[svn r14713] Fixed a few risky queries

Fixed the fact that the AJAX code crashed when a user was not subscribed to any course (see FS#2417)
17 years ago · 53fd169f0c
parent d4162eb6c3
commit 53fd169f0c
2 changed files with 53 additions and 42 deletions
--- a/main/admin/user_list.php
+++ b/main/admin/user_list.php
@ -1,9 +1,9 @@
-<?php // $Id: user_list.php 14708 2008-03-31 13:25:44Z pcool $
+<?php // $Id: user_list.php 14713 2008-04-02 04:58:20Z yannoo $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software

-	Copyright (c) 2004 Dokeos S.A.
+	Copyright (c) 2004-2008 Dokeos S.A.
 	Copyright (c) 2003 Ghent University (UGent)
 	Copyright (c) 2001 Universite catholique de Louvain (UCL)
 	Copyright (c) Olivier Brouckaert
@ -18,7 +18,7 @@

 	See the GNU General Public License for more details.

-	Contact: Dokeos, 181 rue Royale, B-1000 Brussels, Belgium, info@dokeos.com
+	Contact: Dokeos, rue du Corbeau, 108, B-1030 Brussels, Belgium, info@dokeos.com
 ==============================================================================
 */
 /**
@ -49,11 +49,18 @@ function courses_of_user($arg)
 	// put it into a variable like $newContent
    //$newContent = 'werkt het? en met een beetje meer text, wordt dat goed opgelost? ';    
    $personal_course_list = UserManager::get_personal_session_course_list($arg);
-    foreach ($personal_course_list as $key=>$course)
+    $newContent = '';
+    if(count($personal_course_list)>0)
    {
-    	$newContent .= $course['i'].'<br />';
+	    foreach ($personal_course_list as $key=>$course)
+	    {
+	    	$newContent .= $course['i'].'<br />';
+	    }
    }
-    
+    else
+    {
+    	$newContent .= '- '.get_lang('None').' -<br />';
+    }    
 	// Instantiate the xajaxResponse object
 	$objResponse = new xajaxResponse();
        
@ -170,11 +177,11 @@ function login_user($user_id)

 		$sql_result = api_sql_query($sql_query, __FILE__, __LINE__);

-		if (mysql_num_rows($sql_result) > 0)
+		if (Database::num_rows($sql_result) > 0)
 		{
 			// Extracting the user data

-			$user_data = mysql_fetch_array($sql_result);
+			$user_data = Database::fetch_array($sql_result);

            //Delog the current user
 			 
@ -228,17 +235,17 @@ function get_number_of_users()
 	$sql = "SELECT COUNT(u.user_id) AS total_number_of_items FROM $user_table u";
 	if (isset ($_GET['keyword']))
 	{
-		$keyword = mysql_real_escape_string($_GET['keyword']);
+		$keyword = Database::escape_string($_GET['keyword']);
 		$sql .= " WHERE u.firstname LIKE '%".$keyword."%' OR u.lastname LIKE '%".$keyword."%'  OR u.email LIKE '%".$keyword."%'  OR u.official_code LIKE '%".$keyword."%'";
 	}
 	elseif (isset ($_GET['keyword_firstname']))
 	{
 		$admin_table = Database :: get_main_table(TABLE_MAIN_ADMIN);
-		$keyword_firstname = mysql_real_escape_string($_GET['keyword_firstname']);
-		$keyword_lastname = mysql_real_escape_string($_GET['keyword_lastname']);
-		$keyword_email = mysql_real_escape_string($_GET['keyword_email']);
-		$keyword_username = mysql_real_escape_string($_GET['keyword_username']);
-		$keyword_status = mysql_real_escape_string($_GET['keyword_status']);
+		$keyword_firstname = Database::escape_string($_GET['keyword_firstname']);
+		$keyword_lastname = Database::escape_string($_GET['keyword_lastname']);
+		$keyword_email = Database::escape_string($_GET['keyword_email']);
+		$keyword_username = Database::escape_string($_GET['keyword_username']);
+		$keyword_status = Database::escape_string($_GET['keyword_status']);
 		$query_admin_table = '';
 		$keyword_admin = '';
 		if($keyword_status == 10)
@ -267,7 +274,7 @@ function get_number_of_users()
 		}
 	}
 	$res = api_sql_query($sql, __FILE__, __LINE__);
-	$obj = mysql_fetch_object($res);
+	$obj = Database::fetch_object($res);
 	return $obj->total_number_of_items;
 }
 /**
@ -292,17 +299,17 @@ function get_user_data($from, $number_of_items, $column, $direction)
                 $user_table u";
 	if (isset ($_GET['keyword']))
 	{
-		$keyword = mysql_real_escape_string($_GET['keyword']);
+		$keyword = Database::escape_string($_GET['keyword']);
 		$sql .= " WHERE u.firstname LIKE '%".$keyword."%' OR u.lastname LIKE '%".$keyword."%'  OR u.username LIKE '%".$keyword."%'  OR u.official_code LIKE '%".$keyword."%'";
 	}
 	elseif (isset ($_GET['keyword_firstname']))
 	{
 		$admin_table = Database :: get_main_table(TABLE_MAIN_ADMIN);
-		$keyword_firstname = mysql_real_escape_string($_GET['keyword_firstname']);
-		$keyword_lastname = mysql_real_escape_string($_GET['keyword_lastname']);
-		$keyword_email = mysql_real_escape_string($_GET['keyword_email']);
-		$keyword_username = mysql_real_escape_string($_GET['keyword_username']);
-		$keyword_status = mysql_real_escape_string($_GET['keyword_status']);
+		$keyword_firstname = Database::escape_string($_GET['keyword_firstname']);
+		$keyword_lastname = Database::escape_string($_GET['keyword_lastname']);
+		$keyword_email = Database::escape_string($_GET['keyword_email']);
+		$keyword_username = Database::escape_string($_GET['keyword_username']);
+		$keyword_status = Database::escape_string($_GET['keyword_status']);
 		$query_admin_table = '';
 		$keyword_admin = '';
 		if($keyword_status == 10)
@ -333,7 +340,7 @@ function get_user_data($from, $number_of_items, $column, $direction)
 	$sql .= " LIMIT $from,$number_of_items";
 	$res = api_sql_query($sql, __FILE__, __LINE__);
 	$users = array ();
-	while ($user = mysql_fetch_row($res))
+	while ($user = Database::fetch_row($res))
 	{
 		$users[] = $user;
 	}
@ -438,7 +445,7 @@ function lock_unlock_user($status,$user_id)

