Feature #5397 - Replacing mysql_real_escape_string() with Database::escape_string().

16 years ago · bb90a73e87
parent f41848b652
commit bb90a73e87
17 changed files with 69 additions and 69 deletions
--- a/main/admin/course_add.php
+++ b/main/admin/course_add.php
@ -182,7 +182,7 @@ if( $form->validate()) {
 		$pictures_array=fill_course_repository($currentCourseRepository);
 		fill_Db_course($currentCourseDbName, $currentCourseRepository, $course_language,$pictures_array);
 		register_course($currentCourseId, $currentCourseCode, $currentCourseRepository, $currentCourseDbName, $tutor_name, $category, $title, $course_language, $teacher_id, $expiration_date,$course_teachers);
-		$sql = "UPDATE $table_course SET disk_quota = '".$disk_quota."', visibility = '".mysql_real_escape_string($course['visibility'])."', subscribe = '".mysql_real_escape_string($course['subscribe'])."', unsubscribe='".mysql_real_escape_string($course['unsubscribe'])."' WHERE code = '".$currentCourseId."'";
+		$sql = "UPDATE $table_course SET disk_quota = '".$disk_quota."', visibility = '".Database::escape_string($course['visibility'])."', subscribe = '".Database::escape_string($course['subscribe'])."', unsubscribe='".Database::escape_string($course['unsubscribe'])."' WHERE code = '".$currentCourseId."'";
 		Database::query($sql,__FILE__,__LINE__);
 		header('Location: course_list.php');
 		exit ();
--- a/main/admin/settings.php
+++ b/main/admin/settings.php
@ -86,7 +86,7 @@ if (!empty($_GET['category']) && !in_array($_GET['category'], array('Plugins', '
 	$renderer = & $form->defaultRenderer();
 	$renderer->setHeaderTemplate('<div class="sectiontitle">{header}</div>'."\n");
 	$renderer->setElementTemplate('<div class="sectioncomment">{label}</div>'."\n".'<div class="sectionvalue">{element}</div>'."\n");
-	$my_category = mysql_real_escape_string($_GET['category']);
+	$my_category = Database::escape_string($_GET['category']);

 	$sqlcountsettings = "SELECT COUNT(*) FROM $table_settings_current WHERE category='".$my_category."' AND type<>'checkbox'";
 	$resultcountsettings = Database::query($sqlcountsettings, __FILE__, __LINE__);
@ -296,7 +296,7 @@ if (!empty($_GET['category']) && !in_array($_GET['category'], array('Plugins', '
 		{
 			if (!is_array($value))
 			{
-				//$sql = "UPDATE $table_settings_current SET selected_value='".mysql_real_escape_string($value)."' WHERE variable='$key'";
+				//$sql = "UPDATE $table_settings_current SET selected_value='".Database::escape_string($value)."' WHERE variable='$key'";
 				//$result = Database::query($sql, __FILE__, __LINE__);

 				if (api_get_setting($key) != $value) $keys[] = $key;
--- a/main/course_info/infocours.php
+++ b/main/course_info/infocours.php
@ -106,7 +106,7 @@ $tbl_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
 $tbl_course = Database :: get_main_table(TABLE_MAIN_COURSE);

 // Get all course categories
-$sql = "SELECT code,name FROM ".$table_course_category." WHERE auth_course_child ='TRUE'  OR code = '".mysql_real_escape_string($_course['categoryCode'])."'  ORDER BY tree_pos";
+$sql = "SELECT code,name FROM ".$table_course_category." WHERE auth_course_child ='TRUE'  OR code = '".Database::escape_string($_course['categoryCode'])."'  ORDER BY tree_pos";
 $res = Database::query($sql, __FILE__, __LINE__);

