From e85b8f5375e894f52316ddc0213cf75506ccee24 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Mon, 29 Dec 2014 15:45:28 +0100
Subject: [PATCH 01/26] Minor - Adding missing variable

---
 main/survey/survey_list.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/main/survey/survey_list.php b/main/survey/survey_list.php
index 350f543fa7..cadefddf22 100755
--- a/main/survey/survey_list.php
+++ b/main/survey/survey_list.php
@@ -38,6 +38,7 @@ event_access_tool(TOOL_SURVEY);
  * of the code)
  */
 
+$courseInfo = api_get_course_info();
 $isDrhOfCourse = CourseManager::isUserSubscribedInCourseAsDrh(
     api_get_user_id(),
     $courseInfo

From c839677b8cb4210f6b52132d95497f2fc3dde81c Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Tue, 30 Dec 2014 14:59:50 +0100
Subject: [PATCH 02/26] Fixing queries see #7440

---
 main/admin/access_url_check_user_session.php  |   1 -
 main/admin/access_url_edit.php                |   2 +
 main/admin/add_sessions_to_promotion.php      |  10 +-
 main/admin/add_sessions_to_usergroup.php      |  35 +-
 main/admin/course_list.php                    |  96 +++--
 main/admin/course_request_accepted.php        |   5 +-
 main/admin/user_list.php                      | 128 +++---
 .../classes/CourseBuilder.class.php           | 172 ++++----
 main/coursecopy/copy_course_session.php       |   4 +-
 main/exercice/exercice.php                    |  10 +-
 main/forum/forumfunction.inc.php              |   2 +-
 main/gradebook/lib/be/category.class.php      |  25 +-
 main/inc/lib/auth.lib.php                     |  48 ++-
 main/inc/lib/course.lib.php                   | 399 ++++++++++--------
 main/inc/lib/course_category.lib.php          |  44 +-
 main/inc/lib/database.lib.php                 | 104 +++--
 main/inc/lib/document.lib.php                 |  42 +-
 main/inc/lib/group_portal_manager.lib.php     |  61 +--
 main/inc/lib/main_api.lib.php                 | 134 +++---
 main/inc/lib/sessionmanager.lib.php           |  56 ++-
 main/inc/lib/usermanager.lib.php              |  44 +-
 main/inc/lib/userportal.lib.php               |   2 +-
 main/newscorm/learnpath.class.php             | 156 +++----
 main/newscorm/lp_ajax_switch_item.php         |   3 +-
 main/newscorm/lp_ajax_switch_item_toc.php     |   9 +-
 main/reservation/rsys.php                     | 204 ++++-----
 .../default/auth/courses_categories.php       |  19 +-
 main/webservices/registration.soap.php        |   7 +-
 28 files changed, 1046 insertions(+), 776 deletions(-)

diff --git a/main/admin/access_url_check_user_session.php b/main/admin/access_url_check_user_session.php
index 098af8ff31..84d3afa222 100755
--- a/main/admin/access_url_check_user_session.php
+++ b/main/admin/access_url_check_user_session.php
@@ -56,7 +56,6 @@ $order_clause = api_sort_by_first_name() ? ' ORDER BY firstname, lastname' : ' O
 
 $session_list = SessionManager::get_sessions_list();
 
-
 $html = '';
 $show_users_with_problems = isset($_REQUEST['show_users_with_problems']) && $_REQUEST['show_users_with_problems'] == 1 ? true : false;
 if ($show_users_with_problems) {
diff --git a/main/admin/access_url_edit.php b/main/admin/access_url_edit.php
index 167e666a8f..2a81157bd6 100755
--- a/main/admin/access_url_edit.php
+++ b/main/admin/access_url_edit.php
@@ -159,3 +159,5 @@ $form->addElement('file','url_image_3','URL Image 3 (PNG)');
 // Submit button
 $form->addElement('style_submit_button', 'submit', $submit_name, 'class="add"');
 $form->display();
+
+Display::display_footer();
diff --git a/main/admin/add_sessions_to_promotion.php b/main/admin/add_sessions_to_promotion.php
index 08767bf443..e34fca2aee 100755
--- a/main/admin/add_sessions_to_promotion.php
+++ b/main/admin/add_sessions_to_promotion.php
@@ -93,7 +93,7 @@ if (isset($_POST['form_sent']) && $_POST['form_sent']) {
 }
 
 $promotion_data = $promotion->get($id);
-$session_list   = SessionManager::get_sessions_list(array(), array('name'));
+$session_list = SessionManager::get_sessions_list(array(), array('name'));
 $session_not_in_promotion = $session_in_promotion= array();
 
 if (!empty($session_list)) {
@@ -126,17 +126,19 @@ function search_sessions($needle, $type)
         $needle = Database::escape_string($needle);
         $needle = api_convert_encoding($needle, $charset, 'utf-8');
 
-        $session_list = SessionManager::get_sessions_list(array('s.name LIKE' => "$needle%"));
+        $session_list = SessionManager::get_sessions_list(
+            array('s.name' => array('operator' => 'LIKE', 'value' => "$needle%"))
+        );
         $return .= '<select id="session_not_in_promotion" name="session_not_in_promotion_name[]" multiple="multiple" size="15" style="width:360px;">';
-        foreach ($session_list as $row ) {
+        foreach ($session_list as $row) {
             if (!in_array($row['id'], array_keys($session_in_promotion))) {
                 $return .= '<option value="'.$row['id'].'">'.$row['name'].'</option>';
             }
         }
         $return .= '</select>';
         $xajax_response -> addAssign('ajax_list_multiple','innerHTML',api_utf8_encode($return));
-
     }
+
     return $xajax_response;
 }
 $xajax->processRequests();
diff --git a/main/admin/add_sessions_to_usergroup.php b/main/admin/add_sessions_to_usergroup.php
index 9edf901597..627ee5f39a 100755
--- a/main/admin/add_sessions_to_usergroup.php
+++ b/main/admin/add_sessions_to_usergroup.php
@@ -98,7 +98,7 @@ if (isset($_POST['form_sent']) && $_POST['form_sent']) {
         $elements_posted = array();
     }
     if ($form_sent == 1) {
-        //added a parameter to send emails when registering a user        
+        //added a parameter to send emails when registering a user
         $usergroup->subscribe_sessions_to_usergroup($id, $elements_posted);
         header('Location: usergroups.php');
         exit;
@@ -145,9 +145,13 @@ function search_sessions($needle,$type) {
                 $order_clause.
                 ' LIMIT 11';*/
         } else if ($type == 'searchbox') {
-            $session_list = SessionManager::get_sessions_list(array('s.name LIKE' => "%$needle%"));
+            $session_list = SessionManager::get_sessions_list(
+                array('s.name' => array('operator' => 'LIKE', 'value' => "%$needle%"))
+            );
         } else {
-            $session_list = SessionManager::get_sessions_list(array('s.name LIKE' => "$needle%"));
+            $session_list = SessionManager::get_sessions_list(
+                array('s.name' => array('operator' => 'LIKE', 'value' => "$needle%"))
+            );
         }
         $i=0;
         if ($type=='single') {
@@ -189,13 +193,10 @@ if ($add_type == 'multiple') {
 }
 
 echo '<div class="actions">';
-echo '<a href="usergroups.php">'.Display::return_icon('back.png',get_lang('Back'),'',ICON_SIZE_MEDIUM).'</a>'; 
+echo '<a href="usergroups.php">'.Display::return_icon('back.png',get_lang('Back'),'',ICON_SIZE_MEDIUM).'</a>';
 echo '<a href="javascript://" class="advanced_parameters" style="margin-top: 8px" onclick="display_advanced_search();"><span id="img_plus_and_minus">&nbsp;'.Display::return_icon('div_show.gif',get_lang('Show'),array('style'=>'vertical-align:middle')).' '.get_lang('AdvancedSearch').'</span></a>';
 echo '</div>';
-
-?>
-
-<?php echo '<div id="advancedSearch" style="display: none">'. get_lang('SearchSessions'); ?> :
+echo '<div id="advancedSearch" style="display: none">'. get_lang('SearchSessions'); ?> :
      <input name="SearchSession" onchange = "xajax_search_sessions(this.value,'searchbox')" onkeyup="this.onchange()">
      </div>
 <form name="formulaire" method="post" action="<?php echo api_get_self(); ?>?id=<?php echo $id; if(!empty($_GET['add'])) echo '&add=true' ; ?>" style="margin:0px;" <?php if($ajax_search){echo ' onsubmit="valide();"';}?>>
@@ -262,8 +263,8 @@ if(!empty($errorMsg)) {
 <tr>
   <td align="center">
   <div id="content_source">
-      <?php           
-      if (!($add_type=='multiple')) {        
+      <?php
+      if (!($add_type=='multiple')) {
         ?>
         <input type="text" id="user_to_add" onkeyup="xajax_search_users(this.value,'single')" />
         <div id="ajax_list_users_single"></div>
@@ -313,9 +314,7 @@ if(!empty($errorMsg)) {
 </form>
 
 <script type="text/javascript">
-<!--
-function moveItem(origin , destination){
-
+function moveItem(origin , destination) {
     for(var i = 0 ; i<origin.options.length ; i++) {
         if(origin.options[i].selected) {
             destination.options[destination.length] = new Option(origin.options[i].text,origin.options[i].value);
@@ -325,11 +324,9 @@ function moveItem(origin , destination){
     }
     destination.selectedIndex = -1;
     sortOptions(destination.options);
-
 }
 
 function sortOptions(options) {
-
     newOptions = new Array();
     for (i = 0 ; i<options.length ; i++)
         newOptions[i] = options[i];
@@ -338,7 +335,6 @@ function sortOptions(options) {
     options.length = 0;
     for(i = 0 ; i < newOptions.length ; i++)
         options[i] = newOptions[i];
-
 }
 
 function mysort(a, b){
@@ -358,10 +354,8 @@ function valide(){
     document.forms.formulaire.submit();
 }
 
-function loadUsersInSelect(select){
-
+function loadUsersInSelect(select) {
     var xhr_object = null;
-
     if(window.XMLHttpRequest) // Firefox
         xhr_object = new XMLHttpRequest();
     else if(window.ActiveXObject) // Internet Explorer
@@ -370,10 +364,7 @@ function loadUsersInSelect(select){
     alert("Votre navigateur ne supporte pas les objets XMLHTTPRequest...");
 
     xhr_object.open("POST", "loadUsersInSelect.ajax.php");
-
     xhr_object.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
-
-
     nosessionUsers = makepost(document.getElementById('elements_not_in'));
     sessionUsers = makepost(document.getElementById('elements_in'));
     nosessionClasses = makepost(document.getElementById('origin_classes'));
diff --git a/main/admin/course_list.php b/main/admin/course_list.php
index 1d199d4e7a..ad8da98b35 100755
--- a/main/admin/course_list.php
+++ b/main/admin/course_list.php
@@ -23,36 +23,56 @@ $sessionId = isset($_GET['session_id']) ? $_GET['session_id'] : null;
 /**
  * Get the number of courses which will be displayed
  */
-function get_number_of_courses() {
+function get_number_of_courses()
+{
     $course_table = Database :: get_main_table(TABLE_MAIN_COURSE);
     $sql = "SELECT COUNT(code) AS total_number_of_items FROM $course_table";
 
-    if ((api_is_platform_admin() || api_is_session_admin()) && api_is_multiple_url_enabled() && api_get_current_access_url_id() != -1) {
+    if ((api_is_platform_admin() || api_is_session_admin()) &&
+        api_is_multiple_url_enabled() && api_get_current_access_url_id() != -1
+    ) {
         $access_url_rel_course_table = Database :: get_main_table(TABLE_MAIN_ACCESS_URL_REL_COURSE);
         $sql.= " INNER JOIN $access_url_rel_course_table url_rel_course ON (code=url_rel_course.course_code)";
     }
 
     if (isset ($_GET['keyword'])) {
-        $keyword = Database::escape_string($_GET['keyword']);
-        $sql .= " WHERE (title LIKE '%".$keyword."%' OR code LIKE '%".$keyword."%' OR visual_code LIKE '%".$keyword."%')";
-    } elseif (isset ($_GET['keyword_code'])) {
-        $keyword_code = Database::escape_string($_GET['keyword_code']);
-        $keyword_title = Database::escape_string($_GET['keyword_title']);
-        $keyword_category = Database::escape_string($_GET['keyword_category']);
-        $keyword_language = Database::escape_string($_GET['keyword_language']);
-        $keyword_visibility = Database::escape_string($_GET['keyword_visibility']);
+        $keyword = Database::escape_string("%".$_GET['keyword']."%");
+        $sql .= " WHERE (
+                        title LIKE '".$keyword."' OR
+                        code LIKE '".$keyword."' OR
+                        visual_code LIKE '".$keyword."'
+                )
+        ";
+    } elseif (isset($_GET['keyword_code'])) {
+        $keyword_code = Database::escape_string("%".$_GET['keyword_code']."%");
+        $keyword_title = Database::escape_string("%".$_GET['keyword_title']."%");
+        $keyword_category = Database::escape_string("%".$_GET['keyword_category']."%");
+        $keyword_language = Database::escape_string("%".$_GET['keyword_language']."%");
+        $keyword_visibility = Database::escape_string("%".$_GET['keyword_visibility']."%");
         $keyword_subscribe = Database::escape_string($_GET['keyword_subscribe']);
         $keyword_unsubscribe = Database::escape_string($_GET['keyword_unsubscribe']);
-        $sql .= " WHERE (code LIKE '%".$keyword_code."%' OR visual_code LIKE '%".$keyword_code."%') AND title LIKE '%".$keyword_title."%' AND category_code LIKE '%".$keyword_category."%'  AND course_language LIKE '%".$keyword_language."%'   AND visibility LIKE '%".$keyword_visibility."%'    AND subscribe LIKE '".$keyword_subscribe."'AND unsubscribe LIKE '".$keyword_unsubscribe."'";
+
+        $sql .= " WHERE
+                    (code LIKE '".$keyword_code."' OR visual_code LIKE '".$keyword_code."') AND
+                    title LIKE '".$keyword_title."' AND
+                    category_code LIKE '".$keyword_category."' AND
+                    course_language LIKE '".$keyword_language."' AND
+                    visibility LIKE '".$keyword_visibility."' AND
+                    subscribe LIKE '".$keyword_subscribe."' AND
+                    unsubscribe LIKE '".$keyword_unsubscribe."'
+        ";
     }
 
     // adding the filter to see the user's only of the current access_url
-    if ((api_is_platform_admin() || api_is_session_admin()) && api_is_multiple_url_enabled() && api_get_current_access_url_id() != -1) {
+    if ((api_is_platform_admin() || api_is_session_admin()) &&
+        api_is_multiple_url_enabled() && api_get_current_access_url_id() != -1
+    ) {
         $sql.= " AND url_rel_course.access_url_id=".api_get_current_access_url_id();
     }
 
     $res = Database::query($sql);
     $obj = Database::fetch_object($res);
+
     return $obj->total_number_of_items;
 }
 
@@ -62,9 +82,11 @@ function get_number_of_courses() {
  * @param int $number_of_items
  * @param int $column
  * @param string $direction
+ *
  * @return array
  */
-function get_course_data($from, $number_of_items, $column, $direction) {
+function get_course_data($from, $number_of_items, $column, $direction)
+{
     $course_table = Database::get_main_table(TABLE_MAIN_COURSE);
 
     $sql = "SELECT  code AS col0,
@@ -80,35 +102,52 @@ function get_course_data($from, $number_of_items, $column, $direction) {
                     visual_code
     		FROM $course_table";
 
-    if ((api_is_platform_admin() || api_is_session_admin()) && api_is_multiple_url_enabled() && api_get_current_access_url_id() != -1) {
+    if ((api_is_platform_admin() || api_is_session_admin()) &&
+        api_is_multiple_url_enabled() && api_get_current_access_url_id() != -1
+    ) {
         $access_url_rel_course_table = Database :: get_main_table(TABLE_MAIN_ACCESS_URL_REL_COURSE);
         $sql.= " INNER JOIN $access_url_rel_course_table url_rel_course ON (code=url_rel_course.course_code)";
     }
 
     if (isset ($_GET['keyword'])) {
-        $keyword = Database::escape_string(trim($_GET['keyword']));
-        $sql .= " WHERE (title LIKE '%".$keyword."%' OR code LIKE '%".$keyword."%' OR visual_code LIKE '%".$keyword."%' ) ";
-    } elseif (isset ($_GET['keyword_code'])) {
-        $keyword_code           = Database::escape_string($_GET['keyword_code']);
-        $keyword_title          = Database::escape_string($_GET['keyword_title']);
-        $keyword_category       = Database::escape_string($_GET['keyword_category']);
-        $keyword_language       = Database::escape_string($_GET['keyword_language']);
-        $keyword_visibility     = Database::escape_string($_GET['keyword_visibility']);
-        $keyword_subscribe      = Database::escape_string($_GET['keyword_subscribe']);
-        $keyword_unsubscribe    = Database::escape_string($_GET['keyword_unsubscribe']);
-        $sql .= " WHERE (code LIKE '%".$keyword_code."%' OR visual_code LIKE '%".$keyword_code."%') AND title LIKE '%".$keyword_title."%' AND category_code LIKE '%".$keyword_category."%'  AND course_language LIKE '%".$keyword_language."%'   AND visibility LIKE '%".$keyword_visibility."%'    AND subscribe LIKE '".$keyword_subscribe."'AND unsubscribe LIKE '".$keyword_unsubscribe."'";
+        $keyword = Database::escape_string("%".trim($_GET['keyword'])."%");
+        $sql .= " WHERE (
+            title LIKE '".$keyword."' OR
+            code LIKE '".$keyword."' OR
+            visual_code LIKE '".$keyword."'
+        )
+        ";
+    } elseif (isset($_GET['keyword_code'])) {
+        $keyword_code = Database::escape_string("%".$_GET['keyword_code']."%");
+        $keyword_title = Database::escape_string("%".$_GET['keyword_title']."%");
+        $keyword_category = Database::escape_string("%".$_GET['keyword_category']."%");
+        $keyword_language = Database::escape_string("%".$_GET['keyword_language']."%");
+        $keyword_visibility = Database::escape_string("%".$_GET['keyword_visibility']."%");
+        $keyword_subscribe = Database::escape_string($_GET['keyword_subscribe']);
+        $keyword_unsubscribe = Database::escape_string($_GET['keyword_unsubscribe']);
+
+        $sql .= " WHERE
+                (code LIKE '".$keyword_code."' OR visual_code LIKE '".$keyword_code."') AND
+                title LIKE '".$keyword_title."' AND
+                category_code LIKE '".$keyword_category."' AND
+                course_language LIKE '".$keyword_language."' AND
+                visibility LIKE '".$keyword_visibility."' AND
+                subscribe LIKE '".$keyword_subscribe."' AND
+                unsubscribe LIKE '".$keyword_unsubscribe."'";
     }
 
     // Adding the filter to see the user's only of the current access_url.
-    if ((api_is_platform_admin() || api_is_session_admin()) && api_is_multiple_url_enabled() && api_get_current_access_url_id() != -1) {
+    if ((api_is_platform_admin() || api_is_session_admin()) &&
+        api_is_multiple_url_enabled() && api_get_current_access_url_id() != -1
+    ) {
         $sql.= " AND url_rel_course.access_url_id=".api_get_current_access_url_id();
     }
 
     $sql .= " ORDER BY col$column $direction ";
-    $sql .= " LIMIT $from,$number_of_items";
+    $sql .= " LIMIT $from, $number_of_items";
 
     $res = Database::query($sql);
-    $courses = array ();
+    $courses = array();
     while ($course = Database::fetch_array($res)) {
         // Place colour icons in front of courses.
         $show_visual_code = $course['visual_code'] != $course[2] ? Display::label($course['visual_code'], 'info') : null;
@@ -118,6 +157,7 @@ function get_course_data($from, $number_of_items, $column, $direction) {
         $course_rem = array($course[0], $course[1], $course[2], $course[3], $course[4], $course[5], $course[6], $course[7]);
         $courses[] = $course_rem;
     }
+
     return $courses;
 }
 
diff --git a/main/admin/course_request_accepted.php b/main/admin/course_request_accepted.php
index 506233006f..7e79905581 100755
--- a/main/admin/course_request_accepted.php
+++ b/main/admin/course_request_accepted.php
@@ -92,8 +92,9 @@ function get_number_of_requests() {
 /**
  * Get course data to display
  */
-function get_request_data($from, $number_of_items, $column, $direction) {
-    $keyword = Database::escape_string(trim($_GET['keyword']));
+function get_request_data($from, $number_of_items, $column, $direction)
+{
+    $keyword = isset($_GET['keyword']) ? Database::escape_string(trim($_GET['keyword'])) : null;
     $course_request_table = Database :: get_main_table(TABLE_MAIN_COURSE_REQUEST);
 
     $sql = "SELECT id AS col0,
diff --git a/main/admin/user_list.php b/main/admin/user_list.php
index 6f03438675..3abd4f7bef 100755
--- a/main/admin/user_list.php
+++ b/main/admin/user_list.php
@@ -95,11 +95,11 @@ function active_user(element_div) {
 	}
 }
 
-function clear_course_list (div_course) {
+function clear_course_list(div_course) {
 	$("div#"+div_course).html("&nbsp;");
 	$("div#"+div_course).hide("");
 }
-function clear_session_list (div_session) {
+function clear_session_list(div_session) {
 	$("div#"+div_session).html("&nbsp;");
 	$("div#"+div_session).hide("");
 }
@@ -115,7 +115,6 @@ function display_advanced_search_form () {
 }
 
 $(document).ready(function() {
-
     var select_val = $("#input_select_extra_data").val();
     if ( document.getElementById(\'extra_data_text\')) {
 
@@ -159,7 +158,6 @@ $this_section = SECTION_PLATFORM_ADMIN;
 
 if ($action == 'login_as') {
     $check = Security::check_token('get');
-
     if (isset($_GET['user_id']) && api_can_login_as($_GET['user_id']) && $check) {
         login_user($_GET['user_id']);
     } else {
@@ -174,7 +172,7 @@ api_protect_admin_script(true);
  * Prepares the shared SQL query for the user table.
  * See get_user_data() and get_number_of_users().
  *
- * @param boolean Whether to count, or get data
+ * @param boolean $is_count Whether to count, or get data
  * @return string SQL query
  */
 function prepare_user_sql_query($is_count) {
@@ -187,16 +185,21 @@ function prepare_user_sql_query($is_count) {
     } else {
         $sql .= "SELECT u.user_id AS col0, u.official_code AS col2, ";
 
-        if (api_is_western_name_order())
+        if (api_is_western_name_order()) {
             $sql .= "u.firstname AS col3, u.lastname AS col4, ";
-        else
+        } else {
             $sql .= "u.lastname AS col3, u.firstname AS col4, ";
+        }
 
-        $sql .= "u.username AS col5, u.email AS col6, ".
-                    "u.status AS col7, u.active AS col8, ".
-                    "u.user_id AS col9, u.registration_date AS col10, ".
-                    "u.expiration_date AS exp, u.password ".
-                    "FROM $user_table u";
+        $sql .= " u.username AS col5,
+                    u.email AS col6,
+                    u.status AS col7,
+                    u.active AS col8,
+                    u.user_id AS col9,
+                    u.registration_date AS col10,
+                    u.expiration_date AS exp,
+                    u.password
+                FROM $user_table u";
     }
 
     // adding the filter to see the user's only of the current access_url
@@ -205,18 +208,29 @@ function prepare_user_sql_query($is_count) {
         $sql.= " INNER JOIN $access_url_rel_user_table url_rel_user ON (u.user_id=url_rel_user.user_id)";
     }
 
-    foreach ($_GET as $key => $value) {
-        /* Because this query uses LIKE very liberally we need to escape
-         * LIKE wildcards, concretely "_" and "%". This is only relevant
-         * for *LIKE* statements.
-         *
-         * See: http://stackoverflow.com/a/3683868 */
-
-        // Remove buggy whitespaces and escape for both SQL and LIKE.
-        if ($key == "keyword_status")
-            $$key = Database::escape_string(trim($value));
-        else
-            $$key = Database::escape_sql_wildcards(Database::escape_string(trim($value)));
+    $keywordList = array(
+        'keyword_firstname',
+        'keyword_lastname',
+        'keyword_username',
+        'keyword_email',
+        'keyword_officialcode',
+        'keyword_status',
+        'keyword_active',
+        'check_easy_passwords'
+    );
+
+    $keywordListValues = array();
+    $atLeastOne = false;
+    foreach ($keywordList as $keyword) {
+        $keywordListValues[$keyword] = null;
+        if (isset($_GET[$keyword]) && !empty($_GET[$keyword])) {
+            $keywordListValues[$keyword] = $_GET[$keyword];
+            $atLeastOne = true;
+        }
+    }
+
+    if ($atLeastOne == false) {
+        $keywordListValues = array();
     }
 
     if (isset($keyword_extra_data) && !empty($keyword_extra_data)) {
@@ -225,40 +239,47 @@ function prepare_user_sql_query($is_count) {
         $sql.= " INNER JOIN user_field_values ufv ON u.user_id=ufv.user_id AND ufv.field_id=$field_id ";
     }
 
-    if (isset($keyword)) {
-        $sql .= " WHERE (".
-                    "u.firstname LIKE '%". $keyword ."%' ".
-                    "OR u.lastname LIKE '%". $keyword ."%' ".
-                    "OR concat(u.firstname,' ',u.lastname) LIKE '%". $keyword ."%' ".
-                    "OR concat(u.lastname,' ',u.firstname) LIKE '%". $keyword ."%' ".
-                    "OR u.username LIKE '%". $keyword ."%' ".
-                    "OR u.official_code LIKE '%". $keyword ."%' ".
-                    "OR u.email LIKE '%". $keyword ."%')";
-    } elseif (isset($keyword_firstname)) {
+    if (isset($_GET['keyword']) && !empty($_GET['keyword'])) {
+        $keywordFiltered = Database::escape_string("%". $_GET['keyword'] ."%");
+        $sql .= " WHERE (
+                    u.firstname LIKE '$keywordFiltered' OR
+                    u.lastname LIKE '$keywordFiltered' OR
+                    concat(u.firstname, ' ', u.lastname) LIKE '$keywordFiltered' OR
+                    concat(u.lastname,' ',u.firstname) LIKE '$keywordFiltered' OR
+                    u.username LIKE '$keywordFiltered' OR
+                    u.official_code LIKE '$keywordFiltered' OR
+                    u.email LIKE '$keywordFiltered'
+                )
+        ";
+    } elseif (isset($keywordListValues) && !empty($keywordListValues)) {
         $query_admin_table = '';
         $keyword_admin = '';
 
-        if ($keyword_status == SESSIONADMIN) {
-           $keyword_status = '%';
+        if (isset($keywordListValues['keyword_status']) &&
+            $keywordListValues['keyword_status'] == PLATFORM_ADMIN
+        ) {
            $query_admin_table = " , $admin_table a ";
            $keyword_admin = ' AND a.user_id = u.user_id ';
+            $keywordListValues['keyword_status'] = '%';
         }
 
         $keyword_extra_value = '';
-
         if (isset($keyword_extra_data) && !empty($keyword_extra_data) &&
             !empty($keyword_extra_data_text)) {
             $keyword_extra_value = " AND ufv.field_value LIKE '%".trim($keyword_extra_data_text)."%' ";
         }
 
-        $sql .= " $query_admin_table ".
-                "WHERE (u.firstname LIKE '%". $keyword_firstname ."%' ".
-                    "AND u.lastname LIKE '%". $keyword_lastname ."%' ".
-                    "AND u.username LIKE '%". $keyword_username ."%' ".
-                    "AND u.email LIKE '%". $keyword_email ."%' ".
-                    "AND u.official_code LIKE '%". $keyword_officialcode ."%' ".
-                    "AND u.status LIKE '$keyword_status' ".
-                    "$keyword_admin $keyword_extra_value";
+        $sql .= " $query_admin_table
+                WHERE (
+                    u.firstname LIKE '". Database::escape_string("%".$keywordListValues['keyword_firstname']."%")."' AND
+                    u.lastname LIKE '". Database::escape_string("%".$keywordListValues['keyword_lastname']."%")."' AND
+                    u.username LIKE '". Database::escape_string("%".$keywordListValues['keyword_username']."%")."' AND
+                    u.email LIKE '". Database::escape_string("%".$keywordListValues['keyword_email']."%")."' AND
+                    u.official_code LIKE '". Database::escape_string("%".$keywordListValues['keyword_officialcode']."%")."' AND
+                    u.status LIKE '".Database::escape_string($keywordListValues['keyword_status'])."'
+                    $keyword_admin
+                    $keyword_extra_value
+                ";
 
         if (isset($keyword_active) && !isset($keyword_inactive)) {
             $sql .= " AND u.active='1'";
@@ -270,7 +291,8 @@ function prepare_user_sql_query($is_count) {
 
     // adding the filter to see the user's only of the current access_url
     if ((api_is_platform_admin() || api_is_session_admin())
-        && api_get_multiple_access_url()) {
+        && api_get_multiple_access_url()
+    ) {
         $sql .= " AND url_rel_user.access_url_id=".api_get_current_access_url_id();
     }
 
@@ -388,7 +410,7 @@ function login_user($user_id) {
  * @see SortableTable#get_total_number_of_items()
  */
 function get_number_of_users() {
-    $sql = prepare_user_sql_query (true);
+    $sql = prepare_user_sql_query(true);
 
     $res = Database::query($sql);
     $obj = Database::fetch_object($res);
@@ -404,7 +426,7 @@ function get_number_of_users() {
  * @see SortableTable#get_table_data($from)
  */
 function get_user_data($from, $number_of_items, $column, $direction) {
-    $sql = prepare_user_sql_query (false);
+    $sql = prepare_user_sql_query(false);
 
     $checkPassStrength = isset($_GET['check_easy_passwords']) && $_GET['check_easy_passwords'] == 1 ? true : false;
 
@@ -732,7 +754,8 @@ $form->addElement(
 $actions  = '';
 if (api_is_platform_admin()) {
 	$actions .= '<span style="float:right;">'.
-		 '<a href="'.api_get_path(WEB_CODE_PATH).'admin/user_add.php">'.Display::return_icon('new_user.png',get_lang('AddUsers'),'',ICON_SIZE_MEDIUM).'</a>'.
+		 '<a href="'.api_get_path(WEB_CODE_PATH).'admin/user_add.php">'.
+         Display::return_icon('new_user.png',get_lang('AddUsers'),'',ICON_SIZE_MEDIUM).'</a>'.
 		 '</span>';
 }
 $actions .= $form->return_form();
@@ -790,8 +813,10 @@ $status_options['%'] = get_lang('All');
 $status_options[STUDENT] = get_lang('Student');
 $status_options[COURSEMANAGER] = get_lang('Teacher');
 $status_options[DRH] = get_lang('Drh');
-$status_options[SESSIONADMIN] = get_lang('Administrator');
-$form->addElement('select','keyword_status',get_lang('Profile'),$status_options, array('style'=>'margin-left:17px'));
+$status_options[SESSIONADMIN] = get_lang('SessionsAdmin');
+$status_options[PLATFORM_ADMIN] = get_lang('Administrator');
+
+$form->addElement('select','keyword_status',get_lang('Profile'), $status_options, array('style'=>'margin-left:17px'));
 $form->addElement('html', '</td></tr>');
 $form->addElement('html', '<tr><td>');
 $active_group = array();
@@ -881,7 +906,6 @@ if ($table->get_total_number_of_items() == 0) {
 
     if (api_get_multiple_access_url() && isset($_REQUEST['keyword'])) {
         $keyword = Database::escape_string($_REQUEST['keyword']);
-        //$conditions = array('firstname' => $keyword, 'lastname' => $keyword, 'username' => $keyword);
         $conditions = array('username' => $keyword);
         $user_list = UserManager::get_user_list($conditions, array(), false, ' OR ');
         if (!empty($user_list)) {
diff --git a/main/coursecopy/classes/CourseBuilder.class.php b/main/coursecopy/classes/CourseBuilder.class.php
index 11d64dea72..98a1e2b698 100755
--- a/main/coursecopy/classes/CourseBuilder.class.php
+++ b/main/coursecopy/classes/CourseBuilder.class.php
@@ -29,13 +29,14 @@ require_once 'Work.class.php';
 require_once api_get_path(SYS_CODE_PATH).'exercice/question.class.php';
 
 /**
- * Class which can build a course-object from a Chamilo-course.
+ * Class CourseBuilder
+ * Builds a course-object from a Chamilo-course.
  * @author Bart Mollet <bart.mollet@hogent.be>
  * @package chamilo.backup
  */
 class CourseBuilder
 {
-    /** Course */
+    /** @var Course  */
     public $course;
 
     /* With this array you can filter the tools you want to be parsed by
@@ -67,8 +68,10 @@ class CourseBuilder
 
     /**
      * Create a new CourseBuilder
+     * @param string $type
+     * @param null $course
      */
-	public function __construct($type='', $course = null)
+    public function __construct($type='', $course = null)
     {
         $_course = api_get_course_info();
 
@@ -87,7 +90,6 @@ class CourseBuilder
     }
 
     /**
-     *
      * @param array $array
      */
     public function set_tools_to_build($array)
@@ -121,7 +123,7 @@ class CourseBuilder
      * @param bool     true if you want to get the elements that exists in the course and
      *                 in the session, (session_id = 0 or session_id = X)
      */
-	public function build($session_id = 0, $course_code = '', $with_base_content = false)
+    public function build($session_id = 0, $course_code = '', $with_base_content = false)
     {
         $table_link       = Database :: get_course_table(TABLE_LINKED_RESOURCES);
         $table_properties = Database :: get_course_table(TABLE_ITEM_PROPERTY);
@@ -467,7 +469,7 @@ class CourseBuilder
             //select only quizzes with active = 0 or 1 (not -1 which is for deleted quizzes)
         } else {
             $sql = "SELECT * FROM $table_qui WHERE c_id = $course_id AND active >=0 AND session_id = 0";
-             //select only quizzes with active = 0 or 1 (not -1 which is for deleted quizzes)
+            //select only quizzes with active = 0 or 1 (not -1 which is for deleted quizzes)
         }
 
         $db_result = Database::query($sql);
@@ -747,11 +749,11 @@ class CourseBuilder
         $db_result = Database::query($sql);
         while ($obj = Database::fetch_object($db_result)) {
             $survey = new Survey($obj->survey_id, $obj->code,$obj->title,
-                                $obj->subtitle, $obj->author, $obj->lang,
-                                $obj->avail_from, $obj->avail_till, $obj->is_shared,
-                                $obj->template, $obj->intro, $obj->surveythanks,
-                                $obj->creation_date, $obj->invited, $obj->answered,
-                                $obj->invite_mail, $obj->reminder_mail);
+                $obj->subtitle, $obj->author, $obj->lang,
+                $obj->avail_from, $obj->avail_till, $obj->is_shared,
+                $obj->template, $obj->intro, $obj->surveythanks,
+                $obj->creation_date, $obj->invited, $obj->answered,
+                $obj->invite_mail, $obj->reminder_mail);
             $sql = 'SELECT * FROM '.$table_question.' WHERE c_id = '.$course_id.' AND survey_id = '.$obj->survey_id;
             $db_result2 = Database::query($sql);
             while ($obj2 = Database::fetch_object($db_result2)){
@@ -925,75 +927,75 @@ class CourseBuilder
 
         $db_result = Database::query($sql);
         if ($db_result)
-        while ($obj = Database::fetch_object($db_result)) {
-            $items = array();
-            $sql_items = "SELECT * FROM ".$table_item." WHERE c_id = '$course_id' AND lp_id = ".$obj->id;
-            $db_items = Database::query($sql_items);
-            while ($obj_item = Database::fetch_object($db_items)) {
-                $item['id']                   = $obj_item->id;
-                $item['item_type']            = $obj_item->item_type;
-                $item['ref']                = $obj_item->ref;
-                $item['title']                = $obj_item->title;
-                $item['description']        = $obj_item->description;
-                $item['path']                = $obj_item->path;
-                $item['min_score']            = $obj_item->min_score;
-                $item['max_score']            = $obj_item->max_score;
-                $item['mastery_score']        = $obj_item->mastery_score;
-                $item['parent_item_id']    = $obj_item->parent_item_id;
-                $item['previous_item_id']  = $obj_item->previous_item_id;
-                $item['next_item_id']        = $obj_item->next_item_id;
-                $item['display_order']     = $obj_item->display_order;
-                $item['prerequisite']       = $obj_item->prerequisite;
-                $item['parameters']        = $obj_item->parameters;
-                $item['launch_data']        = $obj_item->launch_data;
-                $item['audio']                = $obj_item->audio;
-                $items[] = $item;
-            }
+            while ($obj = Database::fetch_object($db_result)) {
+                $items = array();
+                $sql_items = "SELECT * FROM ".$table_item." WHERE c_id = '$course_id' AND lp_id = ".$obj->id;
+                $db_items = Database::query($sql_items);
+                while ($obj_item = Database::fetch_object($db_items)) {
+                    $item['id']                   = $obj_item->id;
+                    $item['item_type']            = $obj_item->item_type;
+                    $item['ref']                = $obj_item->ref;
+                    $item['title']                = $obj_item->title;
+                    $item['description']        = $obj_item->description;
+                    $item['path']                = $obj_item->path;
+                    $item['min_score']            = $obj_item->min_score;
+                    $item['max_score']            = $obj_item->max_score;
+                    $item['mastery_score']        = $obj_item->mastery_score;
+                    $item['parent_item_id']    = $obj_item->parent_item_id;
+                    $item['previous_item_id']  = $obj_item->previous_item_id;
+                    $item['next_item_id']        = $obj_item->next_item_id;
+                    $item['display_order']     = $obj_item->display_order;
+                    $item['prerequisite']       = $obj_item->prerequisite;
+                    $item['parameters']        = $obj_item->parameters;
+                    $item['launch_data']        = $obj_item->launch_data;
+                    $item['audio']                = $obj_item->audio;
+                    $items[] = $item;
+                }
 
-            $sql_tool = "SELECT id FROM $table_tool
+                $sql_tool = "SELECT id FROM $table_tool
                          WHERE
                             c_id = $course_id AND
                             (link LIKE '%lp_controller.php%lp_id=".$obj->id."%' AND image='scormbuilder.gif') AND
                             visibility = '1' ";
-            $db_tool = Database::query($sql_tool);
+                $db_tool = Database::query($sql_tool);
 
-            if (Database::num_rows($db_tool)) {
-                $visibility = '1';
-            } else {
-                $visibility = '0';
-            }
+                if (Database::num_rows($db_tool)) {
+                    $visibility = '1';
+                } else {
+                    $visibility = '0';
+                }
 
-            $lp = new CourseCopyLearnpath(
-                $obj->id,
-                $obj->lp_type,
-                $obj->name,
-                $obj->path,
-                $obj->ref,
-                $obj->description,
-                $obj->content_local,
-                $obj->default_encoding,
-                $obj->default_view_mod,
-                $obj->prevent_reinit,
-                $obj->force_commit,
-                $obj->content_maker,
-                $obj->display_order,
-                $obj->js_lib,
-                $obj->content_license,
-                $obj->debug,
-                $visibility,
-                $obj->author,
-                $obj->preview_image,
-                $obj->use_max_score,
-                $obj->autolunch,
-                $obj->created_on,
-                $obj->modified_on,
-                $obj->publicated_on,
-                $obj->expired_on,
-                $obj->session_id,
-                $items
-            );
-            $this->course->add_resource($lp);
-        }
+                $lp = new CourseCopyLearnpath(
+                    $obj->id,
+                    $obj->lp_type,
+                    $obj->name,
+                    $obj->path,
+                    $obj->ref,
+                    $obj->description,
+                    $obj->content_local,
+                    $obj->default_encoding,
+                    $obj->default_view_mod,
+                    $obj->prevent_reinit,
+                    $obj->force_commit,
+                    $obj->content_maker,
+                    $obj->display_order,
+                    $obj->js_lib,
+                    $obj->content_license,
+                    $obj->debug,
+                    $visibility,
+                    $obj->author,
+                    $obj->preview_image,
+                    $obj->use_max_score,
+                    $obj->autolunch,
+                    $obj->created_on,
+                    $obj->modified_on,
+                    $obj->publicated_on,
+                    $obj->expired_on,
+                    $obj->session_id,
+                    $items
+                );
+                $this->course->add_resource($lp);
+            }
 
         // Save scorm directory (previously build_scorm_documents())
         $i = 1;
@@ -1092,7 +1094,7 @@ class CourseBuilder
         $course_id         = $course_info['real_id'];
 
         if (!empty($session_id) && !empty($course_code)) {
-             $session_id = intval($session_id);
+            $session_id = intval($session_id);
             if ($with_base_content) {
                 $session_condition = api_get_session_condition($session_id, true, true);
             } else {
@@ -1111,8 +1113,8 @@ class CourseBuilder
     }
 
     /**
-    * Build the Surveys
-    */
+     * Build the Surveys
+     */
     public function build_thematic($session_id = 0, $course_code = '', $with_base_content = false, $id_list = array())
     {
         $table_thematic            = Database :: get_course_table(TABLE_THEMATIC);
@@ -1149,7 +1151,7 @@ class CourseBuilder
                     //$thematic_plan_complete_list[$item['ref']] = $item;
                 }
             }
-             if (count($thematic_plan_id_list) > 0) {
+            if (count($thematic_plan_id_list) > 0) {
                 $sql = "SELECT tp.*
                         FROM $table_thematic_plan tp
                             INNER JOIN $table_thematic t ON (t.id=tp.thematic_id)
@@ -1169,8 +1171,8 @@ class CourseBuilder
     }
 
     /**
-    * Build the attendances
-    */
+     * Build the attendances
+     */
     public function build_attendance($session_id = 0, $course_code = '', $with_base_content = false, $id_list = array())
     {
         $table_attendance            = Database :: get_course_table(TABLE_ATTENDANCE);
@@ -1196,21 +1198,23 @@ class CourseBuilder
 
     /**
      * Build the works (or "student publications", or "assignments")
+     *
+     * @param int $session_id
+     * @param string $course_code
+     * @param bool $with_base_content
+     * @param array $id_list
      */
     public function build_works($session_id = 0, $course_code = '', $with_base_content = false, $id_list = array())
     {
         $table_work  = Database :: get_course_table(TABLE_STUDENT_PUBLICATION);
-        //$table_work_assignment  = Database :: get_course_table(TABLE_STUDENT_PUBLICATION_ASSIGNMENT);
-
         $course_id = api_get_course_int_id();
-
         $sessionCondition = api_get_session_condition($session_id, true, $with_base_content);
 
         $sql = "SELECT * FROM $table_work
                 WHERE
-                    c_id = $course_id 
+                    c_id = $course_id
                     $sessionCondition AND
-                    filetype = \'folder\' AND
+                    filetype = 'folder' AND
                     parent_id = 0 AND
                     active = 1";
         $db_result = Database::query($sql);
diff --git a/main/coursecopy/copy_course_session.php b/main/coursecopy/copy_course_session.php
index d4e7934301..84a7b53835 100755
--- a/main/coursecopy/copy_course_session.php
+++ b/main/coursecopy/copy_course_session.php
@@ -90,7 +90,7 @@ function make_select_session_list($name, $sessions, $attr = array())
 function display_form()
 {
     $html  = '';
-    $sessions = SessionManager::get_sessions_list(null, array('name ASC'));
+    $sessions = SessionManager::get_sessions_list(array(), array('name', 'ASC'));
 
     // Actions
     $html .= '<div class="actions">';
@@ -166,7 +166,7 @@ function search_courses($id_session, $type)
             // Build select for destination sessions where is not included current session from select origin
             if (!empty($id_session)) {
 
-                $sessions = SessionManager::get_sessions_list(null, array('name ASC'));
+                $sessions = SessionManager::get_sessions_list(array(), array('name', 'ASC'));
 
                 $select_destination .= '<select name="sessions_list_destination" width="380px" onchange = "javascript: xajax_search_courses(this.value,\'destination\');">';
                 $select_destination .= '<option value = "0">-- '.get_lang('SelectASession').' --</option>';
diff --git a/main/exercice/exercice.php b/main/exercice/exercice.php
index 6e01b60196..adb7485bfb 100755
--- a/main/exercice/exercice.php
+++ b/main/exercice/exercice.php
@@ -405,7 +405,9 @@ if (Database :: num_rows($result_total)) {
 //get HotPotatoes files (active and inactive)
 if ($is_allowedToEdit) {
     $sql = "SELECT * FROM $TBL_DOCUMENT
-            WHERE c_id = $courseId AND path LIKE '".Database :: escape_string($uploadPath)."/%/%'";
+            WHERE
+                c_id = $courseId AND
+                path LIKE '".Database :: escape_string($uploadPath.'/%/%')."'";
     $res = Database::query($sql);
     $hp_count = Database :: num_rows($res);
 } else {
@@ -413,7 +415,7 @@ if ($is_allowedToEdit) {
             WHERE
                 d.id = ip.ref AND
                 ip.tool = '".TOOL_DOCUMENT."' AND
-                d.path LIKE '".Database :: escape_string($uploadPath)."/%/%' AND
+                d.path LIKE '".Database :: escape_string($uploadPath.'/%/%')."' AND
                 ip.visibility ='1' AND
                 d.c_id      = ".$courseId." AND
                 ip.c_id     = ".$courseId;
@@ -920,7 +922,7 @@ if ($is_allowedToEdit) {
                 d.id = ip.ref AND
                 ip.tool = '".TOOL_DOCUMENT."' AND
                 (d.path LIKE '%htm%') AND
-                d.path  LIKE '".Database :: escape_string($uploadPath)."/%/%'
+                d.path  LIKE '".Database :: escape_string($uploadPath.'/%/%')."'
             LIMIT ".$from.",".$limit; // only .htm or .html files listed
 } else {
     $sql = "SELECT d.path as path, d.comment as comment, ip.visibility as visibility
@@ -931,7 +933,7 @@ if ($is_allowedToEdit) {
                 d.id = ip.ref AND
                 ip.tool = '".TOOL_DOCUMENT."' AND
                 (d.path LIKE '%htm%') AND
-                d.path  LIKE '".Database :: escape_string($uploadPath)."/%/%' AND
+                d.path  LIKE '".Database :: escape_string($uploadPath.'/%/%')."' AND
                 ip.visibility='1'
             LIMIT ".$from.",".$limit;
 }
diff --git a/main/forum/forumfunction.inc.php b/main/forum/forumfunction.inc.php
index 89874511a3..4972befc9b 100755
--- a/main/forum/forumfunction.inc.php
+++ b/main/forum/forumfunction.inc.php
@@ -527,7 +527,7 @@ function store_forumcategory($values)
     $table_categories = Database::get_course_table(TABLE_FORUM_CATEGORY);
 
     // Find the max cat_order. The new forum category is added at the end => max cat_order + &
-    $sql = "SELECT MAX(cat_order) as sort_max FROM ".Database::escape_string($table_categories)."
+    $sql = "SELECT MAX(cat_order) as sort_max FROM ".$table_categories."
             WHERE c_id = $course_id";
     $result = Database::query($sql);
     $row = Database::fetch_array($result);
diff --git a/main/gradebook/lib/be/category.class.php b/main/gradebook/lib/be/category.class.php
index 996a325900..81734e6fed 100755
--- a/main/gradebook/lib/be/category.class.php
+++ b/main/gradebook/lib/be/category.class.php
@@ -10,7 +10,6 @@ require_once api_get_path(LIBRARY_PATH).'grade_model.lib.php';
  * Defines a gradebook Category object
  * @package chamilo.gradebook
  */
-
 class Category implements GradebookItem
 {
     private $id;
@@ -206,8 +205,9 @@ class Category implements GradebookItem
 
         if (!empty($session_id)) {
             $tbl_grade_categories = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
-            $sql = 'SELECT id, course_code FROM '.$tbl_grade_categories. '
-                     WHERE session_id = '.$session_id;
+            $sql = 'SELECT id, course_code
+                    FROM '.$tbl_grade_categories. '
+                    WHERE session_id = '.$session_id;
             $result_session = Database::query($sql);
             if (Database::num_rows($result_session) > 0) {
                 $categoryList = array();
@@ -219,6 +219,7 @@ class Category implements GradebookItem
                         //$allSubCategories = Category::load(null,null,null, $parent_id, null, $session_id, null);
                     }
                 }
+
                 return $categoryList;
             }
         }
@@ -226,13 +227,13 @@ class Category implements GradebookItem
 
     /**
      * Retrieve categories and return them as an array of Category objects
-     * @param int      category id
-     * @param int      user id (category owner)
-     * @param string   course code
-     * @param int      parent category
-     * @param bool     visible
-     * @param int      session id (in case we are in a session)
-     * @param bool     Whether to show all "session" categories (true) or hide them (false) in case there is no session id
+     * @param int      $id category id
+     * @param int      $user_id (category owner)
+     * @param string   $course_code
+     * @param int      $parent_id parent category
+     * @param bool     $visible
+     * @param int      $session_id (in case we are in a session)
+     * @param bool     $order_by Whether to show all "session" categories (true) or hide them (false) in case there is no session id
      */
     public static function load(
         $id = null,
@@ -256,7 +257,6 @@ class Category implements GradebookItem
         $sql = 'SELECT * FROM '.$tbl_grade_categories;
         $paramcount = 0;
         if (isset($id)) {
-            $id = Database::escape_string($id);
             $sql.= ' WHERE id = '.intval($id);
             $paramcount ++;
         }
@@ -273,7 +273,6 @@ class Category implements GradebookItem
         }
 
         if (isset($course_code)) {
-            $course_code = Database::escape_string($course_code);
             if ($paramcount != 0) {
                 $sql .= ' AND';
             } else {
@@ -303,7 +302,6 @@ class Category implements GradebookItem
         }
 
         if (isset($parent_id)) {
-            $parent_id = Database::escape_string($parent_id);
             if ($paramcount != 0) {
                 $sql .= ' AND ';
             } else {
@@ -314,7 +312,6 @@ class Category implements GradebookItem
         }
 
         if (isset($visible)) {
-            $visible = Database::escape_string($visible);
             if ($paramcount != 0) {
                 $sql .= ' AND';
             } else {
diff --git a/main/inc/lib/auth.lib.php b/main/inc/lib/auth.lib.php
index dd30a936e7..d7c2c41cdd 100755
--- a/main/inc/lib/auth.lib.php
+++ b/main/inc/lib/auth.lib.php
@@ -5,6 +5,7 @@ require_once api_get_path(LIBRARY_PATH).'tracking.lib.php';
 require_once api_get_path(LIBRARY_PATH).'course_category.lib.php';
 
 /**
+ * Class Auth
  * Auth can be used to instantiate objects or as a library to manage courses
  * This file contains a class used like library provides functions for auth tool.
  * It's also used like model to courses_controller (MVC pattern)
@@ -19,7 +20,6 @@ class Auth
      */
     public function __construct()
     {
-
     }
 
     /**
@@ -35,8 +35,13 @@ class Auth
         $TABLE_COURSE_FIELD_VALUE = Database::get_main_table(TABLE_MAIN_COURSE_FIELD_VALUES);
 
