PEAR.php

@@ -99,6 +99,7 @@ $GLOBALS['_PEAR_error_handler_stack']    = array();
  * @since      Class available since PHP 4.0.2
  * @link        http://pear.php.net/manual/en/core.pear.php#core.pear.pear
  */
+#[\AllowDynamicProperties]
 class PEAR
 {
     // {{{ properties
@@ -814,6 +815,7 @@ function _PEAR_call_destructors()
  * @see        PEAR::raiseError(), PEAR::throwError()
  * @since      Class available since PHP 4.0.2
  */
+#[\AllowDynamicProperties]
 class PEAR_Error
 {
     // {{{ properties

composer.json

@@ -22,6 +22,9 @@
         "dg/rss-php": "^1.5",
         "ezyang/htmlpurifier": "^4.16",
         "tecnickcom/tcpdf": "^6.6",
-	"monolog/monolog": "^3.5"
+	"monolog/monolog": "^3.5",
+        "league/oauth2-client": "^2.7",
+        "phpmailer/phpmailer": "^6.9",
+        "league/oauth2-google": "^4.0"
     }
 }

config.template.php

@@ -111,7 +111,7 @@ $allow_exports = 'all';
 
 // files with one of these extensions will have '.txt' appended to their filename on upload
 // upload_badext default value = php, php3, php4, php5, pl, cgi, py, asp, cfm, js, vbs, html, htm
-$upload_badext = array('php', 'php3', 'php4', 'php5', 'pl', 'cgi', 'py', 'asp', 'cfm', 'js', 'vbs', 'html', 'htm', 'exe', 'bin', 'bat', 'sh', 'dll', 'phps', 'phtml', 'xhtml', 'rb', 'msi', 'jsp', 'shtml', 'sth', 'shtm', 'htaccess');
+$upload_badext = array('php', 'php3', 'php4', 'php5', 'pl', 'cgi', 'py', 'asp', 'cfm', 'js', 'vbs', 'html', 'htm', 'exe', 'bin', 'bat', 'sh', 'dll', 'phps', 'phtml', 'xhtml', 'rb', 'msi', 'jsp', 'shtml', 'sth', 'shtm', 'htaccess', 'phar');
 
 // list_max_entries_per_page default value = 20
 $list_max_entries_per_page = '20';

cron/SendReminder.service

@@ -22,8 +22,8 @@
 //file modified by richie
 
 require_once('include/utils/utils.php');
-require_once("modules/Emails/class.smtp.php");
-require_once("modules/Emails/class.phpmailer.php");
+//require_once("modules/Emails/class.smtp.php");
+//require_once("modules/Emails/class.phpmailer.php");
 require_once("modules/Emails/mail.php");
 require_once('include/logging.php');
 require_once("config.php");
@@ -232,7 +232,7 @@ function send_email($to,$from,$subject,$contents,$mail_server,$mail_server_usern
 	$log->info("This is send_mail function in SendReminder.php(vtiger home).");
 	global $root_directory;
 
-	$mail = new PHPMailer();
+	$mail = new PHPMailer\PHPMailer\PHPMailer();
 
 
 	$mail->Subject	= $subject;

cron/modules/Oauth2/TokenRefresher.service

+<?php
+/*+***********************************************************************************
+ * The contents of this file are subject to the vtiger CRM Public License Version 1.0
+ * ("License"); You may not use this file except in compliance with the License
+ * The Original Code is:  vtiger CRM Open Source
+ * The Initial Developer of the Original Code is vtiger.
+ * Portions created by vtiger are Copyright (C) vtiger.
+ * All Rights Reserved.
+ *************************************************************************************/
+
+require_once 'modules/Oauth2/handlers/TokenRefresher.php';
+
+$tokenRefresher = new Oauth2_TokenRefresher_Handler();
+$tokenRefresher->refreshAll();
\ No newline at end of file

