From 369f87768ad0e2b5680277b274677c86efd621a5 Mon Sep 17 00:00:00 2001
From: Uma S <uma.s@vtiger.com>
Date: Thu, 8 Aug 2019 16:37:49 +0530
Subject: [PATCH] Sql injection on email templates has been addressed

---
 .../EmailTemplates/models/ListView.php        | 27 ++++++++++++-------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/pkg/vtiger/modules/EmailTemplates/modules/EmailTemplates/models/ListView.php b/pkg/vtiger/modules/EmailTemplates/modules/EmailTemplates/models/ListView.php
index a039ab10d..99a383040 100644
--- a/pkg/vtiger/modules/EmailTemplates/modules/EmailTemplates/models/ListView.php
+++ b/pkg/vtiger/modules/EmailTemplates/modules/EmailTemplates/models/ListView.php
@@ -97,26 +97,35 @@ class EmailTemplates_ListView_Model extends Vtiger_ListView_Model {
 		$searchKey = $this->get('search_key');
 		$searchValue = $this->get('search_value');
 
-		$whereQuery .= ' WHERE ';
-		if(!empty($searchKey) && !empty($searchValue)) {
-			$whereQuery .= "$searchKey LIKE '$searchValue%' AND ";
-		}
+		$params = array();
+ 		if(!empty($searchKey) && !empty($searchValue)) {
+			$whereQuery .= " WHERE ? LIKE ? AND ";
+			$params[] = $searchKey;
+			$params[] = "%".$searchValue."%";
+ 		} else {
+ 			$whereQuery .= " WHERE ";
+ 		}
 
 		//module should be enabled or module should be empty then allow
-		$moduleActiveCheck = '(vtiger_tab.presence IN (0,2) OR vtiger_emailtemplates.module IS null OR vtiger_emailtemplates.module = "")';
+		$moduleActiveCheck = '(vtiger_tab.presence IN (0,2) OR vtiger_emailtemplates.module IS NULL OR vtiger_emailtemplates.module = "")';
 		$listQuery .= $whereQuery. $moduleActiveCheck;
 		//To retrieve only selected module records
 		if ($sourceModule) {
-			$listQuery .= " AND vtiger_emailtemplates.module = '".$sourceModule."'";
+			$listQuery .= " AND vtiger_emailtemplates.module = ?";
+			$params[] = $sourceModule;
 		}
 
 		if ($orderBy) {
-			$listQuery .= " ORDER BY $orderBy $sortOrder";
+			$listQuery .= " ORDER BY ? ?";
+			$params[] = $orderBy;
+			$params[] = $sortOrder;
 		} else {
 			$listQuery .= " ORDER BY templateid DESC";
 		}
-		$listQuery .= " LIMIT $startIndex,".($pageLimit+1);
-		$result = $db->pquery($listQuery, array());
+		$listQuery .= " LIMIT ?,?";
+		$params[] = $startIndex;
+		$params[] = $pageLimit + 1;
+		$result = $db->pquery($listQuery, $params);
 		$num_rows = $db->num_rows($result);
 
 		$listViewRecordModels = array();
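Review bot: Binding `$searchKey`, `$orderBy` and `$sortOrder` as parameters (the `WHERE ? LIKE ? AND` line and `ORDER BY ? ?`) closes the injection but silently breaks the feature, because a bound parameter is a quoted value, not an identifier: the search becomes a comparison of two string constants and the ORDER BY sorts by a constant, so the list is no longer filtered or ordered by the requested column. Identifiers have to be checked against an allow-list of the module's columns and interpolated, with only `$searchValue`, `$sourceModule` and the LIMIT values bound; `$sortOrder` should be reduced to `ASC`/`DESC` and the LIMIT values cast to int (if `pquery` quotes every bound value, `LIMIT ?,?` also needs checking, since `LIMIT '0','21'` is rejected by MySQL). The hunk also changes the search from a prefix match `'$searchValue%'` to a substring match `%value%` without the commit message saying so, and the added `if`/`else`/`}` lines of the search block carry a stray space before the tab. The enclosing method starts and ends outside the hunk, so where `$orderBy`, `$sortOrder`, `$startIndex` and `$pageLimit` are derived is not visible here.
```php
// … unchanged: $searchKey / $searchValue / $params = array() …
// Column names cannot be bound: a placeholder becomes a quoted value, so
// `? LIKE ?` compares two constants. Allow-list the identifier, bind the value.
$allowedColumns = array(/* TODO(review): the searchable/sortable columns this list exposes */);
if (!empty($searchKey) && !empty($searchValue) && in_array($searchKey, $allowedColumns, true)) {
	$whereQuery .= " WHERE $searchKey LIKE ? AND ";
	$params[] = "%".$searchValue."%";
} else {
	$whereQuery .= " WHERE ";
}
// … unchanged: $moduleActiveCheck and the $sourceModule filter …
// Same rule for ORDER BY: interpolate only an allow-listed column and a
// normalised direction; fall back to the default ordering otherwise.
if ($orderBy && in_array($orderBy, $allowedColumns, true)) {
	$sortOrder = (strtoupper((string) $sortOrder) === 'DESC') ? 'DESC' : 'ASC';
	$listQuery .= " ORDER BY $orderBy $sortOrder";
} else {
	$listQuery .= " ORDER BY templateid DESC";
}
// LIMIT operands are integers; cast so a quoted or non-numeric value cannot reach the driver.
$listQuery .= " LIMIT ?,?";
$params[] = (int) $startIndex;
$params[] = (int) $pageLimit + 1;
$result = $db->pquery($listQuery, $params);
```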
-- 
GitLab