Fixing SQL queries

main/course_home/2column.php

@@ -19,12 +19,12 @@ require_once api_get_path(LIBRARY_PATH).'course_home.lib.php';
 
 /* 	Work with data post askable by admin of course (franglais, clean this) */
 
-if (api_is_allowed_to_edit(null, true)) {
+$id = isset($_GET['id']) ? intval($_GET['id']) : null;
+$course_id = api_get_course_int_id();
 
+if (api_is_allowed_to_edit(null, true)) {
 	/*  Processing request */
-
 	/*	Modify home page */
-
 	/*
 	 * Display message to confirm that a tool must be hidden from the list of available tools (visibility 0,1->2)
 	 */
@@ -32,7 +32,7 @@ if (api_is_allowed_to_edit(null, true)) {
 	if ($_GET['remove']) {
 		$msgDestroy = get_lang('DelLk').'<br />';
 		$msgDestroy .= '<a href="'.api_get_self().'">'.get_lang('No').'</a>&nbsp;|&nbsp;';
-		$msgDestroy .= '<a href="'.api_get_self().'?destroy=yes&amp;id='.$_GET['id'].'">'.get_lang('Yes').'</a>';
+		$msgDestroy .= '<a href="'.api_get_self().'?destroy=yes&amp;id='.$id.'">'.get_lang('Yes').'</a>';
 		Display :: display_confirmation_message($msgDestroy, false);
 	}
 
@@ -42,20 +42,20 @@ if (api_is_allowed_to_edit(null, true)) {
 	 */
 
 	elseif ($_GET['destroy']) {
-		Database::query("UPDATE $tool_table SET visibility='2' WHERE id='".$_GET['id']."'");
+		Database::query("UPDATE $tool_table SET visibility='2' WHERE c_id = $course_id AND id='".$id."'");
 	}
 
   	/*	HIDE */
 
 	elseif ($_GET['hide']) { // visibility 1 -> 0
-		Database::query("UPDATE $tool_table SET visibility=0 WHERE id='".$_GET['id']."'");
+		Database::query("UPDATE $tool_table SET visibility=0 WHERE c_id = $course_id AND id='".$id."'");
 		Display::display_confirmation_message(get_lang('ToolIsNowHidden'));
 	}
 
     /*	REACTIVATE */
 
 	elseif ($_GET["restore"]) { // visibility 0,2 -> 1
-		Database::query("UPDATE $tool_table SET visibility=1  WHERE id='".$_GET['id']."'");
+		Database::query("UPDATE $tool_table SET visibility=1  WHERE c_id = $course_id AND id='".$id."'");
 		Display::display_confirmation_message(get_lang('ToolIsNowVisible'));
 	}
 }
@@ -71,7 +71,7 @@ if (api_is_platform_admin()) {
 			<?php echo get_lang('DelLk'); ?>
 			<br />&nbsp;&nbsp;&nbsp;
 			<a href="<?php echo api_get_self(); ?>"><?php echo get_lang('No'); ?></a>&nbsp;|&nbsp;
-			<a href="<?php echo api_get_self(); ?>?delete=yes&id=<?php echo $_GET['id']; ?>"><?php echo get_lang('Yes'); ?></a>
+			<a href="<?php echo api_get_self(); ?>?delete=yes&id=<?php echo $id; ?>"><?php echo get_lang('Yes'); ?></a>
 			</div>
 <?php
 	}
@@ -82,7 +82,7 @@ if (api_is_platform_admin()) {
 	 */
 
 	elseif (isset($_GET['delete']) && $_GET['delete']) {
-		Database::query("DELETE FROM $tool_table WHERE id='$id' AND added_tool=1");
+		Database::query("DELETE FROM $tool_table WHERE c_id = $course_id AND id='$id' AND added_tool=1");
 	}
 }
 

main/course_home/activity.php

@@ -15,18 +15,20 @@
 
 require_once api_get_path(LIBRARY_PATH).'course_home.lib.php';
 
+$id = isset($_GET['id']) ? intval($_GET['id']) : null;
+
 //	MAIN CODE
 
 if (api_is_allowed_to_edit(null, true)) {
 	// HIDE
 	if (!empty($_GET['hide'])) {
-		$sql = "UPDATE $tool_table SET visibility=0 WHERE id=".intval($_GET['id']);
+		$sql = "UPDATE $tool_table SET visibility=0 WHERE c_id = $course_id AND id=".$id;
 		Database::query($sql);
 		Display::display_confirmation_message(get_lang('ToolIsNowHidden'));
 	} elseif (!empty($_GET['restore'])) {
 		// visibility 0,2 -> 1
 		// REACTIVATE
-		$sql = "UPDATE $tool_table SET visibility=1 WHERE id=".intval($_GET['id']);
+		$sql = "UPDATE $tool_table SET visibility=1 WHERE c_id = $course_id AND id=".$id;
 		Database::query($sql);
 		Display::display_confirmation_message(get_lang('ToolIsNowVisible'));
 	}
@@ -50,7 +52,7 @@ if (api_is_platform_admin()) {
 	elseif (isset($_GET['delete']) && $_GET['delete']) {
 		//where $id is set?
 		$id = intval($id);
-		Database::query("DELETE FROM $tool_table WHERE id='$id' AND added_tool=1");
+		Database::query("DELETE FROM $tool_table WHERE c_id = $course_id AND id='$id' AND added_tool=1");
 	}
 }