Security issues: Adding database::escape_string function (avoiding SQL injection) see #3601

14 years ago · 1e549334c6
parent b056dd4a47
commit 1e549334c6
3 changed files with 17 additions and 17 deletions
--- a/main/gradebook/gradebook_edit_all.php
+++ b/main/gradebook/gradebook_edit_all.php
@ -41,22 +41,20 @@ if (!isset($_GET['exportpdf']) and !isset($_GET['export_certificate'])) {
 	} else {
 		$interbreadcrumb[] = array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat=1', 'name' => get_lang('Gradebook'));
 		$interbreadcrumb[] = array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?&selectcat='.Security::remove_XSS($_GET['selectcat']),'name' => get_lang('EditAllWeights'));
-
 		Display :: display_header('');
-
 	}
 }



-$table_link = Database::get_main_table(TABLE_MAIN_GRADEBOOK_LINK);
-$table_evaluation = Database::get_main_table(TABLE_MAIN_GRADEBOOK_EVALUATION);
+$table_link           = Database::get_main_table(TABLE_MAIN_GRADEBOOK_LINK);
+$table_evaluation     = Database::get_main_table(TABLE_MAIN_GRADEBOOK_EVALUATION);
 //$table_forum_thread=Database::get_course_table(TABLE_FORUM_THREAD);

 $my_db_name=get_database_name_by_link_id($my_selectcat);
-$tbl_forum_thread = Database :: get_course_table(TABLE_FORUM_THREAD,$my_db_name);
-$tbl_work = Database :: get_course_table(TABLE_STUDENT_PUBLICATION,$my_db_name);
-$tbl_attendance = Database :: get_course_table(TABLE_ATTENDANCE,$my_db_name);
+$tbl_forum_thread     = Database :: get_course_table(TABLE_FORUM_THREAD,$my_db_name);
+$tbl_work             = Database :: get_course_table(TABLE_STUDENT_PUBLICATION,$my_db_name);
+$tbl_attendance       = Database :: get_course_table(TABLE_ATTENDANCE,$my_db_name);
 /*
 if($_SERVER['REQUEST_METHOD']=='POST'):
 	foreach($_POST['link'] as $key => $value){
@ -106,7 +104,7 @@ $result = Database::query($sql);
 		if(isset($_POST['link'][$row['id']]) && $_POST['link'][$row['id']] != $row['weight']) {

 			AbstractLink::add_link_log($row['id']);
-			Database::query('UPDATE '.$table_link.' SET weight = '."'".trim($_POST['link'][$row['id']])."'".' WHERE id = '.$row['id']);
+			Database::query('UPDATE '.$table_link.' SET weight = '."'".Database::escape_string(trim($_POST['link'][$row['id']]))."'".' WHERE id = '.$row['id']);
 			$row['weight'] = trim($_POST['link'][$row['id']]);

 			//Update weight for attendance
@ -121,7 +119,7 @@ $result = Database::query($sql);
 			$sql_t='UPDATE '.$tbl_forum_thread.' SET thread_weight='.floatval($_POST['link'][$row['id']]).' WHERE thread_id= (SELECT ref_id FROM '.$table_link.' WHERE id='.intval($row['id']).' AND type='.LINK_FORUM_THREAD.');';
 			Database::query($sql_t);
 			//Update weight into student publication(work)
-			$sql_t='UPDATE '.$tbl_work.' SET weight='.floatval($_POST['link'][$row['id']]).' WHERE id= (SELECT ref_id FROM '.$table_link.' WHERE id='.intval($row['id']).' AND type = '.LINK_STUDENTPUBLICATION.');';
+			$sql_t='UPDATE '.$tbl_work.' SET weight='.floatval($_POST['link'][$row['id']]).' WHERE id = (SELECT ref_id FROM '.$table_link.' WHERE id='.intval($row['id']).' AND type = '.LINK_STUDENTPUBLICATION.');';
 			Database::query($sql_t);
 		}

@ -142,7 +140,7 @@ $result = Database::query($sql);
 		//update only if value changed
 		if(isset($_POST['evaluation'][$row['id']]) && $_POST['evaluation'][$row['id']] != $row['weight']) {
 			Evaluation::add_evaluation_log($row['id']);
-			Database::query('UPDATE '.$table_evaluation.' SET weight = '."'".trim($_POST['evaluation'][$row['id']])."'".' WHERE id = '.$row['id']);
+			Database::query('UPDATE '.$table_evaluation.' SET weight = '."'".Database::escape_string(trim($_POST['evaluation'][$row['id']]))."'".' WHERE id = '.$row['id']);
 			$row['weight'] = trim($_POST['evaluation'][$row['id']]);
 		}
 	$type_evaluated = isset($row['type']) ? $table_evaluated[$type_evaluated][3] : null;
--- a/main/messages/download.php
+++ b/main/messages/download.php
@ -33,18 +33,19 @@ $file_url = str_replace('/..', '', $file_url); //echo $doc_url;
 $tbl_messsage = Database::get_main_table(TABLE_MESSAGE);
 $tbl_messsage_attachment = Database::get_main_table(TABLE_MESSAGE_ATTACHMENT);

-$sql= "SELECT filename,message_id FROM $tbl_messsage_attachment WHERE path LIKE BINARY '$file_url'";
+$file_url = Database::escape_string($file_url);
+$sql= "SELECT filename, message_id FROM $tbl_messsage_attachment WHERE path LIKE BINARY '$file_url'";

-$result= Database::query($sql);
-$row= Database::fetch_array($result, 'ASSOC');
-$title = str_replace(' ','_', $row['filename']);
+$result     = Database::query($sql);
+$row        = Database::fetch_array($result, 'ASSOC');
+$title      = str_replace(' ','_', $row['filename']);
 $message_id = $row['message_id'];

 // allow download only for user sender and user receiver
 $sql = "SELECT user_sender_id, user_receiver_id, group_id FROM $tbl_messsage WHERE id = '$message_id'";
-$rs= Database::query($sql);
-$row_users= Database::fetch_array($rs, 'ASSOC');
-$current_uid = api_get_user_id();
+$rs           = Database::query($sql);
+$row_users    = Database::fetch_array($rs, 'ASSOC');
+$current_uid  = api_get_user_id();

 // get message user id for inbox/outbox
 $message_uid = '';
--- a/main/work/download.php
+++ b/main/work/download.php
@ -42,6 +42,7 @@ $tbl_student_publication = Database::get_course_table(TABLE_STUDENT_PUBLICATION)
 // launch event
 event_download($doc_url);

+$doc_url = Database::escape_string($doc_url);
 $sql = 'SELECT title FROM '.$tbl_student_publication.'WHERE url LIKE BINARY "'.$doc_url.'"';

 $result = Database::query($sql);