Fixing SQL queries due DB changes (single database)

main/cron/document/finddoc.php

@@ -11,14 +11,13 @@ require_once '../../inc/lib/course.lib.php';
 if (empty($_GET['doc'])) {
   echo "To add a document name to search, add ?doc=abc to the URL";
 } else {
-  echo "Received param ".$_GET['doc']."<br />";
+  echo "Received param ".Security::remove_XSS($_GET['doc'])."<br />";
 }
 $courses_list =  CourseManager::get_courses_list();
 foreach ($courses_list as $course) {
-  //echo '<pre>'.print_r($course['db_name'],1).'</pre>';
   $title = Database::escape_string($_GET['doc']);
-  $td = Database::get_course_table(TABLE_DOCUMENT,$course['db_name']);
-  $sql = "SELECT id, path FROM $td WHERE path LIKE '%$title%' or title LIKE '%$title%'";
+  $td = Database::get_course_table(TABLE_DOCUMENT);
+  $sql = "SELECT id, path FROM $td WHERE c_id = ".$course['id']." AND path LIKE '%$title%' OR title LIKE '%$title%'";
   $res = Database::query($sql);
   if (Database::num_rows($res)>0) {
     while ($row = Database::fetch_array($res)) {

main/cron/document/index_all_docs.php

@@ -25,12 +25,12 @@ $specific_fields_values = array();
 foreach ($specific_fields as $sf) {
 	$specific_fields_values[$sf['code']] = '';
 }
+$td = Database::get_course_table(TABLE_DOCUMENT);
 
 foreach ($courses_list as $course) {
   $course_dir = $course['directory'].'/document';
-  $title = Database::escape_string($_GET['doc']);
-  $td = Database::get_course_table(TABLE_DOCUMENT,$course['db_name']);
-  $sql = "SELECT id, path, session_id FROM $td WHERE path LIKE '%$title%' or title LIKE '%$title%'";
+  $title = Database::escape_string($_GET['doc']);  
+  $sql = "SELECT id, path, session_id FROM $td WHERE c_id = ".$course['id']." AND path LIKE '%$title%' or title LIKE '%$title%'";
   $res = Database::query($sql);
   if (Database::num_rows($res)>0) {
     while ($row = Database::fetch_array($res)) {

main/document/create_document.php

@@ -172,6 +172,9 @@ if ($is_certificate_mode) {
 
 /*	Constants and variables */
 
+$doc_table = Database::get_course_table(TABLE_DOCUMENT);
+$course_id = api_get_course_int_id();
+
 $document_data = DocumentManager::get_document_data_by_id($_REQUEST['id'], api_get_course_id(), true);    
 if (empty($document_data)) {
     if (api_is_in_group()) {
@@ -422,8 +425,8 @@ if (!$is_certificate_mode && !is_my_shared_folder($_user['user_id'], $dir, $curr
 					$escaped_folders[$key] = Database::escape_string($val);
 			}
 			$folder_sql = implode("','", $escaped_folders);
-			$doc_table = Database::get_course_table(TABLE_DOCUMENT);
-			$sql = "SELECT * FROM $doc_table WHERE filetype='folder' AND path IN ('".$folder_sql."')";
+			
+			$sql = "SELECT * FROM $doc_table WHERE c_id = $course_id AND filetype='folder' AND path IN ('".$folder_sql."')";
 			$res = Database::query($sql);
 			$folder_titles = array();	
 			while ($obj = Database::fetch_object($res)) {				
@@ -571,13 +574,12 @@ if ($form->validate()) {
 			$new_comment = isset($_POST['comment']) ? trim($_POST['comment']) : '';
 			$new_title = isset($_POST['title']) ? trim($_POST['title']) : '';
 			if ($new_comment || $new_title) {
-				$TABLE_DOCUMENT = Database::get_course_table(TABLE_DOCUMENT);
 				$ct = '';
 				if ($new_comment)
 					$ct .= ", comment='$new_comment'";
 				if ($new_title)
 					$ct .= ", title='$new_title'";
-				Database::query("UPDATE $TABLE_DOCUMENT SET".substr($ct, 1)." WHERE id = '$document_id'");
+				Database::query("UPDATE $doc_table SET".substr($ct, 1)." WHERE c_id = $course_id AND id = '$document_id'");
 			}
 			$dir= substr($dir,0,-1);
 			$selectcat = '';