cron/send_mail.php

@@ -22,13 +22,13 @@
 //file modified by richie
 
 
-require_once("modules/Emails/class.smtp.php");
-require_once("modules/Emails/class.phpmailer.php");
+// require_once("modules/Emails/class.smtp.php");
+// require_once("modules/Emails/class.phpmailer.php");
 require_once 'include/utils/CommonUtils.php';
 
 function sendmail($to,$from,$subject,$contents,$mail_server,$mail_server_username,$mail_server_password,$filename,$smtp_auth='')
 {
-  $mail = new PHPMailer();
+  $mail = new PHPMailer\PHPMailer\PHPMailer();
   $mail->Subject = $subject;
 	$mail->Body    = $contents;//"This is the HTML message body <b>in bold!</b>";
 

data/CRMEntity.php

@@ -35,6 +35,7 @@ class CRMEntity {
 	var $recordSource = 'CRM';
 	var $mode;
 
+	public $moduleName;
 	/**
 	 * Detect if we are in bulk save mode, where some features can be turned-off
 	 * to improve performance.
@@ -300,7 +301,6 @@ class CRMEntity {
         $this->column_fields['label'] = $label;
 
 		if ($this->mode == 'edit') {
-
 			$description_val = from_html($this->column_fields['description'], ($insertion_mode == 'edit') ? true : false);
 
 			$tabid = getTabid($module);
@@ -411,6 +411,7 @@ class CRMEntity {
 		global $current_user, $app_strings;
 		$log->info("function insertIntoEntityTable " . $module . ' vtiger_table name ' . $table_name);
 		global $adb;
+		global $_FILES;
 		$insertion_mode = $this->mode;
         $table_name = Vtiger_Util_Helper::validateStringForSql($table_name);
 		$tablekey = $this->tab_name_index[$table_name];
@@ -601,7 +602,7 @@ class CRMEntity {
 						$fldvalue = decode_html($this->column_fields[$fieldname]);
 					}
 				} elseif ($uitype == 8) {
-					$this->column_fields[$fieldname] = rtrim($this->column_fields[$fieldname], ',');
+					$this->column_fields[$fieldname] = isset($this->column_fields[$fieldname]) ? rtrim($this->column_fields[$fieldname], ',') : '';
 					$ids = explode(',', $this->column_fields[$fieldname]);
 					$json = new Zend_Json();
 					$fldvalue = $json->encode($ids);
@@ -649,9 +650,9 @@ class CRMEntity {
 						if(php7_count($IMG_FILES)){
 							foreach($IMG_FILES as $fileIndex => $file) {
 								if($file['error'] == 0 && $file['name'] != '' && $file['size'] > 0) {
-									if($_REQUEST[$fileIndex.'_hidden'] != '')
+									if(isset($_REQUEST[$fileIndex.'_hidden']) && $_REQUEST[$fileIndex.'_hidden'] != '') {
 										$file['original_name'] = vtlib_purify($_REQUEST[$fileIndex.'_hidden']);
-									else {
+									} else {
 										$file['original_name'] = stripslashes($file['name']);
 									}
 									$file['original_name'] = str_replace('"','',$file['original_name']);
@@ -958,6 +959,13 @@ class CRMEntity {
 					if (isset($resultrow[$fieldkey])) {
 						$fieldvalue = $resultrow[$fieldkey];
 					}
+
+					// load picklist value with umlatus with explict decoding
+					// required for field-value strict check during save.
+					if ($fieldinfo["uitype"] == 15 || $fieldinfo["uitype"] == 16) {
+						$fieldvalue = decode_html($fieldvalue);
+					}
+
 					$this->column_fields[$fieldinfo['fieldname']] = $fieldvalue;
 				}
 			}
@@ -986,7 +994,7 @@ class CRMEntity {
 
