diff --git a/modules/Accounts/models/Module.php b/modules/Accounts/models/Module.php
index 82e31bcd5fde52aa825c50092f50cd521c7efaee..874073fcc08c70a72245f48483f378471f0cc2af 100644
--- a/modules/Accounts/models/Module.php
+++ b/modules/Accounts/models/Module.php
@@ -157,7 +157,6 @@ class Accounts_Module_Model extends Vtiger_Module_Model {
 $focus = CRMEntity::getInstance($this->getName());
 $focus->id = $recordId;
 $entityIds = $focus->getRelatedContactsIds();
- $entityIds = implode(',', $entityIds);
 $params = array();
 $query = "SELECT DISTINCT vtiger_crmentity.crmid, (CASE WHEN (crmentity2.crmid not like '') THEN crmentity2.crmid ELSE crmentity3.crmid END) AS parent_id,
@@ -199,7 +198,7 @@ class Accounts_Module_Model extends Vtiger_Module_Model {
 array_push($params, $recordId);
 if ($entityIds) {
 $query .= " OR vtiger_cntactivityrel.contactid IN (" . generateQuestionMarks($entityIds) . "))";
- array_push($params, $entityIds);
+ $params = array_merge($params, $entityIds);
 } else {
 $query .= ")";
 }
diff --git a/modules/Settings/Picklist/actions/SaveAjax.php b/modules/Settings/Picklist/actions/SaveAjax.php
index 2388760f1102325af112098d802132c9d519d780..da391e3f88ddcc1b719884b86bb3465e770fdb21 100644
--- a/modules/Settings/Picklist/actions/SaveAjax.php
+++ b/modules/Settings/Picklist/actions/SaveAjax.php
@@ -40,20 +40,23 @@ class Settings_Picklist_SaveAjax_Action extends Settings_Vtiger_Basic_Action {
 $defaultFieldName = 'defaultactivitytype';
 else $defaultFieldName = 'defaulteventstatus';
- $queryToGetId = 'SELECT id FROM vtiger_users WHERE '.$defaultFieldName.' IN (';
+ $queryToGetId = "SELECT id FROM vtiger_users WHERE ".$defaultFieldName." IN (";
+ $params = array();
 if(is_array($oldValue)) {
 for($i=0;$i<count($oldValue);$i++) {
- $queryToGetId .= '"'.$oldValue[$i].'"';
+ $queryToGetId .= "?";
+ array_push($params, $oldValue[$i]);
 if($i<(count($oldValue)-1)) {
- $queryToGetId .= ',';
+ $queryToGetId .= ",";
 }
 }
- $queryToGetId .= ')';
+ $queryToGetId .= ")";
 } else {
- $queryToGetId .= '"'.$oldValue.'")';
+ $queryToGetId .= "?)";
+ array_push($params, $oldValue);
 }
- $result = $db->pquery($queryToGetId, array());
+ $result = $db->pquery($queryToGetId, $params);
 $rowCount = $db->num_rows($result);
 for($i=0; $i<$rowCount; $i++) {
 $recordId = $db->query_result_rowdata($result, $i);
diff --git a/modules/Settings/Picklist/models/Field.php b/modules/Settings/Picklist/models/Field.php
index f7b64bd6b702fb1320bf7560e9b2737157b88028..1af6edee6cfd3dc87c8431049901f9a0d64ecdff 100644
--- a/modules/Settings/Picklist/models/Field.php
+++ b/modules/Settings/Picklist/models/Field.php
@@ -39,7 +39,7 @@ class Settings_Picklist_Field_Model extends Vtiger_Field_Model {
 return Vtiger_Cache::get('PicklistRoleBasedValues',$this->getName().implode('_', $roleIdList));
 }
 $db = PearDatabase::getInstance();
- $fieldName = $this->getName();
+ $fieldName = Vtiger_Util_Helper::validateStringForSql($this->getName());
 $tableName = 'vtiger_'.$fieldName;
 $idColName = $fieldName.'id';
 $query = 'SELECT '.$fieldName;
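Review bot: The for loop in the is_array branch of the SaveAjax hunk appends `?` and `,` by hand, duplicating generateQuestionMarks(), which this same commit uses in Accounts/models/Module.php and Settings/Picklist/models/Module.php; the branch reduces to `$queryToGetId .= generateQuestionMarks($oldValue) . ")"; $params = array_values($oldValue);`. The switch from single to double quotes on lines that gain no interpolation is diff noise and makes the real change harder to see. An empty `$oldValue` array still yields `IN ()`, which is a syntax error; that is unchanged by the commit, but a guard before the query is built would make the failure explicit. The enclosing method starts and ends outside the hunk.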
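Review bot: In the Field.php hunk at line 39 the validated name feeds `$tableName`, `$idColName` and the SELECT, while the cache lookup two lines above it (`Vtiger_Cache::get('PicklistRoleBasedValues', $this->getName()...)`) still keys on the raw name; if validateStringForSql ever rewrites the string instead of rejecting it, the cache entry and the query no longer refer to the same field. What the helper guarantees is not visible in this diff, and because its result is spliced into table and column identifiers rather than bound as a value, the call site should say what it relies on, e.g. `// $fieldName is interpolated as a table/column identifier below; validateStringForSql must restrict it to [A-Za-z0-9_]`. Whether the helper rejects or rewrites is something to confirm in Vtiger_Util_Helper before trusting it for identifiers. The enclosing method starts and ends outside the hunk.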
@@ -103,6 +103,7 @@ class Settings_Picklist_Field_Model extends Vtiger_Field_Model {
 * @return type -- array of values
 */
 public function getEditablePicklistValues($fieldName){
+ $fieldName = Vtiger_Util_Helper::validateStringForSql($fieldName);
 $cache = Vtiger_Cache::getInstance();
 $EditablePicklistValues = $cache->get('EditablePicklistValues', $fieldName);
 if($EditablePicklistValues) {
@@ -129,6 +130,7 @@ class Settings_Picklist_Field_Model extends Vtiger_Field_Model {
 * @return type -- array of values
 */
 public static function getNonEditablePicklistValues($fieldName){
+ $fieldName = Vtiger_Util_Helper::validateStringForSql($fieldName);
 $cache = Vtiger_Cache::getInstance();
 $NonEditablePicklistValues = $cache->get('NonEditablePicklistValues', $fieldName);
 if($NonEditablePicklistValues) {
diff --git a/modules/Settings/Picklist/models/Module.php b/modules/Settings/Picklist/models/Module.php
index 325c0e467f8ae264814901ecf84e23dfe2fac031..344aa6f651e720296115871efb6599922fb2bbfc 100644
--- a/modules/Settings/Picklist/models/Module.php
+++ b/modules/Settings/Picklist/models/Module.php
@@ -74,6 +74,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model {
 public function renamePickListValues($pickListFieldName, $oldValue, $newValue, $moduleName, $id, $rolesList = false, $color = '') {
 $db = PearDatabase::getInstance();
+ $pickListFieldName = Vtiger_Util_Helper::validateStringForSql($pickListFieldName);
 $query = 'SELECT tablename, fieldid, columnname FROM vtiger_field WHERE fieldname=? and presence IN (0,2)';
 $result = $db->pquery($query, array($pickListFieldName));
 $num_rows = $db->num_rows($result);
@@ -128,6 +129,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model {
 if(!is_array($valueToDeleteId)) {
 $valueToDeleteId = array($valueToDeleteId);
 }
+ $pickListFieldName = Vtiger_Util_Helper::validateStringForSql($pickListFieldName);
 $primaryKey = Vtiger_Util_Helper::getPickListId($pickListFieldName);
 $pickListValues = array();
@@ -224,6 +226,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model {
 $dieOnErrorOldValue = $db->dieOnError;
 $db->dieOnError = false;
+ $picklistFieldName = Vtiger_Util_Helper::validateStringForSql($picklistFieldName);
 $sql = "select picklistid from vtiger_picklist where name=?";
 $result = $db->pquery($sql, array($picklistFieldName));
 $picklistid = $db->query_result($result,0,"picklistid");
@@ -272,8 +275,8 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model {
 $deleteValueList[] = ' ( roleid = "'.$roleId.'" AND '.'picklistvalueid = "'.$pickListValueId.'") ';
 }
 }
- $query = 'INSERT IGNORE INTO vtiger_role2picklist (roleid,picklistvalueid,picklistid) VALUES '.implode(',',$insertValueList);
- $result = $db->pquery($query,array());
+ $query = 'INSERT IGNORE INTO vtiger_role2picklist (roleid,picklistvalueid,picklistid) VALUES '. generateQuestionMarks($insertValueList);
+ $result = $db->pquery($query, $insertValueList);
 $deleteQuery = 'DELETE FROM vtiger_role2picklist WHERE '.implode(' OR ',$deleteValueList);
@@ -307,9 +310,9 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model {
 $query = "SELECT distinct vtiger_tab.tablabel, vtiger_tab.name as tabname FROM vtiger_tab inner join vtiger_field on vtiger_tab.tabid=vtiger_field.tabid
- WHERE uitype IN (15,33,16,114) and vtiger_field.tabid NOT IN (". implode(',', $unsupportedModuleIds) .") and vtiger_tab.presence != 1 and vtiger_field.presence in (0,2)
+ WHERE uitype IN (15,33,16,114) and vtiger_field.tabid NOT IN (". generateQuestionMarks($unsupportedModuleIds) .") and vtiger_tab.presence != 1 and vtiger_field.presence in (0,2)
 ORDER BY vtiger_tab.tabid ASC";
- $result = $db->pquery($query, array());
+ $result = $db->pquery($query, $unsupportedModuleIds);
 $modulesModelsList = array();
 while($row = $db->fetch_array($result)){
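Review bot: In the hunk at line 275, `VALUES ' . generateQuestionMarks($insertValueList)` emits one `?` per element of `$insertValueList`, so a three-column INSERT becomes `VALUES ?,?,…` with each list element bound as a single scalar; the list is built above the hunk, and unless that code was changed to produce flat triples grouped as `(?,?,?)`, the statement no longer has a shape the database accepts. The loop that fills the list should collect rows and parameters separately, roughly `$insertRows[] = '(?, ?, ?)';` together with `array_push($insertParams, $roleId, $pickListValueId, $picklistid);` (the picklist id is named `$picklistid` in the hunk at line 226, if that is the same method), and the query then uses `VALUES ' . implode(',', $insertRows)` bound with `$insertParams`. The `$deleteValueList[]` context line in this hunk still interpolates `$roleId` and `$pickListValueId` into the DELETE, so the conversion leaves that statement string-built. The enclosing method starts and ends outside the hunk.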
@@ -430,6 +433,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model {
 $primaryKey = Vtiger_Util_Helper::getPickListId($pickListFieldName);
 $pickListDeleteValue = array();
+ $pickListFieldName = Vtiger_Util_Helper::validateStringForSql($pickListFieldName);
 $getPickListValueQuery = "SELECT $pickListFieldName FROM " . $this->getPickListTableName($pickListFieldName) . " WHERE $primaryKey IN (" . generateQuestionMarks($valueToDeleteID) . ")";
 $result = $db->pquery($getPickListValueQuery, array($valueToDeleteID));
 $num_rows = $db->num_rows($result);
@@ -447,6 +451,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model {
 */
 public static function getPicklistColor($pickListFieldName, $pickListId) {
 $db = PearDatabase::getInstance();
+ $pickListFieldName = Vtiger_Util_Helper::validateStringForSql($pickListFieldName);
 $primaryKey = Vtiger_Util_Helper::getPickListId($pickListFieldName);
 $colums = $db->getColumnNames("vtiger_$pickListFieldName");
 if(in_array('color',$colums)) {
@@ -484,11 +489,12 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model {
 */
 public static function getPicklistColorMap($fieldName, $key = false) {
 $db = PearDatabase::getInstance();
+ $fieldName = Vtiger_Util_Helper::validateStringForSql($fieldName);
 $primaryKey = Vtiger_Util_Helper::getPickListId($fieldName);
 $colums = $db->getColumnNames("vtiger_$fieldName");
 if(in_array('color',$colums)) {
 $query = 'SELECT '.$primaryKey.',color,'.$fieldName.' FROM vtiger_'.$fieldName;
- $result = $db->pquery($query);
+ $result = $db->pquery($query, array());
 $pickListColorMap = array();
 $isRoleBasedPicklist = vtws_isRoleBasedPicklist($fieldName);
 $accessablePicklistValues = self::getAccessiblePicklistValues($fieldName);
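Review bot: In the hunk at line 433 the validateStringForSql call is inserted after `$primaryKey = Vtiger_Util_Helper::getPickListId($pickListFieldName);`, so `$primaryKey`, which is interpolated into `WHERE $primaryKey IN (...)`, is still derived from the unvalidated name; the other hunks in this file (lines 129, 451, 489, 561) validate before calling getPickListId, and this one should match by moving the added line above the `$primaryKey` assignment. The context line `$db->pquery($getPickListValueQuery, array($valueToDeleteID))` wraps what generateQuestionMarks() treats as a list in another array, so unless PearDatabase::pquery flattens nested parameter arrays (not visible here) N placeholders are bound with one parameter; that is the same mismatch the commit fixes in Accounts/models/Module.php, and the line should read `$result = $db->pquery($getPickListValueQuery, $valueToDeleteID);` (through array_values() if callers may pass a map). The enclosing method starts outside the hunk.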
@@ -524,6 +530,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model {
 */
 public static function getPicklistColorByValue($fieldName, $fieldValue) {
 $db = PearDatabase::getInstance();
+ $fieldName = Vtiger_Util_Helper::validateStringForSql($fieldName);
 $tableName = "vtiger_$fieldName";
 if(Vtiger_Utils::CheckTable($tableName)) {
 $colums = $db->getColumnNames($tableName);
@@ -554,6 +561,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model {
 //As older look utf8 characters are pushed as html-entities,and in new utf8 characters are pushed to database //so we are checking for both the values
+ $pickListFieldName = Vtiger_Util_Helper::validateStringForSql($pickListFieldName);
 $primaryKey = Vtiger_Util_Helper::getPickListId($pickListFieldName);
 if(!empty($color)) {
 $query = 'UPDATE ' . $this->getPickListTableName($pickListFieldName) . ' SET color = ? WHERE '.$primaryKey.' = ?';
diff --git a/modules/Settings/Potentials/models/Mapping.php b/modules/Settings/Potentials/models/Mapping.php
index df33a0a4c06b97c3d6d5f61f9f92e99ce33563a3..6770bc66b8a54ac195260405839c81b3b70d6dd9 100644
--- a/modules/Settings/Potentials/models/Mapping.php
+++ b/modules/Settings/Potentials/models/Mapping.php
@@ -121,14 +121,16 @@ class Settings_Potentials_Mapping_Model extends Settings_Leads_Mapping_Model {
 $insertQuery = 'INSERT INTO vtiger_convertpotentialmapping(potentialfid, projectfid) VALUES ';
 $count = count($createMappingsList);
+ $params = array();
 for ($i=0; $i<$count; $i++) {
 $mappingDetails = $createMappingsList[$i];
- $insertQuery .= '('. $mappingDetails['potential'] .', '. $mappingDetails['project'] .')';
+ $insertQuery .= '(?, ?)';
+ array_push($params, $mappingDetails['potential'], $mappingDetails['project']);
 if ($i !== $count-1) {
 $insertQuery .= ', ';
 }
 }
- $db->pquery($insertQuery, array());
+ $db->pquery($insertQuery, $params);
 }
 if ($updateMappingsList) {
diff --git a/modules/Settings/Profiles/models/Record.php b/modules/Settings/Profiles/models/Record.php
index 899389d13509aded0d655577966678f62f7028ec..dcba26e06511c3114cb9c61d48fc72358da6e916 100644
--- a/modules/Settings/Profiles/models/Record.php
+++ b/modules/Settings/Profiles/models/Record.php
@@ -571,11 +571,13 @@ class Settings_Profiles_Record_Model extends Settings_Vtiger_Record_Model {
 //Standard permissions
 $i = 0;
 $count = count($actionsIdsList);
+ $params = array();
 $actionsInsertQuery .= 'INSERT INTO vtiger_profile2standardpermissions(profileid, tabid, operation, permissions) VALUES ';
 foreach ($actionsIdsList as $actionId => $permission) {
 $actionEnabled = true;
 $permissionValue = $this->tranformInputPermissionValue($permission);
- $actionsInsertQuery .= "($profileId, $tabId, $actionId, $permissionValue)";
+ $actionsInsertQuery .= "(?, ?, ?, ?)";
+ array_push($params, $profileId, $tabId, $actionId, $permissionValue);
 if ($i !== $count-1) {
 $actionsInsertQuery .= ', ';
@@ -589,10 +591,12 @@ class Settings_Profiles_Record_Model extends Settings_Vtiger_Record_Model {
 //Utility permissions
 $i = 0;
 $count = count($utilityIdsList);
+ $params = array();
 $utilityInsertQuery .= 'INSERT INTO vtiger_profile2utility(profileid, tabid, activityid, permission) VALUES ';
 foreach($utilityIdsList as $actionId => $permission) {
 $permissionValue = $this->tranformInputPermissionValue($permission);
- $utilityInsertQuery .= "($profileId, $tabId, $actionId, $permissionValue)";
+ $utilityInsertQuery .= "(?, ?, ?, ?)";
+ array_push($params, $profileId, $tabId, $actionId, $permissionValue);
 if ($i !== $count-1) {
 $utilityInsertQuery .= ', ';
diff --git a/modules/Settings/Roles/models/Record.php b/modules/Settings/Roles/models/Record.php
index 41ebbfe890a541b19c13888f3d727a19b30d9648..f1990bc93c9068455279b10fd5f50f0acf320050 100644
--- a/modules/Settings/Roles/models/Record.php
+++ b/modules/Settings/Roles/models/Record.php
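Review bot: `$params = array();` is introduced at line 574 for the standard-permission rows and again at line 594 for the utility rows, but neither hunk shows the pquery() that consumes the first array; `$actionsInsertQuery` and `$utilityInsertQuery` are built with `.=` as two separate accumulating strings, which suggests both INSERTs execute after both loops, in which case the second `$params = array();` discards the standard-permission values before they are ever bound. Distinct names, `$actionsParams` and `$utilityParams`, remove that hazard wherever the queries actually run. If the `.=` means the statements accumulate across an outer loop, the parameter arrays also have to be initialised at the same level as the query strings, not inside each iteration. The enclosing method starts and ends outside both hunks.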
@@ -283,7 +283,7 @@ class Settings_Roles_Record_Model extends Settings_Vtiger_Record_Model {
 */
 public function save() {
 $db = PearDatabase::getInstance();
- $roleId = $this->getId();
+ $roleId = Vtiger_Util_Helper::validateStringForSql($this->getId());
 $mode = 'edit';
 if(empty($roleId)) {
diff --git a/modules/Settings/Workflows/models/ListView.php b/modules/Settings/Workflows/models/ListView.php
index 439468289f10c79e5a20b254c7a1fe95e1715493..e3f704f74b5d0f16ca357759df735539700fdebd 100644
--- a/modules/Settings/Workflows/models/ListView.php
+++ b/modules/Settings/Workflows/models/ListView.php
@@ -52,7 +52,8 @@ class Settings_Workflows_ListView_Model extends Settings_Vtiger_ListView_Model {
 }
 if(!empty($search_value)) {
- $listQuery .= ' AND workflowname like "%'.$search_value.'%"';
+ $listQuery .= ' AND workflowname like ?';
+ array_push($params, "%$search_value%");
 }
 $startIndex = $pagingModel->getStartIndex();
@@ -136,6 +137,7 @@ class Settings_Workflows_ListView_Model extends Settings_Vtiger_ListView_Model {
 $db = PearDatabase::getInstance();
 $module = $this->getModule();
+ $params = array();
 $listQuery = 'SELECT count(*) AS count FROM ' . $module->baseTable . ' INNER JOIN vtiger_tab ON vtiger_tab.name = '. $module->baseTable .'.module_name AND vtiger_tab.presence IN (0,2)';
@@ -143,13 +145,15 @@ class Settings_Workflows_ListView_Model extends Settings_Vtiger_ListView_Model {
 $sourceModule = $this->get('sourceModule');
 if($sourceModule) {
 $listQuery .= " WHERE module_name = '$sourceModule'";
+ array_push($params, $sourceModule);
 }
 $search_value = $this->get('search_value');
 if(!empty($search_value)) {
- $listQuery .= ' AND workflowname like "%'.$search_value.'%"';
+ $listQuery .= ' AND workflowname like ?';
+ array_push($params, "%$search_value%");
 }
- $listResult = $db->pquery($listQuery, array());
+ $listResult = $db->pquery($listQuery, $params);
 return $db->query_result($listResult, 0, 'count');
 }
 }
\ No newline at end of file
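Review bot: In the hunk at line 145, `array_push($params, $sourceModule)` is added but the line above it still interpolates the value, `$listQuery .= " WHERE module_name = '$sourceModule'";`, with no placeholder, so whenever a source module is set the bound parameters outnumber the `?` markers by one and the interpolation the commit set out to remove is still there; the line should become `$listQuery .= ' WHERE module_name = ?';`. Independently, when no source module is set but a search value is, both this hunk and the one at line 52 append `AND workflowname like ?` to a query that has no WHERE clause; that is pre-existing, but choosing the keyword conditionally (or starting from a fixed `WHERE` base) would let the two filters combine in every case. Binding `"%$search_value%"` is the right way to pass the LIKE pattern; note that `%` and `_` typed by the user still act as wildcards inside it.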