From fcb7acf90c1f764e70afe642a058403c2e3a502d Mon Sep 17 00:00:00 2001
From: einhverfr
Date: Tue, 31 Oct 2006 21:45:30 +0000
Subject: Moved OP to new API, and got rid of SQL injection isues
git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/trunk@431 4979c152-3d1c-0410-bac9-87ea11338e46
---
 Changelog | 1 +
 LedgerSMB/OP.pm | 149 ++++++++++++++++++++++++++++++++------------------------
 2 files changed, 86 insertions(+), 64 deletions(-)
diff --git a/Changelog b/Changelog
index 7b80a370..39b9dfbe 100644
--- a/Changelog
+++ b/Changelog
@@ -15,6 +15,7 @@ Security:
 * Audited IS.pm, GL.pm, IR.pm for SQL injection and moved to new API. (Chris T)
 * Audited User.pm for SQL injection. (Chris T)
 * Audited HR.pm, removed old, stale payroll code, moved to new API (Chris T)
+* Audited OP.pm and moved to new API (Chris T)
 Localization:
 * Moved localization files to standard codes (Seneca)
diff --git a/LedgerSMB/OP.pm b/LedgerSMB/OP.pm
index 47744526..13f9da01 100755
--- a/LedgerSMB/OP.pm
+++ b/LedgerSMB/OP.pm
@@ -23,7 +23,7 @@
 #
 #======================================================================
 #
-# This file has NOT undergone whitespace cleanup.
+# This file has undergone whitespace cleanup.
 #
 #======================================================================
 #
@@ -35,82 +35,103 @@ package OP;
 sub overpayment {
- my ($self, $myconfig, $form, $dbh, $amount, $ml) = @_;
+ my ($self, $myconfig, $form, $dbh, $amount, $ml) = @_;
- my $fxamount = $form->round_amount($amount * $form->{exchangerate}, 2);
- my ($paymentaccno) = split /--/, $form->{account};
+ my $fxamount = $form->round_amount($amount * $form->{exchangerate}, 2);
+ my ($paymentaccno) = split /--/, $form->{account};
- my ($null, $department_id) = split /--/, $form->{department};
- $department_id *= 1;
+ my ($null, $department_id) = split /--/, $form->{department};
+ $department_id *= 1;
- my $uid = localtime;
- $uid .= "$$";
+ my $uid = localtime;
+ $uid .= "$$";
- # add AR/AP header transaction with a payment
- $query = qq|INSERT INTO $form->{arap} (invnumber, employee_id)
- VALUES ('$uid', (SELECT id FROM employee
- WHERE login = '$form->{login}'))|;
- $dbh->do($query) || $form->dberror($query);
+ # add AR/AP header transaction with a payment
+ my $login = $dbh->quote($form->{login});
+ $query = qq|
+ INSERT INTO $form->{arap} (invnumber, employee_id)
+ VALUES ('$uid', (SELECT id FROM employee
+ WHERE login = $login))|;
+ $dbh->do($query) || $form->dberror($query);
- $query = qq|SELECT id FROM $form->{arap}
- WHERE invnumber = '$uid'|;
- ($uid) = $dbh->selectrow_array($query);
+ $query = qq|SELECT id FROM $form->{arap} WHERE invnumber = '$uid'|;
+ ($uid) = $dbh->selectrow_array($query);
- my $invnumber = $form->{invnumber};
- $invnumber = $form->update_defaults($myconfig, ($form->{arap} eq 'ar') ? "sinumber" : "vinumber", $dbh) unless $invnumber;
+ my $invnumber = $form->{invnumber};
+ $invnumber = $form->update_defaults(
+ $myconfig,
+ ($form->{arap} eq 'ar')
+ ? "sinumber"
+ : "vinumber",
+ $dbh) unless $invnumber;
- $query = qq|UPDATE $form->{arap} set
- invnumber = |.$dbh->quote($invnumber).qq|,
- $form->{vc}_id = $form->{"$form->{vc}_id"},
- transdate = '$form->{datepaid}',
- datepaid = '$form->{datepaid}',
- duedate = '$form->{datepaid}',
- netamount = 0,
- amount = 0,
- paid = $fxamount,
- curr = '$form->{currency}',
- department_id = $department_id
- WHERE id = $uid|;
- $dbh->do($query) || $form->dberror($query);
+ $query = qq|
+ UPDATE $form->{arap}
+ set invnumber = ?,
+ $form->{vc}_id = ?,
+ transdate = ?,
+ datepaid = ?,
+ duedate = ?,
+ netamount = 0,
+ amount = 0,
+ paid = ?,
+ curr = ?,
+ department_id = ?
+ WHERE id = ?|;
+ $sth = $dbh->prepare($query);
+ $sth->execute(
+ $invnumber, $form->{"$form->{vc}_id"}, $form->{datepaid},
+ $form->{datepaid}, $form->{datepaid}, $fxamount,
+ $form->{currency}, $department_id, $uid
+ ) || $form->dberror($query);
- # add AR/AP
- ($accno) = split /--/, $form->{$form->{ARAP}};
+ # add AR/AP
+ ($accno) = split /--/, $form->{$form->{ARAP}};
- $query = qq|INSERT INTO acc_trans (trans_id, chart_id, transdate, amount)
- VALUES ($uid, (SELECT id FROM chart
- WHERE accno = '$accno'),
- '$form->{datepaid}', $fxamount * $ml)|;
- $dbh->do($query) || $form->dberror($query);
+ $query = qq|
+ INSERT INTO acc_trans (trans_id, chart_id, transdate, amount)
+ VALUES (?, (SELECT id FROM chart
+ WHERE accno = ?), ?, ?)|;
+ $sth = $dbh->prepare($query);
+ $sth->execute($uid, $accno, $form->{datepaid}, $fxamount * $ml)
+ || $form->dberror($query);
- # add payment
- $query = qq|INSERT INTO acc_trans (trans_id, chart_id, transdate,
- amount, source, memo)
- VALUES ($uid, (SELECT id FROM chart
- WHERE accno = '$paymentaccno'),
- '$form->{datepaid}', $amount * $ml * -1, |
- .$dbh->quote($form->{source}).qq|, |
- .$dbh->quote($form->{memo}).qq|)|;
- $dbh->do($query) || $form->dberror($query);
+ # add payment
+ $query = qq|
+ INSERT INTO acc_trans (trans_id, chart_id, transdate,
+ amount, source, memo)
+ VALUES (?, (SELECT id FROM chart WHERE accno = ?),
+ ?, ?, ?, ?)|;
+ $sth = $dbh->prepare($query);
+ $sth->execute(
+ $uid, $paymentaccno, $form->{datepaid}, $amount * $ml * -1,
+ $form->{source}, $form->{memo}
+ )|| $form->dberror($query);
- # add exchangerate difference
- if ($fxamount != $amount) {
- $query = qq|INSERT INTO acc_trans (trans_id, chart_id, transdate,
- amount, cleared, fx_transaction, source)
- VALUES ($uid, (SELECT id FROM chart
- WHERE accno = '$paymentaccno'),
- '$form->{datepaid}', ($fxamount - $amount) * $ml * -1,
- '1', '1', |
- .$dbh->quote($form->{source}).qq|)|;
- $dbh->do($query) || $form->dberror($query);
- }
+ # add exchangerate difference
+ if ($fxamount != $amount) {
+ $query = qq|
+ INSERT INTO acc_trans (trans_id, chart_id, transdate,
+ amount, cleared, fx_transaction, source)
+ VALUES (?, (SELECT id FROM chart WHERE accno = ?),
+ ?, ?, '1', '1', ?)|;
+ $sth = $dbh->prepare($query);
+ $sth->execute($uid, $paymentaccno, $form->{datepaid},
+ ($fxamount - $amount) * $ml * -1, $form->{source}
+ ) || $form->dberror($query);
+ }
- my %audittrail = ( tablename => $form->{arap},
- reference => $invnumber,
- formname => ($form->{arap} eq 'ar') ? 'deposit' : 'pre-payment',
- action => 'posted',
- id => $uid );
+ my %audittrail = (
+ tablename => $form->{arap},
+ reference => $invnumber,
+ formname =>
+ ($form->{arap} eq 'ar')
+ ? 'deposit'
+ : 'pre-payment',
+ action => 'posted',
+ id => $uid );
- $form->audittrail($dbh, "", \%audittrail);
+ $form->audittrail($dbh, "", \%audittrail);
 }
-- cgit v1.2.3
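Review bot: `$form->{arap}` and `$form->{vc}` are still interpolated into the statement text as a table and a column name (`UPDATE $form->{arap}` / `$form->{vc}_id = ?`, plus the `INSERT INTO $form->{arap}` and `SELECT id FROM $form->{arap}` statements), so whether the injection issue is closed depends on those two values being constrained before overpayment() is called, which this hunk does not show. Identifiers cannot be bound as placeholders, so the sub should reject anything outside the known set itself; the hunk's own `($form->{arap} eq 'ar')` test shows `ar` is one legal value, the other being the `ap` table. A check at the top of the sub such as `die "invalid arap table: $form->{arap}" unless $form->{arap} =~ /\A(?:ar|ap)\z/;`, and the equivalent for `$form->{vc}` against its legal column roots (presumably `customer`/`vendor`), would make the sub safe regardless of the caller. `$uid` is also interpolated into the first INSERT and the SELECT, but it is built from `localtime` and `$$` rather than request data, so that is a consistency point rather than a risk; a placeholder would still be cleaner. `$query`, `$sth` and `$accno` are assigned without `my`, which suggests the file is not under `use strict` — the preamble is outside this hunk, so I cannot confirm.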