chamilo
/
chamilo-lms
mirror of https://github.com/chamilo/chamilo-lms/tree/1.11.x
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add int casting, fix "order by" queries

Browse Source
pull/3859/head
Julio Montoya 5 years ago
parent 13f196eec5
commit 473035f3a2
34 changed files with 163 additions and 110 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 15
      main/admin/course_list.php
  2. 8
      main/admin/course_list_admin.php
  3. 5
      main/admin/course_request_review.php
  4. 5
      main/admin/settings.lib.php
  5. 4
      main/cron/lang/langstats.class.php
  6. 2
      main/exercise/TestCategory.php
  7. 2
      main/exercise/exercise.class.php
  8. 4
      main/forum/forumfunction.inc.php
  9. 1
      main/group/group_space.php
  10. 2
      main/inc/ajax/exercise.ajax.php
  11. 43
      main/inc/ajax/model.ajax.php
  12. 2
      main/inc/lib/TicketManager.php
  13. 22
      main/inc/lib/agenda.lib.php
  14. 11
      main/inc/lib/api.lib.php
  15. 8
      main/inc/lib/course.lib.php
  16. 8
      main/inc/lib/database.lib.php
  17. 8
      main/inc/lib/exercise.lib.php
  18. 7
      main/inc/lib/groupmanager.lib.php
  19. 12
      main/inc/lib/myspace.lib.php
  20. 4
      main/inc/lib/notebook.lib.php
  21. 14
      main/inc/lib/online.inc.php
  22. 10
      main/inc/lib/sessionmanager.lib.php
  23. 2
      main/inc/lib/statistics.lib.php
  24. 5
      main/inc/lib/tracking.lib.php
  25. 9
      main/inc/lib/usermanager.lib.php
  26. 6
      main/inc/lib/zombie/zombie_manager.class.php
  27. 5
      main/session/session_category_list.php
  28. 2
      main/session/session_course_list.php
  29. 2
      main/session/session_course_user_list.php
  30. 2
      main/user/subscribe_user.php
  31. 10
      main/webservices/cm_webservice_inbox.php
  32. 2
      main/webservices/cm_webservice_user.php
  33. 15
      main/work/work.lib.php
  34. 4
      plugin/notebookteacher/src/NotebookTeacher.php

15
main/admin/course_list.php
Unescape View File

@ -41,6 +41,13 @@ function get_course_data($from, $number_of_items, $column, $direction, $dataFunc
{
$addTeacherColumn = api_get_configuration_value('add_teachers_in_course_list');
$table = Database::get_main_table(TABLE_MAIN_COURSE);
$from = (int) $from;
$number_of_items = (int) $number_of_items;
$column = (int) $column;
if (!in_array(strtolower($direction), ['asc', 'desc'])) {
$direction = 'desc';
}
$teachers = '';
if ($addTeacherColumn) {
@ -250,6 +257,14 @@ function get_course_data_by_session($from, $number_of_items, $column, $direction
$session_rel_course = Database::get_main_table(TABLE_MAIN_SESSION_COURSE);
$session = Database::get_main_table(TABLE_MAIN_SESSION);
$from = (int) $from;
$number_of_items = (int) $number_of_items;
$column = (int) $column;
if (!in_array(strtolower($direction), ['asc', 'desc'])) {
$direction = 'desc';
}
$sql = "SELECT
c.code AS col0,
c.title AS col1,

8
main/admin/course_list_admin.php
Unescape View File

@ -42,6 +42,14 @@ function get_course_data($from, $number_of_items, $column, $direction, $dataFunc
$addTeacherColumn = true;
$table = Database::get_main_table(TABLE_MAIN_COURSE);
$from = (int) $from;
$number_of_items = (int) $number_of_items;
$column = (int) $column;
if (!in_array(strtolower($direction), ['asc', 'desc'])) {
$direction = 'desc';
}
$teachers = '';
if ($addTeacherColumn) {
$teachers = " GROUP_CONCAT(cu.user_id SEPARATOR ',') as col4, ";

5
main/admin/course_request_review.php
Unescape View File

@ -129,6 +129,11 @@ function get_request_data($from, $number_of_items, $column, $direction)
global $keyword;
$course_request_table = Database::get_main_table(TABLE_MAIN_COURSE_REQUEST);
$from = (int) $from;
$number_of_items = (int) $number_of_items;
$column = (int) $column;
$direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;
if (DELETE_ACTION_ENABLED) {
$sql = "SELECT id AS col0,
code AS col1,

