[svn r17779] Fixed excessive filtering added in SVN#17605

main/exercice/exercice.php

@@ -1,4 +1,4 @@
-<?php // $Id: exercice.php 17769 2009-01-16 04:07:35Z ivantcholakov $
+<?php // $Id: exercice.php 17779 2009-01-16 17:06:30Z yannoo $
 
 /*
 ==============================================================================
@@ -272,13 +272,12 @@ api_mail_html($emailid, $emailid, $subject, $mess, $from_name, $from);
 if (in_array($origin, array('tracking_course','user_course'))){
 		// update score  when you qualify the exercises in Learning path detail
 		if (isset($_REQUEST['lp_item_id']) && isset($_REQUEST['lp_item_view_id']) && isset($_REQUEST['student_id']) && isset($_REQUEST['total_score'])) {
-			$lp_item_id = Security::remove_XSS($_REQUEST['lp_item_id']);
-			$lp_item_view_id = Security::remove_XSS($_REQUEST['lp_item_view_id']);
-			$student_id = Security::remove_XSS($_REQUEST['student_id']);
-			$score = Security::remove_XSS($_REQUEST['total_score']);			
-			$sql = "UPDATE $TBL_LP_ITEM_VIEW SET score = '$score' WHERE lp_item_id = '$lp_item_id'
-					AND lp_view_id = (SELECT id from $TBL_LP_VIEW  WHERE user_id = '$student_id' and lp_id='$lp_item_view_id')";
-			api_sql_query($sql,__FILE__,__LINE__);	
+			if ($lp_item_id == strval(intval($lp_item_id)) && $lp_item_view_id == strval(intval($lp_item_view_id)) && $student_id == strval(intval($student_id))) {
+    			$score = Database::escape_string($_REQUEST['total_score']);			
+    			$sql = "UPDATE $TBL_LP_ITEM_VIEW SET score = '$score' WHERE lp_item_id = '$lp_item_id'
+    					AND lp_view_id = (SELECT id from $TBL_LP_VIEW  WHERE user_id = '$student_id' and lp_id='$lp_item_view_id')";
+    			api_sql_query($sql,__FILE__,__LINE__);	
+            }
 		}
 		//Redirect to the reporting		
 		header('location: ../mySpace/myStudents.php?origin='.$origin.'&student='.$_GET['student'].'&details=true&course='.$_GET['course']);

main/newscorm/learnpathItem.class.php

@@ -2191,9 +2191,8 @@ function get_terms()
 	     	//now save into DB
 	     	$res = 0;
 	     	if(Database::num_rows($check_res)<1){
-	     		if ($this->type=='quiz') {
-	     				$my_status = ' ';
-	     		}else {
+                $my_status = '';
+	     		if ($this->type!='quiz') {
 	     				$my_status = $this->get_status(false);	
 	     		}
 		     	$sql = "INSERT INTO $item_view_table " .

main/newscorm/lp_view.php

@@ -127,8 +127,8 @@ switch($lp_type)
 if (isset($_GET['lp_id']) && isset($_GET['lp_item_id'])) {
     $TBL_LP_ITEM_VIEW		= Database::get_course_table(TABLE_LP_ITEM_VIEW);
 	$TBL_LP_VIEW			= Database::get_course_table(TABLE_LP_VIEW);	
-	$learnpath_item_id = Security::remove_XSS($_GET['lp_item_id']);
-    $learnpath_id = Security::remove_XSS($_GET['lp_id']);   	
+	$learnpath_item_id      = Security::remove_XSS($_GET['lp_item_id']);
+    $learnpath_id           = Security::remove_XSS($_GET['lp_id']);   	
 	
 	$sql = "UPDATE $TBL_LP_ITEM_VIEW SET status = 'completed' WHERE lp_item_id = '".Database::escape_string($learnpath_item_id)."'
 			 AND lp_view_id = (SELECT lp_view.id FROM $TBL_LP_VIEW lp_view WHERE user_id = '".Database::escape_string($user_id)."' AND lp_id='".Database::escape_string($learnpath_id)."')";