From 209d4f1dc9f75e0d4c0e4b51aa4f78c4b6a7373c Mon Sep 17 00:00:00 2001
From: Angel Fernando Quiroz Campos <angelfqc.18@gmail.com>
Date: Tue, 18 Jul 2023 13:19:40 -0500
Subject: [PATCH 1/3] Internal: Mark function as deprecated

---
 main/inc/lib/sessionmanager.lib.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/main/inc/lib/sessionmanager.lib.php b/main/inc/lib/sessionmanager.lib.php
index aab4797829..4dd3f7c180 100755
--- a/main/inc/lib/sessionmanager.lib.php
+++ b/main/inc/lib/sessionmanager.lib.php
@@ -6701,6 +6701,8 @@ class SessionManager
      * @param int $courseId
      *
      * @return bool
+     *
+     * @deprecated
      */
     public static function installCourse($sessionId, $courseId)
     {

From 43dedbc7c84f124d7b6d256a94075ab9aa85decc Mon Sep 17 00:00:00 2001
From: Angel Fernando Quiroz Campos <angelfqc.18@gmail.com>
Date: Tue, 18 Jul 2023 13:29:15 -0500
Subject: [PATCH 2/3] Internal: Format code +  add undefined variables + code
 readability

---
 main/session/session_import.php | 36 ++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/main/session/session_import.php b/main/session/session_import.php
index 18e769b75c..ff3a39a2e9 100644
--- a/main/session/session_import.php
+++ b/main/session/session_import.php
@@ -32,16 +32,17 @@ set_time_limit(0);
 $purification_option_for_usernames = false;
 $inserted_in_course = [];
 
+$error_message = '';
+
 $warn = null;
 if (isset($_POST['formSent']) && $_POST['formSent']) {
-    if (isset($_FILES['import_file']['tmp_name']) &&
-        !empty($_FILES['import_file']['tmp_name'])
+    if (!empty($_FILES['import_file']['tmp_name'])
     ) {
         $form_sent = $_POST['formSent'];
-        $file_type = isset($_POST['file_type']) ? $_POST['file_type'] : null;
+        $file_type = $_POST['file_type'] ?? null;
         $send_mail = isset($_POST['sendMail']) && $_POST['sendMail'] ? 1 : 0;
-        $isOverwrite = isset($_POST['overwrite']) && $_POST['overwrite'] ? true : false;
-        $deleteUsersNotInList = isset($_POST['delete_users_not_in_list']) ? true : false;
+        $isOverwrite = isset($_POST['overwrite']) && $_POST['overwrite'];
+        $deleteUsersNotInList = isset($_POST['delete_users_not_in_list']);
         $sessions = [];
         $session_counter = 0;
 
@@ -168,7 +169,7 @@ if (isset($_POST['formSent']) && $_POST['formSent']) {
 
                         // Looking up for the teacher.
                         $username = trim(api_utf8_decode($courseNode->CourseTeacher));
-                        $sql = "SELECT user_id, lastname, firstname FROM $tbl_user WHERE username='$username'";
+                        $sql = "SELECT user_id, lastname, firstname FROM $tbl_user WHERE username = '$username'";
                         $rs = Database::query($sql);
                         list($user_id, $lastname, $firstname) = Database::fetch_array($rs);
 
@@ -364,13 +365,13 @@ if (isset($_POST['formSent']) && $_POST['formSent']) {
                                     $coach_id = UserManager::get_user_id_from_username($course_coach);
                                     if ($coach_id !== false) {
                                         $sql = "INSERT IGNORE INTO $tbl_session_course_user SET
-                                                user_id='$coach_id',
+                                                user_id = '$coach_id',
                                                 c_id = '$courseId',
                                                 session_id = '$session_id',
                                                 status = 2 ";
                                         $rs_coachs = Database::query($sql);
                                     } else {
-                                        $error_message .= get_lang('UserDoesNotExist').' : '.$user.'<br />';
+                                        $error_message .= get_lang('UserDoesNotExist').' : '.$course_coach.'<br />';
                                     }
                                 }
 
@@ -415,8 +416,8 @@ if (isset($_POST['formSent']) && $_POST['formSent']) {
             }
         } else {
             // CSV
-            $updateCourseCoaches = isset($_POST['update_course_coaches']) ? true : false;
-            $addOriginalCourseTeachersAsCourseSessionCoaches = isset($_POST['add_me_as_coach']) ? true : false;
+            $updateCourseCoaches = isset($_POST['update_course_coaches']);
+            $addOriginalCourseTeachersAsCourseSessionCoaches = isset($_POST['add_me_as_coach']);
 
             $result = SessionManager::importCSV(
                 $_FILES['import_file']['tmp_name'],
@@ -444,7 +445,7 @@ if (isset($_POST['formSent']) && $_POST['formSent']) {
             $error_message = get_lang('ButProblemsOccured').' :<br />'.$error_message;
         }
 