5
main/admin/settings.lib.php
Unescape View File

@ -1279,6 +1279,11 @@ function getTemplateData($from, $number_of_items, $column, $direction)
// Database table definition.
$table_system_template = Database::get_main_table('system_template');
$from = (int) $from;
$number_of_items = (int) $number_of_items;
$column = (int) $column;
$direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;
// The sql statement.
$sql = "SELECT image as col0, title as col1, id as col2 FROM $table_system_template";
$sql .= " ORDER BY col$column $direction ";

4
main/cron/lang/langstats.class.php
Unescape View File

@ -152,8 +152,10 @@ class langstats
*/
public function get_popular_terms($num = 1000)
{
$num = (int) $num;
$res = $this->db->query(
'SELECT * FROM lang_freq ORDER BY term_count DESC LIMIT '.$num
'SELECT * FROM lang_freq
ORDER BY term_count DESC LIMIT '.$num
);
$list = [];
while ($row = $res->fetchArray()) {

2
main/exercise/TestCategory.php
Unescape View File

@ -236,7 +236,7 @@ class TestCategory
$field = Database::escape_string($field);
$sql = "SELECT $field FROM $table
WHERE c_id = $courseId
ORDER BY $field ASC";
ORDER BY `$field` ASC";
$res = Database::query($sql);
while ($row = Database::fetch_array($res)) {
$categories[] = $row[$field];

2
main/exercise/exercise.class.php
Unescape View File

@ -666,7 +666,7 @@ class Exercise
if (!empty($sidx) && !empty($sord)) {
if ('question' === $sidx) {
if (in_array(strtolower($sord), ['desc', 'asc'])) {
$orderCondition = " ORDER BY q.$sidx $sord";
$orderCondition = " ORDER BY `q.$sidx` $sord";
}
}
}

4
main/forum/forumfunction.inc.php
Unescape View File

@ -6128,6 +6128,7 @@ function get_thread_user_post_limit($course_code, $thread_id, $user_id, $limit =
$course_info = api_get_course_info($course_code);
$course_id = $course_info['real_id'];
$limit = (int) $limit;
$sql = "SELECT * FROM $table_posts posts
LEFT JOIN $table_users users
@ -6136,7 +6137,8 @@ function get_thread_user_post_limit($course_code, $thread_id, $user_id, $limit =
posts.c_id = $course_id AND
posts.thread_id='".Database::escape_string($thread_id)."' AND
posts.poster_id='".Database::escape_string($user_id)."'
ORDER BY posts.post_id DESC LIMIT $limit ";
ORDER BY posts.post_id DESC
LIMIT $limit ";
$result = Database::query($sql);
$post_list = [];
while ($row = Database::fetch_array($result)) {

1
main/group/group_space.php
Unescape View File

@ -424,6 +424,7 @@ function get_number_of_group_users()
*/
function get_group_user_data($from, $number_of_items, $column, $direction)
{
$direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;
$groupInfo = GroupManager::get_group_properties(api_get_group_id());
$course_id = api_get_course_int_id();
$column = (int) $column;

2
main/inc/ajax/exercise.ajax.php
Unescape View File

@ -241,7 +241,7 @@ switch ($action) {
GROUP BY exe_user_id
) as aa
ON aa.exe_user_id = user_id
ORDER BY $sidx $sord
ORDER BY `$sidx` $sord
LIMIT $start, $limit";
$result = Database::query($sql);

