On 03/03/17 20:53, Stefan Hornburg wrote:
> - $set = $db_carts->query(q{select code from carts where name = '%s' and uid = %s},
> + $set = $db_carts->query(q{select code from carts where name = '%s' and uid = '%s'},
> $name, $uid);
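Review bot: the `+` line only adds quotes around the second `%s`, which does not close the injection hole: both `$name` and `$uid` are still spliced into the SQL text by the format string, so a single quote inside either value terminates the literal and the remainder of the value is parsed as SQL. Pass each value through the handle's own quoting with a bare `%s` in the template, e.g. `$db_carts->query(q{... where name = %s and uid = %s}, $db_carts->quote($name), $db_carts->quote($uid))`, or use bind placeholders if the query method supports them.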
Can we not quote properly here to avoid SQL injection?
$set = $db_carts->query(q{select code from carts where name = %s and uid = %s},
    $db_carts->quote($name), $db_carts->quote($uid));
Peter
_______________________________________________
interchange-users mailing list
interchange-users@icdevgroup.org
http://www.icdevgroup.org/mailman/listinfo/interchange-users
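The difference between the quoted-`%s` template in the patch and the `quote()` call Peter proposes, shown as an added stand-alone example (not Interchange code; it assumes DBI with DBD::SQLite and a constructed `carts` table in an in-memory database):

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Stand-in for the carts table: an in-memory SQLite database with
# constructed sample rows (assumed schema, not Interchange's own).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE carts (code INTEGER, name TEXT, uid TEXT)');
$dbh->do(q{INSERT INTO carts VALUES (1, 'O''Brien''s cart', '42')});
$dbh->do(q{INSERT INTO carts VALUES (2, 'main', '42')});

# Constructed input: an ordinary cart name that happens to contain an apostrophe.
my ($name, $uid) = ("O'Brien's cart", '42');

# 1. What the patch does: put quotes around %s and let sprintf fill in the
#    value. The apostrophe inside the value is spliced straight into the SQL
#    text, so the value is parsed as SQL. Here that is a syntax error; an
#    attacker-chosen value could just as well rewrite the WHERE clause, which
#    is the injection Peter refers to.
my $unsafe = sprintf(q{select code from carts where name = '%s' and uid = '%s'},
                     $name, $uid);
my $rows = eval { $dbh->selectall_arrayref($unsafe) };
print "quoted %s template: ", ($@ ? "query failed: $@" : scalar(@$rows) . " row(s)\n");

# 2. Peter's suggestion: have the handle quote each value (it doubles the
#    embedded apostrophe and adds the surrounding quotes itself), then
#    interpolate the already-quoted literal into a bare %s.
my $quoted = sprintf(q{select code from carts where name = %s and uid = %s},
                     $dbh->quote($name), $dbh->quote($uid));
$rows = $dbh->selectall_arrayref($quoted);
printf "quote(): %d row(s)\n", scalar @$rows;

# 3. Bind placeholders: the values travel separately from the SQL text and are
#    never parsed as SQL, so no quoting is needed at all.
$rows = $dbh->selectall_arrayref(
    'select code from carts where name = ? and uid = ?', undef, $name, $uid);
printf "placeholders: %d row(s)\n", scalar @$rows;
```

Case 1 dies on the apostrophe while cases 2 and 3 each return the single matching cart; whether Interchange's `query()` accepts bind placeholders as in case 3 is not something this thread establishes.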