Query Sanitization and parametrization

77591074 · Uma · c22d5ba0 · 77591074 · 77591074 · 77591074
Commit 77591074 authored 5 years ago by Uma
--- a/modules/Calendar/Activity.php
+++ b/modules/Calendar/Activity.php
@@ -1165,6 +1165,8 @@ function insertIntoRecurringTable(& $recurObj)
 			$tabId = getTabid("Calendar");
 			$eventTempTable = 'vt_tmp_u'.$userModel->id.'_t'.$tabId.'_events'.$scope;
 			$taskTempTable = 'vt_tmp_u'.$userModel->id.'_t'.$tabId.'_task'.$scope;
+            $eventTempTable = Vtiger_Util_Helper::validateStringForSql($eventTempTable);
+            $taskTempTable = Vtiger_Util_Helper::validateStringForSql($taskTempTable);
 			$query = " ($eventTempTable.shared IS NOT NULL OR $taskTempTable.shared IS NOT NULL) ";
 		}
 		return $query;

--- a/modules/Campaigns/models/Record.php
+++ b/modules/Campaigns/models/Record.php
@@ -29,10 +29,10 @@ class Campaigns_Record_Model extends Vtiger_Record_Model {
 					INNER JOIN vtiger_crmentity ON $tableName.$fieldName = vtiger_crmentity.crmid AND vtiger_crmentity.deleted = ?
 					WHERE campaignid = ?";
 		if ($excludedIds) {
-			$query .= " AND $fieldName NOT IN (". implode(',', $excludedIds) .")";
+			$query .= " AND $fieldName NOT IN (". generateQuestionMarks($excludedIds) .")";
 		}
-		$result = $db->pquery($query, array(0, $this->getId()));
+		$result = $db->pquery($query, array(0, $this->getId(), $excludedIds));
 		$numOfRows = $db->num_rows($result);
 		$selectedIdsList = array();

--- a/modules/Emails/Emails.php
+++ b/modules/Emails/Emails.php
@@ -550,6 +550,7 @@ class Emails extends CRMEntity {
 			$module = getTabname($tabId);
 		}
 		$query = $this->getNonAdminAccessQuery($module, $user, $parentRole, $userGroups);
+        $tableName = Vtiger_Util_Helper::validateStringForSql($tableName);
 		$query = "create temporary table IF NOT EXISTS $tableName(id int(11) primary key, shared int(1) default 0) ignore ".$query;
 		$db = PearDatabase::getInstance();
 		$result = $db->pquery($query, array());

--- a/modules/Emails/models/Module.php
+++ b/modules/Emails/models/Module.php
@@ -88,8 +88,8 @@ class Emails_Module_Model extends Vtiger_Module_Model{
            $query = "SELECT vtiger_emailslookup.crmid, vtiger_emailslookup.setype, vtiger_emailslookup.value, 
                          vtiger_crmentity.label FROM vtiger_emailslookup INNER JOIN vtiger_crmentity on 
                          vtiger_crmentity.crmid = vtiger_emailslookup.crmid AND vtiger_crmentity.deleted=0 WHERE 
-						  vtiger_emailslookup.fieldid in (".implode(',', $fieldIds).") and 
+						  vtiger_emailslookup.fieldid in (".generateQuestionMarks($fieldIds).") and 
-						  vtiger_emailslookup.setype in (".implode(',', $activeModules).") 
+						  vtiger_emailslookup.setype in (".generateQuestionMarks($activeModules).") 
                          and (vtiger_emailslookup.value LIKE ? OR vtiger_crmentity.label LIKE ?)";
 			$emailOptOutIds = $this->getEmailOptOutRecordIds();
@@ -97,7 +97,7 @@ class Emails_Module_Model extends Vtiger_Module_Model{
 				$query .= " AND vtiger_emailslookup.crmid NOT IN (".implode(',', $emailOptOutIds).")";
 			}
-			$result = $db->pquery($query, array('%'.$searchValue.'%', '%'.$searchValue.'%'));
+			$result = $db->pquery($query, array($fieldIds, $activeModules, '%'.$searchValue.'%', '%'.$searchValue.'%'));
            $isAdmin = is_admin($current_user);
 			while ($row = $db->fetchByAssoc($result)) {
 				if (!$isAdmin) {