->update_defaults($myconfig, ($form->{arap} eq 'ar') ? "sinumber" : "vinumber", $dbh) unless $invnumber;
+ my $invnumber = $form->{invnumber};
+ $invnumber = $form->update_defaults(
+ $myconfig,
+ ($form->{arap} eq 'ar')
+ ? "sinumber"
+ : "vinumber",
+ $dbh) unless $invnumber;
- $query = qq|UPDATE $form->{arap} set
- invnumber = |.$dbh->quote($invnumber).qq|,
- $form->{vc}_id = $form->{"$form->{vc}_id"},
- transdate = '$form->{datepaid}',
- datepaid = '$form->{datepaid}',
- duedate = '$form->{datepaid}',
- netamount = 0,
- amount = 0,
- paid = $fxamount,
- curr = '$form->{currency}',
- department_id = $department_id
- WHERE id = $uid|;
- $dbh->do($query) || $form->dberror($query);
+ $query = qq|
+ UPDATE $form->{arap}
+ set invnumber = ?,
+ $form->{vc}_id = ?,
+ transdate = ?,
+ datepaid = ?,
+ duedate = ?,
+ netamount = 0,
+ amount = 0,
+ paid = ?,
+ curr = ?,
+ department_id = ?
+ WHERE id = ?|;
+ $sth = $dbh->prepare($query);
+ $sth->execute(
+ $invnumber, $form->{"$form->{vc}_id"}, $form->{datepaid},
+ $form->{datepaid}, $form->{datepaid}, $fxamount,
+ $form->{currency}, $department_id, $uid
+ ) || $form->dberror($query);
- # add AR/AP
- ($accno) = split /--/, $form->{$form->{ARAP}};
+ # add AR/AP
+ ($accno) = split /--/, $form->{$form->{ARAP}};
- $query = qq|INSERT INTO acc_trans (trans_id, chart_id, transdate, amount)
- VALUES ($uid, (SELECT id FROM chart
- WHERE accno = '$accno'),
- '$form->{datepaid}', $fxamount * $ml)|;
- $dbh->do($query) || $form->dberror($query);
+ $query = qq|
+ INSERT INTO acc_trans (trans_id, chart_id, transdate, amount)
+ VALUES (?, (SELECT id FROM chart
+ WHERE accno = ?), ?, ?)|;
+ $sth = $dbh->prepare($query);
+ $sth->execute($uid, $accno, $form->{datepaid}, $fxamount * $ml)
+ || $form->dberror($query);
- # add payment
- $query = qq|INSERT INTO acc_trans (trans_id, chart_id, transdate,
- amount, source, memo)
- VALUES ($uid, (SELECT id FROM chart
- WHERE accno = '$paymentaccno'),
- '$form->{datepaid}', $amount * $ml * -1, |
- .$dbh->quote($form->{source}).qq|, |
- .$dbh->quote($form->{memo}).qq|)|;
- $dbh->do($query) || $form->dberror($query);
+ # add payment
+ $query = qq|
+ INSERT INTO acc_trans (trans_id, chart_id, transdate,
+ amount, source, memo)
+ VALUES (?, (SELECT id FROM chart WHERE accno = ?),
+ ?, ?, ?, ?)|;
+ $sth = $dbh->prepare($query);
+ $sth->execute(
+ $uid, $paymentaccno, $form->{datepaid}, $amount * $ml * -1,
+ $form->{source}, $form->{memo}
+ )|| $form->dberror($query);
- # add exchangerate difference
- if ($fxamount != $amount) {
- $query = qq|INSERT INTO acc_trans (trans_id, chart_id, transdate,
- amount, cleared, fx_transaction, source)
- VALUES ($uid, (SELECT id FROM chart
- WHERE accno = '$paymentaccno'),
- '$form->{datepaid}', ($fxamount - $amount) * $ml * -1,
- '1', '1', |
- .$dbh->quote($form->{source}).qq|)|;
- $dbh->do($query) || $form->dberror($query);
- }
+ # add exchangerate difference
+ if ($fxamount != $amount) {
+ $query = qq|
+ INSERT INTO acc_trans (trans_id, chart_id, transdate,
+ amount, cleared, fx_transaction, source)
+ VALUES (?, (SELECT id FROM chart WHERE accno = ?),
+ ?, ?, '1', '1', ?)|;
+ $sth = $dbh->prepare($query);
+ $sth->execute($uid, $paymentaccno, $form->{datepaid},
+ ($fxamount - $amount) * $ml * -1, $form->{source}
+ ) || $form->dberror($query);
+ }
- my %audittrail = ( tablename => $form->{arap},
- reference => $invnumber,
- formname => ($form->{arap} eq 'ar') ? 'deposit' : 'pre-payment',
- action => 'posted',
- id => $uid );
+ my %audittrail = (
+ tablename => $form->{arap},
+ reference => $invnumber,
+ formname =>
+ ($form->{arap} eq 'ar')
+ ? 'deposit'
+ : 'pre-payment',
+ action => 'posted',
+ id => $uid );
- $form->audittrail($dbh, "", \%audittrail);
+ $form->audittrail($dbh, "", \%audittrail);
}
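Review bot: The identifiers `$form->{arap}` (INSERT at new lines 65 and 72, UPDATE at 97) and `$form->{vc}` (`$form->{vc}_id = ?` at 99) are still interpolated straight into the SQL text, and bind placeholders cannot cover table or column names, so the injection path the commit set out to close remains open wherever those two form values are not constrained before they reach overpayment(). Reject anything but the known selectors before the first query, e.g. `my %ok_table = (ar => 1, ap => 1);` then `die "invalid arap selector" unless $ok_table{$form->{arap}};`, and give `$form->{vc}` the same whitelist treatment against the pair of values the callers are expected to pass (the page only shows it used as a column prefix, so confirm the set against Form.pm). Separately, the `$dbh->prepare($query)` results at lines 109, 128, 146 and 169 are never checked, so a prepare failure surfaces as a method call on an undefined `$sth` rather than through `$form->dberror($query)`; `$sth = $dbh->prepare($query) || $form->dberror($query);` keeps the error reporting consistent with the execute() calls. `$query`, `$sth` and `$accno` are also never declared with `my`, so they are package globals shared across calls.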