From 37f683eb99b2aa846732165878c21f20d4b8c9d6 Mon Sep 17 00:00:00 2001
From: Julio Montoya
Date: Wed, 6 Nov 2013 12:27:22 +0100
Subject: [PATCH] Adding - Database::escape_string
---
 main/exercice/exercise.lib.php | 6 +++---
 main/inc/lib/course.lib.php | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/main/exercice/exercise.lib.php b/main/exercice/exercise.lib.php
index 08aaae0b78..ede1dec93e 100644
--- a/main/exercice/exercise.lib.php
+++ b/main/exercice/exercise.lib.php
@@ -870,11 +870,9 @@ function get_exam_results_hotpotatoes_data($in_from, $in_number_of_items, $in_co
 }
 $TBL_TRACK_HOTPOTATOES = Database :: get_statistic_table(TABLE_STATISTIC_TRACK_E_HOTPOTATOES);
- $TBL_GROUP_REL_USER = Database :: get_course_table(TABLE_GROUP_USER);
- $TBL_GROUP = Database :: get_course_table(TABLE_GROUP);
 $TBL_USER = Database :: get_main_table(TABLE_MAIN_USER);
- $sql .= "SELECT * FROM $TBL_TRACK_HOTPOTATOES thp JOIN $TBL_USER u ON thp.exe_user_id = u.user_id WHERE thp.exe_cours_id = '$course_code' AND exe_name LIKE '$in_hotpot_path%'";
+ $sql = "SELECT * FROM $TBL_TRACK_HOTPOTATOES thp JOIN $TBL_USER u ON thp.exe_user_id = u.user_id WHERE thp.exe_cours_id = '$course_code' AND exe_name LIKE '$in_hotpot_path%'";
 // just count how many answers
 if ($in_get_count) {
@@ -882,6 +880,8 @@ function get_exam_results_hotpotatoes_data($in_from, $in_number_of_items, $in_co
 return Database::num_rows($res);
 }
+ $in_column = Database::escape_string($in_column);
+
 // get a number of sorted results
 $sql .= " $where_condition ORDER BY $in_column $in_direction LIMIT $in_from, $in_number_of_items";
diff --git a/main/inc/lib/course.lib.php b/main/inc/lib/course.lib.php
index 80a84381b6..d39a2764c3 100644
--- a/main/inc/lib/course.lib.php
+++ b/main/inc/lib/course.lib.php
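Review bot: The rewritten SELECT on the `+` line still interpolates `$course_code` and `$in_hotpot_path` directly into quoted string positions, and nothing in this hunk escapes them, so unless both are already passed through `Database::escape_string()` earlier in `get_exam_results_hotpotatoes_data` (its start is outside the hunk) the `thp.exe_cours_id = '$course_code'` and `exe_name LIKE '$in_hotpot_path%'` terms are injectable. Even when escaped, `escape_string` leaves the LIKE wildcards `%` and `_` alone, so a caller-supplied path can widen the match beyond a single hotpotatoes file. I would add, immediately before the query, `$course_code = Database::escape_string($course_code);` and `$in_hotpot_path = Database::escape_string(addcslashes($in_hotpot_path, '%_'));` (drop the `addcslashes` only if matching on caller-supplied wildcards is intended). The function continues past the end of this hunk.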
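Review bot: Escaping `$in_column` on the added line does not protect the `ORDER BY $in_column $in_direction` clause on the last line, because the value is interpolated as a bare identifier rather than inside quotes: `escape_string` only neutralises quote, backslash and NUL characters, so a value such as `exe_name, (SELECT ...)` or `exe_name LIMIT 1 -- ` passes through unchanged and still rewrites the query. `$in_direction`, `$in_from` and `$in_number_of_items` go into the same statement with no visible treatment at all, and `$where_condition` is built outside this hunk, so I cannot tell whether it is safe. Identifier and numeric positions need a whitelist and integer casts rather than escaping; the only columns this hunk shows are `exe_name`, `exe_user_id` and `exe_cours_id`, and the list must be completed from what the callers actually sort on. The function starts before and continues after this hunk.
```php
    // … unchanged: count-only early return …

    // Identifier positions cannot be quoted, so escape_string() is no protection here:
    // whitelist the column, pin the direction and cast the LIMIT operands instead.
    // TODO(review): complete the whitelist with the columns callers actually sort on.
    $sortable_columns = array('exe_name', 'exe_user_id', 'exe_cours_id');
    if (!in_array($in_column, $sortable_columns, true)) {
        $in_column = 'exe_name';
    }
    $in_direction = (strtoupper($in_direction) === 'DESC') ? 'DESC' : 'ASC';
    $in_from = (int) $in_from;
    $in_number_of_items = (int) $in_number_of_items;

    // get a number of sorted results
    $sql .= " $where_condition ORDER BY $in_column $in_direction LIMIT $in_from, $in_number_of_items";
```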
@@ -1117,6 +1117,7 @@ class CourseManager
 // if the $order_by does not contain 'ORDER BY' we have to check if it is a valid field that can be sorted on
 if (!strstr($order_by,'ORDER BY')) {
 //if (!empty($order_by) AND in_array($order_by, array('lastname', 'firstname', 'username', 'email', 'official_code'))) {
+ $order_by = Database::escape_string($order_by);
 if (!empty($order_by)) {
 $order_by = 'ORDER BY '.$order_by;
 } else {
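Review bot: `Database::escape_string($order_by)` on the added line does not make `'ORDER BY '.$order_by` safe, because the value lands in an identifier position where no quoting applies; only quotes, backslashes and NUL are escaped, so `lastname, (SELECT ...)` or a trailing `LIMIT`/comment sequence survives intact and still alters the statement. The commented-out line directly above already has the right shape, so restore the whitelist instead of escaping: `if (!in_array($order_by, array('lastname', 'firstname', 'username', 'email', 'official_code'), true)) { $order_by = ''; }`, which makes a rejected value fall into the existing `else` branch. The `strstr($order_by,'ORDER BY')` guard also means any value that already contains `ORDER BY` skips this check entirely and is presumably used verbatim by whatever follows the `if`, which is outside this hunk. The enclosing `CourseManager` method starts and ends outside the hunk.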