Bug 5595 : Fixing a security glitch (please always use placeholders or
authorChris Cormack <chrisc@catalyst.net.nz>
Sun, 13 Mar 2011 07:30:13 +0000 (20:30 +1300)
committerChris Cormack <chrisc@catalyst.net.nz>
Sun, 13 Mar 2011 07:30:13 +0000 (20:30 +1300)
dbh->quote and fixing the tests

C4/Members/Attributes.pm
t/db_dependent/Members.t

index b89b03a..1db9424 100644 (file)
@@ -102,16 +102,16 @@ sub GetBorrowerAttributes {
 
 sub SearchIdMatchingAttribute{
     my $filter = shift;
-       my $finalfilter=$$filter[0];
+    my $finalfilter=$filter->[0];
     my $dbh   = C4::Context->dbh();
     my $query = qq{
 SELECT borrowernumber
 FROM borrower_attributes
 JOIN borrower_attribute_types USING (code)
 WHERE staff_searchable = 1
-AND attribute like "%$finalfilter%"};
+AND attribute like ?};
     my $sth = $dbh->prepare_cached($query);
-    $sth->execute();
+    $sth->execute("%$finalfilter%");
     return $sth->fetchall_arrayref;
 }
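Review bot: The placeholder on the new `AND attribute like ?` line closes the injection, but the bound value `"%$finalfilter%"` on the execute line still passes any `%` or `_` typed by the user straight to LIKE as wildcards, so a filter of `%` matches every searchable attribute row; if the filter is meant to be a literal substring, escape those characters before binding, e.g. `(my $pattern = $finalfilter) =~ s/([\\%_])/\\$1/g;` followed by `$sth->execute("%$pattern%");`. `$filter->[0]` is also bound unchecked, so an empty or undef filter binds `%%` and returns all rows (with an uninitialized-value warning when undef) — a guard such as `return [] unless defined $finalfilter && length $finalfilter;` would make that explicit. Whether the handle has RaiseError set is not visible here; if it does not, the return of `execute` should be checked. The sub has no documentation; a short POD entry stating that only `staff_searchable` attribute types are matched and that the filter is a substring match would help callers.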
 
index 8e26643..e28fbae 100755 (executable)
@@ -39,13 +39,13 @@ is ($changedmember->{firstname}, "Marie", "Member Returned");
 
 $member->{email}="Marie\@email.com";
 ModMember(%$member);
-my $searchemail=Search($member);
-is ($member->{email}, "Marie\@email.com", "Email search works");
+$changedmember=GetMemberDetails("","TESTCARD01");
+is ($changedmember->{email}, "Marie\@email.com", "Email Set works");
 
 $member->{ethnicity}="German";
 ModMember(%$member);
-my $searcheth=Search($member);
-is ($member->{ethnicity}, "German", "Ethnicity Works");
+$changedmember=GetMemberDetails("","TESTCARD01");
+is ($changedmember->{ethnicity}, "German", "Ethnicity Works");
 
 my @searchstring=("Mcknight");
 my ($results) = Search(\@searchstring,undef,undef,undef,["surname"]);
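Review bot: The two new assertions are described inconsistently — `"Email Set works"` for the first read-back versus the kept `"Ethnicity Works"` for the second, which no longer describes a search; `"Ethnicity set works"` would match the first. The card number `"TESTCARD01"` is now repeated in both `GetMemberDetails("","TESTCARD01")` calls and presumably elsewhere in the script; a single `my $card = "TESTCARD01";` near the top would keep the fixture in one place. The test script begins and continues outside this hunk, so the origin of `$member` and the `Search` call at the end are not visible here.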