diff --git a/modules/Vtiger/models/ListView.php b/modules/Vtiger/models/ListView.php
index f9841f95b4ca862fc9c481619c5afe840423d980..f218a9e9474cff67a9363c929b3f93cc5cf5aae8 100644
--- a/modules/Vtiger/models/ListView.php
+++ b/modules/Vtiger/models/ListView.php
@@ -232,12 +232,14 @@ class Vtiger_ListView_Model extends Vtiger_Base_Model {
 
 		$startIndex = $pagingModel->getStartIndex();
 		$pageLimit = $pagingModel->getPageLimit();
+		$paramArray = array();
 
 		if(!empty($orderBy) && $orderByFieldModel) {
 			if($orderBy == 'roleid' && $moduleName == 'Users'){
 				$listQuery .= ' ORDER BY vtiger_role.rolename '.' '. $sortOrder; 
 			} else {
-				$listQuery .= ' ORDER BY '.$queryGenerator->getOrderByColumn($orderBy).' '.$sortOrder;
+				$listQuery .= ' ORDER BY ? '.$sortOrder;
+				array_push($paramArray, $queryGenerator->getOrderByColumn($orderBy));
 			}
 
 			if ($orderBy == 'first_name' && $moduleName == 'Users') {
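Review bot: Binding the ORDER BY column as a `?` parameter on the new line 16 turns the identifier into a string literal, so the statement sorts by a constant and the requested ordering is silently lost; placeholders can carry values, not column names. The identifier should stay in the SQL text, with the guard already present (`$orderByFieldModel` must resolve, and `getOrderByColumn()` maps the field to a column) serving as the whitelist: `$listQuery .= ' ORDER BY '.$queryGenerator->getOrderByColumn($orderBy).' '.$sortOrder;` and no `array_push` for it. Note that `$sortOrder` is still concatenated unbound on both branches; if it can originate from the request, it should be constrained to exactly `ASC` or `DESC` before this point (I cannot see where it is set). The enclosing method starts and ends outside the hunk.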
@@ -256,9 +258,11 @@ class Vtiger_ListView_Model extends Vtiger_Base_Model {
 
 		ListViewSession::setSessionQuery($moduleName, $listQuery, $viewid);
 
-		$listQuery .= " LIMIT $startIndex,".($pageLimit+1);
-
-		$listResult = $db->pquery($listQuery, array());
+		$listQuery .= " LIMIT ?, ?";
+		array_push($paramArray, $startIndex);
+		array_push($paramArray, ($pageLimit+1));
+		
+		$listResult = $db->pquery($listQuery, $paramArray);
 
 		$listViewRecordModels = array();
 		$listViewEntries =  $listViewContoller->getListViewRecords($moduleFocus,$moduleName, $listResult);
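Review bot: The LIMIT parameters pushed on lines 29-30 are passed through uncast, even though `$startIndex` and `$pageLimit` come straight from the paging model getters (lines 7-8) and the same commit found it necessary to `intval()` the equivalent values in MiniList; if the database layer emits bound values as quoted strings, `LIMIT '0', '11'` is rejected by MySQL, and a non-numeric value would fail either way. Cast at the push site: `array_push($paramArray, (int) $startIndex);` and `array_push($paramArray, (int) $pageLimit + 1);`. The same LIMIT-binding pattern is repeated in the MiniList hunks ending at lines 76 and 96, where the values are already integers via the new `intval()` returns. As a point of style, `$paramArray[] = $value;` is the idiomatic form for appending a single element in all of these places. The enclosing method starts and ends outside the hunk.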
diff --git a/modules/Vtiger/models/MiniList.php b/modules/Vtiger/models/MiniList.php
index ea33da1ac378ef42f6a4b895492b4b88de3dd4f6..dbc5bf800306a775bd292ed8fbc83dc6983991df 100644
--- a/modules/Vtiger/models/MiniList.php
+++ b/modules/Vtiger/models/MiniList.php
@@ -105,13 +105,13 @@ class Vtiger_MiniList_Model extends Vtiger_Widget_Model {
         if(empty($pageLimit)) {
             $pageLimit = 10;
         }
-        return $pageLimit;
+        return intval($pageLimit);
 	}
     
     function getStartIndex() {
         $nextPage = $this->get('nextPage');
         $startIndex = (($nextPage - 1) * $this->getRecordLimit());
-        return $startIndex;
+        return intval($startIndex);
     }
 
 	public function getRecords() {
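Review bot: `getStartIndex()` (lines 48-53) can now return a negative integer that is then bound into `LIMIT ?, ?` by the later hunks: when `$this->get('nextPage')` is unset or `0`, `($nextPage - 1) * limit` is negative and MySQL rejects a negative offset. Clamping at the source keeps the page queries valid: `return max(0, intval($startIndex));`. I cannot see where `nextPage` is initialised, so this may already be guaranteed by the caller; if so, a short comment on the getter stating that `nextPage` is 1-based and always set would document the assumption. `getRecordLimit()` begins and `getRecords()` continues outside the hunk.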
@@ -121,15 +121,18 @@ class Vtiger_MiniList_Model extends Vtiger_Widget_Model {
 		if (!$this->listviewRecords) {
 			$db = PearDatabase::getInstance();
 
+			$paramArray = array();
 			$query = $this->queryGenerator->getQuery();
 			$query .= ' ORDER BY vtiger_crmentity.modifiedtime DESC';
-			$query .= ' LIMIT ' . $this->getStartIndex() . ',' . $this->getRecordLimit();
+			$query .= ' LIMIT ? , ?';
+			array_push($paramArray, $this->getStartIndex());
+			array_push($paramArray, $this->getRecordLimit());
 			$query = str_replace(" FROM ", ",vtiger_crmentity.crmid as id FROM ", $query);
             if($this->getTargetModule() == 'Calendar') {
                 $query = str_replace(" WHERE ", " WHERE vtiger_crmentity.setype = 'Calendar' AND ", $query);
             }
 
-			$result = $db->pquery($query, array());
+			$result = $db->pquery($query, $paramArray);
 
 			$targetModuleName = $this->getTargetModule();
 			$targetModuleFocus= CRMEntity::getInstance($targetModuleName);
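Review bot: The placeholder spelling on line 64, `' LIMIT ? , ?'`, differs from the `' LIMIT ?, ?'` used on line 85 of this same file and line 28 of ListView.php; the extra space is harmless to SQL but makes the three LIMIT clauses harder to grep and compare. Aligning on `$query .= ' LIMIT ?, ?';` keeps the three sites identical. The subsequent `str_replace` calls on lines 67-69 operate on the query text after the placeholders are appended, which is fine since they only touch `FROM`/`WHERE`; that ordering is worth a one-line comment so a future reader does not move the LIMIT append below them and wonder why it matters. The enclosing `if` block and `getRecords()` continue past the hunk.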
@@ -152,14 +155,17 @@ class Vtiger_MiniList_Model extends Vtiger_Widget_Model {
         $this->initListViewController();
         $db = PearDatabase::getInstance();
         $query = $this->queryGenerator->getQuery();
+		$paramArray = array();
         
         $startIndex = $this->getStartIndex() + $this->getRecordLimit();
-        $query .= ' LIMIT ' . $startIndex . ',' . $this->getRecordLimit();
+        $query .= ' LIMIT ?, ?';
+		array_push($paramArray, $startIndex);
+		array_push($paramArray, $this->getRecordLimit());
         if($this->getTargetModule() == 'Calendar') {
             $query = str_replace(" WHERE ", " WHERE vtiger_crmentity.setype = 'Calendar' AND ", $query);
         }
         
-        $result = $db->pquery($query, array());
+        $result = $db->pquery($query, $paramArray);
         if($db->num_rows($result) > 0) {
             return true;
         }
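Review bot: The added lines 81, 86 and 87 are indented with tabs while the surrounding method body (lines 78-80, 83, 85, 88-95) uses spaces, so the new code reads as mis-nested in a space-width editor and will churn again under any formatter pass. Re-indent the three lines with the same leading spaces as line 83, e.g. `        $paramArray = array();` placed before the `$startIndex` computation. The method that contains this hunk starts and ends outside it.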