From 617238b1add21c13795f75fc4b2d56b375e22df9 Mon Sep 17 00:00:00 2001
From: Uma <uma.s@vtiger.com>
Date: Fri, 6 Sep 2019 18:25:21 +0530
Subject: [PATCH] Preventing SQL Injections
---
 cron/intimateTaskStatus.php | 2 +-
 cron/modules/SalesOrder/RecurringInvoice.service | 4 ++--
 data/CRMEntity.php | 12 +++++++++---
 include/PopulateComboValues.php | 5 +++--
 include/Webservices/Custom/VtigerCompanyDetails.php | 1 +
 5 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/cron/intimateTaskStatus.php b/cron/intimateTaskStatus.php
index 0e7252d9d..7cb6730e2 100755
--- a/cron/intimateTaskStatus.php
+++ b/cron/intimateTaskStatus.php
@@ -39,7 +39,7 @@ if($activevalue[0] == 1)
 //get all those activities where the status is not completed even after the passing of 24 hours
 $today = date("Ymd");
- $result = $adb->pquery("select vtiger_activity.status,vtiger_activity.activityid,subject,(vtiger_activity.date_start +1),vtiger_crmentity.smownerid from vtiger_activity inner join vtiger_crmentity on vtiger_crmentity.crmid=vtiger_activity.activityid where vtiger_crmentity.deleted=0 and vtiger_activity.status <> 'Completed' and activitytype='Task' and ".$today." > (vtiger_activity.date_start+1)", array());
+ $result = $adb->pquery("select vtiger_activity.status,vtiger_activity.activityid,subject,(vtiger_activity.date_start +1),vtiger_crmentity.smownerid from vtiger_activity inner join vtiger_crmentity on vtiger_crmentity.crmid=vtiger_activity.activityid where vtiger_crmentity.deleted=0 and vtiger_activity.status <> 'Completed' and activitytype='Task' and ? > (vtiger_activity.date_start+1)", array($today));
 while ($myrow = $adb->fetch_array($result)) {
diff --git a/cron/modules/SalesOrder/RecurringInvoice.service b/cron/modules/SalesOrder/RecurringInvoice.service
index 422d75d32..ccb87f5b5 100644
--- a/cron/modules/SalesOrder/RecurringInvoice.service
+++ b/cron/modules/SalesOrder/RecurringInvoice.service
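Review bot: Binding `$today` keeps the old comparison `? > (vtiger_activity.date_start+1)`, which in MySQL adds an integer 1 to a DATE treated as YYYYMMDD rather than moving to the next calendar day, so a month-end date_start is compared against a value that is not a real date. Since `$today` comes from `date("Ymd")` on the server, the injection exposure on this line was nil either way; while the line is being touched, comparing real dates would be cleaner, e.g. `$today = date("Y-m-d");` and `... and ? > DATE_ADD(vtiger_activity.date_start, INTERVAL 1 DAY)`. The enclosing `if($activevalue[0] == 1)` block begins outside the hunk.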
@@ -22,8 +22,8 @@ $sql="SELECT vtiger_salesorder.salesorderid, recurring_frequency, start_period, payment_duration, invoice_status FROM vtiger_salesorder INNER JOIN vtiger_crmentity ON vtiger_salesorder.salesorderid = vtiger_crmentity.crmid AND vtiger_crmentity.deleted = 0 INNER JOIN vtiger_invoice_recurring_info ON vtiger_salesorder.salesorderid = vtiger_invoice_recurring_info.salesorderid
- WHERE DATE_FORMAT(start_period,'%Y-%m-%d') <= '$currentDate' AND DATE_FORMAT(end_period,'%Y-%m-%d') >= '$currentDate'";
-$result = $adb->pquery($sql, array());
+ WHERE DATE_FORMAT(start_period,'%Y-%m-%d') <= ? AND DATE_FORMAT(end_period,'%Y-%m-%d') >= ?";
+$result = $adb->pquery($sql, array($currentDate, $currentDate));
 $no_of_salesorder = $adb->num_rows($result);
 for($i=0; $i<$no_of_salesorder;$i++) {
diff --git a/data/CRMEntity.php b/data/CRMEntity.php
index 5ad321e65..0cea66f72 100644
--- a/data/CRMEntity.php
+++ b/data/CRMEntity.php
@@ -367,7 +367,8 @@ class CRMEntity {
 $log->info("function insertIntoEntityTable " . $module . ' vtiger_table name ' . $table_name);
 global $adb;
 $insertion_mode = $this->mode;
-
+ $table_name = Vtiger_Util_Helper::validateStringForSql($table_name);
+
 //Checkin whether an entry is already is present in the vtiger_table to update
 if ($insertion_mode == 'edit') {
 $tablekey = $this->tab_name_index[$table_name];
@@ -726,6 +727,7 @@ class CRMEntity {
 */
 function deleteRelation($table_name) {
 global $adb;
+ $table_name = Vtiger_Util_Helper::validateStringForSql($table_name);
 $check_query = "select * from $table_name where " . $this->tab_name_index[$table_name] . "=?";
 $check_result = $adb->pquery($check_query, array($this->id));
 $num_rows = $adb->num_rows($check_result);
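Review bot: The new `Vtiger_Util_Helper::validateStringForSql($table_name)` call in insertIntoEntityTable is a sanitiser whose contract is not visible in this hunk; if it returns a cleaned string rather than rejecting bad input, an unexpected table name is silently rewritten and then used as the key into `$this->tab_name_index[$table_name]`, where a miss presumably yields null and still flows into the query built further down. Because every legitimate table name here must already be a key of `tab_name_index`, an allow-list check is the clearer contract, e.g. `if (!array_key_exists($table_name, $this->tab_name_index)) { throw new Exception("Unknown entity table: $table_name"); }` ahead of the sanitiser. The same pattern is added in deleteRelation (hunk @@ -726), checkModuleSeqNumber (@@ -1541), the temporary-table hunk (@@ -2722) and PopulateComboValues::insertComboValues (@@ -31), which likewise rely on the sanitiser alone for identifiers that are interpolated into SQL. insertIntoEntityTable starts and ends outside this hunk.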
@@ -1094,6 +1096,7 @@ class CRMEntity {
 */
 function checkIfCustomTableExists($tablename) {
 global $adb;
+ $table_name = Vtiger_Util_Helper::validateStringForSql($table_name);
 $query = "select * from " . $adb->sql_escape_string($tablename);
 $result = $this->db->pquery($query, array());
 $testrow = $this->db->num_fields($result);
@@ -1541,6 +1544,8 @@ class CRMEntity {
 /* Function to check if the mod number already exits */
 function checkModuleSeqNumber($table, $column, $no) {
 global $adb;
+ $table = Vtiger_Util_Helper::validateStringForSql($table);
+ $column = Vtiger_Util_Helper::validateStringForSql($column);
 $result = $adb->pquery("select " . $adb->sql_escape_string($column) . " from " . $adb->sql_escape_string($table) . " where " . $adb->sql_escape_string($column) . " = ?", array($no));
@@ -1577,8 +1582,8 @@ class CRMEntity {
 $fld_column = $adb->query_result($fieldinfo, 0, 'columnname');
 if ($fld_table == $this->table_name) {
- $records = $adb->query("SELECT $this->table_index AS recordid FROM $this->table_name " .
- "WHERE $fld_column = '' OR $fld_column is NULL");
+ $records = $adb->pquery("SELECT $this->table_index AS recordid FROM $this->table_name " .
+ "WHERE $fld_column = '' OR $fld_column is NULL", array());
 if ($records && $adb->num_rows($records)) {
 $returninfo['totalrecords'] = $adb->num_rows($records);
@@ -2722,6 +2727,7 @@ class CRMEntity {
 $module = getTabModuleName($tabId);
 }
 $query = $this->getNonAdminAccessQuery($module, $user, $parentRole, $userGroups);
+ $tableName = Vtiger_Util_Helper::validateStringForSql($tableName);
 $query = "create temporary table IF NOT EXISTS $tableName(id int(11) primary key) ignore " . $query;
 $db = PearDatabase::getInstance();
diff --git a/include/PopulateComboValues.php b/include/PopulateComboValues.php
index bc7337fdd..6dc4dc812 100644
--- a/include/PopulateComboValues.php
+++ b/include/PopulateComboValues.php
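Review bot: In checkIfCustomTableExists the added line validates `$table_name`, but the method's parameter is `$tablename` and the query on the next line still reads `$tablename`, so the new check runs on an undefined variable and the table identifier reaches the query exactly as before, protected only by `sql_escape_string`, which escapes string-literal content and is not an identifier quoting routine. The line should be `$tablename = Vtiger_Util_Helper::validateStringForSql($tablename);`, or the parameter renamed consistently. The method body continues past the end of the hunk.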
@@ -31,6 +31,7 @@ class PopulateComboValues
 function insertComboValues($values, $tableName,$picklistid) {
 global $log;
+ $tableName = Vtiger_Util_Helper::validateStringForSql($tableName);
 $log->debug("Entering insertComboValues(".$values.", ".$tableName.") method ...");
 global $adb;
 //inserting the value in the vtiger_picklistvalues_seq for the getting uniqueID for each picklist values...
@@ -81,7 +82,7 @@ class PopulateComboValues
 global $app_list_strings,$adb;
 global $combo_strings;
- $comboRes = $adb->query("SELECT distinct fieldname FROM vtiger_field WHERE uitype IN ('15') OR fieldname = 'salutationtype' and vtiger_field.presence in (0,2)");
+ $comboRes = $adb->pquery("SELECT distinct fieldname FROM vtiger_field WHERE uitype IN ('15') OR fieldname = 'salutationtype' and vtiger_field.presence in (0,2)", array());
 $noOfCombos = $adb->num_rows($comboRes);
 for($i=0; $i<$noOfCombos; $i++) {
@@ -124,7 +125,7 @@ class PopulateComboValues
 global $app_list_strings,$adb;
 global $combo_strings;
 // uitype -> 16 - Non standard picklist, 115 - User status, 83 - Tax Class
- $comboRes = $adb->query("SELECT distinct fieldname FROM vtiger_field WHERE uitype IN ('16','115','83') AND fieldname NOT IN ('hdnTaxType','email_flag') and vtiger_field.presence in (0,2)");
+ $comboRes = $adb->pquery("SELECT distinct fieldname FROM vtiger_field WHERE uitype IN ('16','115','83') AND fieldname NOT IN ('hdnTaxType','email_flag') and vtiger_field.presence in (0,2)", array());
 $noOfCombos = $adb->num_rows($comboRes);
 for($i=0; $i<$noOfCombos; $i++) {
diff --git a/include/Webservices/Custom/VtigerCompanyDetails.php b/include/Webservices/Custom/VtigerCompanyDetails.php
index 8b8076bb5..ced8ebb66 100644
--- a/include/Webservices/Custom/VtigerCompanyDetails.php
+++ b/include/Webservices/Custom/VtigerCompanyDetails.php
@@ -17,6 +17,7 @@ require_once 'include/Webservices/VtigerActorOperation.php';
 class VtigerCompanyDetails extends VtigerActorOperation {
 public function create($elementType, $element) {
 $db = PearDatabase::getInstance();
+ $params = array();
 $sql = 'select * from vtiger_organizationdetails';
 $result = $db->pquery($sql,$params);
 $rowCount = $db->num_rows($result);
--
GitLab