From 53fd169f0c0513276f7794e7c540bc6411608288 Mon Sep 17 00:00:00 2001 From: Yannick Warnier Date: Wed, 2 Apr 2008 06:58:20 +0200 Subject: [PATCH] [svn r14713] Fixed a few risky queries Fixed the fact that the AJAX code crashed when a user was not subscribed to any course (see FS#2417) --- main/admin/user_list.php | 53 ++++++++++++++++++-------------- main/inc/lib/usermanager.lib.php | 42 +++++++++++++------------ 2 files changed, 53 insertions(+), 42 deletions(-) diff --git a/main/admin/user_list.php b/main/admin/user_list.php index 4ab82182e5..f08922d4a9 100644 --- a/main/admin/user_list.php +++ b/main/admin/user_list.php @@ -1,9 +1,9 @@ -$course) + $newContent = ''; + if(count($personal_course_list)>0) { - $newContent .= $course['i'].'
'; + foreach ($personal_course_list as $key=>$course) + { + $newContent .= $course['i'].'
'; + } } - + else + { + $newContent .= '- '.get_lang('None').' -
'; + } // Instantiate the xajaxResponse object $objResponse = new xajaxResponse(); @@ -170,11 +177,11 @@ function login_user($user_id) $sql_result = api_sql_query($sql_query, __FILE__, __LINE__); - if (mysql_num_rows($sql_result) > 0) + if (Database::num_rows($sql_result) > 0) { // Extracting the user data - $user_data = mysql_fetch_array($sql_result); + $user_data = Database::fetch_array($sql_result); //Delog the current user @@ -228,17 +235,17 @@ function get_number_of_users() $sql = "SELECT COUNT(u.user_id) AS total_number_of_items FROM $user_table u"; if (isset ($_GET['keyword'])) { - $keyword = mysql_real_escape_string($_GET['keyword']); + $keyword = Database::escape_string($_GET['keyword']); $sql .= " WHERE u.firstname LIKE '%".$keyword."%' OR u.lastname LIKE '%".$keyword."%' OR u.email LIKE '%".$keyword."%' OR u.official_code LIKE '%".$keyword."%'"; } elseif (isset ($_GET['keyword_firstname'])) { $admin_table = Database :: get_main_table(TABLE_MAIN_ADMIN); - $keyword_firstname = mysql_real_escape_string($_GET['keyword_firstname']); - $keyword_lastname = mysql_real_escape_string($_GET['keyword_lastname']); - $keyword_email = mysql_real_escape_string($_GET['keyword_email']); - $keyword_username = mysql_real_escape_string($_GET['keyword_username']); - $keyword_status = mysql_real_escape_string($_GET['keyword_status']); + $keyword_firstname = Database::escape_string($_GET['keyword_firstname']); + $keyword_lastname = Database::escape_string($_GET['keyword_lastname']); + $keyword_email = Database::escape_string($_GET['keyword_email']); + $keyword_username = Database::escape_string($_GET['keyword_username']); + $keyword_status = Database::escape_string($_GET['keyword_status']); $query_admin_table = ''; $keyword_admin = ''; if($keyword_status == 10) @@ -267,7 +274,7 @@ function get_number_of_users() } } $res = api_sql_query($sql, __FILE__, __LINE__); - $obj = mysql_fetch_object($res); + $obj = Database::fetch_object($res); return $obj->total_number_of_items; } /** @@ -292,17 +299,17 @@ function get_user_data($from, $number_of_items, $column, $direction) $user_table u"; if (isset ($_GET['keyword'])) { - $keyword = mysql_real_escape_string($_GET['keyword']); + $keyword = Database::escape_string($_GET['keyword']); $sql .= " WHERE u.firstname LIKE '%".$keyword."%' OR u.lastname LIKE '%".$keyword."%' OR u.username LIKE '%".$keyword."%' OR u.official_code LIKE '%".$keyword."