[svn r21903] Cleaning code and Database::escape_string & Security::remove_XSS functions added see FS#4389

main/announcements/announcements.inc.php

@@ -1,4 +1,4 @@
-<?php //$Id: announcements.inc.php 20791 2009-05-18 17:47:11Z iflorespaz $
+<?php //$Id: announcements.inc.php 21903 2009-07-08 17:28:02Z juliomontoya $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software
@@ -340,6 +340,9 @@ function load_edit_users($tool, $id)
 	global $_course;
 	global $tbl_item_property;
 	
+	$tool = Database::escape_string($tool);
+	$id = Database::escape_string($id);
+	
 	$sql="SELECT * FROM $tbl_item_property WHERE tool='$tool' AND ref='$id'";
 	$result=api_sql_query($sql,__FILE__,__LINE__) or die (mysql_error());
 	while ($row=Database::fetch_array($result))
@@ -632,12 +635,9 @@ function sent_to_form($sent_to_array)
 */
 function separate_users_groups($to)
 {
-	foreach($to as $to_item)
-	{
+	foreach($to as $to_item) {
 		list($type, $id) = explode(':', $to_item);
-
-		switch($type)
-		{
+		switch($type) {
 			case 'GROUP':
 				$grouplist[] =$id;
 				break;
@@ -666,11 +666,17 @@ function sent_to($tool, $id)
 	global $_course;
 	global $tbl_item_property;
 	
+	$tool = Database::escape_string($tool);
+	$id = Database::escape_string($id);
+	
+	$sent_to_group = array();
+	$sent_to = array();	
+	
 	$sql="SELECT * FROM $tbl_item_property WHERE tool='$tool' AND ref='".$id."'";
 	$result = api_sql_query($sql,__FILE__,__LINE__);
 
-	while ($row=Database::fetch_array($result))
-	{
+	
+	while ($row=Database::fetch_array($result)) {
 		// if to_group_id is null then it is sent to a specific user
 		// if to_group_id = 0 then it is sent to everybody
 		if (!is_null($row['to_group_id']))
@@ -708,6 +714,9 @@ function change_visibility_announcement($tool,$id)
 	global $_course;
 	global $tbl_item_property;	
 	
+	$tool = Database::escape_string($tool);
+	$id = Database::escape_string($id);
+	
 	$sql="SELECT * FROM $tbl_item_property WHERE tool='$tool' AND ref='$id'";
 
 	$result=api_sql_query($sql,__FILE__,__LINE__) or die (mysql_error());
@@ -901,13 +910,10 @@ function send_announcement_email($user_list, $course_code, $_course, $mail_title
 	global $charset;
 	global $_user;
 			
-	foreach ($user_list as $this_user)
-	{
+	foreach ($user_list as $this_user) {
 		/*  Header : Bericht van uw lesgever - GES ($course_code) - Morgen geen les! ($mail_title)
 			Body :  John Doe (prenom + nom) <john_doe@hotmail.com> (email)
-
 					Morgen geen les! ($mail_title)
-
 					Morgen is er geen les, de les wordt geschrapt wegens vergadering (newContent)
 		*/
 		$mail_subject = get_lang('professorMessage').' - '.$_course['official_code'].' - '.$mail_title;
@@ -931,17 +937,25 @@ function update_mail_sent($insert_id)
 {
 	global $_course;
 	global $tbl_announcement;
-
+	if ($insert_id != strval(intval($insert_id))) { return false; } 
+	$insert_id = Database::escape_string($insert_id);
 	// store the modifications in the table tbl_annoucement
 	$sql = "UPDATE $tbl_announcement SET email_sent='1' WHERE id='$insert_id'";
 	api_sql_query($sql,__FILE__,__LINE__);
 }
 
+/**
+ * Gets all announcements from a user by course 
+ * @param	string course db
+ * @param	int user id 
+ * @return	string an html with the content
+ */
 function get_all_annoucement_by_user_course($course_db, $user_id)
 {	
 	$tbl_announcement		= Database::get_course_table(TABLE_ANNOUNCEMENT, $course_db);
 	$tbl_item_property  	= Database::get_course_table(TABLE_ITEM_PROPERTY, $course_db);
-
+	if (!empty($user_id) && is_numeric($user_id)) {
+		$user_id = Database::escape_string($user_id);
 		$sql="SELECT announcement.*, toolitemproperties.*
 						FROM $tbl_announcement announcement, $tbl_item_property toolitemproperties
 						WHERE announcement.id = toolitemproperties.ref
@@ -968,4 +982,7 @@ function get_all_annoucement_by_user_course($course_db, $user_id)
 		} else {
 			return $content;
 		}
+	} else {
+		return '';
+	}
 }