
Security - Add Database::escape_string and remove_XSS

jmontoyaa committed Nov 19, 2018
1 parent 74894f2 commit d13365c19486d0783426a8c5315310a406d5be01
@@ -197,13 +197,13 @@
if (isset($_POST['Submit']) && $_POST['Submit']) {
// changing the name
$sql = "UPDATE $tbl_admin_languages SET original_name='{$_POST['txt_name']}'
WHERE id='{$_POST['edit_id']}'";
$name = Database::escape_string($_POST['txt_name']);
$postId = (int) $_POST['edit_id'];
$sql = "UPDATE $tbl_admin_languages SET original_name='$name'
WHERE id='$postId'";
$result = Database::query($sql);
// changing the Platform language
if ($_POST['platformlanguage'] && $_POST['platformlanguage'] != '') {
//$sql_update_2 = "UPDATE $tbl_settings_current SET selected_value='{$_POST['platformlanguage']}' WHERE variable='platformLanguage'";
//$result_2 = Database::query($sql_update_2);
api_set_setting('platformLanguage', $_POST['platformlanguage'], null, null, $_configuration['access_url']);
}
} elseif (isset($_POST['action'])) {
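Review bot: `$_POST['platformlanguage']` is still handed to `api_set_setting` untouched at the bottom of this hunk, while the same hunk now escapes `txt_name` and casts `edit_id`; whether `api_set_setting` escapes its arguments internally is not visible here, so this remains the one raw request value in the branch. Reading `$_POST['platformlanguage']` in the `if` without `isset` also emits a notice whenever the field is absent. Since the value becomes a platform-wide setting, an allow-list check against the languages this page already loads from `$tbl_admin_languages` would be a stronger gate than escaping, e.g. `$platformLanguage = isset($_POST['platformlanguage']) ? Database::escape_string($_POST['platformlanguage']) : '';` followed by a lookup before the `api_set_setting` call.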
@@ -253,13 +253,16 @@
// including the header file (which includes the banner itself)
Display::display_header($tool_name);
echo '<a id="disable_all_except_default" href="javascript:void(0)" class="btn btn-primary"><em class="fa fa-eye"></em> '.get_lang('LanguagesDisableAllExceptDefault').'</a><br /><br />';
echo '<a
id="disable_all_except_default"
href="javascript:void(0)" class="btn btn-primary">
<em class="fa fa-eye"></em> '.get_lang('LanguagesDisableAllExceptDefault').'</a><br /><br />';
// selecting all the languages
$sql_select = "SELECT * FROM $tbl_admin_languages";
$result_select = Database::query($sql_select);
$sql_select_lang = "SELECT * FROM $tbl_settings_current WHERE category='Languages'";
$sql_select_lang = "SELECT * FROM $tbl_settings_current WHERE category='Languages'";
$result_select_lang = Database::query($sql_select_lang);
$row_lang = Database::fetch_array($result_select_lang);
@@ -17,8 +17,6 @@
api_protect_admin_script();
/* Global constants and variables */
$form_sent = 0;
$first_letter_user = '';
$first_letter_course = '';
@@ -30,7 +28,7 @@
/* Header */
$tool_name = get_lang('AddUsersToACourse');
$interbreadcrumb[] = ["url" => 'index.php', "name" => get_lang('PlatformAdmin')];
$interbreadcrumb[] = ['url' => 'index.php', 'name' => get_lang('PlatformAdmin')];
$htmlHeadXtra[] = '<script>
function validate_filter() {
@@ -56,7 +54,7 @@ function validate_filter() {
$new_field_list = [];
if (is_array($extra_field_list)) {
foreach ($extra_field_list as $extra_field) {
//if is enabled to filter and is a "<select>" field type
// if is enabled to filter and is a "<select>" field type
if ($extra_field[8] == 1 && $extra_field[2] == ExtraField::FIELD_TYPE_SELECT) {
$new_field_list[] = [
'name' => $extra_field[3],
@@ -83,8 +81,8 @@ function validate_filter() {
$form_sent = $_POST['form_sent'];
$users = isset($_POST['UserList']) && is_array($_POST['UserList']) ? $_POST['UserList'] : [];
$courses = isset($_POST['CourseList']) && is_array($_POST['CourseList']) ? $_POST['CourseList'] : [];
$first_letter_user = $_POST['firstLetterUser'];
$first_letter_course = $_POST['firstLetterCourse'];
$first_letter_user = Database::escape_string($_POST['firstLetterUser']);
$first_letter_course = Database::escape_string($_POST['firstLetterCourse']);
foreach ($users as $key => $value) {
$users[$key] = intval($value);
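Review bot: `$form_sent = $_POST['form_sent'];` at the top of the hunk is still taken raw, and the two new `Database::escape_string` calls read `$_POST['firstLetterUser']` / `$_POST['firstLetterCourse']` without `isset`, so a request without those fields raises notices; the surrounding lines already use the `isset(...) ? ... : default` form. Suggested: `$form_sent = isset($_POST['form_sent']) ? (int) $_POST['form_sent'] : 0;`, `$first_letter_user = isset($_POST['firstLetterUser']) ? Database::escape_string($_POST['firstLetterUser']) : '';` and the same for `$first_letter_course`. `escape_string` only covers SQL quoting; if these letters are echoed back as the selected option of the `firstLetterCourse` select further down, they still need `htmlspecialchars` at that output point, and if they are used in a `LIKE` pattern the `%`/`_` wildcards are not neutralised by escaping.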
@@ -306,7 +304,7 @@ function validate_filter() {
<b><?php echo get_lang('CourseList'); ?> :</b>
<br/><br/>
<?php echo get_lang('FirstLetterCourse'); ?> :
<select name="firstLetterCourse"
<select name="firstLetterCourse"
onchange="javascript:document.formulaire.form_sent.value='2'; document.formulaire.submit();"
aria-label="<?php echo get_lang('FirstLetterCourse'); ?>">
<option value="">--</option>
@@ -46,11 +46,11 @@
$selectedTeacher = $formValues['teacher'];
if (!empty($formValues['from'])) {
$selectedFrom = $formValues['from'];
$selectedFrom = Security::remove_XSS($formValues['from']);
}
if (!empty($formValues['until'])) {
$selectedUntil = $formValues['until'];
$selectedUntil = Security::remove_XSS($formValues['until']);
}
}
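Review bot: `Security::remove_XSS` on `from` and `until` is an HTML-context filter being used as input validation for what look like date values; it does not guarantee a well-formed date, and a value that survives the filter is presumably still passed into date handling or a query outside this hunk. The check that fits here is a format round-trip (the same `DateTime::createFromFormat` + `format()` comparison this commit touches in `validateDates`), discarding the value when it does not validate, with HTML escaping applied where the value is rendered. `$selectedTeacher = $formValues['teacher'];` at the start of the hunk is taken without any check at all; if it is a user id, `(int)` would be the matching treatment.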
@@ -96,6 +96,9 @@
if (!empty($selectedCourse)) {
$withFilter = true;
$course = api_get_course_info($selectedCourse);
if (empty($course)) {
api_not_allowed(true);
}
$reportTitle = sprintf(get_lang('TimeReportForCourseX'), $course['title']);
$teachers = CourseManager::get_teacher_list_from_course_code($selectedCourse);
@@ -8,13 +8,17 @@
*
* @package chamilo.auth
*/
if (isset($_REQUEST['action']) && Security::remove_XSS($_REQUEST['action']) !== 'subscribe') {
$stok = Security::get_token();
} else {
$stok = Security::getTokenFromSession();
}
$action = !empty($_REQUEST['action']) ? Security::remove_XSS($_REQUEST['action']) : 'display_courses';
global $actions;
$action = in_array($action, $actions) ? $action : 'display_courses';
$showCourses = CoursesAndSessionsCatalog::showCourses();
$showSessions = CoursesAndSessionsCatalog::showSessions();
$pageCurrent = isset($pageCurrent) ? $pageCurrent : isset($_GET['pageCurrent']) ? intval($_GET['pageCurrent']) : 1;
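Review bot: The allow-list check `in_array($action, $actions)` uses loose comparison; pass the strict flag, `$action = in_array($action, $actions, true) ? $action : 'display_courses';`, so that only an exact string from `$actions` is accepted. The unparenthesised nested ternary on the last line is left-associative in PHP, so it evaluates as `(isset($pageCurrent) ? $pageCurrent : isset($_GET['pageCurrent'])) ? intval($_GET['pageCurrent']) : 1` and a `$pageCurrent` supplied by an including script is discarded in favour of `$_GET` (with a notice when that is absent); wrap the inner ternary in parentheses. `global $actions` relies on the allow-list having been defined by whichever file includes this one, which is not visible from the hunk.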
@@ -3270,6 +3270,7 @@ function api_display_tool_view_option()
$output_string .= '<a class="btn btn-default btn-sm" href="'.$sourceurl.'&isStudentView=true" target="_self">'.
Display::returnFontAwesomeIcon('eye').' '.get_lang('SwitchToStudentView').'</a>';
}
$output_string = Security::remove_XSS($output_string);
$html = Display::tag('div', $output_string, ['class' => 'view-options']);
return $html;
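Review bot: `Security::remove_XSS($output_string)` is applied to markup the function built itself, so the filter runs over trusted `<a>`/`<em>` HTML while the one externally influenced piece, `$sourceurl` inside the `href`, was already concatenated unescaped; depending on the filter's level this can rewrite or strip the legitimate markup, and it is not a reliable guard for an attribute-context value. Escape at the insertion point instead, `'href="'.htmlspecialchars($sourceurl.'&isStudentView=true', ENT_QUOTES, 'UTF-8').'"'`, and drop the blanket filter on the assembled string. `api_display_tool_view_option` begins outside this hunk, so any other `$output_string` fragments built earlier would need the same review.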
@@ -53,6 +53,7 @@ public function setValue($value)
*/
public function parseDateRange($dateRange)
{
$dateRange = Security::remove_XSS($dateRange);
$dates = explode('/', $dateRange);
$dates = array_map('trim', $dates);
$start = isset($dates[0]) ? $dates[0] : '';
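Review bot: Running `Security::remove_XSS` over `$dateRange` before `explode('/', ...)` filters for an HTML context in a method whose job is to parse a date range, so a malformed value is still split and returned as dates; the real gate is `validateDates` (which this commit also touches and which verifies the format by round-trip). A docblock line on `parseDateRange` stating that the returned start/end are unvalidated until `validateDates` is called would make that contract explicit. The method continues past the hunk, so the return path is not visible here.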
@@ -82,7 +83,7 @@ public function validateDates($dates, $format = null)
$d = DateTime::createFromFormat($format, $dates['end']);
$resultEnd = $d && $d->format($format) == $dates['end'];
if (!($resultStart) || !$resultEnd) {
if (!$resultStart || !$resultEnd) {
return false;
}
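Review bot: The comparison two lines above the rewritten condition, `$d->format($format) == $dates['end']`, is a loose string comparison; since this is the round-trip check that decides whether the date is accepted, use `===` (and the same for the `$resultStart` line, which is outside the hunk): `$resultEnd = $d && $d->format($format) === $dates['end'];`. The `!$resultStart || !$resultEnd` simplification is fine as is.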
@@ -133,29 +134,29 @@ private function getElementJS()
}
$minDate = null;
$minDateValue = $this->getAttribute('minDate');
$minDateValue = Security::remove_XSS($this->getAttribute('minDate'));
if (!empty($minDateValue)) {
$minDate = "
minDate: '{$minDateValue}',
";
}
$maxDate = null;
$maxDateValue = $this->getAttribute('maxDate');
$maxDateValue = Security::remove_XSS($this->getAttribute('maxDate'));
if (!empty($maxDateValue)) {
$maxDate = "
maxDate: '{$maxDateValue}',
";
}
$format = 'YYYY-MM-DD HH:mm';
$formatValue = $this->getAttribute('format');
$formatValue = Security::remove_XSS($this->getAttribute('format'));
if (!empty($formatValue)) {
$format = $formatValue;
}
$timePicker = 'true';
$timePickerValue = $this->getAttribute('timePicker');
$timePickerValue = Security::remove_XSS($this->getAttribute('timePicker'));
if (!empty($timePickerValue)) {
$timePicker = $timePickerValue;
}
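Review bot: The new `Security::remove_XSS` calls on `minDate`, `maxDate`, `format` and `timePicker` filter for an HTML context, but the values are interpolated into JavaScript string literals (`minDate: '{$minDateValue}'`), where a single quote or backslash is the relevant break-out character and may survive an HTML-oriented filter. Encode for the JS context instead, e.g. `$minDate = 'minDate: '.json_encode($minDateValue, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP).',';` (json_encode supplies its own quotes), and do the same for `maxDate`; `$format` and `$timePicker` are presumably interpolated the same way later in `getElementJS`, which starts and ends outside this hunk. For `minDate`/`maxDate` a format validation before emission would be stronger still.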
@@ -54,8 +54,7 @@ public function __construct(
*/
public function toHtml()
{
$value = $this->getValue();
$value = Security::remove_XSS($this->getValue());
if ($this->editor) {
if ($this->editor->getConfigAttribute('fullPage')) {
if (strlen(trim($value)) == 0) {
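Review bot: Filtering the stored value on every render (`$value = Security::remove_XSS($this->getValue())` here, and `$this->editor->value = Security::remove_XSS($this->getValue())` in the `buildEditor` hunk below) changes what the editor shows, not what was accepted: this element carries rich HTML (`fullPage` editor config), so tags that a privileged author saved legitimately can be stripped on each edit/save round trip. If `remove_XSS` supports a per-role filtering level, it should be passed explicitly here rather than relying on its default, and the boundary that actually protects storage is filtering on submission. Whether `$this->editor->value` is escaped before output is not visible in this hunk; `toHtml` continues past it.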
@@ -100,7 +99,7 @@ public function buildEditor($style = false)
{
$result = '';
if ($this->editor) {
$this->editor->value = $this->getValue();
$this->editor->value = Security::remove_XSS($this->getValue());
$this->editor->setName($this->getName());
if ($style == true) {
$result = $this->editor->createHtmlStyle();