43
main/inc/ajax/model.ajax.php
Unescape View File

@ -1015,7 +1015,7 @@ switch ($action) {
$result = $manager->get_all([
'where' => ['c_id = ? ' => $courseId],
'order' => "$sidx $sord",
'order' => "`$sidx` $sord",
'LIMIT' => "$start , $limit",
]);
break;
@ -1068,7 +1068,7 @@ switch ($action) {
$object->table,
[
'where' => ['session_id = ? ' => $sessionId],
'order' => "$sidx $sord",
'order' => "`$sidx` $sord",
'LIMIT' => "$start , $limit", ]
);
if ($result) {
@ -1231,7 +1231,7 @@ switch ($action) {
null,
null,
"LIMIT $start, $limit",
" $sidx $sord",
" `$sidx` $sord",
null,
null,
true,
@ -1251,7 +1251,7 @@ switch ($action) {
null,
null,
"LIMIT $start, $limit",
" $sidx $sord",
" `$sidx` $sord",
null,
null,
true,
@ -1909,7 +1909,7 @@ switch ($action) {
$result = SessionManager::get_sessions_admin_complete(
[
'where' => $whereCondition,
'order' => "$sidx $sord, s.name",
'order' => "`$sidx` $sord, s.name",
'extra' => $extra_fields,
'limit' => "$start , $limit",
]
@ -1922,7 +1922,7 @@ switch ($action) {
$result = SessionManager::formatSessionsAdminForGrid(
[
'where' => $whereCondition,
'order' => "$sidx $sord, s.name",
'order' => "`$sidx` $sord, s.name",
'extra' => $extra_fields,
'limit' => "$start , $limit",
],
@ -1964,7 +1964,7 @@ switch ($action) {
$date_to,
[
'where' => $whereCondition,
'order' => "$sidx $sord",
'order' => "`$sidx` $sord",
'limit' => "$start , $limit",
]
);
@ -2000,7 +2000,7 @@ switch ($action) {
$date_to,
[
'where' => $whereCondition,
'order' => "$sidx $sord",
'order' => "`$sidx` $sord",
'limit' => "$start , $limit",
]
);
@ -2041,7 +2041,7 @@ switch ($action) {
$date_to,
[
'where' => $whereCondition,
'order' => "$sidx $sord",
'order' => "`$sidx` $sord",
'limit' => "$start , $limit",
]
);
@ -2104,7 +2104,7 @@ switch ($action) {
null,
[
'where' => $whereCondition,
'order' => "$sidx $sord",
'order' => "`$sidx` $sord",
'limit' => "$start , $limit",
]
);
@ -2139,7 +2139,7 @@ switch ($action) {
$date_from,
[
'where' => $whereCondition,
'order' => "$sidx $sord",
'order' => "`$sidx` $sord",
'limit' => "$start , $limit",
]
);
@ -2158,7 +2158,7 @@ switch ($action) {
'where' => [
'parent_id = ? AND c_id = ?' => ['0', $course_id],
],
'order' => "$sidx $sord",
'order' => "`$sidx` $sord",
'LIMIT' => "$start , $limit",
]
);
@ -2184,7 +2184,7 @@ switch ($action) {
$result = Database::select(
'*',
$obj->table,
['order' => "$sidx $sord", 'LIMIT' => "$start , $limit"]
['order' => "`$sidx` $sord", 'LIMIT' => "$start , $limit"]
);
$new_result = [];
foreach ($result as $item) {
@ -2239,7 +2239,7 @@ switch ($action) {
$result = Database::select(
'*',
$obj->table,
['order' => "$sidx $sord", 'LIMIT' => "$start , $limit"]
['order' => "`$sidx` $sord", 'LIMIT' => "$start , $limit"]
);
$new_result = [];
foreach ($result as $item) {
@ -2265,7 +2265,7 @@ switch ($action) {
$result = Database::select(
'*',
$obj->table,
['order' => "$sidx $sord", 'LIMIT' => "$start , $limit"]
['order' => "`$sidx` $sord", 'LIMIT' => "$start , $limit"]
);
$new_result = [];
foreach ($result as $item) {
@ -2285,7 +2285,7 @@ switch ($action) {
$result = Database::select(
'p.id,p.name, p.description, c.name as career, p.status',
"$obj->table p LEFT JOIN ".Database::get_main_table(TABLE_CAREER)." c ON c.id = p.career_id ",
['order' => "$sidx $sord", 'LIMIT' => "$start , $limit"]
['order' => "`$sidx` $sord", 'LIMIT' => "$start , $limit"]
);
$new_result = [];
@ -2312,7 +2312,7 @@ switch ($action) {
$obj->table,
[
'where' => ['url_id = ? ' => api_get_current_access_url_id()],
'order' => "$sidx $sord",
'order' => "`$sidx` $sord",
'LIMIT' => "$start , $limit",
]
);
@ -2331,7 +2331,7 @@ switch ($action) {
$result = Database::select(
'*',
"$obj->table ",
['order' => "$sidx $sord", 'LIMIT' => "$start , $limit"]
['order' => "`$sidx` $sord", 'LIMIT' => "$start , $limit"]
);
$new_result = [];
foreach ($result as $item) {
@ -2491,7 +2491,7 @@ switch ($action) {
$columns = ['display_text', 'option_value', 'option_order'];
$result = $obj->get_all([
'where' => ['field_id = ? ' => $field_id],
'order' => "$sidx $sord",
'order' => "`$sidx` $sord",
'LIMIT' => "$start , $limit",
]);
break;
@ -2516,10 +2516,7 @@ switch ($action) {
);
break;
case 'registered':
$result = $obj->getUserGroupInCourse(
$options,
$groupFilter
);
$result = $obj->getUserGroupInCourse($options, $groupFilter);
break;
}

