Context Navigation

← Previous Changeset
Next Changeset →

Changeset 10423

Timestamp:

Mar 13, 2007 2:21:18 PM (13 years ago)

Author:

saraj

Message:

sql injection in dashboard fixed. Fixes #3196

Location:

vtigercrm/branches/5.0.3

Files:

: 3 edited

include/utils/SearchUtils.php (modified) (2 diffs)
modules/Potentials/Charts.php (modified) (12 diffs)
modules/Potentials/Potentials.php (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

vtigercrm/branches/5.0.3/include/utils/SearchUtils.php

-                      r10381
+                      r10423
         if (isset($_REQUEST['closingdate_start'])) $date_closed_start = $_REQUEST['closingdate_start'];
         if (isset($_REQUEST['closingdate_end'])) $date_closed_end = $_REQUEST['closingdate_end'];
-        if (isset($_REQUEST['assigned_user_id'])) $assigned_user_id = $_REQUEST['assigned_user_id'];
 …
                 $url_string .= "&leadsource=".$lead_source;
+        }
-        if(isset($assigned_user_id) && $assigned_user_id != "") {
-                array_push($where_clauses, "vtiger_crmentity.smownerid = ".$assigned_user_id);
-                $url_string .= "&assigned_user_id=".$assigned_user_id;
+                }
         if(isset($date_closed) && $date_closed != "") {
                 array_push($where_clauses, $adb->getDBDateString("vtiger_potential.closingdate")." like ".$adb->quote($date_closed.'%')."");

vtigercrm/branches/5.0.3/modules/Potentials/Charts.php

-                      r9762
+                      r10423
                         //build the where clause for the query that matches $user
                         $where = "(";
+                        $where = "";
                         $first = true;
                         $current = 0;
                         foreach ($user_id as $the_id) {
+                        /*foreach ($user_id as $the_id) {
                                 if (!$first) $where .= "OR ";
                                 $first = false;
                                 $where .= "vtiger_crmentity.smcreatorid='$the_id' ";
+                        }
                         $where .= ") ";
+                        $where .= ") ";*/
                         //build the where clause for the query that matches $date_start and $date_end
                         $where .= "AND closingdate >= '$date_start' AND closingdate <= '$date_end'";
+                        $where .= " closingdate >= '$date_start' AND closingdate <= '$date_end'";
                         $subtitle = $current_module_strings['LBL_DATE_RANGE']." ".getDisplayDate($date_start)." ".$current_module_strings['LBL_DATE_RANGE_TO']." ".getDisplayDate($date_end)."\n";
 …
                         //query for opportunity data that matches $datay and $user
                         $opp = new Potentials();
                         $opp_list = $opp->get_full_list("amount DESC, closingdate DESC", $where);
+                        $opp_list = $opp->get_full_list("vtiger_potential.amount DESC, vtiger_potential.closingdate DESC", $where);
                         //build pipeline by sales stage data
 …
                         $where="";
                         //build the where clause for the query that matches $user
                         $count = count($user_id);
+                        /*$count = count($user_id);
                         if ($count>0) {
                                 $where = "(";
 …
+                                }
                                 $where .= ") ";
+                        }
+                        }*/
                         //build the where clause for the query that matches $datay
                         $count = count($datay);
                         if ($count>0) {
                                 $where .= "AND ( ";
+                                $where .= " ( ";
                                 unset($first);
                                 $first = true;
 …
                         //query for opportunity data that matches $datay and $user
                         $opp = new Potentials();
                         $opp_list = $opp->get_full_list("amount DESC, closingdate DESC", $where);
+                        $opp_list = $opp->get_full_list("vtiger_potential.amount DESC, vtiger_potential.closingdate DESC", $where);
                         //build pipeline by sales stage data
 …
                         $where="";
                         //build the where clause for the query that matches $user
                         $count = count($user_id);
+                        /*$count = count($user_id);
                         if ($count>0) {
                                 $where = "(";
 …
+                                }
                                 $where .= ") ";
+                        }
+                        }*/
                         //build the where clause for the query that matches $datax
                         $count = count($datax);
                         if ($count>0) {
                                 $where .= "AND ( ";
+                                $where .= " ( ";
                                 unset($first);
                                 $first = true;
 …
                         //query for opportunity data that matches $datax and $user
                         $opp = new Potentials();
                         $opp_list = $opp->get_full_list("amount DESC, closingdate DESC", $where);
+                        $opp_list = $opp->get_full_list("vtiger_potential.amount DESC, vtiger_potential.closingdate DESC", $where);
                         //build pipeline by sales stage data
 …
                                         array_push($aAlts[$the_id], "");
+                                }
                                 array_push($aTargets[$the_id], "index.php?module=Potentials&action=ListView&assigned_user_id=$the_id&sales_stage=".urlencode($stage_key)."&closingdate_start=".urlencode($date_start)."&closingdate_end=".urlencode($date_end)."&query=true&type=dbrd");
+                                array_push($aTargets[$the_id], "index.php?module=Potentials&action=ListView&sales_stage=".urlencode($stage_key)."&closingdate_start=".urlencode($date_start)."&closingdate_end=".urlencode($date_end)."&query=true&type=dbrd");
+                          }
                           array_push($legend,$stage_translation);
 …
                         $where="";
                         //build the where clause for the query that matches $user
                         $count = count($user_id);
+                        /*$count = count($user_id);
                         if ($count>0) {
                                 $where = "(";
 …
+                                }
                                 $where .= ") ";
+                        }
+                        }*/
                         //build the where clause for the query that matches $datax
                         $count = count($legends);
                         if ($count>0) {
                                 $where .= "AND ( ";
+                                $where .= " ( ";
                                 $first = true;
                                 foreach ($legends as $key=>$value) {
 …
                         $opp = new Potentials();
                         $opp_list = $opp->get_full_list("amount DESC, closingdate DESC", $where);
+                        $opp_list = $opp->get_full_list("vtiger_potential.amount DESC, vtiger_potential.closingdate DESC", $where);
                         //build pipeline by lead source data

