diff --git a/main/survey/create_new_survey.php b/main/survey/create_new_survey.php index 94aa2cbd66..8c77a0622a 100644 --- a/main/survey/create_new_survey.php +++ b/main/survey/create_new_survey.php @@ -25,7 +25,7 @@ * @author unknown, the initial survey that did not make it in 1.8 because of bad code * @author Patrick Cool , Ghent University: cleanup, refactoring and rewriting large parts (if not all) of the code * @author Julio Montoya Armas , Dokeos: Personality Test modification and rewriting large parts of the code -* @version $Id: create_new_survey.php 19000 2009-03-12 15:48:07Z juliomontoya $ +* @version $Id: create_new_survey.php 19004 2009-03-12 18:04:08Z juliomontoya $ * * @todo only the available platform languages should be used => need an api get_languages and and api_get_available_languages (or a parameter) */ @@ -82,11 +82,11 @@ if (!api_is_allowed_to_edit()) } // getting the survey information -$survey_data = survey_manager::get_survey($_GET['survey_id']); -$urlname =substr(html_entity_decode($survey_data['title'],ENT_QUOTES,$charset), 0, 40); +$survey_id = Security::remove_XSS($_GET['survey_id']); +$survey_data = survey_manager::get_survey($survey_id); -if (strlen(strip_tags($survey_data['title'])) > 40) -{ +$urlname =strip_tags(substr(html_entity_decode($survey_data['title'],ENT_QUOTES,$charset), 0, 40)); +if (strlen(strip_tags($survey_data['title'])) > 40) { $urlname .= '...'; } 
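Review bot: `Security::remove_XSS($_GET['survey_id'])` is a markup filter, not a type check, so `survey_manager::get_survey($survey_id)` still runs on whatever string arrives and, for `action=add` where no id is presumably sent, on an undefined index. The other survey pages in this commit validate first; `$survey_id = isset($_GET['survey_id']) ? (int) $_GET['survey_id'] : 0;` would give the later `is_numeric`/`!empty` tests a firm integer to work with. Since `get_survey()` now returns an empty array for an unknown id (survey.lib.php hunk below), the `$urlname` line dereferences `$survey_data['title']` on an empty array when the id does not exist; the `if (empty($survey_data))` guard added to preview.php and question.php is missing here.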
@@ -96,18 +96,18 @@ if ($_GET['action'] == 'add') $interbreadcrumb[] = array ("url" => "survey_list.php", "name" => get_lang('SurveyList')); $tool_name = get_lang('CreateNewSurvey'); } -if ($_GET['action'] == 'edit' && is_numeric($_GET['survey_id'])) +if ($_GET['action'] == 'edit' && is_numeric($survey_id)) { $interbreadcrumb[] = array ("url" => "survey_list.php", "name" => get_lang('SurveyList')); - $interbreadcrumb[] = array ("url" => "survey.php?survey_id=".$_GET['survey_id'], "name" => $urlname); + $interbreadcrumb[] = array ("url" => "survey.php?survey_id=".$survey_id, "name" => strip_tags($urlname)); $tool_name = get_lang('EditSurvey'); } // getting the default values -if ($_GET['action'] == 'edit' AND isset($_GET['survey_id']) AND is_numeric($_GET['survey_id'])) +if ($_GET['action'] == 'edit' AND isset($survey_id) AND is_numeric($survey_id)) { $defaults = $survey_data; - $defaults['survey_id'] = $_GET['survey_id']; + $defaults['survey_id'] = $survey_id; /* $defaults['survey_share'] = array(); $defaults['survey_share']['survey_share'] = $survey_data['survey_share']; @@ -136,10 +136,10 @@ else } // initiate the object -$form = new FormValidator('survey', 'post', api_get_self().'?action='.Security::remove_XSS($_GET['action']).'&survey_id='.Security::remove_XSS($_GET['survey_id'])); +$form = new FormValidator('survey', 'post', api_get_self().'?action='.Security::remove_XSS($_GET['action']).'&survey_id='.$survey_id); // settting the form elements -if ($_GET['action'] == 'edit' AND isset($_GET['survey_id']) AND is_numeric($_GET['survey_id'])) +if ($_GET['action'] == 'edit' AND isset($survey_id) AND is_numeric($survey_id)) { $form->addElement('hidden', 'survey_id'); } 
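Review bot: `isset($survey_id)` in the two `edit` conditions is now always true, because `$survey_id` is assigned unconditionally earlier in the file, so only `is_numeric($survey_id)` still guards; either test `$_GET['survey_id']` or drop it: `if ($_GET['action'] == 'edit' AND is_numeric($survey_id))`. The same condition appears in the `@@ -136` hunk and should change together with this one. `strip_tags($urlname)` in the breadcrumb is redundant, as `$urlname` is already built with `strip_tags()` in the previous hunk.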
@@ -151,7 +151,7 @@ if ($_GET['action'] == 'edit') { } $fck_attribute['Width'] = '100%'; -$fck_attribute['Height'] = '120'; +$fck_attribute['Height'] = '200'; $fck_attribute['ToolbarSet'] = 'Survey'; $form->addElement('html_editor', 'survey_title', get_lang('SurveyTitle')); $fck_attribute['Config']['ToolbarStartExpanded']='false'; @@ -171,7 +171,7 @@ $form->addElement('datepickerdate', 'end_date', get_lang('EndDate'), array('form /** TODO maybe it is better to change this into false instead see line 95 in survey.lib.php */ //$group[] =& HTML_QuickForm::createElement('radio', 'survey_share',null, get_lang('No'),0); -$fck_attribute['Height'] = '150'; +$fck_attribute['Height'] = '130'; //$form->addGroup($group, 'survey_share', get_lang('ShareSurvey'), ' '); $form->addElement('checkbox', 'anonymous', get_lang('Anonymous')); $form->addElement('html_editor', 'survey_introduction', get_lang('SurveyIntroduction')); @@ -210,7 +210,7 @@ if ($survey_data['survey_type']==1 || $_GET['action'] == 'add' ) $form->addElement('checkbox', 'shuffle', get_lang('ActivateShuffle')); } -if ((isset($_GET['action']) && $_GET['action'] == 'edit') && !empty($_GET['survey_id']) ) +if ((isset($_GET['action']) && $_GET['action'] == 'edit') && !empty($survey_id) ) { if ($survey_data['anonymous']==0 ) { // Aditional Parameters @@ -312,25 +312,18 @@ if( $form->validate() ) { // displaying a feedback message Display::display_confirmation_message($return['message'], false); - } - else - { + } else { // redirecting to the survey page (whilst showing the return message header('location:survey.php?survey_id='.$return['id'].'&message='.$return['message']); } -} -else -{ +} else { // Displaying the header Display::display_header($tool_name); - // Displaying the tool title //api_display_tool_title($tool_name); - // display the form $form->display(); } - // Footer Display :: display_footer(); ?> \ No newline at end of file 
diff --git a/main/survey/preview.php b/main/survey/preview.php index f8fdae367c..94592cb2f8 100644 --- a/main/survey/preview.php +++ b/main/survey/preview.php 
@@ -47,31 +47,38 @@ $table_course = Database :: get_main_table(TABLE_MAIN_COURSE); $table_user = Database :: get_main_table(TABLE_MAIN_USER); // We exit here if ther is no valid $_GET parameter -if (!isset($_GET['survey_id']) OR !is_numeric($_GET['survey_id'])) -{ - Display :: display_header(); +if (!isset($_GET['survey_id']) OR !is_numeric($_GET['survey_id'])){ + Display :: display_header(get_lang('SurveyPreview')); Display :: display_error_message(get_lang('InvallidSurvey'), false); Display :: display_footer(); exit; } + // getting the survey information -$survey_data = survey_manager::get_survey($_GET['survey_id']); -$urlname = substr(html_entity_decode($survey_data['title'],ENT_QUOTES,$charset), 0, 40); -if (strlen(strip_tags($survey_data['title'])) > 40) -{ +$survey_id = Security::remove_XSS($_GET['survey_id']); +$survey_data = survey_manager::get_survey($survey_id); +if (empty($survey_data)) { + Display :: display_header(get_lang('SurveyPreview')); + Display :: display_error_message(get_lang('InvallidSurvey'), false); + Display :: display_footer(); + exit; +} + +$urlname = strip_tags(substr(html_entity_decode($survey_data['title'],ENT_QUOTES,$charset), 0, 40)); +if (strlen(strip_tags($survey_data['title'])) > 40) { $urlname .= '...'; } // breadcrumbs $interbreadcrumb[] = array ("url" => 'survey_list.php', 'name' => get_lang('SurveyList')); -$interbreadcrumb[] = array ("url" => "survey.php?survey_id=".$_GET['survey_id'], "name" => $urlname); +$interbreadcrumb[] = array ("url" => "survey.php?survey_id=".$survey_id, "name" => $urlname); // Header Display :: display_header(get_lang('SurveyPreview')); // We exit here is the first or last question is a pagebreak (which causes errors) -SurveyUtil::check_first_last_question($_GET['survey_id'], false); +SurveyUtil::check_first_last_question($survey_id, false); // only a course admin is allowed to preview a survey: you are NOT a course admin => error message if (!api_is_allowed_to_edit(false,true)) 
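Review bot: the identical four-line "invalid survey" block (header, error message, footer, exit) appears twice in this hunk and again in question.php, reporting.php, survey_invitation.php and survey_invite.php in this commit; a small helper in survey.lib.php would keep that exit path in one place. Once `is_numeric()` has passed, `Security::remove_XSS()` adds nothing — `$survey_id = (int) $_GET['survey_id'];` states the intent, and the cast also normalises forms such as exponent notation that `is_numeric` accepts. Otherwise the order here is right: validate the parameter, load, check for an empty result, then build the breadcrumb.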
@@ -107,7 +114,7 @@ else $questions_displayed = array(); $counter = 0; $sql = "SELECT * FROM $table_survey_question - WHERE survey_id = '".Database::escape_string($_GET['survey_id'])."' + WHERE survey_id = '".Database::escape_string($survey_id)."' ORDER BY sort ASC"; $result = api_sql_query($sql, __FILE__, __LINE__); @@ -130,7 +137,7 @@ else FROM $table_survey_question survey_question LEFT JOIN $table_survey_question_option survey_question_option ON survey_question.question_id = survey_question_option.question_id - WHERE survey_question.survey_id = '".Database::escape_string($_GET['survey_id'])."' + WHERE survey_question.survey_id = '".Database::escape_string($survey_id)."' AND survey_question.question_id IN (".Database::escape_string(implode(',',$paged_questions[$_GET['show']])).") ORDER BY survey_question.sort, survey_question_option.sort ASC"; @@ -162,7 +169,7 @@ else } } // selecting the maximum number of pages - $sql = "SELECT * FROM $table_survey_question WHERE type='".Database::escape_string('pagebreak')."' AND survey_id='".Database::escape_string($_GET['survey_id'])."'"; + $sql = "SELECT * FROM $table_survey_question WHERE type='".Database::escape_string('pagebreak')."' AND survey_id='".Database::escape_string($survey_id)."'"; $result = api_sql_query($sql, __FILE__, __LINE__); $numberofpages = Database::num_rows($result) + 1; // Displaying the form with the questions @@ -174,7 +181,7 @@ else { $show = 0; } - echo '
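Review bot: in the query rewritten in the `@@ -130` hunk, the `IN (...)` clause on the line after the changed one is still built from `implode(',', $paged_questions[$_GET['show']])`, where `$_GET['show']` is used unvalidated as an array index; a value that is not a page number yields an undefined-index notice and an empty `IN ()`, which is a SQL syntax error. If `$show` (set in the `@@ -174` hunk) comes from the same parameter, derive it once with `$show = isset($_GET['show']) ? (int) $_GET['show'] : 0;` and use `$show` here, guarded by `isset($paged_questions[$show])`. The enclosing `else` block starts before these hunks.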
'; + echo ''; if(is_array($questions) && count($questions)>0) { foreach ($questions as $key=>$question) @@ -185,7 +192,7 @@ else } if (($show < $numberofpages) OR !$_GET['show']) { - //echo 'NEXT'; + //echo 'NEXT'; echo '
'; } if ($show >= $numberofpages AND $_GET['show']) diff --git a/main/survey/question.php b/main/survey/question.php index c890935056..968ae854bd 100644 --- a/main/survey/question.php +++ b/main/survey/question.php @@ -23,7 +23,7 @@ * @package dokeos.survey * @author unknown, the initial survey that did not make it in 1.8 because of bad code * @author Patrick Cool , Ghent University: cleanup, refactoring and rewriting large parts of the code -* @version $Id: question.php 18472 2009-02-12 18:00:38Z juliomontoya $ +* @version $Id: question.php 19004 2009-03-12 18:04:08Z juliomontoya $ */ // name of the language file that needs to be included @@ -45,7 +45,6 @@ if (!api_is_allowed_to_edit(false,true)) { } // Database table definitions -/** @todo use database constants for the survey tables */ $table_survey = Database :: get_course_table(TABLE_SURVEY); $table_survey_question = Database :: get_course_table(TABLE_SURVEY_QUESTION); $table_survey_question_option = Database :: get_course_table(TABLE_SURVEY_QUESTION_OPTION); @@ -54,6 +53,14 @@ $table_user = Database :: get_main_table(TABLE_MAIN_USER); // getting the survey information $survey_data = survey_manager::get_survey($_GET['survey_id']); +if (empty($survey_data)) { + Display :: display_header(get_lang('Survey')); + Display :: display_error_message(get_lang('InvallidSurvey'), false); + Display :: display_footer(); + exit; +} + + $urlname = substr(html_entity_decode($survey_data['title'],ENT_QUOTES,$charset), 0, 40); if (strlen(strip_tags($survey_data['title'])) > 40) { $urlname .= '...'; 
@@ -70,7 +77,7 @@ if($survey_data['survey_type']==1) { // breadcrumbs $interbreadcrumb[] = array ("url" => 'survey_list.php', 'name' => get_lang('SurveyList')); -$interbreadcrumb[] = array ("url" => 'survey.php?survey_id='.$_GET['survey_id'], 'name' => $urlname); +$interbreadcrumb[] = array ("url" => 'survey.php?survey_id='.Security::remove_XSS($_GET['survey_id']), 'name' => strip_tags($urlname)); // Tool name if ($_GET['action'] == 'add') { diff --git a/main/survey/reporting.php b/main/survey/reporting.php index a9f24a1253..90a50bf587 100644 --- a/main/survey/reporting.php +++ b/main/survey/reporting.php @@ -1,4 +1,4 @@ -, Ghent University: cleanup, refactoring and rewriting large parts of the code -* @version $Id: reporting.php 17927 2009-01-22 09:06:25Z pcool $ +* @version $Id: reporting.php 19004 2009-03-12 18:04:08Z juliomontoya $ * * @todo The question has to be more clearly indicated (same style as when filling the survey) */ @@ -38,6 +38,9 @@ $language_file = 'survey'; require ('../inc/global.inc.php'); require_once('survey.lib.php'); +$survey_id = Security::remove_XSS($_GET['survey_id']); + + // export /** * @todo use export_table_csv($data, $filename = 'export') 
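Review bot: `$survey_id = Security::remove_XSS($_GET['survey_id']);` is set once at the top of reporting.php and then reused in the export file name (`'survey_results_'.$survey_id.'.xls'`), the `Content-Description` header and the breadcrumb URLs in the following hunks, yet nothing in this file verifies it is numeric. `remove_XSS()` targets markup, not file names or header values, so `$survey_id = isset($_GET['survey_id']) ? (int) $_GET['survey_id'] : 0;` is the better single definition. The two blank lines after the assignment are stray whitespace.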
@@ -47,17 +50,17 @@ if ($_POST['export_report']) switch($_POST['export_format']) { case 'xls': - $survey_data = survey_manager::get_survey($_GET['survey_id']); - $filename = 'survey_results_'.$_GET['survey_id'].'.xls'; + $survey_data = survey_manager::get_survey($survey_id); + $filename = 'survey_results_'.$survey_id.'.xls'; $data = SurveyUtil::export_complete_report_xls($filename, $_GET['user_id']); exit; break; case 'csv': default: - $survey_data = survey_manager::get_survey($_GET['survey_id']); + $survey_data = survey_manager::get_survey($survey_id); $data = SurveyUtil::export_complete_report($_GET['user_id']); //$filename = 'fileexport.csv'; - $filename = 'survey_results_'.$_GET['survey_id'].'.csv'; + $filename = 'survey_results_'.$survey_id.'.csv'; header('Content-type: application/octet-stream'); header('Content-Type: application/force-download'); @@ -78,7 +81,6 @@ if ($_POST['export_report']) } header('Content-Description: '.$filename); header('Content-transfer-encoding: binary'); - echo $data; exit; break; @@ -110,8 +112,15 @@ $table_user = Database :: get_main_table(TABLE_MAIN_USER); $user_info = Database :: get_main_table(TABLE_MAIN_SURVEY_REMINDER); // getting the survey information -$survey_data = survey_manager::get_survey($_GET['survey_id']); -$urlname = substr(html_entity_decode($survey_data['title'],ENT_QUOTES,$charset), 0, 40); + +$survey_data = survey_manager::get_survey($survey_id); +if (empty($survey_data)) { + Display :: display_header(get_lang('Survey')); + Display :: display_error_message(get_lang('InvallidSurvey'), false); + Display :: display_footer(); + exit; +} +$urlname = strip_tags(substr(html_entity_decode($survey_data['title'],ENT_QUOTES,$charset), 0, 40)); if (strlen(strip_tags($survey_data['title'])) > 40) { $urlname .= '...'; 
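Review bot: the `@@ -78` hunk removes `echo $data;` from the CSV branch, so unless `SurveyUtil::export_complete_report()` now writes the export itself (not visible here), the download headers are sent and the script exits with an empty body; please confirm, and restore the `echo` if the helper only returns the data. In the `@@ -110` hunk the new `empty($survey_data)` guard sits after the export `switch`, which already calls `get_survey($survey_id)` and proceeds to the export without checking the result, so an unknown id still reaches the export code. The `break;` after `exit;` in both export cases is unreachable.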
@@ -119,14 +128,14 @@ if (strlen(strip_tags($survey_data['title'])) > 40) // breadcrumbs $interbreadcrumb[] = array ("url" => "survey_list.php", "name" => get_lang('SurveyList')); -$interbreadcrumb[] = array ('url' => 'survey.php?survey_id='.$_GET['survey_id'], 'name' => $urlname); +$interbreadcrumb[] = array ('url' => 'survey.php?survey_id='.$survey_id, 'name' => $urlname); if (!$_GET['action'] OR $_GET['action'] == 'overview') { $tool_name = get_lang('Reporting'); } else { - $interbreadcrumb[] = array ("url" => "reporting.php?survey_id=".$_GET['survey_id'], "name" => get_lang('Reporting')); + $interbreadcrumb[] = array ("url" => "reporting.php?survey_id=".$survey_id, "name" => get_lang('Reporting')); switch ($_GET['action']) { case 'questionreport': @@ -149,9 +158,8 @@ Display::display_header($tool_name,'Survey'); // Action handling SurveyUtil::handle_reporting_actions(); -if (!$_GET['action'] OR $_GET['action'] == 'overview') -{ - $myweb_survey_id = Security::remove_XSS($_GET['survey_id']); +if (!$_GET['action'] OR $_GET['action'] == 'overview') { + $myweb_survey_id = $survey_id; echo '
'.get_lang('DetailedReportByQuestionDetail').'
'; echo '
'.get_lang('DetailedReportByUserDetail').'.
'; echo '
'.get_lang('ComparativeReportDetail').'.
'; diff --git a/main/survey/survey.lib.php b/main/survey/survey.lib.php index f088fa9f51..a9457f89b1 100644 --- a/main/survey/survey.lib.php +++ b/main/survey/survey.lib.php @@ -24,7 +24,7 @@ * @package dokeos.survey * @author Patrick Cool , Ghent University: cleanup, refactoring and rewriting large parts (if not all) of the code @author Julio Montoya Armas , Dokeos: Personality Test modification and rewriting large parts of the code -* @version $Id: survey.lib.php 18925 2009-03-10 14:09:33Z ndieschburg $ +* @version $Id: survey.lib.php 19004 2009-03-12 18:04:08Z juliomontoya $ * * @todo move this file to inc/lib * @todo use consistent naming for the functions (save vs store for instance) 
@@ -64,29 +64,34 @@ class survey_manager $sql = "SELECT * FROM $table_survey WHERE survey_id='".Database::escape_string($survey_id)."'"; $result = api_sql_query($sql, __FILE__, __LINE__); - $return = Database::fetch_array($result,'ASSOC'); - - // we do this (temporarily) to have the array match the quickform elements immediately - // idealiter the fields in the db match the quickform fields - $return['survey_code'] = $return['code']; - $return['survey_title'] = $return['title']; - $return['survey_subtitle'] = $return['subtitle']; - $return['survey_language'] = $return['lang']; - $return['start_date'] = $return['avail_from']; - $return['end_date'] = $return['avail_till']; - $return['survey_share'] = $return['is_shared']; - $return['survey_introduction'] = $return['intro']; - $return['survey_thanks'] = $return['surveythanks']; - $return['survey_type'] = $return['survey_type']; - $return['one_question_per_page']= $return['one_question_per_page']; - - $return['show_form_profile'] = $return['show_form_profile']; - $return['input_name_list'] = $return['input_name_list']; + $return = array(); - $return['shuffle'] = $return['shuffle']; - $return['parent_id'] = $return['parent_id']; - $return['survey_version'] = $return['survey_version']; - return $return; + if (Database::num_rows($result)> 0) { + $return = Database::fetch_array($result,'ASSOC'); + // we do this (temporarily) to have the array match the quickform elements immediately + // idealiter the fields in the db match the quickform fields + $return['survey_code'] = $return['code']; + $return['survey_title'] = $return['title']; + $return['survey_subtitle'] = $return['subtitle']; + $return['survey_language'] = $return['lang']; + $return['start_date'] = $return['avail_from']; + $return['end_date'] = $return['avail_till']; + $return['survey_share'] = $return['is_shared']; + $return['survey_introduction'] = $return['intro']; + $return['survey_thanks'] = $return['surveythanks']; + $return['survey_type'] = 
$return['survey_type']; + $return['one_question_per_page']= $return['one_question_per_page']; + + $return['show_form_profile'] = $return['show_form_profile']; + $return['input_name_list'] = $return['input_name_list']; + + $return['shuffle'] = $return['shuffle']; + $return['parent_id'] = $return['parent_id']; + $return['survey_version'] = $return['survey_version']; + return $return; + } else { + return $return; + } } /** diff --git a/main/survey/survey.php b/main/survey/survey.php index 1270d3fecb..a63e0ac3ea 100644 --- a/main/survey/survey.php +++ b/main/survey/survey.php @@ -1,9 +1,9 @@ -, Ghent University: cleanup, refactoring and rewriting large parts of the code -* @version $Id: survey.php 17900 2009-01-21 17:02:59Z cvargas1 $ +* @version $Id: survey.php 19004 2009-03-12 18:04:08Z juliomontoya $ * * @todo use quickforms for the forms */ @@ -69,9 +66,9 @@ $interbreadcrumb[] = array ("url" => "survey_list.php", "name" => get_lang('Surv $survey_data = survey_manager::get_survey($_GET['survey_id']); if (substr($survey_data['title'],0,3)!='
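Review bot: both branches of the new `if/else` in `get_survey()` return `$return`, so the `else` and the inner `return` are redundant; keep `$return = array();`, the `if (Database::num_rows($result) > 0) { ... }` block without a return inside, and a single `return $return;` after it. The self-assignments (`$return['survey_type'] = $return['survey_type'];` and the six others like it) are no-ops that predate this change and can go with it. The return contract changed for every caller — an empty array instead of an array of nulls for an unknown id — so the docblock above this hunk should say `@return array survey row with quickform aliases, or an empty array when the id does not exist`; survey.php and create_new_survey.php in this commit still index the result without an `empty()` check.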

'){ - $tool_name = substr(html_entity_decode($survey_data['title'],ENT_QUOTES,$charset), 0, 40); + $tool_name = strip_tags(substr(html_entity_decode($survey_data['title'],ENT_QUOTES,$charset), 0, 40)); }else{ - $tool_name = substr(html_entity_decode(substr($survey_data['title'],3,-4),ENT_QUOTES,$charset), 0, 40); + $tool_name = strip_tags(substr(html_entity_decode(substr($survey_data['title'],3,-4),ENT_QUOTES,$charset), 0, 40)); } $is_survey_type_1 = ($survey_data['survey_type']==1)?true:false; if (strlen(strip_tags($survey_data['title'])) > 40) @@ -112,15 +109,12 @@ if($is_survey_type_1 && ($_GET['action']=='addgroup')||($_GET['action']=='delete Display::display_header($tool_name,'Survey'); // Action handling -if (isset($_GET['action'])) -{ - if (($_GET['action'] == 'moveup' OR $_GET['action'] == 'movedown') AND isset($_GET['question_id'])) - { +if (isset($_GET['action'])) { + if (($_GET['action'] == 'moveup' OR $_GET['action'] == 'movedown') AND isset($_GET['question_id'])) { survey_manager::move_survey_question($_GET['action'], $_GET['question_id'], $_GET['survey_id']); Display::display_confirmation_message(get_lang('SurveyQuestionMoved'), false); } - if ($_GET['action'] == 'delete' AND is_numeric($_GET['question_id'])) - { + if ($_GET['action'] == 'delete' AND is_numeric($_GET['question_id'])) { survey_manager::delete_survey_question($_GET['survey_id'], $_GET['question_id'], $survey_data['is_shared']); } } @@ -157,33 +151,25 @@ $survey_actions .= ''.Display::return_icon('statistics.gif', get_lang('Reporting')).' '.get_lang('Reporting').''; echo '
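Review bot: `$survey_data['title']` is read here without the `if (empty($survey_data))` guard this commit adds to preview.php, question.php, reporting.php and the invitation pages, and `get_survey()` now returns an empty array for an unknown id, so an invalid `survey_id` produces notices and an empty `$tool_name` instead of the `InvallidSurvey` page. Add the same four-line guard directly after `$survey_data = survey_manager::get_survey($_GET['survey_id']);`, the first context line of the hunk. The HTML literal compared with `substr($survey_data['title'],0,3)` is lost in this rendering, so the `3`/`-4` offsets cannot be checked against it here.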

'.$survey_actions.'
'; -//print_r($survey_data); - -if ($survey_data['survey_type']==0) -{ - echo ''; echo ''; } - - - // Displaying the table header with all the questions echo ''; echo ' '; @@ -192,19 +178,17 @@ echo ' '; echo ' '; echo ' '; echo ' '; -if($is_survey_type_1) -{ +if($is_survey_type_1) { echo ''; echo ''; } echo ' '; // Displaying the table contents with all the questions $question_counter = 1; -$sql = "SELECT * FROM $table_survey_question_group WHERE survey_id = '".(int)$_GET['survey_id']."' ORDER BY id"; +$sql = "SELECT * FROM $table_survey_question_group WHERE survey_id = '".Database::escape_string($_GET['survey_id'])."' ORDER BY id"; $result = api_sql_query($sql, __FILE__, __LINE__); $groups = array(); -while($row = Database::fetch_array($result)) -{ +while($row = Database::fetch_array($result)) { $groups[$row['id']] = $row['name']; } $sql = "SELECT survey_question.*, count(survey_question_option.question_option_id) as number_of_options @@ -216,17 +200,13 @@ $sql = "SELECT survey_question.*, count(survey_question_option.question_option_i ORDER BY survey_question.sort ASC"; $result = api_sql_query($sql, __FILE__, __LINE__); $question_counter_max = Database::num_rows($result); -while ($row = Database::fetch_array($result,'ASSOC')) -{ +while ($row = Database::fetch_array($result,'ASSOC')) { echo ''; echo ' '; echo ' '; @@ -274,19 +254,16 @@ if($is_survey_type_1) echo '
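Review bot: replacing `(int)$_GET['survey_id']` with `Database::escape_string($_GET['survey_id'])` in the group query weakens the check — the cast guaranteed an integer, while escape_string only escapes quote and backslash characters. It is tolerable here because the value is quoted, but the same substitution in the `@@ -274` hunk below (`WHERE id = '.Database::escape_string($_GET['gid']).' AND survey_id = '.Database::escape_string($_GET['survey_id'])`) places both values in unquoted numeric positions, where escaping quotes does not constrain the input and the original `(int)` cast was the only protection. Restore the casts in both places: `(int)$_GET['survey_id']` and `(int)$_GET['gid']`.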
'.get_lang('Title').''.get_lang('Type').''.get_lang('NumberOfOptions').''.get_lang('Modify').''.get_lang('Condition').''.get_lang('Group').'
'.$question_counter.''; - if (strlen($row['survey_question']) > 100) - { + if (strlen($row['survey_question']) > 100) { echo substr(strip_tags($row['survey_question']),0, 100).' ... '; - } - else - { + } else { echo $row['survey_question']; } echo '
'.get_lang('Name').''.get_lang('Description').'
'; echo ''; - if($_GET['action']=='editgroup') - { - $sql = 'SELECT name,description FROM '.$table_survey_question_group.' WHERE id = '.(int)$_GET['gid'].' AND survey_id = '.Database::escape_string($_GET['survey_id']).' limit 1'; + if($_GET['action']=='editgroup') { + $sql = 'SELECT name,description FROM '.$table_survey_question_group.' WHERE id = '.Database::escape_string($_GET['gid']).' AND survey_id = '.Database::escape_string($_GET['survey_id']).' limit 1'; $rs = api_sql_query($sql,__FILE__,__LINE__); $editedrow = Database::fetch_array($rs,'ASSOC'); echo ''; echo ''; - echo ''; - echo ''; - } - else - { + echo ''; + echo ''; + } else { echo ''; echo ''; echo ''. Display::return_icon('delete.gif', get_lang('Delete')).''. ''; - } - + } echo $grouplist.''; } diff --git a/main/survey/survey_invitation.php b/main/survey/survey_invitation.php index a55fd5fc8d..adf425c3e4 100644 --- a/main/survey/survey_invitation.php +++ b/main/survey/survey_invitation.php 
@@ -55,24 +55,41 @@ $table_course = Database :: get_main_table(TABLE_MAIN_COURSE); $table_user = Database :: get_main_table(TABLE_MAIN_USER); $table_survey_invitation = Database :: get_course_table(TABLE_SURVEY_INVITATION); +$tool_name = get_lang('SurveyInvitations'); + + // getting the survey information -$survey_data = survey_manager::get_survey($_GET['survey_id']); -$urlname =substr(html_entity_decode($survey_data['title'],ENT_QUOTES,$charset), 0, 40); -if (strlen(strip_tags($survey_data['title'])) > 40) +// We exit here if ther is no valid $_GET parameter +if (!isset($_GET['survey_id']) OR !is_numeric($_GET['survey_id'])) { + Display :: display_header($tool_name); + Display :: display_error_message(get_lang('InvallidSurvey'), false); + Display :: display_footer(); + exit; +} +$survey_id = Security::remove_XSS($_GET['survey_id']); +$survey_data = survey_manager::get_survey($survey_id); +if (empty($survey_data)) { + Display :: display_header($tool_name); + Display :: display_error_message(get_lang('InvallidSurvey'), false); + Display :: display_footer(); + exit; +} +$urlname =strip_tags(substr(html_entity_decode($survey_data['title'],ENT_QUOTES,$charset), 0, 40)); +if (strlen(strip_tags($survey_data['title'])) > 40) { $urlname .= '...'; } -// breadcrumbs +//breadcrumbs $interbreadcrumb[] = array ('url' => 'survey_list.php', 'name' => get_lang('SurveyList')); -$interbreadcrumb[] = array ('url' => 'survey.php?survey_id='.$_GET['survey_id'], 'name' => $urlname); -$tool_name = get_lang('SurveyInvitations'); +$interbreadcrumb[] = array ('url' => 'survey.php?survey_id='.$survey_id, 'name' => $urlname); + // Displaying the header Display::display_header($tool_name); // Checking the parameters -if (!is_numeric($_GET['survey_id'])) +if (!is_numeric($survey_id)) { Display::display_error_message(get_lang('Error'), false); Display::display_footer(); 
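Review bot: the trailing `if (!is_numeric($survey_id))` block at the end of this hunk (it continues into the `@@ -80` hunk) is now unreachable — the same test on `$_GET['survey_id']` already exits above, and `Security::remove_XSS()` cannot turn a numeric string into a non-numeric one — so it can be deleted together with its `display_error_message`/`display_footer` lines. With `is_numeric` already passed, `$survey_id = (int) $_GET['survey_id'];` is the clearer definition. The order used here (validate the parameter, load, check for an empty row, only then emit the header) is the pattern the other survey pages in this commit should follow.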
@@ -80,7 +97,7 @@ if (!is_numeric($_GET['survey_id'])) } // Getting all the people who have filled this survey -$answered_data = survey_manager::get_people_who_filled_survey($_GET['survey_id']); +$answered_data = survey_manager::get_people_who_filled_survey($survey_id); if ($survey_data['anonymous'] == 1) { Display::display_normal_message(get_lang('AnonymousSurveyCannotKnowWhoAnswered').' '.count($answered_data).' '.get_lang('PeopleAnswered')); @@ -94,7 +111,7 @@ if (!isset($_GET['view']) OR $_GET['view'] == 'invited') } else { - echo ' '.get_lang('ViewInvited').' |'; + echo ' '.get_lang('ViewInvited').' |'; } if ($_GET['view'] == 'answered') { @@ -102,7 +119,7 @@ if ($_GET['view'] == 'answered') } else { - echo ' '.get_lang('ViewAnswered').' |'; + echo ' '.get_lang('ViewAnswered').' |'; } if ($_GET['view'] == 'unanswered') { @@ -110,7 +127,7 @@ if ($_GET['view'] == 'unanswered') } else { - echo ' '.get_lang('ViewUnanswered').''; + echo ' '.get_lang('ViewUnanswered').''; } // table header @@ -142,7 +159,7 @@ while ($row = mysql_fetch_assoc($res)) echo ' '; if (in_array($row['user'], $answered_data)) { - echo ''.get_lang('ViewAnswers').''; + echo ''.get_lang('ViewAnswers').''; } else { diff --git a/main/survey/survey_invite.php b/main/survey/survey_invite.php index 0f02501fd7..1ad9ac84e2 100644 --- a/main/survey/survey_invite.php +++ b/main/survey/survey_invite.php @@ -3,7 +3,7 @@ ============================================================================== Dokeos - elearning and course management software - Copyright (c) 2008 Dokeos SPRL + Copyright (c) 2009 Dokeos SPRL For a full list of contributors, see "credits.txt". The full license can be read in "license.txt". 
@@ -24,7 +24,7 @@ * @package dokeos.survey * @author unknown, the initial survey that did not make it in 1.8 because of bad code * @author Patrick Cool , Ghent University: cleanup, refactoring and rewriting large parts of the code -* @author Julio Montoya Dokeos: cleanup, refactoring +* @author Julio Montoya Dokeos: cleanup, refactoring, security improvements * @version $Id: survey_invite.php 10680 2007-01-11 21:26:23Z pcool $ * * @todo checking if the additional emails are valid (or add a rule for this) @@ -62,8 +62,17 @@ $table_user = Database :: get_main_table(TABLE_MAIN_USER); $user_info = Database :: get_main_table(TABLE_MAIN_SURVEY_REMINDER); // getting the survey information -$survey_data = survey_manager::get_survey($_GET['survey_id']); -$urlname =substr(html_entity_decode($survey_data['title'],ENT_QUOTES,$charset), 0, 40); +$survey_id = Security::remove_XSS($_GET['survey_id']); +$survey_data = survey_manager::get_survey($survey_id); +if (empty($survey_data)) { + Display :: display_header(get_lang('Survey')); + Display :: display_error_message(get_lang('InvallidSurvey'), false); + Display :: display_footer(); + exit; +} + + +$urlname =strip_tags(substr(html_entity_decode($survey_data['title'],ENT_QUOTES,$charset), 0, 40)); if (strlen(strip_tags($survey_data['title'])) > 40) { $urlname .= '...'; @@ -72,9 +81,9 @@ if (strlen(strip_tags($survey_data['title'])) > 40) // breadcrumbs $interbreadcrumb[] = array ('url' => 'survey_list.php', 'name' => get_lang('SurveyList')); if (api_is_course_admin()) { - $interbreadcrumb[] = array ('url' => 'survey.php?survey_id='.$_GET['survey_id'], 'name' => $urlname); + $interbreadcrumb[] = array ('url' => 'survey.php?survey_id='.$survey_id, 'name' => $urlname); } else { - $interbreadcrumb[] = array ('url' => 'survey_invite.php?survey_id='.$_GET['survey_id'], 'name' => $urlname); + $interbreadcrumb[] = array ('url' => 'survey_invite.php?survey_id='.$survey_id, 'name' => $urlname); } $tool_name = get_lang('SurveyPublication'); 
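Review bot: `$survey_id = Security::remove_XSS($_GET['survey_id']);` has no `is_numeric` check in survey_invite.php, and the value is then embedded in the breadcrumb URLs and, in the `@@ -101` hunk, in the form's action URL via `api_get_self().'?survey_id='.$survey_id`; `remove_XSS()` is a markup filter and does not guarantee a numeric id. Prefer `$survey_id = isset($_GET['survey_id']) ? (int) $_GET['survey_id'] : 0;` so that the `empty($survey_data)` guard that follows is the only failure path. The two blank lines between the guard and `$urlname` are stray whitespace.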
@@ -101,7 +110,7 @@ if ($survey_data['invited'] > 0) } // building the form for publishing the survey -$form = new FormValidator('publish_form','post', api_get_self().'?survey_id='.$_GET['survey_id']); +$form = new FormValidator('publish_form','post', api_get_self().'?survey_id='.$survey_id); // Course users $complete_user_list = CourseManager :: get_user_list_from_course_code($_course['id'], true, $_SESSION['id_session'], '', 'ORDER BY lastname'); $possible_users = array (); @@ -196,7 +205,6 @@ else $defaults['mail_title'] = $survey_data['mail_subject']; $defaults['send_mail'] = 1; $form->setDefaults($defaults); - $form->display(); }