         // get course list auto-register
-        $sql = "SELECT course_code FROM $TABLE_COURSE_FIELD_VALUE tcfv INNER JOIN $TABLE_COURSE_FIELD tcf ON " .
-            " tcfv.field_id =  tcf.id WHERE tcf.field_variable = 'special_course' AND tcfv.field_value = 1 ";
+        $sql = "SELECT course_code FROM $TABLE_COURSE_FIELD_VALUE tcfv
+                INNER JOIN $TABLE_COURSE_FIELD tcf
+                ON tcfv.field_id =  tcf.id
+                WHERE
+                    tcf.field_variable = 'special_course' AND
+                    tcfv.field_value = 1
+                ";
 
         $special_course_result = Database::query($sql);
         if (Database::num_rows($special_course_result) > 0) {
@@ -476,25 +481,36 @@ class Auth
         }
 
         $search_term_safe = Database::escape_string($search_term);
-        $sql_find = "SELECT * FROM $TABLECOURS WHERE (code LIKE '%" .
-            $search_term_safe . "%' OR title LIKE '%" . $search_term_safe .
-            "%' OR tutor_name LIKE '%" . $search_term_safe . "%')" .
-            $without_special_courses . "ORDER BY title, visual_code ASC " .
-            $limitFilter;
+        $sql_find = "SELECT * FROM $TABLECOURS
+                    WHERE (
+                        code LIKE '%".$search_term_safe . "%' OR
+                        title LIKE '%" . $search_term_safe ."%' OR
+                        tutor_name LIKE '%" . $search_term_safe . "%'
+                        )
+                        $without_special_courses
+                    ORDER BY title, visual_code ASC
+                    $limitFilter
+                    ";
 
         global $_configuration;
         if ($_configuration['multiple_access_urls']) {
             $url_access_id = api_get_current_access_url_id();
             if ($url_access_id != -1) {
                 $tbl_url_rel_course = Database::get_main_table(TABLE_MAIN_ACCESS_URL_REL_COURSE);
-                $sql_find = "SELECT * FROM $TABLECOURS as course INNER JOIN" .
-                    $tbl_url_rel_course . "as url_rel_course ON
-                    (url_rel_course.course_code=course.code) WHERE access_url_id = " .
-                    $url_access_id . "AND (code LIKE '%" . $search_term_safe . "%'
-                    OR title LIKE '%" . $search_term_safe . "%'
-                    OR tutor_name LIKE '%" . $search_term_safe . "%' )
-                    $without_special_courses ORDER BY title, visual_code ASC " .
-                    $limitFilter;
+                $sql_find = "SELECT *
+                            FROM $TABLECOURS as course
+                            INNER JOIN $tbl_url_rel_course as url_rel_course
+                            ON (url_rel_course.course_code=course.code)
+                            WHERE
+                                access_url_id = $url_access_id AND (
+                                    code LIKE '%" . $search_term_safe . "%' OR
+                                    title LIKE '%" . $search_term_safe . "%' OR
+                                    tutor_name LIKE '%" . $search_term_safe . "%'
+                                )
+                                $without_special_courses
+                            ORDER BY title, visual_code ASC
+                            $limitFilter
+                            ";
             }
         }
         $result_find = Database::query($sql_find);
diff --git a/main/inc/lib/course.lib.php b/main/inc/lib/course.lib.php
index 898f8eaf96..a57e70b365 100755
--- a/main/inc/lib/course.lib.php
+++ b/main/inc/lib/course.lib.php
@@ -1739,8 +1739,8 @@ class CourseManager
      *  @param string $course_code
      *  @param boolean $with_session
      *  @param integer $session_id
-     *  @param date $date_from
-     *  @param date $date_to
+     *  @param string $date_from
+     *  @param string $date_to
      *  @return array with user id
      */
     public static function get_student_list_from_course_code(
@@ -1995,7 +1995,10 @@ class CourseManager
                 FROM ".Database::get_main_table(TABLE_MAIN_COURSE)." course
                 LEFT JOIN ".Database::get_main_table(TABLE_MAIN_COURSE_USER)." course_user
                 ON course.code = course_user.course_code
-                WHERE course.target_course_code = '$course_code' AND course_user.user_id = '$user_id' AND course_user.relation_type<>".COURSE_RELATION_TYPE_RRHH." ";
+                WHERE
+                    course.target_course_code = '$course_code' AND
+                    course_user.user_id = '$user_id' AND
+                    course_user.relation_type<>".COURSE_RELATION_TYPE_RRHH." ";
         $sql_result = Database::query($sql);
 
         while ($result = Database::fetch_array($sql_result)) {
@@ -2175,13 +2178,12 @@ class CourseManager
         $table_stats_links          = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_LINKS);
         $table_stats_uploads        = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_UPLOADS);
 
-        $code = Database::escape_string($code);
-        $sql = "SELECT * FROM $table_course WHERE code='".$code."'";
+        $codeFiltered = Database::escape_string($code);
+        $sql = "SELECT * FROM $table_course WHERE code='".$codeFiltered."'";
         $res = Database::query($sql);
         if (Database::num_rows($res) == 0) {
             return;
         }
-        $this_course = Database::fetch_array($res);
         $count = 0;
         if (api_is_multiple_url_enabled()) {
             require_once api_get_path(LIBRARY_PATH).'urlmanager.lib.php';
@@ -2193,177 +2195,183 @@ class CourseManager
             $count = UrlManager::getcountUrlRelCourse($code);
         }
         if ($count == 0) {
-        self::create_database_dump($code);
-        if (!self::is_virtual_course_from_system_code($code)) {
-            // If this is not a virtual course, look for virtual courses that depend on this one, if any
-            $virtual_courses = self::get_virtual_courses_linked_to_real_course($code);
-            foreach ($virtual_courses as $index => $virtual_course) {
-                // Unsubscribe all classes from the virtual course
-                /*$sql = "DELETE FROM $table_course_class WHERE course_code='".$virtual_course['code']."'";
-                Database::query($sql);*/
-                // Unsubscribe all users from the virtual course
-                $sql = "DELETE FROM $table_course_user WHERE course_code='".$virtual_course['code']."'";
-                Database::query($sql);
-                // Delete the course from the sessions tables
-                $sql = "DELETE FROM $table_session_course WHERE course_code='".$virtual_course['code']."'";
-                Database::query($sql);
-                $sql = "DELETE FROM $table_session_course_user WHERE course_code='".$virtual_course['code']."'";
-                Database::query($sql);
-                // Delete the course from the survey tables
-                $sql = "DELETE FROM $table_course_survey WHERE course_code='".$virtual_course['code']."'";
-                Database::query($sql);
-                /*$sql = "DELETE FROM $table_course_survey_user WHERE db_name='".$virtual_course['db_name']."'";
-                Database::query($sql);
-                $sql = "DELETE FROM $table_course_survey_reminder WHERE db_name='".$virtual_course['db_name']."'";
-                Database::query($sql);*/
-
-                // Delete the course from the stats tables
-
-                $sql = "DELETE FROM $table_stats_hotpots WHERE exe_cours_id = '".$virtual_course['code']."'";
-                Database::query($sql);
-                $sql = "DELETE FROM $table_stats_attempt WHERE course_code = '".$virtual_course['code']."'";
-                Database::query($sql);
-                $sql = "DELETE FROM $table_stats_exercises WHERE exe_cours_id = '".$virtual_course['code']."'";
-                Database::query($sql);
-                $sql = "DELETE FROM $table_stats_access WHERE access_cours_code = '".$virtual_course['code']."'";
-                Database::query($sql);
-                $sql = "DELETE FROM $table_stats_lastaccess WHERE access_cours_code = '".$virtual_course['code']."'";
-                Database::query($sql);
-                $sql = "DELETE FROM $table_stats_course_access WHERE course_code = '".$virtual_course['code']."'";
-                Database::query($sql);
-                $sql = "DELETE FROM $table_stats_online WHERE course = '".$virtual_course['code']."'";
-                Database::query($sql);
-                $sql = "DELETE FROM $table_stats_default WHERE default_cours_code = '".$virtual_course['code']."'";
-                Database::query($sql);
-                $sql = "DELETE FROM $table_stats_downloads WHERE down_cours_id = '".$virtual_course['code']."'";
-                Database::query($sql);
-                $sql = "DELETE FROM $table_stats_links WHERE links_cours_id = '".$virtual_course['code']."'";
-                Database::query($sql);
-                $sql = "DELETE FROM $table_stats_uploads WHERE upload_cours_id = '".$virtual_course['code']."'";
-                Database::query($sql);
+            self::create_database_dump($code);
+            if (!self::is_virtual_course_from_system_code($code)) {
+                // If this is not a virtual course, look for virtual courses that depend on this one, if any
+                $virtual_courses = self::get_virtual_courses_linked_to_real_course($code);
+                foreach ($virtual_courses as $index => $virtual_course) {
+                    // Unsubscribe all classes from the virtual course
+                    /*$sql = "DELETE FROM $table_course_class WHERE course_code='".$virtual_course['code']."'";
+                    Database::query($sql);*/
+                    // Unsubscribe all users from the virtual course
+                    $sql = "DELETE FROM $table_course_user WHERE course_code='".$virtual_course['code']."'";
+                    Database::query($sql);
+                    // Delete the course from the sessions tables
+                    $sql = "DELETE FROM $table_session_course WHERE course_code='".$virtual_course['code']."'";
+                    Database::query($sql);
+                    $sql = "DELETE FROM $table_session_course_user WHERE course_code='".$virtual_course['code']."'";
+                    Database::query($sql);
+                    // Delete the course from the survey tables
+                    $sql = "DELETE FROM $table_course_survey WHERE course_code='".$virtual_course['code']."'";
+                    Database::query($sql);
+                    /*$sql = "DELETE FROM $table_course_survey_user WHERE db_name='".$virtual_course['db_name']."'";
+                    Database::query($sql);
+                    $sql = "DELETE FROM $table_course_survey_reminder WHERE db_name='".$virtual_course['db_name']."'";
+                    Database::query($sql);*/
 
-                // Delete the course from the course table
-                $sql = "DELETE FROM $table_course WHERE code='".$virtual_course['code']."'";
-                Database::query($sql);
-            }
+                    // Delete the course from the stats tables
 
-            $sql = "SELECT * FROM $table_course WHERE code='".$code."'";
-            $res = Database::query($sql);
-            $course = Database::fetch_array($res);
-            $course_tables = get_course_tables();
+                    $sql = "DELETE FROM $table_stats_hotpots WHERE exe_cours_id = '".$virtual_course['code']."'";
+                    Database::query($sql);
+                    $sql = "DELETE FROM $table_stats_attempt WHERE course_code = '".$virtual_course['code']."'";
+                    Database::query($sql);
+                    $sql = "DELETE FROM $table_stats_exercises WHERE exe_cours_id = '".$virtual_course['code']."'";
+                    Database::query($sql);
+                    $sql = "DELETE FROM $table_stats_access WHERE access_cours_code = '".$virtual_course['code']."'";
+                    Database::query($sql);
+                    $sql = "DELETE FROM $table_stats_lastaccess WHERE access_cours_code = '".$virtual_course['code']."'";
+                    Database::query($sql);
+                    $sql = "DELETE FROM $table_stats_course_access WHERE course_code = '".$virtual_course['code']."'";
+                    Database::query($sql);
+                    $sql = "DELETE FROM $table_stats_online WHERE course = '".$virtual_course['code']."'";
+                    Database::query($sql);
+                    $sql = "DELETE FROM $table_stats_default WHERE default_cours_code = '".$virtual_course['code']."'";
+                    Database::query($sql);
+                    $sql = "DELETE FROM $table_stats_downloads WHERE down_cours_id = '".$virtual_course['code']."'";
+                    Database::query($sql);
+                    $sql = "DELETE FROM $table_stats_links WHERE links_cours_id = '".$virtual_course['code']."'";
+                    Database::query($sql);
+                    $sql = "DELETE FROM $table_stats_uploads WHERE upload_cours_id = '".$virtual_course['code']."'";
+                    Database::query($sql);
 
-            //Cleaning c_x tables
-            if (!empty($course['id'])) {
-                foreach($course_tables as $table) {
-                    $table = Database::get_course_table($table);
-                    $sql = "DELETE FROM $table WHERE c_id = {$course['id']} ";
+                    // Delete the course from the course table
+                    $sql = "DELETE FROM $table_course WHERE code='".$virtual_course['code']."'";
                     Database::query($sql);
                 }
-            }
-            $course_dir = api_get_path(SYS_COURSE_PATH).$course['directory'];
-            $archive_dir = api_get_path(SYS_ARCHIVE_PATH).$course['directory'].'_'.time();
-            if (is_dir($course_dir)) {
-                rename($course_dir, $archive_dir);
-            }
-        }
-
-        // Unsubscribe all classes from the course
-        /*$sql = "DELETE FROM $table_course_class WHERE course_code='".$code."'";
-        Database::query($sql);*/
-        // Unsubscribe all users from the course
-        $sql = "DELETE FROM $table_course_user WHERE course_code='".$code."'";
-        Database::query($sql);
-        // Delete the course from the sessions tables
-        $sql = "DELETE FROM $table_session_course WHERE course_code='".$code."'";
-        Database::query($sql);
-        $sql = "DELETE FROM $table_session_course_user WHERE course_code='".$code."'";
-        Database::query($sql);
 
-        // Delete from Course - URL
-        $sql = "DELETE FROM $table_course_rel_url WHERE course_code = '".$code."'";
-        Database::query($sql);
+                $sql = "SELECT * FROM $table_course WHERE code='".$codeFiltered."'";
+                $res = Database::query($sql);
+                $course = Database::fetch_array($res);
+                $course_tables = get_course_tables();
+
+                //Cleaning c_x tables
+                if (!empty($course['id'])) {
+                    foreach($course_tables as $table) {
+                        $table = Database::get_course_table($table);
+                        $sql = "DELETE FROM $table WHERE c_id = {$course['id']} ";
+                        Database::query($sql);
+                    }
+                }
+                $course_dir = api_get_path(SYS_COURSE_PATH).$course['directory'];
+                $archive_dir = api_get_path(SYS_ARCHIVE_PATH).$course['directory'].'_'.time();
+                if (is_dir($course_dir)) {
+                    rename($course_dir, $archive_dir);
+                }
+            }
 
-        $sql = 'SELECT survey_id FROM '.$table_course_survey.' WHERE course_code="'.$code.'"';
-        $result_surveys = Database::query($sql);
-        while($surveys = Database::fetch_array($result_surveys)) {
-            $survey_id = $surveys[0];
-            $sql = 'DELETE FROM '.$table_course_survey_question.' WHERE survey_id="'.$survey_id.'"';
+            // Unsubscribe all classes from the course
+            /*$sql = "DELETE FROM $table_course_class WHERE course_code='".$code."'";
+            Database::query($sql);*/
+            // Unsubscribe all users from the course
+            $sql = "DELETE FROM $table_course_user WHERE course_code='".$codeFiltered."'";
             Database::query($sql);
-            $sql = 'DELETE FROM '.$table_course_survey_question_option.' WHERE survey_id="'.$survey_id.'"';
+            // Delete the course from the sessions tables
+            $sql = "DELETE FROM $table_session_course WHERE course_code='".$codeFiltered."'";
             Database::query($sql);
-            $sql = 'DELETE FROM '.$table_course_survey.' WHERE survey_id="'.$survey_id.'"';
+            $sql = "DELETE FROM $table_session_course_user WHERE course_code='".$codeFiltered."'";
             Database::query($sql);
-        }
 
-        // Delete the course from the stats tables
-
-        $sql = "DELETE FROM $table_stats_hotpots WHERE exe_cours_id = '".$code."'";
-        Database::query($sql);
-        $sql = "DELETE FROM $table_stats_attempt WHERE course_code = '".$code."'";
-        Database::query($sql);
-        $sql = "DELETE FROM $table_stats_exercises WHERE exe_cours_id = '".$code."'";
-        Database::query($sql);
-        $sql = "DELETE FROM $table_stats_access WHERE access_cours_code = '".$code."'";
-        Database::query($sql);
-        $sql = "DELETE FROM $table_stats_lastaccess WHERE access_cours_code = '".$code."'";
-        Database::query($sql);
-        $sql = "DELETE FROM $table_stats_course_access WHERE course_code = '".$code."'";
-        Database::query($sql);
-        $sql = "DELETE FROM $table_stats_online WHERE course = '".$code."'";
-        Database::query($sql);
-        $sql = "DELETE FROM $table_stats_default WHERE default_cours_code = '".$code."'";
-        Database::query($sql);
-        $sql = "DELETE FROM $table_stats_downloads WHERE down_cours_id = '".$code."'";
-        Database::query($sql);
-        $sql = "DELETE FROM $table_stats_links WHERE links_cours_id = '".$code."'";
-        Database::query($sql);
-        $sql = "DELETE FROM $table_stats_uploads WHERE upload_cours_id = '".$code."'";
-        Database::query($sql);
+            // Delete from Course - URL
+            $sql = "DELETE FROM $table_course_rel_url WHERE course_code = '".$codeFiltered."'";
+            Database::query($sql);
 
-        // Delete the course from the database
-        $sql = "DELETE FROM $table_course WHERE code='".$code."'";
-        Database::query($sql);
+            $sql = 'SELECT survey_id FROM '.$table_course_survey.' WHERE course_code="'.$codeFiltered.'"';
+            $result_surveys = Database::query($sql);
+            while($surveys = Database::fetch_array($result_surveys)) {
+                $survey_id = $surveys[0];
+                $sql = 'DELETE FROM '.$table_course_survey_question.' WHERE survey_id="'.$survey_id.'"';
+                Database::query($sql);
+                $sql = 'DELETE FROM '.$table_course_survey_question_option.' WHERE survey_id="'.$survey_id.'"';
+                Database::query($sql);
+                $sql = 'DELETE FROM '.$table_course_survey.' WHERE survey_id="'.$survey_id.'"';
+                Database::query($sql);
+            }
 
-        // delete extra course fields
-        $t_cf         = Database::get_main_table(TABLE_MAIN_COURSE_FIELD);
-        $t_cfv         = Database::get_main_table(TABLE_MAIN_COURSE_FIELD_VALUES);
+            // Delete the course from the stats tables
 
-        $sql = "SELECT distinct field_id FROM $t_cfv WHERE course_code = '$code'";
-        $res_field_ids = @Database::query($sql);
+            $sql = "DELETE FROM $table_stats_hotpots WHERE exe_cours_id = '".$codeFiltered."'";
+            Database::query($sql);
+            $sql = "DELETE FROM $table_stats_attempt WHERE course_code = '".$codeFiltered."'";
+            Database::query($sql);
+            $sql = "DELETE FROM $table_stats_exercises WHERE exe_cours_id = '".$codeFiltered."'";
+            Database::query($sql);
+            $sql = "DELETE FROM $table_stats_access WHERE access_cours_code = '".$codeFiltered."'";
+            Database::query($sql);
+            $sql = "DELETE FROM $table_stats_lastaccess WHERE access_cours_code = '".$codeFiltered."'";
+            Database::query($sql);
+            $sql = "DELETE FROM $table_stats_course_access WHERE course_code = '".$codeFiltered."'";
+            Database::query($sql);
+            $sql = "DELETE FROM $table_stats_online WHERE course = '".$codeFiltered."'";
+            Database::query($sql);
+            $sql = "DELETE FROM $table_stats_default WHERE default_cours_code = '".$codeFiltered."'";
+            Database::query($sql);
+            $sql = "DELETE FROM $table_stats_downloads WHERE down_cours_id = '".$codeFiltered."'";
+            Database::query($sql);
+            $sql = "DELETE FROM $table_stats_links WHERE links_cours_id = '".$codeFiltered."'";
+            Database::query($sql);
+            $sql = "DELETE FROM $table_stats_uploads WHERE upload_cours_id = '".$codeFiltered."'";
+            Database::query($sql);
 
-        while($row_field_id = Database::fetch_row($res_field_ids)){
-            $field_ids[] = $row_field_id[0];
-        }
+            // Delete the course from the database
+            $sql = "DELETE FROM $table_course WHERE code='".$codeFiltered."'";
+            Database::query($sql);
 
-        //delete from table_course_field_value from a given course_code
+            // delete extra course fields
+            $t_cf         = Database::get_main_table(TABLE_MAIN_COURSE_FIELD);
+            $t_cfv         = Database::get_main_table(TABLE_MAIN_COURSE_FIELD_VALUES);
 
-        $sql_course_field_value = "DELETE FROM $t_cfv WHERE course_code = '$code'";
-        @Database::query($sql_course_field_value);
+            $sql = "SELECT distinct field_id FROM $t_cfv WHERE course_code = '$codeFiltered'";
+            $res_field_ids = Database::query($sql);
+            $field_ids = array();
+            while($row_field_id = Database::fetch_row($res_field_ids)){
+                $field_ids[] = $row_field_id[0];
+            }
 
-        $sql = "SELECT distinct field_id FROM $t_cfv";
-        $res_field_all_ids = @Database::query($sql);
+            // Delete from table_course_field_value from a given course_code
+            $sql_course_field_value = "DELETE FROM $t_cfv WHERE course_code = '$codeFiltered'";
+            Database::query($sql_course_field_value);
 
-        while($row_field_all_id = Database::fetch_row($res_field_all_ids)){
-            $field_all_ids[] = $row_field_all_id[0];
-        }
+            $sql = "SELECT distinct field_id FROM $t_cfv";
+            $res_field_all_ids = Database::query($sql);
+            $field_all_ids = array();
+            while($row_field_all_id = Database::fetch_row($res_field_all_ids)) {
+                $field_all_ids[] = $row_field_all_id[0];
+            }
 
-        if (is_array($field_ids) && count($field_ids) > 0) {
-            foreach ($field_ids as $field_id) {
-                // check if field id is used into table field value
-                if (is_array($field_all_ids)) {
-                    if (in_array($field_id, $field_all_ids)) {
-                        continue;
-                    } else {
-                        $sql_course_field = "DELETE FROM $t_cf WHERE id = '$field_id'";
-                        Database::query($sql_course_field);
+            if (is_array($field_ids) && count($field_ids) > 0) {
+                foreach ($field_ids as $field_id) {
+                    // check if field id is used into table field value
+                    if (is_array($field_all_ids)) {
+                        if (in_array($field_id, $field_all_ids)) {
+                            continue;
+                        } else {
+                            $sql_course_field = "DELETE FROM $t_cf WHERE id = '$field_id'";
+                            Database::query($sql_course_field);
+                        }
                     }
                 }
             }
-        }
 
-        // Add event to system log
-        $user_id = api_get_user_id();
-        event_system(LOG_COURSE_DELETE, LOG_COURSE_CODE, $code, api_get_utc_datetime(), $user_id, $code);
+            // Add event to system log
+            $user_id = api_get_user_id();
+            event_system(
+                LOG_COURSE_DELETE,
+                LOG_COURSE_CODE,
+                $code,
+                api_get_utc_datetime(),
+                $user_id,
+                $code
+            );
         }
     }
 
@@ -2884,8 +2892,8 @@ class CourseManager
      */
     public static function update_course_extra_field_value($course_code, $fname, $fvalue = '')
     {
-        $t_cfv            = Database::get_main_table(TABLE_MAIN_COURSE_FIELD_VALUES);
-        $t_cf             = Database::get_main_table(TABLE_MAIN_COURSE_FIELD);
+        $t_cfv = Database::get_main_table(TABLE_MAIN_COURSE_FIELD_VALUES);
+        $t_cf = Database::get_main_table(TABLE_MAIN_COURSE_FIELD);
         $fname = Database::escape_string($fname);
         $course_code = Database::escape_string($course_code);
         $fvalues = '';
@@ -3180,7 +3188,8 @@ class CourseManager
         $result = Database::query($sql);
         if (Database::num_rows($result) > 0) {
             while ($row = Database::fetch_array($result))   {
-                $sql = "DELETE FROM $tbl_course_rel_user WHERE course_code = '{$row['course_code']}' AND user_id = $hr_manager_id AND relation_type=".COURSE_RELATION_TYPE_RRHH." ";
+                $sql = "DELETE FROM $tbl_course_rel_user
+                        WHERE course_code = '{$row['course_code']}' AND user_id = $hr_manager_id AND relation_type=".COURSE_RELATION_TYPE_RRHH." ";
                 Database::query($sql);
             }
         }
@@ -3189,7 +3198,8 @@ class CourseManager
         if (is_array($courses_list)) {
             foreach ($courses_list as $course_code) {
                 $course_code = Database::escape_string($course_code);
-                $insert_sql = "INSERT IGNORE INTO $tbl_course_rel_user(course_code, user_id, status, relation_type) VALUES('$course_code', $hr_manager_id, '".DRH."', '".COURSE_RELATION_TYPE_RRHH."')";
+                $insert_sql = "INSERT IGNORE INTO $tbl_course_rel_user(course_code, user_id, status, relation_type)
+                               VALUES('$course_code', $hr_manager_id, '".DRH."', '".COURSE_RELATION_TYPE_RRHH."')";
                 Database::query($insert_sql);
                 if (Database::affected_rows()) {
                     $affected_rows++;
@@ -3349,23 +3359,28 @@ class CourseManager
 
     /**
      * check if a course is special (autoregister)
-     * @param string course code
+     * @param string $course_code
      */
     public static function is_special_course($course_code)
     {
-        $tbl_course_field_value        = Database::get_main_table(TABLE_MAIN_COURSE_FIELD_VALUES);
-        $tbl_course_field             = Database::get_main_table(TABLE_MAIN_COURSE_FIELD);
+        $tbl_course_field_value = Database::get_main_table(TABLE_MAIN_COURSE_FIELD_VALUES);
+        $tbl_course_field = Database::get_main_table(TABLE_MAIN_COURSE_FIELD);
+
         $is_special = false;
+        $course_code = Database::escape_string($course_code);
         $sql = "SELECT course_code
                 FROM $tbl_course_field_value tcfv
                 INNER JOIN $tbl_course_field tcf ON tcfv.field_id =  tcf.id
-                WHERE tcf.field_variable = 'special_course' AND tcfv.field_value = 1 AND course_code='$course_code'";
+                WHERE
+                    tcf.field_variable = 'special_course' AND
+                    tcfv.field_value = 1 AND
+                    course_code='$course_code'";
         $result = Database::query($sql);
         $num_rows = Database::num_rows($result);
         if ($num_rows > 0){
             $is_special = true;
-
         }
+
         return $is_special;
     }
 
@@ -3894,20 +3909,20 @@ class CourseManager
      */
     public static function get_logged_user_course_html($course, $session_id = 0, $class = 'courses', $session_accessible = true, $load_dirs = false)
     {
-        global $nosession, $nbDigestEntries, $digest, $thisCourseSysCode, $orderKey;
+        global $nosession;
         $user_id  = api_get_user_id();
         $course_info = api_get_course_info($course['code']);
         $status_course = CourseManager::get_user_in_course_status($user_id, $course_info['code']);
-
         $course_info['status'] = empty($session_id) ? $status_course : STUDENT;
-
         $course_info['id_session'] = $session_id;
 
         if (!$nosession) {
             global $now, $date_start, $date_end;
         }
         if (empty($date_start) or empty($date_end)) {
-            $sess = SessionManager::get_sessions_list(array('s.id = ' => $course_info['id_session']));
+            $sess = SessionManager::get_sessions_list(
+                array('s.id' => array('operator' => '=', 'value' => $course_info['id_session']))
+            );
             $date_start = $sess[$course_info['id_session']]['date_start'];
             $date_end = $sess[$course_info['id_session']]['date_end'];
         }
@@ -3917,17 +3932,21 @@ class CourseManager
         }
 
         // Table definitions
-        $main_user_table            = Database :: get_main_table(TABLE_MAIN_USER);
-        $tbl_session                = Database :: get_main_table(TABLE_MAIN_SESSION);
-        $tbl_session_category       = Database :: get_main_table(TABLE_MAIN_SESSION_CATEGORY);
+        $main_user_table = Database :: get_main_table(TABLE_MAIN_USER);
+        $tbl_session = Database :: get_main_table(TABLE_MAIN_SESSION);
+        $tbl_session_category = Database :: get_main_table(TABLE_MAIN_SESSION_CATEGORY);
 
-        $course_access_settings     = CourseManager::get_access_settings($course_info['code']);
-        $course_visibility          = $course_access_settings['visibility'];
+        $course_access_settings = CourseManager::get_access_settings($course_info['code']);
+        $course_visibility = $course_access_settings['visibility'];
 
         if ($course_visibility == COURSE_VISIBILITY_HIDDEN) {
             return '';
         }
-        $user_in_course_status = CourseManager::get_user_in_course_status(api_get_user_id(), $course_info['code']);
+
+        $user_in_course_status = CourseManager::get_user_in_course_status(
+            api_get_user_id(),
+            $course_info['code']
+        );
 
         $is_coach = api_is_coach($course_info['id_session'], $course['code']);
 
@@ -3935,8 +3954,11 @@ class CourseManager
         // Show a hyperlink to the course, unless the course is closed and user is not course admin.
         $session_url = '';
         $session_title = '';
+
         if ($session_accessible) {
-            if ($course_visibility != COURSE_VISIBILITY_CLOSED || $user_in_course_status == COURSEMANAGER) {
+            if ($course_visibility != COURSE_VISIBILITY_CLOSED ||
+                $user_in_course_status == COURSEMANAGER
+            ) {
                 if (!$nosession) {
                     if (empty($course_info['id_session'])) {
                         $course_info['id_session'] = 0;
@@ -3985,10 +4007,11 @@ class CourseManager
 
         $params['link'] = $session_url;
         $params['title'] = $session_title;
-
         $params['right_actions'] = '';
 
-        if ($course_visibility != COURSE_VISIBILITY_CLOSED && $course_visibility != COURSE_VISIBILITY_HIDDEN) {
+        if ($course_visibility != COURSE_VISIBILITY_CLOSED &&
+            $course_visibility != COURSE_VISIBILITY_HIDDEN
+        ) {
             if ($load_dirs) {
                 $params['right_actions'] .= '<a id="document_preview_'.$course_info['real_id'].'_'.$course_info['id_session'].'" class="document_preview" href="javascript:void(0);">'.Display::return_icon('folder.png', get_lang('Documents'), array('align' => 'absmiddle'),ICON_SIZE_SMALL).'</a>';
                 $params['right_actions'] .= Display::div('', array('id' => 'document_result_'.$course_info['real_id'].'_'.$course_info['id_session'], 'class'=>'document_preview_container'));
@@ -4000,9 +4023,19 @@ class CourseManager
         }
 
         if (api_get_setting('display_teacher_in_courselist') == 'true') {
+            $teacher_list = null;
             if (!$nosession) {
-                $teacher_list = CourseManager::get_teacher_list_from_course_code_to_string($course_info['code'], self::USER_SEPARATOR, true);
-                $course_coachs = CourseManager::get_coachs_from_course_to_string($course_info['id_session'], $course['code'], self::USER_SEPARATOR, true);
+                $teacher_list = CourseManager::get_teacher_list_from_course_code_to_string(
+                    $course_info['code'],
+                    self::USER_SEPARATOR,
+                    true
+                );
+                $course_coachs = CourseManager::get_coachs_from_course_to_string(
+                    $course_info['id_session'],
+                    $course['code'],
+                    self::USER_SEPARATOR,
+                    true
+                );
 
                 if ($course_info['status'] == COURSEMANAGER || ($course_info['status'] == STUDENT && empty($course_info['id_session'])) || empty($course_info['status'])) {
                     $params['teachers'] = $teacher_list;
@@ -4722,6 +4755,9 @@ class CourseManager
         if (!empty($specialCourseList)) {
             $withoutSpecialCourses = ' AND c.code NOT IN ("'.implode('","',$specialCourseList).'")';
         }
+
+        $visibilityCondition = null;
+
         if (isset($_configuration['course_catalog_hide_private'])) {
             if ($_configuration['course_catalog_hide_private'] == true) {
                 $courseInfo = api_get_course_info();
@@ -4731,7 +4767,14 @@ class CourseManager
         }
         if (!empty($accessUrlId) && $accessUrlId == intval($accessUrlId)) {
             $sql = "SELECT count(id) FROM $tableCourse c, $tableCourseRelAccessUrl u
-                    WHERE c.code = u.course_code AND u.access_url_id = $accessUrlId AND c.visibility != 0 AND c.visibility != 4 $withoutSpecialCourses $visibilityCondition";
+                    WHERE
+                        c.code = u.course_code AND
+                        u.access_url_id = $accessUrlId AND
+                        c.visibility != 0 AND
+                        c.visibility != 4
+                        $withoutSpecialCourses
+                        $visibilityCondition
+                    ";
         }
         $res = Database::query($sql);
         $row = Database::fetch_row($res);
diff --git a/main/inc/lib/course_category.lib.php b/main/inc/lib/course_category.lib.php
index 9b462e34c8..7806090cd6 100755
--- a/main/inc/lib/course_category.lib.php
+++ b/main/inc/lib/course_category.lib.php
@@ -18,7 +18,7 @@ function isMultipleUrlSupport()
 function getCategoryById($categoryId)
 {
     $tbl_category = Database::get_main_table(TABLE_MAIN_CATEGORY);
-    $categoryId = Database::escape_string($categoryId);
+    $categoryId = intval($categoryId);
     $sql = "SELECT * FROM $tbl_category WHERE id = '$categoryId'";
     $result = Database::query($sql);
     if (Database::num_rows($result)) {
@@ -503,7 +503,7 @@ function browseCourseCategories()
  * @return int
  */
 function countCoursesInCategory($category_code="", $searchTerm = '')
-{   
+{
     global $_configuration;
     $tbl_course = Database::get_main_table(TABLE_MAIN_COURSE);
     $TABLE_COURSE_FIELD = Database :: get_main_table(TABLE_MAIN_COURSE_FIELD);
@@ -556,9 +556,14 @@ function countCoursesInCategory($category_code="", $searchTerm = '')
     }
 
     $sql = "SELECT * FROM $tbl_course
-        WHERE visibility != '0' AND visibility != '4'".
-        $categoryFilter . $searchFilter .
-        $without_special_courses . $visibilityCondition;
+            WHERE
+                visibility != '0' AND
+                visibility != '4'
+                $categoryFilter
+                $searchFilter
+                $without_special_courses
+                $visibilityCondition
+            ";
     // Showing only the courses of the current portal access_url_id.
 
     if (api_is_multiple_url_enabled()) {
@@ -566,11 +571,17 @@ function countCoursesInCategory($category_code="", $searchTerm = '')
         if ($url_access_id != -1) {
             $tbl_url_rel_course = Database::get_main_table(TABLE_MAIN_ACCESS_URL_REL_COURSE);
             $sql = "SELECT * FROM $tbl_course as course
-                INNER JOIN $tbl_url_rel_course as url_rel_course
-                ON (url_rel_course.course_code=course.code)
-                WHERE access_url_id = $url_access_id AND course.visibility != '0'
-                AND course.visibility != '4' AND category_code" . "='" . $category_code . "'" .
-                $searchTerm . $without_special_courses. $visibilityCondition;
+                    INNER JOIN $tbl_url_rel_course as url_rel_course
+                    ON (url_rel_course.course_code=course.code)
+                    WHERE
+                        access_url_id = $url_access_id AND
+                        course.visibility != '0' AND
+                        course.visibility != '4' AND
+                        category_code = '$category_code'
+                        $searchTerm
+                        $without_special_courses
+                        $visibilityCondition
+                    ";
         }
     }
 
@@ -585,7 +596,7 @@ function countCoursesInCategory($category_code="", $searchTerm = '')
  * @return array
  */
 function browseCoursesInCategory($category_code, $random_value = null, $limit = array())
-{   
+{
     global $_configuration;
     $tbl_course = Database::get_main_table(TABLE_MAIN_COURSE);
     $TABLE_COURSE_FIELD = Database::get_main_table(TABLE_MAIN_COURSE_FIELD);
@@ -609,6 +620,7 @@ function browseCoursesInCategory($category_code, $random_value = null, $limit =
     if (!empty($special_course_list)) {
         $without_special_courses = ' AND course.code NOT IN (' . implode(',', $special_course_list) . ')';
     }
+    $visibilityCondition = null;
     if (isset($_configuration['course_catalog_hide_private'])) {
         if ($_configuration['course_catalog_hide_private'] == true) {
             $courseInfo = api_get_course_info();
@@ -960,10 +972,10 @@ function getCataloguePagination($pageCurrent, $pageLength, $pageTotal)
         $categoryCode = null,
         $hiddenLinks = null,
         $action = null
-    )
-    {
-        $action = isset($action) ? Security::remove_XSS($action) :
-            Security::remove_XSS($_REQUEST['action']);
+    ) {
+        $action = isset($action) ? Security::remove_XSS($action) : Security::remove_XSS($_REQUEST['action']);
+        $searchTerm = isset($_REQUEST['search_term']) ? Security::remove_XSS($_REQUEST['search_term']) : null;
+
         // Start URL with params
         $pageUrl = api_get_self() .
             '?action=' . $action .
@@ -982,7 +994,7 @@ function getCataloguePagination($pageCurrent, $pageLength, $pageTotal)
             case 'subscribe' :
                 // for search
                 $pageUrl .=
-                    '&search_term=' . $_REQUEST['search_term'] .
+                    '&search_term=' . $searchTerm .
                     '&search_course=1' .
                     '&sec_token=' . $_SESSION['sec_token'];
                 break;
diff --git a/main/inc/lib/database.lib.php b/main/inc/lib/database.lib.php
index 52efbe87c5..90d3905858 100755
--- a/main/inc/lib/database.lib.php
+++ b/main/inc/lib/database.lib.php
@@ -455,21 +455,29 @@ class Database
      * @param string            The string to escape
      * @return string           The escaped string
      */
-    public static function escape_sql_wildcards($in_txt) {
+    public static function escape_sql_wildcards($in_txt)
+    {
         $out_txt = api_preg_replace("/_/", "\_", $in_txt);
         $out_txt = api_preg_replace("/%/", "\%", $out_txt);
+
         return $out_txt;
     }
 
     /**
      * Escapes a string to insert into the database as text
-     * @param string                            The string to escape
-     * @param resource $connection (optional)   The database server connection, for detailed description see the method query().
-     * @return string                           The escaped string
+     * @param string    $string The string to escape
+     * @param resource  $connection (optional)   The database server connection, for detailed description see the method query().
+     * @param bool $addFix
+     * @return string   he escaped string
      * @author Yannick Warnier <yannick.warnier@dokeos.com>
      * @author Patrick Cool <patrick.cool@UGent.be>, Ghent University
      */
-    public static function escape_string($string, $connection = null) {
+    public static function escape_string($string, $connection = null, $addFix = true)
+    {
+        // Fixes security problem when there's no "" or '' between a variable.
+        if ($addFix) {
+            $string = "__@$string@__";
+        }
         return get_magic_quotes_gpc()
             ? (self::use_default_connection($connection)
                 ? mysql_real_escape_string(stripslashes($string))
@@ -479,6 +487,7 @@ class Database
                 : mysql_real_escape_string($string, $connection));
     }
 
+
     /**
      * Gets the array from a SQL result (as returned by Database::query) - help achieving database independence
      * @param resource      The result from a call to sql_query (e.g. Database::query)
@@ -486,8 +495,9 @@ class Database
      * @return array        Array of results as returned by php
      * @author Yannick Warnier <yannick.warnier@beeznest.com>
      */
-    public static function fetch_array($result, $option = 'BOTH') {
-    if ($result === false) { return array(); }
+    public static function fetch_array($result, $option = 'BOTH')
+    {
+        if ($result === false) { return array(); }
         return $option == 'ASSOC' ? mysql_fetch_array($result, MYSQL_ASSOC) : ($option == 'NUM' ? mysql_fetch_array($result, MYSQL_NUM) : mysql_fetch_array($result));
     }
 
@@ -674,6 +684,32 @@ class Database
         return self::num_rows($resource) > 0 ? (!empty($field) ? mysql_result($resource, $row, $field) : mysql_result($resource, $row)) : null;
     }
 
+    /**
+     * Removes "__@" prefix and @__ suffix added by Database::escape_string()
+     * @param string $query
+     * @return mixed
+     */
+    public static function fixQuery($query)
+    {
+        // LIKE condition
+        $query = str_replace("'%__@", "'%", $query);
+        $query = str_replace("@__%'", "%'", $query);
+
+        // Fixing doubles
+        $query = str_replace("__@__@", "__@", $query);
+        $query = str_replace("@__@__", "@__", $query);
+
+        $query = str_replace("'__@", "'", $query);
+        $query = str_replace('"__@', "'", $query);
+        $query = str_replace("__@", "'", $query);
+
+        $query = str_replace("@__'", "'", $query);
+        $query = str_replace('@__"', "'", $query);
+        $query = str_replace("@__", "'", $query);
+
+        return $query;
+    }
+
     /**
      * This method returns a resource
      * Documentation has been added by Arthur Portugal
@@ -681,12 +717,14 @@ class Database
      * @author Olivier Brouckaert
      * @param string $query                     The SQL query
      * @param resource $connection (optional)   The database server (MySQL) connection.
-     *                                          If it is not specified, the connection opened by mysql_connect() is assumed.
-     *                                          If no connection is found, the server will try to create one as if mysql_connect() was called with no arguments.
-     *                                          If no connection is found or established, an E_WARNING level error is generated.
+     * If it is not specified, the connection opened by mysql_connect() is assumed.
+     * If no connection is found, the server will try to create one as if mysql_connect() was called with no arguments.
+     * If no connection is found or established, an E_WARNING level error is generated.
      * @param string $file (optional)           On error it shows the file in which the error has been trigerred (use the "magic" constant __FILE__ as input parameter)
      * @param string $line (optional)           On error it shows the line in which the error has been trigerred (use the "magic" constant __LINE__ as input parameter)
+     *
      * @return resource                         The returned result from the query
+     *
      * Note: The parameter $connection could be skipped. Here are examples of this method usage:
      * Database::query($query);
      * $result = Database::query($query);
@@ -698,7 +736,8 @@ class Database
      * Database::query($query, $connection, __FILE__, __LINE__);
      * $result = Database::query($query, $connection, __FILE__, __LINE__);
      */
-    public static function query($query, $connection = null, $file = null, $line = null) {
+    public static function query($query, $connection = null, $file = null, $line = null)
+    {
         $use_default_connection = self::use_default_connection($connection);
         if ($use_default_connection) {
             // Let us do parameter shifting, thus the method would be similar
@@ -707,10 +746,11 @@ class Database
             $file = $connection;
             $connection = null;
         }
-        //@todo remove this before the stable release
 
-        //Check if the table contains a c_ (means a course id)
-        if (api_get_setting('server_type')==='test' && strpos($query, 'c_')) {
+        $query = self::fixQuery($query);
+
+        // Check if the table contains a c_ (means a course id)
+        if (api_get_setting('server_type') === 'test' && strpos($query, 'c_')) {
             //Check if the table contains inner joins
             if (
                 strpos($query, 'assoc_handle') === false &&
@@ -1179,13 +1219,11 @@ class Database
      * @example array('where'=> array('type = ? AND category = ?' => array('setting', 'Plugins'))
      * @example array('where'=> array('name = "Julio" AND lastname = "montoya"'))
     */
-
     public static function select($columns, $table_name, $conditions = array(), $type_result = 'all', $option = 'ASSOC')
     {
         $conditions = self::parse_conditions($conditions);
 
         //@todo we could do a describe here to check the columns ...
-        $clean_columns = '';
         if (is_array($columns)) {
             $clean_columns = implode(',', $columns);
         } else {
@@ -1199,7 +1237,7 @@ class Database
         $sql    = "SELECT $clean_columns FROM $table_name $conditions";
         $result = self::query($sql);
         $array = array();
-        //if (self::num_rows($result) > 0 ) {
+
         if ($type_result == 'all') {
             while ($row = self::fetch_array($result, $option)) {
                 if (isset($row['id'])) {
@@ -1216,11 +1254,12 @@ class Database
 
     /**
      * Parses WHERE/ORDER conditions i.e array('where'=>array('id = ?' =>'4'), 'order'=>'id DESC'))
-     * @todo known issues, it doesn't work when using LIKE conditions example: array('where'=>array('course_code LIKE "?%"'))
-     * @param   array
-     * @todo lot of stuff to do here
+     * @todo known issues, it doesn't work when using
+     * LIKE conditions example: array('where'=>array('course_code LIKE "?%"'))
+     * @param   array $conditions
     */
-    static function parse_conditions($conditions) {
+    public static function parse_conditions($conditions)
+    {
         if (empty($conditions)) {
             return '';
         }
@@ -1232,7 +1271,6 @@ class Database
             $type_condition = strtolower($type_condition);
             switch ($type_condition) {
                 case 'where':
-
                     foreach ($condition_data as $condition => $value_array) {
                         if (is_array($value_array)) {
                             $clean_values = array();
@@ -1254,14 +1292,13 @@ class Database
                             $condition = str_replace("%s","'%s'", $condition);
                             $condition = str_replace("@-@","@%s@", $condition);
 
-                            //Treat conditons as string
+                            // Treat conditions as string
                             $condition = vsprintf($condition, $clean_values);
                             $condition = str_replace('@percentage@','%', $condition); //replace "%"
                             $where_return .= $condition;
                         }
                     }
 
-
                     if (!empty($where_return)) {
                         $return_value = " WHERE $where_return" ;
                     }
@@ -1271,7 +1308,7 @@ class Database
 
                     if (!empty($order_array)) {
                         // 'order' => 'id desc, name desc'
-                        $order_array = self::escape_string($order_array);
+                        $order_array = self::escape_string($order_array, null, false);
                         $new_order_array = explode(',', $order_array);
                         $temp_value = array();
 
@@ -1301,7 +1338,6 @@ class Database
                     break;
                 case 'limit':
                     $limit_array = explode(',', $condition_data);
-
                     if (!empty($limit_array)) {
                         if (count($limit_array) > 1) {
                             $return_value .= ' LIMIT '.intval($limit_array[0]).' , '.intval($limit_array[1]);
@@ -1312,23 +1348,29 @@ class Database
                     break;
             }
         }
+
         return $return_value;
     }
 
-    public static function parse_where_conditions($coditions) {
-        return self::parse_conditions(array('where'=>$coditions));
+    /**
+     * @param array $conditions
+     * @return string
+     */
+    public static function parse_where_conditions($conditions)
+    {
+        return self::parse_conditions(array('where'=>$conditions));
     }
 
     /**
      * Experimental useful database update
      * @todo lot of stuff to do here
      */
-    public static function delete($table_name, $where_conditions, $show_query = false) {
-        $result = false;
+    public static function delete($table_name, $where_conditions, $show_query = false)
+    {
         $where_return = self::parse_where_conditions($where_conditions);
         $sql    = "DELETE FROM $table_name $where_return ";
         if ($show_query) { echo $sql; echo '<br />'; }
-        $result = self::query($sql);
+        self::query($sql);
         $affected_rows = self::affected_rows();
         //@todo should return affected_rows for
         return $affected_rows;
diff --git a/main/inc/lib/document.lib.php b/main/inc/lib/document.lib.php
index 17128bb321..807378884b 100755
--- a/main/inc/lib/document.lib.php
+++ b/main/inc/lib/document.lib.php
@@ -531,7 +531,7 @@ class DocumentManager
 
         // Escape underscores in the path so they don't act as a wildcard
         $originalPath = $path;
-        $path = Database::escape_string(str_replace('_', '\_', $path));
+        $path = str_replace('_', '\_', $path);
         $to_value = Database::escape_string($to_value);
 
         $visibility_bit = ' <> 2';
@@ -579,8 +579,8 @@ class DocumentManager
                     last.c_id = {$_course['real_id']}
                 )
                 WHERE
-                    docs.path LIKE '" . $path . $added_slash . "%' AND
-                    docs.path NOT LIKE '" . $path . $added_slash . "%/%' AND
+                    docs.path LIKE '" . Database::escape_string($path . $added_slash.'%'). "' AND
+                    docs.path NOT LIKE '" . Database::escape_string($path . $added_slash.'%/%')."' AND
                     docs.path NOT LIKE '%_DELETED_%' AND
                     $to_field = $to_value AND
                     last.visibility
@@ -588,6 +588,7 @@ class DocumentManager
                     $condition_session
                     $sharedCondition
                 ";
+
         $result = Database::query($sql);
 
         $doc_list = array();
@@ -726,6 +727,7 @@ class DocumentManager
             $_course['code'],
             api_get_session_id()
         );
+
         $sharedCondition = null;
 
         if (!empty($students)) {
@@ -849,7 +851,7 @@ class DocumentManager
                         FROM $TABLE_ITEMPROPERTY AS last, $TABLE_DOCUMENT AS docs
                         WHERE
                             docs.id = last.ref AND
-                            docs.path LIKE '" . Database::escape_string($row['path']) . "/%' AND
+                            docs.path LIKE '" . Database::escape_string($row['path'].'/%') . "' AND
                             docs.filetype = 'folder' AND
                             last.tool = '" . TOOL_DOCUMENT . "' AND
                             last.to_group_id = " . $to_group_id . " AND
@@ -1523,7 +1525,6 @@ class DocumentManager
 
         $course_id = $course['real_id'];
         //note the extra / at the end of doc_path to match every path in the document table that is part of the document path
-        $doc_path = Database::escape_string($doc_path);
 
         $session_id = intval($session_id);
         $condition = "AND id_session IN  ('$session_id', '0') ";
@@ -1548,6 +1549,7 @@ class DocumentManager
           omega.jpg
           theta.jpg
          */
+
         if (strpos($doc_path, 'HotPotatoes_files') && preg_match("/\.t\.html$/", $doc_path)) {
             $doc_path = substr($doc_path, 0, strlen($doc_path) - 7 - strlen(api_get_user_id()));
         }
@@ -1556,10 +1558,15 @@ class DocumentManager
             $file_type = 'file';
         }
 
-        $sql = "SELECT visibility FROM $docTable d INNER JOIN $propTable ip
-                ON (d.id = ip.ref AND d.c_id  = $course_id  AND ip.c_id = $course_id)
-        		 WHERE ip.tool = '" . TOOL_DOCUMENT . "' $condition AND
-        			   filetype = '$file_type' AND locate(concat(path,'/'),'" . $doc_path . "/')=1";
+        $sql = "SELECT visibility
+                FROM $docTable d
+                INNER JOIN $propTable ip
+                ON (d.id = ip.ref AND d.c_id  = $course_id AND ip.c_id = $course_id)
+        		WHERE
+        		    ip.tool = '" . TOOL_DOCUMENT . "' $condition AND
+        			filetype = '$file_type' AND
+        			locate(concat(path,'/'), '" . Database::escape_string($doc_path.'/'). "')=1
+                ";
 
         $result = Database::query($sql);
         $is_visible = false;
@@ -3195,7 +3202,6 @@ class DocumentManager
         }
 
         $overwrite_url = Security::remove_XSS($overwrite_url);
-
         $user_id = api_get_user_id();
         $user_in_course = false;
 
@@ -3232,11 +3238,6 @@ class DocumentManager
 
         $tbl_doc = Database::get_course_table(TABLE_DOCUMENT);
         $tbl_item_prop = Database::get_course_table(TABLE_ITEM_PROPERTY);
-
-        $path = '/';
-        $path = Database::escape_string(str_replace('_', '\_', $path));
-        $added_slash = ($path == '/') ? '' : '/';
-
         $condition_session = " AND (id_session = '$session_id' OR  id_session = '0' )";
 
