From 6ade3cf57e37b517ef054723112cd369ce270728 Mon Sep 17 00:00:00 2001
From: Colin Campbell
Date: Wed, 23 Jan 2013 10:52:28 +0000
Subject: [PATCH] Bug 9454: Use placeholders when adding basket
Should always use placeholders when passing variables to DBI; avoids unforeseen bugs and security issues. Also:
- reformated the long lists of parameters to add CR
- moved the setting of defaults out of the call to ModBasket to clarify code
- Setting parameters to undef if they were not defined was unnecessary bloat and obscuration
Testing: Patch should not change functional behaviour. To test check that order baskets can still be correctly created.
Signed-off-by: Galen Charlton
Signed-off-by: Katrin Fischer
All tests and QA script pass. Created a new basket, added order lines and closed basket. Checked everything worked in the staff interface, also checked the entry for the new basket in aqbasket in the database. Logs are clean too.
Signed-off-by: Jared Camins-Esakov
---
 C4/Acquisition.pm | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/C4/Acquisition.pm b/C4/Acquisition.pm
index 249f10dd7f..376a20bb5d 100644
--- a/C4/Acquisition.pm
+++ b/C4/Acquisition.pm
@@ -190,18 +190,21 @@ The other parameters are optional, see ModBasketHeader for more info on them.
 =cut
 sub NewBasket {
- my ( $booksellerid, $authorisedby, $basketname, $basketnote, $basketbooksellernote, $basketcontractnumber, $deliveryplace, $billingplace ) = @_;
+ my ( $booksellerid, $authorisedby, $basketname, $basketnote,
+ $basketbooksellernote, $basketcontractnumber, $deliveryplace,
+ $billingplace ) = @_;
 my $dbh = C4::Context->dbh;
- my $query = "
- INSERT INTO aqbasket
- (creationdate,booksellerid,authorisedby)
- VALUES (now(),'$booksellerid','$authorisedby')
- ";
- my $sth =
- $dbh->do($query);
-#find & return basketno MYSQL dependant, but $dbh->last_insert_id always returns null :-(
- my $basket = $dbh->{'mysql_insertid'};
- ModBasketHeader($basket, $basketname || '', $basketnote || '', $basketbooksellernote || '', $basketcontractnumber || undef, $booksellerid, $deliveryplace || undef, $billingplace || undef );
+ my $query =
+ 'INSERT INTO aqbasket (creationdate,booksellerid,authorisedby) '
+ . 'VALUES (now(),?,?)';
+ $dbh->do( $query, {}, $booksellerid, $authorisedby );
+
+ my $basket = $dbh->{mysql_insertid};
+ $basketname ||= q{}; # default to empty strings
+ $basketnote ||= q{};
+ $basketbooksellernote ||= q{};
+ ModBasketHeader( $basket, $basketname, $basketnote, $basketbooksellernote,
+ $basketcontractnumber, $booksellerid, $deliveryplace, $billingplace );
 return $basket;
 }
--
2.20.1
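Review bot: The new `$dbh->do( $query, {}, $booksellerid, $authorisedby );` line discards DBI's return value, so unless the handle has RaiseError set (not visible in this hunk) a failed INSERT is ignored, `$dbh->{mysql_insertid}` is read anyway and ModBasketHeader is called with a meaningless basket number that is then returned to the caller. Checking the result, `$dbh->do( $query, {}, $booksellerid, $authorisedby ) or die 'Cannot create basket: ' . $dbh->errstr;` (or croak if Carp is already in scope in this file), stops a failed insert from silently producing a half-initialised basket. The deleted `#find & return basketno MYSQL dependant` comment was the only record of why `mysql_insertid` is used instead of `last_insert_id`; keep a short form above the read, `# mysql_insertid is driver-specific; last_insert_id() was found unreliable here`. Note also that dropping the `|| undef` on `$basketcontractnumber`, `$deliveryplace` and `$billingplace` changes what ModBasketHeader receives when a caller passes an empty string or 0 (previously coerced to undef, now passed through), so the commit message's "should not change functional behaviour" may not hold; whether that surfaces as '' instead of NULL in aqbasket depends on ModBasketHeader, which is outside this hunk.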