Security issues: Adding database::escape_string function (avoiding SQL injection) see #3601

14 years ago · 1e549334c6
parent b056dd4a47
commit 1e549334c6
3 changed files with 17 additions and 17 deletions
--- a/main/gradebook/gradebook_edit_all.php
+++ b/main/gradebook/gradebook_edit_all.php
@ -41,9 +41,7 @@ if (!isset($_GET['exportpdf']) and !isset($_GET['export_certificate'])) {
 	} else {
 		$interbreadcrumb[] = array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat=1', 'name' => get_lang('Gradebook'));
 		$interbreadcrumb[] = array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?&selectcat='.Security::remove_XSS($_GET['selectcat']),'name' => get_lang('EditAllWeights'));
-
 		Display :: display_header('');
-
 	}
 }

@ -106,7 +104,7 @@ $result = Database::query($sql);
 		if(isset($_POST['link'][$row['id']]) && $_POST['link'][$row['id']] != $row['weight']) {

 			AbstractLink::add_link_log($row['id']);
-			Database::query('UPDATE '.$table_link.' SET weight = '."'".trim($_POST['link'][$row['id']])."'".' WHERE id = '.$row['id']);
+			Database::query('UPDATE '.$table_link.' SET weight = '."'".Database::escape_string(trim($_POST['link'][$row['id']]))."'".' WHERE id = '.$row['id']);
 			$row['weight'] = trim($_POST['link'][$row['id']]);

 			//Update weight for attendance
@ -142,7 +140,7 @@ $result = Database::query($sql);
 		//update only if value changed
 		if(isset($_POST['evaluation'][$row['id']]) && $_POST['evaluation'][$row['id']] != $row['weight']) {
 			Evaluation::add_evaluation_log($row['id']);
-			Database::query('UPDATE '.$table_evaluation.' SET weight = '."'".trim($_POST['evaluation'][$row['id']])."'".' WHERE id = '.$row['id']);
+			Database::query('UPDATE '.$table_evaluation.' SET weight = '."'".Database::escape_string(trim($_POST['evaluation'][$row['id']]))."'".' WHERE id = '.$row['id']);
 			$row['weight'] = trim($_POST['evaluation'][$row['id']]);
 		}
 	$type_evaluated = isset($row['type']) ? $table_evaluated[$type_evaluated][3] : null;
--- a/main/messages/download.php
+++ b/main/messages/download.php
@ -33,6 +33,7 @@ $file_url = str_replace('/..', '', $file_url); //echo $doc_url;
 $tbl_messsage = Database::get_main_table(TABLE_MESSAGE);
 $tbl_messsage_attachment = Database::get_main_table(TABLE_MESSAGE_ATTACHMENT);

+$file_url = Database::escape_string($file_url);
 $sql= "SELECT filename, message_id FROM $tbl_messsage_attachment WHERE path LIKE BINARY '$file_url'";

 $result     = Database::query($sql);
--- a/main/work/download.php
+++ b/main/work/download.php
@ -42,6 +42,7 @@ $tbl_student_publication = Database::get_course_table(TABLE_STUDENT_PUBLICATION)
 // launch event
 event_download($doc_url);

+$doc_url = Database::escape_string($doc_url);
 $sql = 'SELECT title FROM '.$tbl_student_publication.'WHERE url LIKE BINARY "'.$doc_url.'"';

 $result = Database::query($sql);