         $add_folder_filter = null;
@@ -3258,18 +3259,18 @@ class DocumentManager
             //$showOnlyFoldersCondition = " AND docs.filetype = 'folder' ";
         }
 
-        $folderCondition = " AND docs.path LIKE '" . $path . $added_slash . "%' ";
+        $folderCondition = " AND docs.path LIKE '/%' ";
 
         if ($folderId !== false) {
             $parentData = self::get_document_data_by_id($folderId, $course_info['code']);
             if (!empty($parentData)) {
-                $cleanedPath = Database::escape_string($parentData['path']);
+                $cleanedPath = $parentData['path'];
                 $num = substr_count($cleanedPath, '/');
 
                 $notLikeCondition = null;
                 for ($i = 1; $i <= $num; $i++) {
                     $repeat = str_repeat('/%', $i+1);
-                    $notLikeCondition .= " AND docs.path NOT LIKE '".$cleanedPath.$repeat."' ";
+                    $notLikeCondition .= " AND docs.path NOT LIKE '".Database::escape_string($cleanedPath.$repeat)."' ";
                 }
 
                 $folderCondition = " AND
@@ -4692,8 +4693,6 @@ class DocumentManager
         }
 
         $sessionId = intval($sessionId);
-        $folder = Database::escape_string($folder);
-
         $folderWithSuffix = self::fixDocumentName(
             $folder,
             'folder',
@@ -4702,6 +4701,7 @@ class DocumentManager
             $groupId
         );
 
+        $folder = Database::escape_string($folder);
         $folderWithSuffix = Database::escape_string($folderWithSuffix);
 
         // Check if pathname already exists inside document table
@@ -4710,7 +4710,7 @@ class DocumentManager
                 WHERE
                     filetype = 'folder' AND
                     c_id = $courseId AND
-                    (path = '".$folder."' OR path = '$folderWithSuffix') AND
+                    (path = '$folder' OR path = '$folderWithSuffix') AND
                     (session_id = 0 OR session_id = $sessionId)
         ";
 
diff --git a/main/inc/lib/group_portal_manager.lib.php b/main/inc/lib/group_portal_manager.lib.php
index a2889448df..278f22965c 100755
--- a/main/inc/lib/group_portal_manager.lib.php
+++ b/main/inc/lib/group_portal_manager.lib.php
@@ -35,10 +35,12 @@ class GroupPortalManager
      *
      * @author Julio Montoya <gugli100@gmail.com>,
      *
-     * @param	string	The URL of the site
-     * @param	string  The description of the site
-     * @param	int		is active or not
-     * @param  int     the user_id of the owner
+     * @param	string	$name The URL of the site
+     * @param	string  $description The description of the site
+     * @param  string  $url
+     * @param	int		$visibility is active or not
+     * @param  int     $picture
+     *
      * @return boolean if success
      */
     public static function add($name, $description, $url, $visibility, $picture = '')
@@ -68,10 +70,12 @@ class GroupPortalManager
      * Updates a group
      * @author Julio Montoya <gugli100@gmail.com>,
      *
-     * @param int The id
-     * @param string The description of the site
-     * @param int is active or not
-     * @param int the user_id of the owner
+     * @param int $group_id The id
+     * @param string $name The description of the site
+     * @param string $description
+     * @param string $url
+     * @param int $visibility
+     * @param string $picture_uri
      * @param bool $allowMemberGroupToLeave
      * @return bool if success
      */
@@ -85,23 +89,24 @@ class GroupPortalManager
             $allowMemberGroupToLeave = $allowMemberGroupToLeave == true ? 1 : 0;
             $groupLeaveCondition = " allow_members_leave_group = $allowMemberGroupToLeave , ";
         }
-        $sql = "UPDATE $table
-               	SET name 	= '".Database::escape_string($name)."',
-                description = '".Database::escape_string($description)."',
-                picture_uri = '".Database::escape_string($picture_uri)."',
-                url 		= '".Database::escape_string($url)."',
-                visibility 	= '".Database::escape_string($visibility)."',
-                $groupLeaveCondition
-                updated_on 	= '".$now."'
+        $sql = "UPDATE $table SET
+                    name 	= '".Database::escape_string($name)."',
+                    description = '".Database::escape_string($description)."',
+                    picture_uri = '".Database::escape_string($picture_uri)."',
+                    url 		= '".Database::escape_string($url)."',
+                    visibility 	= '".Database::escape_string($visibility)."',
+                    $groupLeaveCondition
+                    updated_on 	= '".$now."'
                 WHERE id = '$group_id'";
         $result = Database::query($sql);
+
         return $result;
     }
 
     /**
      * Deletes a group
      * @author Julio Montoya
-     * @param int id
+     * @param int $id
      * @return boolean true if success
      * */
     public static function delete($id)
@@ -122,9 +127,9 @@ class GroupPortalManager
     /**
      * Gets data of all groups
      * @author Julio Montoya
-     * @param int	visibility
-     * @param int	from which record the results will begin (use for pagination)
-     * @param int	number of items
+     * @param int	$visibility
+     * @param int	$from which record the results will begin (use for pagination)
+     * @param int	$number_of_items
      * @return array
      * */
     public static function get_all_group_data($visibility = GROUP_PERMISSION_OPEN, $from = 0, $number_of_items = 10)
@@ -137,12 +142,14 @@ class GroupPortalManager
         while ($item = Database::fetch_array($res)) {
             $data[] = $item;
         }
+
         return $data;
     }
 
     /**
      * Gets a list of all group
-     * @param id of a group not to include (i.e. to exclude)
+     * @param inr $without_this_one id of a group not to include (i.e. to exclude)
+     *
      * @return array : id => name
      * */
     public static function get_groups_list($without_this_one = NULL)
@@ -158,12 +165,14 @@ class GroupPortalManager
         while ($item = Database::fetch_assoc($res)) {
             $list[$item['id']] = $item['name'];
         }
+
         return $list;
     }
 
     /**
      * Gets the group data
      * @param int $group_id
+     *
      * @return array
      */
     public static function get_group_data($group_id)
@@ -176,6 +185,7 @@ class GroupPortalManager
         if (Database::num_rows($res) > 0) {
             $item = Database::fetch_array($res, 'ASSOC');
         }
+
         return $item;
     }
 
@@ -757,10 +767,7 @@ class GroupPortalManager
         $group_table = Database::get_main_table(TABLE_MAIN_GROUP);
         $table_tag = Database::get_main_table(TABLE_MAIN_TAG);
         $table_group_tag_values = Database::get_main_table(TABLE_MAIN_GROUP_REL_TAG);
-
         $field_id = 5;
-
-        $tag = Database::escape_string($tag);
         $from = intval($from);
         $number_of_items = intval($number_of_items);
 
@@ -777,8 +784,9 @@ class GroupPortalManager
                 WHERE
                     tag LIKE '$tag%' AND field_id= $field_id OR
                     (
-                       g.name LIKE '%".$tag."%' OR g.description LIKE '%".$tag."%'  OR  g.url LIKE '%".$tag."%'
-
+                       g.name LIKE '".Database::escape_string('%'.$tag.'%')."' OR
+                       g.description LIKE '".Database::escape_string('%'.$tag.'%')."' OR
+                       g.url LIKE '".Database::escape_string('%'.$tag.'%')."'
                      )";
 
         $sql .= " LIMIT $from, $number_of_items";
@@ -794,6 +802,7 @@ class GroupPortalManager
                 $return[$row['id']] = $row;
             }
         }
+
         return $return;
     }
 
diff --git a/main/inc/lib/main_api.lib.php b/main/inc/lib/main_api.lib.php
index 1bd1c5fb51..9c6b86557e 100755
--- a/main/inc/lib/main_api.lib.php
+++ b/main/inc/lib/main_api.lib.php
@@ -916,7 +916,6 @@ function api_protect_course_script($print_headers = false, $allow_session_admins
 {
     $is_allowed_in_course = api_is_allowed_in_course();
     $is_visible = false;
-
     $course_info = api_get_course_info();
 
     if (empty($course_info)) {
@@ -1034,14 +1033,12 @@ function api_block_anonymous_users($print_headers = true) {
         api_not_allowed($print_headers);
         return false;
     }
+
     return true;
 }
 
-/* ACCESSOR FUNCTIONS
-   Don't access kernel variables directly, use these functions instead. */
-
 /**
- * @return an array with the navigator name and version
+ * @return array with the navigator name and version
  */
 function api_get_navigator() {
     $navigator = 'Unknown';
@@ -1273,7 +1270,7 @@ function api_get_user_info($user_id = '', $check_if_user_is_online = false, $sho
         return _api_format_user($GLOBALS['_user']);
     }
     $sql = "SELECT * FROM ".Database :: get_main_table(TABLE_MAIN_USER)."
-            WHERE user_id='".Database::escape_string($user_id)."'";
+            WHERE user_id='".intval($user_id)."'";
     $result = Database::query($sql);
     if (Database::num_rows($result) > 0) {
         $result_array = Database::fetch_array($result);
@@ -1463,9 +1460,9 @@ function api_get_cidreq($addSessionId = true, $addGroupId = true)
 function api_get_course_info($course_code = null, $strict = false)
 {
     if (!empty($course_code)) {
-        $course_code        = Database::escape_string($course_code);
-        $course_table       = Database::get_main_table(TABLE_MAIN_COURSE);
-        $course_cat_table   = Database::get_main_table(TABLE_MAIN_CATEGORY);
+        $course_code = Database::escape_string($course_code);
+        $course_table = Database::get_main_table(TABLE_MAIN_COURSE);
+        $course_cat_table = Database::get_main_table(TABLE_MAIN_CATEGORY);
         $sql = "SELECT course.*, course_category.code faCode, course_category.name faName
                  FROM $course_table
                  LEFT JOIN $course_cat_table
@@ -3228,11 +3225,13 @@ function api_get_item_visibility($_course, $tool, $id, $session = 0)
     $session = (int) $session;
     $TABLE_ITEMPROPERTY = Database::get_course_table(TABLE_ITEM_PROPERTY);
     $course_id = intval($_course['real_id']);
-    $sql = "SELECT visibility FROM $TABLE_ITEMPROPERTY
-            WHERE   c_id = $course_id AND
-                    tool = '$tool' AND
-                    ref = $id AND
-                    (id_session = $session OR id_session = 0)
+    $sql = "SELECT visibility
+            FROM $TABLE_ITEMPROPERTY
+            WHERE
+                c_id = $course_id AND
+                tool = '$tool' AND
+                ref = $id AND
+                (id_session = $session OR id_session = 0)
             ORDER BY id_session DESC, lastedit_date DESC
             LIMIT 1";
 
@@ -3274,7 +3273,6 @@ function api_item_property_delete(
     }
 
     $table = Database::get_course_table(TABLE_ITEM_PROPERTY);
-
     $tool = Database::escape_string($tool);
     $itemId = intval($itemId);
     $userId = intval($userId);
@@ -3290,9 +3288,6 @@ function api_item_property_delete(
     if (empty($userId)) {
         $userCondition = " AND (to_user_id is NULL OR to_user_id = 0) ";
     }
-
-
-
     $sql = "DELETE FROM $table
             WHERE
                 c_id = $courseId AND
@@ -3351,18 +3346,18 @@ function api_item_property_update(
     }
 
     // Definition of variables.
-    $tool           = Database::escape_string($tool);
-    $item_id        = intval($item_id);
-    $lastedit_type  = Database::escape_string($lastedit_type);
-    $user_id        = intval($user_id);
-    $to_group_id    = intval($to_group_id);
-    $to_user_id     = intval($to_user_id);
-    $start_visible  = Database::escape_string($start_visible);
-    $end_visible    = Database::escape_string($end_visible);
-    $start_visible  = ($start_visible == 0) ? '0000-00-00 00:00:00' : $start_visible;
-    $end_visible    = ($end_visible == 0) ? '0000-00-00 00:00:00' : $end_visible;
-    $to_filter      = '';
-    $time           = api_get_utc_datetime();
+    $tool = Database::escape_string($tool);
+    $item_id = intval($item_id);
+    $lastedit_type = Database::escape_string($lastedit_type);
+    $user_id = intval($user_id);
+    $to_group_id = intval($to_group_id);
+    $to_user_id = intval($to_user_id);
+    $start_visible = Database::escape_string($start_visible);
+    $end_visible = Database::escape_string($end_visible);
+    $start_visible = ($start_visible == 0) ? '0000-00-00 00:00:00' : $start_visible;
+    $end_visible = ($end_visible == 0) ? '0000-00-00 00:00:00' : $end_visible;
+    $to_filter = '';
+    $time = api_get_utc_datetime();
 
     if (!empty($session_id)) {
         $session_id = intval($session_id);
@@ -3388,7 +3383,6 @@ function api_item_property_update(
     }
 
     // Set filters for $to_user_id and $to_group_id, with priority for $to_user_id
-
     $condition_session = '';
     if (!empty($session_id)) {
         $condition_session = " AND id_session = '$session_id' ";
@@ -3550,8 +3544,8 @@ function api_item_property_update(
  */
 function api_get_item_property_by_tool($tool, $course_code, $session_id = null)
 {
-    $course_info    = api_get_course_info($course_code);
-    $tool           = Database::escape_string($tool);
+    $course_info = api_get_course_info($course_code);
+    $tool = Database::escape_string($tool);
 
     // Definition of tables.
     $item_property_table = Database::get_course_table(TABLE_ITEM_PROPERTY);
@@ -3560,7 +3554,10 @@ function api_get_item_property_by_tool($tool, $course_code, $session_id = null)
     $course_id = $course_info['real_id'];
 
     $sql = "SELECT * FROM $item_property_table
-            WHERE c_id = $course_id AND tool = '$tool'  $session_condition ";
+            WHERE
+                c_id = $course_id AND
+                tool = '$tool'
+                $session_condition ";
     $rs  = Database::query($sql);
     $list = array();
     if (Database::num_rows($rs) > 0) {
@@ -3616,11 +3613,11 @@ function api_get_item_property_list_by_tool_by_user(
  * @param string    tool name, linked to 'rubrique' of the course tool_list (Warning: language sensitive !!)
  * @param int       id of the item itself, linked to key of every tool ('id', ...), "*" = all items of the tool
  */
-function api_get_item_property_id($course_code, $tool, $ref) {
-
-    $course_info    = api_get_course_info($course_code);
-    $tool           = Database::escape_string($tool);
-    $ref            = intval($ref);
+function api_get_item_property_id($course_code, $tool, $ref)
+{
+    $course_info = api_get_course_info($course_code);
+    $tool = Database::escape_string($tool);
+    $ref = intval($ref);
 
     // Definition of tables.
     $TABLE_ITEMPROPERTY = Database::get_course_table(TABLE_ITEM_PROPERTY);
@@ -3860,13 +3857,15 @@ function api_get_languages_to_array() {
  * @param   string  language name (the corresponding name of the language-folder in the filesystem)
  * @return  int     id of the language
  */
-function api_get_language_id($language) {
+function api_get_language_id($language)
+{
     $tbl_language = Database::get_main_table(TABLE_MAIN_LANGUAGE);
     if (empty($language)) {
         return null;
     }
     $language = Database::escape_string($language);
-    $sql = "SELECT id FROM $tbl_language WHERE available='1' AND dokeos_folder = '$language' LIMIT 1";
+    $sql = "SELECT id FROM $tbl_language
+            WHERE available='1' AND dokeos_folder = '$language' LIMIT 1";
     $result = Database::query($sql);
     $row = Database::fetch_array($result);
     return $row['id'];
@@ -4084,7 +4083,8 @@ function api_return_html_area($name, $content = '', $height = '', $width = '100%
  * @param int $user_course_category: the id of the user_course_category
  * @return int the value of the highest sort of the user_course_category
  */
-function api_max_sort_value($user_course_category, $user_id) {
+function api_max_sort_value($user_course_category, $user_id)
+{
     $tbl_course_user = Database::get_main_table(TABLE_MAIN_COURSE_USER);
 
     $sql = "SELECT max(sort) as max_sort FROM $tbl_course_user
@@ -4660,7 +4660,9 @@ function api_get_status_langvars() {
 function api_get_settings_options($var) {
     $table_settings_options = Database :: get_main_table(TABLE_MAIN_SETTINGS_OPTIONS);
     $var = Database::escape_string($var);
-    $sql = "SELECT * FROM $table_settings_options WHERE variable = '$var' ORDER BY id";
+    $sql = "SELECT * FROM $table_settings_options
+            WHERE variable = '$var'
+            ORDER BY id";
     $result = Database::query($sql);
     $settings_options_array = array();
     while ($row = Database::fetch_array($result, 'ASSOC')) {
@@ -4816,7 +4818,8 @@ function api_set_settings_category($category, $value = null, $access_url = 1, $f
     if (empty($access_url)) { $access_url = 1; }
     if (isset($value)) {
         $value = Database::escape_string($value);
-        $sql = "UPDATE $t_s SET selected_value = '$value' WHERE category = '$category' AND access_url = $access_url";
+        $sql = "UPDATE $t_s SET selected_value = '$value'
+                WHERE category = '$category' AND access_url = $access_url";
         if (is_array($fieldtype) && count($fieldtype)>0) {
             $sql .= " AND ( ";
             $i = 0;
@@ -4856,13 +4859,17 @@ function api_set_settings_category($category, $value = null, $access_url = 1, $f
  * Gets all available access urls in an array (as in the database)
  * @return array    An array of database records
  */
-function api_get_access_urls($from = 0, $to = 1000000, $order = 'url', $direction = 'ASC') {
-    $t_au = Database::get_main_table(TABLE_MAIN_ACCESS_URL);
+function api_get_access_urls($from = 0, $to = 1000000, $order = 'url', $direction = 'ASC')
+{
+    $table = Database::get_main_table(TABLE_MAIN_ACCESS_URL);
     $from = (int) $from;
     $to = (int) $to;
-    $order = Database::escape_string($order);
-    $direction = Database::escape_string($direction);
-    $sql = "SELECT id, url, description, active, created_by, tms FROM $t_au ORDER BY $order $direction LIMIT $to OFFSET $from";
+    $order = Database::escape_string($order, null, false);
+    $direction = Database::escape_string($direction, null, false);
+    $sql = "SELECT id, url, description, active, created_by, tms
+            FROM $table
+            ORDER BY $order $direction
+            LIMIT $to OFFSET $from";
     $res = Database::query($sql);
     return Database::store_result($res);
 }
@@ -4877,7 +4884,7 @@ function api_get_access_urls($from = 0, $to = 1000000, $order = 'url', $directio
 function api_get_access_url($id)
 {
     global $_configuration;
-    $id = Database::escape_string(intval($id));
+    $id = intval($id);
     // Calling the Database:: library dont work this is handmade.
     //$table_access_url = Database::get_main_table(TABLE_MAIN_ACCESS_URL);
     $table = 'access_url';
@@ -5445,9 +5452,11 @@ function api_get_access_url_from_user($user_id) {
     $user_id = intval($user_id);
     $table_url_rel_user = Database :: get_main_table(TABLE_MAIN_ACCESS_URL_REL_USER);
     $table_url          = Database :: get_main_table(TABLE_MAIN_ACCESS_URL);
-    $sql = "SELECT access_url_id FROM $table_url_rel_user url_rel_user INNER JOIN $table_url u
+    $sql = "SELECT access_url_id
+            FROM $table_url_rel_user url_rel_user
+            INNER JOIN $table_url u
             ON (url_rel_user.access_url_id = u.id)
-            WHERE user_id = ".Database::escape_string($user_id);
+            WHERE user_id = ".intval($user_id);
     $result = Database::query($sql);
     $url_list = array();
     while ($row = Database::fetch_array($result, 'ASSOC')) {
@@ -5465,10 +5474,11 @@ function api_get_access_url_from_user($user_id) {
 function api_get_status_of_user_in_course ($user_id, $course_code) {
     $tbl_rel_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
     if (!empty($user_id) && !empty($course_code)) {
-        $user_id        = Database::escape_string(intval($user_id));
+        $user_id        = intval($user_id);
         $course_code    = Database::escape_string($course_code);
-        $sql = 'SELECT status FROM '.$tbl_rel_course_user.'
-            WHERE user_id='.$user_id.' AND course_code="'.$course_code.'";';
+        $sql = 'SELECT status
+                FROM '.$tbl_rel_course_user.'
+                WHERE user_id='.$user_id.' AND course_code="'.$course_code.'";';
         $result = Database::query($sql);
         $row_status = Database::fetch_array($result, 'ASSOC');
         return $row_status['status'];
@@ -5555,14 +5565,14 @@ function api_is_valid_secret_key($original_key_secret, $security_key) {
 /**
  * Checks whether a user is into course
  * @param string $course_id - the course id
- * @param string $user_id - the user id
+ * @param int $user_id - the user id
  */
 function api_is_user_of_course($course_id, $user_id) {
     $tbl_course_rel_user = Database::get_main_table(TABLE_MAIN_COURSE_USER);
     $sql = 'SELECT user_id FROM '.$tbl_course_rel_user.'
             WHERE
                 course_code="'.Database::escape_string($course_id).'" AND
-                user_id="'.Database::escape_string($user_id).'" AND
+                user_id="'.intval($user_id).'" AND
                 relation_type<>'.COURSE_RELATION_TYPE_RRHH.' ';
     $result = Database::query($sql);
     return Database::num_rows($result) == 1;
@@ -5739,7 +5749,8 @@ function api_get_tool_information($tool_id) {
 function api_get_tool_information_by_name($name) {
     $t_tool = Database::get_course_table(TABLE_TOOL_LIST);
     $course_id = api_get_course_int_id();
-    $sql = "SELECT * FROM $t_tool WHERE c_id = $course_id  AND name = '".Database::escape_string($name)."' ";
+    $sql = "SELECT * FROM $t_tool
+            WHERE c_id = $course_id  AND name = '".Database::escape_string($name)."' ";
     $rs  = Database::query($sql);
     return Database::fetch_array($rs, 'ASSOC');
 }
@@ -6441,7 +6452,8 @@ function api_resource_is_locked_by_gradebook($item_id, $link_type, $course_code
         $item_id = intval($item_id);
         $link_type = intval($link_type);
         $course_code = Database::escape_string($course_code);
-        $sql = "SELECT locked FROM $table WHERE locked = 1 AND ref_id = $item_id AND type = $link_type AND course_code = '$course_code' ";
+        $sql = "SELECT locked FROM $table
+                WHERE locked = 1 AND ref_id = $item_id AND type = $link_type AND course_code = '$course_code' ";
         $result = Database::query($sql);
         if (Database::num_rows($result)) {
             return true;
@@ -6992,7 +7004,9 @@ function api_get_bytes_memory_limit($mem){
  */
 function api_get_user_info_from_official_code($official_code = '')
 {
-    if (empty($official_code)) { return false; }
+    if (empty($official_code)) {
+        return false;
+    }
     $sql = "SELECT * FROM ".Database :: get_main_table(TABLE_MAIN_USER)."
             WHERE official_code ='".Database::escape_string($official_code)."'";
     $result = Database::query($sql);
diff --git a/main/inc/lib/sessionmanager.lib.php b/main/inc/lib/sessionmanager.lib.php
index 3f846bbd62..ea7a7134d9 100755
--- a/main/inc/lib/sessionmanager.lib.php
+++ b/main/inc/lib/sessionmanager.lib.php
@@ -2449,7 +2449,8 @@ class SessionManager
     /**
      * Get a list of sessions of which the given conditions match with an = 'cond'
      * @param  array $conditions a list of condition example :
-     *  array('status' => STUDENT) or array('s.name LIKE' => "%$needle%")
+     * array('status' => STUDENT) or
+     * array('s.name' => array('operator' => 'LIKE', value = '%$needle%'))
      * @param  array $order_by a list of fields on which sort
      * @return array An array with all sessions of the platform.
      * @todo   optional course code parameter, optional sorting parameters...
@@ -2462,12 +2463,19 @@ class SessionManager
         $table_access_url_rel_session = Database::get_main_table(TABLE_MAIN_ACCESS_URL_REL_SESSION);
         $session_course_table = Database::get_main_table(TABLE_MAIN_SESSION_COURSE);
         $course_table = Database::get_main_table(TABLE_MAIN_COURSE);
-
         $access_url_id = api_get_current_access_url_id();
-
         $return_array = array();
 
-        $sql_query = " SELECT s.id, s.name, s.nbr_courses, s.date_start, s.date_end, u.firstname, u.lastname, sc.name as category_name, s.promotion_id
+        $sql_query = " SELECT
+                    s.id,
+                    s.name,
+                    s.nbr_courses,
+                    s.date_start,
+                    s.date_end,
+                    u.firstname,
+                    u.lastname,
+                    sc.name as category_name,
+                    s.promotion_id
 				FROM $session_table s
 				INNER JOIN $user_table u ON s.id_coach = u.user_id
 				INNER JOIN $table_access_url_rel_session ar ON ar.session_id = s.id
@@ -2476,23 +2484,53 @@ class SessionManager
 				INNER JOIN $course_table c ON sco.course_code = c.code
 				WHERE ar.access_url_id = $access_url_id ";
 
+        $availableFields = array(
+            's.id',
+            's.name'
+        );
+
+        $availableOperator = array(
+            'like',
+            '>=',
+            '<=',
+            '='
+        );
+
         if (count($conditions) > 0) {
-            foreach ($conditions as $field => $value) {
+            foreach ($conditions as $field => $options) {
+                $operator = strtolower($options['operator']);
+                $value = Database::escape_string($options['value']);
                 $sql_query .= ' AND ';
-                $field = Database::escape_string($field);
-                $value = Database::escape_string($value);
-                $sql_query .= $field . " '" . $value . "'";
+                if (in_array($field, $availableFields) && in_array($operator, $availableOperator)) {
+                    $sql_query .= $field . " $operator '" . $value . "'";
+                }
             }
         }
+
+        $orderAvailableList = array('name');
+
         if (count($order_by) > 0) {
-            $sql_query .= ' ORDER BY ' . Database::escape_string(implode(',', $order_by));
+            $order = null;
+            $direction = null;
+            if (isset($order_by[0]) && in_array($order_by[0], $orderAvailableList)) {
+                $order = $order_by[0];
+            }
+            if (isset($order_by[1]) && in_array(strtolower($order_by[1]), array('desc', 'asc'))) {
+                $direction = $order_by[1];
+            }
+
+            if (!empty($order)) {
+                $sql_query .= " ORDER BY $order $direction ";
+            }
         }
+
         $sql_result = Database::query($sql_query);
         if (Database::num_rows($sql_result) > 0) {
             while ($result = Database::fetch_array($sql_result)) {
                 $return_array[$result['id']] = $result;
             }
         }
+
         return $return_array;
     }
 
diff --git a/main/inc/lib/usermanager.lib.php b/main/inc/lib/usermanager.lib.php
index fe2b302a22..fa1cc8b552 100755
--- a/main/inc/lib/usermanager.lib.php
+++ b/main/inc/lib/usermanager.lib.php
@@ -1643,8 +1643,14 @@ class UserManager
      * @param    int        Optional. Whether we get all the fields with field_filter 1 or 0 or everything
      * @return    array    Extra fields details (e.g. $list[2]['type'], $list[4]['options'][2]['title']
      */
-    public static function get_extra_fields($from = 0, $number_of_items = 0, $column = 5, $direction = 'ASC', $all_visibility = true, $field_filter = null)
-    {
+    public static function get_extra_fields(
+        $from = 0,
+        $number_of_items = 0,
+        $column = 5,
+        $direction = 'ASC',
+        $all_visibility = true,
+        $field_filter = null
+    ) {
         $fields = array();
         $t_uf = Database :: get_main_table(TABLE_MAIN_USER_FIELD);
         $t_ufo = Database :: get_main_table(TABLE_MAIN_USER_FIELD_OPTIONS);
@@ -1664,7 +1670,7 @@ class UserManager
         }
         $sqlf .= " ORDER BY ".$columns[$column]." $sort_direction ";
         if ($number_of_items != 0) {
-            $sqlf .= " LIMIT ".Database::escape_string($from).','.Database::escape_string($number_of_items);
+            $sqlf .= " LIMIT ".intval($from).','.intval($number_of_items);
         }
 
         $resf = Database::query($sqlf);
@@ -3560,11 +3566,11 @@ class UserManager
 
     /**
      * Search an user (tags, first name, last name and email )
-     * @param string the tag
-     * @param int field id of the tag
-     * @param int where to start in the query
-     * @param int number of items
-     * @param bool get count or not
+     * @param string $tag
+     * @param int $field_id field id of the tag
+     * @param int $from where to start in the query
+     * @param int $number_of_items
+     * @param bool $getCount get count or not
      * @return array
      */
     public static function get_all_user_tags($tag, $field_id = 0, $from = 0, $number_of_items = 10, $getCount = false)
@@ -3574,7 +3580,6 @@ class UserManager
         $table_user_tag_values = Database::get_main_table(TABLE_MAIN_USER_REL_TAG);
         $access_url_rel_user_table = Database :: get_main_table(TABLE_MAIN_ACCESS_URL_REL_USER);
 
-        $tag = Database::escape_string($tag);
         $field_id = intval($field_id);
         $from = intval($from);
         $number_of_items = intval($number_of_items);
@@ -3599,13 +3604,13 @@ class UserManager
                 LEFT JOIN $table_user_tag_values uv ON (u.user_id AND uv.user_id AND  uv.user_id = url_rel_user.user_id)
                 LEFT JOIN $table_user_tag ut ON (uv.tag_id = ut.id)
                 WHERE
-                    ($where_field tag LIKE '$tag%') OR
+                    ($where_field tag LIKE '".Database::escape_string($tag."%")."') OR
                     (
-                        u.firstname LIKE '%".$tag."%' OR
-                        u.lastname LIKE '%".$tag."%' OR
-                        u.username LIKE '%".$tag."%' OR
-                        concat(u.firstname,' ',u.lastname) LIKE '%".$tag."%' OR
-                        concat(u.lastname,' ',u.firstname) LIKE '%".$tag."%'
+                        u.firstname LIKE '".Database::escape_string("%".$tag."%")."' OR
+                        u.lastname LIKE '".Database::escape_string("%".$tag."%")."' OR
+                        u.username LIKE '".Database::escape_string("%".$tag."%")."' OR
+                        concat(u.firstname,' ',u.lastname) LIKE '".Database::escape_string("%".$tag."%")."' OR
+                        concat(u.lastname,' ',u.firstname) LIKE '".Database::escape_string("%".$tag."%")."'
                      )
                      ".(!empty($where_extra_fields) ? $where_extra_fields : '')."
                      AND
@@ -3637,10 +3642,10 @@ class UserManager
                 $return[$row['user_id']] = $row;
             }
         }
+
         return $return;
     }
 
-
     /**
       * Get extra filtrable user fields (type select)
       * @return array
@@ -3653,10 +3658,15 @@ class UserManager
             foreach ($extraFieldList as $extraField) {
                 //if is enabled to filter and is a "<select>" field type
                 if ($extraField[8] == 1 && $extraField[2] == 4) {
-                    $extraFiltrableFields[] = array('name'=> $extraField[3], 'variable'=>$extraField[1], 'data'=> $extraField[9]);
+                    $extraFiltrableFields[] = array(
+                        'name' => $extraField[3],
+                        'variable' => $extraField[1],
+                        'data' => $extraField[9]
+                    );
                 }
             }
         }
+
         if (is_array($extraFiltrableFields) && count($extraFiltrableFields) > 0 ) {
             return $extraFiltrableFields;
         }
diff --git a/main/inc/lib/userportal.lib.php b/main/inc/lib/userportal.lib.php
index c98a20c1f2..f9cea4430a 100755
--- a/main/inc/lib/userportal.lib.php
+++ b/main/inc/lib/userportal.lib.php
@@ -1079,7 +1079,7 @@ class IndexManager
                                         true,
                                         $this->load_directories_preview
                                     );
-                                    $html_courses_session .= $c[1];
+                                    $html_courses_session .= isset($c[1]) ? $c[1] : null;
                                 }
                                 $count_courses_session++;
                             }
diff --git a/main/newscorm/learnpath.class.php b/main/newscorm/learnpath.class.php
index eabb2d45f2..f66bce6415 100755
--- a/main/newscorm/learnpath.class.php
+++ b/main/newscorm/learnpath.class.php
@@ -4,8 +4,8 @@
 use \ChamiloSession as Session;
 
 /**
- * This class defines the parent attributes and methods for Chamilo learnpaths and SCORM
- * learnpaths. It is used by the scorm class.
+ * This class defines the parent attributes and methods for Chamilo learnpaths
+ * and SCORM learnpaths. It is used by the scorm class.
  *
  * @package chamilo.learnpath
  * @author	Yannick Warnier <ywarnier@beeznest.org>
@@ -457,7 +457,6 @@ class learnpath
 
         $parent = intval($parent);
         $previous = intval($previous);
-        $type = Database::escape_string($type);
         $id = intval($id);
         $max_time_allowed = Database::escape_string(htmlentities($max_time_allowed));
         if (empty ($max_time_allowed)) {
@@ -515,7 +514,7 @@ class learnpath
 
         $new_item_id = -1;
         $id = Database::escape_string($id);
-
+        $typeCleaned = Database::escape_string($type);
         if ($type == 'quiz') {
             $sql = 'SELECT SUM(ponderation)
 					FROM ' . Database :: get_course_table(TABLE_QUIZ_QUESTION) . ' as quiz_question
@@ -555,7 +554,7 @@ class learnpath
                 ") VALUES (
                             $course_id ,
                             ".$this->get_id() . ", ".
-                "'" . $type . "', ".
+                "'" . $typeCleaned . "', ".
                 "'', ".
                 "'" . $title . "', ".
                 "'" . $description . "', ".
@@ -587,7 +586,7 @@ class learnpath
                 ") VALUES (".
                 $course_id. ",".
                 $this->get_id() . ",".
-                "'" . $type . "',".
+                "'" . $typeCleaned . "',".
                 "'',".
                 "'" . $title . "',".
                 "'" . $description . "',".
@@ -760,13 +759,13 @@ class learnpath
                 $publicated_on = api_get_utc_datetime();
             }
         } else {
-            $publicated_on   = Database::escape_string(api_get_utc_datetime($publicated_on));
+            $publicated_on = Database::escape_string(api_get_utc_datetime($publicated_on));
         }
 
         if ($expired_on == '0000-00-00 00:00:00' || empty($expired_on)) {
             $expired_on = '';
         } else {
-            $expired_on   = Database::escape_string(api_get_utc_datetime($expired_on));
+            $expired_on = Database::escape_string(api_get_utc_datetime($expired_on));
         }
 
         while (Database :: num_rows($res_name)) {
@@ -967,7 +966,7 @@ class learnpath
             }
             */
         }
-        $this->ordered_items = array ();
+        $this->ordered_items = array();
         $this->index = 0;
         unset ($this->lp_id);
         //unset other stuff
@@ -1465,7 +1464,6 @@ class learnpath
         }
 
         $prerequisite_id = Database::escape_string($prerequisite_id);
-
         $tbl_lp_item = Database :: get_course_table(TABLE_LP_ITEM);
 
         if (!is_numeric($mastery_score) || $mastery_score < 0) {
@@ -1674,7 +1672,7 @@ class learnpath
         if ($this->debug > 0) {
             error_log('New LP - In learnpath::get_current_item_id()', 0);
         }
-        if (!empty ($this->current)) {
+        if (!empty($this->current)) {
             $current = $this->current;
         }
         if ($this->debug > 2) {
@@ -1814,7 +1812,7 @@ class learnpath
     /**
      * Gets the information about an item in a format usable as JavaScript to update
      * the JS API by just printing this content into the <head> section of the message frame
-     * @param	integer		Item ID
+     * @param	int $item_id
      * @return	string
      */
     public function get_js_info($item_id = '')
@@ -1824,7 +1822,7 @@ class learnpath
         }
 
         $info = '';
-        $item_id = Database::escape_string($item_id);
+        $item_id = intval($item_id);
 
         if (!empty($item_id) && is_object($this->items[$item_id])) {
             //if item is defined, return values from DB
@@ -3294,9 +3292,9 @@ class learnpath
 
     /**
      * Gets a link to the resource from the present location, depending on item ID.
-     * @param	string	Type of link expected
-     * @param	integer	Learnpath item ID
-     * @return	string	Link to the lp_item resource
+     * @param	string	$type Type of link expected
+     * @param	integer	$item_id Learnpath item ID
+     * @return	string	$provided_toc Link to the lp_item resource
      */
     public function get_link($type = 'http', $item_id = null, $provided_toc = false)
     {
@@ -3326,7 +3324,7 @@ class learnpath
         $lp_table 			= Database::get_course_table(TABLE_LP_MAIN);
         $lp_item_table 		= Database::get_course_table(TABLE_LP_ITEM);
         $lp_item_view_table = Database::get_course_table(TABLE_LP_ITEM_VIEW);
-        $item_id 			= Database::escape_string($item_id);
+        $item_id = intval($item_id);
 
         $sql = "SELECT l.lp_type as ltype, l.path as lpath, li.item_type as litype, li.path as lipath, li.parameters as liparams
         		FROM $lp_table l
@@ -3366,7 +3364,6 @@ class learnpath
 
             // Now go through the specific cases to get the end of the path
             // @todo Use constants instead of int values.
-
             switch ($lp_type) {
                 case 1 :
                     if ($lp_item_type == 'dokeos_chapter') {
@@ -3425,13 +3422,13 @@ class learnpath
                             }
 
                             if ($type_quiz) {
-                                $lp_item_id = Database::escape_string($lp_item_id);
-                                $lp_view_id = Database::escape_string($lp_view_id);
+                                $lp_item_id = intval($lp_item_id);
+                                $lp_view_id = intval($lp_view_id);
                                 $sql = "SELECT count(*) FROM $lp_item_view_table
                                         WHERE
                                             c_id = $course_id AND
-                                            lp_item_id='" . (int) $lp_item_id . "' AND
-                                            lp_view_id ='" . (int) $lp_view_id . "' AND
+                                            lp_item_id='" . $lp_item_id . "' AND
+                                            lp_view_id ='" . $lp_view_id . "' AND
                                             status='completed'";
                                 $result = Database::query($sql);
                                 $row_count = Database :: fetch_row($result);
@@ -4114,7 +4111,7 @@ class learnpath
     {
         $course_id = api_get_course_int_id();
         $tbl_lp = Database :: get_course_table(TABLE_LP_MAIN);
-        $lp_id = Database::escape_string($lp_id);
+        $lp_id = intval($lp_id);
         $sql = "SELECT * FROM $tbl_lp where c_id = ".$course_id." AND id=$lp_id";
         $result = Database::query($sql);
         if (Database::num_rows($result)) {
@@ -4341,7 +4338,7 @@ class learnpath
 
     /**
      * Sets the current item ID (checks if valid and authorized first)
-     * @param	integer	New item ID. If not given or not authorized, defaults to current
+     * @param	integer	$item_id New item ID. If not given or not authorized, defaults to current
      */
     public function set_current_item($item_id = null)
     {
@@ -4358,7 +4355,7 @@ class learnpath
                 error_log('New LP - New current item given is ' . $item_id . '...', 0);
             }
             if (is_numeric($item_id)) {
-                $item_id = Database::escape_string($item_id);
+                $item_id = intval($item_id);
                 // TODO: Check in database here.
                 $this->last = $this->current;
                 $this->current = $item_id;
@@ -4442,11 +4439,11 @@ class learnpath
         }
         if (empty ($name))
             return false;
-        $this->maker = Database::escape_string($name);
+        $this->maker = $name;
         $lp_table = Database :: get_course_table(TABLE_LP_MAIN);
         $course_id = api_get_course_int_id();
         $lp_id = $this->get_id();
-        $sql = "UPDATE $lp_table SET content_maker = '" . $this->maker . "'
+        $sql = "UPDATE $lp_table SET content_maker = '" . Database::escape_string($this->maker) . "'
                 WHERE c_id = ".$course_id." AND id = '$lp_id'";
         if ($this->debug > 2) {
             error_log('New LP - lp updated with new content_maker : ' . $this->maker, 0);
@@ -4468,11 +4465,11 @@ class learnpath
         if (empty($name)) {
             return false;
         }
-        $this->name = Database::escape_string($name);
+        $this->name = $name;
         $lp_table = Database :: get_course_table(TABLE_LP_MAIN);
         $lp_id = $this->get_id();
         $course_id = api_get_course_int_id();
-        $sql = "UPDATE $lp_table SET name = '" . $this->name . "'
+        $sql = "UPDATE $lp_table SET name = '" . Database::escape_string($this->name). "'
                 WHERE c_id = ".$course_id." AND id = '$lp_id'";
         if ($this->debug > 2) {
             error_log('New LP - lp updated with new name : ' . $this->name, 0);
@@ -4582,10 +4579,10 @@ class learnpath
         if ($this->debug > 0) {
             error_log('New LP - In learnpath::set_theme()', 0);
         }
-        $this->theme = Database::escape_string($name);
+        $this->theme = $name;
         $lp_table = Database :: get_course_table(TABLE_LP_MAIN);
         $lp_id = $this->get_id();
-        $sql = "UPDATE $lp_table SET theme = '" . $this->theme . "'
+        $sql = "UPDATE $lp_table SET theme = '" . Database::escape_string($this->theme). "'
                 WHERE c_id = ".$course_id." AND id = '$lp_id'";
         if ($this->debug > 2) {
             error_log('New LP - lp updated with new theme : ' . $this->theme, 0);
@@ -4606,10 +4603,11 @@ class learnpath
             error_log('New LP - In learnpath::set_preview_image()', 0);
         }
 
-        $this->preview_image = Database::escape_string($name);
+        $this->preview_image = $name;
         $lp_table = Database :: get_course_table(TABLE_LP_MAIN);
         $lp_id = $this->get_id();
-        $sql = "UPDATE $lp_table SET preview_image = '" . $this->preview_image . "'
+        $sql = "UPDATE $lp_table SET
+                preview_image = '" . Database::escape_string($this->preview_image). "'
                 WHERE c_id = ".$course_id." AND id = '$lp_id'";
         if ($this->debug > 2) {
             error_log('New LP - lp updated with new preview image : ' . $this->preview_image, 0);
@@ -4628,10 +4626,10 @@ class learnpath
         if ($this->debug > 0) {
             error_log('New LP - In learnpath::set_author()', 0);
         }
-        $this->author = Database::escape_string($name);
+        $this->author = $name;
         $lp_table = Database :: get_course_table(TABLE_LP_MAIN);
         $lp_id = $this->get_id();
-        $sql = "UPDATE $lp_table SET author = '" . $this->author . "'
+        $sql = "UPDATE $lp_table SET author = '" . Database::escape_string($name). "'
                 WHERE c_id = ".$course_id." AND id = '$lp_id'";
         if ($this->debug > 2) {
             error_log('New LP - lp updated with new preview author : ' . $this->author, 0);
@@ -4704,10 +4702,11 @@ class learnpath
         if (empty ($name))
             return false;
 
-        $this->proximity = Database::escape_string($name);
+        $this->proximity = $name;
         $lp_table = Database :: get_course_table(TABLE_LP_MAIN);
         $lp_id = $this->get_id();
-        $sql = "UPDATE $lp_table SET content_local = '" . $this->proximity . "'
+        $sql = "UPDATE $lp_table SET
+                    content_local = '" . Database::escape_string($name) . "'
                 WHERE c_id = ".$course_id." AND id = '$lp_id'";
         if ($this->debug > 2) {
             error_log('New LP - lp updated with new proximity : ' . $this->proximity, 0);
@@ -4756,7 +4755,7 @@ class learnpath
 
     /**
      * Sets and saves the expired_on date
-     * @param   string  Optional string giving the new author of this learnpath
+     * @param   string  $expired_on Optional string giving the new author of this learnpath
      * @return   bool    Returns true if author's name is not empty
      */
     public function set_expired_on($expired_on)
@@ -4767,13 +4766,14 @@ class learnpath
         }
 
         if (!empty($expired_on)) {
-            $this->expired_on = Database::escape_string(api_get_utc_datetime($expired_on));
+            $this->expired_on = api_get_utc_datetime($expired_on);
         } else {
             $this->expired_on = '';
         }
         $lp_table = Database :: get_course_table(TABLE_LP_MAIN);
         $lp_id = $this->get_id();
-        $sql = "UPDATE $lp_table SET expired_on = '" . $this->expired_on . "'
+        $sql = "UPDATE $lp_table SET
+                expired_on = '" . Database::escape_string($this->expired_on) . "'
                 WHERE c_id = ".$course_id." AND id = '$lp_id'";
         if ($this->debug > 2) {
             error_log('New LP - lp updated with new expired_on : ' . $this->expired_on, 0);
@@ -4784,7 +4784,7 @@ class learnpath
 
     /**
      * Sets and saves the publicated_on date
-     * @param   string  Optional string giving the new author of this learnpath
+     * @param   string  $publicated_on Optional string giving the new author of this learnpath
      * @return   bool    Returns true if author's name is not empty
      */
     public function set_publicated_on($publicated_on)
@@ -4794,13 +4794,14 @@ class learnpath
             error_log('New LP - In learnpath::set_expired_on()', 0);
         }
         if (!empty($publicated_on)) {
-            $this->publicated_on = Database::escape_string(api_get_utc_datetime($publicated_on));
+            $this->publicated_on = api_get_utc_datetime($publicated_on);
         } else {
             $this->publicated_on = '';
         }
         $lp_table = Database :: get_course_table(TABLE_LP_MAIN);
         $lp_id = $this->get_id();
-        $sql = "UPDATE $lp_table SET publicated_on = '" . $this->publicated_on . "'
+        $sql = "UPDATE $lp_table SET
+                publicated_on = '" . Database::escape_string($this->publicated_on) . "'
                 WHERE c_id = ".$course_id." AND id = '$lp_id'";
         if ($this->debug > 2) {
             error_log('New LP - lp updated with new publicated_on : ' . $this->publicated_on, 0);
@@ -4811,7 +4812,6 @@ class learnpath
 
     /**
      * Sets and saves the expired_on date
-     * @param   string  Optional string giving the new author of this learnpath
      * @return   bool    Returns true if author's name is not empty
      */
     public function set_modified_on()
@@ -4837,7 +4837,8 @@ class learnpath
      * @param	string	Error message. If empty, reinits the error string
      * @return 	void
      */
-    public function set_error_msg($error = '') {
+    public function set_error_msg($error = '')
+    {
         if ($this->debug > 0) {
             error_log('New LP - In learnpath::set_error_msg()', 0);
         }
@@ -4849,9 +4850,10 @@ class learnpath
     }
 
     /**
-     * Launches the current item if not 'sco' (starts timer and make sure there is a record ready in the DB)
-     * @param  boolean     Whether to allow a new attempt or not
-     * @return boolean     True
+     * Launches the current item if not 'sco'
+     * (starts timer and make sure there is a record ready in the DB)
+     * @param  boolean  $allow_new_attempt Whether to allow a new attempt or not
+     * @return boolean
      */
     public function start_current_item($allow_new_attempt = false)
     {
@@ -4865,7 +4867,6 @@ class learnpath
                 ($type == 1 && $item_type != TOOL_QUIZ && $item_type != TOOL_HOTPOTATOES)
             ) {
                 $this->items[$this->current]->open($allow_new_attempt);
-
                 $this->autocomplete_parents($this->current);
                 $prereq_check = $this->prerequisites_match($this->current);
                 $this->items[$this->current]->save(false, $prereq_check);
@@ -5710,17 +5711,28 @@ class learnpath
         $return .= "\tm.add(" . $menu . ", -1, '" . addslashes(Security::remove_XSS(($this->name))) . "');\n";
         $tbl_lp_item = Database :: get_course_table(TABLE_LP_ITEM);
 
-        $sql = " SELECT id, title, description, item_type, path, parent_item_id, previous_item_id, next_item_id, max_score, min_score, mastery_score, display_order
+        $sql = " SELECT
+                    id,
+                    title,
+                    description,
+                    item_type,
+                    path,
+                    parent_item_id,
+                    previous_item_id,
+                    next_item_id,
+                    max_score,
+                    min_score,
+                    mastery_score,
+                    display_order
                  FROM $tbl_lp_item
-                 WHERE c_id = ".$course_id." AND lp_id = " . Database::escape_string($this->lp_id);
+                 WHERE c_id = ".$course_id." AND lp_id = " . intval($this->lp_id);
         $result = Database::query($sql);
         $arrLP = array ();
 
         while ($row = Database :: fetch_array($result)) {
             $row['title'] = Security :: remove_XSS($row['title']);
             $row['description'] = Security :: remove_XSS($row['description']);
-
-            $arrLP[] = array (
+            $arrLP[] = array(
                 'id' 				=> $row['id'],
                 'item_type' 		=> $row['item_type'],
                 'title' 			=> $row['title'],
@@ -6007,9 +6019,10 @@ class learnpath
                 fputs($fp, $content);
                 fclose($fp);
 
-                $sql_update = "UPDATE " . $table_doc ." SET title='".Database::escape_string($_POST['title'])."'
-                               WHERE c_id = ".$course_id." AND id = " . $document_id;
-                Database::query($sql_update);
+                $sql = "UPDATE " . $table_doc ." SET
+                            title='".Database::escape_string($_POST['title'])."'
+                        WHERE c_id = ".$course_id." AND id = " . $document_id;
+                Database::query($sql);
             }
         }
     }
@@ -6026,9 +6039,8 @@ class learnpath
         $return = '';
         if (is_numeric($item_id)) {
             $tbl_lp_item = Database :: get_course_table(TABLE_LP_ITEM);
-            $tbl_doc     = Database :: get_course_table(TABLE_DOCUMENT);
             $sql = "SELECT lp.* FROM " . $tbl_lp_item . " as lp
-                    WHERE c_id = ".$course_id." AND lp.id = " . Database::escape_string($item_id);
+                    WHERE c_id = ".$course_id." AND lp.id = " . intval($item_id);
             $result = Database::query($sql);
             while ($row = Database :: fetch_array($result,'ASSOC')) {
                 $_SESSION['parent_item_id'] = ($row['item_type'] == 'dokeos_chapter' || $row['item_type'] == 'dokeos_module' || $row['item_type'] == 'dir') ? $item_id : 0;
@@ -6057,11 +6069,12 @@ class learnpath
                         }
                         break;
                     case TOOL_DOCUMENT:
-                        $tbl_doc      = Database :: get_course_table(TABLE_DOCUMENT);
-                        $sql_doc      = "SELECT path FROM " . $tbl_doc . " WHERE c_id = ".$course_id." AND id = " . Database::escape_string($row['path']);
-                        $result       = Database::query($sql_doc);
-                        $path_file    = Database::result($result, 0, 0);
-                        $path_parts   = pathinfo($path_file);
+                        $tbl_doc = Database :: get_course_table(TABLE_DOCUMENT);
+                        $sql_doc = "SELECT path FROM " . $tbl_doc . "
+                                    WHERE c_id = ".$course_id." AND id = " . Database::escape_string($row['path']);
+                        $result = Database::query($sql_doc);
+                        $path_file = Database::result($result, 0, 0);
+                        $path_parts = pathinfo($path_file);
                         // TODO: Correct the following naive comparisons, also, htm extension is missing.
                         if (in_array($path_parts['extension'], array(
                             'html',
@@ -6095,7 +6108,8 @@ class learnpath
         $return = '';
         if (is_numeric($item_id)) {
             $tbl_lp_item = Database :: get_course_table(TABLE_LP_ITEM);
-            $sql = "SELECT * FROM $tbl_lp_item WHERE c_id = ".$course_id." AND id = " . Database::escape_string($item_id);
+            $sql = "SELECT * FROM $tbl_lp_item
+                    WHERE c_id = ".$course_id." AND id = " . intval($item_id);
             $res = Database::query($sql);
             $row = Database::fetch_array($res);
 
