Merge

16 years ago · d58773b218
parent fe19e246ab b2b976c8c7
commit d58773b218
6 changed files with 31 additions and 35 deletions
--- a/main/gradebook/gradebook_edit_all.php
+++ b/main/gradebook/gradebook_edit_all.php
@ -157,7 +157,7 @@ if ($my_api_cidreq=='') {
 }
 ?>
 <div class="actions">
-<a href="<?php echo $_SESSION['gradebook_dest'].'?id_session='.$_SESSION['id_session'].'&amp;'.$my_api_cidreq ?>&selectcat=<?php echo $category_id ?>"> <?php echo Display::return_icon('back.png',get_lang('FolderView')) . get_lang('FolderView') ?></a>
+<a href="<?php echo Security::remove_XSS($_SESSION['gradebook_dest']).'?id_session='.api_get_session_id().'&amp;'.$my_api_cidreq ?>&selectcat=<?php echo $category_id ?>"> <?php echo Display::return_icon('back.png',get_lang('FolderView')) . get_lang('FolderView') ?></a>
 </div>
 <form method="post" action="gradebook_edit_all.php?id_session=<?php echo $_SESSION['id_session'].'&amp;'.$my_api_cidreq ?>&selectcat=<?php echo $category_id?>">
 <table class="data_table">
--- a/main/gradebook/index.php
+++ b/main/gradebook/index.php
@ -714,7 +714,7 @@ if (isset ($_GET['studentoverview'])) {
 		$pdf->ezText($organization_name,22,array('justification'=>'left'));
 		$pdf->ezSetY(580);
 		$pdf->ezText($portal_name,22,array('justification'=>'right'));
-		$pdf->ezStream();
+		$pdf->ezStream();*/
 	}
 	exit;
 } else { //in any other case (no search, no pdf), print the available gradebooks
--- a/main/gradebook/lib/be/abstractlink.class.php
+++ b/main/gradebook/lib/be/abstractlink.class.php
@ -166,7 +166,7 @@ abstract class AbstractLink implements GradebookItem
 			$sql .= ' visible = '.intval($visible);
 			$paramcount ++;
 		}
-
+		
 		$result = Database::query($sql);
 		$links = AbstractLink::create_objects_from_sql_result($result);
 		return $links;
--- a/main/gradebook/lib/be/evaluation.class.php
+++ b/main/gradebook/lib/be/evaluation.class.php
@ -131,7 +131,7 @@ class Evaluation implements GradebookItem
 	public function load ($id = null, $user_id = null, $course_code = null, $category_id = null, $visible = null)
 	{
    	$tbl_grade_evaluations = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_EVALUATION);
-		$sql='SELECT id,name,description,user_id,course_code,category_id,date,weight,max,visible,type FROM '.$tbl_grade_evaluations;
+		$sql='SELECT id,name,description,user_id,course_code,category_id,created_at,weight,max,visible,type FROM '.$tbl_grade_evaluations;
 		$paramcount = 0;
 		if (isset ($id)) {
 			$sql.= ' WHERE id = '.intval($id);
@ -161,7 +161,7 @@ class Evaluation implements GradebookItem
 			$sql .= ' visible = '.intval($visible);
 			$paramcount ++;
 		}
-
+		
 		$result = Database::query($sql);
 		$alleval = Evaluation::create_evaluation_objects_from_sql_result($result);
 		return $alleval;
--- a/main/gradebook/lib/be/linkfactory.class.php
+++ b/main/gradebook/lib/be/linkfactory.class.php
@ -6,13 +6,14 @@
 // - add include
 // - change create() and get_all_types()
 // Please do not change existing values, they are used in the database !
