Commit c22d5ba0 authored by Uma's avatar Uma

Query parametirization

parent 617238b1
......@@ -855,15 +855,15 @@ function vtws_transferOwnership($ownerId, $newOwnerId, $delete=true) {
$sql = "UPDATE $row->tablename set $row->columnname=? WHERE $row->columnname=? AND setype<>?";
$db->pquery($sql, array($newOwnerId, $ownerId, 'ModComments'));
} elseif ($row->tablename == 'vtiger_users' && $row->columnname == 'reports_to_id') {
$sql = "UPDATE $row->tablename SET $row->columnname = CASE WHEN id=$newOwnerId THEN ? ELSE ? END WHERE $row->columnname=?";
$db->pquery($sql, array('', $newOwnerId, $ownerId));
$sql = "UPDATE $row->tablename SET $row->columnname = CASE WHEN id=? THEN ? ELSE ? END WHERE $row->columnname=?";
$db->pquery($sql, array($newOwnerId, '', $newOwnerId, $ownerId));
} else {
$sql = "UPDATE $row->tablename SET $row->columnname=? WHERE $row->columnname=?";
$db->pquery($sql, array($newOwnerId, $ownerId));
}
}
}
//update webforms assigned userid
$db->pquery("UPDATE vtiger_webforms SET ownerid = ? WHERE ownerid = ?", array($newOwnerId, $ownerId));
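Review bot: The owner-id values are now bound, but `$row->tablename` and `$row->columnname` on L13, L18 and L21 are still interpolated into the SQL text, and identifiers cannot be bound as parameters, so the safety of these statements rests entirely on where `$row` comes from — presumably the field-metadata query above the hunk, which is not visible here and should be confirmed. The hunk should say so for the next reader, e.g. `// $row->tablename / $row->columnname are identifiers and cannot be bound; they must come from trusted field metadata, never from request input`. vtws_transferOwnership starts and ends outside the hunk.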
......
......@@ -942,6 +942,7 @@ function getInventoryProductTaxValue($id, $productId, $taxName, $lineItemId = 0)
global $log, $adb;
$log->debug("Entering into function getInventoryProductTaxValue($id, $productId, $taxName, $lineItemId).");
$taxName = Vtiger_Util_Helper::validateStringForSql($taxName);
$query = "SELECT $taxName FROM vtiger_inventoryproductrel WHERE id = ? AND productid = ?";
$params = array($id, $productId);
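Review bot: After the added validation on L32, `$taxName` is still spliced into the SELECT list on L33 as a column identifier, so the protection is only as strong as whatever `Vtiger_Util_Helper::validateStringForSql` rejects, which the hunk does not show. For an identifier, an allow-list check against the known tax columns of `vtiger_inventoryproductrel` would be a tighter guard than string validation, and the line deserves a comment explaining why the value cannot simply be bound, e.g. `// column name: identifiers cannot be bound as parameters, hence validated rather than parameterised`. The function body continues outside the hunk.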
......@@ -971,6 +972,7 @@ function getInventorySHTaxPercent($id, $taxname)
global $log, $adb;
$log->debug("Entering into function getInventorySHTaxPercent($id, $taxname)");
$taxName = Vtiger_Util_Helper::validateStringForSql($taxName);
$res = $adb->pquery("select $taxname from vtiger_inventoryshippingrel where id= ?", array($id));
$taxpercentage = $adb->query_result($res,0,$taxname);
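Review bot: The added line L38 assigns to `$taxName`, but this function's parameter and the query on L39 use `$taxname` — PHP variable names are case-sensitive, so the validated value is never used, the unvalidated `$taxname` still reaches the interpolated column name, and `$taxName` on the right-hand side is an undefined variable. Change the line to `$taxname = Vtiger_Util_Helper::validateStringForSql($taxname);` so the query on L39 actually reads the validated value. getInventorySHTaxPercent's body continues outside the hunk.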
......
......@@ -158,6 +158,7 @@ class Accounts_Module_Model extends Vtiger_Module_Model {
$focus->id = $recordId;
$entityIds = $focus->getRelatedContactsIds();
$entityIds = implode(',', $entityIds);
$params = array();
$query = "SELECT DISTINCT vtiger_crmentity.crmid, (CASE WHEN (crmentity2.crmid not like '') THEN crmentity2.crmid ELSE crmentity3.crmid END) AS parent_id,
(CASE WHEN (crmentity2.setype not like '') then crmentity2.setype ELSE crmentity3.setype END) AS crmentity2module, vtiger_crmentity.smownerid, vtiger_crmentity.setype, vtiger_activity.* FROM vtiger_activity
......@@ -184,18 +185,21 @@ class Accounts_Module_Model extends Vtiger_Module_Model {
}
if ($mode === 'upcoming') {
$query .= " AND CASE WHEN vtiger_activity.activitytype='Task' THEN due_date >= '$currentDate' ELSE CONCAT(due_date,' ',time_end) >= '$nowInDBFormat' END";
$query .= " AND CASE WHEN vtiger_activity.activitytype='Task' THEN due_date >= ? ELSE CONCAT(due_date,' ',time_end) >= ? END";
$params[] = $currentDate;
$params[] = $nowInDBFormat;
} elseif ($mode === 'overdue') {
$query .= " AND CASE WHEN vtiger_activity.activitytype='Task' THEN due_date < '$currentDate' ELSE CONCAT(due_date,' ',time_end) < '$nowInDBFormat' END";
$query .= " AND CASE WHEN vtiger_activity.activitytype='Task' THEN due_date < ? ELSE CONCAT(due_date,' ',time_end) < ? END";
$params[] = $currentDate;
$params[] = $nowInDBFormat;
}
$params = array();
if ($recordId) {
$query .= " AND (vtiger_seactivityrel.crmid = ?";
array_push($params, $recordId);
if ($entityIds) {
$query .= " OR vtiger_cntactivityrel.contactid IN (" . $entityIds . "))";
$query .= " OR vtiger_cntactivityrel.contactid IN (" . generateQuestionMarks($entityIds) . "))";
array_push($params, $entityIds);
} else {
$query .= ")";
}
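Review bot: The new `IN (...)` clause on L68–L69 binds `$entityIds` as a single parameter, but L45 (context in the preceding hunk) has already turned that list into a comma-joined string, so `generateQuestionMarks` receives a string rather than an array and, assuming it emits one placeholder per array element, the clause becomes something like `contactid IN ('1,2,3')` (constructed example), which no longer matches every related contact. Keep the ids as a list for binding: `$entityIdList = explode(',', $entityIds);`, `$query .= " OR vtiger_cntactivityrel.contactid IN (" . generateQuestionMarks($entityIdList) . "))";`, `$params = array_merge($params, $entityIdList);` — or drop the implode on L45 and bind the original array directly. The enclosing method starts and ends outside the hunk.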
......