From 758a6a396de36327e63c79f8de13828e91cdcad9 Mon Sep 17 00:00:00 2001 From: Uma <uma.s@vtiger.com> Date: Wed, 18 Sep 2019 18:30:03 +0530 Subject: [PATCH] Test and corrected parametrized queries --- modules/Campaigns/models/Record.php | 4 +- modules/Contacts/models/Module.php | 60 +++++++++++++-------- modules/Emails/models/Module.php | 11 ++-- modules/Potentials/models/Module.php | 7 ++- modules/Reports/models/Folder.php | 14 +++-- modules/Settings/Picklist/models/Module.php | 6 +-- modules/Vtiger/models/Module.php | 3 ++ 7 files changed, 72 insertions(+), 33 deletions(-) diff --git a/modules/Campaigns/models/Record.php b/modules/Campaigns/models/Record.php index 1aa1e5373..fd743e673 100644 --- a/modules/Campaigns/models/Record.php +++ b/modules/Campaigns/models/Record.php @@ -28,11 +28,13 @@ class Campaigns_Record_Model extends Vtiger_Record_Model { $query = "SELECT $fieldName FROM $tableName INNER JOIN vtiger_crmentity ON $tableName.$fieldName = vtiger_crmentity.crmid AND vtiger_crmentity.deleted = ? WHERE campaignid = ?"; + $params = array(0, $this->getId()); if ($excludedIds) { $query .= " AND $fieldName NOT IN (". generateQuestionMarks($excludedIds) .")"; + $params = array_merge($params, $excludedIds); } - $result = $db->pquery($query, array(0, $this->getId(), $excludedIds)); + $result = $db->pquery($query, $params); $numOfRows = $db->num_rows($result); $selectedIdsList = array(); diff --git a/modules/Contacts/models/Module.php b/modules/Contacts/models/Module.php index c2a6ad66a..d32a90070 100644 --- a/modules/Contacts/models/Module.php +++ b/modules/Contacts/models/Module.php 
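Review bot: The new `$params = array_merge($params, $excludedIds);` requires `$excludedIds` to be an array, while `generateQuestionMarks($excludedIds)` on the line above also accepts a comma-separated string in this codebase as far as I recall; if any caller passes a string, PHP 8 throws a TypeError and PHP 7 emits a warning and leaves `$params` null, so the query would run with no bindings at all. Either normalise once before the `if`, `$excludedIds = is_array($excludedIds) ? $excludedIds : explode(',', $excludedIds);`, or document on the method that only arrays are accepted. Building `$params` incrementally is the right shape; a short comment, `// bound in placeholder order: deleted, campaignid, then excluded ids`, would keep later edits from reordering it. The method signature and the `$db` assignment lie before this hunk.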
@@ -160,69 +160,87 @@ class Contacts_Module_Model extends Vtiger_Module_Model { * @return <String> - query */ function getSearchRecordsQuery($searchValue, $searchFields, $parentId=false, $parentModule=false) { - if($parentId && $parentModule == 'Accounts') { + $db = PearDatabase::getInstance(); + if($parentId && $parentModule == 'Accounts') { $query = "SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid - WHERE deleted = 0 AND vtiger_contactdetails.accountid = $parentId AND label like '%$searchValue%'"; - return $query; + WHERE deleted = 0 AND vtiger_contactdetails.accountid = ? AND label like ?"; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } else if($parentId && $parentModule == 'Potentials') { $query = "SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid LEFT JOIN vtiger_contpotentialrel ON vtiger_contpotentialrel.contactid = vtiger_contactdetails.contactid LEFT JOIN vtiger_potential ON vtiger_potential.contact_id = vtiger_contactdetails.contactid - WHERE deleted = 0 AND (vtiger_contpotentialrel.potentialid = $parentId OR vtiger_potential.potentialid = $parentId) - AND label like '%$searchValue%'"; - - return $query; + WHERE deleted = 0 AND (vtiger_contpotentialrel.potentialid = ? OR vtiger_potential.potentialid = ?) + AND label like ?"; + $params = array($parentId, $parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } else if ($parentId && $parentModule == 'HelpDesk') { $query = "SELECT ".implode(',',$searchFields)." 
FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid INNER JOIN vtiger_troubletickets ON vtiger_troubletickets.contact_id = vtiger_contactdetails.contactid - WHERE deleted=0 AND vtiger_troubletickets.ticketid = $parentId AND label like '%$searchValue%'"; + WHERE deleted=0 AND vtiger_troubletickets.ticketid = ? AND label like ?"; - return $query; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } else if($parentId && $parentModule == 'Campaigns') { $query = "SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid INNER JOIN vtiger_campaigncontrel ON vtiger_campaigncontrel.contactid = vtiger_contactdetails.contactid - WHERE deleted=0 AND vtiger_campaigncontrel.campaignid = $parentId AND label like '%$searchValue%'"; + WHERE deleted=0 AND vtiger_campaigncontrel.campaignid = ? AND label like ?"; - return $query; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } else if($parentId && $parentModule == 'Vendors') { $query = "SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid INNER JOIN vtiger_vendorcontactrel ON vtiger_vendorcontactrel.contactid = vtiger_contactdetails.contactid - WHERE deleted=0 AND vtiger_vendorcontactrel.vendorid = $parentId AND label like '%$searchValue%'"; + WHERE deleted=0 AND vtiger_vendorcontactrel.vendorid = ? AND label like ?"; - return $query; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } else if ($parentId && $parentModule == 'Quotes') { $query = "SELECT ".implode(',',$searchFields)." 
FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid INNER JOIN vtiger_quotes ON vtiger_quotes.contactid = vtiger_contactdetails.contactid - WHERE deleted=0 AND vtiger_quotes.quoteid = $parentId AND label like '%$searchValue%'"; + WHERE deleted=0 AND vtiger_quotes.quoteid = ? AND label like ?"; - return $query; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } else if ($parentId && $parentModule == 'PurchaseOrder') { $query = "SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid INNER JOIN vtiger_purchaseorder ON vtiger_purchaseorder.contactid = vtiger_contactdetails.contactid - WHERE deleted=0 AND vtiger_purchaseorder.purchaseorderid = $parentId AND label like '%$searchValue%'"; + WHERE deleted=0 AND vtiger_purchaseorder.purchaseorderid = ? AND label like ?"; - return $query; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } else if ($parentId && $parentModule == 'SalesOrder') { $query = "SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid INNER JOIN vtiger_salesorder ON vtiger_salesorder.contactid = vtiger_contactdetails.contactid - WHERE deleted=0 AND vtiger_salesorder.salesorderid = $parentId AND label like '%$searchValue%'"; + WHERE deleted=0 AND vtiger_salesorder.salesorderid = ? AND label like ?"; - return $query; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } else if ($parentId && $parentModule == 'Invoice') { $query = "SELECT ".implode(',',$searchFields)." 
FROM vtiger_crmentity INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid INNER JOIN vtiger_invoice ON vtiger_invoice.contactid = vtiger_contactdetails.contactid - WHERE deleted=0 AND vtiger_invoice.invoiceid = $parentId AND label like '%$searchValue%'"; + WHERE deleted=0 AND vtiger_invoice.invoiceid = ? AND label like ?"; - return $query; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } return parent::getSearchRecordsQuery($searchValue,$searchFields,$parentId, $parentModule); diff --git a/modules/Emails/models/Module.php b/modules/Emails/models/Module.php index 15a6487db..57e4ae774 100644 --- a/modules/Emails/models/Module.php +++ b/modules/Emails/models/Module.php @@ -64,6 +64,7 @@ class Emails_Module_Model extends Vtiger_Module_Model{ public function searchEmails($searchValue, $moduleName = false) { global $current_user; $emailsResult = array(); + $params = array(); $db = PearDatabase::getInstance(); $EmailsModuleModel = Vtiger_Module_Model::getInstance('Emails'); 
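Review bot: Seven of the nine branches in getSearchRecordsQuery differ only in the joined table and its two column names, and each now repeats the same three `$params`/`convert2Sql`/`return` lines, so the next relation added will be another copy-paste; a small module→(table, contact column, id column) map collapses them into one query template, with the Accounts and Potentials branches (different join shape) left as they are. `$searchFields` is still interpolated through `implode` because column names cannot be bound; that is only safe while callers pass fixed identifiers, as Vtiger_Module_Model::searchRecord does with its hard-coded list, so a comment above the method stating that contract is worth adding. Note also that `convert2Sql` returns an already-rendered string which the caller then passes to `pquery` with an empty parameter array, so this change relies on the driver's client-side escaping rather than server-side binding. The hunk ends at the parent fallback; the method's closing brace is not visible here.
```php
$db = PearDatabase::getInstance();
// module => (join table, column holding the contact id, column holding the parent id);
// Accounts and Potentials keep their own branches because their join shape differs
$relations = array(
    'HelpDesk'      => array('vtiger_troubletickets',  'contact_id', 'ticketid'),
    'Campaigns'     => array('vtiger_campaigncontrel', 'contactid',  'campaignid'),
    'Vendors'       => array('vtiger_vendorcontactrel','contactid',  'vendorid'),
    'Quotes'        => array('vtiger_quotes',          'contactid',  'quoteid'),
    'PurchaseOrder' => array('vtiger_purchaseorder',   'contactid',  'purchaseorderid'),
    'SalesOrder'    => array('vtiger_salesorder',      'contactid',  'salesorderid'),
    'Invoice'       => array('vtiger_invoice',         'contactid',  'invoiceid'),
);
// … unchanged: Accounts and Potentials branches …
if ($parentId && isset($relations[$parentModule])) {
    list($table, $contactColumn, $idColumn) = $relations[$parentModule];
    // $searchFields are trusted column identifiers supplied by the caller; they cannot be bound
    $query = "SELECT ".implode(',',$searchFields)."
        FROM vtiger_crmentity
        INNER JOIN vtiger_contactdetails ON vtiger_contactdetails.contactid = vtiger_crmentity.crmid
        INNER JOIN $table ON $table.$contactColumn = vtiger_contactdetails.contactid
        WHERE deleted=0 AND $table.$idColumn = ? AND label like ?";
    return $db->convert2Sql($query, array($parentId, "%$searchValue%"));
}
// … unchanged: parent::getSearchRecordsQuery fallback …
```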
@@ -91,13 +92,17 @@ class Emails_Module_Model extends Vtiger_Module_Model{ vtiger_emailslookup.fieldid in (".generateQuestionMarks($fieldIds).") and vtiger_emailslookup.setype in (".generateQuestionMarks($activeModules).") and (vtiger_emailslookup.value LIKE ? OR vtiger_crmentity.label LIKE ?)"; - + $params = array_merge($params, $fieldIds); + $params = array_merge($params, $activeModules); + array_push($params, "%$searchValue%"); + array_push($params, "%$searchValue%"); $emailOptOutIds = $this->getEmailOptOutRecordIds(); if (!empty($emailOptOutIds)) { - $query .= " AND vtiger_emailslookup.crmid NOT IN (".implode(',', $emailOptOutIds).")"; + $query .= " AND vtiger_emailslookup.crmid NOT IN (". generateQuestionMarks($emailOptOutIds).")"; + $params = array_merge($params, $emailOptOutIds); } - $result = $db->pquery($query, array($fieldIds, $activeModules, '%'.$searchValue.'%', '%'.$searchValue.'%')); + $result = $db->pquery($query, $params); $isAdmin = is_admin($current_user); while ($row = $db->fetchByAssoc($result)) { if (!$isAdmin) { diff --git a/modules/Potentials/models/Module.php b/modules/Potentials/models/Module.php index d33ec91eb..bb6a9a7a3 100644 --- a/modules/Potentials/models/Module.php +++ b/modules/Potentials/models/Module.php 
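Review bot: The two `array_merge` and two `array_push` calls that build `$params` after the query string read more clearly as a single statement mirroring placeholder order, `$params = array_merge($params, $fieldIds, $activeModules, array("%$searchValue%", "%$searchValue%"));`. The binding order is correct only as long as nothing between the `$params = array();` added in the earlier hunk and this point appends to `$params`, which the hunk does not show; a comment such as `// bound in placeholder order: fieldid IN, setype IN, value LIKE, label LIKE, then opt-out NOT IN` would pin that down. If `$fieldIds` or `$activeModules` can be empty, `generateQuestionMarks` produces `in ()`, a SQL syntax error rather than an empty result set; that is pre-existing but deserves a guard now that the bindings are being reworked. searchEmails begins in the previous hunk and continues past this one.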
@@ -360,11 +360,14 @@ class Potentials_Module_Model extends Vtiger_Module_Model { * @return <String> - query */ public function getSearchRecordsQuery($searchValue,$searchFields, $parentId=false, $parentModule=false) { + $db = PearDatabase::getInstance(); if($parentId && in_array($parentModule, array('Accounts', 'Contacts'))) { $query = "SELECT ".implode(',',$searchFields)." FROM vtiger_crmentity INNER JOIN vtiger_potential ON vtiger_potential.potentialid = vtiger_crmentity.crmid - WHERE deleted = 0 AND vtiger_potential.related_to = $parentId AND label like '%$searchValue%'"; - return $query; + WHERE deleted = 0 AND vtiger_potential.related_to = ? AND label like ?"; + $params = array($parentId, "%$searchValue%"); + $returnQuery = $db->convert2Sql($query, $params); + return $returnQuery; } return parent::getSearchRecordsQuery($parentId, $parentModule); } diff --git a/modules/Reports/models/Folder.php b/modules/Reports/models/Folder.php index ab166717e..a7e64d2a5 100644 --- a/modules/Reports/models/Folder.php +++ b/modules/Reports/models/Folder.php @@ -283,7 +283,8 @@ class Reports_Folder_Model extends Vtiger_Base_Model { public function getReportsCount() { $db = PearDatabase::getInstance(); $params = array(); - + global $log; + $log->fatal('get reports count api'); // To get the report ids which are permitted for the user $query = "SELECT reportmodulesid, primarymodule from vtiger_reportmodules"; $result = $db->pquery($query, array()); @@ -300,7 +301,7 @@ class Reports_Folder_Model extends Vtiger_Base_Model { $sql = "SELECT count(*) AS count FROM vtiger_report INNER JOIN vtiger_reportfolder ON vtiger_reportfolder.folderid = vtiger_report.folderid AND vtiger_report.reportid in (". generateQuestionMarks($allowedReportIds).")"; - array_push($params, $allowedReportIds); + $params = array_merge($params, $allowedReportIds); $fldrId = $this->getId(); if($fldrId == 'All') { $fldrId = false; 
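Review bot: The fallback `return parent::getSearchRecordsQuery($parentId, $parentModule);` on the hunk's last context line passes only two arguments, whereas the parent is called with four everywhere else in this patch (Contacts forwards `$searchValue, $searchFields, $parentId, $parentModule`, and Vtiger_Module_Model::searchRecord invokes it the same way), so `$parentId` lands in `$searchValue` and `$parentModule` in `$searchFields`, where `implode(',', $searchFields)` will fail or yield an empty column list. The commit edits this method but leaves that line; it should read `return parent::getSearchRecordsQuery($searchValue, $searchFields, $parentId, $parentModule);`. As in Contacts, `$searchFields` remains interpolated as identifiers and must stay a caller-supplied constant list.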
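Review bot: The `$log->fatal(...)` calls added in this hunk, in the `@@ -338` hunk of the same file, and in modules/Vtiger/models/Module.php `@@ -1466` look like leftover debugging: they fire at FATAL severity on every call, and the `@@ -338` hunk writes the full bound parameter list and the rendered SQL (`$db->convert2sql($sql, $params)`, an extra conversion performed only for the log) into the log file, which records user ids, role sequences and search input there. Remove them before merging, or at most keep them as `$log->debug(...)` so the rendering is not computed or persisted under a production log level. getReportsCount continues past this hunk.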
@@ -324,7 +325,8 @@ class Reports_Folder_Model extends Vtiger_Base_Model { $groupId = implode(',',$currentUserModel->get('groups')); if ($groupId) { - $groupQuery = "(SELECT reportid from vtiger_reportsharing WHERE shareid IN ($groupId) AND setype = 'groups') OR "; + $groupQuery = "(SELECT reportid from vtiger_reportsharing WHERE shareid IN (". generateQuestionMarks($currentUserModel->get('groups')).") AND setype = 'groups') OR "; + $params = array_merge($params, $currentUserModel->get('groups')); } $sql .= " AND (vtiger_report.reportid IN (SELECT reportid from vtiger_reportsharing WHERE $groupQuery shareid = ? AND setype = 'users') @@ -338,6 +340,12 @@ class Reports_Folder_Model extends Vtiger_Base_Model { $parentRoleSeq = $currentUserModel->get('parent_role_seq').'::%'; array_push($params, $currentUserId, $currentUserId, $parentRoleSeq); } + $log->fatal('Final query params are => '); + $log->fatal($params); + $log->fatal('sql query is => '); + $log->fatal($sql); + $log->fatal('Converted query is => '); + $log->fatal($db->convert2sql($sql, $params)); $result = $db->pquery($sql, $params); return $db->query_result($result, 0, 'count'); } diff --git a/modules/Settings/Picklist/models/Module.php b/modules/Settings/Picklist/models/Module.php index 344aa6f65..906484910 100644 --- a/modules/Settings/Picklist/models/Module.php +++ b/modules/Settings/Picklist/models/Module.php @@ -30,7 +30,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model { public function addPickListValues($fieldModel, $newValue, $rolesSelected = array(), $color = '') { $db = PearDatabase::getInstance(); - $pickListFieldName = $fieldModel->getName(); + $pickListFieldName = Vtiger_Util_Helper::validateStringForSql($fieldModel->getName()); $id = $db->getUniqueID("vtiger_$pickListFieldName"); vimport('~~/include/ComboUtil.php'); $picklist_valueid = getUniquePicklistID(); 
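Review bot: `$currentUserModel->get('groups')` is now read three times inside the `if ($groupId)` block (once through `implode` for the truthiness test, once for `generateQuestionMarks`, once for `array_merge`); read it once into `$groups = $currentUserModel->get('groups');` and test `if (!empty($groups))` rather than the imploded string. The merge order is correct only because the `$groupQuery` placeholders precede `shareid = ?` and the user-id pushes in the following hunk come after; a one-line comment, `// group ids bind before the shareid/owner placeholders pushed below`, would protect that ordering from later edits. The enclosing method begins before this hunk.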
@@ -290,6 +290,7 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model { public function updateSequence($pickListFieldName , $picklistValues, $rolesList = false) { $db = PearDatabase::getInstance(); + $pickListFieldName = Vtiger_Util_Helper::validateStringForSql($pickListFieldName); $primaryKey = Vtiger_Util_Helper::getPickListId($pickListFieldName); $paramArray = array(); $query = 'UPDATE '.$this->getPickListTableName($pickListFieldName).' SET sortorderid = CASE '; @@ -430,10 +431,9 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model { } else { $valueToDeleteID = $valueToDelete; } - + $pickListFieldName = Vtiger_Util_Helper::validateStringForSql($pickListFieldName); $primaryKey = Vtiger_Util_Helper::getPickListId($pickListFieldName); $pickListDeleteValue = array(); - $pickListFieldName = Vtiger_Util_Helper::validateStringForSql($pickListFieldName); $getPickListValueQuery = "SELECT $pickListFieldName FROM " . $this->getPickListTableName($pickListFieldName) . " WHERE $primaryKey IN (" . generateQuestionMarks($valueToDeleteID) . ")"; $result = $db->pquery($getPickListValueQuery, array($valueToDeleteID)); $num_rows = $db->num_rows($result); diff --git a/modules/Vtiger/models/Module.php b/modules/Vtiger/models/Module.php index 5e9c2edea..71880524d 100644 --- a/modules/Vtiger/models/Module.php +++ b/modules/Vtiger/models/Module.php 
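Review bot: In the `@@ -430` hunk the context line `$result = $db->pquery($getPickListValueQuery, array($valueToDeleteID));` wraps the list that `generateQuestionMarks($valueToDeleteID)` expands inside another array — the same nesting this commit removes in Campaigns/Record.php and Reports/Folder.php. If `pquery` does not flatten nested parameters (the apparent motivation for those fixes), the placeholder count will not match the bindings here; pass the ids directly, `$result = $db->pquery($getPickListValueQuery, (array) $valueToDeleteID);`. Moving `validateStringForSql` ahead of `getPickListId` in both hunks is sound since `$pickListFieldName` is interpolated as an identifier into the SELECT/UPDATE text; a short comment at the validation line, `// identifier, cannot be bound: validated before any SQL is built`, would keep the reason visible, and the same applies to the `@@ -30` hunk in this file. Both enclosing methods continue past their hunks.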
@@ -1466,11 +1466,14 @@ class Vtiger_Module_Model extends Vtiger_Module { * @return <Array of Vtiger_Record_Model> */ public function searchRecord($searchValue, $parentId=false, $parentModule=false, $relatedModule=false) { + global $log; + $log->fatal('search record api is triggered => '); $searchFields = array('crmid','label','setype'); if(!empty($searchValue) && empty($parentId) && empty($parentModule)) { $matchingRecords = Vtiger_Record_Model::getSearchResult($searchValue, $this->getName()); } else if($parentId && $parentModule) { $db = PearDatabase::getInstance(); + $log->fatal('call getSearchRecordsQuery api'); $result = $db->pquery($this->getSearchRecordsQuery($searchValue,$searchFields, $parentId, $parentModule), array()); $noOfRows = $db->num_rows($result); -- GitLab