 $s_select_course_tutor_name="SELECT tutor_name FROM $tbl_course WHERE code='$course_code'";
--- a/main/dropbox/dropbox_download.php
+++ b/main/dropbox/dropbox_download.php
@ -42,17 +42,17 @@ if ( isset($_GET['cat_id']) AND is_numeric($_GET['cat_id']) AND $_GET['action']=
 	{
 		// here we also incorporate the person table to make sure that deleted sent documents are not included.
 		$sql="SELECT DISTINCT file.id, file.filename, file.title FROM ".$dropbox_cnf["tbl_file"]." file, ".$dropbox_cnf["tbl_person"]." person
-				WHERE file.uploader_id='".mysql_real_escape_string($_user['user_id'])."'
-				AND file.cat_id='".mysql_real_escape_string($_GET['cat_id'])."'
-				AND person.user_id='".mysql_real_escape_string($_user['user_id'])."'
+				WHERE file.uploader_id='".Database::escape_string($_user['user_id'])."'
+				AND file.cat_id='".Database::escape_string($_GET['cat_id'])."'
+				AND person.user_id='".Database::escape_string($_user['user_id'])."'
 				AND person.file_id=file.id
 				" ;
 	}
 	if ($_GET['sent_received']=='received')
 	{
 		$sql="SELECT DISTINCT file.id, file.filename, file.title FROM ".$dropbox_cnf["tbl_file"]." file, ".$dropbox_cnf["tbl_person"]." person, ".$dropbox_cnf["tbl_post"]." post
-				WHERE post.cat_id='".mysql_real_escape_string($_GET['cat_id'])."'
-				AND person.user_id='".mysql_real_escape_string($_user['user_id'])."'
+				WHERE post.cat_id='".Database::escape_string($_GET['cat_id'])."'
+				AND person.user_id='".Database::escape_string($_user['user_id'])."'
 				AND person.file_id=file.id
 				AND post.file_id=file.id
 				" ;
@ -97,7 +97,7 @@ if ( ! isset( $_GET['id']) || ! is_numeric( $_GET['id']))
 $allowed_to_download=false;