 		//Event triggering code
 		require_once("include/events/include.inc");
-
+		$em = null;
 		//In Bulk mode stop triggering events
 		if(!self::isBulkSaveMode()) {
 			$em = new VTEventsManager($adb);
@@ -2040,7 +2048,7 @@ class CRMEntity {
 	 */
 	function transferRelatedRecords($module, $transferEntityIds, $entityId) {
 		global $adb, $log;
-		$log->debug("Entering function transferRelatedRecords ($module, $transferEntityIds, $entityId)");
+		$log->debug("Entering function transferRelatedRecords ($module, ".implode(',',$transferEntityIds).", $entityId)");
 		foreach ($transferEntityIds as $transferId) {
 
 			// Pick the records related to the entity to be transfered, but do not pick the once which are already related to the current entity.
@@ -2429,7 +2437,7 @@ class CRMEntity {
 			$fields[] = $value;
 		}
 		$pritablename = $tables[0];
-		$sectablename = $tables[1];
+		$sectablename = isset($tables[1]) ? $tables[1] : '';
 		$prifieldname = $fields[0][0];
 		$secfieldname = $fields[0][1];
 		$tmpname = $pritablename . 'tmp' . $secmodule;
@@ -2469,7 +2477,7 @@ class CRMEntity {
 
 		$secQuery = 'SELECT '.$selectColumns.' '.$secQueryFrom;
 
-		$secQueryTempTableQuery = $queryPlanner->registerTempTable($secQuery, array($column_name, $fields[1], $prifieldname),$secmodule);
+		$secQueryTempTableQuery = $queryPlanner->registerTempTable($secQuery, array($column_name, isset($fields[1]) ? $fields[1] : '', $prifieldname),$secmodule);
 
 		$query = '';
 		if ($pritablename == 'vtiger_crmentityrel') {
@@ -2786,7 +2794,7 @@ class CRMEntity {
 	 * @param <type> $userGroups
 	 */
 	function getNonAdminUserGroupAccessQuery($userGroups) {
-		$query .= " UNION (SELECT groupid FROM vtiger_groups WHERE groupid IN (".implode(",", $userGroups)."))";
+		$query = " UNION (SELECT groupid FROM vtiger_groups WHERE groupid IN (".implode(",", $userGroups)."))";
 		return $query;
 	}
 
@@ -2799,7 +2807,7 @@ class CRMEntity {
 		require('user_privileges/sharing_privileges_' . $user->id . '.php');
 		$tabId = getTabid($module);
 		$sharingRuleInfoVariable = $module . '_share_read_permission';
-		$sharingRuleInfo = $$sharingRuleInfoVariable;
+		$sharingRuleInfo = isset($$sharingRuleInfoVariable) ? $$sharingRuleInfoVariable : array();
 		$sharedTabId = null;
 		$query = '';
 		if (!empty($sharingRuleInfo) && (php7_count($sharingRuleInfo['ROLE']) > 0 ||
@@ -3009,6 +3017,7 @@ class CRMEntity {
 	 * @return string
 	 */
 	function getQueryForDuplicates($module, $tableColumns, $selectedColumns = '', $ignoreEmpty = false,$requiredTables = array(),$columnTypes = null) {
+		$query='';
 		if(is_array($tableColumns)) {
 			$tableColumnsString = implode(',', $tableColumns);
 		}
@@ -3059,6 +3068,7 @@ class CRMEntity {
 		}
 
 		$i = 1;
+		$duplicateCheckClause='';
 		foreach($tableColumns as $tableColumn){
 			$tableInfo = explode('.', $tableColumn);
 			$duplicateCheckClause .= " ifnull($tableColumn,'null') = ifnull(temp.$tableInfo[1],'null')";
@@ -3140,7 +3150,7 @@ class TrackableObject implements ArrayAccess, IteratorAggregate {
 
