From 616eb89aa96f12570056f81a9b4e0bdf211e8fb8 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Mon, 1 Mar 2010 10:31:16 -0500
Subject: [PATCH] Security issue: intval function added

---
 main/calendar/agenda.inc.php | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/main/calendar/agenda.inc.php b/main/calendar/agenda.inc.php
index bda2ebb77e..de93bbabda 100755
--- a/main/calendar/agenda.inc.php
+++ b/main/calendar/agenda.inc.php
@@ -1649,22 +1649,21 @@ function store_edited_agenda_item($id_attach,$file_comment)
 */
 function save_edit_agenda_item($id,$title,$content,$start_date,$end_date)
 {
-	$TABLEAGENDA 		= Database::get_course_table(TABLE_AGENDA);
-	$id=Database::escape_string($id);
-	$title=Database::escape_string(Security::remove_XSS($title));
-	$content=stripslashes($content);
-	$content = Database::escape_string(Security::remove_XSS($content,COURSEMANAGERLOWSECURITY));
-	$start_date=Database::escape_string($start_date);
-	$end_date=Database::escape_string($end_date);
+	$TABLEAGENDA= Database::get_course_table(TABLE_AGENDA);
+	$id			= Database::escape_string($id);
+	$title		= Database::escape_string(Security::remove_XSS($title));	
+	$content 	= Database::escape_string(Security::remove_XSS($content,COURSEMANAGERLOWSECURITY));
+	$start_date	= Database::escape_string($start_date);
+	$end_date	= Database::escape_string($end_date);
 
 	// store the modifications in the table calendar_event
 	$sql = "UPDATE ".$TABLEAGENDA."
-								SET title='".$title."',
-									content='".$content."',
-									start_date='".$start_date."',
-									end_date='".$end_date."'
-								WHERE id='".$id."'";
-	$result = Database::query($sql) or die (Database::error());
+			SET title		='".$title."',
+				content		='".$content."',
+				start_date	='".$start_date."',
+				end_date	='".$end_date."'
+			WHERE id='".$id."'";
+	$result = Database::query($sql);
 	return true;
 }
 
@@ -1687,7 +1686,7 @@ function delete_agenda_item($id)
 		{
 		    $t_agenda     = Database::get_course_table(TABLE_AGENDA);
             $t_agenda_r   = Database::get_course_table(TABLE_AGENDA_REPEAT);
-            $id=(int)addslashes($_GET['id']);
+            $id=intval($_GET['id']);
             $sql = "SELECT * FROM $t_agenda_r WHERE cal_id = $id";
             $res = Database::query($sql);
             if(Database::num_rows($res)>0)