[svn r18861] Security improvements

16 years ago · 8203f4c34c
parent 7a1980492a
commit 8203f4c34c
5 changed files with 12 additions and 13 deletions
--- a/main/admin/access_url_edit_courses_to_url.php
+++ b/main/admin/access_url_edit_courses_to_url.php
@ -61,12 +61,13 @@ $interbreadcrumb[] = array ('url' => 'access_urls.php', 'name' => get_lang('Mult

 $add_type = 'multiple';
 if(isset($_REQUEST['add_type']) && $_REQUEST['add_type']!=''){
-	$add_type = $_REQUEST['add_type'];
+	$add_type = Security::remove_XSS($_REQUEST['add_type']);
+	 
 }

 $access_url_id=1;
 if(isset($_REQUEST['access_url_id']) && $_REQUEST['access_url_id']!=''){
-	$access_url_id = $_REQUEST['access_url_id']; 
+	$access_url_id = Security::remove_XSS($_REQUEST['access_url_id']); 
 }

 function search_courses($needle, $id)
--- a/main/admin/access_url_edit_sessions_to_url.php
+++ b/main/admin/access_url_edit_sessions_to_url.php
@ -61,12 +61,12 @@ $interbreadcrumb[] = array ('url' => 'access_urls.php', 'name' => get_lang('Mult

 $add_type = 'multiple';
 if(isset($_REQUEST['add_type']) && $_REQUEST['add_type']!=''){
-	$add_type = $_REQUEST['add_type'];
+	$add_type = Security::remove_XSS($_REQUEST['add_type']);
 }

 $access_url_id=1;
 if(isset($_REQUEST['access_url_id']) && $_REQUEST['access_url_id']!=''){
-	$access_url_id = $_REQUEST['access_url_id']; 
+	$access_url_id = Security::remove_XSS($_REQUEST['access_url_id']); 
 }

 function search_sessions($needle, $id)
--- a/main/admin/access_url_edit_users_to_url.php
+++ b/main/admin/access_url_edit_users_to_url.php
@ -61,12 +61,12 @@ $interbreadcrumb[] = array ('url' => 'access_urls.php', 'name' => get_lang('Mult

 $add_type = 'multiple';
 if(isset($_REQUEST['add_type']) && $_REQUEST['add_type']!=''){
-	$add_type = $_REQUEST['add_type'];
+	$add_type = Security::remove_XSS($_REQUEST['add_type']);
 }

 $access_url_id=1;
 if(isset($_REQUEST['access_url_id']) && $_REQUEST['access_url_id']!=''){
-	$access_url_id = $_REQUEST['access_url_id']; 
+	$access_url_id = Security::remove_XSS($_REQUEST['access_url_id']); 
 }

 function search_users($needle, $id)
--- a/main/admin/add_courses_to_session.php
+++ b/main/admin/add_courses_to_session.php
@ -65,15 +65,13 @@ $id_session=intval($_GET['id_session']);

 $add_type = 'multiple';
 if(isset($_GET['add_type']) && $_GET['add_type']!=''){
-	$add_type = $_GET['add_type'];
+	$add_type = Security::remove_XSS($_REQUEST['add_type']);
 }

-if(!api_is_platform_admin())
-{
+if (!api_is_platform_admin()) {
 	$sql = 'SELECT session_admin_id FROM '.Database :: get_main_table(TABLE_MAIN_SESSION).' WHERE id='.$id_session;
 	$rs = api_sql_query($sql,__FILE__,__LINE__);
-	if(Database::result($rs,0,0)!=$_user['user_id'])
-	{
+	if (Database::result($rs,0,0)!=$_user['user_id']) {
 		api_not_allowed(true);
 	}
 }
--- a/main/admin/add_users_to_session.php
+++ b/main/admin/add_users_to_session.php
@ -69,10 +69,10 @@ $id_session=intval($_GET['id_session']);

 $add_type = 'multiple';
 if(isset($_REQUEST['add_type']) && $_REQUEST['add_type']!=''){
-	$add_type = $_REQUEST['add_type'];
+	$add_type = Security::remove_XSS($_REQUEST['add_type']);
 }

-if(!api_is_platform_admin()) {
+if (!api_is_platform_admin()) {
 	$sql = 'SELECT session_admin_id FROM '.Database :: get_main_table(TABLE_MAIN_SESSION).' WHERE id='.$id_session;
 	$rs = api_sql_query($sql,__FILE__,__LINE__);
 	if(Database::result($rs,0,0)!=$_user['user_id']) {