Preventing SQL Injections

617238b1 · Uma · 4efd0c15 · 617238b1 · 617238b1 · 617238b1
Commit 617238b1 authored 5 years ago by Uma
--- a/cron/intimateTaskStatus.php
+++ b/cron/intimateTaskStatus.php
@@ -39,7 +39,7 @@ if($activevalue[0] == 1)

 	//get all those activities where the status is not completed even after the passing of 24 hours
 	$today = date("Ymd"); 
-	$result = $adb->pquery("select vtiger_activity.status,vtiger_activity.activityid,subject,(vtiger_activity.date_start +1),vtiger_crmentity.smownerid from vtiger_activity inner join vtiger_crmentity on vtiger_crmentity.crmid=vtiger_activity.activityid where vtiger_crmentity.deleted=0 and vtiger_activity.status <> 'Completed' and activitytype='Task' and ".$today." > (vtiger_activity.date_start+1)", array());
+	$result = $adb->pquery("select vtiger_activity.status,vtiger_activity.activityid,subject,(vtiger_activity.date_start +1),vtiger_crmentity.smownerid from vtiger_activity inner join vtiger_crmentity on vtiger_crmentity.crmid=vtiger_activity.activityid where vtiger_crmentity.deleted=0 and vtiger_activity.status <> 'Completed' and activitytype='Task' and ? > (vtiger_activity.date_start+1)", array($today));

 	while ($myrow = $adb->fetch_array($result))
 	{

--- a/cron/modules/SalesOrder/RecurringInvoice.service
+++ b/cron/modules/SalesOrder/RecurringInvoice.service
@@ -22,8 +22,8 @@ $sql="SELECT vtiger_salesorder.salesorderid, recurring_frequency, start_period,
 		 payment_duration, invoice_status FROM vtiger_salesorder
 		 INNER JOIN vtiger_crmentity ON vtiger_salesorder.salesorderid = vtiger_crmentity.crmid AND vtiger_crmentity.deleted = 0
 		 INNER JOIN vtiger_invoice_recurring_info ON vtiger_salesorder.salesorderid = vtiger_invoice_recurring_info.salesorderid
-		 WHERE DATE_FORMAT(start_period,'%Y-%m-%d') <= '$currentDate' AND DATE_FORMAT(end_period,'%Y-%m-%d') >= '$currentDate'";
-$result = $adb->pquery($sql, array());
+		 WHERE DATE_FORMAT(start_period,'%Y-%m-%d') <= ? AND DATE_FORMAT(end_period,'%Y-%m-%d') >= ?";
+$result = $adb->pquery($sql, array($currentDate, $currentDate));
 $no_of_salesorder = $adb->num_rows($result);

 for($i=0; $i<$no_of_salesorder;$i++) {

--- a/data/CRMEntity.php
+++ b/data/CRMEntity.php
@@ -367,7 +367,8 @@ class CRMEntity {
 		$log->info("function insertIntoEntityTable " . $module . ' vtiger_table name ' . $table_name);
 		global $adb;
 		$insertion_mode = $this->mode;
-
+        $table_name = Vtiger_Util_Helper::validateStringForSql($table_name);
+        
 		//Checkin whether an entry is already is present in the vtiger_table to update
 		if ($insertion_mode == 'edit') {
 			$tablekey = $this->tab_name_index[$table_name];
@@ -726,6 +727,7 @@ class CRMEntity {
 	 */
 	function deleteRelation($table_name) {
 		global $adb;
+        $table_name = Vtiger_Util_Helper::validateStringForSql($table_name);
 		$check_query = "select * from $table_name where " . $this->tab_name_index[$table_name] . "=?";
 		$check_result = $adb->pquery($check_query, array($this->id));
 		$num_rows = $adb->num_rows($check_result);
@@ -1094,6 +1096,7 @@ class CRMEntity {
 	 */
 	function checkIfCustomTableExists($tablename) {
 		global $adb;
+        $table_name = Vtiger_Util_Helper::validateStringForSql($table_name);
 		$query = "select * from " . $adb->sql_escape_string($tablename);
 		$result = $this->db->pquery($query, array());
 		$testrow = $this->db->num_fields($result);
@@ -1541,6 +1544,8 @@ class CRMEntity {
 	/* Function to check if the mod number already exits */
 	function checkModuleSeqNumber($table, $column, $no) {
 		global $adb;
+        $table = Vtiger_Util_Helper::validateStringForSql($table);
+        $column = Vtiger_Util_Helper::validateStringForSql($column);
 		$result = $adb->pquery("select " . $adb->sql_escape_string($column) .
 				" from " . $adb->sql_escape_string($table) .
 				" where " . $adb->sql_escape_string($column) . " = ?", array($no));
@@ -1577,8 +1582,8 @@ class CRMEntity {
 			$fld_column = $adb->query_result($fieldinfo, 0, 'columnname');

