From ac08e0a6ccb7612191234988f426a2d8297429f4 Mon Sep 17 00:00:00 2001
From: Uma S <uma.s@vtiger.com>
Date: Fri, 19 Jul 2019 18:23:45 +0530
Subject: [PATCH] Pagination queries had been parameterized
---
 modules/Vtiger/models/ListView.php | 12 ++++++++----
 modules/Vtiger/models/MiniList.php | 18 ++++++++++++------
 2 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/modules/Vtiger/models/ListView.php b/modules/Vtiger/models/ListView.php
index f9841f95b..f218a9e94 100644
--- a/modules/Vtiger/models/ListView.php
+++ b/modules/Vtiger/models/ListView.php
@@ -232,12 +232,14 @@ class Vtiger_ListView_Model extends Vtiger_Base_Model {
 $startIndex = $pagingModel->getStartIndex();
 $pageLimit = $pagingModel->getPageLimit();
+ $paramArray = array();
 if(!empty($orderBy) && $orderByFieldModel) {
 if($orderBy == 'roleid' && $moduleName == 'Users'){
 $listQuery .= ' ORDER BY vtiger_role.rolename '.' '. $sortOrder;
 } else {
- $listQuery .= ' ORDER BY '.$queryGenerator->getOrderByColumn($orderBy).' '.$sortOrder;
+ $listQuery .= ' ORDER BY ? '.$sortOrder;
+ array_push($paramArray, $queryGenerator->getOrderByColumn($orderBy));
 }
 if ($orderBy == 'first_name' && $moduleName == 'Users') {
@@ -256,9 +258,11 @@ class Vtiger_ListView_Model extends Vtiger_Base_Model {
 ListViewSession::setSessionQuery($moduleName, $listQuery, $viewid);
- $listQuery .= " LIMIT $startIndex,".($pageLimit+1);
-
- $listResult = $db->pquery($listQuery, array());
+ $listQuery .= " LIMIT ?, ?";
+ array_push($paramArray, $startIndex);
+ array_push($paramArray, ($pageLimit+1));
+
+ $listResult = $db->pquery($listQuery, $paramArray);
 $listViewRecordModels = array();
 $listViewEntries = $listViewContoller->getListViewRecords($moduleFocus,$moduleName, $listResult);
diff --git a/modules/Vtiger/models/MiniList.php b/modules/Vtiger/models/MiniList.php
index ea33da1ac..dbc5bf800 100644
--- a/modules/Vtiger/models/MiniList.php
+++ b/modules/Vtiger/models/MiniList.php
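Review bot: Binding the sort column through `ORDER BY ? ` turns the identifier into a string value, so the query orders by a constant and the list view silently loses its sort, while `$sortOrder` is still concatenated unescaped on the same line (and on the `roleid` branch just above it). Identifiers cannot be parameterized; keep the column inline, rely on the `$orderByFieldModel` guard that already restricts this branch to a known field, and reduce the direction to a whitelist, e.g. `$sortOrder = (strtoupper($sortOrder) === 'DESC') ? 'DESC' : 'ASC';` before the `if`, restoring `$listQuery .= ' ORDER BY '.$queryGenerator->getOrderByColumn($orderBy).' '.$sortOrder;`. Whether `getOrderByColumn()` itself validates `$orderBy` against the module's field list is not visible here and should be confirmed. The enclosing method starts before and ends after this hunk.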
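Review bot: `ListViewSession::setSessionQuery` now receives `$listQuery` with the `?` placeholder from the ORDER BY change already embedded but without `$paramArray`, so any later consumer of the stored session query (not visible here) would execute SQL with an unbound `?`; either store the parameters alongside it or keep the session copy free of placeholders. The LIMIT operands are also bound without the `intval()` cast the MiniList side adds; if `getStartIndex()`/`getPageLimit()` return strings, a driver that quotes string parameters will emit `LIMIT '0', '11'`, which MySQL rejects. Suggest `array_push($paramArray, intval($startIndex));` and `array_push($paramArray, intval($pageLimit) + 1);`. The enclosing method continues past this hunk.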
@@ -105,13 +105,13 @@ class Vtiger_MiniList_Model extends Vtiger_Widget_Model {
 if(empty($pageLimit)) {
 $pageLimit = 10;
 }
- return $pageLimit;
+ return intval($pageLimit);
 }
 function getStartIndex() {
 $nextPage = $this->get('nextPage');
 $startIndex = (($nextPage - 1) * $this->getRecordLimit());
- return $startIndex;
+ return intval($startIndex);
 }
 public function getRecords() {
@@ -121,15 +121,18 @@ class Vtiger_MiniList_Model extends Vtiger_Widget_Model {
 if (!$this->listviewRecords) {
 $db = PearDatabase::getInstance();
+ $paramArray = array();
 $query = $this->queryGenerator->getQuery();
 $query .= ' ORDER BY vtiger_crmentity.modifiedtime DESC';
- $query .= ' LIMIT ' . $this->getStartIndex() . ',' . $this->getRecordLimit();
+ $query .= ' LIMIT ? , ?';
+ array_push($paramArray, $this->getStartIndex());
+ array_push($paramArray, $this->getRecordLimit());
 $query = str_replace(" FROM ", ",vtiger_crmentity.crmid as id FROM ", $query);
 if($this->getTargetModule() == 'Calendar') {
 $query = str_replace(" WHERE ", " WHERE vtiger_crmentity.setype = 'Calendar' AND ", $query);
 }
- $result = $db->pquery($query, array());
+ $result = $db->pquery($query, $paramArray);
 $targetModuleName = $this->getTargetModule();
 $targetModuleFocus= CRMEntity::getInstance($targetModuleName);
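Review bot: `getStartIndex()` still returns a negative offset when `nextPage` is unset or 0, because `($nextPage - 1) * limit` goes below zero and `intval()` only changes the type, so the LIMIT bound in the hunks below becomes `LIMIT -10, 10`, which MySQL rejects. Clamp it: `return max(0, intval($startIndex));`. The casts are presumably there because the driver substitutes integer parameters raw but quotes strings; that rationale is worth a one-line comment on `getRecordLimit()`, e.g. `// cast so LIMIT operands are bound as integers, not quoted strings`.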
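Review bot: The placeholder spelling `' LIMIT ? , ?'` differs from the `' LIMIT ?, ?'` used in the other two hunks; make it `$query .= ' LIMIT ?, ?';` for consistency. The placeholders are also appended before the two `str_replace` calls rewrite `FROM`/`WHERE`, which is harmless for these two substitutions but would shift bound positions if a future replacement ever touched a `?` or the tail of the query, so appending `LIMIT` last is the safer order. `getRecords()` continues past the end of this hunk.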
@@ -152,14 +155,17 @@ class Vtiger_MiniList_Model extends Vtiger_Widget_Model {
 $this->initListViewController();
 $db = PearDatabase::getInstance();
 $query = $this->queryGenerator->getQuery();
+ $paramArray = array();
 $startIndex = $this->getStartIndex() + $this->getRecordLimit();
- $query .= ' LIMIT ' . $startIndex . ',' . $this->getRecordLimit();
+ $query .= ' LIMIT ?, ?';
+ array_push($paramArray, $startIndex);
+ array_push($paramArray, $this->getRecordLimit());
 if($this->getTargetModule() == 'Calendar') {
 $query = str_replace(" WHERE ", " WHERE vtiger_crmentity.setype = 'Calendar' AND ", $query);
 }
- $result = $db->pquery($query, array());
+ $result = $db->pquery($query, $paramArray);
 if($db->num_rows($result) > 0) {
 return true;
 }
-- GitLab
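Review bot: Binding the full `getRecordLimit()` here fetches an entire page when the only thing the result feeds is `num_rows($result) > 0`; bind a single row instead, `array_push($paramArray, 1);`, which keeps the existence check and drops the wasted rows. The `$startIndex` computed from `getStartIndex() + getRecordLimit()` also inherits the negative-offset case when `nextPage` is unset or 0, which `intval()` alone does not prevent, so a `max(0, …)` clamp in `getStartIndex()` would cover this call too. The enclosing method continues past the end of this hunk (its remaining return path is not visible).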