2
main/inc/lib/TicketManager.php
Unescape View File

@ -930,7 +930,7 @@ class TicketManager
)
)";
}
$sql .= " ORDER BY $column $direction";
$sql .= " ORDER BY `$column` $direction";
$sql .= " LIMIT $from, $number_of_items";
$result = Database::query($sql);

22
main/inc/lib/agenda.lib.php
Unescape View File

@ -1240,9 +1240,7 @@ class Agenda
if (!empty($sessionList)) {
foreach ($sessionList as $sessionItem) {
$sessionId = $sessionItem['id'];
$courses = SessionManager::get_course_list_by_session_id(
$sessionId
);
$courses = SessionManager::get_course_list_by_session_id($sessionId);
$sessionInfo = [
'session_id' => $sessionId,
'courses' => $courses,
@ -3404,9 +3402,14 @@ class Agenda
$current_access_url_id = api_get_current_access_url_id();
if ($type == "month_view" or $type == "") {
if ($type == "month_view" || $type == "") {
// We are in month view
$sql = "SELECT * FROM ".$tbl_global_agenda." WHERE MONTH(start_date) = ".$month." AND YEAR(start_date) = ".$year." AND access_url_id = $current_access_url_id ORDER BY start_date ASC";
$sql = "SELECT * FROM ".$tbl_global_agenda."
WHERE
MONTH(start_date) = ".$month." AND
YEAR(start_date) = ".$year." AND
access_url_id = $current_access_url_id
ORDER BY start_date ASC";
}
// 2. creating the SQL statement for getting the personal agenda items in WEEK view
if ($type == "week_view") { // we are in week view
@ -3537,9 +3540,14 @@ class Agenda
$user_id = intval($user_id);
// 1. creating the SQL statement for getting the personal agenda items in MONTH view
if ($type == "month_view" or $type == "") {
if ($type === "month_view" || $type === "") {
// we are in month view
$sql = "SELECT * FROM ".$tbl_personal_agenda." WHERE user='".$user_id."' and MONTH(date)='".$month."' AND YEAR(date) = '".$year."' ORDER BY date ASC";
$sql = "SELECT * FROM $tbl_personal_agenda
WHERE
user='".$user_id."' AND
MONTH(date)='".$month."' AND
YEAR(date) = '".$year."'
ORDER BY date ASC";
}
// 2. creating the SQL statement for getting the personal agenda items in WEEK view

11
main/inc/lib/api.lib.php
Unescape View File

@ -5070,7 +5070,8 @@ function api_get_languages()
function api_get_languages_to_array()
{
$tbl_language = Database::get_main_table(TABLE_MAIN_LANGUAGE);
$sql = "SELECT * FROM $tbl_language WHERE available='1' ORDER BY original_name ASC";
$sql = "SELECT * FROM $tbl_language
WHERE available='1' ORDER BY original_name ASC";
$result = Database::query($sql);
$languages = [];
while ($row = Database::fetch_array($result)) {
@ -6223,11 +6224,13 @@ function api_get_access_urls($from = 0, $to = 1000000, $order = 'url', $directio
$table = Database::get_main_table(TABLE_MAIN_ACCESS_URL);
$from = (int) $from;
$to = (int) $to;
$order = Database::escape_string($order, null, false);
$direction = Database::escape_string($direction, null, false);
$order = Database::escape_string($order);
$direction = Database::escape_string($direction);
$direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;
$sql = "SELECT id, url, description, active, created_by, tms
FROM $table
ORDER BY $order $direction
ORDER BY `$order` $direction
LIMIT $to OFFSET $from";
$res = Database::query($sql);

8
main/inc/lib/course.lib.php
Unescape View File

@ -239,7 +239,7 @@ class CourseManager
}
if (!empty($orderby)) {
$sql .= " ORDER BY ".Database::escape_string($orderby)." ";
$sql .= " ORDER BY `".Database::escape_string($orderby)."` ";
} else {
$sql .= ' ORDER BY 1 ';
}
@ -247,11 +247,11 @@ class CourseManager
if (!in_array($orderdirection, ['ASC', 'DESC'])) {
$sql .= 'ASC';
} else {
$sql .= ($orderdirection == 'ASC' ? 'ASC' : 'DESC');
$sql .= ($orderdirection === 'ASC' ? 'ASC' : 'DESC');
}
if (!empty($howmany) && is_int($howmany) and $howmany > 0) {
$sql .= ' LIMIT '.Database::escape_string($howmany);
$sql .= ' LIMIT '.(int) $howmany;
} else {
$sql .= ' LIMIT 1000000'; //virtually no limit
}
@ -1534,7 +1534,7 @@ class CourseManager
// we have to check if it is a valid field that can be sorted on
if (!strstr($order_by, 'ORDER BY')) {
if (!empty($order_by)) {
$order_by = "ORDER BY $order_by";
$order_by = "ORDER BY $order_by ";
} else {
$order_by = '';
}

