diff --git a/main/gradebook/gradebook.php b/main/gradebook/gradebook.php
index eda0718b6f..2c1bfd53e3 100755
--- a/main/gradebook/gradebook.php
+++ b/main/gradebook/gradebook.php
@@ -1,27 +1,5 @@
|
- |
-
+
|
@@ -67,7 +66,7 @@ if (isset($_GET['user_id']) && $_GET['user_id']==strval(intval($_GET['user_id'])
?>
|
|
- |
+ |
|
get_name())."'"
- .','.$this->get_user_id()
- .','.$this->get_weight()
- .','.$this->is_visible();
+ .','.intval($this->get_user_id())
+ .','.Database::escape_string($this->get_weight())
+ .','.intval($this->is_visible());
if (isset($this->description)) {
$sql .= ",'".Database::escape_string($this->get_description())."'";
}
if (isset($this->course_code)) {
- $sql .= ",'".$this->get_course_code()."'";
+ $sql .= ",'".Database::escape_string($this->get_course_code())."'";
}
if (isset($this->parent)) {
- $sql .= ','.$this->get_parent_id();
+ $sql .= ','.intval($this->get_parent_id());
}
if (!empty($this->session_id)) {
- $sql .= ', '.$this->get_session_id();
+ $sql .= ', '.intval($this->get_session_id());
}
$sql .= ')';
@@ -292,28 +292,28 @@ class Category implements GradebookItem
} else {
$sql .= 'null';
}
- $sql .= ', user_id = '.$this->get_user_id()
+ $sql .= ', user_id = '.intval($this->get_user_id())
.', course_code = ';
if (isset($this->course_code)) {
- $sql .= "'".$this->get_course_code()."'";
+ $sql .= "'".Database::escape_string($this->get_course_code())."'";
} else {
$sql .= 'null';
}
$sql .= ', parent_id = ';
if (isset ($this->parent)) {
- $sql .= $this->get_parent_id();
+ $sql .= intval($this->get_parent_id());
} else {
$sql .= 'null';
}
$sql .= ', certif_min_score = ';
if (isset ($this->certificate_min_score) && strcmp($this->certificate_min_score,'')!==0) {
- $sql .= $this->get_certificate_min_score();
+ $sql .= Database::escape_string($this->get_certificate_min_score());
} else {
$sql .= 'null';
}
- $sql .= ', weight = '.$this->get_weight()
- .', visible = '.$this->is_visible()
- .' WHERE id = '.$this->id;
+ $sql .= ', weight = '.Database::escape_string($this->get_weight())
+ .', visible = '.intval($this->is_visible())
+ .' WHERE id = '.intval($this->id);
Database::query($sql);
}
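Review bot: `Database::escape_string($this->get_certificate_min_score())` and `Database::escape_string($this->get_weight())` in the UPDATE are concatenated without surrounding quotes, and a string-escape routine only neutralises quote and backslash characters, so in an unquoted numeric position it changes nothing about what the database parses; either cast to a number or keep the quotes that the escaping is designed for, e.g. `$sql .= "'".Database::escape_string($this->get_certificate_min_score())."'";` and `$sql .= ", weight = '".Database::escape_string($this->get_weight())."'"`. The same unquoted escape appears on the weight column of the INSERT in the preceding hunk, on weight and max in Evaluation::save(), and survives on the unchanged `cat_id='.Database::escape_string($cat_id)` filters in gradebook_functions.inc.php, where the insert side of the same table already uses intval. The save() method starts before this hunk.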
@@ -323,7 +323,7 @@ class Category implements GradebookItem
*/
public function delete() {
$tbl_grade_categories = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
- $sql = 'DELETE FROM '.$tbl_grade_categories.' WHERE id = '.$this->id;
+ $sql = 'DELETE FROM '.$tbl_grade_categories.' WHERE id = '.intval($this->id);
Database::query($sql);
}
/**
@@ -331,7 +331,7 @@ class Category implements GradebookItem
*/
public function update_category_delete($course_id){
$tbl_grade_categories = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
- $sql = 'UPDATE '.$tbl_grade_categories.' SET visible=3 WHERE course_code ="'.$course_id.'"';
+ $sql = 'UPDATE '.$tbl_grade_categories.' SET visible=3 WHERE course_code ="'.Database::escape_string($course_id).'"';
Database::query($sql);
}
/**
@@ -339,7 +339,7 @@ class Category implements GradebookItem
*/
public function show_message_resource_delete($course_id) {
$tbl_grade_categories = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
- $sql = 'SELECT count(*) AS num from '.$tbl_grade_categories.' WHERE course_code ="'.$course_id.'" AND visible=3';
+ $sql = 'SELECT count(*) AS num from '.$tbl_grade_categories.' WHERE course_code ="'.Database::escape_string($course_id).'" AND visible=3';
$res=Database::query($sql);
$option=Database::fetch_array($res,'ASSOC');
if ($option['num']>=1) {
@@ -357,7 +357,7 @@ class Category implements GradebookItem
return null;
} else {
$tbl_category=Database :: get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
- $sql='SELECT name,description,user_id,course_code,parent_id,weight,visible,certif_min_score,session_id FROM '.$tbl_category.' c WHERE c.id='.$selectcat;
+ $sql='SELECT name,description,user_id,course_code,parent_id,weight,visible,certif_min_score,session_id FROM '.$tbl_category.' c WHERE c.id='.intval($selectcat);
$result=Database::query($sql);
$row=Database::fetch_array($result,'ASSOC');
return $row;
@@ -378,7 +378,7 @@ class Category implements GradebookItem
$tbl_grade_categories = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
$sql = 'SELECT count(id) AS number'
.' FROM '.$tbl_grade_categories
- ." WHERE name = '".$name."'";
+ ." WHERE name = '".Database::escape_string($name)."'";
if (api_is_allowed_to_create_course()) {
$parent = Category::load($parent);
@@ -387,7 +387,7 @@ class Category implements GradebookItem
$main_course_user_table = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
$sql .= ' AND user_id IN ('
.' SELECT user_id FROM '.$main_course_user_table
- ." WHERE course_code = '".$code."'"
+ ." WHERE course_code = '".Database::escape_string($code)."'"
.' AND status = '.COURSEMANAGER
.')';
} else {
@@ -400,11 +400,11 @@ class Category implements GradebookItem
if (!isset ($parent)) {
$sql.= ' AND parent_id is null';
} else {
- $sql.= ' AND parent_id = '.$parent;
+ $sql.= ' AND parent_id = '.intval($parent);
}
$result = Database::query($sql);
- $number=Database::fetch_row($result);
+ $number = Database::fetch_row($result);
return ($number[0] != 0);
}
@@ -560,7 +560,7 @@ class Category implements GradebookItem
$sql .= ' AND course_code in'
.' (SELECT course_code'
.' FROM '.$main_course_user_table
- .' WHERE user_id = '.$stud_id
+ .' WHERE user_id = '.intval($stud_id)
.' AND status = '.STUDENT
.')';
}
@@ -587,7 +587,7 @@ class Category implements GradebookItem
}
}elseif (api_is_platform_admin()) {
if (isset($session_id) && $session_id!=0) {
- $sql.=' AND session_id='.$session_id;
+ $sql.=' AND session_id='.intval($session_id);
} else {
$sql.=' AND coalesce(session_id,0)=0';
}
@@ -633,7 +633,7 @@ class Category implements GradebookItem
$sql .= ' AND course_code in'
.' (SELECT course_code'
.' FROM '.$main_course_user_table
- .' WHERE user_id = '.$user_id
+ .' WHERE user_id = '.intval($user_id)
.')';
}
$result = Database::query($sql);
@@ -857,7 +857,7 @@ class Category implements GradebookItem
.' WHERE cc.code = cu.course_code'
.' AND cu.status = '.COURSEMANAGER;
if (!api_is_platform_admin()) {
- $sql .= ' AND cu.user_id = '.$user_id;
+ $sql .= ' AND cu.user_id = '.intval($user_id);
}
$result = Database::query($sql);
diff --git a/main/gradebook/lib/be/evaluation.class.php b/main/gradebook/lib/be/evaluation.class.php
index f99462c427..140bdb307c 100755
--- a/main/gradebook/lib/be/evaluation.class.php
+++ b/main/gradebook/lib/be/evaluation.class.php
@@ -210,25 +210,24 @@ class Evaluation implements GradebookItem
}
$sql .= ',created_at';
$sql .= ',type';
- $sql .= ") VALUES ('".Database::escape_string(Security::remove_XSS($this->get_name()))."'"
- .','.$this->get_user_id()
- .','.$this->get_weight()
- .','.$this->get_max()
- .','.$this->is_visible();
+ $sql .= ") VALUES ('".Database::escape_string($this->get_name())."'"
+ .','.intval($this->get_user_id())
+ .','.intval($this->get_weight())
+ .','.intval($this->get_max())
+ .','.intval($this->is_visible());
if (isset($this->description)) {
- $sql .= ",'".Database::escape_string(Security::remove_XSS($this->get_description()))."'";
+ $sql .= ",'".Database::escape_string($this->get_description())."'";
}
if (isset($this->course_code)) {
- $sql .= ",'".$this->get_course_code()."'";
+ $sql .= ",'".Database::escape_string($this->get_course_code())."'";
}
if (isset($this->category)) {
- $sql .= ','.$this->get_category_id();
+ $sql .= ','.intval($this->get_category_id());
}
-if (empty($this->type))
- {
+ if (empty($this->type)) {
$this->type = 'evaluation';
}
- $sql .= ',\''.$this->type.'\'';
+ $sql .= ',\''.Database::escape_string($this->type).'\'';
$sql .= ", '".api_get_utc_datetime()."'";
$sql .= ")";
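Review bot: `intval($this->get_weight())` and `intval($this->get_max())` on the VALUES line truncate any fractional weight or maximum on insert, while save() later in this file writes the same two fields through Database::escape_string, so a value of 2.5 would be stored as 2 at creation and only become 2.5 after an edit; if the columns are integer this is harmless, but then save() should cast the same way — the two methods should agree. Dropping Security::remove_XSS from name and description moves the responsibility for HTML safety to output escaping, which this diff does not show; that the gradebook views escape those fields at render time is worth confirming. The inserting method starts before this hunk.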
@@ -252,7 +251,8 @@ if (empty($this->type))
$rs=Database::query($sql_eval);
$row_old_weight=Database::fetch_array($rs,'ASSOC');
$current_date=api_get_utc_datetime();
- $sql="INSERT INTO ".$tbl_grade_linkeval_log."(id_linkeval_log,name,description,created_at,weight,visible,type,user_id_log)VALUES('".Database::escape_string($arreval['id'])."','".Database::escape_string($arreval['name'])."','".Database::escape_string($arreval['description'])."','".$current_date."','".Database::escape_string($row_old_weight['weight'])."','".Database::escape_string($arreval['visible'])."','evaluation',".api_get_user_id().")";
+ $sql="INSERT INTO ".$tbl_grade_linkeval_log."(id_linkeval_log,name,description,created_at,weight,visible,type,user_id_log)
+ VALUES('".Database::escape_string($arreval['id'])."','".Database::escape_string($arreval['name'])."','".Database::escape_string($arreval['description'])."','".$current_date."','".Database::escape_string($row_old_weight['weight'])."','".Database::escape_string($arreval['visible'])."','evaluation',".api_get_user_id().")";
Database::query($sql);
}
}
@@ -263,35 +263,34 @@ if (empty($this->type))
public function save() {
$tbl_grade_evaluations = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_EVALUATION);
$sql = 'UPDATE '.$tbl_grade_evaluations
- ." SET name = '".Database::escape_string(Security::remove_XSS($this->get_name()))."'"
+ ." SET name = '".Database::escape_string($this->get_name())."'"
.', description = ';
if (isset($this->description)) {
- $sql .= "'".Database::escape_string(Security::remove_XSS($this->get_description()))."'";
+ $sql .= "'".Database::escape_string($this->get_description())."'";
}else {
$sql .= 'null';
}
- $sql .= ', user_id = '.$this->get_user_id()
+ $sql .= ', user_id = '.intval($this->get_user_id())
.', course_code = ';
if (isset($this->course_code)) {
- $sql .= "'".$this->get_course_code()."'";
+ $sql .= "'".Database::escape_string($this->get_course_code())."'";
} else {
$sql .= 'null';
}
$sql .= ', category_id = ';
if (isset($this->category)) {
- $sql .= $this->get_category_id();
+ $sql .= intval($this->get_category_id());
} else {
$sql .= 'null';
}
- $sql .= ', weight = '.$this->get_weight()
- .', max = '.$this->get_max()
- .', visible = '.$this->is_visible()
- .' WHERE id = '.$this->id;
+ $sql .= ', weight = '.Database::escape_string($this->get_weight())
+ .', max = '.Database::escape_string($this->get_max())
+ .', visible = '.intval($this->is_visible())
+ .' WHERE id = '.intval($this->id);
//recorded history
$eval_log=new Evaluation();
$eval_log->add_evaluation_log($this->id);
Database::query($sql);
-
}
/**
@@ -299,7 +298,7 @@ if (empty($this->type))
*/
public function delete() {
$tbl_grade_evaluations = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_EVALUATION);
- $sql = 'DELETE FROM '.$tbl_grade_evaluations.' WHERE id = '.$this->id;
+ $sql = 'DELETE FROM '.$tbl_grade_evaluations.' WHERE id = '.intval($this->id);
Database::query($sql);
}
@@ -318,7 +317,7 @@ if (empty($this->type))
$tbl_grade_evaluations = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_EVALUATION);
$sql = 'SELECT count(id) AS number'
.' FROM '.$tbl_grade_evaluations
- ." WHERE name = '".$name."'";
+ ." WHERE name = '".Database::escape_string($name)."'";
if (api_is_allowed_to_create_course()) {
$parent = Category::load($parent);
@@ -327,7 +326,7 @@ if (empty($this->type))
$main_course_user_table = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
$sql .= ' AND user_id IN ('
.' SELECT user_id FROM '.$main_course_user_table
- ." WHERE course_code = '".$code."'"
+ ." WHERE course_code = '".Database::escape_string($code)."'"
.' AND status = '.COURSEMANAGER
.')';
} else {
@@ -341,7 +340,7 @@ if (empty($this->type))
if (!isset ($parent)) {
$sql.= ' AND category_id is null';
} else {
- $sql.= ' AND category_id = '.$parent;
+ $sql.= ' AND category_id = '.intval($parent);
}
$result = Database::query($sql);
$number=Database::fetch_row($result);
@@ -355,7 +354,7 @@ if (empty($this->type))
public function has_results() {
$tbl_grade_results = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_RESULT);
$sql='SELECT count(id) AS number FROM '.$tbl_grade_results
- .' WHERE evaluation_id = '.$this->id;
+ .' WHERE evaluation_id = '.intval($this->id);
$result = Database::query($sql);
$number=Database::fetch_row($result);
@@ -367,7 +366,7 @@ if (empty($this->type))
*/
public function delete_results() {
$tbl_grade_results = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_RESULT);
- $sql = 'DELETE FROM '.$tbl_grade_results.' WHERE evaluation_id = '.$this->id;
+ $sql = 'DELETE FROM '.$tbl_grade_results.' WHERE evaluation_id = '.intval($this->id);
Database::query($sql);
}
@@ -496,12 +495,12 @@ if (empty($this->type))
$sql = 'SELECT * FROM '.$tbl_grade_evaluations
.' WHERE id IN'
.'(SELECT evaluation_id FROM '.$tbl_grade_results
- .' WHERE user_id = '.$stud_id.' AND score IS NOT NULL)';
+ .' WHERE user_id = '.intval($stud_id).' AND score IS NOT NULL)';
if (!api_is_allowed_to_create_course()) {
$sql .= ' AND visible = 1';
}
if (isset($cat_id)) {
- $sql .= ' AND category_id = '.$cat_id;
+ $sql .= ' AND category_id = '.intval($cat_id);
} else {
$sql .= ' AND category_id >= 0';
}
@@ -521,11 +520,11 @@ if (empty($this->type))
$tbl_grade_results = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_RESULT);
$sql = 'SELECT user_id,lastname,firstname,username FROM '.$tbl_user
- ." WHERE lastname LIKE '".$first_letter_user."%'"
+ ." WHERE lastname LIKE '".Database::escape_string($first_letter_user)."%'"
.' AND status = '.STUDENT
.' AND user_id NOT IN'
.' (SELECT user_id FROM '.$tbl_grade_results
- .' WHERE evaluation_id = '.$this->id
+ .' WHERE evaluation_id = '.intval($this->id)
.' )'
.' ORDER BY lastname';
diff --git a/main/gradebook/lib/be/forumthreadlink.class.php b/main/gradebook/lib/be/forumthreadlink.class.php
index a003bcf89e..1b49a511f6 100755
--- a/main/gradebook/lib/be/forumthreadlink.class.php
+++ b/main/gradebook/lib/be/forumthreadlink.class.php
@@ -46,7 +46,7 @@ class ForumThreadLink extends AbstractLink
.' forum_thread WHERE thread_id NOT IN'
.' (SELECT ref_id FROM '.$tbl_grade_links
.' WHERE type = '.LINK_FORUM_THREAD
- ." AND course_code = '".$this->get_course_code()."'"
+ ." AND course_code = '".Database::escape_string($this->get_course_code())."'"
.') AND forum_thread.session_id='.api_get_session_id().'';
$result = Database::query($sql);
@@ -112,7 +112,7 @@ class ForumThreadLink extends AbstractLink
$sql = 'SELECT * FROM '.$thread_qualify.' WHERE thread_id = '.$this->get_ref_id();
if (isset($stud_id)){
- $sql .= ' AND user_id = '."'".$stud_id."'";
+ $sql .= ' AND user_id = '."'".intval($stud_id)."'";
}
// order by id, that way the student's first attempt is accessed first
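Review bot: the unchanged `WHERE thread_id = '.$this->get_ref_id()` on the line above the cast keeps an uncast value in the same statement whose `user_id` was just wrapped in intval, and StudentPublicationLink in this commit already casts get_ref_id() with intval, so presumably it is an integer id here too; `$sql = 'SELECT * FROM '.$thread_qualify.' WHERE thread_id = '.intval($this->get_ref_id());` would make the two classes consistent. The same uncast `lp_id = ".$this->get_ref_id()` is left in LearnpathLink's hunk. The enclosing method continues outside the hunk.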
diff --git a/main/gradebook/lib/be/gradebookitem.class.php b/main/gradebook/lib/be/gradebookitem.class.php
index 82b9e6743c..24271ef5cc 100755
--- a/main/gradebook/lib/be/gradebookitem.class.php
+++ b/main/gradebook/lib/be/gradebookitem.class.php
@@ -8,7 +8,6 @@
interface GradebookItem
{
public function get_item_type();
-
public function get_id();
public function get_name();
public function get_description();
@@ -16,9 +15,6 @@ interface GradebookItem
public function get_weight();
public function get_date();
public function is_visible();
-
public function get_icon_name();
-
public function calc_score($stud_id = null);
-
}
diff --git a/main/gradebook/lib/be/learnpathlink.class.php b/main/gradebook/lib/be/learnpathlink.class.php
index 4875f1b409..500cf73ab5 100755
--- a/main/gradebook/lib/be/learnpathlink.class.php
+++ b/main/gradebook/lib/be/learnpathlink.class.php
@@ -108,7 +108,7 @@ class LearnpathLink extends AbstractLink
." WHERE lp_id = ".$this->get_ref_id();
if (isset($stud_id))
- $sql .= ' AND user_id = '.$stud_id;
+ $sql .= ' AND user_id = '.intval($stud_id);
// order by id, that way the student's first attempt is accessed first
$sql .= ' ORDER BY view_count DESC';
diff --git a/main/gradebook/lib/be/studentpublicationlink.class.php b/main/gradebook/lib/be/studentpublicationlink.class.php
index 747f7fb290..1427832113 100755
--- a/main/gradebook/lib/be/studentpublicationlink.class.php
+++ b/main/gradebook/lib/be/studentpublicationlink.class.php
@@ -34,7 +34,7 @@ class StudentPublicationLink extends AbstractLink
.' FROM '.$this->get_itemprop_table().' prop, '
.$this->get_studpub_table().' pub'
." WHERE prop.tool = 'work'"
- .' AND prop.insert_user_id = '.$stud_id
+ .' AND prop.insert_user_id = '.intval($stud_id)
.' AND prop.ref = pub.id'
." AND pub.title = '".Database::escape_string($eval->get_name())."' AND pub.session_id=".api_get_session_id()."";
@@ -80,7 +80,7 @@ class StudentPublicationLink extends AbstractLink
.' pup WHERE has_properties != '."''".' AND id NOT IN'
.' (SELECT ref_id FROM '.$tbl_grade_links
.' WHERE type = '.LINK_STUDENTPUBLICATION
- ." AND course_code = '".$this->get_course_code()."'"
+ ." AND course_code = '".Database::escape_string($this->get_course_code())."'"
.') AND pub.session_id='.api_get_session_id().'';
$result = Database::query($sql);
@@ -118,7 +118,7 @@ class StudentPublicationLink extends AbstractLink
public function has_results() {
$course_info = api_get_course_info($this->course_code);
$tbl_grade_links = Database :: get_course_table(TABLE_STUDENT_PUBLICATION,$course_info['dbName']);
- $sql = 'SELECT count(*) AS number FROM '.$tbl_grade_links." WHERE parent_id = '".$this->get_ref_id()."' AND session_id=".api_get_session_id()."";
+ $sql = 'SELECT count(*) AS number FROM '.$tbl_grade_links." WHERE parent_id = '".intval($this->get_ref_id())."' AND session_id=".api_get_session_id()."";
$result = Database::query($sql);
$number=Database::fetch_row($result);
return ($number[0] != 0);
@@ -132,7 +132,7 @@ class StudentPublicationLink extends AbstractLink
if (is_null($database_name)===true) {
return false;
}
- $sql = 'SELECT * FROM '.$tbl_stats." WHERE id = '".$this->get_ref_id()."' AND session_id=".api_get_session_id()."";
+ $sql = 'SELECT * FROM '.$tbl_stats." WHERE id = '".intval($this->get_ref_id())."' AND session_id=".api_get_session_id()."";
$query = Database::query($sql);
$assignment = Database::fetch_array($query);
@@ -247,7 +247,7 @@ class StudentPublicationLink extends AbstractLink
if ($tbl_name=='') {
return false;
} elseif (!isset($this->exercise_data)) {
- $sql = 'SELECT * FROM '.$this->get_studpub_table()." WHERE id = '".$this->get_ref_id()."' AND session_id=".api_get_session_id()."";
+ $sql = 'SELECT * FROM '.$this->get_studpub_table()." WHERE id = '".intval($this->get_ref_id())."' AND session_id=".api_get_session_id()."";
$query = Database::query($sql);
$this->exercise_data = Database::fetch_array($query);
}
@@ -264,7 +264,7 @@ class StudentPublicationLink extends AbstractLink
public function is_valid_link() {
$sql = 'SELECT count(id) from '.$this->get_studpub_table()
- .' WHERE id = '.$this->get_ref_id().' AND session_id='.api_get_session_id().'';
+ .' WHERE id = '.intval($this->get_ref_id()).' AND session_id='.api_get_session_id().'';
$result = Database::query($sql);
$number=Database::fetch_row($result);
return ($number[0] != 0);
diff --git a/main/gradebook/lib/fe/gradebooktable.class.php b/main/gradebook/lib/fe/gradebooktable.class.php
index 71bc5c7d6e..450b80aeeb 100755
--- a/main/gradebook/lib/fe/gradebooktable.class.php
+++ b/main/gradebook/lib/fe/gradebooktable.class.php
@@ -117,6 +117,7 @@ class GradebookTable extends SortableTable
$course_code=api_get_course_id();
$status_user=api_get_status_of_user_in_course ($user_id,$course_code);
$data_array = $this->datagen->get_data($sorting, $from, $this->per_page);
+
// generate the data to display
$sortable_data = array();
$weight_total_links = 0;
@@ -197,9 +198,8 @@ class GradebookTable extends SortableTable
'.$scoretotal_display;
//register gradebook certificate
- $current_user_id=api_get_user_id();
- $date_certificate=date('Y-m-d H:i:s',time());
- register_user_info_about_certificate($id,$current_user_id,$my_score_in_gradebook,$date_certificate);
+ $current_user_id=api_get_user_id();
+ register_user_info_about_certificate($id,$current_user_id,$my_score_in_gradebook,api_get_utc_datetime());
} else {
$certificates = '-';
@@ -209,15 +209,14 @@ class GradebookTable extends SortableTable
if ($get_date=='' || is_null($get_date)) {
$row[4]='-';
} else {
- $row[4] = date('d/m/y H:i:s',strtotime($get_date));
+ $row[4] = api_convert_and_format_date($get_date);
}
$row[] = $certificates;
- } elseif ($_GET['selectcat'] == 1) {
+ } else {
if (isset($certificate_min_score) && (int)$item_value >= (int)$certificate_min_score) {
//register gradebook certificate
$current_user_id=api_get_user_id();
- $date_certificate=date('Y-m-d H:i:s',time());
- register_user_info_about_certificate($id,$current_user_id,$my_score_in_gradebook,$date_certificate);
+ register_user_info_about_certificate($_GET['selectcat'],$current_user_id,$my_score_in_gradebook,api_get_utc_datetime());
}
}
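Review bot: the call in the new `else` branch passes `$_GET['selectcat']` raw, whereas the sibling branch above passes `$id`, and because the old `elseif ($_GET['selectcat'] == 1)` guard is gone the key may not be set at all, giving an undefined-index notice and a null category id; the insert that appears to back register_user_info_about_certificate casts with intval, so the certificate would then be recorded against cat_id 0 rather than rejected. The file already uses the isset+intval pattern a few lines below, so reuse it: `$cat_id = isset($_GET['selectcat']) ? intval($_GET['selectcat']) : 0;`, `if ($cat_id > 0 && isset($certificate_min_score) && (int)$item_value >= (int)$certificate_min_score) {`, `register_user_info_about_certificate($cat_id,$current_user_id,$my_score_in_gradebook,api_get_utc_datetime());`. Whether `$id` was intentionally replaced here is not clear from the hunk; the enclosing method starts and ends outside it.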
@@ -227,8 +226,7 @@ class GradebookTable extends SortableTable
// warning messages
- if (api_is_allowed_to_edit()) {
-
+ if (api_is_allowed_to_edit()) {
if (isset($_GET['selectcat']) && $_GET['selectcat'] > 0 && $_GET['view'] <> 'presence') {
$id_cat = intval($_GET['selectcat']);
$category = Category :: load($id_cat);
diff --git a/main/gradebook/lib/flatview_data_generator.class.php b/main/gradebook/lib/flatview_data_generator.class.php
index 44288891fe..5188606cab 100755
--- a/main/gradebook/lib/flatview_data_generator.class.php
+++ b/main/gradebook/lib/flatview_data_generator.class.php
@@ -3,7 +3,7 @@
/**
* Class to select, sort and transform object data into array data,
* used for the teacher's flat view
- * @author Bert Stepp�
+ * @author Bert Steppé
*/
class FlatViewDataGenerator
{
diff --git a/main/gradebook/lib/gradebook_data_generator.class.php b/main/gradebook/lib/gradebook_data_generator.class.php
index bc02bbb7d8..bbaa38c6e4 100755
--- a/main/gradebook/lib/gradebook_data_generator.class.php
+++ b/main/gradebook/lib/gradebook_data_generator.class.php
@@ -3,7 +3,7 @@
/**
* Class to select, sort and transform object data into array data,
* used for the general gradebook view
- * @author Bert Stepp�
+ * @author Bert Steppé
*/
class GradebookDataGenerator
{
diff --git a/main/gradebook/lib/gradebook_functions.inc.php b/main/gradebook/lib/gradebook_functions.inc.php
index cd638067d3..dbcd5a1048 100755
--- a/main/gradebook/lib/gradebook_functions.inc.php
+++ b/main/gradebook/lib/gradebook_functions.inc.php
@@ -417,7 +417,7 @@ function parse_xml_data($file) {
$rs_exist=Database::query($sql_exist,__FILE__,__LINE__);
$row=Database::fetch_array($rs_exist);
if ($row['count']==0) {
- $sql='INSERT INTO '.$table_certificate.' (cat_id,user_id,score_certificate,date_certificate)
+ $sql='INSERT INTO '.$table_certificate.' (cat_id,user_id,score_certificate,created_at)
VALUES("'.intval($cat_id).'","'.intval($user_id).'","'.Database::escape_string($score_certificate).'","'.Database::escape_string($date_certificate).'")';
$rs=Database::query($sql,__FILE__,__LINE__);
}
@@ -431,10 +431,10 @@ function parse_xml_data($file) {
*/
function get_certificate_date_by_user_id ($cat_id,$user_id) {
$table_certificate = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CERTIFICATE);
- $sql_get_date='SELECT date_certificate FROM '.$table_certificate.' WHERE cat_id="'.intval($cat_id).'" AND user_id="'.intval($user_id).'"';
+ $sql_get_date='SELECT created_at FROM '.$table_certificate.' WHERE cat_id="'.intval($cat_id).'" AND user_id="'.intval($user_id).'"';
$rs_get_date=Database::query($sql_get_date,__FILE__,__LINE__);
$row_get_date=Database::fetch_array($rs_get_date,'ASSOC');
- return $row_get_date['date_certificate'];
+ return $row_get_date['created_at'];
}
/**
@@ -450,7 +450,7 @@ function parse_xml_data($file) {
if (!is_null($cat_id) && $cat_id>0) {
$sql.=' WHERE cat_id='.Database::escape_string($cat_id);
}
- $sql.=' ORDER BY u.firstname';
+ $sql.=' ORDER BY u.firstname';
$rs=Database::query($sql,__FILE__,__LINE__);
$list_users=array();
while ($row=Database::fetch_array($rs)) {
@@ -467,11 +467,12 @@ function parse_xml_data($file) {
*/
function get_list_gradebook_certificates_by_user_id ($user_id,$cat_id=null) {
$table_certificate = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CERTIFICATE);
- $sql='SELECT gc.score_certificate,gc.date_certificate,gc.path_certificate,gc.cat_id,gc.user_id FROM '.$table_certificate.' gc
+ $sql='SELECT gc.score_certificate,gc.created_at,gc.path_certificate,gc.cat_id,gc.user_id FROM '.$table_certificate.' gc
WHERE gc.user_id="'.Database::escape_string($user_id).'" ';
if (!is_null($cat_id) && $cat_id>0) {
$sql.=' AND cat_id='.Database::escape_string($cat_id);
}
+
$rs = Database::query($sql,__FILE__,__LINE__);
$list_certificate=array();
while ($row=Database::fetch_array($rs)) {
diff --git a/main/gradebook/lib/gradebook_functions_users.inc.php b/main/gradebook/lib/gradebook_functions_users.inc.php
index 09b961fd26..c937b689b9 100755
--- a/main/gradebook/lib/gradebook_functions_users.inc.php
+++ b/main/gradebook/lib/gradebook_functions_users.inc.php
@@ -2,20 +2,22 @@
/* For licensing terms, see /license.txt */
/**
* Various user related functions
- * @package dokeos.gradebook
+ * @author Julio Montoya adding security functions
+ * @package chamilo.gradebook
*/
/**
* returns users within a course given by param
* @param $course_id
*/
function get_users_in_course($course_id) {
- $tbl_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
- $tbl_session_course_user = Database :: get_main_table(TABLE_MAIN_SESSION_COURSE_USER);
- $tbl_user = Database :: get_main_table(TABLE_MAIN_USER);
+ $tbl_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
+ $tbl_session_course_user = Database :: get_main_table(TABLE_MAIN_SESSION_COURSE_USER);
+ $tbl_user = Database :: get_main_table(TABLE_MAIN_USER);
$order_clause = api_sort_by_first_name() ? ' ORDER BY firstname, lastname ASC' : ' ORDER BY lastname, firstname ASC';
$current_session = api_get_session_id();
+ $course_id = Databse::escape_string($course_id);
if (!empty($current_session)) {
$sql = "SELECT user.user_id,lastname,firstname
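Review bot: `Databse::escape_string($course_id)` on the added line is a typo for `Database`, so every call to get_users_in_course() would stop with an undefined-class fatal error as soon as this line runs; it should read `$course_id = Database::escape_string($course_id);`. The escape is otherwise the right fix, since `$course_id` is interpolated inside quotes in the course_code comparison that follows. The function body continues past this hunk into the next one.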
@@ -31,9 +33,6 @@ function get_users_in_course($course_id) {
." AND course_rel_user.course_code='".$course_id."'"
.$order_clause;
}
-
-
-
$result = Database::query($sql);
return get_user_array_from_sql_result($result);
}
@@ -71,7 +70,7 @@ function get_all_users ($evals = array(), $links = array()) {
$sql = 'SELECT user.user_id,lastname,firstname'
.' FROM '.$tbl_res.' as res, '.$tbl_user.' as user'
- .' WHERE res.evaluation_id = '.$eval->get_id()
+ .' WHERE res.evaluation_id = '.intval($eval->get_id())
.' AND res.user_id = user.user_id';
$result = Database::query($sql);
$users = array_merge($users,get_user_array_from_sql_result($result));
@@ -99,6 +98,8 @@ function find_students($mask= '') {
if (!api_is_allowed_to_create_course() || empty ($mask)) {
return null;
}
+ $mask = Database::escape_string($mask);
+
$tbl_user= Database :: get_main_table(TABLE_MAIN_USER);
$tbl_cru= Database :: get_main_table(TABLE_MAIN_COURSE_USER);
$sql= 'SELECT DISTINCT user.user_id, user.lastname, user.firstname, user.email' . ' FROM ' . $tbl_user . ' user';
@@ -126,7 +127,7 @@ function find_students($mask= '') {
*/
function get_user_info_from_id($userid) {
$user_table= Database :: get_main_table(TABLE_MAIN_USER);
- $sql= 'SELECT * FROM ' . $user_table . ' WHERE user_id=' . $userid;
+ $sql= 'SELECT * FROM ' . $user_table . ' WHERE user_id=' . intval($userid);
$res= Database::query($sql);
$user= Database::fetch_array($res,ASSOC);
return $user;
diff --git a/main/gradebook/lib/user_data_generator.class.php b/main/gradebook/lib/user_data_generator.class.php
index 430a35634d..5b0f5179bf 100755
--- a/main/gradebook/lib/user_data_generator.class.php
+++ b/main/gradebook/lib/user_data_generator.class.php
@@ -3,7 +3,7 @@
/**
* Class to select, sort and transform object data into array data,
* used for a student's general view
- * @author Bert Stepp�
+ * @author Bert Steppé
*/
class UserDataGenerator
{
diff --git a/main/inc/introductionSection.inc.php b/main/inc/introductionSection.inc.php
index 331d7a347f..d7bd580fe0 100755
--- a/main/inc/introductionSection.inc.php
+++ b/main/inc/introductionSection.inc.php
@@ -32,7 +32,6 @@ $TBL_INTRODUCTION = Database::get_course_table(TABLE_TOOL_INTRO);
$intro_editAllowed = $is_allowed_to_edit;
$session_id = api_get_session_id();
-
global $charset;
$intro_cmdEdit = empty($_GET['intro_cmdEdit']) ? '' : $_GET['intro_cmdEdit'];
$intro_cmdUpdate = isset($_POST['intro_cmdUpdate']);
@@ -85,17 +84,15 @@ $form->addElement('style_submit_button', 'intro_cmdUpdate', get_lang('SaveIntroT
/* INTRODUCTION MICRO MODULE - COMMANDS SECTION (IF ALLOWED) */
if ($intro_editAllowed) {
-
+ $moduleId = Database::escape_string($moduleId);
+
/* Replace command */
-
if ($intro_cmdUpdate) {
if ($form->validate()) {
-
$form_values = $form->exportValues();
- $intro_content = Security::remove_XSS(stripslashes(api_html_entity_decode($form_values['intro_content'])), COURSEMANAGERLOWSECURITY);
+ $intro_content = Security::remove_XSS(stripslashes(api_html_entity_decode($form_values['intro_content'])), COURSEMANAGERLOWSECURITY);
if (!empty($intro_content)) {
- $sql = "REPLACE $TBL_INTRODUCTION SET id='$moduleId',intro_text='".Database::escape_string($intro_content)."', session_id='".$session_id."'";
-
+ $sql = "REPLACE $TBL_INTRODUCTION SET id='$moduleId',intro_text='".Database::escape_string($intro_content)."', session_id='".intval($session_id)."'";
Database::query($sql);
Display::display_confirmation_message(get_lang('IntroductionTextUpdated'), false);
} else {
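Review bot: `$moduleId = Database::escape_string($moduleId);` inside `if ($intro_editAllowed)` combines with the second `Database::escape_string($moduleId)` added to the SELECT further down, so for an editor the id is escaped twice before the read while the REPLACE and DELETE use it escaped once; for ordinary tool identifiers without quotes or backslashes this is invisible, but any id containing one would be saved under one value and looked up under another. Escaping once before the `if` and using the plain variable in the SELECT keeps the three statements consistent: move the assignment above `if ($intro_editAllowed) {` and change the read to `$sql = "SELECT intro_text FROM $TBL_INTRODUCTION WHERE id='".$moduleId."' AND session_id='".intval($session_id)."'";`. Reassigning `$moduleId` in place with an SQL-escaped value also matters if the variable is reused in a non-SQL context later in the script, which this hunk does not show.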
@@ -107,9 +104,8 @@ if ($intro_editAllowed) {
}
/* Delete Command */
-
if ($intro_cmdDel) {
- Database::query("DELETE FROM $TBL_INTRODUCTION WHERE id='".$moduleId."' AND session_id='".$session_id."'");
+ Database::query("DELETE FROM $TBL_INTRODUCTION WHERE id='".$moduleId."' AND session_id='".intval($session_id)."'");
Display::display_confirmation_message(get_lang('IntroductionTextDeleted'));
}
}
@@ -119,7 +115,7 @@ if ($intro_editAllowed) {
/* Retrieves the module introduction text, if exist */
-$sql = "SELECT intro_text FROM $TBL_INTRODUCTION WHERE id='".$moduleId."' AND session_id='".$session_id."'";
+$sql = "SELECT intro_text FROM $TBL_INTRODUCTION WHERE id='".Database::escape_string($moduleId)."' AND session_id='".intval($session_id)."'";
$intro_dbQuery = Database::query($sql);
$intro_dbResult = Database::fetch_array($intro_dbQuery);
$intro_content = $intro_dbResult['intro_text'];
@@ -222,7 +218,5 @@ if ($intro_dispCommand) {
}
echo '';
-
echo $thematic_description_html;
-
-echo '';
+echo '';
\ No newline at end of file