[svn r15602] tighten security

skala
Patrick Cool 18 years ago
parent 8e856cf09c
commit ee3863ed4a
  1. 8
      main/exercice/addlimits.php
  2. 4
      main/exercice/admin.php
  3. 58
      main/exercice/answer.class.php
  4. 4
      main/exercice/answer_admin.inc.php
  5. 44
      main/exercice/exercice.php
  6. 31
      main/exercice/exercise.class.php
  7. 4
      main/exercice/exercise.lib.php
  8. 6
      main/exercice/exercise_result.class.php
  9. 16
      main/exercice/exercise_result.php
  10. 78
      main/exercice/exercise_show.php
  11. 2
      main/exercice/hotspot_actionscript.as.php
  12. 2
      main/exercice/hotspot_answers.as.php
  13. 2
      main/exercice/hotspot_save.inc.php
  14. 9
      main/exercice/hotspot_savescore.inc.php
  15. 2
      main/exercice/hotspot_updatescore.inc.php
  16. 28
      main/exercice/mark_free_answer.php
  17. 42
      main/exercice/question.class.php
  18. 6
      main/exercice/question_pool.php
  19. 14
      main/exercice/savescores.php

@ -97,11 +97,11 @@ if ( empty ( $origin ) )
}
if ( empty ( $learnpath_id ) )
{
$learnpath_id = mysql_real_escape_string($_REQUEST['learnpath_id']);
$learnpath_id = $_REQUEST['learnpath_id'];
}
if ( empty ( $learnpath_item_id ) )
{
$learnpath_item_id = mysql_real_escape_string($_REQUEST['learnpath_item_id']);
$learnpath_item_id = $_REQUEST['learnpath_item_id'];
}
if ( empty ( $formSent ) )
{
@ -120,11 +120,11 @@ if ( empty ( $choice ) ) {
}
if ( empty ( $questionNum ) )
{
$questionNum = mysql_real_escape_string($_REQUEST['questionNum']);
$questionNum = $_REQUEST['questionNum'];
}
if ( empty ( $nbrQuestions ) )
{
$nbrQuestions = mysql_real_escape_string($_REQUEST['nbrQuestions']);
$nbrQuestions = $_REQUEST['nbrQuestions'];
}
if ( empty ( $questionList ) )
{
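Review bot: Removing `mysql_real_escape_string` here leaves `$learnpath_id`, `$learnpath_item_id`, `$questionNum` and `$nbrQuestions` as raw request strings, and nothing in this hunk replaces the check, so unless every later use of them (outside the hunk) now escapes at the query site this is a loosening rather than a tightening. All four look like numeric ids or counts (the commit itself treats `$from`/`$to` that way with `(int)` casts elsewhere), so an integer cast is the simpler and stronger fix and also covers non-SQL uses such as echoing them into links: `$learnpath_id = (int) $_REQUEST['learnpath_id'];`, and likewise for the other three. The same pattern appears in the admin.php hunk (`$exerciseId = $_GET['exerciseId'];`) and in the exercise_result.php and exercise_show.php hunks for these same four variables, so the same fix applies there. By the file listing this first section is addlimits.php; the `if (empty(...))` chain continues beyond both hunks.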

@ -60,7 +60,7 @@
*
* @package dokeos.exercise
* @author Olivier Brouckaert
* @version $Id: admin.php 15333 2008-05-20 17:07:26Z elixir_inter $
* @version $Id: admin.php 15602 2008-06-18 08:52:24Z pcool $
*/
@ -115,7 +115,7 @@ if($_SERVER['REQUEST_METHOD'] == 'POST')
// get vars from GET
if ( empty ( $exerciseId ) )
{
$exerciseId = mysql_real_escape_string($_GET['exerciseId']);
$exerciseId = $_GET['exerciseId'];
}
if ( empty ( $newQuestion ) )
{

@ -23,7 +23,7 @@
* 5 arrays are created to receive the attributes of each answer belonging to a specified question
* @package dokeos.exercise
* @author Olivier Brouckaert
* @version $Id: answer.class.php 13732 2007-11-21 15:19:33Z yannoo $
* @version $Id: answer.class.php 15602 2008-06-18 08:52:24Z pcool $
*/
@ -112,7 +112,7 @@ class Answer
$questionId=$this->questionId;
//$answerType=$this->selectType();
$sql="SELECT answer,correct,comment,ponderation,position, hotspot_coordinates, hotspot_type FROM $TBL_ANSWER WHERE question_id='$questionId' ORDER BY position";
$sql="SELECT answer,correct,comment,ponderation,position, hotspot_coordinates, hotspot_type FROM $TBL_ANSWER WHERE question_id='".Database::escape_string($questionId)."' ORDER BY position";
$result=api_sql_query($sql,__FILE__,__LINE__);
@ -143,11 +143,13 @@ $this->hotspot_coordinates[$i]=$object->hotspot_coordinates;
function readOrderedBy($field,$order=ASC)
{
global $_course;
$field = mysql_real_escape_string($field);
if(empty($field)){
$field = Database::escape_string($field);
if(empty($field))
{
$field = 'position';
}
if($order != 'ASC' and $order!='DESC'){
if($order != 'ASC' and $order!='DESC')
{
$order = 'ASC';
}
$TBL_ANSWER = Database::get_course_table('quiz_answer');
@ -157,7 +159,7 @@ $this->hotspot_coordinates[$i]=$object->hotspot_coordinates;
$sql="SELECT answer,correct,comment,ponderation,position, hotspot_coordinates, hotspot_type " .
"FROM $TBL_ANSWER " .
"WHERE question_id='$questionId' " .
"WHERE question_id='".Database::escape_string($questionId)."' " .
"ORDER BY $field $order";
$result=api_sql_query($sql,__FILE__,__LINE__);
@ -260,7 +262,7 @@ $this->hotspot_coordinates[$i]=$object->hotspot_coordinates;
function getQuestionType()
{
$TBL_QUESTIONS = Database::get_course_table(TABLE_QUIZ_QUESTION);
$sql = "SELECT * FROM $TBL_QUESTIONS WHERE id = '".$this->questionId."'";
$sql = "SELECT * FROM $TBL_QUESTIONS WHERE id = '".Database::escape_string($this->questionId)."'";
$res = api_sql_query($sql,__FILE__,__LINE__);
if(Database::num_rows($res)<=0){
return null;
@ -385,12 +387,12 @@ $this->hotspot_coordinates[$i]=$object->hotspot_coordinates;
$questionId=$this->questionId;
$sql = "UPDATE $TBL_REPONSES SET " .
"`answer` = '$answer', " .
"`comment` = '$comment', " .
"`ponderation` = '$weighting', " .
"`position` = '$position' " .
"WHERE `id` =$position " .
"AND `question_id` =$questionId";
"answer = '".Database::escape_string($answer)."', " .
"comment = '".Database::escape_string($comment)."', " .
"ponderation = '".Database::escape_string($weighting)."', " .
"position = '".Database::escape_string($position)."' " .
"WHERE id = '".Database::escape_string($position)."' " .
"AND question_i` = '".Database::escape_string($questionId)."'";
api_sql_query($sql,__FILE__,__LINE__);
}
@ -407,7 +409,7 @@ $this->hotspot_coordinates[$i]=$object->hotspot_coordinates;
$questionId=$this->questionId;
// removes old answers before inserting of new ones
$sql="DELETE FROM $TBL_REPONSES WHERE question_id='$questionId'";
$sql="DELETE FROM $TBL_REPONSES WHERE question_id='".Database::escape_string($questionId)."'";
api_sql_query($sql,__FILE__,__LINE__);
// inserts new answers into data base
@ -417,13 +419,13 @@ $this->hotspot_coordinates[$i]=$object->hotspot_coordinates;
for($i=1;$i <= $this->new_nbrAnswers;$i++)
{
$answer=addslashes($this->new_answer[$i]);
$correct=$this->new_correct[$i];
$comment=addslashes($this->new_comment[$i]);
$weighting=$this->new_weighting[$i];
$position=$this->new_position[$i];
$hotspot_coordinates=$this->new_hotspot_coordinates[$i];
$hotspot_type=$this->new_hotspot_type[$i];
$answer = Database::escape_string($this->new_answer[$i]);
$correct = Database::escape_string($this->new_correct[$i]);
$comment = Database::escape_string($this->new_comment[$i]);
$weighting = Database::escape_string($this->new_weighting[$i]);
$position = Database::escape_string($this->new_position[$i]);
$hotspot_coordinates = Database::escape_string($this->new_hotspot_coordinates[$i]);
$hotspot_type = Database::escape_string($this->new_hotspot_type[$i]);
$sql.="('$i','$questionId','$answer','$correct','$comment',
'$weighting','$position','$hotspot_coordinates','$hotspot_type'),";
@ -468,13 +470,13 @@ $this->hotspot_coordinates[$i]=$object->hotspot_coordinates;
for($i=1;$i <= $this->nbrAnswers;$i++)
{
$answer=addslashes($this->answer[$i]);
$correct=$this->correct[$i];
$comment=addslashes($this->comment[$i]);
$weighting=$this->weighting[$i];
$position=$this->position[$i];
$hotspot_coordinates=$this->hotspot_coordinates[$i];
$hotspot_type=$this->hotspot_type[$i];
$answer = Database::escape_string($this->answer[$i]);
$correct = Database::escape_string($this->correct[$i]);
$comment = Database::escape_string($this->comment[$i]);
$weighting = Database::escape_string($this->weighting[$i]);
$position = Database::escape_string($this->position[$i]);
$hotspot_coordinates = Database::escape_string($this->hotspot_coordinates[$i]);
$hotspot_type = Database::escape_string($this->hotspot_type[$i]);
$sql.="('$i','$newQuestionId','$answer','$correct','$comment'," .
"'$weighting','$position','$hotspot_coordinates','$hotspot_type'),";
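Review bot: The rewritten UPDATE in the hunk at old line 385 has a typo in its last predicate: `"AND question_i` = '".Database::escape_string($questionId)."'";` names a column `question_i` followed by a stray backtick, so the statement fails with a syntax/unknown-column error and the answer row is never updated; it should read `"AND question_id = '".Database::escape_string($questionId)."'";`. Separately, in `readOrderedBy` the escaped `$field` is still spliced in unquoted as `ORDER BY $field $order`; `Database::escape_string` only neutralises quote characters inside a quoted literal and gives no protection for an identifier, so `$field` should be validated against an allowlist the way `$order` already is, e.g. replacing the `empty($field)` check with `if (!in_array($field, array('answer','correct','comment','ponderation','position','hotspot_coordinates','hotspot_type'), true)) { $field = 'position'; }` (the column names are those selected in the same method). The loops at old lines 417 and 468 correctly replace `addslashes` with `Database::escape_string`; both enclosing methods start outside their hunks.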

@ -22,7 +22,7 @@
* This script allows to manage answers. It is included from the script admin.php
* @package dokeos.exercise
* @author Olivier Brouckaert
* @version $Id: answer_admin.inc.php 13301 2007-09-27 03:47:39Z yannoo $
* @version $Id: answer_admin.inc.php 15602 2008-06-18 08:52:24Z pcool $
*/
@ -1155,7 +1155,7 @@ if($modifyAnswers)
?>
<h3>
<?php echo $questionName;?></h3><?php
$sql = "select description from `".$TBL_QUESTIONS."` where id = '$questionId'";
$sql = "select description from `".$TBL_QUESTIONS."` where id = '".Database::escape_string($questionId)."'";
$res = api_sql_query($sql,_FILE_,_LINE_);
?>
&nbsp; &nbsp; &nbsp;
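Review bot: The call directly under the rewritten query, `api_sql_query($sql,_FILE_,_LINE_);`, passes `_FILE_` and `_LINE_` (single underscores) instead of the magic constants, so the error-location arguments are undefined constants — a notice on PHP 5/7 and a fatal error on PHP 8 — and since the adjacent line is being touched for escaping this should be corrected in the same change to `api_sql_query($sql,__FILE__,__LINE__);`. `$questionId` is an id, so `(int)` would be a tighter form than a string escape, though the escape as written is correct. The `if($modifyAnswers)` block named in the hunk header starts outside the hunk.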

@ -157,11 +157,13 @@ if ($show=='result' && $_REQUEST['comments']=='update' && ($is_allowedToEdit ||
$keyexp = explode('_',$key);
if ($keyexp[0] == "marks")
{
$sql = "select question from $TBL_QUESTIONS where id = '$keyexp[1]'";
$sql = "SELECT question from $TBL_QUESTIONS where id = '".Database::escape_string($keyexp[1])."'";
$result =api_sql_query($sql, __FILE__, __LINE__);
$ques_name = mysql_result($result,0,"question");
$query = "update $TBL_TRACK_ATTEMPT set marks = '$v' where question_id = $keyexp[1] and exe_id=$id";
$query = "UPDATE $TBL_TRACK_ATTEMPT SET marks = '".Database::escape_string($v)."'
WHERE question_id = '".Database::escape_string($keyexp[1])."'
AND exe_id='".Database::escape_string($id)."'";
api_sql_query($query, __FILE__, __LINE__);
$qry = 'SELECT sum(marks) as tot
@ -171,13 +173,15 @@ if ($show=='result' && $_REQUEST['comments']=='update' && ($is_allowedToEdit ||
$res = api_sql_query($qry,__FILE__,__LINE__);
$tot = mysql_result($res,0,'tot');
$totquery = "update $TBL_TRACK_EXERCICES set exe_result = $tot where exe_Id=$id";
$totquery = "update $TBL_TRACK_EXERCICES set exe_result = '".Database::escape_string($tot)."' where exe_Id='".Database::escape_string($id)."'";
api_sql_query($totquery, __FILE__, __LINE__);
}
else
{
$query = "update $TBL_TRACK_ATTEMPT set teacher_comment = '$v' where question_id = $keyexp[1] and exe_id = $id ";
$query = "UPDATE $TBL_TRACK_ATTEMPT SET teacher_comment = '".Database::escape_string($v)."'
WHERE question_id = '".Database::escape_string($keyexp[1])."'
AND exe_id = '".Database::escape_string($id)."'";
api_sql_query($query, __FILE__, __LINE__);
}
@ -194,7 +198,7 @@ if ($show=='result' && $_REQUEST['comments']=='update' && ($is_allowedToEdit ||
$tot += $row ['marks'];
}
$totquery = "update $TBL_TRACK_EXERCICES set exe_result = $tot where exe_Id=$id";
$totquery = "UPDATE $TBL_TRACK_EXERCICES SET exe_result = '".Database::escape_string($tot)."' WHERE exe_Id='".Database::escape_string($id)."'";
api_sql_query($totquery, __FILE__, __LINE__);
$subject = get_lang('ExamSheetVCC');
@ -459,7 +463,7 @@ if($is_allowedToEdit)
break;
case 'enable': // enables an exercise
$newVisibilityStatus = "1"; //"visible"
$query = "SELECT id FROM $TBL_DOCUMENT WHERE path='$file'";
$query = "SELECT id FROM $TBL_DOCUMENT WHERE path='".Database::escape_string($file)."'";
$res = api_sql_query($query,__FILE__,__LINE__);
$row = Database::fetch_array($res, 'ASSOC');
api_item_property_update($_course, TOOL_DOCUMENT, $row['id'], 'visible', $_user['user_id']);
@ -468,7 +472,7 @@ if($is_allowedToEdit)
break;
case 'disable': // disables an exercise
$newVisibilityStatus = "0"; //"invisible"
$query = "SELECT id FROM $TBL_DOCUMENT WHERE path='$file'";
$query = "SELECT id FROM $TBL_DOCUMENT WHERE path='".Database::escape_string($file)."'";
$res = api_sql_query($query,__FILE__,__LINE__);
$row = Database::fetch_array($res, 'ASSOC');
api_item_property_update($_course, TOOL_DOCUMENT, $row['id'], 'invisible', $_user['user_id']);
@ -483,14 +487,14 @@ if($is_allowedToEdit)
if($show == 'test')
{
$sql="SELECT id,title,type,active,description, results_disabled FROM $TBL_EXERCICES WHERE active<>'-1' ORDER BY title LIMIT $from,".($limitExPage+1);
$sql="SELECT id,title,type,active,description, results_disabled FROM $TBL_EXERCICES WHERE active<>'-1' ORDER BY title LIMIT ".(int)$from.",".(int)($limitExPage+1);
$result=api_sql_query($sql,__FILE__,__LINE__);
}
}
// only for students
elseif($show == 'test')
{
$sql="SELECT id,title,type,description, results_disabled FROM $TBL_EXERCICES WHERE active='1' ORDER BY title LIMIT $from,".($limitExPage+1);
$sql="SELECT id,title,type,description, results_disabled FROM $TBL_EXERCICES WHERE active='1' ORDER BY title LIMIT ".(int)$from.",".(int)($limitExPage+1);
$result=api_sql_query($sql,__FILE__,__LINE__);
}
@ -519,13 +523,13 @@ if($show == 'test'){
$res = api_sql_query ("SELECT *
FROM $TBL_DOCUMENT
WHERE
path LIKE '".$uploadPath."/%/%'",__FILE__,__LINE__);
path LIKE '".Database::escape_string($uploadPath)."/%/%'",__FILE__,__LINE__);
$nbrTests = Database::num_rows($res);
$res = api_sql_query ("SELECT *
FROM $TBL_DOCUMENT d, $TBL_ITEM_PROPERTY ip
WHERE d.id = ip.ref
AND ip.tool = '".TOOL_DOCUMENT."'
AND d.path LIKE '".$uploadPath."/%/%'
AND d.path LIKE '".Database::escape_string($uploadPath)."/%/%'
AND ip.visibility='1'", __FILE__,__LINE__);
$nbrActiveTests = Database::num_rows($res);
@ -633,7 +637,7 @@ if($show == 'test'){
</td>
<td width="8%" align="center"> <?php
$exid = $row['id'];
$sqlquery = "SELECT count(*) FROM $TBL_EXERCICE_QUESTION WHERE exercice_id = '$exid'";
$sqlquery = "SELECT count(*) FROM $TBL_EXERCICE_QUESTION WHERE exercice_id = '".Database::escape_string($exid)."'";
$sqlresult =api_sql_query($sqlquery);
$rowi = mysql_result($sqlresult,0);
echo $rowi.' '.strtolower(get_lang(($rowi>1?'Questions':'Question'))).'</td>';
@ -683,7 +687,7 @@ if($show == 'test'){
</table></td>
<td align="center"> <?php
$exid = $row['id'];
$sqlquery = "SELECT count(*) FROM $TBL_EXERCICE_QUESTION WHERE exercice_id = '$exid'";
$sqlquery = "SELECT count(*) FROM $TBL_EXERCICE_QUESTION WHERE exercice_id = '".Database::escape_string($exid)."'";
$sqlresult =api_sql_query($sqlquery);
$rowi = mysql_result($sqlresult,0);
echo ($rowi>1?get_lang('Questions'):get_lang('Question')); ?> </td>
@ -692,7 +696,7 @@ if($show == 'test'){
$eid = $row['id'];
$uid= api_get_user_id();
//this query might be improved later on by ordering by the new "tms" field rather than by exe_id
$qry = "select * from $TBL_TRACK_EXERCICES where exe_exo_id = $eid and exe_user_id = $uid and exe_cours_id = '".api_get_course_id()."' ORDER BY exe_id DESC";
$qry = "select * from $TBL_TRACK_EXERCICES where exe_exo_id = '".Database::escape_string($eid)."' and exe_user_id = '".Database::escape_string($uid)."' and exe_cours_id = '".api_get_course_id()."' ORDER BY exe_id DESC";
$qryres = api_sql_query($qry);
$num = Database::num_rows($qryres);
if($num>0)
@ -753,7 +757,7 @@ if($show == 'test'){
FROM $TBL_DOCUMENT d, $TBL_ITEM_PROPERTY ip
WHERE d.id = ip.ref AND ip.tool = '".TOOL_DOCUMENT."' AND
(d.path LIKE '%htm%')
AND d.path LIKE '".$uploadPath."/%/%' LIMIT $from,$to"; // only .htm or .html files listed
AND d.path LIKE '".Database::escape_string($uploadPath)."/%/%' LIMIT ".(int)$from.",".(int)$to; // only .htm or .html files listed
}
else
{
@ -761,7 +765,7 @@ if($show == 'test'){
FROM $TBL_DOCUMENT d, $TBL_ITEM_PROPERTY ip
WHERE d.id = ip.ref AND ip.tool = '".TOOL_DOCUMENT."' AND
(d.path LIKE '%htm%')
AND d.path LIKE '".$uploadPath."/%/%' AND ip.visibility='1' LIMIT $from,$to";
AND d.path LIKE '".Database::escape_string($uploadPath)."/%/%' AND ip.visibility='1' LIMIT ".(int)$from.",".(int)$to;
}
$result = api_sql_query ($sql,__FILE__,__LINE__);
@ -938,13 +942,13 @@ if($_configuration['tracking_enabled'])
$sql="SELECT CONCAT(lastname,' ',firstname),ce.title, te.exe_result ,
te.exe_weighting, UNIX_TIMESTAMP(te.exe_date),te.exe_id,email
FROM $TBL_EXERCICES AS ce , $TBL_TRACK_EXERCICES AS te, $TBL_USER AS user
WHERE te.exe_exo_id = ce.id AND user_id=te.exe_user_id AND te.exe_cours_id='$_cid'
WHERE te.exe_exo_id = ce.id AND user_id=te.exe_user_id AND te.exe_cours_id='".Database::escape_string($_cid)."'
ORDER BY te.exe_cours_id ASC, ce.title ASC, te.exe_date ASC";
$hpsql="SELECT CONCAT(tu.lastname,' ',tu.firstname), tth.exe_name,
tth.exe_result , tth.exe_weighting, UNIX_TIMESTAMP(tth.exe_date)
FROM $TBL_TRACK_HOTPOTATOES tth, $TBL_USER tu
WHERE tu.user_id=tth.exe_user_id AND tth.exe_cours_id = '".$_cid."'
WHERE tu.user_id=tth.exe_user_id AND tth.exe_cours_id = ".Database::escape_string($_cid)."'
ORDER BY tth.exe_cours_id ASC, tth.exe_date ASC";
}
@ -952,12 +956,12 @@ if($_configuration['tracking_enabled'])
{ // get only this user's results
$sql="SELECT '',ce.title, te.exe_result , te.exe_weighting, UNIX_TIMESTAMP(te.exe_date),te.exe_id
FROM $TBL_EXERCICES AS ce , $TBL_TRACK_EXERCICES AS te
WHERE te.exe_exo_id = ce.id AND te.exe_user_id='".$_user['user_id']."' AND te.exe_cours_id='$_cid' AND results_disabled=0
WHERE te.exe_exo_id = ce.id AND te.exe_user_id='".$_user['user_id']."' AND te.exe_cours_id=".Database::escape_string($_cid)."' AND results_disabled=0
ORDER BY te.exe_cours_id ASC, ce.title ASC, te.exe_date ASC";
$hpsql="SELECT '',exe_name, exe_result , exe_weighting, UNIX_TIMESTAMP(exe_date)
FROM $TBL_TRACK_HOTPOTATOES
WHERE exe_user_id = '".$_user['user_id']."' AND exe_cours_id = '".$_cid."'
WHERE exe_user_id = '".$_user['user_id']."' AND exe_cours_id = ".Database::escape_string($_cid)."'
ORDER BY exe_cours_id ASC, exe_date ASC";
}
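Review bot: Three of the rewritten tracking queries drop the opening quote around the escaped course id: `tth.exe_cours_id = ".Database::escape_string($_cid)."'` in the hunk at old line 938, and `te.exe_cours_id=".Database::escape_string($_cid)."'` and `exe_cours_id = ".Database::escape_string($_cid)."'` in the hunk at old line 952 each end with a closing `'` that has no opener, so a course code such as `ABC` produces `= ABC'` and the statement is syntactically invalid. Each should read `... = '".Database::escape_string($_cid)."'`, matching the `$sql` line just above them that got it right. The rest of the section correctly moves to `Database::escape_string` and `(int)` casts for `LIMIT`; for the numeric `exe_exo_id`/`exe_user_id` values in the `$qry` at old line 692, `(int)` would be the simpler form. The enclosing `if($_configuration['tracking_enabled'])` block continues outside both hunks.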

@ -22,7 +22,7 @@
* Exercise class: This class allows to instantiate an object of type Exercise
* @package dokeos.exercise
* @author Olivier Brouckaert
* @version $Id: exercise.class.php 14786 2008-04-08 14:11:46Z elixir_inter $
* @version $Id: exercise.class.php 15602 2008-06-18 08:52:24Z pcool $
*/
@ -75,7 +75,7 @@ class Exercise
$TBL_QUESTIONS = Database::get_course_table(TABLE_QUIZ_QUESTION);
#$TBL_REPONSES = Database::get_course_table(TABLE_QUIZ_ANSWER);
$sql="SELECT title,description,sound,type,random,active, results_disabled FROM $TBL_EXERCICES WHERE id='$id'";
$sql="SELECT title,description,sound,type,random,active, results_disabled FROM $TBL_EXERCICES WHERE id='".Database::escape_string($id)."'";
$result=api_sql_query($sql,__FILE__,__LINE__);
// if the exercise has been found
@ -90,7 +90,7 @@ class Exercise
$this->active=$object->active;
$this->results_disabled =$object->results_disabled;
$sql="SELECT question_id,position FROM $TBL_EXERCICE_QUESTION,$TBL_QUESTIONS WHERE question_id=id AND exercice_id='$id' ORDER BY position";
$sql="SELECT question_id,position FROM $TBL_EXERCICE_QUESTION,$TBL_QUESTIONS WHERE question_id=id AND exercice_id='".Database::escape_string($id)."' ORDER BY position";
$result=api_sql_query($sql,__FILE__,__LINE__);
// fills the array with the question ID for this exercise
@ -445,13 +445,30 @@ class Exercise
// exercise already exists
if($id)
{
$sql="UPDATE $TBL_EXERCICES SET title='$exercise',description='$description',sound='$sound',type='$type',random='$random',active='$active',results_disabled='$results_disabled' WHERE id='$id'";
$sql="UPDATE $TBL_EXERCICES SET
title='".Database::escape_string($exercise)."',
description='".Database::escape_string($description)."',
sound='".Database::escape_string($sound)."',
type='".Database::escape_string($type)."',
random='".Database::escape_string($random)."',
active='".Database::escape_string($active)."',
results_disabled='".Database::escape_string($results_disabled)."'
WHERE id='".Database::escape_string($id)."'";
api_sql_query($sql,__FILE__,__LINE__);
}
// creates a new exercise
else
{
$sql="INSERT INTO $TBL_EXERCICES(title,description,sound,type,random,active, results_disabled) VALUES('$exercise','$description','$sound','$type','$random','$active',$results_disabled)";
$sql="INSERT INTO $TBL_EXERCICES(title,description,sound,type,random,active, results_disabled)
VALUES(
'".Database::escape_string($exercise)."',
'".Database::escape_string($description)."',
'".Database::escape_string($sound)."',
'".Database::escape_string($type)."',
'".Database::escape_string($random)."',
'".Database::escape_string($active)."',
'".Database::escape_string($results_disabled)."'
)";
api_sql_query($sql,__FILE__,__LINE__);
$this->id=mysql_insert_id();
@ -460,7 +477,7 @@ class Exercise
// updates the question position
foreach($this->questionList as $position=>$questionId)
{
$sql="UPDATE $TBL_QUESTIONS SET position='$position' WHERE id='$questionId'";
$sql="UPDATE $TBL_QUESTIONS SET position='".Database::escape_string($position)."' WHERE id='".Database::escape_string($questionId)."'";
api_sql_query($sql,__FILE__,__LINE__);
}
}
@ -615,7 +632,7 @@ class Exercise
*/
function delete(){
$TBL_EXERCICES = Database::get_course_table(TABLE_QUIZ_TEST);
$sql="UPDATE $TBL_EXERCICES SET active='-1' WHERE id='".$this->id."'";
$sql="UPDATE $TBL_EXERCICES SET active='-1' WHERE id='".Database::escape_string($this->id)."'";
api_sql_query($sql);
}
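Review bot: The rewritten UPDATE/INSERT in the hunk at old line 445 now escape `$exercise`, `$description` and `$sound` at the query site, but the lines that produce those values lie outside the hunk; if they are still passed through `addslashes` upstream — as the answer values were before this commit in answer.class.php — they will be double-escaped and stored with literal backslashes, so that earlier escaping should be removed in the same change (worth confirming against the start of the method). Numeric columns (`id`, `type`, `random`, `active`, `results_disabled`) are quoted and string-escaped; `(int)` casts would state the intent more directly, e.g. `WHERE id='".(int)$id."'`. `delete()` is complete within its hunk; the method building the UPDATE/INSERT starts and ends outside its hunk.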

@ -23,7 +23,7 @@
* shows a question and its answers
* @package dokeos.exercise
* @author Olivier Brouckaert <oli.brouckaert@skynet.be>
* @version $Id: exercise.lib.php 15412 2008-05-26 13:56:24Z elixir_inter $
* @version $Id: exercise.lib.php 15602 2008-06-18 08:52:24Z pcool $
*/
@ -99,7 +99,7 @@ function showQuestion($questionId, $onlyAnswers=false, $origin=false)
$oFCKeditor->Value = '' ;
$TBL_LANGUAGES = Database::get_main_table(TABLE_MAIN_LANGUAGE);
$sql="SELECT isocode FROM ".$TBL_LANGUAGES." WHERE english_name='".$_SESSION["_course"]["language"]."'";
$sql="SELECT isocode FROM ".$TBL_LANGUAGES." WHERE english_name='".Database::escape_string($_SESSION["_course"]["language"])."'";
$result_sql=api_sql_query($sql);
$isocode_language=mysql_result($result_sql,0,0);
$oFCKeditor->Config['DefaultLanguage'] = $isocode_language;

@ -89,7 +89,7 @@ class ExerciseResult
$TBL_QUESTIONS = Database::get_course_table(TABLE_QUIZ_QUESTION);
$sql="SELECT q.id, q.question, q.ponderation, q.position, q.type, q.picture " .
" FROM $TBL_EXERCISE_QUESTION eq, $TBL_QUESTIONS q " .
" WHERE eq.question_id=q.id AND eq.exercice_id='$e_id' " .
" WHERE eq.question_id=q.id AND eq.exercice_id='".Database::escape_string($e_id)."' " .
" ORDER BY q.position";
$result=api_sql_query($sql,__FILE__,__LINE__);
@ -142,12 +142,12 @@ class ExerciseResult
$sql="SELECT '',ce.title, te.exe_result , te.exe_weighting, " .
"UNIX_TIMESTAMP(te.exe_date),te.exe_id
FROM $TBL_EXERCISES ce , $TBL_TRACK_EXERCISES te
WHERE te.exe_exo_id = ce.id AND te.exe_user_id='".$user_id."' AND te.exe_cours_id='$cid'
WHERE te.exe_exo_id = ce.id AND te.exe_user_id='".Database::escape_string($user_id)."' AND te.exe_cours_id='".Database::escape_string($cid)."'
ORDER BY te.exe_cours_id ASC, ce.title ASC, te.exe_date ASC";
$hpsql="SELECT '',exe_name, exe_result , exe_weighting, UNIX_TIMESTAMP(exe_date)
FROM $TBL_TRACK_HOTPOTATOES
WHERE exe_user_id = '".$user_id."' AND exe_cours_id = '".$cid."'
WHERE exe_user_id = '".Database::escape_string($user_id)."' AND exe_cours_id = '".Database::escape_string($cid)."'
ORDER BY exe_cours_id ASC, exe_date ASC";
}

@ -25,7 +25,7 @@
* @package dokeos.exercise
* @author Olivier Brouckaert, main author
* @author Roan Embrechts, some refactoring
* @version $Id: exercise_result.php 15438 2008-05-27 06:46:30Z elixir_inter $
* @version $Id: exercise_result.php 15602 2008-06-18 08:52:24Z pcool $
*
* @todo split more code up in functions, move functions to library?
*/
@ -92,10 +92,10 @@ if ( empty ( $origin ) ) {
$origin = $_REQUEST['origin'];
}
if ( empty ( $learnpath_id ) ) {
$learnpath_id = mysql_real_escape_string($_REQUEST['learnpath_id']);
$learnpath_id = $_REQUEST['learnpath_id'];
}
if ( empty ( $learnpath_item_id ) ) {
$learnpath_item_id = mysql_real_escape_string($_REQUEST['learnpath_item_id']);
$learnpath_item_id = $_REQUEST['learnpath_item_id'];
}
if ( empty ( $formSent ) ) {
$formSent = $_REQUEST['formSent'];
@ -110,10 +110,10 @@ if ( empty ( $choice ) ) {
$choice = $_REQUEST['choice'];
}
if ( empty ( $questionNum ) ) {
$questionNum = mysql_real_escape_string($_REQUEST['questionNum']);
$questionNum = $_REQUEST['questionNum'];
}
if ( empty ( $nbrQuestions ) ) {
$nbrQuestions = mysql_real_escape_string($_REQUEST['nbrQuestions']);
$nbrQuestions = $_REQUEST['nbrQuestions'];
}
if ( empty ( $questionList ) ) {
$questionList = $_SESSION['questionList'];
@ -696,7 +696,7 @@ $exerciseTitle=api_parse_tex($exerciseTitle);
$tbl_track_e_hotspot = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_HOTSPOT);
// Save into db
$sql = "INSERT INTO $tbl_track_e_hotspot (`hotspot_user_id` , `hotspot_course_code` , `hotspot_exe_id` , `hotspot_question_id` , `hotspot_answer_id` , `hotspot_correct` , `hotspot_coordinate` )
VALUES ('".$_user['user_id']."', '".$_course['id']."', '$exeId', '$questionId', '$answerId', '$studentChoice', '".$_SESSION['exerciseResultCoordinates'][$questionId][$answerId]."')";
VALUES ('".Database::escape_string($_user['user_id'])."', '".Database::escape_string($_course['id'])."', '".Database::escape_string($exeId)."', '".Database::escape_string($questionId)."', '".Database::escape_string($answerId)."', '".Database::escape_string($studentChoice)."', '".Database::escape_string($_SESSION['exerciseResultCoordinates'][$questionId][$answerId])."')";
$result = api_sql_query($sql,__FILE__,__LINE__);
@ -791,7 +791,7 @@ $exerciseTitle=api_parse_tex($exerciseTitle);
$val = $arr1[1][0];
$val=addslashes($val);
$val=strip_tags($val);
$sql = "select position from $table_ans where question_id=$questionId and answer='$val' AND correct=0";
$sql = "select position from $table_ans where question_id='".Database::escape_string($questionId)."' and answer='".Database::escape_string($val)."' AND correct=0";
$res = api_sql_query($sql, __FILE__, __LINE__);
$answer = mysql_result($res,0,"position");
@ -806,7 +806,7 @@ $exerciseTitle=api_parse_tex($exerciseTitle);
}
elseif ($answerType==UNIQUE_ANSWER)
{
$sql = "select id from $table_ans where question_id=$questionId and position=$choice";
$sql = "select id from $table_ans where question_id='".Database::escape_string($questionId)."' and position='".Database::escape_string($choice)."'";
$res = api_sql_query($sql, __FILE__, __LINE__);
$answer = mysql_result($res,0,"id");
exercise_attempt($questionScore,$answer,$quesId,$exeId,0);
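Review bot: In the hunk at old line 791 the new query escapes `$val` with `Database::escape_string`, but the context line two above it still runs `$val=addslashes($val);`, so any quote or backslash in the answer text is now escaped twice and the `answer='...'` comparison stops matching the stored value for such answers. Drop the `$val=addslashes($val);` line (keeping `$val=strip_tags($val);`) now that escaping happens at the query site. The following `mysql_result($res,0,"position")` has no row check, but that is pre-existing; the INSERT at old line 696 is fine. The enclosing answer-type `if`/`elseif` chain starts and ends outside these hunks.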

@ -73,10 +73,10 @@ if ( empty ( $origin ) )
$origin = $_REQUEST['origin'];
}
if ( empty ( $learnpath_id ) ) {
$learnpath_id = mysql_real_escape_string($_REQUEST['learnpath_id']);
$learnpath_id = $_REQUEST['learnpath_id'];
}
if ( empty ( $learnpath_item_id ) ) {
$learnpath_item_id = mysql_real_escape_string($_REQUEST['learnpath_item_id']);
$learnpath_item_id = $_REQUEST['learnpath_item_id'];
}
if ( empty ( $formSent ) ) {
$formSent= $_REQUEST['formSent'];
@ -91,10 +91,10 @@ if ( empty ( $choice ) ) {
$choice = $_REQUEST['choice'];
}
if ( empty ( $questionNum ) ) {
$questionNum = mysql_real_escape_string($_REQUEST['questionNum']);
$questionNum = $_REQUEST['questionNum'];
}
if ( empty ( $nbrQuestions ) ) {
$nbrQuestions = mysql_real_escape_string($_REQUEST['nbrQuestions']);
$nbrQuestions = $_REQUEST['nbrQuestions'];
}
if ( empty ( $questionList ) ) {
$questionList = $_SESSION['questionList'];
@ -181,15 +181,33 @@ function getFCK(vals,marksid){
</script>
<?php
//functions
/**
* Enter description here...
*
* @param unknown_type $id
* @param unknown_type $question_id
* @return unknown
*/
function get_comments($id,$question_id)
{
global $TBL_TRACK_ATTEMPT;
$sql = "select teacher_comment from ".$TBL_TRACK_ATTEMPT." where exe_id=$id and question_id = '$question_id' order by question_id";
$sql = "select teacher_comment from ".$TBL_TRACK_ATTEMPT." where exe_id='".Database::escape_string($id and question_id)."' = '".Database::escape_string($question_id)."' order by question_id";
$sqlres = api_sql_query($sql, __FILE__, __LINE__);
$comm = mysql_result($sqlres,0,"teacher_comment");
return $comm;
}
/**
* Enter description here...
*
* @param unknown_type $answerType
* @param unknown_type $studentChoice
* @param unknown_type $answer
* @param unknown_type $answerComment
* @param unknown_type $answerCorrect
* @param unknown_type $id
* @param unknown_type $questionId
* @param unknown_type $ans
*/
function display_unique_or_multiple_answer($answerType, $studentChoice, $answer, $answerComment, $answerCorrect,$id,$questionId,$ans)
{
?>
@ -214,6 +232,13 @@ function display_unique_or_multiple_answer($answerType, $studentChoice, $answer,
</tr>
<?php
}
/**
* Enter description here...
*
* @param unknown_type $answer
* @param unknown_type $id
* @param unknown_type $questionId
*/
function display_fill_in_blanks_answer($answer,$id,$questionId)
{
@ -232,7 +257,13 @@ function display_fill_in_blanks_answer($answer,$id,$questionId)
</tr>
<?php }
}
/**
* Enter description here...
*
* @param unknown_type $answer
* @param unknown_type $id
* @param unknown_type $questionId
*/
function display_free_answer($answer,$id,$questionId)
{
?>
@ -254,7 +285,14 @@ function display_free_answer($answer,$id,$questionId)
</tr>
<?php
}
/**
* Enter description here...
*
* @param unknown_type $answerId
* @param unknown_type $answer
* @param unknown_type $studentChoice
* @param unknown_type $answerComment
*/
function display_hotspot_answer($answerId, $answer, $studentChoice, $answerComment)
{
//global $hotspot_colors;
@ -300,7 +338,7 @@ function display_hotspot_answer($answerId, $answer, $studentChoice, $answerComme
<tr>
<td colspan="2">
<?php
$sql_test_name='SELECT title, description FROM '.$TBL_EXERCICES.' as exercises, '.$TBL_TRACK_EXERCICES.' as track_exercises WHERE exercises.id=track_exercises.exe_exo_id AND track_exercises.exe_id="'.$id.'"';
$sql_test_name='SELECT title, description FROM '.$TBL_EXERCICES.' as exercises, '.$TBL_TRACK_EXERCICES.' as track_exercises WHERE exercises.id=track_exercises.exe_exo_id AND track_exercises.exe_id="'.Database::escape_string($id).'"';
$result=api_sql_query($sql_test_name);
$test=mysql_result($result,0,0);
$exerciseTitle=api_parse_tex($test);
@ -311,7 +349,7 @@ $query = "select * from ".$TBL_TRACK_ATTEMPT." as attempts
INNER JOIN ".$TBL_TRACK_EXERCICES." as stats_exercices ON stats_exercices.exe_id=attempts.exe_id
INNER JOIN ".$TBL_EXERCICE_QUESTION." as quizz_rel_questions ON quizz_rel_questions.exercice_id=stats_exercices.exe_exo_id AND quizz_rel_questions.question_id = attempts.question_id
INNER JOIN ".$TBL_QUESTIONS." as questions ON questions.id=quizz_rel_questions.question_id
WHERE attempts.exe_id='$id' $user_restriction
WHERE attempts.exe_id='".Database::escape_string($id)."' $user_restriction
GROUP BY questions.position, attempts.question_id";
$result =api_sql_query($query, __FILE__, __LINE__);
@ -420,7 +458,7 @@ $result =api_sql_query($query, __FILE__, __LINE__);
$answerComment=$objAnswerTmp->selectComment($answerId);
$answerCorrect=$objAnswerTmp->isCorrect($answerId);
$answerWeighting=$objAnswerTmp->selectWeighting($answerId);
$queryans = "select * from ".$TBL_TRACK_ATTEMPT." where exe_id = $id and question_id= $questionId";
$queryans = "select * from ".$TBL_TRACK_ATTEMPT." where exe_id = '".Database::escape_string($id)."' and question_id= '".Database::escape_string($questionId)."'";
$resultans = api_sql_query($queryans, __FILE__, __LINE__);
while ($row = mysql_fetch_array($resultans))
{
@ -473,7 +511,7 @@ $result =api_sql_query($query, __FILE__, __LINE__);
$answerComment=$objAnswerTmp->selectComment($answerId);
$answerCorrect=$objAnswerTmp->isCorrect($answerId);
$answerWeighting=$objAnswerTmp->selectWeighting($answerId);
$queryans = "select answer from ".$TBL_TRACK_ATTEMPT." where exe_id = $id and question_id= $questionId";
$queryans = "select answer from ".$TBL_TRACK_ATTEMPT." where exe_id = '".Database::escape_string($id)."' and question_id= '".Database::escape_string($questionId)."'";
$resultans = api_sql_query($queryans, __FILE__, __LINE__);
$choice = mysql_result($resultans,0,"answer");
$studentChoice=($choice == $answerId)?1:0;
@ -554,7 +592,7 @@ $result =api_sql_query($query, __FILE__, __LINE__);
{
break;
}
$queryfill = "select answer from ".$TBL_TRACK_ATTEMPT." where exe_id = $id and question_id= $questionId";
$queryfill = "select answer from ".$TBL_TRACK_ATTEMPT." where exe_id = '".Database::escape_string($id)."' and question_id= '".Database::escape_string($questionId)."'";
$resfill = api_sql_query($queryfill, __FILE__, __LINE__);
$str=mysql_result($resfill,0,"answer");
preg_match_all ('#\[([^[/]*)/#', $str, $arr);
@ -600,7 +638,7 @@ $result =api_sql_query($query, __FILE__, __LINE__);
$objAnswerTmp=new Answer($questionId);
$nbrAnswers=$objAnswerTmp->selectNbrAnswers();
$questionScore=0;
$query = "select answer, marks from ".$TBL_TRACK_ATTEMPT." where exe_id = $id and question_id= $questionId";
$query = "select answer, marks from ".$TBL_TRACK_ATTEMPT." where exe_id = '".Database::escape_string($id)."' and question_id= '".Database::escape_string($questionId)."'";
$resq=api_sql_query($query);
$choice = mysql_result($resq,0,"answer");
$questionScore = mysql_result($resq,0,"marks");
@ -625,7 +663,7 @@ $result =api_sql_query($query, __FILE__, __LINE__);
$table_ans = Database :: get_course_table(TABLE_QUIZ_ANSWER);
$TBL_TRACK_ATTEMPT = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_ATTEMPT);
$sql_select_answer = 'SELECT id, answer, correct, position FROM '.$table_ans.' WHERE question_id="'.$questionId.'" AND correct<>0';
$sql_select_answer = 'SELECT id, answer, correct, position FROM '.$table_ans.' WHERE question_id="'.Database::escape_string($questionId).'" AND correct<>0';
$res_answers = api_sql_query($sql_select_answer, __FILE__, __LINE__);
echo '<table width="355" height="71" border="0">';
@ -652,9 +690,9 @@ $result =api_sql_query($query, __FILE__, __LINE__);
ON answers.position = track_e_attempt.answer
AND track_e_attempt.question_id=answers.question_id
WHERE answers.correct = 0
AND track_e_attempt.exe_id = "'.$id.'"
AND track_e_attempt.question_id = "'.$questionId.'"
AND track_e_attempt.position="'.$i_answer_position.'"';
AND track_e_attempt.exe_id = "'.Database::escape_string($id).'"
AND track_e_attempt.question_id = "'.Database::escape_string($questionId).'"
AND track_e_attempt.position="'.Database::escape_string($i_answer_position).'"';
$res_user_answer = api_sql_query($sql_user_answer, __FILE__, __LINE__);
@ -709,14 +747,14 @@ $result =api_sql_query($query, __FILE__, __LINE__);
$answerWeighting=$objAnswerTmp->selectWeighting($answerId);
$TBL_TRACK_HOTSPOT = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_HOTSPOT);
$query = "select hotspot_correct from ".$TBL_TRACK_HOTSPOT." where hotspot_exe_id = $id and hotspot_question_id= $questionId AND hotspot_answer_id=$answerId";
$query = "select hotspot_correct from ".$TBL_TRACK_HOTSPOT." where hotspot_exe_id = '".Database::escape_string($id)."' and hotspot_question_id= '".Database::escape_string($questionId)."' AND hotspot_answer_id='".Database::escape_string($answerId)."'";
$resq=api_sql_query($query);
$choice = mysql_result($resq,0,"hotspot_correct");
display_hotspot_answer($answerId,$answer,$choice,$answerComment);
$i++;
}
$queryfree = "select marks from ".$TBL_TRACK_ATTEMPT." where exe_id = $id and question_id= $questionId";
$queryfree = "select marks from ".$TBL_TRACK_ATTEMPT." where exe_id = '".Database::escape_string($id)."' and question_id= '".Database::escape_string($questionId)."'";
$resfree = api_sql_query($queryfree, __FILE__, __LINE__);
$questionScore= mysql_result($resfree,0,"marks");
$totalScore+=$questionScore;

@ -47,7 +47,7 @@ $courseCode = $_course['sysCode'];
$coursePath = $_course['path'];
// Query db for answers
$sql = "SELECT id, answer, hotspot_coordinates, hotspot_type, ponderation FROM $TBL_ANSWERS WHERE question_id = '$questionId' ORDER BY id";
$sql = "SELECT id, answer, hotspot_coordinates, hotspot_type, ponderation FROM $TBL_ANSWERS WHERE question_id = '".Database::escape_string($questionId)."' ORDER BY id";
$result = api_sql_query($sql,__FILE__,__LINE__);
// Init
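Review bot: The new `question_id = '...'` clause guards an integer id with string escaping alone, which is correct only because the value is now quoted; for an integer column a cast states the contract more clearly and also keeps non-numeric input out of the query, e.g. `$questionId = (int) $questionId;` before the `$sql` line. The same pattern is used in the hotspot_answers.as.php hunk and in the `WHERE id=` / `exercice_id=` clauses of the question.class.php and question_pool.php hunks, so one helper or a cast at the point of assignment would cover all of them. Where `$questionId` is assigned is outside this hunk.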

@ -51,7 +51,7 @@ $courseCode = $_course['sysCode'];
$coursePath = $_course['path'];
// Query db for answers
$sql = "SELECT id, answer, hotspot_coordinates, hotspot_type FROM $TBL_ANSWERS WHERE question_id = '$questionId' ORDER BY id";
$sql = "SELECT id, answer, hotspot_coordinates, hotspot_type FROM $TBL_ANSWERS WHERE question_id = '".Database::escape_string($questionId)."' ORDER BY id";
$result = api_sql_query($sql,__FILE__,__LINE__);
// Init

@ -61,7 +61,7 @@ if ($_GET['type'] == "poly")
}
$hotspot_coordinates = substr($hotspot_coordinates,0,-2);
}
$sql = "UPDATE `$TBL_ANSWER` SET `hotspot_coordinates` = '$hotspot_coordinates',`hotspot_type` = '$hotspot_type' WHERE `id` =$answerId AND `question_id` =$questionId LIMIT 1 ;";
$sql = "UPDATE `$TBL_ANSWER` SET hotspot_coordinates = '".Database::escape_string($hotspot_coordinates)."',hotspot_type = '".Database::escape_string($hotspot_type)."' WHERE id = '".Database::escape_string($answerId)."' AND question_id ='".Database::escape_string($questionId)."' LIMIT 1 ;";
$result = api_sql_query($sql,__FILE__,__LINE__);
echo "done=done";
?>
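Review bot: The rewritten UPDATE stores `$hotspot_type` after escaping only, yet the value appears to come from `$_GET['type']` (the enclosing `if` compares it with `"poly"`), so whatever the client sends is written to the `hotspot_type` column and later interpreted by the exercise code. An allow-list check before the `$sql` line, `if (!in_array($hotspot_type, $allowed_hotspot_types, true)) { /* reject */ }` with `$allowed_hotspot_types` holding the types the editor supports (`square` and `poly` are the ones visible on this page), keeps the column to known values. `$hotspot_coordinates` is rebuilt from request data just above and could get a format check for the same reason. The assignments of `$answerId` and `$questionId` are outside the hunk, so whether they are scoped to a question the caller may edit cannot be seen here.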

@ -52,7 +52,14 @@ else // user clicked ON a hotspot
$TBL_TRACK_E_HOTSPOT = Database::get_statistic_table(STATISTIC_TRACK_E_HOTSPOTS);
// Save into db
$sql = "INSERT INTO $TBL_TRACK_E_HOTSPOT (`user_id` , `course_id` , `quiz_id` , `question_id` , `answer_id` , `correct` , `coordinate` ) VALUES ('".$_user['user_id']."', '$courseCode', '$exerciseId', '$questionId', '$answerId', '$hit', '$coordinates')";
$sql = "INSERT INTO $TBL_TRACK_E_HOTSPOT (`user_id` , `course_id` , `quiz_id` , `question_id` , `answer_id` , `correct` , `coordinate` ) VALUES (
'".Database::escape_string($_user['user_id'])."',
'".Database::escape_string($courseCode)."',
'".Database::escape_string($exerciseId)."',
'".Database::escape_string($questionId)."',
'".Database::escape_string($answerId)."',
'".Database::escape_string($hit)."',
'".Database::escape_string($coordinates)."')";
$result = api_sql_query($sql,__FILE__,__LINE__);
// Save insert id into session if users changes answer.
$insert_id = mysql_insert_id();
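Review bot: The escaped INSERT writes `$hit` into the `correct` column, but nothing in the hunk shows that value being computed on the server; if it arrives with the request from the hotspot client, correctness is decided client-side and escaping does not change that. Recomputing the hit from the stored `hotspot_coordinates` of `$answerId` and the submitted `$coordinates` before the INSERT, and storing that result instead of the request value, would make the tracking row trustworthy. The origin of `$hit`, `$coordinates` and `$answerId` is above this hunk, so this needs confirming against those lines.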

@ -67,6 +67,6 @@ $TBL_TRACK_E_HOTSPOT = Database::get_statistic_table(STATISTIC_TRACK_E_HOTSPOT
// update db
$update_id = $_SESSION['exerciseResult'][$questionId]['ids'][$answerId];
$sql = "UPDATE $TBL_TRACK_E_HOTSPOT SET `coordinate` = '".$coordinates."' WHERE `id` =$update_id LIMIT 1 ;;";
$sql = "UPDATE $TBL_TRACK_E_HOTSPOT SET coordinate = '".Database::escape_string($coordinates)."' WHERE id ='".Database::escape_string($update_id)."' LIMIT 1 ;;";
$result = api_sql_query($sql,__FILE__,__LINE__);
?>
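Review bot: The rewritten UPDATE keeps the `LIMIT 1 ;;` ending of the old line; a doubled semicolon is likely to be rejected as a syntax error unless the query layer strips it, in which case the coordinate change is never saved. Ending the statement with `LIMIT 1` alone, `... WHERE id ='".Database::escape_string($update_id)."' LIMIT 1";`, removes the doubt. Taking `$update_id` from the session rather than the request is the right choice here, since it ties the update to a row this user created earlier. The `$questionId` and `$answerId` used to index the session are set outside the hunk.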

@ -66,7 +66,7 @@ $debug=0;
if($debug>0){echo str_repeat('&nbsp;',0).'Entered exercise_result.php'."<br />\n";var_dump($_POST);}
// general parameters passed via POST/GET
$my_course_code = mysql_real_escape_string($_GET['cid']);
$my_course_code = $_GET['cid'];
if(!empty($_REQUEST['exe'])){
$my_exe = $_REQUEST['exe'];
}else{
@ -123,7 +123,7 @@ if($action == 'mark'){
#$tbl_learnpath_user = Database::get_course_table('learnpath_user');
#global $origin, $tbl_learnpath_user, $learnpath_id, $learnpath_item_id;
$sql = "SELECT * FROM $exercise_table
WHERE exe_user_id = '$my_usr' AND exe_cours_id = '$my_cid' AND exe_exo_id = '$my_exe'
WHERE exe_user_id = '".Database::escape_string($my_usr)."' AND exe_cours_id = '".Database::escape_string($my_cid)."' AND exe_exo_id = '".Database::escape_string($my_exe)."'
ORDER BY exe_date DESC";
#echo $sql;
$res = api_sql_query($sql,__FILE__,__LINE__);
@ -142,21 +142,21 @@ if($action == 'mark'){
$reallyNow = time();
$sql = "INSERT INTO $exercise_table
(
`exe_user_id`,
`exe_cours_id`,
`exe_exo_id`,
`exe_result`,
`exe_weighting`,
`exe_date`
exe_user_id,
exe_cours_id,
exe_exo_id,
exe_result,
exe_weighting,
exe_date
)
VALUES
(
".$my_usr.",
'".$my_cid."',
'".$my_exe."',
'".$my_score."',
'".$obj_question->selectWeighting()."',
'".Database::escape_string($my_usr)."',
'".Database::escape_string($my_cid)."',
'".Database::escape_string($my_exe)."',
'".Database::escape_string($my_score)."',
'".Database::escape_string($obj_question->selectWeighting())."',
FROM_UNIXTIME(".$reallyNow.")
)";
#if ($origin == 'learnpath')
@ -175,7 +175,7 @@ if($action == 'mark'){
//return 0;
}
}else{
$my_msg .= " There might have been a problem with the total score being too big...<br />\n";
$my_msg .= get_lang('TotalScoreTooBig');
}
}
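Review bot: The SELECT in the `@ -123,7` hunk and the INSERT in the `@ -142,21` hunk now escape `$my_usr`, `$my_cid` and `$my_exe`, but none of the hunks shows a check that the current user may mark results for course `$my_cid`; if `$my_cid` and `$my_usr` come from the request, as `$my_exe` visibly does at `$my_exe = $_REQUEST['exe'];`, escaping protects the query but not the authorisation. Taking the course from `api_get_course_id()` or verifying edit rights on `$my_cid` before the SELECT would close that, assuming no such check already exists above this chunk. The first hunk also drops `mysql_real_escape_string` from `$my_course_code`, so any use of that variable that does not pass through `Database::escape_string` is now unprotected. The enclosing `if($action == 'mark')` block starts before these hunks.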

@ -22,7 +22,7 @@
* File containing the Question class.
* @package dokeos.exercise
* @author Olivier Brouckaert
* @version $Id: question.class.php 15463 2008-05-27 16:45:11Z juliomontoya $
* @version $Id: question.class.php 15602 2008-06-18 08:52:24Z pcool $
*/
@ -103,7 +103,7 @@ abstract class Question
$TBL_EXERCICES = Database::get_course_table(TABLE_QUIZ_TEST);
$TBL_QUESTIONS = Database::get_course_table(TABLE_QUIZ_QUESTION);
$TBL_EXERCICE_QUESTION = Database::get_course_table(TABLE_QUIZ_TEST_QUESTION);
$sql="SELECT question,description,ponderation,position,type,picture FROM $TBL_QUESTIONS WHERE id='$id'";
$sql="SELECT question,description,ponderation,position,type,picture FROM $TBL_QUESTIONS WHERE id='".Database::escape_string($id)."'";
$result=api_sql_query($sql,__FILE__,__LINE__);
@ -298,7 +298,7 @@ abstract class Question
if(!in_array($this->type,array(UNIQUE_ANSWER,MULTIPLE_ANSWER)) || !in_array($type,array(UNIQUE_ANSWER,MULTIPLE_ANSWER)))
{
// removes old answers
$sql="DELETE FROM $TBL_REPONSES WHERE question_id='".$this->id."'";
$sql="DELETE FROM $TBL_REPONSES WHERE question_id='".Database::escape_string($this->id)."'";
api_sql_query($sql,__FILE__,__LINE__);
}
@ -472,7 +472,7 @@ abstract class Question
$Extension=$picture[sizeof($picture)-1];
$picture='quiz-'.$questionId.'.'.$Extension;
$sql="UPDATE $TBL_QUESTIONS SET picture='$picture' WHERE id='$questionId'";
$sql="UPDATE $TBL_QUESTIONS SET picture='".Database::escape_string($picture)."' WHERE id='".Database::escape_string($questionId)."'";
api_sql_query($sql,__FILE__,__LINE__);
return @copy($picturePath.'/'.$this->picture,$picturePath.'/'.$picture)?true:false;
@ -559,19 +559,33 @@ abstract class Question
// question already exists
if($id)
{
$sql="UPDATE $TBL_QUESTIONS SET question='$question',description='$description',ponderation='$weighting',position='$position',type='$type',picture='$picture' WHERE id='$id'";
$sql="UPDATE $TBL_QUESTIONS SET
question ='".Database::escape_string($question)."',
description ='".Database::escape_string($description)."',
ponderation ='".Database::escape_string($weighting)."',
position ='".Database::escape_string($position)."',
type ='".Database::escape_string($type)."',
picture ='".Database::escape_string($picture)."'
WHERE id='".Database::escape_string($id)."'";
api_sql_query($sql,__FILE__,__LINE__);
}
// creates a new question
else
{
$sql="SELECT max(position) FROM $TBL_QUESTIONS as question, $TBL_EXERCICE_QUESTION as test_question WHERE question.id=test_question.question_id AND test_question.exercice_id='$exerciseId'";
$sql="SELECT max(position) FROM $TBL_QUESTIONS as question, $TBL_EXERCICE_QUESTION as test_question WHERE question.id=test_question.question_id AND test_question.exercice_id='".Database::escape_string($exerciseId)."'";
$result=api_sql_query($sql);
$current_position=mysql_result($result,0,0);
$this -> updatePosition($current_position+1);
$position = $this -> position;
$sql="INSERT INTO $TBL_QUESTIONS(question,description,ponderation,position,type,picture) VALUES('$question','$description','$weighting','$position','$type','$picture')";
$sql="INSERT INTO $TBL_QUESTIONS(question,description,ponderation,position,type,picture) VALUES(
'".Database::escape_string($question)."',
'".Database::escape_string($description)."',
'".Database::escape_string($weighting)."',
'".Database::escape_string($position)."',
'".Database::escape_string($type)."',
'".Database::escape_string($picture)."'
)";
api_sql_query($sql,__FILE__,__LINE__);
$this->id=mysql_insert_id();
@ -580,7 +594,7 @@ abstract class Question
if ($type == HOT_SPOT || $type == HOT_SPOT_ORDER) {
$TBL_ANSWERS = Database::get_course_table(TABLE_QUIZ_ANSWER);
$sql="INSERT INTO $TBL_ANSWERS (`id` , `question_id` , `answer` , `correct` , `comment` , `ponderation` , `position` , `hotspot_coordinates` , `hotspot_type` ) VALUES ('1', '$this->id', '', NULL , '', NULL , '1', '0;0|0|0', 'square')";
$sql="INSERT INTO $TBL_ANSWERS (`id` , `question_id` , `answer` , `correct` , `comment` , `ponderation` , `position` , `hotspot_coordinates` , `hotspot_type` ) VALUES ('1', '".Database::escape_string($this->id)."', '', NULL , '', NULL , '1', '0;0|0|0', 'square')";
api_sql_query($sql,__FILE__,__LINE__);
}
}
@ -617,7 +631,7 @@ abstract class Question
{
$this->exerciseList[]=$exerciseId;
$sql="INSERT INTO $TBL_EXERCICE_QUESTION(question_id,exercice_id) VALUES('$id','$exerciseId')";
$sql="INSERT INTO $TBL_EXERCICE_QUESTION(question_id,exercice_id) VALUES('".Database::escape_string($id)."','".Database::escape_string($exerciseId)."')";
api_sql_query($sql,__FILE__,__LINE__);
}
@ -649,7 +663,7 @@ abstract class Question
// deletes the position in the array containing the wanted exercise ID
unset($this->exerciseList[$pos]);
$sql="DELETE FROM $TBL_EXERCICE_QUESTION WHERE question_id='$id' AND exercice_id='$exerciseId'";
$sql="DELETE FROM $TBL_EXERCICE_QUESTION WHERE question_id='".Database::escape_string($id)."' AND exercice_id='".Database::escape_string($exerciseId)."'";
api_sql_query($sql,__FILE__,__LINE__);
return true;
@ -673,13 +687,13 @@ abstract class Question
// if the question must be removed from all exercises
if(!$deleteFromEx)
{
$sql="DELETE FROM $TBL_EXERCICE_QUESTION WHERE question_id='$id'";
$sql="DELETE FROM $TBL_EXERCICE_QUESTION WHERE question_id='".Database::escape_string($id)."'";
api_sql_query($sql,__FILE__,__LINE__);
$sql="DELETE FROM $TBL_QUESTIONS WHERE id='$id'";
$sql="DELETE FROM $TBL_QUESTIONS WHERE id='".Database::escape_string($id)."'";
api_sql_query($sql,__FILE__,__LINE__);
$sql="DELETE FROM $TBL_REPONSES WHERE question_id='$id'";
$sql="DELETE FROM $TBL_REPONSES WHERE question_id='".Database::escape_string($id)."'";
api_sql_query($sql,__FILE__,__LINE__);
$this->removePicture();
@ -710,7 +724,7 @@ abstract class Question
$position=$this->position;
$type=$this->type;
$sql="INSERT INTO $TBL_QUESTIONS(question,description,ponderation,position,type) VALUES('$question','$description','$weighting','$position','$type')";
$sql="INSERT INTO $TBL_QUESTIONS(question,description,ponderation,position,type) VALUES('".Database::escape_string($question)."','".Database::escape_string($description)."','".Database::escape_string($weighting)."','".Database::escape_string($position)."','".Database::escape_string($type)."')";
api_sql_query($sql,__FILE__,__LINE__);
$id=mysql_insert_id();
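Review bot: In the `@ -559,19` hunk the new-question branch reads `max(position)` in one statement and inserts `$current_position+1` in another, so two editors saving into the same exercise at the same time can receive the same position; the escaping change leaves that window as it was. Serialising the save or adding a unique index on the exercise/position pair would close it, but that is a separate change; at minimum the method's docblock could state that positions are assigned non-atomically. In the `@ -472,7` hunk the kept `@copy(...)?true:false` returns the same bool `copy()` already yields, so the ternary is redundant and the `@` hides the reason a copy failed. The `save()` method starts and ends outside the hunk.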

@ -18,7 +18,7 @@
* One question can be in several exercises
* @package dokeos.exercise
* @author Olivier Brouckaert
* @version $Id: question_pool.php 15385 2008-05-24 02:59:51Z yannoo $
* @version $Id: question_pool.php 15602 2008-06-18 08:52:24Z pcool $
*/
// name of the language file that needs to be included
@ -144,7 +144,7 @@ if($is_allowedToEdit)
<option value="-1" <?php if($exerciseId == -1) echo 'selected="selected"'; ?>>-- <?php echo get_lang('OrphanQuestions'); ?> --</option>
<?php
$sql="SELECT id,title FROM $TBL_EXERCICES WHERE id<>'$fromExercise' AND active<>'-1' ORDER BY id";
$sql="SELECT id,title FROM $TBL_EXERCICES WHERE id<>'".Database::escape_string($fromExercise)."' AND active<>'-1' ORDER BY id";
$result=api_sql_query($sql,__FILE__,__LINE__);
// shows a list-box allowing to filter questions
@ -168,7 +168,7 @@ if($is_allowedToEdit)
// if we have selected an exercise in the list-box 'Filter'
if($exerciseId > 0)
{
$sql="SELECT id,question,type FROM $TBL_EXERCICE_QUESTION,$TBL_QUESTIONS WHERE question_id=id AND exercice_id='$exerciseId' ORDER BY position";
$sql="SELECT id,question,type FROM $TBL_EXERCICE_QUESTION,$TBL_QUESTIONS WHERE question_id=id AND exercice_id='".Database::escape_string($exerciseId)."' ORDER BY position";
}
// if we have selected the option 'Orphan questions' in the list-box 'Filter'
elseif($exerciseId == -1)

@ -22,7 +22,7 @@
* Saving the scores.
* @package dokeos.exercise
* @author
* @version $Id: savescores.php 15312 2008-05-19 01:15:03Z yannoo $
* @version $Id: savescores.php 15602 2008-06-18 08:52:24Z pcool $
*/
// name of the language file that needs to be included
@ -55,8 +55,8 @@ $tbl_learnpath_user = Database::get_course_table(TABLE_LEARNPATH_USER);
$TABLE_LP_ITEM_VIEW = Database::get_course_table(TABLE_LP_ITEM_VIEW);
$_cid = api_get_course_id();
$test = mysql_real_escape_string($_REQUEST['test']);
$score = mysql_real_escape_string($_REQUEST['score']);
$test = $_REQUEST['test'];
$score = $_REQUEST['score'];
$origin = $_REQUEST['origin'];
$jscript2run = '';
@ -95,7 +95,13 @@ function save_scores($file, $score)
$sql = "INSERT INTO $TABLETRACK_HOTPOTATOES ".
"(exe_name, exe_user_id, exe_date,exe_cours_id,exe_result,exe_weighting)" .
"VALUES" .
"('$file',$user_id,'$date','$_cid','$score','$weighting')";
"(
'".Database::escape_string($file)."',
'".Database::escape_string($user_id)."',
'".Database::escape_string($date)."',
'".Database::escape_string($_cid)."',
'".Database::escape_string($score)."',
'".Database::escape_string($weighting)."')";
$res = api_sql_query($sql,__FILE__,__LINE__);
if ($origin == 'learnpath')
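Review bot: `save_scores()` now escapes `$score` before the INSERT, but `$score` still originates from `$_REQUEST['score']` in the `@ -55,8` hunk with no check that it is numeric or within `$weighting`, so the stored result is whatever the client sends; escaping prevents SQL injection, not score tampering. A bound before the INSERT, `if (!is_numeric($score) || $score < 0 || $score > $weighting) { /* reject */ }`, would at least refuse impossible values, with the caveat that HotPotatoes computes the score client-side so the request value is the only source here. `$origin` is read unescaped in the same hunk, which is fine as long as it is only compared, as at `if ($origin == 'learnpath')`. The rest of `save_scores()` is outside the hunk.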