 	if(($status_db=='1' OR $status_db=='0') AND is_numeric($user_id))
 	{
-		$sql="UPDATE $user_table SET active='".mysql_real_escape_string($status_db)."' WHERE user_id='".mysql_real_escape_string($user_id)."'";
+		$sql="UPDATE $user_table SET active='".Database::escape_string($status_db)."' WHERE user_id='".Database::escape_string($user_id)."'";
 		$result = api_sql_query($sql, __FILE__, __LINE__);
 	}

--- a/main/inc/lib/usermanager.lib.php
+++ b/main/inc/lib/usermanager.lib.php
@ -1,9 +1,9 @@
-<?php
+<?php // $Id: usermanager.lib.php 14713 2008-04-02 04:58:20Z yannoo $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software

-	Copyright (c) 2004 Dokeos S.A.
+	Copyright (c) 2004-2008 Dokeos S.A.
 	Copyright (c) 2003 Ghent University (UGent)
 	Copyright (c) 2001 Universite catholique de Louvain (UCL)
 	Copyright (c) various contributors
@ -19,7 +19,7 @@

 	See the GNU General Public License for more details.

-	Contact: Dokeos, 181 rue Royale, B-1000 Brussels, Belgium, info@dokeos.com
+	Contact: Dokeos, rue du Corbeau, 108, B-1030 Brussels, Belgium, info@dokeos.com
 ==============================================================================
 */
 /**
@ -965,10 +965,11 @@ class UserManager
 	function get_personal_session_course_list($user_id)
 	{
 		// Database Table Definitions
-		$main_course_user_table = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
+		$tbl_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
 		$tbl_course 				= Database :: get_main_table(TABLE_MAIN_COURSE);
 		$tbl_user 					= Database :: get_main_table(TABLE_MAIN_USER);
 		$tbl_session 				= Database :: get_main_table(TABLE_MAIN_SESSION);
+		$tbl_session_user			= Database :: get_main_table(TABLE_MAIN_SESSION_USER);
 		$tbl_course_user 			= Database :: get_main_table(TABLE_MAIN_COURSE_USER);
 		$tbl_session_course 		= Database :: get_main_table(TABLE_MAIN_SESSION_COURSE);
 		$tbl_session_course_user 	= Database :: get_main_table(TABLE_MAIN_SESSION_COURSE_USER);
@ -986,53 +987,56 @@ class UserManager
 											AND   course_rel_user.user_id = '".$user_id."'
 											ORDER BY course_rel_user.user_course_cat, course_rel_user.sort ASC,i";*/
 	
-		$tbl_user_course_category    = Database :: get_user_personal_database();
+		$tbl_user_course_category    = Database :: get_user_personal_table(TABLE_USER_COURSE_CATEGORY);
 		
