Query parametrization and sanitization is addressed

16ddaccf · Uma · e8ff613a · 16ddaccf · 16ddaccf · 16ddaccf
Commit 16ddaccf authored 5 years ago by Uma
--- a/include/QueryGenerator/QueryGenerator.php
+++ b/include/QueryGenerator/QueryGenerator.php
@@ -1418,19 +1418,19 @@ class QueryGenerator {

 	public function getDashBoardConditionList() {
 		if(isset($_REQUEST['leadsource'])) {
-			$leadSource = $_REQUEST['leadsource'];
+			$leadSource = vtlib_purify($_REQUEST['leadsource']);
 		}
 		if(isset($_REQUEST['date_closed'])) {
-			$dateClosed = $_REQUEST['date_closed'];
+			$dateClosed = vtlib_purify($_REQUEST['date_closed']);
 		}
 		if(isset($_REQUEST['sales_stage'])) {
-			$salesStage = $_REQUEST['sales_stage'];
+			$salesStage = vtlib_purify($_REQUEST['sales_stage']);
 		}
 		if(isset($_REQUEST['closingdate_start'])) {
-			$dateClosedStart = $_REQUEST['closingdate_start'];
+			$dateClosedStart = vtlib_purify($_REQUEST['closingdate_start']);
 		}
 		if(isset($_REQUEST['closingdate_end'])) {
-			$dateClosedEnd = $_REQUEST['closingdate_end'];
+			$dateClosedEnd = vtlib_purify($_REQUEST['closingdate_end']);
 		}
 		if(isset($_REQUEST['owner'])) {
 			$owner = vtlib_purify($_REQUEST['owner']);

--- a/include/utils/ExportUtils.php
+++ b/include/utils/ExportUtils.php
@@ -80,7 +80,7 @@ function getFieldsListFromQuery($query)
 	global $adb, $log;
 	$log->debug("Entering into the function getFieldsListFromQuery($query)");

-	$result = $adb->query($query);
+	$result = $adb->pquery($query, array());
 	$num_rows = $adb->num_rows($result);

 	for($i=0; $i < $num_rows;$i++)

--- a/modules/Settings/Leads/models/Mapping.php
+++ b/modules/Settings/Leads/models/Mapping.php
@@ -180,14 +180,16 @@ class Settings_Leads_Mapping_Model extends Settings_Vtiger_Module_Model {
 			$insertQuery = 'INSERT INTO vtiger_convertleadmapping(leadfid, accountfid, contactfid, potentialfid) VALUES ';

 			$count = count($createMappingsList);
+            $params = array();
 			for ($i=0; $i<$count; $i++) {
 				$mappingDetails = $createMappingsList[$i];
-				$insertQuery .= '('. $mappingDetails['lead'] .', '. $mappingDetails['account'] .', '. $mappingDetails['contact'] .', '. $mappingDetails['potential'] .')';
+				$insertQuery .= '(?, ?, ?, ?)';
+                array_push($params, $mappingDetails['lead'], $mappingDetails['account'], $mappingDetails['contact'], $mappingDetails['potential']);
 				if ($i !== $count-1) {
 					$insertQuery .= ', ';
 				}
 			}
-			$db->pquery($insertQuery, array());
+			$db->pquery($insertQuery, $params);
 		}

 		if ($updateMappingsList) {

--- a/modules/Settings/LoginHistory/models/ListView.php
+++ b/modules/Settings/LoginHistory/models/ListView.php
@@ -14,6 +14,7 @@ class Settings_LoginHistory_ListView_Model extends Settings_Vtiger_ListView_Mode
 	 * @return type
 	 */
    public function getBasicListQuery() {
+        $db = PearDatabase::getInstance();
        $module = $this->getModule();
 		$userNameSql = getSqlForNameInDisplayFormat(array('first_name'=>'vtiger_users.first_name', 'last_name' => 'vtiger_users.last_name'), 'Users');
 		
@@ -23,11 +24,13 @@ class Settings_LoginHistory_ListView_Model extends Settings_Vtiger_ListView_Mode
 		$search_key = $this->get('search_key');
 		$value = Vtiger_Functions::realEscapeString($this->get('search_value'));