@@ -6116,9 +6130,10 @@ class learnpath
                     $sql_step = " SELECT lp.*, doc.path as dir
                                     FROM " . $tbl_lp_item . " as lp
                                     LEFT JOIN " . $tbl_doc . " as doc ON doc.id = lp.path
-                                    WHERE 	lp.c_id = $course_id AND
-                    						doc.c_id = $course_id AND
-                    						lp.id = " . Database::escape_string($item_id);
+                                    WHERE
+                                        lp.c_id = $course_id AND
+                    					doc.c_id = $course_id AND
+                    					lp.id = " . intval($item_id);
                     $res_step = Database::query($sql_step);
                     $row_step = Database :: fetch_array($res_step);
                     $return .= $this->display_manipulate($item_id, $row['item_type']);
@@ -6128,7 +6143,8 @@ class learnpath
                     $link_id = (string) $row['path'];
                     if (ctype_digit($link_id)) {
                         $tbl_link = Database :: get_course_table(TABLE_LINK);
-                        $sql_select = 'SELECT url FROM ' . $tbl_link . ' WHERE c_id = '.$course_id.' AND id = ' . Database::escape_string($link_id);
+                        $sql_select = 'SELECT url FROM ' . $tbl_link . '
+                                       WHERE c_id = '.$course_id.' AND id = ' . intval($link_id);
                         $res_link = Database::query($sql_select);
                         $row_link = Database :: fetch_array($res_link);
                         if (is_array($row_link)) {
@@ -7792,9 +7808,7 @@ class learnpath
                 WHERE c_id = ".$course_id." AND lp_id = " . $this->lp_id;
 
         $result = Database::query($sql);
-
-        $arrLP = array ();
-
+        $arrLP = array();
         while ($row = Database :: fetch_array($result)) {
             $arrLP[] = array (
                 'id' => $row['id'],
diff --git a/main/newscorm/lp_ajax_switch_item.php b/main/newscorm/lp_ajax_switch_item.php
index 371cbefad8..2b6a932065 100755
--- a/main/newscorm/lp_ajax_switch_item.php
+++ b/main/newscorm/lp_ajax_switch_item.php
@@ -232,7 +232,8 @@ function switch_item_details($lp_id, $user_id, $view_id, $current_item, $next_it
     if ($debug > 1) {
         error_log('Prereq_match() returned '.htmlentities($mylp->error), 0);
     }
-    $_SESSION['scorm_item_id'] = $new_item_id; // Save the new item ID for the exercise tool to use.
+    // Save the new item ID for the exercise tool to use.
+    $_SESSION['scorm_item_id'] = $new_item_id;
     $_SESSION['lpobject']      = serialize($mylp);
     return $return;
 }
diff --git a/main/newscorm/lp_ajax_switch_item_toc.php b/main/newscorm/lp_ajax_switch_item_toc.php
index 7593d7798e..8267243118 100755
--- a/main/newscorm/lp_ajax_switch_item_toc.php
+++ b/main/newscorm/lp_ajax_switch_item_toc.php
@@ -167,4 +167,11 @@ function switch_item_toc($lp_id, $user_id, $view_id, $current_item, $next_item)
     $_SESSION['lpobject'] = serialize($mylp);
     return $return;
 }
-echo switch_item_toc($_POST['lid'], $_POST['uid'], $_POST['vid'], $_POST['iid'], $_POST['next']);
+
+echo switch_item_toc(
+    $_POST['lid'],
+    $_POST['uid'],
+    $_POST['vid'],
+    $_POST['iid'],
+    $_POST['next']
+);
diff --git a/main/reservation/rsys.php b/main/reservation/rsys.php
index f7f7c19bb7..b97ddbaafd 100755
--- a/main/reservation/rsys.php
+++ b/main/reservation/rsys.php
@@ -1,14 +1,18 @@
 <?php
 /* For licensing terms, see /license.txt */
+
 /**
-    The class-library with all reservation-system specific functionality
+ * Class Rsys
+ * The class-library with all reservation-system specific functionality
  */
-class Rsys {
+class Rsys
+{
 	/**
 	 *  Get required database-vars from inc/lib/database.lib.php and load them into the $GLOBALS['_rsys']-array
 	 *
 	 */
-	function init() {
+	public function init()
+	{
 		// reservation database tables
 		$GLOBALS['_rsys']['dbtables']['item'] 		  	= Database :: get_main_table(TABLE_MAIN_RESERVATION_ITEM);
 		$GLOBALS['_rsys']['dbtables']['reservation']  	= Database :: get_main_table(TABLE_MAIN_RESERVATION_RESERVATION);
@@ -33,7 +37,7 @@ class Rsys {
 	 */
 	function get_num_subscriptions_reservationperiods($res_id) {
 		$sql = "SELECT COUNT(*) FROM ".Rsys :: getTable("subscription")." s
-			WHERE s.reservation_id = '".Database::escape_string($res_id)."'";
+			WHERE s.reservation_id = '".intval($res_id)."'";
 		return @ Database::result(Database::query($sql), 0, 0);
 	}
 
@@ -134,9 +138,9 @@ class Rsys {
 	 *  @param  -   String  $name   The name
 	 *  @return -   int             The id
 	 */
-	function add_category($naam) {
-		if (Rsys :: check_category($naam)) {
-			$sql = "INSERT INTO ".Rsys :: getTable("category")." (name) VALUES ('".Database::escape_string($naam)."')";
+	function add_category($name) {
+		if (Rsys :: check_category($name)) {
+			$sql = "INSERT INTO ".Rsys :: getTable("category")." (name) VALUES ('".Database::escape_string($name)."')";
 			Database::query($sql);
 			return Database::insert_id();
 		}
@@ -150,7 +154,7 @@ class Rsys {
 	 *  @return -   boolean         True or False
 	 */
 	function check_category($name, $id=0) {
-		$sql = "SELECT name FROM ".Rsys :: getTable("category")." WHERE LCASE(name)='".strtolower(Database::escape_string($name))."' AND id<>".Database::escape_string($id)."";
+		$sql = "SELECT name FROM ".Rsys :: getTable("category")." WHERE LCASE(name)='".strtolower(Database::escape_string($name))."' AND id<>".intval($id)."";
 		$Result = Database::query($sql);
 		return (Database::num_rows($Result) == 0);
 	}
@@ -163,7 +167,7 @@ class Rsys {
 	 */
 	function edit_category($id, $name) {
 		if (Rsys :: check_category($name, $id)) {
-			$sql = "UPDATE ".Rsys :: getTable("category")." SET name = '".Database::escape_string($name)."' WHERE id =".Database::escape_string($id)."";
+			$sql = "UPDATE ".Rsys :: getTable("category")." SET name = '".Database::escape_string($name)."' WHERE id =".intval($id)."";
 			Database::query($sql);
 			return $id;
 		}
@@ -176,11 +180,11 @@ class Rsys {
 	 *  @param  -   int     $id     The id
 	 */
 	function delete_category($id) {
-        $id = intval($id);
-		$sql = "SELECT id FROM ".Rsys :: getTable("item")." WHERE category_id=".Database::escape_string($id)."";
+		$id = intval($id);
+		$sql = "SELECT id FROM ".Rsys :: getTable("item")." WHERE category_id=".inval($id)."";
 		$result = Database::query($sql);
 		if (Database::num_rows($result) == 0) {
-			$sql2 = "DELETE FROM ".Rsys :: getTable("category")." WHERE id =".Database::escape_string($id)."";
+			$sql2 = "DELETE FROM ".Rsys :: getTable("category")." WHERE id =".intval($id)."";
 			Database::query($sql2);
 			return 0;
 		} else {
@@ -197,10 +201,10 @@ class Rsys {
 	 *  @return -   Array               One or all rows of the category-table
 	 */
 	function get_category($id = null, $orderby = "name ASC") {
-        $id = intval($id);
+		$id = intval($id);
 		$sql = "SELECT * FROM ".Rsys :: getTable("category");
 		if (!empty ($id))
-			$sql .= " WHERE id = ".Database::escape_string($id)."";
+			$sql .= " WHERE id = ".intval($id)."";
 		else
 			$sql .= " ORDER BY ".$orderby;
 		$arr = Database::store_result(Database::query($sql));
@@ -308,8 +312,8 @@ class Rsys {
 	function check_item($item, $category, $id=0) {
 		$sql = "SELECT name FROM ".Rsys :: getTable("item")."
 							WHERE LCASE(name)='".strtolower(Database::escape_string($item))."'
-							AND category_id=".Database::escape_string($category)."
-							AND id<>".Database::escape_string($id)."";
+							AND category_id=".intval($category)."
+							AND id<>".intval($id)."";
 		$Result = Database::query($sql);
 		return (Database::num_rows($Result) == 0);
 	}
@@ -325,7 +329,7 @@ class Rsys {
 	 */
 	function add_item($name, $description, $category, $course = "") {
 		if (Rsys :: check_item($name, $category)) {
-			$sql = "INSERT INTO ".Rsys :: getTable("item")." (category_id,course_code,name,description,creator) VALUES ('".Database::escape_string($category)."','".Database::escape_string($course)."','".Database::escape_string($name)."','".Database::escape_string($description)."','".api_get_user_id()."')";
+			$sql = "INSERT INTO ".Rsys :: getTable("item")." (category_id,course_code,name,description,creator) VALUES ('".intval($category)."','".Database::escape_string($course)."','".Database::escape_string($name)."','".Database::escape_string($description)."','".api_get_user_id()."')";
 			Database::query($sql);
 			return Database::insert_id();
 		}
@@ -346,8 +350,8 @@ class Rsys {
 			return false;
 		if (!Rsys :: check_item($name, $category, $id))
 			return false;
-		$sql = "UPDATE ".Rsys :: getTable("item")." SET category_id='".Database::escape_string($category)."',course_code='".Database::escape_string($course)."',name='".Database::escape_string($name)."',description='".Database::escape_string($description)."' " .
-			   "WHERE id =".Database::escape_string($id)."";
+		$sql = "UPDATE ".Rsys :: getTable("item")." SET category_id='".intval($category)."',course_code='".Database::escape_string($course)."',name='".Database::escape_string($name)."',description='".Database::escape_string($description)."' " .
+			"WHERE id =".intval($id)."";
 		Database::query($sql);
 		return $id;
 	}
@@ -360,18 +364,18 @@ class Rsys {
 	function delete_item($id) {
 		if (!Rsys :: item_allow($id, 'delete'))
 			return false;
-		$sql = "SELECT id,end_at FROM".Rsys :: getTable('reservation')." WHERE item_id=".Database::escape_string($id)."";
+		$sql = "SELECT id,end_at FROM".Rsys :: getTable('reservation')." WHERE item_id=".intval($id)."";
 		$result = Database::query($sql);
 		while ($array = Database::fetch_array($result)) {
 			if (Rsys :: mysql_datetime_to_timestamp(date('Y-m-d H:i:s')) <= Rsys :: mysql_datetime_to_timestamp($array[1]))
 				$checked = true;
 		}
 		if (!$checked) {
-			$sql = "DELETE FROM ".Rsys :: getTable("item")." WHERE id =".Database::escape_string($id)."";
+			$sql = "DELETE FROM ".Rsys :: getTable("item")." WHERE id =".intval($id)."";
 			Database::query($sql);
-			$sql = "DELETE FROM ".Rsys :: getTable("item_rights")." WHERE item_id =".Database::escape_string($id)."";
+			$sql = "DELETE FROM ".Rsys :: getTable("item_rights")." WHERE item_id =".intval($id)."";
 			Database::query($sql);
-			$sql = "DELETE FROM ".Rsys :: getTable("reservation")." WHERE item_id =".Database::escape_string($id)."";
+			$sql = "DELETE FROM ".Rsys :: getTable("reservation")." WHERE item_id =".intval($id)."";
 			Database::query($sql);
 			return '0';
 		} else {
@@ -403,7 +407,7 @@ class Rsys {
 		        		LEFT JOIN ".Rsys :: getTable("item_rights")." ir ON ir.item_id=i.id
 		                LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS)." c ON ir.class_id=c.id AND ir.item_id = i.id
 		                LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS_USER)." cu ON cu.class_id = c.id
-		                WHERE i.id='".Database::escape_string($item_id)."' AND (". (!empty ($x) ? "(cu.user_id='".api_get_user_id()."' AND ".$x.") OR " : '')." i.creator='".api_get_user_id()."'  OR 1=". (api_is_platform_admin() ? 1 : 0).")";
+		                WHERE i.id='".intval($item_id)."' AND (". (!empty ($x) ? "(cu.user_id='".api_get_user_id()."' AND ".$x.") OR " : '')." i.creator='".api_get_user_id()."'  OR 1=". (api_is_platform_admin() ? 1 : 0).")";
 		return Database::num_rows(Database::query($sql)) > 0;
 	}
 
@@ -415,7 +419,7 @@ class Rsys {
 	 *  @return -   Array               The returned rows
 	 */
 	function get_item($id = null, $orderby = "name ASC") {
-		$id = Database::escape_string($id);
+		$id = intval($id);
 		$sql = "SELECT i.* FROM ".Rsys :: getTable("item")." i";
 		if (!empty ($id)) {
 			if (!Rsys :: item_allow($id, 'view'))
@@ -438,7 +442,7 @@ class Rsys {
 	 */
 	function is_blackout($itemid) {
 		$sql = "SELECT id FROM ".Rsys :: getTable("item");
-		$sql .= " WHERE id = ".Database::escape_string($itemid)." AND blackout=1";
+		$sql .= " WHERE id = ".intval($itemid)." AND blackout=1";
 		return Database::num_rows(Database::query($sql)) == 1;
 	}
 
@@ -450,7 +454,7 @@ class Rsys {
 	 *  @return -   Array               The returned rows
 	 */
 	function get_category_items($id, $orderby = "name ASC") {
-		$sql = "SELECT * FROM ".Rsys :: getTable("item")." WHERE category_id = ".Database::escape_string($id)." ORDER BY ".$orderby;
+		$sql = "SELECT * FROM ".Rsys :: getTable("item")." WHERE category_id = ".intval($id)." ORDER BY ".$orderby;
 		$arr = Database::store_result(Database::query($sql));
 		return $arr;
 	}
@@ -463,7 +467,7 @@ class Rsys {
 	 *  @return -   Array               The returned rows
 	 */
 	function get_course_items($id, $orderby = "name ASC") {
-		$sql = "SELECT * FROM ".Rsys :: getTable("item")." WHERE course_id = ".Database::escape_string($id)." ORDER BY ".$orderby;
+		$sql = "SELECT * FROM ".Rsys :: getTable("item")." WHERE course_code = ".Database::escape_string($id)." ORDER BY ".$orderby;
 		$arr = Database::store_result(Database::query($sql));
 		return $arr;
 	}
@@ -486,7 +490,7 @@ class Rsys {
 							WHERE ((cu.user_id='".api_get_user_id()."' AND (ir.edit_right=1 OR ir.delete_right=1)) OR i.creator='".api_get_user_id()."'  OR 1=". (api_is_platform_admin() ? 1 : 0).")";
 
 		if (!empty ($_GET['cat']) && $_GET['cat'] <> 0) {
-			$sql .= " AND ca.id = '".Database::escape_string($_GET['cat'])."' ";
+			$sql .= " AND ca.id = '".intval($_GET['cat'])."' ";
 		}
 
 		$from = intval($from);
@@ -520,7 +524,7 @@ class Rsys {
                             WHERE ( 1=". (api_is_platform_admin() ? 1 : 0)."
 							OR ((cu.user_id='".api_get_user_id()."' AND (ir.edit_right=1 OR ir.delete_right=1)) OR i.creator='".api_get_user_id()."' ))";
 
- 		return @ Database::result(Database::query($sql), 0, 0);
+		return @ Database::result(Database::query($sql), 0, 0);
 	}
 
 	/**
@@ -533,7 +537,7 @@ class Rsys {
 	 *  @return -   Array               The returned rows
 	 */
 	function get_table_itemrights($from, $per_page, $column, $direction) {
-		$itemid = Database::escape_string($_GET['item_id']);
+		$itemid = intval($_GET['item_id']);
 		$sql = "SELECT id, name FROM ".Database :: get_main_table(TABLE_MAIN_CLASS);
 		$result = Database::query($sql);
 		while ($array = Database::fetch_array($result, 'NUM')) {
@@ -570,29 +574,29 @@ class Rsys {
 						} else {
 							$tabel[$count][4] = '<img src="../img/right.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=manage&set=0\'" />';
 						}
-	                    if ($lijn2[5] == 0) {
-       		                 $tabel[$count][5] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=view&set=1\'" />';
-                	    } else {
-                        	$tabel[$count][5] = '<img src="../img/right.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=view&set=0\'" />';
-	                    }
-			$controle = true;
-			}
-			}
-			if (!$controle) {
-				$tabel[$count][2] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=edit&set=1\'" />';
-				$tabel[$count][3] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=delete&set=1\'" />';
-				$tabel[$count][4] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=manage&set=1\'" />';
-				$tabel[$count][5] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=view&set=1\'" />';
-			}
-			$tabel[$count][6] = $itemid."-".$lijn[0];
+						if ($lijn2[5] == 0) {
+							$tabel[$count][5] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=view&set=1\'" />';
+						} else {
+							$tabel[$count][5] = '<img src="../img/right.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=view&set=0\'" />';
+						}
+						$controle = true;
+					}
+				}
+				if (!$controle) {
+					$tabel[$count][2] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=edit&set=1\'" />';
+					$tabel[$count][3] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=delete&set=1\'" />';
+					$tabel[$count][4] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=manage&set=1\'" />';
+					$tabel[$count][5] = '<img src="../img/wrong.gif" onclick="document.location.href=\'m_item.php?action=m_rights&subaction=switch&class_id='.$lijn[0].'&item_id='.$itemid.'&switch=view&set=1\'" />';
+				}
+				$tabel[$count][6] = $itemid."-".$lijn[0];
 			}
 		}
 		return $tabel;
 	}
 
 	function set_new_right($item_id, $class_id, $column, $value) {
-		$item_id = Database::escape_string($item_id);
-		$class_id = Database::escape_string($class_id);
+		$item_id = intval($item_id);
+		$class_id = intval($class_id);
 		$value = Database::escape_string($value);
 		$column = Database::escape_string($column);
 
@@ -625,7 +629,7 @@ class Rsys {
 	 *  @return -   Array               The returned rows
 	 */
 	function get_itemfiltered_class($item_id) {
-		$item_id = Database::escape_string($item_id);
+		$item_id = intval($item_id);
 		$sql = "SELECT * FROM ".Database :: get_main_table(TABLE_MAIN_CLASS)."
 				WHERE id NOT IN (SELECT class_id  FROM ".Rsys :: getTable("item_rights")." WHERE item_id='".$item_id."') ORDER BY name ASC, code ASC";
 		$arr = Database::store_result(Database::query($sql));
@@ -639,7 +643,7 @@ class Rsys {
 	 *  @return -   int                 The amount
 	 */
 	function get_num_itemfiltered_class($item_id) {
-		$item_id = Database::escape_string($item_id);
+		$item_id = intval($item_id);
 		$sql = "SELECT COUNT(id) FROM ".Database :: get_main_table(TABLE_MAIN_CLASS)." WHERE id NOT IN (SELECT class_id  FROM ".Rsys :: getTable("item_rights")." WHERE item_id='".$item_id."') ORDER BY name ASC, code ASC";
 		return Database::result(Database::query($sql), 0, 0);
 	}
@@ -656,7 +660,7 @@ class Rsys {
 	function add_item_right($item_id, $class_id, $edit, $delete, $m_reservation) {
 		if (!Rsys :: item_allow($item_id, 'm_rights'))
 			return false;
-		$sql = "INSERT INTO ".Rsys :: getTable("item_rights")." (item_id,class_id,edit_right,delete_right,m_reservation) VALUES ('".Database::escape_string($item_id)."','".Database::escape_string($class_id)."','".Database::escape_string($edit)."','".Database::escape_string($delete)."','".Database::escape_string($m_reservation)."')";
+		$sql = "INSERT INTO ".Rsys :: getTable("item_rights")." (item_id,class_id,edit_right,delete_right,m_reservation) VALUES ('".intval($item_id)."','".intval($class_id)."','".Database::escape_string($edit)."','".Database::escape_string($delete)."','".Database::escape_string($m_reservation)."')";
 		Database::query($sql);
 	}
 
@@ -671,8 +675,8 @@ class Rsys {
 	 *  @return -   int                     The id
 	 */
 	function edit_item_right($item_id, $class_id, $edit, $delete, $m_reservation) {
-		$item_id = Database::escape_string($item_id);
-		$class_id = Database::escape_string($class_id);
+		$item_id = intval($item_id);
+		$class_id = intval($class_id);
 
 		if (!Rsys :: item_allow($item_id, 'm_rights'))
 			return false;
@@ -686,8 +690,8 @@ class Rsys {
 	 *  @param  -   int     $id     The id
 	 */
 	function delete_item_right($item_id, $class_id) {
-		$item_id = Database::escape_string($item_id);
-		$class_id = Database::escape_string($class_id);
+		$item_id = intval($item_id);
+		$class_id = intval($class_id);
 
 		if (!Rsys :: item_allow($item_id, 'm_rights'))
 			return false;
@@ -696,15 +700,15 @@ class Rsys {
 	}
 
 	function get_class_group($class_id) {
-		$class_id = Database::escape_string($class_id);
+		$class_id = intval($class_id);
 		$sql = "SELECT * FROM ".Database :: get_main_table(TABLE_MAIN_CLASS)." WHERE id='".$class_id."'";
 		$arr = Database::store_result(Database::query($sql));
 		return $arr;
 	}
 
 	function get_item_rights($item_id, $class_id) {
-		$item_id = Database::escape_string($item_id);
-		$class_id = Database::escape_string($class_id);
+		$item_id = intval($item_id);
+		$class_id = intval($class_id);
 
 		$sql = "SELECT * FROM ".Rsys :: getTable('item_rights')." WHERE item_id='".$item_id."' AND class_id='".$class_id."'";
 		$arr = Database::store_result(Database::query($sql));
@@ -712,7 +716,7 @@ class Rsys {
 	}
 
 	function black_out_changer($item_id) {
-		$item_id = Database::escape_string($item_id);
+		$item_id = intval($item_id);
 		$sql = "SELECT blackout FROM ".Rsys :: getTable("item")." WHERE id='".$item_id."'";
 		$Value = Database::store_result(Database::query($sql));
 		($Value[0][0] == 0 ? $changedValue = 1 : $changedValue = 0);
@@ -723,7 +727,7 @@ class Rsys {
 	}
 
 	function black_out_notifier($item_id, $value) {
-		$item_id = Database::escape_string($item_id);
+		$item_id = intval($item_id);
 		$value = Database::escape_string($value);
 
 		$sql = "SELECT id, timepicker FROM ".Rsys :: getTable('reservation')."
@@ -791,7 +795,7 @@ class Rsys {
 	}
 
 	function check_date($item_id, $start_date, $end_date, $start_at, $end_at) {
-		$item_id = Database::escape_string($item_id);
+		$item_id = intval($item_id);
 		$start_date = Database::escape_string($start_date);
 		$end_date = Database::escape_string($end_date);
 		$start_at = Database::escape_string($start_at);
@@ -826,8 +830,8 @@ class Rsys {
 	}
 
 	function check_date_edit($item_id, $start_date, $end_date, $start_at, $end_at, $reservation_id) {
-		$item_id = Database::escape_string($item_id);
-		$reservation_id = Database::escape_string($reservation_id);
+		$item_id = intval($item_id);
+		$reservation_id = intval($reservation_id);
 		$start_date = Database::escape_string($start_date);
 		$end_date = Database::escape_string($end_date);
 		$start_at = Database::escape_string($start_at);
@@ -882,7 +886,7 @@ class Rsys {
 	 *  Returns an array with items from a category linked to rights(used by m_reservations.php)
 	 */
 	function get_cat_r_items($category) {
-		$category = Database::escape_string($category);
+		$category = intval($category);
 		$sql = "SELECT i.id,i.name as catitem
 						                FROM ".Rsys :: getTable('item')." i
 										INNER JOIN ".Rsys :: getTable('category')." cat ON cat.id=i.category_id
@@ -901,7 +905,7 @@ class Rsys {
 	 *  Returns an array with [ itemID => "category/item" ] with view_rights (used by reservation.php)
 	 */
 	function get_cat_items($category) {
-		$category = Database::escape_string($category);
+		$category = intval($category);
 		$sql = "SELECT i.id,i.name as catitem
                 FROM ".Rsys :: getTable('item')." i
                 INNER JOIN ".Rsys :: getTable('category')." cat ON cat.id=i.category_id
@@ -927,7 +931,7 @@ class Rsys {
 	 */
 	function get_table_reservations($from, $per_page, $column, $direction) {
 		$sql = "SELECT DISTINCT r.id AS col0, i.name AS col1,  DATE_FORMAT(r.start_at,'%Y-%m-%d %H:%i') AS col2, DATE_FORMAT(r.end_at,'%Y-%m-%d %H:%i') AS col3," .
-   				"DATE_FORMAT(r.subscribe_from,'%Y-%m-%d %k:%i') AS col4, DATE_FORMAT(r.subscribe_until,'%Y-%m-%d %k:%i') AS col5,IF(timepicker <> 0, '".get_lang('TimePicker')."',CONCAT(r.subscribers,'/',r.max_users)) AS col6, r.notes AS col7, r.id as col8
+			"DATE_FORMAT(r.subscribe_from,'%Y-%m-%d %k:%i') AS col4, DATE_FORMAT(r.subscribe_until,'%Y-%m-%d %k:%i') AS col5,IF(timepicker <> 0, '".get_lang('TimePicker')."',CONCAT(r.subscribers,'/',r.max_users)) AS col6, r.notes AS col7, r.id as col8
                 FROM ".Rsys :: getTable('reservation')." r
                 INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id
                 LEFT JOIN ".Rsys :: getTable('item_rights')." ir ON ir.item_id=i.id
@@ -955,7 +959,7 @@ class Rsys {
 	}
 
 	function check_edit_right($id) {
-		$id = Database::escape_string($id);
+		$id = intval($id);
 		$sql = "SELECT r.id
 	            FROM ".Rsys :: getTable('reservation')." r
 	            INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id
@@ -971,7 +975,7 @@ class Rsys {
 	}
 
 	function check_delete_right($id) {
-		$id = Database::escape_string($id);
+		$id = intval($id);
 		$sql = "SELECT r.id
                 FROM ".Rsys :: getTable('reservation')." r
                 INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id
@@ -987,7 +991,7 @@ class Rsys {
 	}
 
 	function check_auto_accept($id) {
-		$id = Database::escape_string($id);
+		$id = intval($id);
 		$sql = "SELECT auto_accept FROM ".Rsys :: getTable('reservation')." WHERE id='".$id."'";
 		return Database::result(Database::query($sql), 0, 0);
 	}
@@ -1005,10 +1009,10 @@ class Rsys {
                 LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS)." c ON ir.class_id=c.id AND ir.item_id = r.item_id
                 LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS_USER)." cu ON cu.class_id = c.id
                 WHERE ((ir.m_reservation=1 AND cu.user_id='".api_get_user_id()."') OR i.creator='".api_get_user_id()."' OR 1=". (api_is_platform_admin() ? 1 : 0).')';
-        if (isset ($_GET['keyword'])) {
-            $keyword = Database::escape_string(trim($_GET['keyword']));
-            $sql .= " AND (i.name LIKE '%".$keyword."%' OR i.description LIKE '%".$keyword."%' OR r.notes LIKE '%".$keyword."%')";
-        }
+		if (isset ($_GET['keyword'])) {
+			$keyword = Database::escape_string(trim($_GET['keyword']));
+			$sql .= " AND (i.name LIKE '%".$keyword."%' OR i.description LIKE '%".$keyword."%' OR r.notes LIKE '%".$keyword."%')";
+		}
 		return Database::result(Database::query($sql), 0, 0);
 	}
 
@@ -1033,7 +1037,7 @@ class Rsys {
 				return 2;
 		}
 		if ($start_at < (date( 'Y-m-d H:i:s',time())))
-				return 3;
+			return 3;
 		if (($stamp_start_date != $stamp_end_date) && $timepicker == '1')
 		{
 			return 4;
@@ -1068,7 +1072,7 @@ class Rsys {
 			}
 		}
 
-		$sql = "INSERT INTO ".Rsys :: getTable("reservation")." (item_id,auto_accept,max_users,start_at,end_at,subscribe_from,subscribe_until,notes,timepicker,timepicker_min,timepicker_max,subid) VALUES ('".Database::escape_string($item_id)."','".Database::escape_string($auto_accept)."','". (intval($max_users) > 1 ? $max_users : 1)."','".Database::escape_string($start_at)."','".Database::escape_string($end_at)."','".Database::escape_string($subscribe_from)."','".Database::escape_string($subscribe_until)."','".Database::escape_string($notes)."','".$timepicker."','".$min."','".$max."','". ($subid == 0 ? 0 : $subid)."')";
+		$sql = "INSERT INTO ".Rsys :: getTable("reservation")." (item_id,auto_accept,max_users,start_at,end_at,subscribe_from,subscribe_until,notes,timepicker,timepicker_min,timepicker_max,subid) VALUES ('".intval($item_id)."','".Database::escape_string($auto_accept)."','". (intval($max_users) > 1 ? $max_users : 1)."','".Database::escape_string($start_at)."','".Database::escape_string($end_at)."','".Database::escape_string($subscribe_from)."','".Database::escape_string($subscribe_until)."','".Database::escape_string($notes)."','".$timepicker."','".$min."','".$max."','". ($subid == 0 ? 0 : $subid)."')";
 		Database::query($sql);
 		return 0;
 	}
@@ -1082,7 +1086,7 @@ class Rsys {
 	 *
 	 */
 	function edit_reservation($id, $item_id, $auto_accept, $max_users, $start_at, $end_at, $subscribe_from, $subscribe_until, $notes, $timepicker) {
-		$id = Database::escape_string($id);
+		$id = intval($id);
 
 		if (!Rsys :: item_allow($item_id, 'm_reservation'))
 			return false;
@@ -1116,7 +1120,7 @@ class Rsys {
 		} else {
 			$auto_accept = 0;
 		}
-		$sql = "UPDATE ".Rsys :: getTable("reservation")." SET item_id='".Database::escape_string($item_id)."',auto_accept='".Database::escape_string($auto_accept)."',max_users='". ($max_users > 1 ? $max_users : 1)."',start_at='".Database::escape_string($start_at)."',end_at='".Database::escape_string($end_at)."',subscribe_from='".Database::escape_string($subscribe_from)."',subscribe_until='".Database::escape_string($subscribe_until)."',notes='".Database::escape_string($notes)."' WHERE id='".$id."'";
+		$sql = "UPDATE ".Rsys :: getTable("reservation")." SET item_id='".intval($item_id)."',auto_accept='".Database::escape_string($auto_accept)."',max_users='". ($max_users > 1 ? $max_users : 1)."',start_at='".Database::escape_string($start_at)."',end_at='".Database::escape_string($end_at)."',subscribe_from='".Database::escape_string($subscribe_from)."',subscribe_until='".Database::escape_string($subscribe_until)."',notes='".Database::escape_string($notes)."' WHERE id='".$id."'";
 		Database::query($sql);
 		return 0;
 	}
@@ -1125,7 +1129,7 @@ class Rsys {
 	 *  Deletes a reservation
 	 */
 	function delete_reservation($id) {
-		$id = Database::escape_string($id);
+		$id = intval($id);
 
 		$sql = "SELECT id FROM ".Rsys :: getTable("reservation")."WHERE id='".$id."' OR subid='".$id."'";
 		$result2 = Database::query($sql);
@@ -1148,7 +1152,7 @@ class Rsys {
 	}
 
 	function is_owner_item($id) {
-		$id = Database::escape_string($id);
+		$id = intval($id);
 		$sql = "SELECT creator FROM ".Rsys :: getTable('item')." i ,".Rsys :: getTable('reservation')." r
 			where i.id = r.item_id
 			and r.id = '".$id."'
@@ -1160,7 +1164,7 @@ class Rsys {
 	}
 
 	function get_reservation($id) {
-		$id = Database::escape_string($id);
+		$id = intval($id);
 
 		$sql = "SELECT *
                 FROM ".Rsys :: getTable('reservation')." r
@@ -1192,10 +1196,10 @@ class Rsys {
 					WHERE ((ir.m_reservation=1 AND cu.user_id='".api_get_user_id()."')
 					OR i2.creator='".api_get_user_id()."'
 					OR 1=". (api_is_platform_admin() ? 1 : 0)."))";
-      		if (isset ($_GET['keyword'])) {
-            		$keyword = Database::escape_string(trim($_GET['keyword']));
-            		$sql .= " AND (i1.name LIKE '%".$keyword."%' or r1.start_at LIKE '%".$keyword."%' or r1.end_at LIKE '%".$keyword."%' or u.lastname LIKE '%".$keyword."%' or u.firstname LIKE '%".$keyword."%' or s.start_at LIKE '%".$keyword."%' or s.end_at LIKE '%".$keyword."%')";
-        	}
+		if (isset ($_GET['keyword'])) {
+			$keyword = Database::escape_string(trim($_GET['keyword']));
+			$sql .= " AND (i1.name LIKE '%".$keyword."%' or r1.start_at LIKE '%".$keyword."%' or r1.end_at LIKE '%".$keyword."%' or u.lastname LIKE '%".$keyword."%' or u.firstname LIKE '%".$keyword."%' or s.start_at LIKE '%".$keyword."%' or s.end_at LIKE '%".$keyword."%')";
+		}
 		return Database::result(Database::query($sql), 0, 0);
 	}
 
@@ -1228,10 +1232,10 @@ class Rsys {
 					WHERE ((ir.m_reservation=1 AND cu.user_id='".api_get_user_id()."')
 					OR i2.creator='".api_get_user_id()."'
 					OR 1=". (api_is_platform_admin() ? 1 : 0)."))";
-      		if (isset ($_GET['keyword'])) {
-            		$keyword = Database::escape_string(trim($_GET['keyword']));
-            		$sql .= " AND (i1.name LIKE '%".$keyword."%' or c.name LIKE '%".$keyword."%' or r1.start_at LIKE '%".$keyword."%' or r1.end_at LIKE '%".$keyword."%' or u.lastname LIKE '%".$keyword."%' or u.firstname LIKE '%".$keyword."%' or s.start_at LIKE '%".$keyword."%' or s.end_at LIKE '%".$keyword."%')";
-        	}
+		if (isset ($_GET['keyword'])) {
+			$keyword = Database::escape_string(trim($_GET['keyword']));
+			$sql .= " AND (i1.name LIKE '%".$keyword."%' or c.name LIKE '%".$keyword."%' or r1.start_at LIKE '%".$keyword."%' or r1.end_at LIKE '%".$keyword."%' or u.lastname LIKE '%".$keyword."%' or u.firstname LIKE '%".$keyword."%' or s.start_at LIKE '%".$keyword."%' or s.end_at LIKE '%".$keyword."%')";
+		}
 		$sql .= " ORDER BY col".$column." ".$direction." LIMIT ".$from.",".$per_page;
 		/*$result = Database::query($sql);
 		while ($array = Database::fetch_array($result, 'NUM'))
@@ -1301,7 +1305,7 @@ class Rsys {
 			and s.reservation_id = r.id";
 
 		if (!empty ($_GET['rid'])) {
-			$sql .= " and r.id = '".Database::escape_string($_GET['rid'])."'";
+			$sql .= " and r.id = '".intval($_GET['rid'])."'";
 		}
 		$sql .= " ORDER BY col".$column." ".$direction." LIMIT ".$from.",".$per_page;
 		$result = Database::query($sql);
@@ -1354,7 +1358,7 @@ class Rsys {
 	function set_accepted($id, $value) {
 		global $subscription;
 
-		$id = Database::escape_string($id);
+		$id = intval($id);
 		$value = Database::escape_string($value);
 		$sql = "UPDATE ".Rsys :: getTable('subscription')." SET ACCEPTED='".$value."' WHERE dummy='".$id."'";
 		Database::query($sql);
@@ -1407,7 +1411,7 @@ class Rsys {
 	*/
 
 	function check_date_subscription($reservation_id, $start_at, $end_at) {
-		$reservation_id = Database::escape_string($reservation_id);
+		$reservation_id = intval($reservation_id);
 		$start_at = Database::escape_string($start_at);
 		$end_at = Database::escape_string($end_at);
 
@@ -1461,7 +1465,7 @@ class Rsys {
 	}
 
 	function check_date_month_calendar($date, $itemid) {
-		$itemid = Database::escape_string($itemid);
+		$itemid = intval($itemid);
 		$date = Database::escape_string($date);
 
 		$sql = "SELECT id FROM ".Rsys :: getTable('reservation')."
@@ -1485,13 +1489,13 @@ class Rsys {
 	 * @param -		int		$reservation_id		The id off the reservation
 	 */
 	function add_subscription($reservation_id, $user_id, $accepted) {
-		$reservation_id = Database::escape_string($reservation_id);
-		$user_id = Database::escape_string($user_id);
-		$accepted = Database::escape_string($accepted);
+		$reservation_id = intval($reservation_id);
+		$user_id = intval($user_id);
+		$accepted = intval($accepted);
 
 		$sql = "SELECT user_id FROM ".Rsys :: getTable("subscription")." WHERE user_id='".$user_id."' AND reservation_id='".$reservation_id."'";
 		if (Database::num_rows(Database::query($sql)) == 0) {
-			$sql = "INSERT INTO ".Rsys :: getTable("subscription")." (user_id,reservation_id,accepted) VALUES ('".Database::escape_string($user_id)."','".Database::escape_string($reservation_id)."','". ($accepted ? '1' : '0')."')";
+			$sql = "INSERT INTO ".Rsys :: getTable("subscription")." (user_id,reservation_id,accepted) VALUES ('".intval($user_id)."','".intval($reservation_id)."','". ($accepted ? '1' : '0')."')";
 			Database::query($sql);
 			$sql = "UPDATE ".Rsys :: getTable("reservation")." SET subscribers=subscribers+1 WHERE id='".$reservation_id."'";
 			Database::query($sql);
@@ -1528,7 +1532,7 @@ class Rsys {
 			if ((Rsys :: mysql_datetime_to_timestamp($end_date)-Rsys :: mysql_datetime_to_timestamp($start_date)) > ($max*60))
 				return 3;
 		}
-		$sql = "INSERT INTO ".Rsys :: getTable("subscription")." (user_id,reservation_id,accepted,start_at,end_at) VALUES ('".Database::escape_string($user_id)."','".Database::escape_string($reservation_id)."','". ($accepted ? '1' : '0')."','".$start_date."','".$end_date."')";
+		$sql = "INSERT INTO ".Rsys :: getTable("subscription")." (user_id,reservation_id,accepted,start_at,end_at) VALUES ('".intval($user_id)."','".intval($reservation_id)."','". ($accepted ? '1' : '0')."','".$start_date."','".$end_date."')";
 		Database::query($sql);
 		return 0;
 	}
@@ -1539,7 +1543,7 @@ class Rsys {
 	function delete_subscription($reservation_id, $dummy) {
 		$sql = "DELETE FROM ".Rsys :: getTable("subscription")." WHERE dummy='".Database::escape_string($dummy)."'";
 		Database::query($sql);
-		$sql = "UPDATE ".Rsys :: getTable("reservation")." SET subscribers=subscribers-1 WHERE id='".Database::escape_string($reservation_id)."'";
+		$sql = "UPDATE ".Rsys :: getTable("reservation")." SET subscribers=subscribers-1 WHERE id='".intval($reservation_id)."'";
 		Database::query($sql);
 	}
 
@@ -1642,7 +1646,7 @@ class Rsys {
 	 *                      ['max_end_at']      = the maximal end_at in all reservations   (usefull to build table)
 	 */
 	function get_item_reservations($from, $till, $itemid) {
-		$itemid = Database::escape_string($itemid);
+		$itemid = intval($itemid);
 		$till = Database::escape_string($till);
 		$from = Database::escape_string($from);
 
@@ -1698,7 +1702,7 @@ class Rsys {
 	 *  Returns $reservation_id=>"START_AT - END_AT"
 	 */
 	function get_item_subfiltered_reservations($item_id) {
-		$itemid = Database::escape_string($itemid);
+		$itemid = intval($itemid);
 		$sql = "SELECT r.id AS reservation_id, r.start_at, r.end_at
 						                FROM ".Rsys :: getTable('reservation')." r
 						                INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id
diff --git a/main/template/default/auth/courses_categories.php b/main/template/default/auth/courses_categories.php
index 98cbdf64a8..019fb947c0 100755
--- a/main/template/default/auth/courses_categories.php
+++ b/main/template/default/auth/courses_categories.php
@@ -7,7 +7,7 @@
 * @package chamilo.auth
 */
 
-if (Security::remove_XSS($_REQUEST['action']) !== 'subscribe') {
+if (isset($_REQUEST['action']) && Security::remove_XSS($_REQUEST['action']) !== 'subscribe') {
     $stok = Security::get_token();
 } else {
     $stok = $_SESSION['sec_token'];
@@ -33,6 +33,8 @@ if ($showSessions && isset($_POST['date'])) {
 }
 
 $userInfo = api_get_user_info();
+$code = isset($code) ? $code : null;
+
 ?>
 <script>
     $(document).ready( function() {
@@ -52,7 +54,7 @@ $userInfo = api_get_user_info();
                 }
             });
         });
-    
+
         $('.courses-list-btn').toggle(function (e) {
             e.preventDefault();
 
@@ -72,10 +74,8 @@ $userInfo = api_get_user_info();
                 },
                 success: function (response){
                     var $container = $el.prev('.course-list');
-
                     var $courseList = $('<ul>');
-
-                    $.each(response, function (index, course){
+                    $.each(response, function (index, course) {
                         $courseList.append('<li><div><strong>' + course.name + '</strong><br>' + course.coachName + '</div></li>');
                     });
 
@@ -84,21 +84,18 @@ $userInfo = api_get_user_info();
             });
         }, function (e) {
             e.preventDefault();
-
             var $el = $(this);
             var $container = $el.prev('.course-list');
             $container.hide(250).empty();
-            
             $el.children('img').remove();
             $el.prepend('<?php echo Display::display_icon('nolines_plus.gif'); ?>');
         });
-        
-        var getSessionId = function (el){
+
+        var getSessionId = function (el) {
             var parts = el.id.split('_');
-            
             return parseInt(parts[1], 10);
         };
-        
+
         <?php if ($showSessions) { ?>
         $('#date').datepicker({
             dateFormat: 'yy-mm-dd'
diff --git a/main/webservices/registration.soap.php b/main/webservices/registration.soap.php
index a3a2ab6155..dba1bc1541 100755
--- a/main/webservices/registration.soap.php
+++ b/main/webservices/registration.soap.php
@@ -1600,7 +1600,7 @@ function WSEditUserWithPicture($params) {
     // Get user id from id wiener
 
     $user_id = UserManager::get_user_id_from_original_id($original_user_id_value, $original_user_id_name);
-    
+
     // Get picture and generate uri.
     $filename = basename($picture_url);
     $tempdir = sys_get_temp_dir();
@@ -5462,10 +5462,10 @@ function WSListSessions($params) {
     $sql_params = array();
     // Dates should be provided in YYYY-MM-DD format, UTC
     if (!empty($params['date_start'])) {
-        $sql_params['s.date_start >='] = $params['date_start'];
+        $sql_params['s.date_start'] = array('operator' => '>=', 'value' => $params['date_start']);
     }
     if (!empty($params['date_end'])) {
-        $sql_params['s.date_end <='] = $params['date_end'];
+        $sql_params['s.date_end'] = array('operator' => '<=', 'value' => $params['date_end']);
     }
     $sessions_list = SessionManager::get_sessions_list($sql_params);
     $return_list = array();
@@ -5478,6 +5478,7 @@ function WSListSessions($params) {
             'date_end' => $session['date_end'],
         );
     }
+
     return $return_list;
 }
 

From 76633e45c40961118f2c382d93ec8e90edf44e24 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Tue, 30 Dec 2014 15:00:31 +0100
Subject: [PATCH 03/26] Minor - format code.

