chamilo
/
chamilo-lms
mirror of https://github.com/chamilo/chamilo-lms/tree/1.11.x
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

[svn r21094] Security improvements FS#4261

Browse Source
skala
Julio Montoya 17 years ago
parent 3626c3917f
commit 4912bf99c2
1 changed files with 152 additions and 46 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 148
      main/reservation/rsys.php

148
main/reservation/rsys.php
Unescape View File

@ -58,7 +58,7 @@ class Rsys {
*/
function get_num_subscriptions_reservationperiods($res_id) {
$sql = "SELECT COUNT(*) FROM ".Rsys :: getTable("subscription")." s
WHERE s.reservation_id = '".$res_id."'";
WHERE s.reservation_id = '".Database::escape_string($res_id)."'";
return @ Database::result(api_sql_query($sql, __FILE__, __LINE__), 0, 0);
}
@ -179,7 +179,7 @@ class Rsys {
* @return - boolean True or False
*/
function check_category($name, $id=0) {
$sql = "SELECT name FROM ".Rsys :: getTable("category")." WHERE LCASE(name)='".strtolower($name)."' AND id<>".Database::escape_string($id)."";
$sql = "SELECT name FROM ".Rsys :: getTable("category")." WHERE LCASE(name)='".strtolower(Database::escape_string($name))."' AND id<>".Database::escape_string($id)."";
$Result = api_sql_query($sql, __FILE__, __LINE__);
return (Database::num_rows($Result) == 0);
}
@ -289,6 +289,13 @@ class Rsys {
$keyword = Database::escape_string($_GET['keyword']);
$sql .= " WHERE name LIKE '%".Database::escape_string($keyword)."%' OR id LIKE '%".Database::escape_string($keyword)."%'";
}
$from = intval($from);
$per_page = intval($per_page);
$column = intval($column);
if(!in_array($direction, array('ASC','DESC'))) {
$direction = 'ASC';
}
$sql .= " ORDER BY col".$column." ".$direction." LIMIT ".$from.",".$per_page;
$result = api_sql_query($sql, __FILE__, __LINE__);
while ($array = Database::fetch_array($result, 'NUM'))
@ -423,7 +430,7 @@ class Rsys {
LEFT JOIN ".Rsys :: getTable("item_rights")." ir ON ir.item_id=i.id
LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS)." c ON ir.class_id=c.id AND ir.item_id = i.id
LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS_USER)." cu ON cu.class_id = c.id
WHERE i.id='".$item_id."' AND (". (!empty ($x) ? "(cu.user_id='".api_get_user_id()."' AND ".$x.") OR " : '')." i.creator='".api_get_user_id()."' OR 1=". (api_is_platform_admin() ? 1 : 0).")";
WHERE i.id='".Database::escape_string($item_id)."' AND (". (!empty ($x) ? "(cu.user_id='".api_get_user_id()."' AND ".$x.") OR " : '')." i.creator='".api_get_user_id()."' OR 1=". (api_is_platform_admin() ? 1 : 0).")";
return Database::num_rows(api_sql_query($sql, __FILE__, __LINE__)) > 0;
}
@ -505,7 +512,14 @@ class Rsys {
WHERE ((cu.user_id='".api_get_user_id()."' AND (ir.edit_right=1 OR ir.delete_right=1)) OR i.creator='".api_get_user_id()."' OR 1=". (api_is_platform_admin() ? 1 : 0).")";
if (!empty ($_GET['cat']) && $_GET['cat'] <> 0) {
$sql .= " AND ca.id = '".$_GET['cat']."' ";
$sql .= " AND ca.id = '".Database::escape_string($_GET['cat'])."' ";
}
$from = intval($from);
$per_page = intval($per_page);
$column = intval($column);
if(!in_array($direction, array('ASC','DESC'))) {
$direction = 'ASC';
}
$sql .= " GROUP BY i.id ORDER BY col".$column." ".$direction." LIMIT ".$from.",".$per_page;
@ -560,7 +574,7 @@ class Rsys {
* @return - Array The returned rows
*/
function get_table_itemrights($from, $per_page, $column, $direction) {
$itemid = $_GET['item_id'];
$itemid = Database::escape_string($_GET['item_id']);
$sql = "SELECT id, name FROM ".Database :: get_main_table(TABLE_MAIN_CLASS);
$result = api_sql_query($sql, __FILE__, __LINE__);
while ($array = Database::fetch_array($result, 'NUM')) {
@ -618,14 +632,20 @@ class Rsys {
}
function set_new_right($item_id, $class_id, $column, $value) {
$item_id = Database::escape_string($item_id);
$class_id = Database::escape_string($class_id);
$value = Database::escape_string($value);
$column = Database::escape_string($column);
