diff --git a/main/tracking/userLog.php b/main/tracking/userLog.php
index 67e7990fd4..efcc5f4597 100644
--- a/main/tracking/userLog.php
+++ b/main/tracking/userLog.php
@@ -1,9 +1,9 @@
-"../group/group.php", "name"=> get_lang('BredCrumpGroups'));
$interbreadcrumb[]= array ("url"=>"../group/group_space.php?gidReq=$_gid", "name"=> get_lang('BredCrumpGroupSpace'));
*/
-if($uInfo)
-{
- $interbreadcrumb[]= array ("url"=>"../user/userInfo.php?uInfo=$uInfo", "name"=> ucfirst(get_lang('Users')));
+if(isset($uInfo)) {
+ $interbreadcrumb[]= array ('url'=>'../user/userInfo.php?uInfo='.Security::remove_XSS($uInfo), "name"=> ucfirst(get_lang('Users')));
}
$nameTools = get_lang('ToolName');
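Review bot: In the new breadcrumb line, `Security::remove_XSS($uInfo)` is applied to a value that is placed in a URL query string, where URL encoding or a type cast is needed rather than HTML filtering. Characters such as `&` or `#` would still change the link. Since `$uInfo` is used further down as a user id, casting is the tightest fix: `'../user/userInfo.php?uInfo='.intval($uInfo)`. Note also that `isset($uInfo)` is true for an empty string or `0`, where the old `if($uInfo)` was not, so the breadcrumb can now appear with an empty id. `!empty($uInfo)` would keep the old behaviour without an undefined-variable notice.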
@@ -108,8 +105,6 @@ td {border-bottom: thin dashed gray;}
/*]]>*/
";
-
-
Display::display_header($nameTools,"Tracking");
/*
@@ -139,7 +134,6 @@ $TABLECOURSE_GROUPSUSER = Database::get_course_table(TABLE_GROUP_USER);
$TABLECOURSE_EXERCICES = Database::get_course_table(TABLE_QUIZ_TEST);
$TBL_TRACK_HOTPOTATOES = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_HOTPOTATOES);
-
if(api_get_setting('use_session_mode') == "true") {
$sql = "SELECT 1
FROM $tbl_session_course_user AS session_course_user
@@ -201,28 +195,28 @@ function myEnc($isostring,$supposed_encoding='ISO-8859-15')
* Displays the number of logins every month for a specific user in a specific course.
*/
function display_login_tracking_info($view, $user_id, $course_id)
-{
+{
$MonthsLong = $GLOBALS['MonthsLong'];
$track_access_table = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_ACCESS);
$tempView = $view;
- if(substr($view,0,1) == '1')
- {
+ if(substr($view,0,1) == '1') {
$new_view = substr_replace($view,'0',0,1);
echo "
- |
- - ".myEnc(get_lang('LoginsAndAccessTools'))." [".myEnc(get_lang('Close'))."] [".get_lang('ExportAsCSV')."]
- |
+
+ - " .
+ "".myEnc(get_lang('LoginsAndAccessTools'))." [".myEnc(get_lang('Close'))."] [".get_lang('ExportAsCSV')."]
+ |
";
echo "".myEnc(get_lang('LoginsDetails'))." ";
- $sql = "SELECT UNIX_TIMESTAMP(`access_date`), count(`access_date`)
+ $sql = "SELECT UNIX_TIMESTAMP(access_date), count(access_date)
FROM $track_access_table
- WHERE `access_user_id` = '$user_id'
- AND `access_cours_code` = '".$course_id."'
- GROUP BY YEAR(`access_date`),MONTH(`access_date`)
- ORDER BY YEAR(`access_date`),MONTH(`access_date`) ASC";
+ WHERE access_user_id = '".Database::escape_string($user_id)."'
+ AND access_cours_code = '".Database::escape_string($course_id)."'
+ GROUP BY YEAR(access_date),MONTH(access_date)
+ ORDER BY YEAR(access_date),MONTH(access_date) ASC";
echo " |
| ";
//$results = getManyResults2Col($sql);
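Review bot: `$user_id` is escaped as a string inside each query here and in the hunks for display_exercise_tracking_info, display_student_publications_tracking_info, display_links_tracking_info and display_document_tracking_info, although it appears to be a numeric id. Casting it once at the top of each function, `$user_id = intval($user_id);`, would give a stricter guarantee than escaping and keep the SQL strings readable. A one-line comment above each query, such as `// $user_id and $course_id are caller-supplied; keep them quoted and escaped`, would help the next edit. The function body continues outside this hunk.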
@@ -238,13 +232,11 @@ function display_login_tracking_info($view, $user_id, $course_id)
|
";
$total = 0;
- if (is_array($results))
- {
- for($j = 0 ; $j < count($results) ; $j++)
- {
+ if (is_array($results)) {
+ for($j = 0 ; $j < count($results) ; $j++) {
echo "";
//echo "| ".$langMonthNames['long'][date("n", $results[$j][0])-1]." ".date("Y", $results[$j][0])." | ";
- echo "".$MonthsLong[date('n', $results[$j][0])-1].' '.date('Y', $results[$j][0])." | ";
+ echo "".$MonthsLong[date('n', $results[$j][0])-1].' '.date('Y', $results[$j][0])." | ";
echo "".$results[$j][1]." | ";
echo"
";
$total = $total + $results[$j][1];
@@ -253,24 +245,20 @@ function display_login_tracking_info($view, $user_id, $course_id)
echo "".myEnc(get_lang('Total'))." | ";
echo "".$total." | ";
echo"";
- }
- else
- {
+ } else {
echo "";
echo "| ".myEnc(get_lang('NoResult'))." | ";
echo"
";
}
echo "";
echo "";
- }
- else
- {
+ } else {
$new_view = substr_replace($view,'1',0,1);
echo "
- |
- + ".myEnc(get_lang('LoginsAndAccessTools'))."
- |
+
+ + ".myEnc(get_lang('LoginsAndAccessTools'))."
+ |
";
}
@@ -286,26 +274,24 @@ function display_exercise_tracking_info($view, $user_id, $course_id)
if(substr($view,1,1) == '1')
{
$new_view = substr_replace($view,'0',1,1);
- echo "
-
+ echo "
|
- - ".myEnc(get_lang('ExercicesResults'))." [".myEnc(get_lang('Close'))."] [".get_lang('ExportAsCSV')."]
+ - ".myEnc(get_lang('ExercicesResults'))." [".myEnc(get_lang('Close'))."] [".get_lang('ExportAsCSV')."]
|
-
- ";
+ ";
echo "".myEnc(get_lang('ExercicesDetails'))." ";
- $sql = "SELECT `ce`.`title`, `te`.`exe_result` , `te`.`exe_weighting`, UNIX_TIMESTAMP(`te`.`exe_date`)
- FROM $TABLECOURSE_EXERCICES AS ce , `$TABLETRACK_EXERCICES` AS te
- WHERE `te`.`exe_cours_id` = '$course_id'
- AND `te`.`exe_user_id` = '$user_id'
- AND `te`.`exe_exo_id` = `ce`.`id`
- ORDER BY `ce`.`title` ASC, `te`.`exe_date` ASC";
+ $sql = "SELECT ce.title, te.exe_result , te.exe_weighting, UNIX_TIMESTAMP(te.exe_date)
+ FROM $TABLECOURSE_EXERCICES AS ce , $TABLETRACK_EXERCICES AS te
+ WHERE te.exe_cours_id = '".Database::escape_string($course_id)."'
+ AND te.exe_user_id = '".Database::escape_string($user_id)."'
+ AND te.exe_exo_id = ce.id
+ ORDER BY ce.title ASC, te.exe_date ASC";
- $hpsql = "SELECT `te`.`exe_name`, `te`.`exe_result` , `te`.`exe_weighting`, UNIX_TIMESTAMP(`te`.`exe_date`)
+ $hpsql = "SELECT te.exe_name, te.exe_result , te.exe_weighting, UNIX_TIMESTAMP(te.exe_date)
FROM $TBL_TRACK_HOTPOTATOES AS te
- WHERE `te`.`exe_user_id` = '$user_id' AND `te`.`exe_cours_id` = '$course_id'
- ORDER BY `te`.`exe_cours_id` ASC, `te`.`exe_date` ASC";
+ WHERE te.exe_user_id = '".Database::escape_string($user_id)."' AND te.exe_cours_id = '".Database::escape_string($course_id)."'
+ ORDER BY te.exe_cours_id ASC, te.exe_date ASC";
$hpresults = getManyResultsXCol($hpsql, 4);
@@ -328,10 +314,8 @@ function display_exercise_tracking_info($view, $user_id, $course_id)
|
";
- if (is_array($results))
- {
- for($i = 0; $i < sizeof($results); $i++)
- {
+ if (is_array($results)) {
+ for($i = 0; $i < sizeof($results); $i++) {
$display_date = format_locale_date(get_lang('dateTimeFormatLong'), $results[$i][3]);
echo "\n";
echo "| ".$results[$i][0]." | \n";
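Review bot: The result rows are echoed straight into the table, e.g. `$results[$i][0]` (the exercise title) inside the `for` loop, with no output encoding visible. This commit escapes the query inputs but not the stored values coming back out. The same pattern shows in the links hunk (`$results[$j][0]`), the documents hunk (`$results[$j]`) and for `$lp_title` in the SCORM section. If any of those titles or paths can be set by a course user, encode them for HTML on output, for example `echo "| ".htmlspecialchars($results[$i][0], ENT_QUOTES)." | \n";`, with the charset argument matched to the page encoding. The markup around these values is not visible in this rendering, so confirm the output context before choosing the encoder.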
@@ -339,22 +323,17 @@ function display_exercise_tracking_info($view, $user_id, $course_id)
echo "".$results[$i][1]." / ".$results[$i][2]." | \n";
echo "
\n";
}
- }
- else // istvan begin
- {
+ } else {
+ // istvan begin
$NoTestRes = 1;
}
// The Result of Tests
- if(is_array($hpresults))
- {
- for($i = 0; $i < sizeof($hpresults); $i++)
- {
+ if(is_array($hpresults)) {
+ for($i = 0; $i < sizeof($hpresults); $i++) {
$title = GetQuizName($hpresults[$i][0],'');
-
if ($title == '')
$title = GetFileName($hpresults[$i][0]);
-
$display_date = format_locale_date(get_lang('dateTimeFormatLong'), $hpresults[$i][3]);
?>
@@ -363,31 +342,25 @@ function display_exercise_tracking_info($view, $user_id, $course_id)
| / |
\n";
echo "".myEnc(get_lang('NoResult'))." | \n";
echo "\n";
}
echo "";
echo "\n\n";
- }
- else
- {
+ } else {
$new_view = substr_replace($view,'1',1,1);
echo "
|
+ ".myEnc(get_lang('ExercicesResults'))."
|
-
- ";
+ ";
}
}
@@ -397,24 +370,21 @@ function display_exercise_tracking_info($view, $user_id, $course_id)
*/
function display_student_publications_tracking_info($view, $user_id, $course_id)
{
- global $TABLETRACK_UPLOADS, $TABLECOURSE_WORK, $dateTimeFormatLong;
- if(substr($view,2,1) == '1')
- {
+ global $TABLETRACK_UPLOADS, $TABLECOURSE_WORK, $dateTimeFormatLong, $_course;
+ if(substr($view,2,1) == '1') {
$new_view = substr_replace($view,'0',2,1);
- echo "
-
+ echo "
|
- - ".myEnc(get_lang('WorkUploads'))." [".myEnc(get_lang('Close'))."] [".get_lang('ExportAsCSV')."]
+ - ".myEnc(get_lang('WorkUploads'))." [".myEnc(get_lang('Close'))."] [".get_lang('ExportAsCSV')."]
|
-
- ";
+ ";
echo "".myEnc(get_lang('WorksDetails'))." ";
- $sql = "SELECT `u`.`upload_date`, `w`.`title`, `w`.`author`,`w`.`url`
- FROM `$TABLETRACK_UPLOADS` `u` , $TABLECOURSE_WORK `w`
- WHERE `u`.`upload_work_id` = `w`.`id`
- AND `u`.`upload_user_id` = '$user_id'
- AND `u`.`upload_cours_id` = '$course_id'
- ORDER BY `u`.`upload_date` DESC";
+ $sql = "SELECT u.upload_date, w.title, w.author,w.url
+ FROM $TABLETRACK_UPLOADS u , $TABLECOURSE_WORK w
+ WHERE u.upload_work_id = w.id
+ AND u.upload_user_id = '".Database::escape_string($user_id)."'
+ AND u.upload_cours_id = '".Database::escape_string($course_id)."'
+ ORDER BY u.upload_date DESC";
echo " |
";
$results = getManyResultsXCol($sql,4);
echo "";
@@ -429,10 +399,8 @@ function display_student_publications_tracking_info($view, $user_id, $course_id)
".myEnc(get_lang('Date'))."
";
- if (is_array($results))
- {
- for($j = 0 ; $j < count($results) ; $j++)
- {
+ if (is_array($results)) {
+ for($j = 0 ; $j < count($results) ; $j++) {
$pathToFile = api_get_path(WEB_COURSE_PATH).$_course['path']."/".$results[$j][3];
$timestamp = strtotime($results[$j][0]);
$beautifulDate = format_locale_date($dateTimeFormatLong,$timestamp);
@@ -444,24 +412,19 @@ function display_student_publications_tracking_info($view, $user_id, $course_id)
echo "| ".$beautifulDate." | ";
echo"";
}
-
- }
- else
- {
+ } else {
echo "";
echo "| ".myEnc(get_lang('NoResult'))." | ";
echo" ";
}
echo " ";
echo " |
";
- }
- else
- {
+ } else {
$new_view = substr_replace($view,'1',2,1);
echo "
|
- + ".myEnc(get_lang('WorkUploads'))."
+ + ".myEnc(get_lang('WorkUploads'))."
|
";
@@ -475,23 +438,22 @@ function display_student_publications_tracking_info($view, $user_id, $course_id)
function display_links_tracking_info($view, $user_id, $course_id)
{
global $TABLETRACK_LINKS, $TABLECOURSE_LINKS;
- if(substr($view,3,1) == '1')
- {
+ if(substr($view,3,1) == '1') {
$new_view = substr_replace($view,'0',3,1);
echo "
|
- - ".myEnc(get_lang('LinksAccess'))." [".myEnc(get_lang('Close'))."] [".get_lang('ExportAsCSV')."]
+ - ".myEnc(get_lang('LinksAccess'))." [".myEnc(get_lang('Close'))."] [".get_lang('ExportAsCSV')."]
|
";
echo "".myEnc(get_lang('LinksDetails'))." ";
- $sql = "SELECT `cl`.`title`, `cl`.`url`
- FROM `$TABLETRACK_LINKS` AS sl, $TABLECOURSE_LINKS AS cl
- WHERE `sl`.`links_link_id` = `cl`.`id`
- AND `sl`.`links_cours_id` = '$course_id'
- AND `sl`.`links_user_id` = '$user_id'
- GROUP BY `cl`.`title`, `cl`.`url`";
+ $sql = "SELECT cl.title, cl.url
+ FROM $TABLETRACK_LINKS AS sl, $TABLECOURSE_LINKS AS cl
+ WHERE sl.links_link_id = cl.id
+ AND sl.links_cours_id = '".Database::escape_string($course_id)."'
+ AND sl.links_user_id = '".Database::escape_string($user_id)."'
+ GROUP BY cl.title, cl.url";
echo " |
";
$results = getManyResults2Col($sql);
echo "";
@@ -500,32 +462,25 @@ function display_links_tracking_info($view, $user_id, $course_id)
".myEnc(get_lang('LinksTitleLinkColumn'))."
";
- if (is_array($results))
- {
- for($j = 0 ; $j < count($results) ; $j++)
- {
+ if (is_array($results)) {
+ for($j = 0 ; $j < count($results) ; $j++) {
echo "";
echo "| ".$results[$j][0]." | ";
echo" ";
}
-
- }
- else
- {
+ } else {
echo "";
echo "| ".myEnc(get_lang('NoResult'))." | ";
echo" ";
}
echo " ";
echo " |
";
- }
- else
- {
+ } else {
$new_view = substr_replace($view,'1',3,1);
echo "
|
- + ".myEnc(get_lang('LinksAccess'))."
+ + ".myEnc(get_lang('LinksAccess'))."
|
";
@@ -544,17 +499,17 @@ function display_document_tracking_info($view, $user_id, $course_id)
echo "
|
- - ".myEnc(get_lang('DocumentsAccess'))." [".myEnc(get_lang('Close'))."] [".get_lang('ExportAsCSV')."]
+ - ".myEnc(get_lang('DocumentsAccess'))." [".myEnc(get_lang('Close'))."] [".get_lang('ExportAsCSV')."]
|
";
echo "".myEnc(get_lang('DocumentsDetails'))." ";
- $sql = "SELECT `down_doc_path`
+ $sql = "SELECT down_doc_path
FROM $downloads_table
- WHERE `down_cours_id` = '$course_id'
- AND `down_user_id` = '$user_id'
- GROUP BY `down_doc_path`";
+ WHERE down_cours_id = '".Database::escape_string($course_id)."'
+ AND down_user_id = '".Database::escape_string($user_id)."'
+ GROUP BY down_doc_path";
echo " |
| ";
$results = getManyResults1Col($sql);
@@ -564,32 +519,25 @@ function display_document_tracking_info($view, $user_id, $course_id)
".myEnc(get_lang('DocumentsTitleDocumentColumn'))."
|
";
- if (is_array($results))
- {
- for($j = 0 ; $j < count($results) ; $j++)
- {
+ if (is_array($results)) {
+ for($j = 0 ; $j < count($results) ; $j++) {
echo "";
echo "| ".$results[$j]." | ";
echo"
";
}
-
- }
- else
- {
+ } else {
echo "";
echo "| ".myEnc(get_lang('NoResult'))." | ";
echo"
";
}
echo "";
echo "";
- }
- else
- {
+ } else {
$new_view = substr_replace($view,'1',4,1);
echo "
|
- + ".myEnc(get_lang('DocumentsAccess'))."
+ + ".myEnc(get_lang('DocumentsAccess'))."
|
";
@@ -612,43 +560,36 @@ function display_document_tracking_info($view, $user_id, $course_id)
".myEnc(get_lang('ListStudents'))."";
- if( $is_allowedToTrackEverybodyInCourse )
- {
+ if( $is_allowedToTrackEverybodyInCourse ) {
// if user can track everybody : list user of course
if(api_get_setting('use_session_mode')) {
$sql = "SELECT count(user_id)
- FROM $TABLECOURSUSER
- WHERE `course_code` = '$_cid'";
- }
- else {
+ FROM $TABLECOURSUSER
+ WHERE course_code = '".Database::escape_string($_cid)."'";
+ } else {
$sql = "SELECT count(id_user)
- FROM $tbl_session_course_user
- WHERE `course_code` = '$_cid'";
+ FROM $tbl_session_course_user
+ WHERE course_code = '".Database::escape_string($_cid)."'";
}
- }
- else
- {
+ } else {
// if user can only track one group : list users of this group
$sql = "SELECT count(user)
- FROM $TABLECOURSE_GROUPSUSER
- WHERE `group_id` = '$_gid'";
+ FROM $TABLECOURSE_GROUPSUSER
+ WHERE group_id = '".Database::escape_string($_gid)."'";
}
$userGroupNb = getOneResult($sql);
$step = 25; // number of student per page
- if ($userGroupNb > $step)
- {
- if(!isset($offset))
- {
+ if ($userGroupNb > $step) {
+ if(!isset($offset)) {
$offset=0;
}
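Review bot: `if(api_get_setting('use_session_mode'))` tests the setting for truthiness, while the earlier check in this file compares it with the string `"true"`. If the setting comes back as the string `"false"`, this condition is still true and the `else` branch is never reached. Writing `if(api_get_setting('use_session_mode') == "true") {` would make the two checks agree. It is also worth confirming the branches are the intended way round, since the session-mode branch counts from `$TABLECOURSUSER` and the other from `$tbl_session_course_user`. The enclosing block starts outside this hunk.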
@@ -659,47 +600,41 @@ if( ( $is_allowedToTrack || $is_allowedToTrackEverybodyInCourse ) && $_configura
."\n"
."| ";
- if ($previous >= 0)
- {
+ if ($previous >= 0) {
$navLink .= "<< ".myEnc(get_lang('PreviousPage'))."";
}
$navLink .= " | \n"
."";
- if ($next < $userGroupNb)
- {
+ if ($next < $userGroupNb) {
$navLink .= "".myEnc(get_lang('NextPage'))." >>";
}
$navLink .= " | \n"
."
\n"
."
\n";
- }
- else
- {
+ } else {
$offset = 0;
}
-
echo $navLink;
if (!settype($offset, 'integer') || !settype($step, 'integer')) die('Offset or step variables are not integers.'); //sanity check of integer vars
- if( $is_allowedToTrackEverybodyInCourse )
- {
+ if( $is_allowedToTrackEverybodyInCourse ) {
// list of users in this course
- $sql = "SELECT `u`.`user_id`, `u`.`firstname`,`u`.`lastname`
+ $sql = "SELECT u.user_id, u.firstname,u.lastname
FROM $TABLECOURSUSER cu , $TABLEUSER u
- WHERE `cu`.`user_id` = `u`.`user_id`
- AND `cu`.`course_code` = '$_cid'
+ WHERE cu.user_id = u.user_id
+ AND cu.course_code = '".Database::escape_string($_cid)."'
LIMIT $offset,$step";
}
else
{
// list of users of this group
- $sql = "SELECT `u`.`user_id`, `u`.`firstname`,`u`.`lastname`
+ $sql = "SELECT u.user_id, u.firstname,u.lastname
FROM $TABLECOURSE_GROUPSUSER gu , $TABLEUSER u
- WHERE `gu`.`user_id` = `u`.`user_id`
- AND `gu`.`group_id` = '$_gid'
+ WHERE gu.user_id = u.user_id
+ AND gu.group_id = '".Database::escape_string($_gid)."'
LIMIT $offset,$step";
}
$list_users = getManyResults3Col($sql);
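Review bot: The `settype()` sanity check ahead of the two `LIMIT $offset,$step` queries casts rather than validates, so it will practically never reach the `die()`, and a negative `$offset` passes through into the SQL. A clamp after the cast, `$offset = max(0, intval($offset));`, would make the LIMIT clause well-formed by construction. Separately, `echo $navLink;` also runs on the path where only `$offset = 0;` was set, so `$navLink` may be undefined there unless it is initialised above this hunk.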
@@ -707,8 +642,7 @@ if( ( $is_allowedToTrack || $is_allowedToTrackEverybodyInCourse ) && $_configura
."\n"
."| ",myEnc(get_lang('UserName'))," | \n"
."
\n";
- for($i = 0 ; $i < sizeof($list_users) ; $i++)
- {
+ for($i = 0 ; $i < sizeof($list_users) ; $i++) {
echo "\n"
.""
.""
@@ -719,9 +653,9 @@ if( ( $is_allowedToTrack || $is_allowedToTrackEverybodyInCourse ) && $_configura
echo "\n";
echo $navLink;
- }
- else // if uInfo is set
- {
+ } else {
+ // if uInfo is set
+
/***************************************************************************
*
* Informations about student uInfo
@@ -729,27 +663,24 @@ if( ( $is_allowedToTrack || $is_allowedToTrackEverybodyInCourse ) && $_configura
***************************************************************************/
// these checks exists for security reasons, neither a prof nor a tutor can see statistics of a user from
// another course, or group
- if( $is_allowedToTrackEverybodyInCourse )
- {
+ if( $is_allowedToTrackEverybodyInCourse ) {
// check if user is in this course
$tracking_is_accepted = $is_course_member;
$tracked_user_info = Database::get_user_info_from_id($uInfo);
- }
- else
- {
+ } else {
+
// check if user is in the group of this tutor
- $sql = "SELECT `u`.`firstname`,`u`.`lastname`, `u`.`email`
+ $sql = "SELECT u.firstname,u.lastname, u.email
FROM $TABLECOURSE_GROUPSUSER gu , $TABLEUSER u
- WHERE `gu`.`user_id` = `u`.`user_id`
- AND `gu`.`group_id` = '$_gid'
- AND `u`.`user_id` = '$uInfo'";
+ WHERE gu.user_id = u.user_id`
+ AND gu.group_id = '".Database::escape_string($_gid)."'
+ AND u.user_id = '".Database::escape_string($uInfo)."'";
$query = api_sql_query($sql,__FILE__,__LINE__);
$tracked_user_info = @mysql_fetch_assoc($query);
if(is_array($tracked_user_info)) $tracking_is_accepted = true;
}
- if ($tracking_is_accepted)
- {
+ if ($tracking_is_accepted) {
$tracked_user_info['email'] == '' ? $mail_link = myEnc(get_lang('NoEmail')) : $mail_link = Display::encrypted_mailto_link($tracked_user_info['email']);
echo "| ";
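Review bot: The new `WHERE gu.user_id = u.user_id` line ends with a stray backtick left over from the old quoting, which makes the group-membership query invalid SQL. Because the result is read with `@mysql_fetch_assoc($query)`, the failure would be silent and `$tracking_is_accepted` would never become true on this branch. A tutor would then presumably always get the not-in-group message. Remove the trailing backtick, and consider setting `$tracking_is_accepted = false;` before the `if` unless that already happens outside this hunk.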
@@ -765,8 +696,8 @@ if( ( $is_allowedToTrack || $is_allowedToTrackEverybodyInCourse ) && $_configura
// show none : number of 0 is equal to or bigger than number of categories
echo " |
|
- [".myEnc(get_lang('ShowAll'))."]
- [".myEnc(get_lang('ShowNone'))."]".
+ [".myEnc(get_lang('ShowAll'))."]
+ [".myEnc(get_lang('ShowNone'))."]".
//"||[".myEnc(get_lang('BackToList'))."]".
" |
@@ -789,9 +720,7 @@ if( ( $is_allowedToTrack || $is_allowedToTrackEverybodyInCourse ) && $_configura
//Documents downloaded
display_document_tracking_info($view, $uInfo, $_cid);
- }
- else
- {
+ } else {
echo myEnc(get_lang('ErrorUserNotInGroup'));
}
@@ -801,33 +730,29 @@ if( ( $is_allowedToTrack || $is_allowedToTrackEverybodyInCourse ) && $_configura
* Scorm contents and Learning Path
*
***************************************************************************/
- if(substr($view,5,1) == '1')
- {
+ if(substr($view,5,1) == '1') {
$new_view = substr_replace($view,'0',5,1);
- echo "
-
+ echo "
|
- - ".myEnc(get_lang('ScormAccess'))." [".myEnc(get_lang('Close'))."] [".get_lang('ExportAsCSV')."]
+ - ".myEnc(get_lang('ScormAccess'))." [".myEnc(get_lang('Close'))."] [".get_lang('ExportAsCSV')."]
|
-
- ";
+ |
";
$sql = "SELECT id, name FROM $tbl_learnpath_main";
$result=api_sql_query($sql,__FILE__,__LINE__);
$ar=Database::fetch_array($result);
-
+
echo "";
echo "
|
".myEnc(get_lang('ScormContentColumn'))."
|
";
- if (is_array($ar))
- {
+ if (is_array($ar)) {
while ($ar['id'] != '') {
$lp_title = stripslashes($ar['name']);
echo "| ";
- echo "$lp_title";
+ echo "$lp_title";
echo " | ";
if ($ar['id']==$scormcontopen) { //have to list the students here
$contentId=$ar['id'];
@@ -835,7 +760,7 @@ if( ( $is_allowedToTrack || $is_allowedToTrackEverybodyInCourse ) && $_configura
"FROM $tbl_learnpath_item i " .
"INNER JOIN $tbl_learnpath_item_view iv ON i.id=iv.lp_item_id " .
"INNER JOIN $tbl_learnpath_view v ON iv.lp_view_id=v.id " .
- "WHERE (v.user_id=$uInfo and v.lp_id=$contentId) ORDER BY v.id, i.id";
+ "WHERE (v.user_id=".Database::escape_string($uInfo)." and v.lp_id=$contentId) ORDER BY v.id, i.id";
$result3=api_sql_query($sql3,__FILE__,__LINE__);
$ar3=Database::fetch_array($result3);
if (is_array($ar3)) {
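Review bot: `Database::escape_string($uInfo)` is inserted after `v.user_id=` without surrounding quotes, and string escaping gives no protection in an unquoted numeric position, because the value is not confined to a string literal. Cast instead: `"WHERE (v.user_id=".intval($uInfo)." and v.lp_id=".intval($contentId).") ORDER BY v.id, i.id";`. `$contentId` comes from the learning-path row here, but casting it as well costs nothing. The first lines of this query are outside the hunk.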
@@ -870,10 +795,7 @@ if( ( $is_allowedToTrack || $is_allowedToTrackEverybodyInCourse ) && $_configura
}
$ar=Database::fetch_array($result);
}
-
- }
- else
- {
+ } else {
$noscorm=true;
}
@@ -884,37 +806,29 @@ if( ( $is_allowedToTrack || $is_allowedToTrackEverybodyInCourse ) && $_configura
}
echo " ";
echo " |
";
- }
- else
- {
+ } else {
$new_view = substr_replace($view,'1',5,1);
echo "
|
- + ".myEnc(get_lang('ScormAccess'))."
+ + ".myEnc(get_lang('ScormAccess'))."
|
";
}
}
-}
-// not allowed
-else
-{
+} else {
+ // not allowed
if(!$_configuration['tracking_enabled'])
{
echo myEnc(get_lang('TrackingDisabled'));
- }
- else
- {
+ } else {
api_not_allowed();
}
}
?>
-
-
\ No newline at end of file