---
 main/document/slideshow.php                   |   7 +-
 main/gradebook/gradebook_add_cat.php          |  16 +-
 main/gradebook/gradebook_add_eval.php         |  30 +-
 main/gradebook/gradebook_add_link.php         |  27 +-
 .../gradebook_add_link_select_course.php      |  20 +-
 main/gradebook/gradebook_add_result.php       |  18 +-
 .../gradebook_display_certificate.php         |   1 +
 main/gradebook/index.php                      |   4 +-
 .../gradebook/lib/fe/gradebooktable.class.php | 290 +++++++++---------
 .../lib/gradebook_data_generator.class.php    |   3 +-
 .../gradebook/lib/gradebook_functions.inc.php |  27 +-
 main/inc/ajax/course.ajax.php                 |   2 -
 main/inc/ajax/session.ajax.php                |  17 +-
 .../lib/CoursesAndSessionsCatalog.class.php   |   7 +
 .../lib/formvalidator/FormValidator.class.php |  16 +-
 main/newscorm/lp_controller.php               |   7 +-
 main/social/search.php                        |  22 +-
 main/wiki/index.php                           |   3 +-
 18 files changed, 280 insertions(+), 237 deletions(-)

diff --git a/main/document/slideshow.php b/main/document/slideshow.php
index 8c7ed1853a..37e3309e66 100755
--- a/main/document/slideshow.php
+++ b/main/document/slideshow.php
@@ -48,6 +48,7 @@ if (isset($_SESSION['image_files_only'])) {
 }
 
 // Calculating the current slide, next slide, previous slide and the number of slides
+$slide = null;
 if ($slide_id != 'all') {
 	$slide = $slide_id ? $slide_id : 0;
 	$previous_slide = $slide - 1;
@@ -64,9 +65,11 @@ function MM_openBrWindow(theURL,winName,features) { //v2.0
 <?php
 
 if ($slide_id != 'all') {
-	$image = $sys_course_path.$_course['path'].'/document'.$folder.$image_files_only[$slide];
+	$image = null;
+	if (isset($image_files_only[$slide])) {
+		$image = $sys_course_path . $_course['path'] . '/document' . $folder . $image_files_only[$slide];
+	}
 	if (file_exists($image)) {
-
 		echo '<div class="actions-pagination">';
 
 		// Back forward buttons
diff --git a/main/gradebook/gradebook_add_cat.php b/main/gradebook/gradebook_add_cat.php
index 427581c036..7017a8af12 100755
--- a/main/gradebook/gradebook_add_cat.php
+++ b/main/gradebook/gradebook_add_cat.php
@@ -57,7 +57,7 @@ $(document).ready(function () {
 });
 
 function check_skills() {
-    //selecting only selected users
+    // selecting only selected users
     $("#skills option:selected").each(function() {
         var skill_id = $(this).val();
         if (skill_id != "" ) {
@@ -76,7 +76,7 @@ function check_skills() {
                             }
                         });
                     }
-                },
+                }
             });
         }
     });
@@ -98,7 +98,6 @@ if ($_in_course) {
 }
 
 $catadd->set_course_code(api_get_course_id());
-
 $form = new CatForm(
     CatForm :: TYPE_ADD,
     $catadd,
@@ -140,14 +139,17 @@ if ($form->validate()) {
     }
     $cat->set_visible($visible);
     $result = $cat->add();
-    header('Location: '.Security::remove_XSS($_SESSION['gradebook_dest']).'?addcat=&selectcat=' . $cat->get_parent_id());
+    header('Location: '.Security::remove_XSS($_SESSION['gradebook_dest']).'?addcat=&selectcat=' . $cat->get_parent_id().'&'.api_get_cidreq());
     exit;
 }
 
-if ( !$_in_course ) {
-    $interbreadcrumb[] = array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat='.$get_select_cat,'name' => get_lang('Gradebook'));
+if (!$_in_course) {
+    $interbreadcrumb[] = array (
+        'url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat='.$get_select_cat.'&'.api_get_cidreq(),
+        'name' => get_lang('Gradebook')
+    );
 }
-$interbreadcrumb[]= array (	'url' =>'index.php','name' => get_lang('ToolGradebook'));
+$interbreadcrumb[]= array(	'url' =>'index.php','name' => get_lang('ToolGradebook'));
 Display :: display_header(get_lang('NewCategory'));
 
 $display_form = true;
diff --git a/main/gradebook/gradebook_add_eval.php b/main/gradebook/gradebook_add_eval.php
index e61bd06166..71970ed3cd 100755
--- a/main/gradebook/gradebook_add_eval.php
+++ b/main/gradebook/gradebook_add_eval.php
@@ -1,6 +1,6 @@
 <?php
-
 /* For licensing terms, see /license.txt */
+
 /**
  * Script
  * @package chamilo.gradebook
@@ -29,7 +29,14 @@ if (isset($_GET['selectcat']) && (!empty($_GET['selectcat']))) {
     $evaladd->set_category_id(0);
 }
 
-$form = new EvalForm(EvalForm :: TYPE_ADD, $evaladd, null, 'add_eval_form', null, api_get_self() . '?selectcat=' . $select_cat);
+$form = new EvalForm(
+    EvalForm :: TYPE_ADD,
+    $evaladd,
+    null,
+    'add_eval_form',
+    null,
+    api_get_self() . '?selectcat=' . $select_cat.'&'.api_get_cidreq()
+);
 
 if ($form->validate()) {
     $values = $form->exportValues();
@@ -51,7 +58,6 @@ if ($form->validate()) {
     //$values['weight'] = $values['weight_mask']/$global_weight*$parent_cat[0]->get_weight();
     $values['weight'] = $values['weight_mask'];
 
-
     $eval->set_weight($values['weight']);
     $eval->set_max($values['max']);
 
@@ -68,32 +74,30 @@ if ($form->validate()) {
             //header('Location: gradebook_add_user.php?selecteval=' . $eval->get_id());
             exit;
         } else {
-            header('Location: ' . Security::remove_XSS($_SESSION['gradebook_dest']) . '?selectcat=' . $eval->get_category_id());
+            header('Location: ' . Security::remove_XSS($_SESSION['gradebook_dest']) . '?selectcat=' . $eval->get_category_id().'&'.api_get_cidreq());
             exit;
         }
     } else {
         $val_addresult = isset($values['addresult']) ? $values['addresult'] : null;
         if ($val_addresult == 1) {
-            header('Location: gradebook_add_result.php?selecteval=' . $eval->get_id());
+            header('Location: gradebook_add_result.php?selecteval=' . $eval->get_id().'&'.api_get_cidreq());
             exit;
         } else {
-            header('Location: ' . Security::remove_XSS($_SESSION['gradebook_dest']) . '?selectcat=' . $eval->get_category_id());
+            header('Location: ' . Security::remove_XSS($_SESSION['gradebook_dest']) . '?selectcat=' . $eval->get_category_id().'&'.api_get_cidreq());
             exit;
         }
     }
 }
 
 $interbreadcrumb[] = array(
-    'url' => Security::remove_XSS($_SESSION['gradebook_dest']) . '?selectcat=' . $select_cat,
-    'name' => get_lang('Gradebook'
-    ));
+    'url' => Security::remove_XSS($_SESSION['gradebook_dest']) . '?selectcat=' . $select_cat.'&'.api_get_cidreq(),
+    'name' => get_lang('Gradebook'))
+;
 $this_section = SECTION_COURSES;
 
 $htmlHeadXtra[] = '<script type="text/javascript">
 $(document).ready( function() {
-
-    $("#hid_category_id").change(function(){
-
+    $("#hid_category_id").change(function() {
        $("#hid_category_id option:selected").each(function () {
            var cat_id = $(this).val();
             $.ajax({
@@ -103,7 +107,7 @@ $(document).ready( function() {
                     if (return_value != 0 ) {
                         $("#max_weight").html(return_value);
                     }
-                },
+                }
             });
        });
     });
diff --git a/main/gradebook/gradebook_add_link.php b/main/gradebook/gradebook_add_link.php
index 9401b19fc1..3e82119bec 100755
--- a/main/gradebook/gradebook_add_link.php
+++ b/main/gradebook/gradebook_add_link.php
@@ -34,7 +34,7 @@ if ($session_id == 0) {
     $all_categories = Category::load_session_categories(null, $session_id);
 }
 $category = Category :: load($_GET['selectcat']);
-$url = api_get_self().'?selectcat='.Security::remove_XSS($_GET['selectcat']).'&newtypeselected='.$typeSelected.'&course_code='.api_get_course_id();
+$url = api_get_self().'?selectcat='.Security::remove_XSS($_GET['selectcat']).'&newtypeselected='.$typeSelected.'&course_code='.api_get_course_id().'&'.api_get_cidreq();
 $typeform = new LinkForm(LinkForm :: TYPE_CREATE, $category[0], null, 'create_link', null, $url, $typeSelected);
 
 // if user selected a link type
@@ -87,8 +87,10 @@ if (isset($typeSelected) && $typeSelected != '0') {
         $link->set_visible(empty($addvalues['visible']) ? 0 : 1);
 
         // Update view_properties
-        if (isset($typeSelected) && 5 == $typeSelected && (isset($addvalues['select_link']) && $addvalues['select_link'] <> "")) {
-
+        if (isset($typeSelected) &&
+            5 == $typeSelected &&
+            (isset($addvalues['select_link']) && $addvalues['select_link'] <> "")
+        ) {
             $sql1 = 'SELECT thread_title from '.$tbl_forum_thread.'
 					 WHERE c_id = '.$course_info['real_id'].' AND thread_id='.$addvalues['select_link'];
             $res1 = Database::query($sql1);
@@ -100,32 +102,35 @@ if (isset($typeSelected) && $typeSelected != '0') {
             $row = Database::fetch_row($res_l);
             if ($row[0] == 0) {
                 $link->add();
-                $sql = 'UPDATE '.$tbl_forum_thread.' SET thread_qualify_max='.$addvalues['weight'].',thread_weight='.$addvalues['weight'].',thread_title_qualify="'.$rowtit[0].'"
+                $sql = 'UPDATE '.$tbl_forum_thread.' SET
+                            thread_qualify_max='.$addvalues['weight'].',
+                            thread_weight='.$addvalues['weight'].',
+                            thread_title_qualify="'.$rowtit[0].'"
 						WHERE thread_id='.$addvalues['select_link'].' AND c_id = '.$course_info['real_id'].' ';
                 Database::query($sql);
             }
         }
 
         $link->add();
-
         $addvalue_result = !empty($addvalues['addresult']) ? $addvalues['addresult'] : array();
         if ($addvalue_result == 1) {
-            header('Location: gradebook_add_result.php?selecteval='.$link->get_ref_id());
+            header('Location: gradebook_add_result.php?selecteval='.$link->get_ref_id().'&'.api_get_cidreq());
             exit;
         } else {
-            header('Location: '.Security::remove_XSS($_SESSION['gradebook_dest']).'?linkadded=&selectcat='.Security::remove_XSS($_GET['selectcat']));
+            header('Location: '.Security::remove_XSS($_SESSION['gradebook_dest']).'?linkadded=&selectcat='.Security::remove_XSS($_GET['selectcat']).'&'.api_get_cidreq());
             exit;
         }
     }
 }
 
-
-$interbreadcrumb[] = array('url' => $_SESSION['gradebook_dest'].'?selectcat='.Security::remove_XSS($_GET['selectcat']), 'name' => get_lang('Gradebook'));
+$interbreadcrumb[] = array(
+    'url' => $_SESSION['gradebook_dest'].'?selectcat='.Security::remove_XSS($_GET['selectcat']).'&'.api_get_cidreq(),
+    'name' => get_lang('Gradebook')
+);
 $this_section = SECTION_COURSES;
 
 $htmlHeadXtra[] = '<script>
 $(document).ready( function() {
-
     $("#hide_category_id").change(function() {
        $("#hide_category_id option:selected").each(function () {
            var cat_id = $(this).val();
@@ -136,7 +141,7 @@ $(document).ready( function() {
                     if (return_value != 0 ) {
                         $("#max_weight").html(return_value);
                     }
-                },
+                }
             });
        });
     });
diff --git a/main/gradebook/gradebook_add_link_select_course.php b/main/gradebook/gradebook_add_link_select_course.php
index bc578fde17..8ed811b8e3 100755
--- a/main/gradebook/gradebook_add_link_select_course.php
+++ b/main/gradebook/gradebook_add_link_select_course.php
@@ -1,5 +1,6 @@
 <?php
 /* For licensing terms, see /license.txt */
+
 /**
  * Script
  * @package chamilo.gradebook
@@ -18,25 +19,30 @@ api_block_anonymous_users();
 block_students();
 
 $catadd = new Category();
-$catadd->set_user_id($_user['user_id']);
+$catadd->set_user_id(api_get_user_id());
 $catadd->set_parent_id($_GET['selectcat']);
 $catcourse = Category :: load ($_GET['selectcat']);
-//$catadd->set_course_code($catcourse[0]->get_course_code());
-$form = new CatForm(CatForm :: TYPE_SELECT_COURSE, $catadd, 'add_cat_form', null, api_get_self().'?selectcat=' . Security::remove_XSS($_GET['selectcat']));
+$form = new CatForm(
+    CatForm :: TYPE_SELECT_COURSE,
+    $catadd,
+    'add_cat_form',
+    null,
+    api_get_self() . '?selectcat=' . Security::remove_XSS($_GET['selectcat']).'&'.api_get_cidreq()
+);
 
 if ($form->validate()) {
     $values = $form->exportValues();
     $cat = new Category();
     $cat->set_course_code($values['select_course']);
     $cat->set_name($values['name']);
-    header('location: gradebook_add_link.php?selectcat=' .Security::remove_XSS($_GET['selectcat']).'&course_code='.Security::remove_XSS($values['select_course']));
+    header('location: gradebook_add_link.php?selectcat=' .Security::remove_XSS($_GET['selectcat']).'&course_code='.Security::remove_XSS($values['select_course']).'&'.api_get_cidreq());
     exit;
 }
 
 $interbreadcrumb[] = array (
-    'url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat='.Security::remove_XSS($_GET['selectcat']),
-    'name' => get_lang('Gradebook'
-    ));
+    'url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat='.Security::remove_XSS($_GET['selectcat']).'&'.api_get_cidreq(),
+    'name' => get_lang('Gradebook')
+);
 Display :: display_header(get_lang('NewCategory'));
 $form->display();
 Display :: display_footer();
diff --git a/main/gradebook/gradebook_add_result.php b/main/gradebook/gradebook_add_result.php
index 788a9834a8..4166ee0321 100755
--- a/main/gradebook/gradebook_add_result.php
+++ b/main/gradebook/gradebook_add_result.php
@@ -24,13 +24,20 @@ $resultadd = new Result();
 $resultadd->set_evaluation_id($_GET['selecteval']);
 $evaluation = Evaluation :: load($_GET['selecteval']);
 $category = !empty($_GET['selectcat']) ? $_GET['selectcat'] : "";
-$add_result_form = new EvalForm(EvalForm :: TYPE_RESULT_ADD, $evaluation[0], $resultadd, 'add_result_form', null, api_get_self() . '?selectcat=' . Security::remove_XSS($category) . '&selecteval=' . Security::remove_XSS($_GET['selecteval']));
+$add_result_form = new EvalForm(
+    EvalForm :: TYPE_RESULT_ADD,
+    $evaluation[0],
+    $resultadd,
+    'add_result_form',
+    null,
+    api_get_self() . '?selectcat=' . Security::remove_XSS($category) . '&selecteval=' . Security::remove_XSS($_GET['selecteval']).'&'.api_get_cidreq()
+);
 $table = $add_result_form->toHtml();
 if ($add_result_form->validate()) {
     $values = $add_result_form->exportValues();
     $nr_users = $values['nr_users'];
     if ($nr_users == '0') {
-        header('Location: gradebook_view_result.php?addresultnostudents=&selecteval=' . Security::remove_XSS($_GET['selecteval']));
+        header('Location: gradebook_view_result.php?addresultnostudents=&selecteval=' . Security::remove_XSS($_GET['selecteval']).'&'.api_get_cidreq());
         exit;
     }
     $scores = ($values['score']);
@@ -43,10 +50,13 @@ if ($add_result_form->validate()) {
         $res->add();
         next($scores);
     }
-    header('Location: gradebook_view_result.php?addresult=&selecteval=' . Security::remove_XSS($_GET['selecteval']));
+    header('Location: gradebook_view_result.php?addresult=&selecteval=' . Security::remove_XSS($_GET['selecteval']).'&'.api_get_cidreq());
     exit;
 }
-$interbreadcrumb[] = array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']),'name' => get_lang('Gradebook'));
+$interbreadcrumb[] = array(
+    'url' => Security::remove_XSS($_SESSION['gradebook_dest']),
+    'name' => get_lang('Gradebook')
+);
 Display :: display_header(get_lang('AddResult'));
 DisplayGradebook :: display_header_result ($evaluation[0], null, 0,0);
 echo $table;
diff --git a/main/gradebook/gradebook_display_certificate.php b/main/gradebook/gradebook_display_certificate.php
index 5fe8c26481..2364de90c4 100755
--- a/main/gradebook/gradebook_display_certificate.php
+++ b/main/gradebook/gradebook_display_certificate.php
@@ -1,5 +1,6 @@
 <?php
 /* For licensing terms, see /license.txt */
+
 /**
  * Script
  * @package chamilo.gradebook
diff --git a/main/gradebook/index.php b/main/gradebook/index.php
index 12a76d66aa..aae093f8a8 100755
--- a/main/gradebook/index.php
+++ b/main/gradebook/index.php
@@ -9,7 +9,7 @@ $language_file = array('gradebook', 'exercice');
 
 // $cidReset : This is the main difference with gradebook.php, here we say,
 // basically, that we are inside a course, and many things depend from that
-$cidReset= false;
+//$cidReset = false;
 $_in_course = true;
 require_once '../inc/global.inc.php';
 $current_course_tool  = TOOL_GRADEBOOK;
@@ -702,7 +702,7 @@ if (isset($_GET['studentoverview'])) {
         }
         unset($cats);
     }
-    $cats = Category :: load ($category, null, null, null, null, null, false);
+    $cats = Category::load($category, null, null, null, null, null, false);
 
     //with this fix the teacher only can view 1 gradebook
     if (api_is_platform_admin()) {
diff --git a/main/gradebook/lib/fe/gradebooktable.class.php b/main/gradebook/lib/fe/gradebooktable.class.php
index 49f509165c..8f6e01d95a 100755
--- a/main/gradebook/lib/fe/gradebooktable.class.php
+++ b/main/gradebook/lib/fe/gradebooktable.class.php
@@ -20,10 +20,15 @@ class GradebookTable extends SortableTable
 
     /**
      * Constructor
+     * @param Category $currentcat
+     * @param array $cats
+     * @param array $evals
+     * @param array $links
+     * @param null $addparams
      */
     public function GradebookTable($currentcat, $cats = array(), $evals = array(), $links = array(), $addparams = null)
     {
-        parent::__construct ('gradebooklist', null, null, (api_is_allowed_to_edit()?1:0));
+        parent::__construct('gradebooklist', null, null, (api_is_allowed_to_edit()?1:0));
         $this->evals_links = array_merge($evals, $links);
         $this->currentcat = $currentcat;
         $this->cats = $cats;
@@ -40,7 +45,6 @@ class GradebookTable extends SortableTable
 
         $this->set_header($column++, get_lang('Type'), '', 'width="35px"');
         $this->set_header($column++, get_lang('Name'), false);
-
         $this->set_header($column++, get_lang('Description'), false);
 
         if (api_is_allowed_to_edit(null, true)) {
@@ -60,18 +64,18 @@ class GradebookTable extends SortableTable
         }
 
         // Deactivates the odd/even alt rows in order that the +/- buttons work see #4047
-
         $this->odd_even_rows_enabled = false;
 
         // Admins get an edit column.
         if (api_is_allowed_to_edit(null, true)) {
             $this->set_header($column++, get_lang('Modify'), false, 'width="195px"');
             // Actions on multiple selected documents.
-            $this->set_form_actions(array (
-                'setvisible' => get_lang('SetVisible'),
-                'setinvisible' => get_lang('SetInvisible'),
-                'deleted' => get_lang('DeleteSelected')
-                ));
+            $this->set_form_actions(array(
+                    'setvisible' => get_lang('SetVisible'),
+                    'setinvisible' => get_lang('SetInvisible'),
+                    'deleted' => get_lang('DeleteSelected')
+                )
+            );
         } else {
             if (empty($_GET['selectcat']) && !api_is_allowed_to_edit()) {
                 $this->set_header($column++, get_lang('Certificates'), false);
@@ -87,14 +91,14 @@ class GradebookTable extends SortableTable
         return $this->datagen;
     }
 
-	/**
-	 * Function used by SortableTable to get total number of items in the table
+    /**
+     * Function used by SortableTable to get total number of items in the table
      * @return int
-	 */
+     */
     public function get_total_number_of_items()
     {
-		return $this->datagen->get_total_items_count();
-	}
+        return $this->datagen->get_total_items_count();
+    }
 
     /**
      * Function used by SortableTable to generate the data to display
@@ -142,19 +146,21 @@ class GradebookTable extends SortableTable
         }
 
         // Status of user in course.
-        $user_id        = api_get_user_id();
-        $course_code    = api_get_course_id();
-        $session_id     = api_get_session_id();
-        $status_user    = api_get_status_of_user_in_course($user_id, $course_code);
-        $data_array     = $this->datagen->get_data($sorting, $from, $this->per_page);
+        $user_id = api_get_user_id();
+        $course_code = api_get_course_id();
+        $session_id = api_get_session_id();
+        $status_user = api_get_status_of_user_in_course($user_id, $course_code);
+        $data_array = $this->datagen->get_data(
+            $sorting,
+            $from,
+            $this->per_page
+        );
 
         // generate the data to display
         $sortable_data = array();
         $weight_total_links = 0;
-
         $main_categories = array();
         $main_cat =  Category::load(null, null, $course_code, null, null, $session_id, false);
-
         $total_categories_weight = 0;
         $scoredisplay = ScoreDisplay :: instance();
 
@@ -204,6 +210,7 @@ class GradebookTable extends SortableTable
                 true
             );
 
+            // Weight
             if (api_is_allowed_to_edit(null, true)) {
                 $row[] = $invisibility_span_open .Display::tag('h4', $average).$invisibility_span_close;
             } else {
@@ -258,14 +265,11 @@ class GradebookTable extends SortableTable
             $sortable_data[] = $row;
 
             // Loading children
-
             if (get_class($item) == 'Category') {
-
-                $stud_id        = api_get_user_id();
-                $course_code    = api_get_course_id();
-                $session_id     = api_get_session_id();
-                $parent_id      = $item->get_id();
-
+                $stud_id = api_get_user_id();
+                $course_code = api_get_course_id();
+                $session_id = api_get_session_id();
+                $parent_id = $item->get_id();
                 $cats = Category::load($parent_id, null, null, null, null, null);
 
                 if (isset($cats[0])) {
@@ -275,13 +279,11 @@ class GradebookTable extends SortableTable
 
                     $sub_cat_info = new GradebookDataGenerator($allcat, $alleval, $alllink);
                     $data_array  =  $sub_cat_info->get_data($sorting, $from, $this->per_page);
-
                     $total_weight = 0;
 
                     // Links.
-
                     foreach ($data_array as $data) {
-                        $row  = array();
+                        $row = array();
                         $item = $data[0];
 
                         //if the item is invisible, wrap it in a span with class invisible
@@ -341,7 +343,6 @@ class GradebookTable extends SortableTable
                             }
                         }
                         $row['child_of'] = $parent_id;
-
                         $sortable_data[] = $row;
                     }
 
@@ -406,7 +407,8 @@ class GradebookTable extends SortableTable
                     $weight_total_links > $weight_category
                 ) {
                     $warning_message = sprintf(get_lang('TotalWeightMustBeX'), $weight_category);
-                    $modify_icons  = '<a class="right_link" href="gradebook_edit_cat.php?editcat='.$id_cat.'&cidReq='.$course_code.'">'.Display::return_icon('edit.png', $warning_message, array(), ICON_SIZE_SMALL).'</a>';
+                    $modify_icons  = '<a class="right_link" href="gradebook_edit_cat.php?editcat='.$id_cat.'&cidReq='.$course_code.'">'.
+                            Display::return_icon('edit.png', $warning_message, array(), ICON_SIZE_SMALL).'</a>';
                     $warning_message .= $modify_icons;
                     Display::display_warning_message($warning_message, false);
                 }
@@ -493,7 +495,7 @@ class GradebookTable extends SortableTable
      */
     private function build_course_code ($item)
     {
-    	return $item->get_course_code();
+        return $item->get_course_code();
     }
 
     /**
@@ -502,18 +504,18 @@ class GradebookTable extends SortableTable
      */
     private function build_id_column ($item)
     {
-		switch ($item->get_item_type()) {
-			// category
-			case 'C' :
-				return 'CATE' . $item->get_id();
-			// evaluation
-			case 'E' :
-				return 'EVAL' . $item->get_id();
-			// link
-			case 'L' :
-				return 'LINK' . $item->get_id();
-		}
-	}
+        switch ($item->get_item_type()) {
+            // category
+            case 'C' :
+                return 'CATE' . $item->get_id();
+            // evaluation
+            case 'E' :
+                return 'EVAL' . $item->get_id();
+            // link
+            case 'L' :
+                return 'LINK' . $item->get_id();
+        }
+    }
 
     /**
      * @param $item
@@ -522,95 +524,95 @@ class GradebookTable extends SortableTable
      */
     private function build_type_column ($item, $attributes = array())
     {
-		return build_type_icon_tag($item->get_icon_name(), $attributes);
-	}
-
-	/**
-	 * Generate name column
-	 * @param unknown_type $item
-	 * @return string
-	 */
-	private function build_name_link($item)
+        return build_type_icon_tag($item->get_icon_name(), $attributes);
+    }
+
+    /**
+     * Generate name column
+     * @param unknown_type $item
+     * @return string
+     */
+    private function build_name_link($item)
     {
         $view = isset($_GET['view']) ? Security::remove_XSS($_GET['view']) : null;
-		switch ($item->get_item_type()) {
-			// category
-			case 'C' :
-				$prms_uri='?selectcat=' . $item->get_id() . '&amp;view='.$view;
-
-				if (isset($_GET['isStudentView'])) {
-					if ( isset($is_student) || ( isset($_SESSION['studentview']) && $_SESSION['studentview']=='studentview') ) {
-						$prms_uri=$prms_uri.'&amp;isStudentView='.Security::remove_XSS($_GET['isStudentView']);
-					}
-				}
-
-				$cat = new Category();
-				$show_message=$cat->show_message_resource_delete($item->get_course_code());
-				return '&nbsp;<a href="'.Security::remove_XSS($_SESSION['gradebook_dest']).$prms_uri.'">'
-				 		. $item->get_name()
-				 		. '</a>'
-				 		. ($item->is_course() ? ' &nbsp;[' . $item->get_course_code() . ']'.$show_message : '');
-			// evaluation
-			case 'E' :
-				$cat = new Category();
-				$course_id = Database::get_course_by_category($_GET['selectcat']);
-
-				$show_message = $cat->show_message_resource_delete($course_id);
-
-				// course/platform admin can go to the view_results page
-
-				if (api_is_allowed_to_edit() && $show_message===false) {
-					if ($item->get_type() == 'presence') {
-						return '&nbsp;'
-							. '<a href="gradebook_view_result.php?cidReq='.$course_id.'&amp;selecteval=' . $item->get_id() . '">'
-							. $item->get_name()
-							. '</a>';
-					} else {
-						return '&nbsp;'
-							. '<a href="gradebook_view_result.php?cidReq='.$course_id.'&amp;selecteval=' . $item->get_id() . '">'
-							. $item->get_name()
-							. '</a>&nbsp;'.Display::label(get_lang('Evaluation'));
-					}
-				} elseif (ScoreDisplay :: instance()->is_custom() && $show_message===false) {
-					// students can go to the statistics page (if custom display enabled)
-					return '&nbsp;'
-						. '<a href="gradebook_statistics.php?selecteval=' . $item->get_id() . '">'
-						. $item->get_name()
-						. '</a>';
-
-				} elseif ($show_message===false && !api_is_allowed_to_edit() && !(ScoreDisplay :: instance()->is_custom())) {
-					return '&nbsp;'
-						. '<a href="gradebook_statistics.php?selecteval=' . $item->get_id() . '">'
-						. $item->get_name()
-						. '</a>';
-
-				} else {
-					return '['.get_lang('Evaluation').']&nbsp;&nbsp;'.$item->get_name().$show_message;
-				}
-			// link
-			case 'L' :
-				$cat 			= new Category();
-				$course_id	 	= Database::get_course_by_category($_GET['selectcat']);
-				$show_message	= $cat->show_message_resource_delete($course_id);
-
-				$url = $item->get_link();
-
-				if (isset($url) && $show_message===false) {
-					$text = '&nbsp;<a href="' . $item->get_link() . '">'
-							. $item->get_name()
-							. '</a>';
-				} else {
-					$text = $item->get_name();
-				}
-
-				$text .= "&nbsp;".Display::label($item->get_type_name(), 'info').$show_message;
-				$cc = $this->currentcat->get_course_code();
-				if (empty($cc)) {
-					$text .= '&nbsp;[<a href="'.api_get_path(REL_COURSE_PATH).$item->get_course_code().'/">'.$item->get_course_code().'</a>]';
-				}
-				return $text;
-		}
-	}
+        switch ($item->get_item_type()) {
+            // category
+            case 'C' :
+                $prms_uri='?selectcat=' . $item->get_id() . '&amp;view='.$view;
+
+                if (isset($_GET['isStudentView'])) {
+                    if ( isset($is_student) || ( isset($_SESSION['studentview']) && $_SESSION['studentview']=='studentview') ) {
+                        $prms_uri=$prms_uri.'&amp;isStudentView='.Security::remove_XSS($_GET['isStudentView']);
+                    }
+                }
+
+                $cat = new Category();
+                $show_message=$cat->show_message_resource_delete($item->get_course_code());
+                return '&nbsp;<a href="'.Security::remove_XSS($_SESSION['gradebook_dest']).$prms_uri.'">'
+                . $item->get_name()
+                . '</a>'
+                . ($item->is_course() ? ' &nbsp;[' . $item->get_course_code() . ']'.$show_message : '');
+            // evaluation
+            case 'E' :
+                $cat = new Category();
+                $course_id = Database::get_course_by_category($_GET['selectcat']);
+
+                $show_message = $cat->show_message_resource_delete($course_id);
+
+                // course/platform admin can go to the view_results page
+
+                if (api_is_allowed_to_edit() && $show_message===false) {
+                    if ($item->get_type() == 'presence') {
+                        return '&nbsp;'
+                        . '<a href="gradebook_view_result.php?cidReq='.$course_id.'&amp;selecteval=' . $item->get_id() . '">'
+                        . $item->get_name()
+                        . '</a>';
+                    } else {
+                        return '&nbsp;'
+                        . '<a href="gradebook_view_result.php?cidReq='.$course_id.'&amp;selecteval=' . $item->get_id() . '">'
+                        . $item->get_name()
+                        . '</a>&nbsp;'.Display::label(get_lang('Evaluation'));
+                    }
+                } elseif (ScoreDisplay :: instance()->is_custom() && $show_message===false) {
+                    // students can go to the statistics page (if custom display enabled)
+                    return '&nbsp;'
+                    . '<a href="gradebook_statistics.php?selecteval=' . $item->get_id() . '">'
+                    . $item->get_name()
+                    . '</a>';
+
+                } elseif ($show_message===false && !api_is_allowed_to_edit() && !(ScoreDisplay :: instance()->is_custom())) {
+                    return '&nbsp;'
+                    . '<a href="gradebook_statistics.php?selecteval=' . $item->get_id() . '">'
+                    . $item->get_name()
+                    . '</a>';
+
+                } else {
+                    return '['.get_lang('Evaluation').']&nbsp;&nbsp;'.$item->get_name().$show_message;
+                }
+            // link
+            case 'L' :
+                $cat 			= new Category();
+                $course_id	 	= Database::get_course_by_category($_GET['selectcat']);
+                $show_message	= $cat->show_message_resource_delete($course_id);
+
+                $url = $item->get_link();
+
+                if (isset($url) && $show_message===false) {
+                    $text = '&nbsp;<a href="' . $item->get_link() . '">'
+                        . $item->get_name()
+                        . '</a>';
+                } else {
+                    $text = $item->get_name();
+                }
+
+                $text .= "&nbsp;".Display::label($item->get_type_name(), 'info').$show_message;
+                $cc = $this->currentcat->get_course_code();
+                if (empty($cc)) {
+                    $text .= '&nbsp;[<a href="'.api_get_path(REL_COURSE_PATH).$item->get_course_code().'/">'.$item->get_course_code().'</a>]';
+                }
+                return $text;
+        }
+    }
 
     /**
      * @param $item
@@ -618,16 +620,16 @@ class GradebookTable extends SortableTable
      */
     private function build_edit_column($item)
     {
-		switch ($item->get_item_type()) {
-			// category
-			case 'C' :
-				return build_edit_icons_cat($item, $this->currentcat);
-			// evaluation
-			case 'E' :
-				return build_edit_icons_eval($item, $this->currentcat->get_id());
-			// link
-			case 'L' :
-				return build_edit_icons_link($item, $this->currentcat->get_id());
-		}
-	}
+        switch ($item->get_item_type()) {
+            // category
+            case 'C' :
+                return build_edit_icons_cat($item, $this->currentcat);
+            // evaluation
+            case 'E' :
+                return build_edit_icons_eval($item, $this->currentcat->get_id());
+            // link
+            case 'L' :
+                return build_edit_icons_link($item, $this->currentcat->get_id());
+        }
+    }
 }
diff --git a/main/gradebook/lib/gradebook_data_generator.class.php b/main/gradebook/lib/gradebook_data_generator.class.php
index 0f880eeb62..f3b120cde5 100755
--- a/main/gradebook/lib/gradebook_data_generator.class.php
+++ b/main/gradebook/lib/gradebook_data_generator.class.php
@@ -57,6 +57,7 @@ class GradebookDataGenerator
 
     /**
      * Get total number of items (rows)
+     * @return int
      */
     public function get_total_items_count()
     {
@@ -196,7 +197,7 @@ class GradebookDataGenerator
         } else {
             $date = $item1->get_date();
             if (!empty($date)) {
-             $timestamp1 = api_strtotime($date, 'UTC');
+                $timestamp1 = api_strtotime($date, 'UTC');
             } else {
                 $timestamp1 = null;
             }
diff --git a/main/gradebook/lib/gradebook_functions.inc.php b/main/gradebook/lib/gradebook_functions.inc.php
index 54922d5de5..af228625ac 100755
--- a/main/gradebook/lib/gradebook_functions.inc.php
+++ b/main/gradebook/lib/gradebook_functions.inc.php
@@ -199,8 +199,8 @@ function get_icon_file_name($type)
 
 /**
  * Builds the course or platform admin icons to edit a category
- * @param object $cat category object
- * @param int $selectcat id of selected category
+ * @param Category $cat category
+ * @param Category $selectcat id of selected category
  */
 function build_edit_icons_cat($cat, $selectcat)
 {
@@ -213,11 +213,12 @@ function build_edit_icons_cat($cat, $selectcat)
         $visibility_icon = ($cat->is_visible() == 0) ? 'invisible' : 'visible';
         $visibility_command = ($cat->is_visible() == 0) ? 'set_visible' : 'set_invisible';
 
-        $modify_icons .= '<a class="view_children" data-cat-id="' . $cat->get_id() . '" href="javascript:void(0);">' . Display::return_icon('view_more_stats.gif', get_lang('Show'), '', ICON_SIZE_SMALL) . '</a>';
+        $modify_icons .= '<a class="view_children" data-cat-id="' . $cat->get_id() . '" href="javascript:void(0);">' .
+            Display::return_icon('view_more_stats.gif', get_lang('Show'), '', ICON_SIZE_SMALL) . '</a>';
 
         if (api_is_allowed_to_edit(null, true)) {
 
-            //Locking button
+            // Locking button
             if (api_get_setting('gradebook_locking_enabled') == 'true') {
 
                 if ($cat->is_locked()) {
@@ -240,9 +241,7 @@ function build_edit_icons_cat($cat, $selectcat)
                 if ($cat->is_locked() && !api_is_platform_admin()) {
                     $modify_icons .= Display::return_icon('edit_na.png', get_lang('Modify'), '', ICON_SIZE_SMALL);
                 } else {
-                    $modify_icons .= '<a href="gradebook_edit_cat.php?' .
-                        'editcat=' . $cat->get_id() . '&cidReq=' .
-                        $cat->get_course_code() . '">' .
+                    $modify_icons .= '<a href="gradebook_edit_cat.php?' .'editcat=' . $cat->get_id() . '&cidReq=' .$cat->get_course_code() . '">' .
                         Display::return_icon(
                             'edit.png',
                             get_lang('Modify'),
@@ -252,26 +251,21 @@ function build_edit_icons_cat($cat, $selectcat)
                 }
             }
 
-            $modify_icons .= '<a href="gradebook_edit_all.php?selectcat=' .
-                $cat->get_id() . '&cidReq=' . $cat->get_course_code() . '">' .
+            $modify_icons .= '<a href="gradebook_edit_all.php?selectcat=' .$cat->get_id() . '&cidReq=' . $cat->get_course_code() . '">' .
                 Display::return_icon(
                     'percentage.png',
                     get_lang('EditAllWeights'),
                     '',
                     ICON_SIZE_SMALL
                 ) . '</a>';
-            $modify_icons .= '<a href="gradebook_flatview.php?selectcat=' .
-                $cat->get_id() . '&cidReq=' . $cat->get_course_code() . '">' .
+            $modify_icons .= '<a href="gradebook_flatview.php?selectcat=' .$cat->get_id() . '&cidReq=' . $cat->get_course_code() . '">' .
                 Display::return_icon(
                     'stats.png',
                     get_lang('FlatView'),
                     '',
                     ICON_SIZE_SMALL
                 ) . '</a>';
-            $modify_icons .= '&nbsp;<a href="' . api_get_self() .
-                '?visiblecat=' . $cat->get_id() . '&' .
-                $visibility_command . '=&selectcat=' . $selectcat .
-                '&cidReq=' . $cat->get_course_code() . '">' .
+            $modify_icons .= '&nbsp;<a href="' . api_get_self() .'?visiblecat=' . $cat->get_id() . '&' .$visibility_command . '=&selectcat=' . $selectcat .'&cidReq=' . $cat->get_course_code() . '">' .
                 Display::return_icon(
                     $visibility_icon . '.png',
                     get_lang('Visible'),
@@ -289,7 +283,8 @@ function build_edit_icons_cat($cat, $selectcat)
             if ($cat->is_locked() && !api_is_platform_admin()) {
                 $modify_icons .= Display::return_icon('delete_na.png', get_lang('DeleteAll'), '', ICON_SIZE_SMALL);
             } else {
-                $modify_icons .= '&nbsp;<a href="' . api_get_self() . '?deletecat=' . $cat->get_id() . '&amp;selectcat=' . $selectcat . '&amp;cidReq=' . $cat->get_course_code() . '" onclick="return confirmation();">' . Display::return_icon('delete.png', get_lang('DeleteAll'), '', ICON_SIZE_SMALL) . '</a>';
+                $modify_icons .= '&nbsp;<a href="' . api_get_self() . '?deletecat=' . $cat->get_id() . '&amp;selectcat=' . $selectcat . '&amp;cidReq=' . $cat->get_course_code() . '" onclick="return confirmation();">' .
+                    Display::return_icon('delete.png', get_lang('DeleteAll'), '', ICON_SIZE_SMALL) . '</a>';
             }
         }
 
diff --git a/main/inc/ajax/course.ajax.php b/main/inc/ajax/course.ajax.php
index baa89b2b3b..2d0ac9891f 100755
--- a/main/inc/ajax/course.ajax.php
+++ b/main/inc/ajax/course.ajax.php
@@ -104,8 +104,6 @@ switch ($action) {
     case 'search_course_by_session':
         if (api_is_platform_admin()) {
             $results = SessionManager::get_course_list_by_session_id($_GET['session_id'], $_GET['q']);
-
-            //$results = SessionManager::get_sessions_list(array('s.name LIKE' => "%".$_REQUEST['q']."%"));
             $results2 = array();
             if (!empty($results)) {
                 foreach ($results as $item) {
diff --git a/main/inc/ajax/session.ajax.php b/main/inc/ajax/session.ajax.php
index bcd18bd1d8..1cf1cdab72 100755
--- a/main/inc/ajax/session.ajax.php
+++ b/main/inc/ajax/session.ajax.php
@@ -26,9 +26,8 @@ switch ($action) {
         break;
     case 'search_session':
         if (api_is_platform_admin()) {
-            //$results = SessionManager::get_sessions_list(array('s.name LIKE' => "%".$_REQUEST['q']."%"));
             $results = SessionManager::get_sessions_list(
-                array('s.name LIKE' => "%".$_REQUEST['q']."%")
+                array('s.name' => array('operator' => 'LIKE', 'value' => "%".$_REQUEST['q']."%"))
             );
             $results2 = array();
             if (!empty($results)) {
@@ -52,7 +51,12 @@ switch ($action) {
         break;
     case 'search_session_all':
         if (api_is_platform_admin()) {
-            $results = SessionManager::get_sessions_list(array('s.name LIKE' => "%".$_REQUEST['q']."%", 'c.id ='=>$_REQUEST['course_id']));
+            $results = SessionManager::get_sessions_list(
+                array(
+                    's.name' => array('operator' => 'like', 'value' => "%".$_REQUEST['q']."%"),
+                    'c.id' => array('operator' => '=', 'value' => $_REQUEST['course_id'])
+                )
+            );
             $results2 = array();
             if (!empty($results)) {
                 foreach ($results as $item) {
@@ -76,7 +80,12 @@ switch ($action) {
         break;
     case 'search_session_by_course':
         if (api_is_platform_admin()) {
-            $results = SessionManager::get_sessions_list(array('s.name LIKE' => "%".$_REQUEST['q']."%", 'c.id ='=>$_REQUEST['course_id']));
+            $results = SessionManager::get_sessions_list(
+                array(
+                    's.name' => array('operator' => 'like', 'value' => "%".$_REQUEST['q']."%"),
+                    'c.id' => array('operator' => '=', 'value' => $_REQUEST['course_id'])
+                )
+            );
             $results2 = array();
             if (!empty($results)) {
                 foreach ($results as $item) {
diff --git a/main/inc/lib/CoursesAndSessionsCatalog.class.php b/main/inc/lib/CoursesAndSessionsCatalog.class.php
index dfe1279098..0b95bdcdc9 100644
--- a/main/inc/lib/CoursesAndSessionsCatalog.class.php
+++ b/main/inc/lib/CoursesAndSessionsCatalog.class.php
@@ -1,5 +1,9 @@
 <?php
+/* For licensing terms, see /license.txt */
 
+/**
+ * Class CoursesAndSessionsCatalog
+ */
 class CoursesAndSessionsCatalog
 {
 
@@ -7,6 +11,7 @@ class CoursesAndSessionsCatalog
      * Check the configuration for the courses and sessions catalog
      * @global array $_configuration Configuration
      * @param int $value The value to check
+     *
      * @return boolean Whether the configuration is $value
      */
     public static function is($value = CATALOG_COURSES)
@@ -25,6 +30,7 @@ class CoursesAndSessionsCatalog
     /**
      * Check whether to display the sessions list
      * @global array $_configuration Configuration
+     *
      * @return boolean whether to display
      */
     public static function showSessions()
@@ -47,6 +53,7 @@ class CoursesAndSessionsCatalog
     /**
      * Check whether to display the courses list
      * @global array $_configuration Configuration
+     *
      * @return boolean whether to display
      */
     public static function showCourses()
diff --git a/main/inc/lib/formvalidator/FormValidator.class.php b/main/inc/lib/formvalidator/FormValidator.class.php
index 185fc64a75..99e2cdff83 100755
--- a/main/inc/lib/formvalidator/FormValidator.class.php
+++ b/main/inc/lib/formvalidator/FormValidator.class.php
@@ -18,7 +18,7 @@ define('TEACHER_HTML_FULLPAGE', 5);
  */
 class FormValidator extends HTML_QuickForm
 {
-
+    public $with_progress_bar = false;
     /**
      * Create a form validator based on an array of form data:
      *
@@ -47,10 +47,11 @@ class FormValidator extends HTML_QuickForm
      *             )
      *         );
      *
-     * @param array form_data
+     * @param array $form_data
+     *
      * @return FormValidator
      */
-    static function create($form_data)
+    public static function create($form_data)
     {
         if (empty($form_data)) {
             return null;
@@ -98,11 +99,10 @@ class FormValidator extends HTML_QuickForm
             }
         }
         $result->setDefaults($defaults);
+
         return $result;
     }
 
-    var $with_progress_bar = false;
-
     /**
      * Constructor
      * @param string $form_name					Name of the form
@@ -113,7 +113,7 @@ class FormValidator extends HTML_QuickForm
      * @param bool $track_submit (optional)		Whether to track if the form was
      * submitted by adding a special hidden field (default = true)
      */
-    function __construct($form_name, $method = 'post', $action = '', $target = '', $attributes = null, $track_submit = true)
+    public function __construct($form_name, $method = 'post', $action = '', $target = '', $attributes = null, $track_submit = true)
     {
         // Default form class.
         if (is_array($attributes) && !isset($attributes['class']) || empty($attributes)) {
@@ -646,7 +646,7 @@ function html_filter_student_fullpage($html)
  * @return string                       The cleaned mobile phone number
  */
 function mobile_phone_number_filter($mobilePhoneNumber)
-{    
+{
     $mobilePhoneNumber = str_replace(array('+', '(', ')'), '', $mobilePhoneNumber);
     return ltrim($mobilePhoneNumber,'0');
-}
\ No newline at end of file
+}
diff --git a/main/newscorm/lp_controller.php b/main/newscorm/lp_controller.php
index f305658ee8..3c7f836610 100755
--- a/main/newscorm/lp_controller.php
+++ b/main/newscorm/lp_controller.php
@@ -1060,8 +1060,11 @@ switch ($action) {
         break;
     case 'content':
         if ($debug > 0) error_log('New LP - content action triggered', 0);
-        if ($debug > 0) error_log('New LP - Item id is '.$_GET['item_id'], 0);
-        if (!$lp_found) { error_log('New LP - No learnpath given for content', 0); require 'lp_list.php'; }
+        if ($debug > 0) error_log('New LP - Item id is '.intval($_GET['item_id']), 0);
+        if (!$lp_found) {
+            error_log('New LP - No learnpath given for content', 0);
+            require 'lp_list.php';
+        }
         else {
             $_SESSION['oLP']->save_last();
             $_SESSION['oLP']->set_current_item($_GET['item_id']);
diff --git a/main/social/search.php b/main/social/search.php
index dfdf366198..bc5907a8c6 100755
--- a/main/social/search.php
+++ b/main/social/search.php
@@ -4,12 +4,11 @@
  * @package chamilo.social
  * @author Julio Montoya <gugli100@gmail.com>
  */
-/**
- * Initialization
- */
+
 // name of the language file that needs to be included
 $language_file = array('registration', 'admin', 'userInfo');
-$cidReset      = true;
+$cidReset = true;
+
 require_once '../inc/global.inc.php';
 require_once api_get_path(LIBRARY_PATH).'group_portal_manager.lib.php';
 require_once api_get_path(LIBRARY_PATH).'magpierss/rss_fetch.inc';
@@ -140,22 +139,23 @@ $query = isset($_GET['q']) ? Database::escape_string($_GET['q']) : null;
 $query_search_type = isset($_GET['search_type']) && in_array($_GET['search_type'], array('0','1','2')) ? $_GET['search_type'] : null;
 $extra_fields = UserManager::get_extra_filtrable_fields();
 $query_vars = array('q' => $query, 'search_type' => $query_search_type);
-foreach ($extra_fields as $extra_field) {
-    $field_name = 'field_'.$extra_field['variable'];
-    if (isset($_GET[$field_name]) && $_GET[$field_name]!='0') {
-        $query_vars[$field_name]=$_GET[$field_name];
+if (!empty($extra_fields)) {
+    foreach ($extra_fields as $extra_field) {
+        $field_name = 'field_' . $extra_field['variable'];
+        if (isset($_GET[$field_name]) && $_GET[$field_name] != '0') {
+            $query_vars[$field_name] = $_GET[$field_name];
+        }
     }
 }
 
 $social_avatar_block = SocialManager::show_social_avatar_block('search');
 $social_menu_block = SocialManager::show_social_menu('search');
-
 $social_right_content = '<div class="span9">'.UserManager::get_search_form($query).'</div>';
 
 // I'm searching something
 if ($query != '' || ($query_vars['search_type']=='1' && count($query_vars)>2) ) {
     $itemPerPage = 9;
-    
+
     if ($_GET['search_type']=='0' || $_GET['search_type']=='1') {
         $page = isset($_GET['users_page_nr']) ? intval($_GET['users_page_nr']) : 1;
         $totalUsers = UserManager::get_all_user_tags($_GET['q'], 0, 0, $itemPerPage, true);
@@ -216,9 +216,7 @@ if ($query != '' || ($query_vars['search_type']=='1' && count($query_vars)>2) )
             }
 
             $tag = isset($user['tag']) ? ' <br /><br />'.$user['tag'] : null;
-
             $user_info['complete_name'] = Display::url($status_icon.$user_info['complete_name'], $url);
-
             $invitations = $user['tag'].$send_inv.$send_msg;
 
             $results .= '<li class="span3">
diff --git a/main/wiki/index.php b/main/wiki/index.php
index 105cbe8b5f..7223f2b076 100755
--- a/main/wiki/index.php
+++ b/main/wiki/index.php
@@ -1,5 +1,6 @@
 <?php
 /* For licensing terms, see /license.txt */
+
 /**
  *	@author Patrick Cool <patrick.cool@UGent.be>, Ghent University, Belgium
  * 	@author Juan Carlos Raña <herodoto@telefonica.net>
@@ -7,8 +8,6 @@
  * 	@package chamilo.wiki
  */
 
-use \ChamiloSession as Session;
-
 // name of the language file that needs to be included
 $language_file = 'wiki';
 

From b666f820314195bdaf18553f8f2a3e836ef6e214 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Wed, 31 Dec 2014 09:14:26 +0100
Subject: [PATCH 04/26] Minor - Fixing PHP warnings

---
 main/dropbox/index.php                        |  6 ++-
 main/exercice/exercise.lib.php                |  6 ++-
 main/forum/forumfunction.inc.php              |  7 +--
 .../gradebook_display_certificate.php         |  2 +-
 main/gradebook/gradebook_edit_all.php         | 11 ++---
 main/gradebook/lib/be/abstractlink.class.php  | 44 +++++++++++++------
 main/messages/new_message.php                 |  2 +-
 main/social/group_topics.php                  |  1 +
 main/social/groups.php                        | 43 ++++++++----------
 main/social/message_for_group_form.inc.php    | 31 ++++---------
 main/survey/survey.lib.php                    |  9 ++--
 11 files changed, 84 insertions(+), 78 deletions(-)

diff --git a/main/dropbox/index.php b/main/dropbox/index.php
index 68aef7f876..a17d3e5284 100755
--- a/main/dropbox/index.php
+++ b/main/dropbox/index.php
@@ -5,7 +5,7 @@
 require_once 'dropbox_init.inc.php';
 
 // get the last time the user accessed the tool
-if ($_SESSION[$_course['id']]['last_access'][TOOL_DROPBOX] == '') {
+if (isset($_SESSION[$_course['id']]) && $_SESSION[$_course['id']]['last_access'][TOOL_DROPBOX] == '') {
 	$last_access = get_last_tool_access(TOOL_DROPBOX);
 	$_SESSION[$_course['id']]['last_access'][TOOL_DROPBOX] = $last_access;
 } else {
@@ -181,9 +181,11 @@ if (isset($_GET['error']) AND !empty($_GET['error'])) {
 	Display :: display_normal_message(get_lang($_GET['error']));
 }
 
+$dropbox_data_sent = array();
+$movelist = array();
+$dropbox_data_recieved = array();
 
 if ($action != 'add') {
-
 	// Getting all the categories in the dropbox for the given user
 	$dropbox_categories = get_dropbox_categories();
 	// Greating the arrays with the categories for the received files and for the sent files
diff --git a/main/exercice/exercise.lib.php b/main/exercice/exercise.lib.php
index 9a0b73250f..6d36767778 100755
--- a/main/exercice/exercise.lib.php
+++ b/main/exercice/exercise.lib.php
@@ -1379,7 +1379,9 @@ function get_exam_results_data(
         $teacher_id_list[] = $teacher['user_id'];
     }
 
-    //Simple exercises
+    $list_info = array();
+
+    // Simple exercises
     if (empty($hotpotatoe_where)) {
         $column = !empty($column) ? Database::escape_string($column) : null;
         $from = intval($from);
@@ -1407,7 +1409,7 @@ function get_exam_results_data(
 
         $lp_list_obj = new learnpathList(api_get_user_id());
         $lp_list = $lp_list_obj->get_flat_list();
-        $list_info = array();
+
         if (is_array($results)) {
 
             $users_array_id = array();
diff --git a/main/forum/forumfunction.inc.php b/main/forum/forumfunction.inc.php
index 4972befc9b..cce5651dd7 100755
--- a/main/forum/forumfunction.inc.php
+++ b/main/forum/forumfunction.inc.php
@@ -182,6 +182,7 @@ function handle_forum_and_forumcategories($lp_id = null)
         $return_message = delete_forum_forumcategory_thread($get_content, $get_id);
         Display::display_confirmation_message($return_message, false);
     }
+
     // Change visibility of a forum or a forum category.
     if ($action_forum_cat == 'invisible' || $action_forum_cat == 'visible') {
         $return_message = change_visibility($get_content, $get_id, $action_forum_cat);
@@ -1023,9 +1024,9 @@ function display_up_down_icon($content, $id, $list)
 /**
  * This function changes the visibility in the database (item_property)
  *
- * @param $content what is it that we want to make (in)visible: forum category, forum, thread, post
- * @param $id the id of the content we want to make invisible
- * @param $target_visibility what is the current status of the visibility (0 = invisible, 1 = visible)
+ * @param string $content what is it that we want to make (in)visible: forum category, forum, thread, post
+ * @param int $id the id of the content we want to make invisible
+ * @param string $target_visibility what is the current status of the visibility (0 = invisible, 1 = visible)
  *
  * @todo change the get parameter so that it matches the tool constants.
  * @todo check if api_item_property_update returns true or false => returnmessage depends on it.
diff --git a/main/gradebook/gradebook_display_certificate.php b/main/gradebook/gradebook_display_certificate.php
index 2364de90c4..2365fbf085 100755
--- a/main/gradebook/gradebook_display_certificate.php
+++ b/main/gradebook/gradebook_display_certificate.php
@@ -97,7 +97,7 @@ $this_section = SECTION_COURSES;
 
 Display::display_header('');
 
-if ($_GET['action'] == 'delete') {
+if (isset($_GET['action']) && $_GET['action'] == 'delete') {
     $check = Security::check_token('get');
     if ($check) {
         $certificate = new Certificate($_GET['certificate_id']);
diff --git a/main/gradebook/gradebook_edit_all.php b/main/gradebook/gradebook_edit_all.php
index 29e3d8899b..593dc197cf 100755
--- a/main/gradebook/gradebook_edit_all.php
+++ b/main/gradebook/gradebook_edit_all.php
@@ -57,7 +57,6 @@ $course_id			  =	get_course_id_by_link_id($my_selectcat);
 
