From 53a51077dcad91f921715e1dca73df646fa0ca19 Mon Sep 17 00:00:00 2001
From: Julio Montoya
Date: Fri, 3 Apr 2009 17:55:11 +0200
Subject: [PATCH] [svn r19527] Avoiding sql errors see FS#3909

---
 main/gradebook/gradebook_edit_all.php | 9 +++++++-
 main/gradebook/gradebook_edit_result.php | 4 ++++
 main/gradebook/gradebook_view_result.php | 27 +++++++++++++-----------
 3 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/main/gradebook/gradebook_edit_all.php b/main/gradebook/gradebook_edit_all.php
index 5e91c1077e..17c3da28b2 100755
--- a/main/gradebook/gradebook_edit_all.php
+++ b/main/gradebook/gradebook_edit_all.php
@@ -39,10 +39,17 @@ api_block_anonymous_users();
 if (!api_is_allowed_to_create_course()) {
 header('Location: /index.php');
 }
+
+$my_selectcat=isset($_GET['selectcat']) ? Security::remove_XSS($_GET['selectcat']) : '';
+if (empty($my_selectcat)) {
+ api_not_allowed();
+}
+
 // --------------------------------------------------------------------------------
 // - DISPLAY HEADERS AND MESSAGES -
 // --------------------------------------------------------------------------------
+
 if (!isset($_GET['exportpdf']) and !isset($_GET['export_certificate'])) {
 if (isset ($_GET['studentoverview'])) {
 $interbreadcrumb[]= array (
@@ -74,7 +81,7 @@ if (!isset($_GET['exportpdf']) and !isset($_GET['export_certificate'])) {
 $table_link = Database::get_main_table(TABLE_MAIN_GRADEBOOK_LINK);
 $table_evaluation = Database::get_main_table(TABLE_MAIN_GRADEBOOK_EVALUATION);
 //$table_forum_thread=Database::get_course_table(TABLE_FORUM_THREAD);
-$my_selectcat=isset($_GET['selectcat']) ? Security::remove_XSS($_GET['selectcat']) : '';
+
 $my_db_name=get_database_name_by_link_id($my_selectcat);
 $table_forum_thread = Database :: get_course_table(TABLE_FORUM_THREAD,$my_db_name);
 /*
diff --git a/main/gradebook/gradebook_edit_result.php b/main/gradebook/gradebook_edit_result.php
index f9e12d6dde..5abe3d56b5 100644
--- a/main/gradebook/gradebook_edit_result.php
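Review bot: The new guard in gradebook_edit_all.php tests `empty($my_selectcat)`, which also rejects the string `'0'`, so a request carrying `selectcat=0` is refused even though it passed the `isset` on the line above; if 0 can be a legitimate category id here (the hunk does not show this) the condition should compare against `''` or use a numeric test rather than `empty()`. The value is an id that the second hunk of this file hands to `get_database_name_by_link_id()`, and `Security::remove_XSS()` is an output filter rather than a validator for a database key, so an integer cast would state the intent and give the query layer a known type: `$my_selectcat = isset($_GET['selectcat']) ? (int) $_GET['selectcat'] : 0;` followed by `if ($my_selectcat <= 0) { api_not_allowed(); }`, assuming ids are positive. The guard is also placed after the context line `header('Location: /index.php');`, which is not followed by `exit`, so a caller who fails `api_is_allowed_to_create_course()` still executes this block and the rest of the page; that is pre-existing, but the commit adds code on the path it leaves open.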
+++ b/main/gradebook/gradebook_edit_result.php
@@ -33,6 +33,10 @@ require_once ('lib/scoredisplay.class.php');
 api_block_anonymous_users();
 block_students();
 $select_eval=Security::remove_XSS($_GET['selecteval']);
+if (empty($select_eval)) {
+ api_not_allowed();
+}
+
 $resultedit = Result :: load (null,null,$select_eval);
 $evaluation = Evaluation :: load ($select_eval);
 $edit_result_form = new EvalForm(EvalForm :: TYPE_ALL_RESULTS_EDIT, $evaluation[0], $resultedit, 'edit_result_form', null, api_get_self() . '?&selecteval='.$select_eval);
diff --git a/main/gradebook/gradebook_view_result.php b/main/gradebook/gradebook_view_result.php
index 586961cb21..93336fa196 100644
--- a/main/gradebook/gradebook_view_result.php
+++ b/main/gradebook/gradebook_view_result.php
@@ -46,6 +46,9 @@ $interbreadcrumb[]= array (
 ));
 //load the evaluation & category
 $select_eval=Security::remove_XSS($_GET['selecteval']);
+if (empty($select_eval)) {
+ api_not_allowed();
+}
 $displayscore = Scoredisplay :: instance();
 $eval= Evaluation :: load($select_eval);
 $overwritescore= 0;
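Review bot: The new `empty($select_eval)` guard in gradebook_edit_result.php (and the identical one in the gradebook_view_result.php hunk that follows) treats the string `'0'` as absent, so an evaluation id of 0 would be rejected; if that id can occur the check is wrong, and if it cannot, a numeric test says so more precisely than an emptiness test. `$select_eval` is a row id passed to `Result::load()` and `Evaluation::load()` and, in the first file, concatenated into the form action URL, so `Security::remove_XSS()` is the wrong filter for it; casting covers both the query and the URL context: `$select_eval = isset($_GET['selecteval']) ? (int) $_GET['selecteval'] : 0;` and `if ($select_eval <= 0) { api_not_allowed(); }`, assuming ids are positive. The context line `$_GET['selecteval']` is read without `isset`, so a request lacking the parameter still raises an undefined-index notice before the new check runs.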
@@ -113,18 +116,18 @@ $current_value= $data;
 * @return array All userinformation read from the file
 */
 function parse_xml_data($file) {
-global $current_tag;
-global $current_value;
-global $user;
-global $users;
- $users= array ();
- $parser= xml_parser_create();
- xml_set_element_handler($parser, 'element_start', 'element_end');
- xml_set_character_data_handler($parser, "character_data");
- xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);
- xml_parse($parser, file_get_contents($file));
- xml_parser_free($parser);
- return $users;
+ global $current_tag;
+ global $current_value;
+ global $user;
+ global $users;
+ $users= array ();
+ $parser= xml_parser_create();
+ xml_set_element_handler($parser, 'element_start', 'element_end');
+ xml_set_character_data_handler($parser, "character_data");
+ xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);
+ xml_parse($parser, file_get_contents($file));
+ xml_parser_free($parser);
+ return $users;
 }
 if (isset ($_GET['editres'])) {
 $edit_res_xml=Security::remove_XSS($_GET['editres']);