diff --git a/main/admin/dashboard_add_courses_to_user.php b/main/admin/dashboard_add_courses_to_user.php
index 2629de17ac..0bd50f4f1a 100755
--- a/main/admin/dashboard_add_courses_to_user.php
+++ b/main/admin/dashboard_add_courses_to_user.php
@@ -59,16 +59,17 @@ if (!api_is_platform_admin()) {
 api_not_allowed(true);
 }
-function search_courses($needle,$type)
+function search_courses($needle, $type)
 {
- global $_configuration, $tbl_course, $tbl_course_rel_user, $tbl_course_rel_access_url,$user_id;
+ global $_configuration, $tbl_course, $tbl_course_rel_access_url,$user_id;
 $xajax_response = new XajaxResponse();
 $return = '';
- if(!empty($needle) && !empty($type)) {
+ if (!empty($needle) && !empty($type)) {
 // xajax send utf8 datas... datas in db can be non-utf8 datas
 $charset = api_get_system_encoding();
 $needle = api_convert_encoding($needle, $charset, 'utf-8');
+ $needle = Database::escape_string($needle);
 $assigned_courses_to_hrm = CourseManager::get_courses_followed_by_drh($user_id);
 $assigned_courses_code = array_keys($assigned_courses_to_hrm);
@@ -190,9 +191,10 @@ if (count($assigned_courses_code) > 0) {
 }
 $needle = '%';
+$firstLetter = null;
 if (isset($_POST['firstLetterCourse'])) {
- $needle = Database::escape_string($_POST['firstLetterCourse']);
- $needle = "$needle%";
+ $firstLetter = $_POST['firstLetterCourse'];
+ $needle = Database::escape_string($firstLetter.'%');
 }
 if (api_is_multiple_url_enabled()) {
@@ -249,7 +251,7 @@ if(!empty($msg)) {
diff --git a/main/admin/dashboard_add_sessions_to_user.php b/main/admin/dashboard_add_sessions_to_user.php
index 296c6dfea3..0bae98dffa 100755
--- a/main/admin/dashboard_add_sessions_to_user.php
+++ b/main/admin/dashboard_add_sessions_to_user.php
@@ -59,7 +59,7 @@ if (!api_is_platform_admin() && !api_is_session_admin()) {
 api_not_allowed(true);
 }
-function search_sessions($needle,$type)
+function search_sessions($needle, $type)
 {
 global $_configuration, $tbl_session_rel_access_url, $tbl_session, $user_id;
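Review bot: The added `$needle = Database::escape_string($needle);` in search_courses makes the value safe as a SQL string literal but not as a LIKE pattern: `%` and `_` typed by the user still act as wildcards, and the `$needle = '%'` default further down this file suggests the value does end up in a LIKE clause (the query itself is outside this hunk, so that is inferred). If every use is a LIKE, neutralise the metacharacters before the literal escape, e.g. `$needle = Database::escape_string(addcslashes($needle, '%_'));`, so the backslash reaches the pattern intact. Placing the escape after `api_convert_encoding` is the right order, since the escape must see the bytes that will actually reach the connection. The identical line added in the sessions file hunk `@@ -69,6 +69,7 @@` has the same property and the same LIKE caveat. The body of search_courses continues past the end of this hunk.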
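Review bot: `$firstLetter` now retains the raw `$_POST['firstLetterCourse']` value beyond the SQL escape, and nothing in the hunk at `@@ -190,9 +191,10 @@` limits it to one character, so a `%` or `_` sent as the "letter" widens the LIKE pattern and a longer string changes the search shape (the query and any later use of `$firstLetter` are outside the hunk, so this is inferred). If the filter is meant to be a single letter, truncate at the boundary, e.g. `$firstLetter = mb_substr($_POST['firstLetterCourse'], 0, 1);`, and wherever `$firstLetter` is written into HTML pass it through `htmlspecialchars` first. The sessions file hunk `@@ -192,8 +194,7 @@` builds `$firstLetterSession.'%'` the same way and would benefit from the same check; its `!empty()` guard also silently drops a literal `'0'` first letter where this file's `isset()` does not, so the two pages could agree on one guard.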
@@ -69,6 +69,7 @@ function search_sessions($needle,$type)
 // xajax send utf8 datas... datas in db can be non-utf8 datas
 $charset = api_get_system_encoding();
 $needle = api_convert_encoding($needle, $charset, 'utf-8');
+ $needle = Database::escape_string($needle);
 $assigned_sessions_to_hrm = SessionManager::get_sessions_followed_by_drh($user_id);
 $assigned_sessions_id = array_keys($assigned_sessions_to_hrm);
@@ -93,6 +94,7 @@ function search_sessions($needle,$type)
 $return .= '';
 $xajax_response->addAssign('ajax_list_sessions_multiple','innerHTML',api_utf8_encode($return));
 }
+ return $xajax_response;
 }
@@ -192,8 +194,7 @@ if (count($assigned_sessions_id) > 0) {
 $needle = '%';
 if (!empty($firstLetterSession)) {
- $needle = Database::escape_string($firstLetterSession);
- $needle = "$needle%";
+ $needle = Database::escape_string($firstLetterSession.'%');
 }
 if (api_is_multiple_url_enabled()) {
@@ -222,7 +223,8 @@ $result = Database::query($sql);