Security issue - Adding security::remove_XSS, intval and escape_string functions

15 years ago · ecfdef6f3f
parent 4851a7529e
commit ecfdef6f3f
4 changed files with 15 additions and 15 deletions
--- a/main/gradebook/lib/be/attendancelink.class.php
+++ b/main/gradebook/lib/be/attendancelink.class.php
@ -44,7 +44,7 @@ class AttendanceLink extends AbstractLink

 		$sql = 'SELECT att.id, att.name, att.attendance_qualify_title
 				FROM '.$this->get_attendance_table().' att
-				WHERE att.id NOT IN (SELECT ref_id FROM '.$tbl_grade_links.' WHERE type = '.LINK_ATTENDANCE.' AND course_code = "'.$this->get_course_code().'")
+				WHERE att.id NOT IN (SELECT ref_id FROM '.$tbl_grade_links.' WHERE type = '.LINK_ATTENDANCE.' AND course_code = "'.Database::escape_string($this->get_course_code()).'")
 				AND att.session_id='.api_get_session_id().'';
 		$result = Database::query($sql);

@ -69,7 +69,7 @@ class AttendanceLink extends AbstractLink
    	}
    	$tbl_attendance = $this->get_attendance_table();
    	$session_id = api_get_session_id();
-    	$sql = 'SELECT att.id, att.name, att.attendance_qualify_title FROM '.$tbl_attendance.' att WHERE att.active = 1 AND att.session_id = '.$session_id.'';
+    	$sql = 'SELECT att.id, att.name, att.attendance_qualify_title FROM '.$tbl_attendance.' att WHERE att.active = 1 AND att.session_id = '.intval($session_id).'';
 		$result = Database::query($sql);
 		while ($data=Database::fetch_array($result)) {
 			if (isset($data['attendance_qualify_title']) && $data['attendance_qualify_title'] != ''){
@ -89,7 +89,7 @@ class AttendanceLink extends AbstractLink
    public function has_results() {
    	$course_info = api_get_course_info($this->course_code);
    	$tbl_attendance_result = Database :: get_course_table(TABLE_ATTENDANCE_RESULT,$course_info['dbName']);
-		$sql = 'SELECT count(*) AS number FROM '.$tbl_attendance_result." WHERE attendance_id = '".$this->get_ref_id()."'";
+		$sql = 'SELECT count(*) AS number FROM '.$tbl_attendance_result." WHERE attendance_id = '".intval($this->get_ref_id())."'";
    	$result = Database::query($sql);
 		$number = Database::fetch_row($result);
 		return ($number[0] != 0);
@ -104,14 +104,14 @@ class AttendanceLink extends AbstractLink
 			$session_id = api_get_session_id();

 			// get attendance qualify max
-	  		$sql = 'SELECT att.attendance_qualify_max FROM '.$this->get_attendance_table().' att WHERE att.id = '.$this->get_ref_id().' AND att.session_id='.$session_id.'';
+	  		$sql = 'SELECT att.attendance_qualify_max FROM '.$this->get_attendance_table().' att WHERE att.id = '.intval($this->get_ref_id()).' AND att.session_id='.intval($session_id).'';
 			$query = Database::query($sql);
 			$attendance = Database::fetch_array($query);

 			// get results
-	  	    $sql = 'SELECT * FROM '.$tbl_attendance_result.' WHERE attendance_id = '.$this->get_ref_id();
+	  	    $sql = 'SELECT * FROM '.$tbl_attendance_result.' WHERE attendance_id = '.intval($this->get_ref_id());
 	    	if (isset($stud_id)) {
-	    		$sql .= ' AND user_id = '.$stud_id;
+	    		$sql .= ' AND user_id = '.intval($stud_id);
 	    	}
 	    	$scores = Database::query($sql);
 			// for 1 student
@ -208,7 +208,7 @@ class AttendanceLink extends AbstractLink
    public function is_valid_link() {
    	$session_id = api_get_session_id();
        $sql = 'SELECT count(att.id) FROM '.$this->get_attendance_table().' att
-        		 WHERE att.id = '.$this->get_ref_id().' AND att.session_id='.$session_id.'';
+        		 WHERE att.id = '.intval($this->get_ref_id()).' AND att.session_id='.intval($session_id).'';
        $result = Database::query($sql);
        $number = Database::fetch_row($result);
        return ($number[0] != 0);
--- a/main/gradebook/lib/be/category.class.php
+++ b/main/gradebook/lib/be/category.class.php
@ -143,11 +143,11 @@ class Category implements GradebookItem
 		$paramcount = 0;
 		if (isset($id)) {
 			$id = Database::escape_string($id);
-			$sql.= ' WHERE id = '.$id;
+			$sql.= ' WHERE id = '.intval($id);
 			$paramcount ++;
 		}
 		if (isset($user_id)) {
-			$user_id = Database::escape_string($user_id);
+			$user_id = intval($user_id);
 			if ($paramcount != 0) { $sql .= ' AND';
 			} else {
 			$sql .= ' WHERE';
--- a/main/gradebook/lib/be/dropboxlink.class.php
+++ b/main/gradebook/lib/be/dropboxlink.class.php
@ -29,7 +29,7 @@ class DropboxLink extends EvalLink

 		$sql = 'SELECT filename'
 				.' FROM '.$this->get_dropbox_table()
-				.' WHERE uploader_id = '.$stud_id
+				.' WHERE uploader_id = '.intval($stud_id)
 				." AND title = '".Database::escape_string($eval->get_name())."'";

 		$result = Database::query($sql);
--- a/main/gradebook/lib/be/evaluation.class.php
+++ b/main/gradebook/lib/be/evaluation.class.php
@ -132,31 +132,31 @@ class Evaluation implements GradebookItem
 		$sql='SELECT id,name,description,user_id,course_code,category_id,date,weight,max,visible,type FROM '.$tbl_grade_evaluations;
 		$paramcount = 0;
 		if (isset ($id)) {
-			$sql.= ' WHERE id = '.$id;
+			$sql.= ' WHERE id = '.intval($id);
 			$paramcount ++;
 		}
 		if (isset ($user_id)) {
 			if ($paramcount != 0) $sql .= ' AND';
 			else $sql .= ' WHERE';
-			$sql .= ' user_id = '.$user_id;
+			$sql .= ' user_id = '.intval($user_id);
 			$paramcount ++;
 		}
 		if (isset ($course_code) && $course_code <> '-1') {
 			if ($paramcount != 0) $sql .= ' AND';
 			else $sql .= ' WHERE';
-			$sql .= " course_code = '".$course_code."'";
+			$sql .= " course_code = '".Database::escape_string($course_code)."'";
 			$paramcount ++;
 		}
 		if (isset ($category_id)) {
 			if ($paramcount != 0) $sql .= ' AND';
 			else $sql .= ' WHERE';
-			$sql .= ' category_id = '.$category_id;
+			$sql .= ' category_id = '.intval($category_id);
 			$paramcount ++;
 		}
 		if (isset ($visible)) {
 			if ($paramcount != 0) $sql .= ' AND';
 			else $sql .= ' WHERE';
-			$sql .= ' visible = '.$visible;
+			$sql .= ' visible = '.intval($visible);
 			$paramcount ++;
 		}