Fix queries: Add Database::escape_string

4 years ago · 93ed464519
parent f398b5b45c
commit 93ed464519
3 changed files with 27 additions and 23 deletions
--- a/main/admin/dashboard_add_users_to_user.php
+++ b/main/admin/dashboard_add_users_to_user.php
@ -67,6 +67,9 @@ function search_users($needle, $type = 'multiple')

    $xajax_response = new xajaxResponse();
    $return = '';
+    $needle = Database::escape_string($needle);
+    $type = Database::escape_string($type);
+
    if (!empty($needle) && !empty($type)) {
        $assigned_users_to_hrm = [];

--- a/main/inc/lib/add_courses_to_session_functions.lib.php
+++ b/main/inc/lib/add_courses_to_session_functions.lib.php
@ -32,10 +32,11 @@ class AddCourseToSession
            // xajax send utf8 datas... datas in db can be non-utf8 datas
            $charset = api_get_system_encoding();
            $needle = api_convert_encoding($needle, $charset, 'utf-8');
+            $needle = Database::escape_string($needle);

            $cond_course_code = '';
            if (!empty($id_session)) {
-                $id_session = intval($id_session);
+                $id_session = (int) $id_session;
                // check course_code from session_rel_course table
                $sql = 'SELECT c_id FROM '.$tbl_session_rel_course.'
                        WHERE session_id = '.$id_session;
--- a/main/session/session_add.php
+++ b/main/session/session_add.php
@ -13,7 +13,6 @@ $xajax->registerFunction('search_coachs');
 $this_section = SECTION_PLATFORM_ADMIN;

 SessionManager::protectSession(null, false);
-
 api_protect_limit_for_session_admin();

 $formSent = 0;
@ -35,6 +34,7 @@ function search_coachs($needle)
    $return = '';

    if (!empty($needle)) {
+        $needle = Database::escape_string($needle);
        $order_clause = api_sort_by_first_name() ? ' ORDER BY firstname, lastname, username' : ' ORDER BY lastname, firstname, username';

        // search users where username or firstname or lastname begins likes $needle