Pagination queries had been parameterized

ac08e0a6 · Uma · 9b33d4f7 · ac08e0a6 · ac08e0a6
Commit ac08e0a6 authored 5 years ago by Uma
--- a/modules/Vtiger/models/ListView.php
+++ b/modules/Vtiger/models/ListView.php
@@ -232,12 +232,14 @@ class Vtiger_ListView_Model extends Vtiger_Base_Model {

 		$startIndex = $pagingModel->getStartIndex();
 		$pageLimit = $pagingModel->getPageLimit();
+		$paramArray = array();

 		if(!empty($orderBy) && $orderByFieldModel) {
 			if($orderBy == 'roleid' && $moduleName == 'Users'){
 				$listQuery .= ' ORDER BY vtiger_role.rolename '.' '. $sortOrder; 
 			} else {
-				$listQuery .= ' ORDER BY '.$queryGenerator->getOrderByColumn($orderBy).' '.$sortOrder;
+				$listQuery .= ' ORDER BY ? '.$sortOrder;
+				array_push($paramArray, $queryGenerator->getOrderByColumn($orderBy));
 			}

 			if ($orderBy == 'first_name' && $moduleName == 'Users') {
@@ -256,9 +258,11 @@ class Vtiger_ListView_Model extends Vtiger_Base_Model {

 		ListViewSession::setSessionQuery($moduleName, $listQuery, $viewid);

-		$listQuery .= " LIMIT $startIndex,".($pageLimit+1);
-
-		$listResult = $db->pquery($listQuery, array());
+		$listQuery .= " LIMIT ?, ?";
+		array_push($paramArray, $startIndex);
+		array_push($paramArray, ($pageLimit+1));
+		
+		$listResult = $db->pquery($listQuery, $paramArray);

 		$listViewRecordModels = array();
 		$listViewEntries =  $listViewContoller->getListViewRecords($moduleFocus,$moduleName, $listResult);

--- a/modules/Vtiger/models/MiniList.php
+++ b/modules/Vtiger/models/MiniList.php
@@ -105,13 +105,13 @@ class Vtiger_MiniList_Model extends Vtiger_Widget_Model {
        if(empty($pageLimit)) {
            $pageLimit = 10;
        }
-        return $pageLimit;
+        return intval($pageLimit);
 	}
    
    function getStartIndex() {
        $nextPage = $this->get('nextPage');
        $startIndex = (($nextPage - 1) * $this->getRecordLimit());
-        return $startIndex;
+        return intval($startIndex);
    }

 	public function getRecords() {
@@ -121,15 +121,18 @@ class Vtiger_MiniList_Model extends Vtiger_Widget_Model {
 		if (!$this->listviewRecords) {
 			$db = PearDatabase::getInstance();

+			$paramArray = array();
 			$query = $this->queryGenerator->getQuery();
 			$query .= ' ORDER BY vtiger_crmentity.modifiedtime DESC';
-			$query .= ' LIMIT ' . $this->getStartIndex() . ',' . $this->getRecordLimit();
+			$query .= ' LIMIT ? , ?';
+			array_push($paramArray, $this->getStartIndex());
+			array_push($paramArray, $this->getRecordLimit());
 			$query = str_replace(" FROM ", ",vtiger_crmentity.crmid as id FROM ", $query);
            if($this->getTargetModule() == 'Calendar') {
                $query = str_replace(" WHERE ", " WHERE vtiger_crmentity.setype = 'Calendar' AND ", $query);
            }

-			$result = $db->pquery($query, array());
+			$result = $db->pquery($query, $paramArray);

 			$targetModuleName = $this->getTargetModule();
 			$targetModuleFocus= CRMEntity::getInstance($targetModuleName);
@@ -152,14 +155,17 @@ class Vtiger_MiniList_Model extends Vtiger_Widget_Model {
        $this->initListViewController();
        $db = PearDatabase::getInstance();
        $query = $this->queryGenerator->getQuery();
+		$paramArray = array();
        
        $startIndex = $this->getStartIndex() + $this->getRecordLimit();
-        $query .= ' LIMIT ' . $startIndex . ',' . $this->getRecordLimit();
+        $query .= ' LIMIT ?, ?';
+		array_push($paramArray, $startIndex);
+		array_push($paramArray, $this->getRecordLimit());
        if($this->getTargetModule() == 'Calendar') {
            $query = str_replace(" WHERE ", " WHERE vtiger_crmentity.setype = 'Calendar' AND ", $query);
        }
        
-        $result = $db->pquery($query, array());
+        $result = $db->pquery($query, $paramArray);
        if($db->num_rows($result) > 0) {
            return true;
        }