[wellwell/interchange6] Use proper quoting of query parameters in get_cart_by_name method.
Stefan Hornburg
interchange-cvs at icdevgroup.org
Fri Mar 3 09:07:17 UTC 2017
commit 9246736ea974230526225e1bbd244a4f7dcff91a
Author: Peter Ajamian <peter at pajamian.dhs.org>
Date: Fri Mar 3 10:03:25 2017 +0100
Use proper quoting of query parameters in get_cart_by_name method.
lib/WellWell/DatabaseCart.pm | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/lib/WellWell/DatabaseCart.pm b/lib/WellWell/DatabaseCart.pm
index 2f10f3c..1e5aca3 100644
--- a/lib/WellWell/DatabaseCart.pm
+++ b/lib/WellWell/DatabaseCart.pm
@@ -135,8 +135,8 @@ sub get_cart_by_name {
$db_carts = database_exists_ref('carts');
- $set = $db_carts->query(q{select carts_id from carts where name = '%s' and username = '%s'},
- $name, $uid);
+ $set = $db_carts->query(q{select carts_id from carts where name = %s and username = %s},
+ $db_carts->quote($name), $db_carts->quote($uid));
if (@$set) {
$code = $set->[0]->[0];