8
main/inc/lib/database.lib.php
Unescape View File

@ -665,7 +665,7 @@ class Database
}
} else {
$value_array = self::escape_string($value_array);
$clean_values = $value_array;
$clean_values = [$value_array];
}
if (!empty($condition) && $clean_values != '') {
@ -693,7 +693,7 @@ class Database
if (!empty($order_array)) {
// 'order' => 'id desc, name desc'
$order_array = self::escape_string($order_array, null, false);
$order_array = self::escape_string($order_array);
$new_order_array = explode(',', $order_array);
$temp_value = [];
@ -708,10 +708,10 @@ class Database
if (in_array($element[1], ['desc', 'asc'])) {
$order = $element[1];
}
$temp_value[] = $element[0].' '.$order.' ';
$temp_value[] = ' `'.$element[0].'` '.$order.' ';
} else {
//by default DESC
$temp_value[] = $element[0].' DESC ';
$temp_value[] = ' `'.$element[0].'` DESC ';
}
}
if (!empty($temp_value)) {

8
main/inc/lib/exercise.lib.php
Unescape View File

@ -1987,8 +1987,9 @@ HOTSPOT;
}
$in_hotpot_path = Database::escape_string($in_hotpot_path);
$in_direction = Database::escape_string($in_direction);
$in_direction = !in_array(strtolower(trim($in_direction)), ['asc', 'desc']) ? 'asc' : $in_direction;
$in_column = Database::escape_string($in_column);
$in_number_of_items = intval($in_number_of_items);
$in_number_of_items = (int) $in_number_of_items;
$in_from = (int) $in_from;
$TBL_TRACK_HOTPOTATOES = Database::get_main_table(
@ -2012,7 +2013,7 @@ HOTSPOT;
}
// get a number of sorted results
$sql .= " $where_condition
ORDER BY $in_column $in_direction
ORDER BY `$in_column` $in_direction
LIMIT $in_from, $in_number_of_items";
$res = Database::query($sql);
@ -2448,9 +2449,10 @@ HOTSPOT;
$column = !empty($column) ? Database::escape_string($column) : null;
$from = (int) $from;
$number_of_items = (int) $number_of_items;
$direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;
if (!empty($column)) {
$sql .= " ORDER BY $column $direction ";
$sql .= " ORDER BY `$column` $direction ";
}
if (!$getOnlyIds) {

7
main/inc/lib/groupmanager.lib.php
Unescape View File

@ -1,4 +1,5 @@
<?php
/* For licensing terms, see /license.txt */
use Chamilo\CourseBundle\Entity\CGroupRelUser;
@ -1233,9 +1234,9 @@ class GroupManager
g.id = $group_id";
if (!empty($column) && !empty($direction)) {
$column = Database::escape_string($column, null, false);
$direction = ('ASC' == $direction ? 'ASC' : 'DESC');
$sql .= " ORDER BY $column $direction";
$column = Database::escape_string($column);
$direction = ('ASC' === $direction ? 'ASC' : 'DESC');
$sql .= " ORDER BY `$column` $direction";
}
if (!empty($start) && !empty($limit)) {

12
main/inc/lib/myspace.lib.php
Unescape View File

@ -552,7 +552,7 @@ class MySpace
}
}
if (!empty($order[$tracking_column])) {
$sqlCoachs .= ' ORDER BY '.$order[$tracking_column].' '.$tracking_direction;
$sqlCoachs .= " ORDER BY `".$order[$tracking_column]."` ".$tracking_direction;
}
$result_coaches = Database::query($sqlCoachs);
@ -3041,9 +3041,10 @@ class MySpace
$direction = 'ASC';
}
$column = intval($column);
$from = intval($from);
$number_of_items = intval($number_of_items);
$column = (int) $column;
$from = (int) $from;
$number_of_items = (int) $number_of_items;
$sql .= " ORDER BY col$column $direction ";
$sql .= " LIMIT $from,$number_of_items";
@ -3173,7 +3174,7 @@ class MySpace
}
$order = [
"$column $direction",
" `$column` $direction",
];
$userList = UserManager::get_user_list([], $order, $from, $numberItems);
$return = [];
@ -3874,6 +3875,7 @@ class MySpace
$numberItems = (int) $numberItems;
$column = (int) $column;
$orderDirection = Database::escape_string($orderDirection);
$orderDirection = !in_array(strtolower(trim($orderDirection)), ['asc', 'desc']) ? 'asc' : $orderDirection;
$user = Database::get_main_table(TABLE_MAIN_USER);
$course = Database::get_main_table(TABLE_MAIN_COURSE);

