From 77591074caa08df225540d735aa8a986d99c1ba9 Mon Sep 17 00:00:00 2001
From: Uma <uma.s@vtiger.com>
Date: Tue, 10 Sep 2019 18:23:44 +0530
Subject: [PATCH] Query Sanitization and parametrization

---
 modules/Calendar/Activity.php       | 2 ++
 modules/Campaigns/models/Record.php | 4 ++--
 modules/Emails/Emails.php           | 1 +
 modules/Emails/models/Module.php    | 6 +++---
 4 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/modules/Calendar/Activity.php b/modules/Calendar/Activity.php
index 77f4cb79a..e40a285a6 100644
--- a/modules/Calendar/Activity.php
+++ b/modules/Calendar/Activity.php
@@ -1165,6 +1165,8 @@ function insertIntoRecurringTable(& $recurObj)
 			$tabId = getTabid("Calendar");
 			$eventTempTable = 'vt_tmp_u'.$userModel->id.'_t'.$tabId.'_events'.$scope;
 			$taskTempTable = 'vt_tmp_u'.$userModel->id.'_t'.$tabId.'_task'.$scope;
+            $eventTempTable = Vtiger_Util_Helper::validateStringForSql($eventTempTable);
+            $taskTempTable = Vtiger_Util_Helper::validateStringForSql($taskTempTable);
 			$query = " ($eventTempTable.shared IS NOT NULL OR $taskTempTable.shared IS NOT NULL) ";
 		}
 		return $query;
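Review bot: The helper applied on lines 21–22 sanitises a value that is then used as a bare table identifier on line 23, and a string-escaping routine does not necessarily reject characters that matter in identifier position (backticks, spaces, dots, comment sequences); what `Vtiger_Util_Helper::validateStringForSql` actually does is not visible here. If `$scope` or `$userModel->id` can carry anything beyond digits and word characters, a positive check is the safer form, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $eventTempTable) || !preg_match('/^[A-Za-z0-9_]+$/', $taskTempTable)) { throw new Exception('Invalid temporary table name'); }`. The two added lines are indented with spaces while the surrounding code uses tabs. The enclosing function begins before this hunk.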
diff --git a/modules/Campaigns/models/Record.php b/modules/Campaigns/models/Record.php
index 718d22e99..1aa1e5373 100644
--- a/modules/Campaigns/models/Record.php
+++ b/modules/Campaigns/models/Record.php
@@ -29,10 +29,10 @@ class Campaigns_Record_Model extends Vtiger_Record_Model {
 					INNER JOIN vtiger_crmentity ON $tableName.$fieldName = vtiger_crmentity.crmid AND vtiger_crmentity.deleted = ?
 					WHERE campaignid = ?";
 		if ($excludedIds) {
-			$query .= " AND $fieldName NOT IN (". implode(',', $excludedIds) .")";
+			$query .= " AND $fieldName NOT IN (". generateQuestionMarks($excludedIds) .")";
 		}
 
-		$result = $db->pquery($query, array(0, $this->getId()));
+		$result = $db->pquery($query, array(0, $this->getId(), $excludedIds));
 		$numOfRows = $db->num_rows($result);
 
 		$selectedIdsList = array();
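Review bot: The bind array on line 39 now always carries `$excludedIds`, but the placeholders are only appended when the guard on line 33 is true, so the call relies on `pquery` flattening an empty array to zero values; if `$excludedIds` is ever a falsy scalar (`null`, `''`, `0`) rather than an array, it would be passed as an extra bind value and the placeholder count would not match. Building the parameter list alongside the query avoids that: `$params = array(0, $this->getId());`, then inside the guard `$params = array_merge($params, array_values($excludedIds));`, and `$result = $db->pquery($query, $params);`. `$fieldName` and `$tableName` are still interpolated on lines 31 and 35; where they come from is outside this hunk, so they should be confirmed to be code-defined, not request-derived.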
diff --git a/modules/Emails/Emails.php b/modules/Emails/Emails.php
index f3dac4473..19316b7a2 100644
--- a/modules/Emails/Emails.php
+++ b/modules/Emails/Emails.php
@@ -550,6 +550,7 @@ class Emails extends CRMEntity {
 			$module = getTabname($tabId);
 		}
 		$query = $this->getNonAdminAccessQuery($module, $user, $parentRole, $userGroups);
+        $tableName = Vtiger_Util_Helper::validateStringForSql($tableName);
 		$query = "create temporary table IF NOT EXISTS $tableName(id int(11) primary key, shared int(1) default 0) ignore ".$query;
 		$db = PearDatabase::getInstance();
 		$result = $db->pquery($query, array());
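Review bot: `validateStringForSql` on line 51 is used to guard a table identifier in a DDL statement on line 52, where a value-escaping helper is not the right tool — it does not necessarily reject backticks, whitespace or comment sequences that are harmful in identifier position; the helper's exact behaviour is not visible in this patch. A positive identifier check is more robust: `if (!preg_match('/^[A-Za-z0-9_]+$/', $tableName)) { throw new Exception('Invalid temporary table name'); }`. The statement also appends `$query` from `getNonAdminAccessQuery` and executes with an empty bind array on line 54, so any value that helper interpolates is still unparameterised; that helper is outside this hunk. The added line is space-indented where the surrounding code uses tabs, and the enclosing function starts before the hunk.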
diff --git a/modules/Emails/models/Module.php b/modules/Emails/models/Module.php
index c591f976d..15a6487db 100644
--- a/modules/Emails/models/Module.php
+++ b/modules/Emails/models/Module.php
@@ -88,8 +88,8 @@ class Emails_Module_Model extends Vtiger_Module_Model{
             $query = "SELECT vtiger_emailslookup.crmid, vtiger_emailslookup.setype, vtiger_emailslookup.value, 
                           vtiger_crmentity.label FROM vtiger_emailslookup INNER JOIN vtiger_crmentity on 
                           vtiger_crmentity.crmid = vtiger_emailslookup.crmid AND vtiger_crmentity.deleted=0 WHERE 
-						  vtiger_emailslookup.fieldid in (".implode(',', $fieldIds).") and 
-						  vtiger_emailslookup.setype in (".implode(',', $activeModules).") 
+						  vtiger_emailslookup.fieldid in (".generateQuestionMarks($fieldIds).") and 
+						  vtiger_emailslookup.setype in (".generateQuestionMarks($activeModules).") 
                           and (vtiger_emailslookup.value LIKE ? OR vtiger_crmentity.label LIKE ?)";
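Review bot: Binding `$activeModules` as parameters on line 66 changes what is compared if those entries were built as pre-quoted strings (for example `"'Contacts'"`) to suit the old `implode` on line 64 — the driver would quote them again and `setype` would be compared against values containing literal apostrophes, silently matching nothing. Where `$activeModules` and `$fieldIds` are assembled is outside this hunk, so it should be confirmed that the entries are bare module names and plain field ids; if they are quoted, strip the quotes at the source rather than here. The matching bind order is in the `pquery` call of the next hunk.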
 
 			$emailOptOutIds = $this->getEmailOptOutRecordIds();
@@ -97,7 +97,7 @@ class Emails_Module_Model extends Vtiger_Module_Model{
 				$query .= " AND vtiger_emailslookup.crmid NOT IN (".implode(',', $emailOptOutIds).")";
 			}
 
-			$result = $db->pquery($query, array('%'.$searchValue.'%', '%'.$searchValue.'%'));
+			$result = $db->pquery($query, array($fieldIds, $activeModules, '%'.$searchValue.'%', '%'.$searchValue.'%'));
             $isAdmin = is_admin($current_user);
 			while ($row = $db->fetchByAssoc($result)) {
 				if (!$isAdmin) {
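Review bot: The `NOT IN` list on line 71 is still built with `implode` while the other two `IN` lists in this query were parameterised in the same commit; `$emailOptOutIds` comes from `getEmailOptOutRecordIds()`, so it is presumably database-sourced ids, but the inconsistency leaves one interpolated list in an otherwise parameterised statement. Since the clause is appended after the two `LIKE` placeholders, the ids must go last in the bind array, which means assembling the parameters before the guard; the guard's `if` line and the `$params` declaration sit just outside this hunk. The rewrite below relies on `pquery` flattening nested arrays, as line 75 already does.
```php
$params = array($fieldIds, $activeModules, '%'.$searchValue.'%', '%'.$searchValue.'%');
// … unchanged: $emailOptOutIds lookup and the guard's if line …
    $query .= " AND vtiger_emailslookup.crmid NOT IN (".generateQuestionMarks($emailOptOutIds).")";
    $params[] = $emailOptOutIds;
// … unchanged: closing brace of the guard …
$result = $db->pquery($query, $params);
```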
-- 
GitLab