 	#[\ReturnTypeWillChange]
 	function offsetSet($key, $value) {
-		if(is_array($value)) $value = empty($value) ? "" : (array_key_exists(0, $value) ? $value[0] : ""); //it is an associative array without a key 0 modified to prevent warning of Undefined array key 0 .
+		if(is_array($value)) $value = empty($value) ? "" : (array_key_exists(0, $value) ? $value[0] : ""); //it is an associative (if array without a key 0) modified to prevent warning of Undefined array key 0 .
 		if($this->tracking && $this->trackingEnabled) {
 			$olderValue = $this->offsetGet($key);
 			// decode_html only expects string

data/VTEntityDelta.php

@@ -92,12 +92,12 @@ class VTEntityDelta extends VTEventHandler {
 
 	function getOldValue($moduleName, $recordId, $fieldName) {
 		$entityDelta = self::$entityDelta[$moduleName][$recordId];
-		return $entityDelta[$fieldName]['oldValue'];
+		return isset($entityDelta[$fieldName]['oldValue']) ? $entityDelta[$fieldName]['oldValue'] : "";
 	}
 
 	function getCurrentValue($moduleName, $recordId, $fieldName) {
 		$entityDelta = self::$entityDelta[$moduleName][$recordId];
-		return $entityDelta[$fieldName]['currentValue'];
+		return isset($entityDelta[$fieldName]['currentValue']) ? $entityDelta[$fieldName]['currentValue'] : "";
 	}
 
 	function getOldEntity($moduleName, $recordId) {
@@ -109,6 +109,7 @@ class VTEntityDelta extends VTEventHandler {
 	}
 	
 	function hasChanged($moduleName, $recordId, $fieldName, $fieldValue = NULL) {
+		$result = false;
 		if(empty(self::$oldEntity[$moduleName][$recordId])) {
 			return false;
 		}
@@ -119,7 +120,9 @@ class VTEntityDelta extends VTEventHandler {
 		if(is_array($fieldDelta)) {
 			$fieldDelta = array_map('decode_html', $fieldDelta);
 		}
-		$result = $fieldDelta['oldValue'] != $fieldDelta['currentValue'];
+		if(isset($fieldDelta['oldValue']) && isset($fieldDelta['currentValue'])) {
+			$result = $fieldDelta['oldValue'] != $fieldDelta['currentValue'];
+		}
 		if ($fieldValue !== NULL) {
 			$result = $result && ($fieldDelta['currentValue'] === $fieldValue);
 		}

include/InventoryPDFController.php

@@ -17,7 +17,7 @@ include_once 'vtlib/Vtiger/PDF/inventory/ContentViewer2.php';
 include_once 'vtlib/Vtiger/PDF/viewers/PagerViewer.php';
 include_once 'vtlib/Vtiger/PDF/PDFGenerator.php';
 include_once 'data/CRMEntity.php';
-
+#[\AllowDynamicProperties]
 class Vtiger_InventoryPDFController {
 
 	protected $module;
@@ -114,7 +114,7 @@ class Vtiger_InventoryPDFController {
 			$taxable_total = number_format($taxable_total, $no_of_decimal_places,'.','');
 			$producttotal = $taxable_total;
 			if($this->focus->column_fields["hdnTaxType"] == "individual") {
-				for($tax_count=0;$tax_count<php7_count($productLineItem['taxes']);$tax_count++) {
+				foreach($productLineItem['taxes'] as $tax_count => $productLinetItemTaxInfo) {
 					$tax_percent = $productLineItem['taxes'][$tax_count]['percentage'];
 					$total_tax_percent += $tax_percent;
 					$tax_amount = (($taxable_total*$tax_percent)/100);
@@ -131,7 +131,7 @@ class Vtiger_InventoryPDFController {
 			$discountPercentage = $productLineItem["discount_percent{$productLineItemIndex}"];
 			$productName = decode_html($productLineItem["productName{$productLineItemIndex}"]);
 			//get the sub product
-			$subProducts = $productLineItem["subProductArray{$productLineItemIndex}"];
+			$subProducts = isset($productLineItem["subProductArray{$productLineItemIndex}"]) ? $productLineItem["subProductArray{$productLineItemIndex}"] : "";
 			if($subProducts != '') {
 				foreach($subProducts as $subProduct) {
 					$productName .="\n"." - ".decode_html($subProduct);
@@ -201,14 +201,14 @@ class Vtiger_InventoryPDFController {
 		//To calculate the group tax amount
 		if($final_details['taxtype'] == 'group') {
 			$group_tax_details = $final_details['taxes'];
-			for($i=0;$i<php7_count($group_tax_details);$i++) {
-				$group_total_tax_percent += $group_tax_details[$i]['percentage'];
+			foreach($group_tax_details as $i => $group_tax_info) {
+				$group_total_tax_percent += isset($group_tax_details[$i]['percentage']) ? $group_tax_details[$i]['percentage'] : 0.00;
 			}
 			$summaryModel->set(getTranslatedString("Tax:", $this->moduleName)."($group_total_tax_percent%)", $this->formatPrice($final_details['tax_totalamount']));
 		}
 		//Shipping & Handling taxes
 		$sh_tax_details = $final_details['sh_taxes'];
-		for($i=0;$i<php7_count($sh_tax_details);$i++) {
+		foreach($sh_tax_details as $i => $sh_tax_info) {
 			$sh_tax_percent = $sh_tax_percent + $sh_tax_details[$i]['percentage'];
 		}
 		//obtain the Currency Symbol
@@ -429,4 +429,4 @@ class Vtiger_InventoryPDFController {
 	}
 