4
main/inc/lib/notebook.lib.php
Unescape View File

@ -274,12 +274,12 @@ class NotebookManager
// Database table definition
$table = Database::get_course_table(TABLE_NOTEBOOK);
$order_by = ' ORDER BY '.$notebookView." $sort_direction ";
$order_by = " ORDER BY `$notebookView` $sort_direction ";
// Condition for the session
$condition_session = api_get_session_condition($sessionId);
$cond_extra = $notebookView == 'update_date' ? " AND update_date <> ''" : ' ';
$cond_extra = $notebookView === 'update_date' ? " AND update_date <> ''" : ' ';
$course_id = api_get_course_int_id();
$sql = "SELECT * FROM $table

14
main/inc/lib/online.inc.php
Unescape View File

@ -1,4 +1,5 @@
<?php
/* For licensing terms, see /license.txt */
use ChamiloSession as Session;
@ -10,11 +11,6 @@ use ChamiloSession as Session;
* @author Denes Nagy, principal author
* @author Bart Mollet
* @author Roan Embrechts, cleaning and bugfixing
*
* @package chamilo.whoisonline
*/
/**
* Insert a login reference for the current user into the track_e_online stats
* table. This table keeps trace of the last login. Nothing else matters (we
* don't keep traces of anything older).
@ -334,14 +330,14 @@ function who_is_online(
friend_user_id <> '".api_get_user_id()."' AND
relation_type='".USER_RELATION_TYPE_FRIEND."' AND
user_id = '".api_get_user_id()."'
ORDER BY $column $direction
ORDER BY `$column` $direction
LIMIT $from, $number_of_items";
} else {
$query = "SELECT DISTINCT login_user_id, login_date
FROM ".$track_online_table." e
INNER JOIN ".$table_user." u ON (u.id = e.login_user_id)
WHERE u.status != ".ANONYMOUS." AND login_date >= '".$current_date."'
ORDER BY $column $direction
ORDER BY `$column` $direction
LIMIT $from, $number_of_items";
}
@ -357,7 +353,7 @@ function who_is_online(
login_date >= '".$current_date."' AND
friend_user_id <> '".api_get_user_id()."' AND
relation_type='".USER_RELATION_TYPE_FRIEND."'
ORDER BY $column $direction
ORDER BY `$column` $direction
LIMIT $from, $number_of_items";
} else {
// all users online
@ -367,7 +363,7 @@ function who_is_online(
ON (u.id=track.login_user_id)
WHERE u.status != ".ANONYMOUS." AND track.access_url_id = $access_url_id AND
login_date >= '".$current_date."'
ORDER BY $column $direction
ORDER BY `$column` $direction
LIMIT $from, $number_of_items";
}
}

10
main/inc/lib/sessionmanager.lib.php
Unescape View File

@ -803,7 +803,7 @@ class SessionManager
$options
) {
//escaping vars
$sessionId = $sessionId == 'T' ? 'T' : intval($sessionId);
$sessionId = $sessionId === 'T' ? 'T' : intval($sessionId);
$courseId = intval($courseId);
//tables
@ -813,7 +813,7 @@ class SessionManager
$course = api_get_course_info_by_id($courseId);
$sessionCond = 'and session_id = %s';
if ($sessionId == 'T') {
if ($sessionId === 'T') {
$sessionCond = '';
}
@ -830,7 +830,7 @@ class SessionManager
$order = null;
if (!empty($options['order'])) {
$order = " ORDER BY ".$options['order'];
$order = " ORDER BY ".$options['order']." ";
}
$sql = "SELECT u.id as user_id, u.lastname, u.firstname, u.username, u.email, s.c_id
@ -3347,7 +3347,7 @@ class SessionManager
}
if (!empty($order)) {
$sql_query .= " ORDER BY $order $direction ";
$sql_query .= " ORDER BY `$order` $direction ";
}
}
@ -6286,7 +6286,7 @@ class SessionManager
if (!empty($column) && !empty($direction)) {
$column = str_replace('u.', '', $column);
$sql .= " ORDER BY $column $direction ";
$sql .= " ORDER BY `$column` $direction ";
}
$limitCondition = '';

2
main/inc/lib/statistics.lib.php
Unescape View File

@ -977,7 +977,7 @@ class Statistics
HAVING t.c_id <> ''
AND DATEDIFF( '".api_get_utc_datetime()."' , access_date ) <= ".$date_diff;
}
$sql .= ' ORDER BY '.$columns[$column].' '.$sql_order[$direction];
$sql .= ' ORDER BY `'.$columns[$column].'` '.$sql_order[$direction];
$from = ($page_nr - 1) * $per_page;
$sql .= ' LIMIT '.$from.','.$per_page;

