diff --git a/modules/Calendar/Activity.php b/modules/Calendar/Activity.php
index 77f4cb79a186500949ebfc3bae241f77b97a565f..e40a285a67d68aea203d902831af955870f2bce3 100644
--- a/modules/Calendar/Activity.php
+++ b/modules/Calendar/Activity.php
@@ -1165,6 +1165,8 @@ function insertIntoRecurringTable(& $recurObj)
 			$tabId = getTabid("Calendar");
 			$eventTempTable = 'vt_tmp_u'.$userModel->id.'_t'.$tabId.'_events'.$scope;
 			$taskTempTable = 'vt_tmp_u'.$userModel->id.'_t'.$tabId.'_task'.$scope;
+            $eventTempTable = Vtiger_Util_Helper::validateStringForSql($eventTempTable);
+            $taskTempTable = Vtiger_Util_Helper::validateStringForSql($taskTempTable);
 			$query = " ($eventTempTable.shared IS NOT NULL OR $taskTempTable.shared IS NOT NULL) ";
 		}
 		return $query;
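Review bot: The result of `Vtiger_Util_Helper::validateStringForSql()` is written straight back to `$eventTempTable` and `$taskTempTable` and interpolated into `$query` without being checked. The helper's body is not shown; if it signals a rejected name by returning false or an empty value, the fragment becomes `.shared IS NOT NULL` and the failure surfaces as a SQL error rather than a refused request. A guard before the query is built makes the rejection explicit, for example `if (!$eventTempTable || !$taskTempTable) { throw new Exception('Invalid temporary table name'); }`. The same unchecked assignment is added for `$tableName` in the modules/Emails/Emails.php hunk, and in both places the new lines are indented with spaces where the surrounding lines use tabs. The enclosing function starts above this hunk, so the origin of `$scope` and `$userModel` cannot be confirmed from here.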
diff --git a/modules/Campaigns/models/Record.php b/modules/Campaigns/models/Record.php
index 718d22e990be2cc265d859c35370ee4ef0a2cca5..1aa1e53732a131081b35d3a25b654928173256d6 100644
--- a/modules/Campaigns/models/Record.php
+++ b/modules/Campaigns/models/Record.php
@@ -29,10 +29,10 @@ class Campaigns_Record_Model extends Vtiger_Record_Model {
 					INNER JOIN vtiger_crmentity ON $tableName.$fieldName = vtiger_crmentity.crmid AND vtiger_crmentity.deleted = ?
 					WHERE campaignid = ?";
 		if ($excludedIds) {
-			$query .= " AND $fieldName NOT IN (". implode(',', $excludedIds) .")";
+			$query .= " AND $fieldName NOT IN (". generateQuestionMarks($excludedIds) .")";
 		}
 
-		$result = $db->pquery($query, array(0, $this->getId()));
+		$result = $db->pquery($query, array(0, $this->getId(), $excludedIds));
 		$numOfRows = $db->num_rows($result);
 
 		$selectedIdsList = array();
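Review bot: `$excludedIds` is now always passed in the parameter array of the `pquery` call, but its placeholders are only appended to `$query` inside `if ($excludedIds)`. An empty array presumably flattens to nothing, but a null or empty-string value would leave three parameters for two placeholders, depending on how `pquery` flattens nested arguments (not visible here). Building the list next to the clause keeps the two in step: `$params = array(0, $this->getId());` before the `if`, `$params = array_merge($params, $excludedIds);` inside it, then `$db->pquery($query, $params)`. `$tableName` and `$fieldName` are still interpolated into the statement and are defined above the hunk, so it is worth confirming they never carry request-derived text.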
diff --git a/modules/Emails/Emails.php b/modules/Emails/Emails.php
index f3dac4473ecedbf522c468277a292c54188eb6e3..19316b7a2604b3654cd133694f40323ff0e60de4 100644
--- a/modules/Emails/Emails.php
+++ b/modules/Emails/Emails.php
@@ -550,6 +550,7 @@ class Emails extends CRMEntity {
 			$module = getTabname($tabId);
 		}
 		$query = $this->getNonAdminAccessQuery($module, $user, $parentRole, $userGroups);
+        $tableName = Vtiger_Util_Helper::validateStringForSql($tableName);
 		$query = "create temporary table IF NOT EXISTS $tableName(id int(11) primary key, shared int(1) default 0) ignore ".$query;
 		$db = PearDatabase::getInstance();
 		$result = $db->pquery($query, array());
diff --git a/modules/Emails/models/Module.php b/modules/Emails/models/Module.php
index c591f976d61a36eaa60685779a6ba3d895acd291..15a6487db94dd7a6641ebd6b461e35ef429527cd 100644
--- a/modules/Emails/models/Module.php
+++ b/modules/Emails/models/Module.php
@@ -88,8 +88,8 @@ class Emails_Module_Model extends Vtiger_Module_Model{
             $query = "SELECT vtiger_emailslookup.crmid, vtiger_emailslookup.setype, vtiger_emailslookup.value, 
                           vtiger_crmentity.label FROM vtiger_emailslookup INNER JOIN vtiger_crmentity on 
                           vtiger_crmentity.crmid = vtiger_emailslookup.crmid AND vtiger_crmentity.deleted=0 WHERE 
-						  vtiger_emailslookup.fieldid in (".implode(',', $fieldIds).") and 
-						  vtiger_emailslookup.setype in (".implode(',', $activeModules).") 
+						  vtiger_emailslookup.fieldid in (".generateQuestionMarks($fieldIds).") and 
+						  vtiger_emailslookup.setype in (".generateQuestionMarks($activeModules).") 
                           and (vtiger_emailslookup.value LIKE ? OR vtiger_crmentity.label LIKE ?)";
 
 			$emailOptOutIds = $this->getEmailOptOutRecordIds();
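Review bot: Binding `$activeModules` changes what is compared against `vtiger_emailslookup.setype` if the array elements carry their own quotes. The removed line joined them with a bare `implode(',', $activeModules)` inside `in (...)`, which suggests each element was already wrapped in single quotes where the array is built (above this hunk); passed as bound values, those quotes would become part of the data and the lookup would match nothing. Confirm how `$activeModules` is populated and, if it is pre-quoted, drop the embedded quotes at that point. An empty `$fieldIds` or `$activeModules` still produces `in ()`, as it did before this change.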
@@ -97,7 +97,7 @@ class Emails_Module_Model extends Vtiger_Module_Model{
 				$query .= " AND vtiger_emailslookup.crmid NOT IN (".implode(',', $emailOptOutIds).")";
 			}
 
-			$result = $db->pquery($query, array('%'.$searchValue.'%', '%'.$searchValue.'%'));
+			$result = $db->pquery($query, array($fieldIds, $activeModules, '%'.$searchValue.'%', '%'.$searchValue.'%'));
             $isAdmin = is_admin($current_user);
 			while ($row = $db->fetchByAssoc($result)) {
 				if (!$isAdmin) {
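Review bot: The `NOT IN (".implode(',', $emailOptOutIds).")` clause on the first context line of this hunk is still built by string concatenation, while the rest of the query has been moved to placeholders. The ids come from `getEmailOptOutRecordIds()`, whose body is not shown, so the exposure may be low, but it leaves one interpolated list in a statement that is otherwise bound. It can follow the same pattern: `$query .= " AND vtiger_emailslookup.crmid NOT IN (".generateQuestionMarks($emailOptOutIds).")";` with `$emailOptOutIds` appended to the parameter array after the two LIKE values, and only when that clause is added. The condition guarding the clause sits just above the hunk.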