[svn r18861] Security improvements

skala
Julio Montoya 16 years ago
parent 7a1980492a
commit 8203f4c34c
  1. 5
      main/admin/access_url_edit_courses_to_url.php
  2. 4
      main/admin/access_url_edit_sessions_to_url.php
  3. 4
      main/admin/access_url_edit_users_to_url.php
  4. 8
      main/admin/add_courses_to_session.php
  5. 4
      main/admin/add_users_to_session.php

@ -61,12 +61,13 @@ $interbreadcrumb[] = array ('url' => 'access_urls.php', 'name' => get_lang('Mult
$add_type = 'multiple'; $add_type = 'multiple';
if(isset($_REQUEST['add_type']) && $_REQUEST['add_type']!=''){ if(isset($_REQUEST['add_type']) && $_REQUEST['add_type']!=''){
$add_type = $_REQUEST['add_type']; $add_type = Security::remove_XSS($_REQUEST['add_type']);
} }
$access_url_id=1; $access_url_id=1;
if(isset($_REQUEST['access_url_id']) && $_REQUEST['access_url_id']!=''){ if(isset($_REQUEST['access_url_id']) && $_REQUEST['access_url_id']!=''){
$access_url_id = $_REQUEST['access_url_id']; $access_url_id = Security::remove_XSS($_REQUEST['access_url_id']);
} }
function search_courses($needle, $id) function search_courses($needle, $id)
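Review bot: `Security::remove_XSS()` on `$access_url_id` (the second assignment in this hunk) is the wrong filter for a value that is plainly a numeric row id with a default of `1`: an HTML-stripping filter leaves quotes and SQL tokens intact, so if `$access_url_id` is later concatenated into a query — which this hunk does not show — it stays injectable. The commit itself already uses the right idiom for `$id_session` (`intval($_GET['id_session'])` in the add_courses_to_session.php hunk header); the same here is `$access_url_id = intval($_REQUEST['access_url_id']);`, keeping the existing non-empty guard and `1` default. `$add_type` is likewise a mode switch rather than rendered text, of which only `'multiple'` is visible; a strict `in_array()` allow-list against the page's accepted modes, falling back to `'multiple'`, rejects unexpected values instead of merely stripping tags from them. `remove_XSS()` is an output-context escape, so applying it at input time buys nothing for the SQL or file-path contexts these values may reach.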

@ -61,12 +61,12 @@ $interbreadcrumb[] = array ('url' => 'access_urls.php', 'name' => get_lang('Mult
$add_type = 'multiple'; $add_type = 'multiple';
if(isset($_REQUEST['add_type']) && $_REQUEST['add_type']!=''){ if(isset($_REQUEST['add_type']) && $_REQUEST['add_type']!=''){
$add_type = $_REQUEST['add_type']; $add_type = Security::remove_XSS($_REQUEST['add_type']);
} }
$access_url_id=1; $access_url_id=1;
if(isset($_REQUEST['access_url_id']) && $_REQUEST['access_url_id']!=''){ if(isset($_REQUEST['access_url_id']) && $_REQUEST['access_url_id']!=''){
$access_url_id = $_REQUEST['access_url_id']; $access_url_id = Security::remove_XSS($_REQUEST['access_url_id']);
} }
function search_sessions($needle, $id) function search_sessions($needle, $id)
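Review bot: `$access_url_id` is passed through `Security::remove_XSS()` although it is a numeric identifier (default `1`), and an XSS filter does not neutralise quotes or SQL keywords, so any later use of `$access_url_id` in a query string (outside this hunk) remains injectable after this change. Casting is the appropriate check and matches the `intval($_GET['id_session'])` line visible in this commit's add_courses_to_session.php hunk: `$access_url_id = intval($_REQUEST['access_url_id']);`. For `$add_type`, which selects a page mode and is not being echoed here, a strict `in_array()` comparison against the fixed set of accepted modes (only `'multiple'` is visible) with `'multiple'` as the fallback would reject unknown values rather than tag-strip them.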

@ -61,12 +61,12 @@ $interbreadcrumb[] = array ('url' => 'access_urls.php', 'name' => get_lang('Mult
$add_type = 'multiple'; $add_type = 'multiple';
if(isset($_REQUEST['add_type']) && $_REQUEST['add_type']!=''){ if(isset($_REQUEST['add_type']) && $_REQUEST['add_type']!=''){
$add_type = $_REQUEST['add_type']; $add_type = Security::remove_XSS($_REQUEST['add_type']);
} }
$access_url_id=1; $access_url_id=1;
if(isset($_REQUEST['access_url_id']) && $_REQUEST['access_url_id']!=''){ if(isset($_REQUEST['access_url_id']) && $_REQUEST['access_url_id']!=''){
$access_url_id = $_REQUEST['access_url_id']; $access_url_id = Security::remove_XSS($_REQUEST['access_url_id']);
} }
function search_users($needle, $id) function search_users($needle, $id)
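Review bot: Neither value filtered in this hunk is output text — `$access_url_id` is a row id defaulting to `1` and `$add_type` is a mode flag — so `Security::remove_XSS()` gives only cosmetic protection; it leaves quotes and SQL fragments untouched, which matters if `$access_url_id` is interpolated into a query further down the file (not visible here). Use the cast this commit already relies on for `$id_session` in add_courses_to_session.php: `$access_url_id = intval($_REQUEST['access_url_id']);`. For `$add_type`, restrict the value to the page's known modes (only `'multiple'` is visible) with `in_array(..., true)`, defaulting to `'multiple'` when it is not one of them, instead of escaping a value that is never rendered at this point.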

@ -65,15 +65,13 @@ $id_session=intval($_GET['id_session']);
$add_type = 'multiple'; $add_type = 'multiple';
if(isset($_GET['add_type']) && $_GET['add_type']!=''){ if(isset($_GET['add_type']) && $_GET['add_type']!=''){
$add_type = $_GET['add_type']; $add_type = Security::remove_XSS($_REQUEST['add_type']);
} }
if(!api_is_platform_admin()) if (!api_is_platform_admin()) {
{
$sql = 'SELECT session_admin_id FROM '.Database :: get_main_table(TABLE_MAIN_SESSION).' WHERE id='.$id_session; $sql = 'SELECT session_admin_id FROM '.Database :: get_main_table(TABLE_MAIN_SESSION).' WHERE id='.$id_session;
$rs = api_sql_query($sql,__FILE__,__LINE__); $rs = api_sql_query($sql,__FILE__,__LINE__);
if(Database::result($rs,0,0)!=$_user['user_id']) if (Database::result($rs,0,0)!=$_user['user_id']) {
{
api_not_allowed(true); api_not_allowed(true);
} }
} }
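Review bot: The guard on the new third line tests `$_GET['add_type']` but the assignment reads `$_REQUEST['add_type']`, so the `isset`/non-empty check protects a different value than the one actually used — a POST field (and, depending on `request_order`, a cookie) named `add_type` takes precedence in `$_REQUEST` over the query-string value that was checked. Read the same source in both places, `$add_type = Security::remove_XSS($_GET['add_type']);`, or change the condition to `$_REQUEST` as the other four files in this commit do. Beyond that, `$add_type` is a mode flag rather than rendered text, so a strict `in_array()` allow-list of the accepted modes (only `'multiple'` is visible) with `'multiple'` as the fallback is a tighter check than an XSS filter. The ownership query below is safe against injection because `$id_session` is `intval()`ed in the hunk header; that line is context, not part of this change.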

@ -69,10 +69,10 @@ $id_session=intval($_GET['id_session']);
$add_type = 'multiple'; $add_type = 'multiple';
if(isset($_REQUEST['add_type']) && $_REQUEST['add_type']!=''){ if(isset($_REQUEST['add_type']) && $_REQUEST['add_type']!=''){
$add_type = $_REQUEST['add_type']; $add_type = Security::remove_XSS($_REQUEST['add_type']);
} }
if(!api_is_platform_admin()) { if (!api_is_platform_admin()) {
$sql = 'SELECT session_admin_id FROM '.Database :: get_main_table(TABLE_MAIN_SESSION).' WHERE id='.$id_session; $sql = 'SELECT session_admin_id FROM '.Database :: get_main_table(TABLE_MAIN_SESSION).' WHERE id='.$id_session;
$rs = api_sql_query($sql,__FILE__,__LINE__); $rs = api_sql_query($sql,__FILE__,__LINE__);
if(Database::result($rs,0,0)!=$_user['user_id']) { if(Database::result($rs,0,0)!=$_user['user_id']) {
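Review bot: The ownership check on the last line of this hunk, `if(Database::result($rs,0,0)!=$_user['user_id']) {`, is written as "deny when the owner differs" with a loose `!=`, so a non-existent session is not itself a denial: when `$id_session` matches no row, `Database::result()` yields no owner, and if `$_user['user_id']` is also empty (whether a login is enforced above this hunk is not visible) the loose comparison treats the two empty values as equal and `api_not_allowed()` is skipped. Since the commit is already reformatting this block, I would make it positive and strict: `$session_admin_id = Database::result($rs, 0, 0);` followed by `if (empty($session_admin_id) || (int) $session_admin_id !== (int) $_user['user_id']) { api_not_allowed(true); }`. The same remark applies to the first change as elsewhere in this commit: `$add_type` selects a page mode, so a strict `in_array()` against the accepted modes with `'multiple'` as the fallback is a tighter check than `Security::remove_XSS()` on a value that is not rendered here. The `if` block opened on the last line closes outside this hunk.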
