[svn r14713] Fixed a few risky queries

Fixed the AJAX callback crashing when a user was not subscribed to any course (see FS#2417)
skala
Yannick Warnier 17 years ago
parent d4162eb6c3
commit 53fd169f0c
  1. 53
      main/admin/user_list.php
  2. 42
      main/inc/lib/usermanager.lib.php

@ -1,9 +1,9 @@
<?php // $Id: user_list.php 14708 2008-03-31 13:25:44Z pcool $ <?php // $Id: user_list.php 14713 2008-04-02 04:58:20Z yannoo $
/* /*
============================================================================== ==============================================================================
Dokeos - elearning and course management software Dokeos - elearning and course management software
Copyright (c) 2004 Dokeos S.A. Copyright (c) 2004-2008 Dokeos S.A.
Copyright (c) 2003 Ghent University (UGent) Copyright (c) 2003 Ghent University (UGent)
Copyright (c) 2001 Universite catholique de Louvain (UCL) Copyright (c) 2001 Universite catholique de Louvain (UCL)
Copyright (c) Olivier Brouckaert Copyright (c) Olivier Brouckaert
@ -18,7 +18,7 @@
See the GNU General Public License for more details. See the GNU General Public License for more details.
Contact: Dokeos, 181 rue Royale, B-1000 Brussels, Belgium, info@dokeos.com Contact: Dokeos, rue du Corbeau, 108, B-1030 Brussels, Belgium, info@dokeos.com
============================================================================== ==============================================================================
*/ */
/** /**
@ -49,11 +49,18 @@ function courses_of_user($arg)
// put it into a variable like $newContent // put it into a variable like $newContent
//$newContent = 'werkt het? en met een beetje meer text, wordt dat goed opgelost? '; //$newContent = 'werkt het? en met een beetje meer text, wordt dat goed opgelost? ';
$personal_course_list = UserManager::get_personal_session_course_list($arg); $personal_course_list = UserManager::get_personal_session_course_list($arg);
foreach ($personal_course_list as $key=>$course) $newContent = '';
if(count($personal_course_list)>0)
{ {
$newContent .= $course['i'].'<br />'; foreach ($personal_course_list as $key=>$course)
{
$newContent .= $course['i'].'<br />';
}
} }
else
{
$newContent .= '- '.get_lang('None').' -<br />';
}
// Instantiate the xajaxResponse object // Instantiate the xajaxResponse object
$objResponse = new xajaxResponse(); $objResponse = new xajaxResponse();
@ -170,11 +177,11 @@ function login_user($user_id)
$sql_result = api_sql_query($sql_query, __FILE__, __LINE__); $sql_result = api_sql_query($sql_query, __FILE__, __LINE__);
if (mysql_num_rows($sql_result) > 0) if (Database::num_rows($sql_result) > 0)
{ {
// Extracting the user data // Extracting the user data
$user_data = mysql_fetch_array($sql_result); $user_data = Database::fetch_array($sql_result);
//Delog the current user //Delog the current user
@ -228,17 +235,17 @@ function get_number_of_users()
$sql = "SELECT COUNT(u.user_id) AS total_number_of_items FROM $user_table u"; $sql = "SELECT COUNT(u.user_id) AS total_number_of_items FROM $user_table u";
if (isset ($_GET['keyword'])) if (isset ($_GET['keyword']))
{ {
$keyword = mysql_real_escape_string($_GET['keyword']); $keyword = Database::escape_string($_GET['keyword']);
$sql .= " WHERE u.firstname LIKE '%".$keyword."%' OR u.lastname LIKE '%".$keyword."%' OR u.email LIKE '%".$keyword."%' OR u.official_code LIKE '%".$keyword."%'"; $sql .= " WHERE u.firstname LIKE '%".$keyword."%' OR u.lastname LIKE '%".$keyword."%' OR u.email LIKE '%".$keyword."%' OR u.official_code LIKE '%".$keyword."%'";
} }
elseif (isset ($_GET['keyword_firstname'])) elseif (isset ($_GET['keyword_firstname']))
{ {
$admin_table = Database :: get_main_table(TABLE_MAIN_ADMIN); $admin_table = Database :: get_main_table(TABLE_MAIN_ADMIN);
$keyword_firstname = mysql_real_escape_string($_GET['keyword_firstname']); $keyword_firstname = Database::escape_string($_GET['keyword_firstname']);
$keyword_lastname = mysql_real_escape_string($_GET['keyword_lastname']); $keyword_lastname = Database::escape_string($_GET['keyword_lastname']);
$keyword_email = mysql_real_escape_string($_GET['keyword_email']); $keyword_email = Database::escape_string($_GET['keyword_email']);
$keyword_username = mysql_real_escape_string($_GET['keyword_username']); $keyword_username = Database::escape_string($_GET['keyword_username']);
$keyword_status = mysql_real_escape_string($_GET['keyword_status']); $keyword_status = Database::escape_string($_GET['keyword_status']);
$query_admin_table = ''; $query_admin_table = '';
$keyword_admin = ''; $keyword_admin = '';
if($keyword_status == 10) if($keyword_status == 10)
@ -267,7 +274,7 @@ function get_number_of_users()
} }
} }
$res = api_sql_query($sql, __FILE__, __LINE__); $res = api_sql_query($sql, __FILE__, __LINE__);
$obj = mysql_fetch_object($res); $obj = Database::fetch_object($res);
return $obj->total_number_of_items; return $obj->total_number_of_items;
} }
/** /**
@ -292,17 +299,17 @@ function get_user_data($from, $number_of_items, $column, $direction)
$user_table u"; $user_table u";
if (isset ($_GET['keyword'])) if (isset ($_GET['keyword']))
{ {
$keyword = mysql_real_escape_string($_GET['keyword']); $keyword = Database::escape_string($_GET['keyword']);
$sql .= " WHERE u.firstname LIKE '%".$keyword."%' OR u.lastname LIKE '%".$keyword."%' OR u.username LIKE '%".$keyword."%' OR u.official_code LIKE '%".$keyword."%'"; $sql .= " WHERE u.firstname LIKE '%".$keyword."%' OR u.lastname LIKE '%".$keyword."%' OR u.username LIKE '%".$keyword."%' OR u.official_code LIKE '%".$keyword."%'";
} }
elseif (isset ($_GET['keyword_firstname'])) elseif (isset ($_GET['keyword_firstname']))
{ {
$admin_table = Database :: get_main_table(TABLE_MAIN_ADMIN); $admin_table = Database :: get_main_table(TABLE_MAIN_ADMIN);
$keyword_firstname = mysql_real_escape_string($_GET['keyword_firstname']); $keyword_firstname = Database::escape_string($_GET['keyword_firstname']);
$keyword_lastname = mysql_real_escape_string($_GET['keyword_lastname']); $keyword_lastname = Database::escape_string($_GET['keyword_lastname']);
$keyword_email = mysql_real_escape_string($_GET['keyword_email']); $keyword_email = Database::escape_string($_GET['keyword_email']);
$keyword_username = mysql_real_escape_string($_GET['keyword_username']); $keyword_username = Database::escape_string($_GET['keyword_username']);
$keyword_status = mysql_real_escape_string($_GET['keyword_status']); $keyword_status = Database::escape_string($_GET['keyword_status']);
$query_admin_table = ''; $query_admin_table = '';
$keyword_admin = ''; $keyword_admin = '';
if($keyword_status == 10) if($keyword_status == 10)
@ -333,7 +340,7 @@ function get_user_data($from, $number_of_items, $column, $direction)
$sql .= " LIMIT $from,$number_of_items"; $sql .= " LIMIT $from,$number_of_items";
$res = api_sql_query($sql, __FILE__, __LINE__); $res = api_sql_query($sql, __FILE__, __LINE__);
$users = array (); $users = array ();
while ($user = mysql_fetch_row($res)) while ($user = Database::fetch_row($res))
{ {
$users[] = $user; $users[] = $user;
} }
@ -438,7 +445,7 @@ function lock_unlock_user($status,$user_id)
if(($status_db=='1' OR $status_db=='0') AND is_numeric($user_id)) if(($status_db=='1' OR $status_db=='0') AND is_numeric($user_id))
{ {
$sql="UPDATE $user_table SET active='".mysql_real_escape_string($status_db)."' WHERE user_id='".mysql_real_escape_string($user_id)."'"; $sql="UPDATE $user_table SET active='".Database::escape_string($status_db)."' WHERE user_id='".Database::escape_string($user_id)."'";
$result = api_sql_query($sql, __FILE__, __LINE__); $result = api_sql_query($sql, __FILE__, __LINE__);
} }
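Review bot: The `LIMIT $from,$number_of_items` clause in the `@ -333,7 +340,7` hunk of get_user_data still interpolates both values raw, so the mysql_real_escape_string → Database::escape_string swap this commit makes elsewhere in the file does not cover them; if SortableTable derives them from the request (the caller is not visible here) they remain injectable. Since both must be integers, cast them instead of escaping: `$from = (int) $from; $number_of_items = (int) $number_of_items;` immediately before `$sql .= " LIMIT $from,$number_of_items";`. The same concern applies to `$column` and `$direction`, whose ORDER BY use lies outside this hunk, and to `$keyword_status`, which `Database::escape_string` only protects if it is placed inside quotes in the WHERE clause. get_user_data begins and ends outside the visible hunks.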

@ -1,9 +1,9 @@
<?php <?php // $Id: usermanager.lib.php 14713 2008-04-02 04:58:20Z yannoo $
/* /*
============================================================================== ==============================================================================
Dokeos - elearning and course management software Dokeos - elearning and course management software
Copyright (c) 2004 Dokeos S.A. Copyright (c) 2004-2008 Dokeos S.A.
Copyright (c) 2003 Ghent University (UGent) Copyright (c) 2003 Ghent University (UGent)
Copyright (c) 2001 Universite catholique de Louvain (UCL) Copyright (c) 2001 Universite catholique de Louvain (UCL)
Copyright (c) various contributors Copyright (c) various contributors
@ -19,7 +19,7 @@
See the GNU General Public License for more details. See the GNU General Public License for more details.
Contact: Dokeos, 181 rue Royale, B-1000 Brussels, Belgium, info@dokeos.com Contact: Dokeos, rue du Corbeau, 108, B-1030 Brussels, Belgium, info@dokeos.com
============================================================================== ==============================================================================
*/ */
/** /**
@ -965,10 +965,11 @@ class UserManager
function get_personal_session_course_list($user_id) function get_personal_session_course_list($user_id)
{ {
// Database Table Definitions // Database Table Definitions
$main_course_user_table = Database :: get_main_table(TABLE_MAIN_COURSE_USER); $tbl_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
$tbl_course = Database :: get_main_table(TABLE_MAIN_COURSE); $tbl_course = Database :: get_main_table(TABLE_MAIN_COURSE);
$tbl_user = Database :: get_main_table(TABLE_MAIN_USER); $tbl_user = Database :: get_main_table(TABLE_MAIN_USER);
$tbl_session = Database :: get_main_table(TABLE_MAIN_SESSION); $tbl_session = Database :: get_main_table(TABLE_MAIN_SESSION);
$tbl_session_user = Database :: get_main_table(TABLE_MAIN_SESSION_USER);
$tbl_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER); $tbl_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
$tbl_session_course = Database :: get_main_table(TABLE_MAIN_SESSION_COURSE); $tbl_session_course = Database :: get_main_table(TABLE_MAIN_SESSION_COURSE);
$tbl_session_course_user = Database :: get_main_table(TABLE_MAIN_SESSION_COURSE_USER); $tbl_session_course_user = Database :: get_main_table(TABLE_MAIN_SESSION_COURSE_USER);
@ -986,53 +987,56 @@ class UserManager
AND course_rel_user.user_id = '".$user_id."' AND course_rel_user.user_id = '".$user_id."'
ORDER BY course_rel_user.user_course_cat, course_rel_user.sort ASC,i";*/ ORDER BY course_rel_user.user_course_cat, course_rel_user.sort ASC,i";*/
$tbl_user_course_category = Database :: get_user_personal_database(); $tbl_user_course_category = Database :: get_user_personal_table(TABLE_USER_COURSE_CATEGORY);
$personal_course_list_sql = "SELECT course.code k, course.directory d, course.visual_code c, course.db_name db, course.title i, course.tutor_name t, course.course_language l, course_rel_user.status s, course_rel_user.sort sort, course_rel_user.user_course_cat user_course_cat $personal_course_list_sql = "SELECT course.code k, course.directory d, course.visual_code c, course.db_name db, course.title i, course.tutor_name t, course.course_language l, course_rel_user.status s, course_rel_user.sort sort, course_rel_user.user_course_cat user_course_cat
FROM ".$main_course_user_table."course_rel_user FROM ".$tbl_course_user." course_rel_user
LEFT JOIN ".$tbl_course."course LEFT JOIN ".$tbl_course." course
ON course.code = course_rel_user.course_code ON course.code = course_rel_user.course_code
LEFT JOIN `".$tbl_user_course_category."`.`user_course_category` LEFT JOIN ".$tbl_user_course_category." user_course_category
ON course_rel_user.user_course_cat = user_course_category.id ON course_rel_user.user_course_cat = user_course_category.id
WHERE course_rel_user.user_id = '".$user_id."' WHERE course_rel_user.user_id = '".$user_id."'
ORDER BY user_course_category.sort, course_rel_user.sort ASC,i"; ORDER BY user_course_category.sort, course_rel_user.sort ASC, i";
$course_list_sql_result = api_sql_query($personal_course_list_sql, __FILE__, __LINE__); $course_list_sql_result = api_sql_query($personal_course_list_sql, __FILE__, __LINE__);
while ($result_row = mysql_fetch_array($course_list_sql_result)) while ($result_row = Database::fetch_array($course_list_sql_result))
{ {
$personal_course_list[] = $result_row; $personal_course_list[] = $result_row;
} }
// get the list of sessions where the user is subscribed as student // get the list of sessions where the user is subscribed as student
$result=api_sql_query("SELECT DISTINCT id, name, date_start, date_end $sessions_sql = "SELECT DISTINCT id, name, date_start, date_end
FROM session_rel_user, session FROM $tbl_session_user, $tbl_session
WHERE id_session=id AND id_user=$user_id WHERE id_session=id AND id_user=$user_id
AND (date_start <= NOW() AND date_end >= NOW() OR date_start='0000-00-00') AND (date_start <= NOW() AND date_end >= NOW() OR date_start='0000-00-00')
ORDER BY date_start, date_end, name",__FILE__,__LINE__); ORDER BY date_start, date_end, name";
$result = api_sql_query($sessions_sql,__FILE__,__LINE__);
$sessions=api_store_result($result); $sessions=api_store_result($result);
$sessions = array_merge($sessions , api_store_result($result)); $sessions = array_merge($sessions , api_store_result($result));
// get the list of sessions where the user is subscribed as coach in a course // get the list of sessions where the user is subscribed as coach in a course
$result=api_sql_query("SELECT DISTINCT id, name, date_start, date_end $sessions_sql = "SELECT DISTINCT id, name, date_start, date_end
FROM $tbl_session as session FROM $tbl_session as session
INNER JOIN $tbl_session_course as session_rel_course INNER JOIN $tbl_session_course as session_rel_course
ON session_rel_course.id_coach = $user_id ON session_rel_course.id_coach = $user_id
AND (date_start <= NOW() AND date_end >= NOW() OR date_start='0000-00-00') AND (date_start <= NOW() AND date_end >= NOW() OR date_start='0000-00-00')
ORDER BY date_start, date_end, name",__FILE__,__LINE__); ORDER BY date_start, date_end, name";
$result = api_sql_query($sessions_sql,__FILE__,__LINE__);
$session_is_coach = api_store_result($result); $session_is_coach = api_store_result($result);
$sessions = array_merge($sessions , $session_is_coach); $sessions = array_merge($sessions , $session_is_coach);
// get the list of sessions where the user is subscribed as coach // get the list of sessions where the user is subscribed as coach
$result=api_sql_query("SELECT DISTINCT id, name, date_start, date_end $sessions_sql = "SELECT DISTINCT id, name, date_start, date_end
FROM $tbl_session as session FROM $tbl_session as session
WHERE session.id_coach = $user_id WHERE session.id_coach = $user_id
AND (date_start <= NOW() AND date_end >= NOW() OR date_start='0000-00-00') AND (date_start <= NOW() AND date_end >= NOW() OR date_start='0000-00-00')
ORDER BY date_start, date_end, name",__FILE__,__LINE__); ORDER BY date_start, date_end, name";
$result = api_sql_query($sessions_sql,__FILE__,__LINE__);
$sessions = array_merge($sessions , api_store_result($result)); $sessions = array_merge($sessions , api_store_result($result));
@ -1056,7 +1060,7 @@ class UserManager
$course_list_sql_result = api_sql_query($personal_course_list_sql, __FILE__, __LINE__); $course_list_sql_result = api_sql_query($personal_course_list_sql, __FILE__, __LINE__);
while ($result_row = mysql_fetch_array($course_list_sql_result)) while ($result_row = Database::fetch_array($course_list_sql_result))
{ {
$result_row['s'] = 2; $result_row['s'] = 2;
$key = $result_row['id_session'].' - '.$result_row['k']; $key = $result_row['id_session'].' - '.$result_row['k'];
@ -1085,7 +1089,7 @@ class UserManager
$course_list_sql_result = api_sql_query($personal_course_list_sql, __FILE__, __LINE__); $course_list_sql_result = api_sql_query($personal_course_list_sql, __FILE__, __LINE__);
while ($result_row = mysql_fetch_array($course_list_sql_result)) while ($result_row = Database::fetch_array($course_list_sql_result))
{ {
$key = $result_row['id_session'].' - '.$result_row['k']; $key = $result_row['id_session'].' - '.$result_row['k'];
$result_row['s'] = $result_row['14']; $result_row['s'] = $result_row['14'];
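Review bot: `$user_id` is concatenated unescaped into every query of get_personal_session_course_list — quoted but unescaped in `course_rel_user.user_id = '".$user_id."'` and bare in `id_user=$user_id`, `session_rel_course.id_coach = $user_id` and `session.id_coach = $user_id` — and the AJAX fix in user_list.php passes it straight from the xajax argument, so the "risky queries" fix in this commit does not reach this function. Because user_id is an integer key, coerce it once right after the table definitions: `$user_id = intval($user_id);`, which makes all four interpolations safe regardless of quoting. Separately, the two consecutive `api_store_result($result)` calls after the student-sessions query look like a leftover: the second runs on an already-consumed result and presumably adds nothing, so `$sessions = api_store_result($result);` alone should suffice. The function's body continues past the last visible hunk.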
