[svn r18765] Security - Added filtering

Julio Montoya 17 years ago
parent fb3f0932c0
commit 89db80d33e
  1. 2
      main/admin/access_url_add_courses_to_url.php
  2. 19
      main/admin/add_courses_to_session.php
  3. 1
      main/admin/add_users_to_session.php

@ -125,6 +125,8 @@ if(empty($first_letter_user))
}
unset($result);
}
$first_letter_course = Database::escape_string($first_letter_course);
$sql = "SELECT code, title FROM $tbl_course
WHERE title LIKE '".$first_letter_course."%' OR title LIKE '".strtolower($first_letter_course)."%'
ORDER BY title, code DESC ";
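Review bot: `Database::escape_string()` on the new `$first_letter_course` line protects the quoted literal, but the value is then used as a `LIKE` prefix on the following two lines, and an SQL escape does not neutralise the LIKE metacharacters `%` and `_`, so a value such as `%` still turns the prefix filter into a match-all. Escape those before the SQL escape, e.g. `$first_letter_course = Database::escape_string(addcslashes($first_letter_course, '%_'));` (assuming a MySQL backend with the default backslash escape, escape_string then doubles the backslash and the pattern sees a literal `\%`). Calling `strtolower()` on the already-escaped value is harmless in the C locale because it only changes ASCII case, but lowercasing before escaping would read more clearly. This is top-level script code; the `if(empty($first_letter_user))` block the hunk closes starts outside it.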

@ -191,22 +191,23 @@ if ($_POST['formSent']) {
foreach($CourseList as $enreg_course) {
$enreg_course = Database::escape_string($enreg_course);
$exists = false;
foreach($existingCourses as $existingCourse) {
if($enreg_course == $existingCourse['course_code']) {
$exists=true;
}
}
if(!$exists) {
api_sql_query("INSERT INTO $tbl_session_rel_course(id_session,course_code, id_coach) VALUES('$id_session','$enreg_course','$id_coach')",__FILE__,__LINE__);
if(!$exists) {
$sql_insert_rel_course= "INSERT INTO $tbl_session_rel_course(id_session,course_code, id_coach) VALUES('$id_session','$enreg_course','$id_coach')";
api_sql_query($sql_insert_rel_course ,__FILE__,__LINE__);
//We add in the existing courses table the current course, to not try to add another time the current course
$existingCourses[]=array('course_code'=>$enreg_course);
$nbr_users=0;
foreach ($UserList as $enreg_user) {
$enreg_user = $enreg_user['id_user'];
api_sql_query("INSERT IGNORE INTO $tbl_session_rel_course_rel_user(id_session,course_code,id_user) VALUES('$id_session','$enreg_course','$enreg_user')",__FILE__,__LINE__);
foreach ($UserList as $enreg_user) {
$enreg_user = Database::escape_string($enreg_user['id_user']);
$sql_insert = "INSERT IGNORE INTO $tbl_session_rel_course_rel_user(id_session,course_code,id_user) VALUES('$id_session','$enreg_course','$enreg_user')";
api_sql_query($sql_insert,__FILE__,__LINE__);
if(Database::affected_rows()) {
$nbr_users++;
}
@ -311,11 +312,11 @@ if ($ajax_search) {
unset($Courses);
if($add_type == 'multiple') {
$link_add_type_unique = '<a href="'.api_get_self().'?id_session='.$id_session.'&add='.$_GET['add'].'&add_type=unique">'.get_lang('SessionAddTypeUnique').'</a>';
$link_add_type_unique = '<a href="'.api_get_self().'?id_session='.$id_session.'&add='.Security::remove_XSS($_GET['add']).'&add_type=unique">'.get_lang('SessionAddTypeUnique').'</a>';
$link_add_type_multiple = get_lang('SessionAddTypeMultiple');
} else {
$link_add_type_unique = get_lang('SessionAddTypeUnique');
$link_add_type_multiple = '<a href="'.api_get_self().'?id_session='.$id_session.'&add='.$_GET['add'].'&add_type=multiple">'.get_lang('SessionAddTypeMultiple').'</a>';
$link_add_type_multiple = '<a href="'.api_get_self().'?id_session='.$id_session.'&add='.Security::remove_XSS($_GET['add']).'&add_type=multiple">'.get_lang('SessionAddTypeMultiple').'</a>';
}
?>
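Review bot: On the two rewritten `$link_add_type_*` lines, `$_GET['add']` lands inside an `href` query string, and `Security::remove_XSS()` is a content filter rather than an encoder for that context, so unless it also strips quotes and ampersands (not visible here) characters such as `"`, `&` or spaces can still break out of the attribute or alter the URL. Encode for the context instead: `'&add='.urlencode($_GET['add']).'&add_type=unique'` and likewise on the multiple-link line; urlencode's output is attribute-safe without further escaping. `$id_session` is concatenated into the same href unescaped in both branches; if it is not already cast to int earlier in the file (outside this hunk), add `(int)` there too. The `if/else` is top-level script code that ends at the `?>` closing the PHP block.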

@ -104,6 +104,7 @@ function search_users($needle)
// xajax send utf8 datas... datas in db can be non-utf8 datas
$charset = api_get_setting('platform_charset');
$needle = Database::escape_string($needle);
$needle = mb_convert_encoding($needle, $charset, 'utf-8');
// search users where username or firstname or lastname begins likes $needle
