From 356f7c6b2feebac730a33fab1f8aa152621e6caf Mon Sep 17 00:00:00 2001 From: John Hinojosa Date: Mon, 1 Jun 2009 22:58:59 +0200 Subject: [PATCH] [svn r21173] change code, title survey character special- fixed FS#4269 --- main/survey/survey.lib.php | 44 +++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/main/survey/survey.lib.php b/main/survey/survey.lib.php index a92e7a0c2a..f21774fc9c 100644 --- a/main/survey/survey.lib.php +++ b/main/survey/survey.lib.php @@ -24,7 +24,7 @@ * @package dokeos.survey * @author Patrick Cool , Ghent University: cleanup, refactoring and rewriting large parts (if not all) of the code @author Julio Montoya Armas , Dokeos: Personality Test modification and rewriting large parts of the code -* @version $Id: survey.lib.php 21170 2009-06-01 20:53:44Z cfasanando $ +* @version $Id: survey.lib.php 21173 2009-06-01 20:58:59Z jhp1411 $ * * @todo move this file to inc/lib * @todo use consistent naming for the functions (save vs store for instance) 
@@ -239,24 +239,24 @@ class survey_manager
 }
 }
 }
- $sql = "INSERT INTO $table_survey (code, title, subtitle, author, lang, avail_from, avail_till, is_shared, template, intro, surveythanks, creation_date, anonymous".$additional['columns'].", session_id) VALUES (
- '".Database::escape_string(Security::remove_XSS($values['survey_code']))."',
- '".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($values['survey_title'])),COURSEMANAGERLOWSECURITY))."',
- '".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($values['survey_subtitle'])),COURSEMANAGERLOWSECURITY))."',
- '".Database::escape_string($_user['user_id'])."',
- '".Database::escape_string($values['survey_language'])."',
- '".Database::escape_string($values['start_date'])."',
- '".Database::escape_string($values['end_date'])."',
- '".Database::escape_string($shared_survey_id)."',
- '".Database::escape_string('template')."',
- '".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($values['survey_introduction'])),COURSEMANAGERLOWSECURITY))."',
- '".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($values['survey_thanks'])),COURSEMANAGERLOWSECURITY))."',
- '".date('Y-m-d H:i:s')."',
- '".Database::escape_string($values['anonymous'])."'".$additional['values'].",
- ".intval($_SESSION['id_session'])." 
- )"; - $result = api_sql_query($sql, __FILE__, __LINE__); - $survey_id = Database::insert_id(); + $sql = "INSERT INTO $table_survey (code, title, subtitle, author, lang, avail_from, avail_till, is_shared, template, intro, surveythanks, creation_date, anonymous".$additional['columns'].", session_id) VALUES ( + '".Database::escape_string(strtolower(generate_course_code(api_substr($values['survey_code']))))."', + '".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($values['survey_title'])),COURSEMANAGERLOWSECURITY))."', + '".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($values['survey_subtitle'])),COURSEMANAGERLOWSECURITY))."', + '".Database::escape_string($_user['user_id'])."', + '".Database::escape_string($values['survey_language'])."', + '".Database::escape_string($values['start_date'])."', + '".Database::escape_string($values['end_date'])."', + '".Database::escape_string($shared_survey_id)."', + '".Database::escape_string('template')."', + '".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($values['survey_introduction'])),COURSEMANAGERLOWSECURITY))."', + '".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($values['survey_thanks'])),COURSEMANAGERLOWSECURITY))."', + '".date('Y-m-d H:i:s')."', + '".Database::escape_string($values['anonymous'])."'".$additional['values'].", + ".intval($_SESSION['id_session'])." + )"; + $result = api_sql_query($sql, __FILE__, __LINE__); + $survey_id = Database::insert_id(); if($values['survey_type']==1 && !empty($values['parent_id'])){ survey_manager::copy_survey($values['parent_id'],$survey_id); } @@ -1368,7 +1368,7 @@ class question $this->html .= ' * '.get_lang('Question'); $this->html .= ' '; $this->html .= '
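Review bot: `api_substr($values['survey_code'])` on the new survey-code line passes only the string; if api_substr follows the substr() signature it also needs a start offset, so this call would raise a missing-argument warning and hand generate_course_code() an unintended value — `api_substr($values['survey_code'], 0)` or simply `$values['survey_code']` would make the intent explicit. generate_course_code() is not declared in this file as far as the hunk shows; if it lives in the course-creation library, that library must be loaded before this code runs or the INSERT path fails with an undefined function. Because the stored code is now a lower-cased, normalised form of the input, any uniqueness check performed earlier on the raw `$values['survey_code']` would no longer compare against what is actually written; confirm that check applies the same transform. The other seventeen VALUES lines appear to differ only in whitespace, which buries the single functional change — a whitespace-only reindent is better kept in its own commit. The enclosing survey_manager method starts and ends outside the hunk.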
'; - $this->html .= api_return_html_area('question', api_html_entity_decode(stripslashes($form_content['question']), ENT_QUOTES, $charset)); + $this->html .= api_return_html_area('question', Security::remove_XSS(stripslashes($form_content['question']))); $this->html .= '
'; $this->html .= ' '; @@ -1393,7 +1393,7 @@ class question while($row = Database::fetch_array($rs,NUM)) { $glist .= ''; - } + } $grouplist = $grouplist1 = $grouplist2 = $glist; @@ -1532,7 +1532,7 @@ class question $_SESSION['temp_horizontalvertical'] = $form_content['horizontalvertical']; $_SESSION['temp_sys_message']=$message; $_SESSION['temp_answers']=$form_content['answers']; - $_SESSION['temp_values']=$form_content['values']; + $_SESSION['temp_values']=$form_content['values']; header('location:question.php?'.api_get_cidreq().'&question_id='.Security::remove_XSS($_GET['question_id']).'&survey_id='.Security::remove_XSS($_GET['survey_id']).'&action='.Security::remove_XSS($_GET['action']).'&type='.Security::remove_XSS($_GET['type']).''); } }
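Review bot: The new `Security::remove_XSS(stripslashes($form_content['question']))` is called with the default security level, while every other rich-text field touched by this patch (title, subtitle, intro, thanks in the survey_manager hunk) passes `COURSEMANAGERLOWSECURITY`; if the default is stricter, a course manager's question HTML is filtered differently from the survey text it sits beside. Either pass the level on purpose, `Security::remove_XSS(stripslashes($form_content['question']), COURSEMANAGERLOWSECURITY)`, or add a comment such as `// strict default: this value is re-rendered from submitted form input` so the choice is visible. The removed call also decoded HTML entities with the page charset; if `$form_content['question']` can arrive entity-encoded (for instance when reloaded from storage), the editor will now display the encoded form, which is worth confirming against the callers that build `$form_content`. The enclosing question method starts and ends outside the hunk.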