Sql security parameterized of queries is done

modules/Campaigns/models/Relation.php

@@ -53,12 +53,16 @@ class Campaigns_Relation_Model extends Vtiger_Relation_Model {
 				$tableName = $emailEnabledModulesInfo[$relatedModuleName]['tableName'];
 				$db = PearDatabase::getInstance();
 
+				$paramArray = array();
 				$updateQuery = "UPDATE $tableName SET campaignrelstatusid = CASE $fieldName ";
 				foreach ($statusDetails as $relatedRecordId => $status) {
-					$updateQuery .= " WHEN $relatedRecordId THEN $status ";
+					$updateQuery .= " WHEN ? THEN ? ";
+					array_push($paramArray, $relatedRecordId);
+					array_push($paramArray, $status);
 				}
 				$updateQuery .= "ELSE campaignrelstatusid END WHERE campaignid = ?";
-				$db->pquery($updateQuery, array($sourceRecordId));
+				array_push($paramArray, $sourceRecordId);
+				$db->pquery($updateQuery, $paramArray);
 			}
 		}
 	}

modules/Settings/Leads/models/Mapping.php

@@ -195,20 +195,28 @@ class Settings_Leads_Mapping_Model extends Settings_Vtiger_Module_Model {
 			$accountQuery	= ' accountfid = CASE ';
 			$contactQuery	= ' contactfid = CASE ';
 			$potentialQuery	= ' potentialfid = CASE ';
-
+			$paramArray = array();
 			foreach ($updateMappingsList as $mappingDetails) {
-				$mappingId		 = $mappingDetails['mappingId'];
-				$leadQuery		.= " WHEN cfmid = $mappingId THEN ". $mappingDetails['lead'];
-				$accountQuery	.= " WHEN cfmid = $mappingId THEN ". $mappingDetails['account'];
-				$contactQuery	.= " WHEN cfmid = $mappingId THEN ". $mappingDetails['contact'];
-				$potentialQuery	.= " WHEN cfmid = $mappingId THEN ". $mappingDetails['potential'];
+				$mappingId = $mappingDetails['mappingId'];
+				$leadQuery .= ' WHEN cfmid = ? THEN ?';
+				array_push($paramArray, $mappingId);
+				array_push($paramArray, $mappingDetails['lead']);
+				$accountQuery	.= ' WHEN cfmid = ? THEN ?';
+				array_push($paramArray, $mappingId);
+				array_push($paramArray, $mappingDetails['account']);
+				$contactQuery	.= ' WHEN cfmid = ? THEN ?';
+				array_push($paramArray, $mappingId);
+				array_push($paramArray, $mappingDetails['contact']);
+				$potentialQuery	.= ' WHEN cfmid = ? THEN ?';
+				array_push($paramArray, $mappingId);
+				array_push($paramArray, $mappingDetails['potential']);
 			}
 			$leadQuery		.= ' ELSE leadfid END ';
 			$accountQuery	.= ' ELSE accountfid END ';
 			$contactQuery	.= ' ELSE contactfid END ';
 			$potentialQuery .= ' ELSE potentialfid END ';
-
-			$db->pquery("UPDATE vtiger_convertleadmapping $leadQuery, $accountQuery, $contactQuery, $potentialQuery WHERE editable = ?", array(1));
+			array_push($paramArray, 1);
+			$db->pquery("UPDATE vtiger_convertleadmapping $leadQuery, $accountQuery, $contactQuery, $potentialQuery WHERE editable = ?", $paramArray);
 		}
 	}
 

modules/Settings/Picklist/models/Module.php

@@ -261,18 +261,21 @@ class Settings_Picklist_Module_Model extends Vtiger_Module_Model {
 
     }
 
-    public function updateSequence($pickListFieldName , $picklistValues) {
-        $db = PearDatabase::getInstance();
+    public function updateSequence($pickListFieldName , $picklistValues, $rolesList = false) {
+		$db = PearDatabase::getInstance();
 
 		$primaryKey = Vtiger_Util_Helper::getPickListId($pickListFieldName);
-		
-        $query = 'UPDATE '.$this->getPickListTableName($pickListFieldName).' SET sortorderid = CASE ';
-        foreach($picklistValues as $values => $sequence) {
-            $query .= ' WHEN '.$primaryKey.'="'.$values.'" THEN "'.$sequence.'"';
-        }
+		$paramArray = array();
+		$query = 'UPDATE '.$this->getPickListTableName($pickListFieldName).' SET sortorderid = CASE ';
+		foreach($picklistValues as $values => $sequence) {
+			$query .= ' WHEN '.$primaryKey.'=? THEN ?';
+			array_push($paramArray, $values);
+			array_push($paramArray, $sequence);
+		}
 		$query .= ' END';
-        $db->pquery($query, array());
-    }
+		$db->pquery($query, $paramArray);
+		Vtiger_Cache::flushPicklistCache($pickListFieldName, $rolesList);
+	}
 
 
     public static function getPicklistSupportedModules() {

modules/Vtiger/models/Block.php

@@ -141,16 +141,26 @@ class Vtiger_Block_Model extends Vtiger_Block {
 		return $blockModel;
 	}
     