$sql = "SELECT item_id FROM ".Rsys :: getTable("item_rights")."WHERE item_id=".$item_id." AND class_id=".$class_id;
$result = api_sql_query($sql, __FILE__, __LINE__);
$switcher = Database::num_rows($result);
if ($switcher > 0) {
$sql = $sql = "UPDATE ".Rsys :: getTable("item_rights")." SET ".$column."='".Database::escape_string($value)."' WHERE class_id = '".$class_id."' AND item_id ='".$item_id."'";
$sql = $sql = "UPDATE ".Rsys :: getTable("item_rights")." SET ".$column."='".$value."' WHERE class_id = '".$class_id."' AND item_id ='".$item_id."'";
api_sql_query($sql, __FILE__, __LINE__);
} else {
$sql = "INSERT INTO ".Rsys :: getTable("item_rights")." (item_id,class_id,".$column.") VALUES ('".Database::escape_string($item_id)."','".Database::escape_string($class_id)."','".$value."')";
$sql = "INSERT INTO ".Rsys :: getTable("item_rights")." (item_id,class_id,".$column.") VALUES ('".$item_id."','".$class_id."','".$value."')";
api_sql_query($sql, __FILE__, __LINE__);
}
}
@ -647,6 +667,7 @@ class Rsys {
* @return - Array The returned rows
*/
function get_itemfiltered_class($item_id) {
$item_id = Database::escape_string($item_id);
$sql = "SELECT * FROM ".Database :: get_main_table(TABLE_MAIN_CLASS)." WHERE id NOT IN (SELECT class_id FROM ".Rsys :: getTable("item_rights")." WHERE item_id='".$item_id."') ORDER BY name ASC, code ASC";
$arr = api_store_result(api_sql_query($sql, __FILE__, __LINE__));
return $arr;
@ -659,6 +680,7 @@ class Rsys {
* @return - int The amount
*/
function get_num_itemfiltered_class($item_id) {
$item_id = Database::escape_string($item_id);
$sql = "SELECT COUNT(id) FROM ".Database :: get_main_table(TABLE_MAIN_CLASS)." WHERE id NOT IN (SELECT class_id FROM ".Rsys :: getTable("item_rights")." WHERE item_id='".$item_id."') ORDER BY name ASC, code ASC";
return Database::result(api_sql_query($sql, __FILE__, __LINE__), 0, 0);
}
@ -690,6 +712,9 @@ class Rsys {
* @return - int The id
*/
function edit_item_right($item_id, $class_id, $edit, $delete, $m_reservation) {
$item_id = Database::escape_string($item_id);
$class_id = Database::escape_string($class_id);
if (!Rsys :: item_allow($item_id, 'm_rights'))
return false;
$sql = "UPDATE ".Rsys :: getTable("item_rights")." SET edit_right='".Database::escape_string($edit)."', delete_right='".Database::escape_string($delete)."', m_reservation='".Database::escape_string($m_reservation)."' WHERE class_id = '".$class_id."' AND item_id ='".$item_id."'";
@ -702,6 +727,9 @@ class Rsys {
* @param - int $id The id
*/
function delete_item_right($item_id, $class_id) {
$item_id = Database::escape_string($item_id);
$class_id = Database::escape_string($class_id);
if (!Rsys :: item_allow($item_id, 'm_rights'))
return false;
$sql = "DELETE FROM ".Rsys :: getTable("item_rights")." WHERE item_id='".$item_id."' AND class_id='".$class_id."'";
@ -709,18 +737,23 @@ class Rsys {
}
function get_class_group($class_id) {
$class_id = Database::escape_string($class_id);
$sql = "SELECT * FROM ".Database :: get_main_table(TABLE_MAIN_CLASS)." WHERE id='".$class_id."'";
$arr = api_store_result(api_sql_query($sql, __FILE__, __LINE__));
return $arr;
}
function get_item_rights($item_id, $class_id) {
$item_id = Database::escape_string($item_id);
$class_id = Database::escape_string($class_id);
$sql = "SELECT * FROM ".Rsys :: getTable('item_rights')." WHERE item_id='".$item_id."' AND class_id='".$class_id."'";
$arr = api_store_result(api_sql_query($sql, __FILE__, __LINE__));
return $arr;
}
function black_out_changer($item_id) {
$item_id = Database::escape_string($item_id);
$sql = "SELECT blackout FROM ".Rsys :: getTable("item")." WHERE id='".$item_id."'";
$Value = api_store_result(api_sql_query($sql, __FILE__, __LINE__));
($Value[0][0] == 0 ? $changedValue = 1 : $changedValue = 0);
@ -731,6 +764,9 @@ class Rsys {
}
function black_out_notifier($item_id, $value) {
$item_id = Database::escape_string($item_id);
$value = Database::escape_string($value);
$sql = "SELECT id, timepicker FROM ".Rsys :: getTable('reservation')."