 }
-?>
\ No newline at end of file
+?>

include/ListView/ListViewController.php

@@ -273,7 +273,7 @@ class ListViewController {
 				}
 
 				if(in_array($uitype,array(15,33,16))){
-					$value = html_entity_decode($rawValue,ENT_QUOTES,$default_charset); 
+					$value = isset($rawValue) ? html_entity_decode($rawValue,ENT_QUOTES,$default_charset) : ''; 
 				} else { 
 					$value = $rawValue; 
 				}
@@ -464,7 +464,7 @@ class ListViewController {
 					if(php7_count($moduleList) == 1) {
 						$parentModule = $moduleList[0];
 					} else {
-						$parentModule = $this->typeList[$value];
+						$parentModule = isset($this->typeList[$value]) ? $this->typeList[$value] : '';
 					}
 					if(!empty($value) && !empty($this->nameList[$fieldName]) && !empty($parentModule)) {
 						$parentMeta = $this->queryGenerator->getMeta($parentModule);

include/ListView/ListViewSession.php

@@ -76,6 +76,7 @@ class ListViewSession {
 		$cv = new CustomView();
 		$viewId = $cv->getViewId($currentModule);
 		$recordNavigationInfo = array();
+		$searchKey = array();
 		if(!empty($_SESSION[$currentModule.'_DetailView_Navigation'.$viewId])){
 			$recordNavigationInfo = Zend_Json::decode($_SESSION[$currentModule.'_DetailView_Navigation'.$viewId]);
 			$pageNumber =0;

include/QueryGenerator/EnhancedQueryGenerator.php

@@ -90,6 +90,7 @@ class EnhancedQueryGenerator extends QueryGenerator {
 		$dateSpecificConditions = $customView->getStdFilterConditions();
 		$specialDateTimeConditions = Vtiger_Functions::getSpecialDateTimeCondtions();
 		foreach ($advFilterList as $groupindex => $groupcolumns) {
+			if(! $groupcolumns)continue;
 			$filtercolumns = $groupcolumns['columns'];
 			if (php7_count($filtercolumns) > 0) {
 				$this->startGroup('');
@@ -196,7 +197,7 @@ class EnhancedQueryGenerator extends QueryGenerator {
 					}
 				}
 				$this->endGroup();
-				$groupConditionGlue = $groupcolumns['condition'];
+				$groupConditionGlue = isset($groupcolumns['condition']) ? $groupcolumns['condition'] : "";
 				if ($groupConditionGlue) {
 					$this->addConditionGlue($groupConditionGlue);
 				}

include/QueryGenerator/QueryGenerator.php

@@ -53,6 +53,7 @@ class QueryGenerator {
 	public static $AND = 'AND';
 	public static $OR = 'OR';
 	protected $customViewFields;
+	protected $referenceModuleField;
 	/**
 	 * Import Feature
 	 */
@@ -1339,7 +1340,7 @@ class QueryGenerator {
 
 	public function addUserSearchConditions($input) {
 		global $log,$default_charset;
-		if($input['searchtype']=='advance') {
+		if(isset($input['searchtype']) && $input['searchtype']=='advance') {
 
