diff --git a/include/QueryGenerator/QueryGenerator.php b/include/QueryGenerator/QueryGenerator.php
index d5a21f9e2dd1f2656783644ba6b79951c4c7bca1..bafbd821a7433f68c9553be0eb0f551593b9ae1c 100644
--- a/include/QueryGenerator/QueryGenerator.php
+++ b/include/QueryGenerator/QueryGenerator.php
@@ -1418,19 +1418,19 @@ class QueryGenerator {
 public function getDashBoardConditionList() {
 if(isset($_REQUEST['leadsource'])) {
- $leadSource = $_REQUEST['leadsource'];
+ $leadSource = vtlib_purify($_REQUEST['leadsource']);
 }
 if(isset($_REQUEST['date_closed'])) {
- $dateClosed = $_REQUEST['date_closed'];
+ $dateClosed = vtlib_purify($_REQUEST['date_closed']);
 }
 if(isset($_REQUEST['sales_stage'])) {
- $salesStage = $_REQUEST['sales_stage'];
+ $salesStage = vtlib_purify($_REQUEST['sales_stage']);
 }
 if(isset($_REQUEST['closingdate_start'])) {
- $dateClosedStart = $_REQUEST['closingdate_start'];
+ $dateClosedStart = vtlib_purify($_REQUEST['closingdate_start']);
 }
 if(isset($_REQUEST['closingdate_end'])) {
- $dateClosedEnd = $_REQUEST['closingdate_end'];
+ $dateClosedEnd = vtlib_purify($_REQUEST['closingdate_end']);
 }
 if(isset($_REQUEST['owner'])) {
 $owner = vtlib_purify($_REQUEST['owner']);
diff --git a/include/utils/ExportUtils.php b/include/utils/ExportUtils.php
index bb412bf21c7b1ae1a57a179355639b6641d318ae..0cf16816df693aff9c06351f38967db732027445 100644
--- a/include/utils/ExportUtils.php
+++ b/include/utils/ExportUtils.php
@@ -80,7 +80,7 @@ function getFieldsListFromQuery($query)
 global $adb, $log;
 $log->debug("Entering into the function getFieldsListFromQuery($query)");
- $result = $adb->query($query);
+ $result = $adb->pquery($query, array());
 $num_rows = $adb->num_rows($result);
 for($i=0; $i < $num_rows;$i++)
diff --git a/modules/Settings/Leads/models/Mapping.php b/modules/Settings/Leads/models/Mapping.php
index 3100f8e4790c140cb16e74419614650c6bf06615..313cb0c1bb76f24ec7ea0dbb970e44457b22dae3 100644
--- a/modules/Settings/Leads/models/Mapping.php
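Review bot: `vtlib_purify` is a markup sanitizer, not a SQL escape, so if `$leadSource`, `$salesStage` or the three date values are later concatenated into a WHERE clause they remain injectable; the method's body continues past the hunk, so where they are consumed is not visible here. The durable fix belongs at the consumer: bind each value as a `?` parameter and keep `vtlib_purify` for the output side only. The date fields also deserve a stricter check than purification, since anything that is not a date is meaningless as a closing-date bound; a reviewer note at the top of the method would make that expectation explicit, e.g. `// NOTE(review): validate date_closed / closingdate_* as dates before they reach the query; purify only neutralises markup`.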
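Review bot: Changing `query` to `pquery($query, array())` does not change what is executed: `$query` is still whatever string the caller assembled, and an empty parameter list binds nothing. To make the parameterisation real, let callers pass their values through: `function getFieldsListFromQuery($query, $params = array())` and `$result = $adb->pquery($query, $params);`, then move the concatenated values at each call site into `$params`. Note also that the `$log->debug(...)` line above interpolates the full query text into the log, which matters once queries carry user data. The function's signature sits in the hunk header, above the hunk's first line.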
+++ b/modules/Settings/Leads/models/Mapping.php
@@ -180,14 +180,16 @@ class Settings_Leads_Mapping_Model extends Settings_Vtiger_Module_Model {
 $insertQuery = 'INSERT INTO vtiger_convertleadmapping(leadfid, accountfid, contactfid, potentialfid) VALUES ';
 $count = count($createMappingsList);
+ $params = array();
 for ($i=0; $i<$count; $i++) {
 $mappingDetails = $createMappingsList[$i];
- $insertQuery .= '('. $mappingDetails['lead'] .', '. $mappingDetails['account'] .', '. $mappingDetails['contact'] .', '. $mappingDetails['potential'] .')';
+ $insertQuery .= '(?, ?, ?, ?)';
+ array_push($params, $mappingDetails['lead'], $mappingDetails['account'], $mappingDetails['contact'], $mappingDetails['potential']);
 if ($i !== $count-1) {
 $insertQuery .= ', ';
 }
 }
- $db->pquery($insertQuery, array());
+ $db->pquery($insertQuery, $params);
 }
 if ($updateMappingsList) {
diff --git a/modules/Settings/LoginHistory/models/ListView.php b/modules/Settings/LoginHistory/models/ListView.php
index 635658d39b4c2501809d6a9aa0bbfc1bb04ab5be..e682545d5793cbb14c8bc4cf192fa6ba566487b0 100644
--- a/modules/Settings/LoginHistory/models/ListView.php
+++ b/modules/Settings/LoginHistory/models/ListView.php
@@ -14,6 +14,7 @@ class Settings_LoginHistory_ListView_Model extends Settings_Vtiger_ListView_Mode
 * @return type
 */
 public function getBasicListQuery() {
+ $db = PearDatabase::getInstance();
 $module = $this->getModule();
 $userNameSql = getSqlForNameInDisplayFormat(array('first_name'=>'vtiger_users.first_name', 'last_name' => 'vtiger_users.last_name'), 'Users');
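Review bot: With `$count` equal to 0 the loop never runs and the statement ends in `VALUES ` with no tuple, so `$db->pquery` would fail on a syntax error; the `if` enclosing this block starts above the hunk and presumably guards against an empty `$createMappingsList`, but that is not visible here. A cheap belt-and-braces guard is `if ($count > 0) { $db->pquery($insertQuery, $params); }`. A one-line comment above the loop would also help the next reader see the invariant the bound statement relies on, `// one (?, ?, ?, ?) tuple per mapping; $params holds the values in the same order`.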
@@ -23,11 +24,13 @@ class Settings_LoginHistory_ListView_Model extends Settings_Vtiger_ListView_Mode
 $search_key = $this->get('search_key');
 $value = Vtiger_Functions::realEscapeString($this->get('search_value'));
+ $params = array();
 if(!empty($search_key) && !empty($value)) {
- $query .= " WHERE $module->baseTable.$search_key = '$value'";
+ $query .= " WHERE $module->baseTable.$search_key = ?";
+ $params[] = $value;
 }
 $query .= " ORDER BY login_time DESC";
- return $query;
+ return $db->convert2Sql($query, $params);
 }
 public function getListViewLinks() {
@@ -47,12 +50,13 @@ class Settings_LoginHistory_ListView_Model extends Settings_Vtiger_ListView_Mode
 $search_key = $this->get('search_key');
 $value = $this->get('search_value');
-
+ $params = array();
 if(!empty($search_key) && !empty($value)) {
- $listQuery .= " WHERE $module->baseTable.$search_key = '$value'";
+ $listQuery .= " WHERE $module->baseTable.$search_key = ?";
+ $params[] = $value;
 }
- $listResult = $db->pquery($listQuery, array());
+ $listResult = $db->pquery($listQuery, $params);
 return $db->query_result($listResult, 0, 'count');
 }
 }
diff --git a/modules/Vtiger/helpers/Util.php b/modules/Vtiger/helpers/Util.php
index 3d330a5799724d2e1a115e354a580b1bfee20ae7..23b7f18e71a61e4dac0b0a3f55f1f35a1e33481b 100644
--- a/modules/Vtiger/helpers/Util.php
+++ b/modules/Vtiger/helpers/Util.php
@@ -326,6 +326,7 @@ class Vtiger_Util_Helper {
 }
 $db = PearDatabase::getInstance();
+ $fieldName = Vtiger_Util_Helper::validateStringForSql($fieldName);
 $primaryKey = Vtiger_Util_Helper::getPickListId($fieldName);
 $query = 'SELECT '.$primaryKey.', '.$fieldName.' FROM vtiger_'.$fieldName.' order by sortorderid';
 $values = array();
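Review bot: `$value` is passed through `Vtiger_Functions::realEscapeString` and then bound as a `?` parameter, so quotes and backslashes are escaped twice and a search for a value containing them will no longer match; the count query in the next hunk binds the raw value, so the list and its count can disagree. Now that the value is bound, drop the escaping: `$value = $this->get('search_value');`. `$search_key` is still interpolated into the SQL as a column name and is not covered by the parameter, so if it can originate from the request it should be checked against the module's known columns before it reaches the query. `$query` is started above the hunk's first line.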
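Review bot: Only the value is bound here; `$search_key` is still spliced into `$listQuery` as an identifier, so the parameterisation does not close that path if `search_key` comes from the request. Restrict it before building the clause, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $search_key)) { $search_key = ''; }`, and apply the same check in the list query so the filtered list and its count stay consistent. `$listQuery` and `$module` are set above the hunk's first line.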
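Review bot: Whether `validateStringForSql` rejects a bad `$fieldName` or only strips characters from it is not visible here, and the distinction matters on the following lines, where `$fieldName` becomes both a column name and the table suffix in `'vtiger_'.$fieldName`: a silently rewritten name runs the query against a different table instead of failing. If the helper strips, prefer failing closed, `if (Vtiger_Util_Helper::validateStringForSql($fieldName) !== $fieldName) { return array(); }` (or whatever empty result the callers expect). A short comment would make the reason for the guard explicit: `// $fieldName is an identifier (column and table) below, so it must be a plain name, not merely escaped`. The method begins above the hunk; the leading `}` closes an earlier block.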
@@ -361,6 +362,7 @@ class Vtiger_Util_Helper {
 }
 $db = PearDatabase::getInstance();
+ $fieldName = Vtiger_Util_Helper::validateStringForSql($fieldName);
 $query = "SELECT $fieldName FROM vtiger_$fieldName INNER JOIN vtiger_role2picklist on vtiger_role2picklist.picklistvalueid = vtiger_$fieldName.picklist_valueid
diff --git a/modules/Vtiger/models/Module.php b/modules/Vtiger/models/Module.php
index 43e683c4d14e9a8436a9b9cd4b7ac0a579df74d6..5e9c2edeaeecb2ff039bbf94ffda81fca6f2a7eb 100644
--- a/modules/Vtiger/models/Module.php
+++ b/modules/Vtiger/models/Module.php
@@ -1452,7 +1452,9 @@ class Vtiger_Module_Model extends Vtiger_Module {
 * @return <String> - query
 */
 public function getSearchRecordsQuery($searchValue,$searchFields, $parentId=false, $parentModule=false) {
- return "SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity WHERE label LIKE '%$searchValue%' AND vtiger_crmentity.deleted = 0";
+ $db = PearDatabase::getInstance();
+ $query = $db->convert2Sql("SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity WHERE label LIKE ? AND vtiger_crmentity.deleted = 0", array("%$searchValue%"));
+ return $query;
 }
 /**
diff --git a/modules/Vtiger/models/Tag.php b/modules/Vtiger/models/Tag.php
index 25327741d195a47cce325c6415c50b16708f1df9..bb0a01c4daf70565226b73d9784c13b4f1025def 100644
--- a/modules/Vtiger/models/Tag.php
+++ b/modules/Vtiger/models/Tag.php
@@ -276,14 +276,10 @@ class Vtiger_Tag_Model extends Vtiger_Base_Model {
 $db = PearDatabase::getInstance();
 $query = "SELECT * FROM vtiger_freetags WHERE (tag=? OR raw_tag=?) AND (owner=? OR visibility=?)";
 $params = array($name, $name, $userId, self::PUBLIC_TYPE);
- global $log;
- $log->fatal($excludedTagId);
 if($excludedTagId !== false) {
 $query .= ' AND id != ?';
 array_push($params, $excludedTagId);
 }
- global $log;
- $log->fatal($db->convert2Sql($query , $params));
 $result = $db->pquery($query, $params);
 $tagModel = false;
 if($db->num_rows($result) > 0) {
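Review bot: Same point as the earlier Util.php hunk: `$fieldName` is interpolated as a column and as the suffix of `vtiger_$fieldName` in the query that starts on the next line, so the guard only helps if `validateStringForSql` rejects rather than rewrites the name. Consider the same fail-closed check here so both picklist helpers behave alike, plus a comment such as `// identifier, not data: cannot be bound, so it must be validated before interpolation`. The query string and the method continue past the hunk.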
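Review bot: `$searchValue` is now bound, but `$searchFields` is still imploded straight into the SELECT list, so if any caller passes field names taken from the request the column list remains injectable; where `$searchFields` comes from is not visible in the hunk. Separately, `%` and `_` inside `$searchValue` are LIKE wildcards and are not escaped, so a search term can broaden the match; if a literal substring match is intended, escape them before wrapping, `array('%' . addcslashes($searchValue, '%_\\') . '%')`. The docblock's `@return <String> - query` is still accurate, but it would be worth noting there that the returned string already has its value escaped via `convert2Sql` and must not be escaped again by callers.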
diff --git a/modules/Vtiger/views/Import.php b/modules/Vtiger/views/Import.php
index 076a7109ba869f7857156b82a789df40705b8908..21a619a079f379f0270805dc0bf12d2176387fe1 100644
--- a/modules/Vtiger/views/Import.php
+++ b/modules/Vtiger/views/Import.php
@@ -247,7 +247,7 @@ class Vtiger_Import_View extends Vtiger_Index_View {
 $ownerId = $request->get('foruser');
 $user = Users_Record_Model::getCurrentUserModel();
- $dbTableName = Import_Utils_Helper::getDbTableName($user);
+ $dbTableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($user));
 if(!$user->isAdminUser() && $user->id != $ownerId) {
 $viewer->assign('MESSAGE', vtranslate('LBL_PERMISSION_DENIED'));
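Review bot: The permission check on the line after the change compares `$user->id != $ownerId` loosely, with `$ownerId` taken verbatim from the request; on PHP 7 a value such as `5abc` compares equal to `5`, so a non-numeric suffix passes the owner test while leaving a non-integer `$ownerId` for the code that follows. Normalise it first: `$ownerId = (int)$request->get('foruser');` and compare with `(int)$user->id !== $ownerId`. Whether `validateStringForSql` rejects or rewrites the derived table name is not visible here; if it rewrites, the import would silently target a different table, so failing closed is preferable to sanitising. The method continues past the hunk.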