chamilo-lms/main/survey/survey.download.inc.php

<?php
/* For licensing terms, see /license.txt */

/**
 * @author Arnaud Ligot <arnaud@cblue.be>
 *
 * A small peace of code to enable user to access images included into survey
 * which are accessible by non authenticated users. This file is included
 * by document/download.php
 */
function check_download_survey($course, $invitation, $doc_url)
{
    // Getting all the course information
    $_course = api_get_course_info($course);
    $course_id = $_course['real_id'];

    // Database table definitions
    $table_survey = Database::get_course_table(TABLE_SURVEY);
    $table_survey_question = Database::get_course_table(TABLE_SURVEY_QUESTION);
    $table_survey_question_option = Database::get_course_table(TABLE_SURVEY_QUESTION_OPTION);
    $table_survey_invitation = Database::get_course_table(TABLE_SURVEY_INVITATION);

    // Now we check if the invitationcode is valid
    $sql = "SELECT * FROM $table_survey_invitation
            WHERE
                c_id = $course_id AND
                invitation_code = '".Database::escape_string($invitation)."'";
    $result = Database::query($sql);
    if (Database::num_rows($result) < 1) {
        echo Display::return_message(get_lang('WrongInvitationCode'), 'error', false);
        exit;
    }
    $survey_invitation = Database::fetch_assoc($result);

    // Now we check if the user already filled the survey
    /*if ($survey_invitation['answered'] == 1) {
        echo Display::return_message(get_lang('YouAlreadyFilledThisSurvey'), 'error', false);
        exit;
    }*/

    // Very basic security check: check if a text field from
    // a survey/answer/option contains the name of the document requested
    // Fetch survey ID
    // If this is the case there will be a language choice
    $sql = "SELECT * FROM $table_survey
            WHERE
                c_id = $course_id AND
                code='".Database::escape_string($survey_invitation['survey_code'])."'";
    $result = Database::query($sql);
    if (Database::num_rows($result) > 1) {
        if ($_POST['language']) {
            $survey_invitation['survey_id'] = $_POST['language'];
        } else {
            echo '<form
                id="language"
                name="language"
                method="POST"
                action="'.api_get_self().'?course='.Security::remove_XSS($_GET['course']).'&invitationcode='.Security::remove_XSS($_GET['invitationcode']).'">';
            echo '  <select name="language">';
            while ($row = Database::fetch_assoc($result)) {
                echo '<option value="'.$row['survey_id'].'">'.$row['lang'].'</option>';
            }
            echo '</select>';
            echo '  <input type="submit" name="Submit" value="'.get_lang('Ok').'" />';
            echo '</form>';
            Display::display_footer();
            exit;
        }
    } else {
        $row = Database::fetch_assoc($result);
        $survey_invitation['survey_id'] = $row['survey_id'];
    }

    $doc_url = Database::escape_string($doc_url);
    $survey_invitation['survey_id'] = Database::escape_string($survey_invitation['survey_id']);

    $sql = "SELECT count(*)
            FROM $table_survey
            WHERE
                c_id = $course_id AND
                survey_id = ".$survey_invitation['survey_id']." AND (
                    title LIKE '%$doc_url%'
                    or subtitle LIKE '%$doc_url%'
                    or intro LIKE '%$doc_url%'
                    or surveythanks LIKE '%$doc_url%'
                )
            UNION
                SELECT count(*)
                FROM $table_survey_question
                WHERE
                    c_id = $course_id AND
                    survey_id = ".$survey_invitation['survey_id']." AND (
                        survey_question LIKE '%$doc_url%' OR
                        survey_question_comment LIKE '%$doc_url%'
                    )
            UNION
                SELECT count(*)
                FROM $table_survey_question_option
                WHERE
                    c_id = $course_id AND
                    survey_id = ".$survey_invitation['survey_id']." AND (
                        option_text LIKE '%$doc_url%'
                    )";
    $result = Database::query($sql);
    if (Database::num_rows($result) == 0) {
        echo Display::return_message(get_lang('WrongInvitationCode'), 'error', false);
        exit;
    }

