diff --git a/main/blog/blog.php b/main/blog/blog.php index 82e9942326..0dad8a5275 100644 --- a/main/blog/blog.php +++ b/main/blog/blog.php @@ -248,7 +248,15 @@ switch ($current_page) $fck_attribute['Width'] = '100%'; $fck_attribute['Height'] = '300'; $fck_attribute['ToolbarSet'] = 'Introduction'; - +echo '
'; +?> + + + + +'; + Display::display_introduction_section(TOOL_BLOG); $fck_attribute = null; // Clearing this global variable immediatelly after it has been used. @@ -269,21 +277,7 @@ $year = (int)$_GET['year'] ? (int)$_GET['year'] : date('Y'); Blog :: display_minimonthcalendar($month, $year, $blog_id); ?>
- - - - - - - -
-
    -
  • -
  • -
  • -
  • -
-
+
diff --git a/main/inc/lib/blog.lib.php b/main/inc/lib/blog.lib.php index 3bc791ba12..e8a4ee5739 100644 --- a/main/inc/lib/blog.lib.php +++ b/main/inc/lib/blog.lib.php @@ -4,7 +4,7 @@ ============================================================================== Dokeos - elearning and course management software - Copyright (c) 2004-2008 Dokeos SPRL + Copyright (c) 2004-2009 Dokeos SPRL Copyright (c) 2003 Ghent University (UGent) Copyright (c) 2001 Universite catholique de Louvain (UCL) Copyright (c) various contributors @@ -32,6 +32,7 @@ * @version 1.0 * @package dokeos.blogs * @author Toon Keppens + * @author Julio Montoya - Cleaning code * */ class Blog @@ -54,11 +55,10 @@ class Blog $sql = " SELECT `blog_name` FROM " . $tbl_blogs . " - WHERE `blog_id` = " . mysql_real_escape_string((int)$blog_id); + WHERE `blog_id` = " . Database::escape_string((int)$blog_id); $result = api_sql_query($sql, __FILE__, __LINE__); - $blog = mysql_fetch_array($result); - + $blog = Database::fetch_array($result); return stripslashes($blog['blog_name']); } } @@ -76,9 +76,9 @@ class Blog { // init $tbl_blogs = Database::get_course_table(TABLE_BLOGS); - $sql = "SELECT blog_subtitle FROM $tbl_blogs WHERE blog_id ='".mysql_real_escape_string((int)$blog_id)."'"; + $sql = "SELECT blog_subtitle FROM $tbl_blogs WHERE blog_id ='".Database::escape_string((int)$blog_id)."'"; $result = api_sql_query($sql, __FILE__, __LINE__); - $blog = mysql_fetch_array($result); + $blog = Database::fetch_array($result); return stripslashes($blog['blog_subtitle']); } 
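Review bot: In @@ -54 the replacement `Database::escape_string((int)$blog_id)` escapes a value that the `(int)` cast has already reduced to digits, so the wrapper call adds nothing; `(int)$blog_id` on its own, as the same file already does in @@ -338 and @@ -413, says what is meant. The same cast-then-escape pattern is repeated in @@ -76 and @@ -107, and the three hunks also disagree on quoting: @@ -54 interpolates the integer bare while @@ -76 and @@ -107 wrap it in single quotes. Pick one form for integer ids across the class so a reader can tell at a glance which values are numeric and which are escaped strings. The enclosing methods start before these hunks.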
@@ -107,12 +107,12 @@ class Blog user.lastname FROM " . $tbl_blogs_rel_user . " blogs_rel_user INNER JOIN " . $tbl_users . " user ON blogs_rel_user.user_id = user.user_id - WHERE blogs_rel_user.blog_id = '" . mysql_real_escape_string((int)$blog_id)."'"; + WHERE blogs_rel_user.blog_id = '" . Database::escape_string((int)$blog_id)."'"; $result = api_sql_query($sql, __FILE__, __LINE__); $blog_members = array (); - while($user = mysql_fetch_array($result)) + while($user = Database::fetch_array($result)) { $blog_members[$user['user_id']] = $user['lastname']." " . $user['firstname']; } 
@@ -142,18 +142,18 @@ class Blog // Create the blog $sql = "INSERT INTO $tbl_blogs (`blog_name`, `blog_subtitle`, `date_creation`, `visibility` ) - VALUES ('".mysql_real_escape_string($title)."', '".mysql_real_escape_string($subtitle)."', NOW(), '1');"; + VALUES ('".Database::escape_string($title)."', '".Database::escape_string($subtitle)."', NOW(), '1');"; api_sql_query($sql, __FILE__, __LINE__); $this_blog_id = Database::get_last_insert_id(); // Make first post. :) $sql = "INSERT INTO $tbl_blogs_posts (`title`, `full_text`, `date_creation`, `blog_id`, `author_id` ) - VALUES ('".get_lang("Welcome")."', '" . get_lang('FirstPostText')."', NOW(), '".mysql_real_escape_string((int)$this_blog_id)."', '".mysql_real_escape_string((int)$_user['user_id'])."');"; + VALUES ('".get_lang("Welcome")."', '" . get_lang('FirstPostText')."', NOW(), '".Database::escape_string((int)$this_blog_id)."', '".Database::escape_string((int)$_user['user_id'])."');"; api_sql_query($sql, __FILE__, __LINE__); // Put it on course homepage $sql = "INSERT INTO $tbl_tool (name, link, image, visibility, admin, address, added_tool) - VALUES ('".mysql_real_escape_string($title)."','blog/blog.php?blog_id=".(int)$this_blog_id."','blog.gif','1','0','pastillegris.gif',0)"; + VALUES ('".Database::escape_string($title)."','blog/blog.php?blog_id=".(int)$this_blog_id."','blog.gif','1','0','pastillegris.gif',0)"; api_sql_query($sql, __FILE__, __LINE__); // Subscribe the teacher to this blog 
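Review bot: On the rewritten "first post" INSERT, `get_lang("Welcome")` and `get_lang('FirstPostText')` are concatenated into the SQL unescaped while every other value on that same line now goes through `Database::escape_string()`; a translation that contains a single quote breaks the statement (and makes the translation files part of the SQL attack surface). Escape them like the rest: `VALUES ('".Database::escape_string(get_lang('Welcome'))."', '".Database::escape_string(get_lang('FirstPostText'))."', NOW(), ...`. The enclosing method starts and ends outside the hunk.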
@@ -181,12 +181,12 @@ class Blog $tbl_tool = Database::get_course_table(TABLE_TOOL_LIST); // Update the blog - $sql = "UPDATE $tbl_blogs SET blog_name = '".mysql_real_escape_string($title)."', blog_subtitle = '".mysql_real_escape_string($subtitle)."' WHERE blog_id ='".mysql_real_escape_string((int)$blog_id)."' LIMIT 1"; + $sql = "UPDATE $tbl_blogs SET blog_name = '".Database::escape_string($title)."', blog_subtitle = '".Database::escape_string($subtitle)."' WHERE blog_id ='".Database::escape_string((int)$blog_id)."' LIMIT 1"; api_sql_query($sql, __FILE__, __LINE__); $this_blog_id = Database::get_last_insert_id(); // Update course homepage link - $sql = "UPDATE $tbl_tool SET name = '".mysql_real_escape_string($title)."' WHERE link = 'blog/blog.php?blog_id=".mysql_real_escape_string((int)$blog_id)."' LIMIT 1"; + $sql = "UPDATE $tbl_tool SET name = '".Database::escape_string($title)."' WHERE link = 'blog/blog.php?blog_id=".Database::escape_string((int)$blog_id)."' LIMIT 1"; api_sql_query($sql, __FILE__, __LINE__); return void; @@ -338,7 +338,7 @@ class Blog $tbl_blogs_posts = Database::get_course_table(TABLE_BLOGS_POSTS); // Create the post - $sql = "UPDATE $tbl_blogs_posts SET title = '" . mysql_real_escape_string($title)."', full_text = '" . mysql_real_escape_string($full_text)."' WHERE post_id ='".(int)$post_id."' AND blog_id ='".(int)$blog_id."' LIMIT 1 ;"; + $sql = "UPDATE $tbl_blogs_posts SET title = '" . Database::escape_string($title)."', full_text = '" . Database::escape_string($full_text)."' WHERE post_id ='".(int)$post_id."' AND blog_id ='".(int)$blog_id."' LIMIT 1 ;"; api_sql_query($sql, __FILE__, __LINE__); return void; 
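Review bot: Both hunks (@@ -181 and @@ -338) end on the context line `return void;`, which is not an empty return in PHP: `void` is parsed as a bare constant, so older PHP emits a notice and the method returns the string `'void'`, and PHP 8 throws an Error. Since the commit is already cleaning these methods, change both to `return;`. In @@ -181 the line `$this_blog_id = Database::get_last_insert_id();` follows an UPDATE, where a last-insert id carries no meaning; if the value is not read later in the method, drop the assignment. The enclosing methods start outside the hunks.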
@@ -413,7 +413,7 @@ class Blog // Create the comment $sql = "INSERT INTO $tbl_blogs_comments (`title`, `comment`, `author_id`, `date_creation`, `blog_id`, `post_id`, `parent_comment_id`, `task_id` ) - VALUES ('".mysql_real_escape_string($title)."', '".mysql_real_escape_string($full_text)."', '".(int)$_user['user_id']."', NOW(), '".(int)$blog_id."', '".(int)$post_id."', '".(int)$parent_id."', '".(int)$task_id."')"; + VALUES ('".Database::escape_string($title)."', '".Database::escape_string($full_text)."', '".(int)$_user['user_id']."', NOW(), '".(int)$blog_id."', '".(int)$post_id."', '".(int)$parent_id."', '".(int)$task_id."')"; api_sql_query($sql, __FILE__, __LINE__); // Empty post values, or they are shown on the page again @@ -488,7 +488,7 @@ class Blog $result = api_sql_query($sql, __FILE__, __LINE__); // Delete them recursively - while($comment = mysql_fetch_array($result)) + while($comment = Database::fetch_array($result)) { Blog::delete_comment($blog_id,$post_id,$comment['comment_id']); } @@ -518,7 +518,7 @@ class Blog // Create the task $sql = "INSERT INTO $tbl_blogs_tasks (`blog_id`, `title`, `description`, `color`, `system_task` ) - VALUES ('".(int)$blog_id."', '" . mysql_real_escape_string($title)."', '" . mysql_real_escape_string($description)."', '" . mysql_real_escape_string($color)."', '0');"; + VALUES ('".(int)$blog_id."', '" . Database::escape_string($title)."', '" . Database::escape_string($description)."', '" . Database::escape_string($color)."', '0');"; api_sql_query($sql, __FILE__, __LINE__); $task_id = mysql_insert_id(); @@ -533,7 +533,7 @@ class Blog `action` ) VALUES ( '" . (int)$task_id . "', - '" . mysql_real_escape_string($tool) . "', + '" . Database::escape_string($tool) . "', 'article_delete' )"; @@ -549,7 +549,7 @@ class Blog `action` ) VALUES ( '" . (int)$task_id . "', - '" . mysql_real_escape_string($tool) . "', + '" . Database::escape_string($tool) . "', 'article_edit' )"; 
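Review bot: The migration to the `Database` wrapper is incomplete in @@ -518: two lines after the rewritten INSERT, `$task_id = mysql_insert_id();` still calls the raw extension, while @@ -142 in this same commit already uses `Database::get_last_insert_id()` for the identical purpose; change it to `$task_id = Database::get_last_insert_id();`. The context lines `if(mysql_numrows($result) > 0)` in @@ -721 and @@ -2565 are the same leftover (using the old alias of `mysql_num_rows`), where @@ -2124 shows the intended `Database::num_rows($result)`. A mix of raw `mysql_*` calls and wrapper calls can silently diverge (different link resource, different escaping) once the wrapper is changed, which defeats the point of the cleanup. The enclosing methods start outside these hunks.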
@@ -565,7 +565,7 @@ class Blog `action` ) VALUES ( '" . (int)$task_id . "', - '" . mysql_real_escape_string($tool) . "', + '" . Database::escape_string($tool) . "', 'article_comments_delete' )"; @@ -594,9 +594,9 @@ class Blog // Create the task $sql = "UPDATE $tbl_blogs_tasks SET - title = '".mysql_real_escape_string($title)."', - description = '".mysql_real_escape_string($description)."', - color = '".mysql_real_escape_string($color)."' + title = '".Database::escape_string($title)."', + description = '".Database::escape_string($description)."', + color = '".Database::escape_string($color)."' WHERE task_id ='".(int)$task_id."' LIMIT 1"; api_sql_query($sql, __FILE__, __LINE__); @@ -617,7 +617,7 @@ class Blog `action` ) VALUES ( '" . (int)$task_id . "', - '" . mysql_real_escape_string($tool) . "', + '" . Database::escape_string($tool) . "', 'article_delete' )"; @@ -633,7 +633,7 @@ class Blog `action` ) VALUES ( '" . (int)$task_id . "', - '" . mysql_real_escape_string($tool) . "', + '" . Database::escape_string($tool) . "', 'article_edit' )"; @@ -649,7 +649,7 @@ class Blog `action` ) VALUES ( '" . (int)$task_id . "', - '" . mysql_real_escape_string($tool) . "', + '" . Database::escape_string($tool) . "', 'article_comments_delete' )"; @@ -721,7 +721,7 @@ class Blog if(mysql_numrows($result) > 0) { echo '
@@ -1646,7 +1647,7 @@ class Blog $sql = "SELECT blog_id, task_id, title, description, color FROM $tbl_blogs_tasks WHERE task_id = '".(int)$task_id."'"; $result = api_sql_query($sql, __FILE__, __LINE__); - $task = mysql_fetch_array($result); + $task = Database::fetch_array($result); // Display echo ' @@ -1674,7 +1675,7 @@ class Blog $arrPermissions = array(); - while($row = @mysql_fetch_array($result)) + while($row = @Database::fetch_array($result)) $arrPermissions[] = $row['action']; echo "\t" . '' . "\n"; @@ -1748,7 +1749,7 @@ class Blog WHERE blogs_rel_user.blog_id = '".(int)$blog_id."'"; $result = api_sql_query($sql, __FILE__, __LINE__); $select_user_list = ''; - while($task = mysql_fetch_array($result)) + while($task = Database::fetch_array($result)) { $select_task_list .= ''; } @@ -1781,7 +1782,7 @@ class Blog // Display echo ' -
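Review bot: The rewritten loop `while($row = @Database::fetch_array($result))` in @@ -1674 carries the `@` suppression over onto the new wrapper call, so a failed query (a `false` `$result`) is silently turned into an empty `$arrPermissions` instead of being reported, and the error is invisible in logs. Drop the `@`, i.e. `while($row = Database::fetch_array($result))`, and check the query result before iterating if `api_sql_query` can return `false` here. The surrounding method starts and ends outside the hunk.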
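Review bot: In @@ -1748 the rewritten loop appends to `$select_task_list` while the line immediately before it initialises `$select_user_list = '';` — unless `$select_task_list` is set earlier in the method (which starts outside the hunk), the first iteration appends to an undefined variable and raises a notice. The same pairing appears in @@ -1905. If the initialiser is simply misnamed, change it to `$select_task_list = '';` in both places.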
' . get_lang('AssignTask') . '
+
' . get_lang('AssignTask') . '
' . get_lang('Title') . ':  
@@ -1905,7 +1906,7 @@ class Blog $select_user_list = ''; - while($task = mysql_fetch_array($result)) + while($task = Database::fetch_array($result)) { //if(!in_array($task['task_id'], $arrUserTasks) || $task_id == $task['task_id']) $select_task_list .= ''; @@ -2044,7 +2045,7 @@ class Blog '" . (int)$blog_id . "', '" . (int)$user_id . "', '" . (int)$task_id . "', - '" . mysql_real_escape_string($target_date) . "' + '" . Database::escape_string($target_date) . "' )"; $result = @api_sql_query($sql, __FILE__, __LINE__); @@ -2075,12 +2076,12 @@ class Blog SET `user_id` = " . (int)$user_id . ", `task_id` = " . (int)$task_id . ", - `target_date` = '" . mysql_real_escape_string($target_date) . "' + `target_date` = '" . Database::escape_string($target_date) . "' WHERE `blog_id` = " . (int)$blog_id . " AND `user_id` = " . (int)$old_user_id . " AND `task_id` = " . (int)$old_task_id . " AND - `target_date` = '" . mysql_real_escape_string($old_target_date) . "' + `target_date` = '" . Database::escape_string($old_target_date) . "' "; $result = @api_sql_query($sql, __FILE__, __LINE__); @@ -2124,9 +2125,9 @@ class Blog echo ''.stripslashes($row['description']) . '

'; - if(mysql_num_rows($result) > 0) + if(Database::num_rows($result) > 0) { - while($blog_post = mysql_fetch_array($result)) + while($blog_post = Database::fetch_array($result)) { echo ''.stripslashes($blog_post['title']) . ', ' . get_lang('WrittenBy') . ' ' . $blog_post['firstname'] . ' '.stripslashes($blog_post['lastname']) . '
'; } @@ -2209,7 +2210,7 @@ class Blog $result = api_sql_query($sql, __FILE__, __LINE__); $blog_member_ids = array (); - while($user = mysql_fetch_array($result)) + while($user = Database::fetch_array($result)) { $blog_member_ids[] = $user['user_id']; } @@ -2326,7 +2327,7 @@ class Blog $user_data = array (); - while($myrow = mysql_fetch_array($sql_result)) + while($myrow = Database::fetch_array($sql_result)) { $row = array (); $row[] = ''; @@ -2343,26 +2344,17 @@ class Blog $task = ''; - while($r = mysql_fetch_array($sql_res)) - { + while($r = Database::fetch_array($sql_res)) { $task .= stripslashes($r['task']) . ', '; } - - echo $task; - - $task = (strlen(trim($task)) != 0) ? substr($task, 0, strlen($task) - 2) : 'reader'; - - - + //echo $task; + $task = (strlen(trim($task)) != 0) ? substr($task, 0, strlen($task) - 2) : get_lang('Reader'); $row[] = $task; //Link to register users - if($myrow["user_id"] != $_user['user_id']) - { + if($myrow["user_id"] != $_user['user_id']) { $row[] = "" . get_lang('UnRegister').""; - } - else - { + } else { $row[] = ''; } @@ -2374,12 +2366,13 @@ class Blog echo ''; Display::display_sortable_table($column_header, $user_data,null,null,$query_vars); $link = ''; - $link .= isset ($_GET['action']) ? 'action=' . $_GET['action'] . '&' : ''; + $link .= isset ($_GET['action']) ? 'action=' . Security::remove_XSS($_GET['action']). '&' : ''; $link .= "blog_id=$blog_id&"; $link .= isset ($_GET['page_nr']) ? 'page_nr=' . (int)$_GET['page_nr'] . '&' : ''; $link .= isset ($_GET['per_page']) ? 'per_page=' . (int)$_GET['per_page'] . '&' : ''; $link .= isset ($_GET['column']) ? 'column=' . (int)$_GET['column'] . '&' : ''; - $link .= isset ($_GET['direction']) ? 'direction=' . $_GET['direction'] . '&' : '';; + $link .= isset ($_GET['direction']) ? 'direction=' . $_GET['direction'] . '&' : ''; + echo '' . get_lang('SelectAll') . ' - '; echo '' . get_lang('UnSelectAll') . ' '; echo get_lang('WithSelected') . ' : '; 
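Review bot: @@ -2343 keeps the debug statement as a comment, `//echo $task;`, rather than deleting it; commented-out code should go, not be parked. The same hunk still builds the task list by joining with `', '` and then chopping two characters with `strlen`/`substr`; collecting the names in an array and calling `implode(', ', $names)`, falling back to `get_lang('Reader')` when the array is empty, removes the arithmetic and the `trim` check. The enclosing method starts and ends outside the hunk.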
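Review bot: The new line in @@ -2374 filters `$_GET['action']` with `Security::remove_XSS()`, but the line beneath it (also rewritten, to drop the doubled `;;`) still concatenates `$_GET['direction']` into `$link` raw, and `$link` appears, as far as the stripped markup lets one see, to be embedded in the `echo` lines that follow; the protection added on one line is undone on the next. Because `$link` is a query string, encode each value for that context instead of stripping tags: `$link .= isset ($_GET['direction']) ? 'direction=' . urlencode($_GET['direction']) . '&' : '';` and likewise `'action=' . urlencode($_GET['action'])`, then pass `$link` through `htmlspecialchars()` wherever it is placed into an attribute. If `direction` is a sort order, it can additionally be restricted to the values the table accepts before use. The enclosing method starts and ends outside the hunk.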
@@ -2537,7 +2530,7 @@ class Blog // We will create an array of days on which there are posts. if( Database::num_rows($result) > 0) { - while($blog_post = mysql_fetch_array($result)) + while($blog_post = Database::fetch_array($result)) { // If the day of this post is not yet in the array, add it. if(!in_array($blog_post['post_day'], $posts)) @@ -2565,7 +2558,7 @@ class Blog if(mysql_numrows($result) > 0) { - while($mytask = mysql_fetch_array($result)) + while($mytask = Database::fetch_array($result)) { $tasks[$mytask['task_day']][$mytask['task_id']]['task_id'] = $mytask['task_id']; @@ -2689,7 +2682,7 @@ class Blog $sql = "SELECT blog_id, blog_name, blog_subtitle FROM $tbl_blogs WHERE blog_id = '".(int)$blog_id."'"; $result = api_sql_query($sql, __FILE__, __LINE__); - $blog = mysql_fetch_array($result); + $blog = Database::fetch_array($result); echo '
' . get_lang('SelectUser') . ':  
@@ -2730,7 +2723,7 @@ class Blog $sql = "SELECT `blog_id`, `blog_name`, `blog_subtitle`, `visibility` FROM $tbl_blogs ORDER BY `blog_name`"; $result = api_sql_query($sql, __FILE__, __LINE__); - while($blog = mysql_fetch_array($result)) + while($blog = Database::fetch_array($result)) { $counter++; $css_class = (($counter % 2)==0) ? "row_odd" : "row_even";