 			$json = new Zend_Json();
 			$advft_criteria = $_REQUEST['advft_criteria'];
@@ -1386,7 +1387,7 @@ class QueryGenerator {
 				}
 			}
 			$this->endGroup();
-		} elseif($input['type']=='dbrd') {
+		} elseif(isset($input['type']) && $input['type']=='dbrd') {
 			if($this->conditionInstanceCount > 0) {
 				$this->startGroup(self::$AND);
 			} else {

include/Webservices/ConvertLead.php

@@ -145,18 +145,25 @@ function vtws_convertlead($entityvalues, $user) {
 
 
 	try {
-		$accountIdComponents = vtws_getIdComponents($entityIds['Accounts']);
-		$accountId = $accountIdComponents[1];
-
-		$contactIdComponents = vtws_getIdComponents($entityIds['Contacts']);
-		$contactId = $contactIdComponents[1];
-
-		if(!empty($entityIds['Potentials'])){
+		$accountId = null;
+		if (isset($entityIds['Accounts']) && $entityIds['Accounts']) {
+			$accountIdComponents = vtws_getIdComponents($entityIds['Accounts']);
+			$accountId = $accountIdComponents[1];
+		}
+		
+		$contactId = null;		
+		if (isset($entityIds['Contacts']) && $entityIds['Contacts']) {
+			$contactIdComponents = vtws_getIdComponents($entityIds['Contacts']);
+			$contactId = $contactIdComponents[1];
+		}
+		
+		$potentialId = null;
+		if(isset($entityIds['Potentials']) && $entityIds['Potentials']){
 			$potentialIdComponents = vtws_getIdComponents($entityIds['Potentials']);
 			$potentialId = $potentialIdComponents[1];
 		}
 
-		if (!empty($accountId) && !empty($contactId) && !empty($potentialId)) {
+		if (!empty($contactId) && !empty($potentialId)) {
 			$sql = "insert into vtiger_contpotentialrel values(?,?)";
 			$result = $adb->pquery($sql, array($contactId, $potentialId));
 			if ($result === false) {

include/Webservices/DataTransform.php

@@ -39,7 +39,7 @@
 		}
 
 		static function filterAndSanitize($row,$meta){
-			$recordLabel = $row['label'];
+			$recordLabel = isset($row['label']) ? $row['label'] :"";
 			$row = DataTransform::filterAllColumns($row,$meta);
 			$row = DataTransform::sanitizeData($row,$meta);
 			if(!empty($recordLabel)){
@@ -139,6 +139,7 @@
 
 			$row = DataTransform::sanitizeDateFieldsForInsert($row,$meta);
 			$row = DataTransform::sanitizeCurrencyFieldsForInsert($row,$meta);
+			$row = DataTransform::sanitizeStringFields($row,$meta);
 
 			// New field added to store Source of Created Record
 			if (!isset($row['source'])) {
@@ -156,7 +157,7 @@
 			$allFields = $meta->getFieldColumnMapping();
 			$newRow = array();
 			foreach($allFields as $field=>$col){
-				$newRow[$field] = $row[$field];
+				$newRow[$field] = isset($row[$field]) ? $row[$field] : null;
 			}
 			if(isset($row[$recordString])){
 				$newRow[$recordString] = $row[$recordString];
@@ -187,7 +188,7 @@
 			}
 