 // Check if the user has sent or received the file.
-$sql="SELECT * FROM ".$dropbox_cnf["tbl_person"]." WHERE file_id='".mysql_real_escape_string($_GET['id'])."' AND user_id='".mysql_real_escape_string($_user['user_id'])."'";
+$sql="SELECT * FROM ".$dropbox_cnf["tbl_person"]." WHERE file_id='".Database::escape_string($_GET['id'])."' AND user_id='".Database::escape_string($_user['user_id'])."'";
 $result=Database::query($sql);
 if (mysql_num_rows($result)>0)
 {
--- a/main/inc/lib/classmanager.lib.php
+++ b/main/inc/lib/classmanager.lib.php
@ -56,7 +56,7 @@ class ClassManager
 	function set_name($name, $class_id)
 	{
 		$table_class = Database :: get_main_table(TABLE_MAIN_CLASS);
-		$sql = "UPDATE $table_class SET name='".mysql_real_escape_string($name)."' WHERE id='".$class_id."'";
+		$sql = "UPDATE $table_class SET name='".Database::escape_string($name)."' WHERE id='".$class_id."'";
 		$res = Database::query($sql, __FILE__, __LINE__);
 	}
 	/**
@ -66,7 +66,7 @@ class ClassManager
 	function create_class($name)
 	{
 		$table_class = Database :: get_main_table(TABLE_MAIN_CLASS);
-		$sql = "INSERT INTO $table_class SET name='".mysql_real_escape_string($name)."'";
+		$sql = "INSERT INTO $table_class SET name='".Database::escape_string($name)."'";
 		Database::query($sql, __FILE__, __LINE__);
 		return mysql_affected_rows() == 1;
 	}
@ -77,7 +77,7 @@ class ClassManager
 	function class_name_exists($name)
 	{
 		$table_class = Database :: get_main_table(TABLE_MAIN_CLASS);
-		$sql = "SELECT * FROM $table_class WHERE name='".mysql_real_escape_string($name)."'";
+		$sql = "SELECT * FROM $table_class WHERE name='".Database::escape_string($name)."'";
 		$res = Database::query($sql, __FILE__, __LINE__);
 		return mysql_num_rows($res) != 0;
 	}
@ -190,9 +190,9 @@ class ClassManager
 		$tbl_course_class = Database :: get_main_table(TABLE_MAIN_COURSE_CLASS);
 		$tbl_class_user = Database :: get_main_table(TABLE_MAIN_CLASS_USER);
 		$tbl_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
-		$sql = "INSERT IGNORE INTO $tbl_course_class SET course_code = '".mysql_real_escape_string($course_code)."', class_id = '".mysql_real_escape_string($class_id)."'";
+		$sql = "INSERT IGNORE INTO $tbl_course_class SET course_code = '".Database::escape_string($course_code)."', class_id = '".Database::escape_string($class_id)."'";
 		Database::query($sql, __FILE__, __LINE__);
-		$sql = "SELECT user_id FROM $tbl_class_user WHERE class_id = '".mysql_real_escape_string($class_id)."'";
+		$sql = "SELECT user_id FROM $tbl_class_user WHERE class_id = '".Database::escape_string($class_id)."'";
 		$res = Database::query($sql, __FILE__, __LINE__);
 		while ($user = Database::fetch_object($res))
 		{
@ -210,11 +210,11 @@ class ClassManager
 	{
 		$tbl_course_class = Database :: get_main_table(TABLE_MAIN_COURSE_CLASS);
 		$tbl_class_user = Database :: get_main_table(TABLE_MAIN_CLASS_USER);
-		$sql = "SELECT cu.user_id,COUNT(cc.class_id) FROM $tbl_course_class cc, $tbl_class_user cu WHERE  cc.class_id = cu.class_id AND cc.course_code = '".mysql_real_escape_string($course_code)."' GROUP BY cu.user_id HAVING COUNT(cc.class_id) = 1";
+		$sql = "SELECT cu.user_id,COUNT(cc.class_id) FROM $tbl_course_class cc, $tbl_class_user cu WHERE  cc.class_id = cu.class_id AND cc.course_code = '".Database::escape_string($course_code)."' GROUP BY cu.user_id HAVING COUNT(cc.class_id) = 1";
 		$single_class_users = Database::query($sql, __FILE__, __LINE__);
 		while ($single_class_user = Database::fetch_object($single_class_users))
 		{
-			$sql = "SELECT * FROM $tbl_class_user WHERE class_id = '".mysql_real_escape_string($class_id)."' AND user_id = '".mysql_real_escape_string($single_class_user->user_id)."'";
+			$sql = "SELECT * FROM $tbl_class_user WHERE class_id = '".Database::escape_string($class_id)."' AND user_id = '".Database::escape_string($single_class_user->user_id)."'";
 			$res = Database::query($sql, __FILE__, __LINE__);
 			if (mysql_num_rows($res) > 0)
 			{
@ -224,7 +224,7 @@ class ClassManager
 				}
 			}
 		}
-		$sql = "DELETE FROM $tbl_course_class WHERE course_code = '".mysql_real_escape_string($course_code)."' AND class_id = '".mysql_real_escape_string($class_id)."'";
+		$sql = "DELETE FROM $tbl_course_class WHERE course_code = '".Database::escape_string($course_code)."' AND class_id = '".Database::escape_string($class_id)."'";
 		Database::query($sql, __FILE__, __LINE__);
 	}

@ -250,7 +250,7 @@ class ClassManager
 	{
 		$table_class = Database :: get_main_table(TABLE_MAIN_CLASS);
 		$table_course_class = Database :: get_main_table(TABLE_MAIN_COURSE_CLASS);
-		$sql = "SELECT cl.* FROM $table_class cl, $table_course_class cc WHERE cc.course_code = '".mysql_real_escape_string($course_code)."' AND cc.class_id = cl.id";
+		$sql = "SELECT cl.* FROM $table_class cl, $table_course_class cc WHERE cc.course_code = '".Database::escape_string($course_code)."' AND cc.class_id = cl.id";
 		$res = Database::query($sql, __FILE__, __LINE__);
 		$classes = array ();
 		while ($class = Database::fetch_array($res, 'ASSOC'))
--- a/main/inc/lib/surveymanager.lib.php
+++ b/main/inc/lib/surveymanager.lib.php
@ -1625,7 +1625,7 @@ function get_status()
 	global $_user;