 		$personal_course_list_sql = "SELECT course.code k, course.directory d, course.visual_code c, course.db_name db, course.title i, course.tutor_name t, course.course_language l, course_rel_user.status s, course_rel_user.sort sort, course_rel_user.user_course_cat user_course_cat
-										FROM    ".$main_course_user_table."course_rel_user
-										LEFT JOIN ".$tbl_course."course
+										FROM    ".$tbl_course_user." course_rel_user
+										LEFT JOIN ".$tbl_course." course
 										ON course.code = course_rel_user.course_code
-										LEFT JOIN `".$tbl_user_course_category."`.`user_course_category`
+										LEFT JOIN ".$tbl_user_course_category." user_course_category
 										ON course_rel_user.user_course_cat = user_course_category.id
 										WHERE  course_rel_user.user_id = '".$user_id."'
-										ORDER BY user_course_category.sort, course_rel_user.sort ASC,i";
+										ORDER BY user_course_category.sort, course_rel_user.sort ASC, i";
 		
 		$course_list_sql_result = api_sql_query($personal_course_list_sql, __FILE__, __LINE__);
 		
-		while ($result_row = mysql_fetch_array($course_list_sql_result))
+		while ($result_row = Database::fetch_array($course_list_sql_result))
 		{
 			$personal_course_list[] = $result_row;
 		}
 	
 		// get the list of sessions where the user is subscribed as student
-		$result=api_sql_query("SELECT DISTINCT id, name, date_start, date_end
-								FROM session_rel_user, session
+		$sessions_sql = "SELECT DISTINCT id, name, date_start, date_end
+								FROM $tbl_session_user, $tbl_session
 								WHERE id_session=id AND id_user=$user_id
 								AND (date_start <= NOW() AND date_end >= NOW() OR date_start='0000-00-00')
-								ORDER BY date_start, date_end, name",__FILE__,__LINE__);
+								ORDER BY date_start, date_end, name";
+		$result = api_sql_query($sessions_sql,__FILE__,__LINE__);
 	
 		$sessions=api_store_result($result);
 	
 		$sessions = array_merge($sessions , api_store_result($result));
 	
 		// get the list of sessions where the user is subscribed as coach in a course
-		$result=api_sql_query("SELECT DISTINCT id, name, date_start, date_end
+		$sessions_sql = "SELECT DISTINCT id, name, date_start, date_end
 								FROM $tbl_session as session
 								INNER JOIN $tbl_session_course as session_rel_course
 									ON session_rel_course.id_coach = $user_id
 								AND (date_start <= NOW() AND date_end >= NOW() OR date_start='0000-00-00')
-								ORDER BY date_start, date_end, name",__FILE__,__LINE__);
+								ORDER BY date_start, date_end, name";
+		$result = api_sql_query($sessions_sql,__FILE__,__LINE__);
 	
 		$session_is_coach = api_store_result($result);
 	
 		$sessions = array_merge($sessions , $session_is_coach);
 	
 		// get the list of sessions where the user is subscribed as coach
-		$result=api_sql_query("SELECT DISTINCT id, name, date_start, date_end
+		$sessions_sql = "SELECT DISTINCT id, name, date_start, date_end
 								FROM $tbl_session as session
 								WHERE session.id_coach = $user_id
 								AND (date_start <= NOW() AND date_end >= NOW() OR date_start='0000-00-00')
-								ORDER BY date_start, date_end, name",__FILE__,__LINE__);
+								ORDER BY date_start, date_end, name";
+		$result = api_sql_query($sessions_sql,__FILE__,__LINE__);
 	
 		$sessions = array_merge($sessions , api_store_result($result));
 	
@ -1056,7 +1060,7 @@ class UserManager
 	
 				$course_list_sql_result = api_sql_query($personal_course_list_sql, __FILE__, __LINE__);
 	
-				while ($result_row = mysql_fetch_array($course_list_sql_result))
+				while ($result_row = Database::fetch_array($course_list_sql_result))
 				{
 					$result_row['s'] = 2;
 					$key = $result_row['id_session'].' - '.$result_row['k'];
@ -1085,7 +1089,7 @@ class UserManager
 	
 			$course_list_sql_result = api_sql_query($personal_course_list_sql, __FILE__, __LINE__);
 	
-			while ($result_row = mysql_fetch_array($course_list_sql_result))
+			while ($result_row = Database::fetch_array($course_list_sql_result))
 			{
 				$key = $result_row['id_session'].' - '.$result_row['k'];
 				$result_row['s'] = $result_row['14'];