[svn r20776] removing all addslashes and stripslashes to prevent double escaping.

skala
Patrick Cool 17 years ago
parent 2dd88c1006
commit 7274f82852
  1. 28
      main/exercice/admin.php
  2. 16
      main/exercice/answer.class.php
  3. 6
      main/exercice/answer_admin.inc.php
  4. 4
      main/exercice/exercice.php
  5. 18
      main/exercice/exercice_submit.php
  6. 12
      main/exercice/exercise.class.php
  7. 24
      main/exercice/exercise_result.php
  8. 18
      main/exercice/exercise_show.php
  9. 4
      main/exercice/hotspot_admin.inc.php
  10. 18
      main/exercice/question.class.php

@ -1,4 +1,4 @@
<?php // $Id: admin.php 20522 2009-05-12 00:43:47Z yannoo $
<?php // $Id: admin.php 20776 2009-05-18 12:43:44Z pcool $
/*
==============================================================================
@ -67,7 +67,7 @@
*
* @package dokeos.exercise
* @author Olivier Brouckaert
* @version $Id: admin.php 20522 2009-05-12 00:43:47Z yannoo $
* @version $Id: admin.php 20776 2009-05-18 12:43:44Z pcool $
*/
@ -95,29 +95,7 @@ define(ALLOWED_TO_INCLUDE,1);
include_once(api_get_path(LIBRARY_PATH).'fileUpload.lib.php');
include_once(api_get_path(LIBRARY_PATH).'document.lib.php');
/****************************/
/* stripslashes POST data */
/****************************/
if($_SERVER['REQUEST_METHOD'] == 'POST')
{
foreach($_POST as $key=>$val)
{
if(is_string($val))
{
$_POST[$key]=stripslashes($val);
}
elseif(is_array($val))
{
foreach($val as $key2=>$val2)
{
$_POST[$key][$key2]=stripslashes($val2);
}
}
$GLOBALS[$key]=$_POST[$key];
}
}
// get vars from GET
if ( empty ( $exerciseId ) )
@ -469,7 +447,7 @@ $description = $objExercise->selectDescription();
echo '<div class="sectiontitle">'.$objExercise->selectTitle().'</div>';
if(!empty($description))
{
echo '<div class="sectioncomment">'.stripslashes($description).'</div>';
echo '<div class="sectioncomment">'.$description.'</div>';
}
*/
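Review bot: The loop deleted at the 95 hunk was also the only place that did `$GLOBALS[$key]=$_POST[$key]`, so the commit silently drops the register_globals-style copy of POST data into plain variables along with the stripslashes; any code further down that reads a bare `$exerciseId`-style variable from a POST submission now gets nothing, and the `// get vars from GET` branch at the end of the hunk does not cover POST. Removing that injection is a security gain in itself (any POST key could previously overwrite any script variable), but it deserves a mention in the commit message and a check that the POST readers below use `$_POST` directly. Removing stripslashes unconditionally also assumes magic_quotes_gpc is off; on a PHP 5.2 host where it is on, input now arrives with backslashes that `Database::escape_string` doubles, so one boundary check such as `if (get_magic_quotes_gpc()) { /* strip once here */ }` would be safer than deleting it everywhere. The `*/` that closes the 469 hunk suggests that `echo` may sit inside a commented-out block.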

@ -23,7 +23,7 @@
* 5 arrays are created to receive the attributes of each answer belonging to a specified question
* @package dokeos.exercise
* @author Olivier Brouckaert
* @version $Id: answer.class.php 20644 2009-05-14 16:42:28Z cvargas1 $
* @version $Id: answer.class.php 20776 2009-05-18 12:43:44Z pcool $
*/
@ -241,7 +241,7 @@ class Answer
if(!empty($this->answer[$i])){
$list[] = array(
'id'=>$i,
'answer'=>addslashes($this->answer[$i]),
'answer'=>$this->answer[$i],
'comment'=>$this->comment[$i],
'grade' => $this->weighting[$i],
'hotspot_coord' => $this->hotspot_coordinates[$i],
@ -401,8 +401,8 @@ class Answer
$questionId=$this->questionId;
$sql = "UPDATE $TBL_REPONSES SET " .
"answer = '".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($answer)),COURSEMANAGER))."', " .
"comment = '".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($comment)),COURSEMANAGER))."', " .
"answer = '".Database::escape_string(Security::remove_XSS(api_html_entity_decode($answer),COURSEMANAGER))."', " .
"comment = '".Database::escape_string(Security::remove_XSS(api_html_entity_decode($comment),COURSEMANAGER))."', " .
"ponderation = '".Database::escape_string($weighting)."', " .
"position = '".Database::escape_string($position)."', " .
"destination = '".Database::escape_string($destination)."' " .
@ -434,9 +434,9 @@ class Answer
for($i=1;$i <= $this->new_nbrAnswers;$i++)
{
$answer = Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($this->new_answer[$i])),COURSEMANAGER));
$answer = Database::escape_string(Security::remove_XSS(api_html_entity_decode($this->new_answer[$i]),COURSEMANAGER));
$correct = Database::escape_string($this->new_correct[$i]);
$comment = Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($this->new_comment[$i])),COURSEMANAGER));
$comment = Database::escape_string(Security::remove_XSS(api_html_entity_decode($this->new_comment[$i]),COURSEMANAGER));
$weighting = Database::escape_string($this->new_weighting[$i]);
$position = Database::escape_string($this->new_position[$i]);
$hotspot_coordinates = Database::escape_string($this->new_hotspot_coordinates[$i]);
@ -484,9 +484,9 @@ class Answer
for($i=1;$i <= $this->nbrAnswers;$i++)
{
$answer = Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($this->answer[$i])),COURSEMANAGER));
$answer = Database::escape_string(Security::remove_XSS(api_html_entity_decode($this->answer[$i]),COURSEMANAGER));
$correct = Database::escape_string($this->correct[$i]);
$comment = Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($this->comment[$i])),COURSEMANAGER));
$comment = Database::escape_string(Security::remove_XSS(api_html_entity_decode($this->comment[$i]),COURSEMANAGER));
$weighting = Database::escape_string($this->weighting[$i]);
$position = Database::escape_string($this->position[$i]);
$hotspot_coordinates = Database::escape_string($this->hotspot_coordinates[$i]);
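Review bot: At the 241 hunk `'answer'=>$this->answer[$i]` now places the raw answer text in the returned list, where the old `addslashes` suggests a consumer that expected quote-escaped data (the `hotspot_coord` field beside it points at a JavaScript or Flash front-end); that consumer is outside the hunk, so please confirm it escapes for its own context, e.g. with `json_encode`, rather than relying on the slashes that are gone. The 401, 434 and 484 hunks are safe as written: each value still passes through `Database::escape_string` last, after `api_html_entity_decode` and `Security::remove_XSS`, which is the right order. All four hunks sit inside methods of `class Answer` whose signatures and SQL execution lie outside the view.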

@ -22,7 +22,7 @@
* This script allows to manage answers. It is included from the script admin.php
* @package dokeos.exercise
* @author Olivier Brouckaert
* @version $Id: answer_admin.inc.php 20748 2009-05-17 10:35:35Z ivantcholakov $
* @version $Id: answer_admin.inc.php 20776 2009-05-18 12:43:44Z pcool $
*/
@ -570,7 +570,7 @@ if($submitAnswers || $buttonBack)
if($debug>0){echo str_repeat('&nbsp;',4).'$answerType is HOT_SPOT'."<br />\n";}
$reponse[$i]=trim($reponse[$i]);
$comment[$i]=addslashes(trim($comment[$i]));
$comment[$i]=trim($comment[$i]);
$weighting[$i]=intval($weighting[$i]);
if($weighting[$i])
{
@ -1370,7 +1370,7 @@ if($modifyAnswers)
?>
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tr>
<td colspan="2" style="border:1px solid #4271b5; border-bottom:none;"><?php echo stripslashes(get_lang('HotspotChoose')); ?></td>
<td colspan="2" style="border:1px solid #4271b5; border-bottom:none;"><?php echo get_lang('HotspotChoose'); ?></td>
</tr>
<tr>
<td width="550" valign="top">
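Review bot: `$comment[$i]=trim($comment[$i]);` at the 570 hunk leaves hotspot comments as raw request input, so the only protection before storage is whatever the `Answer` class applies when it writes the row (`Security::remove_XSS` followed by `Database::escape_string`, per answer.class.php in this commit); a short comment such as `// filtered and escaped when Answer writes the row` would make that dependency visible to the next reader. The same change appears in hotspot_admin.inc.php, where the adjacent weighting line differs: here it is `intval()`, there it is a no-op `($weighting[$i])`. The enclosing `if($submitAnswers || $buttonBack)` block starts before the hunk.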

@ -1,5 +1,5 @@
<?php
// $Id: exercice.php 20716 2009-05-16 07:28:22Z ivantcholakov $
// $Id: exercice.php 20776 2009-05-18 12:43:44Z pcool $
/*
==============================================================================
@ -352,7 +352,7 @@ if ($show == 'result' && $_REQUEST['comments'] == 'update' && ($is_allowedToEdit
$mess = str_replace("#test#", Security::remove_XSS($test), $message);
//$message= str_replace("#ques_name#",$ques_name,$mess);
$message = str_replace("#url#", $url, $mess);
$mess = stripslashes($message);
$mess = $message;
$headers = " MIME-Version: 1.0 \r\n";
$headers .= "User-Agent: Dokeos/1.6";
$headers .= "Content-Transfer-Encoding: 7bit";
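Review bot: `$mess = $message;` at the 352 hunk is now a pointless alias left over from the removed `stripslashes`; either delete it and use `$message` below, or drop the `$mess` variable entirely. While here, the two context lines that follow, `$headers .= "User-Agent: Dokeos/1.6";` and `$headers .= "Content-Transfer-Encoding: 7bit";`, are appended without a `\r\n` separator, so they are fused into one malformed header line; each needs a trailing `"\r\n"` like the MIME-Version line above them. The enclosing `if ($show == 'result' ...)` block starts before the hunk.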

@ -1,5 +1,5 @@
<?php
// $Id: exercice_submit.php 20369 2009-05-06 16:12:55Z cfasanando $
// $Id: exercice_submit.php 20776 2009-05-18 12:43:44Z pcool $
/*
==============================================================================
@ -43,7 +43,7 @@
* @package dokeos.exercise
* @author Olivier Brouckaert
* @author Julio Montoya multiple fill in blank option added
* @version $Id: exercice_submit.php 20369 2009-05-06 16:12:55Z cfasanando $
* @version $Id: exercice_submit.php 20776 2009-05-18 12:43:44Z pcool $
*/
include ('exercise.class.php');
@ -416,7 +416,7 @@ if ($formSent) {
break;
}
$choice[$j] = trim($choice[$j]);
$user_tags[] = stripslashes(strtolower($choice[$j]));
$user_tags[] = strtolower($choice[$j]);
//put the contents of the [] answer tag into correct_tags[]
$correct_tags[] = strtolower(substr($temp, 0, $pos));
$j++;
@ -440,12 +440,12 @@ if ($formSent) {
// increments total score
$totalScore += $answerWeighting[$i];
// adds the word in green at the end of the string
$answer .= stripslashes($correct_tags[$i]);
$answer .= $correct_tags[$i];
}
// else if the word entered by the student IS NOT the same as the one defined by the professor
elseif (!empty ($user_tags[$i])) {
// adds the word in red at the end of the string, and strikes it
$answer .= '<font color="red"><s>' . stripslashes($user_tags[$i]) . '</s></font>';
$answer .= '<font color="red"><s>' . $user_tags[$i] . '</s></font>';
} else {
// adds a tabulation if no word has been typed by the student
$answer .= '&nbsp;&nbsp;&nbsp;';
@ -461,12 +461,12 @@ if ($formSent) {
// increments total score
$totalScore += $answerWeighting[$i];
// adds the word in green at the end of the string
$answer .= stripslashes($user_tags[$i]);
$answer .= $user_tags[$i];
}
elseif (!empty ($user_tags[$i])) {
// else if the word entered by the student IS NOT the same as the one defined by the professor
// adds the word in red at the end of the string, and strikes it
$answer .= '<font color="red"><s>' . stripslashes($user_tags[$i]) . '</s></font>';
$answer .= '<font color="red"><s>' . $user_tags[$i] . '</s></font>';
} else {
// adds a tabulation if no word has been typed by the student
$answer .= '&nbsp;&nbsp;&nbsp;';
@ -565,7 +565,7 @@ if ($formSent) {
if (preg_match_all('#<font color="red"><s>([0-9a-z ]*)</s></font>#', $val, $arr1)) {
$val = $arr1[1][0];
}
$val = addslashes($val);
$val = $val;
$val = strip_tags($val);
$sql = "select position from $table_ans where question_id='" . Database :: escape_string($questionId) . "' and answer='" . Database :: escape_string($val) . "' AND correct=0";
$res = api_sql_query($sql, __FILE__, __LINE__);
@ -682,7 +682,7 @@ $quizID = $objExercise->selectId();
$exerciseAttempts = $objExercise->selectAttempts();
$exerciseTitle = $objExercise->selectTitle();
$exerciseDescription = $objExercise->selectDescription();
$exerciseDescription = stripslashes($exerciseDescription);
$exerciseDescription = $exerciseDescription;
$exerciseSound = $objExercise->selectSound();
$randomQuestions = $objExercise->isRandom();
$exerciseType = $objExercise->selectType();
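Review bot: `$val = $val;` at the 565 hunk and `$exerciseDescription = $exerciseDescription;` at the 682 hunk are self-assignments left behind by the mechanical removal and should be deleted rather than kept as no-ops. At the 440 and 461 hunks `$answer .= '<font color="red"><s>' . $user_tags[$i] . '</s></font>';` concatenates the student's typed word into HTML with no `htmlspecialchars`; the old `stripslashes` did not escape either, so this is not a regression, but with the slashes gone the page relies entirely on whatever filtering happens where `$answer` is stored or displayed, which is outside the hunk. The `[0-9a-z ]*` regex at the 565 hunk only extracts from that markup later; it does not sanitise what was concatenated. The 416 to 565 hunks lie inside the `if ($formSent)` block that begins before the view.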

@ -25,7 +25,7 @@
* Exercise class: This class allows to instantiate an object of type Exercise
* @package dokeos.exercise
* @author Olivier Brouckaert
* @version $Id: exercise.class.php 20644 2009-05-14 16:42:28Z cvargas1 $
* @version $Id: exercise.class.php 20776 2009-05-18 12:43:44Z pcool $
*/
@ -521,9 +521,9 @@ class Exercise
$TBL_QUIZ_QUESTION= Database::get_course_table(TABLE_QUIZ_TEST_QUESTION);
$id=$this->id;
$exercise=addslashes($this->exercise);
$description=addslashes($this->description);
$sound=addslashes($this->sound);
$exercise=$this->exercise;
$description=$this->description;
$sound=$this->sound;
$type=$this->type;
$attempts=$this->attempts;
$feedbacktype=$this->feedbacktype;
@ -540,7 +540,7 @@ class Exercise
if($id) {
$sql="UPDATE $TBL_EXERCICES SET
title='".Database::escape_string(Security::remove_XSS($exercise))."',
description='".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($description)),COURSEMANAGER))."'";
description='".Database::escape_string(Security::remove_XSS(api_html_entity_decode($description),COURSEMANAGER))."'";
if ($type_e != 'simple') {
$sql .= ", sound='".Database::escape_string($sound)."',
type='".Database::escape_string($type)."',
@ -568,7 +568,7 @@ class Exercise
VALUES(
'$start_time','$end_time',
'".Database::escape_string(Security::remove_XSS($exercise))."',
'".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($description)),COURSEMANAGER))."',
'".Database::escape_string(Security::remove_XSS(api_html_entity_decode($description),COURSEMANAGER))."',
'".Database::escape_string($sound)."',
'".Database::escape_string($type)."',
'".Database::escape_string($random)."',

@ -29,7 +29,7 @@
* @author Olivier Brouckaert, main author
* @author Roan Embrechts, some refactoring
* @author Julio Montoya Armas switchable fill in blank option added
* @version $Id: exercise_result.php 20697 2009-05-15 15:42:37Z cvargas1 $
* @version $Id: exercise_result.php 20776 2009-05-18 12:43:44Z pcool $
*
* @todo split more code up in functions, move functions to library?
*/
@ -150,7 +150,6 @@ if(!is_array($exerciseResult) || !is_array($questionList) || !is_object($objExer
// define basic exercise info to print on screen
$exerciseTitle=$objExercise->selectTitle();
$exerciseDescription=$objExercise->selectDescription();
$exerciseDescription=stripslashes($exerciseDescription);
$gradebook = '';
if (isset($_SESSION['gradebook'])){
@ -350,10 +349,10 @@ function display_unique_or_multiple_answer($answerType, $studentChoice, $answer,
{
if(!$answerCorrect)
{
echo '<span style="font-weight: bold; color: #FF0000;">'.nl2br(make_clickable(stripslashes($answerComment))).'</span>';
echo '<span style="font-weight: bold; color: #FF0000;">'.nl2br(make_clickable($answerComment)).'</span>';
}
else{
echo '<span style="font-weight: bold; color: #008000;">'.nl2br(make_clickable(stripslashes($answerComment))).'</span>';
echo '<span style="font-weight: bold; color: #008000;">'.nl2br(make_clickable($answerComment)).'</span>';
}
}
else
@ -382,7 +381,7 @@ function display_free_answer($answer)
?>
<tr>
<td width="55%">
<?php echo nl2br(stripslashes(Security::remove_XSS($answer,COURSEMANAGER))); ?>
<?php echo nl2br(Security::remove_XSS($answer,COURSEMANAGER)); ?>
</td>
<td width="45%">
<?php echo get_lang('notCorrectedYet');?>
@ -428,7 +427,7 @@ function display_hotspot_answer($answerId, $answer, $studentChoice, $answerComme
} else {
echo '<span style="font-weight: bold; color: #FF0000;">';
}
echo stripslashes($answerComment);
echo $answerComment;
echo '</span>';
?>
</td>
@ -696,7 +695,7 @@ foreach ($questionList as $questionId) {
break;
}
$choice[$j]=trim($choice[$j]);
$user_tags[]=stripslashes(api_strtolower($choice[$j]));
$user_tags[]=api_strtolower($choice[$j]);
//put the contents of the [] answer tag into correct_tags[]
$correct_tags[]=api_strtolower(api_substr($temp,0,$pos));
$j++;
@ -723,13 +722,13 @@ foreach ($questionList as $questionId) {
// increments total score
$totalScore+=$answerWeighting[$i];
// adds the word in green at the end of the string
$answer.=stripslashes($correct_tags[$i]);
$answer.=$correct_tags[$i];
}
// else if the word entered by the student IS NOT the same as the one defined by the professor
elseif(!empty($user_tags[$i]))
{
// adds the word in red at the end of the string, and strikes it
$answer.='<font color="red"><s>'.stripslashes($user_tags[$i]).'</s></font>';
$answer.='<font color="red"><s>'.$user_tags[$i].'</s></font>';
}
else
{
@ -747,12 +746,12 @@ foreach ($questionList as $questionId) {
// increments total score
$totalScore+=$answerWeighting[$i];
// adds the word in green at the end of the string
$answer.=stripslashes($user_tags[$i]);
$answer.=$user_tags[$i];
} // else if the word entered by the student IS NOT the same as the one defined by the professor
elseif(!empty($user_tags[$i]))
{
// adds the word in red at the end of the string, and strikes it
$answer.='<font color="red"><s>'.stripslashes($user_tags[$i]).'</s></font>';
$answer.='<font color="red"><s>'.$user_tags[$i].'</s></font>';
}
else
{
@ -976,7 +975,6 @@ foreach ($questionList as $questionId) {
$val = $choice[$j];
if (preg_match_all ('#<font color="red"><s>([0-9a-z ]*)</s></font>#', $val, $arr1))
$val = $arr1[1][0];
$val=addslashes($val);
$val=strip_tags($val);
$sql = "SELECT position from $table_ans where question_id='".Database::escape_string($questionId)."' and answer='".Database::escape_string($val)."' AND correct=0";
$res = api_sql_query($sql, __FILE__, __LINE__);
@ -1137,7 +1135,7 @@ if(count($arrques)>0) {
<a href="#url#">#url#</a></span></body></html>';
$msg1= str_replace("#url#",$url,$msg);
$mail_content = stripslashes($msg1);
$mail_content = $msg1;
$student_name = $_SESSION['_user']['firstName'].' '.$_SESSION['_user']['lastName'];
$subject = get_lang('OpenQuestionsAttempted');
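Review bot: `display_free_answer` at the 382 hunk renders a student's free-text answer through `Security::remove_XSS($answer,COURSEMANAGER)`, the same profile this commit applies to teacher-authored descriptions and comments; if that level is the lenient one, as its use on course-manager content suggests, a student-supplied string should go through the default level instead, `nl2br(Security::remove_XSS($answer))`. The same call appears in exercise_show.php at its 286 hunk. Separately, `$mail_content = $msg1;` at the 1137 hunk is a leftover alias and can be folded into the `str_replace` line above it. `display_free_answer` and the `foreach ($questionList as $questionId)` loop both start before their hunks.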

@ -4,7 +4,7 @@
*
* @package dokeos.exercise
* @author Julio Montoya Armas Added switchable fill in blank option added
* @version $Id: exercise_show.php 20704 2009-05-15 17:17:48Z cvargas1 $
* @version $Id: exercise_show.php 20776 2009-05-18 12:43:44Z pcool $
*
* @todo remove the debug code and use the general debug library
* @todo use the Database:: functions
@ -230,10 +230,10 @@ function display_unique_or_multiple_answer($answerType, $studentChoice, $answer,
{
if(!$answerCorrect)
{
echo '<span style="font-weight: bold; color: #FF0000;">'.nl2br(make_clickable(stripslashes($answerComment))).'</span>';
echo '<span style="font-weight: bold; color: #FF0000;">'.nl2br(make_clickable($answerComment)).'</span>';
}
else{
echo '<span style="font-weight: bold; color: #008000;">'.nl2br(make_clickable(stripslashes($answerComment))).'</span>';
echo '<span style="font-weight: bold; color: #008000;">'.nl2br(make_clickable($answerComment)).'</span>';
}
}
else
@ -286,7 +286,7 @@ function display_free_answer($answer,$id,$questionId) {
?>
<tr>
<td>
<?php echo nl2br(stripslashes(Security::remove_XSS($answer,COURSEMANAGER))); ?>
<?php echo nl2br(Security::remove_XSS($answer,COURSEMANAGER)); ?>
</td> <?php if(!api_is_allowed_to_edit()) {?>
<td>
<?php
@ -339,9 +339,9 @@ function display_hotspot_answer($answerId, $answer, $studentChoice, $answerComme
<?php
$answerComment=api_parse_tex($answerComment);
if($studentChoice) {
echo '<span style="font-weight: bold; color: #008000;">'.nl2br(make_clickable(stripslashes($answerComment))).'</span>';
echo '<span style="font-weight: bold; color: #008000;">'.nl2br(make_clickable($answerComment)).'</span>';
} else {
echo '<span style="font-weight: bold; color: #FF0000;">'.nl2br(make_clickable(stripslashes($answerComment))).'</span>';
echo '<span style="font-weight: bold; color: #FF0000;">'.nl2br(make_clickable($answerComment)).'</span>';
}
?>
</td>
@ -445,7 +445,7 @@ if ($show_results == true ) {
<?php echo '&nbsp;'.get_lang("Exercise").' :'; ?>
</td>
<td width="90%">
<?php echo stripslashes($test)?><br />
<?php echo $test; ?><br />
<?php echo $exerciseDescription; ?>
</td>
</tr>
@ -676,7 +676,7 @@ if ($show_results) {
$choice = $arr[1];
$choice[$j]=trim($choice[$j]);
// if the word entered by the student IS the same as the one defined by the professor
if (api_strtolower(api_substr($temp,0,$pos)) == stripslashes(api_strtolower($choice[$j]))) {
if (api_strtolower(api_substr($temp,0,$pos)) == api_strtolower($choice[$j])) {
// gives the related weighting to the student
$questionScore+=$answerWeighting[$j];
// increments total score
@ -719,7 +719,7 @@ if ($show_results) {
$choice = $arr[1];
$choice[$j]=trim($choice[$j]);
$user_tags[]=stripslashes(api_strtolower($choice[$j]));
$user_tags[]=api_strtolower($choice[$j]);
$correct_tags[]=api_strtolower(api_substr($temp,0,$pos));
$j++;
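Review bot: The comparison at the 676 hunk, `if (api_strtolower(api_substr($temp,0,$pos)) == api_strtolower($choice[$j]))`, uses loose `==` between the expected word and the student-typed word; PHP compares two numeric-looking strings numerically, so an answer of `1e3` or `01` would be graded as matching `1000` or `1`. Use `===` here so fill-in-the-blank grading is an exact string match. The same grading comparison presumably exists in exercice_submit.php and exercise_result.php, but those `if` lines fall outside the hunks shown. The enclosing `if ($show_results)` block begins before the hunk.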

@ -118,7 +118,7 @@ if($submitAnswers || $buttonBack)
if($debug>0){echo str_repeat('&nbsp;',4).'$answerType is HOT_SPOT'."<br />\n";}
$reponse[$i]=trim($reponse[$i]);
$comment[$i]=addslashes(trim($comment[$i]));
$comment[$i]=trim($comment[$i]);
$weighting[$i]=($weighting[$i]); //it can be float
if($weighting[$i]) {
$questionWeighting+=$weighting[$i];
@ -309,7 +309,7 @@ if($modifyAnswers)
<tr>
<td valign="top"><div style="height: 15px; width: 15px; background-color: <?php echo $hotspot_colors[$i]; ?>"> </div></td>
<td valign="top" align="left"><input type="text" name="reponse[<?php echo $i; ?>]" value="<?php echo api_htmlentities($reponse[$i], ENT_QUOTES, api_get_system_encoding()); ?>" size="45" /></td>
<td align="left"><textarea wrap="virtual" rows="1" cols="25" name="comment[<?php echo $i; ?>]" style="width: 100%"><?php echo stripslashes(api_htmlentities($comment[$i], ENT_QUOTES, api_get_system_encoding())); ?></textarea></td>
<td align="left"><textarea wrap="virtual" rows="1" cols="25" name="comment[<?php echo $i; ?>]" style="width: 100%"><?php echo api_htmlentities($comment[$i], ENT_QUOTES, api_get_system_encoding()); ?></textarea></td>
<td valign="top"><input type="text" name="weighting[<?php echo $i; ?>]" size="5" value="<?php echo (isset($weighting[$i]) ? float_format($weighting[$i],1) : 10); ?>" />
<input type="hidden" name="hotspot_coordinates[<?php echo $i; ?>]" value="<?php echo (empty($hotspot_coordinates[$i]) ? '0;0|0|0' : $hotspot_coordinates[$i]); ?>" />
<input type="hidden" name="hotspot_type[<?php echo $i; ?>]" value="<?php echo (empty($hotspot_type[$i]) ? 'square' : $hotspot_type[$i]); ?>" /></td>

@ -1,4 +1,4 @@
<?php // $Id: question.class.php 20644 2009-05-14 16:42:28Z cvargas1 $
<?php // $Id: question.class.php 20776 2009-05-18 12:43:44Z pcool $
/*
==============================================================================
@ -28,7 +28,7 @@
* File containing the Question class.
* @package dokeos.exercise
* @author Olivier Brouckaert
* @version $Id: question.class.php 20644 2009-05-14 16:42:28Z cvargas1 $
* @version $Id: question.class.php 20776 2009-05-18 12:43:44Z pcool $
*/
@ -579,19 +579,19 @@ abstract class Question
$TBL_QUESTIONS = Database::get_course_table(TABLE_QUIZ_QUESTION);
$id=$this->id;
$question=addslashes($this->question);
$description=addslashes($this->description);
$question=$this->question;
$description=$this->description;
$weighting=$this->weighting;
$position=$this->position;
$type=$this->type;
$picture=addslashes($this->picture);
$picture=$this->picture;
$level=$this->level;
// question already exists
if(!empty($id)) {
$sql="UPDATE $TBL_QUESTIONS SET
question ='".Database::escape_string(Security::remove_XSS($question))."',
description ='".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($description)),COURSEMANAGER))."',
description ='".Database::escape_string(Security::remove_XSS(api_html_entity_decode($description),COURSEMANAGER))."',
ponderation ='".Database::escape_string($weighting)."',
position ='".Database::escape_string($position)."',
type ='".Database::escape_string($type)."',
@ -622,7 +622,7 @@ abstract class Question
$sql="INSERT INTO $TBL_QUESTIONS(question,description,ponderation,position,type,picture,level) VALUES(
'".Database::escape_string(Security::remove_XSS($question))."',
'".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($description)),COURSEMANAGER))."',
'".Database::escape_string(Security::remove_XSS(api_html_entity_decode($description),COURSEMANAGER))."',
'".Database::escape_string($weighting)."',
'".Database::escape_string($position)."',
'".Database::escape_string($type)."',
@ -904,8 +904,8 @@ abstract class Question
function duplicate() {
global $TBL_QUESTIONS, $picturePath;
$question=addslashes($this->question);
$description=addslashes($this->description);
$question=$this->question;
$description=$this->description;
$weighting=$this->weighting;
$position=$this->position;
$type=$this->type;
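Review bot: At the 904 hunk `duplicate()` now holds the raw `$this->question` and `$this->description` in locals, and unlike the 579 and 622 hunks the SQL that consumes them is outside the view; please confirm that INSERT applies `Database::escape_string` to each, since `addslashes` was the only escaping visible here before. The 579 hunk filters `question` with `Security::remove_XSS($question)` at the default level and `description` with `COURSEMANAGER`, mirroring exercise.class.php, and the INSERT at the 622 hunk also writes `picture` from the now-unescaped `$picture`, whose value line is cut off below the hunk. `duplicate()` also reaches `$TBL_QUESTIONS` and `$picturePath` via `global`, which the save path in this class avoids by calling `Database::get_course_table` locally.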