-define('LINK_EXERCISE',		1);
-define('LINK_DROPBOX',2);
-define('LINK_STUDENTPUBLICATION',3);
-define('LINK_LEARNPATH',4);
-define('LINK_FORUM_THREAD',5);
+define('LINK_EXERCISE',				1);
+define('LINK_DROPBOX',				2);
+define('LINK_STUDENTPUBLICATION',	3);
+define('LINK_LEARNPATH',			4);
+define('LINK_FORUM_THREAD',			5);
 //define('LINK_WORK',6);
-define('LINK_ATTENDANCE',7);
+define('LINK_ATTENDANCE',			7);
+
 require_once 'gradebookitem.class.php';
 require_once 'abstractlink.class.php';
 require_once 'exerciselink.class.php';
@ -22,6 +23,7 @@ require_once 'studentpublicationlink.class.php';
 require_once 'learnpathlink.class.php';
 require_once 'forumthreadlink.class.php';
 require_once 'attendancelink.class.php';
+
 /**
 * Factory for link objects
 * @author Bert Steppé
--- a/main/gradebook/lib/gradebook_functions.inc.php
+++ b/main/gradebook/lib/gradebook_functions.inc.php
@ -1,14 +1,15 @@
 <?php
 /* For licensing terms, see /license.txt */
-/*
+
+/**
 * These are functions used in gradebook
 *
 * @author Stijn Konings <konings.stijn@skynet.be>, Hogeschool Ghent
+* @author Julio Montoya <gugli100@gmail.com> adding security functions
 * @version april 2007
 */
 require_once ('gradebook_functions_users.inc.php');

-
 /**
 * Adds a resource to the unique gradebook of a given course
 * @param   string  Course code
@ -118,7 +119,7 @@ function block_students() {
 */
 function get_course_name_from_code($code) {
 	$tbl_main_categories= Database :: get_main_table(TABLE_MAIN_COURSE);
-	$sql= 'SELECT title,code FROM ' . $tbl_main_categories . 'WHERE code = "' . $code . '"';
+	$sql= 'SELECT title, code FROM ' . $tbl_main_categories . 'WHERE code = "' . Database::escape_string($code) . '"';
 	$result= Database::query($sql);
 	if ($col= Database::fetch_array($result)) {
 		return $col['title'];
@ -235,17 +236,10 @@ function build_edit_icons_link($link, $selectcat) {
 * @return   int     false on error or link ID
 */
 function is_resource_in_course_gradebook($course_code, $resource_type, $resource_id, $session_id = 0) {
-    /* See defines in lib/be/linkfactory.class.php
-    define('LINK_EXERCISE',1);
-    define('LINK_DROPBOX',2);
-    define('LINK_STUDENTPUBLICATION',3);
-    define('LINK_LEARNPATH',4);
-    define('LINK_FORUM_THREAD',5),
-    define('LINK_WORK',6);
-    */
-    require_once(api_get_path(SYS_CODE_PATH).'gradebook/lib/be/linkfactory.class.php');
-    require_once (api_get_path(SYS_CODE_PATH).'gradebook/lib/be.inc.php');
-	require_once(api_get_path(SYS_CODE_PATH).'gradebook/lib/be/linkfactory.class.php');
+    require_once api_get_path(SYS_CODE_PATH).'gradebook/lib/be/linkfactory.class.php';
+    require_once api_get_path(SYS_CODE_PATH).'gradebook/lib/be.inc.php';
+	require_once api_get_path(SYS_CODE_PATH).'gradebook/lib/be/linkfactory.class.php';
+	
    // TODO find the corresponding category (the first one for this course, ordered by ID)
    $t = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
    $l = Database::get_main_table(TABLE_MAIN_GRADEBOOK_LINK);
@ -262,7 +256,7 @@ function is_resource_in_course_gradebook($course_code, $resource_type, $resource
    }
    $row = Database::fetch_array($res);
    $category = $row['id'];
-    $sql = "SELECT * FROM $l l WHERE l.category_id = $category AND type = ".(int) $resource_type." and ref_id = ".(int) $resource_id;
+    $sql = "SELECT id FROM $l l WHERE l.category_id = $category AND type = ".(int) $resource_type." and ref_id = ".(int) $resource_id;
