diff --git a/include/QueryGenerator/QueryGenerator.php b/include/QueryGenerator/QueryGenerator.php
index d5a21f9e2dd1f2656783644ba6b79951c4c7bca1..bafbd821a7433f68c9553be0eb0f551593b9ae1c 100644
--- a/include/QueryGenerator/QueryGenerator.php
+++ b/include/QueryGenerator/QueryGenerator.php
@@ -1418,19 +1418,19 @@ class QueryGenerator {
 public function getDashBoardConditionList() {
 if(isset($_REQUEST['leadsource'])) {
- $leadSource = $_REQUEST['leadsource'];
+ $leadSource = vtlib_purify($_REQUEST['leadsource']);
 }
 if(isset($_REQUEST['date_closed'])) {
- $dateClosed = $_REQUEST['date_closed'];
+ $dateClosed = vtlib_purify($_REQUEST['date_closed']);
 }
 if(isset($_REQUEST['sales_stage'])) {
- $salesStage = $_REQUEST['sales_stage'];
+ $salesStage = vtlib_purify($_REQUEST['sales_stage']);
 }
 if(isset($_REQUEST['closingdate_start'])) {
- $dateClosedStart = $_REQUEST['closingdate_start'];
+ $dateClosedStart = vtlib_purify($_REQUEST['closingdate_start']);
 }
 if(isset($_REQUEST['closingdate_end'])) {
- $dateClosedEnd = $_REQUEST['closingdate_end'];
+ $dateClosedEnd = vtlib_purify($_REQUEST['closingdate_end']);
 }
 if(isset($_REQUEST['owner'])) {
 $owner = vtlib_purify($_REQUEST['owner']);
diff --git a/include/utils/ExportUtils.php b/include/utils/ExportUtils.php
index bb412bf21c7b1ae1a57a179355639b6641d318ae..0cf16816df693aff9c06351f38967db732027445 100644
--- a/include/utils/ExportUtils.php
+++ b/include/utils/ExportUtils.php
@@ -80,7 +80,7 @@ function getFieldsListFromQuery($query)
 global $adb, $log;
 $log->debug("Entering into the function getFieldsListFromQuery($query)");
- $result = $adb->query($query);
+ $result = $adb->pquery($query, array());
 $num_rows = $adb->num_rows($result);
 for($i=0; $i < $num_rows;$i++)
diff --git a/include/utils/InventoryUtils.php b/include/utils/InventoryUtils.php
index 2aa41675d062b4644609b9f5ccb73b2061217cf6..1388f65b082eda25302cb7b286fa2e5fa325ee5a 100644
--- a/include/utils/InventoryUtils.php
+++ b/include/utils/InventoryUtils.php
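Review bot: vtlib_purify() on the five request values is an HTML-oriented sanitiser, not an SQL escape, so if `$leadSource`, `$dateClosed`, `$salesStage`, `$dateClosedStart` or `$dateClosedEnd` are later concatenated into a condition (the rest of getDashBoardConditionList is outside the hunk) they still need to reach the database as bound parameters; purifying them here only covers reflection into markup. The three date values would also benefit from a format check before use, since a date that fails to parse should be rejected rather than passed through. The function continues past the hunk.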
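Review bot: Switching `$adb->query($query)` to `$adb->pquery($query, array())` does not parameterise anything by itself — `$query` is still fully caller-assembled — so the safety of getFieldsListFromQuery() rests on every caller building its SQL with bound parameters, and a one-line comment saying so, `// $query must already be parameterised by the caller; nothing is bound here`, would stop the next reader from assuming the function is now injection-safe. The same empty-array conversion is made in VtlibUtils.php, utils.php, ListViewTop.php, ReportRun.php, ReportSharing.php and PickListUtils.php. It is also worth confirming that pquery() with an empty parameter list leaves a literal `?` inside the incoming SQL untouched, since report and export queries can carry user-supplied string constants. The debug line above logs the complete SQL text, which may be more than the log should hold.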
@@ -1312,9 +1312,10 @@ function createRecords($obj) {
 $moduleFields = $moduleMeta->getModuleFields();
 $focus = CRMEntity::getInstance($moduleName);
- $tableName = Import_Utils_Helper::getDbTableName($obj->user);
- $sql = 'SELECT * FROM ' . $tableName . ' WHERE status = '. Import_Data_Action::$IMPORT_RECORD_NONE .' GROUP BY subject';
-
+ $params = array();
+ $tableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($obj->user));
+ $sql = 'SELECT * FROM ' . $tableName . ' WHERE status = ? GROUP BY subject';
+ $params[] = Import_Data_Action::$IMPORT_RECORD_NONE;
 if($obj->batchImport) {
 $importBatchLimit = getImportBatchLimit();
 $sql .= ' LIMIT '. $importBatchLimit;
@@ -1323,7 +1324,7 @@ function createRecords($obj) {
 $pagingLimit = $configReader->get('importPagingLimit');
 $sql .= ' LIMIT '.$pagingLimit;
 }
- $result = $adb->query($sql);
+ $result = $adb->pquery($sql, $params);
 $numberOfRecords = $adb->num_rows($result);
 if ($numberOfRecords <= 0) {
@@ -1343,8 +1344,10 @@ function createRecords($obj) {
 $subject = $row['subject'];
 $subject = str_replace("\\", "\\\\", $subject);
 $subject = str_replace('"', '""', $subject);
- $sql = "SELECT * FROM $tableName WHERE status = ".Import_Data_Action::$IMPORT_RECORD_NONE." AND subject = '$subject'";
- $subjectResult = $adb->query($sql);
+ $sql = "SELECT * FROM $tableName WHERE status = ? AND subject = ?";
+ $params = array();
+ array_push($params, Import_Data_Action::$IMPORT_RECORD_NONE, $subject);
+ $subjectResult = $adb->pquery($sql, $params);
 $count = $adb->num_rows($subjectResult);
 $subjectRowIDs = array();
 for ($j = 0; $j < $count; ++$j) {
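Review bot: `$importBatchLimit` (and `$pagingLimit` in the next hunk) is still concatenated into the LIMIT clause while `status` moves to a bound parameter; both values come from configuration rather than the request as far as the hunk shows, so an `(int)` cast, `$sql .= ' LIMIT ' . (int)$importBatchLimit;`, is enough to make the intent explicit and keep a non-numeric config value from producing a malformed query. createRecords continues outside the hunk.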
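Review bot: The two `str_replace` context lines above the new `subject = ?` query still double backslashes and double quotes in `$subject`, which was escaping for the old inline literal; now that `$subject` is bound through pquery() the driver appears to escape it again, so any subject containing `\` or `"` will no longer match its own rows and those imports will be silently skipped or mis-grouped. Drop the two `str_replace` calls in this hunk, or bind `$row['subject']` directly with `array_push($params, Import_Data_Action::$IMPORT_RECORD_NONE, $row['subject']);`. The createRecords hunk in PriceBooks.php (at 370) carries the same pair of lines in front of its `= ?` query. createRecords continues outside the hunk.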
@@ -1519,8 +1522,8 @@ function importRecord($obj, $inventoryFieldData, $lineItemDetails) { function getImportStatusCount($obj) { global $adb; - $tableName = Import_Utils_Helper::getDbTableName($obj->user); - $result = $adb->query('SELECT status FROM '.$tableName. ' GROUP BY subject'); + $tableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($obj->user)); + $result = $adb->pquery('SELECT status FROM '.$tableName. ' GROUP BY subject', array()); $statusCount = array('TOTAL' => 0, 'IMPORTED' => 0, 'FAILED' => 0, 'PENDING' => 0, 'CREATED' => 0, 'SKIPPED' => 0, 'UPDATED' => 0, 'MERGED' => 0); @@ -1562,15 +1565,14 @@ function undoLastImport($obj, $user) { $owner->id = $ownerId; $owner->retrieve_entity_info($ownerId, 'Users'); - $dbTableName = Import_Utils_Helper::getDbTableName($owner); + $dbTableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($owner)); if(!is_admin($user) && $user->id != $owner->id) { $viewer = new Vtiger_Viewer(); $viewer->view('OperationNotPermitted.tpl', 'Vtiger'); exit; } - $result = $adb->query("SELECT recordid FROM $dbTableName WHERE status = ". Import_Data_Controller::$IMPORT_RECORD_CREATED - ." AND recordid IS NOT NULL GROUP BY subject"); + $result = $adb->pquery("SELECT recordid FROM $dbTableName WHERE status = ? AND recordid IS NOT NULL GROUP BY subject", array(Import_Data_Controller::$IMPORT_RECORD_CREATED)); $noOfRecords = $adb->num_rows($result); $noOfRecordsDeleted = 0; for($i=0; $i<$noOfRecords; ++$i) { diff --git a/include/utils/UserInfoUtil.php b/include/utils/UserInfoUtil.php index f782f7591b3872563ffd9a158f27ef90618d476f..5d34fccba6174a6c28edee9b0dc22c0b5c42a2c8 100755 --- a/include/utils/UserInfoUtil.php +++ b/include/utils/UserInfoUtil.php 
@@ -2225,9 +2225,9 @@ function getSharingModuleList($eliminateModules=false) if(!in_array('Events', $eliminateModules)) $eliminateModules[] = 'Events'; $query = "SELECT name FROM vtiger_tab WHERE presence=0 AND ownedby = 0 AND isentitytype = 1"; - $query .= " AND name NOT IN('" . implode("','", $eliminateModules) . "')"; + $query .= " AND name NOT IN(" . generateQuestionMarks($eliminateModules) . ")"; - $result = $adb->query($query); + $result = $adb->pquery($query, $eliminateModules); while($resrow = $adb->fetch_array($result)) { $sharingModuleArray[] = $resrow['name']; } diff --git a/include/utils/VtlibUtils.php b/include/utils/VtlibUtils.php index 51b35ba0e2341e08956629c2ba7d40b93f9fb4ba..dbf16efb05ff2c524bf4a9bab6c980d7e07767ea 100644 --- a/include/utils/VtlibUtils.php +++ b/include/utils/VtlibUtils.php @@ -122,7 +122,7 @@ function vtlib_isModuleActive($module) { */ function vtlib_RecreateUserPrivilegeFiles() { global $adb; - $userres = $adb->query('SELECT id FROM vtiger_users WHERE deleted = 0'); + $userres = $adb->pquery('SELECT id FROM vtiger_users WHERE deleted = 0', array()); if($userres && $adb->num_rows($userres)) { while($userrow = $adb->fetch_array($userres)) { createUserPrivilegesfile($userrow['id']); @@ -194,7 +194,7 @@ function vtlib_getToggleModuleInfo() { $modinfo = Array(); - $sqlresult = $adb->query("SELECT name, presence, customized, isentitytype FROM vtiger_tab WHERE name NOT IN ('Users','Home') AND presence IN (0,1) ORDER BY name"); + $sqlresult = $adb->pquery("SELECT name, presence, customized, isentitytype FROM vtiger_tab WHERE name NOT IN ('Users','Home') AND presence IN (0,1) ORDER BY name", array()); $num_rows = $adb->num_rows($sqlresult); for($idx = 0; $idx < $num_rows; ++$idx) { $module = $adb->query_result($sqlresult, $idx, 'name'); 
@@ -219,7 +219,7 @@ function vtlib_getToggleLanguageInfo() { $adb->dieOnError = false; $langinfo = Array(); - $sqlresult = $adb->query("SELECT * FROM vtiger_language"); + $sqlresult = $adb->pquery("SELECT * FROM vtiger_language", array()); if($sqlresult) { for($idx = 0; $idx < $adb->num_rows($sqlresult); ++$idx) { $row = $adb->fetch_array($sqlresult); @@ -532,7 +532,7 @@ function vtlib_getPicklistValues_AccessibleToAll($field_columnname) { $tablename = "vtiger_$columnname"; // Gather all the roles (except H1 which is organization role) - $roleres = $adb->query("SELECT roleid FROM vtiger_role WHERE roleid != 'H1'"); + $roleres = $adb->pquery("SELECT roleid FROM vtiger_role WHERE roleid != 'H1'", array()); $roleresCount= $adb->num_rows($roleres); $allroles = Array(); if($roleresCount) { @@ -542,10 +542,10 @@ function vtlib_getPicklistValues_AccessibleToAll($field_columnname) { sort($allroles); // Get all the picklist values associated to roles (except H1 - organization role). - $picklistres = $adb->query( + $picklistres = $adb->pquery( "SELECT $columnname as pickvalue, roleid FROM $tablename INNER JOIN vtiger_role2picklist ON $tablename.picklist_valueid=vtiger_role2picklist.picklistvalueid - WHERE roleid != 'H1'"); + WHERE roleid != 'H1'", array()); $picklistresCount = $adb->num_rows($picklistres); @@ -578,7 +578,7 @@ function vtlib_getPicklistValues($field_columnname) { $columnname = $adb->sql_escape_string($field_columnname); $tablename = "vtiger_$columnname"; - $picklistres = $adb->query("SELECT $columnname as pickvalue FROM $tablename"); + $picklistres = $adb->pquery("SELECT $columnname as pickvalue FROM $tablename", array()); $picklistresCount = $adb->num_rows($picklistres); diff --git a/include/utils/utils.php b/include/utils/utils.php index 965910a3f85cb8906a7571806ac87490a44d11d9..fc250c377a47f30faf3464479efdc9ba750ccc0b 100755 --- a/include/utils/utils.php +++ b/include/utils/utils.php 
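Review bot: In vtlib_getPicklistValues (and the two vtlib_getPicklistValues_AccessibleToAll hunks above it) `$columnname = $adb->sql_escape_string($field_columnname)` is the only guard on a value that is then spliced in as an unquoted identifier (`vtiger_$columnname`, `SELECT $columnname as pickvalue`); sql_escape_string escapes for a quoted string literal, which is not the right check for an identifier, and the pquery conversion does not change that. Use `$columnname = Vtiger_Util_Helper::validateStringForSql($field_columnname);` here, as the InventoryUtils and Emails hunks of this patch do for table names. getAllPickListValues, getEditablePicklistValues and getNonEditablePicklistValues in PickListUtils.php use the same sql_escape_string-as-identifier pattern for `$fieldName`.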
@@ -1230,7 +1230,7 @@ function getAccessPickListValues($module) $temp_status = Array(); for($i=0;$i < $adb->num_rows($result);$i++) { - $fieldname = $adb->query_result($result,$i,"fieldname"); + $fieldname = Vtiger_Util_Helper::validateStringForSql($adb->query_result($result,$i,"fieldname")); $fieldlabel = $adb->query_result($result,$i,"fieldlabel"); $columnname = $adb->query_result($result,$i,"columnname"); $tabid = $adb->query_result($result,$i,"tabid"); @@ -1247,7 +1247,7 @@ function getAccessPickListValues($module) $mulsel="select distinct $fieldname from vtiger_$fieldname inner join vtiger_role2picklist on vtiger_role2picklist.picklistvalueid = vtiger_$fieldname.picklist_valueid where roleid ='".$roleid."' and picklistid in (select picklistid from vtiger_$fieldname) order by sortid asc"; } if($fieldname != 'firstname') - $mulselresult = $adb->query($mulsel); + $mulselresult = $adb->pquery($mulsel, array()); for($j=0;$j < $adb->num_rows($mulselresult);$j++) { $fieldvalues[] = $adb->query_result($mulselresult,$j,$fieldname); @@ -1755,7 +1755,7 @@ function com_vtGetModules($adb) { inner join vtiger_tab on vtiger_field.tabid=vtiger_tab.tabid where vtiger_field.tabid not in(9,10,16,15,29) and vtiger_tab.presence = 0 and vtiger_tab.isentitytype=1"; - $it = new SqlResultIterator($adb, $adb->query($sql)); + $it = new SqlResultIterator($adb, $adb->pquery($sql, array())); $modules = array(); foreach($it as $row) { if(isPermitted($row->name,'index') == "yes") { diff --git a/modules/Accounts/models/Module.php b/modules/Accounts/models/Module.php index 82e31bcd5fde52aa825c50092f50cd521c7efaee..874073fcc08c70a72245f48483f378471f0cc2af 100644 --- a/modules/Accounts/models/Module.php +++ b/modules/Accounts/models/Module.php 
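Review bot: `$mulsel` (context line) still interpolates `$roleid` as `roleid ='".$roleid."'` while the next line moves the call to `pquery($mulsel, array())`, so this hunk changes the call but carries no parameter; write the condition as `where roleid = ?` and pass `array($roleid)` so the parameterised call actually binds the one value it has. `$roleid`'s origin is outside the hunk and presumably comes from the current user's profile, so this is consistency rather than an exposed injection. The identical `$mulsel` pattern in ReportRun.php (hunk at 4173) should get the same treatment. Note also that when `$fieldname == 'firstname'` the query is skipped but the following loop still reads `$mulselresult`, which is then unset or stale from the previous iteration — pre-existing, but visible in this hunk.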
@@ -157,7 +157,6 @@ class Accounts_Module_Model extends Vtiger_Module_Model { $focus = CRMEntity::getInstance($this->getName()); $focus->id = $recordId; $entityIds = $focus->getRelatedContactsIds(); - $entityIds = implode(',', $entityIds); $params = array(); $query = "SELECT DISTINCT vtiger_crmentity.crmid, (CASE WHEN (crmentity2.crmid not like '') THEN crmentity2.crmid ELSE crmentity3.crmid END) AS parent_id, @@ -199,7 +198,7 @@ class Accounts_Module_Model extends Vtiger_Module_Model { array_push($params, $recordId); if ($entityIds) { $query .= " OR vtiger_cntactivityrel.contactid IN (" . generateQuestionMarks($entityIds) . "))"; - array_push($params, $entityIds); + $params = array_merge($params, $entityIds); } else { $query .= ")"; } diff --git a/modules/Calendar/Activity.php b/modules/Calendar/Activity.php index 77f4cb79a186500949ebfc3bae241f77b97a565f..5b8bb355f68c9da391ba670b769c3b125bc06074 100644 --- a/modules/Calendar/Activity.php +++ b/modules/Calendar/Activity.php @@ -579,7 +579,7 @@ function insertIntoRecurringTable(& $recurObj) left join vtiger_contactdetails on vtiger_contactdetails.contactid= vtiger_cntactivityrel.contactid left join vtiger_seactivityrel on vtiger_seactivityrel.activityid = vtiger_activity.activityid WHERE vtiger_crmentity.deleted=0 ".$criteria; - $result =& $this->db->query($query); + $result =& $this->db->pquery($query, array()); if($this->db->getRowCount($result) > 0){ // We have some data. @@ -675,7 +675,7 @@ function insertIntoRecurringTable(& $recurObj) { global $log; $log->debug("Entering process_list_query1(".$query.") method ..."); - $result =& $this->db->query($query,true,"Error retrieving $this->object_name list: "); + $result =& $this->db->pquery($query,array(),true,"Error retrieving $this->object_name list: "); $list = Array(); $rows_found = $this->db->getRowCount($result); if($rows_found != 0) 
@@ -1165,6 +1165,8 @@ function insertIntoRecurringTable(& $recurObj) $tabId = getTabid("Calendar"); $eventTempTable = 'vt_tmp_u'.$userModel->id.'_t'.$tabId.'_events'.$scope; $taskTempTable = 'vt_tmp_u'.$userModel->id.'_t'.$tabId.'_task'.$scope; + $eventTempTable = Vtiger_Util_Helper::validateStringForSql($eventTempTable); + $taskTempTable = Vtiger_Util_Helper::validateStringForSql($taskTempTable); $query = " ($eventTempTable.shared IS NOT NULL OR $taskTempTable.shared IS NOT NULL) "; } return $query; diff --git a/modules/Calendar/iCalExport.php b/modules/Calendar/iCalExport.php index 41c79c9f2e9b3ca9648691110a0881de519c5b76..47eb1c9d10a3d4d3641e165fd0e4539450478588 100644 --- a/modules/Calendar/iCalExport.php +++ b/modules/Calendar/iCalExport.php @@ -16,10 +16,10 @@ global $current_user,$adb,$default_timezone; $filename = $_REQUEST['filename']; $ical_query = "select vtiger_activity.*,vtiger_crmentity.description,vtiger_activity_reminder.reminder_time from vtiger_activity inner join vtiger_crmentity on vtiger_activity.activityid = vtiger_crmentity.crmid " . " LEFT JOIN vtiger_activity_reminder ON vtiger_activity_reminder.activity_id=vtiger_activity.activityid AND vtiger_activity_reminder.recurringid=0" . - " where vtiger_crmentity.deleted = 0 and vtiger_crmentity.smownerid = " . $current_user->id . + " where vtiger_crmentity.deleted = 0 and vtiger_crmentity.smownerid = ?" . " and vtiger_activity.activitytype NOT IN ('Emails')"; -$calendar_results = $adb->query($ical_query); +$calendar_results = $adb->pquery($ical_query, array($current_user->id)); // Send the right content type and filename header ("Content-type: text/calendar"); diff --git a/modules/Campaigns/Campaigns.php b/modules/Campaigns/Campaigns.php index cc99d855fdbe03ec6a22a15fe0e655dc9634972b..93fa0c1a0161c44dc97b21fe40877f429880a8ed 100644 --- a/modules/Campaigns/Campaigns.php +++ b/modules/Campaigns/Campaigns.php 
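Review bot: `$filename = $_REQUEST['filename'];` (context line, two lines above the changed query) is still taken verbatim from the request while the hunk only parameterises `smownerid`; its use is outside the hunk, but a value that ends up in a download header or file path should be normalised first, e.g. `$filename = basename(vtlib_purify($_REQUEST['filename']));`, matching the vtlib_purify treatment given to request values in the QueryGenerator hunk. The `NOT IN ('Emails')` literal in the query is fine as a constant and needs no binding.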
@@ -535,7 +535,7 @@ class Campaigns extends CRMEntity { if(!$this->campaignrelstatus) { - $result = $adb->query('SELECT * FROM vtiger_campaignrelstatus;'); + $result = $adb->pquery('SELECT * FROM vtiger_campaignrelstatus;', array()); while($row = $adb->fetchByAssoc($result)) { $this->campaignrelstatus[$row['campaignrelstatus']] = $row; diff --git a/modules/Campaigns/models/Record.php b/modules/Campaigns/models/Record.php index 718d22e990be2cc265d859c35370ee4ef0a2cca5..fd743e673ded2bae377daa8bedbf87d0fe9301fb 100644 --- a/modules/Campaigns/models/Record.php +++ b/modules/Campaigns/models/Record.php @@ -28,11 +28,13 @@ class Campaigns_Record_Model extends Vtiger_Record_Model { $query = "SELECT $fieldName FROM $tableName INNER JOIN vtiger_crmentity ON $tableName.$fieldName = vtiger_crmentity.crmid AND vtiger_crmentity.deleted = ? WHERE campaignid = ?"; + $params = array(0, $this->getId()); if ($excludedIds) { - $query .= " AND $fieldName NOT IN (". implode(',', $excludedIds) .")"; + $query .= " AND $fieldName NOT IN (". generateQuestionMarks($excludedIds) .")"; + $params = array_merge($params, $excludedIds); } - $result = $db->pquery($query, array(0, $this->getId())); + $result = $db->pquery($query, $params); $numOfRows = $db->num_rows($result); $selectedIdsList = array(); diff --git a/modules/Contacts/Contacts.php b/modules/Contacts/Contacts.php index 2e33d8b7a454478ec00962d35a10b1d1053ec84c..1a53e84d561d641057f1c4c9d955ca7c6b503d5e 100644 --- a/modules/Contacts/Contacts.php +++ b/modules/Contacts/Contacts.php @@ -197,7 +197,7 @@ class Contacts extends CRMEntity { global $log; $log->debug("Entering process_list_query1(".$query.") method ..."); - $result =& $this->db->query($query,true,"Error retrieving $this->object_name list: "); + $result =& $this->db->pquery($query,array(),true,"Error retrieving $this->object_name list: "); $list = Array(); $rows_found = $this->db->getRowCount($result); if($rows_found != 0) 
@@ -266,7 +266,7 @@ class Contacts extends CRMEntity {
 $permitted_field_lists[] = $adb->query_result($result1,$i,'columnname');
 }
- $result =& $this->db->query($query,true,"Error retrieving $this->object_name list: ");
+ $result =& $this->db->pquery($query,array(),true,"Error retrieving $this->object_name list: ");
 $list = Array();
 $rows_found = $this->db->getRowCount($result);
 if($rows_found != 0)
diff --git a/modules/Contacts/models/Module.php b/modules/Contacts/models/Module.php
index c2a6ad66a1851088acdf197f6fd2c7022289ea85..d32a90070f22b0a3d6bf693733a13c8f5f2531e5 100644
--- a/modules/Contacts/models/Module.php
+++ b/modules/Contacts/models/Module.php
@@ -160,69 +160,87 @@ class Contacts_Module_Model extends Vtiger_Module_Model { * @return <String> - query */ function getSearchRecordsQuery($searchValue, $searchFields, $parentId=false, $parentModule=false) { - if($parentId && $parentModule == 'Accounts') { + $db = PearDatabase::getInstance(); + if($parentId && $parentModule == 'Accounts') { $query = "SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid - WHERE deleted = 0 AND vtiger_contactdetails.accountid = $parentId AND label like '%$searchValue%'"; - return $query; + WHERE deleted = 0 AND vtiger_contactdetails.accountid = ? AND label like ?"; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } else if($parentId && $parentModule == 'Potentials') { $query = "SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid LEFT JOIN vtiger_contpotentialrel ON vtiger_contpotentialrel.contactid = vtiger_contactdetails.contactid LEFT JOIN vtiger_potential ON vtiger_potential.contact_id = vtiger_contactdetails.contactid - WHERE deleted = 0 AND (vtiger_contpotentialrel.potentialid = $parentId OR vtiger_potential.potentialid = $parentId) - AND label like '%$searchValue%'"; - - return $query; + WHERE deleted = 0 AND (vtiger_contpotentialrel.potentialid = ? OR vtiger_potential.potentialid = ?) + AND label like ?"; + $params = array($parentId, $parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } else if ($parentId && $parentModule == 'HelpDesk') { $query = "SELECT ".implode(',',$searchFields)." 
FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid INNER JOIN vtiger_troubletickets ON vtiger_troubletickets.contact_id = vtiger_contactdetails.contactid - WHERE deleted=0 AND vtiger_troubletickets.ticketid = $parentId AND label like '%$searchValue%'"; + WHERE deleted=0 AND vtiger_troubletickets.ticketid = ? AND label like ?"; - return $query; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } else if($parentId && $parentModule == 'Campaigns') { $query = "SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid INNER JOIN vtiger_campaigncontrel ON vtiger_campaigncontrel.contactid = vtiger_contactdetails.contactid - WHERE deleted=0 AND vtiger_campaigncontrel.campaignid = $parentId AND label like '%$searchValue%'"; + WHERE deleted=0 AND vtiger_campaigncontrel.campaignid = ? AND label like ?"; - return $query; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } else if($parentId && $parentModule == 'Vendors') { $query = "SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid INNER JOIN vtiger_vendorcontactrel ON vtiger_vendorcontactrel.contactid = vtiger_contactdetails.contactid - WHERE deleted=0 AND vtiger_vendorcontactrel.vendorid = $parentId AND label like '%$searchValue%'"; + WHERE deleted=0 AND vtiger_vendorcontactrel.vendorid = ? AND label like ?"; - return $query; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } else if ($parentId && $parentModule == 'Quotes') { $query = "SELECT ".implode(',',$searchFields)." 
FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid INNER JOIN vtiger_quotes ON vtiger_quotes.contactid = vtiger_contactdetails.contactid - WHERE deleted=0 AND vtiger_quotes.quoteid = $parentId AND label like '%$searchValue%'"; + WHERE deleted=0 AND vtiger_quotes.quoteid = ? AND label like ?"; - return $query; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } else if ($parentId && $parentModule == 'PurchaseOrder') { $query = "SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid INNER JOIN vtiger_purchaseorder ON vtiger_purchaseorder.contactid = vtiger_contactdetails.contactid - WHERE deleted=0 AND vtiger_purchaseorder.purchaseorderid = $parentId AND label like '%$searchValue%'"; + WHERE deleted=0 AND vtiger_purchaseorder.purchaseorderid = ? AND label like ?"; - return $query; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } else if ($parentId && $parentModule == 'SalesOrder') { $query = "SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid INNER JOIN vtiger_salesorder ON vtiger_salesorder.contactid = vtiger_contactdetails.contactid - WHERE deleted=0 AND vtiger_salesorder.salesorderid = $parentId AND label like '%$searchValue%'"; + WHERE deleted=0 AND vtiger_salesorder.salesorderid = ? AND label like ?"; - return $query; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } else if ($parentId && $parentModule == 'Invoice') { $query = "SELECT ".implode(',',$searchFields)." 
FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid INNER JOIN vtiger_invoice ON vtiger_invoice.contactid = vtiger_contactdetails.contactid - WHERE deleted=0 AND vtiger_invoice.invoiceid = $parentId AND label like '%$searchValue%'"; + WHERE deleted=0 AND vtiger_invoice.invoiceid = ? AND label like ?"; - return $query; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } return parent::getSearchRecordsQuery($searchValue,$searchFields,$parentId, $parentModule); diff --git a/modules/CustomView/ListViewTop.php b/modules/CustomView/ListViewTop.php index f175168a62fe270c914414f8cb16599ba2bd78d2..f676baa60bc7cad70102b3448e2690764a398e4a 100644 --- a/modules/CustomView/ListViewTop.php +++ b/modules/CustomView/ListViewTop.php @@ -79,7 +79,7 @@ function getKeyMetrics($maxval,$calCnt) $oCustomView = new CustomView($metriclist['module']); $metricsql = $oCustomView->getModifiedCvListQuery($metriclist['id'],$listquery,$metriclist['module']); $metricsql = Vtiger_Functions::mkCountQuery($metricsql); - $metricresult = $adb->query($metricsql); + $metricresult = $adb->pquery($metricsql, array()); if($metricresult) { $rowcount = $adb->fetch_array($metricresult); @@ -91,7 +91,7 @@ function getKeyMetrics($maxval,$calCnt) $queryGenerator->initForCustomViewById($metriclist['id']); $metricsql = $queryGenerator->getQuery(); $metricsql = Vtiger_Functions::mkCountQuery($metricsql); - $metricresult = $adb->query($metricsql); + $metricresult = $adb->pquery($metricsql, array()); if($metricresult) { $rowcount = $adb->fetch_array($metricresult); diff --git a/modules/CustomView/models/Record.php b/modules/CustomView/models/Record.php index 2c2cf5b13acc608ccce9025a8e26763337a0b504..e0161d030637b781b7a13f6ce9c555a60b25b0d5 100644 --- a/modules/CustomView/models/Record.php +++ b/modules/CustomView/models/Record.php 
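Review bot: Each of the nine branches now ends with the same three lines (`$params = ...; $returnQuery = $db->convert2Sql($query, $params); return $returnQuery;`), and the interpolated `implode(',',$searchFields)` column list is the one part of the query convert2Sql cannot protect; assign only `$query` and `$params` per branch, let them fall through, and finish the chain once with `if (isset($query)) { return $db->convert2Sql($query, $params); }` ahead of the existing `return parent::getSearchRecordsQuery(...)`. `$searchFields`' origin is outside the hunk; if it is not trusted, each entry should pass `Vtiger_Util_Helper::validateStringForSql`, as this patch does for identifiers elsewhere. Since convert2Sql yields a pre-escaped SQL string rather than a query executed with bound parameters, a note on the docblock's `@return` that the returned string must be executed as-is and not re-escaped would record that contract. The closing brace of getSearchRecordsQuery is outside the hunk.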
@@ -232,9 +232,10 @@ class CustomView_Record_Model extends Vtiger_Base_Model {
 }
 if($skipRecords && !empty($skipRecords) && is_array($skipRecords) && count($skipRecords) > 0) {
- $listQuery .= ' AND '.$baseTableName.'.'.$baseTableId.' NOT IN ('. implode(',', $skipRecords) .')';
+ $listQuery .= ' AND '.$baseTableName.'.'.$baseTableId.' NOT IN ('. generateQuestionMarks($skipRecords) .')';
+ $params = array($skipRecords);
 }
- $result = $db->query($listQuery);
+ $result = $db->pquery($listQuery, $params);
 $noOfRecords = $db->num_rows($result);
 $recordIds = array();
 for($i=0; $i<$noOfRecords; ++$i) {
diff --git a/modules/Emails/Emails.php b/modules/Emails/Emails.php
index f3dac4473ecedbf522c468277a292c54188eb6e3..19316b7a2604b3654cd133694f40323ff0e60de4 100644
--- a/modules/Emails/Emails.php
+++ b/modules/Emails/Emails.php
@@ -550,6 +550,7 @@ class Emails extends CRMEntity {
 $module = getTabname($tabId);
 }
 $query = $this->getNonAdminAccessQuery($module, $user, $parentRole, $userGroups);
+ $tableName = Vtiger_Util_Helper::validateStringForSql($tableName);
 $query = "create temporary table IF NOT EXISTS $tableName(id int(11) primary key, shared int(1) default 0) ignore ".$query;
 $db = PearDatabase::getInstance();
 $result = $db->pquery($query, array());
diff --git a/modules/Emails/models/Module.php b/modules/Emails/models/Module.php
index c591f976d61a36eaa60685779a6ba3d895acd291..57e4ae774b9aa2d70c73f6185bb7f70e7054e221 100644
--- a/modules/Emails/models/Module.php
+++ b/modules/Emails/models/Module.php
@@ -64,6 +64,7 @@ class Emails_Module_Model extends Vtiger_Module_Model{
 public function searchEmails($searchValue, $moduleName = false) {
 global $current_user;
 $emailsResult = array();
+ $params = array();
 $db = PearDatabase::getInstance();
 $EmailsModuleModel = Vtiger_Module_Model::getInstance('Emails');
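Review bot: `$params = array($skipRecords);` wraps the id list in an outer array, and `$params` is only assigned inside the `if`, so when `$skipRecords` is empty the `pquery($listQuery, $params)` call on the next line reads an undefined variable unless it is initialised above the hunk. Initialise it before the condition and bind the flat list: `$params = array();` ahead of the `if`, and `$params = array_values($skipRecords);` inside it. Whether pquery flattens nested arrays cannot be seen from here; binding the flat list removes the dependency either way. The enclosing method starts outside the hunk.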
@@ -88,16 +89,20 @@ class Emails_Module_Model extends Vtiger_Module_Model{ $query = "SELECT vtiger_emailslookup.crmid, vtiger_emailslookup.setype, vtiger_emailslookup.value, vtiger_crmentity.label FROM vtiger_emailslookup INNER JOIN vtiger_crmentity on vtiger_crmentity.crmid = vtiger_emailslookup.crmid AND vtiger_crmentity.deleted=0 WHERE - vtiger_emailslookup.fieldid in (".implode(',', $fieldIds).") and - vtiger_emailslookup.setype in (".implode(',', $activeModules).") + vtiger_emailslookup.fieldid in (".generateQuestionMarks($fieldIds).") and + vtiger_emailslookup.setype in (".generateQuestionMarks($activeModules).") and (vtiger_emailslookup.value LIKE ? OR vtiger_crmentity.label LIKE ?)"; - + $params = array_merge($params, $fieldIds); + $params = array_merge($params, $activeModules); + array_push($params, "%$searchValue%"); + array_push($params, "%$searchValue%"); $emailOptOutIds = $this->getEmailOptOutRecordIds(); if (!empty($emailOptOutIds)) { - $query .= " AND vtiger_emailslookup.crmid NOT IN (".implode(',', $emailOptOutIds).")"; + $query .= " AND vtiger_emailslookup.crmid NOT IN (". generateQuestionMarks($emailOptOutIds).")"; + $params = array_merge($params, $emailOptOutIds); } - $result = $db->pquery($query, array('%'.$searchValue.'%', '%'.$searchValue.'%')); + $result = $db->pquery($query, $params); $isAdmin = is_admin($current_user); while ($row = $db->fetchByAssoc($result)) { if (!$isAdmin) { diff --git a/modules/HelpDesk/HelpDesk.php b/modules/HelpDesk/HelpDesk.php index 9bd40d4b25ebf6650569aebb1df5269fcd8d1d63..0d83c3d3a9926af7b77129c90d6ffa295a1d05e7 100644 --- a/modules/HelpDesk/HelpDesk.php +++ b/modules/HelpDesk/HelpDesk.php 
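Review bot: The old query spliced `implode(',', $activeModules)` into `setype in (...)` without adding quotes, which only worked if the entries were already quoted strings; if that is still how `$activeModules` is built (outside the hunk), binding them through `generateQuestionMarks` now sends each value with its quotes attached and the IN clause matches nothing — please confirm the entries are bare module names. `generateQuestionMarks` on an empty `$fieldIds` or `$activeModules` also yields `in ()`, a syntax error rather than an empty result; a guard such as `if (empty($fieldIds) || empty($activeModules)) { return $emailsResult; }` before the query would cover it. searchEmails starts and ends outside the hunk.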
@@ -305,7 +305,7 @@ class HelpDesk extends CRMEntity {
 global $log;
 $log->debug("Entering process_list_query(".$query.") method ...");
- $result =& $this->db->query($query,true,"Error retrieving $this->object_name list: ");
+ $result =& $this->db->pquery($query,array(),true,"Error retrieving $this->object_name list: ");
 $list = Array();
 $rows_found = $this->db->getRowCount($result);
 if($rows_found != 0)
diff --git a/modules/PickList/PickListUtils.php b/modules/PickList/PickListUtils.php
index c742a78355adc3c8a9ff3644dd87ed280082947a..bd5b04705bb1803bf388d1f0571459c853167e2f 100644
--- a/modules/PickList/PickListUtils.php
+++ b/modules/PickList/PickListUtils.php
@@ -112,7 +112,7 @@ function getAllPickListValues($fieldName,$lang = Array() ){
 $arr = array_map('decode_html', $userRecordModel->getAccessibleUsers());
 }else {
 $sql = 'SELECT * FROM vtiger_'.$adb->sql_escape_string($fieldName);
- $result = $adb->query($sql);
+ $result = $adb->pquery($sql, array());
 $count = $adb->num_rows($result);
 $arr = array();
@@ -143,7 +143,7 @@ function getEditablePicklistValues($fieldName, $lang= array(), $adb){
 $values = array();
 $fieldName = $adb->sql_escape_string($fieldName);
 $sql="select $fieldName from vtiger_$fieldName where presence=1 and $fieldName <> '--None--'";
- $res = $adb->query($sql);
+ $res = $adb->pquery($sql, array());
 $RowCount = $adb->num_rows($res);
 if($RowCount > 0){
 for($i=0;$i<$RowCount;$i++){
@@ -169,7 +169,7 @@ function getNonEditablePicklistValues($fieldName, $lang=array(), $adb){
 $values = array();
 $fieldName = $adb->sql_escape_string($fieldName);
 $sql = "select $fieldName from vtiger_$fieldName where presence=0";
- $result = $adb->query($sql);
+ $result = $adb->pquery($sql, array());
 $count = $adb->num_rows($result);
 for($i=0;$i<$count;$i++){
 $non_val = $adb->query_result($result,$i,$fieldName);
diff --git a/modules/Potentials/models/Module.php b/modules/Potentials/models/Module.php index d33ec91eb2dcd255324ad32d200910e48c93e665..bb6a9a7a342bc4e0214120d1085187c3424dc2b7 100644 --- a/modules/Potentials/models/Module.php +++ b/modules/Potentials/models/Module.php @@ -360,11 +360,14 @@ class Potentials_Module_Model extends Vtiger_Module_Model { * @return <String> - query */ public function getSearchRecordsQuery($searchValue,$searchFields, $parentId=false, $parentModule=false) { + $db = PearDatabase::getInstance(); if($parentId && in_array($parentModule, array('Accounts', 'Contacts'))) { $query = "SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity INNER JOIN vtiger_potential ON vtiger_potential.potentialid = vtiger_crmentity.crmid - WHERE deleted = 0 AND vtiger_potential.related_to = $parentId AND label like '%$searchValue%'"; - return $query; + WHERE deleted = 0 AND vtiger_potential.related_to = ? AND label like ?"; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } return parent::getSearchRecordsQuery($parentId, $parentModule); } diff --git a/modules/PriceBooks/PriceBooks.php b/modules/PriceBooks/PriceBooks.php index 725c35611df5760e7ef36ca88ae772e5cb3361b4..916a3dc2e84dc4c7ca91e7ae0961201627033dd9 100755 --- a/modules/PriceBooks/PriceBooks.php +++ b/modules/PriceBooks/PriceBooks.php 
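Review bot: The fall-through `return parent::getSearchRecordsQuery($parentId, $parentModule);` (last context line) passes two arguments to a method whose signature — the one declared a few lines above, and the parent call in the Contacts hunk — takes `($searchValue, $searchFields, $parentId, $parentModule)`, so `$parentId` arrives as `$searchValue` and the real parent id is dropped; change it to `return parent::getSearchRecordsQuery($searchValue, $searchFields, $parentId, $parentModule);`. This is pre-existing, but the hunk touches the function and is the natural place to fix it. As in Contacts, `implode(',',$searchFields)` stays outside the parameterised part of the query, and `$searchFields`' origin is outside the hunk.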
@@ -346,14 +346,16 @@ class PriceBooks extends CRMEntity { $focus = CRMEntity::getInstance($moduleName); $moduleSubject = 'bookname'; - $tableName = Import_Utils_Helper::getDbTableName($obj->user); - $sql = 'SELECT * FROM ' . $tableName . ' WHERE status = '. Import_Data_Action::$IMPORT_RECORD_NONE .' GROUP BY '. $moduleSubject; - + $params = array(); + $tableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($obj->user)); + $sql = 'SELECT * FROM ' . $tableName . ' WHERE status = ? GROUP BY ?'; + array_push($params, Import_Data_Action::$IMPORT_RECORD_NONE); + array_push($params, $moduleSubject); if($obj->batchImport) { $importBatchLimit = getImportBatchLimit(); $sql .= ' LIMIT '. $importBatchLimit; } - $result = $adb->query($sql); + $result = $adb->pquery($sql, $params); $numberOfRecords = $adb->num_rows($result); if ($numberOfRecords <= 0) { @@ -370,8 +372,11 @@ class PriceBooks extends CRMEntity { $fieldData = array(); $subject = str_replace("\\", "\\\\", $subject); $subject = str_replace('"', '""', $subject); - $sql = 'SELECT * FROM ' . $tableName . ' WHERE status = '. Import_Data_Action::$IMPORT_RECORD_NONE .' AND '. $moduleSubject . ' = "'. $subject .'"'; - $subjectResult = $adb->query($sql); + $params = array(); + $sql = 'SELECT * FROM ' . $tableName . ' WHERE status = ? AND '. $moduleSubject . ' = ? '; + array_push($params, Import_Data_Action::$IMPORT_RECORD_NONE); + array_push($params, $subject); + $subjectResult = $adb->pquery($sql, $params); $count = $adb->num_rows($subjectResult); $subjectRowIDs = $fieldArray = $productList = array(); for ($j = 0; $j < $count; ++$j) { diff --git a/modules/Reports/ReportRun.php b/modules/Reports/ReportRun.php index 617ec6ba55daa40109d76f160164342ef131f4cf..7a2469d5961897fbe04913b3a7b35ca993cc43f0 100644 --- a/modules/Reports/ReportRun.php +++ b/modules/Reports/ReportRun.php 
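Review bot: `GROUP BY ?` with `$moduleSubject` pushed as a parameter binds the column name as a string literal, so the query groups by the constant `'bookname'` rather than the column and the import loop sees a single group; identifiers cannot be bound. Keep the column interpolated, as the second hunk of this function still does for `$moduleSubject . ' = ? '`: `$sql = 'SELECT * FROM ' . $tableName . ' WHERE status = ? GROUP BY ' . $moduleSubject;` and drop the `array_push($params, $moduleSubject);` line. `$moduleSubject` is the literal `'bookname'` assigned two lines above, so this is a correctness fix, not an injection concern. createRecords continues outside the hunk.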
@@ -3159,7 +3159,7 @@ class ReportRun extends CRMEntity { $sSQL = $this->sGetSQLforReport($this->reportid, $filtersql, "COLUMNSTOTOTAL"); if (isset($this->totallist)) { if ($sSQL != "") { - $result = $adb->query($sSQL); + $result = $adb->pquery($sSQL, array()); $y = $adb->num_fields($result); $custom_field_values = $adb->fetch_array($result); @@ -3325,7 +3325,7 @@ class ReportRun extends CRMEntity { $sSQL = $this->sGetSQLforReport($this->reportid, $filtersql, "COLUMNSTOTOTAL"); if (isset($this->totallist)) { if ($sSQL != '') { - $result = $adb->query($sSQL); + $result = $adb->pquery($sSQL, array()); $y = $adb->num_fields($result); $custom_field_values = $adb->fetch_array($result); @@ -3540,7 +3540,7 @@ class ReportRun extends CRMEntity { if (isset($this->totallist)) { if ($sSQL != "") { - $result = $adb->query($sSQL); + $result = $adb->pquery($sSQL, array()); $y = $adb->num_fields($result); $custom_field_values = $adb->fetch_array($result); $reportModule = 'Reports'; @@ -3764,7 +3764,7 @@ class ReportRun extends CRMEntity { $sSQL = $this->sGetSQLforReport($this->reportid, $filtersql, "COLUMNSTOTOTAL"); if (isset($this->totallist)) { if ($sSQL != "") { - $result = $adb->query($sSQL); + $result = $adb->pquery($sSQL, array()); $y = $adb->num_fields($result); $custom_field_values = $adb->fetch_array($result); $reportModule = 'Reports'; @@ -4173,7 +4173,7 @@ class ReportRun extends CRMEntity { $mulsel = "select distinct $fieldname from vtiger_$fieldname inner join vtiger_role2picklist on vtiger_role2picklist.picklistvalueid = vtiger_$fieldname.picklist_valueid where roleid ='" . $roleid . "' and picklistid in (select picklistid from vtiger_$fieldname)"; // order by sortid asc - not requried } if ($fieldname != 'firstname') - $mulselresult = $adb->query($mulsel); + $mulselresult = $adb->pquery($mulsel, array()); for ($j = 0; $j < $adb->num_rows($mulselresult); $j++) { $fldvalue = $adb->query_result($mulselresult, $j, $fieldname); if (in_array($fldvalue, $fieldvalues)) 
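Review bot: In the hunk at `@@ -4173`, switching to `pquery($mulsel, array())` does not parameterise anything: `$roleid` is still interpolated into `roleid ='" . $roleid . "'` and `$fieldname` into the table and column names. At minimum bind the role id, `... where roleid = ? and picklistid in (select picklistid from vtiger_$fieldname)"` and `$mulselresult = $adb->pquery($mulsel, array($roleid));`, and add `// $fieldname is spliced into identifiers; it must come from the report definition, not from request data` where it is assigned. The other four hunks in this file only pass an empty parameter array to SQL built by `sGetSQLforReport`, so whatever that method interpolates is unchanged; the functions those hunks belong to start and end outside the hunks.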
diff --git a/modules/Reports/ReportSharing.php b/modules/Reports/ReportSharing.php index 6481cd48adeb8b78f0158dc2e69e982286e8c09e..30fcc9daec8b9900adc04079e6f0c10bceb503ee 100644 --- a/modules/Reports/ReportSharing.php +++ b/modules/Reports/ReportSharing.php @@ -107,7 +107,7 @@ function getVisibleCriteria($recordid='') if($selcriteria == ""){ $selcriteria = 'Public'; } - $filter_result = $adb->query("select * from vtiger_reportfilters"); + $filter_result = $adb->pquery("select * from vtiger_reportfilters", array()); $numrows = $adb->num_rows($filter_result); for($j=0;$j<$numrows;$j++) { diff --git a/modules/Reports/models/Folder.php b/modules/Reports/models/Folder.php index 6c3c4c5a47ee2633f2501a52dd060c72c8e33e0c..a7e64d2a5db4c7bd8df02c487f8f7b6847353b19 100644 --- a/modules/Reports/models/Folder.php +++ b/modules/Reports/models/Folder.php @@ -283,7 +283,8 @@ class Reports_Folder_Model extends Vtiger_Base_Model { public function getReportsCount() { $db = PearDatabase::getInstance(); $params = array(); - + global $log; + $log->fatal('get reports count api'); // To get the report ids which are permitted for the user $query = "SELECT reportmodulesid, primarymodule from vtiger_reportmodules"; $result = $db->pquery($query, array()); @@ -299,7 +300,8 @@ class Reports_Folder_Model extends Vtiger_Base_Model { //End $sql = "SELECT count(*) AS count FROM vtiger_report INNER JOIN vtiger_reportfolder ON vtiger_reportfolder.folderid = vtiger_report.folderid AND - vtiger_report.reportid in (".implode(',',$allowedReportIds).")"; + vtiger_report.reportid in (". generateQuestionMarks($allowedReportIds).")"; + $params = array_merge($params, $allowedReportIds); $fldrId = $this->getId(); if($fldrId == 'All') { $fldrId = false; 
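Review bot: `$log->fatal('get reports count api')` in the `@@ -283` hunk is a debug trace left in production code at the highest severity, and the `@@ -337` hunk in the next chunk of this file goes further by logging `$params` and the fully substituted SQL, which writes the current user id and parent-role sequence to the log on every count. The same kind of trace is added to `searchRecord` in modules/Vtiger/models/Module.php while the commit removes identical lines from modules/Vtiger/models/Tag.php, so these look like leftovers; drop `global $log;` and the `$log->fatal(...)` lines, or downgrade them to `$log->debug(...)` if they are meant to stay. Separately, `generateQuestionMarks($allowedReportIds)` presumably yields `IN ()` when no report module is permitted, which the previous `implode` also did; guarding on `empty($allowedReportIds)` would avoid the SQL error. `getReportsCount` runs past the end of this hunk.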
@@ -323,7 +325,8 @@ class Reports_Folder_Model extends Vtiger_Base_Model { $groupId = implode(',',$currentUserModel->get('groups')); if ($groupId) { - $groupQuery = "(SELECT reportid from vtiger_reportsharing WHERE shareid IN ($groupId) AND setype = 'groups') OR "; + $groupQuery = "(SELECT reportid from vtiger_reportsharing WHERE shareid IN (". generateQuestionMarks($currentUserModel->get('groups')).") AND setype = 'groups') OR "; + $params = array_merge($params, $currentUserModel->get('groups')); } $sql .= " AND (vtiger_report.reportid IN (SELECT reportid from vtiger_reportsharing WHERE $groupQuery shareid = ? AND setype = 'users') @@ -337,6 +340,12 @@ class Reports_Folder_Model extends Vtiger_Base_Model { $parentRoleSeq = $currentUserModel->get('parent_role_seq').'::%'; array_push($params, $currentUserId, $currentUserId, $parentRoleSeq); } + $log->fatal('Final query params are => '); + $log->fatal($params); + $log->fatal('sql query is => '); + $log->fatal($sql); + $log->fatal('Converted query is => '); + $log->fatal($db->convert2sql($sql, $params)); $result = $db->pquery($sql, $params); return $db->query_result($result, 0, 'count'); } @@ -373,9 +382,9 @@ class Reports_Folder_Model extends Vtiger_Base_Model { $listQuery = $this->getListViewQuery($folderId, $searchParams); if($skipRecords && !empty($skipRecords) && is_array($skipRecords) && count($skipRecords) > 0) { - $listQuery .= ' AND '.$baseTableName.'.'.$baseTableId.' NOT IN ('. implode(',', $skipRecords) .')'; + $listQuery .= ' AND '.$baseTableName.'.'.$baseTableId.' NOT IN ('. generateQuestionMarks($skipRecords) .')'; } - $result = $db->query($listQuery); + $result = $db->pquery($listQuery, $skipRecords); $noOfRecords = $db->num_rows($result); $recordIds = array(); for($i=0; $i<$noOfRecords; ++$i) { diff --git a/modules/Reports/models/Record.php b/modules/Reports/models/Record.php index 96101870a2b177eadea38b180a21cd61b5807f63..86c626065d746a3a8ef796042c19311ec5f33370 100644 
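Review bot: `$db->pquery($listQuery, $skipRecords)` in the `@@ -373` hunk passes `$skipRecords` through unchanged even when the guard that adds the placeholders is false, so a `false`, null or non-array value reaches `pquery` as the parameter list; and when the guard is true an associative array is handed over as-is, which only works if `generateQuestionMarks` and the driver both treat it as a list. Normalise once, `$params = (is_array($skipRecords) && count($skipRecords) > 0) ? array_values($skipRecords) : array();`, and pass `$params`. This also assumes `getListViewQuery` returns SQL with no placeholders of its own — worth confirming, since any it contains would consume these values first. The method containing that hunk starts before it.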
--- a/modules/Reports/models/Record.php +++ b/modules/Reports/models/Record.php @@ -793,7 +793,7 @@ class Reports_Record_Model extends Vtiger_Record_Model { $query = $this->get('recordCountQuery'); global $adb; $count = 0; - $result = $adb->query($query, array()); + $result = $adb->pquery($query, array()); if($adb->num_rows($result) > 0 ){ $count = $adb->query_result($result, 0, 'count'); } diff --git a/modules/Rss/models/Module.php b/modules/Rss/models/Module.php index 83d8717160b2d8dbb1f8fdbc4bfb5bfb1287ba90..9d96b95ec56fbb4ac2f30eef76d5e9a9ee68586a 100644 --- a/modules/Rss/models/Module.php +++ b/modules/Rss/models/Module.php @@ -51,7 +51,7 @@ class Rss_Module_Model extends Vtiger_Module_Model { public function getRssSources() { $db = PearDatabase::getInstance(); - $sql = 'Select *from vtiger_rss'; + $sql = 'Select * from vtiger_rss'; $result = $db->pquery($sql, array()); $noOfRows = $db->num_rows($result); diff --git a/modules/Settings/Leads/models/Mapping.php b/modules/Settings/Leads/models/Mapping.php index 3100f8e4790c140cb16e74419614650c6bf06615..313cb0c1bb76f24ec7ea0dbb970e44457b22dae3 100644 --- a/modules/Settings/Leads/models/Mapping.php +++ b/modules/Settings/Leads/models/Mapping.php 
@@ -180,14 +180,16 @@ class Settings_Leads_Mapping_Model extends Settings_Vtiger_Module_Model { $insertQuery = 'INSERT INTO vtiger_convertleadmapping(leadfid, accountfid, contactfid, potentialfid) VALUES '; $count = count($createMappingsList); + $params = array(); for ($i=0; $i<$count; $i++) { $mappingDetails = $createMappingsList[$i]; - $insertQuery .= '('. $mappingDetails['lead'] .', '. $mappingDetails['account'] .', '. $mappingDetails['contact'] .', '. $mappingDetails['potential'] .')'; + $insertQuery .= '(?, ?, ?, ?)'; + array_push($params, $mappingDetails['lead'], $mappingDetails['account'], $mappingDetails['contact'], $mappingDetails['potential']); if ($i !== $count-1) { $insertQuery .= ', '; } } - $db->pquery($insertQuery, array()); + $db->pquery($insertQuery, $params); } if ($updateMappingsList) { diff --git a/modules/Settings/LoginHistory/models/ListView.php b/modules/Settings/LoginHistory/models/ListView.php index 635658d39b4c2501809d6a9aa0bbfc1bb04ab5be..e682545d5793cbb14c8bc4cf192fa6ba566487b0 100644 --- a/modules/Settings/LoginHistory/models/ListView.php +++ b/modules/Settings/LoginHistory/models/ListView.php @@ -14,6 +14,7 @@ class Settings_LoginHistory_ListView_Model extends Settings_Vtiger_ListView_Mode * @return type */ public function getBasicListQuery() { + $db = PearDatabase::getInstance(); $module = $this->getModule(); $userNameSql = getSqlForNameInDisplayFormat(array('first_name'=>'vtiger_users.first_name', 'last_name' => 'vtiger_users.last_name'), 'Users'); 
@@ -23,11 +24,13 @@ class Settings_LoginHistory_ListView_Model extends Settings_Vtiger_ListView_Mode $search_key = $this->get('search_key'); $value = Vtiger_Functions::realEscapeString($this->get('search_value')); + $params = array(); if(!empty($search_key) && !empty($value)) { - $query .= " WHERE $module->baseTable.$search_key = '$value'"; + $query .= " WHERE $module->baseTable.$search_key = ?"; + $params[] = $value; } $query .= " ORDER BY login_time DESC"; - return $query; + return $db->convert2Sql($query, $params); } public function getListViewLinks() { @@ -47,12 +50,13 @@ class Settings_LoginHistory_ListView_Model extends Settings_Vtiger_ListView_Mode $search_key = $this->get('search_key'); $value = $this->get('search_value'); - + $params = array(); if(!empty($search_key) && !empty($value)) { - $listQuery .= " WHERE $module->baseTable.$search_key = '$value'"; + $listQuery .= " WHERE $module->baseTable.$search_key = ?"; + $params[] = $value; } - $listResult = $db->pquery($listQuery, array()); + $listResult = $db->pquery($listQuery, $params); return $db->query_result($listResult, 0, 'count'); } } diff --git a/modules/Settings/Picklist/actions/SaveAjax.php b/modules/Settings/Picklist/actions/SaveAjax.php index 2388760f1102325af112098d802132c9d519d780..da391e3f88ddcc1b719884b86bb3465e770fdb21 100644 --- a/modules/Settings/Picklist/actions/SaveAjax.php +++ b/modules/Settings/Picklist/actions/SaveAjax.php 
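Review bot: `$search_key` is still interpolated into `WHERE $module->baseTable.$search_key = ?` in both hunks, so the column name — which `$this->get('search_key')` appears to take from the request — remains unvalidated while only the value is bound; check it against the module's known column names before use, or restrict it to the columns the list view actually offers. In the `@@ -23` hunk the value is also run through `Vtiger_Functions::realEscapeString` before binding, which now doubles any backslash in the search term instead of escaping it, whereas the count query in `@@ -47` binds the raw value; drop the escaping so both paths compare the same string. `getBasicListQuery` starts in the previous chunk.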
@@ -40,20 +40,23 @@ class Settings_Picklist_SaveAjax_Action extends Settings_Vtiger_Basic_Action { $defaultFieldName = 'defaultactivitytype'; else $defaultFieldName = 'defaulteventstatus'; - $queryToGetId = 'SELECT id FROM vtiger_users WHERE '.$defaultFieldName.' IN ('; + $queryToGetId = "SELECT id FROM vtiger_users WHERE ".$defaultFieldName." IN ("; + $params = array(); if(is_array($oldValue)) { for($i=0;$i<count($oldValue);$i++) { - $queryToGetId .= '"'.$oldValue[$i].'"'; + $queryToGetId .= "?"; + array_push($params, $oldValue[$i]); if($i<(count($oldValue)-1)) { - $queryToGetId .= ','; + $queryToGetId .= ","; } } - $queryToGetId .= ')'; + $queryToGetId .= ")"; } else { - $queryToGetId .= '"'.$oldValue.'")'; + $queryToGetId .= "?)"; + array_push($params, $oldValue); } - $result = $db->pquery($queryToGetId, array()); + $result = $db->pquery($queryToGetId, $params); $rowCount = $db->num_rows($result); for($i=0; $i<$rowCount; $i++) { $recordId = $db->query_result_rowdata($result, $i); diff --git a/modules/Settings/Picklist/models/Field.php b/modules/Settings/Picklist/models/Field.php index f7b64bd6b702fb1320bf7560e9b2737157b88028..1af6edee6cfd3dc87c8431049901f9a0d64ecdff 100644 --- a/modules/Settings/Picklist/models/Field.php +++ b/modules/Settings/Picklist/models/Field.php @@ -39,7 +39,7 @@ class Settings_Picklist_Field_Model extends Vtiger_Field_Model { return Vtiger_Cache::get('PicklistRoleBasedValues',$this->getName().implode('_', $roleIdList)); } $db = PearDatabase::getInstance(); - $fieldName = $this->getName(); + $fieldName = Vtiger_Util_Helper::validateStringForSql($this->getName()); $tableName = 'vtiger_'.$fieldName; $idColName = $fieldName.'id'; $query = 'SELECT '.$fieldName; 
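Review bot: `Vtiger_Util_Helper::validateStringForSql($this->getName())` is relied on to make a value safe as an identifier that is spliced into `$tableName = 'vtiger_'.$fieldName` and the SELECT column list, but the helper's rules are not visible here and an identifier context needs a different check from a value context (no whitespace, quotes, backticks, comment sequences or dots). If it is a character-class allowlist, a comment such as `// validateStringForSql() must reject anything outside [A-Za-z0-9_]; the result is used as a table/column name` would make that contract explicit where it matters; a stronger option is to compare the name against the picklist field names already known to the system. The same reliance appears throughout modules/Settings/Picklist/models/Module.php, in modules/Users/Users.php, in both Import views and in modules/Vtiger/helpers/Util.php. In the SaveAjax hunk, switching the static string literals from single to double quotes is churn that makes the diff harder to read, and `count($oldValue)` is re-evaluated on every loop iteration.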
@@ -103,6 +103,7 @@ class Settings_Picklist_Field_Model extends Vtiger_Field_Model { * @return type -- array of values */ public function getEditablePicklistValues($fieldName){ + $fieldName = Vtiger_Util_Helper::validateStringForSql($fieldName); $cache = Vtiger_Cache::getInstance(); $EditablePicklistValues = $cache->get('EditablePicklistValues', $fieldName); if($EditablePicklistValues) { @@ -129,6 +130,7 @@ class Settings_Picklist_Field_Model extends Vtiger_Field_Model { * @return type -- array of values */ public static function getNonEditablePicklistValues($fieldName){ + $fieldName = Vtiger_Util_Helper::validateStringForSql($fieldName); $cache = Vtiger_Cache::getInstance(); $NonEditablePicklistValues = $cache->get('NonEditablePicklistValues', $fieldName); if($NonEditablePicklistValues) { diff --git a/modules/Settings/Picklist/models/Module.php b/modules/Settings/Picklist/models/Module.php index 325c0e467f8ae264814901ecf84e23dfe2fac031..906484910e5c05955bc3b27204098df73d100dee 100644 --- a/modules/Settings/Picklist/models/Module.php +++ b/modules/Settings/Picklist/models/Module.php @@ -30,7 +30,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model { public function addPickListValues($fieldModel, $newValue, $rolesSelected = array(), $color = '') { $db = PearDatabase::getInstance(); - $pickListFieldName = $fieldModel->getName(); + $pickListFieldName = Vtiger_Util_Helper::validateStringForSql($fieldModel->getName()); $id = $db->getUniqueID("vtiger_$pickListFieldName"); vimport('~~/include/ComboUtil.php'); $picklist_valueid = getUniquePicklistID(); 
@@ -74,6 +74,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model { public function renamePickListValues($pickListFieldName, $oldValue, $newValue, $moduleName, $id, $rolesList = false, $color = '') { $db = PearDatabase::getInstance(); + $pickListFieldName = Vtiger_Util_Helper::validateStringForSql($pickListFieldName); $query = 'SELECT tablename, fieldid, columnname FROM vtiger_field WHERE fieldname=? and presence IN (0,2)'; $result = $db->pquery($query, array($pickListFieldName)); $num_rows = $db->num_rows($result); @@ -128,6 +129,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model { if(!is_array($valueToDeleteId)) { $valueToDeleteId = array($valueToDeleteId); } + $pickListFieldName = Vtiger_Util_Helper::validateStringForSql($pickListFieldName); $primaryKey = Vtiger_Util_Helper::getPickListId($pickListFieldName); $pickListValues = array(); @@ -224,6 +226,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model { $dieOnErrorOldValue = $db->dieOnError; $db->dieOnError = false; + $picklistFieldName = Vtiger_Util_Helper::validateStringForSql($picklistFieldName); $sql = "select picklistid from vtiger_picklist where name=?"; $result = $db->pquery($sql, array($picklistFieldName)); $picklistid = $db->query_result($result,0,"picklistid"); @@ -272,8 +275,8 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model { $deleteValueList[] = ' ( roleid = "'.$roleId.'" AND '.'picklistvalueid = "'.$pickListValueId.'") '; } } - $query = 'INSERT IGNORE INTO vtiger_role2picklist (roleid,picklistvalueid,picklistid) VALUES '.implode(',',$insertValueList); - $result = $db->pquery($query,array()); + $query = 'INSERT IGNORE INTO vtiger_role2picklist (roleid,picklistvalueid,picklistid) VALUES '. generateQuestionMarks($insertValueList); + $result = $db->pquery($query, $insertValueList); $deleteQuery = 'DELETE FROM vtiger_role2picklist WHERE '.implode(' OR ',$deleteValueList); 
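Review bot: `generateQuestionMarks($insertValueList)` with `$insertValueList` passed straight to `pquery` looks wrong if that list is built like the neighbouring `$deleteValueList`, i.e. as ready-made `(roleid, picklistvalueid, picklistid)` SQL fragments: each fragment would then be bound as a single string value and the statement becomes `VALUES ?,?,?`, which is not valid for a three-column insert. Build each row as a `(?,?,?)` string, collect its three values into a flat parameter array, and join the row strings with `implode(',', ...)`; the loop that fills `$insertValueList` starts before the hunk so I cannot confirm its shape. `$deleteQuery` on the hunk's last line still interpolates `$roleId` and `$pickListValueId` through the `$deleteValueList` fragments and should be parameterised the same way.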
@@ -287,6 +290,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model { public function updateSequence($pickListFieldName , $picklistValues, $rolesList = false) { $db = PearDatabase::getInstance(); + $pickListFieldName = Vtiger_Util_Helper::validateStringForSql($pickListFieldName); $primaryKey = Vtiger_Util_Helper::getPickListId($pickListFieldName); $paramArray = array(); $query = 'UPDATE '.$this->getPickListTableName($pickListFieldName).' SET sortorderid = CASE '; @@ -307,9 +311,9 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model { $query = "SELECT distinct vtiger_tab.tablabel, vtiger_tab.name as tabname FROM vtiger_tab inner join vtiger_field on vtiger_tab.tabid=vtiger_field.tabid - WHERE uitype IN (15,33,16,114) and vtiger_field.tabid NOT IN (". implode(',', $unsupportedModuleIds) .") and vtiger_tab.presence != 1 and vtiger_field.presence in (0,2) + WHERE uitype IN (15,33,16,114) and vtiger_field.tabid NOT IN (". generateQuestionMarks($unsupportedModuleIds) .") and vtiger_tab.presence != 1 and vtiger_field.presence in (0,2) ORDER BY vtiger_tab.tabid ASC"; - $result = $db->pquery($query, array()); + $result = $db->pquery($query, $unsupportedModuleIds); $modulesModelsList = array(); while($row = $db->fetch_array($result)){ @@ -427,7 +431,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model { } else { $valueToDeleteID = $valueToDelete; } - + $pickListFieldName = Vtiger_Util_Helper::validateStringForSql($pickListFieldName); $primaryKey = Vtiger_Util_Helper::getPickListId($pickListFieldName); $pickListDeleteValue = array(); $getPickListValueQuery = "SELECT $pickListFieldName FROM " . $this->getPickListTableName($pickListFieldName) . " WHERE $primaryKey IN (" . generateQuestionMarks($valueToDeleteID) . ")"; 
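Review bot: `$db->pquery($query, $unsupportedModuleIds)` together with `generateQuestionMarks($unsupportedModuleIds)` presumably produces `NOT IN ()` when the list is empty, which is a SQL syntax error; the previous `implode` had the same problem, but the rewrite is the moment to guard it, e.g. append the `NOT IN` clause only `if (!empty($unsupportedModuleIds))`. If `$unsupportedModuleIds` can be an associative array, pass `array_values($unsupportedModuleIds)` so the bound values line up with the placeholders. The method containing that hunk begins before it.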
@@ -447,6 +451,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model { */ public static function getPicklistColor($pickListFieldName, $pickListId) { $db = PearDatabase::getInstance(); + $pickListFieldName = Vtiger_Util_Helper::validateStringForSql($pickListFieldName); $primaryKey = Vtiger_Util_Helper::getPickListId($pickListFieldName); $colums = $db->getColumnNames("vtiger_$pickListFieldName"); if(in_array('color',$colums)) { @@ -484,11 +489,12 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model { */ public static function getPicklistColorMap($fieldName, $key = false) { $db = PearDatabase::getInstance(); + $fieldName = Vtiger_Util_Helper::validateStringForSql($fieldName); $primaryKey = Vtiger_Util_Helper::getPickListId($fieldName); $colums = $db->getColumnNames("vtiger_$fieldName"); if(in_array('color',$colums)) { $query = 'SELECT '.$primaryKey.',color,'.$fieldName.' FROM vtiger_'.$fieldName; - $result = $db->pquery($query); + $result = $db->pquery($query, array()); $pickListColorMap = array(); $isRoleBasedPicklist = vtws_isRoleBasedPicklist($fieldName); $accessablePicklistValues = self::getAccessiblePicklistValues($fieldName); @@ -524,6 +530,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model { */ public static function getPicklistColorByValue($fieldName, $fieldValue) { $db = PearDatabase::getInstance(); + $fieldName = Vtiger_Util_Helper::validateStringForSql($fieldName); $tableName = "vtiger_$fieldName"; if(Vtiger_Utils::CheckTable($tableName)) { $colums = $db->getColumnNames($tableName); 
@@ -554,6 +561,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model { //As older look utf8 characters are pushed as html-entities,and in new utf8 characters are pushed to database //so we are checking for both the values + $pickListFieldName = Vtiger_Util_Helper::validateStringForSql($pickListFieldName); $primaryKey = Vtiger_Util_Helper::getPickListId($pickListFieldName); if(!empty($color)) { $query = 'UPDATE ' . $this->getPickListTableName($pickListFieldName) . ' SET color = ? WHERE '.$primaryKey.' = ?'; diff --git a/modules/Settings/Potentials/models/Mapping.php b/modules/Settings/Potentials/models/Mapping.php index df33a0a4c06b97c3d6d5f61f9f92e99ce33563a3..6770bc66b8a54ac195260405839c81b3b70d6dd9 100644 --- a/modules/Settings/Potentials/models/Mapping.php +++ b/modules/Settings/Potentials/models/Mapping.php @@ -121,14 +121,16 @@ class Settings_Potentials_Mapping_Model extends Settings_Leads_Mapping_Model { $insertQuery = 'INSERT INTO vtiger_convertpotentialmapping(potentialfid, projectfid) VALUES '; $count = count($createMappingsList); + $params = array(); for ($i=0; $i<$count; $i++) { $mappingDetails = $createMappingsList[$i]; - $insertQuery .= '('. $mappingDetails['potential'] .', '. $mappingDetails['project'] .')'; + $insertQuery .= '(?, ?)'; + array_push($params, $mappingDetails['potential'], $mappingDetails['project']); if ($i !== $count-1) { $insertQuery .= ', '; } } - $db->pquery($insertQuery, array()); + $db->pquery($insertQuery, $params); } if ($updateMappingsList) { diff --git a/modules/Settings/Profiles/models/Record.php b/modules/Settings/Profiles/models/Record.php index 899389d13509aded0d655577966678f62f7028ec..dcba26e06511c3114cb9c61d48fc72358da6e916 100644 --- a/modules/Settings/Profiles/models/Record.php +++ b/modules/Settings/Profiles/models/Record.php 
@@ -571,11 +571,13 @@ class Settings_Profiles_Record_Model extends Settings_Vtiger_Record_Model { //Standard permissions $i = 0; $count = count($actionsIdsList); + $params = array(); $actionsInsertQuery .= 'INSERT INTO vtiger_profile2standardpermissions(profileid, tabid, operation, permissions) VALUES '; foreach ($actionsIdsList as $actionId => $permission) { $actionEnabled = true; $permissionValue = $this->tranformInputPermissionValue($permission); - $actionsInsertQuery .= "($profileId, $tabId, $actionId, $permissionValue)"; + $actionsInsertQuery .= "(?, ?, ?, ?)"; + array_push($params, $profileId, $tabId, $actionId, $permissionValue); if ($i !== $count-1) { $actionsInsertQuery .= ', '; @@ -589,10 +591,12 @@ class Settings_Profiles_Record_Model extends Settings_Vtiger_Record_Model { //Utility permissions $i = 0; $count = count($utilityIdsList); + $params = array(); $utilityInsertQuery .= 'INSERT INTO vtiger_profile2utility(profileid, tabid, activityid, permission) VALUES '; foreach($utilityIdsList as $actionId => $permission) { $permissionValue = $this->tranformInputPermissionValue($permission); - $utilityInsertQuery .= "($profileId, $tabId, $actionId, $permissionValue)"; + $utilityInsertQuery .= "(?, ?, ?, ?)"; + array_push($params, $profileId, $tabId, $actionId, $permissionValue); if ($i !== $count-1) { $utilityInsertQuery .= ', '; diff --git a/modules/Settings/Roles/models/Record.php b/modules/Settings/Roles/models/Record.php index 41ebbfe890a541b19c13888f3d727a19b30d9648..f1990bc93c9068455279b10fd5f50f0acf320050 100644 --- a/modules/Settings/Roles/models/Record.php +++ b/modules/Settings/Roles/models/Record.php @@ -283,7 +283,7 @@ class Settings_Roles_Record_Model extends Settings_Vtiger_Record_Model { */ public function save() { $db = PearDatabase::getInstance(); - $roleId = $this->getId(); + $roleId = Vtiger_Util_Helper::validateStringForSql($this->getId()); $mode = 'edit'; if(empty($roleId)) { 
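Review bot: `$params = array()` is reset at the top of the utility-permissions block (`@@ -589`), but the `pquery` that consumes the standard-permissions `$params` from `@@ -571` is outside both hunks; if that execute happens after the reset, or the INSERT strings are accumulated across several tabs (the `.=` on `$actionsInsertQuery` and `$utilityInsertQuery` suggests they may be), the earlier values are silently dropped and the placeholders no longer line up. Use distinct arrays, `$actionsParams` and `$utilityParams`, initialised where the corresponding query string is initialised rather than inside this per-tab block. The enclosing method starts and ends outside the hunks.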
diff --git a/modules/Settings/Workflows/models/ListView.php b/modules/Settings/Workflows/models/ListView.php index 439468289f10c79e5a20b254c7a1fe95e1715493..e3f704f74b5d0f16ca357759df735539700fdebd 100644 --- a/modules/Settings/Workflows/models/ListView.php +++ b/modules/Settings/Workflows/models/ListView.php @@ -52,7 +52,8 @@ class Settings_Workflows_ListView_Model extends Settings_Vtiger_ListView_Model { } if(!empty($search_value)) { - $listQuery .= ' AND workflowname like "%'.$search_value.'%"'; + $listQuery .= ' AND workflowname like ?'; + array_push($params, "%$search_value%"); } $startIndex = $pagingModel->getStartIndex(); @@ -136,6 +137,7 @@ class Settings_Workflows_ListView_Model extends Settings_Vtiger_ListView_Model { $db = PearDatabase::getInstance(); $module = $this->getModule(); + $params = array(); $listQuery = 'SELECT count(*) AS count FROM ' . $module->baseTable . ' INNER JOIN vtiger_tab ON vtiger_tab.name = '. $module->baseTable .'.module_name AND vtiger_tab.presence IN (0,2)'; @@ -143,13 +145,15 @@ class Settings_Workflows_ListView_Model extends Settings_Vtiger_ListView_Model { $sourceModule = $this->get('sourceModule'); if($sourceModule) { $listQuery .= " WHERE module_name = '$sourceModule'"; + array_push($params, $sourceModule); } $search_value = $this->get('search_value'); if(!empty($search_value)) { - $listQuery .= ' AND workflowname like "%'.$search_value.'%"'; + $listQuery .= ' AND workflowname like ?'; + array_push($params, "%$search_value%"); } - $listResult = $db->pquery($listQuery, array()); + $listResult = $db->pquery($listQuery, $params); return $db->query_result($listResult, 0, 'count'); } } \ No newline at end of file diff --git a/modules/Users/Users.php b/modules/Users/Users.php index b8c183aa402ddfa8125627c5a15aa6afb7898c19..7488c9d125aeec9675d9fdaccd06ad2d35220d22 100755 --- a/modules/Users/Users.php +++ b/modules/Users/Users.php 
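Review bot: In the `@@ -143` hunk the line `$listQuery .= " WHERE module_name = '$sourceModule'";` keeps the interpolated value while `array_push($params, $sourceModule)` adds a parameter for it, so the parameter list is one longer than the placeholder list: `$sourceModule` is bound to the `workflowname like ?` slot, the search pattern has no slot, and `$sourceModule` itself still reaches the SQL unescaped. Change that line to `$listQuery .= " WHERE module_name = ?";`. In the `@@ -52` hunk `$params` is pushed to but neither declared nor consumed within the hunk, so confirm the list query is executed with that array; both enclosing methods start before their hunks.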
@@ -1316,13 +1316,13 @@ class Users extends CRMEntity { if($_REQUEST[$this->homeorder_array[$i]] != '') { $save_array[] = $this->homeorder_array[$i]; - $qry=" update vtiger_homestuff,vtiger_homedefault set vtiger_homestuff.visible=0 where vtiger_homestuff.stuffid=vtiger_homedefault.stuffid and vtiger_homestuff.userid=".$id." and vtiger_homedefault.hometype='".$this->homeorder_array[$i]."'";//To show the default Homestuff on the the Home Page - $result=$adb->pquery($qry, array()); + $qry=" update vtiger_homestuff,vtiger_homedefault set vtiger_homestuff.visible=0 where vtiger_homestuff.stuffid=vtiger_homedefault.stuffid and vtiger_homestuff.userid=? and vtiger_homedefault.hometype=?";//To show the default Homestuff on the the Home Page + $result=$adb->pquery($qry, array($id, $this->homeorder_array[$i])); } else { - $qry="update vtiger_homestuff,vtiger_homedefault set vtiger_homestuff.visible=1 where vtiger_homestuff.stuffid=vtiger_homedefault.stuffid and vtiger_homestuff.userid=".$id." and vtiger_homedefault.hometype='".$this->homeorder_array[$i]."'";//To hide the default Homestuff on the the Home Page - $result=$adb->pquery($qry, array()); + $qry="update vtiger_homestuff,vtiger_homedefault set vtiger_homestuff.visible=1 where vtiger_homestuff.stuffid=vtiger_homedefault.stuffid and vtiger_homestuff.userid=? and vtiger_homedefault.hometype=?";//To hide the default Homestuff on the the Home Page + $result=$adb->pquery($qry, array($id, $this->homeorder_array[$i])); } } if($save_array !="") 
@@ -1690,9 +1690,9 @@ class Users extends CRMEntity { $moduleName = $obj->module; $createdRecords = array(); - $tableName = Import_Utils_Helper::getDbTableName($obj->user); - $sql = 'SELECT * FROM '.$tableName.' WHERE status = '.Import_Data_Action::$IMPORT_RECORD_NONE; - $result = $adb->query($sql); + $tableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($obj->user)); + $sql = 'SELECT * FROM '.$tableName.' WHERE status = ?'; + $result = $adb->pquery($sql, array(Import_Data_Action::$IMPORT_RECORD_NONE)); $numberOfRecords = $adb->num_rows($result); if($numberOfRecords <= 0) { return; diff --git a/modules/Users/views/Import.php b/modules/Users/views/Import.php index 55a715cdcafb9a12b2bb1b18efc3a79fdfbd94f3..8da395dd48ece8b8ef692e897d92d43acdb4fdf5 100644 --- a/modules/Users/views/Import.php +++ b/modules/Users/views/Import.php @@ -44,7 +44,7 @@ class Users_Import_View extends Vtiger_Import_View { $moduleName = $request->getModule(); $user = Users_Record_Model::getCurrentUserModel(); - $dbTableName = Import_Utils_Helper::getDbTableName($user); + $dbTableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($user)); $query = "SELECT recordid FROM $dbTableName WHERE status = ? AND recordid IS NOT NULL"; $result = $db->pquery($query, array(Import_Data_Action::$IMPORT_RECORD_CREATED)); diff --git a/modules/Vtiger/helpers/Util.php b/modules/Vtiger/helpers/Util.php index 3d330a5799724d2e1a115e354a580b1bfee20ae7..23b7f18e71a61e4dac0b0a3f55f1f35a1e33481b 100644 --- a/modules/Vtiger/helpers/Util.php +++ b/modules/Vtiger/helpers/Util.php @@ -326,6 +326,7 @@ class Vtiger_Util_Helper { } $db = PearDatabase::getInstance(); + $fieldName = Vtiger_Util_Helper::validateStringForSql($fieldName); $primaryKey = Vtiger_Util_Helper::getPickListId($fieldName); $query = 'SELECT '.$primaryKey.', '.$fieldName.' FROM vtiger_'.$fieldName.' order by sortorderid'; $values = array(); 
@@ -361,6 +362,7 @@ class Vtiger_Util_Helper { } $db = PearDatabase::getInstance(); + $fieldName = Vtiger_Util_Helper::validateStringForSql($fieldName); $query = "SELECT $fieldName FROM vtiger_$fieldName INNER JOIN vtiger_role2picklist on vtiger_role2picklist.picklistvalueid = vtiger_$fieldName.picklist_valueid diff --git a/modules/Vtiger/models/Module.php b/modules/Vtiger/models/Module.php index 43e683c4d14e9a8436a9b9cd4b7ac0a579df74d6..71880524dbe7ddc80f85a1580f619daeee5dda50 100644 --- a/modules/Vtiger/models/Module.php +++ b/modules/Vtiger/models/Module.php @@ -1452,7 +1452,9 @@ class Vtiger_Module_Model extends Vtiger_Module { * @return <String> - query */ public function getSearchRecordsQuery($searchValue,$searchFields, $parentId=false, $parentModule=false) { - return "SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity WHERE label LIKE '%$searchValue%' AND vtiger_crmentity.deleted = 0"; + $db = PearDatabase::getInstance(); + $query = $db->convert2Sql("SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity WHERE label LIKE ? AND vtiger_crmentity.deleted = 0", array("%$searchValue%")); + return $query; } /** @@ -1464,11 +1466,14 @@ class Vtiger_Module_Model extends Vtiger_Module { * @return <Array of Vtiger_Record_Model> */ public function searchRecord($searchValue, $parentId=false, $parentModule=false, $relatedModule=false) { + global $log; + $log->fatal('search record api is triggered => '); $searchFields = array('crmid','label','setype'); if(!empty($searchValue) && empty($parentId) && empty($parentModule)) { $matchingRecords = Vtiger_Record_Model::getSearchResult($searchValue, $this->getName()); } else if($parentId && $parentModule) { $db = PearDatabase::getInstance(); + $log->fatal('call getSearchRecordsQuery api'); $result = $db->pquery($this->getSearchRecordsQuery($searchValue,$searchFields, $parentId, $parentModule), array()); $noOfRows = $db->num_rows($result); 
diff --git a/modules/Vtiger/models/Tag.php b/modules/Vtiger/models/Tag.php index 25327741d195a47cce325c6415c50b16708f1df9..bb0a01c4daf70565226b73d9784c13b4f1025def 100644 --- a/modules/Vtiger/models/Tag.php +++ b/modules/Vtiger/models/Tag.php @@ -276,14 +276,10 @@ class Vtiger_Tag_Model extends Vtiger_Base_Model { $db = PearDatabase::getInstance(); $query = "SELECT * FROM vtiger_freetags WHERE (tag=? OR raw_tag=?) AND (owner=? OR visibility=?)"; $params = array($name, $name, $userId, self::PUBLIC_TYPE); - global $log; - $log->fatal($excludedTagId); if($excludedTagId !== false) { $query .= ' AND id != ?'; array_push($params, $excludedTagId); } - global $log; - $log->fatal($db->convert2Sql($query , $params)); $result = $db->pquery($query, $params); $tagModel = false; if($db->num_rows($result) > 0) { diff --git a/modules/Vtiger/views/Import.php b/modules/Vtiger/views/Import.php index 076a7109ba869f7857156b82a789df40705b8908..21a619a079f379f0270805dc0bf12d2176387fe1 100644 --- a/modules/Vtiger/views/Import.php +++ b/modules/Vtiger/views/Import.php @@ -247,7 +247,7 @@ class Vtiger_Import_View extends Vtiger_Index_View { $ownerId = $request->get('foruser'); $user = Users_Record_Model::getCurrentUserModel(); - $dbTableName = Import_Utils_Helper::getDbTableName($user); + $dbTableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($user)); if(!$user->isAdminUser() && $user->id != $ownerId) { $viewer->assign('MESSAGE', vtranslate('LBL_PERMISSION_DENIED')); diff --git a/modules/com_vtiger_workflow/WorkFlowScheduler.php b/modules/com_vtiger_workflow/WorkFlowScheduler.php index fce3a5fd562370b349682303eaa009da5fe2e2fb..04fbda18cd62da172830aa4951ce6dd1d4b57f82 100755 --- a/modules/com_vtiger_workflow/WorkFlowScheduler.php +++ b/modules/com_vtiger_workflow/WorkFlowScheduler.php 
@@ -57,7 +57,7 @@ class WorkFlowScheduler { public function getEligibleWorkflowRecords($workflow, $start=0, $limit=0) { $adb = $this->db; $query = $this->getWorkflowQuery($workflow, $start, $limit); - $result = $adb->query($query); + $result = $adb->pquery($query, array()); $noOfRecords = $adb->num_rows($result); $recordsList = array(); for ($i = 0; $i < $noOfRecords; ++$i) { diff --git a/pkg/vtiger/modules/Assets/modules/Assets/Assets.php b/pkg/vtiger/modules/Assets/modules/Assets/Assets.php index ada5a98d13c133ce8ba632948a5c23f13ad3ff0c..ba4c6b8e26914aebdfeb6a319060be3a2607266a 100644 --- a/pkg/vtiger/modules/Assets/modules/Assets/Assets.php +++ b/pkg/vtiger/modules/Assets/modules/Assets/Assets.php 
@@ -415,14 +415,14 @@ class Assets extends CRMEntity {
 if(getTabid('CustomerPortal') && $assetsTabId) {
 $checkAlreadyExists = $adb->pquery('SELECT 1 FROM vtiger_customerportal_tabs WHERE tabid=?', array($assetsTabId));
 if($checkAlreadyExists && $adb->num_rows($checkAlreadyExists) < 1) {
- $maxSequenceQuery = $adb->query("SELECT max(sequence) as maxsequence FROM vtiger_customerportal_tabs");
+ $maxSequenceQuery = $adb->pquery("SELECT max(sequence) as maxsequence FROM vtiger_customerportal_tabs", array());
 $maxSequence = $adb->query_result($maxSequenceQuery, 0, 'maxsequence');
 $nextSequence = $maxSequence+1;
- $adb->query("INSERT INTO vtiger_customerportal_tabs(tabid,visible,sequence) VALUES ($assetsTabId,1,$nextSequence)");
+ $adb->pquery("INSERT INTO vtiger_customerportal_tabs(tabid,visible,sequence) VALUES (?,?,?)", array($assetsTabId,1,$nextSequence));
 }
 $checkAlreadyExists = $adb->pquery('SELECT 1 FROM vtiger_customerportal_prefs WHERE tabid=?', array($assetsTabId));
 if($checkAlreadyExists && $adb->num_rows($checkAlreadyExists) < 1) {
- $adb->query("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES ($assetsTabId,'showrelatedinfo',1)");
+ $adb->pquery("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES (?,?,?)", array($assetsTabId,'showrelatedinfo',1));
 }
 }
 }
diff --git a/pkg/vtiger/modules/CustomerPortal/modules/CustomerPortal/CustomerPortal.php b/pkg/vtiger/modules/CustomerPortal/modules/CustomerPortal/CustomerPortal.php
index e5d64a43b45ad337b7701a3019082eca085769ac..8fdc5bd75d856f5149c305fc56a010dd5edd9b02 100644
--- a/pkg/vtiger/modules/CustomerPortal/modules/CustomerPortal/CustomerPortal.php
+++ b/pkg/vtiger/modules/CustomerPortal/modules/CustomerPortal/CustomerPortal.php
@@ -33,13 +33,13 @@ class CustomerPortal {
 $tabId = $adb->query_result($tabIdResult, 0, 'tabid');
 if($tabId) {
 ++$i;
- $adb->query("INSERT INTO vtiger_customerportal_tabs (tabid,visible,sequence) VALUES ($tabId,1,$i)");
- $adb->query("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES ($tabId,'showrelatedinfo',1)");
+ $adb->query("INSERT INTO vtiger_customerportal_tabs (tabid,visible,sequence) VALUES (?, ?, ?)", array($tabId,1,$i));
+ $adb->query("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES (?, ?, ?)", array($tabId,'showrelatedinfo',1));
 }
 }
- $adb->query("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES (0,'userid',1)");
- $adb->query("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES (0,'defaultassignee',1)");
+ $adb->query("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES (?, ?, ?)", array(0,'userid',1));
+ $adb->pquery("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES (?, ?, ?)", array(0,'defaultassignee',1));
 // Mark the module as Standard module
 $adb->pquery('UPDATE vtiger_tab SET customized=0 WHERE name=?', array($moduleName));
diff --git a/pkg/vtiger/modules/EmailTemplates/modules/EmailTemplates/models/ListView.php b/pkg/vtiger/modules/EmailTemplates/modules/EmailTemplates/models/ListView.php
index da1a6d1b75d2cc6021e4a1b05f929c6898203728..94a8e6bcd87058d7f336a6cc2c50be2d1445106b 100644
--- a/pkg/vtiger/modules/EmailTemplates/modules/EmailTemplates/models/ListView.php
+++ b/pkg/vtiger/modules/EmailTemplates/modules/EmailTemplates/models/ListView.php
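Review bot: Three of the four rewritten INSERTs still call `$adb->query(...)` while now passing a parameter array; only the `defaultassignee` insert was changed to `$adb->pquery(...)`. Elsewhere in this commit (`getImportStatusCount` in Data.php) `$adb->query($query, array())` is itself corrected to `pquery`, which suggests `query()` ignores the second argument, so the `?` placeholders would be sent verbatim and the CustomerPortal tab and pref rows would not be created. Change `$adb->query(` to `$adb->pquery(` on the two inserts inside `if($tabId)` and on the `userid` insert. The enclosing function starts outside the hunk.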
@@ -207,12 +207,14 @@ class EmailTemplates_ListView_Model extends Vtiger_ListView_Model {
 $listQuery = $listQuery. ' FROM ' .$split[$i];
 }
 }
- $searchKey = $this->get('search_key');
+ $searchKey = $this->getForSql('search_key');
 $searchValue = $this->get('search_value');
 $whereQuery .= " WHERE ";
+ $params = array();
 if(!empty($searchKey) && !empty($searchValue)) {
- $whereQuery .= "$searchKey LIKE '$searchValue%' AND ";
+ $whereQuery .= "$searchKey LIKE ? AND ";
+ array_push($params, "%$searchValue%");
 }
 //module should be enabled or module should be empty then allow
@@ -221,10 +223,11 @@ class EmailTemplates_ListView_Model extends Vtiger_ListView_Model {
 $sourceModule = $this->get('sourceModule');
 if ($sourceModule) {
- $listQuery .= ' AND vtiger_emailtemplates.module= "' . $sourceModule . '" ';
+ $listQuery .= ' AND vtiger_emailtemplates.module= ?';
+ array_push($params, $sourceModule);
 }
- $listResult = $db->pquery($listQuery, array());
+ $listResult = $db->pquery($listQuery, $params);
 return $db->query_result($listResult, 0, 'count');
 }
diff --git a/pkg/vtiger/modules/Import/modules/Import/actions/Data.php b/pkg/vtiger/modules/Import/modules/Import/actions/Data.php
index 3a639a561873a2c163283c73b9c2e172a8a99001..0de1652ab0377b215ddcce5275ab0910ebd502a7 100644
--- a/pkg/vtiger/modules/Import/modules/Import/actions/Data.php
+++ b/pkg/vtiger/modules/Import/modules/Import/actions/Data.php
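Review bot: The bound search pattern is `"%$searchValue%"`, but the removed line matched `'$searchValue%'`, so the rewrite also turns a prefix search into a substring search; if that is unintended, bind `"$searchValue%"` instead. `$searchKey` is still interpolated into the SQL as the column identifier and only passes through `getForSql()`, whose behaviour is not visible here; since it is a request-supplied value, checking it against the model's list of searchable columns before use would be a tighter guard than a generic string sanitiser. `%` and `_` inside `$searchValue` remain LIKE wildcards, which is probably acceptable for a list filter but deserves a comment. The method's start lies before the first hunk.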
@@ -196,8 +196,10 @@ class Import_Data_Action extends Vtiger_Action_Controller {
 $createdRecords = array();
 $entityData = array();
- $tableName = Import_Utils_Helper::getDbTableName($this->user);
- $sql = 'SELECT * FROM '.$tableName.' WHERE status = '.Import_Data_Action::$IMPORT_RECORD_NONE;
+ $tableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($this->user));
+ $params = array();
+ $sql = 'SELECT * FROM '.$tableName.' WHERE status = ?';
+ array_push($params, Import_Data_Action::$IMPORT_RECORD_NONE);
 $configReader = new Import_Config_Model();
 if ($this->batchImport) {
@@ -208,7 +210,7 @@ class Import_Data_Action extends Vtiger_Action_Controller {
 $sql .= ' LIMIT '. $pagingLimit;
 }
- $result = $adb->pquery($sql, array());
+ $result = $adb->pquery($sql, $params);
 $numberOfRecords = $adb->num_rows($result);
 if ($numberOfRecords <= 0) {
@@ -294,7 +296,7 @@ class Import_Data_Action extends Vtiger_Action_Controller {
 $query = $queryGenerator->getQuery();
 // to eliminate clash of next record values
 $queryGenerator->clearConditionals();
- $duplicatesResult = $adb->query($query);
+ $duplicatesResult = $adb->pquery($query, array());
 $noOfDuplicates = $adb->num_rows($duplicatesResult);
 if ($noOfDuplicates > 0) {
@@ -823,7 +825,7 @@ class Import_Data_Action extends Vtiger_Action_Controller {
 public function getImportStatusCount() {
 $adb = PearDatabase::getInstance();
- $tableName = Import_Utils_Helper::getDbTableName($this->user);
+ $tableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($this->user));
 $focus = CRMEntity::getInstance($this->module);
 if ($focus && method_exists($focus, 'getGroupQuery')) {
@@ -831,7 +833,7 @@ class Import_Data_Action extends Vtiger_Action_Controller {
 } else {
 $query = 'SELECT status FROM '.$tableName;
 }
- $result = $adb->query($query, array());
+ $result = $adb->pquery($query, array());
 $statusCount = array('TOTAL' => 0, 'IMPORTED' => 0, 'FAILED' => 0, 'PENDING' => 0, 'CREATED' => 0, 'SKIPPED' => 0, 'UPDATED' => 0, 'MERGED' => 0);
diff --git a/pkg/vtiger/modules/Import/modules/Import/helpers/Utils.php b/pkg/vtiger/modules/Import/modules/Import/helpers/Utils.php
index 55b7c396783ee09f1c11087cacdac8718e420f5c..ba3fdd45f285f8312a8a0d1279a4922c6779edf9 100644
--- a/pkg/vtiger/modules/Import/modules/Import/helpers/Utils.php
+++ b/pkg/vtiger/modules/Import/modules/Import/helpers/Utils.php
@@ -121,10 +121,10 @@ class Import_Utils_Helper {
 public static function isUserImportBlocked($user) {
 $adb = PearDatabase::getInstance();
- $tableName = self::getDbTableName($user);
+ $tableName = Vtiger_Util_Helper::validateStringForSql(self::getDbTableName($user));
 if(Vtiger_Utils::CheckTable($tableName)) {
- $result = $adb->query('SELECT 1 FROM '.$tableName.' WHERE status = '. Import_Data_Action::$IMPORT_RECORD_NONE);
+ $result = $adb->pquery('SELECT 1 FROM '.$tableName.' WHERE status = ?', array(Import_Data_Action::$IMPORT_RECORD_NONE));
 if($adb->num_rows($result) > 0) {
 return true;
 }
@@ -136,7 +136,7 @@ class Import_Utils_Helper {
 $adb = PearDatabase::getInstance();
 $tableName = self::getDbTableName($user);
- $adb->query('DROP TABLE IF EXISTS '.$tableName);
+ $adb->pquery('DROP TABLE IF EXISTS '.$tableName, array());
 Import_Lock_Action::unLock($user);
 Import_Queue_Action::removeForUser($user);
 }
diff --git a/pkg/vtiger/modules/Import/modules/Import/models/ListView.php b/pkg/vtiger/modules/Import/modules/Import/models/ListView.php
index 9e6714f03eefcc93eb989867ac0d575b47850f45..d8b005752839f922b2810590ef8a98b9e87504a0 100644
--- a/pkg/vtiger/modules/Import/modules/Import/models/ListView.php
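Review bot: The Import helper's second hunk (`@@ -136`) still builds `'DROP TABLE IF EXISTS '.$tableName` from the unvalidated `self::getDbTableName($user)`, while `isUserImportBlocked` in the first hunk wraps the same call in `Vtiger_Util_Helper::validateStringForSql`; the switch to `pquery(..., array())` adds nothing for a statement without placeholders. For consistency with the rest of this commit, change it to `$tableName = Vtiger_Util_Helper::validateStringForSql(self::getDbTableName($user));`. The function containing that hunk starts before the hunk.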
+++ b/pkg/vtiger/modules/Import/modules/Import/models/ListView.php
@@ -171,7 +171,7 @@ class Import_ListView_Model extends Vtiger_ListView_Model {
 $db = PearDatabase::getInstance();
 $user = Users_Record_Model::getCurrentUserModel();
- $userDBTableName = Import_Utils_Helper::getDbTableName($user);
+ $userDBTableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($user));
 $result = $db->pquery('SELECT recordid FROM '.$userDBTableName.' WHERE status NOT IN (?,?) AND recordid IS NOT NULL',Array(Import_Data_Action::$IMPORT_RECORD_FAILED, Import_Data_Action::$IMPORT_RECORD_SKIPPED));
 $noOfRecords = $db->num_rows($result);
diff --git a/pkg/vtiger/modules/Import/modules/Import/readers/FileReader.php b/pkg/vtiger/modules/Import/modules/Import/readers/FileReader.php
index 147512ed25aa4f60097a6293b18d9f71cad52086..52f5b3f53c6291c108b48754bfc465ca5a87cea1 100644
--- a/pkg/vtiger/modules/Import/modules/Import/readers/FileReader.php
+++ b/pkg/vtiger/modules/Import/modules/Import/readers/FileReader.php
@@ -102,7 +102,7 @@ class Import_FileReader_Reader {
 public function createTable() {
 $db = PearDatabase::getInstance();
- $tableName = Import_Utils_Helper::getDbTableName($this->user);
+ $tableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($this->user));
 $fieldMapping = $this->request->get('field_mapping');
 $moduleFields = $this->moduleModel->getFields();
@@ -116,7 +116,7 @@ class Import_FileReader_Reader {
 $columnsListQuery .= $this->getDBColumnType($fieldObject, $fieldTypes);
 }
 $createTableQuery = 'CREATE TABLE '. $tableName . ' ('.$columnsListQuery.') ENGINE=MyISAM ';
- $db->query($createTableQuery);
+ $db->pquery($createTableQuery, array());
 return true;
 }
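Review bot: `createTable` now validates `$tableName`, but `$columnsListQuery`, which is interpolated into the same `CREATE TABLE` statement, is left as is, and the lines that build it from `$fieldMapping` (a request value) and `$moduleFields` fall between the two hunks, so it is not visible whether the column names come from module field definitions or from the raw mapping. If any part of the column list is derived from the request it needs the same treatment as the table name; a comment stating where the column names originate would make the assumption explicit. `pquery($createTableQuery, array())` binds nothing in a DDL statement, so that call is functionally the same as before.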
diff --git a/pkg/vtiger/modules/Mobile/modules/Mobile/api/ws/RelatedRecordsWithGrouping.php b/pkg/vtiger/modules/Mobile/modules/Mobile/api/ws/RelatedRecordsWithGrouping.php
index f187b3ff0b8ae21574981e6e65313213fe4008c3..1e7a3151841049d2aad50024add7b626f45c49b8 100644
--- a/pkg/vtiger/modules/Mobile/modules/Mobile/api/ws/RelatedRecordsWithGrouping.php
+++ b/pkg/vtiger/modules/Mobile/modules/Mobile/api/ws/RelatedRecordsWithGrouping.php
@@ -48,7 +48,7 @@ class Mobile_WS_RelatedRecordsWithGrouping extends Mobile_WS_QueryWithGrouping {
 }
 $query = sprintf("SELECT vtiger_crmentity.crmid, $querySEtype %s", substr($query, stripos($query, 'FROM')));
- $queryResult = $adb->query($query);
+ $queryResult = $adb->pquery($query, array());
 // Gather resolved record id's
 $relatedRecords = array();
diff --git a/pkg/vtiger/modules/Projects/Project/modules/Project/Project.php b/pkg/vtiger/modules/Projects/Project/modules/Project/Project.php
index a431ed28fbe7195c5d8d00240da07d0429140972..8438409e6b46de943066279500eb769ebfd63a74 100644
--- a/pkg/vtiger/modules/Projects/Project/modules/Project/Project.php
+++ b/pkg/vtiger/modules/Projects/Project/modules/Project/Project.php
@@ -343,18 +343,18 @@ class Project extends CRMEntity {
 if(getTabid('CustomerPortal') && $projectTabid) {
 $checkAlreadyExists = $adb->pquery('SELECT 1 FROM vtiger_customerportal_tabs WHERE tabid=?', array($projectTabid));
 if($checkAlreadyExists && $adb->num_rows($checkAlreadyExists) < 1) {
- $maxSequenceQuery = $adb->query("SELECT max(sequence) as maxsequence FROM vtiger_customerportal_tabs");
+ $maxSequenceQuery = $adb->pquery("SELECT max(sequence) as maxsequence FROM vtiger_customerportal_tabs", array());
 $maxSequence = $adb->query_result($maxSequenceQuery, 0, 'maxsequence');
 $nextSequence = $maxSequence+1;
- $adb->query("INSERT INTO vtiger_customerportal_tabs(tabid,visible,sequence) VALUES ($projectTabid,1,$nextSequence)");
- $adb->query("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES ($projectTabid,'showrelatedinfo',1)");
+ $adb->pquery("INSERT INTO vtiger_customerportal_tabs(tabid,visible,sequence) VALUES (?, ?, ?)", array($projectTabid,1,$nextSequence));
+ $adb->pquery("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES (?, ?, ?)", array($projectTabid,'showrelatedinfo',1));
 }
 }
 // Add Gnatt chart to the related list of the module
 $relation_id = $adb->getUniqueID('vtiger_relatedlists');
 $max_sequence = 0;
- $result = $adb->query("SELECT max(sequence) as maxsequence FROM vtiger_relatedlists WHERE tabid=$projectTabid");
+ $result = $adb->pquery("SELECT max(sequence) as maxsequence FROM vtiger_relatedlists WHERE tabid=?", array($projectTabid));
 if($adb->num_rows($result)) $max_sequence = $adb->query_result($result, 0, 'maxsequence');
 $sequence = $max_sequence+1;
 $adb->pquery("INSERT INTO vtiger_relatedlists(relation_id,tabid,related_tabid,name,sequence,label,presence) VALUES(?,?,?,?,?,?,?)",
@@ -401,7 +401,7 @@ class Project extends CRMEntity {
 // Add Gnatt chart to the related list of the module
 $relation_id = $adb->getUniqueID('vtiger_relatedlists');
 $max_sequence = 0;
- $result = $adb->query("SELECT max(sequence) as maxsequence FROM vtiger_relatedlists WHERE tabid=$projectTabid");
+ $result = $adb->pquery("SELECT max(sequence) as maxsequence FROM vtiger_relatedlists WHERE tabid=?", array($projectTabid));
 if($adb->num_rows($result)) $max_sequence = $adb->query_result($result, 0, 'maxsequence');
 $sequence = $max_sequence+1;
 $adb->pquery("INSERT INTO vtiger_relatedlists(relation_id,tabid,related_tabid,name,sequence,label,presence) VALUES(?,?,?,?,?,?,?)",
@@ -555,6 +555,9 @@ class Project extends CRMEntity {
 /** Function to unlink an entity with given Id from another entity */
 function unlinkRelationship($id, $return_module, $return_id) {
 global $log, $currentModule;
+ $id = Vtiger_Util_Helper::validateStringForSql($id);
+ $return_module = Vtiger_Util_Helper::validateStringForSql($return_module);
+ $return_id = Vtiger_Util_Helper::validateStringForSql($return_id);
 if($return_module == 'Accounts') {
 $focus = CRMEntity::getInstance($return_module);
diff --git a/pkg/vtiger/modules/Projects/ProjectMilestone/modules/ProjectMilestone/ProjectMilestone.php b/pkg/vtiger/modules/Projects/ProjectMilestone/modules/ProjectMilestone/ProjectMilestone.php
index 42991b14f568f18cac1fb7477b48c038e18ce5c4..706bbefab0803ef98f5bb5dd0f0efcf8d1d7c726 100644
--- a/pkg/vtiger/modules/Projects/ProjectMilestone/modules/ProjectMilestone/ProjectMilestone.php
+++ b/pkg/vtiger/modules/Projects/ProjectMilestone/modules/ProjectMilestone/ProjectMilestone.php
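Review bot: `unlinkRelationship` now passes `$id`, `$return_module` and `$return_id` through `validateStringForSql`, but the statements that use them lie past the end of the `@@ -555` hunk, so it is not visible whether they are interpolated into SQL or already bound as `?` parameters. If the later queries bind them the new calls are redundant; if they are interpolated and record ids are always integers here, a numeric guard such as `$id = intval($id);` is a tighter check than a string sanitiser, and a comment naming which downstream query the validation protects would justify keeping it. The same three lines are added to `ServiceContracts::unlinkRelationship` in that file's `@@ -601` hunk.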
@@ -336,11 +336,11 @@ class ProjectMilestone extends CRMEntity {
 if(getTabid('CustomerPortal')) {
 $checkAlreadyExists = $adb->pquery('SELECT 1 FROM vtiger_customerportal_tabs WHERE tabid=?', array($projectmilestoneTabid));
 if($checkAlreadyExists && $adb->num_rows($checkAlreadyExists) < 1) {
- $maxSequenceQuery = $adb->query("SELECT max(sequence) as maxsequence FROM vtiger_customerportal_tabs");
+ $maxSequenceQuery = $adb->pquery("SELECT max(sequence) as maxsequence FROM vtiger_customerportal_tabs", array());
 $maxSequence = $adb->query_result($maxSequenceQuery, 0, 'maxsequence');
 $nextSequence = $maxSequence+1;
- $adb->query("INSERT INTO vtiger_customerportal_tabs(tabid,visible,sequence) VALUES ($projectmilestoneTabid,1,$nextSequence)");
- $adb->query("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES ($projectmilestoneTabid,'showrelatedinfo',1)");
+ $adb->pquery("INSERT INTO vtiger_customerportal_tabs(tabid,visible,sequence) VALUES (?,?,?)", array($projectmilestoneTabid,1,$nextSequence));
+ $adb->pquery("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES (?,?,?)", array($projectmilestoneTabid,'showrelatedinfo',1));
 }
 }
diff --git a/pkg/vtiger/modules/Projects/ProjectTask/modules/ProjectTask/ProjectTask.php b/pkg/vtiger/modules/Projects/ProjectTask/modules/ProjectTask/ProjectTask.php
index 1fea35246a732ecbcc88b8ef889188c6d0f1b1dc..c48c3e82dc5fb65d0497162200663e00349a00c2 100644
--- a/pkg/vtiger/modules/Projects/ProjectTask/modules/ProjectTask/ProjectTask.php
+++ b/pkg/vtiger/modules/Projects/ProjectTask/modules/ProjectTask/ProjectTask.php
@@ -342,11 +342,11 @@ class ProjectTask extends CRMEntity {
 if(getTabid('CustomerPortal')) {
 $checkAlreadyExists = $adb->pquery('SELECT 1 FROM vtiger_customerportal_tabs WHERE tabid=?', array($projecttaskTabid));
 if($checkAlreadyExists && $adb->num_rows($checkAlreadyExists) < 1) {
- $maxSequenceQuery = $adb->query("SELECT max(sequence) as maxsequence FROM vtiger_customerportal_tabs");
+ $maxSequenceQuery = $adb->pquery("SELECT max(sequence) as maxsequence FROM vtiger_customerportal_tabs", array());
 $maxSequence = $adb->query_result($maxSequenceQuery, 0, 'maxsequence');
 $nextSequence = $maxSequence+1;
- $adb->query("INSERT INTO vtiger_customerportal_tabs(tabid,visible,sequence) VALUES ($projecttaskTabid,1,$nextSequence)");
- $adb->query("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES ($projecttaskTabid,'showrelatedinfo',1)");
+ $adb->pquery("INSERT INTO vtiger_customerportal_tabs(tabid,visible,sequence) VALUES (?, ?, ?)", array($projecttaskTabid,1,$nextSequence));
+ $adb->pquery("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES (?, ?, ?)", array($projecttaskTabid,'showrelatedinfo',1));
 }
 }
diff --git a/pkg/vtiger/modules/RecycleBin/modules/RecycleBin/models/Module.php b/pkg/vtiger/modules/RecycleBin/modules/RecycleBin/models/Module.php
index d3cdec9291b9990523ca4bd7da2e2ac0b91d2dfe..e24f4040776aa24ce21f5ffb0c6de8f21aebcef5 100644
--- a/pkg/vtiger/modules/RecycleBin/modules/RecycleBin/models/Module.php
+++ b/pkg/vtiger/modules/RecycleBin/modules/RecycleBin/models/Module.php
@@ -134,8 +134,8 @@ class RecycleBin_Module_Model extends Vtiger_Module_Model {
 }
 }
 $this->deleteFiles($recordIds);
- $db->query('DELETE FROM vtiger_crmentity WHERE deleted = 1');
- $db->query('DELETE FROM vtiger_relatedlists_rb');
+ $db->pquery('DELETE FROM vtiger_crmentity WHERE deleted = 1', array());
+ $db->pquery('DELETE FROM vtiger_relatedlists_rb', array());
 return true;
 }
diff --git a/pkg/vtiger/modules/ServiceContracts/modules/ServiceContracts/ServiceContracts.php b/pkg/vtiger/modules/ServiceContracts/modules/ServiceContracts/ServiceContracts.php
index 1f9225c0ecbe6f600d65c26460bbfc9eac012953..d63ec22015fd984cad18cdb1f13697c9d2fc0366 100644
--- a/pkg/vtiger/modules/ServiceContracts/modules/ServiceContracts/ServiceContracts.php
+++ b/pkg/vtiger/modules/ServiceContracts/modules/ServiceContracts/ServiceContracts.php
@@ -390,7 +390,7 @@ class ServiceContracts extends CRMEntity {
 $adb->pquery("INSERT into vtiger_modentity_num values(?,?,?,?,?,?)",array($adb->getUniqueId("vtiger_modentity_num"),$moduleName,'SERCON',1,1,1));
 // Make the picklist value 'Complete' for status as non-editable
- $adb->query("UPDATE vtiger_contract_status SET presence=0 WHERE contract_status='Complete'");
+ $adb->pquery("UPDATE vtiger_contract_status SET presence=0 WHERE contract_status=?", array('Complete'));
 // Mark the module as Standard module
 $adb->pquery('UPDATE vtiger_tab SET customized=0 WHERE name=?', array($moduleName));
@@ -601,6 +601,9 @@ class ServiceContracts extends CRMEntity {
 /** Function to unlink an entity with given Id from another entity */
 function unlinkRelationship($id, $return_module, $return_id) {
 global $log, $currentModule;
+ $id = Vtiger_Util_Helper::validateStringForSql($id);
+ $return_module = Vtiger_Util_Helper::validateStringForSql($return_module);
+ $return_id = Vtiger_Util_Helper::validateStringForSql($return_id);
 if($return_module == 'Accounts') {
 $focus = CRMEntity::getInstance($return_module);
diff --git a/pkg/vtiger/modules/Tooltip/modules/Tooltip/Tooltip.php b/pkg/vtiger/modules/Tooltip/modules/Tooltip/Tooltip.php
index 806ce55c5874affbc09676d272654226c268cd22..2bf0a7af6e0722ae108e5ba08cba069bc78f0082 100644
--- a/pkg/vtiger/modules/Tooltip/modules/Tooltip/Tooltip.php
+++ b/pkg/vtiger/modules/Tooltip/modules/Tooltip/Tooltip.php
@@ -34,9 +34,10 @@ class Tooltip {
 $icon = 'quickview.png';
 $description = 'LBL_TOOLTIP_MANAGEMENT_DESCRIPTION';
 $links = 'index.php?module=Tooltip&action=QuickView&parenttab=Settings';
-
- $adb->query("INSERT INTO vtiger_settings_field (fieldid, blockid, name, iconpath, description, linkto)
- VALUES (".$adb->getUniqueID('vtiger_settings_field').", ".getSettingsBlockId($blockname).", '$name', '$icon', '$description', '$links')");
+ $params = array($adb->getUniqueID('vtiger_settings_field'), getSettingsBlockId($blockname), $name, $icon, $description, $links);
+
+ $adb->pquery("INSERT INTO vtiger_settings_field (fieldid, blockid, name, iconpath, description, linkto)
+ VALUES (". generateQuestionMarks($params).")", $params);
 } else if($eventType == 'module.disabled') {
 // TODO Handle actions when this module is disabled.
 $moduleInstance = Vtiger_Module::getInstance('Tooltip');
diff --git a/vtlib/Vtiger/Access.php b/vtlib/Vtiger/Access.php
index 83d84025f2f54557da9a6f7275d55940600df606..ea24637d9656d83f4af3d2f5e16f2ba5bf383ff9 100644
--- a/vtlib/Vtiger/Access.php
+++ b/vtlib/Vtiger/Access.php
@@ -69,8 +69,8 @@ class Vtiger_Access {
 static function initSharing($moduleInstance) {
 global $adb;
- $result = $adb->query("SELECT share_action_id from vtiger_org_share_action_mapping WHERE share_action_name in
- ('Public: Read Only', 'Public: Read, Create/Edit', 'Public: Read, Create/Edit, Delete', 'Private')");
+ $result = $adb->pquery("SELECT share_action_id from vtiger_org_share_action_mapping WHERE share_action_name in
+ ('Public: Read Only', 'Public: Read, Create/Edit', 'Public: Read, Create/Edit, Delete', 'Private')", array());
 for($index = 0; $index < $adb->num_rows($result); ++$index) {
 $actionid = $adb->query_result($result, $index, 'share_action_id');
diff --git a/vtlib/Vtiger/Deprecated.php b/vtlib/Vtiger/Deprecated.php
index 43e7ec882b73e161ea9840ec03d4adcfe5587057..f574c1c5ae13a1ab39a9b3a86fe13910d8480b81 100644
--- a/vtlib/Vtiger/Deprecated.php
+++ b/vtlib/Vtiger/Deprecated.php
@@ -541,19 +541,19 @@ class Vtiger_Deprecated {
 global $adb;
 switch ($module) {
 case "Invoice":
- $res = $adb->query("SELECT invoice_no FROM vtiger_invoice WHERE invoiceid = $recordId");
+ $res = $adb->pquery("SELECT invoice_no FROM vtiger_invoice WHERE invoiceid = ?", array($recordId));
 $moduleSeqNo = $adb->query_result($res, 0, 'invoice_no');
 break;
 case "PurchaseOrder":
- $res = $adb->query("SELECT purchaseorder_no FROM vtiger_purchaseorder WHERE purchaseorderid = $recordId");
+ $res = $adb->pquery("SELECT purchaseorder_no FROM vtiger_purchaseorder WHERE purchaseorderid = ?", array($recordId));
 $moduleSeqNo = $adb->query_result($res, 0, 'purchaseorder_no');
 break;
 case "Quotes":
- $res = $adb->query("SELECT quote_no FROM vtiger_quotes WHERE quoteid = $recordId");
+ $res = $adb->pquery("SELECT quote_no FROM vtiger_quotes WHERE quoteid = ?", array($recordId));
 $moduleSeqNo = $adb->query_result($res, 0, 'quote_no');
 break;
 case "SalesOrder":
- $res = $adb->query("SELECT salesorder_no FROM vtiger_salesorder WHERE salesorderid = $recordId");
+ $res = $adb->pquery("SELECT salesorder_no FROM vtiger_salesorder WHERE salesorderid = ?", array($recordId));
 $moduleSeqNo = $adb->query_result($res, 0, 'salesorder_no');
 break;
 }
diff --git a/vtlib/Vtiger/Filter.php b/vtlib/Vtiger/Filter.php
index 217007487a5189cd3e4e37312b1216846a456347..7dcccc1394656c8d1230ef8b588325b42cb36cae 100644
--- a/vtlib/Vtiger/Filter.php
+++ b/vtlib/Vtiger/Filter.php
@@ -281,9 +281,9 @@ class Vtiger_Filter {
 $cvids[] = $adb->query_result($cvidres, $index, 'cvid');
 }
 if(!empty($cvids)) {
- $adb->pquery("DELETE FROM vtiger_cvadvfilter WHERE cvid IN (" . implode(',', $cvids) . ")", array());
- $adb->pquery("DELETE FROM vtiger_cvcolumnlist WHERE cvid IN (" . implode(',', $cvids) . ")", array());
- $adb->pquery("DELETE FROM vtiger_customview WHERE cvid IN (" . implode(',', $cvids) . ")", array());
+ $adb->pquery("DELETE FROM vtiger_cvadvfilter WHERE cvid IN (" . generateQuestionMarks($cvids) . ")", array($cvids));
+ $adb->pquery("DELETE FROM vtiger_cvcolumnlist WHERE cvid IN (" . generateQuestionMarks($cvids) . ")", array($cvids));
+ $adb->pquery("DELETE FROM vtiger_customview WHERE cvid IN (" . generateQuestionMarks($cvids) . ")", array($cvids));
 }
 }
 }
diff --git a/vtlib/Vtiger/Functions.php b/vtlib/Vtiger/Functions.php
index 840421bb863ddff0ad429d13629530e8651258b6..9dbd03e8959d8c8218d3592030a6c624029bf9d8 100644
--- a/vtlib/Vtiger/Functions.php
+++ b/vtlib/Vtiger/Functions.php
@@ -729,6 +729,8 @@ class Vtiger_Functions {
 static function getSingleFieldValue($tablename, $fieldname, $idname, $id) {
 global $adb;
+ $fieldname = Vtiger_Util_Helper::validateStringForSql($fieldname);
+ $idname = Vtiger_Util_Helper::validateStringForSql($idname);
 $fieldval = $adb->query_result($adb->pquery("select $fieldname from $tablename where $idname = ?", array($id)), 0, $fieldname);
 return $fieldval;
 }
@@ -955,6 +957,7 @@ class Vtiger_Functions {
 static function getPickListValuesFromTableForRole($tablename, $roleid) {
 global $adb;
+ $tablename = Vtiger_Util_Helper::validateStringForSql($tablename);
 $query = "select $tablename from vtiger_$tablename inner join vtiger_role2picklist on vtiger_role2picklist.picklistvalueid = vtiger_$tablename.picklist_valueid where roleid=? and picklistid in (select picklistid from vtiger_picklist) order by sortorderid";
 $result = $adb->pquery($query, array($roleid));
 $fldVal = Array();
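Review bot: `getSingleFieldValue` validates `$fieldname` and `$idname` but leaves `$tablename`, which is interpolated into the same statement (`from $tablename`), untouched; the whole function is visible in the hunk, so nothing else covers it. The next hunk (`getPickListValuesFromTableForRole`) and the `Vtiger_Utils` methods in this commit do validate table names, so this looks like an omission rather than a choice: add `$tablename = Vtiger_Util_Helper::validateStringForSql($tablename);` next to the two new lines.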
diff --git a/vtlib/Vtiger/Link.php b/vtlib/Vtiger/Link.php
index c006fb5075b2ab9152f6462249441e7297a1ddc2..5b827368d09f1a3fa84e7ef8d074ec2e642f832b 100644
--- a/vtlib/Vtiger/Link.php
+++ b/vtlib/Vtiger/Link.php
@@ -295,17 +295,21 @@ class Vtiger_Link {
 $isColumnUpdate = false;
 $sql = 'UPDATE vtiger_links SET ';
+ $params = array();
 foreach ($linkInfo as $column => $columnValue) {
 if (in_array($column, $columnsList)) {
 $columnValue = ($column == 'sequence') ? intval($columnValue) : $columnValue;
- $sql .= "$column='$columnValue',";
+ $column = Vtiger_Util_Helper::validateStringForSql($column);
+ $sql .= "$column = ?,";
+ array_push($params, $columnValue);
 $isColumnUpdate = true;
 }
 }
 if ($isColumnUpdate) {
 $sql = trim($sql, ',').' WHERE tabid=? AND linkid=?';
- $db->pquery($sql, array($tabId, $linkId));
+ array_push($params, $tabId, $linkId);
+ $db->pquery($sql, $params);
 }
 }
 }
diff --git a/vtlib/Vtiger/ModuleBasic.php b/vtlib/Vtiger/ModuleBasic.php
index 3f2adc269493dd5ac7be8815f01784d9661cc92c..4e57fef5745b14c1af2f4c7f3938573016f5e9be 100644
--- a/vtlib/Vtiger/ModuleBasic.php
+++ b/vtlib/Vtiger/ModuleBasic.php
@@ -114,7 +114,7 @@ class Vtiger_ModuleBasic {
 */
 function __getUniqueId() {
 global $adb;
- $result = $adb->query("SELECT MAX(tabid) AS max_seq FROM vtiger_tab");
+ $result = $adb->pquery("SELECT MAX(tabid) AS max_seq FROM vtiger_tab", array());
 $maxseq = $adb->query_result($result, 0, 'max_seq');
 return ++$maxseq;
 }
diff --git a/vtlib/Vtiger/Utils.php b/vtlib/Vtiger/Utils.php
index 885e2143b4796e141372d4ef432bc882f7087188..452ea7ab364261a4ab2724c29b999c8565ea7668 100644
--- a/vtlib/Vtiger/Utils.php
+++ b/vtlib/Vtiger/Utils.php
@@ -171,6 +171,7 @@ class Vtiger_Utils {
 static function CreateTable($tablename, $criteria, $suffixTableMeta=false) {
 global $adb;
+ $tablename = Vtiger_Util_Helper::validateStringForSql($tablename);
 $org_dieOnError = $adb->dieOnError;
 $adb->dieOnError = false;
 $sql = "CREATE TABLE " . $tablename . $criteria;
@@ -196,6 +197,7 @@ class Vtiger_Utils {
 */
 static function AlterTable($tablename, $criteria) {
 global $adb;
+ $tablename = Vtiger_Util_Helper::validateStringForSql($tablename);
 $adb->query("ALTER TABLE " . $tablename . $criteria);
 }
@@ -220,6 +222,7 @@ class Vtiger_Utils {
 */
 static function TableHasForeignKey($tablename, $key) {
 $db = PearDatabase::getInstance();
+ $tablename = Vtiger_Util_Helper::validateStringForSql($tablename);
 $rs = $db->pquery("SELECT 1 FROM information_schema.TABLE_CONSTRAINTS WHERE CONSTRAINT_TYPE = 'FOREIGN KEY' AND TABLE_SCHEMA = ? AND TABLE_NAME = ? AND CONSTRAINT_NAME = ?", array($db->dbName, $tablename, $key));
 return $db->num_rows($rs) > 0 ? true : false;
 }
@@ -246,6 +249,7 @@ class Vtiger_Utils {
 */
 static function CreateTableSql($tablename) {
 global $adb;
+ $tablename = Vtiger_Util_Helper::validateStringForSql($tablename);
 $create_table = $adb->pquery("SHOW CREATE TABLE $tablename", array());
 $sql = decode_html($adb->query_result($create_table, 0, 1));
 return $sql;
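Review bot: In `TableHasForeignKey` the new `validateStringForSql` call is applied to a value that is already passed as a bound `?` parameter, so it adds no protection and, if the helper rewrites or strips characters, could make the lookup silently return false for a legitimate table name; either drop it there or add a comment saying why it is wanted. `AlterTable` keeps `$adb->query("ALTER TABLE " . $tablename . $criteria)` with `$criteria` still concatenated raw, so validating the table name covers only part of that statement; a comment such as `// $criteria is DDL supplied by installer code, not user input` would record the remaining assumption. `CreateTable` in the previous hunk has the same shape with `$sql = "CREATE TABLE " . $tablename . $criteria;`, and its body continues past that hunk.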