Possible Code Issue in Event's responseEntryPoint.php?

Hi. I’m not too familiar with suitecrm code. But looking at modules/FP_events/responseEntryPoint.php…
Shouldn’t all SELECTs and UPDATEs to the delegate list tables be limited to where “deleted=0”? Otherwise you could be updating and making decisions off of “archived” records, I believe. Or am I missing something?

Some example code:

$check_q = 'SELECT email_responded FROM fp_events_leads_1_c WHERE ffp_events_leads_1fp_events_ida="'.$event->id.'" AND fp_events_leads_1leads_idb="'.$delegate_id.'"';
$check = $db->getOne($check_q);
//update contact to accepted
$query = 'UPDATE fp_events_leads_1_c SET accept_status="Accepted", email_responded="1" WHERE fp_events_leads_1fp_events_ida="'.$event->id.'" AND fp_events_leads_1leads_idb="'.$delegate_id.'" AND email_responded="0"';
 if ($db->query($query) && $check != '1') {

In general, you are right.

I wonder about this specific case, though, since the action is coming from a user action specifically directed at one event id, and one participant id. So they really mean that record, maybe it doesn’t make much difference if it’s in “DELETED=1” state or not.

Or perhaps it does, perhaps the user should get a message like “There was a problem with the link please contact the sender of the invite”

If you are a developer, and willing to contribute, then I venture suggesting…

  1. Add those DELETED checks

  2. Make all those english strings into module translatable labels (see https://docs.suitecrm.com/developer/language-strings/)

  3. Wrap all those variables coming in the HTTP GET in proper $db->quote() function calls for security purposes (injection attacks)

  4. For extra points, simplify the 3 times repeated code (for Contacts, Leads, Targets) into a single code block. :slight_smile: