From 4905d4b514caad557dd86c4c9ff47d074766672c Mon Sep 17 00:00:00 2001
From: "greeshma.kk" <greeshma.kk@vtiger.com>
Date: Tue, 10 Sep 2019 16:31:38 +0530
Subject: [PATCH] Calendar feed action pull task sql injection fix

---
 modules/Calendar/actions/Feed.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/modules/Calendar/actions/Feed.php b/modules/Calendar/actions/Feed.php
index f34b61ac2..c053754e4 100644
--- a/modules/Calendar/actions/Feed.php
+++ b/modules/Calendar/actions/Feed.php
@@ -411,9 +411,11 @@ class Calendar_Feed_Action extends Vtiger_BasicAjax_Action {
 		$hideCompleted = $currentUser->get('hidecompletedevents');
 		if($hideCompleted)
 			$query.= "vtiger_activity.status != 'Completed' AND ";
-		$query.= " ((date_start >= '$start' AND due_date < '$end') OR ( due_date >= '$start'))";
-		$params = $userAndGroupIds;
-		$query.= " AND vtiger_crmentity.smownerid IN (".generateQuestionMarks($params).")";
+		$query.= " ((date_start >= ? AND due_date < ? ) OR ( due_date >= ? ))";
+		$params=array($start,$end,$start);
+		$userIds = $userAndGroupIds;
+		$query.= " AND vtiger_crmentity.smownerid IN (".generateQuestionMarks($userIds).")";
+		$params=array_merge($params,$userIds);
 		$queryResult = $db->pquery($query,$params);
 
 		while($record = $db->fetchByAssoc($queryResult)){
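Review bot: The added lines `$params=array($start,$end,$start);`, `$userIds = $userAndGroupIds;` and `$params=array_merge($params,$userIds);` build the bind list in three steps through a local that is only a copy of `$userAndGroupIds`; the same result reads more directly as a single `$params = array_merge([$start, $end, $start], $userAndGroupIds);` placed after the `IN (` line, with `generateQuestionMarks($userAndGroupIds)` used on that line as before. The placeholder order in the new query line (start, end, start, then the owner list) has to match the bind order, and the commit's version does match; keeping the list as one expression makes that invariant easier to see and keeps the `array()` long syntax and missing spaces out of the file. Binding `$start` and `$end` as values closes the interpolation the removed line had; where those two values come from and whether they are validated as dates is outside the hunk and worth confirming. The enclosing method starts and ends outside the hunk.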
-- 
GitLab