From 47f8182d72623d061837ce97b77ddfcb959c9889 Mon Sep 17 00:00:00 2001
From: "greeshma.kk" <greeshma.kk@vtiger.com>
Date: Mon, 9 Sep 2019 17:25:07 +0530
Subject: [PATCH] Calendar_FetchAgendaEvents_sqlinjection_fix

---
 modules/Calendar/actions/FetchAgendaEvents.php | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/modules/Calendar/actions/FetchAgendaEvents.php b/modules/Calendar/actions/FetchAgendaEvents.php
index d0cac901f..0d5b00aaa 100644
--- a/modules/Calendar/actions/FetchAgendaEvents.php
+++ b/modules/Calendar/actions/FetchAgendaEvents.php
@@ -37,15 +37,18 @@ class Calendar_FetchAgendaEvents_Action extends Vtiger_BasicAjax_Action {
 		if ($hideCompleted) {
 			$query.= "vtiger_activity.eventstatus != 'HELD' AND ";
 		}
-		$query.= " (concat(date_start,'',time_start)) >= '$dbStartDateTime' AND (concat(date_start,'',time_start)) < '$dbEndDateTime'";
+		$query.= " (concat(date_start,'',time_start)) >= ? AND (concat(date_start,'',time_start)) < ?";
+       
+		$params = array($dbStartDateTime, $dbEndDateTime);
 
 		$eventUserId = $currentUser->getId();
-		$params = array_merge(array($eventUserId), $this->getGroupsIdsForUsers($eventUserId));
-
-		$query.= " AND vtiger_crmentity.smownerid IN (".generateQuestionMarks($params).")";
+		$userIds = array_merge(array($eventUserId), $this->getGroupsIdsForUsers($eventUserId));
+		$query.= " AND vtiger_crmentity.smownerid IN (".generateQuestionMarks($userIds).")";
 		$query.= ' ORDER BY time_start';
 
+		$params = array_merge($params, $userIds);
 		$queryResult = $db->pquery($query, $params);
+
 		while ($record = $db->fetchByAssoc($queryResult)) {
 			$item = array();
 			$item['id']				= $record['activityid'];
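Review bot: The bind list is now order-sensitive with nothing saying so: the two date placeholders added on the `>= ? AND ... < ?` line must precede the `smownerid IN (...)` placeholders, and the second `array_merge` near the `pquery` call is what enforces that ordering. A short comment above that merge would keep a later edit from appending a WHERE clause with its own `?` between the two halves without also re-ordering `$params`, e.g. `// bind order must follow placeholder order: date range first, then the smownerid list`. The added line after the date condition is whitespace-only with trailing spaces and should be dropped. The enclosing method begins before the hunk, so whether the part of `$query` built above it still interpolates any values cannot be confirmed from here; it is worth a look since this commit only parameterizes the date range.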
-- 
GitLab