 			if(!isset($row['id'])){
-				if($row[$meta->getObectIndexColumn()] ){
+				if(isset($row[$meta->getObectIndexColumn()] )){
 					$row['id'] = vtws_getId($meta->getEntityId(),$row[$meta->getObectIndexColumn()]);
 				}else{
 					//TODO Handle this.
@@ -211,11 +212,11 @@
 					continue;
 				}
 				if(strtolower($meta->getEntityName()) == "emails"){
-					if(isset($row['parent_id'])){
+					if (isset($row['parent_id']) && $row['parent_id'] !== null && strpos($row['parent_id'], '@') !== false) {					
 						list($row['parent_id'], $fieldId) = explode('@', $row['parent_id']);
 					}
 				}
-				if($row[$field]){
+				if(isset($row[$field]) && $row[$field]){
 					$found = false;
 					foreach ($typeList as $entity) {
 						$webserviceObject = VtigerWebserviceObject::fromName($adb,$entity);
@@ -273,7 +274,7 @@
             foreach ($moduleFields as $fieldName => $fieldObj) {
                 if (in_array($fieldObj->getUIType(), $supportedUITypes)) {
                     //while doing retrieve operation we have record_id and on query operation we have id.
-                    $id = $row['record_id'] ? $row['record_id'] : $row['id'];
+                    $id = isset($row['record_id']) ? $row['record_id'] : (isset($row['id']) ? $row['id'] : null);
                     $ids = Vtiger_Functions::getAttachmentIds($id, $meta->getEntityId());
                 if($ids) {
                         foreach($ids as $id){
@@ -315,7 +316,7 @@
 							$row[$fieldName."_raw"] = $row[$fieldName];
 							$row[$fieldName] = CurrencyField::convertToUserFormat($row[$fieldName],$current_user);
 						} else if($fieldObj->getUIType() == '72') {
-							$currencyConversionRate = $row['conversion_rate'];
+							$currencyConversionRate = isset($row['conversion_rate']) ? $row['conversion_rate'] : 0;
 							if (!empty($currencyConversionRate)) {
 								$rawBaseCurrencyValue = CurrencyField::convertToDollar($row[$fieldName], $currencyConversionRate);
 								$row[$fieldName."_raw"] = $rawBaseCurrencyValue;
@@ -332,5 +333,16 @@
 			}
 			return $row;
 		}
+
+		static function sanitizeStringFields($row,$meta){
+			if(in_array($meta->getEntityName(),array('Groups', 'Currency', 'Tax', 'ProductTaxes'))){
+				foreach ($row as $field => $value) {
+					if(is_string($value)){
+						$row[$field] = vtlib_purify($value);
+					}
+				}
+			}
+			return $row;
+		}
 	}	
 ?>

include/Webservices/LineItem/VtigerInventoryOperation.php

@@ -204,7 +204,7 @@ class VtigerInventoryOperation extends VtigerModuleOperation {
 		$element['LineItems'] = $lineItems;
 		$recordCompoundTaxesElement = $this->getCompoundTaxesElement($element, $lineItems);
 		$element = array_merge($element, $recordCompoundTaxesElement);
-		$element['productid'] = $lineItems[0]['productid'];
+		$element['productid'] = isset($lineItems[0]['productid']) ? $lineItems[0]['productid'] : "";
 		$element['LineItems_FinalDetails'] = $this->getLineItemFinalDetails($idComponents[1]);
 		return $element;
 	}
@@ -480,7 +480,7 @@ class VtigerInventoryOperation extends VtigerModuleOperation {
 			$result = $this->pearDB->pquery('SELECT * FROM vtiger_inventorychargesrel WHERE recordid = ?', array($id));
 			$rowData = $this->pearDB->fetch_array($result);
 