main/document/document.inc.php

@@ -17,6 +17,7 @@
  */
 
 function build_directory_selector($folders, $document_id, $group_dir = '', $change_renderer = false) {
+    $doc_table = Database::get_course_table(TABLE_DOCUMENT);
     $course_id = api_get_course_int_id();
     $folder_titles = array();
     if (api_get_setting('use_document_title') == 'true') {
@@ -26,7 +27,7 @@ function build_directory_selector($folders, $document_id, $group_dir = '', $chan
                 $escaped_folders[$key] = Database::escape_string($val);
             }
             $folder_sql = implode("','", $escaped_folders);
-            $doc_table = Database::get_course_table(TABLE_DOCUMENT);
+            
             $sql = "SELECT * FROM $doc_table WHERE filetype = 'folder' AND c_id = $course_id AND path IN ('".$folder_sql."')";
             $res = Database::query($sql);
             $folder_titles = array();
@@ -702,8 +703,8 @@ function build_move_to_selector($folders, $curdirpath, $move_file, $group_dir =
  * @return the path which should be displayed
  */
 function get_titles_of_path($path) {
-
     global $tmp_folders_titles;
+    $course_id = api_get_course_int_id();
 
     $nb_slashes = substr_count($path, '/');
     $tmp_path = '';
@@ -723,7 +724,8 @@ function get_titles_of_path($path) {
             // If this path has soon been stored here we don't need a new query
             $path_displayed .= $tmp_folders_titles[$tmp_path];
         } else {
-            $sql = 'SELECT title FROM '.Database::get_course_table(TABLE_DOCUMENT).' WHERE path LIKE BINARY "'.$tmp_path.'"';
+            $sql = 'SELECT title FROM '.Database::get_course_table(TABLE_DOCUMENT).' 
+                    WHERE c_id = '.$course_id.' AND path LIKE BINARY "'.$tmp_path.'"';
             $rs = Database::query($sql);
             $tmp_title = '/'.Database::result($rs, 0, 0);
             $path_displayed .= $tmp_title;

main/document/document.php

@@ -289,8 +289,9 @@ if (isset($_GET['curdirpath']) && $_GET['curdirpath'] == '/certificates' && isse
 
 // Is the document tool visible?
 // Check whether the tool is actually visible
-$table_course_tool  = Database::get_course_table(TABLE_TOOL_LIST, $_course['dbName']);
-$tool_sql           = 'SELECT visibility FROM ' . $table_course_tool . ' WHERE name = "'. TOOL_DOCUMENT .'" LIMIT 1';
+$table_course_tool  = Database::get_course_table(TABLE_TOOL_LIST);
+$course_id          = api_get_course_int_id();
+$tool_sql           = 'SELECT visibility FROM ' . $table_course_tool . ' WHERE c_id = '.$course_id.' AND name = "'. TOOL_DOCUMENT .'" LIMIT 1';
 $tool_result        = Database::query($tool_sql);
 $tool_row           = Database::fetch_array($tool_result);
 $tool_visibility    = $tool_row['visibility'];
@@ -599,8 +600,6 @@ if ($is_allowed_to_edit || $group_member_with_upload_rights || is_my_shared_fold
         }
         $document_to_move = DocumentManager::get_document_data_by_id($_POST['move_file'], api_get_course_id());            
         require_once $lib_path.'fileManage.lib.php';
-        // This is needed for the update_db_info function
-        $dbTable = Database::get_course_table(TABLE_DOCUMENT);
         // Security fix: make sure they can't move files that are not in the document table
         if (!empty($document_to_move)) {
 			
@@ -608,12 +607,8 @@ if ($is_allowed_to_edit || $group_member_with_upload_rights || is_my_shared_fold
 			$fileExist=false;
 			if(file_exists($real_path_target)){
 				$fileExist=true;
-			}			
-			
+			}						
             if (move($base_work_dir.$document_to_move['path'], $base_work_dir.$_POST['move_to'])) {
-            //if (1) {
-            //$contents = DocumentManager::replace_urls_inside_content_html_when_moving_file(basename($document_to_move['path']), $base_work_dir.dirname($document_to_move['path']), $base_work_dir.$_POST['move_to']);
-            //exit;
                 update_db_info('update', $document_to_move['path'], $_POST['move_to'].'/'.basename($document_to_move['path']));
                
 			   //update database item property

main/document/document_lite.php

@@ -168,8 +168,9 @@ $current_folder_id = $document_id;
 