5
main/inc/lib/tracking.lib.php
Unescape View File

@ -3784,7 +3784,7 @@ class Tracking
if (in_array($orderByName, ['name', 'access_start_date'])) {
$orderByDirection = in_array(strtolower($orderByDirection), ['asc', 'desc']) ? $orderByDirection : 'asc';
$orderByName = Database::escape_string($orderByName);
$orderBy .= " ORDER BY $orderByName $orderByDirection";
$orderBy .= " ORDER BY `$orderByName` $orderByDirection";
}
}
@ -7780,7 +7780,8 @@ class TrackingCourseLog
$table_item_property = Database::get_course_table(TABLE_ITEM_PROPERTY);
$table_user = Database::get_main_table(TABLE_MAIN_USER);
$table_session = Database::get_main_table(TABLE_MAIN_SESSION);
$session_id = intval($session_id);
$column = (int) $column;
$direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;
$sql = "SELECT
tool as col0,

9
main/inc/lib/usermanager.lib.php
Unescape View File

@ -2874,7 +2874,7 @@ class UserManager
$field_filter = (int) $field_filter;
$sqlf .= " AND filter = $field_filter ";
}
$sqlf .= " ORDER BY ".$columns[$column]." $sort_direction ";
$sqlf .= " ORDER BY `".$columns[$column]."` $sort_direction ";
if ($number_of_items != 0) {
$sqlf .= " LIMIT ".intval($from).','.intval($number_of_items);
}
@ -4468,7 +4468,9 @@ class UserManager
// all the information of the field
$sql = "SELECT DISTINCT id, tag from $table_user_tag
WHERE field_id = $field_id AND tag LIKE '$tag%' ORDER BY tag LIMIT $limit";
WHERE field_id = $field_id AND tag LIKE '$tag%'
ORDER BY tag
LIMIT $limit";
$result = Database::query($sql);
$return = [];
if (Database::num_rows($result) > 0) {
@ -5487,7 +5489,6 @@ class UserManager
$userConditions
)
$teacherSelect
) as t1";
if ($getSql) {
@ -5511,7 +5512,7 @@ class UserManager
if (!empty($column) && !empty($direction)) {
// Fixing order due the UNIONs
$column = str_replace('u.', '', $column);
$orderBy = " ORDER BY $column $direction ";
$orderBy = " ORDER BY `$column` $direction ";
}
}

6
main/inc/lib/zombie/zombie_manager.class.php
Unescape View File

@ -86,10 +86,10 @@ class ZombieManager
$sql .= ' AND user.active = 1';
}
$sql .= " ORDER BY $column $direction";
$sql .= " ORDER BY `$column` $direction";
if (!is_null($from) && !is_null($count)) {
$count = intval($count);
$from = intval($from);
$count = (int) $count;
$from = (int) $from;
$sql .= " LIMIT $from, $count ";
}

5
main/session/session_category_list.php
Unescape View File

@ -1,9 +1,8 @@
<?php
/* For licensing terms, see /license.txt */
/**
* List sessions categories.
*
* @package chamilo.admin
*/
$cidReset = true;
@ -87,7 +86,7 @@ if (isset($_GET['search']) && $_GET['search'] === 'advanced') {
) as nbr_session
FROM $tbl_session_category sc
$where
ORDER BY $sort $order
ORDER BY `$sort` $order
LIMIT $from,".($limit + 1);
$query_rows = "SELECT count(*) as total_rows

2
main/session/session_course_list.php
Unescape View File

@ -57,7 +57,7 @@ $from = $page * $limit;
$sql = "SELECT c.id, c.code, c.title, nbr_users
FROM $tbl_session_rel_course, $tbl_course c
WHERE c_id = c.id AND session_id='$id_session'
ORDER BY $sort
ORDER BY `$sort`
LIMIT $from,".($limit + 1);
$result = Database::query($sql);
$Courses = Database::store_result($result);

2
main/session/session_course_user_list.php
Unescape View File

@ -101,7 +101,7 @@ $sql = "
WHERE
s.session_id = $id_session AND
url.access_url_id = $urlId
ORDER BY $sort $direction
ORDER BY `$sort` $direction
LIMIT $from,".($limit + 1);
if ($direction === 'desc') {