 	$table_user = Database::get_main_table(TABLE_MAIN_USER);
-	$sqlm = "SELECT  status FROM  $table_user WHERE user_id = '".mysql_real_escape_string($_user['user_id'])."'";
+	$sqlm = "SELECT  status FROM  $table_user WHERE user_id = '".Database::escape_string($_user['user_id'])."'";
 	$resm = Database::query($sqlm,__FILE__,__LINE__);
 	$objm=@Database::fetch_object($resm);
 	$ss = $objm->status ;
--- a/main/newscorm/aicc.class.php
+++ b/main/newscorm/aicc.class.php
@ -93,16 +93,16 @@ class aicc extends learnpath {

 			//CRS distribute crs params into the aicc object
 			if(!empty($crs_params['course']['course_creator'])){
-				$this->course_creator = mysql_real_escape_string($crs_params['course']['course_creator']);
+				$this->course_creator = Database::escape_string($crs_params['course']['course_creator']);
 			}
 			if(!empty($crs_params['course']['course_id'])){
-				$this->course_id = mysql_real_escape_string($crs_params['course']['course_id']);
+				$this->course_id = Database::escape_string($crs_params['course']['course_id']);
 			}
 			if(!empty($crs_params['course']['course_system'])){
 				$this->course_system = $crs_params['course']['course_system'];
 			}
 			if(!empty($crs_params['course']['course_title'])){
-				$this->course_title = mysql_real_escape_string($crs_params['course']['course_title']);
+				$this->course_title = Database::escape_string($crs_params['course']['course_title']);
 			}
 			if(!empty($crs_params['course']['course_level'])){
 				$this->course_level = $crs_params['course']['course_level'];
@ -129,7 +129,7 @@ class aicc extends learnpath {
 				$this->course_version = $crs_params['course']['version'];
 			}
 			if(!empty($crs_params['course_description'])){
-				$this->course_description = mysql_real_escape_string($crs_params['course_description']);
+				$this->course_description = Database::escape_string($crs_params['course_description']);
 			}

     		// Parse the Descriptor File (.des) - csv-type
--- a/main/newscorm/aiccItem.class.php
+++ b/main/newscorm/aiccItem.class.php
@ -50,37 +50,37 @@ class aiccItem extends learnpathItem{
 			     		switch($a)
 			     		{
            				case 'system_id':
-            					$this->identifier = mysql_real_escape_string(strtolower($value));
+            					$this->identifier = Database::escape_string(strtolower($value));
            					break;
            				case 'type':
-            					$this->au_type = mysql_real_escape_string($value);
+            					$this->au_type = Database::escape_string($value);
            					break;
            				case 'command_line':
-            					$this->command_line = mysql_real_escape_string($value);
+            					$this->command_line = Database::escape_string($value);
            					break;
            				case 'max_time_allowed':
-            					$this->maxtimeallowed = mysql_real_escape_string($value);
+            					$this->maxtimeallowed = Database::escape_string($value);
            					break;
            				case 'time_limit_action':
-            					$this->timelimitaction = mysql_real_escape_string($value);
+            					$this->timelimitaction = Database::escape_string($value);
            					break;
            				case 'max_score':
-            					$this->max_score = mysql_real_escape_string($value);
+            					$this->max_score = Database::escape_string($value);
            					break;
            				case 'core_vendor':
-            					$this->core_vendor = mysql_real_escape_string($value);
+            					$this->core_vendor = Database::escape_string($value);
            					break;
            				case 'system_vendor':
-            					$this->system_vendor = mysql_real_escape_string($value);
+            					$this->system_vendor = Database::escape_string($value);
            					break;
            				case 'file_name':
-            					$this->path = mysql_real_escape_string($value);
+            					$this->path = Database::escape_string($value);
            					break;
            				case 'mastery_score':
-            					$this->masteryscore = mysql_real_escape_string($value);
+            					$this->masteryscore = Database::escape_string($value);
            					break;
            				case 'web_launch':
-            					$this->parameters = mysql_real_escape_string($value);
+            					$this->parameters = Database::escape_string($value);
            					break;
 			     		}
 			     	}
--- a/main/newscorm/learnpathList.class.php
+++ b/main/newscorm/learnpathList.class.php
@ -35,12 +35,12 @@ class learnpathList {
    	}
    	$this->course_code = $course_code;
    	$this->user_id = $user_id;
-    	
+
    	//condition for the session
 		$session_id = api_get_session_id();
 		$condition_session = api_get_session_condition($session_id, false);
-    	
-    	$sql = "SELECT * FROM $lp_table $condition_session ORDER BY display_order ASC, name ASC";    	
+
+    	$sql = "SELECT * FROM $lp_table $condition_session ORDER BY display_order ASC, name ASC";
    	$res = Database::query($sql);
    	$names = array();
    	while ($row = Database::fetch_array($res))
@ -48,7 +48,7 @@ class learnpathList {
    		//check if published
    		$pub = '';
    		$tbl_tool = Database::get_course_table(TABLE_TOOL_LIST);
-    		//use domesticate here instead of mysql_real_escape_string because
+    		//use domesticate here instead of Database::escape_string because
    		//it prevents ' to be slashed and the input (done by learnpath.class.php::toggle_visibility())
    		//is done using domesticate()
    		$myname = domesticate($row['name']);
@ -67,7 +67,7 @@ class learnpathList {