 $table_link           = Database::get_main_table(TABLE_MAIN_GRADEBOOK_LINK);
 $table_evaluation     = Database::get_main_table(TABLE_MAIN_GRADEBOOK_EVALUATION);
-
 $tbl_forum_thread     = Database :: get_course_table(TABLE_FORUM_THREAD);
 $tbl_work             = Database :: get_course_table(TABLE_STUDENT_PUBLICATION);
 $tbl_attendance       = Database :: get_course_table(TABLE_ATTENDANCE);
@@ -77,7 +76,7 @@ if ($submitted==1) {
         require_once 'lib/be/evaluation.class.php';
         $eval_log = new Evaluation();
     }
-    if(isset($_POST['link'])){
+    if (isset($_POST['link'])) {
         require_once 'lib/be/abstractlink.class.php';
         //$eval_link_log = new AbstractLink();
     }
@@ -170,7 +169,7 @@ if ($my_api_cidreq=='') {
 }
 ?>
     <div class="actions">
-        <a href="<?php echo Security::remove_XSS($_SESSION['gradebook_dest']).'?id_session='.api_get_session_id().'&amp;'.$my_api_cidreq ?>&selectcat=<?php echo $my_selectcat ?>">
+        <a href="<?php echo Security::remove_XSS($_SESSION['gradebook_dest']).'?'.$my_api_cidreq ?>&selectcat=<?php echo $my_selectcat ?>">
             <?php echo Display::return_icon('back.png',get_lang('FolderView'),'',ICON_SIZE_MEDIUM); ?>
         </a>
     </div>
@@ -178,7 +177,7 @@ if ($my_api_cidreq=='') {
 $warning_message = sprintf(get_lang('TotalWeightMustBeX'), $masked_total);
 Display::display_normal_message($warning_message, false);
 ?>
-    <form method="post" action="gradebook_edit_all.php?id_session=<?php echo $_SESSION['id_session'].'&amp;'.$my_api_cidreq ?>&selectcat=<?php echo $my_selectcat?>">
+    <form method="post" action="gradebook_edit_all.php?<?php echo $my_api_cidreq ?>&selectcat=<?php echo $my_selectcat?>">
         <table class="data_table">
             <tr class="row_odd">
                 <th style="width: 35px;"><?php echo get_lang('Type'); ?></th>
@@ -189,7 +188,9 @@ Display::display_normal_message($warning_message, false);
         </table>
         <input type="hidden" name="submitted" value="1" />
         <br />
-        <button class="save" type="submit" name="name" value="<?php echo get_lang('Save') ?>"><?php echo get_lang('SaveScoringRules') ?></button>
+        <button class="save" type="submit" name="name" value="<?php echo get_lang('Save') ?>">
+            <?php echo get_lang('SaveScoringRules') ?>
+        </button>
     </form>
 <?php
 Display :: display_footer();
diff --git a/main/gradebook/lib/be/abstractlink.class.php b/main/gradebook/lib/be/abstractlink.class.php
index 4d4e8a6617..3e57a6fc52 100755
--- a/main/gradebook/lib/be/abstractlink.class.php
+++ b/main/gradebook/lib/be/abstractlink.class.php
@@ -300,9 +300,9 @@ abstract class AbstractLink implements GradebookItem
     /**
      * Update the properties of this link in the database
      */
-    public function save() {
+    public function save()
+    {
         $this->save_linked_data();
-
         $tbl_grade_links = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_LINK);
         $sql = "UPDATE $tbl_grade_links SET
                     type        = ".intval($this->get_type()).",
@@ -322,7 +322,7 @@ abstract class AbstractLink implements GradebookItem
     /**
      * @param int $idevaluation
      */
-    public function add_link_log($idevaluation)
+    public static function add_link_log($idevaluation)
     {
         $tbl_grade_linkeval_log = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_LINKEVAL_LOG);
         $dateobject=AbstractLink::load ($idevaluation,null,null,null,null);
@@ -345,7 +345,8 @@ abstract class AbstractLink implements GradebookItem
     /**
      * Delete this link from the database
      */
-    public function delete() {
+    public function delete()
+    {
         $this->delete_linked_data();
         $tbl_grade_links = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_LINK);
         $sql = 'DELETE FROM '.$tbl_grade_links.' WHERE id = '.intval($this->id);
@@ -361,7 +362,6 @@ abstract class AbstractLink implements GradebookItem
     public function get_target_categories()
     {
         // links can only be moved to categories inside this course
-
         $targets = array();
         $level = 0;
 
@@ -416,22 +416,26 @@ abstract class AbstractLink implements GradebookItem
                 $foundlinks[] = $link;
             }
         }
+
         return $foundlinks;
     }
 
-
-    // Other methods implementing GradebookItem
+    /**
+     * @return string
+     */
     public function get_item_type()
     {
         return 'L';
     }
 
-    public function get_icon_name() {
+    /**
+     * @return string
+     */
+    public function get_icon_name()
+    {
         return 'link';
     }
 
-    // ABSTRACT FUNCTIONS - to be implemented by subclass
-
     abstract function has_results();
     abstract function get_link();
     abstract function is_valid_link();
@@ -469,19 +473,31 @@ abstract class AbstractLink implements GradebookItem
     {
     }
 
+    /**
+     *
+     */
     public function delete_linked_data()
     {
     }
 
-    public function set_name ($name)
+    /**
+     * @param $name
+     */
+    public function set_name($name)
     {
     }
 
-    public function set_description ($description)
+    /**
+     * @param $description
+     */
+    public function set_description($description)
     {
     }
 
-    public function set_max ($max)
+    /**
+     * @param $max
+     */
+    public function set_max($max)
     {
     }
 
@@ -495,7 +511,7 @@ abstract class AbstractLink implements GradebookItem
      * @param int locked 1 or unlocked 0
      *
      * */
-    function lock($locked)
+    public function lock($locked)
     {
         $table = Database::get_main_table(TABLE_MAIN_GRADEBOOK_LINK);
         $sql = "UPDATE $table SET locked = '".intval($locked)."' WHERE id='".$this->id."'";
diff --git a/main/messages/new_message.php b/main/messages/new_message.php
index 22f8ce2d15..7b63fee8d3 100755
--- a/main/messages/new_message.php
+++ b/main/messages/new_message.php
@@ -344,7 +344,7 @@ if (!isset($_POST['compose'])) {
         // post
         if ($restrict) {
             if (!isset($_POST['group_id'])) {
-                $default['users']	 = $_POST['users'];
+                $default['users'] = isset($_POST['users']) ? $_POST['users'] : null;
             } else {
                 $default['group_id'] = $_POST['group_id'];
             }
diff --git a/main/social/group_topics.php b/main/social/group_topics.php
index 7e7e6c87cd..fd2ca973c3 100755
--- a/main/social/group_topics.php
+++ b/main/social/group_topics.php
@@ -1,5 +1,6 @@
 <?php
 /* For licensing terms, see /license.txt */
+
 /**
  * @package chamilo.social
  * @author Julio Montoya <gugli100@gmail.com>
diff --git a/main/social/groups.php b/main/social/groups.php
index 322a6370a2..20610891fb 100755
--- a/main/social/groups.php
+++ b/main/social/groups.php
@@ -1,5 +1,6 @@
 <?php
 /* For licensing terms, see /license.txt */
+
 /**
  * @package chamilo.social
  * @author Julio Montoya <gugli100@gmail.com>
@@ -47,9 +48,7 @@ function remove_image_form(id_elem1) {
 	if (filepaths.childNodes.length < 3) {
 		var link_attach = document.getElementById("link-more-attach");
 		if (link_attach) {
-			link_attach.innerHTML=\'<a href="javascript://" onclick="return add_image_form()">' . get_lang(
-        'AddOneMoreFile'
-    ) . '</a>\';
+			link_attach.innerHTML=\'<a href="javascript://" onclick="return add_image_form()">' . get_lang('AddOneMoreFile') . '</a>\';
 		}
 	}
 }
@@ -67,10 +66,7 @@ function add_image_form() {
 	filepaths.appendChild(elem1);
 	id_elem1 = "filepath_"+counter_image;
 	id_elem1 = "\'"+id_elem1+"\'";
-	document.getElementById("filepath_"+counter_image).innerHTML = "<input type=\"file\" name=\"attach_"+counter_image+"\"  size=\"20\" />&nbsp;<a href=\"javascript:remove_image_form("+id_elem1+")\"><img src=\"' . api_get_path(
-        WEB_CODE_PATH
-    ) . 'img/delete.gif\"></a>";
-
+	document.getElementById("filepath_"+counter_image).innerHTML = "<input type=\"file\" name=\"attach_"+counter_image+"\"  size=\"20\" />&nbsp;<a href=\"javascript:remove_image_form("+id_elem1+")\"><img src=\"' . api_get_path(WEB_CODE_PATH) . 'img/delete.gif\"></a>";
 	if (filepaths.childNodes.length == 3) {
 		var link_attach = document.getElementById("link-more-attach");
 		if (link_attach) {
@@ -92,34 +88,33 @@ jQuery(document).ready(function() {
     $("#tab_browse").bind("tabsselect", function(event, ui) {
 		window.location.href=ui.tab;
     });
+
 	$("#tabs").tabs();
 	$("#tab_browse").tabs();
-
     var valor = "' . $anchor . '";
 
     $(".head").click(function() {
-				$(this).next().next().slideToggle("fast");
-				image_clicked = $("#" + this.id + " img").attr("src");
-				image_clicked_info = image_clicked.split("/");
-				image_real_clicked = image_clicked_info[image_clicked_info.length-1];
-				image_path = image_clicked.split("img");
-				current_path = image_path[0]+"img/";
-				if (image_real_clicked == "div_show.gif") {
-					current_path = current_path+"div_hide.gif";
-					$("#" + this.id + " img").attr("src", current_path);
-				} else {
-					current_path = current_path+"div_show.gif";
-					$("#" + this.id + " img").attr("src", current_path)
-				}
-				return false;
-		 	}).next().next().hide();
+        $(this).next().next().slideToggle("fast");
+        image_clicked = $("#" + this.id + " img").attr("src");
+        image_clicked_info = image_clicked.split("/");
+        image_real_clicked = image_clicked_info[image_clicked_info.length-1];
+        image_path = image_clicked.split("img");
+        current_path = image_path[0]+"img/";
+        if (image_real_clicked == "div_show.gif") {
+            current_path = current_path+"div_hide.gif";
+            $("#" + this.id + " img").attr("src", current_path);
+        } else {
+            current_path = current_path+"div_show.gif";
+            $("#" + this.id + " img").attr("src", current_path)
+        }
+        return false;
+    }).next().next().hide();
 
    // anchor for current topic
    if (valor) {
    		$("#"+valor).show();
    		window.location = document.URL+"#"+valor;
    }
-
 });
 </script>';
 
diff --git a/main/social/message_for_group_form.inc.php b/main/social/message_for_group_form.inc.php
index aad98fd704..1531461564 100755
--- a/main/social/message_for_group_form.inc.php
+++ b/main/social/message_for_group_form.inc.php
@@ -4,9 +4,7 @@
  * Form for group message
  * @package chamilo.social
  */
-/**
- * Initialization
- */
+
 $language_file = array('registration', 'messages', 'userInfo', 'admin');
 $cidReset = true;
 require_once '../inc/global.inc.php';
@@ -36,19 +34,15 @@ if (isset($_REQUEST['user_friend'])) {
 }
 
 $group_id = intval($_GET['group_id']);
+$message_id = isset($_GET['message_id']) ? intval($_GET['message_id']) : null;
 
-$message_id = intval($_GET['message_id']);
 $actions = array(
     'add_message_group',
     'edit_message_group',
     'reply_message_group'
 );
 
-$allowed_action = (isset($_GET['action']) && in_array(
-        $_GET['action'],
-        $actions
-    )) ? Security::remove_XSS($_GET['action']) : '';
-
+$allowed_action = (isset($_GET['action']) && in_array($_GET['action'], $actions)) ? Security::remove_XSS($_GET['action']) : '';
 $to_group = '';
 $subject = '';
 $message = '';
@@ -75,24 +69,15 @@ if (!empty($group_id) && $allowed_action) {
     }
 }
 
-$page_item = !empty($_GET['topics_page_nr']) ? intval(
-    $_GET['topics_page_nr']
-) : 1;
-$param_item_page = isset($_GET['items_page_nr']) && isset($_GET['topic_id']) ? ('&items_' . intval(
-        $_GET['topic_id']
-    ) . '_page_nr=' . (!empty($_GET['topics_page_nr']) ? intval(
-        $_GET['topics_page_nr']
-    ) : 1)) : '';
+$page_item = !empty($_GET['topics_page_nr']) ? intval($_GET['topics_page_nr']) : 1;
+$param_item_page = isset($_GET['items_page_nr']) && isset($_GET['topic_id']) ? ('&items_' . intval($_GET['topic_id']) . '_page_nr=' . (!empty($_GET['topics_page_nr']) ? intval($_GET['topics_page_nr']) : 1)) : '';
 $param_item_page .= '&topic_id=' . intval($_GET['topic_id']);
-$page_topic = !empty($_GET['topics_page_nr']) ? intval(
-    $_GET['topics_page_nr']
-) : 1;
+$page_topic = !empty($_GET['topics_page_nr']) ? intval($_GET['topics_page_nr']) : 1;
+$anchor = isset($_GET['anchor_topic']) ? Security::remove_XSS($_GET['anchor_topic']) : null;
 ?>
 
 <form name="form"
-      action="group_topics.php?id=<?php echo $group_id ?>&anchor_topic=<?php echo Security::remove_XSS(
-          $_GET['anchor_topic']
-      ) ?>&topics_page_nr=<?php echo $page_topic . $param_item_page ?>"
+      action="group_topics.php?id=<?php echo $group_id ?>&anchor_topic=<?php echo $anchor; ?>&topics_page_nr=<?php echo $page_topic . $param_item_page ?>"
       method="POST" enctype="multipart/form-data">
     <input type="hidden" name="action" value="<?php echo $allowed_action ?>"/>
     <input type="hidden" name="group_id" value="<?php echo $group_id ?>"/>
diff --git a/main/survey/survey.lib.php b/main/survey/survey.lib.php
index 963e836043..40efc3ee81 100755
--- a/main/survey/survey.lib.php
+++ b/main/survey/survey.lib.php
@@ -872,6 +872,7 @@ class survey_manager
         $sql = "SELECT * FROM $table_survey_question_option
 		        WHERE c_id = $course_id AND survey_id='".Database::escape_string($survey_id)."'";
         $result = Database::query($sql);
+        $return = array();
         while ($row = Database::fetch_array($result, 'ASSOC')) {
             $return[$row['question_id']]['answers'][] = $row['option_text'];
         }
@@ -2631,7 +2632,7 @@ class SurveyUtil
      * @author Patrick Cool <patrick.cool@UGent.be>, Ghent University
      * @version February 2007
      */
-    static function handle_reporting_actions($survey_data, $people_filled)
+    public static function handle_reporting_actions($survey_data, $people_filled)
     {
         $action = isset($_GET['action']) ? $_GET['action'] : null;
 
@@ -2639,7 +2640,8 @@ class SurveyUtil
         $temp_questions_data = survey_manager::get_questions($_GET['survey_id']);
 
         // Sorting like they should be displayed and removing the non-answer question types (comment and pagebreak)
-        $my_temp_questions_data=($temp_questions_data==null) ? array() : $temp_questions_data;
+        $my_temp_questions_data = ($temp_questions_data==null) ? array() : $temp_questions_data;
+        $questions_data = array();
         foreach ($my_temp_questions_data as $key => & $value) {
             if ($value['type'] != 'comment' && $value['type'] != 'pagebreak') {
                 $questions_data[$value['sort']] = $value;
@@ -2892,6 +2894,7 @@ class SurveyUtil
         }
 
         $currentQuestion = isset($_GET['question']) ? $_GET['question'] : 0;
+        $question = array();
 
         echo '<div class="actions">';
         echo '<a href="'.api_get_path(WEB_CODE_PATH).'survey/reporting.php?survey_id='.Security::remove_XSS($_GET['survey_id']).'">'.
@@ -2938,7 +2941,7 @@ class SurveyUtil
             }
         }
 
-        echo $question['survey_question'];
+        echo isset($question['survey_question']) ? $question['survey_question'] : null;
 
         if ($question['type'] == 'score') {
             /** @todo This function should return the options as this is needed further in the code */

From ddf30bfab7b4680e1c1b60107e05c728341bc223 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Wed, 31 Dec 2014 09:14:45 +0100
Subject: [PATCH 05/26] Fixing queries see #7440

---
 main/inc/lib/link.lib.php        |   4 +-
 main/inc/lib/main_api.lib.php    |  18 ++--
 main/inc/lib/usermanager.lib.php |  89 +++++++++++++------
 main/social/search.php           |   6 +-
 main/wiki/wiki.inc.php           | 143 +++++++++++++++++--------------
 5 files changed, 160 insertions(+), 100 deletions(-)

diff --git a/main/inc/lib/link.lib.php b/main/inc/lib/link.lib.php
index 9799a4520f..29a9f2f00c 100755
--- a/main/inc/lib/link.lib.php
+++ b/main/inc/lib/link.lib.php
@@ -565,7 +565,7 @@ function editlinkcategory($type)
             if (empty ($mytarget)) {
                 $mytarget = '_self';
             }
-            $mytarget = ",target='" . $target . "'";
+            $mytarget = ", target='" . $target . "'";
 
             // Finding the old category_id.
             $sql = "SELECT * FROM " . $tbl_link . "
@@ -592,7 +592,7 @@ function editlinkcategory($type)
                 "description='" . Database :: escape_string($_POST['description']) . "', " .
                 "category_id='" . Database :: escape_string($_POST['selectcategory']) . "', " .
                 "display_order='" . $max_display_order . "', " .
-                "on_homepage='" . Database :: escape_string($onhomepage) . " ' $mytarget " .
+                "on_homepage= '" . Database :: escape_string($onhomepage) ."' $mytarget " .
                 " WHERE c_id = $course_id AND id='" . intval($_POST['id']) . "'";
             Database :: query($sql);
 
diff --git a/main/inc/lib/main_api.lib.php b/main/inc/lib/main_api.lib.php
index 9c6b86557e..303ce8d15d 100755
--- a/main/inc/lib/main_api.lib.php
+++ b/main/inc/lib/main_api.lib.php
@@ -3348,6 +3348,7 @@ function api_item_property_update(
     // Definition of variables.
     $tool = Database::escape_string($tool);
     $item_id = intval($item_id);
+    $lastEditTypeNoFilter = $lastedit_type;
     $lastedit_type = Database::escape_string($lastedit_type);
     $user_id = intval($user_id);
     $to_group_id = intval($to_group_id);
@@ -3415,7 +3416,7 @@ function api_item_property_update(
 
     // Update if possible
     $set_type = '';
-    switch ($lastedit_type) {
+    switch ($lastEditTypeNoFilter) {
         case 'delete':
             // delete = make item only visible for the platform admin.
             $visibility = '2';
@@ -3448,17 +3449,18 @@ function api_item_property_update(
                             lastedit_user_id = '$user_id',
                             visibility='$visibility' $set_type
                         WHERE $filter";
-
             }
             break;
         case 'visible' : // Change item to visible.
             $visibility = '1';
-
             if (!empty($session_id)) {
-
                 // Check whether session id already exist into item_properties for updating visibility or add it.
                 $sql = "SELECT id_session FROM $TABLE_ITEMPROPERTY
-                        WHERE c_id = $course_id AND tool = '$tool' AND ref = '$item_id' AND id_session = '$session_id'";
+                        WHERE
+                            c_id = $course_id AND
+                            tool = '$tool' AND
+                            ref = '$item_id' AND
+                            id_session = '$session_id'";
                 $rs = Database::query($sql);
                 if (Database::num_rows($rs) > 0) {
                     $sql = "UPDATE $TABLE_ITEMPROPERTY
@@ -3488,7 +3490,11 @@ function api_item_property_update(
             if (!empty($session_id)) {
                 // Check whether session id already exist into item_properties for updating visibility or add it
                 $sql = "SELECT id_session FROM $TABLE_ITEMPROPERTY
-                        WHERE c_id=$course_id AND tool = '$tool' AND ref='$item_id' AND id_session = '$session_id'";
+                        WHERE
+                            c_id = $course_id AND
+                            tool = '$tool' AND
+                            ref='$item_id' AND
+                            id_session = '$session_id'";
                 $rs = Database::query($sql);
                 if (Database::num_rows($rs) > 0) {
                     $sql = "UPDATE $TABLE_ITEMPROPERTY
diff --git a/main/inc/lib/usermanager.lib.php b/main/inc/lib/usermanager.lib.php
index fa1cc8b552..e9721d696a 100755
--- a/main/inc/lib/usermanager.lib.php
+++ b/main/inc/lib/usermanager.lib.php
@@ -1303,7 +1303,7 @@ class UserManager
 
     /**
      * Update User extra field file type into {user_folder}/{$extra_field}
-     * @param $user_id              The user internal identification number
+     * @param int $user_id          The user internal identification number
      * @param string $extra_field   The $extra_field The extra field name
      * @param null $file            The filename
      * @param null $source_file     The temporal filename
@@ -1318,6 +1318,7 @@ class UserManager
         if (empty($user_id)) {
             return false;
         }
+
         if (empty($source_file)) {
             $source_file = $file;
         }
@@ -1495,9 +1496,10 @@ class UserManager
 
     /**
      * Update an extra field value for a given user
-     * @param    integer    User ID
-     * @param    string    Field variable name
-     * @param    string    Field value
+     * @param    integer   $user_id User ID
+     * @param    string    $fname Field variable name
+     * @param    string    $fvalue Field value
+     *
      * @return    boolean    true if field updated, false otherwise
      */
     public static function update_extra_field_value($user_id, $fname, $fvalue = '')
@@ -1508,24 +1510,28 @@ class UserManager
         $t_ufv = Database::get_main_table(TABLE_MAIN_USER_FIELD_VALUES);
         $fname = Database::escape_string($fname);
 
-        if ($user_id != strval(intval($user_id)))
+        if ($user_id != strval(intval($user_id))) {
             return false;
-        if ($user_id === false)
+        }
+
+        if ($user_id === false) {
             return false;
+        }
 
         $fvalues = '';
-
-        //echo '<pre>'; print_r($fvalue);
         if (is_array($fvalue)) {
             foreach ($fvalue as $val) {
-                $fvalues .= Database::escape_string($val).';';
+                $fvalues .= $val.';';
             }
             if (!empty($fvalues)) {
                 $fvalues = substr($fvalues, 0, -1);
             }
         } else {
-            $fvalues = Database::escape_string($fvalue);
+            $fvalues = $fvalue;
         }
+
+        $fvalues = Database::escape_string($fvalues);
+
         $sqluf = "SELECT * FROM $t_uf WHERE field_variable='$fname'";
         $resuf = Database::query($sqluf);
         $is_extra_file = false;
@@ -1571,7 +1577,12 @@ class UserManager
                         $fvalue['name'] = Security::filter_filename($fvalue['name']);
                         $fvalue['tmp_name'] = Security::filter_filename($fvalue['tmp_name']);
                         // Update and recover the filename
-                        $fvalues = UserManager::update_user_extra_file($user_id, $rowuf['field_variable'], $fvalue['name'], $fvalue['tmp_name']);
+                        $fvalues = UserManager::update_user_extra_file(
+                            $user_id,
+                            $rowuf['field_variable'],
+                            $fvalue['name'],
+                            $fvalue['tmp_name']
+                        );
                     } else {
                         // Set empty string to $fvalues to delete it
                         $fvalues = '';
@@ -1583,7 +1594,9 @@ class UserManager
                     break;
             }
             $tms = time();
-            $sqlufv = "SELECT * FROM $t_ufv WHERE user_id = $user_id AND field_id = ".$rowuf['id']." ORDER BY id";
+            $sqlufv = "SELECT * FROM $t_ufv
+                       WHERE user_id = $user_id AND field_id = ".$rowuf['id']."
+                       ORDER BY id";
             $resufv = Database::query($sqlufv);
             $n = Database::num_rows($resufv);
             if ($n > 1) {
@@ -1596,9 +1609,12 @@ class UserManager
                     }
                     $rowufv = Database::fetch_array($resufv);
                     if ($rowufv['field_value'] != $fvalues) {
-                        $sqlu = "UPDATE $t_ufv SET field_value = '$fvalues', tms = FROM_UNIXTIME($tms) WHERE id = ".$rowufv['id'];
+                        $sqlu = "UPDATE $t_ufv SET
+                                    field_value = '$fvalues',
+                                    tms = FROM_UNIXTIME($tms)
+                                WHERE id = ".$rowufv['id'];
                         $resu = Database::query($sqlu);
-                        return($resu ? true : false);
+                        return ($resu ? true : false);
                     }
                     return true;
                 }
@@ -1612,29 +1628,35 @@ class UserManager
                     }
                     // If the new field is empty, delete it
                     if ($fvalues == '') {
-                        $sql_query = "DELETE FROM $t_ufv WHERE id = ".$rowufv['id'].";";
+                        $sql_query = "DELETE FROM $t_ufv
+                                      WHERE id = ".$rowufv['id'].";";
                     } else {
                         // Otherwise update it
-                        $sql_query = "UPDATE $t_ufv SET field_value = '$fvalues', tms = FROM_UNIXTIME($tms) WHERE id = ".$rowufv['id'];
+                        $sql_query = "UPDATE $t_ufv SET
+                                        field_value = '$fvalues',
+                                        tms = FROM_UNIXTIME($tms)
+                                      WHERE id = ".$rowufv['id'];
                     }
 
                     $resu = Database::query($sql_query);
-                    return($resu ? true : false);
+                    return ($resu ? true : false);
                 }
+
                 return true;
             } else {
-                $sqli = "INSERT INTO $t_ufv (user_id,field_id,field_value,tms) ".
-                    "VALUES ($user_id,".$rowuf['id'].",'$fvalues',FROM_UNIXTIME($tms))";
+                $sqli = "INSERT INTO $t_ufv (user_id,field_id,field_value,tms)
+                         VALUES ( $user_id, ".$rowuf['id'].", '$fvalues', FROM_UNIXTIME($tms))";
                 $resi = Database::query($sqli);
-                return($resi ? true : false);
+                return ($resi ? true : false);
             }
         } else {
-            return false; //field not found
+            // Field not found
+            return false;
         }
     }
 
     /**
-     * Get an array of extra fieds with field details (type, default value and options)
+     * Get an array of extra fields with field details (type, default value and options)
      * @param    integer    Offset (from which row)
      * @param    integer    Number of items
      * @param    integer    Column on which sorting is made
@@ -3573,8 +3595,13 @@ class UserManager
      * @param bool $getCount get count or not
      * @return array
      */
-    public static function get_all_user_tags($tag, $field_id = 0, $from = 0, $number_of_items = 10, $getCount = false)
-    {
+    public static function get_all_user_tags(
+        $tag,
+        $field_id = 0,
+        $from = 0,
+        $number_of_items = 10,
+        $getCount = false
+    ) {
         $user_table = Database::get_main_table(TABLE_MAIN_USER);
         $table_user_tag = Database::get_main_table(TABLE_MAIN_TAG);
         $table_user_tag_values = Database::get_main_table(TABLE_MAIN_USER_REL_TAG);
@@ -3609,8 +3636,8 @@ class UserManager
                         u.firstname LIKE '".Database::escape_string("%".$tag."%")."' OR
                         u.lastname LIKE '".Database::escape_string("%".$tag."%")."' OR
                         u.username LIKE '".Database::escape_string("%".$tag."%")."' OR
-                        concat(u.firstname,' ',u.lastname) LIKE '".Database::escape_string("%".$tag."%")."' OR
-                        concat(u.lastname,' ',u.firstname) LIKE '".Database::escape_string("%".$tag."%")."'
+                        concat(u.firstname, ' ', u.lastname) LIKE '".Database::escape_string("%".$tag."%")."' OR
+                        concat(u.lastname, ' ', u.firstname) LIKE '".Database::escape_string("%".$tag."%")."'
                      )
                      ".(!empty($where_extra_fields) ? $where_extra_fields : '')."
                      AND
@@ -3635,8 +3662,14 @@ class UserManager
                 return $row['count'];
             }
             while ($row = Database::fetch_array($result, 'ASSOC')) {
-                if (isset($return[$row['user_id']]) && !empty($return[$row['user_id']]['tag'])) {
-                    $url = Display::url($row['tag'], api_get_path(WEB_PATH).'main/social/search.php?q='.$row['tag'], array('class' => 'tag'));
+                if (isset($return[$row['user_id']]) &&
+                    !empty($return[$row['user_id']]['tag'])
+                ) {
+                    $url = Display::url(
+                        $row['tag'],
+                        api_get_path(WEB_PATH).'main/social/search.php?q='.$row['tag'],
+                        array('class' => 'tag')
+                    );
                     $row['tag'] = $url;
                 }
                 $return[$row['user_id']] = $row;
diff --git a/main/social/search.php b/main/social/search.php
index bc5907a8c6..5f83164ccf 100755
--- a/main/social/search.php
+++ b/main/social/search.php
@@ -135,7 +135,7 @@ $this_section      = SECTION_SOCIAL;
 $tool_name         = get_lang('Search');
 $interbreadcrumb[] = array('url' => 'profile.php', 'name' => get_lang('SocialNetwork'));
 
-$query = isset($_GET['q']) ? Database::escape_string($_GET['q']) : null;
+$query = isset($_GET['q']) ? Security::remove_XSS($_GET['q']): null;
 $query_search_type = isset($_GET['search_type']) && in_array($_GET['search_type'], array('0','1','2')) ? $_GET['search_type'] : null;
 $extra_fields = UserManager::get_extra_filtrable_fields();
 $query_vars = array('q' => $query, 'search_type' => $query_search_type);
@@ -152,6 +152,9 @@ $social_avatar_block = SocialManager::show_social_avatar_block('search');
 $social_menu_block = SocialManager::show_social_menu('search');
 $social_right_content = '<div class="span9">'.UserManager::get_search_form($query).'</div>';
 
+$groups = array();
+$totalGroups = array();
+
 // I'm searching something
 if ($query != '' || ($query_vars['search_type']=='1' && count($query_vars)>2) ) {
     $itemPerPage = 9;
@@ -169,7 +172,6 @@ if ($query != '' || ($query_vars['search_type']=='1' && count($query_vars)>2) )
         $pageGroup = isset($_GET['groups_page_nr']) ? intval($_GET['groups_page_nr']) : 1;
         // Groups
         $fromGroups = intval(($pageGroup - 1) * $itemPerPage);
-
         $totalGroups = GroupPortalManager::get_all_group_tags($_GET['q'], 0, $itemPerPage, true);
         $groups = GroupPortalManager::get_all_group_tags($_GET['q'], $fromGroups, $itemPerPage);
     }
diff --git a/main/wiki/wiki.inc.php b/main/wiki/wiki.inc.php
index f4264cb955..956663668d 100755
--- a/main/wiki/wiki.inc.php
+++ b/main/wiki/wiki.inc.php
@@ -1,15 +1,16 @@
 <?php
 /* For licensing terms, see /license.txt */
+
+use \ChamiloSession as Session;
+
 /**
+ * Class Wiki
  * Functions library for the wiki tool
  * @author Juan Carlos Raña <herodoto@telefonica.net>
  * @author Patrick Cool <patrick.cool@UGent.be>, Ghent University, Belgium
  * @author Julio Montoya <gugli100@gmail.com> using the pdf.lib.php library
  * @package chamilo.wiki
  */
-
-use \ChamiloSession as Session;
-
 class Wiki
 {
     public $tbl_wiki;
@@ -29,6 +30,9 @@ class Wiki
     public $wikiData = array();
     public $url;
 
+    /**
+     * Constructor
+     */
     public function __construct()
     {
         // Database table definition
@@ -239,6 +243,7 @@ class Wiki
     /**
      * This function saves a change in a wiki page
      * @author Patrick Cool <patrick.cool@ugent.be>, Ghent University
+     * @param array $values
      * @return language string saying that the changes are stored
      **/
     public function save_wiki($values)
@@ -267,20 +272,20 @@ class Wiki
         // NOTE: visibility, visibility_disc and ratinglock_disc changes are not made here, but through the interce buttons
 
         // cleaning the variables
-        $_clean['page_id']		= Database::escape_string($values['page_id']);
-        $_clean['reflink']		= Database::escape_string(trim($values['reflink']));
-        $_clean['title']		= Database::escape_string(trim($values['title']));
-        $_clean['content']		= Database::escape_string($values['content']);
+        $_clean['page_id'] = intval($values['page_id']);
+        $_clean['reflink'] = Database::escape_string(trim($values['reflink']));
+        $_clean['title'] = Database::escape_string(trim($values['title']));
+        $_clean['content'] = Database::escape_string($values['content']);
         if (api_get_setting('htmlpurifier_wiki') == 'true'){
             $purifier = new HTMLPurifier();
             $_clean['content'] = $purifier->purify($_clean['content']);
         }
-        $_clean['user_id']		= api_get_user_id();
-        $_clean['assignment']	= Database::escape_string($values['assignment']);
-        $_clean['comment']		= Database::escape_string($values['comment']);
-        $_clean['progress']		= Database::escape_string($values['progress']);
-        $_clean['version']		= intval($values['version']) + 1 ;
-        $_clean['linksto'] 		= self::links_to($_clean['content']); //and check links content
+        $_clean['user_id'] = api_get_user_id();
+        $_clean['assignment']= Database::escape_string($values['assignment']);
+        $_clean['comment'] = Database::escape_string($values['comment']);
+        $_clean['progress']	= Database::escape_string($values['progress']);
+        $_clean['version'] = intval($values['version']) + 1 ;
+        $_clean['linksto'] = self::links_to($_clean['content']); //and check links content
 
         //cleaning config variables
         if (!empty($values['task'])) {
@@ -321,22 +326,30 @@ class Wiki
         $sql = "INSERT INTO ".$tbl_wiki." (c_id, page_id, reflink, title, content, user_id, group_id, dtime, assignment, comment, progress, version, linksto, user_ip, session_id)
                 VALUES ($course_id, '".$_clean['page_id']."','".$_clean['reflink']."','".$_clean['title']."','".$_clean['content']."','".$_clean['user_id']."','".$groupId."','".$dtime."','".$_clean['assignment']."','".$_clean['comment']."','".$_clean['progress']."','".$_clean['version']."','".$_clean['linksto']."','".Database::escape_string($_SERVER['REMOTE_ADDR'])."', '".Database::escape_string($session_id)."')";
         Database::query($sql);
-        $Id = Database::insert_id();
 
-        if ($Id > 0) {
+        $id = Database::insert_id();
+
+        if ($id > 0) {
             //insert into item_property
-            api_item_property_update(api_get_course_info(), TOOL_WIKI, $Id, 'WikiAdded', api_get_user_id(), $groupId);
+            api_item_property_update(
+                api_get_course_info(),
+                TOOL_WIKI,
+                $id,
+                'WikiAdded',
+                api_get_user_id(),
+                $groupId
+            );
         }
 
-        if ($_clean['page_id']	==0) {
-            $sql='UPDATE '.$tbl_wiki.' SET page_id="'.$Id.'" WHERE c_id = '.$course_id.' AND id="'.$Id.'"';
+        if ($_clean['page_id']	== 0) {
+            $sql='UPDATE '.$tbl_wiki.' SET page_id="'.$id.'" WHERE c_id = '.$course_id.' AND id="'.$id.'"';
             Database::query($sql);
         }
 
         //update wiki config
-        if ($_clean['reflink']=='index' && $_clean['version']==1) {
-            $sql="INSERT INTO ".$tbl_wiki_conf." (c_id, page_id, task, feedback1, feedback2, feedback3, fprogress1, fprogress2, fprogress3, max_text, max_version, startdate_assig, enddate_assig, delayedsubmit)
-                  VALUES ($course_id, '".$Id."','".$_clean['task']."','".$_clean['feedback1']."','".$_clean['feedback2']."','".$_clean['feedback3']."','".$_clean['fprogress1']."','".$_clean['fprogress2']."','".$_clean['fprogress3']."','".$_clean['max_text']."','".$_clean['max_version']."','".$_clean['startdate_assig']."','".$_clean['enddate_assig']."','".$_clean['delayedsubmit']."')";
+        if ($values['reflink'] == 'index' && $_clean['version'] == 1 ) {
+            $sql = "INSERT INTO ".$tbl_wiki_conf." (c_id, page_id, task, feedback1, feedback2, feedback3, fprogress1, fprogress2, fprogress3, max_text, max_version, startdate_assig, enddate_assig, delayedsubmit)
+                  VALUES ($course_id, '".$id."','".$_clean['task']."','".$_clean['feedback1']."','".$_clean['feedback2']."','".$_clean['feedback3']."','".$_clean['fprogress1']."','".$_clean['fprogress2']."','".$_clean['fprogress3']."','".$_clean['max_text']."','".$_clean['max_version']."','".$_clean['startdate_assig']."','".$_clean['enddate_assig']."','".$_clean['delayedsubmit']."')";
         } else {
             $sql = 'UPDATE '.$tbl_wiki_conf.' SET
                         task="'.$_clean['task'].'",
@@ -355,10 +368,11 @@ class Wiki
                         page_id = "'.$_clean['page_id'].'" AND
                         c_id = '.$course_id;
         }
+
         Database::query($sql);
-        api_item_property_update($_course, 'wiki', $Id, 'WikiAdded', api_get_user_id(), $groupId);
+        api_item_property_update($_course, 'wiki', $id, 'WikiAdded', api_get_user_id(), $groupId);
         self::check_emailcue($_clean['reflink'], 'P', $dtime, $_clean['user_id']);
-        $this->setWikiData($Id);
+        $this->setWikiData($id);
 
         return get_lang('Saved');
     }
@@ -403,8 +417,8 @@ class Wiki
         ($course_id, '".$r_page_id."','".$r_reflink."','".$r_title."','".$r_content."','".$r_user_id."','".$r_group_id."','".$r_dtime."','".$r_assignment."','".$r_comment."','".$r_progress."','".$r_version."','".$r_linksto."','".Database::escape_string($_SERVER['REMOTE_ADDR'])."','".Database::escape_string($session_id)."')";
 
         Database::query($sql);
-        $Id = Database::insert_id();
-        api_item_property_update($_course, 'wiki', $Id, 'WikiAdded', api_get_user_id(), $r_group_id);
+        $id = Database::insert_id();
+        api_item_property_update($_course, 'wiki', $id, 'WikiAdded', api_get_user_id(), $r_group_id);
         self::check_emailcue($r_reflink, 'P', $r_dtime, $r_user_id);
 
         return get_lang('PageRestored');
@@ -739,18 +753,17 @@ class Wiki
         $KeyVisibility=$row['visibility'];
 
         // second, show the last version
-        $sql = 'SELECT * FROM '.$tbl_wiki.' w , '.$tbl_wiki_conf.' wc
+        $sql = 'SELECT * FROM '.$tbl_wiki.' w INNER JOIN '.$tbl_wiki_conf.' wc
+                ON (wc.page_id = w.page_id AND wc.c_id = w.c_id)
                 WHERE
-                    wc.c_id 	  = '.$course_id.' AND
                     w.c_id 		  = '.$course_id.' AND
-                    wc.page_id	  = w.page_id AND
                     w.reflink	  = "'.Database::escape_string($pageMIX).'" AND
                     w.session_id  = '.$session_id.' AND
                     w.'.$groupfilter.'  '.$filter.'
                 ORDER BY id DESC';
 
         $result = Database::query($sql);
-        $row    = Database::fetch_array($result); // we do not need a while loop since we are always displaying the last version
+        $row = Database::fetch_array($result); // we do not need a while loop since we are always displaying the last version
 
         //log users access to wiki (page_id)
         if (!empty($row['page_id'])) {
@@ -1286,7 +1299,7 @@ class Wiki
                         c_id = '.$course_id.' AND
                         reflink="'.Database::escape_string($page).'" AND
                         '.$groupfilter.$condition_session;
-             //Visibility. Value to all,not only for the first
+            //Visibility. Value to all,not only for the first
             Database::query($sql);
 
             //Although the value now is assigned to all (not only the first), these three lines remain necessary. They do that by changing the page state is made when you press the button and not have to wait to change his page
@@ -2375,7 +2388,7 @@ class Wiki
                 WHERE
                     c_id = '.$course_id.' AND
                     is_editing="'.$isEditing.'" '.
-                    $condition_session;
+            $condition_session;
         Database::query($sql);
     }
 
@@ -3545,25 +3558,26 @@ class Wiki
             //fix index to title Main page into linksto
 
             if ($page == 'index') {
-                $page=str_replace(' ','_',get_lang('DefaultTitle'));
+                $page = str_replace(' ','_',get_lang('DefaultTitle'));
             }
 
             //table
-            if (api_is_allowed_to_edit(false,true) || api_is_platform_admin()) { //only by professors if page is hidden
+            if (api_is_allowed_to_edit(false,true) || api_is_platform_admin()) {
+                //only by professors if page is hidden
                 $sql = "SELECT * FROM ".$tbl_wiki." s1
-                        WHERE s1.c_id = $course_id AND linksto LIKE '%".Database::escape_string($page)." %' AND id=(
+                        WHERE s1.c_id = $course_id AND linksto LIKE '%".Database::escape_string($page)."%' AND id=(
                         SELECT MAX(s2.id) FROM ".$tbl_wiki." s2
                         WHERE s2.c_id = $course_id AND s1.reflink = s2.reflink AND ".$groupfilter.$condition_session.")";
                 //add blank space after like '%" " %' to identify each word
             } else {
                 $sql = "SELECT * FROM ".$tbl_wiki." s1
-                        WHERE s1.c_id = $course_id AND visibility=1 AND linksto LIKE '%".Database::escape_string($page)." %' AND id=(
+                        WHERE s1.c_id = $course_id AND visibility=1 AND linksto LIKE '%".Database::escape_string($page)."%' AND id=(
                         SELECT MAX(s2.id) FROM ".$tbl_wiki." s2
                         WHERE s2.c_id = $course_id AND s1.reflink = s2.reflink AND ".$groupfilter.$condition_session.")";
                 //add blank space after like '%" " %' to identify each word
             }
 
-            $allpages=Database::query($sql);
+            $allpages = Database::query($sql);
 
             //show table
             if (Database::num_rows($allpages) > 0) {
@@ -3900,22 +3914,22 @@ class Wiki
                         self::setMessage(Display::display_normal_message($is_being_edited, false, true));
                     } else {
                         self::setMessage(Display::display_confirmation_message(
-                                self::restore_wikipage(
-                                    $current_row['page_id'],
-                                    $current_row['reflink'],
-                                    $current_row['title'],
-                                    $current_row['content'],
-                                    $current_row['group_id'],
-                                    $current_row['assignment'],
-                                    $current_row['progress'],
-                                    $current_row['version'],
-                                    $last_row['version'],
-                                    $current_row['linksto']
-                                ).': <a href="index.php?cidReq='.$_course['code'].'&action=showpage&amp;title='.api_htmlentities(urlencode($last_row['reflink'])).'&session_id='.$last_row['session_id'].'&group_id='.$last_row['group_id'].'">'.
-                                api_htmlentities($last_row['title']).'</a>',
-                                false,
-                                true
-                            ));
+                            self::restore_wikipage(
+                                $current_row['page_id'],
+                                $current_row['reflink'],
+                                $current_row['title'],
+                                $current_row['content'],
+                                $current_row['group_id'],
+                                $current_row['assignment'],
+                                $current_row['progress'],
+                                $current_row['version'],
+                                $last_row['version'],
+                                $current_row['linksto']
+                            ).': <a href="index.php?cidReq='.$_course['code'].'&action=showpage&amp;title='.api_htmlentities(urlencode($last_row['reflink'])).'&session_id='.$last_row['session_id'].'&group_id='.$last_row['group_id'].'">'.
+                            api_htmlentities($last_row['title']).'</a>',
+                            false,
+                            true
+                        ));
                     }
                 }
             }
@@ -4440,27 +4454,28 @@ class Wiki
         $groupId = $this->group_id;
         $userId = api_get_user_id();
 
-        if (api_get_session_id()!=0 && api_is_allowed_to_session_edit(false,true)==false) {
+        if (api_get_session_id() != 0 && api_is_allowed_to_session_edit(false,true)==false) {
             api_not_allowed();
         }
 
         $sql = 'SELECT *
-                FROM '.$tbl_wiki.', '.$tbl_wiki_conf.'
-    		    WHERE
-                    '.$tbl_wiki.'.c_id = '.$course_id.' AND
-                    '.$tbl_wiki_conf.'.c_id = '.$course_id.' AND
-                    '.$tbl_wiki_conf.'.page_id='.$tbl_wiki.'.page_id AND
-                    '.$tbl_wiki.'.reflink= "'.Database::escape_string($page).'" AND
-                    '.$tbl_wiki.'.'.$groupfilter.$condition_session.'
+                FROM '.$tbl_wiki.' w INNER JOIN '.$tbl_wiki_conf.' c
+                ON  (w.c_id = c.c_id AND w.page_id = c.page_id)
+                WHERE
+    		        w.c_id = '.$course_id.' AND
+                    w.reflink= "'.Database::escape_string($page).'" AND
+                    w.'.$groupfilter.$condition_session.'
                 ORDER BY id DESC';
         $result = Database::query($sql);
         $row = Database::fetch_array($result);
+
         // we do not need a while loop since we are always displaying the last version
 
         if ($row['content']=='' AND $row['title']=='' AND $page=='') {
             self::setMessage(Display::display_error_message(get_lang('MustSelectPage'), false, true));
             return;
         } elseif ($row['content']=='' AND $row['title']=='' AND $page=='index') {
+
             //Table structure for better export to pdf
             $default_table_for_content_Start='<table align="center" border="0"><tr><td align="center">';
             $default_table_for_content_End='</td></tr></table>';
@@ -4474,7 +4489,9 @@ class Wiki
         }
 
         //Only teachers and platform admin can edit the index page. Only teachers and platform admin can edit an assignment teacher. And users in groups
-        if (($row['reflink']=='index' || $row['reflink']=='' || $row['assignment']==1) && (!api_is_allowed_to_edit(false,true) && intval($_GET['group_id'])==0)) {
+        if (($row['reflink']=='index' || $row['reflink']=='' || $row['assignment']==1) &&
+            (!api_is_allowed_to_edit(false,true) && intval($_GET['group_id'])==0)
+        ) {
             self::setMessage(Display::display_error_message(get_lang('OnlyEditPagesCourseManager'), false, true));
         } else {
             $PassEdit=false;
@@ -4535,7 +4552,7 @@ class Wiki
                         $row['enddate_assig']!='0000-00-00 00:00:00' &&
                         $row['delayedsubmit']==0
                     ) {
-                        $message=get_lang('TheDeadlineHasBeenCompleted').': '.api_get_local_time($row['enddate_assig'], null, date_default_timezone_get());
+                        $message = get_lang('TheDeadlineHasBeenCompleted').': '.api_get_local_time($row['enddate_assig'], null, date_default_timezone_get());
                         self::setMessage(Display::display_warning_message($message, false, true));
                         if (!api_is_allowed_to_edit(false,true)) {
                             return;
@@ -4644,6 +4661,7 @@ class Wiki
                     $row['title'] = $title;
                     $row['page_id'] = $page_id;
                     $row['reflink'] = $page;
+                    $row['content'] = $content;
 
                     $form->setDefaults($row);
                     $form->display();
@@ -4659,6 +4677,7 @@ class Wiki
                             //prevent concurrent users and double version
                             self::setMessage(Display::display_error_message(get_lang("EditedByAnotherUser"), false, true));
                         } else {
+
                             $return_message = self::save_wiki($form->exportValues());
                             self::setMessage(Display::display_confirmation_message($return_message, false, true));
                         }

From c2ad0b6b31694a16a1a726aaab242d8a1b07b444 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Wed, 31 Dec 2014 15:34:00 +0100
Subject: [PATCH 06/26] Fixing query.