2
main/user/subscribe_user.php
Unescape View File

@ -659,6 +659,8 @@ function get_user_data($from, $number_of_items, $column, $direction)
}
$sql .= " AND u.status != ".ANONYMOUS." ";
$column = (int) $column;
$direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;
// Sorting and pagination (used by the sortable table)
$sql .= " ORDER BY col$column $direction ";
$from = (int) $from;

10
main/webservices/cm_webservice_inbox.php
Unescape View File

@ -107,13 +107,17 @@ class WSCMInbox extends WSCM
$from,
$number_of_items
) {
$from = (int) $from;
$number_of_items = (int) $number_of_items;
if ($this->verifyUserPass($username, $password) == "valid") {
$user_id = UserManager::get_user_id_from_username($username);
$table_message = Database::get_main_table(TABLE_MESSAGE);
$sql_query = "SELECT id FROM $table_message
WHERE user_sender_id=".$user_id." AND msg_status=".MESSAGE_STATUS_OUTBOX."
ORDER BY send_date LIMIT $from,$number_of_items";
ORDER BY send_date
LIMIT $from,$number_of_items";
$sql_result = Database::query($sql_query);
$message = "#";
@ -122,9 +126,9 @@ class WSCMInbox extends WSCM
}
return $message;
} else {
return get_lang('InvalidId');
}
return get_lang('InvalidId');
}
public function get_message_data_sent($username, $password, $id, $field)

2
main/webservices/cm_webservice_user.php
Unescape View File

@ -196,7 +196,7 @@ class WSCMUser extends WSCM
}
$order = '';
foreach ($order_by as $orderByItem) {
$order .= Database::escape_string($orderByItem, null, false).', ';
$order .= Database::escape_string($orderByItem).', ';
}
$order = substr($order, 0, -2);
if (count($order_by) > 0) {

15
main/work/work.lib.php
Unescape View File

@ -1272,7 +1272,7 @@ function getWorkListStudent(
$where_condition
";
$sql .= " ORDER BY $column $direction ";
$sql .= " ORDER BY `$column` $direction ";
if (!empty($start) && !empty($limit)) {
$sql .= " LIMIT $start, $limit";
@ -1469,7 +1469,7 @@ function getAllWorkListStudent(
$where
";
$sql .= " ORDER BY $column $direction ";
$sql .= " ORDER BY `$column` $direction ";
if (!empty($start) && !empty($limit)) {
$sql .= " LIMIT $start, $limit";
@ -1628,7 +1628,7 @@ function getWorkListTeacher(
parent_id = 0 AND
post_group_id = $groupIid
$where_condition
ORDER BY $column $direction
ORDER BY `$column` $direction
LIMIT $start, $limit";
$result = Database::query($sql);
@ -1876,7 +1876,7 @@ function get_work_user_list_from_documents(
return $result['count'];
}
$sql .= " ORDER BY $column $direction";
$sql .= " ORDER BY `$column` $direction";
$sql .= " LIMIT $start, $limit";
$result = Database::query($sql);
@ -2157,7 +2157,7 @@ function get_work_user_list(
$whereCondition
$condition_session
AND u.status != ".INVITEE."
ORDER BY $column $direction";
ORDER BY `$column` $direction";
if (!empty($start) && !empty($limit)) {
$sql .= " LIMIT $start, $limit";
@ -2686,7 +2686,7 @@ function getAllWork(
$statusCondition
AND u.status != ".INVITEE;
$sql .= " ORDER BY $column $direction ";
$sql .= " ORDER BY `$column` $direction ";
if (!empty($start) && !empty($limit)) {
$sql .= " LIMIT $start, $limit";
@ -5765,10 +5765,9 @@ function getWorkUserList($courseCode, $sessionId, $groupId, $start, $limit, $sid
}
$orderBy = null;
if (!empty($sidx) && !empty($sord)) {
if (in_array($sidx, ['firstname', 'lastname'])) {
$orderBy = "ORDER BY $sidx $sord";
$orderBy = "ORDER BY `$sidx` $sord";
}
}

4
plugin/notebookteacher/src/NotebookTeacher.php
Unescape View File

@ -301,9 +301,9 @@ class NotebookTeacher
// Database table definition
$tableNotebook = Database::get_main_table(NotebookTeacherPlugin::TABLE_NOTEBOOKTEACHER);
if ($view == 'creation_date' || $view == 'update_date') {
$orderBy = " ORDER BY $view $sortDirection ";
$orderBy = " ORDER BY `$view` $sortDirection ";
} else {
$orderBy = " ORDER BY $view $sortDirection ";
$orderBy = " ORDER BY `$view` $sortDirection ";
}
// condition for the session

Write Preview
Loading…
Cancel
Save