+        $params = array();
 		if(!empty($search_key) && !empty($value)) {
-			$query .= " WHERE $module->baseTable.$search_key = '$value'";
+			$query .= " WHERE $module->baseTable.$search_key = ?";
+            $params[] = $value;
 		}
        $query .= " ORDER BY login_time DESC"; 
- 	 return $query; 
+ 	 return $db->convert2Sql($query, $params); 
    }

 	public function getListViewLinks() {
@@ -47,12 +50,13 @@ class Settings_LoginHistory_ListView_Model extends Settings_Vtiger_ListView_Mode

 		$search_key = $this->get('search_key');
 		$value = $this->get('search_value');
-		
+		$params = array();
 		if(!empty($search_key) && !empty($value)) {
-			$listQuery .= " WHERE $module->baseTable.$search_key = '$value'";
+			$listQuery .= " WHERE $module->baseTable.$search_key = ?";
+            $params[] = $value;
 		}

-		$listResult = $db->pquery($listQuery, array());
+		$listResult = $db->pquery($listQuery, $params);
 		return $db->query_result($listResult, 0, 'count');
 	}
 }
--- a/modules/Vtiger/helpers/Util.php
+++ b/modules/Vtiger/helpers/Util.php
@@ -326,6 +326,7 @@ class Vtiger_Util_Helper {
 		}
 		$db = PearDatabase::getInstance();

+        $fieldName = Vtiger_Util_Helper::validateStringForSql($fieldName);
 		$primaryKey = Vtiger_Util_Helper::getPickListId($fieldName);
 		$query = 'SELECT '.$primaryKey.', '.$fieldName.' FROM vtiger_'.$fieldName.' order by sortorderid';
 		$values = array();
@@ -361,6 +362,7 @@ class Vtiger_Util_Helper {
 		}
 		$db = PearDatabase::getInstance();

+        $fieldName = Vtiger_Util_Helper::validateStringForSql($fieldName);
 		$query = "SELECT $fieldName
 				  FROM vtiger_$fieldName
 					  INNER JOIN vtiger_role2picklist on vtiger_role2picklist.picklistvalueid = vtiger_$fieldName.picklist_valueid

--- a/modules/Vtiger/models/Module.php
+++ b/modules/Vtiger/models/Module.php
@@ -1452,7 +1452,9 @@ class Vtiger_Module_Model extends Vtiger_Module {
 	 * @return <String> - query
 	 */
 	public function getSearchRecordsQuery($searchValue,$searchFields, $parentId=false, $parentModule=false) {
-		return "SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity WHERE label LIKE '%$searchValue%' AND vtiger_crmentity.deleted = 0";
+        $db = PearDatabase::getInstance();
+        $query = $db->convert2Sql("SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity WHERE label LIKE ? AND vtiger_crmentity.deleted = 0", array("%$searchValue%"));
+		return $query;
 	}

 	/**

--- a/modules/Vtiger/models/Tag.php
+++ b/modules/Vtiger/models/Tag.php
@@ -276,14 +276,10 @@ class Vtiger_Tag_Model extends Vtiger_Base_Model {
 		$db = PearDatabase::getInstance();
 		$query = "SELECT * FROM vtiger_freetags WHERE (tag=? OR raw_tag=?) AND (owner=? OR visibility=?)";
 		$params = array($name, $name, $userId, self::PUBLIC_TYPE);
-		global $log;
-		$log->fatal($excludedTagId);
 		if($excludedTagId !== false) {
 			$query .= ' AND id != ?';
 			array_push($params, $excludedTagId);
 		}
-		global $log;
-		$log->fatal($db->convert2Sql($query , $params));
 		$result = $db->pquery($query, $params);
 		$tagModel = false;
 		if($db->num_rows($result) > 0) {

--- a/modules/Vtiger/views/Import.php
+++ b/modules/Vtiger/views/Import.php
@@ -247,7 +247,7 @@ class Vtiger_Import_View extends Vtiger_Index_View {
 		$ownerId = $request->get('foruser');

 		$user = Users_Record_Model::getCurrentUserModel();
-		$dbTableName = Import_Utils_Helper::getDbTableName($user);
+		$dbTableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($user));

 		if(!$user->isAdminUser() && $user->id != $ownerId) {
 			$viewer->assign('MESSAGE', vtranslate('LBL_PERMISSION_DENIED'));