SuiteCRM Pull Request Party hosted by SalesAgility
Welcome, Guest
Username: Password: Remember me

TOPIC: Possible Code Issue in Event's responseEntryPoint.php?

Possible Code Issue in Event's responseEntryPoint.php? 4 months 1 week ago #74034

  • dano2
  • dano2's Avatar
  • Offline
  • Junior Member
  • Posts: 26
  • Karma: 0
Hi. I'm not too familiar with suitecrm code. But looking at modules/FP_events/responseEntryPoint.php...
Shouldn't all SELECTs and UPDATEs to the delegate list tables be limited to where "deleted=0"? Otherwise you could be updating and making decisions off of "archived" records, I believe. Or am I missing something?

Some example code:
$check_q = 'SELECT email_responded FROM fp_events_leads_1_c WHERE ffp_events_leads_1fp_events_ida="'.$event->id.'" AND fp_events_leads_1leads_idb="'.$delegate_id.'"';
$check = $db->getOne($check_q);
//update contact to accepted
$query = 'UPDATE fp_events_leads_1_c SET accept_status="Accepted", email_responded="1" WHERE fp_events_leads_1fp_events_ida="'.$event->id.'" AND fp_events_leads_1leads_idb="'.$delegate_id.'" AND email_responded="0"';
 if ($db->query($query) && $check != '1') {
Last Edit: 4 months 1 week ago by dano2.
The administrator has disabled public write access.

Possible Code Issue in Event's responseEntryPoint.php? 4 months 1 week ago #74062

  • pgr
  • pgr's Avatar
  • Offline
  • Administrator
  • Posts: 9324
  • Thank you received: 1406
  • Karma: 338
In general, you are right.

I wonder about this specific case, though, since the action is coming from a user action specifically directed at one event id, and one participant id. So they really mean that record, maybe it doesn't make much difference if it's in "DELETED=1" state or not.

Or perhaps it does, perhaps the user should get a message like "There was a problem with the link please contact the sender of the invite"

If you are a developer, and willing to contribute, then I venture suggesting...

1. Add those DELETED checks

2. Make all those english strings into module translatable labels (see

3. Wrap all those variables coming in the HTTP GET in proper $db->quote() function calls for security purposes (injection attacks)

4. For extra points, simplify the 3 times repeated code (for Contacts, Leads, Targets) into a single code block. :-)

My SuiteCRM In-depth blog.
Thank you for always stating your SuiteCRM version, checking your logs, reading the Docs, and searching before you ask!
The administrator has disabled public write access.
Time to create page: 0.095 seconds
Powered by Kunena Forum