Fix database field from 1.11.x

f7f93579ed
5 years ago · 005dc8e9ec
parent a52eb22c8d
commit 005dc8e9ec
3 changed files with 22 additions and 17 deletions
--- a/public/main/inc/ajax/model.ajax.php
+++ b/public/main/inc/ajax/model.ajax.php
@ -109,6 +109,8 @@ function getWhereClause($col, $oper, $val)
        'nc' => 'NOT LIKE',  //doesn't contain
    ];

+    $col = Database::escapeField($col);
+
    if (empty($col)) {
        return '';
    }
@ -1442,8 +1444,9 @@ switch ($action) {
        }

        $whereCondition = " AND $whereCondition ";
+        $columnOrderValidList = array_merge(['firstname', 'lastname'], $columns);
+        $sidx = in_array($sidx, $columnOrderValidList) ? $sidx : 'title';

-        $sidx = in_array($sidx, $columns) ? $sidx : 'title';
        $result = get_work_user_list(
            $start,
            $limit,
@ -2505,18 +2508,11 @@ switch ($action) {
                }
                $result = $obj->getUserGroupNotInCourse(
                    $options,
-                    $groupFilter,
-                    false,
-                    true
+                    $groupFilter
                );
                break;
            case 'registered':
-                $result = $obj->getUserGroupInCourse(
-                    $options,
-                    $groupFilter,
-                    false,
-                    true
-                );
+                $result = $obj->getUserGroupInCourse($options, $groupFilter);
                break;
        }

--- a/public/main/inc/lib/database.lib.php
+++ b/public/main/inc/lib/database.lib.php
@ -751,4 +751,9 @@ class Database
    {
        return self::getManager()->getConnection()->getSchemaManager()->listTableColumns($table);
    }
+
+    public static function escapeField($field)
+    {
+        return self::escape_string(preg_replace("/[^a-zA-Z0-9_]/", '', $field));
+    }
 }
--- a/public/main/inc/lib/extra_field.lib.php
+++ b/public/main/inc/lib/extra_field.lib.php
@ -1584,7 +1584,7 @@ class ExtraField extends Model
                        if ($freezeElement) {
                            $form->freeze('extra_'.$variable);
                        }
-                        break;
+                        break;                        
                    case self::FIELD_TYPE_FILE:
                        $fieldVariable = "extra_{$variable}";
                        $fieldTexts = [
@ -2608,6 +2608,7 @@ JAVASCRIPT;
                    }
                } else {
                    // Extra fields
+                    $ruleField = Database::escapeField($rule->field);
                    if (false === strpos($rule->field, '_second')) {
                        //No _second
                        $original_field = str_replace($stringToSearch, '', $rule->field);
@ -2630,7 +2631,7 @@ JAVASCRIPT;
                                $conditionArray[] = ' ('
                                .$this->get_where_clause($rule->field, $rule->op, $rule->data)
                                .') ';
-                                $extraFields[] = ['field' => $rule->field, 'id' => $field_option['id']];
+                                $extraFields[] = ['field' => $ruleField, 'id' => $field_option['id']];
                            }
                                break;
                            case self::FIELD_TYPE_TAG:
@ -2639,10 +2640,11 @@ JAVASCRIPT;
                                    break;
                                }

+                                    // Where will be injected in the parseConditions()
                                //$where = $this->get_where_clause($rule->field, $rule->op, $rule->data, 'OR');
                                //$conditionArray[] = " ( $where ) ";
                                $extraFields[] = [
-                                'field' => $rule->field,
+                                        'field' => $ruleField,
                                'id' => $field_option['id'],
                                'data' => $rule->data,
                            ];
@ -2656,7 +2658,7 @@ JAVASCRIPT;
                                    $where = $this->get_where_clause($rule->field, $rule->op, $rule->data, 'OR');
                                    $conditionArray[] = " ( $where ) ";
                                    $extraFields[] = [
-                                        'field' => $rule->field,
+                                        'field' => $ruleField,
                                        'id' => $field_option['id'],
                                        'data' => $rule->data,
                                    ];
@ -2668,7 +2670,7 @@ JAVASCRIPT;
                        $original_field = str_replace($stringToSearch, '', $my_field);
                        $field_option = $this->get_handler_field_info_by_field_variable($original_field);
                        $extraFields[] = [
-                        'field' => $rule->field,
+                            'field' => $ruleField,
                        'id' => $field_option['id'],
                    ];
                    }
@ -2689,6 +2691,8 @@ JAVASCRIPT;
     */
    public function get_where_clause($col, $oper, $val, $conditionBetweenOptions = 'OR')
    {
+        $col = Database::escapeField($col);
+
        if (empty($col)) {
            return '';
        }
@ -2755,7 +2759,7 @@ JAVASCRIPT;
                            $inject_extra_fields .= " fvo$counter.display_text as {$extra['field']}, ";
                            break;
                        case self::FIELD_TYPE_TAG:
-                            //$inject_extra_fields .= " tag$counter.tag as {$extra['field']}, ";
+                            // If using OR
                            // If using AND
                            $newCounter = 1;
                            $fields = [];
@ -3201,7 +3205,7 @@ JAVASCRIPT;
        );

        if (empty($defaultValueId)) {
-            $slct->addOption(get_lang('Please select an option'), '');
+            $slct->addOption(get_lang('Please select an option'));
        }

        foreach ($options as $value => $text) {