Adding - Database::escape_string

1.9.x
Julio Montoya 11 years ago
parent 3e1bc9f115
commit 37f683eb99
  1. 6
      main/exercice/exercise.lib.php
  2. 1
      main/inc/lib/course.lib.php

@ -870,11 +870,9 @@ function get_exam_results_hotpotatoes_data($in_from, $in_number_of_items, $in_co
}
$TBL_TRACK_HOTPOTATOES = Database :: get_statistic_table(TABLE_STATISTIC_TRACK_E_HOTPOTATOES);
$TBL_GROUP_REL_USER = Database :: get_course_table(TABLE_GROUP_USER);
$TBL_GROUP = Database :: get_course_table(TABLE_GROUP);
$TBL_USER = Database :: get_main_table(TABLE_MAIN_USER);
$sql .= "SELECT * FROM $TBL_TRACK_HOTPOTATOES thp JOIN $TBL_USER u ON thp.exe_user_id = u.user_id WHERE thp.exe_cours_id = '$course_code' AND exe_name LIKE '$in_hotpot_path%'";
$sql = "SELECT * FROM $TBL_TRACK_HOTPOTATOES thp JOIN $TBL_USER u ON thp.exe_user_id = u.user_id WHERE thp.exe_cours_id = '$course_code' AND exe_name LIKE '$in_hotpot_path%'";
// just count how many answers
if ($in_get_count) {
@ -882,6 +880,8 @@ function get_exam_results_hotpotatoes_data($in_from, $in_number_of_items, $in_co
return Database::num_rows($res);
}
$in_column = Database::escape_string($in_column);
// get a number of sorted results
$sql .= " $where_condition ORDER BY $in_column $in_direction LIMIT $in_from, $in_number_of_items";
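Review bot: Escaping `$in_column` does not make the `ORDER BY $in_column $in_direction` interpolation on the last line safe, because the value is used as an unquoted identifier, and an escaping function (presumably a quote-escaping wrapper here) only neutralises quote characters inside a quoted literal. `$in_direction`, `$in_from` and `$in_number_of_items` are interpolated with no check at all in the same statement. Constrain the column to the set of sortable fields, and add `$in_direction = strtoupper($in_direction) === 'DESC' ? 'DESC' : 'ASC';` and `$in_from = (int) $in_from; $in_number_of_items = (int) $in_number_of_items;` before building the query. The same concern applies to `$course_code` and `$in_hotpot_path` in the SELECT of the first hunk, which are still interpolated into quoted literals without `Database::escape_string`. get_exam_results_hotpotatoes_data's body continues outside both hunks.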

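--- a/main/inc/lib/course.lib.php
+++ b/main/inc/lib/course.lib.php
@@ -1117,6 +1117,7 @@ class CourseManager
 // if the $order_by does not contain 'ORDER BY' we have to check if it is a valid field that can be sorted on
 if (!strstr($order_by,'ORDER BY')) {
 //if (!empty($order_by) AND in_array($order_by, array('lastname', 'firstname', 'username', 'email', 'official_code'))) {
+$order_by = Database::escape_string($order_by);
 if (!empty($order_by)) {
 $order_by = 'ORDER BY '.$order_by;
 } else {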
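Review bot: The added `Database::escape_string($order_by)` does not constrain `$order_by` for its use as an unquoted identifier in `'ORDER BY '.$order_by`; quote escaping only protects a value placed inside a quoted literal, so the sort field is still not limited to a known column. The commented-out `in_array` check on the preceding line has the right shape and should be restored as an allowlist, e.g. `if (!in_array($order_by, array('lastname', 'firstname', 'username', 'email', 'official_code'), true)) { $order_by = ''; }` placed before the `!empty` test, so that anything outside the sortable columns falls into the `else` branch. Note also that `strstr($order_by, 'ORDER BY')` is case-sensitive, so a lower-case prefix takes this path as well. The enclosing CourseManager method starts and ends outside the hunk.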
