From d2af63dcf5c43009390fcd14120c92ea9e4e0eeb Mon Sep 17 00:00:00 2001
From: Prasad <prasad@vtiger.com>
Date: Fri, 3 May 2024 18:56:52 +0530
Subject: [PATCH] Fixed building pquery or vtws_query for mail lookup with
 searchTerm

---
 .../modules/MailManager/MailManager.php         | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/pkg/vtiger/modules/MailManager/modules/MailManager/MailManager.php b/pkg/vtiger/modules/MailManager/modules/MailManager/MailManager.php
index 6c59266f4..857b0224f 100644
--- a/pkg/vtiger/modules/MailManager/modules/MailManager/MailManager.php
+++ b/pkg/vtiger/modules/MailManager/modules/MailManager/MailManager.php
@@ -35,21 +35,24 @@ class MailManager {
 			$searchFieldList = array_merge($referenceModuleEmailFields, $referenceModuleEntityFieldsArray);
 			if(!empty($searchFieldList) && !empty($referenceModuleEmailFields)) {
 				$searchFieldListString = implode(',', $referenceModuleEmailFields);
-				$where = null;
+				$where = "";
+				$params = array();
 				for($i=0; $i<php7_count($searchFieldList); $i++) {
 					if($i == php7_count($searchFieldList) - 1) {
-						$where .= sprintf($searchFieldList[$i]." like '%s'", $searchTerm);
+						$where .= ($searchFieldList[$i]." like '%s'");
+						$params[] = $searchTerm;
 					} else {
-						$where .= sprintf($searchFieldList[$i]." like '%s' or ", $searchTerm);
+						$where .= ($searchFieldList[$i]." like '%s' or ");
+						$params[] = $searchTerm;
 					}
 				}
-				if(!empty($where)) $where = "WHERE $where";
 				if($referenceModule == 'Users' && !is_admin($user)){
 					//Have to do seperate query since webservices will throw permission denied for users module for non admin users
 					global $adb;
+					if(!empty($where)) $where = "WHERE " . (str_replace("'%s'", '?', $where)); // query placeholders
 					$where .= " AND vtiger_users.status='Active'";
 					$query = "select $searchFieldListString,id from vtiger_users $where";
-					$dbResult = $adb->pquery($query,array());
+					$dbResult = $adb->pquery($query, $params);
 					$num_rows = $adb->num_rows($dbResult);
 					$result = array();
 					for($i=0;$i<$num_rows;$i++) {
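Review bot: The rebuilt `$where` still chains the `like` terms with bare `or` and then appends ` AND vtiger_users.status='Active'` on the next line, so the status filter binds only to the last `or` term and inactive users that match any earlier search field are still returned by the Users lookup. Group the search predicate when it is promoted to a WHERE clause: `if(!empty($where)) $where = "WHERE (" . str_replace("'%s'", '?', $where) . ")";`. The loop above builds the same `or` chain with a last-index special case; `implode(' or ', ...)` over the field list would make the grouping obvious and let this branch emit `?` placeholders directly instead of rewriting `'%s'` afterwards. The enclosing method begins above the hunk.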
@@ -60,6 +63,10 @@ class MailManager {
 						$result[] = $row;
 					}
 				}else{
+					if(!empty($where)) {
+						array_unshift($params, $where);
+						$where = "WHERE " . call_user_func_array("sprintf", $params); // webservice query strings
+					}
 					$result = vtws_query("select $searchFieldListString from $referenceModule $where;", $user);
 				}
 
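Review bot: In the webservice branch `$searchTerm` is still formatted into the query string verbatim by the `sprintf` call, so a term containing a single quote closes the `'%s'` literal and the remainder becomes part of the vtws query text; the pquery branch in the first hunk was moved to bound parameters but this one was not. Escape each parameter for the webservice query syntax before it is spliced in, e.g. `$params = array_map('addslashes', $params);` ahead of the `array_unshift` (confirm that backslash-escaped quotes are what the vtws query parser expects). `call_user_func_array("sprintf", $params)` can be the plain `sprintf(...$params)`, since the `php7_count` helper suggests the file already targets a PHP version with argument unpacking. The enclosing method continues outside the hunk on both sides.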
-- 
GitLab