Fix database field from 1.11.x

f7f9357
chamilo · May 28, 2021 · 005dc8e · 005dc8e
1 parent a52eb22
commit 005dc8e
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 17 deletions.
diff --git a/public/main/inc/ajax/model.ajax.php b/public/main/inc/ajax/model.ajax.php
@@ -109,6 +109,8 @@ function getWhereClause($col, $oper, $val)
         'nc' => 'NOT LIKE',  //doesn't contain
     ];
 
+    $col = Database::escapeField($col);
+
     if (empty($col)) {
         return '';
     }
@@ -1442,8 +1444,9 @@ function getWhereClause($col, $oper, $val)
         }
 
         $whereCondition = " AND $whereCondition ";
+        $columnOrderValidList = array_merge(['firstname', 'lastname'], $columns);
+        $sidx = in_array($sidx, $columnOrderValidList) ? $sidx : 'title';
 
-        $sidx = in_array($sidx, $columns) ? $sidx : 'title';
         $result = get_work_user_list(
             $start,
             $limit,
@@ -2505,18 +2508,11 @@ function getWhereClause($col, $oper, $val)
                 }
                 $result = $obj->getUserGroupNotInCourse(
                     $options,
-                    $groupFilter,
-                    false,
-                    true
+                    $groupFilter
                 );
                 break;
             case 'registered':
-                $result = $obj->getUserGroupInCourse(
-                    $options,
-                    $groupFilter,
-                    false,
-                    true
-                );
+                $result = $obj->getUserGroupInCourse($options, $groupFilter);
                 break;
         }
 

diff --git a/public/main/inc/lib/database.lib.php b/public/main/inc/lib/database.lib.php
@@ -751,4 +751,9 @@ public static function listTableColumns($table)
     {
         return self::getManager()->getConnection()->getSchemaManager()->listTableColumns($table);
     }
+
+    public static function escapeField($field)
+    {
+        return self::escape_string(preg_replace("/[^a-zA-Z0-9_]/", '', $field));
+    }
 }
diff --git a/public/main/inc/lib/extra_field.lib.php b/public/main/inc/lib/extra_field.lib.php
@@ -1584,7 +1584,7 @@ public function set_extra_fields_in_form(
                         if ($freezeElement) {
                             $form->freeze('extra_'.$variable);
                         }
-                        break;
+                        break;                        
                     case self::FIELD_TYPE_FILE:
                         $fieldVariable = "extra_{$variable}";
                         $fieldTexts = [
@@ -2608,6 +2608,7 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
                     }
                 } else {
                     // Extra fields
+                    $ruleField = Database::escapeField($rule->field);
                     if (false === strpos($rule->field, '_second')) {
                         //No _second
                         $original_field = str_replace($stringToSearch, '', $rule->field);
@@ -2630,7 +2631,7 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
                                 $conditionArray[] = ' ('
                                 .$this->get_where_clause($rule->field, $rule->op, $rule->data)
                                 .') ';
-                                $extraFields[] = ['field' => $rule->field, 'id' => $field_option['id']];
+                                $extraFields[] = ['field' => $ruleField, 'id' => $field_option['id']];
                             }
                                 break;
                             case self::FIELD_TYPE_TAG:
@@ -2639,10 +2640,11 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
                                     break;
                                 }
 
+                                    // Where will be injected in the parseConditions()
                                 //$where = $this->get_where_clause($rule->field, $rule->op, $rule->data, 'OR');
                                 //$conditionArray[] = " ( $where ) ";
                                 $extraFields[] = [
-                                'field' => $rule->field,
+                                        'field' => $ruleField,
                                 'id' => $field_option['id'],
                                 'data' => $rule->data,
                             ];
@@ -2656,7 +2658,7 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
                                     $where = $this->get_where_clause($rule->field, $rule->op, $rule->data, 'OR');
                                     $conditionArray[] = " ( $where ) ";
                                     $extraFields[] = [
-                                        'field' => $rule->field,
+                                        'field' => $ruleField,
                                         'id' => $field_option['id'],
                                         'data' => $rule->data,
                                     ];
@@ -2668,7 +2670,7 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
                         $original_field = str_replace($stringToSearch, '', $my_field);
                         $field_option = $this->get_handler_field_info_by_field_variable($original_field);
                         $extraFields[] = [
-                        'field' => $rule->field,
+                            'field' => $ruleField,
                         'id' => $field_option['id'],
                     ];
                     }
@@ -2689,6 +2691,8 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
      */
     public function get_where_clause($col, $oper, $val, $conditionBetweenOptions = 'OR')
     {
+        $col = Database::escapeField($col);
+
         if (empty($col)) {
             return '';
         }
@@ -2755,7 +2759,7 @@ public function parseConditions($options, $alias = 's')
                             $inject_extra_fields .= " fvo$counter.display_text as {$extra['field']}, ";
                             break;
                         case self::FIELD_TYPE_TAG:
-                            //$inject_extra_fields .= " tag$counter.tag as {$extra['field']}, ";
+                            // If using OR
                             // If using AND
                             $newCounter = 1;
                             $fields = [];
@@ -3201,7 +3205,7 @@ private function addSelectElement(FormValidator $form, array $fieldDetails, $def
         );
 
         if (empty($defaultValueId)) {
-            $slct->addOption(get_lang('Please select an option'), '');
+            $slct->addOption(get_lang('Please select an option'));
         }
 
         foreach ($options as $value => $text) {