From 536d8089450f47fe9b111c01be1ba2779eb2216a Mon Sep 17 00:00:00 2001 From: Yannick Warnier Date: Mon, 29 Dec 2008 13:38:58 +0100 Subject: [PATCH] [svn r17472] Improved language translation and SQL filtering (FS#3387) --- main/notebook/index.php | 16 +++++++-------- main/notebook/notebookfunction.inc.php | 27 +++++++++++++++----------- 2 files changed, 24 insertions(+), 19 deletions(-) diff --git a/main/notebook/index.php b/main/notebook/index.php index c8417470d5..6ad2152695 100755 --- a/main/notebook/index.php +++ b/main/notebook/index.php @@ -33,7 +33,7 @@ $icon_delete ='delete.gif'; //--------------------------------------------------------- -echo ''.Display::return_icon($icon_add,get_lang('NewNotebook')).get_lang('NewNotebook').''; +echo ''.Display::return_icon($icon_add,get_lang('NewNote')).get_lang('NewNote').''; if (isset($_REQUEST['action']) && $_REQUEST['action']=='addnotebook') { echo ''; @@ -41,8 +41,8 @@ if (isset($_REQUEST['action']) && $_REQUEST['action']=='addnotebook') { echo ''; echo ''; echo ''; - echo '
'; - echo '
'; + echo '
'; + echo '
'; echo ''; echo ''; echo ''; @@ -58,7 +58,7 @@ if ($ctok==$_POST['sec_token']) { $description = Security::remove_XSS($_REQUEST['description']); $add_notebook= add_notebook_details($user_id,$course_id,$session_id,$description,$date); if($add_notebook) { - Display::display_confirmation_message(get_lang('NotebookAdded')); + Display::display_confirmation_message(get_lang('NoteCreated')); } } } @@ -72,7 +72,7 @@ if ($ctok==$_POST['sec_token']) { $description = Security::remove_XSS($_REQUEST['upd_description']); $edit_notebook= edit_notebook_details($notebook_id,$user_id,$course_id,$session_id,$description,$date); if($edit_notebook) { - Display::display_confirmation_message(get_lang('NotebookUpdated')); + Display::display_confirmation_message(get_lang('NoteUpdated')); } } @@ -86,7 +86,7 @@ if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete_notebook'){ $notebook_id = Security::remove_XSS($_REQUEST['notebook_id']); $delete_notebook = delete_notebook_details($notebook_id); if($delete_notebook) { - Display::display_confirmation_message(get_lang('NotebookDeleted')); + Display::display_confirmation_message(get_lang('NoteDeleted')); } } @@ -112,7 +112,7 @@ while ($row_notebook_list=Database::fetch_array($notebook_list)){ echo ''; echo ''; echo '
'; - echo '
'; + echo '
'; echo ''; echo ''; } else { @@ -121,7 +121,7 @@ while ($row_notebook_list=Database::fetch_array($notebook_list)){ echo ''.Display::return_icon($icon_edit,get_lang('Edit')).' '; echo ''.Display::return_icon($icon_delete,get_lang('Edit')).''; if ( $row_notebook_list['status']==1 ) { - echo '  '.get_lang('EndDate').' : '.$row_notebook_list['end_date'].''; + echo '  '.get_lang('LastUpdateDate').' : '.$row_notebook_list['end_date'].''; } echo ''; } diff --git a/main/notebook/notebookfunction.inc.php b/main/notebook/notebookfunction.inc.php index 9d699aafbc..0ca7acf2b1 100755 --- a/main/notebook/notebookfunction.inc.php +++ b/main/notebook/notebookfunction.inc.php @@ -5,9 +5,6 @@ * @author Christian Fasanando * This library enables maintenance of the notebook tool */ - - - /** * This function retrieves notebook details by users * @return array Array of type ([notebook_id=>a,user_id=>b,course=>c,session_id=>d,description=>e,start_date=>f,end_date=>g,status=>h],[]) 
@@ -38,17 +35,20 @@ function get_notebook_details($user_id) { */ function add_notebook_details($user_id,$course,$session_id,$description,$start_date) { $t_notebook = Database :: get_course_table(TABLE_NOTEBOOK); + if ($user_id !== strval(intval($user_id))) { return false;} $safe_user_id = (int)$user_id; $safe_course = Database::escape_string($course); - $safe_session_id = (int)$session_id; + if ($session_id !== strval(intval($session_id))) { return false;} + $safe_session_id = (int)$session_id; $safe_description = Database::escape_string($description); + $safe_start_date = Database::escape_string($start_date); - if (empty($description) || empty($start_date)) { + if (empty($description) || empty($safe_start_date)) { return false; } $sql = "INSERT INTO $t_notebook(user_id,course,session_id,description,start_date,status) - VALUES('$safe_user_id' , '$safe_course','$safe_session_id','$safe_description','$start_date',0)"; + VALUES('$safe_user_id' , '$safe_course','$safe_session_id','$safe_description','$safe_start_date',0)"; $result = api_sql_query($sql, __FILE__, __LINE__); return $result; @@ -69,11 +69,15 @@ function add_notebook_details($user_id,$course,$session_id,$description,$start_d function edit_notebook_details($notebook_id,$user_id,$course,$session_id,$description,$end_date) { $t_notebook = Database :: get_course_table(TABLE_NOTEBOOK); + if ($notebook_id !== strval(intval($notebook_id))) { return false;} $safe_notebook_id = (int)$notebook_id; + if ($user_id !== strval(intval($user_id))) { return false;} $safe_user_id = (int)$user_id; $safe_course = Database::escape_string($course); - $safe_session_id = (int)$session_id; + if ($session_id !== strval(intval($session_id))) { return false;} + $safe_session_id = (int)$session_id; $safe_description = Database::escape_string($description); + $safe_end_date = Database::escape_string($end_date); if (empty($description) || empty($end_date)) { return false; 
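Review bot: The new guard `if ($user_id !== strval(intval($user_id))) { return false;}` rejects any caller that passes an integer rather than a numeric string, because `5 !== '5'` is true under strict comparison; the same pattern is repeated for `$session_id` here and for `$notebook_id`, `$user_id` and `$session_id` in the edit_notebook_details and delete_notebook_details hunks. If the ids reach these functions as ints (the callers in index.php are outside this view, so this is inferred), every insert/update/delete silently fails with `false` and no error. Normalising the input before the comparison keeps the integer-only filter while accepting both forms: `if ((string) $user_id !== strval(intval($user_id))) { return false; }`. A one-line comment such as `// accept only canonical integer ids before casting; anything else is refused rather than coerced` would make the intent of the validate-then-cast pair clear to the next reader.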
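Review bot: `$safe_end_date = Database::escape_string($end_date);` is introduced but the visible emptiness check on the next line still reads the raw `$end_date`, whereas the parallel add_notebook_details hunk was switched to `empty($safe_start_date)`. The UPDATE statement that would consume the escaped value lies past the end of this hunk, so I cannot confirm whether it interpolates `$safe_end_date` or still `$end_date`; if the latter, the new escaping has no effect on the query. For consistency with the add path change the guard to `if (empty($description) || empty($safe_end_date)) {` and verify the UPDATE below uses `$safe_end_date`. edit_notebook_details continues outside the hunk.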
@@ -94,6 +98,7 @@ function edit_notebook_details($notebook_id,$user_id,$course,$session_id,$descri */ function delete_notebook_details($notebook_id) { $t_notebook = Database :: get_course_table(TABLE_NOTEBOOK); + if ($notebook_id !== strval(intval($notebook_id))) { return false;} $safe_notebook_id = (int)$notebook_id; $sql = "DELETE FROM $t_notebook WHERE notebook_id=$safe_notebook_id"; @@ -110,15 +115,15 @@ function to_javascript_notebook() { return "