---
 main/admin/session_course_edit.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/main/admin/session_course_edit.php b/main/admin/session_course_edit.php
index ae35562d60..b561f2af02 100755
--- a/main/admin/session_course_edit.php
+++ b/main/admin/session_course_edit.php
@@ -12,7 +12,7 @@ require_once '../inc/global.inc.php';
 
 $id_session = intval($_GET['id_session']);
 SessionManager::protect_session_edit($id_session);
-$course_code = Database::escape_string($_GET['course_code']);
+$course_code = $_GET['course_code'];
 
 $formSent=0;
 $errorMsg='';
@@ -47,7 +47,7 @@ if (isset($_POST['formSent']) && $_POST['formSent']) {
 
 	// get all tutor by course_code in the session
 	$sql = "SELECT id_user FROM $tbl_session_rel_course_rel_user
-	        WHERE id_session = '$id_session' AND course_code = '$course_code' AND status = 2";
+	        WHERE id_session = '$id_session' AND course_code = '".Database::escape_string($course_code)."' AND status = 2";
 	$rs_coachs = Database::query($sql);
 
 	$coachs_course_session = array();
@@ -70,7 +70,12 @@ if (isset($_POST['formSent']) && $_POST['formSent']) {
 		$array_intersect = array_diff($coachs_course_session,$id_coachs);
 
 		foreach ($array_intersect as $nocoach_user_id) {
-			$rs2 = SessionManager::set_coach_to_course_session($nocoach_user_id, $id_session, $course_code,true);
+			$rs2 = SessionManager::set_coach_to_course_session(
+				$nocoach_user_id,
+				$id_session,
+				$course_code,
+				true
+			);
 		}
 
 		header('Location: '.Security::remove_XSS($_GET['page']).'?id_session='.$id_session);
@@ -79,7 +84,7 @@ if (isset($_POST['formSent']) && $_POST['formSent']) {
 	}
 } else {
 	$sql = "SELECT id_user FROM $tbl_session_rel_course_rel_user
-	        WHERE id_session = '$id_session' AND course_code = '$course_code' AND status = 2 ";
+	        WHERE id_session = '$id_session' AND course_code = '".Database::escape_string($course_code)."' AND status = 2 ";
 	$rs = Database::query($sql);
 
 	if (Database::num_rows($rs) > 0) {

From e41e773eacaa1cc957e006a3c7d35fbfa4f7f21e Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Fri, 2 Jan 2015 08:49:37 +0100
Subject: [PATCH 07/26] Minor - format code

---
 .../add_courses_to_session_functions.lib.php  | 76 ++++++++++---------
 1 file changed, 39 insertions(+), 37 deletions(-)

diff --git a/main/inc/lib/add_courses_to_session_functions.lib.php b/main/inc/lib/add_courses_to_session_functions.lib.php
index ced70e9084..bb5aeaf5cb 100755
--- a/main/inc/lib/add_courses_to_session_functions.lib.php
+++ b/main/inc/lib/add_courses_to_session_functions.lib.php
@@ -1,31 +1,27 @@
 <?php
 /* For licensing terms, see /license.txt */
-/**
- * Definition of the AddCourseToSession class
- * @package chamilo.library
- */
-/**
- * Init
- */
+
 require_once dirname(__FILE__).'/xajax/xajax.inc.php';
 //require_once (api_get_path(SYS_CODE_PATH).'admin/add_courses_to_session.php');
 
 /**
- * AddCourseToSession class
+ * Class AddCourseToSession
  */
-class AddCourseToSession {
-    /**
-     * Searches a course, given a search string and a type of search box
-     * @param string Search string
-     * @param string Type of search box ('single' or anything else)
-     * @return string XajaxResponse
-     * @assert () !== null
-     * @assert ('abc', 'single') !== null
-     * @assert ('abc', 'multiple') !== null
-     */
-    public function search_courses($needle,$type) {
+class AddCourseToSession
+{
+	/**
+	 * Searches a course, given a search string and a type of search box
+	 * @param string $needle Search string
+	 * @param string $type Type of search box ('single' or anything else)
+	 * @return string XajaxResponse
+	 * @assert () !== null
+	 * @assert ('abc', 'single') !== null
+	 * @assert ('abc', 'multiple') !== null
+	 */
+	public static function search_courses($needle, $type)
+	{
 		global $tbl_course, $tbl_session_rel_course, $id_session;
-
+		$course_title = null;
 		$xajax_response = new XajaxResponse();
 		$return = '';
 		if(!empty($needle) && !empty($type)) {
@@ -35,9 +31,10 @@ class AddCourseToSession {
 
 			$cond_course_code = '';
 			if (!empty($id_session)) {
-			$id_session = Database::escape_string($id_session);
+				$id_session = Database::escape_string($id_session);
 				// check course_code from session_rel_course table
-				$sql = 'SELECT course_code FROM '.$tbl_session_rel_course.' WHERE id_session ="'.(int)$id_session.'"';
+				$sql = 'SELECT course_code FROM '.$tbl_session_rel_course.'
+						WHERE id_session ="'.(int)$id_session.'"';
 				$res = Database::query($sql);
 				$course_codes = '';
 				if (Database::num_rows($res) > 0) {
@@ -51,19 +48,21 @@ class AddCourseToSession {
 			}
 
 			if ($type=='single') {
-			// search users where username or firstname or lastname begins likes $needle
-			$sql = 'SELECT course.code, course.visual_code, course.title, session_rel_course.id_session
+				// search users where username or firstname or lastname begins likes $needle
+				$sql = 'SELECT course.code, course.visual_code, course.title, session_rel_course.id_session
 					FROM '.$tbl_course.' course
 					LEFT JOIN '.$tbl_session_rel_course.' session_rel_course
 						ON course.code = session_rel_course.course_code
 						AND session_rel_course.id_session = '.intval($id_session).'
-					WHERE course.visual_code LIKE "'.$needle.'%"
-					OR course.title LIKE "'.$needle.'%"';
+					WHERE
+						course.visual_code LIKE "'.$needle.'%" OR
+						course.title LIKE "'.$needle.'%"';
 			} else {
-
-			$sql = 'SELECT course.code, course.visual_code, course.title
-					FROM '.$tbl_course.' course
-					WHERE course.visual_code LIKE "'.$needle.'%" '.$cond_course_code.' ORDER BY course.code ';
+				$sql = 'SELECT course.code, course.visual_code, course.title
+						FROM '.$tbl_course.' course
+						WHERE
+							course.visual_code LIKE "'.$needle.'%" '.$cond_course_code.'
+						ORDER BY course.code ';
 			}
 
 			global $_configuration;
@@ -79,13 +78,18 @@ class AddCourseToSession {
 									ON course.code = session_rel_course.course_code
 									AND session_rel_course.id_session = '.intval($id_session).'
 								INNER JOIN '.$tbl_course_rel_access_url.' url_course ON (url_course.course_code=course.code)
-								WHERE access_url_id = '.$access_url_id.' AND (course.visual_code LIKE "'.$needle.'%"
-								OR course.title LIKE "'.$needle.'%" )';
+								WHERE
+									access_url_id = '.$access_url_id.' AND
+									(course.visual_code LIKE "'.$needle.'%" OR
+									course.title LIKE "'.$needle.'%" )';
 					} else {
 						$sql = 'SELECT course.code, course.visual_code, course.title
 								FROM '.$tbl_course.' course, '.$tbl_course_rel_access_url.' url_course
-								WHERE url_course.course_code=course.code AND access_url_id = '.$access_url_id.'
-								AND course.visual_code LIKE "'.$needle.'%" '.$cond_course_code.' ORDER BY course.code ';
+								WHERE
+									url_course.course_code=course.code AND
+									access_url_id = '.$access_url_id.' AND
+									course.visual_code LIKE "'.$needle.'%" '.$cond_course_code.'
+								ORDER BY course.code ';
 					}
 				}
 			}
@@ -99,11 +103,8 @@ class AddCourseToSession {
 					$course_title=str_replace("'","\'",$course_title);
 					$return .= '<a href="javascript: void(0);" onclick="javascript: add_course_to_session(\''.$course['code'].'\',\''.$course_title.' ('.$course['visual_code'].')'.'\')">'.$course['title'].' ('.$course['visual_code'].')</a><br />';
 				}
-
 				$xajax_response -> addAssign('ajax_list_courses_single','innerHTML',api_utf8_encode($return));
-
 			} else {
-
 				$return .= '<select id="origin" name="NoSessionCoursesList[]" multiple="multiple" size="20" style="width:340px;">';
 				while($course = Database :: fetch_array($rs)) {
 					$course_list[] = $course['code'];
@@ -116,6 +117,7 @@ class AddCourseToSession {
 			}
 		}
 		$_SESSION['course_list'] = $course_list;
+
 		return $xajax_response;
 	}
 }

From 94a0316be60183091d2ed7bc28ee1cc201c44939 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Fri, 2 Jan 2015 08:52:03 +0100
Subject: [PATCH 08/26] Fixing queries see #7440

---
 main/admin/add_users_to_session.php | 46 ++++++++++++++++-------------
 main/inc/lib/database.lib.php       |  3 ++
 2 files changed, 28 insertions(+), 21 deletions(-)

diff --git a/main/admin/add_users_to_session.php b/main/admin/add_users_to_session.php
index d4bd984c45..d6e055032e 100755
--- a/main/admin/add_users_to_session.php
+++ b/main/admin/add_users_to_session.php
@@ -1,5 +1,6 @@
 <?php
 /* For licensing terms, see /license.txt */
+
 /**
 *	@package chamilo.admin
 */
@@ -82,12 +83,9 @@ function search_users($needle, $type)
 
         // xajax send utf8 datas... datas in db can be non-utf8 datas
         $charset = api_get_system_encoding();
-        $needle = Database::escape_string($needle);
         $needle = api_convert_encoding($needle, $charset, 'utf-8');
-
+        $needle = Database::escape_string($needle);
         $order_clause = api_sort_by_first_name() ? ' ORDER BY firstname, lastname, username' : ' ORDER BY lastname, firstname, username';
-
-
         $showOfficialCode = false;
         global $_configuration;
         if (isset($_configuration['order_user_list_by_official_code']) &&
@@ -117,7 +115,6 @@ function search_users($needle, $type)
                 $cond_user_id = ' AND user.user_id NOT IN('.implode(",",$user_ids).')';
             }
         }
-
         switch ($type) {
             case 'single':
                 // search users where username or firstname or lastname begins likes $needle
@@ -128,14 +125,19 @@ function search_users($needle, $type)
                                 username LIKE "'.$needle.'%" OR
                                 firstname LIKE "'.$needle.'%" OR
                                 lastname LIKE "'.$needle.'%"
-                            ) AND user.status<>6 AND user.status<>'.DRH.''.
+                            ) AND
+                            user.status <> 6 AND
+                            user.status <> '.DRH.''.
                         $order_clause.'
                         LIMIT 11';
                 break;
             case 'multiple':
                 $sql = 'SELECT user.user_id, username, lastname, firstname, official_code
                         FROM '.$tbl_user.' user
-                        WHERE '.(api_sort_by_first_name() ? 'firstname' : 'lastname').' LIKE "'.$needle.'%" AND user.status<>'.DRH.' AND user.status<>6 '.$cond_user_id.
+                        WHERE
+                            '.(api_sort_by_first_name() ? 'firstname' : 'lastname').' LIKE "'.$needle.'%" AND
+                            user.status <> '.DRH.' AND
+                            user.status <> 6 '.$cond_user_id.
                         $order_clause;
                 break;
             case 'any_session':
@@ -154,7 +156,7 @@ function search_users($needle, $type)
             $tbl_user_rel_access_url= Database::get_main_table(TABLE_MAIN_ACCESS_URL_REL_USER);
             $access_url_id = api_get_current_access_url_id();
             if ($access_url_id != -1) {
-                switch($type) {
+                switch ($type) {
                     case 'single':
                         $sql = 'SELECT user.user_id, username, lastname, firstname, official_code
                         FROM '.$tbl_user.' user
@@ -165,7 +167,8 @@ function search_users($needle, $type)
                                 username LIKE "'.$needle.'%" OR
                                 firstname LIKE "'.$needle.'%" OR
                                 lastname LIKE "'.$needle.'%"
-                            ) AND user.status<>6 AND user.status<>'.DRH.' '.
+                            ) AND user.status<>6 AND
+                            user.status<>'.DRH.' '.
                         $order_clause.
                         ' LIMIT 11';
                         break;
@@ -195,7 +198,7 @@ function search_users($needle, $type)
                 }
             }
         }
-
+        //echo Database::fixQuery($sql);
         $rs = Database::query($sql);
         $i = 0;
         if ($type=='single') {
@@ -219,19 +222,18 @@ function search_users($needle, $type)
             global $nosessionUsersList;
             $return .= '<select id="origin_users" name="nosessionUsersList[]" multiple="multiple" size="15" style="width:360px;">';
             while ($user = Database :: fetch_array($rs)) {
-
                 $person_name = api_get_person_name($user['firstname'], $user['lastname']).' ('.$user['username'].') '.$user['official_code'];
                 if ($showOfficialCode) {
                     $officialCode = !empty($user['official_code']) ? $user['official_code'].' - ' : '? - ';
                     $person_name = $officialCode.api_get_person_name($user['firstname'], $user['lastname']).' ('.$user['username'].')';
                 }
-
 	            $return .= '<option value="'.$user['user_id'].'">'.$person_name.' </option>';
 			}
 			$return .= '</select>';
 			$xajax_response -> addAssign('ajax_list_users_multiple','innerHTML',api_utf8_encode($return));
 		}
 	}
+
 	return $xajax_response;
 }
 
@@ -284,11 +286,11 @@ function change_select(val) {
 }
 </script>';
 
-$form_sent=0;
-$errorMsg=$firstLetterUser=$firstLetterSession='';
-$UserList=$SessionList=array();
-$sessions=array();
-$noPHP_SELF=true;
+$form_sent = 0;
+$errorMsg = $firstLetterUser = $firstLetterSession = '';
+$UserList = $SessionList = array();
+$sessions = array();
+$noPHP_SELF = true;
 
 if (isset($_POST['form_sent']) && $_POST['form_sent']) {
     $form_sent             = $_POST['form_sent'];
@@ -330,7 +332,8 @@ if ($ajax_search) {
     $sql = "SELECT user_id, lastname, firstname, username, id_session, official_code
             FROM $tbl_user u
             INNER JOIN $tbl_session_rel_user
-                ON $tbl_session_rel_user.id_user = u.user_id AND $tbl_session_rel_user.relation_type<>".SESSION_RELATION_TYPE_RRHH."
+                ON $tbl_session_rel_user.id_user = u.user_id AND
+                $tbl_session_rel_user.relation_type<>".SESSION_RELATION_TYPE_RRHH."
                 AND $tbl_session_rel_user.id_session = ".intval($id_session)."
             WHERE u.status<>".DRH." AND u.status<>6
             $order_clause";
@@ -342,7 +345,8 @@ if ($ajax_search) {
             $sql="SELECT u.user_id, lastname, firstname, username, id_session, official_code
             FROM $tbl_user u
             INNER JOIN $tbl_session_rel_user
-                ON $tbl_session_rel_user.id_user = u.user_id AND $tbl_session_rel_user.relation_type<>".SESSION_RELATION_TYPE_RRHH."
+                ON $tbl_session_rel_user.id_user = u.user_id AND
+                $tbl_session_rel_user.relation_type<>".SESSION_RELATION_TYPE_RRHH."
                 AND $tbl_session_rel_user.id_session = ".intval($id_session)."
             INNER JOIN $tbl_user_rel_access_url url_user ON (url_user.user_id=u.user_id)
             WHERE access_url_id = $access_url_id AND u.status<>".DRH." AND u.status<>6
@@ -438,8 +442,8 @@ if ($ajax_search) {
         }
     }
 
-    $result   = Database::query($sql);
-    $users    = Database::store_result($result,'ASSOC');
+    $result = Database::query($sql);
+    $users = Database::store_result($result,'ASSOC');
     foreach ($users as $uid => $user) {
         if ($user['id_session'] != $id_session) {
             $nosessionUsersList[$user['user_id']] = array(
diff --git a/main/inc/lib/database.lib.php b/main/inc/lib/database.lib.php
index 90d3905858..91bce86f11 100755
--- a/main/inc/lib/database.lib.php
+++ b/main/inc/lib/database.lib.php
@@ -695,6 +695,9 @@ class Database
         $query = str_replace("'%__@", "'%", $query);
         $query = str_replace("@__%'", "%'", $query);
 
+        $query = str_replace('@__%"', "%'", $query);
+        $query = str_replace('"%__@', "'%", $query);
+
         // Fixing doubles
         $query = str_replace("__@__@", "__@", $query);
         $query = str_replace("@__@__", "@__", $query);

From fe2c21ec145fdeece079f6fee8958b59a1b1ec01 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Fri, 2 Jan 2015 09:04:03 +0100
Subject: [PATCH 09/26] Minor - format code

---
 main/inc/lib/display.lib.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/main/inc/lib/display.lib.php b/main/inc/lib/display.lib.php
index b10ccf6d87..b196bf518e 100755
--- a/main/inc/lib/display.lib.php
+++ b/main/inc/lib/display.lib.php
@@ -67,7 +67,6 @@ class Display
             preg_match('/main\/([^*\/]+)/', $currentURL, $matches);
             $toolList = self::toolList();
             if (!empty($matches)) {
-
                 foreach ($matches as $match) {
                     if (in_array($match, $toolList)) {
                         $help = explode('_', $match);
@@ -599,8 +598,6 @@ class Display
         return '<a href="'.api_get_path(WEB_PATH).'index.php">'.$name.'</a>';
     }
 
-
-
     /**
      * Prints an <option>-list with all letters (A-Z).
      * @param char $selected_letter The letter that should be selected
@@ -1758,7 +1755,8 @@ class Display
      * @param string $type
      * @return string
      */
-    public static function label($content, $type = null) {
+    public static function label($content, $type = null)
+    {
         $class = '';
         switch ($type) {
             case 'success':
@@ -1791,7 +1789,8 @@ class Display
      * @param array $items
      * @return null|string
      */
-    public static function actions($items) {
+    public static function actions($items)
+    {
         $html = null;
         if (!empty($items)) {
             $html = '<div class="new_actions"><ul class="nav nav-pills">';
@@ -1856,7 +1855,8 @@ class Display
     /**
      * @todo use twig
      */
-    public static function group_button($title, $elements) {
+    public static function group_button($title, $elements)
+    {
         $html = '<div class="btn-toolbar">
             <div class="btn-group">
             <button class="btn dropdown-toggle" data-toggle="dropdown">'.$title.' <span class="caret"></span></button>

From 0b2de914fde11179d87f7ea4593531a4ca97994f Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Fri, 2 Jan 2015 09:04:24 +0100
Subject: [PATCH 10/26] Adding Database::escape_string() + fixing PHP warnings.

---
 main/admin/dashboard_add_courses_to_user.php  | 14 ++++++++------
 main/admin/dashboard_add_sessions_to_user.php | 12 +++++++-----
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/main/admin/dashboard_add_courses_to_user.php b/main/admin/dashboard_add_courses_to_user.php
index 2629de17ac..0bd50f4f1a 100755
--- a/main/admin/dashboard_add_courses_to_user.php
+++ b/main/admin/dashboard_add_courses_to_user.php
@@ -59,16 +59,17 @@ if (!api_is_platform_admin()) {
 	api_not_allowed(true);
 }
 
-function search_courses($needle,$type)
+function search_courses($needle, $type)
 {
-    global $_configuration, $tbl_course, $tbl_course_rel_user, $tbl_course_rel_access_url,$user_id;
+    global $_configuration, $tbl_course, $tbl_course_rel_access_url,$user_id;
 
     $xajax_response = new XajaxResponse();
     $return = '';
-    if(!empty($needle) && !empty($type)) {
+    if (!empty($needle) && !empty($type)) {
         // xajax send utf8 datas... datas in db can be non-utf8 datas
         $charset = api_get_system_encoding();
         $needle = api_convert_encoding($needle, $charset, 'utf-8');
+		$needle = Database::escape_string($needle);
 
         $assigned_courses_to_hrm = CourseManager::get_courses_followed_by_drh($user_id);
         $assigned_courses_code = array_keys($assigned_courses_to_hrm);
@@ -190,9 +191,10 @@ if (count($assigned_courses_code) > 0) {
 }
 
 $needle = '%';
+$firstLetter = null;
 if (isset($_POST['firstLetterCourse'])) {
-	$needle = Database::escape_string($_POST['firstLetterCourse']);
-	$needle = "$needle%";
+	$firstLetter = $_POST['firstLetterCourse'];
+	$needle = Database::escape_string($firstLetter.'%');
 }
 
 if (api_is_multiple_url_enabled()) {
@@ -249,7 +251,7 @@ if(!empty($msg)) {
      <select name="firstLetterCourse" onchange = "xajax_search_courses(this.value,'multiple')">
       <option value="%">--</option>
       <?php
-      echo Display :: get_alphabet_options($_POST['firstLetterCourse']);
+      echo Display :: get_alphabet_options($firstLetter);
       ?>
      </select>
 </td>
diff --git a/main/admin/dashboard_add_sessions_to_user.php b/main/admin/dashboard_add_sessions_to_user.php
index 296c6dfea3..0bae98dffa 100755
--- a/main/admin/dashboard_add_sessions_to_user.php
+++ b/main/admin/dashboard_add_sessions_to_user.php
@@ -59,7 +59,7 @@ if (!api_is_platform_admin() && !api_is_session_admin()) {
     api_not_allowed(true);
 }
 
-function search_sessions($needle,$type)
+function search_sessions($needle, $type)
 {
     global $_configuration, $tbl_session_rel_access_url, $tbl_session, $user_id;
 
@@ -69,6 +69,7 @@ function search_sessions($needle,$type)
         // xajax send utf8 datas... datas in db can be non-utf8 datas
         $charset = api_get_system_encoding();
         $needle = api_convert_encoding($needle, $charset, 'utf-8');
+        $needle = Database::escape_string($needle);
         $assigned_sessions_to_hrm = SessionManager::get_sessions_followed_by_drh($user_id);
         $assigned_sessions_id = array_keys($assigned_sessions_to_hrm);
 
@@ -93,6 +94,7 @@ function search_sessions($needle,$type)
         $return .= '</select>';
         $xajax_response->addAssign('ajax_list_sessions_multiple','innerHTML',api_utf8_encode($return));
     }
+
     return $xajax_response;
 }
 
@@ -192,8 +194,7 @@ if (count($assigned_sessions_id) > 0) {
 
 $needle = '%';
 if (!empty($firstLetterSession)) {
-    $needle = Database::escape_string($firstLetterSession);
-    $needle = "$needle%";
+    $needle = Database::escape_string($firstLetterSession.'%');
 }
 
 if (api_is_multiple_url_enabled()) {
@@ -222,7 +223,8 @@ $result	= Database::query($sql);
             <tr>
                 <td width="45%" align="center"><b><?php echo get_lang('SessionsListInPlatform') ?> :</b></td>
                 <td width="10%">&nbsp;</td>
-                <td align="center" width="45%"><b>
+                <td align="center" width="45%">
+                    <b>
                         <?php
                         if (UserManager::is_admin($user_id)) {
                             echo get_lang('AssignedSessionsListToPlatformAdministrator');
@@ -235,7 +237,7 @@ $result	= Database::query($sql);
                         : </b></td>
             </tr>
 
-            <?php if($add_type == 'multiple') { ?>
+            <?php if ($add_type == 'multiple') { ?>
                 <tr><td width="45%" align="center">
                         <?php echo get_lang('FirstLetterSession');?> :
                         <select name="firstLetterSession" onchange = "xajax_search_sessions(this.value, 'multiple')">

From 5d74663bae828477d30211af5cf51ab65b9302f0 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Mon, 5 Jan 2015 13:29:10 +0100
Subject: [PATCH 11/26] Fixing session list when session is read only and
 inside a category.

---
 main/inc/lib/userportal.lib.php | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/main/inc/lib/userportal.lib.php b/main/inc/lib/userportal.lib.php
index f9cea4430a..382538c3a8 100755
--- a/main/inc/lib/userportal.lib.php
+++ b/main/inc/lib/userportal.lib.php
@@ -1065,7 +1065,6 @@ class IndexManager
                                         }
                                     }
                                 }
-
                             }
                             if ($session_now > $allowed_time && $days_access_after_end > $dif_time_after - 1) {
                                 // Read only and accessible.
@@ -1166,13 +1165,17 @@ class IndexManager
                                     if ($date_session_start != '0000-00-00') {
                                         $allowed_time = api_strtotime($date_session_start . ' 00:00:00') - ($days_access_before_beginning * 86400);
                                     }
-                                    if ($date_session_end != '0000-00-00') {
-                                        $endSessionToTms = api_strtotime($date_session_end . ' 23:59:59');
-                                        if ($session_now > $endSessionToTms) {
-                                            $dif_time_after = $session_now - $endSessionToTms;
-                                            $dif_time_after = round(
-                                                $dif_time_after / 86400
+                                    if (!isset($_GET['history'])) {
+                                        if ($date_session_end != '0000-00-00') {
+                                            $endSessionToTms = api_strtotime(
+                                                $date_session_end . ' 23:59:59'
                                             );
+                                            if ($session_now > $endSessionToTms) {
+                                                $dif_time_after = $session_now - $endSessionToTms;
+                                                $dif_time_after = round(
+                                                    $dif_time_after / 86400
+                                                );
+                                            }
                                         }
                                     }
                                 } else {
@@ -1181,7 +1184,9 @@ class IndexManager
                                     );
                                 }
 
-                                if ($session_now > $allowed_time && $days_access_after_end > $dif_time_after - 1) {
+                                if ($session_now > $allowed_time &&
+                                    $days_access_after_end > $dif_time_after - 1
+                                ) {
                                     if (api_get_setting('hide_courses_in_sessions') == 'false') {
                                         $c = CourseManager:: get_logged_user_course_html(
                                             $course,

From 74c25067aa05e139ab84ab3730d3b1a267fe0730 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Mon, 5 Jan 2015 15:19:45 +0100
Subject: [PATCH 12/26] Coach and download files if session is read only see
 BT#9233

---
 main/inc/ajax/model.ajax.php     |  6 ++----
 main/work/downloadfolder.inc.php |  6 ++++--
 main/work/student_work.php       | 14 ++++++++++----
 main/work/view.php               | 17 ++++++++++++-----
 main/work/work.lib.php           | 24 +++++++++++++++++-------
 main/work/work.php               |  2 +-
 main/work/work_list_all.php      |  4 ++--
 7 files changed, 48 insertions(+), 25 deletions(-)

diff --git a/main/inc/ajax/model.ajax.php b/main/inc/ajax/model.ajax.php
index 5496580e10..3a5783e11b 100755
--- a/main/inc/ajax/model.ajax.php
+++ b/main/inc/ajax/model.ajax.php
@@ -214,7 +214,6 @@ switch ($action) {
     case 'get_work_student':
         require_once api_get_path(SYS_CODE_PATH).'work/work.lib.php';
         $count = getWorkListStudent(0, $limit, $sidx, $sord, $whereCondition, true);
-
         break;
     case 'get_work_user_list_all':
         require_once api_get_path(SYS_CODE_PATH).'work/work.lib.php';
@@ -258,7 +257,7 @@ switch ($action) {
         }
         break;
     case 'get_work_student_list_overview':
-        if (!api_is_allowed_to_edit()) {
+        if (!(api_is_allowed_to_edit() || api_is_coach())) {
             return 0;
         }
         require_once api_get_path(SYS_CODE_PATH).'work/work.lib.php';
@@ -588,7 +587,6 @@ switch ($action) {
                 'actions'
             );
         } else {
-
             $columns = array(
                 'type',
                 'firstname',
@@ -677,7 +675,7 @@ switch ($action) {
         $result = get_exam_results_hotpotatoes_data($start, $limit, $sidx, $sord, $hotpot_path, $whereCondition);
         break;
     case 'get_work_student_list_overview':
-        if (!api_is_allowed_to_edit()) {
+        if (!(api_is_allowed_to_edit() || api_is_coach())) {
             return array();
         }
         require_once api_get_path(SYS_CODE_PATH).'work/work.lib.php';
diff --git a/main/work/downloadfolder.inc.php b/main/work/downloadfolder.inc.php
index 04e234d6ff..9c3f205c1f 100755
--- a/main/work/downloadfolder.inc.php
+++ b/main/work/downloadfolder.inc.php
@@ -10,14 +10,16 @@
 $work_id = $_GET['id'];
 require_once '../inc/global.inc.php';
 $current_course_tool  = TOOL_STUDENTPUBLICATION;
+$_course = api_get_course_info();
 
-//protection
+// Protection
 api_protect_course_script(true);
 
 require_once 'work.lib.php';
 
 $work_data = get_work_data_by_id($work_id);
 $groupId = api_get_group_id();
+
 if (empty($work_data)) {
     exit;
 }
@@ -59,7 +61,7 @@ if (array_key_exists('filename', $work_data)) {
     $filenameCondition = ", filename";
 }
 
-if (api_is_allowed_to_edit()) {
+if (api_is_allowed_to_edit() || api_is_coach()) {
     //Search for all files that are not deleted => visibility != 2
     $sql = "SELECT DISTINCT
                 url,
diff --git a/main/work/student_work.php b/main/work/student_work.php
index 20a00bd0b2..4b13833778 100755
--- a/main/work/student_work.php
+++ b/main/work/student_work.php
@@ -39,7 +39,7 @@ if (!empty($group_id)) {
     } else {
         // you are not a teacher
         $show_work = GroupManager::user_has_access(
-            $user_id,
+            api_get_user_id(),
             $group_id,
             GroupManager::GROUP_TOOL_WORK
         );
@@ -58,7 +58,7 @@ if (!empty($group_id)) {
         'name' => get_lang('GroupSpace').' '.$group_properties['name']
     );
 } else {
-    if (!api_is_allowed_to_edit(false, true)) {
+    if (!(api_is_allowed_to_edit() || api_is_coach())) {
         api_not_allowed(true);
     }
 }
@@ -178,8 +178,14 @@ foreach ($workPerUser as $work) {
             $url = api_get_path(WEB_CODE_PATH).'work/download.php?'.api_get_cidreq().'&id='.$itemId;
             $links .= Display::url(Display::return_icon('save.png', get_lang('Download')), $url);
         }
-        $url = api_get_path(WEB_CODE_PATH).'work/edit.php?'.api_get_cidreq().'&item_id='.$itemId.'&id='.$workId.'&parent_id='.$workId;
-        $links .= Display::url(Display::return_icon('rate_work.png', get_lang('Comment')), $url);
+
+        if (api_is_allowed_to_edit()) {
+            $url = api_get_path(WEB_CODE_PATH).'work/edit.php?'.api_get_cidreq().'&item_id='.$itemId.'&id='.$workId.'&parent_id='.$workId;
+            $links .= Display::url(
+                Display::return_icon('rate_work.png', get_lang('Comment')),
+                $url
+            );
+        }
 
         $table->setCellContents($row, $column, $links);
 
diff --git a/main/work/view.php b/main/work/view.php
index ed3abf82e7..d5f2f56aa7 100755
--- a/main/work/view.php
+++ b/main/work/view.php
@@ -35,14 +35,14 @@ $isDrhOfCourse = CourseManager::isUserSubscribedInCourseAsDrh(
     $courseInfo
 );
 
-if ((user_is_author($id) || $isDrhOfCourse) ||
+if ((user_is_author($id) || $isDrhOfCourse || (api_is_allowed_to_edit() || api_is_coach())) ||
     (
         $courseInfo['show_score'] == 0 &&
         $work['active'] == 1 &&
         $work['accepted'] == 1
     )
 ) {
-    if (api_is_allowed_to_edit(null, true) || api_is_drh()) {
+    if ((api_is_allowed_to_edit() || api_is_coach()) || api_is_drh()) {
         $url_dir = 'work_list_all.php?id='.$my_folder_data['id'];
     } else {
         $url_dir = 'work_list.php?id='.$my_folder_data['id'];
@@ -51,8 +51,13 @@ if ((user_is_author($id) || $isDrhOfCourse) ||
     $interbreadcrumb[] = array('url' => $url_dir, 'name' => $my_folder_data['title']);
     $interbreadcrumb[] = array('url' => '#','name' => $work['title']);
     //|| api_is_drh()
-    if (($courseInfo['show_score'] == 0 && $work['active'] == 1 && $work['accepted'] == 1) ||
-        (api_is_allowed_to_edit()) || user_is_author($id) || $isDrhOfCourse
+    if (($courseInfo['show_score'] == 0 &&
+        $work['active'] == 1 &&
+        $work['accepted'] == 1
+        ) ||
+        (api_is_allowed_to_edit() || api_is_coach()) ||
+        user_is_author($id) ||
+        $isDrhOfCourse
     ) {
         $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : null;
         switch ($action) {
@@ -89,7 +94,9 @@ if ((user_is_author($id) || $isDrhOfCourse) ||
         $tpl->assign('work', $work);
         $tpl->assign('work_comment_enabled', ALLOW_USER_COMMENTS);
         $tpl->assign('comments', $comments);
-        $tpl->assign('form', $commentForm);
+        if (api_is_allowed_to_session_edit()) {
+            $tpl->assign('form', $commentForm);
+        }
         $tpl->assign('is_allowed_to_edit', api_is_allowed_to_edit());
 
         $template = $tpl->get_template('work/view.tpl');
diff --git a/main/work/work.lib.php b/main/work/work.lib.php
index 355448088e..bf2142d353 100755
--- a/main/work/work.lib.php
+++ b/main/work/work.lib.php
@@ -1828,12 +1828,12 @@ function getWorkListTeacher(
 ) {
     $workTable = Database::get_course_table(TABLE_STUDENT_PUBLICATION);
     $workTableAssignment  = Database::get_course_table(TABLE_STUDENT_PUBLICATION_ASSIGNMENT);
-    $courseInfo = api_get_course_info();
+
     $course_id = api_get_course_int_id();
     $session_id = api_get_session_id();
     $condition_session = api_get_session_condition($session_id);
     $group_id = api_get_group_id();
-    $is_allowed_to_edit = api_is_allowed_to_edit(null, true);
+    $is_allowed_to_edit = api_is_allowed_to_edit() || api_is_coach();
 
     if (!in_array($direction, array('asc', 'desc'))) {
         $direction = 'desc';
@@ -1931,9 +1931,18 @@ function getWorkListTeacher(
                 );
             }
             $deleteUrl = api_get_path(WEB_CODE_PATH).'work/work.php?id='.$workId.'&action=delete_dir&'.api_get_cidreq();
-            $deleteLink = '<a href="#" onclick="showConfirmationPopup(this, \''.$deleteUrl.'\' ) " >'.
-                Display::return_icon('delete.png', get_lang('Delete'), array(), ICON_SIZE_SMALL).'</a>';
-
+            $deleteLink = '<a href="#" onclick="showConfirmationPopup(this, \'' . $deleteUrl . '\' ) " >' .
+                Display::return_icon(
+                    'delete.png',
+                    get_lang('Delete'),
+                    array(),
+                    ICON_SIZE_SMALL
+                ) . '</a>';
+
+            if (!api_is_allowed_to_edit()) {
+                $deleteLink = null;
+                $editLink = null;
+            }
             $work['actions'] = $downloadLink.$editLink.$deleteLink;
             $works[] = $work;
         }
@@ -2184,7 +2193,7 @@ function get_work_user_list(
     }
 
     $work_data = get_work_data_by_id($work_id);
-    $is_allowed_to_edit = api_is_allowed_to_edit(null, true);
+    $is_allowed_to_edit = api_is_allowed_to_edit() || api_is_coach();
     $condition_session  = api_get_session_condition($session_id);
     $locked = api_resource_is_locked_by_gradebook($work_id, LINK_STUDENTPUBLICATION);
 
@@ -2377,7 +2386,7 @@ function get_work_user_list(
                 // Actions.
 
                 $action = '';
-                if ($is_allowed_to_edit) {
+                if (api_is_allowed_to_edit()) {
                     $action .= '<a href="'.$url.'view.php?'.api_get_cidreq().'&id='.$item_id.'" title="'.get_lang('View').'">'.
                         Display::return_icon('default.png', get_lang('View'),array(), ICON_SIZE_SMALL).'</a> ';
 
@@ -3632,6 +3641,7 @@ function getWorkCommentForm($work)
         $form->addElement('checkbox', 'send_mail', null, get_lang('SendMail'));
     }
     $form->addElement('button', 'button', get_lang('Send'));
+
     return $form->return_form();
 }
 
diff --git a/main/work/work.php b/main/work/work.php
index f3a5f73b94..75e07288f5 100755
--- a/main/work/work.php
+++ b/main/work/work.php
@@ -289,7 +289,7 @@ switch ($action) {
                 get_lang('Description').':</strong><p>'.Security::remove_XSS($my_folder_data['description'], STUDENT).
                 '</p></div></p>';
         }
-        if (api_is_allowed_to_edit()) {
+        if (api_is_allowed_to_edit() || api_is_coach()) {
             // Work list
             $content .= '<div class="row">';
             $content .= '<div class="span9">';
diff --git a/main/work/work_list_all.php b/main/work/work_list_all.php
index ed5e6da5c2..901a6c853a 100755
--- a/main/work/work_list_all.php
+++ b/main/work/work_list_all.php
@@ -15,7 +15,7 @@ require_once 'work.lib.php';
 $this_section = SECTION_COURSES;
 
 $workId = isset($_GET['id']) ? intval($_GET['id']) : null;
-$is_allowed_to_edit = api_is_allowed_to_edit();
+$is_allowed_to_edit = api_is_allowed_to_edit() || api_is_coach();
 
 if (empty($workId)) {
     api_not_allowed(true);
@@ -33,7 +33,7 @@ $isDrhOfCourse = CourseManager::isUserSubscribedInCourseAsDrh(
     api_get_course_info()
 );
 
-if (!(api_is_allowed_to_edit() || $isDrhOfCourse)) {
+if (!($is_allowed_to_edit || $isDrhOfCourse)) {
     api_not_allowed(true);
 }
 

From ea4b07fe8b6d35b2cd07929f44f2477e98bd0e52 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Mon, 5 Jan 2015 15:54:45 +0100
Subject: [PATCH 13/26] Showing link categories.

---
 main/inc/lib/link.lib.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/main/inc/lib/link.lib.php b/main/inc/lib/link.lib.php
index 29a9f2f00c..4a083da470 100755
--- a/main/inc/lib/link.lib.php
+++ b/main/inc/lib/link.lib.php
@@ -827,7 +827,7 @@ function change_visibility_link($id, $scope)
  * session
  * @param   int $courseId
  * @param   int $sessionId
- * @return string SQL query (to be executed)
+ * @return resource
  */
 function getLinkCategories($courseId, $sessionId)
 {
@@ -849,6 +849,13 @@ function getLinkCategories($courseId, $sessionId)
                 itemproperties.c_id = " . $courseId . "
             ORDER BY linkcat.display_order DESC";
 
+    $sql = "SELECT *, linkcat.id
+            FROM $tblLinkCategory linkcat
+            WHERE
+                linkcat.c_id = " . $courseId."
+                $sessionCondition
+            ORDER BY linkcat.display_order DESC";
+
     return Database::query($sql);
 }
 

From 6bd4b5df0db53da2e586f1dac514873aca11ba7b Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Tue, 6 Jan 2015 10:33:09 +0100
Subject: [PATCH 14/26] Adding auto attendance see BT#8814

---
 main/attendance/attendance_controller.php | 38 ++++++++-
 main/attendance/attendance_list.php       |  7 +-
 main/attendance/calendar_logins.php       | 11 +++
 main/attendance/index.php                 |  8 +-
 main/inc/lib/attendance.lib.php           | 97 +++++++++++++++++++++++
 main/inc/lib/course.lib.php               | 58 +++++++++++++-
 6 files changed, 212 insertions(+), 7 deletions(-)
 create mode 100644 main/attendance/calendar_logins.php

diff --git a/main/attendance/attendance_controller.php b/main/attendance/attendance_controller.php
index 6d35d5efec..6e3479e67f 100755
--- a/main/attendance/attendance_controller.php
+++ b/main/attendance/attendance_controller.php
@@ -536,10 +536,46 @@ class AttendanceController
             'pdf_teachers' => $teacherName,
             'pdf_course_category' => $courseCategory['name'],
             'format' => 'A4-L',
-            'orientation' =>    'L'
+            'orientation' => 'L'
         );
 
         Export::export_html_to_pdf($content, $params);
         exit;
     }
+
+    /**
+     * Gets attendace base in the table:
+     * TABLE_STATISTIC_TRACK_E_COURSE_ACCESS
+     * @throws ViewException
+     */
+    public function calendarLogins()
+    {
+        $form = new FormValidator(
+            'search',
+            'post',
+            api_get_self().'?'.api_get_cidreq().'&action=calendar_logins'
+        );
+        $form->addDateRangePicker('range', get_lang('Range'));
+        $form->add_button('submit', get_lang('submit'));
+        $table = null;
+
+        if ($form->validate()) {
+            $values = $form->getSubmitValues();
+
+            $startDate = api_get_utc_datetime($values['range_start']);
+            $endDate = api_get_utc_datetime($values['range_end']);
+
+            $attendance = new Attendance();
+            $table = $attendance->getAttendanceLogins($startDate, $endDate);
+        }
+
+        $data = array(
+            'form' => $form->return_form(),
+            'table' => $table
+        );
+        $this->view->set_data($data);
+        $this->view->set_layout('layout');
+        $this->view->set_template('calendar_logins');
+        $this->view->render();
+    }
 }
diff --git a/main/attendance/attendance_list.php b/main/attendance/attendance_list.php
index f871895e89..772b548abe 100755
--- a/main/attendance/attendance_list.php
+++ b/main/attendance/attendance_list.php
@@ -16,7 +16,12 @@ if (api_is_allowed_to_edit(null, true)) {
         $param_gradebook = '&gradebook='.Security::remove_XSS($_SESSION['gradebook']);
     }
     echo '<div class="actions">';
-    echo '<a href="index.php?'.api_get_cidreq().$param_gradebook.'&action=attendance_add">'.Display::return_icon('new_attendance_list.png',get_lang('CreateANewAttendance'),'',ICON_SIZE_MEDIUM).'</a>';
+    echo '<a href="index.php?'.api_get_cidreq().$param_gradebook.'&action=attendance_add">'.
+        Display::return_icon('new_attendance_list.png',get_lang('CreateANewAttendance'),'',ICON_SIZE_MEDIUM).'</a>';
+
+    echo '<a href="index.php?'.api_get_cidreq().$param_gradebook.'&action=calendar_logins">'.
+        Display::return_icon('attendance_list.png',get_lang('Logins'),'',ICON_SIZE_MEDIUM).'</a>';
+
     echo '</div>';
 }
 $attendance = new Attendance();
diff --git a/main/attendance/calendar_logins.php b/main/attendance/calendar_logins.php
new file mode 100644
index 0000000000..bfb44b1705
--- /dev/null
+++ b/main/attendance/calendar_logins.php
@@ -0,0 +1,11 @@
+<?php
+/* For licensing terms, see /license.txt */
+
+// See AttendanceController::calendarLogins function
+echo '<div class="actions">';
+echo '<a href="index.php?'.api_get_cidreq().'&action=calendar_list='.$param_gradebook.'">'.
+    Display::return_icon('back.png',get_lang('AttendanceCalendar'),'',ICON_SIZE_MEDIUM).'</a>';
+echo '</div>';
+
+echo $form;
+echo $table;
diff --git a/main/attendance/index.php b/main/attendance/index.php
index 12c6bab4b6..94f2b69917 100755
--- a/main/attendance/index.php
+++ b/main/attendance/index.php
@@ -48,7 +48,8 @@ $actions = array(
     'attendance_delete_select',
     'attendance_restore',
     'attendance_sheet_export_to_pdf',
-    'attendance_sheet_list_no_edit'
+    'attendance_sheet_list_no_edit',
+    'calendar_logins'
 );
 
 $actions_calendar = array(
@@ -303,6 +304,11 @@ switch ($action) {
     case 'calendar_list' :
         $attendance_controller->attendance_calendar($action, $attendance_id, $calendar_id);
         break;
+    case 'calendar_logins':
+        if (api_is_allowed_to_edit(null, true)) {
+            $attendance_controller->calendarLogins();
+        }
+        break;
     default :
         $attendance_controller->attendance_list();
 }
diff --git a/main/inc/lib/attendance.lib.php b/main/inc/lib/attendance.lib.php
index 4eb5cef78a..d09a875ec1 100755
--- a/main/inc/lib/attendance.lib.php
+++ b/main/inc/lib/attendance.lib.php
@@ -1483,4 +1483,101 @@ class Attendance
 	{
 		return $this->attendance_weight;
 	}
+
+	/**
+	 * @param string $startDate in UTC time
+	 * @param string $endDate in UTC time
+	 *
+	 * @return string
+	 */
+	public function getAttendanceLogins($startDate, $endDate)
+	{
+		$sessionId = api_get_session_id();
+		$courseCode  = api_get_course_id();
+		if (!empty($sessionId)) {
+			$users = CourseManager:: get_user_list_from_course_code(
+				$courseCode,
+				$sessionId,
+				'',
+				'lastname'
+			);
+		} else {
+			$users = CourseManager:: get_user_list_from_course_code(
+				$courseCode,
+				0,
+				'',
+				'lastname'
+			);
+		}
+
+		$dateTimeStartOriginal = new DateTime($startDate);
+		$dateTimeStart = new DateTime($startDate);
+		$dateTimeEnd= new DateTime($endDate);
+		$interval = $dateTimeStart->diff($dateTimeEnd);
+		$days = intval($interval->format('%a'));
+
+		$dateList = array($dateTimeStart->format('Y-m-d'));
+		$headers = array(
+			get_lang('User'),
+			$dateTimeStart->format('Y-m-d')
+		);
+
+		for ($i = 0; $i < $days; $i++) {
+			$dateTimeStart = $dateTimeStart->add(new DateInterval('P1D'));
+			$date = $dateTimeStart->format('Y-m-d');
+			$dateList[] = $date;
+			$headers[] = $date;
+		}
+
+		$accessData = CourseManager::getCourseAccessPerCourseAndSession(
+			$courseCode,
+			$sessionId,
+			$dateTimeStartOriginal->format('Y-m-d H:i:s'),
+			$dateTimeEnd->format('Y-m-d H:i:s')
+		);
+
+		$results = array();
+		if (!empty($accessData)) {
+			foreach ($accessData as $data) {
+				$onlyDate = substr($data['login_course_date'], 0, 10);
+				$results[$data['user_id']][$onlyDate] = true;
+			}
+		}
+
+		$table = new HTML_Table(array('class' => 'data_table'));
+		$row = 0;
+		$column = 0;
+		foreach ($headers as $header) {
+			$table->setHeaderContents($row, $column, $header);
+			$column++;
+		}
+		$row = 1;
+		foreach ($users as $user) {
+			$table->setCellContents(
+				$row,
+				0,
+				$user['lastname'].' '.$user['firstname'].' ('.$user['username'].')'
+			);
+			$row ++;
+		}
+
+		$column = 1;
+		$row = 1;
+		foreach ($users as $user) {
+			foreach ($dateList as $date) {
+				$status = null;
+				if (isset($results[$user['user_id']]) &&
+					isset($results[$user['user_id']][$date])
+				) {
+					$status = 'X';
+				}
+				$table->setCellContents($row, $column, $status);
+				$column++;
+			}
+			$row++;
+			$column = 1;
+		}
+
+		return $table->toHtml();
+	}
 }
diff --git a/main/inc/lib/course.lib.php b/main/inc/lib/course.lib.php
index a57e70b365..fcba4c1fa8 100755
--- a/main/inc/lib/course.lib.php
+++ b/main/inc/lib/course.lib.php
@@ -1382,7 +1382,6 @@ class CourseManager
 
         // if the $order_by does not contain 'ORDER BY' we have to check if it is a valid field that can be sorted on
         if (!strstr($order_by,'ORDER BY')) {
-            $order_by = Database::escape_string($order_by);
             if (!empty($order_by)) {
                 $order_by = 'ORDER BY '.$order_by;
             } else {
@@ -1415,7 +1414,6 @@ class CourseManager
             if (SessionManager::orderCourseIsEnabled()) {
                 //$order_by = "ORDER BY position";
             }
-
         } else {
             if ($return_count) {
                 $sql = " SELECT COUNT(*) as count";
@@ -1424,9 +1422,21 @@ class CourseManager
                 }
             } else {
                 if (empty($course_code)) {
-                    $sql = 'SELECT DISTINCT course.title, course.code, course_rel_user.status as status_rel, user.user_id, course_rel_user.role, course_rel_user.tutor_id, user.*  ';
+                    $sql = 'SELECT DISTINCT
+                                course.title,
+                                course.code,
+                                course_rel_user.status as status_rel,
+                                user.user_id,
+                                course_rel_user.role,
+                                course_rel_user.tutor_id,
+                                user.*  ';
                 } else {
-                    $sql = 'SELECT DISTINCT course_rel_user.status as status_rel, user.user_id, course_rel_user.role, course_rel_user.tutor_id, user.*  ';
+                    $sql = 'SELECT DISTINCT
+                                course_rel_user.status as status_rel,
+                                user.user_id,
+                                course_rel_user.role,
+                                course_rel_user.tutor_id,
+                                user.*  ';
                 }
             }
 
@@ -1490,6 +1500,7 @@ class CourseManager
         }
 
         $sql .= ' '.$order_by.' '.$limit;
+
         $rs = Database::query($sql);
         $users = array();
 
@@ -5055,6 +5066,10 @@ class CourseManager
     public static function getCourseAccessPerSessionAndUser($sessionId, $userId, $limit = null)
     {
         $table = Database :: get_main_table(TABLE_STATISTIC_TRACK_E_COURSE_ACCESS);
+
+        $sessionId = intval($sessionId);
+        $userId = intval($userId);
+
         $sql = "SELECT * FROM $table
                 WHERE session_id = $sessionId AND user_id = $userId";
 
@@ -5067,6 +5082,38 @@ class CourseManager
         return Database::store_result($result);
     }
 
+    /**
+     * Get information from the track_e_course_access table
+     * @param string $courseCode
+     * @param int $sessionId
+     * @param string $startDate
+     * @param string $endDate
+     * @return array
+     */
+    public static function getCourseAccessPerCourseAndSession(
+        $courseCode,
+        $sessionId,
+        $startDate,
+        $endDate
+    ) {
+        $table = Database :: get_main_table(TABLE_STATISTIC_TRACK_E_COURSE_ACCESS);
+        $courseCode = Database::escape_string($courseCode);
+        $sessionId = intval($sessionId);
+        $startDate = Database::escape_string($startDate);
+        $endDate = Database::escape_string($endDate);
+
+        $sql = "SELECT * FROM $table
+                WHERE
+                    course_code = $courseCode AND
+                    session_id = $sessionId AND
+                    login_course_date BETWEEN $startDate AND $endDate
+                    ";
+
+        $result = Database::query($sql);
+
+        return Database::store_result($result);
+    }
+
     /**
      * Get login information from the track_e_course_access table, for any
      * course in the given session
@@ -5076,6 +5123,9 @@ class CourseManager
      */
     public static function getFirstCourseAccessPerSessionAndUser($sessionId, $userId)
     {
+        $sessionId = intval($sessionId);
+        $userId = intval($userId);
+
         $table = Database :: get_main_table(TABLE_STATISTIC_TRACK_E_COURSE_ACCESS);
         $sql = "SELECT * FROM $table
                 WHERE session_id = $sessionId AND user_id = $userId

From e5dd2c3c8958aacf13ab8778fb95c641e1887150 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Tue, 6 Jan 2015 10:33:42 +0100
Subject: [PATCH 15/26] Minor - format code

---
 .../lib/formvalidator/FormValidator.class.php |  8 ++++++--
 main/inc/lib/tracking.lib.php                 |  4 ++--
 main/inc/lib/userportal.lib.php               |  1 -
 main/mySpace/company_reports.php              | 20 +++++++++++++------
 4 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/main/inc/lib/formvalidator/FormValidator.class.php b/main/inc/lib/formvalidator/FormValidator.class.php
index 99e2cdff83..23d94aff11 100755
--- a/main/inc/lib/formvalidator/FormValidator.class.php
+++ b/main/inc/lib/formvalidator/FormValidator.class.php
@@ -257,8 +257,12 @@ EOT;
     }
 
     /**
-     * date_range_picker element creates 2 hidden fields
-     * elementName + "_start" elementName "_end"
+     * The "date_range_picker" element creates 2 hidden fields
+     * "elementName" + "_start"  and "elementName" + "_end"
+     * For example if the name is "range", you will have 2 new fields
+     * when executing $form->getSubmitValues()
+     * "range_start" and "range_end"
+     *
      * @param string $name
      * @param string $label
      * @param bool $required
diff --git a/main/inc/lib/tracking.lib.php b/main/inc/lib/tracking.lib.php
index 6602f0bf9b..afe68f8c0c 100755
--- a/main/inc/lib/tracking.lib.php
+++ b/main/inc/lib/tracking.lib.php
@@ -1210,8 +1210,8 @@ class Tracking
      * Calculates the time spent on the platform by a user
      * @param   int|array User id
      * @param   string type of time filter: 'last_week' or 'custom'
-     * @param   strgin  start date date('Y-m-d H:i:s')
-     * @param   strgin  end date date('Y-m-d H:i:s')
+     * @param   string  start date date('Y-m-d H:i:s')
+     * @param   string  end date date('Y-m-d H:i:s')
      * @return timestamp $nb_seconds
      */
     public static function get_time_spent_on_the_platform(
diff --git a/main/inc/lib/userportal.lib.php b/main/inc/lib/userportal.lib.php
index 382538c3a8..73924d1c81 100755
--- a/main/inc/lib/userportal.lib.php
+++ b/main/inc/lib/userportal.lib.php
@@ -1023,7 +1023,6 @@ class IndexManager
                 if ($session_category_id == 0 &&
                     isset($session_category['sessions'])
                 ) {
-
                     // Independent sessions
                     foreach ($session_category['sessions'] as $session) {
                         $session_id = $session['session_id'];
diff --git a/main/mySpace/company_reports.php b/main/mySpace/company_reports.php
index 8d36fd0c74..dc8fcd9f02 100755
--- a/main/mySpace/company_reports.php
+++ b/main/mySpace/company_reports.php
@@ -71,12 +71,20 @@ $extra_params['height'] = 'auto';
 $htmlHeadXtra[] = '<script>
 $(function() {
     '.Display::grid_js('user_course_report',  $url, $columns, $column_model, $extra_params, array(), null, true).'
-    jQuery("#user_course_report").jqGrid("navGrid","#user_course_report_pager",{view:false, edit:false, add:false, del:false, search:false, excel:true});
-    jQuery("#user_course_report").jqGrid("navButtonAdd","#user_course_report_pager",{
-           caption:"",
-           onClickButton : function () {
-               jQuery("#user_course_report").jqGrid("excelExport",{"url":"'.$url.'&export_format=xls"});
-           }
+    jQuery("#user_course_report").jqGrid("navGrid","#user_course_report_pager",{
+        view:false,
+        edit:false,
+        add:false,
+        del:false,
+        search:false,
+        excel:true
+    });
+
+    jQuery("#user_course_report").jqGrid("navButtonAdd","#user_course_report_pager", {
+       caption:"",
+       onClickButton : function () {
+           jQuery("#user_course_report").jqGrid("excelExport",{"url":"'.$url.'&export_format=xls"});
+       }
     });
 });
 </script>';

From cc515eb7f8a84c8bd74575f2aa0987b45b716c30 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Tue, 6 Jan 2015 10:33:55 +0100
Subject: [PATCH 16/26] Fixing queries

---
 main/inc/ajax/model.ajax.php | 11 +++++++++--
 main/work/work.lib.php       |  8 +++++---
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/main/inc/ajax/model.ajax.php b/main/inc/ajax/model.ajax.php
index 3a5783e11b..0ce7abb7e7 100755
--- a/main/inc/ajax/model.ajax.php
+++ b/main/inc/ajax/model.ajax.php
@@ -467,11 +467,15 @@ switch ($action) {
             }
         }
 
+        if (!in_array($sidx, array('training_hours'))) {
+            //$sidx = 'training_hours';
+        }
+
         $result = CourseManager::get_user_list_from_course_code(
             null,
             null,
             "LIMIT $start, $limit",
-            " $sidx $sord",
+            null, //" $sidx $sord",
             null,
             null,
             true,
@@ -509,7 +513,9 @@ switch ($action) {
                 $column_names[] = $extra['3'];
             }
         }
-
+        if (!in_array($sidx, array('title'))) {
+            $sidx = 'title';
+        }
         $result = CourseManager::get_user_list_from_course_code(
             null,
             null,
@@ -682,6 +688,7 @@ switch ($action) {
         $columns = array(
             'student', 'works'
         );
+
         $result = getWorkUserListData(
             $workId,
             api_get_course_id(),
diff --git a/main/work/work.lib.php b/main/work/work.lib.php
index bf2142d353..4a93b0d9db 100755
--- a/main/work/work.lib.php
+++ b/main/work/work.lib.php
@@ -4692,15 +4692,17 @@ function getWorkUserList($courseCode, $sessionId, $groupId, $start, $limit, $sid
     } else {
         $limitString = null;
         if (!empty($start) && !empty($limit)) {
+            $start = intval($start);
+            $limit = intval($limit);
             $limitString = " LIMIT $start, $limit";
         }
 
         $orderBy = null;
 
         if (!empty($sidx) && !empty($sord)) {
-            $sidx = Database::escape_string($sidx);
-            $sord = Database::escape_string($sord);
-            $orderBy = "ORDER BY $sidx $sord";
+            if (in_array($sidx, array('firstname', 'lastname'))) {
+                $orderBy = "ORDER BY $sidx $sord";
+            }
         }
 
         if (empty($sessionId)) {

From d9a6fc7d5a02858e5a5dc0469ed219ee18b0521c Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Tue, 6 Jan 2015 10:53:30 +0100
Subject: [PATCH 17/26] If user selects overwrite then we overwrite the file
 see BT#9235

---
 main/inc/lib/fileUpload.lib.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/main/inc/lib/fileUpload.lib.php b/main/inc/lib/fileUpload.lib.php
index ec44761706..e92c1cfda9 100755
--- a/main/inc/lib/fileUpload.lib.php
+++ b/main/inc/lib/fileUpload.lib.php
@@ -357,7 +357,7 @@ function handle_uploaded_document(
             );
 
             // This means that the path already exists in this course.
-            if (!empty($documentList)) {
+            if (!empty($documentList) && $whatIfFileExists != 'overwrite') {
                 //$found = false;
                 // Checking if we are talking about the same course + session
                 /*foreach ($documentList as $document) {
@@ -378,6 +378,7 @@ function handle_uploaded_document(
                 case 'overwrite':
                     // Check if the target file exists, so we can give another message
                     $fileExists = file_exists($fullPath);
+
                     if (moveUploadedFile($uploadedFile, $fullPath)) {
                         chmod($fullPath, $filePermissions);
 

From 956475f2e3fc052fdff11258201cafd56c2bb6ae Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Wed, 7 Jan 2015 12:32:35 +0100
Subject: [PATCH 18/26] Minor - format code.