-			if ($rowData['charges']) {
+			if (isset($rowData['charges']) && $rowData['charges']) {
 				$allCharges = getAllCharges();
 				$shippingTaxes = array();
 				$allShippingTaxes = getAllTaxes('all', 'sh');

include/Webservices/Utils.php

@@ -117,10 +117,19 @@ function vtws_getUserWebservicesGroups($tabId,$user){
 }
 
 function vtws_getIdComponents($elementid){
+	$elementid = (string)$elementid;
+	if ($elementid && is_numeric($elementid)) return array($elementid); // during (UserId permission check)
+	if (!$elementid || !preg_match("/[0-9]+x[0-9]+/", $elementid)) {
+		throw new WebServiceException(WebServiceErrorCode::$INVALIDID,"Id specified is incorrect");
+	}
 	return explode("x",$elementid);
 }
 
 function vtws_getId($objId, $elemId){
+	if(is_array($elemId)){$elemId=implode(' ',$elemId);}
+	if(!is_numeric($objId) || !is_numeric($elemId)) {
+		throw new WebServiceException(WebServiceErrorCode::$INVALIDID,"Id specified is incorrect");
+	}
 	return $objId."x".$elemId;
 }
 
@@ -694,7 +703,7 @@ function vtws_getFieldfromFieldId($fieldId, $fieldObjectList){
  */
 function vtws_getRelatedActivities($leadId,$accountId,$contactId,$relatedId) {
 
-	if(empty($leadId) || empty($relatedId) || (empty($accountId) && empty($contactId))){
+	if(empty($leadId) || empty($relatedId) || empty($contactId)){
 		throw new WebServiceException(WebServiceErrorCode::$LEAD_RELATED_UPDATE_FAILED,
 			"Failed to move related Activities/Emails");
 	}
@@ -1271,7 +1280,7 @@ function vtws_getCompanyId() {
 
 function vtws_recordExists($recordId) {
 	$ids = vtws_getIdComponents($recordId);
-	return !Vtiger_Util_Helper::CheckRecordExistance($ids[1]);
+	return isset($ids[1]) ? !Vtiger_Util_Helper::CheckRecordExistance($ids[1]) : null;
 }
 
 function vtws_isDuplicatesAllowed($webserviceObject){

include/Webservices/VTQL_Parser.php

@@ -298,7 +298,7 @@ function buildSelectStmt($sqlDump){
 				$this->query = $this->query.','.$columnTable[$fieldcol[$field]].".".$fieldcol[$field];
 			}
 		}
-		if($sqlDump['sortOrder']) {
+		if(isset($sqlDump['sortOrder'])) {
 			$this->query .= ' '.$sqlDump['sortOrder'];
 		}
 	}
@@ -1241,6 +1241,7 @@ $this->out['where_condition']['column_values'][php7_sizeof($this->out['where_con
 #line 1240 "e:\workspace\nonadmin\pkg\vtiger\extensions\Webservices\VTQL_parser.php"
 #line 82 "e:\workspace\nonadmin\pkg\vtiger\extensions\Webservices\VTQL_parser.y"
     function yy_r17(){
+        $this->out['where_condition']['column_values'] = isset($this->out['where_condition']['column_values']) ? $this->out['where_condition']['column_values'] : array();
 $length = ($this->out['where_condition']['column_values'])? php7_sizeof($this->out['where_condition']['column_values']):0;
 $pos = $length - 1;
 if($pos < 0){

include/Webservices/VtigerCRMObject.php

@@ -199,7 +199,7 @@ class VtigerCRMObject{
 		global $adb;
 		
 		$exists = false;
-		$sql = "select * from vtiger_crmentity where crmid=? and deleted=0";
+		$sql = "select 1 from vtiger_crmentity where crmid=? and deleted=0";
 		$result = $adb->pquery($sql , array($id));
 		if($result != null && isset($result)){
 			if($adb->num_rows($result)>0){
@@ -213,7 +213,7 @@ class VtigerCRMObject{
 		global $adb;
 		
 		$seType = null;
-		$sql = "select * from vtiger_crmentity where crmid=? and deleted=0";
+		$sql = "select setype from vtiger_crmentity where crmid=? and deleted=0";
 		$result = $adb->pquery($sql , array($id));
 		if($result != null && isset($result)){
 			if($adb->num_rows($result)>0){