Fixing queries see #7440

1.9.x
Julio Montoya 11 years ago
parent e85b8f5375
commit c839677b8c
  1. 1
      main/admin/access_url_check_user_session.php
  2. 2
      main/admin/access_url_edit.php
  3. 10
      main/admin/add_sessions_to_promotion.php
  4. 35
      main/admin/add_sessions_to_usergroup.php
  5. 96
      main/admin/course_list.php
  6. 5
      main/admin/course_request_accepted.php
  7. 128
      main/admin/user_list.php
  8. 172
      main/coursecopy/classes/CourseBuilder.class.php
  9. 4
      main/coursecopy/copy_course_session.php
  10. 10
      main/exercice/exercice.php
  11. 2
      main/forum/forumfunction.inc.php
  12. 25
      main/gradebook/lib/be/category.class.php
  13. 48
      main/inc/lib/auth.lib.php
  14. 399
      main/inc/lib/course.lib.php
  15. 44
      main/inc/lib/course_category.lib.php
  16. 104
      main/inc/lib/database.lib.php
  17. 42
      main/inc/lib/document.lib.php
  18. 61
      main/inc/lib/group_portal_manager.lib.php
  19. 134
      main/inc/lib/main_api.lib.php
  20. 56
      main/inc/lib/sessionmanager.lib.php
  21. 44
      main/inc/lib/usermanager.lib.php
  22. 2
      main/inc/lib/userportal.lib.php
  23. 156
      main/newscorm/learnpath.class.php
  24. 3
      main/newscorm/lp_ajax_switch_item.php
  25. 9
      main/newscorm/lp_ajax_switch_item_toc.php
  26. 204
      main/reservation/rsys.php
  27. 19
      main/template/default/auth/courses_categories.php
  28. 7
      main/webservices/registration.soap.php

@ -56,7 +56,6 @@ $order_clause = api_sort_by_first_name() ? ' ORDER BY firstname, lastname' : ' O
$session_list = SessionManager::get_sessions_list();
$html = '';
$show_users_with_problems = isset($_REQUEST['show_users_with_problems']) && $_REQUEST['show_users_with_problems'] == 1 ? true : false;
if ($show_users_with_problems) {

@ -159,3 +159,5 @@ $form->addElement('file','url_image_3','URL Image 3 (PNG)');
// Submit button
$form->addElement('style_submit_button', 'submit', $submit_name, 'class="add"');
$form->display();
Display::display_footer();

@ -93,7 +93,7 @@ if (isset($_POST['form_sent']) && $_POST['form_sent']) {
}
$promotion_data = $promotion->get($id);
$session_list = SessionManager::get_sessions_list(array(), array('name'));
$session_list = SessionManager::get_sessions_list(array(), array('name'));
$session_not_in_promotion = $session_in_promotion= array();
if (!empty($session_list)) {
@ -126,17 +126,19 @@ function search_sessions($needle, $type)
$needle = Database::escape_string($needle);
$needle = api_convert_encoding($needle, $charset, 'utf-8');
$session_list = SessionManager::get_sessions_list(array('s.name LIKE' => "$needle%"));
$session_list = SessionManager::get_sessions_list(
array('s.name' => array('operator' => 'LIKE', 'value' => "$needle%"))
);
$return .= '<select id="session_not_in_promotion" name="session_not_in_promotion_name[]" multiple="multiple" size="15" style="width:360px;">';
foreach ($session_list as $row ) {
foreach ($session_list as $row) {
if (!in_array($row['id'], array_keys($session_in_promotion))) {
$return .= '<option value="'.$row['id'].'">'.$row['name'].'</option>';
}
}
$return .= '</select>';
$xajax_response -> addAssign('ajax_list_multiple','innerHTML',api_utf8_encode($return));
}
return $xajax_response;
}
$xajax->processRequests();
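Review bot: `$row['name']` is concatenated straight into the `<option>` markup in the reformatted foreach of the search_sessions hunk, so a session name containing `<` or `"` lands in the page unescaped through innerHTML; escape at output, `$return .= '<option value="'.intval($row['id']).'">'.htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8').'</option>';`. The needle is already passed through `Database::escape_string` before it is handed to `get_sessions_list` as the LIKE value; if that method escapes the value again (its body is not in this diff) backslashes get doubled, so one of the two escapes should go. The `in_array($row['id'], array_keys($session_in_promotion))` test reads more directly as `!isset($session_in_promotion[$row['id']])`. search_sessions starts before this hunk.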

@ -98,7 +98,7 @@ if (isset($_POST['form_sent']) && $_POST['form_sent']) {
$elements_posted = array();
}
if ($form_sent == 1) {
//added a parameter to send emails when registering a user
//added a parameter to send emails when registering a user
$usergroup->subscribe_sessions_to_usergroup($id, $elements_posted);
header('Location: usergroups.php');
exit;
@ -145,9 +145,13 @@ function search_sessions($needle,$type) {
$order_clause.
' LIMIT 11';*/
} else if ($type == 'searchbox') {
$session_list = SessionManager::get_sessions_list(array('s.name LIKE' => "%$needle%"));
$session_list = SessionManager::get_sessions_list(
array('s.name' => array('operator' => 'LIKE', 'value' => "%$needle%"))
);
} else {
$session_list = SessionManager::get_sessions_list(array('s.name LIKE' => "$needle%"));
$session_list = SessionManager::get_sessions_list(
array('s.name' => array('operator' => 'LIKE', 'value' => "$needle%"))
);
}
$i=0;
if ($type=='single') {
@ -189,13 +193,10 @@ if ($add_type == 'multiple') {
}
echo '<div class="actions">';
echo '<a href="usergroups.php">'.Display::return_icon('back.png',get_lang('Back'),'',ICON_SIZE_MEDIUM).'</a>';
echo '<a href="usergroups.php">'.Display::return_icon('back.png',get_lang('Back'),'',ICON_SIZE_MEDIUM).'</a>';
echo '<a href="javascript://" class="advanced_parameters" style="margin-top: 8px" onclick="display_advanced_search();"><span id="img_plus_and_minus">&nbsp;'.Display::return_icon('div_show.gif',get_lang('Show'),array('style'=>'vertical-align:middle')).' '.get_lang('AdvancedSearch').'</span></a>';
echo '</div>';
?>
<?php echo '<div id="advancedSearch" style="display: none">'. get_lang('SearchSessions'); ?> :
echo '<div id="advancedSearch" style="display: none">'. get_lang('SearchSessions'); ?> :
<input name="SearchSession" onchange = "xajax_search_sessions(this.value,'searchbox')" onkeyup="this.onchange()">
</div>
<form name="formulaire" method="post" action="<?php echo api_get_self(); ?>?id=<?php echo $id; if(!empty($_GET['add'])) echo '&add=true' ; ?>" style="margin:0px;" <?php if($ajax_search){echo ' onsubmit="valide();"';}?>>
@ -262,8 +263,8 @@ if(!empty($errorMsg)) {
<tr>
<td align="center">
<div id="content_source">
<?php
if (!($add_type=='multiple')) {
<?php
if (!($add_type=='multiple')) {
?>
<input type="text" id="user_to_add" onkeyup="xajax_search_users(this.value,'single')" />
<div id="ajax_list_users_single"></div>
@ -313,9 +314,7 @@ if(!empty($errorMsg)) {
</form>
<script type="text/javascript">
<!--
function moveItem(origin , destination){
function moveItem(origin , destination) {
for(var i = 0 ; i<origin.options.length ; i++) {
if(origin.options[i].selected) {
destination.options[destination.length] = new Option(origin.options[i].text,origin.options[i].value);
@ -325,11 +324,9 @@ function moveItem(origin , destination){
}
destination.selectedIndex = -1;
sortOptions(destination.options);
}
function sortOptions(options) {
newOptions = new Array();
for (i = 0 ; i<options.length ; i++)
newOptions[i] = options[i];
@ -338,7 +335,6 @@ function sortOptions(options) {
options.length = 0;
for(i = 0 ; i < newOptions.length ; i++)
options[i] = newOptions[i];
}
function mysort(a, b){
@ -358,10 +354,8 @@ function valide(){
document.forms.formulaire.submit();
}
function loadUsersInSelect(select){
function loadUsersInSelect(select) {
var xhr_object = null;
if(window.XMLHttpRequest) // Firefox
xhr_object = new XMLHttpRequest();
else if(window.ActiveXObject) // Internet Explorer
@ -370,10 +364,7 @@ function loadUsersInSelect(select){
alert("Votre navigateur ne supporte pas les objets XMLHTTPRequest...");
xhr_object.open("POST", "loadUsersInSelect.ajax.php");
xhr_object.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
nosessionUsers = makepost(document.getElementById('elements_not_in'));
sessionUsers = makepost(document.getElementById('elements_in'));
nosessionClasses = makepost(document.getElementById('origin_classes'));
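Review bot: `$id` is echoed raw into the form's `action` attribute at the end of the third hunk (`?id=<?php echo $id; ...`); unless it is cast where it is read from the request earlier in the file, `echo (int) $id;` keeps a non-numeric id from breaking out of the attribute. The two `get_sessions_list` calls in the search_sessions hunk hand `$needle` over as a LIKE value; whether it went through `Database::escape_string` first is outside this hunk and worth confirming, since the promotion page's version of the same function does so before the call. search_sessions and the surrounding script both start before their hunks.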

@ -23,36 +23,56 @@ $sessionId = isset($_GET['session_id']) ? $_GET['session_id'] : null;
/**
* Get the number of courses which will be displayed
*/
function get_number_of_courses() {
function get_number_of_courses()
{
$course_table = Database :: get_main_table(TABLE_MAIN_COURSE);
$sql = "SELECT COUNT(code) AS total_number_of_items FROM $course_table";
if ((api_is_platform_admin() || api_is_session_admin()) && api_is_multiple_url_enabled() && api_get_current_access_url_id() != -1) {
if ((api_is_platform_admin() || api_is_session_admin()) &&
api_is_multiple_url_enabled() && api_get_current_access_url_id() != -1
) {
$access_url_rel_course_table = Database :: get_main_table(TABLE_MAIN_ACCESS_URL_REL_COURSE);
$sql.= " INNER JOIN $access_url_rel_course_table url_rel_course ON (code=url_rel_course.course_code)";
}
if (isset ($_GET['keyword'])) {
$keyword = Database::escape_string($_GET['keyword']);
$sql .= " WHERE (title LIKE '%".$keyword."%' OR code LIKE '%".$keyword."%' OR visual_code LIKE '%".$keyword."%')";
} elseif (isset ($_GET['keyword_code'])) {
$keyword_code = Database::escape_string($_GET['keyword_code']);
$keyword_title = Database::escape_string($_GET['keyword_title']);
$keyword_category = Database::escape_string($_GET['keyword_category']);
$keyword_language = Database::escape_string($_GET['keyword_language']);
$keyword_visibility = Database::escape_string($_GET['keyword_visibility']);
$keyword = Database::escape_string("%".$_GET['keyword']."%");
$sql .= " WHERE (
title LIKE '".$keyword."' OR
code LIKE '".$keyword."' OR
visual_code LIKE '".$keyword."'
)
";
} elseif (isset($_GET['keyword_code'])) {
$keyword_code = Database::escape_string("%".$_GET['keyword_code']."%");
$keyword_title = Database::escape_string("%".$_GET['keyword_title']."%");
$keyword_category = Database::escape_string("%".$_GET['keyword_category']."%");
$keyword_language = Database::escape_string("%".$_GET['keyword_language']."%");
$keyword_visibility = Database::escape_string("%".$_GET['keyword_visibility']."%");
$keyword_subscribe = Database::escape_string($_GET['keyword_subscribe']);
$keyword_unsubscribe = Database::escape_string($_GET['keyword_unsubscribe']);
$sql .= " WHERE (code LIKE '%".$keyword_code."%' OR visual_code LIKE '%".$keyword_code."%') AND title LIKE '%".$keyword_title."%' AND category_code LIKE '%".$keyword_category."%' AND course_language LIKE '%".$keyword_language."%' AND visibility LIKE '%".$keyword_visibility."%' AND subscribe LIKE '".$keyword_subscribe."'AND unsubscribe LIKE '".$keyword_unsubscribe."'";
$sql .= " WHERE
(code LIKE '".$keyword_code."' OR visual_code LIKE '".$keyword_code."') AND
title LIKE '".$keyword_title."' AND
category_code LIKE '".$keyword_category."' AND
course_language LIKE '".$keyword_language."' AND
visibility LIKE '".$keyword_visibility."' AND
subscribe LIKE '".$keyword_subscribe."' AND
unsubscribe LIKE '".$keyword_unsubscribe."'
";
}
// adding the filter to see the user's only of the current access_url
if ((api_is_platform_admin() || api_is_session_admin()) && api_is_multiple_url_enabled() && api_get_current_access_url_id() != -1) {
if ((api_is_platform_admin() || api_is_session_admin()) &&
api_is_multiple_url_enabled() && api_get_current_access_url_id() != -1
) {
$sql.= " AND url_rel_course.access_url_id=".api_get_current_access_url_id();
}
$res = Database::query($sql);
$obj = Database::fetch_object($res);
return $obj->total_number_of_items;
}
@ -62,9 +82,11 @@ function get_number_of_courses() {
* @param int $number_of_items
* @param int $column
* @param string $direction
*
* @return array
*/
function get_course_data($from, $number_of_items, $column, $direction) {
function get_course_data($from, $number_of_items, $column, $direction)
{
$course_table = Database::get_main_table(TABLE_MAIN_COURSE);
$sql = "SELECT code AS col0,
@ -80,35 +102,52 @@ function get_course_data($from, $number_of_items, $column, $direction) {
visual_code
FROM $course_table";
if ((api_is_platform_admin() || api_is_session_admin()) && api_is_multiple_url_enabled() && api_get_current_access_url_id() != -1) {
if ((api_is_platform_admin() || api_is_session_admin()) &&
api_is_multiple_url_enabled() && api_get_current_access_url_id() != -1
) {
$access_url_rel_course_table = Database :: get_main_table(TABLE_MAIN_ACCESS_URL_REL_COURSE);
$sql.= " INNER JOIN $access_url_rel_course_table url_rel_course ON (code=url_rel_course.course_code)";
}
if (isset ($_GET['keyword'])) {
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " WHERE (title LIKE '%".$keyword."%' OR code LIKE '%".$keyword."%' OR visual_code LIKE '%".$keyword."%' ) ";
} elseif (isset ($_GET['keyword_code'])) {
$keyword_code = Database::escape_string($_GET['keyword_code']);
$keyword_title = Database::escape_string($_GET['keyword_title']);
$keyword_category = Database::escape_string($_GET['keyword_category']);
$keyword_language = Database::escape_string($_GET['keyword_language']);
$keyword_visibility = Database::escape_string($_GET['keyword_visibility']);
$keyword_subscribe = Database::escape_string($_GET['keyword_subscribe']);
$keyword_unsubscribe = Database::escape_string($_GET['keyword_unsubscribe']);
$sql .= " WHERE (code LIKE '%".$keyword_code."%' OR visual_code LIKE '%".$keyword_code."%') AND title LIKE '%".$keyword_title."%' AND category_code LIKE '%".$keyword_category."%' AND course_language LIKE '%".$keyword_language."%' AND visibility LIKE '%".$keyword_visibility."%' AND subscribe LIKE '".$keyword_subscribe."'AND unsubscribe LIKE '".$keyword_unsubscribe."'";
$keyword = Database::escape_string("%".trim($_GET['keyword'])."%");
$sql .= " WHERE (
title LIKE '".$keyword."' OR
code LIKE '".$keyword."' OR
visual_code LIKE '".$keyword."'
)
";
} elseif (isset($_GET['keyword_code'])) {
$keyword_code = Database::escape_string("%".$_GET['keyword_code']."%");
$keyword_title = Database::escape_string("%".$_GET['keyword_title']."%");
$keyword_category = Database::escape_string("%".$_GET['keyword_category']."%");
$keyword_language = Database::escape_string("%".$_GET['keyword_language']."%");
$keyword_visibility = Database::escape_string("%".$_GET['keyword_visibility']."%");
$keyword_subscribe = Database::escape_string($_GET['keyword_subscribe']);
$keyword_unsubscribe = Database::escape_string($_GET['keyword_unsubscribe']);
$sql .= " WHERE
(code LIKE '".$keyword_code."' OR visual_code LIKE '".$keyword_code."') AND
title LIKE '".$keyword_title."' AND
category_code LIKE '".$keyword_category."' AND
course_language LIKE '".$keyword_language."' AND
visibility LIKE '".$keyword_visibility."' AND
subscribe LIKE '".$keyword_subscribe."' AND
unsubscribe LIKE '".$keyword_unsubscribe."'";
}
// Adding the filter to see the user's only of the current access_url.
if ((api_is_platform_admin() || api_is_session_admin()) && api_is_multiple_url_enabled() && api_get_current_access_url_id() != -1) {
if ((api_is_platform_admin() || api_is_session_admin()) &&
api_is_multiple_url_enabled() && api_get_current_access_url_id() != -1
) {
$sql.= " AND url_rel_course.access_url_id=".api_get_current_access_url_id();
}
$sql .= " ORDER BY col$column $direction ";
$sql .= " LIMIT $from,$number_of_items";
$sql .= " LIMIT $from, $number_of_items";
$res = Database::query($sql);
$courses = array ();
$courses = array();
while ($course = Database::fetch_array($res)) {
// Place colour icons in front of courses.
$show_visual_code = $course['visual_code'] != $course[2] ? Display::label($course['visual_code'], 'info') : null;
@ -118,6 +157,7 @@ function get_course_data($from, $number_of_items, $column, $direction) {
$course_rem = array($course[0], $course[1], $course[2], $course[3], $course[4], $course[5], $course[6], $course[7]);
$courses[] = $course_rem;
}
return $courses;
}
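Review bot: `$from`, `$number_of_items`, `$column` and `$direction` are interpolated into `ORDER BY` and the reformatted `LIMIT` line near the end of the get_course_data hunk without any cast, so the only thing between the request and the query is whatever SortableTable does to them before calling this function. Casting them here is cheap, `$from = intval($from); $number_of_items = intval($number_of_items); $column = intval($column);`, and `$direction` should be reduced to `ASC`/`DESC` the same way. In the `keyword_code` branch of both functions only `$_GET['keyword_code']` is guarded by `isset`, while `keyword_title`, `keyword_category`, `keyword_language`, `keyword_visibility`, `keyword_subscribe` and `keyword_unsubscribe` are read unconditionally and raise notices when the form omits them. `Database::escape_string` leaves `%` and `_` untouched, so a user typing them gets wildcard matching on top of the `%` the code adds; acceptable for an admin search, but worth a one-line comment since this commit drops `escape_sql_wildcards` elsewhere.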

@ -92,8 +92,9 @@ function get_number_of_requests() {
/**
* Get course data to display
*/
function get_request_data($from, $number_of_items, $column, $direction) {
$keyword = Database::escape_string(trim($_GET['keyword']));
function get_request_data($from, $number_of_items, $column, $direction)
{
$keyword = isset($_GET['keyword']) ? Database::escape_string(trim($_GET['keyword'])) : null;
$course_request_table = Database :: get_main_table(TABLE_MAIN_COURSE_REQUEST);
$sql = "SELECT id AS col0,

@ -95,11 +95,11 @@ function active_user(element_div) {
}
}
function clear_course_list (div_course) {
function clear_course_list(div_course) {
$("div#"+div_course).html("&nbsp;");
$("div#"+div_course).hide("");
}
function clear_session_list (div_session) {
function clear_session_list(div_session) {
$("div#"+div_session).html("&nbsp;");
$("div#"+div_session).hide("");
}
@ -115,7 +115,6 @@ function display_advanced_search_form () {
}
$(document).ready(function() {
var select_val = $("#input_select_extra_data").val();
if ( document.getElementById(\'extra_data_text\')) {
@ -159,7 +158,6 @@ $this_section = SECTION_PLATFORM_ADMIN;
if ($action == 'login_as') {
$check = Security::check_token('get');
if (isset($_GET['user_id']) && api_can_login_as($_GET['user_id']) && $check) {
login_user($_GET['user_id']);
} else {
@ -174,7 +172,7 @@ api_protect_admin_script(true);
* Prepares the shared SQL query for the user table.
* See get_user_data() and get_number_of_users().
*
* @param boolean Whether to count, or get data
* @param boolean $is_count Whether to count, or get data
* @return string SQL query
*/
function prepare_user_sql_query($is_count) {
@ -187,16 +185,21 @@ function prepare_user_sql_query($is_count) {
} else {
$sql .= "SELECT u.user_id AS col0, u.official_code AS col2, ";
if (api_is_western_name_order())
if (api_is_western_name_order()) {
$sql .= "u.firstname AS col3, u.lastname AS col4, ";
else
} else {
$sql .= "u.lastname AS col3, u.firstname AS col4, ";
}
$sql .= "u.username AS col5, u.email AS col6, ".
"u.status AS col7, u.active AS col8, ".
"u.user_id AS col9, u.registration_date AS col10, ".
"u.expiration_date AS exp, u.password ".
"FROM $user_table u";
$sql .= " u.username AS col5,
u.email AS col6,
u.status AS col7,
u.active AS col8,
u.user_id AS col9,
u.registration_date AS col10,
u.expiration_date AS exp,
u.password
FROM $user_table u";
}
// adding the filter to see the user's only of the current access_url
@ -205,18 +208,29 @@ function prepare_user_sql_query($is_count) {
$sql.= " INNER JOIN $access_url_rel_user_table url_rel_user ON (u.user_id=url_rel_user.user_id)";
}
foreach ($_GET as $key => $value) {
/* Because this query uses LIKE very liberally we need to escape
* LIKE wildcards, concretely "_" and "%". This is only relevant
* for *LIKE* statements.
*
* See: http://stackoverflow.com/a/3683868 */
// Remove buggy whitespaces and escape for both SQL and LIKE.
if ($key == "keyword_status")
$$key = Database::escape_string(trim($value));
else
$$key = Database::escape_sql_wildcards(Database::escape_string(trim($value)));
$keywordList = array(
'keyword_firstname',
'keyword_lastname',
'keyword_username',
'keyword_email',
'keyword_officialcode',
'keyword_status',
'keyword_active',
'check_easy_passwords'
);
$keywordListValues = array();
$atLeastOne = false;
foreach ($keywordList as $keyword) {
$keywordListValues[$keyword] = null;
if (isset($_GET[$keyword]) && !empty($_GET[$keyword])) {
$keywordListValues[$keyword] = $_GET[$keyword];
$atLeastOne = true;
}
}
if ($atLeastOne == false) {
$keywordListValues = array();
}
if (isset($keyword_extra_data) && !empty($keyword_extra_data)) {
@ -225,40 +239,47 @@ function prepare_user_sql_query($is_count) {
$sql.= " INNER JOIN user_field_values ufv ON u.user_id=ufv.user_id AND ufv.field_id=$field_id ";
}
if (isset($keyword)) {
$sql .= " WHERE (".
"u.firstname LIKE '%". $keyword ."%' ".
"OR u.lastname LIKE '%". $keyword ."%' ".
"OR concat(u.firstname,' ',u.lastname) LIKE '%". $keyword ."%' ".
"OR concat(u.lastname,' ',u.firstname) LIKE '%". $keyword ."%' ".
"OR u.username LIKE '%". $keyword ."%' ".
"OR u.official_code LIKE '%". $keyword ."%' ".
"OR u.email LIKE '%". $keyword ."%')";
} elseif (isset($keyword_firstname)) {
if (isset($_GET['keyword']) && !empty($_GET['keyword'])) {
$keywordFiltered = Database::escape_string("%". $_GET['keyword'] ."%");
$sql .= " WHERE (
u.firstname LIKE '$keywordFiltered' OR
u.lastname LIKE '$keywordFiltered' OR
concat(u.firstname, ' ', u.lastname) LIKE '$keywordFiltered' OR
concat(u.lastname,' ',u.firstname) LIKE '$keywordFiltered' OR
u.username LIKE '$keywordFiltered' OR
u.official_code LIKE '$keywordFiltered' OR
u.email LIKE '$keywordFiltered'
)
";
} elseif (isset($keywordListValues) && !empty($keywordListValues)) {
$query_admin_table = '';
$keyword_admin = '';
if ($keyword_status == SESSIONADMIN) {
$keyword_status = '%';
if (isset($keywordListValues['keyword_status']) &&
$keywordListValues['keyword_status'] == PLATFORM_ADMIN
) {
$query_admin_table = " , $admin_table a ";
$keyword_admin = ' AND a.user_id = u.user_id ';
$keywordListValues['keyword_status'] = '%';
}
$keyword_extra_value = '';
if (isset($keyword_extra_data) && !empty($keyword_extra_data) &&
!empty($keyword_extra_data_text)) {
$keyword_extra_value = " AND ufv.field_value LIKE '%".trim($keyword_extra_data_text)."%' ";
}
$sql .= " $query_admin_table ".
"WHERE (u.firstname LIKE '%". $keyword_firstname ."%' ".
"AND u.lastname LIKE '%". $keyword_lastname ."%' ".
"AND u.username LIKE '%". $keyword_username ."%' ".
"AND u.email LIKE '%". $keyword_email ."%' ".
"AND u.official_code LIKE '%". $keyword_officialcode ."%' ".
"AND u.status LIKE '$keyword_status' ".
"$keyword_admin $keyword_extra_value";
$sql .= " $query_admin_table
WHERE (
u.firstname LIKE '". Database::escape_string("%".$keywordListValues['keyword_firstname']."%")."' AND
u.lastname LIKE '". Database::escape_string("%".$keywordListValues['keyword_lastname']."%")."' AND
u.username LIKE '". Database::escape_string("%".$keywordListValues['keyword_username']."%")."' AND
u.email LIKE '". Database::escape_string("%".$keywordListValues['keyword_email']."%")."' AND
u.official_code LIKE '". Database::escape_string("%".$keywordListValues['keyword_officialcode']."%")."' AND
u.status LIKE '".Database::escape_string($keywordListValues['keyword_status'])."'
$keyword_admin
$keyword_extra_value
";
if (isset($keyword_active) && !isset($keyword_inactive)) {
$sql .= " AND u.active='1'";
@ -270,7 +291,8 @@ function prepare_user_sql_query($is_count) {
// adding the filter to see the user's only of the current access_url
if ((api_is_platform_admin() || api_is_session_admin())
&& api_get_multiple_access_url()) {
&& api_get_multiple_access_url()
) {
$sql .= " AND url_rel_user.access_url_id=".api_get_current_access_url_id();
}
@ -388,7 +410,7 @@ function login_user($user_id) {
* @see SortableTable#get_total_number_of_items()
*/
function get_number_of_users() {
$sql = prepare_user_sql_query (true);
$sql = prepare_user_sql_query(true);
$res = Database::query($sql);
$obj = Database::fetch_object($res);
@ -404,7 +426,7 @@ function get_number_of_users() {
* @see SortableTable#get_table_data($from)
*/
function get_user_data($from, $number_of_items, $column, $direction) {
$sql = prepare_user_sql_query (false);
$sql = prepare_user_sql_query(false);
$checkPassStrength = isset($_GET['check_easy_passwords']) && $_GET['check_easy_passwords'] == 1 ? true : false;
@ -732,7 +754,8 @@ $form->addElement(
$actions = '';
if (api_is_platform_admin()) {
$actions .= '<span style="float:right;">'.
'<a href="'.api_get_path(WEB_CODE_PATH).'admin/user_add.php">'.Display::return_icon('new_user.png',get_lang('AddUsers'),'',ICON_SIZE_MEDIUM).'</a>'.
'<a href="'.api_get_path(WEB_CODE_PATH).'admin/user_add.php">'.
Display::return_icon('new_user.png',get_lang('AddUsers'),'',ICON_SIZE_MEDIUM).'</a>'.
'</span>';
}
$actions .= $form->return_form();
@ -790,8 +813,10 @@ $status_options['%'] = get_lang('All');
$status_options[STUDENT] = get_lang('Student');
$status_options[COURSEMANAGER] = get_lang('Teacher');
$status_options[DRH] = get_lang('Drh');
$status_options[SESSIONADMIN] = get_lang('Administrator');
$form->addElement('select','keyword_status',get_lang('Profile'),$status_options, array('style'=>'margin-left:17px'));
$status_options[SESSIONADMIN] = get_lang('SessionsAdmin');
$status_options[PLATFORM_ADMIN] = get_lang('Administrator');
$form->addElement('select','keyword_status',get_lang('Profile'), $status_options, array('style'=>'margin-left:17px'));
$form->addElement('html', '</td></tr>');
$form->addElement('html', '<tr><td>');
$active_group = array();
@ -881,7 +906,6 @@ if ($table->get_total_number_of_items() == 0) {
if (api_get_multiple_access_url() && isset($_REQUEST['keyword'])) {
$keyword = Database::escape_string($_REQUEST['keyword']);
//$conditions = array('firstname' => $keyword, 'lastname' => $keyword, 'username' => $keyword);
$conditions = array('username' => $keyword);
$user_list = UserManager::get_user_list($conditions, array(), false, ' OR ');
if (!empty($user_list)) {
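Review bot: the `$$key` loop removed in the prepare_user_sql_query hunk at -205 appears to have been the only place that defined `$keyword_extra_data`, `$keyword_extra_data_text`, `$keyword_active` and `$keyword_inactive`, yet the unchanged lines `if (isset($keyword_extra_data) && !empty($keyword_extra_data)) {`, `$keyword_extra_value = " AND ufv.field_value LIKE '%".trim($keyword_extra_data_text)."%' ";` and `if (isset($keyword_active) && !isset($keyword_inactive)) {` in the next hunk still read them; unless they are assigned somewhere outside these hunks the extra-field and active filters are now dead, and if they are assigned, `$keyword_extra_data_text` reaches the query without the `Database::escape_string` the old loop applied. Reading it explicitly, `$keyword_extra_data_text = isset($_GET['keyword_extra_data_text']) ? Database::escape_string(trim($_GET['keyword_extra_data_text'])) : '';`, covers both. Separately, `u.status LIKE '…'` is built from `$keywordListValues['keyword_status']`, which stays `null` when another keyword is set but no status was sent, producing `LIKE ''` and an empty result; `if ($keywordListValues['keyword_status'] === null) { $keywordListValues['keyword_status'] = '%'; }` before the query restores the "all" default, and note that `!empty()` also treats a `'0'` value as absent. prepare_user_sql_query starts before its first hunk.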

@ -29,13 +29,14 @@ require_once 'Work.class.php';
require_once api_get_path(SYS_CODE_PATH).'exercice/question.class.php';
/**
* Class which can build a course-object from a Chamilo-course.
* Class CourseBuilder
* Builds a course-object from a Chamilo-course.
* @author Bart Mollet <bart.mollet@hogent.be>
* @package chamilo.backup
*/
class CourseBuilder
{
/** Course */
/** @var Course */
public $course;
/* With this array you can filter the tools you want to be parsed by
@ -67,8 +68,10 @@ class CourseBuilder
/**
* Create a new CourseBuilder
* @param string $type
* @param null $course
*/
public function __construct($type='', $course = null)
public function __construct($type='', $course = null)
{
$_course = api_get_course_info();
@ -87,7 +90,6 @@ class CourseBuilder
}
/**
*
* @param array $array
*/
public function set_tools_to_build($array)
@ -121,7 +123,7 @@ class CourseBuilder
* @param bool true if you want to get the elements that exists in the course and
* in the session, (session_id = 0 or session_id = X)
*/
public function build($session_id = 0, $course_code = '', $with_base_content = false)
public function build($session_id = 0, $course_code = '', $with_base_content = false)
{
$table_link = Database :: get_course_table(TABLE_LINKED_RESOURCES);
$table_properties = Database :: get_course_table(TABLE_ITEM_PROPERTY);
@ -467,7 +469,7 @@ class CourseBuilder
//select only quizzes with active = 0 or 1 (not -1 which is for deleted quizzes)
} else {
$sql = "SELECT * FROM $table_qui WHERE c_id = $course_id AND active >=0 AND session_id = 0";
//select only quizzes with active = 0 or 1 (not -1 which is for deleted quizzes)
//select only quizzes with active = 0 or 1 (not -1 which is for deleted quizzes)
}
$db_result = Database::query($sql);
@ -747,11 +749,11 @@ class CourseBuilder
$db_result = Database::query($sql);
while ($obj = Database::fetch_object($db_result)) {
$survey = new Survey($obj->survey_id, $obj->code,$obj->title,
$obj->subtitle, $obj->author, $obj->lang,
$obj->avail_from, $obj->avail_till, $obj->is_shared,
$obj->template, $obj->intro, $obj->surveythanks,
$obj->creation_date, $obj->invited, $obj->answered,
$obj->invite_mail, $obj->reminder_mail);
$obj->subtitle, $obj->author, $obj->lang,
$obj->avail_from, $obj->avail_till, $obj->is_shared,
$obj->template, $obj->intro, $obj->surveythanks,
$obj->creation_date, $obj->invited, $obj->answered,
$obj->invite_mail, $obj->reminder_mail);
$sql = 'SELECT * FROM '.$table_question.' WHERE c_id = '.$course_id.' AND survey_id = '.$obj->survey_id;
$db_result2 = Database::query($sql);
while ($obj2 = Database::fetch_object($db_result2)){
@ -925,75 +927,75 @@ class CourseBuilder
$db_result = Database::query($sql);
if ($db_result)
while ($obj = Database::fetch_object($db_result)) {
$items = array();
$sql_items = "SELECT * FROM ".$table_item." WHERE c_id = '$course_id' AND lp_id = ".$obj->id;
$db_items = Database::query($sql_items);
while ($obj_item = Database::fetch_object($db_items)) {
$item['id'] = $obj_item->id;
$item['item_type'] = $obj_item->item_type;
$item['ref'] = $obj_item->ref;
$item['title'] = $obj_item->title;
$item['description'] = $obj_item->description;
$item['path'] = $obj_item->path;
$item['min_score'] = $obj_item->min_score;
$item['max_score'] = $obj_item->max_score;
$item['mastery_score'] = $obj_item->mastery_score;
$item['parent_item_id'] = $obj_item->parent_item_id;
$item['previous_item_id'] = $obj_item->previous_item_id;
$item['next_item_id'] = $obj_item->next_item_id;
$item['display_order'] = $obj_item->display_order;
$item['prerequisite'] = $obj_item->prerequisite;
$item['parameters'] = $obj_item->parameters;
$item['launch_data'] = $obj_item->launch_data;
$item['audio'] = $obj_item->audio;
$items[] = $item;
}
while ($obj = Database::fetch_object($db_result)) {
$items = array();
$sql_items = "SELECT * FROM ".$table_item." WHERE c_id = '$course_id' AND lp_id = ".$obj->id;
$db_items = Database::query($sql_items);
while ($obj_item = Database::fetch_object($db_items)) {
$item['id'] = $obj_item->id;
$item['item_type'] = $obj_item->item_type;
$item['ref'] = $obj_item->ref;
$item['title'] = $obj_item->title;
$item['description'] = $obj_item->description;
$item['path'] = $obj_item->path;
$item['min_score'] = $obj_item->min_score;
$item['max_score'] = $obj_item->max_score;
$item['mastery_score'] = $obj_item->mastery_score;
$item['parent_item_id'] = $obj_item->parent_item_id;
$item['previous_item_id'] = $obj_item->previous_item_id;
$item['next_item_id'] = $obj_item->next_item_id;
$item['display_order'] = $obj_item->display_order;
$item['prerequisite'] = $obj_item->prerequisite;
$item['parameters'] = $obj_item->parameters;
$item['launch_data'] = $obj_item->launch_data;
$item['audio'] = $obj_item->audio;
$items[] = $item;
}
$sql_tool = "SELECT id FROM $table_tool
$sql_tool = "SELECT id FROM $table_tool
WHERE
c_id = $course_id AND
(link LIKE '%lp_controller.php%lp_id=".$obj->id."%' AND image='scormbuilder.gif') AND
visibility = '1' ";
$db_tool = Database::query($sql_tool);
$db_tool = Database::query($sql_tool);
if (Database::num_rows($db_tool)) {
$visibility = '1';
} else {
$visibility = '0';
}
if (Database::num_rows($db_tool)) {
$visibility = '1';
} else {
$visibility = '0';
}
$lp = new CourseCopyLearnpath(
$obj->id,
$obj->lp_type,
$obj->name,
$obj->path,
$obj->ref,
$obj->description,
$obj->content_local,
$obj->default_encoding,
$obj->default_view_mod,
$obj->prevent_reinit,
$obj->force_commit,
$obj->content_maker,
$obj->display_order,
$obj->js_lib,
$obj->content_license,
$obj->debug,
$visibility,
$obj->author,
$obj->preview_image,
$obj->use_max_score,
$obj->autolunch,
$obj->created_on,
$obj->modified_on,
$obj->publicated_on,
$obj->expired_on,
$obj->session_id,
$items
);
$this->course->add_resource($lp);
}
$lp = new CourseCopyLearnpath(
$obj->id,
$obj->lp_type,
$obj->name,
$obj->path,
$obj->ref,
$obj->description,
$obj->content_local,
$obj->default_encoding,
$obj->default_view_mod,
$obj->prevent_reinit,
$obj->force_commit,
$obj->content_maker,
$obj->display_order,
$obj->js_lib,
$obj->content_license,
$obj->debug,
$visibility,
$obj->author,
$obj->preview_image,
$obj->use_max_score,
$obj->autolunch,
$obj->created_on,
$obj->modified_on,
$obj->publicated_on,
$obj->expired_on,
$obj->session_id,
$items
);
$this->course->add_resource($lp);
}
// Save scorm directory (previously build_scorm_documents())
$i = 1;
@ -1092,7 +1094,7 @@ class CourseBuilder
$course_id = $course_info['real_id'];
if (!empty($session_id) && !empty($course_code)) {
$session_id = intval($session_id);
$session_id = intval($session_id);
if ($with_base_content) {
$session_condition = api_get_session_condition($session_id, true, true);
} else {
@ -1111,8 +1113,8 @@ class CourseBuilder
}
/**
* Build the Surveys
*/
* Build the Surveys
*/
public function build_thematic($session_id = 0, $course_code = '', $with_base_content = false, $id_list = array())
{
$table_thematic = Database :: get_course_table(TABLE_THEMATIC);
@ -1149,7 +1151,7 @@ class CourseBuilder
//$thematic_plan_complete_list[$item['ref']] = $item;
}
}
if (count($thematic_plan_id_list) > 0) {
if (count($thematic_plan_id_list) > 0) {
$sql = "SELECT tp.*
FROM $table_thematic_plan tp
INNER JOIN $table_thematic t ON (t.id=tp.thematic_id)
@ -1169,8 +1171,8 @@ class CourseBuilder
}
/**
* Build the attendances
*/
* Build the attendances
*/
public function build_attendance($session_id = 0, $course_code = '', $with_base_content = false, $id_list = array())
{
$table_attendance = Database :: get_course_table(TABLE_ATTENDANCE);
@ -1196,21 +1198,23 @@ class CourseBuilder
/**
* Build the works (or "student publications", or "assignments")
*
* @param int $session_id
* @param string $course_code
* @param bool $with_base_content
* @param array $id_list
*/
public function build_works($session_id = 0, $course_code = '', $with_base_content = false, $id_list = array())
{
$table_work = Database :: get_course_table(TABLE_STUDENT_PUBLICATION);
//$table_work_assignment = Database :: get_course_table(TABLE_STUDENT_PUBLICATION_ASSIGNMENT);
$course_id = api_get_course_int_id();
$sessionCondition = api_get_session_condition($session_id, true, $with_base_content);
$sql = "SELECT * FROM $table_work
WHERE
c_id = $course_id
c_id = $course_id
$sessionCondition AND
filetype = \'folder\' AND
filetype = 'folder' AND
parent_id = 0 AND
active = 1";
$db_result = Database::query($sql);

@ -90,7 +90,7 @@ function make_select_session_list($name, $sessions, $attr = array())
function display_form()
{
$html = '';
$sessions = SessionManager::get_sessions_list(null, array('name ASC'));
$sessions = SessionManager::get_sessions_list(array(), array('name', 'ASC'));
// Actions
$html .= '<div class="actions">';
@ -166,7 +166,7 @@ function search_courses($id_session, $type)
// Build select for destination sessions where is not included current session from select origin
if (!empty($id_session)) {
$sessions = SessionManager::get_sessions_list(null, array('name ASC'));
$sessions = SessionManager::get_sessions_list(array(), array('name', 'ASC'));
$select_destination .= '<select name="sessions_list_destination" width="380px" onchange = "javascript: xajax_search_courses(this.value,\'destination\');">';
$select_destination .= '<option value = "0">-- '.get_lang('SelectASession').' --</option>';

@ -405,7 +405,9 @@ if (Database :: num_rows($result_total)) {
//get HotPotatoes files (active and inactive)
if ($is_allowedToEdit) {
$sql = "SELECT * FROM $TBL_DOCUMENT
WHERE c_id = $courseId AND path LIKE '".Database :: escape_string($uploadPath)."/%/%'";
WHERE
c_id = $courseId AND
path LIKE '".Database :: escape_string($uploadPath.'/%/%')."'";
$res = Database::query($sql);
$hp_count = Database :: num_rows($res);
} else {
@ -413,7 +415,7 @@ if ($is_allowedToEdit) {
WHERE
d.id = ip.ref AND
ip.tool = '".TOOL_DOCUMENT."' AND
d.path LIKE '".Database :: escape_string($uploadPath)."/%/%' AND
d.path LIKE '".Database :: escape_string($uploadPath.'/%/%')."' AND
ip.visibility ='1' AND
d.c_id = ".$courseId." AND
ip.c_id = ".$courseId;
@ -920,7 +922,7 @@ if ($is_allowedToEdit) {
d.id = ip.ref AND
ip.tool = '".TOOL_DOCUMENT."' AND
(d.path LIKE '%htm%') AND
d.path LIKE '".Database :: escape_string($uploadPath)."/%/%'
d.path LIKE '".Database :: escape_string($uploadPath.'/%/%')."'
LIMIT ".$from.",".$limit; // only .htm or .html files listed
} else {
$sql = "SELECT d.path as path, d.comment as comment, ip.visibility as visibility
@ -931,7 +933,7 @@ if ($is_allowedToEdit) {
d.id = ip.ref AND
ip.tool = '".TOOL_DOCUMENT."' AND
(d.path LIKE '%htm%') AND
d.path LIKE '".Database :: escape_string($uploadPath)."/%/%' AND
d.path LIKE '".Database :: escape_string($uploadPath.'/%/%')."' AND
ip.visibility='1'
LIMIT ".$from.",".$limit;
}
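Review bot: The rewritten `d.path LIKE` lines sit directly above `LIMIT ".$from.",".$limit`, which still concatenates both paging values uncast and unquoted; if `$from` and `$limit` derive from the request (their assignment is outside the hunk), cast them before the query, `$from = intval($from); $limit = intval($limit);`. Moving `/%/%` inside escape_string() is behaviour-neutral, because that function does not escape LIKE metacharacters at all — which also means a `%` or `_` inside `$uploadPath` itself would act as a wildcard; presumably harmless since the path looks like a fixed constant, but worth confirming. The enclosing branch starts and ends outside the hunk.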

@ -527,7 +527,7 @@ function store_forumcategory($values)
$table_categories = Database::get_course_table(TABLE_FORUM_CATEGORY);
// Find the max cat_order. The new forum category is added at the end => max cat_order + &
$sql = "SELECT MAX(cat_order) as sort_max FROM ".Database::escape_string($table_categories)."
$sql = "SELECT MAX(cat_order) as sort_max FROM ".$table_categories."
WHERE c_id = $course_id";
$result = Database::query($sql);
$row = Database::fetch_array($result);
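Review bot: The comment above the query, `max cat_order + &`, is a typo for `+ 1` and should read `// Find the max cat_order. The new forum category is added at the end => max cat_order + 1`. Dropping escape_string() on the table name is right, since it comes from Database::get_course_table(), but the `c_id = $course_id` interpolation still relies on `$course_id` having been cast to int earlier in store_forumcategory(), which is outside the hunk.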

@ -10,7 +10,6 @@ require_once api_get_path(LIBRARY_PATH).'grade_model.lib.php';
* Defines a gradebook Category object
* @package chamilo.gradebook
*/
class Category implements GradebookItem
{
private $id;
@ -206,8 +205,9 @@ class Category implements GradebookItem
if (!empty($session_id)) {
$tbl_grade_categories = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
$sql = 'SELECT id, course_code FROM '.$tbl_grade_categories. '
WHERE session_id = '.$session_id;
$sql = 'SELECT id, course_code
FROM '.$tbl_grade_categories. '
WHERE session_id = '.$session_id;
$result_session = Database::query($sql);
if (Database::num_rows($result_session) > 0) {
$categoryList = array();
@ -219,6 +219,7 @@ class Category implements GradebookItem
//$allSubCategories = Category::load(null,null,null, $parent_id, null, $session_id, null);
}
}
return $categoryList;
}
}
@ -226,13 +227,13 @@ class Category implements GradebookItem
/**
* Retrieve categories and return them as an array of Category objects
* @param int category id
* @param int user id (category owner)
* @param string course code
* @param int parent category
* @param bool visible
* @param int session id (in case we are in a session)
* @param bool Whether to show all "session" categories (true) or hide them (false) in case there is no session id
* @param int $id category id
* @param int $user_id (category owner)
* @param string $course_code
* @param int $parent_id parent category
* @param bool $visible
* @param int $session_id (in case we are in a session)
* @param bool $order_by Whether to show all "session" categories (true) or hide them (false) in case there is no session id
*/
public static function load(
$id = null,
@ -256,7 +257,6 @@ class Category implements GradebookItem
$sql = 'SELECT * FROM '.$tbl_grade_categories;
$paramcount = 0;
if (isset($id)) {
$id = Database::escape_string($id);
$sql.= ' WHERE id = '.intval($id);
$paramcount ++;
}
@ -273,7 +273,6 @@ class Category implements GradebookItem
}
if (isset($course_code)) {
$course_code = Database::escape_string($course_code);
if ($paramcount != 0) {
$sql .= ' AND';
} else {
@ -303,7 +302,6 @@ class Category implements GradebookItem
}
if (isset($parent_id)) {
$parent_id = Database::escape_string($parent_id);
if ($paramcount != 0) {
$sql .= ' AND ';
} else {
@ -314,7 +312,6 @@ class Category implements GradebookItem
}
if (isset($visible)) {
$visible = Database::escape_string($visible);
if ($paramcount != 0) {
$sql .= ' AND';
} else {
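Review bot: Removing `$course_code = Database::escape_string($course_code);` leaves `$course_code` unescaped at the point where Category::load() quotes it into the query, unless the comparison that follows escapes inline; unlike `$id`, which the WHERE line now wraps in intval(), this is a string value, so the fragment should read something like `$sql .= " course_code = '".Database::escape_string($course_code)."'";`. The parallel removals for `$parent_id` and `$visible` are only safe if their WHERE fragments use intval(); those lines lie past the hunk and should be checked. load() starts and ends outside this hunk.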

@ -5,6 +5,7 @@ require_once api_get_path(LIBRARY_PATH).'tracking.lib.php';
require_once api_get_path(LIBRARY_PATH).'course_category.lib.php';
/**
* Class Auth
* Auth can be used to instantiate objects or as a library to manage courses
* This file contains a class used like library provides functions for auth tool.
* It's also used like model to courses_controller (MVC pattern)
@ -19,7 +20,6 @@ class Auth
*/
public function __construct()
{
}
/**
@ -35,8 +35,13 @@ class Auth
$TABLE_COURSE_FIELD_VALUE = Database::get_main_table(TABLE_MAIN_COURSE_FIELD_VALUES);
// get course list auto-register
$sql = "SELECT course_code FROM $TABLE_COURSE_FIELD_VALUE tcfv INNER JOIN $TABLE_COURSE_FIELD tcf ON " .
" tcfv.field_id = tcf.id WHERE tcf.field_variable = 'special_course' AND tcfv.field_value = 1 ";
$sql = "SELECT course_code FROM $TABLE_COURSE_FIELD_VALUE tcfv
INNER JOIN $TABLE_COURSE_FIELD tcf
ON tcfv.field_id = tcf.id
WHERE
tcf.field_variable = 'special_course' AND
tcfv.field_value = 1
";
$special_course_result = Database::query($sql);
if (Database::num_rows($special_course_result) > 0) {
@ -476,25 +481,36 @@ class Auth
}
$search_term_safe = Database::escape_string($search_term);
$sql_find = "SELECT * FROM $TABLECOURS WHERE (code LIKE '%" .
$search_term_safe . "%' OR title LIKE '%" . $search_term_safe .
"%' OR tutor_name LIKE '%" . $search_term_safe . "%')" .
$without_special_courses . "ORDER BY title, visual_code ASC " .
$limitFilter;
$sql_find = "SELECT * FROM $TABLECOURS
WHERE (
code LIKE '%".$search_term_safe . "%' OR
title LIKE '%" . $search_term_safe ."%' OR
tutor_name LIKE '%" . $search_term_safe . "%'
)
$without_special_courses
ORDER BY title, visual_code ASC
$limitFilter
";
global $_configuration;
if ($_configuration['multiple_access_urls']) {
$url_access_id = api_get_current_access_url_id();
if ($url_access_id != -1) {
$tbl_url_rel_course = Database::get_main_table(TABLE_MAIN_ACCESS_URL_REL_COURSE);
$sql_find = "SELECT * FROM $TABLECOURS as course INNER JOIN" .
$tbl_url_rel_course . "as url_rel_course ON
(url_rel_course.course_code=course.code) WHERE access_url_id = " .
$url_access_id . "AND (code LIKE '%" . $search_term_safe . "%'
OR title LIKE '%" . $search_term_safe . "%'
OR tutor_name LIKE '%" . $search_term_safe . "%' )
$without_special_courses ORDER BY title, visual_code ASC " .
$limitFilter;
$sql_find = "SELECT *
FROM $TABLECOURS as course
INNER JOIN $tbl_url_rel_course as url_rel_course
ON (url_rel_course.course_code=course.code)
WHERE
access_url_id = $url_access_id AND (
code LIKE '%" . $search_term_safe . "%' OR
title LIKE '%" . $search_term_safe . "%' OR
tutor_name LIKE '%" . $search_term_safe . "%'
)
$without_special_courses
ORDER BY title, visual_code ASC
$limitFilter
";
}
}
$result_find = Database::query($sql_find);
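Review bot: `$search_term_safe` is protected against quote breaking only; Database::escape_string() leaves the LIKE metacharacters `%` and `_` intact, so a search term of `%` matches every course and `_` patterns match arbitrarily in the three `LIKE '%...%'` clauses of the rewritten queries. Escape them once where the variable is built (a context line of this hunk): `$search_term_safe = addcslashes(Database::escape_string($search_term), '%_');`. `$limitFilter` and `$url_access_id` are interpolated raw; they appear to come from internal helpers, but their construction is outside the hunk, as is the start of the enclosing search method.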

@ -1739,8 +1739,8 @@ class CourseManager
* @param string $course_code
* @param boolean $with_session
* @param integer $session_id
* @param date $date_from
* @param date $date_to
* @param string $date_from
* @param string $date_to
* @return array with user id
*/
public static function get_student_list_from_course_code(
@ -1995,7 +1995,10 @@ class CourseManager
FROM ".Database::get_main_table(TABLE_MAIN_COURSE)." course
LEFT JOIN ".Database::get_main_table(TABLE_MAIN_COURSE_USER)." course_user
ON course.code = course_user.course_code
WHERE course.target_course_code = '$course_code' AND course_user.user_id = '$user_id' AND course_user.relation_type<>".COURSE_RELATION_TYPE_RRHH." ";
WHERE
course.target_course_code = '$course_code' AND
course_user.user_id = '$user_id' AND
course_user.relation_type<>".COURSE_RELATION_TYPE_RRHH." ";
$sql_result = Database::query($sql);
while ($result = Database::fetch_array($sql_result)) {
@ -2175,13 +2178,12 @@ class CourseManager
$table_stats_links = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_LINKS);
$table_stats_uploads = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_UPLOADS);
$code = Database::escape_string($code);
$sql = "SELECT * FROM $table_course WHERE code='".$code."'";
$codeFiltered = Database::escape_string($code);
$sql = "SELECT * FROM $table_course WHERE code='".$codeFiltered."'";
$res = Database::query($sql);
if (Database::num_rows($res) == 0) {
return;
}
$this_course = Database::fetch_array($res);
$count = 0;
if (api_is_multiple_url_enabled()) {
require_once api_get_path(LIBRARY_PATH).'urlmanager.lib.php';
@ -2193,177 +2195,183 @@ class CourseManager
$count = UrlManager::getcountUrlRelCourse($code);
}
if ($count == 0) {
self::create_database_dump($code);
if (!self::is_virtual_course_from_system_code($code)) {
// If this is not a virtual course, look for virtual courses that depend on this one, if any
$virtual_courses = self::get_virtual_courses_linked_to_real_course($code);
foreach ($virtual_courses as $index => $virtual_course) {
// Unsubscribe all classes from the virtual course
/*$sql = "DELETE FROM $table_course_class WHERE course_code='".$virtual_course['code']."'";
Database::query($sql);*/
// Unsubscribe all users from the virtual course
$sql = "DELETE FROM $table_course_user WHERE course_code='".$virtual_course['code']."'";
Database::query($sql);
// Delete the course from the sessions tables
$sql = "DELETE FROM $table_session_course WHERE course_code='".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_session_course_user WHERE course_code='".$virtual_course['code']."'";
Database::query($sql);
// Delete the course from the survey tables
$sql = "DELETE FROM $table_course_survey WHERE course_code='".$virtual_course['code']."'";
Database::query($sql);
/*$sql = "DELETE FROM $table_course_survey_user WHERE db_name='".$virtual_course['db_name']."'";
Database::query($sql);
$sql = "DELETE FROM $table_course_survey_reminder WHERE db_name='".$virtual_course['db_name']."'";
Database::query($sql);*/
// Delete the course from the stats tables
$sql = "DELETE FROM $table_stats_hotpots WHERE exe_cours_id = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_attempt WHERE course_code = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_exercises WHERE exe_cours_id = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_access WHERE access_cours_code = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_lastaccess WHERE access_cours_code = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_course_access WHERE course_code = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_online WHERE course = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_default WHERE default_cours_code = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_downloads WHERE down_cours_id = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_links WHERE links_cours_id = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_uploads WHERE upload_cours_id = '".$virtual_course['code']."'";
Database::query($sql);
self::create_database_dump($code);
if (!self::is_virtual_course_from_system_code($code)) {
// If this is not a virtual course, look for virtual courses that depend on this one, if any
$virtual_courses = self::get_virtual_courses_linked_to_real_course($code);
foreach ($virtual_courses as $index => $virtual_course) {
// Unsubscribe all classes from the virtual course
/*$sql = "DELETE FROM $table_course_class WHERE course_code='".$virtual_course['code']."'";
Database::query($sql);*/
// Unsubscribe all users from the virtual course
$sql = "DELETE FROM $table_course_user WHERE course_code='".$virtual_course['code']."'";
Database::query($sql);
// Delete the course from the sessions tables
$sql = "DELETE FROM $table_session_course WHERE course_code='".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_session_course_user WHERE course_code='".$virtual_course['code']."'";
Database::query($sql);
// Delete the course from the survey tables
$sql = "DELETE FROM $table_course_survey WHERE course_code='".$virtual_course['code']."'";
Database::query($sql);
/*$sql = "DELETE FROM $table_course_survey_user WHERE db_name='".$virtual_course['db_name']."'";
Database::query($sql);
$sql = "DELETE FROM $table_course_survey_reminder WHERE db_name='".$virtual_course['db_name']."'";
Database::query($sql);*/
// Delete the course from the course table
$sql = "DELETE FROM $table_course WHERE code='".$virtual_course['code']."'";
Database::query($sql);
}
// Delete the course from the stats tables
$sql = "SELECT * FROM $table_course WHERE code='".$code."'";
$res = Database::query($sql);
$course = Database::fetch_array($res);
$course_tables = get_course_tables();
$sql = "DELETE FROM $table_stats_hotpots WHERE exe_cours_id = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_attempt WHERE course_code = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_exercises WHERE exe_cours_id = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_access WHERE access_cours_code = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_lastaccess WHERE access_cours_code = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_course_access WHERE course_code = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_online WHERE course = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_default WHERE default_cours_code = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_downloads WHERE down_cours_id = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_links WHERE links_cours_id = '".$virtual_course['code']."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_uploads WHERE upload_cours_id = '".$virtual_course['code']."'";
Database::query($sql);
//Cleaning c_x tables
if (!empty($course['id'])) {
foreach($course_tables as $table) {
$table = Database::get_course_table($table);
$sql = "DELETE FROM $table WHERE c_id = {$course['id']} ";
// Delete the course from the course table
$sql = "DELETE FROM $table_course WHERE code='".$virtual_course['code']."'";
Database::query($sql);
}
}
$course_dir = api_get_path(SYS_COURSE_PATH).$course['directory'];
$archive_dir = api_get_path(SYS_ARCHIVE_PATH).$course['directory'].'_'.time();
if (is_dir($course_dir)) {
rename($course_dir, $archive_dir);
}
}
// Unsubscribe all classes from the course
/*$sql = "DELETE FROM $table_course_class WHERE course_code='".$code."'";
Database::query($sql);*/
// Unsubscribe all users from the course
$sql = "DELETE FROM $table_course_user WHERE course_code='".$code."'";
Database::query($sql);
// Delete the course from the sessions tables
$sql = "DELETE FROM $table_session_course WHERE course_code='".$code."'";
Database::query($sql);
$sql = "DELETE FROM $table_session_course_user WHERE course_code='".$code."'";
Database::query($sql);
// Delete from Course - URL
$sql = "DELETE FROM $table_course_rel_url WHERE course_code = '".$code."'";
Database::query($sql);
$sql = "SELECT * FROM $table_course WHERE code='".$codeFiltered."'";
$res = Database::query($sql);
$course = Database::fetch_array($res);
$course_tables = get_course_tables();
//Cleaning c_x tables
if (!empty($course['id'])) {
foreach($course_tables as $table) {
$table = Database::get_course_table($table);
$sql = "DELETE FROM $table WHERE c_id = {$course['id']} ";
Database::query($sql);
}
}
$course_dir = api_get_path(SYS_COURSE_PATH).$course['directory'];
$archive_dir = api_get_path(SYS_ARCHIVE_PATH).$course['directory'].'_'.time();
if (is_dir($course_dir)) {
rename($course_dir, $archive_dir);
}
}
$sql = 'SELECT survey_id FROM '.$table_course_survey.' WHERE course_code="'.$code.'"';
$result_surveys = Database::query($sql);
while($surveys = Database::fetch_array($result_surveys)) {
$survey_id = $surveys[0];
$sql = 'DELETE FROM '.$table_course_survey_question.' WHERE survey_id="'.$survey_id.'"';
// Unsubscribe all classes from the course
/*$sql = "DELETE FROM $table_course_class WHERE course_code='".$code."'";
Database::query($sql);*/
// Unsubscribe all users from the course
$sql = "DELETE FROM $table_course_user WHERE course_code='".$codeFiltered."'";
Database::query($sql);
$sql = 'DELETE FROM '.$table_course_survey_question_option.' WHERE survey_id="'.$survey_id.'"';
// Delete the course from the sessions tables
$sql = "DELETE FROM $table_session_course WHERE course_code='".$codeFiltered."'";
Database::query($sql);
$sql = 'DELETE FROM '.$table_course_survey.' WHERE survey_id="'.$survey_id.'"';
$sql = "DELETE FROM $table_session_course_user WHERE course_code='".$codeFiltered."'";
Database::query($sql);
}
// Delete the course from the stats tables
$sql = "DELETE FROM $table_stats_hotpots WHERE exe_cours_id = '".$code."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_attempt WHERE course_code = '".$code."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_exercises WHERE exe_cours_id = '".$code."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_access WHERE access_cours_code = '".$code."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_lastaccess WHERE access_cours_code = '".$code."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_course_access WHERE course_code = '".$code."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_online WHERE course = '".$code."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_default WHERE default_cours_code = '".$code."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_downloads WHERE down_cours_id = '".$code."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_links WHERE links_cours_id = '".$code."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_uploads WHERE upload_cours_id = '".$code."'";
Database::query($sql);
// Delete from Course - URL
$sql = "DELETE FROM $table_course_rel_url WHERE course_code = '".$codeFiltered."'";
Database::query($sql);
// Delete the course from the database
$sql = "DELETE FROM $table_course WHERE code='".$code."'";
Database::query($sql);
$sql = 'SELECT survey_id FROM '.$table_course_survey.' WHERE course_code="'.$codeFiltered.'"';
$result_surveys = Database::query($sql);
while($surveys = Database::fetch_array($result_surveys)) {
$survey_id = $surveys[0];
$sql = 'DELETE FROM '.$table_course_survey_question.' WHERE survey_id="'.$survey_id.'"';
Database::query($sql);
$sql = 'DELETE FROM '.$table_course_survey_question_option.' WHERE survey_id="'.$survey_id.'"';
Database::query($sql);
$sql = 'DELETE FROM '.$table_course_survey.' WHERE survey_id="'.$survey_id.'"';
Database::query($sql);
}
// delete extra course fields
$t_cf = Database::get_main_table(TABLE_MAIN_COURSE_FIELD);
$t_cfv = Database::get_main_table(TABLE_MAIN_COURSE_FIELD_VALUES);
// Delete the course from the stats tables
$sql = "SELECT distinct field_id FROM $t_cfv WHERE course_code = '$code'";
$res_field_ids = @Database::query($sql);
$sql = "DELETE FROM $table_stats_hotpots WHERE exe_cours_id = '".$codeFiltered."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_attempt WHERE course_code = '".$codeFiltered."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_exercises WHERE exe_cours_id = '".$codeFiltered."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_access WHERE access_cours_code = '".$codeFiltered."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_lastaccess WHERE access_cours_code = '".$codeFiltered."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_course_access WHERE course_code = '".$codeFiltered."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_online WHERE course = '".$codeFiltered."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_default WHERE default_cours_code = '".$codeFiltered."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_downloads WHERE down_cours_id = '".$codeFiltered."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_links WHERE links_cours_id = '".$codeFiltered."'";
Database::query($sql);
$sql = "DELETE FROM $table_stats_uploads WHERE upload_cours_id = '".$codeFiltered."'";
Database::query($sql);
while($row_field_id = Database::fetch_row($res_field_ids)){
$field_ids[] = $row_field_id[0];
}
// Delete the course from the database
$sql = "DELETE FROM $table_course WHERE code='".$codeFiltered."'";
Database::query($sql);
//delete from table_course_field_value from a given course_code
// delete extra course fields
$t_cf = Database::get_main_table(TABLE_MAIN_COURSE_FIELD);
$t_cfv = Database::get_main_table(TABLE_MAIN_COURSE_FIELD_VALUES);
$sql_course_field_value = "DELETE FROM $t_cfv WHERE course_code = '$code'";
@Database::query($sql_course_field_value);
$sql = "SELECT distinct field_id FROM $t_cfv WHERE course_code = '$codeFiltered'";
$res_field_ids = Database::query($sql);
$field_ids = array();
while($row_field_id = Database::fetch_row($res_field_ids)){
$field_ids[] = $row_field_id[0];
}
$sql = "SELECT distinct field_id FROM $t_cfv";
$res_field_all_ids = @Database::query($sql);
// Delete from table_course_field_value from a given course_code
$sql_course_field_value = "DELETE FROM $t_cfv WHERE course_code = '$codeFiltered'";
Database::query($sql_course_field_value);
while($row_field_all_id = Database::fetch_row($res_field_all_ids)){
$field_all_ids[] = $row_field_all_id[0];
}
$sql = "SELECT distinct field_id FROM $t_cfv";
$res_field_all_ids = Database::query($sql);
$field_all_ids = array();
while($row_field_all_id = Database::fetch_row($res_field_all_ids)) {
$field_all_ids[] = $row_field_all_id[0];
}
if (is_array($field_ids) && count($field_ids) > 0) {
foreach ($field_ids as $field_id) {
// check if field id is used into table field value
if (is_array($field_all_ids)) {
if (in_array($field_id, $field_all_ids)) {
continue;
} else {
$sql_course_field = "DELETE FROM $t_cf WHERE id = '$field_id'";
Database::query($sql_course_field);
if (is_array($field_ids) && count($field_ids) > 0) {
foreach ($field_ids as $field_id) {
// check if field id is used into table field value
if (is_array($field_all_ids)) {
if (in_array($field_id, $field_all_ids)) {
continue;
} else {
$sql_course_field = "DELETE FROM $t_cf WHERE id = '$field_id'";
Database::query($sql_course_field);
}
}
}
}
}
// Add event to system log
$user_id = api_get_user_id();
event_system(LOG_COURSE_DELETE, LOG_COURSE_CODE, $code, api_get_utc_datetime(), $user_id, $code);
// Add event to system log
$user_id = api_get_user_id();
event_system(
LOG_COURSE_DELETE,
LOG_COURSE_CODE,
$code,
api_get_utc_datetime(),
$user_id,
$code
);
}
}
@ -2884,8 +2892,8 @@ class CourseManager
*/
public static function update_course_extra_field_value($course_code, $fname, $fvalue = '')
{
$t_cfv = Database::get_main_table(TABLE_MAIN_COURSE_FIELD_VALUES);
$t_cf = Database::get_main_table(TABLE_MAIN_COURSE_FIELD);
$t_cfv = Database::get_main_table(TABLE_MAIN_COURSE_FIELD_VALUES);
$t_cf = Database::get_main_table(TABLE_MAIN_COURSE_FIELD);
$fname = Database::escape_string($fname);
$course_code = Database::escape_string($course_code);
$fvalues = '';
@ -3180,7 +3188,8 @@ class CourseManager
$result = Database::query($sql);
if (Database::num_rows($result) > 0) {
while ($row = Database::fetch_array($result)) {
$sql = "DELETE FROM $tbl_course_rel_user WHERE course_code = '{$row['course_code']}' AND user_id = $hr_manager_id AND relation_type=".COURSE_RELATION_TYPE_RRHH." ";
$sql = "DELETE FROM $tbl_course_rel_user
WHERE course_code = '{$row['course_code']}' AND user_id = $hr_manager_id AND relation_type=".COURSE_RELATION_TYPE_RRHH." ";
Database::query($sql);
}
}
@ -3189,7 +3198,8 @@ class CourseManager
if (is_array($courses_list)) {
foreach ($courses_list as $course_code) {
$course_code = Database::escape_string($course_code);
$insert_sql = "INSERT IGNORE INTO $tbl_course_rel_user(course_code, user_id, status, relation_type) VALUES('$course_code', $hr_manager_id, '".DRH."', '".COURSE_RELATION_TYPE_RRHH."')";
$insert_sql = "INSERT IGNORE INTO $tbl_course_rel_user(course_code, user_id, status, relation_type)
VALUES('$course_code', $hr_manager_id, '".DRH."', '".COURSE_RELATION_TYPE_RRHH."')";
Database::query($insert_sql);
if (Database::affected_rows()) {
$affected_rows++;
@ -3349,23 +3359,28 @@ class CourseManager
/**
* check if a course is special (autoregister)
* @param string course code
* @param string $course_code
*/
public static function is_special_course($course_code)
{
$tbl_course_field_value = Database::get_main_table(TABLE_MAIN_COURSE_FIELD_VALUES);
$tbl_course_field = Database::get_main_table(TABLE_MAIN_COURSE_FIELD);
$tbl_course_field_value = Database::get_main_table(TABLE_MAIN_COURSE_FIELD_VALUES);
$tbl_course_field = Database::get_main_table(TABLE_MAIN_COURSE_FIELD);
$is_special = false;
$course_code = Database::escape_string($course_code);
$sql = "SELECT course_code
FROM $tbl_course_field_value tcfv
INNER JOIN $tbl_course_field tcf ON tcfv.field_id = tcf.id
WHERE tcf.field_variable = 'special_course' AND tcfv.field_value = 1 AND course_code='$course_code'";
WHERE
tcf.field_variable = 'special_course' AND
tcfv.field_value = 1 AND
course_code='$course_code'";
$result = Database::query($sql);
$num_rows = Database::num_rows($result);
if ($num_rows > 0){
$is_special = true;
}
return $is_special;
}
@ -3894,20 +3909,20 @@ class CourseManager
*/
public static function get_logged_user_course_html($course, $session_id = 0, $class = 'courses', $session_accessible = true, $load_dirs = false)
{
global $nosession, $nbDigestEntries, $digest, $thisCourseSysCode, $orderKey;
global $nosession;
$user_id = api_get_user_id();
$course_info = api_get_course_info($course['code']);
$status_course = CourseManager::get_user_in_course_status($user_id, $course_info['code']);
$course_info['status'] = empty($session_id) ? $status_course : STUDENT;
$course_info['id_session'] = $session_id;
if (!$nosession) {
global $now, $date_start, $date_end;
}
if (empty($date_start) or empty($date_end)) {
$sess = SessionManager::get_sessions_list(array('s.id = ' => $course_info['id_session']));
$sess = SessionManager::get_sessions_list(
array('s.id' => array('operator' => '=', 'value' => $course_info['id_session']))
);
$date_start = $sess[$course_info['id_session']]['date_start'];
$date_end = $sess[$course_info['id_session']]['date_end'];
}
@ -3917,17 +3932,21 @@ class CourseManager
}
// Table definitions
$main_user_table = Database :: get_main_table(TABLE_MAIN_USER);
$tbl_session = Database :: get_main_table(TABLE_MAIN_SESSION);
$tbl_session_category = Database :: get_main_table(TABLE_MAIN_SESSION_CATEGORY);
$main_user_table = Database :: get_main_table(TABLE_MAIN_USER);
$tbl_session = Database :: get_main_table(TABLE_MAIN_SESSION);
$tbl_session_category = Database :: get_main_table(TABLE_MAIN_SESSION_CATEGORY);
$course_access_settings = CourseManager::get_access_settings($course_info['code']);
$course_visibility = $course_access_settings['visibility'];
$course_access_settings = CourseManager::get_access_settings($course_info['code']);
$course_visibility = $course_access_settings['visibility'];
if ($course_visibility == COURSE_VISIBILITY_HIDDEN) {
return '';
}
$user_in_course_status = CourseManager::get_user_in_course_status(api_get_user_id(), $course_info['code']);
$user_in_course_status = CourseManager::get_user_in_course_status(
api_get_user_id(),
$course_info['code']
);
$is_coach = api_is_coach($course_info['id_session'], $course['code']);
@ -3935,8 +3954,11 @@ class CourseManager
// Show a hyperlink to the course, unless the course is closed and user is not course admin.
$session_url = '';
$session_title = '';
if ($session_accessible) {
if ($course_visibility != COURSE_VISIBILITY_CLOSED || $user_in_course_status == COURSEMANAGER) {
if ($course_visibility != COURSE_VISIBILITY_CLOSED ||
$user_in_course_status == COURSEMANAGER
) {
if (!$nosession) {
if (empty($course_info['id_session'])) {
$course_info['id_session'] = 0;
@ -3985,10 +4007,11 @@ class CourseManager
$params['link'] = $session_url;
$params['title'] = $session_title;
$params['right_actions'] = '';
if ($course_visibility != COURSE_VISIBILITY_CLOSED && $course_visibility != COURSE_VISIBILITY_HIDDEN) {
if ($course_visibility != COURSE_VISIBILITY_CLOSED &&
$course_visibility != COURSE_VISIBILITY_HIDDEN
) {
if ($load_dirs) {
$params['right_actions'] .= '<a id="document_preview_'.$course_info['real_id'].'_'.$course_info['id_session'].'" class="document_preview" href="javascript:void(0);">'.Display::return_icon('folder.png', get_lang('Documents'), array('align' => 'absmiddle'),ICON_SIZE_SMALL).'</a>';
$params['right_actions'] .= Display::div('', array('id' => 'document_result_'.$course_info['real_id'].'_'.$course_info['id_session'], 'class'=>'document_preview_container'));
@ -4000,9 +4023,19 @@ class CourseManager
}
if (api_get_setting('display_teacher_in_courselist') == 'true') {
$teacher_list = null;
if (!$nosession) {
$teacher_list = CourseManager::get_teacher_list_from_course_code_to_string($course_info['code'], self::USER_SEPARATOR, true);
$course_coachs = CourseManager::get_coachs_from_course_to_string($course_info['id_session'], $course['code'], self::USER_SEPARATOR, true);
$teacher_list = CourseManager::get_teacher_list_from_course_code_to_string(
$course_info['code'],
self::USER_SEPARATOR,
true
);
$course_coachs = CourseManager::get_coachs_from_course_to_string(
$course_info['id_session'],
$course['code'],
self::USER_SEPARATOR,
true
);
if ($course_info['status'] == COURSEMANAGER || ($course_info['status'] == STUDENT && empty($course_info['id_session'])) || empty($course_info['status'])) {
$params['teachers'] = $teacher_list;
@ -4722,6 +4755,9 @@ class CourseManager
if (!empty($specialCourseList)) {
$withoutSpecialCourses = ' AND c.code NOT IN ("'.implode('","',$specialCourseList).'")';
}
$visibilityCondition = null;
if (isset($_configuration['course_catalog_hide_private'])) {
if ($_configuration['course_catalog_hide_private'] == true) {
$courseInfo = api_get_course_info();
@ -4731,7 +4767,14 @@ class CourseManager
}
if (!empty($accessUrlId) && $accessUrlId == intval($accessUrlId)) {
$sql = "SELECT count(id) FROM $tableCourse c, $tableCourseRelAccessUrl u
WHERE c.code = u.course_code AND u.access_url_id = $accessUrlId AND c.visibility != 0 AND c.visibility != 4 $withoutSpecialCourses $visibilityCondition";
WHERE
c.code = u.course_code AND
u.access_url_id = $accessUrlId AND
c.visibility != 0 AND
c.visibility != 4
$withoutSpecialCourses
$visibilityCondition
";
}
$res = Database::query($sql);
$row = Database::fetch_row($res);

@ -18,7 +18,7 @@ function isMultipleUrlSupport()
function getCategoryById($categoryId)
{
$tbl_category = Database::get_main_table(TABLE_MAIN_CATEGORY);
$categoryId = Database::escape_string($categoryId);
$categoryId = intval($categoryId);
$sql = "SELECT * FROM $tbl_category WHERE id = '$categoryId'";
$result = Database::query($sql);
if (Database::num_rows($result)) {
@ -503,7 +503,7 @@ function browseCourseCategories()
* @return int
*/
function countCoursesInCategory($category_code="", $searchTerm = '')
{
{
global $_configuration;
$tbl_course = Database::get_main_table(TABLE_MAIN_COURSE);
$TABLE_COURSE_FIELD = Database :: get_main_table(TABLE_MAIN_COURSE_FIELD);
@ -556,9 +556,14 @@ function countCoursesInCategory($category_code="", $searchTerm = '')
}
$sql = "SELECT * FROM $tbl_course
WHERE visibility != '0' AND visibility != '4'".
$categoryFilter . $searchFilter .
$without_special_courses . $visibilityCondition;
WHERE
visibility != '0' AND
visibility != '4'
$categoryFilter
$searchFilter
$without_special_courses
$visibilityCondition
";
// Showing only the courses of the current portal access_url_id.
if (api_is_multiple_url_enabled()) {
@ -566,11 +571,17 @@ function countCoursesInCategory($category_code="", $searchTerm = '')
if ($url_access_id != -1) {
$tbl_url_rel_course = Database::get_main_table(TABLE_MAIN_ACCESS_URL_REL_COURSE);
$sql = "SELECT * FROM $tbl_course as course
INNER JOIN $tbl_url_rel_course as url_rel_course
ON (url_rel_course.course_code=course.code)
WHERE access_url_id = $url_access_id AND course.visibility != '0'
AND course.visibility != '4' AND category_code" . "='" . $category_code . "'" .
$searchTerm . $without_special_courses. $visibilityCondition;
INNER JOIN $tbl_url_rel_course as url_rel_course
ON (url_rel_course.course_code=course.code)
WHERE
access_url_id = $url_access_id AND
course.visibility != '0' AND
course.visibility != '4' AND
category_code = '$category_code'
$searchTerm
$without_special_courses
$visibilityCondition
";
}
}
@ -585,7 +596,7 @@ function countCoursesInCategory($category_code="", $searchTerm = '')
* @return array
*/
function browseCoursesInCategory($category_code, $random_value = null, $limit = array())
{
{
global $_configuration;
$tbl_course = Database::get_main_table(TABLE_MAIN_COURSE);
$TABLE_COURSE_FIELD = Database::get_main_table(TABLE_MAIN_COURSE_FIELD);
@ -609,6 +620,7 @@ function browseCoursesInCategory($category_code, $random_value = null, $limit =
if (!empty($special_course_list)) {
$without_special_courses = ' AND course.code NOT IN (' . implode(',', $special_course_list) . ')';
}
$visibilityCondition = null;
if (isset($_configuration['course_catalog_hide_private'])) {
if ($_configuration['course_catalog_hide_private'] == true) {
$courseInfo = api_get_course_info();
@ -960,10 +972,10 @@ function getCataloguePagination($pageCurrent, $pageLength, $pageTotal)
$categoryCode = null,
$hiddenLinks = null,
$action = null
)
{
$action = isset($action) ? Security::remove_XSS($action) :
Security::remove_XSS($_REQUEST['action']);
) {
$action = isset($action) ? Security::remove_XSS($action) : Security::remove_XSS($_REQUEST['action']);
$searchTerm = isset($_REQUEST['search_term']) ? Security::remove_XSS($_REQUEST['search_term']) : null;
// Start URL with params
$pageUrl = api_get_self() .
'?action=' . $action .
@ -982,7 +994,7 @@ function getCataloguePagination($pageCurrent, $pageLength, $pageTotal)
case 'subscribe' :
// for search
$pageUrl .=
'&search_term=' . $_REQUEST['search_term'] .
'&search_term=' . $searchTerm .
'&search_course=1' .
'&sec_token=' . $_SESSION['sec_token'];
break;
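Review bot: In the multi-URL branch of countCoursesInCategory the reformatted query still splices the raw `$searchTerm` parameter into the SQL (the `$searchTerm` line right after `category_code = '$category_code'`), whereas the single-URL query a few lines above uses the derived `$searchFilter` clause. Unless `$searchTerm` is reassigned to a filter fragment earlier in the function (its start is outside the hunk), a non-empty search string produces either a broken query or an injection point; that line should read `$searchFilter`. `$category_code` is interpolated inside quotes here as well, so it is worth confirming it was passed through `Database::escape_string()` above the hunk. In getCataloguePagination the new `$searchTerm` is XSS-filtered but still appended to `$pageUrl` without `urlencode()`, so characters such as `&` or `#` in a search term will break the generated links.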

@ -455,21 +455,29 @@ class Database
* @param string The string to escape
* @return string The escaped string
*/
public static function escape_sql_wildcards($in_txt) {
public static function escape_sql_wildcards($in_txt)
{
$out_txt = api_preg_replace("/_/", "\_", $in_txt);
$out_txt = api_preg_replace("/%/", "\%", $out_txt);
return $out_txt;
}
/**
* Escapes a string to insert into the database as text
* @param string The string to escape
* @param resource $connection (optional) The database server connection, for detailed description see the method query().
* @return string The escaped string
* @param string $string The string to escape
* @param resource $connection (optional) The database server connection, for detailed description see the method query().
* @param bool $addFix
* @return string he escaped string
* @author Yannick Warnier <yannick.warnier@dokeos.com>
* @author Patrick Cool <patrick.cool@UGent.be>, Ghent University
*/
public static function escape_string($string, $connection = null) {
public static function escape_string($string, $connection = null, $addFix = true)
{
// Fixes security problem when there's no "" or '' between a variable.
if ($addFix) {
$string = "__@$string@__";
}
return get_magic_quotes_gpc()
? (self::use_default_connection($connection)
? mysql_real_escape_string(stripslashes($string))
@ -479,6 +487,7 @@ class Database
: mysql_real_escape_string($string, $connection));
}
/**
* Gets the array from a SQL result (as returned by Database::query) - help achieving database independence
* @param resource The result from a call to sql_query (e.g. Database::query)
@ -486,8 +495,9 @@ class Database
* @return array Array of results as returned by php
* @author Yannick Warnier <yannick.warnier@beeznest.com>
*/
public static function fetch_array($result, $option = 'BOTH') {
if ($result === false) { return array(); }
public static function fetch_array($result, $option = 'BOTH')
{
if ($result === false) { return array(); }
return $option == 'ASSOC' ? mysql_fetch_array($result, MYSQL_ASSOC) : ($option == 'NUM' ? mysql_fetch_array($result, MYSQL_NUM) : mysql_fetch_array($result));
}
@ -674,6 +684,32 @@ class Database
return self::num_rows($resource) > 0 ? (!empty($field) ? mysql_result($resource, $row, $field) : mysql_result($resource, $row)) : null;
}
/**
* Removes "__@" prefix and @__ suffix added by Database::escape_string()
* @param string $query
* @return mixed
*/
public static function fixQuery($query)
{
// LIKE condition
$query = str_replace("'%__@", "'%", $query);
$query = str_replace("@__%'", "%'", $query);
// Fixing doubles
$query = str_replace("__@__@", "__@", $query);
$query = str_replace("@__@__", "@__", $query);
$query = str_replace("'__@", "'", $query);
$query = str_replace('"__@', "'", $query);
$query = str_replace("__@", "'", $query);
$query = str_replace("@__'", "'", $query);
$query = str_replace('@__"', "'", $query);
$query = str_replace("@__", "'", $query);
return $query;
}
/**
* This method returns a resource
* Documentation has been added by Arthur Portugal
@ -681,12 +717,14 @@ class Database
* @author Olivier Brouckaert
* @param string $query The SQL query
* @param resource $connection (optional) The database server (MySQL) connection.
* If it is not specified, the connection opened by mysql_connect() is assumed.
* If no connection is found, the server will try to create one as if mysql_connect() was called with no arguments.
* If no connection is found or established, an E_WARNING level error is generated.
* If it is not specified, the connection opened by mysql_connect() is assumed.
* If no connection is found, the server will try to create one as if mysql_connect() was called with no arguments.
* If no connection is found or established, an E_WARNING level error is generated.
* @param string $file (optional) On error it shows the file in which the error has been trigerred (use the "magic" constant __FILE__ as input parameter)
* @param string $line (optional) On error it shows the line in which the error has been trigerred (use the "magic" constant __LINE__ as input parameter)
*
* @return resource The returned result from the query
*
* Note: The parameter $connection could be skipped. Here are examples of this method usage:
* Database::query($query);
* $result = Database::query($query);
@ -698,7 +736,8 @@ class Database
* Database::query($query, $connection, __FILE__, __LINE__);
* $result = Database::query($query, $connection, __FILE__, __LINE__);
*/
public static function query($query, $connection = null, $file = null, $line = null) {
public static function query($query, $connection = null, $file = null, $line = null)
{
$use_default_connection = self::use_default_connection($connection);
if ($use_default_connection) {
// Let us do parameter shifting, thus the method would be similar
@ -707,10 +746,11 @@ class Database
$file = $connection;
$connection = null;
}
//@todo remove this before the stable release
//Check if the table contains a c_ (means a course id)
if (api_get_setting('server_type')==='test' && strpos($query, 'c_')) {
$query = self::fixQuery($query);
// Check if the table contains a c_ (means a course id)
if (api_get_setting('server_type') === 'test' && strpos($query, 'c_')) {
//Check if the table contains inner joins
if (
strpos($query, 'assoc_handle') === false &&
@ -1179,13 +1219,11 @@ class Database
* @example array('where'=> array('type = ? AND category = ?' => array('setting', 'Plugins'))
* @example array('where'=> array('name = "Julio" AND lastname = "montoya"'))
*/
public static function select($columns, $table_name, $conditions = array(), $type_result = 'all', $option = 'ASSOC')
{
$conditions = self::parse_conditions($conditions);
//@todo we could do a describe here to check the columns ...
$clean_columns = '';
if (is_array($columns)) {
$clean_columns = implode(',', $columns);
} else {
@ -1199,7 +1237,7 @@ class Database
$sql = "SELECT $clean_columns FROM $table_name $conditions";
$result = self::query($sql);
$array = array();
//if (self::num_rows($result) > 0 ) {
if ($type_result == 'all') {
while ($row = self::fetch_array($result, $option)) {
if (isset($row['id'])) {
@ -1216,11 +1254,12 @@ class Database
/**
* Parses WHERE/ORDER conditions i.e array('where'=>array('id = ?' =>'4'), 'order'=>'id DESC'))
* @todo known issues, it doesn't work when using LIKE conditions example: array('where'=>array('course_code LIKE "?%"'))
* @param array
* @todo lot of stuff to do here
* @todo known issues, it doesn't work when using
* LIKE conditions example: array('where'=>array('course_code LIKE "?%"'))
* @param array $conditions
*/
static function parse_conditions($conditions) {
public static function parse_conditions($conditions)
{
if (empty($conditions)) {
return '';
}
@ -1232,7 +1271,6 @@ class Database
$type_condition = strtolower($type_condition);
switch ($type_condition) {
case 'where':
foreach ($condition_data as $condition => $value_array) {
if (is_array($value_array)) {
$clean_values = array();
@ -1254,14 +1292,13 @@ class Database
$condition = str_replace("%s","'%s'", $condition);
$condition = str_replace("@-@","@%s@", $condition);
//Treat conditons as string
// Treat conditions as string
$condition = vsprintf($condition, $clean_values);
$condition = str_replace('@percentage@','%', $condition); //replace "%"
$where_return .= $condition;
}
}
if (!empty($where_return)) {
$return_value = " WHERE $where_return" ;
}
@ -1271,7 +1308,7 @@ class Database
if (!empty($order_array)) {
// 'order' => 'id desc, name desc'
$order_array = self::escape_string($order_array);
$order_array = self::escape_string($order_array, null, false);
$new_order_array = explode(',', $order_array);
$temp_value = array();
@ -1301,7 +1338,6 @@ class Database
break;
case 'limit':
$limit_array = explode(',', $condition_data);
if (!empty($limit_array)) {
if (count($limit_array) > 1) {
$return_value .= ' LIMIT '.intval($limit_array[0]).' , '.intval($limit_array[1]);
@ -1312,23 +1348,29 @@ class Database
break;
}
}
return $return_value;
}
public static function parse_where_conditions($coditions) {
return self::parse_conditions(array('where'=>$coditions));
/**
* @param array $conditions
* @return string
*/
public static function parse_where_conditions($conditions)
{
return self::parse_conditions(array('where'=>$conditions));
}
/**
* Experimental useful database update
* @todo lot of stuff to do here
*/
public static function delete($table_name, $where_conditions, $show_query = false) {
$result = false;
public static function delete($table_name, $where_conditions, $show_query = false)
{
$where_return = self::parse_where_conditions($where_conditions);
$sql = "DELETE FROM $table_name $where_return ";
if ($show_query) { echo $sql; echo '<br />'; }
$result = self::query($sql);
self::query($sql);
$affected_rows = self::affected_rows();
//@todo should return affected_rows for
return $affected_rows;
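Review bot: fixQuery() strips the `__@`/`@__` markers from the whole SQL text with blanket str_replace calls, and mysql_real_escape_string() leaves `_` and `@` untouched, so markers that arrive inside a user-supplied value are stripped as well: escape_string('foo__@bar') yields `__@foo__@bar@__`, which fixQuery() rewrites to `'foo'bar'` — an unescaped quote inside the literal, meaning the wrap-and-strip scheme reintroduces SQL injection for any input containing the marker text, and query() now applies it to every statement unconditionally. Either drop the marker approach in favour of quoting the offending call sites directly, or at minimum fail loudly when a value already contains a marker before wrapping it, e.g. in escape_string(): `if ($addFix && preg_match('/__@|@__/', $string)) { trigger_error('escape_string(): marker sequence in input', E_USER_ERROR); }`. The fixQuery() docblock should also state that it runs on every query and therefore must never see a `__@`/`@__` sequence that escape_string() did not add. The start of query() and the remainder of its body lie outside the hunk.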

@ -531,7 +531,7 @@ class DocumentManager
// Escape underscores in the path so they don't act as a wildcard
$originalPath = $path;
$path = Database::escape_string(str_replace('_', '\_', $path));
$path = str_replace('_', '\_', $path);
$to_value = Database::escape_string($to_value);
$visibility_bit = ' <> 2';
@ -579,8 +579,8 @@ class DocumentManager
last.c_id = {$_course['real_id']}
)
WHERE
docs.path LIKE '" . $path . $added_slash . "%' AND
docs.path NOT LIKE '" . $path . $added_slash . "%/%' AND
docs.path LIKE '" . Database::escape_string($path . $added_slash.'%'). "' AND
docs.path NOT LIKE '" . Database::escape_string($path . $added_slash.'%/%')."' AND
docs.path NOT LIKE '%_DELETED_%' AND
$to_field = $to_value AND
last.visibility
@ -588,6 +588,7 @@ class DocumentManager
$condition_session
$sharedCondition
";
$result = Database::query($sql);
$doc_list = array();
@ -726,6 +727,7 @@ class DocumentManager
$_course['code'],
api_get_session_id()
);
$sharedCondition = null;
if (!empty($students)) {
@ -849,7 +851,7 @@ class DocumentManager
FROM $TABLE_ITEMPROPERTY AS last, $TABLE_DOCUMENT AS docs
WHERE
docs.id = last.ref AND
docs.path LIKE '" . Database::escape_string($row['path']) . "/%' AND
docs.path LIKE '" . Database::escape_string($row['path'].'/%') . "' AND
docs.filetype = 'folder' AND
last.tool = '" . TOOL_DOCUMENT . "' AND
last.to_group_id = " . $to_group_id . " AND
@ -1523,7 +1525,6 @@ class DocumentManager
$course_id = $course['real_id'];
//note the extra / at the end of doc_path to match every path in the document table that is part of the document path
$doc_path = Database::escape_string($doc_path);
$session_id = intval($session_id);
$condition = "AND id_session IN ('$session_id', '0') ";
@ -1548,6 +1549,7 @@ class DocumentManager
omega.jpg
theta.jpg
*/
if (strpos($doc_path, 'HotPotatoes_files') && preg_match("/\.t\.html$/", $doc_path)) {
$doc_path = substr($doc_path, 0, strlen($doc_path) - 7 - strlen(api_get_user_id()));
}
@ -1556,10 +1558,15 @@ class DocumentManager
$file_type = 'file';
}
$sql = "SELECT visibility FROM $docTable d INNER JOIN $propTable ip
ON (d.id = ip.ref AND d.c_id = $course_id AND ip.c_id = $course_id)
WHERE ip.tool = '" . TOOL_DOCUMENT . "' $condition AND
filetype = '$file_type' AND locate(concat(path,'/'),'" . $doc_path . "/')=1";
$sql = "SELECT visibility
FROM $docTable d
INNER JOIN $propTable ip
ON (d.id = ip.ref AND d.c_id = $course_id AND ip.c_id = $course_id)
WHERE
ip.tool = '" . TOOL_DOCUMENT . "' $condition AND
filetype = '$file_type' AND
locate(concat(path,'/'), '" . Database::escape_string($doc_path.'/'). "')=1
";
$result = Database::query($sql);
$is_visible = false;
@ -3195,7 +3202,6 @@ class DocumentManager
}
$overwrite_url = Security::remove_XSS($overwrite_url);
$user_id = api_get_user_id();
$user_in_course = false;
@ -3232,11 +3238,6 @@ class DocumentManager
$tbl_doc = Database::get_course_table(TABLE_DOCUMENT);
$tbl_item_prop = Database::get_course_table(TABLE_ITEM_PROPERTY);
$path = '/';
$path = Database::escape_string(str_replace('_', '\_', $path));
$added_slash = ($path == '/') ? '' : '/';
$condition_session = " AND (id_session = '$session_id' OR id_session = '0' )";
$add_folder_filter = null;
@ -3258,18 +3259,18 @@ class DocumentManager
//$showOnlyFoldersCondition = " AND docs.filetype = 'folder' ";
}
$folderCondition = " AND docs.path LIKE '" . $path . $added_slash . "%' ";
$folderCondition = " AND docs.path LIKE '/%' ";
if ($folderId !== false) {
$parentData = self::get_document_data_by_id($folderId, $course_info['code']);
if (!empty($parentData)) {
$cleanedPath = Database::escape_string($parentData['path']);
$cleanedPath = $parentData['path'];
$num = substr_count($cleanedPath, '/');
$notLikeCondition = null;
for ($i = 1; $i <= $num; $i++) {
$repeat = str_repeat('/%', $i+1);
$notLikeCondition .= " AND docs.path NOT LIKE '".$cleanedPath.$repeat."' ";
$notLikeCondition .= " AND docs.path NOT LIKE '".Database::escape_string($cleanedPath.$repeat)."' ";
}
$folderCondition = " AND
@ -4692,8 +4693,6 @@ class DocumentManager
}
$sessionId = intval($sessionId);
$folder = Database::escape_string($folder);
$folderWithSuffix = self::fixDocumentName(
$folder,
'folder',
@ -4702,6 +4701,7 @@ class DocumentManager
$groupId
);
$folder = Database::escape_string($folder);
$folderWithSuffix = Database::escape_string($folderWithSuffix);
// Check if pathname already exists inside document table
@ -4710,7 +4710,7 @@ class DocumentManager
WHERE
filetype = 'folder' AND
c_id = $courseId AND
(path = '".$folder."' OR path = '$folderWithSuffix') AND
(path = '$folder' OR path = '$folderWithSuffix') AND
(session_id = 0 OR session_id = $sessionId)
";

@ -35,10 +35,12 @@ class GroupPortalManager
*
* @author Julio Montoya <gugli100@gmail.com>,
*
* @param string The URL of the site
* @param string The description of the site
* @param int is active or not
* @param int the user_id of the owner
* @param string $name The URL of the site
* @param string $description The description of the site
* @param string $url
* @param int $visibility is active or not
* @param int $picture
*
* @return boolean if success
*/
public static function add($name, $description, $url, $visibility, $picture = '')
@ -68,10 +70,12 @@ class GroupPortalManager
* Updates a group
* @author Julio Montoya <gugli100@gmail.com>,
*
* @param int The id
* @param string The description of the site
* @param int is active or not
* @param int the user_id of the owner
* @param int $group_id The id
* @param string $name The description of the site
* @param string $description
* @param string $url
* @param int $visibility
* @param string $picture_uri
* @param bool $allowMemberGroupToLeave
* @return bool if success
*/
@ -85,23 +89,24 @@ class GroupPortalManager
$allowMemberGroupToLeave = $allowMemberGroupToLeave == true ? 1 : 0;
$groupLeaveCondition = " allow_members_leave_group = $allowMemberGroupToLeave , ";
}
$sql = "UPDATE $table
SET name = '".Database::escape_string($name)."',
description = '".Database::escape_string($description)."',
picture_uri = '".Database::escape_string($picture_uri)."',
url = '".Database::escape_string($url)."',
visibility = '".Database::escape_string($visibility)."',
$groupLeaveCondition
updated_on = '".$now."'
$sql = "UPDATE $table SET
name = '".Database::escape_string($name)."',
description = '".Database::escape_string($description)."',
picture_uri = '".Database::escape_string($picture_uri)."',
url = '".Database::escape_string($url)."',
visibility = '".Database::escape_string($visibility)."',
$groupLeaveCondition
updated_on = '".$now."'
WHERE id = '$group_id'";
$result = Database::query($sql);
return $result;
}
/**
* Deletes a group
* @author Julio Montoya
* @param int id
* @param int $id
* @return boolean true if success
* */
public static function delete($id)
@ -122,9 +127,9 @@ class GroupPortalManager
/**
* Gets data of all groups
* @author Julio Montoya
* @param int visibility
* @param int from which record the results will begin (use for pagination)
* @param int number of items
* @param int $visibility
* @param int $from which record the results will begin (use for pagination)
* @param int $number_of_items
* @return array
* */
public static function get_all_group_data($visibility = GROUP_PERMISSION_OPEN, $from = 0, $number_of_items = 10)
@ -137,12 +142,14 @@ class GroupPortalManager
while ($item = Database::fetch_array($res)) {
$data[] = $item;
}
return $data;
}
/**
* Gets a list of all group
* @param id of a group not to include (i.e. to exclude)
* @param inr $without_this_one id of a group not to include (i.e. to exclude)
*
* @return array : id => name
* */
public static function get_groups_list($without_this_one = NULL)
@ -158,12 +165,14 @@ class GroupPortalManager
while ($item = Database::fetch_assoc($res)) {
$list[$item['id']] = $item['name'];
}
return $list;
}
/**
* Gets the group data
* @param int $group_id
*
* @return array
*/
public static function get_group_data($group_id)
@ -176,6 +185,7 @@ class GroupPortalManager
if (Database::num_rows($res) > 0) {
$item = Database::fetch_array($res, 'ASSOC');
}
return $item;
}
@ -757,10 +767,7 @@ class GroupPortalManager
$group_table = Database::get_main_table(TABLE_MAIN_GROUP);
$table_tag = Database::get_main_table(TABLE_MAIN_TAG);
$table_group_tag_values = Database::get_main_table(TABLE_MAIN_GROUP_REL_TAG);
$field_id = 5;
$tag = Database::escape_string($tag);
$from = intval($from);
$number_of_items = intval($number_of_items);
@ -777,8 +784,9 @@ class GroupPortalManager
WHERE
tag LIKE '$tag%' AND field_id= $field_id OR
(
g.name LIKE '%".$tag."%' OR g.description LIKE '%".$tag."%' OR g.url LIKE '%".$tag."%'
g.name LIKE '".Database::escape_string('%'.$tag.'%')."' OR
g.description LIKE '".Database::escape_string('%'.$tag.'%')."' OR
g.url LIKE '".Database::escape_string('%'.$tag.'%')."'
)";
$sql .= " LIMIT $from, $number_of_items";
@ -794,6 +802,7 @@ class GroupPortalManager
$return[$row['id']] = $row;
}
}
return $return;
}
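Review bot: In the search hunk the up-front `$tag = Database::escape_string($tag);` appears to have been dropped (the hunk shrinks from 10 to 7 lines and the new LIKE clauses escape `'%'.$tag.'%'` themselves), but the untouched context line `tag LIKE '$tag%' AND field_id= $field_id OR` still interpolates `$tag` directly, so that first pattern now receives the raw search term — an injection point if the escape line is indeed gone. Change it to `tag LIKE '".Database::escape_string($tag.'%')."' AND field_id = $field_id OR`. Separately, the reworded docblocks mislabel parameters: `$name` is described as "The URL of the site" in add() and as "The description of the site" in update(), `$picture` is typed `int` while its default is `''`, and `@param inr $without_this_one` is a typo for `int`. The bodies of add() and of the search method begin outside the hunks.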

@ -916,7 +916,6 @@ function api_protect_course_script($print_headers = false, $allow_session_admins
{
$is_allowed_in_course = api_is_allowed_in_course();
$is_visible = false;
$course_info = api_get_course_info();
if (empty($course_info)) {
@ -1034,14 +1033,12 @@ function api_block_anonymous_users($print_headers = true) {
api_not_allowed($print_headers);
return false;
}
return true;
}
/* ACCESSOR FUNCTIONS
Don't access kernel variables directly, use these functions instead. */
/**
* @return an array with the navigator name and version
* @return array with the navigator name and version
*/
function api_get_navigator() {
$navigator = 'Unknown';
@ -1273,7 +1270,7 @@ function api_get_user_info($user_id = '', $check_if_user_is_online = false, $sho
return _api_format_user($GLOBALS['_user']);
}
$sql = "SELECT * FROM ".Database :: get_main_table(TABLE_MAIN_USER)."
WHERE user_id='".Database::escape_string($user_id)."'";
WHERE user_id='".intval($user_id)."'";
$result = Database::query($sql);
if (Database::num_rows($result) > 0) {
$result_array = Database::fetch_array($result);
@ -1463,9 +1460,9 @@ function api_get_cidreq($addSessionId = true, $addGroupId = true)
function api_get_course_info($course_code = null, $strict = false)
{
if (!empty($course_code)) {
$course_code = Database::escape_string($course_code);
$course_table = Database::get_main_table(TABLE_MAIN_COURSE);
$course_cat_table = Database::get_main_table(TABLE_MAIN_CATEGORY);
$course_code = Database::escape_string($course_code);
$course_table = Database::get_main_table(TABLE_MAIN_COURSE);
$course_cat_table = Database::get_main_table(TABLE_MAIN_CATEGORY);
$sql = "SELECT course.*, course_category.code faCode, course_category.name faName
FROM $course_table
LEFT JOIN $course_cat_table
@ -3228,11 +3225,13 @@ function api_get_item_visibility($_course, $tool, $id, $session = 0)
$session = (int) $session;
$TABLE_ITEMPROPERTY = Database::get_course_table(TABLE_ITEM_PROPERTY);
$course_id = intval($_course['real_id']);
$sql = "SELECT visibility FROM $TABLE_ITEMPROPERTY
WHERE c_id = $course_id AND
tool = '$tool' AND
ref = $id AND
(id_session = $session OR id_session = 0)
$sql = "SELECT visibility
FROM $TABLE_ITEMPROPERTY
WHERE
c_id = $course_id AND
tool = '$tool' AND
ref = $id AND
(id_session = $session OR id_session = 0)
ORDER BY id_session DESC, lastedit_date DESC
LIMIT 1";
@ -3274,7 +3273,6 @@ function api_item_property_delete(
}
$table = Database::get_course_table(TABLE_ITEM_PROPERTY);
$tool = Database::escape_string($tool);
$itemId = intval($itemId);
$userId = intval($userId);
@ -3290,9 +3288,6 @@ function api_item_property_delete(
if (empty($userId)) {
$userCondition = " AND (to_user_id is NULL OR to_user_id = 0) ";
}
$sql = "DELETE FROM $table
WHERE
c_id = $courseId AND
@ -3351,18 +3346,18 @@ function api_item_property_update(
}
// Definition of variables.
$tool = Database::escape_string($tool);
$item_id = intval($item_id);
$lastedit_type = Database::escape_string($lastedit_type);
$user_id = intval($user_id);
$to_group_id = intval($to_group_id);
$to_user_id = intval($to_user_id);
$start_visible = Database::escape_string($start_visible);
$end_visible = Database::escape_string($end_visible);
$start_visible = ($start_visible == 0) ? '0000-00-00 00:00:00' : $start_visible;
$end_visible = ($end_visible == 0) ? '0000-00-00 00:00:00' : $end_visible;
$to_filter = '';
$time = api_get_utc_datetime();
$tool = Database::escape_string($tool);
$item_id = intval($item_id);
$lastedit_type = Database::escape_string($lastedit_type);
$user_id = intval($user_id);
$to_group_id = intval($to_group_id);
$to_user_id = intval($to_user_id);
$start_visible = Database::escape_string($start_visible);
$end_visible = Database::escape_string($end_visible);
$start_visible = ($start_visible == 0) ? '0000-00-00 00:00:00' : $start_visible;
$end_visible = ($end_visible == 0) ? '0000-00-00 00:00:00' : $end_visible;
$to_filter = '';
$time = api_get_utc_datetime();
if (!empty($session_id)) {
$session_id = intval($session_id);
@ -3388,7 +3383,6 @@ function api_item_property_update(
}
// Set filters for $to_user_id and $to_group_id, with priority for $to_user_id
$condition_session = '';
if (!empty($session_id)) {
$condition_session = " AND id_session = '$session_id' ";
@ -3550,8 +3544,8 @@ function api_item_property_update(
*/
function api_get_item_property_by_tool($tool, $course_code, $session_id = null)
{
$course_info = api_get_course_info($course_code);
$tool = Database::escape_string($tool);
$course_info = api_get_course_info($course_code);
$tool = Database::escape_string($tool);
// Definition of tables.
$item_property_table = Database::get_course_table(TABLE_ITEM_PROPERTY);
@ -3560,7 +3554,10 @@ function api_get_item_property_by_tool($tool, $course_code, $session_id = null)
$course_id = $course_info['real_id'];
$sql = "SELECT * FROM $item_property_table
WHERE c_id = $course_id AND tool = '$tool' $session_condition ";
WHERE
c_id = $course_id AND
tool = '$tool'
$session_condition ";
$rs = Database::query($sql);
$list = array();
if (Database::num_rows($rs) > 0) {
@ -3616,11 +3613,11 @@ function api_get_item_property_list_by_tool_by_user(
* @param string tool name, linked to 'rubrique' of the course tool_list (Warning: language sensitive !!)
* @param int id of the item itself, linked to key of every tool ('id', ...), "*" = all items of the tool
*/
function api_get_item_property_id($course_code, $tool, $ref) {
$course_info = api_get_course_info($course_code);
$tool = Database::escape_string($tool);
$ref = intval($ref);
function api_get_item_property_id($course_code, $tool, $ref)
{
$course_info = api_get_course_info($course_code);
$tool = Database::escape_string($tool);
$ref = intval($ref);
// Definition of tables.
$TABLE_ITEMPROPERTY = Database::get_course_table(TABLE_ITEM_PROPERTY);
@ -3860,13 +3857,15 @@ function api_get_languages_to_array() {
* @param string language name (the corresponding name of the language-folder in the filesystem)
* @return int id of the language
*/
function api_get_language_id($language) {
function api_get_language_id($language)
{
$tbl_language = Database::get_main_table(TABLE_MAIN_LANGUAGE);
if (empty($language)) {
return null;
}
$language = Database::escape_string($language);
$sql = "SELECT id FROM $tbl_language WHERE available='1' AND dokeos_folder = '$language' LIMIT 1";
$sql = "SELECT id FROM $tbl_language
WHERE available='1' AND dokeos_folder = '$language' LIMIT 1";
$result = Database::query($sql);
$row = Database::fetch_array($result);
return $row['id'];
@ -4084,7 +4083,8 @@ function api_return_html_area($name, $content = '', $height = '', $width = '100%
* @param int $user_course_category: the id of the user_course_category
* @return int the value of the highest sort of the user_course_category
*/
function api_max_sort_value($user_course_category, $user_id) {
function api_max_sort_value($user_course_category, $user_id)
{
$tbl_course_user = Database::get_main_table(TABLE_MAIN_COURSE_USER);
$sql = "SELECT max(sort) as max_sort FROM $tbl_course_user
@ -4660,7 +4660,9 @@ function api_get_status_langvars() {
function api_get_settings_options($var) {
$table_settings_options = Database :: get_main_table(TABLE_MAIN_SETTINGS_OPTIONS);
$var = Database::escape_string($var);
$sql = "SELECT * FROM $table_settings_options WHERE variable = '$var' ORDER BY id";
$sql = "SELECT * FROM $table_settings_options
WHERE variable = '$var'
ORDER BY id";
$result = Database::query($sql);
$settings_options_array = array();
while ($row = Database::fetch_array($result, 'ASSOC')) {
@ -4816,7 +4818,8 @@ function api_set_settings_category($category, $value = null, $access_url = 1, $f
if (empty($access_url)) { $access_url = 1; }
if (isset($value)) {
$value = Database::escape_string($value);
$sql = "UPDATE $t_s SET selected_value = '$value' WHERE category = '$category' AND access_url = $access_url";
$sql = "UPDATE $t_s SET selected_value = '$value'
WHERE category = '$category' AND access_url = $access_url";
if (is_array($fieldtype) && count($fieldtype)>0) {
$sql .= " AND ( ";
$i = 0;
@ -4856,13 +4859,17 @@ function api_set_settings_category($category, $value = null, $access_url = 1, $f
* Gets all available access urls in an array (as in the database)
* @return array An array of database records
*/
function api_get_access_urls($from = 0, $to = 1000000, $order = 'url', $direction = 'ASC') {
$t_au = Database::get_main_table(TABLE_MAIN_ACCESS_URL);
function api_get_access_urls($from = 0, $to = 1000000, $order = 'url', $direction = 'ASC')
{
$table = Database::get_main_table(TABLE_MAIN_ACCESS_URL);
$from = (int) $from;
$to = (int) $to;
$order = Database::escape_string($order);
$direction = Database::escape_string($direction);
$sql = "SELECT id, url, description, active, created_by, tms FROM $t_au ORDER BY $order $direction LIMIT $to OFFSET $from";
$order = Database::escape_string($order, null, false);
$direction = Database::escape_string($direction, null, false);
$sql = "SELECT id, url, description, active, created_by, tms
FROM $table
ORDER BY $order $direction
LIMIT $to OFFSET $from";
$res = Database::query($sql);
return Database::store_result($res);
}
@ -4877,7 +4884,7 @@ function api_get_access_urls($from = 0, $to = 1000000, $order = 'url', $directio
function api_get_access_url($id)
{
global $_configuration;
$id = Database::escape_string(intval($id));
$id = intval($id);
// Calling the Database:: library dont work this is handmade.
//$table_access_url = Database::get_main_table(TABLE_MAIN_ACCESS_URL);
$table = 'access_url';
@ -5445,9 +5452,11 @@ function api_get_access_url_from_user($user_id) {
$user_id = intval($user_id);
$table_url_rel_user = Database :: get_main_table(TABLE_MAIN_ACCESS_URL_REL_USER);
$table_url = Database :: get_main_table(TABLE_MAIN_ACCESS_URL);
$sql = "SELECT access_url_id FROM $table_url_rel_user url_rel_user INNER JOIN $table_url u
$sql = "SELECT access_url_id
FROM $table_url_rel_user url_rel_user
INNER JOIN $table_url u
ON (url_rel_user.access_url_id = u.id)
WHERE user_id = ".Database::escape_string($user_id);
WHERE user_id = ".intval($user_id);
$result = Database::query($sql);
$url_list = array();
while ($row = Database::fetch_array($result, 'ASSOC')) {
@ -5465,10 +5474,11 @@ function api_get_access_url_from_user($user_id) {
function api_get_status_of_user_in_course ($user_id, $course_code) {
$tbl_rel_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
if (!empty($user_id) && !empty($course_code)) {
$user_id = Database::escape_string(intval($user_id));
$user_id = intval($user_id);
$course_code = Database::escape_string($course_code);
$sql = 'SELECT status FROM '.$tbl_rel_course_user.'
WHERE user_id='.$user_id.' AND course_code="'.$course_code.'";';
$sql = 'SELECT status
FROM '.$tbl_rel_course_user.'
WHERE user_id='.$user_id.' AND course_code="'.$course_code.'";';
$result = Database::query($sql);
$row_status = Database::fetch_array($result, 'ASSOC');
return $row_status['status'];
@ -5555,14 +5565,14 @@ function api_is_valid_secret_key($original_key_secret, $security_key) {
/**
* Checks whether a user is into course
* @param string $course_id - the course id
* @param string $user_id - the user id
* @param int $user_id - the user id
*/
function api_is_user_of_course($course_id, $user_id) {
$tbl_course_rel_user = Database::get_main_table(TABLE_MAIN_COURSE_USER);
$sql = 'SELECT user_id FROM '.$tbl_course_rel_user.'
WHERE
course_code="'.Database::escape_string($course_id).'" AND
user_id="'.Database::escape_string($user_id).'" AND
user_id="'.intval($user_id).'" AND
relation_type<>'.COURSE_RELATION_TYPE_RRHH.' ';
$result = Database::query($sql);
return Database::num_rows($result) == 1;
@ -5739,7 +5749,8 @@ function api_get_tool_information($tool_id) {
function api_get_tool_information_by_name($name) {
$t_tool = Database::get_course_table(TABLE_TOOL_LIST);
$course_id = api_get_course_int_id();
$sql = "SELECT * FROM $t_tool WHERE c_id = $course_id AND name = '".Database::escape_string($name)."' ";
$sql = "SELECT * FROM $t_tool
WHERE c_id = $course_id AND name = '".Database::escape_string($name)."' ";
$rs = Database::query($sql);
return Database::fetch_array($rs, 'ASSOC');
}
@ -6441,7 +6452,8 @@ function api_resource_is_locked_by_gradebook($item_id, $link_type, $course_code
$item_id = intval($item_id);
$link_type = intval($link_type);
$course_code = Database::escape_string($course_code);
$sql = "SELECT locked FROM $table WHERE locked = 1 AND ref_id = $item_id AND type = $link_type AND course_code = '$course_code' ";
$sql = "SELECT locked FROM $table
WHERE locked = 1 AND ref_id = $item_id AND type = $link_type AND course_code = '$course_code' ";
$result = Database::query($sql);
if (Database::num_rows($result)) {
return true;
@ -6992,7 +7004,9 @@ function api_get_bytes_memory_limit($mem){
*/
function api_get_user_info_from_official_code($official_code = '')
{
if (empty($official_code)) { return false; }
if (empty($official_code)) {
return false;
}
$sql = "SELECT * FROM ".Database :: get_main_table(TABLE_MAIN_USER)."
WHERE official_code ='".Database::escape_string($official_code)."'";
$result = Database::query($sql);

@ -2449,7 +2449,8 @@ class SessionManager
/**
* Get a list of sessions of which the given conditions match with an = 'cond'
* @param array $conditions a list of condition example :
* array('status' => STUDENT) or array('s.name LIKE' => "%$needle%")
* array('status' => STUDENT) or
* array('s.name' => array('operator' => 'LIKE', value = '%$needle%'))
* @param array $order_by a list of fields on which sort
* @return array An array with all sessions of the platform.
* @todo optional course code parameter, optional sorting parameters...
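Review bot: The new example in the `$conditions` docblock is not valid PHP and does not match what the loop below reads: `value = '%$needle%'` should be `'value' => '%$needle%'`, since the code indexes `$options['value']`. It would also help to state that the field must be one of `s.id`/`s.name` and the operator one of `like`, `>=`, `<=`, `=`, because a condition outside that list is ignored without any error. The function signature follows after this hunk.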
@ -2462,12 +2463,19 @@ class SessionManager
$table_access_url_rel_session = Database::get_main_table(TABLE_MAIN_ACCESS_URL_REL_SESSION);
$session_course_table = Database::get_main_table(TABLE_MAIN_SESSION_COURSE);
$course_table = Database::get_main_table(TABLE_MAIN_COURSE);
$access_url_id = api_get_current_access_url_id();
$return_array = array();
$sql_query = " SELECT s.id, s.name, s.nbr_courses, s.date_start, s.date_end, u.firstname, u.lastname, sc.name as category_name, s.promotion_id
$sql_query = " SELECT
s.id,
s.name,
s.nbr_courses,
s.date_start,
s.date_end,
u.firstname,
u.lastname,
sc.name as category_name,
s.promotion_id
FROM $session_table s
INNER JOIN $user_table u ON s.id_coach = u.user_id
INNER JOIN $table_access_url_rel_session ar ON ar.session_id = s.id
@ -2476,23 +2484,53 @@ class SessionManager
INNER JOIN $course_table c ON sco.course_code = c.code
WHERE ar.access_url_id = $access_url_id ";
$availableFields = array(
's.id',
's.name'
);
$availableOperator = array(
'like',
'>=',
'<=',
'='
);
if (count($conditions) > 0) {
foreach ($conditions as $field => $value) {
foreach ($conditions as $field => $options) {
$operator = strtolower($options['operator']);
$value = Database::escape_string($options['value']);
$sql_query .= ' AND ';
$field = Database::escape_string($field);
$value = Database::escape_string($value);
$sql_query .= $field . " '" . $value . "'";
if (in_array($field, $availableFields) && in_array($operator, $availableOperator)) {
$sql_query .= $field . " $operator '" . $value . "'";
}
}
}
$orderAvailableList = array('name');
if (count($order_by) > 0) {
$sql_query .= ' ORDER BY ' . Database::escape_string(implode(',', $order_by));
$order = null;
$direction = null;
if (isset($order_by[0]) && in_array($order_by[0], $orderAvailableList)) {
$order = $order_by[0];
}
if (isset($order_by[1]) && in_array(strtolower($order_by[1]), array('desc', 'asc'))) {
$direction = $order_by[1];
}
if (!empty($order)) {
$sql_query .= " ORDER BY $order $direction ";
}
}
$sql_result = Database::query($sql_query);
if (Database::num_rows($sql_result) > 0) {
while ($result = Database::fetch_array($sql_result)) {
$return_array[$result['id']] = $result;
}
}
return $return_array;
}
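Review bot: `$sql_query .= ' AND ';` runs before the whitelist check, so a condition whose field or operator is not in `$availableFields`/`$availableOperator` leaves a dangling `AND` in the WHERE clause and the query fails with a syntax error instead of being ignored. Move the append inside the guard: `if (in_array($field, $availableFields, true) && in_array($operator, $availableOperator, true)) { $sql_query .= ' AND ' . $field . " $operator '" . $value . "'"; }`. The new `$options['operator']`/`$options['value']` reads also assume every condition is an array, so a caller still passing the old `'field' => 'value'` form would get notices and an empty condition; it may be worth rejecting non-array entries explicitly. The function's signature and the start of the query are outside this hunk.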

@ -1643,8 +1643,14 @@ class UserManager
* @param int Optional. Whether we get all the fields with field_filter 1 or 0 or everything
* @return array Extra fields details (e.g. $list[2]['type'], $list[4]['options'][2]['title']
*/
public static function get_extra_fields($from = 0, $number_of_items = 0, $column = 5, $direction = 'ASC', $all_visibility = true, $field_filter = null)
{
public static function get_extra_fields(
$from = 0,
$number_of_items = 0,
$column = 5,
$direction = 'ASC',
$all_visibility = true,
$field_filter = null
) {
$fields = array();
$t_uf = Database :: get_main_table(TABLE_MAIN_USER_FIELD);
$t_ufo = Database :: get_main_table(TABLE_MAIN_USER_FIELD_OPTIONS);
@ -1664,7 +1670,7 @@ class UserManager
}
$sqlf .= " ORDER BY ".$columns[$column]." $sort_direction ";
if ($number_of_items != 0) {
$sqlf .= " LIMIT ".Database::escape_string($from).','.Database::escape_string($number_of_items);
$sqlf .= " LIMIT ".intval($from).','.intval($number_of_items);
}
$resf = Database::query($sqlf);
@ -3560,11 +3566,11 @@ class UserManager
/**
* Search an user (tags, first name, last name and email )
* @param string the tag
* @param int field id of the tag
* @param int where to start in the query
* @param int number of items
* @param bool get count or not
* @param string $tag
* @param int $field_id field id of the tag
* @param int $from where to start in the query
* @param int $number_of_items
* @param bool $getCount get count or not
* @return array
*/
public static function get_all_user_tags($tag, $field_id = 0, $from = 0, $number_of_items = 10, $getCount = false)
@ -3574,7 +3580,6 @@ class UserManager
$table_user_tag_values = Database::get_main_table(TABLE_MAIN_USER_REL_TAG);
$access_url_rel_user_table = Database :: get_main_table(TABLE_MAIN_ACCESS_URL_REL_USER);
$tag = Database::escape_string($tag);
$field_id = intval($field_id);
$from = intval($from);
$number_of_items = intval($number_of_items);
@ -3599,13 +3604,13 @@ class UserManager
LEFT JOIN $table_user_tag_values uv ON (u.user_id AND uv.user_id AND uv.user_id = url_rel_user.user_id)
LEFT JOIN $table_user_tag ut ON (uv.tag_id = ut.id)
WHERE
($where_field tag LIKE '$tag%') OR
($where_field tag LIKE '".Database::escape_string($tag."%")."') OR
(
u.firstname LIKE '%".$tag."%' OR
u.lastname LIKE '%".$tag."%' OR
u.username LIKE '%".$tag."%' OR
concat(u.firstname,' ',u.lastname) LIKE '%".$tag."%' OR
concat(u.lastname,' ',u.firstname) LIKE '%".$tag."%'
u.firstname LIKE '".Database::escape_string("%".$tag."%")."' OR
u.lastname LIKE '".Database::escape_string("%".$tag."%")."' OR
u.username LIKE '".Database::escape_string("%".$tag."%")."' OR
concat(u.firstname,' ',u.lastname) LIKE '".Database::escape_string("%".$tag."%")."' OR
concat(u.lastname,' ',u.firstname) LIKE '".Database::escape_string("%".$tag."%")."'
)
".(!empty($where_extra_fields) ? $where_extra_fields : '')."
AND
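Review bot: `$tag` is escaped twice: the context line `$tag = Database::escape_string($tag);` in the preceding `@ -3574` hunk still runs, and the rewritten LIKE clauses here escape it again through `Database::escape_string("%".$tag."%")`. A tag containing a quote or backslash is therefore double-escaped and the search no longer matches the stored value. Drop the early assignment (`$tag = Database::escape_string($tag);`) and keep only the escaping at the point of use, as this hunk does. The enclosing `get_all_user_tags` body starts and ends outside this hunk.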
@ -3637,10 +3642,10 @@ class UserManager
$return[$row['user_id']] = $row;
}
}
return $return;
}
/**
* Get extra filtrable user fields (type select)
* @return array
@ -3653,10 +3658,15 @@ class UserManager
foreach ($extraFieldList as $extraField) {
//if is enabled to filter and is a "<select>" field type
if ($extraField[8] == 1 && $extraField[2] == 4) {
$extraFiltrableFields[] = array('name'=> $extraField[3], 'variable'=>$extraField[1], 'data'=> $extraField[9]);
$extraFiltrableFields[] = array(
'name' => $extraField[3],
'variable' => $extraField[1],
'data' => $extraField[9]
);
}
}
}
if (is_array($extraFiltrableFields) && count($extraFiltrableFields) > 0 ) {
return $extraFiltrableFields;
}

@ -1079,7 +1079,7 @@ class IndexManager
true,
$this->load_directories_preview
);
$html_courses_session .= $c[1];
$html_courses_session .= isset($c[1]) ? $c[1] : null;
}
$count_courses_session++;
}

@ -4,8 +4,8 @@
use \ChamiloSession as Session;
/**
* This class defines the parent attributes and methods for Chamilo learnpaths and SCORM
* learnpaths. It is used by the scorm class.
* This class defines the parent attributes and methods for Chamilo learnpaths
* and SCORM learnpaths. It is used by the scorm class.
*
* @package chamilo.learnpath
* @author Yannick Warnier <ywarnier@beeznest.org>
@ -457,7 +457,6 @@ class learnpath
$parent = intval($parent);
$previous = intval($previous);
$type = Database::escape_string($type);
$id = intval($id);
$max_time_allowed = Database::escape_string(htmlentities($max_time_allowed));
if (empty ($max_time_allowed)) {
@ -515,7 +514,7 @@ class learnpath
$new_item_id = -1;
$id = Database::escape_string($id);
$typeCleaned = Database::escape_string($type);
if ($type == 'quiz') {
$sql = 'SELECT SUM(ponderation)
FROM ' . Database :: get_course_table(TABLE_QUIZ_QUESTION) . ' as quiz_question
@ -555,7 +554,7 @@ class learnpath
") VALUES (
$course_id ,
".$this->get_id() . ", ".
"'" . $type . "', ".
"'" . $typeCleaned . "', ".
"'', ".
"'" . $title . "', ".
"'" . $description . "', ".
@ -587,7 +586,7 @@ class learnpath
") VALUES (".
$course_id. ",".
$this->get_id() . ",".
"'" . $type . "',".
"'" . $typeCleaned . "',".
"'',".
"'" . $title . "',".
"'" . $description . "',".
@ -760,13 +759,13 @@ class learnpath
$publicated_on = api_get_utc_datetime();
}
} else {
$publicated_on = Database::escape_string(api_get_utc_datetime($publicated_on));
$publicated_on = Database::escape_string(api_get_utc_datetime($publicated_on));
}
if ($expired_on == '0000-00-00 00:00:00' || empty($expired_on)) {
$expired_on = '';
} else {
$expired_on = Database::escape_string(api_get_utc_datetime($expired_on));
$expired_on = Database::escape_string(api_get_utc_datetime($expired_on));
}
while (Database :: num_rows($res_name)) {
@ -967,7 +966,7 @@ class learnpath
}
*/
}
$this->ordered_items = array ();
$this->ordered_items = array();
$this->index = 0;
unset ($this->lp_id);
//unset other stuff
@ -1465,7 +1464,6 @@ class learnpath
}
$prerequisite_id = Database::escape_string($prerequisite_id);
$tbl_lp_item = Database :: get_course_table(TABLE_LP_ITEM);
if (!is_numeric($mastery_score) || $mastery_score < 0) {
@ -1674,7 +1672,7 @@ class learnpath
if ($this->debug > 0) {
error_log('New LP - In learnpath::get_current_item_id()', 0);
}
if (!empty ($this->current)) {
if (!empty($this->current)) {
$current = $this->current;
}
if ($this->debug > 2) {
@ -1814,7 +1812,7 @@ class learnpath
/**
* Gets the information about an item in a format usable as JavaScript to update
* the JS API by just printing this content into the <head> section of the message frame
* @param integer Item ID
* @param int $item_id
* @return string
*/
public function get_js_info($item_id = '')
@ -1824,7 +1822,7 @@ class learnpath
}
$info = '';
$item_id = Database::escape_string($item_id);
$item_id = intval($item_id);
if (!empty($item_id) && is_object($this->items[$item_id])) {
//if item is defined, return values from DB
@ -3294,9 +3292,9 @@ class learnpath
/**
* Gets a link to the resource from the present location, depending on item ID.
* @param string Type of link expected
* @param integer Learnpath item ID
* @return string Link to the lp_item resource
* @param string $type Type of link expected
* @param integer $item_id Learnpath item ID
* @return string $provided_toc Link to the lp_item resource
*/
public function get_link($type = 'http', $item_id = null, $provided_toc = false)
{
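Review bot: The rewritten docblock for `get_link` attaches a parameter name to the return tag: `@return string $provided_toc Link to the lp_item resource` describes the third parameter, not the return value. Split it into `@param bool $provided_toc` (presumably whether a caller-built TOC is supplied — confirm against the body) and `@return string Link to the lp_item resource`. The method body is outside this hunk.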
@ -3326,7 +3324,7 @@ class learnpath
$lp_table = Database::get_course_table(TABLE_LP_MAIN);
$lp_item_table = Database::get_course_table(TABLE_LP_ITEM);
$lp_item_view_table = Database::get_course_table(TABLE_LP_ITEM_VIEW);
$item_id = Database::escape_string($item_id);
$item_id = intval($item_id);
$sql = "SELECT l.lp_type as ltype, l.path as lpath, li.item_type as litype, li.path as lipath, li.parameters as liparams
FROM $lp_table l
@ -3366,7 +3364,6 @@ class learnpath
// Now go through the specific cases to get the end of the path
// @todo Use constants instead of int values.
switch ($lp_type) {
case 1 :
if ($lp_item_type == 'dokeos_chapter') {
@ -3425,13 +3422,13 @@ class learnpath
}
if ($type_quiz) {
$lp_item_id = Database::escape_string($lp_item_id);
$lp_view_id = Database::escape_string($lp_view_id);
$lp_item_id = intval($lp_item_id);
$lp_view_id = intval($lp_view_id);
$sql = "SELECT count(*) FROM $lp_item_view_table
WHERE
c_id = $course_id AND
lp_item_id='" . (int) $lp_item_id . "' AND
lp_view_id ='" . (int) $lp_view_id . "' AND
lp_item_id='" . $lp_item_id . "' AND
lp_view_id ='" . $lp_view_id . "' AND
status='completed'";
$result = Database::query($sql);
$row_count = Database :: fetch_row($result);
@ -4114,7 +4111,7 @@ class learnpath
{
$course_id = api_get_course_int_id();
$tbl_lp = Database :: get_course_table(TABLE_LP_MAIN);
$lp_id = Database::escape_string($lp_id);
$lp_id = intval($lp_id);
$sql = "SELECT * FROM $tbl_lp where c_id = ".$course_id." AND id=$lp_id";
$result = Database::query($sql);
if (Database::num_rows($result)) {
@ -4341,7 +4338,7 @@ class learnpath
/**
* Sets the current item ID (checks if valid and authorized first)
* @param integer New item ID. If not given or not authorized, defaults to current
* @param integer $item_id New item ID. If not given or not authorized, defaults to current
*/
public function set_current_item($item_id = null)
{
@ -4358,7 +4355,7 @@ class learnpath
error_log('New LP - New current item given is ' . $item_id . '...', 0);
}
if (is_numeric($item_id)) {
$item_id = Database::escape_string($item_id);
$item_id = intval($item_id);
// TODO: Check in database here.
$this->last = $this->current;
$this->current = $item_id;
@ -4442,11 +4439,11 @@ class learnpath
}
if (empty ($name))
return false;
$this->maker = Database::escape_string($name);
$this->maker = $name;
$lp_table = Database :: get_course_table(TABLE_LP_MAIN);
$course_id = api_get_course_int_id();
$lp_id = $this->get_id();
$sql = "UPDATE $lp_table SET content_maker = '" . $this->maker . "'
$sql = "UPDATE $lp_table SET content_maker = '" . Database::escape_string($this->maker) . "'
WHERE c_id = ".$course_id." AND id = '$lp_id'";
if ($this->debug > 2) {
error_log('New LP - lp updated with new content_maker : ' . $this->maker, 0);
@ -4468,11 +4465,11 @@ class learnpath
if (empty($name)) {
return false;
}
$this->name = Database::escape_string($name);
$this->name = $name;
$lp_table = Database :: get_course_table(TABLE_LP_MAIN);
$lp_id = $this->get_id();
$course_id = api_get_course_int_id();
$sql = "UPDATE $lp_table SET name = '" . $this->name . "'
$sql = "UPDATE $lp_table SET name = '" . Database::escape_string($this->name). "'
WHERE c_id = ".$course_id." AND id = '$lp_id'";
if ($this->debug > 2) {
error_log('New LP - lp updated with new name : ' . $this->name, 0);
@ -4582,10 +4579,10 @@ class learnpath
if ($this->debug > 0) {
error_log('New LP - In learnpath::set_theme()', 0);
}
$this->theme = Database::escape_string($name);
$this->theme = $name;
$lp_table = Database :: get_course_table(TABLE_LP_MAIN);
$lp_id = $this->get_id();
$sql = "UPDATE $lp_table SET theme = '" . $this->theme . "'
$sql = "UPDATE $lp_table SET theme = '" . Database::escape_string($this->theme). "'
WHERE c_id = ".$course_id." AND id = '$lp_id'";
if ($this->debug > 2) {
error_log('New LP - lp updated with new theme : ' . $this->theme, 0);
@ -4606,10 +4603,11 @@ class learnpath
error_log('New LP - In learnpath::set_preview_image()', 0);
}
$this->preview_image = Database::escape_string($name);
$this->preview_image = $name;
$lp_table = Database :: get_course_table(TABLE_LP_MAIN);
$lp_id = $this->get_id();
$sql = "UPDATE $lp_table SET preview_image = '" . $this->preview_image . "'
$sql = "UPDATE $lp_table SET
preview_image = '" . Database::escape_string($this->preview_image). "'
WHERE c_id = ".$course_id." AND id = '$lp_id'";
if ($this->debug > 2) {
error_log('New LP - lp updated with new preview image : ' . $this->preview_image, 0);
@ -4628,10 +4626,10 @@ class learnpath
if ($this->debug > 0) {
error_log('New LP - In learnpath::set_author()', 0);
}
$this->author = Database::escape_string($name);
$this->author = $name;
$lp_table = Database :: get_course_table(TABLE_LP_MAIN);
$lp_id = $this->get_id();
$sql = "UPDATE $lp_table SET author = '" . $this->author . "'
$sql = "UPDATE $lp_table SET author = '" . Database::escape_string($name). "'
WHERE c_id = ".$course_id." AND id = '$lp_id'";
if ($this->debug > 2) {
error_log('New LP - lp updated with new preview author : ' . $this->author, 0);
@ -4704,10 +4702,11 @@ class learnpath
if (empty ($name))
return false;
$this->proximity = Database::escape_string($name);
$this->proximity = $name;
$lp_table = Database :: get_course_table(TABLE_LP_MAIN);
$lp_id = $this->get_id();
$sql = "UPDATE $lp_table SET content_local = '" . $this->proximity . "'
$sql = "UPDATE $lp_table SET
content_local = '" . Database::escape_string($name) . "'
WHERE c_id = ".$course_id." AND id = '$lp_id'";
if ($this->debug > 2) {
error_log('New LP - lp updated with new proximity : ' . $this->proximity, 0);
@ -4756,7 +4755,7 @@ class learnpath
/**
* Sets and saves the expired_on date
* @param string Optional string giving the new author of this learnpath
* @param string $expired_on Optional string giving the new author of this learnpath
* @return bool Returns true if author's name is not empty
*/
public function set_expired_on($expired_on)
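Review bot: The new `@param string $expired_on` line keeps the copy-pasted description "Optional string giving the new author of this learnpath", and the `@return bool` line still talks about the author's name, neither of which describes this setter; the same text is repeated for `$publicated_on` in the `@ -4784` hunk. Suggested wording: `@param string $expired_on Optional date string; an empty value clears expired_on` and a `@return bool` description checked against what the body actually returns. The context line `error_log('New LP - In learnpath::set_expired_on()', 0);` inside `set_publicated_on` (hunk `@ -4794`) also names the wrong method. The method bodies are outside these hunks.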
@ -4767,13 +4766,14 @@ class learnpath
}
if (!empty($expired_on)) {
$this->expired_on = Database::escape_string(api_get_utc_datetime($expired_on));
$this->expired_on = api_get_utc_datetime($expired_on);
} else {
$this->expired_on = '';
}
$lp_table = Database :: get_course_table(TABLE_LP_MAIN);
$lp_id = $this->get_id();
$sql = "UPDATE $lp_table SET expired_on = '" . $this->expired_on . "'
$sql = "UPDATE $lp_table SET
expired_on = '" . Database::escape_string($this->expired_on) . "'
WHERE c_id = ".$course_id." AND id = '$lp_id'";
if ($this->debug > 2) {
error_log('New LP - lp updated with new expired_on : ' . $this->expired_on, 0);
@ -4784,7 +4784,7 @@ class learnpath
/**
* Sets and saves the publicated_on date
* @param string Optional string giving the new author of this learnpath
* @param string $publicated_on Optional string giving the new author of this learnpath
* @return bool Returns true if author's name is not empty
*/
public function set_publicated_on($publicated_on)
@ -4794,13 +4794,14 @@ class learnpath
error_log('New LP - In learnpath::set_expired_on()', 0);
}
if (!empty($publicated_on)) {
$this->publicated_on = Database::escape_string(api_get_utc_datetime($publicated_on));
$this->publicated_on = api_get_utc_datetime($publicated_on);
} else {
$this->publicated_on = '';
}
$lp_table = Database :: get_course_table(TABLE_LP_MAIN);
$lp_id = $this->get_id();
$sql = "UPDATE $lp_table SET publicated_on = '" . $this->publicated_on . "'
$sql = "UPDATE $lp_table SET
publicated_on = '" . Database::escape_string($this->publicated_on) . "'
WHERE c_id = ".$course_id." AND id = '$lp_id'";
if ($this->debug > 2) {
error_log('New LP - lp updated with new publicated_on : ' . $this->publicated_on, 0);
@ -4811,7 +4812,6 @@ class learnpath
/**
* Sets and saves the expired_on date
* @param string Optional string giving the new author of this learnpath
* @return bool Returns true if author's name is not empty
*/
public function set_modified_on()
@ -4837,7 +4837,8 @@ class learnpath
* @param string Error message. If empty, reinits the error string
* @return void
*/
public function set_error_msg($error = '') {
public function set_error_msg($error = '')
{
if ($this->debug > 0) {
error_log('New LP - In learnpath::set_error_msg()', 0);
}
@ -4849,9 +4850,10 @@ class learnpath
}
/**
* Launches the current item if not 'sco' (starts timer and make sure there is a record ready in the DB)
* @param boolean Whether to allow a new attempt or not
* @return boolean True
* Launches the current item if not 'sco'
* (starts timer and make sure there is a record ready in the DB)
* @param boolean $allow_new_attempt Whether to allow a new attempt or not
* @return boolean
*/
public function start_current_item($allow_new_attempt = false)
{
@ -4865,7 +4867,6 @@ class learnpath
($type == 1 && $item_type != TOOL_QUIZ && $item_type != TOOL_HOTPOTATOES)
) {
$this->items[$this->current]->open($allow_new_attempt);
$this->autocomplete_parents($this->current);
$prereq_check = $this->prerequisites_match($this->current);
$this->items[$this->current]->save(false, $prereq_check);
@ -5710,17 +5711,28 @@ class learnpath
$return .= "\tm.add(" . $menu . ", -1, '" . addslashes(Security::remove_XSS(($this->name))) . "');\n";
$tbl_lp_item = Database :: get_course_table(TABLE_LP_ITEM);
$sql = " SELECT id, title, description, item_type, path, parent_item_id, previous_item_id, next_item_id, max_score, min_score, mastery_score, display_order
$sql = " SELECT
id,
title,
description,
item_type,
path,
parent_item_id,
previous_item_id,
next_item_id,
max_score,
min_score,
mastery_score,
display_order
FROM $tbl_lp_item
WHERE c_id = ".$course_id." AND lp_id = " . Database::escape_string($this->lp_id);
WHERE c_id = ".$course_id." AND lp_id = " . intval($this->lp_id);
$result = Database::query($sql);
$arrLP = array ();
while ($row = Database :: fetch_array($result)) {
$row['title'] = Security :: remove_XSS($row['title']);
$row['description'] = Security :: remove_XSS($row['description']);
$arrLP[] = array (
$arrLP[] = array(
'id' => $row['id'],
'item_type' => $row['item_type'],
'title' => $row['title'],
@ -6007,9 +6019,10 @@ class learnpath
fputs($fp, $content);
fclose($fp);
$sql_update = "UPDATE " . $table_doc ." SET title='".Database::escape_string($_POST['title'])."'
WHERE c_id = ".$course_id." AND id = " . $document_id;
Database::query($sql_update);
$sql = "UPDATE " . $table_doc ." SET
title='".Database::escape_string($_POST['title'])."'
WHERE c_id = ".$course_id." AND id = " . $document_id;
Database::query($sql);
}
}
}
@ -6026,9 +6039,8 @@ class learnpath
$return = '';
if (is_numeric($item_id)) {
$tbl_lp_item = Database :: get_course_table(TABLE_LP_ITEM);
$tbl_doc = Database :: get_course_table(TABLE_DOCUMENT);
$sql = "SELECT lp.* FROM " . $tbl_lp_item . " as lp
WHERE c_id = ".$course_id." AND lp.id = " . Database::escape_string($item_id);
WHERE c_id = ".$course_id." AND lp.id = " . intval($item_id);
$result = Database::query($sql);
while ($row = Database :: fetch_array($result,'ASSOC')) {
$_SESSION['parent_item_id'] = ($row['item_type'] == 'dokeos_chapter' || $row['item_type'] == 'dokeos_module' || $row['item_type'] == 'dir') ? $item_id : 0;
@ -6057,11 +6069,12 @@ class learnpath
}
break;
case TOOL_DOCUMENT:
$tbl_doc = Database :: get_course_table(TABLE_DOCUMENT);
$sql_doc = "SELECT path FROM " . $tbl_doc . " WHERE c_id = ".$course_id." AND id = " . Database::escape_string($row['path']);
$result = Database::query($sql_doc);
$path_file = Database::result($result, 0, 0);
$path_parts = pathinfo($path_file);
$tbl_doc = Database :: get_course_table(TABLE_DOCUMENT);
$sql_doc = "SELECT path FROM " . $tbl_doc . "
WHERE c_id = ".$course_id." AND id = " . Database::escape_string($row['path']);
$result = Database::query($sql_doc);
$path_file = Database::result($result, 0, 0);
$path_parts = pathinfo($path_file);
// TODO: Correct the following naive comparisons, also, htm extension is missing.
if (in_array($path_parts['extension'], array(
'html',
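Review bot: `id = " . Database::escape_string($row['path'])` in the rewritten `$sql_doc` interpolates the value unquoted, where escaping quotes gives no protection; every other numeric-id comparison in this commit switches to `intval`. In this `TOOL_DOCUMENT` branch `lp.path` is compared with the document table's `id`, so `intval($row['path'])` matches both the column type and the commit's own convention — confirm that no non-numeric path can reach this branch. The enclosing switch and method continue outside the hunk.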
@ -6095,7 +6108,8 @@ class learnpath
$return = '';
if (is_numeric($item_id)) {
$tbl_lp_item = Database :: get_course_table(TABLE_LP_ITEM);
$sql = "SELECT * FROM $tbl_lp_item WHERE c_id = ".$course_id." AND id = " . Database::escape_string($item_id);
$sql = "SELECT * FROM $tbl_lp_item
WHERE c_id = ".$course_id." AND id = " . intval($item_id);
$res = Database::query($sql);
$row = Database::fetch_array($res);
@ -6116,9 +6130,10 @@ class learnpath
$sql_step = " SELECT lp.*, doc.path as dir
FROM " . $tbl_lp_item . " as lp
LEFT JOIN " . $tbl_doc . " as doc ON doc.id = lp.path
WHERE lp.c_id = $course_id AND
doc.c_id = $course_id AND
lp.id = " . Database::escape_string($item_id);
WHERE
lp.c_id = $course_id AND
doc.c_id = $course_id AND
lp.id = " . intval($item_id);
$res_step = Database::query($sql_step);
$row_step = Database :: fetch_array($res_step);
$return .= $this->display_manipulate($item_id, $row['item_type']);
@ -6128,7 +6143,8 @@ class learnpath
$link_id = (string) $row['path'];
if (ctype_digit($link_id)) {
$tbl_link = Database :: get_course_table(TABLE_LINK);
$sql_select = 'SELECT url FROM ' . $tbl_link . ' WHERE c_id = '.$course_id.' AND id = ' . Database::escape_string($link_id);
$sql_select = 'SELECT url FROM ' . $tbl_link . '
WHERE c_id = '.$course_id.' AND id = ' . intval($link_id);
$res_link = Database::query($sql_select);
$row_link = Database :: fetch_array($res_link);
if (is_array($row_link)) {
@ -7792,9 +7808,7 @@ class learnpath
WHERE c_id = ".$course_id." AND lp_id = " . $this->lp_id;
$result = Database::query($sql);
$arrLP = array ();
$arrLP = array();
while ($row = Database :: fetch_array($result)) {
$arrLP[] = array (
'id' => $row['id'],

@ -232,7 +232,8 @@ function switch_item_details($lp_id, $user_id, $view_id, $current_item, $next_it
if ($debug > 1) {
error_log('Prereq_match() returned '.htmlentities($mylp->error), 0);
}
$_SESSION['scorm_item_id'] = $new_item_id; // Save the new item ID for the exercise tool to use.
// Save the new item ID for the exercise tool to use.
$_SESSION['scorm_item_id'] = $new_item_id;
$_SESSION['lpobject'] = serialize($mylp);
return $return;
}

@ -167,4 +167,11 @@ function switch_item_toc($lp_id, $user_id, $view_id, $current_item, $next_item)
$_SESSION['lpobject'] = serialize($mylp);
return $return;
}
echo switch_item_toc($_POST['lid'], $_POST['uid'], $_POST['vid'], $_POST['iid'], $_POST['next']);
echo switch_item_toc(
$_POST['lid'],
$_POST['uid'],
$_POST['vid'],
$_POST['iid'],
$_POST['next']
);

@ -1,14 +1,18 @@
<?php
/* For licensing terms, see /license.txt */
/**
The class-library with all reservation-system specific functionality
* Class Rsys
* The class-library with all reservation-system specific functionality
*/
class Rsys {
class Rsys
{
/**
* Get required database-vars from inc/lib/database.lib.php and load them into the $GLOBALS['_rsys']-array
*
*/
function init() {
public function init()
{
// reservation database tables
$GLOBALS['_rsys']['dbtables']['item'] = Database :: get_main_table(TABLE_MAIN_RESERVATION_ITEM);
$GLOBALS['_rsys']['dbtables']['reservation'] = Database :: get_main_table(TABLE_MAIN_RESERVATION_RESERVATION);
@ -33,7 +37,7 @@ class Rsys {
*/
function get_num_subscriptions_reservationperiods($res_id) {
$sql = "SELECT COUNT(*) FROM ".Rsys :: getTable("subscription")." s
WHERE s.reservation_id = '".Database::escape_string($res_id)."'";
WHERE s.reservation_id = '".intval($res_id)."'";
return @ Database::result(Database::query($sql), 0, 0);
}
@ -134,9 +138,9 @@ class Rsys {
* @param - String $name The name
* @return - int The id
*/
function add_category($naam) {
if (Rsys :: check_category($naam)) {
$sql = "INSERT INTO ".Rsys :: getTable("category")." (name) VALUES ('".Database::escape_string($naam)."')";
function add_category($name) {
if (Rsys :: check_category($name)) {
$sql = "INSERT INTO ".Rsys :: getTable("category")." (name) VALUES ('".Database::escape_string($name)."')";
Database::query($sql);
return Database::insert_id();
}
@ -150,7 +154,7 @@ class Rsys {
* @return - boolean True or False
*/
function check_category($name, $id=0) {
$sql = "SELECT name FROM ".Rsys :: getTable("category")." WHERE LCASE(name)='".strtolower(Database::escape_string($name))."' AND id<>".Database::escape_string($id)."";
$sql = "SELECT name FROM ".Rsys :: getTable("category")." WHERE LCASE(name)='".strtolower(Database::escape_string($name))."' AND id<>".intval($id)."";
$Result = Database::query($sql);
return (Database::num_rows($Result) == 0);
}
@ -163,7 +167,7 @@ class Rsys {
*/
function edit_category($id, $name) {
if (Rsys :: check_category($name, $id)) {
$sql = "UPDATE ".Rsys :: getTable("category")." SET name = '".Database::escape_string($name)."' WHERE id =".Database::escape_string($id)."";
$sql = "UPDATE ".Rsys :: getTable("category")." SET name = '".Database::escape_string($name)."' WHERE id =".intval($id)."";
Database::query($sql);
return $id;
}
@ -176,11 +180,11 @@ class Rsys {
* @param - int $id The id
*/
function delete_category($id) {
$id = intval($id);
$sql = "SELECT id FROM ".Rsys :: getTable("item")." WHERE category_id=".Database::escape_string($id)."";
$id = intval($id);
$sql = "SELECT id FROM ".Rsys :: getTable("item")." WHERE category_id=".inval($id)."";
$result = Database::query($sql);
if (Database::num_rows($result) == 0) {
$sql2 = "DELETE FROM ".Rsys :: getTable("category")." WHERE id =".Database::escape_string($id)."";
$sql2 = "DELETE FROM ".Rsys :: getTable("category")." WHERE id =".intval($id)."";
Database::query($sql2);
return 0;
} else {
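Review bot: `inval($id)` on the rewritten SELECT in `delete_category` is a typo for `intval` and will raise a fatal undefined-function error the first time a category is deleted. Since `$id = intval($id);` already runs at the top of the method, the query can simply use the cast value: `$sql = "SELECT id FROM ".Rsys :: getTable("item")." WHERE category_id=".$id;`, and the DELETE below it can do the same. The method continues outside this hunk.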
@ -197,10 +201,10 @@ class Rsys {
* @return - Array One or all rows of the category-table
*/
function get_category($id = null, $orderby = "name ASC") {
$id = intval($id);
$id = intval($id);
$sql = "SELECT * FROM ".Rsys :: getTable("category");
if (!empty ($id))
$sql .= " WHERE id = ".Database::escape_string($id)."";
$sql .= " WHERE id = ".intval($id)."";
else
$sql .= " ORDER BY ".$orderby;
$arr = Database::store_result(Database::query($sql));
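Review bot: `$sql .= " ORDER BY ".$orderby;` still interpolates `$orderby` raw while this hunk tightens the neighbouring `id` comparison to `intval`; escaping cannot be applied to an ORDER BY clause, so unless every caller passes a literal the value should be checked against a list of allowed columns and directions, as `SessionManager::get_sessions_list` does elsewhere in this commit. For example: `if (!in_array($orderby, array('name ASC', 'name DESC'), true)) { $orderby = 'name ASC'; }`. Whether any caller passes user input for `$orderby` is not visible here.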
@ -308,8 +312,8 @@ class Rsys {
function check_item($item, $category, $id=0) {
$sql = "SELECT name FROM ".Rsys :: getTable("item")."
WHERE LCASE(name)='".strtolower(Database::escape_string($item))."'
AND category_id=".Database::escape_string($category)."
AND id<>".Database::escape_string($id)."";
AND category_id=".intval($category)."
AND id<>".intval($id)."";
$Result = Database::query($sql);
return (Database::num_rows($Result) == 0);
}
@ -325,7 +329,7 @@ class Rsys {
*/
function add_item($name, $description, $category, $course = "") {
if (Rsys :: check_item($name, $category)) {
$sql = "INSERT INTO ".Rsys :: getTable("item")." (category_id,course_code,name,description,creator) VALUES ('".Database::escape_string($category)."','".Database::escape_string($course)."','".Database::escape_string($name)."','".Database::escape_string($description)."','".api_get_user_id()."')";
$sql = "INSERT INTO ".Rsys :: getTable("item")." (category_id,course_code,name,description,creator) VALUES ('".intval($category)."','".Database::escape_string($course)."','".Database::escape_string($name)."','".Database::escape_string($description)."','".api_get_user_id()."')";
Database::query($sql);
return Database::insert_id();
}
@ -346,8 +350,8 @@ class Rsys {
return false;
if (!Rsys :: check_item($name, $category, $id))
return false;
$sql = "UPDATE ".Rsys :: getTable("item")." SET category_id='".Database::escape_string($category)."',course_code='".Database::escape_string($course)."',name='".Database::escape_string($name)."',description='".Database::escape_string($description)."' " .
"WHERE id =".Database::escape_string($id)."";
$sql = "UPDATE ".Rsys :: getTable("item")." SET category_id='".intval($category)."',course_code='".Database::escape_string($course)."',name='".Database::escape_string($name)."',description='".Database::escape_string($description)."' " .
"WHERE id =".intval($id)."";
Database::query($sql);
return $id;
}
@ -360,18 +364,18 @@ class Rsys {
function delete_item($id) {
if (!Rsys :: item_allow($id, 'delete'))
return false;
$sql = "SELECT id,end_at FROM".Rsys :: getTable('reservation')." WHERE item_id=".Database::escape_string($id)."";
$sql = "SELECT id,end_at FROM".Rsys :: getTable('reservation')." WHERE item_id=".intval($id)."";
$result = Database::query($sql);
while ($array = Database::fetch_array($result)) {
if (Rsys :: mysql_datetime_to_timestamp(date('Y-m-d H:i:s')) <= Rsys :: mysql_datetime_to_timestamp($array[1]))
$checked = true;
}
if (!$checked) {
$sql = "DELETE FROM ".Rsys :: getTable("item")." WHERE id =".Database::escape_string($id)."";
$sql = "DELETE FROM ".Rsys :: getTable("item")." WHERE id =".intval($id)."";
Database::query($sql);
$sql = "DELETE FROM ".Rsys :: getTable("item_rights")." WHERE item_id =".Database::escape_string($id)."";
$sql = "DELETE FROM ".Rsys :: getTable("item_rights")." WHERE item_id =".intval($id)."";
Database::query($sql);
$sql = "DELETE FROM ".Rsys :: getTable("reservation")." WHERE item_id =".Database::escape_string($id)."";
$sql = "DELETE FROM ".Rsys :: getTable("reservation")." WHERE item_id =".intval($id)."";
Database::query($sql);
return '0';
} else {
@ -403,7 +407,7 @@ class Rsys {
LEFT JOIN ".Rsys :: getTable("item_rights")." ir ON ir.item_id=i.id
LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS)." c ON ir.class_id=c.id AND ir.item_id = i.id
LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS_USER)." cu ON cu.class_id = c.id
WHERE i.id='".Database::escape_string($item_id)."' AND (". (!empty ($x) ? "(cu.user_id='".api_get_user_id()."' AND ".$x.") OR " : '')." i.creator='".api_get_user_id()."' OR 1=". (api_is_platform_admin() ? 1 : 0).")";
WHERE i.id='".intval($item_id)."' AND (". (!empty ($x) ? "(cu.user_id='".api_get_user_id()."' AND ".$x.") OR " : '')." i.creator='".api_get_user_id()."' OR 1=". (api_is_platform_admin() ? 1 : 0).")";
return Database::num_rows(Database::query($sql)) > 0;
}
@ -415,7 +419,7 @@ class Rsys {
* @return - Array The returned rows
*/
function get_item($id = null, $orderby = "name ASC") {
$id = Database::escape_string($id);
$id = intval($id);
$sql = "SELECT i.* FROM ".Rsys :: getTable("item")." i";
if (!empty ($id)) {
if (!Rsys :: item_allow($id, 'view'))
@ -438,7 +442,7 @@ class Rsys {
*/
function is_blackout($itemid) {
$sql = "SELECT id FROM ".Rsys :: getTable("item");
$sql .= " WHERE id = ".Database::escape_string($itemid)." AND blackout=1";
$sql .= " WHERE id = ".intval($itemid)." AND blackout=1";
return Database::num_rows(Database::query($sql)) == 1;
}
@ -450,7 +454,7 @@ class Rsys {
* @return - Array The returned rows
*/
function get_category_items($id, $orderby = "name ASC") {
$sql = "SELECT * FROM ".Rsys :: getTable("item")." WHERE category_id = ".Database::escape_string($id)." ORDER BY ".$orderby;
$sql = "SELECT * FROM ".Rsys :: getTable("item")." WHERE category_id = ".intval($id)." ORDER BY ".$orderby;
$arr = Database::store_result(Database::query($sql));
return $arr;
}
@ -463,7 +467,7 @@ class Rsys {
* @return - Array The returned rows
*/
function get_course_items($id, $orderby = "name ASC") {
$sql = "SELECT * FROM ".Rsys :: getTable("item")." WHERE course_id = ".Database::escape_string($id)." ORDER BY ".$orderby;
$sql = "SELECT * FROM ".Rsys :: getTable("item")." WHERE course_code = ".Database::escape_string($id)." ORDER BY ".$orderby;
$arr = Database::store_result(Database::query($sql));
return $arr;
}
@ -486,7 +490,7 @@ class Rsys {
WHERE ((cu.user_id='".api_get_user_id()."' AND (ir.edit_right=1 OR ir.delete_right=1)) OR i.creator='".api_get_user_id()."' OR 1=". (api_is_platform_admin() ? 1 : 0).")";
if (!empty ($_GET['cat']) && $_GET['cat'] <> 0) {
$sql .= " AND ca.id = '".Database::escape_string($_GET['cat'])."' ";
$sql .= " AND ca.id = '".intval($_GET['cat'])."' ";
}
$from = intval($from);
@ -520,7 +524,7 @@ class Rsys {
WHERE ( 1=". (api_is_platform_admin() ? 1 : 0)."
OR ((cu.user_id='".api_get_user_id()."' AND (ir.edit_right=1 OR ir.delete_right=1)) OR i.creator='".api_get_user_id()."' ))";
return @ Database::result(Database::query($sql), 0, 0);
return @ Database::result(Database::query($sql), 0, 0);
}
/**
@ -533,7 +537,7 @@ class Rsys {
* @return - Array The returned rows
*/
function get_table_itemrights($from, $per_page, $column, $direction) {
$itemid = Database::escape_string($_GET['item_id']);
$itemid = intval($_GET['item_id']);
$sql = "SELECT id, name FROM ".Database :: get_main_table(TABLE_MAIN_CLASS);
$result = Database::query($sql);
while ($array = Database::fetch_array($result, 'NUM')) {
@ -570,29 +574,29 @@ class Rsys {
} else {
$tabel[$count][4] = '<img src="../img/right.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=manage&set=0\'" />';
}
if ($lijn2[5] == 0) {
$tabel[$count][5] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=view&set=1\'" />';
} else {
$tabel[$count][5] = '<img src="../img/right.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=view&set=0\'" />';
}
$controle = true;
}
}
if (!$controle) {
$tabel[$count][2] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=edit&set=1\'" />';
$tabel[$count][3] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=delete&set=1\'" />';
$tabel[$count][4] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=manage&set=1\'" />';
$tabel[$count][5] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=view&set=1\'" />';
}
$tabel[$count][6] = $itemid."-".$lijn[0];
if ($lijn2[5] == 0) {
$tabel[$count][5] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=view&set=1\'" />';
} else {
$tabel[$count][5] = '<img src="../img/right.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=view&set=0\'" />';
}
$controle = true;
}
}
if (!$controle) {
$tabel[$count][2] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=edit&set=1\'" />';
$tabel[$count][3] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=delete&set=1\'" />';
$tabel[$count][4] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=manage&set=1\'" />';
$tabel[$count][5] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=view&set=1\'" />';
}
$tabel[$count][6] = $itemid."-".$lijn[0];
}
}
return $tabel;
}
function set_new_right($item_id, $class_id, $column, $value) {
$item_id = Database::escape_string($item_id);
$class_id = Database::escape_string($class_id);
$item_id = intval($item_id);
$class_id = intval($class_id);
$value = Database::escape_string($value);
$column = Database::escape_string($column);
@ -625,7 +629,7 @@ class Rsys {
* @return - Array The returned rows
*/
function get_itemfiltered_class($item_id) {
$item_id = Database::escape_string($item_id);
$item_id = intval($item_id);
$sql = "SELECT * FROM ".Database :: get_main_table(TABLE_MAIN_CLASS)."
WHERE id NOT IN (SELECT class_id FROM ".Rsys :: getTable("item_rights")." WHERE item_id='".$item_id."') ORDER BY name ASC, code ASC";
$arr = Database::store_result(Database::query($sql));
@ -639,7 +643,7 @@ class Rsys {
* @return - int The amount
*/
function get_num_itemfiltered_class($item_id) {
$item_id = Database::escape_string($item_id);
$item_id = intval($item_id);
$sql = "SELECT COUNT(id) FROM ".Database :: get_main_table(TABLE_MAIN_CLASS)." WHERE id NOT IN (SELECT class_id FROM ".Rsys :: getTable("item_rights")." WHERE item_id='".$item_id."') ORDER BY name ASC, code ASC";
return Database::result(Database::query($sql), 0, 0);
}
@ -656,7 +660,7 @@ class Rsys {
function add_item_right($item_id, $class_id, $edit, $delete, $m_reservation) {
if (!Rsys :: item_allow($item_id, 'm_rights'))
return false;
$sql = "INSERT INTO ".Rsys :: getTable("item_rights")." (item_id,class_id,edit_right,delete_right,m_reservation) VALUES ('".Database::escape_string($item_id)."','".Database::escape_string($class_id)."','".Database::escape_string($edit)."','".Database::escape_string($delete)."','".Database::escape_string($m_reservation)."')";
$sql = "INSERT INTO ".Rsys :: getTable("item_rights")." (item_id,class_id,edit_right,delete_right,m_reservation) VALUES ('".intval($item_id)."','".intval($class_id)."','".Database::escape_string($edit)."','".Database::escape_string($delete)."','".Database::escape_string($m_reservation)."')";
Database::query($sql);
}
@ -671,8 +675,8 @@ class Rsys {
* @return - int The id
*/
function edit_item_right($item_id, $class_id, $edit, $delete, $m_reservation) {
$item_id = Database::escape_string($item_id);
$class_id = Database::escape_string($class_id);
$item_id = intval($item_id);
$class_id = intval($class_id);
if (!Rsys :: item_allow($item_id, 'm_rights'))
return false;
@ -686,8 +690,8 @@ class Rsys {
* @param - int $id The id
*/
function delete_item_right($item_id, $class_id) {
$item_id = Database::escape_string($item_id);
$class_id = Database::escape_string($class_id);
$item_id = intval($item_id);
$class_id = intval($class_id);
if (!Rsys :: item_allow($item_id, 'm_rights'))
return false;
@ -696,15 +700,15 @@ class Rsys {
}
function get_class_group($class_id) {
$class_id = Database::escape_string($class_id);
$class_id = intval($class_id);
$sql = "SELECT * FROM ".Database :: get_main_table(TABLE_MAIN_CLASS)." WHERE id='".$class_id."'";
$arr = Database::store_result(Database::query($sql));
return $arr;
}
function get_item_rights($item_id, $class_id) {
$item_id = Database::escape_string($item_id);
$class_id = Database::escape_string($class_id);
$item_id = intval($item_id);
$class_id = intval($class_id);
$sql = "SELECT * FROM ".Rsys :: getTable('item_rights')." WHERE item_id='".$item_id."' AND class_id='".$class_id."'";
$arr = Database::store_result(Database::query($sql));
@ -712,7 +716,7 @@ class Rsys {
}
function black_out_changer($item_id) {
$item_id = Database::escape_string($item_id);
$item_id = intval($item_id);
$sql = "SELECT blackout FROM ".Rsys :: getTable("item")." WHERE id='".$item_id."'";
$Value = Database::store_result(Database::query($sql));
($Value[0][0] == 0 ? $changedValue = 1 : $changedValue = 0);
@ -723,7 +727,7 @@ class Rsys {
}
function black_out_notifier($item_id, $value) {
$item_id = Database::escape_string($item_id);
$item_id = intval($item_id);
$value = Database::escape_string($value);
$sql = "SELECT id, timepicker FROM ".Rsys :: getTable('reservation')."
@ -791,7 +795,7 @@ class Rsys {
}
function check_date($item_id, $start_date, $end_date, $start_at, $end_at) {
$item_id = Database::escape_string($item_id);
$item_id = intval($item_id);
$start_date = Database::escape_string($start_date);
$end_date = Database::escape_string($end_date);
$start_at = Database::escape_string($start_at);
@ -826,8 +830,8 @@ class Rsys {
}
function check_date_edit($item_id, $start_date, $end_date, $start_at, $end_at, $reservation_id) {
$item_id = Database::escape_string($item_id);
$reservation_id = Database::escape_string($reservation_id);
$item_id = intval($item_id);
$reservation_id = intval($reservation_id);
$start_date = Database::escape_string($start_date);
$end_date = Database::escape_string($end_date);
$start_at = Database::escape_string($start_at);
@ -882,7 +886,7 @@ class Rsys {
* Returns an array with items from a category linked to rights(used by m_reservations.php)
*/
function get_cat_r_items($category) {
$category = Database::escape_string($category);
$category = intval($category);
$sql = "SELECT i.id,i.name as catitem
FROM ".Rsys :: getTable('item')." i
INNER JOIN ".Rsys :: getTable('category')." cat ON cat.id=i.category_id
@ -901,7 +905,7 @@ class Rsys {
* Returns an array with [ itemID => "category/item" ] with view_rights (used by reservation.php)
*/
function get_cat_items($category) {
$category = Database::escape_string($category);
$category = intval($category);
$sql = "SELECT i.id,i.name as catitem
FROM ".Rsys :: getTable('item')." i
INNER JOIN ".Rsys :: getTable('category')." cat ON cat.id=i.category_id
@ -927,7 +931,7 @@ class Rsys {
*/
function get_table_reservations($from, $per_page, $column, $direction) {
$sql = "SELECT DISTINCT r.id AS col0, i.name AS col1, DATE_FORMAT(r.start_at,'%Y-%m-%d %H:%i') AS col2, DATE_FORMAT(r.end_at,'%Y-%m-%d %H:%i') AS col3," .
"DATE_FORMAT(r.subscribe_from,'%Y-%m-%d %k:%i') AS col4, DATE_FORMAT(r.subscribe_until,'%Y-%m-%d %k:%i') AS col5,IF(timepicker <> 0, '".get_lang('TimePicker')."',CONCAT(r.subscribers,'/',r.max_users)) AS col6, r.notes AS col7, r.id as col8
"DATE_FORMAT(r.subscribe_from,'%Y-%m-%d %k:%i') AS col4, DATE_FORMAT(r.subscribe_until,'%Y-%m-%d %k:%i') AS col5,IF(timepicker <> 0, '".get_lang('TimePicker')."',CONCAT(r.subscribers,'/',r.max_users)) AS col6, r.notes AS col7, r.id as col8
FROM ".Rsys :: getTable('reservation')." r
INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id
LEFT JOIN ".Rsys :: getTable('item_rights')." ir ON ir.item_id=i.id
@ -955,7 +959,7 @@ class Rsys {
}
function check_edit_right($id) {
$id = Database::escape_string($id);
$id = intval($id);
$sql = "SELECT r.id
FROM ".Rsys :: getTable('reservation')." r
INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id
@ -971,7 +975,7 @@ class Rsys {
}
function check_delete_right($id) {
$id = Database::escape_string($id);
$id = intval($id);
$sql = "SELECT r.id
FROM ".Rsys :: getTable('reservation')." r
INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id
@ -987,7 +991,7 @@ class Rsys {
}
function check_auto_accept($id) {
$id = Database::escape_string($id);
$id = intval($id);
$sql = "SELECT auto_accept FROM ".Rsys :: getTable('reservation')." WHERE id='".$id."'";
return Database::result(Database::query($sql), 0, 0);
}
@ -1005,10 +1009,10 @@ class Rsys {
LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS)." c ON ir.class_id=c.id AND ir.item_id = r.item_id
LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS_USER)." cu ON cu.class_id = c.id
WHERE ((ir.m_reservation=1 AND cu.user_id='".api_get_user_id()."') OR i.creator='".api_get_user_id()."' OR 1=". (api_is_platform_admin() ? 1 : 0).')';
if (isset ($_GET['keyword'])) {
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " AND (i.name LIKE '%".$keyword."%' OR i.description LIKE '%".$keyword."%' OR r.notes LIKE '%".$keyword."%')";
}
if (isset ($_GET['keyword'])) {
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " AND (i.name LIKE '%".$keyword."%' OR i.description LIKE '%".$keyword."%' OR r.notes LIKE '%".$keyword."%')";
}
return Database::result(Database::query($sql), 0, 0);
}
@ -1033,7 +1037,7 @@ class Rsys {
return 2;
}
if ($start_at < (date( 'Y-m-d H:i:s',time())))
return 3;
return 3;
if (($stamp_start_date != $stamp_end_date) && $timepicker == '1')
{
return 4;
@ -1068,7 +1072,7 @@ class Rsys {
}
}
$sql = "INSERT INTO ".Rsys :: getTable("reservation")." (item_id,auto_accept,max_users,start_at,end_at,subscribe_from,subscribe_until,notes,timepicker,timepicker_min,timepicker_max,subid) VALUES ('".Database::escape_string($item_id)."','".Database::escape_string($auto_accept)."','". (intval($max_users) > 1 ? $max_users : 1)."','".Database::escape_string($start_at)."','".Database::escape_string($end_at)."','".Database::escape_string($subscribe_from)."','".Database::escape_string($subscribe_until)."','".Database::escape_string($notes)."','".$timepicker."','".$min."','".$max."','". ($subid == 0 ? 0 : $subid)."')";
$sql = "INSERT INTO ".Rsys :: getTable("reservation")." (item_id,auto_accept,max_users,start_at,end_at,subscribe_from,subscribe_until,notes,timepicker,timepicker_min,timepicker_max,subid) VALUES ('".intval($item_id)."','".Database::escape_string($auto_accept)."','". (intval($max_users) > 1 ? $max_users : 1)."','".Database::escape_string($start_at)."','".Database::escape_string($end_at)."','".Database::escape_string($subscribe_from)."','".Database::escape_string($subscribe_until)."','".Database::escape_string($notes)."','".$timepicker."','".$min."','".$max."','". ($subid == 0 ? 0 : $subid)."')";
Database::query($sql);
return 0;
}
@ -1082,7 +1086,7 @@ class Rsys {
*
*/
function edit_reservation($id, $item_id, $auto_accept, $max_users, $start_at, $end_at, $subscribe_from, $subscribe_until, $notes, $timepicker) {
$id = Database::escape_string($id);
$id = intval($id);
if (!Rsys :: item_allow($item_id, 'm_reservation'))
return false;
@ -1116,7 +1120,7 @@ class Rsys {
} else {
$auto_accept = 0;
}
$sql = "UPDATE ".Rsys :: getTable("reservation")." SET item_id='".Database::escape_string($item_id)."',auto_accept='".Database::escape_string($auto_accept)."',max_users='". ($max_users > 1 ? $max_users : 1)."',start_at='".Database::escape_string($start_at)."',end_at='".Database::escape_string($end_at)."',subscribe_from='".Database::escape_string($subscribe_from)."',subscribe_until='".Database::escape_string($subscribe_until)."',notes='".Database::escape_string($notes)."' WHERE id='".$id."'";
$sql = "UPDATE ".Rsys :: getTable("reservation")." SET item_id='".intval($item_id)."',auto_accept='".Database::escape_string($auto_accept)."',max_users='". ($max_users > 1 ? $max_users : 1)."',start_at='".Database::escape_string($start_at)."',end_at='".Database::escape_string($end_at)."',subscribe_from='".Database::escape_string($subscribe_from)."',subscribe_until='".Database::escape_string($subscribe_until)."',notes='".Database::escape_string($notes)."' WHERE id='".$id."'";
Database::query($sql);
return 0;
}
@ -1125,7 +1129,7 @@ class Rsys {
* Deletes a reservation
*/
function delete_reservation($id) {
$id = Database::escape_string($id);
$id = intval($id);
$sql = "SELECT id FROM ".Rsys :: getTable("reservation")."WHERE id='".$id."' OR subid='".$id."'";
$result2 = Database::query($sql);
@ -1148,7 +1152,7 @@ class Rsys {
}
function is_owner_item($id) {
$id = Database::escape_string($id);
$id = intval($id);
$sql = "SELECT creator FROM ".Rsys :: getTable('item')." i ,".Rsys :: getTable('reservation')." r
where i.id = r.item_id
and r.id = '".$id."'
@ -1160,7 +1164,7 @@ class Rsys {
}
function get_reservation($id) {
$id = Database::escape_string($id);
$id = intval($id);
$sql = "SELECT *
FROM ".Rsys :: getTable('reservation')." r
@ -1192,10 +1196,10 @@ class Rsys {
WHERE ((ir.m_reservation=1 AND cu.user_id='".api_get_user_id()."')
OR i2.creator='".api_get_user_id()."'
OR 1=". (api_is_platform_admin() ? 1 : 0)."))";
if (isset ($_GET['keyword'])) {
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " AND (i1.name LIKE '%".$keyword."%' or r1.start_at LIKE '%".$keyword."%' or r1.end_at LIKE '%".$keyword."%' or u.lastname LIKE '%".$keyword."%' or u.firstname LIKE '%".$keyword."%' or s.start_at LIKE '%".$keyword."%' or s.end_at LIKE '%".$keyword."%')";
}
if (isset ($_GET['keyword'])) {
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " AND (i1.name LIKE '%".$keyword."%' or r1.start_at LIKE '%".$keyword."%' or r1.end_at LIKE '%".$keyword."%' or u.lastname LIKE '%".$keyword."%' or u.firstname LIKE '%".$keyword."%' or s.start_at LIKE '%".$keyword."%' or s.end_at LIKE '%".$keyword."%')";
}
return Database::result(Database::query($sql), 0, 0);
}
@ -1228,10 +1232,10 @@ class Rsys {
WHERE ((ir.m_reservation=1 AND cu.user_id='".api_get_user_id()."')
OR i2.creator='".api_get_user_id()."'
OR 1=". (api_is_platform_admin() ? 1 : 0)."))";
if (isset ($_GET['keyword'])) {
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " AND (i1.name LIKE '%".$keyword."%' or c.name LIKE '%".$keyword."%' or r1.start_at LIKE '%".$keyword."%' or r1.end_at LIKE '%".$keyword."%' or u.lastname LIKE '%".$keyword."%' or u.firstname LIKE '%".$keyword."%' or s.start_at LIKE '%".$keyword."%' or s.end_at LIKE '%".$keyword."%')";
}
if (isset ($_GET['keyword'])) {
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " AND (i1.name LIKE '%".$keyword."%' or c.name LIKE '%".$keyword."%' or r1.start_at LIKE '%".$keyword."%' or r1.end_at LIKE '%".$keyword."%' or u.lastname LIKE '%".$keyword."%' or u.firstname LIKE '%".$keyword."%' or s.start_at LIKE '%".$keyword."%' or s.end_at LIKE '%".$keyword."%')";
}
$sql .= " ORDER BY col".$column." ".$direction." LIMIT ".$from.",".$per_page;
/*$result = Database::query($sql);
while ($array = Database::fetch_array($result, 'NUM'))
@ -1301,7 +1305,7 @@ class Rsys {
and s.reservation_id = r.id";
if (!empty ($_GET['rid'])) {
$sql .= " and r.id = '".Database::escape_string($_GET['rid'])."'";
$sql .= " and r.id = '".intval($_GET['rid'])."'";
}
$sql .= " ORDER BY col".$column." ".$direction." LIMIT ".$from.",".$per_page;
$result = Database::query($sql);
@ -1354,7 +1358,7 @@ class Rsys {
function set_accepted($id, $value) {
global $subscription;
$id = Database::escape_string($id);
$id = intval($id);
$value = Database::escape_string($value);
$sql = "UPDATE ".Rsys :: getTable('subscription')." SET ACCEPTED='".$value."' WHERE dummy='".$id."'";
Database::query($sql);
@ -1407,7 +1411,7 @@ class Rsys {
*/
function check_date_subscription($reservation_id, $start_at, $end_at) {
$reservation_id = Database::escape_string($reservation_id);
$reservation_id = intval($reservation_id);
$start_at = Database::escape_string($start_at);
$end_at = Database::escape_string($end_at);
@ -1461,7 +1465,7 @@ class Rsys {
}
function check_date_month_calendar($date, $itemid) {
$itemid = Database::escape_string($itemid);
$itemid = intval($itemid);
$date = Database::escape_string($date);
$sql = "SELECT id FROM ".Rsys :: getTable('reservation')."
@ -1485,13 +1489,13 @@ class Rsys {
* @param - int $reservation_id The id off the reservation
*/
function add_subscription($reservation_id, $user_id, $accepted) {
$reservation_id = Database::escape_string($reservation_id);
$user_id = Database::escape_string($user_id);
$accepted = Database::escape_string($accepted);
$reservation_id = intval($reservation_id);
$user_id = intval($user_id);
$accepted = intval($accepted);
$sql = "SELECT user_id FROM ".Rsys :: getTable("subscription")." WHERE user_id='".$user_id."' AND reservation_id='".$reservation_id."'";
if (Database::num_rows(Database::query($sql)) == 0) {
$sql = "INSERT INTO ".Rsys :: getTable("subscription")." (user_id,reservation_id,accepted) VALUES ('".Database::escape_string($user_id)."','".Database::escape_string($reservation_id)."','". ($accepted ? '1' : '0')."')";
$sql = "INSERT INTO ".Rsys :: getTable("subscription")." (user_id,reservation_id,accepted) VALUES ('".intval($user_id)."','".intval($reservation_id)."','". ($accepted ? '1' : '0')."')";
Database::query($sql);
$sql = "UPDATE ".Rsys :: getTable("reservation")." SET subscribers=subscribers+1 WHERE id='".$reservation_id."'";
Database::query($sql);
@ -1528,7 +1532,7 @@ class Rsys {
if ((Rsys :: mysql_datetime_to_timestamp($end_date)-Rsys :: mysql_datetime_to_timestamp($start_date)) > ($max*60))
return 3;
}
$sql = "INSERT INTO ".Rsys :: getTable("subscription")." (user_id,reservation_id,accepted,start_at,end_at) VALUES ('".Database::escape_string($user_id)."','".Database::escape_string($reservation_id)."','". ($accepted ? '1' : '0')."','".$start_date."','".$end_date."')";
$sql = "INSERT INTO ".Rsys :: getTable("subscription")." (user_id,reservation_id,accepted,start_at,end_at) VALUES ('".intval($user_id)."','".intval($reservation_id)."','". ($accepted ? '1' : '0')."','".$start_date."','".$end_date."')";
Database::query($sql);
return 0;
}
@ -1539,7 +1543,7 @@ class Rsys {
function delete_subscription($reservation_id, $dummy) {
$sql = "DELETE FROM ".Rsys :: getTable("subscription")." WHERE dummy='".Database::escape_string($dummy)."'";
Database::query($sql);
$sql = "UPDATE ".Rsys :: getTable("reservation")." SET subscribers=subscribers-1 WHERE id='".Database::escape_string($reservation_id)."'";
$sql = "UPDATE ".Rsys :: getTable("reservation")." SET subscribers=subscribers-1 WHERE id='".intval($reservation_id)."'";
Database::query($sql);
}
@ -1642,7 +1646,7 @@ class Rsys {
* ['max_end_at'] = the maximal end_at in all reservations (usefull to build table)
*/
function get_item_reservations($from, $till, $itemid) {
$itemid = Database::escape_string($itemid);
$itemid = intval($itemid);
$till = Database::escape_string($till);
$from = Database::escape_string($from);
@ -1698,7 +1702,7 @@ class Rsys {
* Returns $reservation_id=>"START_AT - END_AT"
*/
function get_item_subfiltered_reservations($item_id) {
$itemid = Database::escape_string($itemid);
$itemid = intval($itemid);
$sql = "SELECT r.id AS reservation_id, r.start_at, r.end_at
FROM ".Rsys :: getTable('reservation')." r
INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id

@ -7,7 +7,7 @@
* @package chamilo.auth
*/
if (Security::remove_XSS($_REQUEST['action']) !== 'subscribe') {
if (isset($_REQUEST['action']) && Security::remove_XSS($_REQUEST['action']) !== 'subscribe') {
$stok = Security::get_token();
} else {
$stok = $_SESSION['sec_token'];
@ -33,6 +33,8 @@ if ($showSessions && isset($_POST['date'])) {
}
$userInfo = api_get_user_info();
$code = isset($code) ? $code : null;
?>
<script>
$(document).ready( function() {
@ -52,7 +54,7 @@ $userInfo = api_get_user_info();
}
});
});
$('.courses-list-btn').toggle(function (e) {
e.preventDefault();
@ -72,10 +74,8 @@ $userInfo = api_get_user_info();
},
success: function (response){
var $container = $el.prev('.course-list');
var $courseList = $('<ul>');
$.each(response, function (index, course){
$.each(response, function (index, course) {
$courseList.append('<li><div><strong>' + course.name + '</strong><br>' + course.coachName + '</div></li>');
});
@ -84,21 +84,18 @@ $userInfo = api_get_user_info();
});
}, function (e) {
e.preventDefault();
var $el = $(this);
var $container = $el.prev('.course-list');
$container.hide(250).empty();
$el.children('img').remove();
$el.prepend('<?php echo Display::display_icon('nolines_plus.gif'); ?>');
});
var getSessionId = function (el){
var getSessionId = function (el) {
var parts = el.id.split('_');
return parseInt(parts[1], 10);
};
<?php if ($showSessions) { ?>
$('#date').datepicker({
dateFormat: 'yy-mm-dd'
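Review bot: The new guard `if (isset($_REQUEST['action']) && Security::remove_XSS($_REQUEST['action']) !== 'subscribe')` inverts the default for a request with no `action` at all: that case now falls into the `else` branch and reuses `$_SESSION['sec_token']`, whereas the old line called `Security::get_token()` and issued a fresh one, so on a session that has not yet been given a token `$stok` ends up null and the page is emitted without a usable token. The intent looks like "regenerate unless we are handling a subscribe", which would be `if (!isset($_REQUEST['action']) || Security::remove_XSS($_REQUEST['action']) !== 'subscribe') {`. Separately, the unchanged line `$courseList.append('<li><div><strong>' + course.name + '</strong><br>' + course.coachName + '</div></li>');` builds markup by concatenating fields of the AJAX response, so `name` and `coachName` are rendered unescaped unless the endpoint escapes them server-side — worth confirming, or building the nodes with `.text()` instead. The surrounding `$(document).ready` block starts before the first hunk and ends after the last one.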

@ -1600,7 +1600,7 @@ function WSEditUserWithPicture($params) {
// Get user id from id wiener
$user_id = UserManager::get_user_id_from_original_id($original_user_id_value, $original_user_id_name);
// Get picture and generate uri.
$filename = basename($picture_url);
$tempdir = sys_get_temp_dir();
@ -5462,10 +5462,10 @@ function WSListSessions($params) {
$sql_params = array();
// Dates should be provided in YYYY-MM-DD format, UTC
if (!empty($params['date_start'])) {
$sql_params['s.date_start >='] = $params['date_start'];
$sql_params['s.date_start'] = array('operator' => '>=', 'value' => $params['date_start']);
}
if (!empty($params['date_end'])) {
$sql_params['s.date_end <='] = $params['date_end'];
$sql_params['s.date_end'] = array('operator' => '<=', 'value' => $params['date_end']);
}
$sessions_list = SessionManager::get_sessions_list($sql_params);
$return_list = array();
@ -5478,6 +5478,7 @@ function WSListSessions($params) {
'date_end' => $session['date_end'],
);
}
return $return_list;
}
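Review bot: The two changed lines put `$params['date_start']` and `$params['date_end']` into `$sql_params` verbatim, and nothing in the hunk enforces the `YYYY-MM-DD` format the comment above promises; these values arrive from a SOAP client, and whether they are escaped or bound as parameters depends on `SessionManager::get_sessions_list()`, which is not visible here. Validate before building the condition, e.g. `if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $params['date_start'])) { return $return_list; }` (or `DateTime::createFromFormat('Y-m-d', ...)` with a `false` check), so a malformed or hostile value is rejected instead of being handed to the query builder. The body of `WSListSessions` starts outside the hunk.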