    		$this->list[$row['id']] = array(
    			'lp_type' => $row['lp_type'],
-    			'lp_session' => $row['session_id'],    			
+    			'lp_session' => $row['session_id'],
    			'lp_name' => stripslashes($row['name']),
    			'lp_desc' => stripslashes($row['description']),
    			'lp_path' => $row['path'],
--- a/main/newscorm/lp_upload.php
+++ b/main/newscorm/lp_upload.php
@ -78,9 +78,9 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST'
 				$oAICC->import_aicc(api_get_course_id());
 			}
 			$proximity = '';
-			if(!empty($_REQUEST['content_proximity'])){$proximity = mysql_real_escape_string($_REQUEST['content_proximity']);}
+			if(!empty($_REQUEST['content_proximity'])){$proximity = Database::escape_string($_REQUEST['content_proximity']);}
 			$maker = '';
-			if(!empty($_REQUEST['content_maker'])){$maker = mysql_real_escape_string($_REQUEST['content_maker']);}
+			if(!empty($_REQUEST['content_maker'])){$maker = Database::escape_string($_REQUEST['content_maker']);}
 			$oAICC->set_proximity($proximity);
 			$oAICC->set_maker($maker);
 			$oAICC->set_jslib('aicc_api.php');
@ -134,9 +134,9 @@ elseif($_SERVER['REQUEST_METHOD'] == 'POST')
 			}

