**Description:** When searching for a publisher in the Publisher table, the publisher name search string that includes quotes has the quotes replaced twice in the SQL query—once in uploadComplete.php and once in Publisher.php.

**Details:**

Publisher.php:

```php
public function getByName($publisherName){
    // The caller (uploadComplete.php) has already applied str_replace("'", "''", ...) to $publisherName
    $query = "select publisherID from Publisher where upper(name) = upper('" . str_replace("'","''", $publisherName) . "') LIMIT 1;";
```

**Issue:** This double replacement of quotes causes publisher names that include quotes to never match an existing entry in the Publisher table, resulting in duplicate rows being created.

**Suggested Solution:** Remove one of the `str_replace` calls. Additionally, consider using prepared statements to avoid these replacements and improve security.
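The following is an added, self-contained example (not code from the project or the issue author) that reproduces the mismatch described above and shows the prepared-statement version of the lookup. It uses an in-memory SQLite database through PDO; the `Publisher` table and its `publisherID`/`name` columns follow the issue text, while the helper names (`escapeOnce`, `getByNameDoubleEscaped`, `getByNamePrepared`) and the sample publisher name are constructed for the demonstration.

```php
<?php
// Added example: demonstrates why a name escaped twice never matches,
// and how a bound parameter removes the need for manual escaping.
// Schema and sample row are constructed for this example.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE Publisher (publisherID INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT)");
$pdo->exec("INSERT INTO Publisher (name) VALUES ('O''Reilly Media')");

// First escaping step, as a caller like uploadComplete.php would do it.
function escapeOnce(string $name): string {
    return str_replace("'", "''", $name);
}

// Lookup that escapes again, mirroring the getByName() in the issue.
// With an already-escaped input the SQL literal becomes 'O''''Reilly Media',
// which the database reads as the string O''Reilly Media (two quote characters),
// so the stored row O'Reilly Media is never found.
function getByNameDoubleEscaped(PDO $pdo, string $name): ?int {
    $query = "select publisherID from Publisher where upper(name) = upper('"
        . str_replace("'", "''", $name) . "') LIMIT 1;";
    $row = $pdo->query($query)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['publisherID'] : null;
}

// Prepared-statement version: the raw value is bound by the driver, so no
// str_replace is needed in either the caller or the lookup.
function getByNamePrepared(PDO $pdo, string $name): ?int {
    $stmt = $pdo->prepare(
        "SELECT publisherID FROM Publisher WHERE upper(name) = upper(:name) LIMIT 1"
    );
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['publisherID'] : null;
}

$input = "O'Reilly Media";

// Double escaping (caller + lookup): no match, so the caller would insert a duplicate.
var_dump(getByNameDoubleEscaped($pdo, escapeOnce($input))); // NULL

// Single escaping (one str_replace removed, raw name passed in): match.
var_dump(getByNameDoubleEscaped($pdo, $input));             // int(1)

// Prepared statement with the raw name: match, and no escaping logic to get wrong.
var_dump(getByNamePrepared($pdo, $input));                  // int(1)
```

The middle call shows the minimal fix from the issue (dropping one `str_replace`); the last call shows the recommended one. Note that with bound parameters the caller must also stop escaping, otherwise the stored value itself would contain doubled quotes.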