    $res = Database::query($sql);
    if (Database::num_rows($res)<1) {
    	return false;
@ -285,15 +279,15 @@ function remove_resource_from_course_gradebook($link_id) {
    return true;
 }
 /**
- * return the database name
+ * Return the database name
 * @param    int
 * @return   String
 */
 function get_database_name_by_link_id($id_link) {
 	$course_table = Database::get_main_table(TABLE_MAIN_COURSE);
 	$tbl_grade_links = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_LINK);
-	$res=Database::query('SELECT db_name from '.$course_table.' c inner join '.$tbl_grade_links.' l
-	on c.code=l.course_code WHERE l.id='.$id_link.' OR l.category_id='.$id_link);
+	$res=Database::query('SELECT db_name FROM '.$course_table.' c INNER JOIN '.$tbl_grade_links.' l
+			ON c.code=l.course_code WHERE l.id='.intval($id_link).' OR l.category_id='.intval($id_link));
 	$my_db_name=Database::fetch_array($res,'ASSOC');
 	return $my_db_name['db_name'];
 }
@ -402,8 +396,8 @@ function parse_xml_data($file) {
  function update_user_info_about_certificate ($cat_id,$user_id,$path_certificate) {
  	$table_certificate = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CERTIFICATE);
  	if (!UserManager::is_user_certified($cat_id,$user_id)) {
-  		$sql='UPDATE '.$table_certificate.' SET path_certificate="'.$path_certificate.'"  
-		WHERE cat_id="'.$cat_id.'" AND user_id="'.$user_id.'" ';
+  		$sql='UPDATE '.$table_certificate.' SET path_certificate="'.Database::escape_string($path_certificate).'"  
+			 WHERE cat_id="'.intval($cat_id).'" AND user_id="'.intval($user_id).'" ';
 		$rs=Database::query($sql,__FILE__,__LINE__);
  	}
  }
@ -419,12 +413,12 @@ function parse_xml_data($file) {
  function register_user_info_about_certificate ($cat_id,$user_id,$score_certificate, $date_certificate) {
  	$table_certificate = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CERTIFICATE);
  	$sql_exist='SELECT COUNT(*) as count FROM '.$table_certificate.' gc 
-				WHERE gc.cat_id="'.$cat_id.'" AND user_id="'.$user_id.'" ';
+				WHERE gc.cat_id="'.intval($cat_id).'" AND user_id="'.intval($user_id).'" ';
 	$rs_exist=Database::query($sql_exist,__FILE__,__LINE__);
 	$row=Database::fetch_array($rs_exist);
 	if ($row['count']==0) {
-		echo $sql='INSERT INTO '.$table_certificate.' (cat_id,user_id,score_certificate,date_certificate)
-			  VALUES("'.$cat_id.'","'.$user_id.'","'.$score_certificate.'","'.$date_certificate.'")';
+		$sql='INSERT INTO '.$table_certificate.' (cat_id,user_id,score_certificate,date_certificate)
+			  VALUES("'.intval($cat_id).'","'.intval($user_id).'","'.Database::escape_string($score_certificate).'","'.Database::escape_string($date_certificate).'")';
 		$rs=Database::query($sql,__FILE__,__LINE__);  
 	}
 	
@ -437,7 +431,7 @@ function parse_xml_data($file) {
  */  
  function get_certificate_date_by_user_id ($cat_id,$user_id) {
    	$table_certificate = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CERTIFICATE);
-    	$sql_get_date='SELECT date_certificate FROM '.$table_certificate.' WHERE cat_id="'.$cat_id.'" AND user_id="'.$user_id.'"';
+    	$sql_get_date='SELECT date_certificate FROM '.$table_certificate.' WHERE cat_id="'.intval($cat_id).'" AND user_id="'.intval($user_id).'"';
    	$rs_get_date=Database::query($sql_get_date,__FILE__,__LINE__);
    	$row_get_date=Database::fetch_array($rs_get_date,'ASSOC');
    	return $row_get_date['date_certificate'];