vtigercrm/branches/5.0.3/modules/Potentials/Potentials.php

-                      r10174
+                      r10423
         function create_list_query($order_by, $where)
+        {
+                global $log;
+                global $log,$current_user;
+                require('user_privileges/user_privileges_'.$current_user->id.'.php');
+                require('user_privileges/sharing_privileges_'.$current_user->id.'.php');
+                $tab_id = getTabid("Potentials");
                 $log->debug("Entering create_list_query(".$order_by.",". $where.") method ...");
                 // Determine if the vtiger_account name is present in the where clause.
 …
                 else
+                {
                         $query = 'SELECT potentialid, potentialname, smcreatorid, closingdate FROM vtiger_potential inner join vtiger_crmentity on vtiger_crmentity.crmid=vtiger_potential.potentialid ';
                         $where_auto = 'AND vtiger_crmentity.deleted=0';
+                        $query = 'SELECT vtiger_potential.potentialid, vtiger_potential.potentialname, vtiger_crmentity.smcreatorid, vtiger_potential.closingdate FROM vtiger_potential inner join vtiger_crmentity on vtiger_crmentity.crmid=vtiger_potential.potentialid LEFT JOIN vtiger_potentialgrouprelation on vtiger_potential.potentialid = vtiger_potentialgrouprelation.potentialid LEFT JOIN vtiger_groups on vtiger_groups.groupname = vtiger_potentialgrouprelation.groupname left join vtiger_users on vtiger_users.id = vtiger_crmentity.smownerid ';
+                        $where_auto = 'AND vtiger_crmentity.deleted=0 ';
+                }
 …
                 else
                         $query .= "where ".$where_auto;
+                if($is_admin==false && $profileGlobalPermission[1] == 1 && $profileGlobalPermission[2] == 1 && $defaultOrgSharingPermission[$tab_id] == 3)
+                {
+                                $sec_parameter=getListViewSecurityParameter("Potentials");
+                                $query .= $sec_parameter;
+                }
                 if($order_by != "")
                         $query .= " ORDER BY vtiger_potential.$order_by";
                 else
                         $query .= " ORDER BY vtiger_potential.potentialname";
+                        $query .= " ORDER BY $order_by";
+                else
+                        $query .= " ORDER BY vtiger_potential.potentialname ";

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: