From 2775752a41f462bc1159b242353e3504e0dd6b4f Mon Sep 17 00:00:00 2001
From: Isaac Connor <iconnor@pseudo.connortechnology.com>
Date: Fri, 6 Dec 2013 16:46:21 -0500
Subject: [PATCH] use proper DBI parameter passing to improve security remark
 out call to zmupdate.pl -f

---
 scripts/zmpkg.pl.in | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/zmpkg.pl.in b/scripts/zmpkg.pl.in
index 1158a1a29..25488636f 100644
--- a/scripts/zmpkg.pl.in
+++ b/scripts/zmpkg.pl.in
@@ -57,9 +57,9 @@ if ( !$command || $command !~ /^(?:start|stop|restart|status|logrot)$/ )
 	if ( $command )
 	{
 		# Check to see if it's a valid run state
-		my $sql = "select * from States where Name = '$command'";
+		my $sql = 'select * from States where Name = ?';
 		my $sth = $dbh->prepare_cached( $sql ) or Fatal( "Can't prepare '$sql': ".$dbh->errstr() );
-		my $res = $sth->execute() or Fatal( "Can't execute: ".$sth->errstr() );
+		my $res = $sth->execute( $command ) or Fatal( "Can't execute: ".$sth->errstr() );
 		if ( $state = $sth->fetchrow_hashref() )
 		{
 			$state->{Name} = $command;
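Review bot: The bound-parameter form on the new line 20/23 is the right fix here, because the enclosing `if` (header on line 15) only reaches this block when `$command` is not one of the built-in run states, so it is an arbitrary caller-supplied name and must never be interpolated into SQL; note the Fatal message on line 21 is now also safe to interpolate since `$sql` carries no user data. What the hunk still leaves open is that `prepare_cached` returns a handle that stays Active after a single `fetchrow_hashref`, and DBI warns when a cached handle is reused while Active; add `$sth->finish();` once the row (or undef) has been fetched. The surrounding `if ( $state = ... )` body and the outer `if ( $command )` block continue past the end of the hunk, so the right spot for the `finish` may be just after that block.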
@@ -138,7 +138,7 @@ if ( $command =~ /^(?:stop|restart)$/ )
 	}
 }
 
-runCommand( "zmupdate.pl -f" );
+#runCommand( "zmupdate.pl -f" );
 
 if ( $command =~ /^(?:start|restart)$/ )
 {
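Review bot: The commented-out `#runCommand( "zmupdate.pl -f" );` on line 32 leaves dead code with no explanation of why the forced update is skipped, which a later maintainer cannot distinguish from an accidental disablement. Either delete the line outright (the history keeps it) or replace it with a comment stating the reason, e.g. `# zmupdate.pl -f is deliberately not run on start: <reason>`. If the intent is that schema updates are to be applied by another path, naming that path in the comment would make the decision reviewable.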