diff --git a/public/main/inc/lib/groupmanager.lib.php b/public/main/inc/lib/groupmanager.lib.php
index fb461a98b3..7c4ce96f3d 100644
--- a/public/main/inc/lib/groupmanager.lib.php
+++ b/public/main/inc/lib/groupmanager.lib.php
@@ -1170,9 +1170,9 @@ class GroupManager
 g.iid = $group_id";
 if (!empty($column) && !empty($direction)) {
- $column = Database::escape_string($column, null, false);
- $direction = ('ASC' == $direction ? 'ASC' : 'DESC');
- $sql .= " ORDER BY $column $direction";
+ $column = Database::escape_string($column);
+ $direction = ('ASC' === $direction ? 'ASC' : 'DESC');
+ $sql .= " ORDER BY `$column` $direction";
 }
 if (!empty($start) && !empty($limit)) {
diff --git a/public/main/inc/lib/myspace.lib.php b/public/main/inc/lib/myspace.lib.php
index 816992995c..8d5cc70a6c 100644
--- a/public/main/inc/lib/myspace.lib.php
+++ b/public/main/inc/lib/myspace.lib.php
@@ -556,7 +556,7 @@ class MySpace
 }
 }
 if (!empty($order[$tracking_column])) {
- $sqlCoachs .= ' ORDER BY '.$order[$tracking_column].' '.$tracking_direction;
+ $sqlCoachs .= " ORDER BY `".$order[$tracking_column]."` ".$tracking_direction;
 }
 $result_coaches = Database::query($sqlCoachs);
@@ -1499,6 +1499,12 @@ class MySpace
 $column,
 $direction
 ) {
+ switch ($column) {
+ default:
+ case 1:
+ $column = 'title';
+ break;
+ }
 $courses = CourseManager::get_courses_list(
 $from,
 $numberItems,
@@ -1570,8 +1576,10 @@ class MySpace
 null,
 true
 );
- $progress += $progress_tmp[0];
- $nb_progress_lp += $progress_tmp[1];
+ if ($progress_tmp) {
+ $progress += $progress_tmp[0];
+ $nb_progress_lp += $progress_tmp[1];
+ }
 $score_tmp = Tracking::get_avg_student_score(
 $userId,
 $course,
@@ -2505,9 +2513,9 @@ class MySpace
 $direction = 'ASC';
 }
- $column = intval($column);
- $from = intval($from);
- $number_of_items = intval($number_of_items);
+ $column = (int) $column;
+ $from = (int) $from;
+ $number_of_items = (int) $number_of_items;
 $sql .= " ORDER BY col$column $direction ";
 $sql .= " LIMIT $from,$number_of_items";
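Review bot: Wrapping `$column` in backticks on the new `ORDER BY` line does not neutralise a backtick inside the value, because `Database::escape_string()` (mysqli-style escaping) leaves backticks untouched, so a value that contains one still closes the identifier early and the rest is parsed as SQL. The quoting only becomes a real fix if the column is also restricted to the sortable columns, e.g. `$column = in_array($column, $allowedColumns, true) ? $column : 'id';`, or at minimum every backtick in the value is doubled before it is quoted. If `$column` can arrive alias-qualified (as `g.title`), the backticks also turn it into a single unknown identifier and the query fails. The enclosing method starts and ends outside the hunk.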
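Review bot: The backtick-quoted `ORDER BY` on the `+` line in `myspace.lib.php` (hunk at 556) now treats `$order[$tracking_column]` as one bare identifier, so if any entry of `$order` is alias-qualified or an expression the query fails with an unknown column; `$order` is built outside the hunk, so please confirm its values are plain column names. `$tracking_direction` is concatenated on the same line with no visible whitelist; if it is not validated earlier, `$tracking_direction = 'DESC' === strtoupper($tracking_direction) ? 'DESC' : 'ASC';` before the `if` would pin it. The enclosing method starts outside the hunk.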
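Review bot: The added `switch` in the hunk at 1499 maps every input to `'title'` — `default:` and `case 1:` share the one branch — so it is `$column = 'title';` written as a switch, and a reader will assume further cases were meant to follow. If this is a whitelist that will grow, enumerate the actual sortable columns under their numeric keys and keep `default` as the safe fallback; otherwise replace it with the single assignment and a comment such as `// only the title column is sortable here`. `$direction` from the context lines is passed on untouched, so its validation has to live in `CourseManager::get_courses_list()`, which is not visible here. The enclosing method starts outside the hunk.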
@@ -2637,7 +2645,7 @@ class MySpace
 }
 $order = [
- "$column $direction",
+ " `$column` $direction",
 ];
 $userList = UserManager::get_user_list([], $order, $from, $numberItems);
 $return = [];
@@ -3324,6 +3332,7 @@ class MySpace
 $numberItems = (int) $numberItems;
 $column = (int) $column;
 $orderDirection = Database::escape_string($orderDirection);
+ $orderDirection = !in_array(strtolower(trim($orderDirection)), ['asc', 'desc']) ? 'asc' : $orderDirection;
 $user = Database::get_main_table(TABLE_MAIN_USER);
 $course = Database::get_main_table(TABLE_MAIN_COURSE);
diff --git a/public/main/inc/lib/notebook.lib.php b/public/main/inc/lib/notebook.lib.php
index 720c8645f4..132a3eb2cd 100644
--- a/public/main/inc/lib/notebook.lib.php
+++ b/public/main/inc/lib/notebook.lib.php
@@ -216,7 +216,7 @@ class NotebookManager
 // Database table definition
 $table = Database::get_course_table(TABLE_NOTEBOOK);
- $order_by = ' ORDER BY '.$notebookView." $sort_direction ";
+ $order_by = " ORDER BY `$notebookView` $sort_direction ";
 // Condition for the session
 $condition_session = api_get_session_condition($sessionId);
diff --git a/public/main/inc/lib/online.inc.php b/public/main/inc/lib/online.inc.php
index 1f2304fa44..5f6f7d730f 100644
--- a/public/main/inc/lib/online.inc.php
+++ b/public/main/inc/lib/online.inc.php
@@ -10,9 +10,6 @@ use ChamiloSession as Session;
 * @author Denes Nagy, principal author
 * @author Bart Mollet
 * @author Roan Embrechts, cleaning and bugfixing
- */
-
-/**
 * Insert a login reference for the current user into the track_e_online stats
 * table. This table keeps trace of the last login. Nothing else matters (we
 * don't keep traces of anything older).
@@ -287,12 +284,11 @@ function who_is_online(
 }
 }
- $direction = strtolower($direction);
 if (empty($direction)) {
 $direction = 'DESC';
 } else {
- if (!in_array($direction, ['asc', 'desc'])) {
+ if (!in_array(strtolower($direction), ['asc', 'desc'])) {
 $direction = 'DESC';
 }
 }
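Review bot: The rewritten order element on the `+` line is handed to `UserManager::get_user_list()`, so whether backticks belong here depends on how that helper builds its `ORDER BY`; if it already quotes or alias-prefixes the column, this becomes a doubly quoted identifier, and the leading space inside the string looks unintentional. Neither `$column` nor `$direction` is narrowed within the hunk; unless the lines above do it, `$direction = 'DESC' === strtoupper($direction) ? 'DESC' : 'ASC';` plus a column whitelist belong before this array is built, since quoting does not stop a value that itself contains a backtick. The enclosing method starts outside the hunk.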
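Review bot: In `notebook.lib.php` the new `$order_by` line interpolates `$notebookView` as a backtick-quoted identifier, but the hunk shows neither where it comes from nor that it is limited to the notebook table's columns, and backticks alone do not neutralise a value containing a backtick, so a whitelist is still needed if this can come from the request. `$sort_direction` is used raw on the same line; `$sort_direction = 'DESC' === strtoupper($sort_direction) ? 'DESC' : 'ASC';` before building `$order_by` would close that. The enclosing method begins outside the hunk.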
@@ -313,14 +309,14 @@ function who_is_online(
 friend_user_id <> '".api_get_user_id()."' AND relation_type='".USER_RELATION_TYPE_FRIEND."' AND user_id = '".api_get_user_id()."'
- ORDER BY $column $direction
+ ORDER BY `$column` $direction
 LIMIT $from, $number_of_items";
 } else {
 $query = "SELECT DISTINCT login_user_id, login_date FROM ".$track_online_table." e INNER JOIN ".$table_user." u ON (u.id = e.login_user_id) WHERE u.status != ".ANONYMOUS." AND login_date >= '".$current_date."'
- ORDER BY $column $direction
+ ORDER BY `$column` $direction
 LIMIT $from, $number_of_items";
 }
@@ -336,7 +332,7 @@ function who_is_online(
 login_date >= '".$current_date."' AND friend_user_id <> '".api_get_user_id()."' AND relation_type='".USER_RELATION_TYPE_FRIEND."'
- ORDER BY $column $direction
+ ORDER BY `$column` $direction
 LIMIT $from, $number_of_items";
 } else {
 // all users online
@@ -346,7 +342,7 @@ function who_is_online(
 ON (u.id=track.login_user_id) WHERE u.status != ".ANONYMOUS." AND track.access_url_id = $access_url_id AND login_date >= '".$current_date."'
- ORDER BY $column $direction
+ ORDER BY `$column` $direction
 LIMIT $from, $number_of_items";
 }
 }
diff --git a/public/main/inc/lib/sessionmanager.lib.php b/public/main/inc/lib/sessionmanager.lib.php
index b520989b41..f59f1e7b3b 100644
--- a/public/main/inc/lib/sessionmanager.lib.php
+++ b/public/main/inc/lib/sessionmanager.lib.php
@@ -822,7 +822,7 @@ class SessionManager
 $options
 ) {
 //escaping vars
- $sessionId = 'T' == $sessionId ? 'T' : intval($sessionId);
+ $sessionId = $sessionId === 'T' ? 'T' : intval($sessionId);
 $courseId = intval($courseId);
 //tables
@@ -832,7 +832,7 @@ class SessionManager
 $course = api_get_course_info_by_id($courseId);
 $sessionCond = 'and session_id = %s';
- if ('T' == $sessionId) {
+ if ($sessionId === 'T') {
 $sessionCond = '';
 }
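Review bot: All four `who_is_online()` queries now quote `$column` with backticks, but nothing visible narrows `$column` (the earlier hunk in this file only validates `$direction`), and quoting does not neutralise a backtick inside the value. Since every query selects only `login_user_id` and `login_date`, a whitelist is cheap: `$column = in_array($column, ['login_user_id', 'login_date'], true) ? $column : 'login_date';` ahead of the query branches, with the default adjusted to whatever the callers expect. `$from` and `$number_of_items` are interpolated into `LIMIT` on the same lines and their casting is not shown in these hunks either. The function's opening lines are outside the hunks.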
@@ -849,7 +849,7 @@ class SessionManager
 }
 $order = null;
 if (!empty($options['order'])) {
- $order = " ORDER BY ".$options['order'];
+ $order = " ORDER BY ".$options['order']." ";
 }
 $sql = "SELECT u.id as user_id, u.lastname, u.firstname, u.username, u.email, s.c_id
@@ -878,7 +878,7 @@ class SessionManager
 ];
 $sessionCond = 'AND v.session_id = %d';
- if ('T' == $sessionId) {
+ if ($sessionId == 'T') {
 $sessionCond = "";
 }
@@ -6235,7 +6235,7 @@ class SessionManager
 if (!empty($column) && !empty($direction)) {
 $column = str_replace('u.', '', $column);
- $sql .= " ORDER BY $column $direction ";
+ $sql .= " ORDER BY `$column` $direction ";
 }
 $limitCondition = '';
diff --git a/public/main/inc/lib/statistics.lib.php b/public/main/inc/lib/statistics.lib.php
index 46d788d9c4..dd49bb15ac 100644
--- a/public/main/inc/lib/statistics.lib.php
+++ b/public/main/inc/lib/statistics.lib.php
@@ -991,7 +991,7 @@ class Statistics
 HAVING t.c_id <> '' AND DATEDIFF( '".api_get_utc_datetime()."' , access_date ) <= ".$date_diff;
 }
- $sql .= ' ORDER BY '.$columns[$column].' '.$sql_order[$direction];
+ $sql .= ' ORDER BY `'.$columns[$column].'` '.$sql_order[$direction];
 $from = ($page_nr - 1) * $per_page;
 $sql .= ' LIMIT '.$from.','.$per_page;
diff --git a/public/main/inc/lib/tracking.lib.php b/public/main/inc/lib/tracking.lib.php
index a684555285..5853fe7dff 100644
--- a/public/main/inc/lib/tracking.lib.php
+++ b/public/main/inc/lib/tracking.lib.php
@@ -3828,7 +3828,7 @@ class Tracking
 if (in_array($orderByName, ['name', 'access_start_date'])) {
 $orderByDirection = in_array(strtolower($orderByDirection), ['asc', 'desc']) ? $orderByDirection : 'asc';
 $orderByName = Database::escape_string($orderByName);
- $orderBy .= " ORDER BY $orderByName $orderByDirection";
+ $orderBy .= " ORDER BY `$orderByName` $orderByDirection";
 }
 }
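Review bot: `$options['order']` is still concatenated raw into `ORDER BY` on the changed line; the commit only appends a trailing space here, so this site gets none of the identifier quoting or direction checks applied elsewhere in the patch. If `$options['order']` can be influenced by the caller's request (it arrives through `$options`, whose origin this hunk does not show), it should be validated against the selected columns — `u.lastname`, `u.firstname`, `u.username`, `u.email` appear in the query just below — before it is used. The enclosing method starts outside the hunk.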
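Review bot: `if ($sessionId == 'T')` on the `+` line of the hunk at 878 keeps a loose comparison while the two earlier hunks in this file were deliberately changed to `===`; when `$sessionId` has already been reduced to `'T'` or an `intval()` result, PHP 7 evaluates `0 == 'T'` as true, so a non-numeric session id would silently drop the session condition. Use `if ($sessionId === 'T') {` for consistency. Which PHP versions this branch still supports is not visible here.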
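Review bot: In the hunk at 6235, `$direction` is interpolated on the new `ORDER BY` line with no validation visible, and `str_replace('u.', '', $column)` removes `u.` anywhere in the string rather than only as an alias prefix, while any other alias would now be wrapped in backticks as one identifier and fail. Unless the lines above already whitelist both, `$direction = 'DESC' === strtoupper($direction) ? 'DESC' : 'ASC';` and a check of `$column` against the selectable columns belong inside the `if`. The enclosing method starts outside the hunk.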
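Review bot: Backtick-quoting `$columns[$column]` on the changed line in `statistics.lib.php` assumes every entry of `$columns` is a bare column name; the query uses a `t` alias (`HAVING t.c_id`), so an entry written with that prefix would now be parsed as one identifier and the query breaks. `$columns` and `$sql_order` are defined outside the hunk, so please confirm; and if `$column` or `$direction` can miss its key the line emits an empty pair of backticks, so an `isset()` guard on both lookups that falls back to the default sort is worth adding. The enclosing method starts outside the hunk.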
@@ -7729,7 +7729,8 @@ class TrackingCourseLog
 $table_item_property = Database::get_course_table(TABLE_ITEM_PROPERTY);
 $table_user = Database::get_main_table(TABLE_MAIN_USER);
 $table_session = Database::get_main_table(TABLE_MAIN_SESSION);
- $session_id = intval($session_id);
+ $column = (int) $column;
+ $direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;
 $sql = "SELECT tool as col0,
diff --git a/public/main/inc/lib/usermanager.lib.php b/public/main/inc/lib/usermanager.lib.php
index 723e6bad75..5a12140ef7 100644
--- a/public/main/inc/lib/usermanager.lib.php
+++ b/public/main/inc/lib/usermanager.lib.php
@@ -2163,8 +2163,8 @@ class UserManager
 $field_filter = (int) $field_filter;
 $sqlf .= " AND filter = $field_filter ";
 }
- $sqlf .= " ORDER BY ".$columns[$column]." $sort_direction ";
- if (0 != $number_of_items) {
+ $sqlf .= " ORDER BY `".$columns[$column]."` $sort_direction ";
+ if ($number_of_items != 0) {
 $sqlf .= " LIMIT ".intval($from).','.intval($number_of_items);
 }
 $resf = Database::query($sqlf);
@@ -4650,7 +4650,7 @@ class UserManager
 if (!empty($column) && !empty($direction)) {
 // Fixing order due the UNIONs
 $column = str_replace('u.', '', $column);
- $orderBy = " ORDER BY $column $direction ";
+ $orderBy = " ORDER BY `$column` $direction ";
 }
 }
diff --git a/public/main/session/session_category_list.php b/public/main/session/session_category_list.php
index c222a20659..1a03313d6c 100644
--- a/public/main/session/session_category_list.php
+++ b/public/main/session/session_category_list.php
@@ -84,7 +84,7 @@ if (isset($_GET['search']) && 'advanced' === $_GET['search']) { ) as nbr_session FROM $tbl_session_category sc $where
- ORDER BY $sort $order
+ ORDER BY `$sort` $order
 LIMIT $from,".($limit + 1);
 $query_rows = "SELECT count(*) as total_rows
diff --git a/public/main/session/session_course_list.php b/public/main/session/session_course_list.php
index 95518d6be8..f3a6fb9a24 100644
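Review bot: The hunk removes `$session_id = intval($session_id);` while adding the `$column` and `$direction` sanitising, and nothing in the new lines replaces it; `$table_session` is fetched right above, so `$session_id` is very likely interpolated into the `$sql` string that begins on the last context line. Unless it is cast somewhere earlier in the method (not visible here), keep `$session_id = (int) $session_id;` next to the new casts. The enclosing method starts and ends outside the hunk.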
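Review bot: In `usermanager.lib.php` (hunk at 2163) `$sort_direction` is interpolated into the new backtick-quoted `ORDER BY` with no visible check, and `$columns[$column]` yields null — an empty pair of backticks — when `$column` is not a key of `$columns`; both are set before the hunk. If they are not already constrained there, `$sort_direction = 'DESC' === strtoupper($sort_direction) ? 'DESC' : 'ASC';` and an `isset($columns[$column])` guard that falls back to the default key would make this line safe on its own. The enclosing method starts outside the hunk.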
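Review bot: The hunk at 4650 has the same gap as its sibling in `sessionmanager.lib.php`: `$direction` goes raw into the new `ORDER BY` and only the `u.` alias is stripped before `$column` is backtick-quoted, so any other alias now fails as a single identifier. If the caller does not already whitelist them, `$direction = 'DESC' === strtoupper($direction) ? 'DESC' : 'ASC';` inside the `if` and a column whitelist in place of the `str_replace` would close it. The enclosing method starts outside the hunk.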
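Review bot: In `session_category_list.php` the changed line quotes `$sort` but `$order` is still interpolated as-is, and neither variable's origin is inside the hunk; confirm earlier in the script that `$order` is constrained to `ASC`/`DESC` and `$sort` to the session-category columns, since backticks do not stop a value that itself contains a backtick. Because the query aliases the table as `sc`, a `$sort` written with that prefix would now be rejected as an unknown identifier.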
--- a/public/main/session/session_course_list.php
+++ b/public/main/session/session_course_list.php
@@ -58,7 +58,7 @@ $from = $page * $limit; $sql = "SELECT c.id, c.code, c.title, nbr_users FROM $tbl_session_rel_course, $tbl_course c WHERE c_id = c.id AND session_id='$id_session'
- ORDER BY $sort
+ ORDER BY `$sort`
 LIMIT $from,".($limit + 1);
 $result = Database::query($sql);
 $Courses = Database::store_result($result);
diff --git a/public/main/session/session_course_user_list.php b/public/main/session/session_course_user_list.php
index 26c33cb133..0750f6ac9d 100644
--- a/public/main/session/session_course_user_list.php
+++ b/public/main/session/session_course_user_list.php
@@ -102,7 +102,7 @@ $sql = " WHERE s.session_id = $id_session AND url.access_url_id = $urlId
- ORDER BY $sort $direction
+ ORDER BY `$sort` $direction
 LIMIT $from,".($limit + 1);
 if ('desc' === $direction) {
diff --git a/public/main/user/subscribe_user.php b/public/main/user/subscribe_user.php
index 17d31b4406..fa89cab225 100644
--- a/public/main/user/subscribe_user.php
+++ b/public/main/user/subscribe_user.php
@@ -659,6 +659,8 @@ function get_user_data($from, $number_of_items, $column, $direction)
 }
 $sql .= " AND u.status != ".ANONYMOUS." ";
+ $column = (int) $column;
+ $direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;
 // Sorting and pagination (used by the sortable table)
 $sql .= " ORDER BY col$column $direction ";
 $from = (int) $from;
diff --git a/public/main/webservices/cm_webservice_inbox.php b/public/main/webservices/cm_webservice_inbox.php
index 9890df9280..348550f7c9 100644
--- a/public/main/webservices/cm_webservice_inbox.php
+++ b/public/main/webservices/cm_webservice_inbox.php
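Review bot: The query in `session_course_list.php` selects alias-qualified columns (`c.id`, `c.code`, `c.title`), so a `$sort` value written that way becomes one unknown identifier inside the backticks on the new `ORDER BY` line and the page breaks; only bare names such as `title`, `code` or `nbr_users` survive the quoting. `$sort` is assigned earlier in the script, outside the hunk, so check what the sortable table sends and whitelist it there against the selected columns, with the page's existing default as the fallback.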
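Review bot: The same alias concern applies to `session_course_user_list.php`: the query uses `s.` and `url.` aliases, so a `$sort` carrying one of them will now fail inside the backticks on the changed line. `$direction` appears to be normalised (the context compares it to `'desc'` with `===`), but `$sort` is set before the hunk and its whitelist is not visible; confirm it is limited to bare column names.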
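Review bot: In `subscribe_user.php` the added `$column = (int) $column;` still lets a negative or out-of-range index through, producing `col-1` on the `ORDER BY col$column` line, which is a SQL error rather than an injection; `$column = max(0, (int) $column);` (or a check against the number of `colN` aliases the SELECT defines) would make it robust. The `in_array` check on the next added line should pass `true` as its third argument, and it keeps the untrimmed `$direction` while validating the trimmed one, which is harmless but easier to read as `$direction = 'desc' === strtolower(trim($direction)) ? 'desc' : 'asc';`. The enclosing function ends outside the hunk.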
@@ -106,13 +106,17 @@ class WSCMInbox extends WSCM
 $from,
 $number_of_items
 ) {
+ $from = (int) $from;
+ $number_of_items = (int) $number_of_items;
+
 if ("valid" == $this->verifyUserPass($username, $password)) {
 $user_id = UserManager::get_user_id_from_username($username);
 $table_message = Database::get_main_table(TABLE_MESSAGE);
 $sql_query = "SELECT id FROM $table_message WHERE user_sender_id=".$user_id." AND msg_status=".MESSAGE_STATUS_OUTBOX."
- ORDER BY send_date LIMIT $from,$number_of_items";
+ ORDER BY send_date
+ LIMIT $from,$number_of_items";
 $sql_result = Database::query($sql_query);
 $message = "#";
diff --git a/public/main/webservices/cm_webservice_user.php b/public/main/webservices/cm_webservice_user.php
index d47876c543..d99bf9ed0f 100644
--- a/public/main/webservices/cm_webservice_user.php
+++ b/public/main/webservices/cm_webservice_user.php
@@ -195,7 +195,7 @@ class WSCMUser extends WSCM
 }
 $order = '';
 foreach ($order_by as $orderByItem) {
- $order .= Database::escape_string($orderByItem, null, false).', ';
+ $order .= Database::escape_string($orderByItem).', ';
 }
 $order = substr($order, 0, -2);
 if (count($order_by) > 0) {
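Review bot: The `(int)` casts added at the top close the injection on `LIMIT $from,$number_of_items`, but a negative value still produces `LIMIT -1,-5`, which MySQL rejects; clamp with `$from = max(0, (int) $from);` and `$number_of_items = max(0, (int) $number_of_items);`. On the `user_sender_id=` line `$user_id` is whatever `get_user_id_from_username()` returns; if that helper can return `false` for an unknown name the query degrades to `user_sender_id=`, so a guard on its result is worth adding, though the helper itself is outside the hunk. The enclosing method ends outside the hunk.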
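Review bot: `Database::escape_string($orderByItem)` on the changed line only escapes quote and control characters, and the items are then joined into an unquoted `ORDER BY` list, so an item such as `id DESC, (SELECT ...)` passes through unchanged — escaping does not constrain identifiers. Validate each item against the columns the query can sort on (optionally with an `ASC`/`DESC` suffix) and skip anything else, e.g. `if (!in_array($orderByItem, $allowedOrderColumns, true)) { continue; }` before the concatenation, with the allowed list taken from the query's own columns. The enclosing method starts outside the hunk.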