[svn r15801] Fixed possible overflow of database name in course.db_name field - see FS#2426

skala
Yannick Warnier 17 years ago
parent efac786fb7
commit 3d41ca367c
  1. 19
      main/admin/course_add.php
  2. 41
      main/admin/course_import.php
  3. 15
      main/create_course/add_course.php
  4. 16
      main/install/install_functions.inc.php

@ -1,10 +1,10 @@
<?php
// $Id: course_add.php 14291 2008-02-14 08:17:23Z elixir_inter $
// $Id: course_add.php 15801 2008-07-17 04:23:35Z yannoo $
/*
==============================================================================
Dokeos - elearning and course management software
Copyright (c) 2004 Dokeos S.A.
Copyright (c) 2004-2008 Dokeos SPRL
Copyright (c) 2003 Ghent University (UGent)
Copyright (c) 2001 Universite catholique de Louvain (UCL)
Copyright (c) Olivier Brouckaert
@ -20,7 +20,8 @@
See the GNU General Public License for more details.
Contact: Dokeos, 181 rue Royale, B-1000 Brussels, Belgium, info@dokeos.com
Contact: Dokeos, rue du Corbeau, 108, B-1030 Brussels
Belgium, info@dokeos.com
==============================================================================
*/
/**
@ -68,11 +69,17 @@ while($obj = mysql_fetch_object($res))
{
$teachers[$obj->user_id] = $obj->lastname.' '.$obj->firstname;
}
global $_configuration;
$dbnamelength = strlen($_configuration['db_prefix']);
//Ensure the database prefix + database name do not get over 40 characters
$maxlength = 40 - $dbnamelength;
// Build the form
$form = new FormValidator('update_course');
$form->add_textfield( 'visual_code', get_lang('CourseCode'),false,array('size'=>'20','maxlength'=>20));
$form->applyFilter('visual_code','strtoupper');
$form->addRule('wanted_code',get_lang('Max'),'maxlength',20);
$form->addRule('wanted_code',get_lang('Max'),'maxlength',$maxlength);
$form->addElement('select', 'tutor_id', get_lang('CourseTitular'), $teachers);
$form->addElement('select', 'course_teachers', get_lang('CourseTeachers'), $teachers, 'multiple=multiple size=5');
$form->add_textfield('title', get_lang('Title'),true, array ('size' => '60'));
@ -131,7 +138,7 @@ if( $form->validate())
$department_url = 'http://'.$department_url;
}
if(trim($code) == ''){
$code = generate_course_code(substr($title,0,20));
$code = generate_course_code(substr($title,0,$maxlength));
}
$keys = define_course_keys($code, "", $_configuration['db_prefix']);
if (sizeof($keys))
@ -162,4 +169,4 @@ $form->display();
==============================================================================
*/
Display :: display_footer();
?>
?>
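Review bot: The new length rule on the `$form->addRule('wanted_code', get_lang('Max'), 'maxlength', $maxlength)` line is registered for an element named `wanted_code`, but the only code field this form adds in the hunk is `visual_code` (`$form->add_textfield('visual_code', ...)`), and that field keeps a hard-coded `'maxlength'=>20` instead of `$maxlength`. Unless a `wanted_code` element is defined outside the hunk, the server-side check never runs and the only limit is the client-side `maxlength` attribute, which is not a control; the same rule/field name mismatch existed before this commit but the commit relies on it to enforce the 40-character budget. I would bind both to the real field: `$form->add_textfield('visual_code', get_lang('CourseCode'), false, array('size'=>'20','maxlength'=>$maxlength));` and `$form->addRule('visual_code', get_lang('Max'), 'maxlength', $maxlength);`. `$maxlength = 40 - $dbnamelength` also has no lower bound, so a prefix of 40 or more characters yields a zero or negative limit; clamping it (e.g. `max(1, ...)`) or rejecting such a configuration would make the failure explicit rather than producing an empty code from `substr($title, 0, $maxlength)`.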

@ -1,10 +1,9 @@
<?php
// $Id: course_import.php 8216 2006-03-15 16:33:13Z turboke $
<?php // $Id: course_import.php 8216 2006-03-15 16:33:13Z turboke $
/*
==============================================================================
Dokeos - elearning and course management software
Copyright (c) 2008 Dokeos SPRL
Copyright (c) 2005 Bart Mollet <bart.mollet@hogent.be>
For a full list of contributors, see "credits.txt".
@ -17,7 +16,7 @@
See the GNU General Public License for more details.
Contact: Dokeos, 181 rue Royale, B-1000 Brussels, Belgium, info@dokeos.com
Contact: Dokeos, rue du Corbeau, 108, B-1030 Brussels, Belgium, info@dokeos.com
==============================================================================
*/
/**
@ -30,17 +29,19 @@
/**
* validate the imported data
*/
function validate_data($courses)
{
function validate_data($courses) {
global $_configuration;
$dbnamelength = strlen($_configuration['db_prefix']);
//Ensure the prefix + database name do not get over 40 characters
$maxlength = 40 - $dbnamelength;
$errors = array ();
$coursecodes = array ();
foreach ($courses as $index => $course)
{
foreach ($courses as $index => $course) {
$course['line'] = $index +1;
//1. check if mandatory fields are set
$mandatory_fields = array ('Code', 'Title', 'CourseCategory', 'Teacher');
foreach ($mandatory_fields as $key => $field)
{
foreach ($mandatory_fields as $key => $field) {
if (!isset ($course[$field]) || strlen($course[$field]) == 0)
{
$course['error'] = get_lang($field.'Mandatory');
@ -48,27 +49,21 @@ function validate_data($courses)
}
}
//2. check if code isn't in use
if (isset ($course['Code']) && strlen($course['Code']) != 0)
{
if (isset ($course['Code']) && strlen($course['Code']) != 0) {
//2.1 check if code allready used in this CVS-file
if (isset ($coursecodes[$course['Code']]))
{
if (isset ($coursecodes[$course['Code']])) {
$course['error'] = get_lang('CodeTwiceInFile');
$errors[] = $course;
}
elseif(strlen($course['Code']) > 20)
{
} elseif (strlen(($course['Code']) > $maxlength)) {
$course['error'] = get_lang('Max');
$errors[] = $course;
}
//2.3 check if code allready used in DB
else
{
else {
$course_table = Database :: get_main_table(TABLE_MAIN_COURSE);
$sql = "SELECT * FROM $course_table WHERE code = '".mysql_real_escape_string($course['Code'])."'";
$sql = "SELECT * FROM $course_table WHERE code = '".Database::escape_string($course['Code'])."'";
$res = api_sql_query($sql, __FILE__, __LINE__);
if (mysql_num_rows($res) > 0)
{
if (Database::num_rows($res) > 0) {
$course['error'] = get_lang('CodeExists');
$errors[] = $course;
}
@ -222,4 +217,4 @@ BIO0015;Biology;BIO;username
==============================================================================
*/
Display :: display_footer();
?>
?>
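Review bot: The new condition `} elseif (strlen(($course['Code']) > $maxlength)) {` has the closing parenthesis in the wrong place: it computes `strlen()` of the boolean comparison result, not of the code, so the length check only works by accident of bool-to-string coercion ("1" has length 1, "" has length 0) and would throw a TypeError under strict types. It should read `} elseif (strlen($course['Code']) > $maxlength) {`. This is the server-side validation for imported CSV data, so it is the check that actually matters; the rest of the hunk (switching to `Database::escape_string` for the duplicate-code query) is fine. validate_data continues past the end of the hunk.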

@ -1,5 +1,5 @@
<?php
// $Id: add_course.php 15674 2008-07-01 16:04:43Z juliomontoya $
// $Id: add_course.php 15801 2008-07-17 04:23:35Z yannoo $
/*
==============================================================================
Dokeos - elearning and course management software
@ -20,7 +20,7 @@
See the GNU General Public License for more details.
Contact address: Dokeos, rue du Corbeau, 108, B-1030 Brussels, Belgium
Mail: info@dokeos.com
Mail: info@dokeos.com
==============================================================================
*/
/**
@ -73,6 +73,11 @@ if (!api_is_allowed_to_create_course())
$table_course_category = Database :: get_main_table(TABLE_MAIN_CATEGORY);
$table_course = Database :: get_main_table(TABLE_MAIN_COURSE);
global $_configuration;
$dbnamelength = strlen($_configuration['db_prefix']);
//Ensure the database prefix + database name do not get over 40 characters
$maxlength = 40 - $dbnamelength;
// Build the form
$categories = array();
$form = new FormValidator('add_course');
@ -81,8 +86,8 @@ $form->addElement('static',null,null,get_lang('Ex'));
$categories_select = $form->addElement('select', 'category_code', get_lang('Fac'), $categories);
CourseManager::select_and_sort_categories($categories_select);
$form->addElement('static',null,null, get_lang('TargetFac'));
$form->add_textfield('wanted_code', get_lang('Code'),false,array('size'=>'20','maxlength'=>20));
$form->addRule('wanted_code',get_lang('Max'),'maxlength',20);
$form->add_textfield('wanted_code', get_lang('Code'),false,array('size'=>'$maxlength','maxlength'=>$maxlength));
$form->addRule('wanted_code',get_lang('Max'),'maxlength',$maxlength);
$titular= &$form->add_textfield('tutor_name', get_lang('Professors'),true,array('size'=>'60'));
$form->addElement('select_language', 'course_language', get_lang('Ln'));
$form->addElement('submit', null, get_lang('Ok'));
@ -111,7 +116,7 @@ if($form->validate())
$course_language = $course_values['course_language'];
if(trim($wanted_code) == ''){
$wanted_code = generate_course_code(substr($title,0,20));
$wanted_code = generate_course_code(substr($title,0,$maxlength));
}
$keys = define_course_keys($wanted_code, "", $_configuration['db_prefix']);
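Review bot: In `$form->add_textfield('wanted_code', get_lang('Code'), false, array('size'=>'$maxlength','maxlength'=>$maxlength));` the `size` value is a single-quoted string, so the rendered attribute is the literal text `size="$maxlength"` rather than the number; the `maxlength` entry and the `addRule(... 'maxlength', $maxlength)` line on the next line are correct and together give the server-side enforcement. Use an unquoted variable or keep the old fixed width: `$form->add_textfield('wanted_code', get_lang('Code'), false, array('size'=>'20','maxlength'=>$maxlength));`. As in course_add.php, `$maxlength = 40 - $dbnamelength` can reach zero or below for a long `db_prefix`, which would make `substr($title, 0, $maxlength)` return an empty code; a lower bound or an explicit configuration error would be safer.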

@ -731,11 +731,21 @@ function display_database_parameter($install_type, $parameter_name, $form_field_
}
else
{
if ( $form_field_name == 'dbPassForm' ) {
echo '<td><input type="password" size="'.DATABASE_FORM_FIELD_DISPLAY_LENGTH.'" maxlength="'.MAX_FORM_FIELD_LENGTH.'" name="'.$form_field_name.'" id="'.$form_field_name.'" value="'.htmlentities($parameter_value).'" />'."</td>\n";
if ($form_field_name=='dbPassForm') {
$inputtype = 'password';
} else {
echo '<td><input type="text" size="'.DATABASE_FORM_FIELD_DISPLAY_LENGTH.'" maxlength="'.MAX_FORM_FIELD_LENGTH.'" name="'.$form_field_name.'" id="'.$form_field_name.'" value="'.htmlentities($parameter_value).'" />'."</td>\n";
$inputtype = 'text';
}
//Slightly limit the length of the database prefix to avoid
//having to cut down the databases names later on
if ($form_field_name=='dbPrefixForm') {
$maxlength = '15';
} else {
$maxlength = MAX_FORM_FIELD_LENGTH;
}
echo '<td><input type="'.$inputtype.'" size="'.DATABASE_FORM_FIELD_DISPLAY_LENGTH.'" maxlength="'.$maxlength.'" name="'.$form_field_name.'" id="'.$form_field_name.'" value="'.htmlentities($parameter_value).'" />'."</td>\n";
echo "<td>$extra_notice</td>\n";
}
echo "</tr>\n";
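Review bot: The 15-character cap for `dbPrefixForm` is applied only as a client-side `maxlength` attribute on the rendered input, and the comment does not say why 15 was chosen; the value that is actually stored comes from the request handler outside this hunk, which needs the same check to keep the `40 - strlen(db_prefix)` budget used by course_add.php and add_course.php from going negative. I would explain the coupling in the comment, e.g. `// Prefix is capped at 15 so that course_add/add_course keep at least 25 chars for the code (40 - prefix); the handler must enforce this too`, and replace the bare string `'15'` with a named constant defined next to `MAX_FORM_FIELD_LENGTH` so the handler and this form share one value. display_database_parameter begins and ends outside the hunk, so the `$parameter_value`/`$form_field_name` escaping in the echoed markup cannot be judged here.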
