diff --git a/pkg/vtiger/modules/Assets/modules/Assets/Assets.php b/pkg/vtiger/modules/Assets/modules/Assets/Assets.php
index ada5a98d13c133ce8ba632948a5c23f13ad3ff0c..5f3a98af104df6c53f8d4091c14ae2156912933e 100644
--- a/pkg/vtiger/modules/Assets/modules/Assets/Assets.php
+++ b/pkg/vtiger/modules/Assets/modules/Assets/Assets.php
@@ -418,11 +418,11 @@ class Assets extends CRMEntity {
 				$maxSequenceQuery = $adb->query("SELECT max(sequence) as maxsequence FROM vtiger_customerportal_tabs");
 				$maxSequence = $adb->query_result($maxSequenceQuery, 0, 'maxsequence');
 				$nextSequence = $maxSequence+1;
-				$adb->query("INSERT INTO vtiger_customerportal_tabs(tabid,visible,sequence) VALUES ($assetsTabId,1,$nextSequence)");
+				$adb->query("INSERT INTO vtiger_customerportal_tabs(tabid,visible,sequence) VALUES (?,?,?)", array($assetsTabId,1,$nextSequence));
 			}
 			$checkAlreadyExists = $adb->pquery('SELECT 1 FROM vtiger_customerportal_prefs WHERE tabid=?', array($assetsTabId));
 			if($checkAlreadyExists && $adb->num_rows($checkAlreadyExists) < 1) {
-				$adb->query("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES ($assetsTabId,'showrelatedinfo',1)");
+				$adb->query("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES (?,?,?)", array($assetsTabId,'showrelatedinfo',1));
 			}
 		}
 	}
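Review bot: Lines 10 and 15 hand the bind array to `$adb->query()`, but as far as I can tell query() is the non-parameterised entry point in PearDatabase (its second argument is the die-on-error flag), so the `?` placeholders would reach the server unbound and both INSERTs fail; the parallel ProjectMilestone change in this same commit uses `pquery()` for the identical statements. Change both calls to `$adb->pquery("INSERT INTO vtiger_customerportal_tabs(tabid,visible,sequence) VALUES (?,?,?)", array($assetsTabId,1,$nextSequence));` and `$adb->pquery("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES (?,?,?)", array($assetsTabId,'showrelatedinfo',1));`. The enclosing method starts before the hunk.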
diff --git a/pkg/vtiger/modules/EmailTemplates/modules/EmailTemplates/models/ListView.php b/pkg/vtiger/modules/EmailTemplates/modules/EmailTemplates/models/ListView.php
index da1a6d1b75d2cc6021e4a1b05f929c6898203728..94a8e6bcd87058d7f336a6cc2c50be2d1445106b 100644
--- a/pkg/vtiger/modules/EmailTemplates/modules/EmailTemplates/models/ListView.php
+++ b/pkg/vtiger/modules/EmailTemplates/modules/EmailTemplates/models/ListView.php
@@ -207,12 +207,14 @@ class EmailTemplates_ListView_Model extends Vtiger_ListView_Model {
 				$listQuery = $listQuery. ' FROM ' .$split[$i];
 			}
 		}
-		$searchKey = $this->get('search_key');
+		$searchKey = $this->getForSql('search_key');
 		$searchValue = $this->get('search_value');
 
 		$whereQuery .= " WHERE ";
+        $params = array();
 		if(!empty($searchKey) && !empty($searchValue)) {
-			$whereQuery .= "$searchKey LIKE '$searchValue%' AND ";
+			$whereQuery .= "$searchKey LIKE ? AND ";
+            array_push($params, "%$searchValue%");
 		}
 
 		//module should be enabled or module should be empty then allow
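Review bot: Line 36 binds `"%$searchValue%"`, but the literal it replaces on line 34 was `'$searchValue%'` — a prefix match — so the count now also matches substrings, which is a behaviour change beyond parameterisation and will disagree with any list query that still uses the prefix form. If prefix semantics are intended, bind `"$searchValue%"`; either way `%` and `_` inside `$searchValue` still act as wildcards, so consider `addcslashes($searchValue, '%_')` before building the pattern. The `$params` and `array_push` lines are also space-indented while the surrounding method uses tabs. The method starts before the hunk.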
@@ -221,10 +223,11 @@ class EmailTemplates_ListView_Model extends Vtiger_ListView_Model {
 
 		$sourceModule = $this->get('sourceModule');
 		if ($sourceModule) {
-			$listQuery .= ' AND vtiger_emailtemplates.module= "' . $sourceModule . '" ';
+			$listQuery .= ' AND vtiger_emailtemplates.module= ?';
+            array_push($params, $sourceModule);
 		}
 
-		$listResult = $db->pquery($listQuery, array());
+		$listResult = $db->pquery($listQuery, $params);
 		return $db->query_result($listResult, 0, 'count');
 	}
 
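Review bot: The bind order on line 50 depends on `$whereQuery` (which receives the LIKE placeholder on line 35) being appended to `$listQuery` before the module clause on line 45; that splice happens in the lines cut out between the two hunks, so please confirm the `?` order matches `$params` (search value first, then module), otherwise the count query binds the module name into the LIKE. The new clause also drops the trailing space the old string had, which is only safe if nothing is concatenated after it before pquery. The enclosing method starts before the first hunk.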
diff --git a/pkg/vtiger/modules/Import/modules/Import/actions/Data.php b/pkg/vtiger/modules/Import/modules/Import/actions/Data.php
index 3a639a561873a2c163283c73b9c2e172a8a99001..d2e928c77bc67d0b137c2715fa16fa0089537832 100644
--- a/pkg/vtiger/modules/Import/modules/Import/actions/Data.php
+++ b/pkg/vtiger/modules/Import/modules/Import/actions/Data.php
@@ -196,8 +196,10 @@ class Import_Data_Action extends Vtiger_Action_Controller {
 
 		$createdRecords = array();
 		$entityData = array();
-		$tableName = Import_Utils_Helper::getDbTableName($this->user);
-		$sql = 'SELECT * FROM '.$tableName.' WHERE status = '.Import_Data_Action::$IMPORT_RECORD_NONE;
+		$tableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($this->user));
+        $params = array();
+		$sql = 'SELECT * FROM '.$tableName.' WHERE status = ?';
+        array_push($params, Import_Data_Action::$IMPORT_RECORD_NONE);
 
 		$configReader = new Import_Config_Model();
 		if ($this->batchImport) {
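Review bot: Lines 65 and 67 build `$params` with an `array_push` of a single value; `$params = array(Import_Data_Action::$IMPORT_RECORD_NONE);` says the same in one line and matches how the rest of this file passes bind arrays. The added lines are also indented with spaces where the surrounding method uses tabs. The method continues past the hunk.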
@@ -208,7 +210,7 @@ class Import_Data_Action extends Vtiger_Action_Controller {
 			$sql .= ' LIMIT '. $pagingLimit;
 		}
 
-		$result = $adb->pquery($sql, array());
+		$result = $adb->pquery($sql, $params);
 		$numberOfRecords = $adb->num_rows($result);
 
 		if ($numberOfRecords <= 0) {
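Review bot: `$pagingLimit` on line 72 is still concatenated into the statement as a LIMIT while `status` is now bound; even though it appears to come from Import_Config_Model rather than the request, casting it — `$sql .= ' LIMIT '. intval($pagingLimit);` — makes the statement safe regardless of where the value originates. The method starts before the hunk, so where `$pagingLimit` is read is not visible here.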
diff --git a/pkg/vtiger/modules/Import/modules/Import/models/ListView.php b/pkg/vtiger/modules/Import/modules/Import/models/ListView.php
index 9e6714f03eefcc93eb989867ac0d575b47850f45..d8b005752839f922b2810590ef8a98b9e87504a0 100644
--- a/pkg/vtiger/modules/Import/modules/Import/models/ListView.php
+++ b/pkg/vtiger/modules/Import/modules/Import/models/ListView.php
@@ -171,7 +171,7 @@ class Import_ListView_Model extends Vtiger_ListView_Model {
 		$db = PearDatabase::getInstance();
 
 		$user = Users_Record_Model::getCurrentUserModel();
-		$userDBTableName = Import_Utils_Helper::getDbTableName($user);
+		$userDBTableName = Vtiger_Util_Helper::validateStringForSql(Import_Utils_Helper::getDbTableName($user));
 
 		$result = $db->pquery('SELECT recordid FROM '.$userDBTableName.' WHERE status NOT IN (?,?) AND recordid IS NOT NULL',Array(Import_Data_Action::$IMPORT_RECORD_FAILED,  Import_Data_Action::$IMPORT_RECORD_SKIPPED));
 		$noOfRecords = $db->num_rows($result);
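Review bot: The table name is wrapped in `validateStringForSql` at this call site and again in Import/actions/Data.php, but `Import_Utils_Helper::getDbTableName` is the single source of that name, so applying the check inside the helper would cover every caller, including any not touched by this commit. As written, each future caller has to remember the wrapper. The helper itself is not shown, so its contract is inferred from its name.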
diff --git a/pkg/vtiger/modules/Projects/Project/modules/Project/Project.php b/pkg/vtiger/modules/Projects/Project/modules/Project/Project.php
index a431ed28fbe7195c5d8d00240da07d0429140972..b7e65d428b00e892e1d3c87667743a189de3a7df 100644
--- a/pkg/vtiger/modules/Projects/Project/modules/Project/Project.php
+++ b/pkg/vtiger/modules/Projects/Project/modules/Project/Project.php
@@ -354,7 +354,7 @@ class Project extends CRMEntity {
 			// Add Gnatt chart to the related list of the module
 			$relation_id = $adb->getUniqueID('vtiger_relatedlists');
 			$max_sequence = 0;
-			$result = $adb->query("SELECT max(sequence) as maxsequence FROM vtiger_relatedlists WHERE tabid=$projectTabid");
+			$result = $adb->pquery("SELECT max(sequence) as maxsequence FROM vtiger_relatedlists WHERE tabid=?", array($projectTabid));
 			if($adb->num_rows($result)) $max_sequence = $adb->query_result($result, 0, 'maxsequence');
 			$sequence = $max_sequence+1;
 			$adb->pquery("INSERT INTO vtiger_relatedlists(relation_id,tabid,related_tabid,name,sequence,label,presence) VALUES(?,?,?,?,?,?,?)",
@@ -555,6 +555,9 @@ class Project extends CRMEntity {
 	/** Function to unlink an entity with given Id from another entity */
 	function unlinkRelationship($id, $return_module, $return_id) {
 		global $log, $currentModule;
+        $id = Vtiger_Util_Helper::validateStringForSql($id);
+        $return_module = Vtiger_Util_Helper::validateStringForSql($return_module);
+        $return_id = Vtiger_Util_Helper::validateStringForSql($return_id);
 
 		if($return_module == 'Accounts') {
 			$focus = CRMEntity::getInstance($return_module);
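Review bot: `$id` and `$return_id` on lines 110 and 112 are record ids, so a numeric cast (`$id = intval($id);`, `$return_id = intval($return_id);`) would be a tighter guard than a string validator, assuming ids are integers as elsewhere in vtiger, and `$return_module` is compared against a fixed module name on line 114, which suggests a whitelist check rather than a sanitiser. The same three lines are added to ServiceContracts::unlinkRelationship in this commit. The method body, where these values actually reach SQL, continues past the hunk, so I cannot confirm whether any of them is still spliced into a statement unbound. The added lines are space-indented in a tab-indented file.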
diff --git a/pkg/vtiger/modules/Projects/ProjectMilestone/modules/ProjectMilestone/ProjectMilestone.php b/pkg/vtiger/modules/Projects/ProjectMilestone/modules/ProjectMilestone/ProjectMilestone.php
index 42991b14f568f18cac1fb7477b48c038e18ce5c4..2c7102f0b75c49728481f25c9715f04cbb75e9df 100644
--- a/pkg/vtiger/modules/Projects/ProjectMilestone/modules/ProjectMilestone/ProjectMilestone.php
+++ b/pkg/vtiger/modules/Projects/ProjectMilestone/modules/ProjectMilestone/ProjectMilestone.php
@@ -339,8 +339,8 @@ class ProjectMilestone extends CRMEntity {
 					$maxSequenceQuery = $adb->query("SELECT max(sequence) as maxsequence FROM vtiger_customerportal_tabs");
 					$maxSequence = $adb->query_result($maxSequenceQuery, 0, 'maxsequence');
 					$nextSequence = $maxSequence+1;
-					$adb->query("INSERT INTO vtiger_customerportal_tabs(tabid,visible,sequence) VALUES ($projectmilestoneTabid,1,$nextSequence)");
-					$adb->query("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES ($projectmilestoneTabid,'showrelatedinfo',1)");
+					$adb->pquery("INSERT INTO vtiger_customerportal_tabs(tabid,visible,sequence) VALUES (?,?,?)", array($projectmilestoneTabid,1,$nextSequence));
+					$adb->pquery("INSERT INTO vtiger_customerportal_prefs(tabid,prefkey,prefvalue) VALUES (?,?,?)", array($projectmilestoneTabid,'showrelatedinfo',1));
 				}
 			}
 
diff --git a/pkg/vtiger/modules/ServiceContracts/modules/ServiceContracts/ServiceContracts.php b/pkg/vtiger/modules/ServiceContracts/modules/ServiceContracts/ServiceContracts.php
index 1f9225c0ecbe6f600d65c26460bbfc9eac012953..d63ec22015fd984cad18cdb1f13697c9d2fc0366 100644
--- a/pkg/vtiger/modules/ServiceContracts/modules/ServiceContracts/ServiceContracts.php
+++ b/pkg/vtiger/modules/ServiceContracts/modules/ServiceContracts/ServiceContracts.php
@@ -390,7 +390,7 @@ class ServiceContracts extends CRMEntity {
 			$adb->pquery("INSERT into vtiger_modentity_num values(?,?,?,?,?,?)",array($adb->getUniqueId("vtiger_modentity_num"),$moduleName,'SERCON',1,1,1));
 
 			// Make the picklist value 'Complete' for status as non-editable
-			$adb->query("UPDATE vtiger_contract_status SET presence=0 WHERE contract_status='Complete'");
+			$adb->pquery("UPDATE vtiger_contract_status SET presence=0 WHERE contract_status=?", array('Complete'));
 
 			// Mark the module as Standard module
 			$adb->pquery('UPDATE vtiger_tab SET customized=0 WHERE name=?', array($moduleName));
@@ -601,6 +601,9 @@ class ServiceContracts extends CRMEntity {
 	/** Function to unlink an entity with given Id from another entity */
 	function unlinkRelationship($id, $return_module, $return_id) {
 		global $log, $currentModule;
+        $id = Vtiger_Util_Helper::validateStringForSql($id);
+        $return_module = Vtiger_Util_Helper::validateStringForSql($return_module);
+        $return_id = Vtiger_Util_Helper::validateStringForSql($return_id);
 
 		if($return_module == 'Accounts') {
 			$focus = CRMEntity::getInstance($return_module);
diff --git a/vtlib/Vtiger/Filter.php b/vtlib/Vtiger/Filter.php
index 217007487a5189cd3e4e37312b1216846a456347..7dcccc1394656c8d1230ef8b588325b42cb36cae 100644
--- a/vtlib/Vtiger/Filter.php
+++ b/vtlib/Vtiger/Filter.php
@@ -281,9 +281,9 @@ class Vtiger_Filter {
 				$cvids[] = $adb->query_result($cvidres, $index, 'cvid');
 			}
 			if(!empty($cvids)) {
-				$adb->pquery("DELETE FROM vtiger_cvadvfilter WHERE cvid  IN (" . implode(',', $cvids) . ")", array());
-				$adb->pquery("DELETE FROM vtiger_cvcolumnlist WHERE cvid IN (" . implode(',', $cvids) . ")", array());
-				$adb->pquery("DELETE FROM vtiger_customview WHERE cvid   IN (" . implode(',', $cvids) . ")", array());
+				$adb->pquery("DELETE FROM vtiger_cvadvfilter WHERE cvid  IN (" . generateQuestionMarks($cvids) . ")", array($cvids));
+				$adb->pquery("DELETE FROM vtiger_cvcolumnlist WHERE cvid IN (" . generateQuestionMarks($cvids) . ")", array($cvids));
+				$adb->pquery("DELETE FROM vtiger_customview WHERE cvid   IN (" . generateQuestionMarks($cvids) . ")", array($cvids));
 			}
 		}
 	}
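Review bot: Lines 165–167 pass `array($cvids)` — a nested array — as the bind list, which only works if `pquery()` flattens its parameter array; if it does, `$cvids` alone is the clearer argument, and if it does not, the single array value is bound to the first `?` and the remaining placeholders are left empty. Passing the list directly avoids relying on that behaviour: `$adb->pquery("DELETE FROM vtiger_cvadvfilter WHERE cvid IN (" . generateQuestionMarks($cvids) . ")", $cvids);` and likewise for the other two statements. The enclosing method starts before the hunk.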
diff --git a/vtlib/Vtiger/Functions.php b/vtlib/Vtiger/Functions.php
index 840421bb863ddff0ad429d13629530e8651258b6..9dbd03e8959d8c8218d3592030a6c624029bf9d8 100644
--- a/vtlib/Vtiger/Functions.php
+++ b/vtlib/Vtiger/Functions.php
@@ -729,6 +729,8 @@ class Vtiger_Functions {
 
 	static function getSingleFieldValue($tablename, $fieldname, $idname, $id) {
 		global $adb;
+        $fieldname = Vtiger_Util_Helper::validateStringForSql($fieldname);
+        $idname = Vtiger_Util_Helper::validateStringForSql($idname);
 		$fieldval = $adb->query_result($adb->pquery("select $fieldname from $tablename where $idname = ?", array($id)), 0, $fieldname);
 		return $fieldval;
 	}
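Review bot: `$tablename` is interpolated into the query on line 181 exactly like `$fieldname` and `$idname`, but only the latter two get `validateStringForSql` on lines 179–180; add `$tablename = Vtiger_Util_Helper::validateStringForSql($tablename);` alongside them. The sibling change to getPickListValuesFromTableForRole in this commit does validate its table name, so this looks like an oversight rather than a deliberate exception.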
@@ -955,6 +957,7 @@ class Vtiger_Functions {
 
 	static function getPickListValuesFromTableForRole($tablename, $roleid) {
 		global $adb;
+        $tablename = Vtiger_Util_Helper::validateStringForSql($tablename);
 		$query = "select $tablename from vtiger_$tablename inner join vtiger_role2picklist on vtiger_role2picklist.picklistvalueid = vtiger_$tablename.picklist_valueid where roleid=? and picklistid in (select picklistid from vtiger_picklist) order by sortorderid";
 		$result = $adb->pquery($query, array($roleid));
 		$fldVal = Array();
diff --git a/vtlib/Vtiger/Link.php b/vtlib/Vtiger/Link.php
index c006fb5075b2ab9152f6462249441e7297a1ddc2..5b827368d09f1a3fa84e7ef8d074ec2e642f832b 100644
--- a/vtlib/Vtiger/Link.php
+++ b/vtlib/Vtiger/Link.php
@@ -295,17 +295,21 @@ class Vtiger_Link {
 				$isColumnUpdate = false;
 
 				$sql = 'UPDATE vtiger_links SET ';
+                $params = array();
 				foreach ($linkInfo as $column => $columnValue) {
 					if (in_array($column, $columnsList)) {
 						$columnValue = ($column == 'sequence') ? intval($columnValue) : $columnValue;
-						$sql .= "$column='$columnValue',";
+                        $column = Vtiger_Util_Helper::validateStringForSql($column);
+						$sql .= "$column = ?,";
+                        array_push($params, $columnValue);
 						$isColumnUpdate = true;
 					}
 				}
 
 				if ($isColumnUpdate) {
 					$sql = trim($sql, ',').' WHERE tabid=? AND linkid=?';
-					$db->pquery($sql, array($tabId, $linkId));
+                    array_push($params, $tabId, $linkId);
+					$db->pquery($sql, $params);
 				}
 			}
 		}
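Review bot: The `in_array($column, $columnsList)` check on line 202 is the actual whitelist for the column name, so the `validateStringForSql` on line 205 only matters if `$columnsList` itself is untrusted; the check that carries the weight should be strict, `if (in_array($column, $columnsList, true)) {`, since loose comparison lets non-string keys match. Lines 200, 205, 207 and 215 are space-indented inside a tab-indented block. The enclosing method starts before the hunk.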
diff --git a/vtlib/Vtiger/Utils.php b/vtlib/Vtiger/Utils.php
index 885e2143b4796e141372d4ef432bc882f7087188..452ea7ab364261a4ab2724c29b999c8565ea7668 100644
--- a/vtlib/Vtiger/Utils.php
+++ b/vtlib/Vtiger/Utils.php
@@ -171,6 +171,7 @@ class Vtiger_Utils {
 	static function CreateTable($tablename, $criteria, $suffixTableMeta=false) {
 		global $adb;
 
+        $tablename = Vtiger_Util_Helper::validateStringForSql($tablename);
 		$org_dieOnError = $adb->dieOnError;
 		$adb->dieOnError = false;
 		$sql = "CREATE TABLE " . $tablename . $criteria;
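Review bot: Validating `$tablename` on line 228 leaves `$criteria` on line 231 as a raw SQL fragment, which is inherent to this helper's contract (it is a DDL builder) but worth stating in the method's doc comment so no caller passes request-derived text into it: `/** $criteria is appended verbatim to the CREATE TABLE statement; it must come from module code, never from user input. */`. The same applies to AlterTable's `$criteria` on line 237. The method continues past the hunk.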
@@ -196,6 +197,7 @@ class Vtiger_Utils {
 	 */
 	static function AlterTable($tablename, $criteria) {
 		global $adb;
+        $tablename = Vtiger_Util_Helper::validateStringForSql($tablename);
 		$adb->query("ALTER TABLE " . $tablename . $criteria);
 	}
 
@@ -220,6 +222,7 @@ class Vtiger_Utils {
 	 */
 	static function TableHasForeignKey($tablename, $key) {
 		$db = PearDatabase::getInstance();
+        $tablename = Vtiger_Util_Helper::validateStringForSql($tablename);
 		$rs = $db->pquery("SELECT 1 FROM information_schema.TABLE_CONSTRAINTS WHERE CONSTRAINT_TYPE = 'FOREIGN KEY' AND TABLE_SCHEMA = ? AND TABLE_NAME = ? AND CONSTRAINT_NAME = ?", array($db->dbName, $tablename, $key));
 		return $db->num_rows($rs) > 0 ? true : false;
 	}
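Review bot: On line 245 `$tablename` is already passed as a bound parameter (`TABLE_NAME = ?`), so the `validateStringForSql` added on line 244 adds no protection here and, if that helper rewrites rather than rejects its input, would silently turn a lookup of an unusual-but-legitimate name into a miss; the wrapper is only needed where the name is spliced into statement text, as in CreateTable, AlterTable and CreateTableSql. I cannot see the helper's implementation, so whether it rewrites or rejects is an inference to confirm. If it rejects, the line is harmless but redundant and can be dropped.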
@@ -246,6 +249,7 @@ class Vtiger_Utils {
 	static function CreateTableSql($tablename) {
 		global $adb;
 
+        $tablename = Vtiger_Util_Helper::validateStringForSql($tablename);
 		$create_table = $adb->pquery("SHOW CREATE TABLE $tablename", array());
 		$sql = decode_html($adb->query_result($create_table, 0, 1));
 		return $sql;