Fix queries: Add Database::escape_string

pull/3883/head
Julio Montoya 4 years ago
parent f398b5b45c
commit 93ed464519
  1. 7
      main/admin/dashboard_add_users_to_user.php
  2. 3
      main/inc/lib/add_courses_to_session_functions.lib.php
  3. 40
      main/session/session_add.php

@ -67,6 +67,9 @@ function search_users($needle, $type = 'multiple')
$xajax_response = new xajaxResponse(); $xajax_response = new xajaxResponse();
$return = ''; $return = '';
$needle = Database::escape_string($needle);
$type = Database::escape_string($type);
if (!empty($needle) && !empty($type)) { if (!empty($needle) && !empty($type)) {
$assigned_users_to_hrm = []; $assigned_users_to_hrm = [];
@ -387,8 +390,8 @@ if (!empty($conditions)) {
if (api_is_multiple_url_enabled()) { if (api_is_multiple_url_enabled()) {
$sql = "SELECT user.user_id, username, lastname, firstname $sql = "SELECT user.user_id, username, lastname, firstname
FROM $tbl_user user FROM $tbl_user user
LEFT JOIN $tbl_access_url_rel_user au LEFT JOIN $tbl_access_url_rel_user au
ON (au.user_id = user.user_id) ON (au.user_id = user.user_id)
WHERE WHERE
$without_assigned_users $without_assigned_users
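Review bot: `Database::escape_string` on `$needle` (line 17) only neutralises quote characters; it leaves the LIKE wildcards `%` and `_` intact, so a needle consisting of a bare wildcard still matches every user in the prefix search, and the same applies to `$needle` in `search_coachs` (session_add.php). If that breadth is unwanted, escape the wildcards before the SQL escape, `$needle = Database::escape_string(addcslashes($needle, '%_'));`, and in any case escaping only protects a value that is placed inside single quotes, so each use of `$needle` further down in search_users should be checked for quoting. `$type` (line 18) is a mode selector rather than free text, so validating it against the accepted values, e.g. `if (!in_array($type, [/* accepted modes */], true)) { return $xajax_response; }`, is a stronger check than escaping it. The body of search_users, including the queries that consume these values, continues outside the hunk.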

@ -32,10 +32,11 @@ class AddCourseToSession
// xajax send utf8 datas... datas in db can be non-utf8 datas // xajax send utf8 datas... datas in db can be non-utf8 datas
$charset = api_get_system_encoding(); $charset = api_get_system_encoding();
$needle = api_convert_encoding($needle, $charset, 'utf-8'); $needle = api_convert_encoding($needle, $charset, 'utf-8');
$needle = Database::escape_string($needle);
$cond_course_code = ''; $cond_course_code = '';
if (!empty($id_session)) { if (!empty($id_session)) {
$id_session = intval($id_session); $id_session = (int) $id_session;
// check course_code from session_rel_course table // check course_code from session_rel_course table
$sql = 'SELECT c_id FROM '.$tbl_session_rel_course.' $sql = 'SELECT c_id FROM '.$tbl_session_rel_course.'
WHERE session_id = '.$id_session; WHERE session_id = '.$id_session;
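Review bot: The new escape on line 34 is correctly placed after `api_convert_encoding`, and that ordering is worth documenting because moving the escape above the conversion would escape bytes in the wrong charset; add `// escape after the charset conversion so the escaping applies to the bytes actually sent to the DB` above it. The `(int)` cast on line 37 is the right guard for `$id_session` since that value is interpolated unquoted into the query on line 40. The enclosing method of AddCourseToSession starts outside the hunk, so where `$needle` originates and whether it is already quoted at every use cannot be confirmed here.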

@ -13,7 +13,6 @@ $xajax->registerFunction('search_coachs');
$this_section = SECTION_PLATFORM_ADMIN; $this_section = SECTION_PLATFORM_ADMIN;
SessionManager::protectSession(null, false); SessionManager::protectSession(null, false);
api_protect_limit_for_session_admin(); api_protect_limit_for_session_admin();
$formSent = 0; $formSent = 0;
@ -35,6 +34,7 @@ function search_coachs($needle)
$return = ''; $return = '';
if (!empty($needle)) { if (!empty($needle)) {
$needle = Database::escape_string($needle);
$order_clause = api_sort_by_first_name() ? ' ORDER BY firstname, lastname, username' : ' ORDER BY lastname, firstname, username'; $order_clause = api_sort_by_first_name() ? ' ORDER BY firstname, lastname, username' : ' ORDER BY lastname, firstname, username';
// search users where username or firstname or lastname begins likes $needle // search users where username or firstname or lastname begins likes $needle
@ -166,44 +166,44 @@ $(function() {
$('#access').val(0); $('#access').val(0);
$('#access').selectpicker('render'); $('#access').selectpicker('render');
accessSwitcher(0); accessSwitcher(0);
$('#duration').val(parseInt(data.duration)); $('#duration').val(parseInt(data.duration));
} else { } else {
$('#access').val(1); $('#access').val(1);
$('#access').selectpicker('render'); $('#access').selectpicker('render');
accessSwitcher(1); accessSwitcher(1);
var variables = [ var variables = [
'display_start_date', 'display_start_date',
'access_start_date', 'access_start_date',
'coach_access_start_date', 'coach_access_start_date',
'display_end_date', 'display_end_date',
'access_end_date', 'access_end_date',
'coach_access_end_date' 'coach_access_end_date'
]; ];
variables.forEach(function(variable) { variables.forEach(function(variable) {
var variableName = variable + '_to_local_time'; var variableName = variable + '_to_local_time';
if (data[variableName]) { if (data[variableName]) {
var parsedDate = $.datepicker.parseDateTime( var parsedDate = $.datepicker.parseDateTime(
'yy-mm-dd', 'yy-mm-dd',
'hh:mm:ss', 'hh:mm:ss',
data[variableName] data[variableName]
); );
if (parsedDate) { if (parsedDate) {
$('#'+variable).datetimepicker('setDate', parsedDate); $('#'+variable).datetimepicker('setDate', parsedDate);
} }
} }
}); });
} }
$('[name=\'show_description\']').prop('checked', false); $('[name=\'show_description\']').prop('checked', false);
if (data.show_description) { if (data.show_description) {
$('[name=\'show_description\']').prop('checked', true); $('[name=\'show_description\']').prop('checked', true);
} }
$('[name=\'send_subscription_notification\']').prop('checked', false); $('[name=\'send_subscription_notification\']').prop('checked', false);
if (data.send_subscription_notification) { if (data.send_subscription_notification) {
$('[name=\'send_subscription_notification\']').prop('checked', true); $('[name=\'send_subscription_notification\']').prop('checked', true);
} }
$.each(data.extra_fields, function(i, item) { $.each(data.extra_fields, function(i, item) {
var fieldName = 'extra_'+item.variable; var fieldName = 'extra_'+item.variable;
@ -250,7 +250,7 @@ $(function() {
break; break;
case '4': // simple select case '4': // simple select
case '5': // multiple select case '5': // multiple select
var options = item.value.split(';'); var options = item.value.split(';');
$('#'+fieldName+'').val(options); $('#'+fieldName+'').val(options);
$('#'+fieldName+'').selectpicker('render'); $('#'+fieldName+'').selectpicker('render');
break; break;
@ -328,20 +328,20 @@ $(function() {
if (item.value) { if (item.value) {
// $('input[name='+fieldName+']').val(item.value); // $('input[name='+fieldName+']').val(item.value);
var url = '".$urlUpload."'; var url = '".$urlUpload."';
url = url + item.value; url = url + item.value;
var divFormGroup = fieldName + '-form-group'; var divFormGroup = fieldName + '-form-group';
var divWrapper = fieldName + '_crop_image'; var divWrapper = fieldName + '_crop_image';
var divPreview = fieldName + '_preview_image'; var divPreview = fieldName + '_preview_image';
var divCropButton = fieldName + '_crop_button'; var divCropButton = fieldName + '_crop_button';
var cropResult = fieldName + '_crop_result'; var cropResult = fieldName + '_crop_result';
$('[name=\''+cropResult+'\']').val('import_file_from_session::' + sessionId); $('[name=\''+cropResult+'\']').val('import_file_from_session::' + sessionId);
$('#' + divFormGroup).show(); $('#' + divFormGroup).show();
$('#' + divWrapper).show(); $('#' + divWrapper).show();
$('#' + divCropButton).hide(); $('#' + divCropButton).hide();
$('#' + divPreview).attr('src', url); $('#' + divPreview).attr('src', url);
//$('[name=\''+fieldName+'\']') //$('[name=\''+fieldName+'\']')
} }
break; break;
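Review bot: In `search_coachs` the escape on line 50 is applied directly to `$needle`, whereas the equivalent change in AddCourseToSession first runs `api_convert_encoding` to the system charset and escapes afterwards; if the conversion does not happen above this hunk, the same order may be needed here, since the comment on line 52 says the value feeds a LIKE prefix match in the system charset — confirm against the lines before the hunk. The first hunk of this file (`-13,7 +13,6`) removes a line that is not reproduced on this page, and the JavaScript hunks print identically on both sides, so they look like whitespace-only changes and raise nothing further. The body of search_coachs continues outside the hunk.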