WHERE item_id='".$item_id."' AND subscribers > '0'";
$value == 1 ? $sql .= " AND end_at >= (NOW()-7000000) " : $sql .= " AND end_at >= NOW()";
@ -796,6 +832,13 @@ class Rsys {
}
function check_date($item_id, $start_date, $end_date, $start_at, $end_at) {
$item_id = Database::escape_string($item_id);
$start_date = Database::escape_string($start_date);
$end_date = Database::escape_string($end_date);
$start_at = Database::escape_string($start_at);
$end_at = Database::escape_string($end_at);
$sql = "SELECT * FROM ".Rsys :: getTable('reservation')." WHERE item_id='".$item_id."' ORDER BY start_at";
$result = api_sql_query($sql, __FILE__, __LINE__);
@ -824,6 +867,14 @@ class Rsys {
}
function check_date_edit($item_id, $start_date, $end_date, $start_at, $end_at, $reservation_id) {
$item_id = Database::escape_string($item_id);
$reservation_id = Database::escape_string($reservation_id);
$start_date = Database::escape_string($start_date);
$end_date = Database::escape_string($end_date);
$start_at = Database::escape_string($start_at);
$end_at = Database::escape_string($end_at);
$sql = "SELECT * FROM ".Rsys :: getTable('reservation')." WHERE item_id='".$item_id."' AND id <> '".$reservation_id."' ORDER BY start_at";
$result = api_sql_query($sql, __FILE__, __LINE__);
@ -872,6 +923,7 @@ class Rsys {
* Returns an array with items from a category linked to rights(used by m_reservations.php)
*/
function get_cat_r_items($category) {
$category = Database::escape_string($category);
$sql = "SELECT i.id,i.name as catitem
FROM ".Rsys :: getTable('item')." i
INNER JOIN ".Rsys :: getTable('category')." cat ON cat.id=i.category_id
@ -890,6 +942,7 @@ class Rsys {
* Returns an array with [ itemID => "category/item" ] with view_rights (used by reservation.php)
*/
function get_cat_items($category) {
$category = Database::escape_string($category);
$sql = "SELECT i.id,i.name as catitem
FROM ".Rsys :: getTable('item')." i
INNER JOIN ".Rsys :: getTable('category')." cat ON cat.id=i.category_id
@ -926,6 +979,14 @@ class Rsys {
$keyword = Database::escape_string($_GET['keyword']);
$sql .= "AND (i.name LIKE '%".$keyword."%' OR i.description LIKE '%".$keyword."%' OR r.notes LIKE '%".$keyword."%')";
}
$from = intval($from);
$per_page = intval($per_page);
$column = intval($column);
if(!in_array($direction, array('ASC','DESC'))) {
$direction = 'ASC';
}
$sql .= " ORDER BY col".$column." ".$direction." LIMIT ".$from.",".$per_page;
$result = api_sql_query($sql, __FILE__, __LINE__);
while ($array = Database::fetch_array($result, 'NUM')) {
@ -935,6 +996,7 @@ class Rsys {
}
function check_edit_right($id) {
$id = Database::escape_string($id);
$sql = "SELECT r.id
FROM ".Rsys :: getTable('reservation')." r
INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id
@ -950,6 +1012,7 @@ class Rsys {
}
function check_delete_right($id) {
$id = Database::escape_string($id);
$sql = "SELECT r.id
FROM ".Rsys :: getTable('reservation')." r
INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id
@ -965,6 +1028,7 @@ class Rsys {
}
function check_auto_accept($id) {
$id = Database::escape_string($id);
$sql = "SELECT auto_accept FROM ".Rsys :: getTable('reservation')." WHERE id='".$id."'";
return Database::result(api_sql_query($sql, __FILE__, __LINE__), 0, 0);
}
@ -1059,6 +1123,8 @@ class Rsys {
*
*/
function edit_reservation($id, $item_id, $auto_accept, $max_users, $start_at, $end_at, $subscribe_from, $subscribe_until, $notes, $timepicker) {
$id = Database::escape_string($id);
if (!Rsys :: item_allow($item_id, 'm_reservation'))
return false;
$stamp_start = Rsys :: mysql_datetime_to_timestamp($start_at);
@ -1100,6 +1166,8 @@ class Rsys {
* Deletes a reservation
*/
function delete_reservation($id) {
$id = Database::escape_string($id);
$sql = "SELECT id FROM ".Rsys :: getTable("reservation")."WHERE id='".$id."' OR subid='".$id."'";
$result2 = api_sql_query($sql, __FILE__, __LINE__);
while ($arr = Database::fetch_array($result2, 'NUM')) {
@ -1121,6 +1189,7 @@ class Rsys {
}
function is_owner_item($id) {
$id = Database::escape_string($id);
$sql = "SELECT creator FROM ".Rsys :: getTable('item')."i ,".Rsys :: getTable('reservation')." r
where i.id = r.item_id
and r.id = '".$id."'
