diff --git a/main/gradebook/gradebook_edit_all.php b/main/gradebook/gradebook_edit_all.php
index 0733d55df9..30eed0e966 100755
--- a/main/gradebook/gradebook_edit_all.php
+++ b/main/gradebook/gradebook_edit_all.php
@@ -157,7 +157,7 @@ if ($my_api_cidreq=='') { } ?>
- +
diff --git a/main/gradebook/index.php b/main/gradebook/index.php index 96c87c52cd..ccf1af9796 100755 --- a/main/gradebook/index.php +++ b/main/gradebook/index.php @@ -714,7 +714,7 @@ if (isset ($_GET['studentoverview'])) { $pdf->ezText($organization_name,22,array('justification'=>'left')); $pdf->ezSetY(580); $pdf->ezText($portal_name,22,array('justification'=>'right')); - $pdf->ezStream(); + $pdf->ezStream();*/ } exit; } else { //in any other case (no search, no pdf), print the available gradebooks diff --git a/main/gradebook/lib/be/abstractlink.class.php b/main/gradebook/lib/be/abstractlink.class.php index df3d1d106a..571e9614f8 100755 --- a/main/gradebook/lib/be/abstractlink.class.php +++ b/main/gradebook/lib/be/abstractlink.class.php @@ -166,7 +166,7 @@ abstract class AbstractLink implements GradebookItem $sql .= ' visible = '.intval($visible); $paramcount ++; } - + $result = Database::query($sql); $links = AbstractLink::create_objects_from_sql_result($result); return $links; diff --git a/main/gradebook/lib/be/evaluation.class.php b/main/gradebook/lib/be/evaluation.class.php index b471b0c3d8..f99462c427 100755 --- a/main/gradebook/lib/be/evaluation.class.php +++ b/main/gradebook/lib/be/evaluation.class.php @@ -131,7 +131,7 @@ class Evaluation implements GradebookItem public function load ($id = null, $user_id = null, $course_code = null, $category_id = null, $visible = null) { $tbl_grade_evaluations = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_EVALUATION); - $sql='SELECT id,name,description,user_id,course_code,category_id,date,weight,max,visible,type FROM '.$tbl_grade_evaluations; + $sql='SELECT id,name,description,user_id,course_code,category_id,created_at,weight,max,visible,type FROM '.$tbl_grade_evaluations; $paramcount = 0; if (isset ($id)) { $sql.= ' WHERE id = '.intval($id); 
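Review bot: The added `*/` closes a comment whose opening is not in this hunk, so the whole PDF export path up to `$pdf->ezStream()` is now dead code while the `exit;` on the following line still runs, meaning a request that sets `studentoverview` (per the hunk header) gets an empty response with no message. If the export is disabled on purpose, drop the commented block and send the user back to the gradebook with a notice instead of exiting silently; if it is temporary, add a comment above the block such as `// PDF student overview disabled — reason/ticket` so the dead code is not mistaken for a working feature. The enclosing `if (isset ($_GET['studentoverview']))` block begins before this hunk.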
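Review bot: The SELECT on the new line renames the `date` column to `created_at`, but the result is handed to `Evaluation::create_evaluation_objects_from_sql_result()` (visible in the next hunk, body not shown), and if that method still reads `$row['date']` the evaluation date silently becomes null. Please confirm the consumer was updated in the same change, or alias the column, `created_at AS date`, until it is. `load()` continues past the end of this hunk.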
@@ -161,7 +161,7 @@ class Evaluation implements GradebookItem $sql .= ' visible = '.intval($visible); $paramcount ++; } - + $result = Database::query($sql); $alleval = Evaluation::create_evaluation_objects_from_sql_result($result); return $alleval; diff --git a/main/gradebook/lib/be/linkfactory.class.php b/main/gradebook/lib/be/linkfactory.class.php index 1d4e4aaf5c..905f9912fc 100755 --- a/main/gradebook/lib/be/linkfactory.class.php +++ b/main/gradebook/lib/be/linkfactory.class.php @@ -6,13 +6,14 @@ // - add include // - change create() and get_all_types() // Please do not change existing values, they are used in the database ! -define('LINK_EXERCISE', 1); -define('LINK_DROPBOX',2); -define('LINK_STUDENTPUBLICATION',3); -define('LINK_LEARNPATH',4); -define('LINK_FORUM_THREAD',5); +define('LINK_EXERCISE', 1); +define('LINK_DROPBOX', 2); +define('LINK_STUDENTPUBLICATION', 3); +define('LINK_LEARNPATH', 4); +define('LINK_FORUM_THREAD', 5); //define('LINK_WORK',6); -define('LINK_ATTENDANCE',7); +define('LINK_ATTENDANCE', 7); + require_once 'gradebookitem.class.php'; require_once 'abstractlink.class.php'; require_once 'exerciselink.class.php'; @@ -22,6 +23,7 @@ require_once 'studentpublicationlink.class.php'; require_once 'learnpathlink.class.php'; require_once 'forumthreadlink.class.php'; require_once 'attendancelink.class.php'; + /** * Factory for link objects * @author Bert Steppé diff --git a/main/gradebook/lib/gradebook_functions.inc.php b/main/gradebook/lib/gradebook_functions.inc.php index c1d93701a3..cd638067d3 100755 --- a/main/gradebook/lib/gradebook_functions.inc.php +++ b/main/gradebook/lib/gradebook_functions.inc.php @@ -1,14 +1,15 @@ , Hogeschool Ghent +* @author Julio Montoya adding security functions * @version april 2007 */ require_once ('gradebook_functions_users.inc.php'); - /** * Adds a resource to the unique gradebook of a given course * @param string Course code 
@@ -118,7 +119,7 @@ function block_students() { */ function get_course_name_from_code($code) { $tbl_main_categories= Database :: get_main_table(TABLE_MAIN_COURSE); - $sql= 'SELECT title,code FROM ' . $tbl_main_categories . 'WHERE code = "' . $code . '"'; + $sql= 'SELECT title, code FROM ' . $tbl_main_categories . 'WHERE code = "' . Database::escape_string($code) . '"'; $result= Database::query($sql); if ($col= Database::fetch_array($result)) { return $col['title']; @@ -235,17 +236,10 @@ function build_edit_icons_link($link, $selectcat) { * @return int false on error or link ID */ function is_resource_in_course_gradebook($course_code, $resource_type, $resource_id, $session_id = 0) { - /* See defines in lib/be/linkfactory.class.php - define('LINK_EXERCISE',1); - define('LINK_DROPBOX',2); - define('LINK_STUDENTPUBLICATION',3); - define('LINK_LEARNPATH',4); - define('LINK_FORUM_THREAD',5), - define('LINK_WORK',6); - */ - require_once(api_get_path(SYS_CODE_PATH).'gradebook/lib/be/linkfactory.class.php'); - require_once (api_get_path(SYS_CODE_PATH).'gradebook/lib/be.inc.php'); - require_once(api_get_path(SYS_CODE_PATH).'gradebook/lib/be/linkfactory.class.php'); + require_once api_get_path(SYS_CODE_PATH).'gradebook/lib/be/linkfactory.class.php'; + require_once api_get_path(SYS_CODE_PATH).'gradebook/lib/be.inc.php'; + require_once api_get_path(SYS_CODE_PATH).'gradebook/lib/be/linkfactory.class.php'; + // TODO find the corresponding category (the first one for this course, ordered by ID) $t = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY); $l = Database::get_main_table(TABLE_MAIN_GRADEBOOK_LINK); 
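Review bot: The new line still concatenates the table name directly onto `'WHERE code = ...'` with no separating space, so unless `Database::get_main_table()` returns the name with a trailing space (older Chamilo/Dokeos builds did), the query reads `...courseWHERE code = "..."` and fails. Escaping `$code` with `Database::escape_string()` is the right fix for the injection, but the line should read `$sql= 'SELECT title, code FROM ' . $tbl_main_categories . ' WHERE code = "' . Database::escape_string($code) . '"';` so it does not depend on that quirk. The function also returns `$col['title']` with no fallback when no row matches, which is outside this hunk.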
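Review bot: The rewritten `require_once` lines keep the duplicate include of `linkfactory.class.php` (first and third line); `require_once` makes it harmless, but it reads like a copy-paste leftover and should be reduced to the two distinct files. The removed comment listing the `LINK_*` constants was the only hint of why the factory is included here, so a one-line `// LINK_* type constants live in linkfactory.class.php` would keep that context. `is_resource_in_course_gradebook()` continues beyond this hunk.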
@@ -262,7 +256,7 @@ function is_resource_in_course_gradebook($course_code, $resource_type, $resource } $row = Database::fetch_array($res); $category = $row['id']; - $sql = "SELECT * FROM $l l WHERE l.category_id = $category AND type = ".(int) $resource_type." and ref_id = ".(int) $resource_id; + $sql = "SELECT id FROM $l l WHERE l.category_id = $category AND type = ".(int) $resource_type." and ref_id = ".(int) $resource_id; $res = Database::query($sql); if (Database::num_rows($res)<1) { return false; @@ -285,15 +279,15 @@ function remove_resource_from_course_gradebook($link_id) { return true; } /** - * return the database name + * Return the database name * @param int * @return String */ function get_database_name_by_link_id($id_link) { $course_table = Database::get_main_table(TABLE_MAIN_COURSE); $tbl_grade_links = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_LINK); - $res=Database::query('SELECT db_name from '.$course_table.' c inner join '.$tbl_grade_links.' l - on c.code=l.course_code WHERE l.id='.$id_link.' OR l.category_id='.$id_link); + $res=Database::query('SELECT db_name FROM '.$course_table.' c INNER JOIN '.$tbl_grade_links.' l + ON c.code=l.course_code WHERE l.id='.intval($id_link).' OR l.category_id='.intval($id_link)); $my_db_name=Database::fetch_array($res,'ASSOC'); return $my_db_name['db_name']; } @@ -402,8 +396,8 @@ function parse_xml_data($file) { function update_user_info_about_certificate ($cat_id,$user_id,$path_certificate) { $table_certificate = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CERTIFICATE); if (!UserManager::is_user_certified($cat_id,$user_id)) { - $sql='UPDATE '.$table_certificate.' SET path_certificate="'.$path_certificate.'" - WHERE cat_id="'.$cat_id.'" AND user_id="'.$user_id.'" '; + $sql='UPDATE '.$table_certificate.' SET path_certificate="'.Database::escape_string($path_certificate).'" + WHERE cat_id="'.intval($cat_id).'" AND user_id="'.intval($user_id).'" '; $rs=Database::query($sql,__FILE__,__LINE__); } } 
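Review bot: `$category` is interpolated into the new SELECT unquoted and uncast, while the other two operands are cast with `(int)`; it comes from the preceding query's `$row['id']` so it should be numeric, but casting it too, `l.category_id = ".(int) $category."`, keeps the query uniformly defended and costs nothing. Narrowing `SELECT *` to `SELECT id` is fine provided the code after the `num_rows` check (outside this hunk) only reads the `id` column — please confirm. The function starts and ends outside this hunk.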
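Review bot: `Database::fetch_array()` returns `false` when the join matches no row, and the line after the rewritten query then indexes `$my_db_name['db_name']` on `false`, returning null with a notice; guard it with `return $my_db_name ? $my_db_name['db_name'] : null;`. The `intval()` casts correctly close the injection, but the query still matches `l.id` OR `l.category_id` against the same number, so a link id that happens to equal some other link's category id can resolve to the wrong course database — worth a comment on the function explaining which id callers pass, or a separate lookup by category.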
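Review bot: `Database::escape_string()` on `$path_certificate` now prevents SQL injection, but it does nothing about the value itself, which is stored and presumably later used as a filesystem path; if any caller derives it from request data, a `../` sequence survives the escape unchanged. Validate at the boundary before it reaches this UPDATE, e.g. keep only `basename($path_certificate)` or check that `realpath()` stays inside the certificate directory, and state the expected format in the docblock above the function, which is outside this hunk. `$rs` is assigned but never checked, so a failed update goes unnoticed.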
@@ -419,12 +413,12 @@ function parse_xml_data($file) { function register_user_info_about_certificate ($cat_id,$user_id,$score_certificate, $date_certificate) { $table_certificate = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CERTIFICATE); $sql_exist='SELECT COUNT(*) as count FROM '.$table_certificate.' gc - WHERE gc.cat_id="'.$cat_id.'" AND user_id="'.$user_id.'" '; + WHERE gc.cat_id="'.intval($cat_id).'" AND user_id="'.intval($user_id).'" '; $rs_exist=Database::query($sql_exist,__FILE__,__LINE__); $row=Database::fetch_array($rs_exist); if ($row['count']==0) { - echo $sql='INSERT INTO '.$table_certificate.' (cat_id,user_id,score_certificate,date_certificate) - VALUES("'.$cat_id.'","'.$user_id.'","'.$score_certificate.'","'.$date_certificate.'")'; + $sql='INSERT INTO '.$table_certificate.' (cat_id,user_id,score_certificate,date_certificate) + VALUES("'.intval($cat_id).'","'.intval($user_id).'","'.Database::escape_string($score_certificate).'","'.Database::escape_string($date_certificate).'")'; $rs=Database::query($sql,__FILE__,__LINE__); } @@ -437,7 +431,7 @@ function parse_xml_data($file) { */ function get_certificate_date_by_user_id ($cat_id,$user_id) { $table_certificate = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CERTIFICATE); - $sql_get_date='SELECT date_certificate FROM '.$table_certificate.' WHERE cat_id="'.$cat_id.'" AND user_id="'.$user_id.'"'; + $sql_get_date='SELECT date_certificate FROM '.$table_certificate.' WHERE cat_id="'.intval($cat_id).'" AND user_id="'.intval($user_id).'"'; $rs_get_date=Database::query($sql_get_date,__FILE__,__LINE__); $row_get_date=Database::fetch_array($rs_get_date,'ASSOC'); return $row_get_date['date_certificate'];
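Review bot: The `COUNT(*)` check followed by the INSERT is a check-then-act race: two concurrent requests for the same `(cat_id, user_id)` can both see `count == 0` and insert two certificate rows, and the new casts do not change that. Unless the table already has a unique key on `(cat_id, user_id)` (not visible here), add one and use `INSERT IGNORE` or handle the duplicate-key error instead of the pre-check. Removing the stray `echo $sql=` is a good catch — it leaked the full INSERT statement into the page output. Since `$score_certificate` and `$date_certificate` are stored as quoted strings, consider `floatval()` for the score and a date-format check at the call boundary rather than relying on escaping alone.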
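Review bot: As in the other certificate helpers, `Database::fetch_array()` returns `false` when no row matches the new query, and `return $row_get_date['date_certificate'];` then indexes into `false`; change it to `return $row_get_date ? $row_get_date['date_certificate'] : null;`. The `intval()` casts on `cat_id` and `user_id` are correct since both are integer keys. The docblock above the function should state that null is returned when the user has no certificate for the category.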