1 #!/usr/bin/perl
3 # Copyright 2008-2010 Foundations Bible College
4 # Parts copyright 2012 C & P Bibliography Services
6 # This file is part of Koha.
8 # Koha is free software; you can redistribute it and/or modify it
9 # under the terms of the GNU General Public License as published by
10 # the Free Software Foundation; either version 3 of the License, or
11 # (at your option) any later version.
13 # Koha is distributed in the hope that it will be useful, but
14 # WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 # GNU General Public License for more details.
18 # You should have received a copy of the GNU General Public License
19 # along with Koha; if not, see <http://www.gnu.org/licenses>.
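package C4::Barcodes::ValueBuilder::incremental;
use strict;
use warnings;
use C4::Context;
use constant DEBUG => 0;

# get_barcode($args) -> next numeric barcode
#
# Returns one more than the largest numeric value currently stored in
# items.barcode.  $args is accepted for interface parity with the other
# builders in this file but is not used here.
#
# Only the current maximum is read; nothing reserves the value, so two
# catalogers running this at the same time can be handed the same barcode.
sub get_barcode {
    my ($args) = @_;

    # abs() makes MySQL coerce the (string) barcode column to a number before
    # MAX().  Non-numeric barcodes are subject to that coercion -- presumably
    # intended, since this builder only issues numeric barcodes; confirm.
    my $sth = C4::Context->dbh->prepare("select max(abs(barcode)) from items");
    $sth->execute();

    # MAX() yields exactly one row; on an empty table it is NULL, in which
    # case the sequence starts at 1.
    my ($max) = $sth->fetchrow_array;
    my $nextnum = defined $max ? $max : 0;
    $nextnum++;

    warn "New incremental barcode = $nextnum" if DEBUG;
    return $nextnum;
}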
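package C4::Barcodes::ValueBuilder::hbyymmincr;
use strict;
use warnings;
use C4::Context;
use constant DEBUG => 0;

# _js_quote($value) -> $value made safe for a JavaScript string literal
#
# Turns every quote, backslash, newline and HTML-significant character into a
# \xNN escape, so the value can neither terminate the surrounding literal nor
# close an enclosing <script> element.  Digits and letters -- the values this
# builder expects (a MARC tag, a subfield code, a barcode) -- are unchanged.
# undef becomes the empty string.
sub _js_quote {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/([\\'"<>&\r\n])/ sprintf( '\\x%02x', ord $1 ) /ge;
    return $value;
}

# get_barcode($args) -> ($barcode, $javascript)
#
# Builds the next barcode of the form <yy><mm><nnnn>, where yy/mm come from
# $args->{year} (last two characters) and $args->{mon}, and nnnn is one more
# than the highest sequence already used for that year/month.  Also returns
# a JavaScript snippet for the value builder that prefixes the barcode with
# the contents of the field identified by $args->{loctag}/$args->{locsubfield}
# and stores it in the target input when that input is still empty.
#
# Only the current maximum is read; nothing reserves the number, so
# concurrent callers may be handed the same barcode.
sub get_barcode {
    my ($args) = @_;

    # Two-digit year and month exactly as the caller supplies them; both are
    # used verbatim as the barcode prefix, so they are expected to be digits.
    my $year  = substr( $args->{year}, -2 );
    my $month = $args->{mon};

    # Highest existing sequence number (last four characters) among barcodes
    # shaped <letters or '-'><yy><mm>.  The pattern is a bound parameter, so it
    # cannot alter the SQL, but it is still a regular expression: quotemeta()
    # makes any non-digit in $year/$month match literally instead of acting
    # as a REGEXP metacharacter.  Digits are passed through unchanged.
    my $pattern = '^[-a-zA-Z]{1,}' . quotemeta($year) . quotemeta($month);
    my $sth = C4::Context->dbh->prepare(
        "SELECT MAX(CAST(SUBSTRING(barcode,-4) AS signed)) AS number FROM items WHERE barcode REGEXP ?"
    );
    $sth->execute($pattern);

    # MAX() yields one row; NULL (no barcodes yet for this month) starts at 0.
    my ($max) = $sth->fetchrow_array;
    my $nextnum = $max ? $max : 0;

    # Only 9999 items per month fit in the sequence.  After that the counter
    # wraps to 0001, which may collide with a barcode already issued.
    $nextnum = 0 if $nextnum == 9999;
    warn "Existing incremental number = $nextnum" if DEBUG;

    $nextnum++;
    $nextnum = $year . $month . sprintf( "%04d", $nextnum );
    warn "New hbyymmincr Barcode = $nextnum" if DEBUG;

    # Everything interpolated into the script below goes through _js_quote,
    # since the snippet is emitted into the page as-is.
    my $loctag      = _js_quote( $args->{loctag} );
    my $locsubfield = _js_quote( $args->{locsubfield} );
    my $js_barcode  = _js_quote($nextnum);

    my $scr = "
        var form = document.getElementById('f');
        if ( !form ) {
            form = document.getElementById('serials_edit');
        }
        if ( !form ) {
            form = document.getElementById('Aform');
        }
        for (i=0 ; i<form.field_value.length ; i++) {
            if (form.tag[i].value == '$loctag' && form.subfield[i].value == '$locsubfield') {
                fnum = i;
            }
        }
        if (\$('#' + id).val() == '') {
            \$('#' + id).val(form.field_value[fnum].value + '$js_barcode');
        }
        ";

    return $nextnum, $scr;
}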
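package C4::Barcodes::ValueBuilder::annual;
use strict;
use warnings;
use C4::Context;
use constant DEBUG => 0;

# get_barcode($args) -> "<year>-<nnnn>"
#
# Returns the next barcode of the form "<$args->{year}>-<4-digit sequence>",
# where the sequence is one more than the largest sequence number already
# stored for that year (the part of items.barcode after the last '-').
# The sequence starts at 0001 for a year with no barcodes yet.
#
# Only the current maximum is read; nothing reserves the number, so
# concurrent callers may be handed the same barcode.
sub get_barcode {
    my ($args) = @_;
    my $year = $args->{year};

    # The year is a bound parameter, so it cannot change the SQL, but it is
    # still a LIKE pattern: escape the LIKE metacharacters so a year holding
    # '%', '_' or a backslash is matched literally rather than widening the
    # search.  Plain digits are unaffected.
    ( my $like_prefix = $year ) =~ s/([\\%_])/\\$1/g;

    my $sth = C4::Context->dbh->prepare(
        "select max(cast( substring_index(barcode, '-',-1) as signed)) from items where barcode like ?"
    );
    $sth->execute("$like_prefix%");

    # MAX() yields one row; NULL (no barcodes yet for this year) starts at 0.
    my ($max) = $sth->fetchrow_array;
    warn "Examining Record: $max" if DEBUG;
    my $nextnum = $max ? $max : 0;
    $nextnum++;

    my $barcode = sprintf( "%s-%04d", $year, $nextnum );
    warn "New annual barcode = $barcode" if DEBUG;
    return $barcode;
}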
106 =head1 Barcodes::ValueBuilder
108 This module is intended as a shim to ease the eventual transition from
109 having all barcode-related code in the value builder plugin .pl file
110 to using C4::Barcodes. Since the shift will require a rather significant
111 amount of refactoring, this module will return value builder-formatted
112 results, at first by merely running the code that was formerly in the
113 barcodes.pl value builder, but later by using C4::Barcodes.
115 =cut