diff --git a/main/admin/course_list.php b/main/admin/course_list.php index c454bf1fe4..4883c0d818 100755 --- a/main/admin/course_list.php +++ b/main/admin/course_list.php @@ -41,6 +41,13 @@ function get_course_data($from, $number_of_items, $column, $direction, $dataFunc { $addTeacherColumn = api_get_configuration_value('add_teachers_in_course_list'); $table = Database::get_main_table(TABLE_MAIN_COURSE); + $from = (int) $from; + $number_of_items = (int) $number_of_items; + $column = (int) $column; + + if (!in_array(strtolower($direction), ['asc', 'desc'])) { + $direction = 'desc'; + } $teachers = ''; if ($addTeacherColumn) { @@ -250,6 +257,14 @@ function get_course_data_by_session($from, $number_of_items, $column, $direction $session_rel_course = Database::get_main_table(TABLE_MAIN_SESSION_COURSE); $session = Database::get_main_table(TABLE_MAIN_SESSION); + $from = (int) $from; + $number_of_items = (int) $number_of_items; + $column = (int) $column; + + if (!in_array(strtolower($direction), ['asc', 'desc'])) { + $direction = 'desc'; + } + $sql = "SELECT c.code AS col0, c.title AS col1, diff --git a/main/admin/course_list_admin.php b/main/admin/course_list_admin.php index c22cf8a9b0..9ca041610d 100644 --- a/main/admin/course_list_admin.php +++ b/main/admin/course_list_admin.php @@ -42,6 +42,14 @@ function get_course_data($from, $number_of_items, $column, $direction, $dataFunc $addTeacherColumn = true; $table = Database::get_main_table(TABLE_MAIN_COURSE); + $from = (int) $from; + $number_of_items = (int) $number_of_items; + $column = (int) $column; + + if (!in_array(strtolower($direction), ['asc', 'desc'])) { + $direction = 'desc'; + } + $teachers = ''; if ($addTeacherColumn) { $teachers = " GROUP_CONCAT(cu.user_id SEPARATOR ',') as col4, "; diff --git a/main/admin/course_request_review.php b/main/admin/course_request_review.php index 6be31c1616..eb58cb3c71 100755 --- a/main/admin/course_request_review.php +++ b/main/admin/course_request_review.php 
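Review bot: The same seven-line sanitizer (three `(int)` casts plus the `asc`/`desc` check) is pasted into get_course_data here, into get_course_data_by_session, into course_list_admin.php's get_course_data, into course_request_review.php's get_request_data and into settings.lib.php's getTemplateData, and the copies already drift: the fallback is `'desc'` in the first three and `'asc'` in the last two, and only the last two apply `trim()`. Extracting it once, for example a proposed `Database::sanitizeSortDirection(string $direction, string $default = 'asc'): string` that trims, lowercases and whitelists in one place, would keep the rule identical across the grids and make the default an explicit per-caller choice. While there, pass `true` as the third argument of `in_array()` so the comparison is strict. The body of each of these functions continues outside its hunk.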
@@ -129,6 +129,11 @@ function get_request_data($from, $number_of_items, $column, $direction) global $keyword; $course_request_table = Database::get_main_table(TABLE_MAIN_COURSE_REQUEST); + $from = (int) $from; + $number_of_items = (int) $number_of_items; + $column = (int) $column; + $direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction; + if (DELETE_ACTION_ENABLED) { $sql = "SELECT id AS col0, code AS col1, @@ -177,7 +182,7 @@ function get_request_data($from, $number_of_items, $column, $direction) function email_filter($teacher) { $teacher = Database::escape_string($teacher); - $sql = "SELECT user_id FROM ".Database::get_main_table(TABLE_MAIN_COURSE_REQUEST)." + $sql = "SELECT user_id FROM ".Database::get_main_table(TABLE_MAIN_COURSE_REQUEST)." WHERE tutor_name LIKE '".$teacher."'"; $res = Database::query($sql); $info = Database::fetch_array($res); diff --git a/main/admin/settings.lib.php b/main/admin/settings.lib.php index 3e5ac2b857..18d6bdf399 100755 --- a/main/admin/settings.lib.php +++ b/main/admin/settings.lib.php @@ -1279,6 +1279,11 @@ function getTemplateData($from, $number_of_items, $column, $direction) // Database table definition. $table_system_template = Database::get_main_table('system_template'); + $from = (int) $from; + $number_of_items = (int) $number_of_items; + $column = (int) $column; + $direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction; + // The sql statement. $sql = "SELECT image as col0, title as col1, id as col2 FROM $table_system_template"; $sql .= " ORDER BY col$column $direction "; diff --git a/main/cron/lang/langstats.class.php b/main/cron/lang/langstats.class.php index 60c630d125..02a15830aa 100755 --- a/main/cron/lang/langstats.class.php +++ b/main/cron/lang/langstats.class.php 
@@ -152,8 +152,10 @@ class langstats */ public function get_popular_terms($num = 1000) { + $num = (int) $num; $res = $this->db->query( - 'SELECT * FROM lang_freq ORDER BY term_count DESC LIMIT '.$num + 'SELECT * FROM lang_freq + ORDER BY term_count DESC LIMIT '.$num ); $list = []; while ($row = $res->fetchArray()) { diff --git a/main/exercise/TestCategory.php b/main/exercise/TestCategory.php index ce8c68bbb1..90be5b5c21 100644 --- a/main/exercise/TestCategory.php +++ b/main/exercise/TestCategory.php @@ -236,7 +236,7 @@ class TestCategory $field = Database::escape_string($field); $sql = "SELECT $field FROM $table WHERE c_id = $courseId - ORDER BY $field ASC"; + ORDER BY `$field` ASC"; $res = Database::query($sql); while ($row = Database::fetch_array($res)) { $categories[] = $row[$field]; diff --git a/main/exercise/exercise.class.php b/main/exercise/exercise.class.php index 1a1550d30f..6ac6396ae3 100755 --- a/main/exercise/exercise.class.php +++ b/main/exercise/exercise.class.php @@ -666,7 +666,7 @@ class Exercise if (!empty($sidx) && !empty($sord)) { if ('question' === $sidx) { if (in_array(strtolower($sord), ['desc', 'asc'])) { - $orderCondition = " ORDER BY q.$sidx $sord"; + $orderCondition = " ORDER BY `q.$sidx` $sord"; } } } diff --git a/main/forum/forumfunction.inc.php b/main/forum/forumfunction.inc.php index 13773f6b6f..d9c37572e4 100755 --- a/main/forum/forumfunction.inc.php +++ b/main/forum/forumfunction.inc.php @@ -6128,6 +6128,7 @@ function get_thread_user_post_limit($course_code, $thread_id, $user_id, $limit = $course_info = api_get_course_info($course_code); $course_id = $course_info['real_id']; + $limit = (int) $limit; $sql = "SELECT * FROM $table_posts posts LEFT JOIN $table_users users 
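Review bot: Back-quoting `$field` in the ORDER BY leaves the same value unquoted in the `SELECT $field` two lines earlier, and `Database::escape_string()` does not escape backticks, so the hardening is partial: a value containing a backtick still ends the quoted identifier. Because the result is read back as `$row[$field]`, the function only works for real column names anyway, so a whitelist of the sortable columns of `$table` (or doubling any backtick in the value before quoting) is the robust fix. The same escape-then-quote pattern appears in exercise.lib.php (the `$in_column` and `$column` hunks), api.lib.php's api_get_access_urls and course.lib.php's `$orderby` hunk. The enclosing method starts and ends outside the hunk.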
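Review bot: In the Exercise hunk the new ORDER BY wraps `q.` and `$sidx` together in one pair of backticks, so MySQL looks for a single column literally named `q.question` and the query fails. The line above already pins `$sidx` to the literal `'question'` and the line before that whitelists `$sord`, so the quoting adds nothing; the simplest correct form is the previous `$orderCondition = " ORDER BY q.$sidx $sord";`, or, if quoting is wanted, place the backticks around the column name only, after the `q.` prefix. The enclosing method starts and ends outside the hunk.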
@@ -6136,7 +6137,8 @@ function get_thread_user_post_limit($course_code, $thread_id, $user_id, $limit = posts.c_id = $course_id AND posts.thread_id='".Database::escape_string($thread_id)."' AND posts.poster_id='".Database::escape_string($user_id)."' - ORDER BY posts.post_id DESC LIMIT $limit "; + ORDER BY posts.post_id DESC + LIMIT $limit "; $result = Database::query($sql); $post_list = []; while ($row = Database::fetch_array($result)) { diff --git a/main/group/group_space.php b/main/group/group_space.php index f663a5f944..d9ddec97bb 100755 --- a/main/group/group_space.php +++ b/main/group/group_space.php @@ -424,6 +424,7 @@ function get_number_of_group_users() */ function get_group_user_data($from, $number_of_items, $column, $direction) { + $direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction; $groupInfo = GroupManager::get_group_properties(api_get_group_id()); $course_id = api_get_course_int_id(); $column = (int) $column; diff --git a/main/inc/ajax/exercise.ajax.php b/main/inc/ajax/exercise.ajax.php index b2038dc249..8aaf248a6f 100755 --- a/main/inc/ajax/exercise.ajax.php +++ b/main/inc/ajax/exercise.ajax.php @@ -241,7 +241,7 @@ switch ($action) { GROUP BY exe_user_id ) as aa ON aa.exe_user_id = user_id - ORDER BY $sidx $sord + ORDER BY `$sidx` $sord LIMIT $start, $limit"; $result = Database::query($sql); diff --git a/main/inc/ajax/model.ajax.php b/main/inc/ajax/model.ajax.php index 3f52204ba3..8d4956d9d1 100755 --- a/main/inc/ajax/model.ajax.php +++ b/main/inc/ajax/model.ajax.php @@ -1015,7 +1015,7 @@ switch ($action) { $result = $manager->get_all([ 'where' => ['c_id = ? ' => $courseId], - 'order' => "$sidx $sord", + 'order' => "`$sidx` $sord", 'LIMIT' => "$start , $limit", ]); break; @@ -1068,7 +1068,7 @@ switch ($action) { $object->table, [ 'where' => ['session_id = ? ' => $sessionId], - 'order' => "$sidx $sord", + 'order' => "`$sidx` $sord", 'LIMIT' => "$start , $limit", ] ); if ($result) { 
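Review bot: Back-quoting `$sidx` in exercise.ajax.php's ORDER BY only helps if the value can never contain a backtick, and nothing in this hunk, nor in the model.ajax.php hunks that make the same change from 1015 through 2491, shows where `$sidx`, `$sord`, `$start` and `$limit` are validated; if they arrive straight from the grid request, `$sord` and the LIMIT operands are still interpolated raw. The grid handlers already know their sortable columns (model.ajax.php defines `$columns` arrays, e.g. `['display_text', 'option_value', 'option_order']` in the 2491 hunk), so the robust check is a whitelist next to the query: `if (!in_array($sidx, $columns, true)) { $sidx = $columns[0]; }`, `$sord = in_array(strtolower($sord), ['asc', 'desc'], true) ? $sord : 'asc';` and `(int)` casts on `$start`/`$limit`. This is inferred from the visible lines only; if that validation happens earlier in the file, a one-line comment at the query saying so would save the next reader the search. The enclosing switch cases start and end outside the hunks.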
@@ -1231,7 +1231,7 @@ switch ($action) { null, null, "LIMIT $start, $limit", - " $sidx $sord", + " `$sidx` $sord", null, null, true, @@ -1251,7 +1251,7 @@ switch ($action) { null, null, "LIMIT $start, $limit", - " $sidx $sord", + " `$sidx` $sord", null, null, true, @@ -1909,7 +1909,7 @@ switch ($action) { $result = SessionManager::get_sessions_admin_complete( [ 'where' => $whereCondition, - 'order' => "$sidx $sord, s.name", + 'order' => "`$sidx` $sord, s.name", 'extra' => $extra_fields, 'limit' => "$start , $limit", ] @@ -1922,7 +1922,7 @@ switch ($action) { $result = SessionManager::formatSessionsAdminForGrid( [ 'where' => $whereCondition, - 'order' => "$sidx $sord, s.name", + 'order' => "`$sidx` $sord, s.name", 'extra' => $extra_fields, 'limit' => "$start , $limit", ], @@ -1964,7 +1964,7 @@ switch ($action) { $date_to, [ 'where' => $whereCondition, - 'order' => "$sidx $sord", + 'order' => "`$sidx` $sord", 'limit' => "$start , $limit", ] ); @@ -2000,7 +2000,7 @@ switch ($action) { $date_to, [ 'where' => $whereCondition, - 'order' => "$sidx $sord", + 'order' => "`$sidx` $sord", 'limit' => "$start , $limit", ] ); @@ -2041,7 +2041,7 @@ switch ($action) { $date_to, [ 'where' => $whereCondition, - 'order' => "$sidx $sord", + 'order' => "`$sidx` $sord", 'limit' => "$start , $limit", ] ); @@ -2104,7 +2104,7 @@ switch ($action) { null, [ 'where' => $whereCondition, - 'order' => "$sidx $sord", + 'order' => "`$sidx` $sord", 'limit' => "$start , $limit", ] ); @@ -2139,7 +2139,7 @@ switch ($action) { $date_from, [ 'where' => $whereCondition, - 'order' => "$sidx $sord", + 'order' => "`$sidx` $sord", 'limit' => "$start , $limit", ] ); @@ -2158,7 +2158,7 @@ switch ($action) { 'where' => [ 'parent_id = ? AND c_id = ?' => ['0', $course_id], ], - 'order' => "$sidx $sord", + 'order' => "`$sidx` $sord", 'LIMIT' => "$start , $limit", ] ); 
@@ -2184,7 +2184,7 @@ switch ($action) { $result = Database::select( '*', $obj->table, - ['order' => "$sidx $sord", 'LIMIT' => "$start , $limit"] + ['order' => "`$sidx` $sord", 'LIMIT' => "$start , $limit"] ); $new_result = []; foreach ($result as $item) { @@ -2239,7 +2239,7 @@ switch ($action) { $result = Database::select( '*', $obj->table, - ['order' => "$sidx $sord", 'LIMIT' => "$start , $limit"] + ['order' => "`$sidx` $sord", 'LIMIT' => "$start , $limit"] ); $new_result = []; foreach ($result as $item) { @@ -2265,7 +2265,7 @@ switch ($action) { $result = Database::select( '*', $obj->table, - ['order' => "$sidx $sord", 'LIMIT' => "$start , $limit"] + ['order' => "`$sidx` $sord", 'LIMIT' => "$start , $limit"] ); $new_result = []; foreach ($result as $item) { @@ -2285,7 +2285,7 @@ switch ($action) { $result = Database::select( 'p.id,p.name, p.description, c.name as career, p.status', "$obj->table p LEFT JOIN ".Database::get_main_table(TABLE_CAREER)." c ON c.id = p.career_id ", - ['order' => "$sidx $sord", 'LIMIT' => "$start , $limit"] + ['order' => "`$sidx` $sord", 'LIMIT' => "$start , $limit"] ); $new_result = []; @@ -2312,7 +2312,7 @@ switch ($action) { $obj->table, [ 'where' => ['url_id = ? ' => api_get_current_access_url_id()], - 'order' => "$sidx $sord", + 'order' => "`$sidx` $sord", 'LIMIT' => "$start , $limit", ] ); @@ -2331,7 +2331,7 @@ switch ($action) { $result = Database::select( '*', "$obj->table ", - ['order' => "$sidx $sord", 'LIMIT' => "$start , $limit"] + ['order' => "`$sidx` $sord", 'LIMIT' => "$start , $limit"] ); $new_result = []; foreach ($result as $item) { @@ -2491,7 +2491,7 @@ switch ($action) { $columns = ['display_text', 'option_value', 'option_order']; $result = $obj->get_all([ 'where' => ['field_id = ? ' => $field_id], - 'order' => "$sidx $sord", + 'order' => "`$sidx` $sord", 'LIMIT' => "$start , $limit", ]); break; 
@@ -2516,10 +2516,7 @@ switch ($action) { ); break; case 'registered': - $result = $obj->getUserGroupInCourse( - $options, - $groupFilter - ); + $result = $obj->getUserGroupInCourse($options, $groupFilter); break; } diff --git a/main/inc/lib/TicketManager.php b/main/inc/lib/TicketManager.php index 0ee2e6587f..aec9e4ad67 100644 --- a/main/inc/lib/TicketManager.php +++ b/main/inc/lib/TicketManager.php @@ -930,7 +930,7 @@ class TicketManager ) )"; } - $sql .= " ORDER BY $column $direction"; + $sql .= " ORDER BY `$column` $direction"; $sql .= " LIMIT $from, $number_of_items"; $result = Database::query($sql); diff --git a/main/inc/lib/agenda.lib.php b/main/inc/lib/agenda.lib.php index 73e00517ad..900bffa356 100644 --- a/main/inc/lib/agenda.lib.php +++ b/main/inc/lib/agenda.lib.php @@ -1240,9 +1240,7 @@ class Agenda if (!empty($sessionList)) { foreach ($sessionList as $sessionItem) { $sessionId = $sessionItem['id']; - $courses = SessionManager::get_course_list_by_session_id( - $sessionId - ); + $courses = SessionManager::get_course_list_by_session_id($sessionId); $sessionInfo = [ 'session_id' => $sessionId, 'courses' => $courses, @@ -3404,9 +3402,14 @@ class Agenda $current_access_url_id = api_get_current_access_url_id(); - if ($type == "month_view" or $type == "") { + if ($type == "month_view" || $type == "") { // We are in month view - $sql = "SELECT * FROM ".$tbl_global_agenda." WHERE MONTH(start_date) = ".$month." AND YEAR(start_date) = ".$year." AND access_url_id = $current_access_url_id ORDER BY start_date ASC"; + $sql = "SELECT * FROM ".$tbl_global_agenda." + WHERE + MONTH(start_date) = ".$month." AND + YEAR(start_date) = ".$year." AND + access_url_id = $current_access_url_id + ORDER BY start_date ASC"; } // 2. creating the SQL statement for getting the personal agenda items in WEEK view if ($type == "week_view") { // we are in week view 
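Review bot: In the Agenda month-view hunk at 3404, `$month` and `$year` are concatenated into the WHERE clause unquoted, and neither this hunk nor the personal-agenda hunk at 3537 (where `$user_id` does get `intval()`) shows them being cast; if they originate from the request, `$month = (int) $month; $year = (int) $year;` before the query is the missing check. The reformat also keeps `==` in this hunk while the 3537 hunk switches the same condition to `===`; the two should agree. The enclosing method starts and ends outside the hunk.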
@@ -3537,9 +3540,14 @@ class Agenda $user_id = intval($user_id); // 1. creating the SQL statement for getting the personal agenda items in MONTH view - if ($type == "month_view" or $type == "") { + if ($type === "month_view" || $type === "") { // we are in month view - $sql = "SELECT * FROM ".$tbl_personal_agenda." WHERE user='".$user_id."' and MONTH(date)='".$month."' AND YEAR(date) = '".$year."' ORDER BY date ASC"; + $sql = "SELECT * FROM $tbl_personal_agenda + WHERE + user='".$user_id."' AND + MONTH(date)='".$month."' AND + YEAR(date) = '".$year."' + ORDER BY date ASC"; } // 2. creating the SQL statement for getting the personal agenda items in WEEK view diff --git a/main/inc/lib/api.lib.php b/main/inc/lib/api.lib.php index 9b9eb8f2eb..cf28131ea5 100644 --- a/main/inc/lib/api.lib.php +++ b/main/inc/lib/api.lib.php @@ -5070,7 +5070,8 @@ function api_get_languages() function api_get_languages_to_array() { $tbl_language = Database::get_main_table(TABLE_MAIN_LANGUAGE); - $sql = "SELECT * FROM $tbl_language WHERE available='1' ORDER BY original_name ASC"; + $sql = "SELECT * FROM $tbl_language + WHERE available='1' ORDER BY original_name ASC"; $result = Database::query($sql); $languages = []; while ($row = Database::fetch_array($result)) { @@ -6223,11 +6224,13 @@ function api_get_access_urls($from = 0, $to = 1000000, $order = 'url', $directio $table = Database::get_main_table(TABLE_MAIN_ACCESS_URL); $from = (int) $from; $to = (int) $to; - $order = Database::escape_string($order, null, false); - $direction = Database::escape_string($direction, null, false); + $order = Database::escape_string($order); + $direction = Database::escape_string($direction); + $direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction; + $sql = "SELECT id, url, description, active, created_by, tms FROM $table - ORDER BY $order $direction + ORDER BY `$order` $direction LIMIT $to OFFSET $from"; $res = Database::query($sql); 
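Review bot: In api_get_access_urls `$order` is passed through `Database::escape_string()` and then back-quoted, but escape_string does not escape backticks, so the quoting only holds when the value contains none; the SELECT on the next line fixes the legal values, so a whitelist is both simpler and complete: `if (!in_array($order, ['id', 'url', 'description', 'active', 'created_by', 'tms'], true)) { $order = 'url'; }`, reusing the parameter's own default. The new `$direction` check keeps the escaped, un-trimmed, original-case value rather than the normalised one; assigning the lowercase trimmed form would be cleaner. The function continues outside the hunk.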
diff --git a/main/inc/lib/course.lib.php b/main/inc/lib/course.lib.php index f56329f3d3..bfddfe8135 100755 --- a/main/inc/lib/course.lib.php +++ b/main/inc/lib/course.lib.php @@ -239,7 +239,7 @@ class CourseManager } if (!empty($orderby)) { - $sql .= " ORDER BY ".Database::escape_string($orderby)." "; + $sql .= " ORDER BY `".Database::escape_string($orderby)."` "; } else { $sql .= ' ORDER BY 1 '; } @@ -247,11 +247,11 @@ class CourseManager if (!in_array($orderdirection, ['ASC', 'DESC'])) { $sql .= 'ASC'; } else { - $sql .= ($orderdirection == 'ASC' ? 'ASC' : 'DESC'); + $sql .= ($orderdirection === 'ASC' ? 'ASC' : 'DESC'); } if (!empty($howmany) && is_int($howmany) and $howmany > 0) { - $sql .= ' LIMIT '.Database::escape_string($howmany); + $sql .= ' LIMIT '.(int) $howmany; } else { $sql .= ' LIMIT 1000000'; //virtually no limit } @@ -1534,7 +1534,7 @@ class CourseManager // we have to check if it is a valid field that can be sorted on if (!strstr($order_by, 'ORDER BY')) { if (!empty($order_by)) { - $order_by = "ORDER BY $order_by"; + $order_by = "ORDER BY $order_by "; } else { $order_by = ''; } diff --git a/main/inc/lib/database.lib.php b/main/inc/lib/database.lib.php index 18ffddc694..ea9752776c 100755 --- a/main/inc/lib/database.lib.php +++ b/main/inc/lib/database.lib.php @@ -665,7 +665,7 @@ class Database } } else { $value_array = self::escape_string($value_array); - $clean_values = $value_array; + $clean_values = [$value_array]; } if (!empty($condition) && $clean_values != '') { @@ -693,7 +693,7 @@ class Database if (!empty($order_array)) { // 'order' => 'id desc, name desc' - $order_array = self::escape_string($order_array, null, false); + $order_array = self::escape_string($order_array); $new_order_array = explode(',', $order_array); $temp_value = []; 
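Review bot: The comment above the 1534 hunk says the field must be checked for validity, yet the new line still interpolates `$order_by` raw; the change only appends a space, and the only surrounding test, `!strstr($order_by, 'ORDER BY')`, detects a prefix rather than validating the value. If `$order_by` can come from a request, the check the comment promises belongs here, for example comparing the column part against the columns the query selects and falling back to `''`; if callers only ever pass literals, say so in the comment so the gap is visibly intentional. The enclosing method starts and ends outside the hunk.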
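Review bot: In the Database hunk at 665, wrapping the scalar as `[$value_array]` changes what the guard on the next line sees: `$clean_values != ''` can no longer be false for an empty scalar, because a non-empty array never loosely equals `''`, so a `'where' => ['col = ?' => '']` condition that was previously dropped is now emitted with an empty string. If the array form is needed by the substitution code below the hunk (presumably the motivation) and the old skip-on-empty behaviour is still wanted, test the scalar instead: `if (!empty($condition) && $value_array !== '')`; if skipping was never intended, drop the `!= ''` half so the intent is explicit. The method starts and ends outside the hunk.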
@@ -708,10 +708,10 @@ class Database if (in_array($element[1], ['desc', 'asc'])) { $order = $element[1]; } - $temp_value[] = $element[0].' '.$order.' '; + $temp_value[] = ' `'.$element[0].'` '.$order.' '; } else { //by default DESC - $temp_value[] = $element[0].' DESC '; + $temp_value[] = ' `'.$element[0].'` DESC '; } } if (!empty($temp_value)) { diff --git a/main/inc/lib/exercise.lib.php b/main/inc/lib/exercise.lib.php index ef0cf4691a..ce5eb4738b 100644 --- a/main/inc/lib/exercise.lib.php +++ b/main/inc/lib/exercise.lib.php @@ -1987,8 +1987,9 @@ HOTSPOT; } $in_hotpot_path = Database::escape_string($in_hotpot_path); $in_direction = Database::escape_string($in_direction); + $in_direction = !in_array(strtolower(trim($in_direction)), ['asc', 'desc']) ? 'asc' : $in_direction; $in_column = Database::escape_string($in_column); - $in_number_of_items = intval($in_number_of_items); + $in_number_of_items = (int) $in_number_of_items; $in_from = (int) $in_from; $TBL_TRACK_HOTPOTATOES = Database::get_main_table( @@ -2012,7 +2013,7 @@ HOTSPOT; } // get a number of sorted results $sql .= " $where_condition - ORDER BY $in_column $in_direction + ORDER BY `$in_column` $in_direction LIMIT $in_from, $in_number_of_items"; $res = Database::query($sql); @@ -2448,9 +2449,10 @@ HOTSPOT; $column = !empty($column) ? Database::escape_string($column) : null; $from = (int) $from; $number_of_items = (int) $number_of_items; + $direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction; if (!empty($column)) { - $sql .= " ORDER BY $column $direction "; + $sql .= " ORDER BY `$column` $direction "; } if (!$getOnlyIds) { diff --git a/main/inc/lib/groupmanager.lib.php b/main/inc/lib/groupmanager.lib.php index caf6883cb9..741a3a5d22 100755 --- a/main/inc/lib/groupmanager.lib.php +++ b/main/inc/lib/groupmanager.lib.php 
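Review bot: Quoting `$element[0]` as a whole breaks two inputs this order parser visibly receives: alias-qualified names such as `u.lastname` become one identifier containing a dot, and values that callers now pass already back-quoted, namely the model.ajax.php `Database::select()` hunks at 2184, 2239, 2265, 2285 and 2331 whose `'order'` option is the back-quoted `$sidx` followed by `$sord`, are quoted a second time, which MySQL rejects. Strip any backticks from the raw value first (this also neutralises a stray backtick, which `escape_string()` does not escape) and quote each dot-separated segment on its own; the same replacement applies to the `DESC` default branch. That this is the parser behind the `'order'` option is inferred from the `'order' => 'id desc, name desc'` comment in the previous hunk; the method starts outside both hunks.
```php
// … unchanged: split of $order_array into $new_order_array and the per-element loop …
// Quote each dot-separated segment so "u.lastname" stays valid, after removing
// any backticks so an already-quoted caller value is not quoted twice.
$identifier = implode('.', array_map(
    function ($segment) {
        return '`'.$segment.'`';
    },
    explode('.', str_replace('`', '', trim($element[0])))
));
if (in_array($element[1], ['desc', 'asc'])) {
    $order = $element[1];
}
$temp_value[] = ' '.$identifier.' '.$order.' ';
// … unchanged: else branch, now emitting ' '.$identifier.' DESC ' …
```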
@@ -1,4 +1,5 @@ ''" : ' '; + $cond_extra = $notebookView === 'update_date' ? " AND update_date <> ''" : ' '; $course_id = api_get_course_int_id(); $sql = "SELECT * FROM $table diff --git a/main/inc/lib/online.inc.php b/main/inc/lib/online.inc.php index 1581c5c9a2..daa27eca24 100755 --- a/main/inc/lib/online.inc.php +++ b/main/inc/lib/online.inc.php @@ -1,4 +1,5 @@ '".api_get_user_id()."' AND relation_type='".USER_RELATION_TYPE_FRIEND."' AND user_id = '".api_get_user_id()."' - ORDER BY $column $direction + ORDER BY `$column` $direction LIMIT $from, $number_of_items"; } else { $query = "SELECT DISTINCT login_user_id, login_date FROM ".$track_online_table." e INNER JOIN ".$table_user." u ON (u.id = e.login_user_id) WHERE u.status != ".ANONYMOUS." AND login_date >= '".$current_date."' - ORDER BY $column $direction + ORDER BY `$column` $direction LIMIT $from, $number_of_items"; } @@ -357,7 +353,7 @@ function who_is_online( login_date >= '".$current_date."' AND friend_user_id <> '".api_get_user_id()."' AND relation_type='".USER_RELATION_TYPE_FRIEND."' - ORDER BY $column $direction + ORDER BY `$column` $direction LIMIT $from, $number_of_items"; } else { // all users online @@ -367,7 +363,7 @@ function who_is_online( ON (u.id=track.login_user_id) WHERE u.status != ".ANONYMOUS." AND track.access_url_id = $access_url_id AND login_date >= '".$current_date."' - ORDER BY $column $direction + ORDER BY `$column` $direction LIMIT $from, $number_of_items"; } } diff --git a/main/inc/lib/sessionmanager.lib.php b/main/inc/lib/sessionmanager.lib.php index d859fe24dc..53df9fb6d5 100755 --- a/main/inc/lib/sessionmanager.lib.php +++ b/main/inc/lib/sessionmanager.lib.php @@ -803,7 +803,7 @@ class SessionManager $options ) { //escaping vars - $sessionId = $sessionId == 'T' ? 'T' : intval($sessionId); + $sessionId = $sessionId === 'T' ? 'T' : intval($sessionId); $courseId = intval($courseId); //tables 
@@ -813,7 +813,7 @@ class SessionManager $course = api_get_course_info_by_id($courseId); $sessionCond = 'and session_id = %s'; - if ($sessionId == 'T') { + if ($sessionId === 'T') { $sessionCond = ''; } @@ -830,7 +830,7 @@ class SessionManager $order = null; if (!empty($options['order'])) { - $order = " ORDER BY ".$options['order']; + $order = " ORDER BY ".$options['order']." "; } $sql = "SELECT u.id as user_id, u.lastname, u.firstname, u.username, u.email, s.c_id @@ -3347,7 +3347,7 @@ class SessionManager } if (!empty($order)) { - $sql_query .= " ORDER BY $order $direction "; + $sql_query .= " ORDER BY `$order` $direction "; } } @@ -6286,7 +6286,7 @@ class SessionManager if (!empty($column) && !empty($direction)) { $column = str_replace('u.', '', $column); - $sql .= " ORDER BY $column $direction "; + $sql .= " ORDER BY `$column` $direction "; } $limitCondition = ''; diff --git a/main/inc/lib/statistics.lib.php b/main/inc/lib/statistics.lib.php index 2c157eca18..c8e9be9a05 100644 --- a/main/inc/lib/statistics.lib.php +++ b/main/inc/lib/statistics.lib.php @@ -977,7 +977,7 @@ class Statistics HAVING t.c_id <> '' AND DATEDIFF( '".api_get_utc_datetime()."' , access_date ) <= ".$date_diff; } - $sql .= ' ORDER BY '.$columns[$column].' '.$sql_order[$direction]; + $sql .= ' ORDER BY `'.$columns[$column].'` '.$sql_order[$direction]; $from = ($page_nr - 1) * $per_page; $sql .= ' LIMIT '.$from.','.$per_page; diff --git a/main/inc/lib/tracking.lib.php b/main/inc/lib/tracking.lib.php index ab37e9fdc4..f258bdddf1 100755 --- a/main/inc/lib/tracking.lib.php +++ b/main/inc/lib/tracking.lib.php @@ -3784,7 +3784,7 @@ class Tracking if (in_array($orderByName, ['name', 'access_start_date'])) { $orderByDirection = in_array(strtolower($orderByDirection), ['asc', 'desc']) ? $orderByDirection : 'asc'; $orderByName = Database::escape_string($orderByName); - $orderBy .= " ORDER BY $orderByName $orderByDirection"; + $orderBy .= " ORDER BY `$orderByName` $orderByDirection"; } } 
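Review bot: In the SessionManager hunk at 830, `" ORDER BY ".$options['order']." "` still interpolates the caller's order string raw; the change only appends a space, while the other ORDER BY sites in this commit gain back-quotes or a whitelist (the 3347 and 6286 hunks below, for instance). If `$options['order']` can carry grid input it should pass the same column/direction check before reaching the query, or be routed through the `Database::select`-style order parser that now quotes identifiers; if callers only ever pass literals, a comment stating that assumption would make it visible. The method starts and ends outside the hunk.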
@@ -7780,7 +7780,8 @@ class TrackingCourseLog $table_item_property = Database::get_course_table(TABLE_ITEM_PROPERTY); $table_user = Database::get_main_table(TABLE_MAIN_USER); $table_session = Database::get_main_table(TABLE_MAIN_SESSION); - $session_id = intval($session_id); + $column = (int) $column; + $direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction; $sql = "SELECT tool as col0, diff --git a/main/inc/lib/usermanager.lib.php b/main/inc/lib/usermanager.lib.php index 1e5ced3ef8..d72b2503a0 100755 --- a/main/inc/lib/usermanager.lib.php +++ b/main/inc/lib/usermanager.lib.php @@ -2874,7 +2874,7 @@ class UserManager $field_filter = (int) $field_filter; $sqlf .= " AND filter = $field_filter "; } - $sqlf .= " ORDER BY ".$columns[$column]." $sort_direction "; + $sqlf .= " ORDER BY `".$columns[$column]."` $sort_direction "; if ($number_of_items != 0) { $sqlf .= " LIMIT ".intval($from).','.intval($number_of_items); } @@ -4468,7 +4468,9 @@ class UserManager // all the information of the field $sql = "SELECT DISTINCT id, tag from $table_user_tag - WHERE field_id = $field_id AND tag LIKE '$tag%' ORDER BY tag LIMIT $limit"; + WHERE field_id = $field_id AND tag LIKE '$tag%' + ORDER BY tag + LIMIT $limit"; $result = Database::query($sql); $return = []; if (Database::num_rows($result) > 0) { @@ -5487,7 +5489,6 @@ class UserManager $userConditions ) $teacherSelect - ) as t1"; if ($getSql) { @@ -5511,7 +5512,7 @@ class UserManager if (!empty($column) && !empty($direction)) { // Fixing order due the UNIONs $column = str_replace('u.', '', $column); - $orderBy = " ORDER BY $column $direction "; + $orderBy = " ORDER BY `$column` $direction "; } } diff --git a/main/inc/lib/zombie/zombie_manager.class.php b/main/inc/lib/zombie/zombie_manager.class.php index b04b721bed..25185f9475 100755 --- a/main/inc/lib/zombie/zombie_manager.class.php +++ b/main/inc/lib/zombie/zombie_manager.class.php 
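Review bot: The TrackingCourseLog hunk removes `$session_id = intval($session_id);` and puts the `$column`/`$direction` checks in its place, but nothing re-adds a cast for `$session_id`; the method loads `$table_session` on the preceding line, so `$session_id` is very likely still interpolated into the query below the hunk, and dropping the cast would reintroduce exactly the kind of raw interpolation the rest of the commit is closing. Keep the cast next to the new lines: `$session_id = (int) $session_id;`. The query and the rest of the method are outside the hunk, so the use of `$session_id` is inferred.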
@@ -86,10 +86,10 @@ class ZombieManager $sql .= ' AND user.active = 1'; } - $sql .= " ORDER BY $column $direction"; + $sql .= " ORDER BY `$column` $direction"; if (!is_null($from) && !is_null($count)) { - $count = intval($count); - $from = intval($from); + $count = (int) $count; + $from = (int) $from; $sql .= " LIMIT $from, $count "; } diff --git a/main/session/session_category_list.php b/main/session/session_category_list.php index a48011857c..77308b4cca 100644 --- a/main/session/session_category_list.php +++ b/main/session/session_category_list.php @@ -1,9 +1,8 @@ verifyUserPass($username, $password) == "valid") { $user_id = UserManager::get_user_id_from_username($username); $table_message = Database::get_main_table(TABLE_MESSAGE); - $sql_query = "SELECT id FROM $table_message - WHERE user_sender_id=".$user_id." AND msg_status=".MESSAGE_STATUS_OUTBOX." - ORDER BY send_date LIMIT $from,$number_of_items"; + $sql_query = "SELECT id FROM $table_message + WHERE user_sender_id=".$user_id." AND msg_status=".MESSAGE_STATUS_OUTBOX." + ORDER BY send_date + LIMIT $from,$number_of_items"; $sql_result = Database::query($sql_query); $message = "#"; @@ -122,9 +126,9 @@ class WSCMInbox extends WSCM } return $message; - } else { - return get_lang('InvalidId'); } + + return get_lang('InvalidId'); } public function get_message_data_sent($username, $password, $id, $field) @@ -204,7 +208,7 @@ class WSCMInbox extends WSCM protected function set_message_as_read($user_id, $message_id) { $table_message = Database::get_main_table(TABLE_MESSAGE); - $query = "UPDATE $table_message SET msg_status = '".MESSAGE_STATUS_NEW."' + $query = "UPDATE $table_message SET msg_status = '".MESSAGE_STATUS_NEW."' WHERE user_receiver_id=".$user_id." AND id='".$message_id."';"; Database::query($query); } diff --git a/main/webservices/cm_webservice_user.php b/main/webservices/cm_webservice_user.php index 87187271f0..4b5fe04d69 100755 --- a/main/webservices/cm_webservice_user.php 
+++ b/main/webservices/cm_webservice_user.php @@ -196,7 +196,7 @@ class WSCMUser extends WSCM } $order = ''; foreach ($order_by as $orderByItem) { - $order .= Database::escape_string($orderByItem, null, false).', '; + $order .= Database::escape_string($orderByItem).', '; } $order = substr($order, 0, -2); if (count($order_by) > 0) { diff --git a/main/work/work.lib.php b/main/work/work.lib.php index f3ec075c2e..93023364e6 100755 --- a/main/work/work.lib.php +++ b/main/work/work.lib.php @@ -1272,7 +1272,7 @@ function getWorkListStudent( $where_condition "; - $sql .= " ORDER BY $column $direction "; + $sql .= " ORDER BY `$column` $direction "; if (!empty($start) && !empty($limit)) { $sql .= " LIMIT $start, $limit"; @@ -1469,7 +1469,7 @@ function getAllWorkListStudent( $where "; - $sql .= " ORDER BY $column $direction "; + $sql .= " ORDER BY `$column` $direction "; if (!empty($start) && !empty($limit)) { $sql .= " LIMIT $start, $limit"; @@ -1628,7 +1628,7 @@ function getWorkListTeacher( parent_id = 0 AND post_group_id = $groupIid $where_condition - ORDER BY $column $direction + ORDER BY `$column` $direction LIMIT $start, $limit"; $result = Database::query($sql); @@ -1876,7 +1876,7 @@ function get_work_user_list_from_documents( return $result['count']; } - $sql .= " ORDER BY $column $direction"; + $sql .= " ORDER BY `$column` $direction"; $sql .= " LIMIT $start, $limit"; $result = Database::query($sql); @@ -2157,7 +2157,7 @@ function get_work_user_list( $whereCondition $condition_session AND u.status != ".INVITEE." - ORDER BY $column $direction"; + ORDER BY `$column` $direction"; if (!empty($start) && !empty($limit)) { $sql .= " LIMIT $start, $limit"; @@ -2686,7 +2686,7 @@ function getAllWork( $statusCondition AND u.status != ".INVITEE; - $sql .= " ORDER BY $column $direction "; + $sql .= " ORDER BY `$column` $direction "; if (!empty($start) && !empty($limit)) { $sql .= " LIMIT $start, $limit"; 
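Review bot: In WSCMUser `$order` is assembled from `Database::escape_string($orderByItem)` values joined with commas and later used in an ORDER BY (outside the hunk) without the back-quoting or column whitelist this commit adds elsewhere, and escape_string does not neutralise backticks or SQL keywords. If `$order_by` arrives from the web-service request, validate each item against the user-table columns the query can legitimately sort on and fall back to a fixed column; the escaped, joined string alone does not constrain what follows ORDER BY. The method starts and ends outside the hunk.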
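Review bot: Across the six work.lib.php hunks (getWorkListStudent, getAllWorkListStudent, getWorkListTeacher, get_work_user_list_from_documents, get_work_user_list, getAllWork) `$column` is now back-quoted but `$direction` is still interpolated as-is, and none of the hunks shows the `asc`/`desc` whitelist the commit adds to other list functions; `$start`/`$limit` in the LIMIT clauses are not visibly cast either. Unless those checks happen earlier in each function, add `$direction = in_array(strtolower(trim($direction)), ['asc', 'desc'], true) ? $direction : 'asc';` and `(int)` casts for the LIMIT operands next to each ORDER BY. Each enclosing function starts and ends outside its hunk, so this is inferred from the visible lines.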
@@ -5765,10 +5765,9 @@ function getWorkUserList($courseCode, $sessionId, $groupId, $start, $limit, $sid } $orderBy = null; - if (!empty($sidx) && !empty($sord)) { if (in_array($sidx, ['firstname', 'lastname'])) { - $orderBy = "ORDER BY $sidx $sord"; + $orderBy = "ORDER BY `$sidx` $sord"; } } diff --git a/plugin/notebookteacher/src/NotebookTeacher.php b/plugin/notebookteacher/src/NotebookTeacher.php index 69659f4a5f..664c927657 100644 --- a/plugin/notebookteacher/src/NotebookTeacher.php +++ b/plugin/notebookteacher/src/NotebookTeacher.php @@ -301,9 +301,9 @@ class NotebookTeacher // Database table definition $tableNotebook = Database::get_main_table(NotebookTeacherPlugin::TABLE_NOTEBOOKTEACHER); if ($view == 'creation_date' || $view == 'update_date') { - $orderBy = " ORDER BY $view $sortDirection "; + $orderBy = " ORDER BY `$view` $sortDirection "; } else { - $orderBy = " ORDER BY $view $sortDirection "; + $orderBy = " ORDER BY `$view` $sortDirection "; } // condition for the session
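Review bot: In getWorkUserList `$sidx` is whitelisted against `['firstname', 'lastname']`, but `$sord` on the same new line is only checked with `!empty()` and reaches the query unvalidated, so the back-quoting fixes half the clause. Add `$sord = in_array(strtolower($sord), ['asc', 'desc'], true) ? $sord : 'asc';` before the ORDER BY, the same check exercise.class.php performs in its hunk. The function continues outside the hunk.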
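Review bot: In NotebookTeacher both branches of `if ($view == 'creation_date' || $view == 'update_date')` now produce the identical `$orderBy`, so the else branch sends any other `$view` value into the query with only backticks protecting it, and `$sortDirection` is not validated anywhere in the hunk. Collapse the conditional into a whitelist with a fallback and validate the direction: `$view = in_array($view, ['creation_date', 'update_date'], true) ? $view : 'creation_date';`, `$sortDirection = in_array(strtolower($sortDirection), ['asc', 'desc'], true) ? $sortDirection : 'asc';`, then a single `$orderBy = " ORDER BY $view $sortDirection ";`. Whether other `$view` values are legitimate sort columns is not visible here; the method starts and ends outside the hunk.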