 			$proximity = '';
-			if(!empty($_REQUEST['content_proximity'])){$proximity = mysql_real_escape_string($_REQUEST['content_proximity']);}
+			if(!empty($_REQUEST['content_proximity'])){$proximity = Database::escape_string($_REQUEST['content_proximity']);}
 			$maker = '';
-			if(!empty($_REQUEST['content_maker'])){$maker = mysql_real_escape_string($_REQUEST['content_maker']);}
+			if(!empty($_REQUEST['content_maker'])){$maker = Database::escape_string($_REQUEST['content_maker']);}
 			$oScorm->set_proximity($proximity);
 			$oScorm->set_maker($maker);
 			$oScorm->set_jslib('scorm_api.php');
@ -150,9 +150,9 @@ elseif($_SERVER['REQUEST_METHOD'] == 'POST')
 				$oAICC->import_aicc(api_get_course_id());
 			}
 			$proximity = '';
-			if(!empty($_REQUEST['content_proximity'])){$proximity = mysql_real_escape_string($_REQUEST['content_proximity']);}
+			if(!empty($_REQUEST['content_proximity'])){$proximity = Database::escape_string($_REQUEST['content_proximity']);}
 			$maker = '';
-			if(!empty($_REQUEST['content_maker'])){$maker = mysql_real_escape_string($_REQUEST['content_maker']);}
+			if(!empty($_REQUEST['content_maker'])){$maker = Database::escape_string($_REQUEST['content_maker']);}
 			$oAICC->set_proximity($proximity);
 			$oAICC->set_maker($maker);
 			$oAICC->set_jslib('aicc_api.php');
--- a/main/newscorm/scormOrganization.class.php
+++ b/main/newscorm/scormOrganization.class.php
@ -164,7 +164,7 @@ class scormOrganization {
    function get_name()
    {
    	if(!empty($this->title)){
-    		return mysql_real_escape_string($this->title);
+    		return Database::escape_string($this->title);
    	}else{
    		return '';
    	}
@ -176,7 +176,7 @@ class scormOrganization {
    function get_ref()
    {
    	if(!empty($this->identifier)){
-    		return mysql_real_escape_string($this->identifier);
+    		return Database::escape_string($this->identifier);
    	}else{
    		return '';
    	}
@ -187,7 +187,7 @@ class scormOrganization {
     */
    function set_name($title){
    	if(!empty($title)){
-    		$this->title = mysql_real_escape_string($title);
+    		$this->title = Database::escape_string($title);
    	}
    }
 }
--- a/main/permissions/permissions_functions.inc.php
+++ b/main/permissions/permissions_functions.inc.php
@ -41,7 +41,7 @@ function store_permissions($content, $id)
 	}

 	// We first delete all the existing permissions for that user/group/role
-	$sql="DELETE FROM $table  WHERE $id_field = '".mysql_real_escape_string($id)."'";
+	$sql="DELETE FROM $table  WHERE $id_field = '".Database::escape_string($id)."'";
 	$result=Database::query($sql, __FILE__, __LINE__);

 	// looping through the post values to find the permission (containing the string permission* )
@ -50,7 +50,7 @@ function store_permissions($content, $id)
 		if(strstr($key,"permission*"))
 		{
 			list($brol,$tool,$action)=explode("*",$key);
-			$sql="INSERT INTO $table ($id_field,tool,action) VALUES ('".mysql_real_escape_string($id)."','".mysql_real_escape_string($tool)."','".mysql_real_escape_string($action)."')";
+			$sql="INSERT INTO $table ($id_field,tool,action) VALUES ('".Database::escape_string($id)."','".Database::escape_string($tool)."','".Database::escape_string($action)."')";
 			$result=Database::query($sql, __FILE__, __LINE__);


@ -100,7 +100,7 @@ function store_one_permission($content, $action, $id, $tool,$permission)
 	// grating a right
 	if($action=='grant')
 	{
-		$sql="INSERT INTO $table ($id_field,tool,action) VALUES ('".mysql_real_escape_string($id)."','".mysql_real_escape_string($tool)."','".mysql_real_escape_string($permission)."')";
+		$sql="INSERT INTO $table ($id_field,tool,action) VALUES ('".Database::escape_string($id)."','".Database::escape_string($tool)."','".Database::escape_string($permission)."')";
 		$result=Database::query($sql, __FILE__, __LINE__);
 		if($result)
 		{
@ -109,7 +109,7 @@ function store_one_permission($content, $action, $id, $tool,$permission)
 	}
 	if($action=='revoke')
 	{
-		$sql="DELETE FROM $table WHERE $id_field = '".mysql_real_escape_string($id)."' AND tool='".mysql_real_escape_string($tool)."' AND action='".mysql_real_escape_string($permission)."'";
+		$sql="DELETE FROM $table WHERE $id_field = '".Database::escape_string($id)."' AND tool='".Database::escape_string($tool)."' AND action='".Database::escape_string($permission)."'";
 		$result=Database::query($sql, __FILE__, __LINE__);
 		if($result)
 		{
@ -161,7 +161,7 @@ function get_permissions($content, $id)
 	// where the first dimension is the tool.
 	$sql="
 		SELECT * FROM " . $table . "
-		WHERE " . $id_field . "='" . mysql_real_escape_string($id) . "'";
+		WHERE " . $id_field . "='" . Database::escape_string($id) . "'";
 	$result = Database::query($sql, __FILE__, __LINE__);