 // Is the document tool visible?
 // Check whether the tool is actually visible
-$table_course_tool  = Database::get_course_table(TABLE_TOOL_LIST, $_course['dbName']);
-$tool_sql           = 'SELECT visibility FROM ' . $table_course_tool . ' WHERE name = "'. TOOL_DOCUMENT .'" LIMIT 1';
+$table_course_tool  = Database::get_course_table(TABLE_TOOL_LIST);
+$course_id          = api_get_course_int_id();
+$tool_sql           = 'SELECT visibility FROM ' . $table_course_tool . ' WHERE c_id = '.$course_id.' AND name = "'. TOOL_DOCUMENT .'" LIMIT 1';
 $tool_result        = Database::query($tool_sql);
 $tool_row           = Database::fetch_array($tool_result);
 $tool_visibility    = $tool_row['visibility'];
@@ -431,10 +432,7 @@ if ($is_allowed_to_edit || $group_member_with_upload_rights || is_my_shared_fold
             }
         }
         $document_to_move = DocumentManager::get_document_data_by_id($_POST['move_file'], api_get_course_id());            
-        require_once $lib_path.'fileManage.lib.php';
-        // This is needed for the update_db_info function
-        //$dbTable = $_course['dbNameGlu'].'document';
-        $dbTable = Database::get_course_table(TABLE_DOCUMENT);
+        require_once $lib_path.'fileManage.lib.php';        
         // Security fix: make sure they can't move files that are not in the document table
         if (!empty($document_to_move)) {
 			

main/document/downloadfolder.inc.php

@@ -37,6 +37,8 @@ $zip_folder     = new PclZip($temp_zip_file);
 $doc_table      = Database::get_course_table(TABLE_DOCUMENT);
 $prop_table     = Database::get_course_table(TABLE_ITEM_PROPERTY);
 
+$course_id      = api_get_course_int_id();
+
 //$to_group_id = api_get_group_id(); variable loaded in document.php
 
 
@@ -64,7 +66,7 @@ if (api_is_allowed_to_edit()) {
 					docs.path 			LIKE '".$querypath."/%' AND 
 					docs.filetype		= 'file' AND props.visibility<>'2' AND 
 					props.to_group_id	= ".$to_group_id." AND 
-					docs.c_id 			= ".api_get_course_int_id()." ";
+					docs.c_id 			= ".$course_id." ";
 	$query = Database::query($sql);
 	// Add tem to the zip file
 	while ($not_deleted_file = Database::fetch_assoc($query)) {
@@ -82,8 +84,8 @@ if (api_is_allowed_to_edit()) {
 	// So... I do it in a couple of steps:
 	// 1st: Get all files that are visible in the given path
 	$querypath = Database::escape_string($querypath);
-	$query = Database::query("SELECT path FROM $doc_table AS docs,$prop_table AS props 
-						      WHERE props.tool='".TOOL_DOCUMENT."' AND docs.id=props.ref AND docs.path LIKE '".$querypath."/%' AND props.visibility='1' AND docs.filetype='file' AND props.to_group_id=".$to_group_id);
+	$query = Database::query("SELECT path FROM $doc_table AS docs, $prop_table AS props 
+						      WHERE docs.c_id = $course_id AND props.c_id = $course_id AND props.tool='".TOOL_DOCUMENT."' AND docs.id=props.ref AND docs.path LIKE '".$querypath."/%' AND props.visibility='1' AND docs.filetype='file' AND props.to_group_id=".$to_group_id);
 	// Add them to an array
 	while ($all_visible_files = Database::fetch_assoc($query)) {
 		$all_visible_files_path[] = $all_visible_files['path'];
@@ -91,14 +93,15 @@ if (api_is_allowed_to_edit()) {
 
 	// 2nd: Get all folders that are invisible in the given path
 	$query2 = Database::query("SELECT path FROM $doc_table AS docs,$prop_table AS props 
-							   WHERE props.tool='".TOOL_DOCUMENT."' AND docs.id=props.ref AND docs.path LIKE '".$querypath."/%' AND props.visibility<>'1' AND docs.filetype='folder'");
+							   WHERE docs.c_id = $course_id AND props.c_id = $course_id AND props.tool='".TOOL_DOCUMENT."' AND docs.id=props.ref AND docs.path LIKE '".$querypath."/%' AND props.visibility<>'1' AND docs.filetype='folder'");
 	// If we get invisible folders, we have to filter out these results from all visible files we found
 	if (Database::num_rows($query2) > 0) {
 		// Add tem to an array
 		while ($invisible_folders = Database::fetch_assoc($query2)) {
 		//3rd: Get all files that are in the found invisible folder (these are "invisible" too)
 			//echo "<br /><br />invisible folders: ".$sys_course_path.$_course['path'].'/document'.$invisible_folders['path'].'<br />';
-			$query3 = Database::query("SELECT path FROM $doc_table AS docs,$prop_table AS props  WHERE props.tool='".TOOL_DOCUMENT."' AND docs.id=props.ref AND docs.path LIKE '".$invisible_folders['path']."/%' AND docs.filetype='file' AND props.visibility='1'");
+			$query3 = Database::query("SELECT path FROM $doc_table AS docs,$prop_table AS props  
+			                           WHERE docs.c_id = $course_id AND props.c_id = $course_id AND props.tool='".TOOL_DOCUMENT."' AND docs.id=props.ref AND docs.path LIKE '".$invisible_folders['path']."/%' AND docs.filetype='file' AND props.visibility='1'");
 			// Add tem to an array
 			while ($files_in_invisible_folder = Database::fetch_assoc($query3)) {
 				$files_in_invisible_folder_path[] = $files_in_invisible_folder['path'];