-    public static function updateSequenceNumber($sequenceList) {
+	public static function updateSequenceNumber($sequenceList, $moduleName = false) {
         $db = PearDatabase::getInstance();
         $query = 'UPDATE vtiger_blocks SET sequence = CASE blockid ';
+		$paramArray = array();
         foreach ($sequenceList as $blockId => $sequence){
-            $query .=' WHEN '.$blockId.' THEN '.$sequence;
+            $query .=' WHEN ? THEN ?';
+			array_push($paramArray, $blockId);
+			array_push($paramArray, $sequence);
         }
         $query .=' END ';
         $query .= ' WHERE blockid IN ('.generateQuestionMarks($sequenceList).')';
-        $db->pquery($query, array_keys($sequenceList));
-    }
+		$resultArray = array_merge($paramArray, array_keys($sequenceList));
+        $db->pquery($query, $resultArray);
+        
+        // To clear cache
+        if($moduleName){
+            $moduleInstance = Vtiger_Module_Model::getInstance($moduleName);
+            Vtiger_Cache::flushModuleBlocksCache($moduleInstance);
+		}
+	}
     
     public static function checkFieldsExists($blockId) {
         $db = PearDatabase::getInstance();

modules/Vtiger/models/Relation.php

@@ -249,28 +249,35 @@ class Vtiger_Relation_Model extends Vtiger_Base_Model{
 	}
     
     public static  function updateRelationSequenceAndPresence($relatedInfoList, $sourceModuleTabId) {
-        $db = PearDatabase::getInstance();
-        $query = 'UPDATE vtiger_relatedlists SET sequence=CASE ';
-        $relation_ids = array();
-        foreach($relatedInfoList as $relatedInfo){
-            $relation_id = $relatedInfo['relation_id'];
-            $relation_ids[] = $relation_id;
-            $sequence = $relatedInfo['sequence'];
-            $presence = $relatedInfo['presence'];
-            $query .= ' WHEN relation_id='.$relation_id.' THEN '.$sequence;
-        }
-        $query.= ' END , ';
-        $query.= ' presence = CASE ';
-        foreach($relatedInfoList as $relatedInfo){
-            $relation_id = $relatedInfo['relation_id'];
-            $relation_ids[] = $relation_id;
-            $sequence = $relatedInfo['sequence'];
-            $presence = $relatedInfo['presence'];
-            $query .= ' WHEN relation_id='.$relation_id.' THEN '.$presence;
-        }
-        $query .= ' END WHERE tabid=? AND relation_id IN ('.  generateQuestionMarks($relation_ids).')';
-        $result = $db->pquery($query, array($sourceModuleTabId,$relation_ids));
-    }
+		$db = PearDatabase::getInstance();
+		$query = 'UPDATE vtiger_relatedlists SET sequence=CASE ';
+		$relation_ids = array();
+		$paramArray = array();
+		foreach($relatedInfoList as $relatedInfo){
+			$relation_id = $relatedInfo['relation_id'];
+			$relation_ids[] = $relation_id;
+			$sequence = $relatedInfo['sequence'];
+			$presence = $relatedInfo['presence'];
+			array_push($paramArray, $relation_id);
+			array_push($paramArray, $sequence);
+			$query .= ' WHEN relation_id=? THEN ?';
+		}
+		$query.= ' END , ';
+		$query.= ' presence = CASE ';
+		foreach($relatedInfoList as $relatedInfo){
+			$relation_id = $relatedInfo['relation_id'];
+			$relation_ids[] = $relation_id;
+			$sequence = $relatedInfo['sequence'];
+			$presence = $relatedInfo['presence'];
+			array_push($paramArray, $relation_id);
+			array_push($paramArray, $presence);
+			$query .= ' WHEN relation_id=? THEN ?';
+		}
+		array_push($paramArray, $sourceModuleTabId);
+		$resultArray = array_merge($paramArray, $relation_ids);
+		$query .= ' END WHERE tabid=? AND relation_id IN ('.  generateQuestionMarks($relation_ids).')';
+		$result = $db->pquery($query, $resultArray);
+	}
 	
 	public function isActive() {
 		return $this->get('presence') == 0 ? true : false;