Adding intval function to querys see dt#4389

skala
Julio Montoya 16 years ago
parent 7217790b59
commit 87738b2fe7
  1. 13
      main/messages/message.class.php

@ -206,6 +206,7 @@ class MessageManager
public static function delete_message_by_user_receiver ($user_receiver_id,$id) { public static function delete_message_by_user_receiver ($user_receiver_id,$id) {
$table_message = Database::get_main_table(TABLE_MESSAGE); $table_message = Database::get_main_table(TABLE_MESSAGE);
if ($id != strval(intval($id))) return false;
$id = Database::escape_string($id); $id = Database::escape_string($id);
$sql="SELECT COUNT(*) as count FROM $table_message WHERE id=".$id." AND msg_status<>4;"; $sql="SELECT COUNT(*) as count FROM $table_message WHERE id=".$id." AND msg_status<>4;";
$rs=Database::query($sql,__FILE__,__LINE__); $rs=Database::query($sql,__FILE__,__LINE__);
@ -227,6 +228,7 @@ class MessageManager
* @return array * @return array
*/ */
public static function delete_message_by_user_sender ($user_sender_id,$id) { public static function delete_message_by_user_sender ($user_sender_id,$id) {
if ($id != strval(intval($id))) return false;
$table_message = Database::get_main_table(TABLE_MESSAGE); $table_message = Database::get_main_table(TABLE_MESSAGE);
$query = "DELETE FROM $table_message " . $query = "DELETE FROM $table_message " .
"WHERE user_sender_id=".Database::escape_string($user_sender_id)." AND id=".Database::escape_string($id); "WHERE user_sender_id=".Database::escape_string($user_sender_id)." AND id=".Database::escape_string($id);
@ -234,12 +236,14 @@ class MessageManager
return $result; return $result;
} }
public static function update_message ($user_id, $id) { public static function update_message ($user_id, $id) {
if ($id != strval(intval($id)) || $user_id != strval(intval($user_id))) return false;
$table_message = Database::get_main_table(TABLE_MESSAGE); $table_message = Database::get_main_table(TABLE_MESSAGE);
$query = "UPDATE $table_message SET msg_status = '0' WHERE msg_status<>4 AND user_receiver_id=".Database::escape_string($user_id)." AND id='".Database::escape_string($id)."'"; $query = "UPDATE $table_message SET msg_status = '0' WHERE msg_status<>4 AND user_receiver_id=".Database::escape_string($user_id)." AND id='".Database::escape_string($id)."'";
$result = Database::query($query,__FILE__,__LINE__); $result = Database::query($query,__FILE__,__LINE__);
} }
public static function get_message_by_user ($user_id,$id) { public static function get_message_by_user ($user_id,$id) {
if ($id != strval(intval($id)) || $user_id != strval(intval($user_id))) return false;
$table_message = Database::get_main_table(TABLE_MESSAGE); $table_message = Database::get_main_table(TABLE_MESSAGE);
$query = "SELECT * FROM $table_message WHERE user_receiver_id=".Database::escape_string($user_id)." AND id='".Database::escape_string($id)."'"; $query = "SELECT * FROM $table_message WHERE user_receiver_id=".Database::escape_string($user_id)." AND id='".Database::escape_string($id)."'";
$result = Database::query($query,__FILE__,__LINE__); $result = Database::query($query,__FILE__,__LINE__);
@ -253,6 +257,7 @@ class MessageManager
* @return boolean * @return boolean
*/ */
public static function exist_message ($user_id, $id) { public static function exist_message ($user_id, $id) {
if ($id != strval(intval($id)) || $user_id != strval(intval($user_id))) return false;
$table_message = Database::get_main_table(TABLE_MESSAGE); $table_message = Database::get_main_table(TABLE_MESSAGE);
$query = "SELECT id FROM $table_message WHERE user_receiver_id=".Database::escape_string($user_id)." AND id='".Database::escape_string($id)."'"; $query = "SELECT id FROM $table_message WHERE user_receiver_id=".Database::escape_string($user_id)." AND id='".Database::escape_string($id)."'";
$result = Database::query($query,__FILE__,__LINE__); $result = Database::query($query,__FILE__,__LINE__);
@ -335,14 +340,14 @@ class MessageManager
global $charset; global $charset;
$table_message = Database::get_main_table(TABLE_MESSAGE); $table_message = Database::get_main_table(TABLE_MESSAGE);
if (isset($_GET['id_send']) && is_numeric($_GET['id_send'])) { if (isset($_GET['id_send']) && is_numeric($_GET['id_send'])) {
$query = "SELECT * FROM $table_message WHERE user_sender_id=".api_get_user_id()." AND id=".Database::escape_string($_GET['id_send'])." AND msg_status=4;"; $query = "SELECT * FROM $table_message WHERE user_sender_id=".api_get_user_id()." AND id=".intval(Database::escape_string($_GET['id_send']))." AND msg_status=4;";
$result = Database::query($query,__FILE__,__LINE__); $result = Database::query($query,__FILE__,__LINE__);
$path='outbox.php'; $path='outbox.php';
} else { } else {
if (is_numeric($_GET['id'])) { if (is_numeric($_GET['id'])) {
$query = "UPDATE $table_message SET msg_status = '0' WHERE user_receiver_id=".api_get_user_id()." AND id='".Database::escape_string($_GET['id'])."';"; $query = "UPDATE $table_message SET msg_status = '0' WHERE user_receiver_id=".api_get_user_id()." AND id='".intval(Database::escape_string($_GET['id']))."';";
$result = Database::query($query,__FILE__,__LINE__); $result = Database::query($query,__FILE__,__LINE__);
$query = "SELECT * FROM $table_message WHERE msg_status<>4 AND user_receiver_id=".api_get_user_id()." AND id='".Database::escape_string($_GET['id'])."';"; $query = "SELECT * FROM $table_message WHERE msg_status<>4 AND user_receiver_id=".api_get_user_id()." AND id='".intval(Database::escape_string($_GET['id']))."';";
$result = Database::query($query,__FILE__,__LINE__); $result = Database::query($query,__FILE__,__LINE__);
} }
$path='inbox.php'; $path='inbox.php';
@ -399,7 +404,7 @@ class MessageManager
global $charset; global $charset;
$table_message = Database::get_main_table(TABLE_MESSAGE); $table_message = Database::get_main_table(TABLE_MESSAGE);
if (is_numeric($_GET['id_send'])) { if (is_numeric($_GET['id_send'])) {
$query = "SELECT * FROM $table_message WHERE user_sender_id=".api_get_user_id()." AND id=".Database::escape_string($_GET['id_send'])." AND msg_status=4;"; $query = "SELECT * FROM $table_message WHERE user_sender_id=".api_get_user_id()." AND id=".intval(Database::escape_string($_GET['id_send']))." AND msg_status=4;";
$result = Database::query($query,__FILE__,__LINE__); $result = Database::query($query,__FILE__,__LINE__);
} }
$path='outbox.php'; $path='outbox.php';
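Review bot: In delete_message_by_user_sender (hunk `@ -227,6 +228,7`) the new guard validates only `$id`, while `$user_sender_id` on the DELETE line right below it is still interpolated unquoted with nothing but `Database::escape_string()`, which only neutralises quote and backslash characters and therefore does not constrain a value placed outside quotes. The sibling methods update_message, get_message_by_user and exist_message check both arguments in this commit, so this one should match them: `if ($id != strval(intval($id)) || $user_sender_id != strval(intval($user_sender_id))) return false;`. The same consideration would apply to `$user_receiver_id` in delete_message_by_user_receiver if it is interpolated in the part of that method that lies outside the first hunk. Separately, in the two `$_GET` hunks (`@ -335` and `@ -399`) `intval(Database::escape_string($_GET['id_send']))` escapes a value that is immediately cast to int, so the inner call is redundant and `intval($_GET['id_send'])` says the same thing more clearly.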
