Feature #2099 - A TODO has been resolved. Various corrections for dealing with quote characters in entered strings. The Database::escape_string() method has been applied in its correct places.

skala
Ivan Tcholakov 15 years ago
parent 3dd16afe17
commit a55d288e71
  1. 2
      main/admin/course_request_edit.php
  2. 34
      main/create_course/add_course.php
  3. 32
      main/inc/lib/course_request.lib.php

@ -148,7 +148,7 @@ if ($course_validation_feature) {
// Filter incoming data.
foreach ($course_request_values as &$value) {
$value = trim(Security::remove_XSS($value));
$value = trim(Security::remove_XSS(stripslashes($value)));
}
// Detection which submit button has been pressed.
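Review bot: The new filter line applies stripslashes() to every submitted value unconditionally, which is only correct while magic_quotes_gpc is on; with it off, a backslash the user legitimately typed is silently dropped before the value reaches the database. If the page must run under both settings, make the dependence explicit, e.g. `$value = get_magic_quotes_gpc() ? stripslashes($value) : $value;` before the remove_XSS call, or unslash the whole request once in a central place. The loop also iterates by reference, so `$value` stays bound to the last element after the closing brace; add `unset($value);` after the `}` so a later assignment to a variable of that name cannot overwrite the array element. Which of the two filter lines is the new one is inferred from the commit description, since the rendered page has lost the +/- markers.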

@ -180,38 +180,22 @@ $form->setDefaults($values);
if ($form->validate()) {
$course_values = $form->exportValues();
$wanted_code = Security::remove_XSS($course_values['wanted_code']);
$tutor_name = $course_values['tutor_name'];
$wanted_code = trim(Security::remove_XSS(stripslashes($course_values['wanted_code'])));
$tutor_name = stripslashes($course_values['tutor_name']);
$category_code = $course_values['category_code'];
$title = Security::remove_XSS($course_values['title']);
$title = Security::remove_XSS(stripslashes($course_values['title']));
$course_language = $course_values['course_language'];
$exemplary_content = !empty($course_values['exemplary_content']);
if ($course_validation_feature) {
$description = Security::remove_XSS($course_values['description']);
$objetives = Security::remove_XSS($course_values['objetives']);
$target_audience = Security::remove_XSS($course_values['target_audience']);
$description = Security::remove_XSS(stripslashes($course_values['description']));
$objetives = Security::remove_XSS(stripslashes($course_values['objetives']));
$target_audience = Security::remove_XSS(stripslashes($course_values['target_audience']));
$status = '0';
// TODO: Why escaping quotes is needed here?
$description = str_replace('"', '', $description);
$objetives = str_replace('"', '', $objetives);
$target_audience = str_replace('"', '', $target_audience);
}
$wanted_code = Database::escape_string($wanted_code);
$title = Database::escape_string($title);
if ($course_validation_feature) {
$description = Database::escape_string($description);
$objetives = Database::escape_string($objetives);
$target_audience = Database::escape_string($target_audience);
}
$wanted_code = trim($wanted_code);
if ($wanted_code == '') {
$wanted_code = generate_course_code(api_substr($title, 0, $maxlength));
$wanted_code = Database::escape_string($wanted_code);
}
// Check whether the requested course code has already been occupied.
@ -246,7 +230,7 @@ if ($form->validate()) {
// Preparing a confirmation message.
$link = api_get_path(WEB_COURSE_PATH).$directory.'/';
$message = get_lang('JustCreated');
$message .= ' <a href="'.$link.'">'.$title.'</a>';
$message .= ' <a href="'.$link.'">'.api_htmlentities($title, ENT_QUOTES).'</a>';
Display :: display_confirmation_message($message, false);
echo '<div style="float: right; margin:0px; padding: 0px;">' .
@ -270,9 +254,7 @@ if ($form->validate()) {
if ($request_id) {
$course_request_info = CourseRequestManager::get_course_request_info($request_id);
$visual_code = is_array($course_request_info) ? $course_request_info['visual_code'] : '';
$message = get_lang('CourseRequestCreated');
$message .= ' <strong>'.$visual_code.'</strong>';
$message = (is_array($course_request_info) ? '<strong>'.$course_request_info['code'].'</strong> : ' : '').get_lang('CourseRequestCreated');
Display :: display_confirmation_message($message, false);
echo '<div style="float: right; margin:0px; padding: 0px;">' .
'<a class="bottom-link" href="'.api_get_path(WEB_PATH).'user_portal.php">'.get_lang('Enter').'</a>' .
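Review bot: The rebuilt confirmation message interpolates `$course_request_info['code']` into HTML unescaped, while the previous hunk in this file now wraps `$title` in `api_htmlentities(..., ENT_QUOTES)` for the same purpose; the code originates from the user-entered wanted code, so it should get the same treatment: `'<strong>'.api_htmlentities($course_request_info['code'], ENT_QUOTES).'</strong> : '`. The `$visual_code` assignment two lines above appears to become dead once the message no longer uses it; if it is still on the new side, drop it. In the first hunk of this file, the `$wanted_code` produced by `generate_course_code()` is no longer escaped before the "already occupied" check that follows the hunk, which is fine only if that check escapes or casts the value itself; the page does not show it.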

@ -52,13 +52,7 @@ class CourseRequestManager {
*/
public static function create_course_request($wanted_code, $title, $description, $category_code, $course_language, $objetives, $target_audience, $user_id, $exemplary_content) {
$wanted_code = trim(Database::escape_string($wanted_code));
$title = Database::escape_string($title);
$description = Database::escape_string($description);
$category_code = Database::escape_string($category_code);
$course_language = Database::escape_string($course_language);
$objetives = Database::escape_string($objetives);
$target_audience = Database::escape_string($target_audience);
$wanted_code = trim($wanted_code);
$user_id = (int)$user_id;
$exemplary_content = (bool)$exemplary_content ? 1 : 0;
@ -103,10 +97,10 @@ class CourseRequestManager {
"%s", "%s", "%s", "%s",
"%s", "%s", "%s",
"%s", "%s", "%s", "%s", "%s");', Database::get_main_table(TABLE_MAIN_COURSE_REQUEST),
$code, $user_id, $directory, $db_name,
$course_language, $title, $description, $category_code,
$tutor_name, $visual_code, $request_date,
$objetives, $target_audience, $status, $info, $exemplary_content);
Database::escape_string($code), Database::escape_string($user_id), Database::escape_string($directory), Database::escape_string($db_name),
Database::escape_string($course_language), Database::escape_string($title), Database::escape_string($description), Database::escape_string($category_code),
Database::escape_string($tutor_name), Database::escape_string($visual_code), Database::escape_string($request_date),
Database::escape_string($objetives), Database::escape_string($target_audience), Database::escape_string($status), Database::escape_string($info), Database::escape_string($exemplary_content));
$result_sql = Database::query($sql);
if (!$result_sql) {
@ -188,13 +182,7 @@ class CourseRequestManager {
public static function update_course_request($id, $wanted_code, $title, $description, $category_code, $course_language, $objetives, $target_audience, $user_id, $exemplary_content) {
$id = (int)$id;
$wanted_code = trim(Database::escape_string($wanted_code));
$title = Database::escape_string($title);
$description = Database::escape_string($description);
$category_code = Database::escape_string($category_code);
$course_language = Database::escape_string($course_language);
$objetives = Database::escape_string($objetives);
$target_audience = Database::escape_string($target_audience);
$wanted_code = trim($wanted_code);
$user_id = (int)$user_id;
$exemplary_content = (bool)$exemplary_content ? 1 : 0;
@ -258,10 +246,10 @@ class CourseRequestManager {
tutor_name = "%s", visual_code = "%s", request_date = "%s",
objetives = "%s", target_audience = "%s", status = "%s", info = "%s", exemplary_content = "%s"
WHERE id = '.$id, Database::get_main_table(TABLE_MAIN_COURSE_REQUEST),
$code, $user_id, $directory, $db_name,
$course_language, $title, $description, $category_code,
$tutor_name, $visual_code, $request_date,
$objetives, $target_audience, $status, $info, $exemplary_content);
Database::escape_string($code), Database::escape_string($user_id), Database::escape_string($directory), Database::escape_string($db_name),
Database::escape_string($course_language), Database::escape_string($title), Database::escape_string($description), Database::escape_string($category_code),
Database::escape_string($tutor_name), Database::escape_string($visual_code), Database::escape_string($request_date),
Database::escape_string($objetives), Database::escape_string($target_audience), Database::escape_string($status), Database::escape_string($info), Database::escape_string($exemplary_content));
$result_sql = Database::query($sql);
return $result_sql !== false;
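Review bot: With the per-argument escaping removed from the top of create_course_request() and update_course_request(), every variable in both functions stays raw until the INSERT/UPDATE sprintf, so any query executed between the `trim($wanted_code)` line and that statement (a uniqueness check on the code, or wherever `$code`, `$directory` and `$db_name` are derived) must escape or cast its own inputs; that code lies outside these hunks and I cannot confirm it from the page. The sixteen `Database::escape_string(...)` wrappers are now duplicated verbatim between the INSERT and the UPDATE, which invites the next column being added to one statement and not the other; collecting the values once with `$values = array_map(array('Database', 'escape_string'), array($code, $user_id, /* ... */ $exemplary_content));` and feeding them through `vsprintf()` keeps a single escaping point per function. `$user_id` and `$exemplary_content` are already cast to int before this point, so escaping them is harmless but redundant, whereas `$id` in the UPDATE's WHERE clause relies solely on its `(int)` cast, which is sufficient. Both function bodies extend beyond the hunks shown.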
