[freeside-commits] freeside/FS/FS svc_acct.pm, 1.268.2.24, 1.268.2.25

Jeff Finucane,420,, jeff at wavetail.420.am
Sun Jun 13 11:01:38 PDT 2010


Update of /home/cvs/cvsroot/freeside/FS/FS
In directory wavetail.420.am:/tmp/cvs-serv23390/FS/FS

Modified Files:
      Tag: FREESIDE_1_9_BRANCH
	svc_acct.pm 
Log Message:
avoid sql injection

Index: svc_acct.pm
===================================================================
RCS file: /home/cvs/cvsroot/freeside/FS/FS/svc_acct.pm,v
retrieving revision 1.268.2.24
retrieving revision 1.268.2.25
diff -u -w -d -r1.268.2.24 -r1.268.2.25
--- svc_acct.pm	23 May 2010 01:59:20 -0000	1.268.2.24
+++ svc_acct.pm	13 Jun 2010 18:01:36 -0000	1.268.2.25
@@ -1228,6 +1228,10 @@
               || $self->ut_snumbern('upbytes')
               || $self->ut_snumbern('downbytes')
               || $self->ut_snumbern('totalbytes')
+              || $self->ut_snumbern('seconds_threshold')
+              || $self->ut_snumbern('upbytes_threshold')
+              || $self->ut_snumbern('downbytes_threshold')
+              || $self->ut_snumbern('totalbytes_threshold')
               || $self->ut_enum('_password_encoding', ['',qw(plain crypt ldap)])
               || $self->ut_enum('password_selfchange', [ '', 'Y' ])
               || $self->ut_enum('password_recover',    [ '', 'Y' ])
@@ -2305,7 +2309,7 @@
   #die $error if $error;         #services not explicity changed via the UI
 
   my $sql = "UPDATE svc_acct SET " .
-    join (',', map { "$_ =  $handyhash{$_}" } (keys %handyhash) ).
+    join (',', map { "$_ =  ?" } (keys %handyhash) ).
     " WHERE svcnum = ". $self->svcnum;
 
   warn "$me $sql\n"
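Review bot: The WHERE clause on the line after the changed `join` still concatenates `$self->svcnum` into the statement, so the UPDATE is only partly parameterized. Bind it too, with `" WHERE svcnum = ?"` here and `$sth->execute(values %handyhash, $self->svcnum)` in the next hunk. The column names from `keys %handyhash` are also still interpolated, and placeholders cannot cover identifiers. Where the hash is filled is outside this hunk, so if its keys are not a fixed set of column names they should be checked against an allow-list before the statement is built. The enclosing sub starts and ends outside the hunk.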
@@ -2314,7 +2318,7 @@
   if (scalar(keys %handyhash)) {
     my $sth = $dbh->prepare( $sql )
       or die "Error preparing $sql: ". $dbh->errstr;
-    my $rv = $sth->execute();
+    my $rv = $sth->execute(values %handyhash);
     die "Error executing $sql: ". $sth->errstr
       unless defined($rv);
     die "Can't update usage for svcnum ". $self->svcnum
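Review bot: `execute(values %handyhash)` binds the right value to each column only because `values` returns entries in the same order as the earlier `keys` call that built the placeholder list. Perl guarantees that order only while the hash is unmodified, the two lines between the hunks are not visible, and nothing in the code states the dependency. Taking the column list once with `my @cols = keys %handyhash;`, building the SET list from `@cols`, and calling `$sth->execute(@handyhash{@cols})` makes the pairing explicit and keeps it safe under later edits. At minimum, add a comment above the execute such as `# bind order must match the keys() order used to build $sql`. The sub continues past the end of the hunk.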


