
Remove Database::escape_string() without quotes to avoid SQL injectio…

…ns - partial - refs #7440
ywarnier committed Jan 16, 2015
1 parent f6b9a55 commit 28baec78d282baec9aaa2c85f4736921375c3f6a
Showing with 206 additions and 198 deletions.
  1. +1 −1 main/inc/lib/fckeditor/fcktemplates.xml.php
  2. +18 −18 main/inc/lib/groupmanager.lib.php
  3. +4 −4 main/inc/lib/legal.lib.php
  4. +3 −3 main/inc/lib/lp_item.lib.php
  5. +1 −1 main/inc/lib/main_api.lib.php
  6. +8 −7 main/inc/lib/message.lib.php
  7. +2 −2 main/inc/lib/notebook.lib.php
  8. +3 −3 main/inc/lib/online.inc.php
  9. +1 −1 main/inc/lib/search/tool_processors/document_processor.class.php
  10. +1 −1 main/inc/lib/search/tool_processors/learnpath_processor.class.php
  11. +1 −1 main/inc/lib/search/tool_processors/link_processor.class.php
  12. +7 −7 main/inc/lib/sessionmanager.lib.php
  13. +5 −5 main/inc/lib/tracking.lib.php
  14. +26 −26 main/inc/lib/urlmanager.lib.php
  15. +22 −20 main/inc/lib/usermanager.lib.php
  16. +6 −7 main/mySpace/myspace.lib.php
  17. +1 −1 main/newscorm/audiorecorder.inc.php
  18. +8 −8 main/newscorm/learnpath.class.php
  19. +2 −2 main/newscorm/scorm.class.php
  20. +0 −1 main/notebook/notebook_repository.class.php
  21. +4 −4 main/permissions/roles.php
  22. +1 −1 main/reservation/subscribe.php
  23. +1 −1 main/social/group_invitation.php
  24. +9 −9 main/survey/fillsurvey.php
  25. +6 −5 main/survey/preview.php
  26. +34 −34 main/survey/survey.lib.php
  27. +5 −5 main/survey/survey.php
  28. +5 −5 main/tracking/userLog.php
  29. +1 −1 main/user/resume_session.php
  30. +7 −7 main/user/subscribe_user.php
  31. +1 −1 main/user/user.php
  32. +7 −1 main/webservices/cm_webservice_user.php
  33. +1 −1 main/wiki/wiki.inc.php
  34. +1 −1 main/work/work.php
  35. +1 −1 plugin/buycourses/src/inscription.php
  36. +1 −1 plugin/ticket/src/report.php
  37. +1 −1 tests/main/admin/calendar.lib.test.php
@@ -219,7 +219,7 @@ function load_personal_templates($user_id = 0) {
$sql = "SELECT template.id, template.title, template.description, template.image, template.ref_doc, document.path
FROM ".$table_template." template, ".$table_document." document
WHERE
user_id='".Database::escape_string($user_id)."' AND
user_id='".intval($user_id)."' AND
course_code='".Database::escape_string(api_get_course_id())."' AND
document.c_id = $course_id AND
document.id = template.ref_doc";
@@ -611,7 +611,7 @@ public static function set_group_properties(
max_student = '".Database::escape_string($maximum_number_of_students)."',
self_registration_allowed = '".Database::escape_string($self_registration_allowed)."',
self_unregistration_allowed = '".Database::escape_string($self_unregistration_allowed)."',
category_id = '".Database::escape_string($categoryId)."'
category_id = ".intval($categoryId)."
WHERE c_id = $course_id AND id=".$group_id;
$result = Database::query($sql);
@@ -895,7 +895,7 @@ public static function update_category(
groups_per_user = '".Database::escape_string($groups_per_user)."',
self_reg_allowed = '".Database::escape_string($self_registration_allowed)."',
self_unreg_allowed = '".Database::escape_string($self_unregistration_allowed)."',
max_student = ".Database::escape_string($maximum_number_of_students)."
max_student = ".intval($maximum_number_of_students)."
WHERE c_id = $course_id AND id = $id";
Database::query($sql);
@@ -1015,8 +1015,8 @@ public static function get_users(
WHERE c_id = $courseId AND g.group_id = $group_id";
if (!empty($column) && !empty($direction)) {
$column = Database::escape_string($column);
$direction = Database::escape_string($direction);
$column = Database::escape_string($column, null, false);
$direction = ($direction == 'ASC' ? 'ASC' : 'DESC');
$sql .= " ORDER BY $column $direction";
}
@@ -1306,8 +1306,8 @@ public static function user_in_number_of_groups($user_id, $cat_id = null)
{
$table_group_user = Database :: get_course_table(TABLE_GROUP_USER);
$table_group = Database :: get_course_table(TABLE_GROUP);
$user_id = Database::escape_string($user_id);
$cat_id = Database::escape_string($cat_id);
$user_id = intval($user_id);
$cat_id = intval($cat_id);
$course_id = api_get_course_int_id();
$cat_condition = '';
@@ -1365,7 +1365,7 @@ public static function is_self_unregistration_allowed($user_id, $group_id)
return false;
}
$table_group = Database :: get_course_table(TABLE_GROUP);
$group_id = Database::escape_string($group_id);
$group_id = intval($group_id);
$course_id = api_get_course_int_id();
$db_result = Database::query(
'SELECT self_unregistration_allowed
@@ -1389,8 +1389,8 @@ public static function is_subscribed($user_id, $group_id)
return false;
}
$table_group_user = Database :: get_course_table(TABLE_GROUP_USER);
$group_id = Database::escape_string($group_id);
$user_id = Database::escape_string($user_id);
$group_id = intval($group_id);
$user_id = intval($user_id);
$course_id = api_get_course_int_id();
$sql = 'SELECT 1 FROM '.$table_group_user.'
WHERE
@@ -1499,7 +1499,7 @@ public static function get_subscribed_tutors($group_id, $id_only = false)
$order_clause = " ORDER BY u.official_code, u.firstname, u.lastname";
}
$group_id = Database::escape_string($group_id);
$group_id = intval($group_id);
$course_id = api_get_course_int_id();
$sql = "SELECT tg.id, u.user_id, u.lastname, u.firstname, u.email
@@ -1538,8 +1538,8 @@ public static function subscribe_users($user_ids, $group_id)
if (!empty($user_ids)) {
foreach ($user_ids as $user_id) {
if (self::can_user_subscribe($user_id, $group_id)) {
$user_id = Database::escape_string($user_id);
$group_id = Database::escape_string($group_id);
$user_id = intval($user_id);
$group_id = intval($group_id);
$sql = "INSERT INTO ".$table_group_user." (c_id, user_id, group_id)
VALUES ('$course_id', '".$user_id."', '".$group_id."')";
$result &= Database::query($sql);
@@ -1565,8 +1565,8 @@ public static function subscribe_tutors($user_ids, $group_id)
$table_group_tutor = Database :: get_course_table(TABLE_GROUP_TUTOR);
foreach ($user_ids as $user_id) {
$user_id = Database::escape_string($user_id);
$group_id = Database::escape_string($group_id);
$user_id = intval($user_id);
$group_id = intval($group_id);
$sql = "INSERT INTO ".$table_group_tutor." (c_id, user_id, group_id)
VALUES ('$course_id', '".$user_id."', '".$group_id."')";
$result &= Database::query($sql);
@@ -1584,7 +1584,7 @@ public static function unsubscribe_users($user_ids, $group_id)
{
$user_ids = is_array($user_ids) ? $user_ids : array ($user_ids);
$table_group_user = Database :: get_course_table(TABLE_GROUP_USER);
$group_id = Database::escape_string($group_id);
$group_id = intval($group_id);
$course_id = api_get_course_int_id();
$sql = 'DELETE FROM '.$table_group_user.'
WHERE c_id = '.$course_id.' AND group_id = '.$group_id.' AND user_id IN ('.implode(',', $user_ids).')';
@@ -1654,8 +1654,8 @@ public static function unsubscribe_all_tutors($group_ids)
public static function is_tutor_of_group($user_id, $group_id)
{
$table_group_tutor = Database :: get_course_table(TABLE_GROUP_TUTOR);
$user_id = Database::escape_string($user_id);
$group_id = Database::escape_string($group_id);
$user_id = intval($user_id);
$group_id = intval($group_id);
$course_id = api_get_course_int_id();
$sql = "SELECT * FROM ".$table_group_tutor."
@@ -1724,7 +1724,7 @@ public static function get_all_tutors()
public static function is_tutor($user_id)
{
$course_user_table = Database::get_main_table(TABLE_MAIN_COURSE_USER);
$user_id = Database::escape_string($user_id);
$user_id = intval($user_id);
$sql = "SELECT tutor_id FROM ".$course_user_table."
WHERE user_id = '".$user_id."' AND c_id ='".api_get_course_int_id()."'"."AND tutor_id=1";
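Review bot: In unsubscribe_users the `user_id IN ('.implode(',', $user_ids).')'` clause still interpolates the caller's list without any cast, while the same hunk now casts $group_id; unless the elements are sanitized before this function (not visible here), add `$user_ids = array_map('intval', $user_ids);` right after the is_array normalization. In get_users the ORDER BY column is passed through `Database::escape_string($column, null, false)`, but escaping does not constrain an identifier that sits outside quotes; validate $column against the set of sortable column names, the way $direction is reduced to ASC/DESC on the next line. set_group_properties and update_category begin before their hunks, so I cannot see whether $group_id and $id in their WHERE clauses are already cast to int.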
@@ -35,11 +35,11 @@ public static function add($language, $content, $type, $changes)
$version = intval(LegalManager::get_last_condition_version($language));
$version++;
$sql = "INSERT INTO $legal_table SET
language_id = '".Database::escape_string($language)."',
language_id = '".$language."',
content = '".$content."',
changes= '".$changes."',
type = '".$type."',
version = '".Database::escape_string($version)."',
version = '".intval($version)."',
date = '".$time."'";
Database::query($sql);
@@ -256,8 +256,8 @@ public static function count()
public static function get_type_of_terms_and_conditions($legal_id,$language_id)
{
$legal_conditions_table = Database::get_main_table(TABLE_MAIN_LEGAL);
$legal_id=Database::escape_string($legal_id);
$language_id=Database::escape_string($language_id);
$legal_id = intval($legal_id);
$language_id = Database::escape_string($language_id);
$sql = 'SELECT type FROM '.$legal_conditions_table.' WHERE legal_id="'.$legal_id.'" AND language_id="'.$language_id.'"';
$rs = Database::query($sql);
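Review bot: In LegalManager::add the new `language_id = '".$language."',` drops the escaping the old line applied inside the quotes; the commit targets unquoted escape_string() calls, but this one was quoted and therefore correct. Unless $language is escaped earlier in add (its start is outside the hunk, as are the lines that would escape $content, $changes and $type), restore `language_id = '".Database::escape_string($language)."',`. The `intval($version)` on the other changed line is redundant, since $version is already cast at the top of the hunk, though harmless.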
@@ -39,8 +39,8 @@ public function __construct($in_c_id=0, $in_id=0)
$item_view_table = Database::get_course_table(TABLE_LP_ITEM);
$sql = "SELECT * FROM $item_view_table
WHERE
c_id=".Database::escape_string($in_c_id)." AND
id=".Database::escape_string($in_id);
c_id=".intval($in_c_id)." AND
id=".intval($in_id);
$res = Database::query($sql);
$data = Database::fetch_array($res);
@@ -79,7 +79,7 @@ public function update_in_bdd()
$item_view_table = Database::get_course_table(TABLE_LP_ITEM);
if ($this->c_id > 0 && $this->id > 0) {
$sql = "UPDATE $item_view_table SET
lp_id = '".Database::escape_string($this->lp_id)."' ,
lp_id = '".intval($this->lp_id)."' ,
item_type = '".Database::escape_string($this->item_type)."' ,
ref = '".Database::escape_string($this->ref)."' ,
title = '".Database::escape_string($this->title)."' ,
@@ -3650,7 +3650,7 @@ function api_get_item_property_id($course_code, $tool, $ref)
*/
function api_track_item_property_update($tool, $ref, $title, $content, $progress)
{
$tbl_stats_item_property = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_ITEM_PROPERTY);
$tbl_stats_item_property = Database::get_main_table(TABLE_STATISTIC_TRACK_E_ITEM_PROPERTY);
$course_id = api_get_real_course_id(); //numeric
$course_code = api_get_course_id(); //alphanumeric
$item_property_id = api_get_item_property_id($course_code, $tool, $ref);
@@ -445,7 +445,7 @@ public static function delete_message_by_user_receiver($user_receiver_id, $id)
if ($id != strval(intval($id)))
return false;
$user_receiver_id = intval($user_receiver_id);
$id = Database::escape_string($id);
$id = intval($id);
$sql = "SELECT * FROM $table_message WHERE id=".$id." AND msg_status<>4;";
$rs = Database::query($sql);
@@ -763,14 +763,15 @@ public static function exist_message($user_id, $id)
$table_message = Database::get_main_table(TABLE_MESSAGE);
$query = "SELECT id FROM $table_message
WHERE
user_receiver_id=".Database::escape_string($user_id)." AND
id='".Database::escape_string($id)."'";
user_receiver_id = ".intval($user_id)." AND
id = '".intval($id)."'";
$result = Database::query($query);
$num = Database::num_rows($result);
if ($num > 0)
if ($num > 0) {
return true;
else
} else {
return false;
}
}
/**
@@ -973,8 +974,8 @@ public static function show_message_box_sent()
$query = "SELECT * FROM $table_message
WHERE
user_sender_id=".api_get_user_id()." AND
id=".intval(Database::escape_string($_GET['id_send']))." AND
msg_status=4;";
id=".intval($_GET['id_send'])." AND
msg_status = 4;";
$result = Database::query($query);
$message_id = intval($_GET['id_send']);
}
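Review bot: In show_message_box_sent `$_GET['id_send']` is read and cast twice, once inside the query string and again into $message_id two lines later; compute `$message_id = intval($_GET['id_send']);` before building the query and use `id = $message_id` in it, which also makes the value that was queried and the value kept for later identical. If the enclosing branch does not already check isset on id_send (its start is outside the hunk), the read should be guarded. In exist_message the `id = '".intval($id)."'` value is quoted while user_receiver_id on the previous line is not; the unquoted integer form for both would match the rest of the commit.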
@@ -59,7 +59,7 @@ static function save_note($values)
$course_id,
'" . api_get_user_id() . "',
'" . Database::escape_string(api_get_course_id()) . "',
'" . Database::escape_string($_SESSION['id_session']) . "',
'" . intval($_SESSION['id_session']) . "',
'" . Database::escape_string($values['note_title']) . "',
'" . Database::escape_string($values['note_comment']) . "',
'" . Database::escape_string(date('Y-m-d H:i:s')) . "',
@@ -119,7 +119,7 @@ static function update_note($values) {
$sql = "UPDATE $t_notebook SET
user_id = '" . api_get_user_id() . "',
course = '" . Database::escape_string(api_get_course_id()) . "',
session_id = '" . Database::escape_string($_SESSION['id_session']) . "',
session_id = '" . intval($_SESSION['id_session']) . "',
title = '" . Database::escape_string($values['note_title']) . "',
description = '" . Database::escape_string($values['note_comment']) . "',
update_date = '" . Database::escape_string(date('Y-m-d H:i:s')) . "'
@@ -393,7 +393,7 @@ function who_is_online_in_this_course($from, $number_of_items, $uid, $time_limit
$online_time = time() - $time_limit*60;
$current_date = api_get_utc_datetime($online_time);
$track_online_table = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_ONLINE);
$track_online_table = Database::get_main_table(TABLE_STATISTIC_TRACK_E_ONLINE);
$course_code = Database::escape_string($course_code);
$from = intval($from);
@@ -424,7 +424,7 @@ function who_is_online_in_this_course($from, $number_of_items, $uid, $time_limit
function who_is_online_in_this_course_count($uid, $time_limit, $coursecode=null) {
if(empty($coursecode)) return false;
$track_online_table = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_ONLINE);
$track_online_table = Database::get_main_table(TABLE_STATISTIC_TRACK_E_ONLINE);
$coursecode = Database::escape_string($coursecode);
$time_limit = Database::escape_string($time_limit);
@@ -451,7 +451,7 @@ function who_is_online_in_this_course_count($uid, $time_limit, $coursecode=null)
*/
function GetFullUserName($uid) {
$uid = (int) $uid;
$uid = Database::escape_string($uid);
$uid = intval($uid);
$user_table = Database::get_main_table(TABLE_MAIN_USER);
$query = "SELECT firstname, lastname FROM ".$user_table." WHERE user_id='$uid'";
$result = @Database::query($query);
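Review bot: In who_is_online_in_this_course_count `$time_limit` is still run through `Database::escape_string()` rather than cast, and its use is outside the hunk; since the sibling who_is_online_in_this_course computes `time() - $time_limit*60`, this is presumably a numeric value and should become `$time_limit = intval($time_limit);`, the same pattern the rest of the commit applies. In GetFullUserName `$uid = (int) $uid;` followed by `$uid = intval($uid);` is a redundant double cast; keep one. The `@Database::query($query)` suppression on the following context line hides query errors; if best-effort lookup is intended, a short comment saying so would help the next reader.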
@@ -75,7 +75,7 @@ private function get_information($course_id, $doc_id) {
$item_property_table = Database::get_course_table(TABLE_ITEM_PROPERTY);
$doc_table = Database::get_course_table(TABLE_DOCUMENT);
$doc_id = Database::escape_string($doc_id);
$doc_id = intval($doc_id);
$sql = "SELECT * FROM $doc_table
WHERE $doc_table.id = $doc_id AND c_id = $course_id
LIMIT 1";
@@ -98,7 +98,7 @@ private function get_information($course_id, $lp_id, $has_document_id = TRUE) {
$lp_table = Database::get_course_table(TABLE_LP_MAIN);
$doc_table = Database::get_course_table(TABLE_DOCUMENT);
$lp_id = Database::escape_string($lp_id);
$lp_id = intval($lp_id);
if ($has_document_id) {
$sql = "SELECT $lpi_table.id, $lp_table.name, $lp_table.author, $doc_table.path
@@ -102,7 +102,7 @@ private function get_information($course_id, $link_id) {
if (!empty($course_information)) {
$item_property_table = Database::get_course_table(TABLE_ITEM_PROPERTY);
$link_id = Database::escape_string($link_id);
$link_id = intval($link_id);
$sql = "SELECT insert_user_id FROM $item_property_table
WHERE ref = $link_id AND tool = '" . TOOL_LINK . "' AND c_id = $course_id
LIMIT 1";
@@ -641,7 +641,7 @@ public static function get_session_lp_progress($sessionId = 0, $courseId = 0, $d
$sql_query = sprintf($sql,
intval($courseId),
Database::escape_string($user['user_id']),
intval($user['user_id']),
$sessionId
);
@@ -1485,7 +1485,7 @@ public static function delete_session($id_checked, $from_ws = false)
}
if (!api_is_platform_admin() && !$from_ws) {
$sql = 'SELECT session_admin_id FROM ' . Database :: get_main_table(TABLE_MAIN_SESSION) . ' WHERE id=' . $id_checked;
$sql = 'SELECT session_admin_id FROM ' . Database :: get_main_table(TABLE_MAIN_SESSION) . ' WHERE id IN (' . $id_checked.')';
$rs = Database::query($sql);
if (Database::result($rs, 0, 0) != $userId) {
api_not_allowed(true);
@@ -2056,9 +2056,9 @@ public static function add_courses_to_session(
// subscribe all the users from the session to this course inside the session
$nbr_users = 0;
foreach ($user_list as $enreg_user) {
$enreg_user_id = Database::escape_string($enreg_user['id_user']);
$enreg_user_id = intval($enreg_user['id_user']);
$sql = "INSERT IGNORE INTO $tbl_session_rel_course_rel_user (id_session, course_code, id_user)
VALUES ('$sessionId','$enreg_course','$enreg_user_id')";
VALUES ($sessionId,'$enreg_course',$enreg_user_id)";
Database::query($sql);
if (Database::affected_rows()) {
$nbr_users++;
@@ -2253,7 +2253,7 @@ public static function relation_session_course_exist($session_id, $course_id)
$return_value = false;
$sql = "SELECT course_code FROM $tbl_session_course
WHERE
id_session = " . Database::escape_string($session_id) . " AND
id_session = " . intval($session_id) . " AND
course_code = '" . Database::escape_string($course_id) . "'";
$result = Database::query($sql);
$num = Database::num_rows($result);
@@ -5214,8 +5214,8 @@ public static function getUserSession($userId, $sessionId)
public static function isUserSusbcribedAsStudent($sessionId, $userId) {
$sessionRelUserTable = Database::get_main_table(TABLE_MAIN_SESSION_USER);
$sessionId = Database::escape_string($sessionId);
$userId = Database::escape_string($userId);
$sessionId = intval($sessionId);
$userId = intval($userId);
$sql = "SELECT COUNT(1) AS qty FROM $sessionRelUserTable "
. "WHERE id_session = $sessionId AND id_user = $userId AND relation_type = 0";
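Review bot: In delete_session the condition changes from `id = $id_checked` to `id IN (...)`, but the authorization check that follows still reads only `Database::result($rs, 0, 0)` and compares a single session_admin_id against $userId; when $id_checked holds several ids, only the first matching session's admin is verified and the other sessions are deleted unchecked. Iterate over every row and refuse if any session_admin_id differs, as sketched below. How $id_checked is built is outside the hunk, so I cannot confirm each element is cast to int before being joined; if it arrives as an array, `implode(',', array_map('intval', $id_checked))` would pin that. In add_courses_to_session the new `VALUES ($sessionId,'$enreg_course',$enreg_user_id)` drops the quotes around $sessionId, which is only safe if $sessionId was cast to int above the hunk.
```php
$rs = Database::query($sql);
// every session in the list must be administered by the current user
while ($row = Database::fetch_array($rs)) {
    if ($row['session_admin_id'] != $userId) {
        api_not_allowed(true);
    }
}
// … unchanged: deletion of the session rows …
```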