-        if (count($inserted_in_course) > 1) {
+        if (!empty($inserted_in_course)) {
             $warn = get_lang('SeveralCoursesSubscribedToSessionBecauseOfSameVisualCode').': ';
             foreach ($inserted_in_course as $code => $title) {
                 $warn .= ' '.$title.' ('.$code.'),';
@@ -457,12 +458,11 @@ if (isset($_POST['formSent']) && $_POST['formSent']) {
             }
             Display::addFlash(Display::return_message($warn));
             header('Location: resume_session.php?id_session='.$session_id);
-            exit;
         } else {
             Display::addFlash(Display::return_message(get_lang('FileImported').' '.$error_message, 'normal', false));
             header('Location: session_list.php');
-            exit;
         }
+        exit;
     } else {
         $error_message = get_lang('NoInputFile');
     }
@@ -471,7 +471,7 @@ if (isset($_POST['formSent']) && $_POST['formSent']) {
 // Display the header.
 Display::display_header($tool_name);
 
-if (count($inserted_in_course) > 1) {
+if (!empty($inserted_in_course)) {
     $msg = get_lang('SeveralCoursesSubscribedToSessionBecauseOfSameVisualCode').': ';
     foreach ($inserted_in_course as $code => $title) {
         $msg .= ' '.$title.' ('.$title.'),';
@@ -546,15 +546,15 @@ Display::return_message(get_lang('TheXMLImportLetYouAddMoreInfoAndCreateResource
 $form->display();
 
 ?>
-<p><?php echo get_lang('CSVMustLookLike').' ('.get_lang('MandatoryFields').')'; ?> :</p>
-<pre>
+    <p><?php echo get_lang('CSVMustLookLike').' ('.get_lang('MandatoryFields').')'; ?> :</p>
+    <pre>
 <strong>SessionName</strong>;Coach;<strong>DateStart</strong>;<strong>DateEnd</strong>;Users;Courses;VisibilityAfterExpiration;DisplayStartDate;DisplayEndDate;CoachStartDate;CoachEndDate;Classes
 <strong>Example 1</strong>;username;<strong>yyyy/mm/dd;yyyy/mm/dd</strong>;username1|username2;course1[coach1][username1,...]|course2[coach1][username1,...];read_only;yyyy/mm/dd;yyyy/mm/dd;yyyy/mm/dd;yyyy/mm/dd;class1|class2
 <strong>Example 2</strong>;username;<strong>yyyy/mm/dd;yyyy/mm/dd</strong>;username1|username2;course1[coach1][username1,...]|course2[coach1][username1,...];accessible;yyyy/mm/dd;yyyy/mm/dd;yyyy/mm/dd;yyyy/mm/dd;class3|class4
 <strong>Example 3</strong>;username;<strong>yyyy/mm/dd;yyyy/mm/dd</strong>;username1|username2;course1[coach1][username1,...]|course2[coach1][username1,...];not_accessible;yyyy/mm/dd;yyyy/mm/dd;yyyy/mm/dd;yyyy/mm/dd;class5|class6
 </pre>
-<p><?php echo get_lang('XMLMustLookLike').' ('.get_lang('MandatoryFields').')'; ?> :</p>
-<pre>
+    <p><?php echo get_lang('XMLMustLookLike').' ('.get_lang('MandatoryFields').')'; ?> :</p>
+    <pre>
 &lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
 &lt;Sessions&gt;
     &lt;Users&gt;

From 258eb11aee0b04dbbeac99792d9e2b639d0835de Mon Sep 17 00:00:00 2001
From: Angel Fernando Quiroz Campos <angelfqc.18@gmail.com>
Date: Tue, 18 Jul 2023 13:55:27 -0500
Subject: [PATCH 3/3] Security: Session: Avoid SQL when importing session

---
 main/session/session_import.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/main/session/session_import.php b/main/session/session_import.php
index ff3a39a2e9..e023ccb2cb 100644
--- a/main/session/session_import.php
+++ b/main/session/session_import.php
@@ -169,9 +169,14 @@ if (isset($_POST['formSent']) && $_POST['formSent']) {
 
                         // Looking up for the teacher.
                         $username = trim(api_utf8_decode($courseNode->CourseTeacher));
-                        $sql = "SELECT user_id, lastname, firstname FROM $tbl_user WHERE username = '$username'";
-                        $rs = Database::query($sql);
-                        list($user_id, $lastname, $firstname) = Database::fetch_array($rs);
+                        $rs = Database::select(
+                            ['user_id', 'lastname', 'firstname'],
+                            $tbl_user,
+                            ['where' => ['username = ?' => $username]],
+                            'first',
+                            'NUM'
+                        );
+                        list($user_id, $lastname, $firstname) = $rs;
 
                         $params['teachers'] = $user_id;
                         CourseManager::create_course($params);