bug 5086: fix setting claim date

Also removed a locus for SQL injection.

Signed-off-by: Galen Charlton <gmcharlt@gmail.com>

diff --git a/C4/Serials.pm b/C4/Serials.pm
index 9c22901..32e46be 100644 (file)
--- a/C4/Serials.pm
+++ b/C4/Serials.pm
@@ -287,10 +287,10 @@ sub UpdateClaimdateIssues {
     my $dbh = C4::Context->dbh;
     $date = strftime( "%Y-%m-%d", localtime ) unless ($date);
     my $query = "
-        UPDATE serial SET claimdate=$date,status=7
-        WHERE  serialid in (" . join( ",", @$serialids ) . ")";
+        UPDATE serial SET claimdate = ?, status = 7
+        WHERE  serialid in (" . join( ",", map { '?' } @$serialids ) . ")";
     my $rq = $dbh->prepare($query);
-    $rq->execute;
+    $rq->execute($date, @$serialids);
     return $rq->rows;
 }