From ee3863ed4a36f12043f21ae3b567d3db2b29a07b Mon Sep 17 00:00:00 2001
From: Patrick Cool
Date: Wed, 18 Jun 2008 10:52:24 +0200
Subject: [PATCH] [svn r15602] tighten security
---
 main/exercice/addlimits.php | 8 +--
 main/exercice/admin.php | 4 +-
 main/exercice/answer.class.php | 58 +++++++++--------
 main/exercice/answer_admin.inc.php | 4 +-
 main/exercice/exercice.php | 44 +++++++------
 main/exercice/exercise.class.php | 31 +++++++--
 main/exercice/exercise.lib.php | 4 +-
 main/exercice/exercise_result.class.php | 6 +-
 main/exercice/exercise_result.php | 16 ++--
 main/exercice/exercise_show.php | 78 +++++++++++++++++------
 main/exercice/hotspot_actionscript.as.php | 2 +-
 main/exercice/hotspot_answers.as.php | 2 +-
 main/exercice/hotspot_save.inc.php | 2 +-
 main/exercice/hotspot_savescore.inc.php | 9 ++-
 main/exercice/hotspot_updatescore.inc.php | 2 +-
 main/exercice/mark_free_answer.php | 28 ++++----
 main/exercice/question.class.php | 42 ++++++++----
 main/exercice/question_pool.php | 6 +-
 main/exercice/savescores.php | 14 ++--
 19 files changed, 224 insertions(+), 136 deletions(-)
diff --git a/main/exercice/addlimits.php b/main/exercice/addlimits.php
index 6ed41fc679..d1ffbbb9e5 100644
--- a/main/exercice/addlimits.php
+++ b/main/exercice/addlimits.php
@@ -97,11 +97,11 @@ if ( empty ( $origin ) )
 }
 if ( empty ( $learnpath_id ) )
 {
- $learnpath_id = mysql_real_escape_string($_REQUEST['learnpath_id']);
+ $learnpath_id = $_REQUEST['learnpath_id'];
 }
 if ( empty ( $learnpath_item_id ) )
 {
- $learnpath_item_id = mysql_real_escape_string($_REQUEST['learnpath_item_id']);
+ $learnpath_item_id = $_REQUEST['learnpath_item_id'];
 }
 if ( empty ( $formSent ) )
 {
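Review bot: Dropping mysql_real_escape_string() on the two added lines leaves $learnpath_id and $learnpath_item_id as raw request strings, and nothing in this hunk constrains them before their later uses, which are outside the hunk. Both appear to be numeric ids, so a cast at intake is cheaper than relying on every consumer to escape: `$learnpath_id = (int) $_REQUEST['learnpath_id'];` and `$learnpath_item_id = (int) $_REQUEST['learnpath_item_id'];`. The same pattern applies to $questionNum and $nbrQuestions in the next addlimits.php hunk, to $exerciseId in admin.php, and to the matching intake hunks in exercise_result.php and exercise_show.php.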
@@ -120,11 +120,11 @@ if ( empty ( $choice ) ) { } if ( empty ( $questionNum ) ) { - $questionNum = mysql_real_escape_string($_REQUEST['questionNum']); + $questionNum = $_REQUEST['questionNum']; } if ( empty ( $nbrQuestions ) ) { - $nbrQuestions = mysql_real_escape_string($_REQUEST['nbrQuestions']); + $nbrQuestions = $_REQUEST['nbrQuestions']; } if ( empty ( $questionList ) ) { diff --git a/main/exercice/admin.php b/main/exercice/admin.php index 71413377fc..e54abafc2f 100644 --- a/main/exercice/admin.php +++ b/main/exercice/admin.php @@ -60,7 +60,7 @@ * * @package dokeos.exercise * @author Olivier Brouckaert -* @version $Id: admin.php 15333 2008-05-20 17:07:26Z elixir_inter $ +* @version $Id: admin.php 15602 2008-06-18 08:52:24Z pcool $ */ @@ -115,7 +115,7 @@ if($_SERVER['REQUEST_METHOD'] == 'POST') // get vars from GET if ( empty ( $exerciseId ) ) { - $exerciseId = mysql_real_escape_string($_GET['exerciseId']); + $exerciseId = $_GET['exerciseId']; } if ( empty ( $newQuestion ) ) { diff --git a/main/exercice/answer.class.php b/main/exercice/answer.class.php index 0fff8d9b19..5d7950ca71 100644 --- a/main/exercice/answer.class.php +++ b/main/exercice/answer.class.php @@ -23,7 +23,7 @@ * 5 arrays are created to receive the attributes of each answer belonging to a specified question * @package dokeos.exercise * @author Olivier Brouckaert -* @version $Id: answer.class.php 13732 2007-11-21 15:19:33Z yannoo $ +* @version $Id: answer.class.php 15602 2008-06-18 08:52:24Z pcool $ */ @@ -112,7 +112,7 @@ class Answer $questionId=$this->questionId; //$answerType=$this->selectType(); - $sql="SELECT answer,correct,comment,ponderation,position, hotspot_coordinates, hotspot_type FROM $TBL_ANSWER WHERE question_id='$questionId' ORDER BY position"; + $sql="SELECT answer,correct,comment,ponderation,position, hotspot_coordinates, hotspot_type FROM $TBL_ANSWER WHERE question_id='".Database::escape_string($questionId)."' ORDER BY position"; $result=api_sql_query($sql,__FILE__,__LINE__); 
@@ -143,11 +143,13 @@ $this->hotspot_coordinates[$i]=$object->hotspot_coordinates; function readOrderedBy($field,$order=ASC) { global $_course; - $field = mysql_real_escape_string($field); - if(empty($field)){ + $field = Database::escape_string($field); + if(empty($field)) + { $field = 'position'; } - if($order != 'ASC' and $order!='DESC'){ + if($order != 'ASC' and $order!='DESC') + { $order = 'ASC'; } $TBL_ANSWER = Database::get_course_table('quiz_answer'); @@ -157,7 +159,7 @@ $this->hotspot_coordinates[$i]=$object->hotspot_coordinates; $sql="SELECT answer,correct,comment,ponderation,position, hotspot_coordinates, hotspot_type " . "FROM $TBL_ANSWER " . - "WHERE question_id='$questionId' " . + "WHERE question_id='".Database::escape_string($questionId)."' " . "ORDER BY $field $order"; $result=api_sql_query($sql,__FILE__,__LINE__); @@ -260,7 +262,7 @@ $this->hotspot_coordinates[$i]=$object->hotspot_coordinates; function getQuestionType() { $TBL_QUESTIONS = Database::get_course_table(TABLE_QUIZ_QUESTION); - $sql = "SELECT * FROM $TBL_QUESTIONS WHERE id = '".$this->questionId."'"; + $sql = "SELECT * FROM $TBL_QUESTIONS WHERE id = '".Database::escape_string($this->questionId)."'"; $res = api_sql_query($sql,__FILE__,__LINE__); if(Database::num_rows($res)<=0){ return null; 
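Review bot: Database::escape_string($field) on the first added line does not constrain $field, because it is interpolated unquoted as an identifier in `ORDER BY $field $order`; string escaping only neutralises quotes inside a quoted literal, so a non-identifier value still reaches the query unchanged. The safer guard is the whitelist the method already applies to $order: `if (!in_array($field, array('answer','correct','comment','ponderation','position','hotspot_coordinates','hotspot_type'), true)) { $field = 'position'; }`. readOrderedBy() continues past this hunk into the next one.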
@@ -385,12 +387,12 @@ $this->hotspot_coordinates[$i]=$object->hotspot_coordinates; $questionId=$this->questionId; $sql = "UPDATE $TBL_REPONSES SET " . - "`answer` = '$answer', " . - "`comment` = '$comment', " . - "`ponderation` = '$weighting', " . - "`position` = '$position' " . - "WHERE `id` =$position " . - "AND `question_id` =$questionId"; + "answer = '".Database::escape_string($answer)."', " . + "comment = '".Database::escape_string($comment)."', " . + "ponderation = '".Database::escape_string($weighting)."', " . + "position = '".Database::escape_string($position)."' " . + "WHERE id = '".Database::escape_string($position)."' " . + "AND question_i` = '".Database::escape_string($questionId)."'"; api_sql_query($sql,__FILE__,__LINE__); } @@ -407,7 +409,7 @@ $this->hotspot_coordinates[$i]=$object->hotspot_coordinates; $questionId=$this->questionId; // removes old answers before inserting of new ones - $sql="DELETE FROM $TBL_REPONSES WHERE question_id='$questionId'"; + $sql="DELETE FROM $TBL_REPONSES WHERE question_id='".Database::escape_string($questionId)."'"; api_sql_query($sql,__FILE__,__LINE__); // inserts new answers into data base 
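Review bot: The last added line of the UPDATE carries a stray backtick in the column name, `"AND question_i` = '"`, so the statement no longer references question_id and the query will fail with a syntax error. It should read `"AND question_id = '".Database::escape_string($questionId)."'";` to match the other rewritten predicates. The method's signature and the assignments of $answer, $comment and $weighting lie above the hunk.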
@@ -417,13 +419,13 @@ $this->hotspot_coordinates[$i]=$object->hotspot_coordinates; for($i=1;$i <= $this->new_nbrAnswers;$i++) { - $answer=addslashes($this->new_answer[$i]); - $correct=$this->new_correct[$i]; - $comment=addslashes($this->new_comment[$i]); - $weighting=$this->new_weighting[$i]; - $position=$this->new_position[$i]; - $hotspot_coordinates=$this->new_hotspot_coordinates[$i]; - $hotspot_type=$this->new_hotspot_type[$i]; + $answer = Database::escape_string($this->new_answer[$i]); + $correct = Database::escape_string($this->new_correct[$i]); + $comment = Database::escape_string($this->new_comment[$i]); + $weighting = Database::escape_string($this->new_weighting[$i]); + $position = Database::escape_string($this->new_position[$i]); + $hotspot_coordinates = Database::escape_string($this->new_hotspot_coordinates[$i]); + $hotspot_type = Database::escape_string($this->new_hotspot_type[$i]); $sql.="('$i','$questionId','$answer','$correct','$comment', '$weighting','$position','$hotspot_coordinates','$hotspot_type'),"; 
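Review bot: In the VALUES tuple `$sql.="('$i','$questionId','$answer',...` the $questionId value is still interpolated raw while every other column on the added lines now goes through Database::escape_string(); the same gap exists for $newQuestionId in the next hunk (duplicate). The assignment `$questionId=$this->questionId;` shown in the preceding hunk is the natural place to close it for both the DELETE and the INSERT: `$questionId = Database::escape_string($this->questionId);`. The for loop's body continues past the end of this hunk.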
@@ -468,13 +470,13 @@ $this->hotspot_coordinates[$i]=$object->hotspot_coordinates; for($i=1;$i <= $this->nbrAnswers;$i++) { - $answer=addslashes($this->answer[$i]); - $correct=$this->correct[$i]; - $comment=addslashes($this->comment[$i]); - $weighting=$this->weighting[$i]; - $position=$this->position[$i]; - $hotspot_coordinates=$this->hotspot_coordinates[$i]; - $hotspot_type=$this->hotspot_type[$i]; + $answer = Database::escape_string($this->answer[$i]); + $correct = Database::escape_string($this->correct[$i]); + $comment = Database::escape_string($this->comment[$i]); + $weighting = Database::escape_string($this->weighting[$i]); + $position = Database::escape_string($this->position[$i]); + $hotspot_coordinates = Database::escape_string($this->hotspot_coordinates[$i]); + $hotspot_type = Database::escape_string($this->hotspot_type[$i]); $sql.="('$i','$newQuestionId','$answer','$correct','$comment'," . "'$weighting','$position','$hotspot_coordinates','$hotspot_type'),"; diff --git a/main/exercice/answer_admin.inc.php b/main/exercice/answer_admin.inc.php index f345d04fe5..427b187e50 100644 --- a/main/exercice/answer_admin.inc.php +++ b/main/exercice/answer_admin.inc.php @@ -22,7 +22,7 @@ * This script allows to manage answers. It is included from the script admin.php * @package dokeos.exercise * @author Olivier Brouckaert -* @version $Id: answer_admin.inc.php 13301 2007-09-27 03:47:39Z yannoo $ +* @version $Id: answer_admin.inc.php 15602 2008-06-18 08:52:24Z pcool $ */ @@ -1155,7 +1155,7 @@ if($modifyAnswers) ?>

      diff --git a/main/exercice/exercice.php b/main/exercice/exercice.php index 38e5cc9015..94e69cb319 100644 --- a/main/exercice/exercice.php +++ b/main/exercice/exercice.php @@ -157,11 +157,13 @@ if ($show=='result' && $_REQUEST['comments']=='update' && ($is_allowedToEdit || $keyexp = explode('_',$key); if ($keyexp[0] == "marks") { - $sql = "select question from $TBL_QUESTIONS where id = '$keyexp[1]'"; + $sql = "SELECT question from $TBL_QUESTIONS where id = '".Database::escape_string($keyexp[1])."'"; $result =api_sql_query($sql, __FILE__, __LINE__); $ques_name = mysql_result($result,0,"question"); - $query = "update $TBL_TRACK_ATTEMPT set marks = '$v' where question_id = $keyexp[1] and exe_id=$id"; + $query = "UPDATE $TBL_TRACK_ATTEMPT SET marks = '".Database::escape_string($v)."' + WHERE question_id = '".Database::escape_string($keyexp[1])."' + AND exe_id='".Database::escape_string($id)."'"; api_sql_query($query, __FILE__, __LINE__); $qry = 'SELECT sum(marks) as tot @@ -171,13 +173,15 @@ if ($show=='result' && $_REQUEST['comments']=='update' && ($is_allowedToEdit || $res = api_sql_query($qry,__FILE__,__LINE__); $tot = mysql_result($res,0,'tot'); - $totquery = "update $TBL_TRACK_EXERCICES set exe_result = $tot where exe_Id=$id"; + $totquery = "update $TBL_TRACK_EXERCICES set exe_result = '".Database::escape_string($tot)."' where exe_Id='".Database::escape_string($id)."'"; api_sql_query($totquery, __FILE__, __LINE__); } else { - $query = "update $TBL_TRACK_ATTEMPT set teacher_comment = '$v' where question_id = $keyexp[1] and exe_id = $id "; + $query = "UPDATE $TBL_TRACK_ATTEMPT SET teacher_comment = '".Database::escape_string($v)."' + WHERE question_id = '".Database::escape_string($keyexp[1])."' + AND exe_id = '".Database::escape_string($id)."'"; api_sql_query($query, __FILE__, __LINE__); } 
@@ -194,7 +198,7 @@ if ($show=='result' && $_REQUEST['comments']=='update' && ($is_allowedToEdit || $tot += $row ['marks']; } - $totquery = "update $TBL_TRACK_EXERCICES set exe_result = $tot where exe_Id=$id"; + $totquery = "UPDATE $TBL_TRACK_EXERCICES SET exe_result = '".Database::escape_string($tot)."' WHERE exe_Id='".Database::escape_string($id)."'"; api_sql_query($totquery, __FILE__, __LINE__); $subject = get_lang('ExamSheetVCC'); @@ -459,7 +463,7 @@ if($is_allowedToEdit) break; case 'enable': // enables an exercise $newVisibilityStatus = "1"; //"visible" - $query = "SELECT id FROM $TBL_DOCUMENT WHERE path='$file'"; + $query = "SELECT id FROM $TBL_DOCUMENT WHERE path='".Database::escape_string($file)."'"; $res = api_sql_query($query,__FILE__,__LINE__); $row = Database::fetch_array($res, 'ASSOC'); api_item_property_update($_course, TOOL_DOCUMENT, $row['id'], 'visible', $_user['user_id']); @@ -468,7 +472,7 @@ if($is_allowedToEdit) break; case 'disable': // disables an exercise $newVisibilityStatus = "0"; //"invisible" - $query = "SELECT id FROM $TBL_DOCUMENT WHERE path='$file'"; + $query = "SELECT id FROM $TBL_DOCUMENT WHERE path='".Database::escape_string($file)."'"; $res = api_sql_query($query,__FILE__,__LINE__); $row = Database::fetch_array($res, 'ASSOC'); api_item_property_update($_course, TOOL_DOCUMENT, $row['id'], 'invisible', $_user['user_id']); 
@@ -483,14 +487,14 @@ if($is_allowedToEdit) if($show == 'test') { - $sql="SELECT id,title,type,active,description, results_disabled FROM $TBL_EXERCICES WHERE active<>'-1' ORDER BY title LIMIT $from,".($limitExPage+1); + $sql="SELECT id,title,type,active,description, results_disabled FROM $TBL_EXERCICES WHERE active<>'-1' ORDER BY title LIMIT ".(int)$from.",".(int)($limitExPage+1); $result=api_sql_query($sql,__FILE__,__LINE__); } } // only for students elseif($show == 'test') { - $sql="SELECT id,title,type,description, results_disabled FROM $TBL_EXERCICES WHERE active='1' ORDER BY title LIMIT $from,".($limitExPage+1); + $sql="SELECT id,title,type,description, results_disabled FROM $TBL_EXERCICES WHERE active='1' ORDER BY title LIMIT ".(int)$from.",".(int)($limitExPage+1); $result=api_sql_query($sql,__FILE__,__LINE__); } @@ -519,13 +523,13 @@ if($show == 'test'){ $res = api_sql_query ("SELECT * FROM $TBL_DOCUMENT WHERE - path LIKE '".$uploadPath."/%/%'",__FILE__,__LINE__); + path LIKE '".Database::escape_string($uploadPath)."/%/%'",__FILE__,__LINE__); $nbrTests = Database::num_rows($res); $res = api_sql_query ("SELECT * FROM $TBL_DOCUMENT d, $TBL_ITEM_PROPERTY ip WHERE d.id = ip.ref AND ip.tool = '".TOOL_DOCUMENT."' - AND d.path LIKE '".$uploadPath."/%/%' + AND d.path LIKE '".Database::escape_string($uploadPath)."/%/%' AND ip.visibility='1'", __FILE__,__LINE__); $nbrActiveTests = Database::num_rows($res); @@ -633,7 +637,7 @@ if($show == 'test'){ 1?'Questions':'Question'))).''; @@ -683,7 +687,7 @@ if($show == 'test'){ 1?get_lang('Questions'):get_lang('Question')); ?> 
@@ -692,7 +696,7 @@ if($show == 'test'){ $eid = $row['id']; $uid= api_get_user_id(); //this query might be improved later on by ordering by the new "tms" field rather than by exe_id - $qry = "select * from $TBL_TRACK_EXERCICES where exe_exo_id = $eid and exe_user_id = $uid and exe_cours_id = '".api_get_course_id()."' ORDER BY exe_id DESC"; + $qry = "select * from $TBL_TRACK_EXERCICES where exe_exo_id = '".Database::escape_string($eid)."' and exe_user_id = '".Database::escape_string($uid)."' and exe_cours_id = '".api_get_course_id()."' ORDER BY exe_id DESC"; $qryres = api_sql_query($qry); $num = Database::num_rows($qryres); if($num>0) @@ -753,7 +757,7 @@ if($show == 'test'){ FROM $TBL_DOCUMENT d, $TBL_ITEM_PROPERTY ip WHERE d.id = ip.ref AND ip.tool = '".TOOL_DOCUMENT."' AND (d.path LIKE '%htm%') - AND d.path LIKE '".$uploadPath."/%/%' LIMIT $from,$to"; // only .htm or .html files listed + AND d.path LIKE '".Database::escape_string($uploadPath)."/%/%' LIMIT ".(int)$from.",".(int)$to; // only .htm or .html files listed } else { @@ -761,7 +765,7 @@ if($show == 'test'){ FROM $TBL_DOCUMENT d, $TBL_ITEM_PROPERTY ip WHERE d.id = ip.ref AND ip.tool = '".TOOL_DOCUMENT."' AND (d.path LIKE '%htm%') - AND d.path LIKE '".$uploadPath."/%/%' AND ip.visibility='1' LIMIT $from,$to"; + AND d.path LIKE '".Database::escape_string($uploadPath)."/%/%' AND ip.visibility='1' LIMIT ".(int)$from.",".(int)$to; } $result = api_sql_query ($sql,__FILE__,__LINE__); 
@@ -938,13 +942,13 @@ if($_configuration['tracking_enabled']) $sql="SELECT CONCAT(lastname,' ',firstname),ce.title, te.exe_result , te.exe_weighting, UNIX_TIMESTAMP(te.exe_date),te.exe_id,email FROM $TBL_EXERCICES AS ce , $TBL_TRACK_EXERCICES AS te, $TBL_USER AS user - WHERE te.exe_exo_id = ce.id AND user_id=te.exe_user_id AND te.exe_cours_id='$_cid' + WHERE te.exe_exo_id = ce.id AND user_id=te.exe_user_id AND te.exe_cours_id='".Database::escape_string($_cid)."' ORDER BY te.exe_cours_id ASC, ce.title ASC, te.exe_date ASC"; $hpsql="SELECT CONCAT(tu.lastname,' ',tu.firstname), tth.exe_name, tth.exe_result , tth.exe_weighting, UNIX_TIMESTAMP(tth.exe_date) FROM $TBL_TRACK_HOTPOTATOES tth, $TBL_USER tu - WHERE tu.user_id=tth.exe_user_id AND tth.exe_cours_id = '".$_cid."' + WHERE tu.user_id=tth.exe_user_id AND tth.exe_cours_id = ".Database::escape_string($_cid)."' ORDER BY tth.exe_cours_id ASC, tth.exe_date ASC"; } @@ -952,12 +956,12 @@ if($_configuration['tracking_enabled']) { // get only this user's results $sql="SELECT '',ce.title, te.exe_result , te.exe_weighting, UNIX_TIMESTAMP(te.exe_date),te.exe_id FROM $TBL_EXERCICES AS ce , $TBL_TRACK_EXERCICES AS te - WHERE te.exe_exo_id = ce.id AND te.exe_user_id='".$_user['user_id']."' AND te.exe_cours_id='$_cid' AND results_disabled=0 + WHERE te.exe_exo_id = ce.id AND te.exe_user_id='".$_user['user_id']."' AND te.exe_cours_id=".Database::escape_string($_cid)."' AND results_disabled=0 ORDER BY te.exe_cours_id ASC, ce.title ASC, te.exe_date ASC"; $hpsql="SELECT '',exe_name, exe_result , exe_weighting, UNIX_TIMESTAMP(exe_date) FROM $TBL_TRACK_HOTPOTATOES - WHERE exe_user_id = '".$_user['user_id']."' AND exe_cours_id = '".$_cid."' + WHERE exe_user_id = '".$_user['user_id']."' AND exe_cours_id = ".Database::escape_string($_cid)."' ORDER BY exe_cours_id ASC, exe_date ASC"; } diff --git a/main/exercice/exercise.class.php b/main/exercice/exercise.class.php index 6334257a6f..2f5548ee37 100644 --- a/main/exercice/exercise.class.php 
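Review bot: Three of the rewritten WHERE clauses lose the opening quote: `tth.exe_cours_id = ".Database::escape_string($_cid)."'` in this hunk, and `te.exe_cours_id=".Database::escape_string($_cid)."'` plus `exe_cours_id = ".Database::escape_string($_cid)."'` in the next one. The resulting SQL is `exe_cours_id = VALUE'`, a syntax error for any course code, and escape_string() applied outside quotes gives no protection because there is no literal for the escaped quote to stay inside. Each should read `exe_cours_id = '".Database::escape_string($_cid)."'`, the form already used for te.exe_cours_id in the first query of this hunk.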
+++ b/main/exercice/exercise.class.php @@ -22,7 +22,7 @@ * Exercise class: This class allows to instantiate an object of type Exercise * @package dokeos.exercise * @author Olivier Brouckaert -* @version $Id: exercise.class.php 14786 2008-04-08 14:11:46Z elixir_inter $ +* @version $Id: exercise.class.php 15602 2008-06-18 08:52:24Z pcool $ */ @@ -75,7 +75,7 @@ class Exercise $TBL_QUESTIONS = Database::get_course_table(TABLE_QUIZ_QUESTION); #$TBL_REPONSES = Database::get_course_table(TABLE_QUIZ_ANSWER); - $sql="SELECT title,description,sound,type,random,active, results_disabled FROM $TBL_EXERCICES WHERE id='$id'"; + $sql="SELECT title,description,sound,type,random,active, results_disabled FROM $TBL_EXERCICES WHERE id='".Database::escape_string($id)."'"; $result=api_sql_query($sql,__FILE__,__LINE__); // if the exercise has been found @@ -90,7 +90,7 @@ class Exercise $this->active=$object->active; $this->results_disabled =$object->results_disabled; - $sql="SELECT question_id,position FROM $TBL_EXERCICE_QUESTION,$TBL_QUESTIONS WHERE question_id=id AND exercice_id='$id' ORDER BY position"; + $sql="SELECT question_id,position FROM $TBL_EXERCICE_QUESTION,$TBL_QUESTIONS WHERE question_id=id AND exercice_id='".Database::escape_string($id)."' ORDER BY position"; $result=api_sql_query($sql,__FILE__,__LINE__); // fills the array with the question ID for this exercise 
@@ -445,13 +445,30 @@ class Exercise // exercise already exists if($id) { - $sql="UPDATE $TBL_EXERCICES SET title='$exercise',description='$description',sound='$sound',type='$type',random='$random',active='$active',results_disabled='$results_disabled' WHERE id='$id'"; + $sql="UPDATE $TBL_EXERCICES SET + title='".Database::escape_string($exercise)."', + description='".Database::escape_string($description)."', + sound='".Database::escape_string($sound)."', + type='".Database::escape_string($type)."', + random='".Database::escape_string($random)."', + active='".Database::escape_string($active)."', + results_disabled='".Database::escape_string($results_disabled)."' + WHERE id='".Database::escape_string($id)."'"; api_sql_query($sql,__FILE__,__LINE__); } // creates a new exercise else { - $sql="INSERT INTO $TBL_EXERCICES(title,description,sound,type,random,active, results_disabled) VALUES('$exercise','$description','$sound','$type','$random','$active',$results_disabled)"; + $sql="INSERT INTO $TBL_EXERCICES(title,description,sound,type,random,active, results_disabled) + VALUES( + '".Database::escape_string($exercise)."', + '".Database::escape_string($description)."', + '".Database::escape_string($sound)."', + '".Database::escape_string($type)."', + '".Database::escape_string($random)."', + '".Database::escape_string($active)."', + '".Database::escape_string($results_disabled)."' + )"; api_sql_query($sql,__FILE__,__LINE__); $this->id=mysql_insert_id(); @@ -460,7 +477,7 @@ class Exercise // updates the question position foreach($this->questionList as $position=>$questionId) { - $sql="UPDATE $TBL_QUESTIONS SET position='$position' WHERE id='$questionId'"; + $sql="UPDATE $TBL_QUESTIONS SET position='".Database::escape_string($position)."' WHERE id='".Database::escape_string($questionId)."'"; api_sql_query($sql,__FILE__,__LINE__); } } 
@@ -615,7 +632,7 @@ class Exercise */ function delete(){ $TBL_EXERCICES = Database::get_course_table(TABLE_QUIZ_TEST); - $sql="UPDATE $TBL_EXERCICES SET active='-1' WHERE id='".$this->id."'"; + $sql="UPDATE $TBL_EXERCICES SET active='-1' WHERE id='".Database::escape_string($this->id)."'"; api_sql_query($sql); } diff --git a/main/exercice/exercise.lib.php b/main/exercice/exercise.lib.php index 3a6bc31f7b..f39a610f1a 100644 --- a/main/exercice/exercise.lib.php +++ b/main/exercice/exercise.lib.php @@ -23,7 +23,7 @@ * shows a question and its answers * @package dokeos.exercise * @author Olivier Brouckaert -* @version $Id: exercise.lib.php 15412 2008-05-26 13:56:24Z elixir_inter $ +* @version $Id: exercise.lib.php 15602 2008-06-18 08:52:24Z pcool $ */ @@ -99,7 +99,7 @@ function showQuestion($questionId, $onlyAnswers=false, $origin=false) $oFCKeditor->Value = '' ; $TBL_LANGUAGES = Database::get_main_table(TABLE_MAIN_LANGUAGE); - $sql="SELECT isocode FROM ".$TBL_LANGUAGES." WHERE english_name='".$_SESSION["_course"]["language"]."'"; + $sql="SELECT isocode FROM ".$TBL_LANGUAGES." WHERE english_name='".Database::escape_string($_SESSION["_course"]["language"])."'"; $result_sql=api_sql_query($sql); $isocode_language=mysql_result($result_sql,0,0); $oFCKeditor->Config['DefaultLanguage'] = $isocode_language; diff --git a/main/exercice/exercise_result.class.php b/main/exercice/exercise_result.class.php index d6871eca80..9f9724b646 100644 --- a/main/exercice/exercise_result.class.php +++ b/main/exercice/exercise_result.class.php 
@@ -89,7 +89,7 @@ class ExerciseResult $TBL_QUESTIONS = Database::get_course_table(TABLE_QUIZ_QUESTION); $sql="SELECT q.id, q.question, q.ponderation, q.position, q.type, q.picture " . " FROM $TBL_EXERCISE_QUESTION eq, $TBL_QUESTIONS q " . - " WHERE eq.question_id=q.id AND eq.exercice_id='$e_id' " . + " WHERE eq.question_id=q.id AND eq.exercice_id='".Database::escape_string($e_id)."' " . " ORDER BY q.position"; $result=api_sql_query($sql,__FILE__,__LINE__); @@ -142,12 +142,12 @@ class ExerciseResult $sql="SELECT '',ce.title, te.exe_result , te.exe_weighting, " . "UNIX_TIMESTAMP(te.exe_date),te.exe_id FROM $TBL_EXERCISES ce , $TBL_TRACK_EXERCISES te - WHERE te.exe_exo_id = ce.id AND te.exe_user_id='".$user_id."' AND te.exe_cours_id='$cid' + WHERE te.exe_exo_id = ce.id AND te.exe_user_id='".Database::escape_string($user_id)."' AND te.exe_cours_id='".Database::escape_string($cid)."' ORDER BY te.exe_cours_id ASC, ce.title ASC, te.exe_date ASC"; $hpsql="SELECT '',exe_name, exe_result , exe_weighting, UNIX_TIMESTAMP(exe_date) FROM $TBL_TRACK_HOTPOTATOES - WHERE exe_user_id = '".$user_id."' AND exe_cours_id = '".$cid."' + WHERE exe_user_id = '".Database::escape_string($user_id)."' AND exe_cours_id = '".Database::escape_string($cid)."' ORDER BY exe_cours_id ASC, exe_date ASC"; } diff --git a/main/exercice/exercise_result.php b/main/exercice/exercise_result.php index 567ecf01f6..bba31aa8d7 100644 --- a/main/exercice/exercise_result.php +++ b/main/exercice/exercise_result.php @@ -25,7 +25,7 @@ * @package dokeos.exercise * @author Olivier Brouckaert, main author * @author Roan Embrechts, some refactoring -* @version $Id: exercise_result.php 15438 2008-05-27 06:46:30Z elixir_inter $ +* @version $Id: exercise_result.php 15602 2008-06-18 08:52:24Z pcool $ * * @todo split more code up in functions, move functions to library? */ 
@@ -92,10 +92,10 @@ if ( empty ( $origin ) ) { $origin = $_REQUEST['origin']; } if ( empty ( $learnpath_id ) ) { - $learnpath_id = mysql_real_escape_string($_REQUEST['learnpath_id']); + $learnpath_id = $_REQUEST['learnpath_id']; } if ( empty ( $learnpath_item_id ) ) { - $learnpath_item_id = mysql_real_escape_string($_REQUEST['learnpath_item_id']); + $learnpath_item_id = $_REQUEST['learnpath_item_id']; } if ( empty ( $formSent ) ) { $formSent = $_REQUEST['formSent']; @@ -110,10 +110,10 @@ if ( empty ( $choice ) ) { $choice = $_REQUEST['choice']; } if ( empty ( $questionNum ) ) { - $questionNum = mysql_real_escape_string($_REQUEST['questionNum']); + $questionNum = $_REQUEST['questionNum']; } if ( empty ( $nbrQuestions ) ) { - $nbrQuestions = mysql_real_escape_string($_REQUEST['nbrQuestions']); + $nbrQuestions = $_REQUEST['nbrQuestions']; } if ( empty ( $questionList ) ) { $questionList = $_SESSION['questionList']; @@ -696,7 +696,7 @@ $exerciseTitle=api_parse_tex($exerciseTitle); $tbl_track_e_hotspot = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_HOTSPOT); // Save into db $sql = "INSERT INTO $tbl_track_e_hotspot (`hotspot_user_id` , `hotspot_course_code` , `hotspot_exe_id` , `hotspot_question_id` , `hotspot_answer_id` , `hotspot_correct` , `hotspot_coordinate` ) - VALUES ('".$_user['user_id']."', '".$_course['id']."', '$exeId', '$questionId', '$answerId', '$studentChoice', '".$_SESSION['exerciseResultCoordinates'][$questionId][$answerId]."')"; + VALUES ('".Database::escape_string($_user['user_id'])."', '".Database::escape_string($_course['id'])."', '".Database::escape_string($exeId)."', '".Database::escape_string($questionId)."', '".Database::escape_string($answerId)."', '".Database::escape_string($studentChoice)."', '".Database::escape_string($_SESSION['exerciseResultCoordinates'][$questionId][$answerId])."')"; $result = api_sql_query($sql,__FILE__,__LINE__); 
@@ -791,7 +791,7 @@ $exerciseTitle=api_parse_tex($exerciseTitle); $val = $arr1[1][0]; $val=addslashes($val); $val=strip_tags($val); - $sql = "select position from $table_ans where question_id=$questionId and answer='$val' AND correct=0"; + $sql = "select position from $table_ans where question_id='".Database::escape_string($questionId)."' and answer='".Database::escape_string($val)."' AND correct=0"; $res = api_sql_query($sql, __FILE__, __LINE__); $answer = mysql_result($res,0,"position"); @@ -806,7 +806,7 @@ $exerciseTitle=api_parse_tex($exerciseTitle); } elseif ($answerType==UNIQUE_ANSWER) { - $sql = "select id from $table_ans where question_id=$questionId and position=$choice"; + $sql = "select id from $table_ans where question_id='".Database::escape_string($questionId)."' and position='".Database::escape_string($choice)."'"; $res = api_sql_query($sql, __FILE__, __LINE__); $answer = mysql_result($res,0,"id"); exercise_attempt($questionScore,$answer,$quesId,$exeId,0); diff --git a/main/exercice/exercise_show.php b/main/exercice/exercise_show.php index 37033b0ef6..f71c3f4ae3 100644 --- a/main/exercice/exercise_show.php +++ b/main/exercice/exercise_show.php @@ -73,10 +73,10 @@ if ( empty ( $origin ) ) $origin = $_REQUEST['origin']; } if ( empty ( $learnpath_id ) ) { - $learnpath_id = mysql_real_escape_string($_REQUEST['learnpath_id']); + $learnpath_id = $_REQUEST['learnpath_id']; } if ( empty ( $learnpath_item_id ) ) { - $learnpath_item_id = mysql_real_escape_string($_REQUEST['learnpath_item_id']); + $learnpath_item_id = $_REQUEST['learnpath_item_id']; } if ( empty ( $formSent ) ) { $formSent= $_REQUEST['formSent']; 
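Review bot: On the added line the answer text is escaped twice: the context line `$val=addslashes($val);` already backslash-escapes quotes, and the new `Database::escape_string($val)` escapes those backslashes again, so a stored answer containing a quote or backslash no longer matches `answer='...'` and mysql_result() on the empty result then returns false with a warning. Drop the addslashes() call and keep the single escape at the query: remove `$val=addslashes($val);` and leave `answer='".Database::escape_string($val)."'` as written. The surrounding loop that fills $arr1 starts above the hunk.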
@@ -91,10 +91,10 @@ if ( empty ( $choice ) ) { $choice = $_REQUEST['choice']; } if ( empty ( $questionNum ) ) { - $questionNum = mysql_real_escape_string($_REQUEST['questionNum']); + $questionNum = $_REQUEST['questionNum']; } if ( empty ( $nbrQuestions ) ) { - $nbrQuestions = mysql_real_escape_string($_REQUEST['nbrQuestions']); + $nbrQuestions = $_REQUEST['nbrQuestions']; } if ( empty ( $questionList ) ) { $questionList = $_SESSION['questionList']; @@ -181,15 +181,33 @@ function getFCK(vals,marksid){ @@ -214,6 +232,13 @@ function display_unique_or_multiple_answer($answerType, $studentChoice, $answer, @@ -254,7 +285,14 @@ function display_free_answer($answer,$id,$questionId) selectComment($answerId); $answerCorrect=$objAnswerTmp->isCorrect($answerId); $answerWeighting=$objAnswerTmp->selectWeighting($answerId); - $queryans = "select * from ".$TBL_TRACK_ATTEMPT." where exe_id = $id and question_id= $questionId"; + $queryans = "select * from ".$TBL_TRACK_ATTEMPT." where exe_id = '".Database::escape_string($id)."' and question_id= '".Database::escape_string($questionId)."'"; $resultans = api_sql_query($queryans, __FILE__, __LINE__); while ($row = mysql_fetch_array($resultans)) { @@ -473,7 +511,7 @@ $result =api_sql_query($query, __FILE__, __LINE__); $answerComment=$objAnswerTmp->selectComment($answerId); $answerCorrect=$objAnswerTmp->isCorrect($answerId); $answerWeighting=$objAnswerTmp->selectWeighting($answerId); - $queryans = "select answer from ".$TBL_TRACK_ATTEMPT." where exe_id = $id and question_id= $questionId"; + $queryans = "select answer from ".$TBL_TRACK_ATTEMPT." where exe_id = '".Database::escape_string($id)."' and question_id= '".Database::escape_string($questionId)."'"; $resultans = api_sql_query($queryans, __FILE__, __LINE__); $choice = mysql_result($resultans,0,"answer"); $studentChoice=($choice == $answerId)?1:0; 
@@ -554,7 +592,7 @@ $result =api_sql_query($query, __FILE__, __LINE__); { break; } - $queryfill = "select answer from ".$TBL_TRACK_ATTEMPT." where exe_id = $id and question_id= $questionId"; + $queryfill = "select answer from ".$TBL_TRACK_ATTEMPT." where exe_id = '".Database::escape_string($id)."' and question_id= '".Database::escape_string($questionId)."'"; $resfill = api_sql_query($queryfill, __FILE__, __LINE__); $str=mysql_result($resfill,0,"answer"); preg_match_all ('#\[([^[/]*)/#', $str, $arr); @@ -600,7 +638,7 @@ $result =api_sql_query($query, __FILE__, __LINE__); $objAnswerTmp=new Answer($questionId); $nbrAnswers=$objAnswerTmp->selectNbrAnswers(); $questionScore=0; - $query = "select answer, marks from ".$TBL_TRACK_ATTEMPT." where exe_id = $id and question_id= $questionId"; + $query = "select answer, marks from ".$TBL_TRACK_ATTEMPT." where exe_id = '".Database::escape_string($id)."' and question_id= '".Database::escape_string($questionId)."'"; $resq=api_sql_query($query); $choice = mysql_result($resq,0,"answer"); $questionScore = mysql_result($resq,0,"marks"); @@ -625,7 +663,7 @@ $result =api_sql_query($query, __FILE__, __LINE__); $table_ans = Database :: get_course_table(TABLE_QUIZ_ANSWER); $TBL_TRACK_ATTEMPT = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_ATTEMPT); - $sql_select_answer = 'SELECT id, answer, correct, position FROM '.$table_ans.' WHERE question_id="'.$questionId.'" AND correct<>0'; + $sql_select_answer = 'SELECT id, answer, correct, position FROM '.$table_ans.' WHERE question_id="'.Database::escape_string($questionId).'" AND correct<>0'; $res_answers = api_sql_query($sql_select_answer, __FILE__, __LINE__); echo ''; 
@@ -652,9 +690,9 @@ $result =api_sql_query($query, __FILE__, __LINE__); ON answers.position = track_e_attempt.answer AND track_e_attempt.question_id=answers.question_id WHERE answers.correct = 0 - AND track_e_attempt.exe_id = "'.$id.'" - AND track_e_attempt.question_id = "'.$questionId.'" - AND track_e_attempt.position="'.$i_answer_position.'"'; + AND track_e_attempt.exe_id = "'.Database::escape_string($id).'" + AND track_e_attempt.question_id = "'.Database::escape_string($questionId).'" + AND track_e_attempt.position="'.Database::escape_string($i_answer_position).'"'; $res_user_answer = api_sql_query($sql_user_answer, __FILE__, __LINE__); @@ -709,14 +747,14 @@ $result =api_sql_query($query, __FILE__, __LINE__); $answerWeighting=$objAnswerTmp->selectWeighting($answerId); $TBL_TRACK_HOTSPOT = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_HOTSPOT); - $query = "select hotspot_correct from ".$TBL_TRACK_HOTSPOT." where hotspot_exe_id = $id and hotspot_question_id= $questionId AND hotspot_answer_id=$answerId"; + $query = "select hotspot_correct from ".$TBL_TRACK_HOTSPOT." where hotspot_exe_id = '".Database::escape_string($id)."' and hotspot_question_id= '".Database::escape_string($questionId)."' AND hotspot_answer_id='".Database::escape_string($answerId)."'"; $resq=api_sql_query($query); $choice = mysql_result($resq,0,"hotspot_correct"); display_hotspot_answer($answerId,$answer,$choice,$answerComment); $i++; } - $queryfree = "select marks from ".$TBL_TRACK_ATTEMPT." where exe_id = $id and question_id= $questionId"; + $queryfree = "select marks from ".$TBL_TRACK_ATTEMPT." where exe_id = '".Database::escape_string($id)."' and question_id= '".Database::escape_string($questionId)."'"; $resfree = api_sql_query($queryfree, __FILE__, __LINE__); $questionScore= mysql_result($resfree,0,"marks"); $totalScore+=$questionScore; diff --git a/main/exercice/hotspot_actionscript.as.php b/main/exercice/hotspot_actionscript.as.php index 0959dc069c..e393237bac 100644 
--- a/main/exercice/hotspot_actionscript.as.php
+++ b/main/exercice/hotspot_actionscript.as.php
@@ -47,7 +47,7 @@ $courseCode = $_course['sysCode']; $coursePath = $_course['path']; // Query db for answers
-$sql = "SELECT id, answer, hotspot_coordinates, hotspot_type, ponderation FROM $TBL_ANSWERS WHERE question_id = '$questionId' ORDER BY id";
+$sql = "SELECT id, answer, hotspot_coordinates, hotspot_type, ponderation FROM $TBL_ANSWERS WHERE question_id = '".Database::escape_string($questionId)."' ORDER BY id";
 $result = api_sql_query($sql,__FILE__,__LINE__); // Init
diff --git a/main/exercice/hotspot_answers.as.php b/main/exercice/hotspot_answers.as.php
index 004ae6f981..d4889a32f9 100644
--- a/main/exercice/hotspot_answers.as.php
+++ b/main/exercice/hotspot_answers.as.php
@@ -51,7 +51,7 @@ $courseCode = $_course['sysCode']; $coursePath = $_course['path']; // Query db for answers
-$sql = "SELECT id, answer, hotspot_coordinates, hotspot_type FROM $TBL_ANSWERS WHERE question_id = '$questionId' ORDER BY id";
+$sql = "SELECT id, answer, hotspot_coordinates, hotspot_type FROM $TBL_ANSWERS WHERE question_id = '".Database::escape_string($questionId)."' ORDER BY id";
 $result = api_sql_query($sql,__FILE__,__LINE__); // Init
diff --git a/main/exercice/hotspot_save.inc.php b/main/exercice/hotspot_save.inc.php
index a80663a669..a2148500c5 100644
--- a/main/exercice/hotspot_save.inc.php
+++ b/main/exercice/hotspot_save.inc.php
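Review bot: The escaping added to `$sql` protects only the query; the comment `// Query db for answers` and the `.as.php` file name suggest the fetched `answer` and `hotspot_coordinates` values are then written into an ActionScript response outside this hunk, and `Database::escape_string` does nothing for that context. Worth confirming that the emitting code escapes quotes and line breaks in those values for the script it builds. hotspot_answers.as.php (hunk at 51) carries the same query minus `ponderation`; a shared helper would give one place to apply the `question_id = ".(int) $questionId` cast that suits an integer key better than string escaping.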
@@ -61,7 +61,7 @@ if ($_GET['type'] == "poly") } $hotspot_coordinates = substr($hotspot_coordinates,0,-2); }
-$sql = "UPDATE `$TBL_ANSWER` SET `hotspot_coordinates` = '$hotspot_coordinates',`hotspot_type` = '$hotspot_type' WHERE `id` =$answerId AND `question_id` =$questionId LIMIT 1 ;";
+$sql = "UPDATE `$TBL_ANSWER` SET hotspot_coordinates = '".Database::escape_string($hotspot_coordinates)."',hotspot_type = '".Database::escape_string($hotspot_type)."' WHERE id = '".Database::escape_string($answerId)."' AND question_id ='".Database::escape_string($questionId)."' LIMIT 1 ;";
 $result = api_sql_query($sql,__FILE__,__LINE__); echo "done=done"; ?>
\ No newline at end of file
diff --git a/main/exercice/hotspot_savescore.inc.php b/main/exercice/hotspot_savescore.inc.php
index 5b905b1931..0917c6e92c 100644
--- a/main/exercice/hotspot_savescore.inc.php
+++ b/main/exercice/hotspot_savescore.inc.php
@@ -52,7 +52,14 @@ else // user clicked ON a hotspot $TBL_TRACK_E_HOTSPOT = Database::get_statistic_table(STATISTIC_TRACK_E_HOTSPOTS); // Save into db
-$sql = "INSERT INTO $TBL_TRACK_E_HOTSPOT (`user_id` , `course_id` , `quiz_id` , `question_id` , `answer_id` , `correct` , `coordinate` ) VALUES ('".$_user['user_id']."', '$courseCode', '$exerciseId', '$questionId', '$answerId', '$hit', '$coordinates')";
+$sql = "INSERT INTO $TBL_TRACK_E_HOTSPOT (`user_id` , `course_id` , `quiz_id` , `question_id` , `answer_id` , `correct` , `coordinate` ) VALUES (
+ '".Database::escape_string($_user['user_id'])."',
+ '".Database::escape_string($courseCode)."',
+ '".Database::escape_string($exerciseId)."',
+ '".Database::escape_string($questionId)."',
+ '".Database::escape_string($answerId)."',
+ '".Database::escape_string($hit)."',
+ '".Database::escape_string($coordinates)."')";
 $result = api_sql_query($sql,__FILE__,__LINE__); // Save insert id into session if users changes answer. $insert_id = mysql_insert_id();
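Review bot: `$hotspot_type` is now escaped but still stored verbatim; the hunk context `if ($_GET['type'] == "poly")` suggests it mirrors a client-supplied `type`, so escaping prevents injection but not an arbitrary value landing in the column. An allow-list check before the UPDATE is the right guard, e.g. `if (!in_array($hotspot_type, array('square', 'poly'), true)) { exit; }`, extended to whatever other type names the editor emits (this page shows only `square` as the default in question.class.php and `poly` here). The rewrite also drops the backticks around the four column names, harmless for these identifiers but an unrelated change in a security commit. `$answerId` and `$questionId` are numeric keys and would be better cast with `(int)` than quoted.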
diff --git a/main/exercice/hotspot_updatescore.inc.php b/main/exercice/hotspot_updatescore.inc.php
index e775044ce4..d92f85a07b 100644
--- a/main/exercice/hotspot_updatescore.inc.php
+++ b/main/exercice/hotspot_updatescore.inc.php
@@ -67,6 +67,6 @@ $TBL_TRACK_E_HOTSPOT = Database::get_statistic_table(STATISTIC_TRACK_E_HOTSPOT // update db $update_id = $_SESSION['exerciseResult'][$questionId]['ids'][$answerId];
-$sql = "UPDATE $TBL_TRACK_E_HOTSPOT SET `coordinate` = '".$coordinates."' WHERE `id` =$update_id LIMIT 1 ;;";
+$sql = "UPDATE $TBL_TRACK_E_HOTSPOT SET coordinate = '".Database::escape_string($coordinates)."' WHERE id ='".Database::escape_string($update_id)."' LIMIT 1 ;;";
 $result = api_sql_query($sql,__FILE__,__LINE__); ?>
\ No newline at end of file
diff --git a/main/exercice/mark_free_answer.php b/main/exercice/mark_free_answer.php
index 03dd4e0ffd..6e97d015c1 100644
--- a/main/exercice/mark_free_answer.php
+++ b/main/exercice/mark_free_answer.php
@@ -66,7 +66,7 @@ $debug=0; if($debug>0){echo str_repeat(' ',0).'Entered exercise_result.php'."
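Review bot: The UPDATE still runs when `$update_id`, read from `$_SESSION` on the line above, is missing: `Database::escape_string` of a null presumably yields an empty string, `WHERE id =''` matches no meaningful row, and the script ends as if the save had succeeded. A guard before building `$sql` makes the failure visible, `if (empty($update_id)) { exit; }`, or a reply token the Flash caller understands in the style of the `done=done` reply in hotspot_save.inc.php. While the line is being rewritten, the stray `;;` at the end of the statement could become the single `;` that hotspot_save.inc.php uses, and `id =".(int) $update_id` is the natural form for an integer key.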
\n";var_dump($_POST);} // general parameters passed via POST/GET -$my_course_code = mysql_real_escape_string($_GET['cid']); +$my_course_code = $_GET['cid']; if(!empty($_REQUEST['exe'])){ $my_exe = $_REQUEST['exe']; }else{ @@ -123,7 +123,7 @@ if($action == 'mark'){ #$tbl_learnpath_user = Database::get_course_table('learnpath_user'); #global $origin, $tbl_learnpath_user, $learnpath_id, $learnpath_item_id; $sql = "SELECT * FROM $exercise_table - WHERE exe_user_id = '$my_usr' AND exe_cours_id = '$my_cid' AND exe_exo_id = '$my_exe' + WHERE exe_user_id = '".Database::escape_string($my_usr)."' AND exe_cours_id = '".Database::escape_string($my_cid)."' AND exe_exo_id = '".Database::escape_string($my_exe)."' ORDER BY exe_date DESC"; #echo $sql; $res = api_sql_query($sql,__FILE__,__LINE__); @@ -142,21 +142,21 @@ if($action == 'mark'){ $reallyNow = time(); $sql = "INSERT INTO $exercise_table ( - `exe_user_id`, - `exe_cours_id`, - `exe_exo_id`, - `exe_result`, - `exe_weighting`, - `exe_date` + exe_user_id, + exe_cours_id, + exe_exo_id, + exe_result, + exe_weighting, + exe_date ) VALUES ( - ".$my_usr.", - '".$my_cid."', - '".$my_exe."', - '".$my_score."', - '".$obj_question->selectWeighting()."', + '".Database::escape_string($my_usr)."', + '".Database::escape_string($my_cid)."', + '".Database::escape_string($my_exe)."', + '".Database::escape_string($my_score)."', + '".Database::escape_string($obj_question->selectWeighting())."', FROM_UNIXTIME(".$reallyNow.") )"; #if ($origin == 'learnpath') @@ -175,7 +175,7 @@ if($action == 'mark'){ //return 0; } }else{ - $my_msg .= " There might have been a problem with the total score being too big...
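Review bot: `$my_course_code` now holds the raw `$_GET['cid']`, but the queries this commit escapes later in the file (hunks at 123 and 142) use a variable named `$my_cid`, not `$my_course_code`; unless `$my_cid` is derived from `$my_course_code` outside these hunks, the value lost its only protection with nothing added in its place. Rather than re-adding `mysql_real_escape_string` at intake, validate it at the boundary or resolve the current course the way savescores.php does (`$_cid = api_get_course_id();`), and escape or cast at each query as the rest of the commit does.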
\n"; + $my_msg .= get_lang('TotalScoreTooBig'); } } diff --git a/main/exercice/question.class.php b/main/exercice/question.class.php index 0e30be32f9..4c2b10f040 100644 --- a/main/exercice/question.class.php +++ b/main/exercice/question.class.php @@ -22,7 +22,7 @@ * File containing the Question class. * @package dokeos.exercise * @author Olivier Brouckaert -* @version $Id: question.class.php 15463 2008-05-27 16:45:11Z juliomontoya $ +* @version $Id: question.class.php 15602 2008-06-18 08:52:24Z pcool $ */ @@ -103,7 +103,7 @@ abstract class Question $TBL_EXERCICES = Database::get_course_table(TABLE_QUIZ_TEST); $TBL_QUESTIONS = Database::get_course_table(TABLE_QUIZ_QUESTION); $TBL_EXERCICE_QUESTION = Database::get_course_table(TABLE_QUIZ_TEST_QUESTION); - $sql="SELECT question,description,ponderation,position,type,picture FROM $TBL_QUESTIONS WHERE id='$id'"; + $sql="SELECT question,description,ponderation,position,type,picture FROM $TBL_QUESTIONS WHERE id='".Database::escape_string($id)."'"; $result=api_sql_query($sql,__FILE__,__LINE__); @@ -298,7 +298,7 @@ abstract class Question if(!in_array($this->type,array(UNIQUE_ANSWER,MULTIPLE_ANSWER)) || !in_array($type,array(UNIQUE_ANSWER,MULTIPLE_ANSWER))) { // removes old answers - $sql="DELETE FROM $TBL_REPONSES WHERE question_id='".$this->id."'"; + $sql="DELETE FROM $TBL_REPONSES WHERE question_id='".Database::escape_string($this->id)."'"; api_sql_query($sql,__FILE__,__LINE__); } @@ -472,7 +472,7 @@ abstract class Question $Extension=$picture[sizeof($picture)-1]; $picture='quiz-'.$questionId.'.'.$Extension; - $sql="UPDATE $TBL_QUESTIONS SET picture='$picture' WHERE id='$questionId'"; + $sql="UPDATE $TBL_QUESTIONS SET picture='".Database::escape_string($picture)."' WHERE id='".Database::escape_string($questionId)."'"; api_sql_query($sql,__FILE__,__LINE__); return @copy($picturePath.'/'.$this->picture,$picturePath.'/'.$picture)?true:false; 
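Review bot: `$questionId` is escaped for the UPDATE, but two lines above it is also spliced into the picture file name (`'quiz-'.$questionId.'.'.$Extension`) that `@copy` writes on the last line, and `Database::escape_string` does nothing for a path. Since it is an integer key, cast it once at the top of the enclosing function (which starts before this hunk), `$questionId = (int) $questionId;`, and both the path and the query are covered. The `@` on `copy` also hides the failure a bad path would otherwise surface, so the result is worth logging rather than silently returning `false`.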
@@ -559,19 +559,33 @@ abstract class Question // question already exists if($id) { - $sql="UPDATE $TBL_QUESTIONS SET question='$question',description='$description',ponderation='$weighting',position='$position',type='$type',picture='$picture' WHERE id='$id'"; + $sql="UPDATE $TBL_QUESTIONS SET + question ='".Database::escape_string($question)."', + description ='".Database::escape_string($description)."', + ponderation ='".Database::escape_string($weighting)."', + position ='".Database::escape_string($position)."', + type ='".Database::escape_string($type)."', + picture ='".Database::escape_string($picture)."' + WHERE id='".Database::escape_string($id)."'"; api_sql_query($sql,__FILE__,__LINE__); } // creates a new question else { - $sql="SELECT max(position) FROM $TBL_QUESTIONS as question, $TBL_EXERCICE_QUESTION as test_question WHERE question.id=test_question.question_id AND test_question.exercice_id='$exerciseId'"; + $sql="SELECT max(position) FROM $TBL_QUESTIONS as question, $TBL_EXERCICE_QUESTION as test_question WHERE question.id=test_question.question_id AND test_question.exercice_id='".Database::escape_string($exerciseId)."'"; $result=api_sql_query($sql); $current_position=mysql_result($result,0,0); $this -> updatePosition($current_position+1); $position = $this -> position; - $sql="INSERT INTO $TBL_QUESTIONS(question,description,ponderation,position,type,picture) VALUES('$question','$description','$weighting','$position','$type','$picture')"; + $sql="INSERT INTO $TBL_QUESTIONS(question,description,ponderation,position,type,picture) VALUES( + '".Database::escape_string($question)."', + '".Database::escape_string($description)."', + '".Database::escape_string($weighting)."', + '".Database::escape_string($position)."', + '".Database::escape_string($type)."', + '".Database::escape_string($picture)."' + )"; api_sql_query($sql,__FILE__,__LINE__); $this->id=mysql_insert_id(); 
@@ -580,7 +594,7 @@ abstract class Question if ($type == HOT_SPOT || $type == HOT_SPOT_ORDER) { $TBL_ANSWERS = Database::get_course_table(TABLE_QUIZ_ANSWER); - $sql="INSERT INTO $TBL_ANSWERS (`id` , `question_id` , `answer` , `correct` , `comment` , `ponderation` , `position` , `hotspot_coordinates` , `hotspot_type` ) VALUES ('1', '$this->id', '', NULL , '', NULL , '1', '0;0|0|0', 'square')"; + $sql="INSERT INTO $TBL_ANSWERS (`id` , `question_id` , `answer` , `correct` , `comment` , `ponderation` , `position` , `hotspot_coordinates` , `hotspot_type` ) VALUES ('1', '".Database::escape_string($this->id)."', '', NULL , '', NULL , '1', '0;0|0|0', 'square')"; api_sql_query($sql,__FILE__,__LINE__); } } @@ -617,7 +631,7 @@ abstract class Question { $this->exerciseList[]=$exerciseId; - $sql="INSERT INTO $TBL_EXERCICE_QUESTION(question_id,exercice_id) VALUES('$id','$exerciseId')"; + $sql="INSERT INTO $TBL_EXERCICE_QUESTION(question_id,exercice_id) VALUES('".Database::escape_string($id)."','".Database::escape_string($exerciseId)."')"; api_sql_query($sql,__FILE__,__LINE__); } @@ -649,7 +663,7 @@ abstract class Question // deletes the position in the array containing the wanted exercise ID unset($this->exerciseList[$pos]); - $sql="DELETE FROM $TBL_EXERCICE_QUESTION WHERE question_id='$id' AND exercice_id='$exerciseId'"; + $sql="DELETE FROM $TBL_EXERCICE_QUESTION WHERE question_id='".Database::escape_string($id)."' AND exercice_id='".Database::escape_string($exerciseId)."'"; api_sql_query($sql,__FILE__,__LINE__); return true; 
@@ -673,13 +687,13 @@ abstract class Question // if the question must be removed from all exercises if(!$deleteFromEx) { - $sql="DELETE FROM $TBL_EXERCICE_QUESTION WHERE question_id='$id'"; + $sql="DELETE FROM $TBL_EXERCICE_QUESTION WHERE question_id='".Database::escape_string($id)."'"; api_sql_query($sql,__FILE__,__LINE__); - $sql="DELETE FROM $TBL_QUESTIONS WHERE id='$id'"; + $sql="DELETE FROM $TBL_QUESTIONS WHERE id='".Database::escape_string($id)."'"; api_sql_query($sql,__FILE__,__LINE__); - $sql="DELETE FROM $TBL_REPONSES WHERE question_id='$id'"; + $sql="DELETE FROM $TBL_REPONSES WHERE question_id='".Database::escape_string($id)."'"; api_sql_query($sql,__FILE__,__LINE__); $this->removePicture(); @@ -710,7 +724,7 @@ abstract class Question $position=$this->position; $type=$this->type; - $sql="INSERT INTO $TBL_QUESTIONS(question,description,ponderation,position,type) VALUES('$question','$description','$weighting','$position','$type')"; + $sql="INSERT INTO $TBL_QUESTIONS(question,description,ponderation,position,type) VALUES('".Database::escape_string($question)."','".Database::escape_string($description)."','".Database::escape_string($weighting)."','".Database::escape_string($position)."','".Database::escape_string($type)."')"; api_sql_query($sql,__FILE__,__LINE__); $id=mysql_insert_id(); diff --git a/main/exercice/question_pool.php b/main/exercice/question_pool.php index 14b837cd96..1c9da63022 100644 --- a/main/exercice/question_pool.php +++ b/main/exercice/question_pool.php @@ -18,7 +18,7 @@ * One question can be in several exercises * @package dokeos.exercise * @author Olivier Brouckaert -* @version $Id: question_pool.php 15385 2008-05-24 02:59:51Z yannoo $ +* @version $Id: question_pool.php 15602 2008-06-18 08:52:24Z pcool $ */ // name of the language file that needs to be included 
@@ -144,7 +144,7 @@ if($is_allowedToEdit) '$fromExercise' AND active<>'-1' ORDER BY id"; + $sql="SELECT id,title FROM $TBL_EXERCICES WHERE id<>'".Database::escape_string($fromExercise)."' AND active<>'-1' ORDER BY id"; $result=api_sql_query($sql,__FILE__,__LINE__); // shows a list-box allowing to filter questions @@ -168,7 +168,7 @@ if($is_allowedToEdit) // if we have selected an exercise in the list-box 'Filter' if($exerciseId > 0) { - $sql="SELECT id,question,type FROM $TBL_EXERCICE_QUESTION,$TBL_QUESTIONS WHERE question_id=id AND exercice_id='$exerciseId' ORDER BY position"; + $sql="SELECT id,question,type FROM $TBL_EXERCICE_QUESTION,$TBL_QUESTIONS WHERE question_id=id AND exercice_id='".Database::escape_string($exerciseId)."' ORDER BY position"; } // if we have selected the option 'Orphan questions' in the list-box 'Filter' elseif($exerciseId == -1) diff --git a/main/exercice/savescores.php b/main/exercice/savescores.php index 4edd08520b..d01265d4b4 100644 --- a/main/exercice/savescores.php +++ b/main/exercice/savescores.php @@ -22,7 +22,7 @@ * Saving the scores. * @package dokeos.exercise * @author -* @version $Id: savescores.php 15312 2008-05-19 01:15:03Z yannoo $ +* @version $Id: savescores.php 15602 2008-06-18 08:52:24Z pcool $ */ // name of the language file that needs to be included @@ -55,8 +55,8 @@ $tbl_learnpath_user = Database::get_course_table(TABLE_LEARNPATH_USER); $TABLE_LP_ITEM_VIEW = Database::get_course_table(TABLE_LP_ITEM_VIEW); $_cid = api_get_course_id(); -$test = mysql_real_escape_string($_REQUEST['test']); -$score = mysql_real_escape_string($_REQUEST['score']); +$test = $_REQUEST['test']; +$score = $_REQUEST['score']; $origin = $_REQUEST['origin']; $jscript2run = ''; 
@@ -95,7 +95,13 @@ function save_scores($file, $score) $sql = "INSERT INTO $TABLETRACK_HOTPOTATOES ". "(exe_name, exe_user_id, exe_date,exe_cours_id,exe_result,exe_weighting)" . "VALUES" . - "('$file',$user_id,'$date','$_cid','$score','$weighting')"; + "( + '".Database::escape_string($file)."', + '".Database::escape_string($user_id)."', + '".Database::escape_string($date)."', + '".Database::escape_string($_cid)."', + '".Database::escape_string($score)."', + '".Database::escape_string($weighting)."')"; $res = api_sql_query($sql,__FILE__,__LINE__); if ($origin == 'learnpath')