Use placeholders in sql
authorFrère Sébastien Marie <semarie-koha@latrappe.fr>
Sun, 27 Feb 2011 12:56:43 +0000 (13:56 +0100)
committerChris Cormack <chrisc@catalyst.net.nz>
Sun, 27 Feb 2011 19:41:38 +0000 (08:41 +1300)
Signed-off-by: Frère Sébastien Marie <semarie-koha@latrappe.fr>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
admin/auth_tag_structure.pl

index 27c48e9..9c55df3 100755 (executable)
@@ -188,9 +188,10 @@ if ($op eq 'add_form') {
 # called by delete_confirm, used to effectively confirm deletion of data in DB
 } elsif ($op eq 'delete_confirmed') {
        unless (C4::Context->config('demo') eq 1) {
-               $dbh->do("delete from auth_tag_structure where tagfield='$searchfield' and authtypecode='$authtypecode'");
-               $dbh->do("delete from auth_subfield_structure where tagfield='$searchfield' and authtypecode='$authtypecode'");
-        # FIXME: Secuity vulnerability -- use placeholders, prepare and execute!
+               my $sth = $dbh->prepare("delete from auth_tag_structure where tagfield=? and authtypecode=?");
+               $sth->execute($searchfield,$authtypecode);
+               my $sth = $dbh->prepare("delete from auth_subfield_structure where tagfield=? and authtypecode=?");
+               $sth->execute($searchfield,$authtypecode);
        }
     print "Content-Type: text/html\n\n<META HTTP-EQUIV=Refresh CONTENT=\"0; URL=auth_tag_structure.pl?searchfield=".$input->param('tagfield')."&authtypecode=$authtypecode\">";
     exit;
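Review bot: `my $sth` is declared twice in the same block (once for the auth_tag_structure delete, again for the auth_subfield_structure delete), which under `use warnings` emits a `"my" variable $sth masks earlier declaration in same scope` warning; drop the second `my` or give the second handle its own name, e.g. `my $sth_subfield = $dbh->prepare("delete from auth_subfield_structure where tagfield=? and authtypecode=?");`. Neither prepare nor execute is checked, so unless the handle was created with RaiseError (not visible in this hunk) a failed delete from the first table would silently fall through to the second; `$sth->execute($searchfield,$authtypecode) or die $sth->errstr;` on each call would surface it. The if/elsif chain this branch belongs to begins before the hunk.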