    return $_course;
}
[svn r20388] image in public survey 17 years ago			`<?php`
Feature #272 - "Surveys" tool: Revision and cleaning, part 2. 16 years ago			`/* For licensing terms, see /license.txt */`
[svn r20388] image in public survey 17 years ago
			`/**`
Minor - format code 9 years ago			`* @author Arnaud Ligot <arnaud@cblue.be>`
Feature #306 - Trimming totally trailing whitespace in php-source files, part 3 (final), 161 files. 16 years ago			`*`
Minor - format code 9 years ago			`* A small peace of code to enable user to access images included into survey`
			`* which are accessible by non authenticated users. This file is included`
			`* by document/download.php`
[svn r20388] image in public survey 17 years ago			`*/`
Remove survey.lib.php already loaded by composer 11 years ago			`function check_download_survey($course, $invitation, $doc_url)`
			`{`
Minor- Format code 10 years ago			`// Getting all the course information`
Minor - Replace deprecated function calls #scrutinizer 9 years ago			`$_course = api_get_course_info($course);`
Adding c_id see #3910 14 years ago			`$course_id = $_course['real_id'];`
Feature #306 - Trimming totally trailing whitespace in php-source files, part 3 (final), 161 files. 16 years ago
Minor- Format code 10 years ago			`// Database table definitions`
Minor - format function "Database ::" to "Database::" 9 years ago			`$table_survey = Database::get_course_table(TABLE_SURVEY);`
			`$table_survey_question = Database::get_course_table(TABLE_SURVEY_QUESTION);`
			`$table_survey_question_option = Database::get_course_table(TABLE_SURVEY_QUESTION_OPTION);`
			`$table_survey_invitation = Database::get_course_table(TABLE_SURVEY_INVITATION);`
[svn r20388] image in public survey 17 years ago
Minor- Format code 10 years ago			`// Now we check if the invitationcode is valid`
			`$sql = "SELECT * FROM $table_survey_invitation`
			`WHERE`
			`c_id = $course_id AND`
			`invitation_code = '".Database::escape_string($invitation)."'";`
			`$result = Database::query($sql);`
			`if (Database::num_rows($result) < 1) {`
Minor - Replace deprecated function calls #scrutinizer 9 years ago			`echo Display::return_message(get_lang('WrongInvitationCode'), 'error', false);`
Minor- Format code 10 years ago			`exit;`
			`}`
			`$survey_invitation = Database::fetch_assoc($result);`
[svn r20388] image in public survey 17 years ago
Minor- Format code 10 years ago			`// Now we check if the user already filled the survey`
Surveys: Allow images in survey title/subtitle/intro/thanks BT#17972 Fix issue when students don't have access to survey images 5 years ago			`/*if ($survey_invitation['answered'] == 1) {`
Minor - Replace deprecated function calls #scrutinizer 9 years ago			`echo Display::return_message(get_lang('YouAlreadyFilledThisSurvey'), 'error', false);`
Minor- Format code 10 years ago			`exit;`
Surveys: Allow images in survey title/subtitle/intro/thanks BT#17972 Fix issue when students don't have access to survey images 5 years ago			`}*/`
[svn r20388] image in public survey 17 years ago
Minor - format code 8 years ago			`// Very basic security check: check if a text field from`
			`// a survey/answer/option contains the name of the document requested`
Minor- Format code 10 years ago			`// Fetch survey ID`
			`// If this is the case there will be a language choice`
			`$sql = "SELECT * FROM $table_survey`
			`WHERE`
			`c_id = $course_id AND`
			`code='".Database::escape_string($survey_invitation['survey_code'])."'";`
			`$result = Database::query($sql);`
			`if (Database::num_rows($result) > 1) {`
			`if ($_POST['language']) {`
			`$survey_invitation['survey_id'] = $_POST['language'];`
			`} else {`
Surveys: Allow images in survey title/subtitle/intro/thanks BT#17972 Fix issue when students don't have access to survey images 5 years ago			`echo '<form`
			`id="language"`
			`name="language"`
			`method="POST"`
			`action="'.api_get_self().'?course='.Security::remove_XSS($_GET['course']).'&invitationcode='.Security::remove_XSS($_GET['invitationcode']).'">';`
Minor- Format code 10 years ago			`echo ' <select name="language">';`
			`while ($row = Database::fetch_assoc($result)) {`
			`echo '<option value="'.$row['survey_id'].'">'.$row['lang'].'</option>';`
			`}`
			`echo '</select>';`
			`echo ' <input type="submit" name="Submit" value="'.get_lang('Ok').'" />';`
			`echo '</form>';`
Fix class name 9 years ago			`Display::display_footer();`
Minor- Format code 10 years ago			`exit;`
			`}`
			`} else {`
			`$row = Database::fetch_assoc($result);`
			`$survey_invitation['survey_id'] = $row['survey_id'];`
			`}`
Feature #272 - "Surveys" tool: Revision and cleaning, part 2. 16 years ago
Surveys: Allow images in survey title/subtitle/intro/thanks BT#17972 Fix issue when students don't have access to survey images 5 years ago			`$doc_url = Database::escape_string($doc_url);`
			`$survey_invitation['survey_id'] = Database::escape_string($survey_invitation['survey_id']);`

Minor- Format code 10 years ago			`$sql = "SELECT count(*)`
			`FROM $table_survey`
			`WHERE`
			`c_id = $course_id AND`
			`survey_id = ".$survey_invitation['survey_id']." AND (`
Adding api_get_path() in URLs, replacing global values, format code. 12 years ago			`title LIKE '%$doc_url%'`
			`or subtitle LIKE '%$doc_url%'`
			`or intro LIKE '%$doc_url%'`
			`or surveythanks LIKE '%$doc_url%'`
			`)`
Minor- Format code 10 years ago			`UNION`
			`SELECT count(*)`
			`FROM $table_survey_question`
			`WHERE`
			`c_id = $course_id AND`
			`survey_id = ".$survey_invitation['survey_id']." AND (`
Surveys: Allow images in survey title/subtitle/intro/thanks BT#17972 Fix issue when students don't have access to survey images 5 years ago			`survey_question LIKE '%$doc_url%' OR`
			`survey_question_comment LIKE '%$doc_url%'`
Adding api_get_path() in URLs, replacing global values, format code. 12 years ago			`)`
Minor- Format code 10 years ago			`UNION`
			`SELECT count(*)`
			`FROM $table_survey_question_option`
			`WHERE`
			`c_id = $course_id AND`
			`survey_id = ".$survey_invitation['survey_id']." AND (`
Adding api_get_path() in URLs, replacing global values, format code. 12 years ago			`option_text LIKE '%$doc_url%'`
			`)";`
Minor- Format code 10 years ago			`$result = Database::query($sql);`
			`if (Database::num_rows($result) == 0) {`
Minor - Replace deprecated function calls #scrutinizer 9 years ago			`echo Display::return_message(get_lang('WrongInvitationCode'), 'error', false);`
Minor- Format code 10 years ago			`exit;`
			`}`

			`return $_course;`
Adding api_get_path() in URLs, replacing global values, format code. 12 years ago			`}`