---
 .../classes/CourseArchiver.class.php          | 19 +++++---
 .../classes/CourseCopyLearnpath.class.php     | 44 ++++++++++++++++---
 .../classes/CourseCopyTestCategory.php        |  3 +-
 .../classes/CourseDescription.class.php       | 11 +++--
 4 files changed, 60 insertions(+), 17 deletions(-)

diff --git a/main/coursecopy/classes/CourseArchiver.class.php b/main/coursecopy/classes/CourseArchiver.class.php
index 80d128de43..0b958857c2 100755
--- a/main/coursecopy/classes/CourseArchiver.class.php
+++ b/main/coursecopy/classes/CourseArchiver.class.php
@@ -1,5 +1,4 @@
 <?php
-
 /* For licensing terms, see /license.txt */
 
 require_once 'Course.class.php';
@@ -22,7 +21,10 @@ class CourseArchiver
         $dir = api_get_path(SYS_ARCHIVE_PATH);
         if ($handle = @ opendir($dir)) {
             while (($file = readdir($handle)) !== false) {
-                if ($file != "." && $file != ".." && strpos($file, 'CourseArchiver_') === 0 && is_dir($dir . '/' . $file)) {
+                if ($file != "." && $file != ".." &&
+                    strpos($file, 'CourseArchiver_') === 0 &&
+                    is_dir($dir . '/' . $file)
+                ) {
                     rmdirr($dir . '/' . $file);
                 }
             }
@@ -152,15 +154,20 @@ class CourseArchiver
                     $course_code = $file_parts[1];
                     $file_parts = explode('.', $file_parts[2]);
                     $date = $file_parts[0];
-                    $ext = $file_parts[1];
+                    $ext = isset($file_parts[1]) ? $file_parts[1] : null;
                     if ($ext == 'zip' && ($user_id != null && $owner_id == $user_id || $user_id == null)) {
                         $date = substr($date, 0, 4) . '-' . substr($date, 4, 2) . '-' . substr($date, 6, 2) . ' ' . substr($date, 9, 2) . ':' . substr($date, 11, 2) . ':' . substr($date, 13, 2);
-                        $backup_files[] = array('file' => $file, 'date' => $date, 'course_code' => $course_code);
+                        $backup_files[] = array(
+                            'file' => $file,
+                            'date' => $date,
+                            'course_code' => $course_code
+                        );
                     }
                 }
             }
             closedir($dir);
         }
+
         return $backup_files;
     }
 
@@ -174,8 +181,10 @@ class CourseArchiver
         $new_dir = api_get_path(SYS_ARCHIVE_PATH);
         if (is_dir($new_dir) && is_writable($new_dir)) {
             move_uploaded_file($file, api_get_path(SYS_ARCHIVE_PATH).$new_filename);
+
             return $new_filename;
         }
+
         return false;
     }
 
@@ -218,7 +227,7 @@ class CourseArchiver
             return new Course();
         }
         $course->backup_path = $unzip_dir;
+
         return $course;
     }
-
 }
diff --git a/main/coursecopy/classes/CourseCopyLearnpath.class.php b/main/coursecopy/classes/CourseCopyLearnpath.class.php
index b87da7798d..813574f0b1 100755
--- a/main/coursecopy/classes/CourseCopyLearnpath.class.php
+++ b/main/coursecopy/classes/CourseCopyLearnpath.class.php
@@ -1,11 +1,13 @@
 <?php
 /* For licensing terms, see /license.txt */
+
 /**
- * A learnpath
+ * Class CourseCopyLearnpath
  * @author Bart Mollet <bart.mollet@hogent.be>
  * @package chamilo.backup
  */
-class CourseCopyLearnpath extends Resource {
+class CourseCopyLearnpath extends Resource
+{
 	/**
 	 * Type of learnpath (can be dokeos (1), scorm (2), aicc (3))
 	 */
@@ -106,9 +108,35 @@ class CourseCopyLearnpath extends Resource {
 	 * @param string $visibility
 	 * @param array  $items
 	 */
-	function CourseCopyLearnpath($id,$type,$name, $path,$ref,$description,$content_local,$default_encoding,$default_view_mode,$prevent_reinit,$force_commit,
-	                             $content_maker, $display_order,$js_lib,$content_license,$debug, $visibility, $author, $preview_image,
-	                             $use_max_score, $autolunch, $created_on, $modified_on, $publicated_on, $expired_on, $session_id, $items) {
+	public function CourseCopyLearnpath(
+		$id,
+		$type,
+		$name,
+		$path,
+		$ref,
+		$description,
+		$content_local,
+		$default_encoding,
+		$default_view_mode,
+		$prevent_reinit,
+		$force_commit,
+		$content_maker,
+		$display_order,
+		$js_lib,
+		$content_license,
+		$debug,
+		$visibility,
+		$author,
+		$preview_image,
+		$use_max_score,
+		$autolunch,
+		$created_on,
+		$modified_on,
+		$publicated_on,
+		$expired_on,
+		$session_id,
+		$items
+	) {
 		parent::Resource($id,RESOURCE_LEARNPATH);
 		$this->lp_type = $type;
 		$this->name = $name;
@@ -147,6 +175,7 @@ class CourseCopyLearnpath extends Resource {
 	{
 		return $this->items;
 	}
+
 	/**
 	 * Check if a given resource is used as an item in this chapter
 	 */
@@ -154,13 +183,14 @@ class CourseCopyLearnpath extends Resource {
 	{
 		foreach ($this->items as $item) {
 			if ($item['id'] == $resource->get_id() &&
-                isset($item['type']) && $item['type'] == $resource->get_type()
-            ) {
+				isset($item['type']) && $item['type'] == $resource->get_type()
+			) {
 				return true;
 			}
 		}
 		return false;
 	}
+
 	/**
 	 * Show this learnpath
 	 */
diff --git a/main/coursecopy/classes/CourseCopyTestCategory.php b/main/coursecopy/classes/CourseCopyTestCategory.php
index 72f38e5c76..5b3efa70f3 100755
--- a/main/coursecopy/classes/CourseCopyTestCategory.php
+++ b/main/coursecopy/classes/CourseCopyTestCategory.php
@@ -34,7 +34,8 @@ class CourseCopyTestcategory extends Resource
     /**
      * Show the test_category title, used in the partial recycle_course.php form
      */
-    function show() {
+    function show()
+    {
         parent::show();
         echo $this->title;
     }
diff --git a/main/coursecopy/classes/CourseDescription.class.php b/main/coursecopy/classes/CourseDescription.class.php
index 8401cc23cf..42946b7aa2 100755
--- a/main/coursecopy/classes/CourseDescription.class.php
+++ b/main/coursecopy/classes/CourseDescription.class.php
@@ -21,24 +21,27 @@ class CourseDescription extends Resource
 	/**
 	 * The description type
 	 */
-	var $description_type;	
+	var $description_type;
 	/**
 	 * Create a new course description
 	 * @param int $id
 	 * @param string $title
 	 * @param string $content
 	 */
-	function __construct($id,$title,$content,$description_type) {
+	function __construct($id,$title,$content,$description_type)
+	{
 		parent::Resource($id,RESOURCE_COURSEDESCRIPTION);
 		$this->title = $title;
 		$this->content = $content;
 		$this->description_type = $description_type;
 	}
+
 	/**
 	 * Show this Event
 	 */
-	function show() {
+	function show()
+	{
 		parent::show();
 		echo $this->title;
 	}
-}
\ No newline at end of file
+}

From ef1dc064ea934ad27f4972d223de8420c3c42854 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Thu, 8 Jan 2015 13:03:42 +0100
Subject: [PATCH 19/26] Adding export certificates by user list see #9250

---
 main/admin/export_certificates.php            | 74 +++++++++++++++
 .../gradebook_display_certificate.php         | 47 +---------
 main/gradebook/lib/be/category.class.php      | 94 +++++++++++++++++--
 .../gradebook/lib/gradebook_functions.inc.php | 46 +++++++--
 4 files changed, 203 insertions(+), 58 deletions(-)
 create mode 100644 main/admin/export_certificates.php

diff --git a/main/admin/export_certificates.php b/main/admin/export_certificates.php
new file mode 100644
index 0000000000..e617a957a6
--- /dev/null
+++ b/main/admin/export_certificates.php
@@ -0,0 +1,74 @@
+<?php
+
+/* For licensing terms, see /license.txt */
+
+/**
+ *  @package chamilo.admin
+ */
+
+// Language files that need to be included.
+$language_file = array('admin');
+
+$cidReset = true;
+
+require_once '../inc/global.inc.php';
+
+require_once api_get_path(SYS_CODE_PATH).'gradebook/lib/be.inc.php';
+require_once api_get_path(SYS_CODE_PATH).'gradebook/lib/gradebook_functions.inc.php';
+
+Display::display_header(null);
+
+$form = new FormValidator('export_certificate');
+$courses = CourseManager::get_courses_list(0, 0, 'title');
+$options = array();
+foreach ($courses as $course) {
+    $options[$course['id']] = $course['title'];
+}
+$form->addElement('select', 'course', get_lang('Course'), $options);
+$form->addElement('file', 'file', get_lang('File'));
+$form->add_button('submit', get_lang('Submit'));
+$form->display();
+
+if ($form->validate()) {
+    $values = $form->getSubmitValues();
+    if (isset($_FILES['file']['tmp_name']) &&
+        !empty($_FILES['file']['tmp_name'])
+    ) {
+
+        $users = Import::csv_reader($_FILES['file']['tmp_name']);
+        $courseId = $values['course'];
+        $courseInfo = api_get_course_info_by_id($courseId);
+        $courseCode = $courseInfo['code'];
+
+        $cats = Category:: load(
+            null,
+            null,
+            $courseCode,
+            null,
+            null,
+            0,
+            false
+        );
+
+        if (isset($cats[0])) {
+            /** @var Category $cat */
+            $userList = array();
+            foreach ($users as $user) {
+                $userInfo = api_get_user_info_from_official_code(
+                    $user['official_code']
+                );
+                if (!empty($userInfo)) {
+                    $userList[] = $userInfo;
+                }
+            }
+
+            Category::exportAllCertificates(
+                $cat->get_id(),
+                $userList
+            );
+        }
+    }
+
+}
+
+Display :: display_footer();
diff --git a/main/gradebook/gradebook_display_certificate.php b/main/gradebook/gradebook_display_certificate.php
index 2365fbf085..971dd5dba8 100755
--- a/main/gradebook/gradebook_display_certificate.php
+++ b/main/gradebook/gradebook_display_certificate.php
@@ -37,54 +37,15 @@ $cat_id = isset($_GET['cat_id']) ? (int)$_GET['cat_id'] : null;
 $action = isset($_GET['action']) && $_GET['action'] ? $_GET['action'] : null;
 switch ($action) {
     case 'export_all_certificates':
-        $params['orientation'] = 'landscape';
-        $params['left'] = 0;
-        $params['right'] = 0;
-        $params['top'] = 0;
-        $params['bottom'] = 0;
-        $page_format = $params['orientation'] == 'landscape' ? 'A4-L' : 'A4';
-        $pdf = new PDF($page_format, $params['orientation'], $params);
-
-        $certificate_list = get_list_users_certificates($cat_id);
-        $certificate_path_list = array();
-
-        if (!empty($certificate_list)) {
-            foreach ($certificate_list as $index=>$value) {
-                $list_certificate = get_list_gradebook_certificates_by_user_id($value['user_id'], $cat_id);
-                foreach ($list_certificate as $value_certificate) {
-                    $certificate_obj = new Certificate($value_certificate['id']);
-                    $certificate_obj->generate(array('hide_print_button' => true));
-                    if ($certificate_obj->html_file_is_generated()) {
-                        $certificate_path_list[]= $certificate_obj->html_file;
-                    }
-                }
-            }
-        }
-        if (!empty($certificate_path_list)) {
-            // Print certificates (without the common header/footer/watermark
-            //  stuff) and return as one multiple-pages PDF
-            $pdf->html_to_pdf($certificate_path_list, get_lang('Certificates'), null, false, false);
-        }
+        Category::exportAllCertificates($cat_id);
         break;
     case 'generate_all_certificates':
         $user_list = CourseManager::get_user_list_from_course_code(api_get_course_id(), api_get_session_id());
-        if (!empty($user_list)) {
-            foreach ($user_list as $user_info) {
-                Category::register_user_certificate($cat_id, $user_info['user_id']);
-            }
-        }
+        Category::generateCertificatesInUserList($cat_id, $user_list);
         break;
     case 'delete_all_certificates':
-        $certificate_list = get_list_users_certificates($cat_id);
-        if (!empty($certificate_list)) {
-            foreach ($certificate_list as $index=>$value) {
-                $list_certificate = get_list_gradebook_certificates_by_user_id($value['user_id'], $cat_id);
-                foreach ($list_certificate as $value_certificate) {
-                    $certificate_obj = new Certificate($value_certificate['id']);
-                    $certificate_obj->delete(true);
-                }
-            }
-        }
+        Category::deleteAllCertificates($cat_id);
+
         break;
 }
 
diff --git a/main/gradebook/lib/be/category.class.php b/main/gradebook/lib/be/category.class.php
index 81734e6fed..4847165488 100755
--- a/main/gradebook/lib/be/category.class.php
+++ b/main/gradebook/lib/be/category.class.php
@@ -29,8 +29,6 @@ class Category implements GradebookItem
     {
     }
 
-    // GETTERS AND SETTERS
-
     public function get_id()
     {
         return $this->id;
@@ -1456,12 +1454,11 @@ class Category implements GradebookItem
     public function getCategories($catId)
     {
         $tblGradeCategories = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
-        $courseInfo = api_get_course_info(api_get_course_id());
-        $courseCode = $courseInfo['code'];
         $sql='SELECT * FROM '.$tblGradeCategories.' WHERE parent_id = '.intval($catId);
 
         $result = Database::query($sql);
         $allcats = Category::create_category_objects_from_sql_result($result);
+
         return $allcats;
     }
 
@@ -1614,10 +1611,17 @@ class Category implements GradebookItem
         // A student always sees only the teacher's repartition
         $scoretotal_display = $scoredisplay->display_score($scoretotal, SCORE_DIV_PERCENT);
 
-        if (isset($certificate_min_score) && $item_total_value >= $certificate_min_score) {
+        if (isset($certificate_min_score) &&
+            $item_total_value >= $certificate_min_score
+        ) {
             $my_certificate = get_certificate_by_user_id($cats_course[0]->get_id(), $user_id);
             if (empty($my_certificate)) {
-                register_user_info_about_certificate($category_id, $user_id, $my_score_in_gradebook, api_get_utc_datetime());
+                register_user_info_about_certificate(
+                    $category_id,
+                    $user_id,
+                    $my_score_in_gradebook,
+                    api_get_utc_datetime()
+                );
                 $my_certificate = get_certificate_by_user_id($cats_course[0]->get_id(), $user_id);
             }
             $html = array();
@@ -1656,4 +1660,82 @@ class Category implements GradebookItem
             return false;
         }
     }
+
+    /**
+     * @param int $catId
+     * @param array $userList
+     */
+    public static function generateCertificatesInUserList($catId, $userList)
+    {
+        if (!empty($userList)) {
+            foreach ($userList as $userInfo) {
+                self::register_user_certificate($catId, $userInfo['user_id']);
+            }
+        }
+    }
+
+    /**
+     * @param int $catId
+     * @param array $userList
+     */
+    public static function exportAllCertificates(
+        $catId,
+        $userList = array()
+    ) {
+        $params['orientation'] = 'landscape';
+        $params['left'] = 0;
+        $params['right'] = 0;
+        $params['top'] = 0;
+        $params['bottom'] = 0;
+        $page_format = $params['orientation'] == 'landscape' ? 'A4-L' : 'A4';
+        $pdf = new PDF($page_format, $params['orientation'], $params);
+
+        $certificate_list = get_list_users_certificates($catId, $userList);
+        $certificate_path_list = array();
+
+        if (!empty($certificate_list)) {
+            foreach ($certificate_list as $index=>$value) {
+                $list_certificate = get_list_gradebook_certificates_by_user_id(
+                    $value['user_id'],
+                    $catId
+                );
+                foreach ($list_certificate as $value_certificate) {
+                    $certificate_obj = new Certificate($value_certificate['id']);
+                    $certificate_obj->generate(array('hide_print_button' => true));
+                    if ($certificate_obj->html_file_is_generated()) {
+                        $certificate_path_list[]= $certificate_obj->html_file;
+                    }
+                }
+            }
+        }
+
+        if (!empty($certificate_path_list)) {
+            // Print certificates (without the common header/footer/watermark
+            //  stuff) and return as one multiple-pages PDF
+            $pdf->html_to_pdf(
+                $certificate_path_list,
+                get_lang('Certificates'),
+                null,
+                false,
+                false
+            );
+        }
+    }
+
+    /**
+     * @param int $catId
+     */
+    public static function deleteAllCertificates($catId)
+    {
+        $certificate_list = get_list_users_certificates($catId);
+        if (!empty($certificate_list)) {
+            foreach ($certificate_list as $index=>$value) {
+                $list_certificate = get_list_gradebook_certificates_by_user_id($value['user_id'], $catId);
+                foreach ($list_certificate as $value_certificate) {
+                    $certificate_obj = new Certificate($value_certificate['id']);
+                    $certificate_obj->delete(true);
+                }
+            }
+        }
+    }
 }
diff --git a/main/gradebook/lib/gradebook_functions.inc.php b/main/gradebook/lib/gradebook_functions.inc.php
index af228625ac..80a8250fe7 100755
--- a/main/gradebook/lib/gradebook_functions.inc.php
+++ b/main/gradebook/lib/gradebook_functions.inc.php
@@ -224,14 +224,14 @@ function build_edit_icons_cat($cat, $selectcat)
                 if ($cat->is_locked()) {
                     if (api_is_platform_admin()) {
                         $modify_icons .= '&nbsp;<a onclick="javascript:if (!confirm(\'' . addslashes(get_lang('ConfirmToUnlockElement')) . '\')) return false;" href="' . api_get_self() . '?' . api_get_cidreq() . '&category_id=' . $cat->get_id() . '&action=unlock">' .
-                                Display::return_icon('lock.png', get_lang('UnLockEvaluation'), '', ICON_SIZE_SMALL) . '</a>';
+                            Display::return_icon('lock.png', get_lang('UnLockEvaluation'), '', ICON_SIZE_SMALL) . '</a>';
                     } else {
                         $modify_icons .= '&nbsp;<a href="#">' . Display::return_icon('lock_na.png', get_lang('GradebookLockedAlert'), '', ICON_SIZE_SMALL) . '</a>';
                     }
                     $modify_icons .= '&nbsp;<a href="gradebook_flatview.php?export_pdf=category&selectcat=' . $cat->get_id() . '" >' . Display::return_icon('pdf.png', get_lang('ExportToPDF'), '', ICON_SIZE_SMALL) . '</a>';
                 } else {
                     $modify_icons .= '&nbsp;<a onclick="javascript:if (!confirm(\'' . addslashes(get_lang('ConfirmToLockElement')) . '\')) return false;" href="' . api_get_self() . '?' . api_get_cidreq() . '&category_id=' . $cat->get_id() . '&action=lock">' .
-                            Display::return_icon('unlock.png', get_lang('LockEvaluation'), '', ICON_SIZE_SMALL) . '</a>';
+                        Display::return_icon('unlock.png', get_lang('LockEvaluation'), '', ICON_SIZE_SMALL) . '</a>';
                     $modify_icons .= '&nbsp;<a href="#" >' . Display::return_icon('pdf_na.png', get_lang('ExportToPDF'), '', ICON_SIZE_SMALL) . '</a>';
                     //$modify_icons .= '&nbsp;<a href="gradebook_flatview.php?export_pdf=category&selectcat=' . $cat->get_id() . '" >'.Display::return_icon('pdf.png', get_lang('ExportToPDF'),'',ICON_SIZE_SMALL).'</a>';
                 }
@@ -363,7 +363,7 @@ function build_edit_icons_link($link, $selectcat)
             $modify_icons = Display::return_icon('edit_na.png', get_lang('Modify'), '', ICON_SIZE_SMALL);
         } else {
             $modify_icons = '<a href="gradebook_edit_link.php?editlink=' . $link->get_id() . '&amp;cidReq=' . $link->get_course_code() . '">' .
-                    Display::return_icon('edit.png', get_lang('Modify'), '', ICON_SIZE_SMALL) . '</a>';
+                Display::return_icon('edit.png', get_lang('Modify'), '', ICON_SIZE_SMALL) . '</a>';
         }
 
         //$modify_icons .= '&nbsp;<a href="' . api_get_self() . '?movelink=' . $link->get_id() . '&selectcat=' . $selectcat . '"><img src="../img/deplacer_fichier.gif" border="0" title="' . get_lang('Move') . '" alt="" /></a>';
@@ -617,8 +617,8 @@ function register_user_info_about_certificate($cat_id, $user_id, $score_certific
 
 /**
  * Get date of user certificate
- * @param int The category id
- * @param int The user id
+ * @param int $cat_id The category id
+ * @param int $user_id The user id
  * @return Datetime The date when you obtained the certificate
  */
 function get_certificate_by_user_id($cat_id, $user_id)
@@ -633,10 +633,11 @@ function get_certificate_by_user_id($cat_id, $user_id)
 
 /**
  * Get list of users certificates
- * @param int The category id
+ * @param int $cat_id The category id
+ * @param array $userList Only users in this list
  * @return array
  */
-function get_list_users_certificates($cat_id = null)
+function get_list_users_certificates($cat_id = null, $userList = array())
 {
     $table_certificate = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CERTIFICATE);
     $table_user = Database::get_main_table(TABLE_MAIN_USER);
@@ -646,19 +647,26 @@ function get_list_users_certificates($cat_id = null)
     if (!is_null($cat_id) && $cat_id > 0) {
         $sql.=' WHERE cat_id=' . Database::escape_string($cat_id);
     }
+    if (!empty($userList)) {
+        $userList = array_map('intval', $userList);
+        $userListCondition = implode("','", $userList);
+        $sql .= " AND u.user_id IN ('$userListCondition')";
+    }
     $sql.=' ORDER BY u.firstname';
     $rs = Database::query($sql);
+
     $list_users = array();
     while ($row = Database::fetch_array($rs)) {
         $list_users[] = $row;
     }
+
     return $list_users;
 }
 
 /**
  * Gets the certificate list by user id
- * @param int The user id
- * @param int The category id
+ * @param int $user_id The user id
+ * @param int $cat_id The category id
  * @return array
  */
 function get_list_gradebook_certificates_by_user_id($user_id, $cat_id = null)
@@ -679,6 +687,13 @@ function get_list_gradebook_certificates_by_user_id($user_id, $cat_id = null)
     return $list_certificate;
 }
 
+/**
+ * @param $user_id
+ * @param $course_code
+ * @param bool $is_preview
+ * @param bool $hide_print_button
+ * @return array
+ */
 function get_user_certificate_content($user_id, $course_code, $is_preview = false, $hide_print_button = false)
 {
     // Generate document HTML
@@ -719,6 +734,11 @@ function get_user_certificate_content($user_id, $course_code, $is_preview = fals
     );
 }
 
+/**
+ * @param null $course_code
+ * @param int $gradebook_model_id
+ * @return mixed
+ */
 function create_default_course_gradebook($course_code = null, $gradebook_model_id = 0)
 {
     if (api_is_allowed_to_edit(true, true)) {
@@ -767,9 +787,13 @@ function create_default_course_gradebook($course_code = null, $gradebook_model_i
             $category_id = $row['id'];
         }
     }
+
     return $category_id;
 }
 
+/**
+ * @param FormValidator $form
+ */
 function load_gradebook_select_in_tool($form)
 {
     $course_code = api_get_course_id();
@@ -924,6 +948,10 @@ function export_pdf_flatview($flatviewtable, $cat, $users, $alleval, $alllinks,
     exit;
 }
 
+/**
+ * @param array $list_values
+ * @return string
+ */
 function score_badges($list_values)
 {
     $counter = 1;

From d36c633267b4ec66dec8e04054be2c1db0aae55f Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Thu, 8 Jan 2015 13:32:53 +0100
Subject: [PATCH 20/26] Adding certificate_filter_by_official_code see BT#9250

---
 .../gradebook_display_certificate.php         | 30 +++++++--
 main/inc/lib/usermanager.lib.php              | 62 ++++++++++++++++---
 main/install/configuration.dist.php           |  2 +
 3 files changed, 83 insertions(+), 11 deletions(-)

diff --git a/main/gradebook/gradebook_display_certificate.php b/main/gradebook/gradebook_display_certificate.php
index 971dd5dba8..5b13deccd3 100755
--- a/main/gradebook/gradebook_display_certificate.php
+++ b/main/gradebook/gradebook_display_certificate.php
@@ -45,7 +45,6 @@ switch ($action) {
         break;
     case 'delete_all_certificates':
         Category::deleteAllCertificates($cat_id);
-
         break;
 }
 
@@ -66,7 +65,7 @@ if (isset($_GET['action']) && $_GET['action'] == 'delete') {
         Security::clear_token();
         if ($result ==true) {
             Display::display_confirmation_message(get_lang('CertificateRemoved'));
-        } else  {
+        } else {
             Display::display_error_message(get_lang('CertificateNotRemoved'));
         }
     }
@@ -117,7 +116,28 @@ if (!empty($cats)) {
     }
 }
 
-$certificate_list = get_list_users_certificates($cat_id);
+$filter = api_get_configuration_value('certificate_filter_by_official_code');
+$userList = array();
+$filterForm = null;
+if ($filter) {
+    echo '<br />';
+    $options = UserManager::getOfficialCodeGrouped();
+    $form = new FormValidator(
+        'official_code',
+        'POST',
+        api_get_self().'?'.api_get_cidreq().'&cat_id='.$cat_id
+    );
+    $form->addElement('select', 'filter', get_lang('OfficialCode'), $options);
+    $form->add_button('submit', get_lang('Submit'));
+    $filterForm = '<br />'.$form->return_form();
+
+    if ($form->validate()) {
+        $officialCode = $form->getSubmitValue('filter');
+        $userList = UserManager::getUsersByOfficialCode($officialCode);
+    }
+}
+
+$certificate_list = get_list_users_certificates($cat_id, $userList);
 
 echo '<div class="btn-group">';
 $url = api_get_self().'?action=generate_all_certificates'.'&'.api_get_cidReq().'&cat_id='.$cat_id;
@@ -132,7 +152,9 @@ if (count($certificate_list) > 0) {
 }
 echo '</div>';
 
-if (count($certificate_list)==0) {
+echo $filterForm;
+
+if (count($certificate_list) == 0 ) {
     echo Display::display_warning_message(get_lang('NoResultsAvailable'));
 } else {
 
diff --git a/main/inc/lib/usermanager.lib.php b/main/inc/lib/usermanager.lib.php
index e9721d696a..98b5f78111 100755
--- a/main/inc/lib/usermanager.lib.php
+++ b/main/inc/lib/usermanager.lib.php
@@ -3557,7 +3557,7 @@ class UserManager
     }
 
     /**
-     * Returns a list of all admninistrators
+     * Returns a list of all administrators
      * @author jmontoya
      * @return array
      */
@@ -3568,13 +3568,18 @@ class UserManager
         $tbl_url_rel_user = Database::get_main_table(TABLE_MAIN_ACCESS_URL_REL_USER);
         $access_url_id = api_get_current_access_url_id();
         if (api_get_multiple_access_url()) {
-            $access_url_id = api_get_current_access_url_id();
-            $sql = "SELECT admin.user_id, username, firstname, lastname, email FROM $tbl_url_rel_user as url INNER JOIN $table_admin as admin
-                                 ON (admin.user_id=url.user_id) INNER JOIN $table_user u ON (u.user_id=admin.user_id)
-                                 WHERE access_url_id ='".$access_url_id."'";
+            $sql = "SELECT admin.user_id, username, firstname, lastname, email
+                    FROM $tbl_url_rel_user as url
+                    INNER JOIN $table_admin as admin
+                    ON (admin.user_id=url.user_id)
+                    INNER JOIN $table_user u
+                    ON (u.user_id=admin.user_id)
+                    WHERE access_url_id ='".$access_url_id."'";
         } else {
-            $sql = "SELECT admin.user_id, username, firstname, lastname, email FROM $table_admin as admin
-                    INNER JOIN $table_user u ON (u.user_id=admin.user_id)";
+            $sql = "SELECT admin.user_id, username, firstname, lastname, email
+                    FROM $table_admin as admin
+                    INNER JOIN $table_user u
+                    ON (u.user_id=admin.user_id)";
         }
         $result = Database::query($sql);
         $return = array();
@@ -3583,6 +3588,7 @@ class UserManager
                 $return[$row['user_id']] = $row;
             }
         }
+
         return $return;
     }
 
@@ -4899,4 +4905,46 @@ EOF;
             Database::query($sql);
         }
     }
+
+    /**
+     * @return array
+     */
+    public static function getOfficialCodeGrouped()
+    {
+        $user = Database::get_main_table(TABLE_MAIN_USER);
+        $sql = "SELECT DISTINCT official_code
+                FROM $user
+                GROUP BY official_code";
+        $result = Database::query($sql);
+
+        $values = Database::store_result($result, 'ASSOC');
+
+        $result = array();
+        foreach ($values as $value) {
+            $result[$value['official_code']] = $value['official_code'];
+        }
+        return $result;
+    }
+
+    /**
+     * @param string $officialCode
+     * @return array
+     */
+    public static function getUsersByOfficialCode($officialCode)
+    {
+        $user = Database::get_main_table(TABLE_MAIN_USER);
+        $officialCode = Database::escape_string($officialCode);
+
+        $sql = "SELECT DISTINCT user_id
+                FROM $user
+                WHERE official_code = $officialCode
+                ";
+        $result = Database::query($sql);
+
+        $users = array();
+        while ($row = Database::fetch_array($result)) {
+            $users[] = $row['user_id'];
+        }
+        return $users;
+    }
 }
diff --git a/main/install/configuration.dist.php b/main/install/configuration.dist.php
index 7757864e65..fe1af1e6ef 100755
--- a/main/install/configuration.dist.php
+++ b/main/install/configuration.dist.php
@@ -271,3 +271,5 @@ $_configuration['system_stable']     = NEW_VERSION_STABLE;
 //$_configuration['course_images_in_courses_list'] = false;
 // Which student publication will be taken when connected to the gradebook: first|last
 //$_configuration['student_publication_to_take_in_gradebook'] = 'first';
+// Show a filter by official code
+//$_configuration['certificate_filter_by_official_code'] = false;

From bcf4854e06d79437cef1f87b193efd40b095bf72 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Thu, 8 Jan 2015 14:21:48 +0100
Subject: [PATCH 21/26] Corrections after adding option
 certificate_filter_by_official_code

see BT#9250
---
 .../gradebook_display_certificate.php         | 41 ++++++++++++++-----
 main/inc/lib/usermanager.lib.php              |  2 +-
 2 files changed, 32 insertions(+), 11 deletions(-)

diff --git a/main/gradebook/gradebook_display_certificate.php b/main/gradebook/gradebook_display_certificate.php
index 5b13deccd3..6876ea1c7b 100755
--- a/main/gradebook/gradebook_display_certificate.php
+++ b/main/gradebook/gradebook_display_certificate.php
@@ -35,9 +35,16 @@ if (!api_is_allowed_to_edit()) {
 
 $cat_id = isset($_GET['cat_id']) ? (int)$_GET['cat_id'] : null;
 $action = isset($_GET['action']) && $_GET['action'] ? $_GET['action'] : null;
+$filterOfficialCode = isset($_POST['filter']) ? Security::remove_XSS($_POST['filter']) : null;
+$filterOfficialCodeGet = isset($_GET['filter']) ? Security::remove_XSS($_GET['filter']) : null;
+
 switch ($action) {
     case 'export_all_certificates':
-        Category::exportAllCertificates($cat_id);
+        $userList = array();
+        if (!empty($filterOfficialCodeGet)) {
+            $userList = UserManager::getUsersByOfficialCode($filterOfficialCodeGet);
+        }
+        Category::exportAllCertificates($cat_id, $userList);
         break;
     case 'generate_all_certificates':
         $user_list = CourseManager::get_user_list_from_course_code(api_get_course_id(), api_get_session_id());
@@ -50,8 +57,8 @@ switch ($action) {
 
 $course_code = api_get_course_id();
 
-$interbreadcrumb[] = array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?',	'name' => get_lang('Gradebook'));
-$interbreadcrumb[] = array ('url' => '#','name' => get_lang('GradebookListOfStudentsCertificates'));
+$interbreadcrumb[] = array('url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?',	'name' => get_lang('Gradebook'));
+$interbreadcrumb[] = array('url' => '#','name' => get_lang('GradebookListOfStudentsCertificates'));
 
 $this_section = SECTION_COURSES;
 
@@ -119,11 +126,13 @@ if (!empty($cats)) {
 $filter = api_get_configuration_value('certificate_filter_by_official_code');
 $userList = array();
 $filterForm = null;
+$certificate_list = array();
 if ($filter) {
     echo '<br />';
     $options = UserManager::getOfficialCodeGrouped();
+    $options =array_merge(array('all' => get_lang('All')), $options);
     $form = new FormValidator(
-        'official_code',
+        'official_code_filter',
         'POST',
         api_get_self().'?'.api_get_cidreq().'&cat_id='.$cat_id
     );
@@ -133,21 +142,33 @@ if ($filter) {
 
     if ($form->validate()) {
         $officialCode = $form->getSubmitValue('filter');
-        $userList = UserManager::getUsersByOfficialCode($officialCode);
+         if ($officialCode == 'all') {
+            $certificate_list = get_list_users_certificates($cat_id);
+        } else {
+             $userList = UserManager::getUsersByOfficialCode($officialCode);
+             if (!empty($userList)) {
+                 $certificate_list = get_list_users_certificates(
+                     $cat_id,
+                     $userList
+                 );
+             }
+         }
+    } else {
+        $certificate_list = get_list_users_certificates($cat_id);
     }
+} else {
+    $certificate_list = get_list_users_certificates($cat_id);
 }
 
-$certificate_list = get_list_users_certificates($cat_id, $userList);
-
 echo '<div class="btn-group">';
-$url = api_get_self().'?action=generate_all_certificates'.'&'.api_get_cidReq().'&cat_id='.$cat_id;
+$url = api_get_self().'?action=generate_all_certificates'.'&'.api_get_cidReq().'&cat_id='.$cat_id.'&filter='.$filterOfficialCode;
 echo Display::url(get_lang('GenerateCertificates'), $url, array('class' => 'btn'));
 
-$url = api_get_self().'?action=delete_all_certificates'.'&'.api_get_cidReq().'&cat_id='.$cat_id;
+$url = api_get_self().'?action=delete_all_certificates'.'&'.api_get_cidReq().'&cat_id='.$cat_id.'&filter='.$filterOfficialCode;
 echo Display::url(get_lang('DeleteAllCertificates'), $url, array('class' => 'btn'));
 
 if (count($certificate_list) > 0) {
-    $url = api_get_self().'?action=export_all_certificates'.'&'.api_get_cidReq().'&cat_id='.$cat_id;
+    $url = api_get_self().'?action=export_all_certificates'.'&'.api_get_cidReq().'&cat_id='.$cat_id.'&filter='.$filterOfficialCode;
     echo Display::url(get_lang('ExportAllCertificatesToPDF'), $url, array('class' => 'btn'));
 }
 echo '</div>';
diff --git a/main/inc/lib/usermanager.lib.php b/main/inc/lib/usermanager.lib.php
index 98b5f78111..342f1b1dad 100755
--- a/main/inc/lib/usermanager.lib.php
+++ b/main/inc/lib/usermanager.lib.php
@@ -4937,7 +4937,7 @@ EOF;
 
         $sql = "SELECT DISTINCT user_id
                 FROM $user
-                WHERE official_code = $officialCode
+                WHERE official_code = '$officialCode'
                 ";
         $result = Database::query($sql);
 

From 8d21060afaec211630fbdcd5cd660938e9b50861 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Thu, 8 Jan 2015 14:32:38 +0100
Subject: [PATCH 22/26] Changing header size.

---
 main/gradebook/lib/fe/displaygradebook.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main/gradebook/lib/fe/displaygradebook.php b/main/gradebook/lib/fe/displaygradebook.php
index 3e865d142a..fb73ceaa6f 100755
--- a/main/gradebook/lib/fe/displaygradebook.php
+++ b/main/gradebook/lib/fe/displaygradebook.php
@@ -455,7 +455,7 @@ class DisplayGradebook
                 if (!empty($certificateLinkInfo) && isset($certificateLinkInfo['certificate_link'])) {
                     $certificateLink .= '<span style="float:right"> ' . $certificateLinkInfo['certificate_link']."</span>";
                 }
-                $scoreinfo .= '<h2>' . get_lang('Total') . ' : ' . $scorecourse_display . $certificateLink. '</h2>';
+                $scoreinfo .= '<h3>' . get_lang('Total') . ' : ' . $scorecourse_display . $certificateLink. '</h3>';
 
             }
             Display :: display_normal_message($scoreinfo, false);

From eb9b9fc3f51f10b6eb9fe53b6a343d27a36625a8 Mon Sep 17 00:00:00 2001
From: robbosch <robb@zentyal.org>
Date: Fri, 9 Jan 2015 08:46:35 +0100
Subject: [PATCH 23/26] Changing UI

---
 main/gradebook/lib/be/category.class.php   | 12 +++++-------
 main/gradebook/lib/fe/displaygradebook.php |  2 +-
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/main/gradebook/lib/be/category.class.php b/main/gradebook/lib/be/category.class.php
index 4847165488..e015b8e143 100755
--- a/main/gradebook/lib/be/category.class.php
+++ b/main/gradebook/lib/be/category.class.php
@@ -1631,14 +1631,12 @@ class Category implements GradebookItem
                 if (!empty($fileWasGenerated)) {
                     $url = api_get_path(WEB_PATH) . 'certificates/index.php?id=' . $my_certificate['id'];
                     $certificates = Display::url(
-                        Display::return_icon(
-                            'certificate_download.png',
-                            get_lang('DownloadCertificate'),
-                            array(),
-                            ICON_SIZE_MEDIUM
-                        ).'&nbsp;'.get_lang('DownloadCertificate'),
+                        '&nbsp;'.get_lang('DownloadCertificate'),
                         $url,
-                        array('target' => '_blank')
+                        array(
+                            'target' => '_blank',
+                            'class' => 'btn'
+                        )
                     );
                     $exportToPDF = Display::url(
                         Display::return_icon(
diff --git a/main/gradebook/lib/fe/displaygradebook.php b/main/gradebook/lib/fe/displaygradebook.php
index fb73ceaa6f..7d7058d91c 100755
--- a/main/gradebook/lib/fe/displaygradebook.php
+++ b/main/gradebook/lib/fe/displaygradebook.php
@@ -455,7 +455,7 @@ class DisplayGradebook
                 if (!empty($certificateLinkInfo) && isset($certificateLinkInfo['certificate_link'])) {
                     $certificateLink .= '<span style="float:right"> ' . $certificateLinkInfo['certificate_link']."</span>";
                 }
-                $scoreinfo .= '<h3>' . get_lang('Total') . ' : ' . $scorecourse_display . $certificateLink. '</h3>';
+                $scoreinfo .= '<h4>' . get_lang('Total') . ' : ' . $scorecourse_display . $certificateLink. '</h4>';
 
             }
             Display :: display_normal_message($scoreinfo, false);

From b14bcb36ad2145721205145561ae9a2d024a3a36 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Fri, 9 Jan 2015 09:02:33 +0100
Subject: [PATCH 24/26] Adding option
 $_configuration['certificate_pdf_orientation']

See BT#9250
---
 main/gradebook/lib/be/category.class.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/main/gradebook/lib/be/category.class.php b/main/gradebook/lib/be/category.class.php
index e015b8e143..8a8559d48c 100755
--- a/main/gradebook/lib/be/category.class.php
+++ b/main/gradebook/lib/be/category.class.php
@@ -1680,7 +1680,13 @@ class Category implements GradebookItem
         $catId,
         $userList = array()
     ) {
+        $orientation = api_get_configuration_value('certificate_pdf_orientation');
+
         $params['orientation'] = 'landscape';
+        if (!empty($orientation)) {
+            $params['orientation'] = $orientation;
+        }
+
         $params['left'] = 0;
         $params['right'] = 0;
         $params['top'] = 0;

From 73e381620438970423d371e717ad0bb8d5667a29 Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Fri, 9 Jan 2015 12:20:14 +0100
Subject: [PATCH 25/26] Adding exercise_max_fckeditors_in_page setting see
 BT#9247

---
 main/exercice/exercise_show.php     | 34 ++++++++++++++++++++++++++---
 main/install/configuration.dist.php |  3 +++
 2 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/main/exercice/exercise_show.php b/main/exercice/exercise_show.php
index d5ff900ba4..a9cd087e99 100755
--- a/main/exercice/exercise_show.php
+++ b/main/exercice/exercise_show.php
@@ -72,6 +72,7 @@ if (api_is_course_session_coach(
     }
 }
 
+$maxEditors = isset($_configuration['exercise_max_fckeditors_in_page']) ? $_configuration['exercise_max_fckeditors_in_page'] : 0;
 $is_allowedToEdit = api_is_allowed_to_edit(null, true) || $is_courseTutor || api_is_session_admin() || api_is_drh();
 
 //Getting results from the exe_id. This variable also contain all the information about the exercise
@@ -128,6 +129,8 @@ if ($origin != 'learnpath') {
 }
 ?>
 <script>
+var maxEditors = '<?php echo intval($maxEditors); ?>';
+
 function showfck(sid,marksid) {
 	document.getElementById(sid).style.display='block';
 	document.getElementById(marksid).style.display='block';
@@ -153,8 +156,12 @@ function getFCK(vals,marksid) {
 		var oHidden = document.createElement("input");
 		oHidden.type = "hidden";
 		oHidden.name = "comments_"+ids[k];
-		oEditor = FCKeditorAPI.GetInstance(oHidden.name) ;
-		oHidden.value = oEditor.GetXHTML(true);
+        if (maxEditors == 0) {
+            oEditor = FCKeditorAPI.GetInstance(oHidden.name) ;
+            oHidden.value = oEditor.GetXHTML(true);
+        } else {
+            oHidden.value = $("textarea[name='" + oHidden.name + "']").val();
+        }
 		f.appendChild(oHidden);
 	}
 }
@@ -283,6 +290,11 @@ $counter = 1;
 $exercise_content = null;
 $category_list = array();
 
+$useAdvancedEditor = true;
+if (count($questionList) > $maxEditors) {
+    $useAdvancedEditor = false;
+}
+
 foreach ($questionList as $questionId) {
 
 	$choice = $exerciseResult[$questionId];
@@ -534,7 +546,23 @@ foreach ($questionList as $questionId) {
 			$renderer->setElementTemplate('<div align="left">{element}</div>');
 			$comnt = get_comments($id, $questionId);
 			$default = array('comments_'.$questionId =>  $comnt);
-			$feedback_form->addElement('html_editor', 'comments_'.$questionId, null, null, array('ToolbarSet' => 'TestAnswerFeedback', 'Width' => '100%', 'Height' => '120'));
+
+            if ($useAdvancedEditor) {
+                $feedback_form->addElement(
+                    'html_editor',
+                    'comments_' . $questionId,
+                    null,
+                    null,
+                    array(
+                        'ToolbarSet' => 'TestAnswerFeedback',
+                        'Width' => '100%',
+                        'Height' => '120'
+                    )
+                );
+            } else {
+                $feedback_form->addElement('textarea', 'comments_' . $questionId);
+            }
+
 			$feedback_form->addElement('html','<br>');
 			$feedback_form->setDefaults($default);
 			$feedback_form->display();
diff --git a/main/install/configuration.dist.php b/main/install/configuration.dist.php
index fe1af1e6ef..fdf1ad97ac 100755
--- a/main/install/configuration.dist.php
+++ b/main/install/configuration.dist.php
@@ -273,3 +273,6 @@ $_configuration['system_stable']     = NEW_VERSION_STABLE;
 //$_configuration['student_publication_to_take_in_gradebook'] = 'first';
 // Show a filter by official code
 //$_configuration['certificate_filter_by_official_code'] = false;
+// Max quantity of fkceditor allowed in the exercise result page otherwise
+// Textareas are used.
+//$_configuration['exercise_max_fckeditors_in_page'] = 0;

From 3bc8fd6fad15e6d92e8c1fd32e28d531c8c07d1d Mon Sep 17 00:00:00 2001
From: Julio Montoya <gugli100@gmail.com>
Date: Fri, 9 Jan 2015 13:05:27 +0100
Subject: [PATCH 26/26] Adding
 $_configuration['document_if_file_exists_option']

To set default upload option see BT#9235
---
 main/document/upload.php            | 14 ++++++++++++--
 main/inc/ajax/document.ajax.php     | 10 ++++++++--
 main/install/configuration.dist.php |  2 ++
 3 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/main/document/upload.php b/main/document/upload.php
index 9fac9327b1..6433eb96bd 100755
--- a/main/document/upload.php
+++ b/main/document/upload.php
@@ -284,7 +284,7 @@ if (api_get_setting('search_enabled') == 'true') {
 
 $form->addElement('radio', 'if_exists', get_lang('UplWhatIfFileExists'), get_lang('UplDoNothing'), 'nothing');
 $form->addElement('radio', 'if_exists', '', get_lang('UplOverwriteLong'), 'overwrite');
-$form->addElement('radio', 'if_exists', '', get_lang('UplRenameLong'), 'rename', array('checked="checked"'));
+$form->addElement('radio', 'if_exists', '', get_lang('UplRenameLong'), 'rename');
 // Close the java script and avoid the footer up
 $form->addElement('html', '</div>');
 
@@ -292,7 +292,17 @@ $form->addElement('html', '</div>');
 $form->addElement('style_submit_button', 'submitDocument', get_lang('SendDocument'), 'class="upload"');
 $form->add_real_progress_bar('DocumentUpload', 'file');
 
-$defaults = array('index_document' => 'checked="checked"');
+$fileExistsOption = api_get_configuration_value('document_if_file_exists_option');
+
+$defaultFileExistsOption = 'rename';
+if (!empty($fileExistsOption)) {
+    $defaultFileExistsOption = $fileExistsOption;
+}
+
+$defaults = array(
+    'index_document' => 'checked="checked"',
+    'if_exists' => $defaultFileExistsOption
+);
 
 $form->setDefaults($defaults);
 
diff --git a/main/inc/ajax/document.ajax.php b/main/inc/ajax/document.ajax.php
index f94be44a42..4aeb6a893d 100755
--- a/main/inc/ajax/document.ajax.php
+++ b/main/inc/ajax/document.ajax.php
@@ -25,7 +25,13 @@ switch ($action) {
             exit;
         }
 
-        $ifExists = isset($_POST['if_exists']) ? $_POST['if_exists'] : 'overwrite';
+        $fileExistsOption = api_get_configuration_value('document_if_file_exists_option');
+        $defaultFileExistsOption = 'rename';
+        if (!empty($fileExistsOption)) {
+            $defaultFileExistsOption = $fileExistsOption;
+        }
+
+        //$ifExists = isset($_POST['if_exists']) ? $_POST['if_exists'] : $defaultFileExistsOption;
 
         if (!empty($_FILES)) {
             require_once api_get_path(LIBRARY_PATH).'fileDisplay.lib.php';
@@ -36,7 +42,7 @@ switch ($action) {
                 $file['name'],
                 '', // comment
                 0,
-                $ifExists,
+                $defaultFileExistsOption,
                 false,
                 false
             );
diff --git a/main/install/configuration.dist.php b/main/install/configuration.dist.php
index fdf1ad97ac..ed362558d7 100755
--- a/main/install/configuration.dist.php
+++ b/main/install/configuration.dist.php
@@ -276,3 +276,5 @@ $_configuration['system_stable']     = NEW_VERSION_STABLE;
 // Max quantity of fkceditor allowed in the exercise result page otherwise
 // Textareas are used.
 //$_configuration['exercise_max_fckeditors_in_page'] = 0;
+// Default upload option
+//$_configuration['document_if_file_exists_option'] = 'rename'; // overwrite