main/document/edit_document.php

@@ -183,6 +183,7 @@ if (!is_dir($filepath)) {
 }
 
 $dbTable = Database::get_course_table(TABLE_DOCUMENT);
+$course_id = api_get_course_int_id();
 
 if (!empty($_SESSION['_gid'])) {
 	$req_gid = '&gidReq='.$_SESSION['_gid'];
@@ -219,7 +220,7 @@ if (isset($_POST['comment'])) {
 	// Fixing the path if it is wrong	
 	$comment 	     = trim(Database::escape_string($_POST['comment']));
 	$title 		     = trim(Database::escape_string($_POST['title'])); 
-	$query = "UPDATE $dbTable SET comment='".$comment."', title='".$title."' WHERE id = ".$document_id;
+	$query = "UPDATE $dbTable SET comment='".$comment."', title='".$title."' WHERE c_id = $course_id AND id = ".$document_id;
 	Database::query($query);	
 	$comments_updated = get_lang('ComMod');
 	$info_message     = get_lang('fileModified');
@@ -238,7 +239,7 @@ if (isset($_POST['renameTo'])) {
 
 /** TODO: Check whether this code is still used **/
 /* Search the old comment */  // RH: metadata: added 'id,'
-$result = Database::query("SELECT id, comment, title FROM $dbTable WHERE id = ".$document_id);
+$result = Database::query("SELECT id, comment, title FROM $dbTable WHERE c_id = $course_id AND id = ".$document_id);
 
 /*
 // Debug info - enable on temporary needs only.

main/document/slideshow.php

@@ -217,6 +217,7 @@ for ($k = 0; $k < $number_iteration; $k++) {
 echo '</table>';
 
 /*	ONE AT A TIME VIEW */
+$course_id = api_get_course_int_id();
 
 // This is for viewing all the images in the slideshow one at a time.
 if ($slide_id != 'all') {
@@ -239,7 +240,7 @@ if ($slide_id != 'all') {
 		} else {
 			$pathpart = $path.'/';
 		}
-		$sql = "SELECT * FROM $tbl_documents WHERE path='".Database::escape_string($pathpart.$image_files_only[$slide])."'";
+		$sql = "SELECT * FROM $tbl_documents WHERE c_id = $course_id AND path='".Database::escape_string($pathpart.$image_files_only[$slide])."'";
 		$result = Database::query($sql);
 		$row = Database::fetch_array($result);
 

main/inc/lib/fileManage.lib.php

@@ -17,11 +17,10 @@
  *
  */
 function update_db_info($action, $old_path, $new_path = '') {
-
-	global $dbTable; // Table 'document'
-
+    $dbTable = Database::get_course_table(TABLE_DOCUMENT);
+    $course_id = api_get_course_int_id();
+    
 	/* DELETE */
-
 	if ($action == 'delete') {
 		/*  // RH: metadata, update 2004/08/23
 		    these two lines replaced by new code below:
@@ -29,13 +28,12 @@ function update_db_info($action, $old_path, $new_path = '') {
     		WHERE path='".$old_path."' OR path LIKE '".$old_path."/%'";
         */
         $old_path = Database::escape_string($old_path);
-        $to_delete = "WHERE path LIKE BINARY '".$old_path."' OR path LIKE BINARY '".$old_path."/%'";
+        $to_delete = "WHERE c_id = $course_id AND path LIKE BINARY '".$old_path."' OR path LIKE BINARY '".$old_path."/%'";
         $query = "DELETE FROM $dbTable " . $to_delete;
 
         $result = Database::query("SELECT id FROM $dbTable " . $to_delete);
 
         if (Database::num_rows($result)) {
-
             require_once api_get_path(INCLUDE_PATH).'../metadata/md_funcs.php';
             $mdStore = new mdstore(TRUE);  // create if needed
 
@@ -67,12 +65,9 @@ function update_db_info($action, $old_path, $new_path = '') {
 		$new_path = Database::escape_string($new_path);
 		$query = "UPDATE $dbTable
 		SET path = CONCAT('".$new_path."', SUBSTRING(path, LENGTH('".$old_path."')+1) )
-		WHERE path LIKE BINARY '".$old_path."' OR path LIKE BINARY '".$old_path."/%'";
-	}
-	//echo $query;
-	//error_log($query,0);
+		WHERE c_id = $course_id AND path LIKE BINARY '".$old_path."' OR path LIKE BINARY '".$old_path."/%'";
+	}	
 	Database::query($query);
-	//Display::display_normal_message("query = $query");
 }
 
 /**