Fixed issue #4934 : Editing a response in the data entry form always …

…resets the answer to "not completed" in private surveys Dev : fixed completed select box, allow to change submitdate, fix some security in sql request git-svn-id: file:///Users/Shitiz/Downloads/lssvn/source/limesurvey_dev@9799 b72ed6b6-b9f8-46b5-92b4-906544132732
LimeSurvey · Feb 15, 2011 · 5952a9b · 5952a9b
1 parent 4d2368c
commit 5952a9b
Showing 1 changed file with 24 additions and 16 deletions.
diff --git a/admin/dataentry.php b/admin/dataentry.php
@@ -97,7 +97,7 @@
         {
             $tokencompleted = "";
             $tokentable = db_table_name("tokens_".$surveyid);
-            $tcquery = "SELECT completed from $tokentable WHERE token='".$_POST['token']."'";
+            $tcquery = "SELECT completed from $tokentable WHERE token=".db_quoteall($_POST['token'],true);
             $tcresult = db_execute_assoc($tcquery);
             $tccount = $tcresult->RecordCount();
             while ($tcrow = $tcresult->FetchRow())
@@ -118,7 +118,7 @@
             }
             else
             { // token is valid, survey not anonymous, try to get last recorded response id
-                $aquery = "SELECT id,startlanguage FROM $surveytable WHERE token='".$_POST['token']."'";
+                $aquery = "SELECT id,startlanguage FROM $surveytable WHERE token=".db_quoteall($_POST['token'],true);
                 $aresult = db_execute_assoc($aquery);
                 while ($arow = $aresult->FetchRow())
                 {
@@ -305,7 +305,7 @@
                     { $submitdate = date_shift(date("Y-m-d H:i:s"), "Y-m-d", $timeadjust); }
 
 				// check how many uses the token has left
-				$usesquery = "SELECT usesleft FROM {$dbprefix}tokens_$surveyid WHERE token='{$_POST['token']}'";
+				$usesquery = "SELECT usesleft FROM {$dbprefix}tokens_$surveyid WHERE token=".db_quoteall($_POST['token'],true);
 				$usesresult = db_execute_assoc($usesquery);
 				$usesrow = $usesresult->FetchRow();
 				if (isset($usesrow)) { $usesleft = $usesrow['usesleft']; }
@@ -334,12 +334,12 @@
 						$utquery .= "SET usesleft=usesleft-1\n";
 					}
                 }
-                $utquery .= "WHERE token='{$_POST['token']}'";
+                $utquery .= "WHERE token=".db_quoteall($_POST['token'],true);
                 $utresult = $connect->Execute($utquery) or safe_die ("Couldn't update tokens table!<br />\n$utquery<br />\n".$connect->ErrorMsg());
 
                 // save submitdate into survey table
                 $srid = $connect->Insert_ID();
-                $sdquery = "UPDATE {$dbprefix}survey_$surveyid SET submitdate='{$submitdate}' WHERE id={$srid}\n";
+                $sdquery = "UPDATE {$dbprefix}survey_$surveyid SET submitdate=".db_quoteall($submitdate,true)." WHERE id={$srid}\n";
                 $sdresult = $connect->Execute($sdquery) or safe_die ("Couldn't set submitdate response in survey table!<br />\n$sdquery<br />\n".$connect->ErrorMsg());
             }
             if (isset($_POST['save']) && $_POST['save'] == "on")
@@ -580,16 +580,13 @@
                         {
                             $mysubmitdate = date_shift(date("Y-m-d H:i:s"), "Y-m-d H:i:s", $timeadjust);
                         }
-                        $completedate= empty($idrow[$fname['fieldname']]) ? $mysubmitdate : $idrow[$fname['fieldname']];
-
-                        $dataentryoutput .= "                <select name='submitdate'>\n";
-                        $dataentryoutput .= "                    <option value=";
-                        if(empty($idrow['submitdate'])) { $dataentryoutput .= "'' selected"; }
-                        else    { $dataentryoutput .= "'N'"; }
+                        $completedate= empty($idrow['submitdate']) ? $mysubmitdate : $idrow['submitdate'];
+                        $dataentryoutput .= "                <select name='completed'>\n";
+                        $dataentryoutput .= "                    <option value='N'";
+                        if(empty($idrow['submitdate'])) { $dataentryoutput .= " selected='selected'"; }
                         $dataentryoutput .= ">".$clang->gT("No")."</option>\n";
-                        $dataentryoutput .= "                    <option value=";
-                        if(!empty($idrow['submitdate'])) { $dataentryoutput .= "'' selected"; }
-                        else     { $dataentryoutput .= "'$completedate'"; }
+                        $dataentryoutput .= "                    <option value='{$completedate}'";
+                        if(!empty($idrow['submitdate'])) { $dataentryoutput .= " selected='selected'"; }
                         $dataentryoutput .= ">".$clang->gT("Yes")."</option>\n";
                         $dataentryoutput .= "                </select>\n";
                         break;
@@ -1430,9 +1427,20 @@ function saveshow(value)
             {
                 $updateqr .= db_quote_id($fieldname)." = NULL, \n";
             }
-            elseif (($irow['type'] == 'submitdate') && ($thisvalue == 'N' || $thisvalue == ''))
+            elseif ($irow['type'] == 'submitdate')
             {
-                $updateqr .= db_quote_id($fieldname)." = NULL, \n";
+                if (isset($_POST['completed']) && ($_POST['completed']== "N"))
+                {
+                    $updateqr .= db_quote_id($fieldname)." = NULL, \n";
+                }
+                elseif (isset($_POST['completed']) && $thisvalue=="")
+                {
+                    $updateqr .= db_quote_id($fieldname)." = " . db_quoteall($_POST['completed'],true) . ", \n";
+                }
+                else
+                {
+                    $updateqr .= db_quote_id($fieldname)." = " . db_quoteall($thisvalue,true) . ", \n";
+                }
             }
             else
             {