 			if ($fld_table == $this->table_name) {
-				$records = $adb->query("SELECT $this->table_index AS recordid FROM $this->table_name " .
-						"WHERE $fld_column = '' OR $fld_column is NULL");
+				$records = $adb->pquery("SELECT $this->table_index AS recordid FROM $this->table_name " .
+						"WHERE $fld_column = '' OR $fld_column is NULL", array());

 				if ($records && $adb->num_rows($records)) {
 					$returninfo['totalrecords'] = $adb->num_rows($records);
@@ -2722,6 +2727,7 @@ class CRMEntity {
 			$module = getTabModuleName($tabId);
 		}
 		$query = $this->getNonAdminAccessQuery($module, $user, $parentRole, $userGroups);
+        $tableName = Vtiger_Util_Helper::validateStringForSql($tableName);
 		$query = "create temporary table IF NOT EXISTS $tableName(id int(11) primary key) ignore " .
 				$query;
 		$db = PearDatabase::getInstance();

--- a/include/PopulateComboValues.php
+++ b/include/PopulateComboValues.php
@@ -31,6 +31,7 @@ class PopulateComboValues
 	function insertComboValues($values, $tableName,$picklistid)
 	{
 		global $log;
+        $tableName = Vtiger_Util_Helper::validateStringForSql($tableName);
 		$log->debug("Entering insertComboValues(".$values.", ".$tableName.") method ...");
 		global $adb;
 		//inserting the value in the vtiger_picklistvalues_seq for the getting uniqueID for each picklist values...
@@ -81,7 +82,7 @@ class PopulateComboValues
 				
 		global $app_list_strings,$adb;
 		global $combo_strings;
-		$comboRes = $adb->query("SELECT distinct fieldname FROM vtiger_field WHERE uitype IN ('15') OR fieldname = 'salutationtype' and vtiger_field.presence in (0,2)");
+		$comboRes = $adb->pquery("SELECT distinct fieldname FROM vtiger_field WHERE uitype IN ('15') OR fieldname = 'salutationtype' and vtiger_field.presence in (0,2)", array());
 		$noOfCombos = $adb->num_rows($comboRes);
 		for($i=0; $i<$noOfCombos; $i++)
 		{
@@ -124,7 +125,7 @@ class PopulateComboValues
 		global $app_list_strings,$adb;
 		global $combo_strings;
 		// uitype -> 16 - Non standard picklist, 115 - User status, 83 - Tax Class
-		$comboRes = $adb->query("SELECT distinct fieldname FROM vtiger_field WHERE uitype IN ('16','115','83') AND fieldname NOT IN ('hdnTaxType','email_flag') and vtiger_field.presence in (0,2)");
+		$comboRes = $adb->pquery("SELECT distinct fieldname FROM vtiger_field WHERE uitype IN ('16','115','83') AND fieldname NOT IN ('hdnTaxType','email_flag') and vtiger_field.presence in (0,2)", array());
 		$noOfCombos = $adb->num_rows($comboRes);
 		for($i=0; $i<$noOfCombos; $i++)
 		{

--- a/include/Webservices/Custom/VtigerCompanyDetails.php
+++ b/include/Webservices/Custom/VtigerCompanyDetails.php
@@ -17,6 +17,7 @@ require_once 'include/Webservices/VtigerActorOperation.php';
 class VtigerCompanyDetails extends VtigerActorOperation {
 	public function create($elementType, $element) {
 		$db = PearDatabase::getInstance();
+        $params = array();
 		$sql = 'select * from vtiger_organizationdetails';
 		$result = $db->pquery($sql,$params);
 		$rowCount = $db->num_rows($result);