 	while($row = Database::fetch_array($result))
@ -632,7 +632,7 @@ function assign_role($content, $action, $id, $role_id, $scope='course')
 	// grating a right
 	if($action=='grant')
 	{
-		$sql="INSERT INTO $table (role_id, scope,  $id_field) VALUES ('".mysql_real_escape_string($role_id)."','".mysql_real_escape_string($scope)."','".mysql_real_escape_string($id)."')";
+		$sql="INSERT INTO $table (role_id, scope,  $id_field) VALUES ('".Database::escape_string($role_id)."','".Database::escape_string($scope)."','".Database::escape_string($id)."')";
 		$result=Database::query($sql, __FILE__, __LINE__);
 		if($result)
 		{
@ -641,7 +641,7 @@ function assign_role($content, $action, $id, $role_id, $scope='course')
 	}
 	if($action=='revoke')
 	{
-		$sql="DELETE FROM $table WHERE $id_field = '".mysql_real_escape_string($id)."' AND role_id='".mysql_real_escape_string($role_id)."'";
+		$sql="DELETE FROM $table WHERE $id_field = '".Database::escape_string($id)."' AND role_id='".Database::escape_string($role_id)."'";
 		$result=Database::query($sql, __FILE__, __LINE__);
 		if($result)
 		{
--- a/main/permissions/roles.php
+++ b/main/permissions/roles.php
@ -17,9 +17,9 @@ if ($_POST['StoreRolePermissions'])
 	{
 		$table_role=Database::get_course_table(TABLE_ROLE);
 		$sql="INSERT INTO $table_role (role_name, role_comment, default_role)
-					VALUES ('".mysql_real_escape_string($_POST['role_name'])."','".mysql_real_escape_string($_POST['role_comment'])."','".mysql_real_escape_string($_POST['default_role'])."')";
-		$result=mysql_query($sql) or die(mysql_error());
-		$role_id=mysql_insert_id();
+					VALUES ('".Database::escape_string($_POST['role_name'])."','".Database::escape_string($_POST['role_comment'])."','".Database::escape_string($_POST['default_role'])."')";
+		$result=Database::query($sql);
+		$role_id=Database::insert_id();
 		$result_message=store_permissions('role', $role_id);
 	}
 	else
@ -41,22 +41,22 @@ if (isset($_GET['action']) AND isset($_GET['role_id']) AND $_GET['action']=='del
 {
 	//deleting the assignments fo this role: users
 	$table=Database::get_course_table(TABLE_ROLE_USER);
-	$sql="DELETE FROM $table WHERE role_id='".mysql_real_escape_string($_GET['role_id'])."'";
+	$sql="DELETE FROM $table WHERE role_id='".Database::escape_string($_GET['role_id'])."'";
 	$result=Database::query($sql, __LINE__, __FILE__);

 	// deleting the assignments of this role: groups
 	$table=Database::get_course_table(TABLE_ROLE_GROUP);
-	$sql="DELETE FROM $table WHERE role_id='".mysql_real_escape_string($_GET['role_id'])."'";
+	$sql="DELETE FROM $table WHERE role_id='".Database::escape_string($_GET['role_id'])."'";
 	$result=Database::query($sql, __LINE__, __FILE__);

 	// deleting the permissions of this role
 	$table=Database::get_course_table(TABLE_ROLE_PERMISSION);
-	$sql="DELETE FROM $table WHERE role_id='".mysql_real_escape_string($_GET['role_id'])."'";
+	$sql="DELETE FROM $table WHERE role_id='".Database::escape_string($_GET['role_id'])."'";
 	$result=Database::query($sql, __LINE__, __FILE__);

