[svn r19527] Avoiding sql errors see FS#3909

17 years ago · 53a51077dc
parent de5f52e120
commit 53a51077dc
3 changed files with 27 additions and 13 deletions
--- a/main/gradebook/gradebook_edit_all.php
+++ b/main/gradebook/gradebook_edit_all.php
@ -39,10 +39,17 @@ api_block_anonymous_users();
 if (!api_is_allowed_to_create_course()) {
 	header('Location: /index.php');
 }
+
+$my_selectcat=isset($_GET['selectcat']) ? Security::remove_XSS($_GET['selectcat']) : '';
+if (empty($my_selectcat)) {
+	api_not_allowed();
+}
+
 // --------------------------------------------------------------------------------
 // -                       DISPLAY HEADERS AND MESSAGES                           -
 // --------------------------------------------------------------------------------

+
 if (!isset($_GET['exportpdf']) and !isset($_GET['export_certificate'])) {
 	if (isset ($_GET['studentoverview'])) {
 		$interbreadcrumb[]= array (
@ -74,7 +81,7 @@ if (!isset($_GET['exportpdf']) and !isset($_GET['export_certificate'])) {
 $table_link = Database::get_main_table(TABLE_MAIN_GRADEBOOK_LINK);
 $table_evaluation = Database::get_main_table(TABLE_MAIN_GRADEBOOK_EVALUATION);
 //$table_forum_thread=Database::get_course_table(TABLE_FORUM_THREAD);
-$my_selectcat=isset($_GET['selectcat']) ? Security::remove_XSS($_GET['selectcat']) : '';
+
 $my_db_name=get_database_name_by_link_id($my_selectcat);
 $table_forum_thread = Database :: get_course_table(TABLE_FORUM_THREAD,$my_db_name);
 /*
--- a/main/gradebook/gradebook_edit_result.php
+++ b/main/gradebook/gradebook_edit_result.php
@ -33,6 +33,10 @@ require_once ('lib/scoredisplay.class.php');
 api_block_anonymous_users();
 block_students();
 $select_eval=Security::remove_XSS($_GET['selecteval']);
+if (empty($select_eval)) {
+	api_not_allowed();
+}
+
 $resultedit = Result :: load (null,null,$select_eval);
 $evaluation = Evaluation :: load ($select_eval);
 $edit_result_form = new EvalForm(EvalForm :: TYPE_ALL_RESULTS_EDIT, $evaluation[0], $resultedit, 'edit_result_form', null, api_get_self() . '?&selecteval='.$select_eval);
--- a/main/gradebook/gradebook_view_result.php
+++ b/main/gradebook/gradebook_view_result.php
@ -46,6 +46,9 @@ $interbreadcrumb[]= array (
 ));
 //load the evaluation & category
 $select_eval=Security::remove_XSS($_GET['selecteval']);
+if (empty($select_eval)) {
+	api_not_allowed();
+}
 $displayscore = Scoredisplay :: instance();
 $eval= Evaluation :: load($select_eval);
 $overwritescore= 0;
@ -113,18 +116,18 @@ $current_value= $data;
 * @return array All userinformation read from the file
 */
 function parse_xml_data($file) {
-global $current_tag;
-global $current_value;
-global $user;
-global $users;
-	$users= array ();
-	$parser= xml_parser_create();
-	xml_set_element_handler($parser, 'element_start', 'element_end');
-	xml_set_character_data_handler($parser, "character_data");
-	xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);
-	xml_parse($parser, file_get_contents($file));
-	xml_parser_free($parser);
-	return $users;
+	global $current_tag;
+	global $current_value;
+	global $user;
+	global $users;
+		$users= array ();
+		$parser= xml_parser_create();
+		xml_set_element_handler($parser, 'element_start', 'element_end');
+		xml_set_character_data_handler($parser, "character_data");
+		xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);
+		xml_parse($parser, file_get_contents($file));
+		xml_parser_free($parser);
+		return $users;
 }
 if (isset ($_GET['editres'])) {
 	$edit_res_xml=Security::remove_XSS($_GET['editres']);