@ -1132,6 +1201,8 @@ class Rsys {
}
function get_reservation($id) {
$id = Database::escape_string($id);
$sql = "SELECT *
FROM ".Rsys :: getTable('reservation')." r
INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id
@ -1171,6 +1242,13 @@ class Rsys {
function get_table_subcribed_reservations($from, $per_page, $column, $direction) {
$from = intval($from);
$per_page = intval($per_page);
$column = intval($column);
if(!in_array($direction, array('ASC','DESC'))) {
$direction = 'ASC';
}
$sql = "SELECT i1.name as col0,c.name as col1,
DATE_FORMAT(r1.start_at ,'%Y-%m-%d %H:%i') as col2,
DATE_FORMAT(r1.end_at ,'%Y-%m-%d %H:%i') as col3, CONCAT(u.lastname,' ',u.firstname) as col4,
@ -1242,6 +1320,15 @@ class Rsys {
}
function get_table_waiting_users($from, $per_page, $column, $direction) {
$from = intval($from);
$per_page = intval($per_page);
$column = intval($column);
if(!in_array($direction, array('ASC','DESC'))) {
$direction = 'ASC';
}
/*$sql = "SELECT dummy AS col0, CONCAT(u.lastname,' ',u.firstname) AS col1, s.user_id AS col2, accepted AS col3
FROM ".Rsys :: getTable('subscription')." s
INNER JOIN ".Database :: get_main_table(TABLE_MAIN_USER)." u ON s.user_id = u.user_id ";
@ -1255,7 +1342,7 @@ class Rsys {
and s.reservation_id = r.id";
if (!empty ($_GET['rid'])) {
$sql .= " and r.id = '".$_GET['rid']."'";
$sql .= " and r.id = '".Database::escape_string($_GET['rid'])."'";
}
$sql .= " ORDER BY col".$column." ".$direction." LIMIT ".$from.",".$per_page;
$result = api_sql_query($sql, __FILE__, __LINE__);
@ -1307,6 +1394,9 @@ class Rsys {
function set_accepted($id, $value) {
global $subscription;
$id = Database::escape_string($id);
$value = Database::escape_string($value);
$sql = "UPDATE ".Rsys :: getTable('subscription')." SET ACCEPTED='".$value."' WHERE dummy='".$id."'";
api_sql_query($sql, __FILE__, __LINE__);
$user_info = api_get_user_info($subscription[0]);
@ -1358,6 +1448,11 @@ class Rsys {
*/
function check_date_subscription($reservation_id, $start_at, $end_at) {
$reservation_id = Database::escape_string($reservation_id);
$start_at = Database::escape_string($start_at);
$end_at = Database::escape_string($end_at);
$sql = "SELECT id, start_at, end_at FROM ".Rsys :: getTable('reservation')."
WHERE start_at > '".$start_at."' AND id='".$reservation_id."' ";
$result = api_sql_query($sql, __FILE__, __LINE__);
@ -1407,6 +1502,9 @@ class Rsys {
}
function check_date_month_calendar($date, $itemid) {
$itemid = Database::escape_string($itemid);
$date = Database::escape_string($date);
$sql = "SELECT id FROM ".Rsys :: getTable('reservation')."
WHERE ((DATE_FORMAT(start_at, '%Y-%m-%e') = '".$date."' OR DATE_FORMAT(end_at, '%Y-%m-%e') = '".$date."'
