diff --git a/modules/Calendar4You/CalendarView.php b/modules/Calendar4You/CalendarView.php index cb98763597..9e08287bb6 100644 --- a/modules/Calendar4You/CalendarView.php +++ b/modules/Calendar4You/CalendarView.php @@ -206,7 +206,7 @@ ); if (isset($_REQUEST['viewOption']) && $_REQUEST['viewOption']!= '') { - $default_view = $_REQUEST['viewOption']; + $default_view = vtlib_purify($_REQUEST['viewOption']); } else { if ($current_user->activity_view == 'This Year') { $default_view = 'month'; @@ -228,7 +228,7 @@ $smarty->assign('upESTATUSBLOCK_DISPLAY', isset($Ch_Views['8']) ? $Ch_Views['8'] : 'block'); $smarty->assign('upTPRIORITYBLOCK_DISPLAY', isset($Ch_Views['9']) ? $Ch_Views['9'] : 'block'); if (isset($_REQUEST['user_view_type']) && $_REQUEST['user_view_type'] != '') { - $user_view_type = $_REQUEST['user_view_type']; + $user_view_type = vtlib_purify($_REQUEST['user_view_type']); } else { if ($Calendar_Settings['user_view']== 'all') { $user_view_type = 'all'; diff --git a/modules/Calendar4You/Events.php b/modules/Calendar4You/Events.php index 3dbabba01b..3309490b66 100644 --- a/modules/Calendar4You/Events.php +++ b/modules/Calendar4You/Events.php @@ -26,12 +26,12 @@ $save = (isset($_REQUEST['save']) ? vtlib_purify($_REQUEST['save']) : ''); $full_calendar_view = vtlib_purify($_REQUEST['view']); if (isset($_REQUEST['record']) && $_REQUEST['record'] != '') { - $record = $_REQUEST['record']; + $record = vtlib_purify($_REQUEST['record']); } if (!empty($_REQUEST['usersids'])) { $all_users = true; - $Users_Ids = explode(',', $_REQUEST['usersids']); + $Users_Ids = explode(',', vtlib_purify($_REQUEST['usersids'])); } else { $all_users = false; if ($user_view_type != 'all') { @@ -169,7 +169,7 @@ $showGroupEvents = GlobalVariable::getVariable('Calendar_Show_Group_Events', 1); $modtab = array_flip($tasklabel); foreach ($Users_Ids as $userid) { - if (!$userid) { + if (empty($userid) || !is_numeric($userid)) { continue; } if ($showGroupEvents) { 
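Review bot: `vtlib_purify` on `$_REQUEST['viewOption']` strips markup but does not restrict `$default_view` to a known view name, so whatever the purifier leaves through still reaches the code that consumes the view name below this hunk; since the else branch assigns `'month'`, the accepted set is evidently a small fixed list and an allow-list is the tighter guard, e.g. `$default_view = in_array($_REQUEST['viewOption'], $valid_views, true) ? $_REQUEST['viewOption'] : 'month';` with `$valid_views` being a list you define of the accepted names (only `'month'` is visible from here). The same applies to the `user_view_type` hunk at line 228, where `'all'` is visible as one accepted value. In both hunks the surrounding if/else runs past the end of the hunk.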
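Review bot: `$record` is a crmid and is later bound to `vtiger_crmentity.crmid=?`, so the useful check at this line is numeric shape rather than HTML purity; `vtlib_purify` passes a non-numeric string through unchanged. A guard in the style of the id test this commit adds for `$userid` keeps the two consistent: `if (isset($_REQUEST['record']) && ctype_digit((string) $_REQUEST['record'])) { $record = $_REQUEST['record']; }`. Purifying the joined `usersids` string before `explode` is fine as long as each element is still validated per id, which the loop at line 169 now does. The if/else that sets `$all_users` continues past the end of the hunk.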
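Review bot: `is_numeric($userid)` also accepts floats, exponent notation and leading whitespace (`'1.5'`, `'1e3'`, `' 7'`), none of which is a valid user id; `ctype_digit((string) $userid)` is the tighter test for an integer id coming off `explode`: `if (empty($userid) || !ctype_digit((string) $userid)) {`. Keeping `empty()` preserves the existing skip of empty and `'0'` entries. The `foreach` body continues outside the hunk.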
@@ -264,10 +264,12 @@ } else { $list_query = getCalendar4YouListQuery($userid, $invites); if ($record != '') { - $list_query .= " AND vtiger_crmentity.crmid = '".$record."'"; + $list_query .= ' AND vtiger_crmentity.crmid=?'; + $list_array[] = $record; } else { - $list_query .= " AND vtiger_activity.dtstart <= '".$usredtime."'"; - $list_query .= " AND vtiger_activity.dtend >= '".$usrsttime."'"; + $list_query .= ' AND vtiger_activity.dtstart<=? AND vtiger_activity.dtend>=?'; + $list_array[] = $usredtime; + $list_array[] = $usrsttime; } if (!$invites) { if ($showGroupEvents && $groups != '') { diff --git a/modules/Calendar4You/SaveEventSettings.php b/modules/Calendar4You/SaveEventSettings.php index 2a7ea7696c..949bcbe8e1 100644 --- a/modules/Calendar4You/SaveEventSettings.php +++ b/modules/Calendar4You/SaveEventSettings.php @@ -10,7 +10,7 @@ require_once 'include/database/PearDatabase.php'; global $adb,$current_user; -$user_view_type = $_REQUEST['user_view_type']; +$user_view_type = vtlib_purify($_REQUEST['user_view_type']); $mode = vtlib_purify($_REQUEST['mode']); if ($mode=='module') { @@ -29,7 +29,7 @@ } $Save_Data = array(); -$save_fields = $_REQUEST['save_fields']; +$save_fields = vtlib_purify($_REQUEST['save_fields']); if ($save_fields == '1') { $event = $entity; @@ -40,9 +40,9 @@ $Views = array('day','week','month'); foreach ($Views as $view) { - $Save_Data[] = array($userid,$event,'1',$view,$_REQUEST[$view.'_showed_field']); + $Save_Data[] = array($userid,$event,'1',$view,vtlib_purify($_REQUEST[$view.'_showed_field'])); - $Selected_Fields = explode(';', $_REQUEST[$view.'_selected_fields']); + $Selected_Fields = explode(';', vtlib_purify($_REQUEST[$view.'_selected_fields'])); if (count($Selected_Fields) > 0) { foreach ($Selected_Fields as $fieldname) { diff --git a/modules/Calendar4You/updateCalendarSharing.php b/modules/Calendar4You/updateCalendarSharing.php index 72366bb333..e7f063b6dd 100644 --- a/modules/Calendar4You/updateCalendarSharing.php 
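Review bot: The three conditions now bind their values through `$list_array`, but this hunk shows neither where `$list_array` is initialised nor that the `pquery` call that runs `$list_query` receives it, so both need confirming before this branch is considered fully parameterised. Any condition still appended by string concatenation after this point (the `$groups` branch begins on the last line of the hunk) would leave the query only partly bound. A comment above the first `.=`, `// every further WHERE fragment must push its value onto $list_array, never interpolate`, would keep later edits honest. The enclosing else-branch starts and ends outside the hunk.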
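Review bot: `vtlib_purify($_REQUEST['user_view_type'])` runs without an `isset` guard, so a request lacking that field raises an undefined-index warning/notice before purification; the `$save` line in Events.php already uses the `isset(...) ? vtlib_purify(...) : ''` form and the same shape fits here: `$user_view_type = isset($_REQUEST['user_view_type']) ? vtlib_purify($_REQUEST['user_view_type']) : '';`. The same gap exists for `$save_fields` in the hunk at line 29 and for the `$_REQUEST[$view.'_showed_field']` and `$_REQUEST[$view.'_selected_fields']` reads at line 40. `$_REQUEST['mode']` on the following context line has the same issue, though the commit does not touch that line.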
+++ b/modules/Calendar4You/updateCalendarSharing.php @@ -17,28 +17,28 @@ $hour_format = '12'; } -$activity_view = $_REQUEST['activity_view']; +$activity_view = vtlib_purify($_REQUEST['activity_view']); -$user_view = $_REQUEST['user_view']; +$user_view = vtlib_purify($_REQUEST['user_view']); -$adb->pquery('delete from vtiger_sharedcalendar where userid=?', array($_REQUEST['current_userid'])); +$adb->pquery('delete from vtiger_sharedcalendar where userid=?', array(vtlib_purify($_REQUEST['current_userid']))); -$selectedid = $_REQUEST['shar_userid']; +$selectedid = vtlib_purify($_REQUEST['shar_userid']); $sharedid = explode(';', $selectedid); if (isset($sharedid) && $sharedid != null) { foreach ($sharedid as $sid) { if ($sid != '') { - $adb->pquery('insert into vtiger_sharedcalendar values (?,?)', array($_REQUEST['current_userid'], $sid)); + $adb->pquery('insert into vtiger_sharedcalendar values (?,?)', array(vtlib_purify($_REQUEST['current_userid']), $sid)); } } } if (isset($_REQUEST['start_hour']) && $_REQUEST['start_hour'] != '') { - $adb->pquery('update vtiger_users set start_hour=? where id=?', array($_REQUEST['start_hour'], $current_user->id)); + $adb->pquery('update vtiger_users set start_hour=? where id=?', array(vtlib_purify($_REQUEST['start_hour']), $current_user->id)); } $adb->pquery('update vtiger_users set hour_format=?, activity_view=? where id=?', array($hour_format, $activity_view, $current_user->id)); -$dayoftheweek = $_REQUEST['dayoftheweek']; +$dayoftheweek = vtlib_purify($_REQUEST['dayoftheweek']); if (isset($_REQUEST['show_weekends']) && $_REQUEST['show_weekends'] == '1') { $show_weekends = '1'; 
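Review bot: The `delete` and `insert` on `vtiger_sharedcalendar` take the owning user id from `$_REQUEST['current_userid']`, while every other update in the same hunk keys on `$current_user->id`; purification does not change that the request can name another user's id, so unless an on-behalf path I cannot see requires it, using `$current_user->id` for both statements (or rejecting a mismatch between the two) is the check that matters here. The `$sid` values from `explode(';', $selectedid)` are bound as parameters but never checked to be numeric user ids; `if ($sid !== '' && ctype_digit($sid)) {` would match the id validation this commit adds in Events.php. Purifying `$selectedid` once before the explode is fine as far as it goes.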
@@ -57,7 +57,7 @@ $adb->pquery($sql3, array($current_user->id, $dayoftheweek, $show_weekends, $user_view)); } -$update_google_account = (isset($_REQUEST['update_google_account']) ? $_REQUEST['update_google_account'] : '0'); +$update_google_account = (isset($_REQUEST['update_google_account']) ? vtlib_purify($_REQUEST['update_google_account']) : '0'); if ($update_google_account == '1') { $google_login = vtlib_purify($_REQUEST['google_login']); @@ -92,6 +92,6 @@ RecalculateSharingRules(); $url = 'Location: index.php?action=index&module=Calendar4You&viewOption='.vtlib_purify($_REQUEST['view']).'&hour='.vtlib_purify($_REQUEST['hour']) - .'&day='.vtlib_purify($_REQUEST['day']).'&month='.vtlib_purify($_REQUEST['month']).'&year='.vtlib_purify($_REQUEST['year']).'&user_view_type='.$user_view; + .'&day='.vtlib_purify($_REQUEST['day']).'&month='.vtlib_purify($_REQUEST['month']).'&year='.vtlib_purify($_REQUEST['year']).'&user_view_type='.urlencode($user_view); header($url); ?>
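Review bot: `urlencode($user_view)` fixes the last query parameter of the Location URL, but the five preceding ones (`view`, `hour`, `day`, `month`, `year`) are only passed through `vtlib_purify`, which does not URL-encode, so a value containing `&`, `=` or a space still splits the redirect into extra parameters. Wrapping each as `urlencode(vtlib_purify($_REQUEST['view']))` (and likewise for the other four) makes the header consistent; building the query string once with `http_build_query` over an array of the purified values is the cleaner form. The `$url` assignment begins on the context line above the removed line.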