
Hi Renee,

short question, is that right (u.login = ?...):

    $Self->{DBObject}->Prepare(
        SQL => "SELECT ta.create_by, ta.time_unit, ta.ticket_id, t.customer_id, u.login, t.title
                FROM ticket t, time_accounting ta, users u
                WHERE t.id = ta.ticket_id
                  AND (ta.change_by = u.id
                  AND ( month( ta.change_time ) = $Month AND year( ta.change_time ) = $Year )
                  AND ( t.queue_id IN ( 5, 6, 8, 9, 10, 11, 12 ) )
                  AND ( u.login = ? ) )",
        Bind => [ \$User ],
    );

Regards
Günther

-------- Original Message --------
Date: Wed, 26 Aug 2009 08:31:44 +0200
From: "Renee Bäcker"
To: "User questions and discussions about OTRS."
Subject: Re: [otrs] Stats-Module and problems with @Params

Petrucci wrote:
Hi,

    push (@Params, {
        Frontend => 'User',
        Name     => 'User',
        Multiple => 0,
        Size     => 0,
        Data     => { %UserList, },
    });

and in sub Run():

    my $User = $Param{UserList};

but it fails, cause $User is empty, why?:
Because you said that the select box has the name "User" and not "UserList". You said it with "Name => 'User'".

BTW: You should not use the variable in the SQL statement. Use the Bind mechanism instead, as this will improve security (any special characters are quoted automatically).
Instead of

    $Self->{DBObject}->Prepare( SQL => " ... UserLogin = $User" );

do this:

    $Self->{DBObject}->Prepare( SQL => " ... UserLogin = ?", Bind => [ \$User ], );

Cheers,
Renée
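
Added example, not part of the original thread and not OTRS code: the difference between interpolating and binding the select-box value, shown with plain DBI, which takes bind values directly in the call where the thread's Prepare() takes them in Bind => [ ... ]. It goes one step beyond the thread by binding the month and year as well as the login. Assumptions: DBD::SQLite is installed, the two tables and their rows are constructed sample data, and SQLite's strftime() stands in for month()/year(). For the value containing a quote, the interpolated query returns rows it should not, while the bound query returns none.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;    # assumption: DBD::SQLite is available as the driver

# Constructed sample data in an in-memory database (not the real OTRS schema).
my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 } );
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT)');
$dbh->do('CREATE TABLE time_accounting
          (ticket_id INTEGER, time_unit REAL, change_by INTEGER, change_time TEXT)');
$dbh->do(q{INSERT INTO users VALUES (1, 'alice'), (2, 'bob')});
$dbh->do(q{INSERT INTO time_accounting VALUES
           (100, 1.5, 1, '2009-08-03 10:00:00'),
           (101, 2.0, 2, '2009-08-04 11:00:00'),
           (102, 0.5, 2, '2009-07-30 09:00:00')});

my $select = q{SELECT ta.ticket_id, ta.time_unit, u.login
                 FROM time_accounting ta, users u
                WHERE ta.change_by = u.id
                  AND strftime('%Y-%m', ta.change_time) = };

# "Before": values pasted into the SQL text, so a quote in $user changes the query.
sub report_interpolated {
    my ( $user, $month, $year ) = @_;
    my $ym = sprintf '%04d-%02d', $year, $month;
    return $dbh->selectall_arrayref("$select '$ym' AND u.login = '$user'");
}

# "After": one placeholder per value; the driver passes them as data only.
sub report_bound {
    my ( $user, $month, $year ) = @_;
    # Month and year are numbers by definition, so reject anything else early.
    for ( $month, $year ) { die "not a number: $_\n" unless /\A\d{1,4}\z/ }
    my $ym = sprintf '%04d-%02d', $year, $month;
    return $dbh->selectall_arrayref( "$select ? AND u.login = ?", undef, $ym, $user );
}

# Constructed select-box values: a normal login and one containing a quote.
for my $user ( 'bob', q{x' OR '1'='1} ) {
    printf "%-16s interpolated=%d rows, bound=%d rows\n", $user,
        scalar @{ report_interpolated( $user, 8, 2009 ) },
        scalar @{ report_bound( $user, 8, 2009 ) };
}
```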