[Vtigercrm-commits] [vtiger-commits] r10423 - in /vtigercrm/branches/5.0.3: include/utils/SearchUtils.php modules/Potentials/Charts.php modules/Potentials/Potentials.php

vtigercrm-commits at vtiger.fosslabs.com vtigercrm-commits at vtiger.fosslabs.com
Tue Mar 13 10:21:27 EDT 2007


Author: saraj
Date: Tue Mar 13 08:21:18 2007
New Revision: 10423

Log:
SQL injection in dashboard fixed. Fixes #3196

Modified:
    vtigercrm/branches/5.0.3/include/utils/SearchUtils.php
    vtigercrm/branches/5.0.3/modules/Potentials/Charts.php
    vtigercrm/branches/5.0.3/modules/Potentials/Potentials.php

Modified: vtigercrm/branches/5.0.3/include/utils/SearchUtils.php
==============================================================================
--- vtigercrm/branches/5.0.3/include/utils/SearchUtils.php (original)
+++ vtigercrm/branches/5.0.3/include/utils/SearchUtils.php Tue Mar 13 08:21:18 2007
@@ -649,7 +649,6 @@
 	if (isset($_REQUEST['sales_stage'])) $sales_stage = $_REQUEST['sales_stage'];
 	if (isset($_REQUEST['closingdate_start'])) $date_closed_start = $_REQUEST['closingdate_start'];
 	if (isset($_REQUEST['closingdate_end'])) $date_closed_end = $_REQUEST['closingdate_end'];
-	if (isset($_REQUEST['assigned_user_id'])) $assigned_user_id = $_REQUEST['assigned_user_id'];
 	
 
 	if(isset($date_closed_start) && $date_closed_start != "" && isset($date_closed_end) && $date_closed_end != "")
@@ -669,10 +668,6 @@
 		array_push($where_clauses, "vtiger_potential.leadsource = ".$adb->quote($lead_source));
 		$url_string .= "&leadsource=".$lead_source;
 	}
-	if(isset($assigned_user_id) && $assigned_user_id != "") {
-	        array_push($where_clauses, "vtiger_crmentity.smownerid = ".$assigned_user_id);
-	        $url_string .= "&assigned_user_id=".$assigned_user_id;
-		}
 	if(isset($date_closed) && $date_closed != "") {
 		array_push($where_clauses, $adb->getDBDateString("vtiger_potential.closingdate")." like ".$adb->quote($date_closed.'%')."");
 		$url_string .= "&date_closed=".$date_closed;
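Review bot: The unquoted `vtiger_crmentity.smownerid = ".$assigned_user_id` clause is removed outright instead of being parameterised, so the list view loses its owner filter together with the injection. The neighbouring clauses already show the safe pattern with `$adb->quote($lead_source)`, and an owner id is numeric, so the filter could have been kept as `array_push($where_clauses, "vtiger_crmentity.smownerid = ".intval($assigned_user_id));` with the `$_REQUEST['assigned_user_id']` read deleted in the @@ -649 hunk retained. If the removal is deliberate, a one-line comment at the point where the clause used to be would stop the next maintainer from re-adding it in its original form. The enclosing function starts and ends outside both hunks.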

Modified: vtigercrm/branches/5.0.3/modules/Potentials/Charts.php
==============================================================================
--- vtigercrm/branches/5.0.3/modules/Potentials/Charts.php (original)
+++ vtigercrm/branches/5.0.3/modules/Potentials/Charts.php Tue Mar 13 08:21:18 2007
@@ -86,24 +86,24 @@
 			$log->debug("cache_file_name is: $cache_file_name");
 
 			//build the where clause for the query that matches $user
-			$where = "(";
+			$where = "";
 			$first = true;
 			$current = 0;
-			foreach ($user_id as $the_id) {
+			/*foreach ($user_id as $the_id) {
 				if (!$first) $where .= "OR ";
 				$first = false;
 				$where .= "vtiger_crmentity.smcreatorid='$the_id' ";
 			}
-			$where .= ") ";
+			$where .= ") ";*/
 
 			//build the where clause for the query that matches $date_start and $date_end
-			$where .= "AND closingdate >= '$date_start' AND closingdate <= '$date_end'";
+			$where .= " closingdate >= '$date_start' AND closingdate <= '$date_end'";
 			$subtitle = $current_module_strings['LBL_DATE_RANGE']." ".getDisplayDate($date_start)." ".$current_module_strings['LBL_DATE_RANGE_TO']." ".getDisplayDate($date_end)."\n";
 
 			//Now do the db queries
 			//query for opportunity data that matches $datay and $user
 			$opp = new Potentials();
-			$opp_list = $opp->get_full_list("amount DESC, closingdate DESC", $where);
+			$opp_list = $opp->get_full_list("vtiger_potential.amount DESC, vtiger_potential.closingdate DESC", $where);
 
 			//build pipeline by sales stage data
 			$total = 0;
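Review bot: `$date_start` and `$date_end` are still interpolated straight into the SQL at `$where .= " closingdate >= '$date_start' AND closingdate <= '$date_end'";`, so this hunk closes only the user-id vector; their origin is outside the hunk, and unless both are validated as dates before this point they should be quoted like the rest of the codebase does, e.g. `$where .= " closingdate >= ".$adb->quote($date_start)." AND closingdate <= ".$adb->quote($date_end);` (assuming `$adb` is reachable here). The user loop is left behind as a block comment rather than deleted, together with the now-unused `$first` and `$current` locals; the same applies to the @@ -412, @@ -743 and @@ -1032 hunks of this file. Because that loop used to guarantee `$where` began with `(`, in those three later hunks `$where` can now be the empty string whenever `$datay`, `$datax` or `$legends` is empty, which feeds the `where ` + `AND vtiger_crmentity.deleted=0` branch in Potentials.php. The enclosing function starts and ends outside the hunk.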
@@ -412,7 +412,7 @@
 
 			$where="";
 			//build the where clause for the query that matches $user
-			$count = count($user_id);
+			/*$count = count($user_id);
 			if ($count>0) {
 				$where = "(";
 				$first = true;
@@ -423,12 +423,12 @@
 					$where .= "vtiger_crmentity.smcreatorid='$the_id' ";
 				}
 				$where .= ") ";
-			}
+			}*/
 
 			//build the where clause for the query that matches $datay
 			$count = count($datay);
 			if ($count>0) {
-				$where .= "AND ( ";
+				$where .= " ( ";
 				unset($first);
 				$first = true;
 				foreach ($datay as $key=>$value) {
@@ -442,7 +442,7 @@
 			//Now do the db queries
 			//query for opportunity data that matches $datay and $user
 			$opp = new Potentials();
-			$opp_list = $opp->get_full_list("amount DESC, closingdate DESC", $where);
+			$opp_list = $opp->get_full_list("vtiger_potential.amount DESC, vtiger_potential.closingdate DESC", $where);
 
 			//build pipeline by sales stage data
 			$total = 0;
@@ -743,7 +743,7 @@
 
 			$where="";
 			//build the where clause for the query that matches $user
-			$count = count($user_id);
+			/*$count = count($user_id);
 			if ($count>0) {
 				$where = "(";
 				$first = true;
@@ -757,12 +757,12 @@
 					$where .= "vtiger_crmentity.smownerid='$the_id' ";
 				}
 				$where .= ") ";
-			}
+			}*/
 
 			//build the where clause for the query that matches $datax
 			$count = count($datax);
 			if ($count>0) {
-				$where .= "AND ( ";
+				$where .= " ( ";
 				unset($first);
 				$first = true;
 				foreach ($datax as $key=>$value) {
@@ -780,7 +780,7 @@
 			//Now do the db queries
 			//query for opportunity data that matches $datax and $user
 			$opp = new Potentials();
-			$opp_list = $opp->get_full_list("amount DESC, closingdate DESC", $where);
+			$opp_list = $opp->get_full_list("vtiger_potential.amount DESC, vtiger_potential.closingdate DESC", $where);
 
 			//build pipeline by sales stage data
 			$total = 0;
@@ -831,7 +831,7 @@
 					array_push($datay[$the_id], 0);
 					array_push($aAlts[$the_id], "");
 				}
-				array_push($aTargets[$the_id], "index.php?module=Potentials&action=ListView&assigned_user_id=$the_id&sales_stage=".urlencode($stage_key)."&closingdate_start=".urlencode($date_start)."&closingdate_end=".urlencode($date_end)."&query=true&type=dbrd");
+				array_push($aTargets[$the_id], "index.php?module=Potentials&action=ListView&sales_stage=".urlencode($stage_key)."&closingdate_start=".urlencode($date_start)."&closingdate_end=".urlencode($date_end)."&query=true&type=dbrd");
 			  }
 			  array_push($legend,$stage_translation);
 			}
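Review bot: Dropping `assigned_user_id=$the_id` from the drill-down URL changes what the link opens: `$datay[$the_id]` and `$aTargets[$the_id]` indicate this series is per user, yet the ListView now receives only `sales_stage` and the date range, so the target list is presumably no longer scoped to the user whose bar was clicked. If the per-user drill-down is meant to survive, the parameter can stay in the URL and be coerced on the consuming side in SearchUtils.php (`intval($assigned_user_id)`) rather than being removed from both ends. The enclosing loop starts outside the hunk.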
@@ -1032,7 +1032,7 @@
 			//query for opportunity data that matches $legends and $user
 			$where="";
 			//build the where clause for the query that matches $user
-			$count = count($user_id);
+			/*$count = count($user_id);
 			if ($count>0) {
 				$where = "(";
 				$first = true;
@@ -1042,12 +1042,12 @@
 					$where .= "vtiger_crmentity.smcreatorid='$the_id' ";
 				}
 				$where .= ") ";
-			}
+			}*/
 
 			//build the where clause for the query that matches $datax
 			$count = count($legends);
 			if ($count>0) {
-				$where .= "AND ( ";
+				$where .= " ( ";
 				$first = true;
 				foreach ($legends as $key=>$value) {
 					if (!$first) $where .= "OR ";
@@ -1058,7 +1058,7 @@
 			}
 
 			$opp = new Potentials();
-			$opp_list = $opp->get_full_list("amount DESC, closingdate DESC", $where);
+			$opp_list = $opp->get_full_list("vtiger_potential.amount DESC, vtiger_potential.closingdate DESC", $where);
 
 			//build pipeline by lead source data
 			$total = 0;

Modified: vtigercrm/branches/5.0.3/modules/Potentials/Potentials.php
==============================================================================
--- vtigercrm/branches/5.0.3/modules/Potentials/Potentials.php (original)
+++ vtigercrm/branches/5.0.3/modules/Potentials/Potentials.php Tue Mar 13 08:21:18 2007
@@ -142,7 +142,10 @@
 	*/
 	function create_list_query($order_by, $where)
 	{
-		global $log;
+		global $log,$current_user;
+		require('user_privileges/user_privileges_'.$current_user->id.'.php');
+	        require('user_privileges/sharing_privileges_'.$current_user->id.'.php');
+        	$tab_id = getTabid("Potentials");
 		$log->debug("Entering create_list_query(".$order_by.",". $where.") method ...");
 		// Determine if the vtiger_account name is present in the where clause.
 		$account_required = ereg("accounts\.name", $where);
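Review bot: The two `require` lines and the `$tab_id` assignment are indented with a mix of spaces and tabs while the rest of the method uses tabs, so the block reads as mis-aligned; the same mix appears in the `if($is_admin==false ...)` block of the next hunk. `require('user_privileges/user_privileges_'.$current_user->id.'.php')` builds an include path from `$current_user->id`; presumably that is the numeric id of the logged-in user taken from the session, but nothing on the page states it, and a comment such as `// $current_user->id is the numeric session user id; privilege files are generated per user by the app` would make the safety of the dynamic include explicit. Note also that `$is_admin`, `$profileGlobalPermission` and `$defaultOrgSharingPermission` used in the next hunk are only defined by these includes, which is worth a comment since the method reads as if they were undeclared. The method continues past the end of the hunk.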
@@ -154,19 +157,25 @@
 		}
 		else
 		{
-			$query = 'SELECT potentialid, potentialname, smcreatorid, closingdate FROM vtiger_potential inner join vtiger_crmentity on vtiger_crmentity.crmid=vtiger_potential.potentialid ';
-			$where_auto = 'AND vtiger_crmentity.deleted=0';
+			$query = 'SELECT vtiger_potential.potentialid, vtiger_potential.potentialname, vtiger_crmentity.smcreatorid, vtiger_potential.closingdate FROM vtiger_potential inner join vtiger_crmentity on vtiger_crmentity.crmid=vtiger_potential.potentialid LEFT JOIN vtiger_potentialgrouprelation on vtiger_potential.potentialid = vtiger_potentialgrouprelation.potentialid LEFT JOIN vtiger_groups on vtiger_groups.groupname = vtiger_potentialgrouprelation.groupname left join vtiger_users on vtiger_users.id = vtiger_crmentity.smownerid ';
+			$where_auto = 'AND vtiger_crmentity.deleted=0 ';
 		}
 
 		if($where != "")
 			$query .= "where $where ".$where_auto;
 		else
 			$query .= "where ".$where_auto;
+		if($is_admin==false && $profileGlobalPermission[1] == 1 && $profileGlobalPermission[2] == 1 && $defaultOrgSharingPermission[$tab_id] == 3)
+                {
+                                $sec_parameter=getListViewSecurityParameter("Potentials");
+                                $query .= $sec_parameter;
+
+                }
 
 		if($order_by != "")
-			$query .= " ORDER BY vtiger_potential.$order_by";
-		else
-			$query .= " ORDER BY vtiger_potential.potentialname";
+			$query .= " ORDER BY $order_by";
+		else
+			$query .= " ORDER BY vtiger_potential.potentialname ";
 
 
 
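Review bot: `$query .= " ORDER BY $order_by";` now concatenates the caller's `$order_by` verbatim, where before it was at least anchored by a `vtiger_potential.` prefix; the callers changed in this commit pass constant strings, but any other caller that forwards a request value would be injecting into ORDER BY, so the value should be restricted to column-list syntax before use, e.g. `if($order_by != "" && !preg_match('/^[A-Za-z0-9_.]+( (ASC|DESC))?(, [A-Za-z0-9_.]+( (ASC|DESC))?)*$/i', $order_by)) $order_by = "";`. The `else` branch still produces `where ` followed by `$where_auto = 'AND vtiger_crmentity.deleted=0 '`, i.e. `where AND vtiger_crmentity.deleted=0`, which is invalid SQL; that branch may have been unreachable while Charts.php always prefixed `$where` with the user-id group, but with those loops commented out an empty `$datay`/`$datax`/`$legends` reaches it, so the else case should emit `$query .= "where vtiger_crmentity.deleted=0 ";`. `$is_admin==false` is a loose comparison; if the privilege file sets it as a boolean, `$is_admin === false` says what is meant. The method continues past the end of the hunk.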