OR (start_at <= '".$date." 00:00:00' AND end_at >= '".$date." 00:00:00' ) OR (start_at>='".$date." 00:00:00' AND start_at<='".$date." 23:59:59')) AND (subscribers < max_users OR timepicker=1)) AND item_id= '".$itemid."'";
@ -1428,6 +1526,10 @@ class Rsys {
* @param - int $reservation_id The id off the reservation
*/
function add_subscription($reservation_id, $user_id, $accepted) {
$reservation_id = Database::escape_string($reservation_id);
$user_id = Database::escape_string($user_id);
$accepted = Database::escape_string($accepted);
$sql = "SELECT user_id FROM ".Rsys :: getTable("subscription")." WHERE user_id='".$user_id."' AND reservation_id='".$reservation_id."'";
if (Database::num_rows(api_sql_query($sql, __FILE__, __LINE__)) == 0) {
$sql = "INSERT INTO ".Rsys :: getTable("subscription")." (user_id,reservation_id,accepted) VALUES ('".Database::escape_string($user_id)."','".Database::escape_string($reservation_id)."','". ($accepted ? '1' : '0')."')";
@ -1455,6 +1557,10 @@ class Rsys {
* @param - int $reservation_id The id off the reservation
*/
function add_subscription_timepicker($reservation_id, $user_id, $start_date, $end_date, $accepted, $min, $max) {
$start_date = Database::escape_string($start_date);
$end_date = Database::escape_string($end_date);
if (Rsys :: check_date_subscription($reservation_id, $start_date, $end_date) <> 0)
return 1;
if (!($min==0 && $max ==0)){
@ -1472,9 +1578,9 @@ class Rsys {
* Delete subscription
*/
function delete_subscription($reservation_id, $dummy) {
$sql = "DELETE FROM ".Rsys :: getTable("subscription")." WHERE dummy='".$dummy."'";
$sql = "DELETE FROM ".Rsys :: getTable("subscription")." WHERE dummy='".Database::escape_string($dummy)."'";
api_sql_query($sql, __FILE__, __LINE__);
$sql = "UPDATE ".Rsys :: getTable("reservation")." SET subscribers=subscribers-1 WHERE id='".$reservation_id."'";
$sql = "UPDATE ".Rsys :: getTable("reservation")." SET subscribers=subscribers-1 WHERE id='".Database::escape_string($reservation_id)."'";
api_sql_query($sql, __FILE__, __LINE__);
}
@ -1569,6 +1675,12 @@ class Rsys {
* ['max_end_at'] = the maximal end_at in all reservations (usefull to build table)
*/
function get_item_reservations($from, $till, $itemid) {
$itemid = Database::escape_string($itemid);
$till = Database::escape_string($till);
$from = Database::escape_string($from);
$sql = "SELECT r.*,i.name as item_name FROM ".Rsys :: getTable('reservation')." r
INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id
LEFT JOIN ".Rsys :: getTable('item_rights')." ir ON ir.item_id=i.id
@ -1619,6 +1731,7 @@ class Rsys {
* Returns $reservation_id=>"START_AT - END_AT"
*/
function get_item_subfiltered_reservations($item_id) {
$itemid = Database::escape_string($itemid);
$sql = "SELECT r.id AS reservation_id, r.start_at, r.end_at
FROM ".Rsys :: getTable('reservation')." r
INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id
@ -1636,6 +1749,9 @@ class Rsys {
* @param - String $till DateTime
*/
function get_subscriptions($from, $till) {
$till = Database::escape_string($till);
$from = Database::escape_string($from);
// TODO: only return for current user...
$sql = "SELECT r.*,s.start_at AS tp_start,s.end_at AS tp_end,s.accepted FROM ".Rsys :: getTable('subscription')." s INNER JOIN ".Rsys :: getTable('reservation')." r ON s.reservation_id = r.id WHERE ((r.timepicker=0 AND r.start_at>='".$from."' AND r.end_at<='".$till."') OR (s.start_at>='".$from."' AND s.end_at<='".$till."'))";
$result = api_sql_query($sql, __FILE__, __LINE__);
@ -1650,6 +1766,7 @@ class Rsys {
}
function get_item_id($item_name)
{
$item_name = Database::escape_string($item_name);
$sql = "SELECT id FROM ".Rsys :: getTable('item')." WHERE name='".$item_name."'";
$result = api_sql_query($sql, __FILE__, __LINE__);
$result_array = Database::fetch_array($result);
@ -1663,15 +1780,4 @@ Rsys :: init();
require_once 'rcalendar.php';
require_once (api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php');
/*
$img=imagecreate(1,1);
$color=imagecolorallocate($img, 220, 90, 0);
imagefill($img,0,0,$color);
imagejpeg($img,'../img/px_orange.gif',100);
$img=imagecreate(1,1);
$color=imagecolorallocate($img, 0, 0, 0);
imagefill($img,0,0,$color);
imagejpeg($img,'../img/px_black.gif',100);
*/
?>
Write Preview
Loading…
Cancel
Save