 	// deleting the role
 	$table_role=Database::get_course_table(TABLE_ROLE);
-	$sql="DELETE FROM $table_role WHERE role_id='".mysql_real_escape_string($_GET['role_id'])."'";
+	$sql="DELETE FROM $table_role WHERE role_id='".Database::escape_string($_GET['role_id'])."'";
 	$result=Database::query($sql, __LINE__, __FILE__);

 	$result_message=get_lang('RoleDeleted');
--- a/main/user/class.php
+++ b/main/user/class.php
@ -117,7 +117,7 @@ function get_number_of_classes()
 	$sql = "SELECT c.id	FROM $class_table c, $course_class_table cc WHERE cc.class_id = c.id AND cc.course_code ='".$_SESSION['_course']['id']."'";
 	if (isset ($_GET['keyword']))
 	{
-		$keyword = mysql_real_escape_string($_GET['keyword']);
+		$keyword = Database::escape_string($_GET['keyword']);
 		$sql .= " AND (c.name LIKE '%".$keyword."%')";
 	}
 	$res = Database::query($sql, __FILE__, __LINE__);
@ -146,7 +146,7 @@ function get_class_data($from, $number_of_items, $column, $direction)
 	$sql .= " WHERE c.id = cc.class_id AND cc.course_code = '".$_SESSION['_course']['id']."'";
 	if (isset ($_GET['keyword']))
 	{
-		$keyword = mysql_real_escape_string($_GET['keyword']);
+		$keyword = Database::escape_string($_GET['keyword']);
 		$sql .= " AND (c.name LIKE '%".$keyword."%')";
 	}
 	$sql .= " GROUP BY c.id, c.name ";
--- a/main/user/subscribe_class.php
+++ b/main/user/subscribe_class.php
@ -125,7 +125,7 @@ function get_number_of_classes()
 	$sql = "SELECT c.id	FROM $class_table c WHERE 1 = 1";
 	if (isset ($_GET['keyword']))
 	{
-		$keyword = mysql_real_escape_string($_GET['keyword']);
+		$keyword = Database::escape_string($_GET['keyword']);
 		$sql .= " AND (c.name LIKE '%".$keyword."%')";
 	}
 	if( count($subscribed_classes) > 0)
@ -162,7 +162,7 @@ function get_class_data($from, $number_of_items, $column, $direction)
 	$sql .= " WHERE 1 = 1";
 	if (isset ($_GET['keyword']))
 	{
-		$keyword = mysql_real_escape_string($_GET['keyword']);
+		$keyword = Database::escape_string($_GET['keyword']);
 		$sql .= " AND (c.name LIKE '%".$keyword."%')";
 	}
 	if( count($subscribed_classes) > 0)
--- a/main/work/work.php
+++ b/main/work/work.php
@ -961,7 +961,7 @@ if ($ctok==$_POST['sec_token']) { //check the token inserted into the form
 			//Get the author ID for that document from the item_property table
 			$is_author = false;
 			if ($id<>'') {
-				$author_sql = "SELECT * FROM $iprop_table WHERE tool = 'work' AND insert_user_id='$user_id' AND ref=" . mysql_real_escape_string($id);
+				$author_sql = "SELECT * FROM $iprop_table WHERE tool = 'work' AND insert_user_id='$user_id' AND ref=" . Database::escape_string($id);

 				$author_qry = Database::query($author_sql, __FILE__, __LINE__);
 				if (Database :: num_rows($author_qry) == 1) {
--- a/tests/main/inc/lib/surveymanager.lib.test.php
+++ b/tests/main/inc/lib/surveymanager.lib.test.php
@ -180,7 +180,7 @@ class TestSurveyManager extends UnitTestCase {
 	function testget_status() {
 		global $_user;
 		$table_user = Database::get_main_table(TABLE_MAIN_USER);
-		$sqlm = "SELECT  status FROM  $table_user WHERE user_id = '".mysql_real_escape_string($_user['user_id'])."'";
+		$sqlm = "SELECT  status FROM  $table_user WHERE user_id = '".Database::escape_string($_user['user_id'])."'";
 		$resm = Database::query($sqlm,__FILE__,__LINE__);
 		$objm=@Database::fetch_object($resm);
 		$ss = $objm->status ;