escaping variblaes inside functions

1.9.x
César Perales 12 years ago
parent 70b98308a1
commit e2fd7d2b36
  1. 24
      main/inc/ajax/model.ajax.php
  2. 32
      main/inc/lib/sessionmanager.lib.php
  3. 5
      main/inc/lib/tracking.lib.php
  4. 4
      main/mySpace/index.php
  5. 8
      main/mySpace/myspace.lib.php

@ -266,12 +266,12 @@ switch ($action) {
case 'get_session_progress': case 'get_session_progress':
//@TODO replace this for a more efficient function (not retrieving the whole data) //@TODO replace this for a more efficient function (not retrieving the whole data)
$course = api_get_course_info_by_id($courseId); $course = api_get_course_info_by_id($courseId);
$users = CourseManager::get_student_list_from_course_code($course['code'], true, intval($_GET['session_id']), $_GET['date_from'], $_GET['date_to']); $users = CourseManager::get_student_list_from_course_code($course['code'], true, $_GET['session_id'], $_GET['date_from'], $_GET['date_to']);
$count = count($users); $count = count($users);
break; break;
case 'get_exercise_progress': case 'get_exercise_progress':
//@TODO replace this for a more efficient function (not retrieving the whole data) //@TODO replace this for a more efficient function (not retrieving the whole data)
$records = Tracking::get_exercise_progress(intval($_GET['session_id']), intval($_GET['course_id']), intval($_GET['exercise_id']), $_GET['date_from'], $_GET['date_to']); $records = Tracking::get_exercise_progress($_GET['session_id'], $_GET['course_id'], $_GET['exercise_id'], $_GET['date_from'], $_GET['date_to']);
$count = count($records); $count = count($records);
break; break;
case 'get_session_access_overview': case 'get_session_access_overview':
@ -281,7 +281,7 @@ switch ($action) {
break; break;
case 'get_survey_overview': case 'get_survey_overview':
//@TODO replace this for a more efficient function (not retrieving the whole data) //@TODO replace this for a more efficient function (not retrieving the whole data)
$records = SessionManager::get_survey_overview(intval($_GET['session_id']), intval($_GET['course_id']), intval($_GET['survey_id']), $_GET['date_from'], $_GET['date_to'], $options); $records = SessionManager::get_survey_overview($_GET['session_id'], $_GET['course_id'], $_GET['survey_id'], $_GET['date_from'], $_GET['date_to'], $options);
$count = count($records); $count = count($records);
break; break;
/*case 'get_extra_fields': /*case 'get_extra_fields':
@ -656,9 +656,9 @@ switch ($action) {
$sessionId = 0; $sessionId = 0;
if (!empty($_GET['course_id'])) if (!empty($_GET['course_id']))
{ {
$sessionId = intval($_GET['session_id']); $sessionId = intval($_GET['session_id']);
$courseId = intval($_GET['course_id']); $courseId = intval($_GET['course_id']);
$course = api_get_course_info_by_id($courseId); $course = api_get_course_info_by_id($courseId);
$date_from = $_GET['date_from']; $date_from = $_GET['date_from'];
$date_to = $_GET['date_to']; $date_to = $_GET['date_to'];
} }
@ -691,9 +691,9 @@ switch ($action) {
$sessionId = 0; $sessionId = 0;
if (!empty($_GET['course_id']) && !empty($_GET['survey_id'])) if (!empty($_GET['course_id']) && !empty($_GET['survey_id']))
{ {
$sessionId = intval($_GET['session_id']); $sessionId = intval($_GET['session_id']);
$courseId = intval($_GET['course_id']); $courseId = intval($_GET['course_id']);
$surveyId = intval($_GET['survey_id']); $surveyId = intval($_GET['survey_id']);
$date_from = $_GET['date_from']; $date_from = $_GET['date_from'];
$date_to = $_GET['date_to']; $date_to = $_GET['date_to'];
//$course = api_get_course_info_by_id($courseId); //$course = api_get_course_info_by_id($courseId);
@ -771,8 +771,8 @@ switch ($action) {
$sessionId = 0; $sessionId = 0;
if (!empty($_GET['course_id'])) if (!empty($_GET['course_id']))
{ {
$sessionId = intval($_GET['session_id']); $sessionId = intval($_GET['session_id']);
$courseId = intval($_GET['course_id']); $courseId = intval($_GET['course_id']);
$date_from = $_GET['date_from']; $date_from = $_GET['date_from'];
$date_to = $_GET['date_to']; $date_to = $_GET['date_to'];
} }
@ -805,7 +805,7 @@ switch ($action) {
$date_to = $_GET['date_to']; $date_to = $_GET['date_to'];
} }
$result = SessionManager::get_user_data_access_tracking_overview(intval($sessionId), intval($courseId), intval($studentId), intval($profile), $date_from, $date_to, $result = SessionManager::get_user_data_access_tracking_overview($sessionId, $courseId, $studentId, $profile, $date_from, $date_to,
array( array(
'where' => $where_condition, 'where' => $where_condition,
'order' => "$sidx $sord", 'order' => "$sidx $sord",
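Review bot: The new side of the get_session_progress case passes `$_GET['session_id']` to `CourseManager::get_student_list_from_course_code` without the former intval(), but CourseManager is not among the five files this commit touches, so nothing visible here shows that the callee casts it before use. Unless that method is confirmed to sanitise its session argument, keep the cast at the call site: `$users = CourseManager::get_student_list_from_course_code($course['code'], true, intval($_GET['session_id']), $_GET['date_from'], $_GET['date_to']);`. The same concern applies to `$where_condition` and `"$sidx $sord"` handed to get_user_data_access_tracking_overview in the last hunk: they reach the query as `$where $order $limit` in sessionmanager.lib.php and are not escaped there, so they must be validated before this point if they are not already. The switch statement and the trailing options array continue outside the hunk.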

@ -509,6 +509,12 @@ class SessionManager
*/ */
public static function get_session_lp_progress($sessionId = 0, $courseId = 0, $date_from, $date_to, $options) public static function get_session_lp_progress($sessionId = 0, $courseId = 0, $date_from, $date_to, $options)
{ {
//escaping vars
$sessionId = intval($sessionId);
$courseId = intval($courseId);
$date_from = Database :: escape_string($date_from);
$date_to = Database :: escape_string($date_to);
//tables //tables
$session_course_user = Database::get_main_table(TABLE_MAIN_SESSION_COURSE_USER); $session_course_user = Database::get_main_table(TABLE_MAIN_SESSION_COURSE_USER);
$user = Database::get_main_table(TABLE_MAIN_USER); $user = Database::get_main_table(TABLE_MAIN_USER);
@ -613,6 +619,13 @@ class SessionManager
*/ */
public static function get_survey_overview($sessionId = 0, $courseId = 0, $surveyId = 0, $date_from, $date_to, $options) public static function get_survey_overview($sessionId = 0, $courseId = 0, $surveyId = 0, $date_from, $date_to, $options)
{ {
//escaping vars
$sessionId = intval($sessionId);
$courseId = intval($courseId);
$surveyId = intval($surveyId);
$date_from = Database::escape_string($date_from);
$date_to = Database::escape_string($date_to);
//tables //tables
$session_course_user = Database::get_main_table(TABLE_MAIN_SESSION_COURSE_USER); $session_course_user = Database::get_main_table(TABLE_MAIN_SESSION_COURSE_USER);
$user = Database::get_main_table(TABLE_MAIN_USER); $user = Database::get_main_table(TABLE_MAIN_USER);
@ -652,7 +665,7 @@ class SessionManager
INNER JOIN $user u ON u.user_id = s.id_user INNER JOIN $user u ON u.user_id = s.id_user
$where $order $limit"; $where $order $limit";
$sql_query = sprintf($sql, $course['code'], intval($sessionId)); $sql_query = sprintf($sql, $course['code'], $sessionId);
$rs = Database::query($sql_query); $rs = Database::query($sql_query);
while ($user = Database::fetch_array($rs)) while ($user = Database::fetch_array($rs))
{ {
@ -1019,6 +1032,15 @@ class SessionManager
$options $options
) { ) {
global $_configuration; global $_configuration;
//escaping variables
$sessionId = intval($sessionId);
$courseId = intval($courseId);
$studentId = intval($studentId);
$profile = intval($profile);
$date_from = Database::escape_string($date_from);
$date_to = Database::escape_string($date_to);
// database table definition // database table definition
$user = Database :: get_main_table(TABLE_MAIN_USER); $user = Database :: get_main_table(TABLE_MAIN_USER);
$course = Database :: get_main_table(TABLE_MAIN_COURSE); $course = Database :: get_main_table(TABLE_MAIN_COURSE);
@ -1033,16 +1055,16 @@ class SessionManager
} }
if (isset($sessionId) && !empty($sessionId)) { if (isset($sessionId) && !empty($sessionId)) {
$where = sprintf(" WHERE a.session_id = %d", intval($sessionId)); $where = sprintf(" WHERE a.session_id = %d", $sessionId);
} }
if (isset($courseId) && !empty($courseId)) { if (isset($courseId) && !empty($courseId)) {
$where .= sprintf(" AND c.id = %d", intval($courseId)) ; $where .= sprintf(" AND c.id = %d", $courseId);
} }
if (isset($studentId) && !empty($studentId)) { if (isset($studentId) && !empty($studentId)) {
$where .= sprintf(" AND u.user_id = %d", intval($studentId)); $where .= sprintf(" AND u.user_id = %d", $studentId);
} }
if (isset($profile) && !empty($profile)) { if (isset($profile) && !empty($profile)) {
$where .= sprintf(" AND u.status = %d", intval($profile)); $where .= sprintf(" AND u.status = %d", $profile);
} }
if (!empty($date_to) && !empty($date_from)) { if (!empty($date_to) && !empty($date_from)) {
$where .= sprintf(" AND a.login_course_date >= '%s 00:00:00' $where .= sprintf(" AND a.login_course_date >= '%s 00:00:00'
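Review bot: `Database::escape_string` on `$date_from`/`$date_to`, added at the top of all three methods, only neutralises quoting characters; that is adequate as long as the value lands inside a quoted literal such as the `'%s 00:00:00'` at the end of the hunk, but it still accepts any string, so a malformed value becomes an unparsable date in the query instead of being rejected. Since these parameters are only ever used as dates, check their shape before escaping, e.g. `if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $date_from)) { $date_from = ''; }` (and likewise for `$date_to`), which lets the `!empty` guard visible in get_user_data_access_tracking_overview drop the date filter rather than pass a bad value through. The new blocks also mix `Database :: escape_string` (spaced) with `Database::escape_string`; use the unspaced form from get_survey_overview throughout. All three method bodies continue outside the hunks.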

@ -3265,6 +3265,11 @@ class Tracking
*/ */
public static function get_exercise_progress($sessionId = 0, $courseId = 0, $exerciseId = 0, $date_from, $date_to, $options = array()) public static function get_exercise_progress($sessionId = 0, $courseId = 0, $exerciseId = 0, $date_from, $date_to, $options = array())
{ {
$sessionId = intval($sessionId);
$courseId = intval($courseId);
$exerciseId = intval($exerciseId);
$date_from = Database::escape_string($date_from);
$date_to = Database::escape_string($date_to);
/* /*
* This method gets the data by blocks, as previous attempts at one single * This method gets the data by blocks, as previous attempts at one single
* query made it take ages. The logic of query division is described below * query made it take ages. The logic of query division is described below
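Review bot: The five sanitising lines added at the top of get_exercise_progress carry no comment, unlike the parallel blocks in sessionmanager.lib.php, and they sit between the signature and the method's long design comment, where a reader will not expect input handling. Add `// Cast ids and escape dates before they are used in the queries below` above them so the intent is explicit. Since escape_string only protects quoting, a shape check on the dates, `if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $date_from)) { $date_from = ''; }` and the same for `$date_to`, would reject malformed input rather than presumably interpolating it into the SQL. The method body continues outside the hunk.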

@ -922,9 +922,9 @@ if ($is_platform_admin && in_array($view, array('admin')) && $display != 'yourst
if (!empty($_GET['course_id'])) { if (!empty($_GET['course_id'])) {
if(!empty($_GET['date_to']) && (!empty($_GET['date_from']))) { if(!empty($_GET['date_to']) && (!empty($_GET['date_from']))) {
if (!empty($_GET['student_id'])) { if (!empty($_GET['student_id'])) {
echo MySpace::display_tracking_access_overview(intval($_GET['session_id']), intval($_GET['course_id']), intval($_GET['student_id']), '', $_GET['date_from'], $_GET['date_to']); echo MySpace::display_tracking_access_overview($_GET['session_id'], $_GET['course_id'], $_GET['student_id'], '', $_GET['date_from'], $_GET['date_to']);
} else if (!empty($_GET['profile'])) { } else if (!empty($_GET['profile'])) {
echo MySpace::display_tracking_access_overview(intval($_GET['session_id']), intval($_GET['course_id']), '', $_GET['profile'], $_GET['date_from'], $_GET['date_to']); echo MySpace::display_tracking_access_overview($_GET['session_id'], $_GET['course_id'], '', $_GET['profile'], $_GET['date_from'], $_GET['date_to']);
} else { } else {
Display::display_warning_message(get_lang('ChooseStudentOrProfile')); Display::display_warning_message(get_lang('ChooseStudentOrProfile'));
} }
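Review bot: Both calls to `MySpace::display_tracking_access_overview` now hand `$_GET['session_id']`, `$_GET['course_id']`, `$_GET['student_id']` and `$_GET['profile']` over uncast, but the myspace.lib.php hunks in this commit only touch URL-building lines, so nothing shown establishes that display_tracking_access_overview casts its arguments. These values presumably end up concatenated into the jqgrid URL built in myspace.lib.php, so a non-numeric session_id or course_id would now reach that string verbatim. Either cast inside display_tracking_access_overview, matching what the SessionManager methods now do, or restore `intval()` on these two lines. The enclosing if-chain continues outside the hunk.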

@ -316,7 +316,7 @@ class MySpace {
$action_links = ''; $action_links = '';
// jqgrid will use this URL to do the selects // jqgrid will use this URL to do the selects
$url = api_get_path(WEB_AJAX_PATH).'model.ajax.php?a=get_session_lp_progress&session_id=' . intval($sessionId) . '&course_id=' . intval($courseId) . '&date_to=' . $date_to . '&date_from=' . $date_from; $url = api_get_path(WEB_AJAX_PATH).'model.ajax.php?a=get_session_lp_progress&session_id=' . $sessionId . '&course_id=' . $courseId . '&date_to=' . $date_to . '&date_from=' . $date_from;
//Table Id //Table Id
$tableId = 'lpProgress'; $tableId = 'lpProgress';
@ -389,7 +389,7 @@ class MySpace {
//get dynamic column names //get dynamic column names
// jqgrid will use this URL to do the selects // jqgrid will use this URL to do the selects
$url = api_get_path(WEB_AJAX_PATH).'model.ajax.php?a=get_exercise_progress&session_id=' . intval($sessionId) . '&course_id=' . intval($courseId) . '&exercise_id=' . intval($exerciseId) . '&date_to=' . $date_to . '&date_from=' . $date_from; $url = api_get_path(WEB_AJAX_PATH).'model.ajax.php?a=get_exercise_progress&session_id=' . $sessionId . '&course_id=' . $courseId . '&exercise_id=' . $exerciseId . '&date_to=' . $date_to . '&date_from=' . $date_from;
//Autowidth //Autowidth
$extra_params['autowidth'] = 'true'; $extra_params['autowidth'] = 'true';
@ -454,7 +454,7 @@ class MySpace {
$action_links = ''; $action_links = '';
// jqgrid will use this URL to do the selects // jqgrid will use this URL to do the selects
$url = api_get_path(WEB_AJAX_PATH).'model.ajax.php?a=get_survey_overview&session_id=' . intval($sessionId) . '&course_id=' . intval($courseId) . '&survey_id=' . intval($surveyId) . '&date_to=' . $date_to . '&date_from=' . $date_from; $url = api_get_path(WEB_AJAX_PATH).'model.ajax.php?a=get_survey_overview&session_id=' . $sessionId . '&course_id=' . $courseId . '&survey_id=' . $surveyId . '&date_to=' . $date_to . '&date_from=' . $date_from;
//Table Id //Table Id
$tableId = 'lpProgress'; $tableId = 'lpProgress';
@ -582,7 +582,7 @@ class MySpace {
$action_links = ''; $action_links = '';
// jqgrid will use this URL to do the selects // jqgrid will use this URL to do the selects
$url = api_get_path(WEB_AJAX_PATH).'model.ajax.php?a=get_session_progress&session_id=' . intval($sessionId) . '&course_id=' . intval($courseId) . '&date_to=' . $date_to . '&date_from=' . $date_from; $url = api_get_path(WEB_AJAX_PATH).'model.ajax.php?a=get_session_progress&session_id=' . $sessionId . '&course_id=' . $courseId . '&date_to=' . $date_to . '&date_from=' . $date_from;
//Table Id //Table Id
$tableId = 'progressOverview'; $tableId = 'progressOverview';
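Review bot: Removing `intval()` from the four `$url` concatenations means `$sessionId`, `$courseId`, `$exerciseId` and `$surveyId` are no longer guaranteed to be numeric in the query string, while `$date_to`/`$date_from` were never encoded at all, so any `&`, `#` or quote in a caller-supplied value changes the URL jqgrid requests and, depending on how `$url` is emitted into the page, may break out of the attribute or script it lands in. Build the query string with `http_build_query()` instead, e.g. `$url = api_get_path(WEB_AJAX_PATH).'model.ajax.php?'.http_build_query(array('a' => 'get_session_lp_progress', 'session_id' => intval($sessionId), 'course_id' => intval($courseId), 'date_to' => $date_to, 'date_from' => $date_from));`, keeping the cast on the ids so the URL stays well-formed regardless of what the AJAX handler does later. The four method bodies lie mostly outside these hunks.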