%'"; } elseif (isset ($_GET['keyword_firstname'])) { $admin_table = Database :: get_main_table(TABLE_MAIN_ADMIN); - $keyword_firstname = mysql_real_escape_string($_GET['keyword_firstname']); - $keyword_lastname = mysql_real_escape_string($_GET['keyword_lastname']); - $keyword_email = mysql_real_escape_string($_GET['keyword_email']); - $keyword_username = mysql_real_escape_string($_GET['keyword_username']); - $keyword_status = mysql_real_escape_string($_GET['keyword_status']); + $keyword_firstname = Database::escape_string($_GET['keyword_firstname']); + $keyword_lastname = Database::escape_string($_GET['keyword_lastname']); + $keyword_email = Database::escape_string($_GET['keyword_email']); + $keyword_username = Database::escape_string($_GET['keyword_username']); + $keyword_status = Database::escape_string($_GET['keyword_status']); $query_admin_table = ''; $keyword_admin = ''; if($keyword_status == 10) @@ -333,7 +340,7 @@ function get_user_data($from, $number_of_items, $column, $direction) $sql .= " LIMIT $from,$number_of_items"; $res = api_sql_query($sql, __FILE__, __LINE__); $users = array (); - while ($user = mysql_fetch_row($res)) + while ($user = Database::fetch_row($res)) { $users[] = $user; } @@ -438,7 +445,7 @@ function lock_unlock_user($status,$user_id) if(($status_db=='1' OR $status_db=='0') AND is_numeric($user_id)) { - $sql="UPDATE $user_table SET active='".mysql_real_escape_string($status_db)."' WHERE user_id='".mysql_real_escape_string($user_id)."'"; + $sql="UPDATE $user_table SET active='".Database::escape_string($status_db)."' WHERE user_id='".Database::escape_string($user_id)."'"; $result = api_sql_query($sql, __FILE__, __LINE__); } diff --git a/main/inc/lib/usermanager.lib.php b/main/inc/lib/usermanager.lib.php index 65b1ee1c05..9d79df1493 100644 --- a/main/inc/lib/usermanager.lib.php +++ b/main/inc/lib/usermanager.lib.php @@ -1,9 +1,9 @@ -= NOW() OR date_start='0000-00-00') - ORDER BY date_start, date_end, name",__FILE__,__LINE__); + ORDER BY date_start, date_end, name"; + $result = api_sql_query($sessions_sql,__FILE__,__LINE__); $sessions=api_store_result($result); $sessions = array_merge($sessions , api_store_result($result)); // get the list of sessions where the user is subscribed as coach in a course - $result=api_sql_query("SELECT DISTINCT id, name, date_start, date_end + $sessions_sql = "SELECT DISTINCT id, name, date_start, date_end FROM $tbl_session as session INNER JOIN $tbl_session_course as session_rel_course ON session_rel_course.id_coach = $user_id AND (date_start <= NOW() AND date_end >= NOW() OR date_start='0000-00-00') - ORDER BY date_start, date_end, name",__FILE__,__LINE__); + ORDER BY date_start, date_end, name"; + $result = api_sql_query($sessions_sql,__FILE__,__LINE__); $session_is_coach = api_store_result($result); $sessions = array_merge($sessions , $session_is_coach); // get the list of sessions where the user is subscribed as coach - $result=api_sql_query("SELECT DISTINCT id, name, date_start, date_end + $sessions_sql = "SELECT DISTINCT id, name, date_start, date_end FROM $tbl_session as session WHERE session.id_coach = $user_id AND (date_start <= NOW() AND date_end >= NOW() OR date_start='0000-00-00') - ORDER BY date_start, date_end, name",__FILE__,__LINE__); + ORDER BY date_start, date_end, name"; + $result = api_sql_query($sessions_sql,__FILE__,__LINE__); $sessions = array_merge($sessions , api_store_result($result)); @@ -1056,7 +1060,7 @@ class UserManager $course_list_sql_result = api_sql_query($personal_course_list_sql, __FILE__, __LINE__); - while ($result_row = mysql_fetch_array($course_list_sql_result)) + while ($result_row = Database::fetch_array($course_list_sql_result)) { $result_row['s'] = 2; $key = $result_row['id_session'].' - '.$result_row['k']; @@ -1085,7 +1089,7 @@ class UserManager $course_list_sql_result = api_sql_query($personal_course_list_sql, __FILE__, __LINE__); - while ($result_row = mysql_fetch_array($course_list_sql_result)) + while ($result_row = Database::fetch_array($course_list_sql_result)) { $key = $result_row['id_session'].' - '.$result_row['k']; $result_row['s'] = $result_row['14'];