Remove Database::escape_string() without quotes to avoid SQL injections - partial - refs #7440
ywarnier committed Jan 15, 2015
1 parent c5dccb4 commit e01f044d58a7698b44fdda3a73c83eb8181a4910
@@ -31,10 +31,10 @@ public static function search_courses($needle, $type)
$cond_course_code = '';
if (!empty($id_session)) {
$id_session = Database::escape_string($id_session);
$id_session = intval($id_session);
// check course_code from session_rel_course table
$sql = 'SELECT course_code FROM '.$tbl_session_rel_course.'
WHERE id_session ="'.(int)$id_session.'"';
WHERE id_session = '.$id_session;
$res = Database::query($sql);
$course_codes = '';
if (Database::num_rows($res) > 0) {
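Review bot: The `Database::escape_string($id_session)` call on the line before `intval()` is now dead work — whatever it produces is discarded by the integer cast — and leaving both in place suggests the escape still contributes something. Keep only `$id_session = intval($id_session);` so the sanitisation strategy for this id is visible at a glance. search_courses continues past the hunk.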
@@ -165,7 +165,7 @@ public static function edit_blog ($blog_id, $title, $subtitle) {
$this_blog_id = Database::insert_id();
//update item_property (update)
api_item_property_update(api_get_course_info(), TOOL_BLOGS, Database::escape_string($blog_id), 'BlogUpdated', api_get_user_id());
api_item_property_update(api_get_course_info(), TOOL_BLOGS, intval($blog_id), 'BlogUpdated', api_get_user_id());
// Update course homepage link
$sql = "UPDATE $tbl_tool SET name = '".Database::escape_string($title)."' WHERE c_id = $course_id AND link = 'blog/blog.php?blog_id=".Database::escape_string((int)$blog_id)."' LIMIT 1";
@@ -217,7 +217,7 @@ public static function delete_blog ($blog_id) {
Database::query($sql);
//update item_property (delete)
api_item_property_update(api_get_course_info(), TOOL_BLOGS, Database::escape_string($blog_id), 'delete', api_get_user_id());
api_item_property_update(api_get_course_info(), TOOL_BLOGS, intval($blog_id), 'delete', api_get_user_id());
}
/**
@@ -278,7 +278,7 @@ public static function create_post ($title, $full_text, $file_comment, $blog_id)
// Storing the attachments if any
if ($result) {
$sql='INSERT INTO '.$blog_table_attachment.'(c_id, filename,comment, path, post_id,size, blog_id,comment_id) '.
"VALUES ($course_id, '".Database::escape_string($file_name)."', '".Database::escape_string($comment)."', '".Database::escape_string($new_file_name)."' , '".$last_post_id."', '".intval($_FILES['user_upload']['size'])."', '".$blog_id."', '0' )";
"VALUES ($course_id, '".Database::escape_string($file_name)."', '".$comment."', '".Database::escape_string($new_file_name)."' , '".$last_post_id."', '".intval($_FILES['user_upload']['size'])."', '".$blog_id."', '0' )";
$result=Database::query($sql);
$message.=' / '.get_lang('AttachmentUpload');
}
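Review bot: The second VALUES line, which I read as the new side, drops Database::escape_string() around `$comment` and interpolates it raw inside a quoted literal; that reintroduces exactly the injection this commit is meant to remove unless `$comment` is already escaped earlier in create_post (the top of the function is outside the hunk). The commit scopes the cleanup to escape_string() calls that were used without surrounding quotes, and this one was quoted, so it should stay: `'".Database::escape_string($comment)."'`. The same statement also interpolates `$last_post_id` and `$blog_id` with neither escaping nor a cast; both are ids and should go through `intval()`.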
@@ -404,7 +404,7 @@ public static function create_comment($title, $full_text, $file_comment,$blog_id
if ($result)
{
$sql='INSERT INTO '.$blog_table_attachment.'(c_id, filename,comment, path, post_id,size,blog_id,comment_id) '.
"VALUES ($course_id, '".Database::escape_string($file_name)."', '".Database::escape_string($comment)."', '".Database::escape_string($new_file_name)."' , '".$post_id."', '".$_FILES['user_upload']['size']."', '".$blog_id."', '".$last_id."' )";
"VALUES ($course_id, '".Database::escape_string($file_name)."', '".$comment."', '".Database::escape_string($new_file_name)."' , '".$post_id."', '".$_FILES['user_upload']['size']."', '".$blog_id."', '".$last_id."' )";
$result=Database::query($sql);
$message.=' / '.get_lang('AttachmentUpload');
}
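Review bot: As in create_post, the second VALUES line removes the escaping from `$comment` while it is still embedded in a quoted literal, so unless `$comment` is escaped before this point (outside the hunk) the attachment comment becomes an injection vector; keep `'".Database::escape_string($comment)."'`. This copy is also less strict than its sibling: `$_FILES['user_upload']['size']` is interpolated without `intval()`, and `$post_id`, `$blog_id` and `$last_id` are neither cast nor escaped. Wrapping each of those in `intval()` brings the two INSERTs into line.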
@@ -423,9 +423,9 @@ public static function delete_comment ($blog_id, $post_id, $comment_id) {
// Init
$tbl_blogs_comments = Database::get_course_table(TABLE_BLOGS_COMMENTS);
$tbl_blogs_rating = Database::get_course_table(TABLE_BLOGS_RATING);
$blog_id = Database::escape_string($blog_id);
$post_id = Database::escape_string($post_id);
$comment_id = Database::escape_string($comment_id);
$blog_id = intval($blog_id);
$post_id = intval($post_id);
$comment_id = intval($comment_id);
$course_id = api_get_course_int_id();
@@ -2713,9 +2713,9 @@ function get_blog_attachment($blog_id, $post_id=null,$comment_id=null)
{
$blog_table_attachment = Database::get_course_table(TABLE_BLOGS_ATTACHMENT);
$blog_id = Database::escape_string($blog_id);
$comment_id = Database::escape_string($comment_id);
$post_id = Database::escape_string($post_id);
$blog_id = intval($blog_id);
$comment_id = intval($comment_id);
$post_id = intval($post_id);
$row=array();
$where='';
if (!empty ($post_id) && is_numeric($post_id)) {
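Review bot: The `is_numeric($post_id)` test on the last line is now always true, because `$post_id` has just been passed through `intval()`; `if (!empty($post_id)) {` alone expresses the intent. It is worth noting in a comment that the optional arguments default to null and `intval(null)` is 0, which is why the `empty()` checks still detect an omitted id. get_blog_attachment continues past the hunk.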
@@ -2754,9 +2754,9 @@ function delete_all_blog_attachment($blog_id,$post_id=null,$comment_id=null)
global $_course;
$blog_table_attachment = Database::get_course_table(TABLE_BLOGS_ATTACHMENT);
$blog_id = Database::escape_string($blog_id);
$comment_id = Database::escape_string($comment_id);
$post_id = Database::escape_string($post_id);
$blog_id = intval($blog_id);
$comment_id = intval($comment_id);
$post_id = intval($post_id);
$course_id = api_get_course_int_id();
@@ -2836,7 +2836,7 @@ function get_blog_post_from_user($course_code, $user_id) {
function get_blog_comment_from_user($course_code, $user_id) {
$tbl_blogs = Database::get_course_table(TABLE_BLOGS);
$tbl_blog_comment = Database::get_course_table(TABLE_BLOGS_COMMENTS);
$user_id = Database::escape_string($user_id);
$user_id = intval($user_id);
$course_info = api_get_course_info($course_code);
$course_id = $course_info['real_id'];
@@ -160,7 +160,7 @@ public static function subscribe_to_course($class_id, $course_code) {
$tbl_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
$sql = "INSERT IGNORE INTO $tbl_course_class SET course_code = '".Database::escape_string($course_code)."', class_id = '".Database::escape_string($class_id)."'";
Database::query($sql);
$sql = "SELECT user_id FROM $tbl_class_user WHERE class_id = '".Database::escape_string($class_id)."'";
$sql = "SELECT user_id FROM $tbl_class_user WHERE class_id = '".intval($class_id)."'";
$res = Database::query($sql);
while ($user = Database::fetch_object($res)) {
CourseManager :: subscribe_user($user->user_id, $course_code);
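Review bot: The INSERT IGNORE two lines above still writes `class_id = '".Database::escape_string($class_id)."'` while the SELECT now uses `intval($class_id)`, so the same id is coerced two different ways within one function: a non-numeric value would be stored as a string by the first statement and then never matched by the second. The quoted escape is not an injection risk, but for consistency use `intval($class_id)` in both statements.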
@@ -181,7 +181,7 @@ public static function unsubscribe_from_course($class_id, $course_code)
$single_class_users = Database::query($sql);
while ($single_class_user = Database::fetch_object($single_class_users))
{
$sql = "SELECT * FROM $tbl_class_user WHERE class_id = '".Database::escape_string($class_id)."' AND user_id = '".Database::escape_string($single_class_user->user_id)."'";
$sql = "SELECT * FROM $tbl_class_user WHERE class_id = '".intval($class_id)."' AND user_id = '".Database::escape_string($single_class_user->user_id)."'";
$res = Database::query($sql);
if (Database::num_rows($res) > 0)
{
@@ -253,7 +253,7 @@ public static function get_courses_list(
if (!in_array($orderdirection, array('ASC', 'DESC'))) {
$sql .= 'ASC';
} else {
$sql .= Database::escape_string($orderdirection);
$sql .= ($orderdirection == 'ASC'?'ASC':'DESC');
}
if (!empty($howmany) && is_int($howmany) and $howmany > 0) {
@@ -263,7 +263,7 @@ public static function get_courses_list(
}
if (!empty($from)) {
$from = intval($from);
$sql .= ' OFFSET '.Database::escape_string($from);
$sql .= ' OFFSET '.intval($from);
} else {
$sql .= ' OFFSET 0';
}
@@ -301,7 +301,7 @@ public static function get_user_in_course_status($user_id, $course_code)
{
$result = Database::fetch_array(Database::query(
"SELECT status FROM ".Database::get_main_table(TABLE_MAIN_COURSE_USER)."
WHERE course_code = '".Database::escape_string($course_code)."' AND user_id = ".Database::escape_string($user_id))
WHERE course_code = '".Database::escape_string($course_code)."' AND user_id = ".intval($user_id))
);
return $result['status'];
@@ -316,7 +316,7 @@ public static function get_tutor_in_course_status($user_id, $course_code)
{
$result = Database::fetch_array(Database::query(
"SELECT tutor_id FROM ".Database::get_main_table(TABLE_MAIN_COURSE_USER)."
WHERE course_code = '".Database::escape_string($course_code)."' AND user_id = ".Database::escape_string($user_id))
WHERE course_code = '".Database::escape_string($course_code)."' AND user_id = ".intval($user_id))
);
return $result['tutor_id'];
@@ -3868,7 +3868,7 @@ function get_user_course_categories() {
global $_user;
$output = array();
$table_category = Database::get_user_personal_table(TABLE_USER_COURSE_CATEGORY);
$sql = "SELECT * FROM ".$table_category." WHERE user_id='".Database::escape_string($_user['user_id'])."'";
$sql = "SELECT * FROM ".$table_category." WHERE user_id='".intval($_user['user_id'])."'";
$result = Database::query($sql);
while ($row = Database::fetch_array($result)) {
$output[$row['id']] = $row['title'];
@@ -101,7 +101,7 @@ function addNode($code, $name, $canHaveCourses, $parent_id)
$tbl_category = Database::get_main_table(TABLE_MAIN_CATEGORY);
$code = trim(Database::escape_string($code));
$name = trim(Database::escape_string($name));
$parent_id = Database::escape_string($parent_id);
$parent_id = intval($parent_id);
$canHaveCourses = Database::escape_string($canHaveCourses);
$code = generate_course_code($code);
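Review bot: `$parent_id = intval($parent_id)` assumes the parent is numeric, but the category `code` built by generate_course_code() on the last line is a string, and the sibling compterFils() in this file recurses with `$row['code']` as its parent argument, which suggests parent_id holds codes; if so, intval() silently turns a named parent into 0. If that is the case, keep `$parent_id = Database::escape_string($parent_id);` and make sure the INSERT (outside this hunk) quotes it. `$canHaveCourses` looks like a 0/1 flag; `intval()` or an explicit boolean check would be tighter than escape_string().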
@@ -220,7 +220,7 @@ function moveNodeUp($code, $tree_pos, $parent_id)
$tbl_category = Database::get_main_table(TABLE_MAIN_CATEGORY);
$code = Database::escape_string($code);
$tree_pos = Database::escape_string($tree_pos);
$parent_id = Database::escape_string($parent_id);
$parent_id = intval($parent_id);
$sql = "SELECT code,tree_pos
FROM $tbl_category
WHERE parent_id " . (empty($parent_id) ? "IS NULL" : "='$parent_id'") . " AND tree_pos<'$tree_pos'
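Review bot: If `parent_id` holds category codes rather than integers — the neighbouring compterFils() recurses with `$row['code']` as the parent, which points that way — then `intval($parent_id)` turns any non-numeric code into 0, the `empty($parent_id)` test on the last line always picks the `IS NULL` branch, and the query stops matching siblings under a named parent. The comparison is quoted (`='$parent_id'`), so escape_string() was already safe here; keep `$parent_id = Database::escape_string($parent_id);`. `$tree_pos` is also compared as a quoted string; `intval()` would be the tighter choice for it. moveNodeUp continues past the hunk.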
@@ -246,11 +246,11 @@ function moveNodeUp($code, $tree_pos, $parent_id)
* @param $cpt
* @return mixed
*/
function compterFils($pere, $cpt)
function compterFils($parent, $cpt)
{
$tbl_category = Database::get_main_table(TABLE_MAIN_CATEGORY);
$pere = Database::escape_string($pere);
$result = Database::query("SELECT code FROM $tbl_category WHERE parent_id='$pere'");
$parent = intval($parent);
$result = Database::query("SELECT code FROM $tbl_category WHERE parent_id='$parent'");
while ($row = Database::fetch_array($result)) {
$cpt = compterFils($row['code'], $cpt);
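Review bot: `$parent = intval($parent)` looks wrong for this function: the recursive call on the last line passes `$row['code']`, the category code just selected from the table, and a non-numeric code becomes 0, so every recursive step would run `WHERE parent_id='0'` and the child count would come out wrong. The value is wrapped in quotes in the query, so the previous form was not the unquoted pattern this commit targets; keep `$parent = Database::escape_string($parent);` and the quoted comparison. If category codes are guaranteed numeric this is moot, but generate_course_code() in addNode suggests they are strings.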
@@ -299,7 +299,7 @@ public static function update_course_request(
objetives = "%s", target_audience = "%s", status = "%s", info = "%s", exemplary_content = "%s"
WHERE id = '.$id, Database::get_main_table(TABLE_MAIN_COURSE_REQUEST),
Database::escape_string($code),
Database::escape_string($user_id),
intval($user_id),
Database::escape_string($directory),
Database::escape_string($db_name),
Database::escape_string($course_language),
@@ -983,7 +983,7 @@ public static function is_folder($_course, $document_id)
{
$TABLE_DOCUMENT = Database::get_course_table(TABLE_DOCUMENT);
$course_id = $_course['real_id'];
$document_id = Database::escape_string($document_id);
$document_id = intval($document_id);
$sql = "SELECT filetype FROM $TABLE_DOCUMENT
WHERE c_id = $course_id AND id= $document_id";
$result = Database::fetch_array(Database::query($sql), 'ASSOC');
@@ -1467,7 +1467,7 @@ public static function set_document_as_template($title, $description, $document_
'" . Database::escape_string($title) . "',
'" . Database::escape_string($description) . "',
'" . Database::escape_string($course_code) . "',
'" . Database::escape_string($user_id) . "',
'" . intval($user_id) . "',
'" . Database::escape_string($document_id_for_template) . "',
'" . Database::escape_string($image) . "')";
Database::query($sql);
@@ -1486,8 +1486,8 @@ public static function unset_document_as_template($document_id, $course_code, $u
{
$table_template = Database::get_main_table(TABLE_MAIN_TEMPLATES);
$course_code = Database::escape_string($course_code);
$user_id = Database::escape_string($user_id);
$document_id = Database::escape_string($document_id);
$user_id = intval($user_id);
$document_id = intval($document_id);
$sql = 'SELECT id FROM ' . $table_template . '
WHERE
@@ -1718,13 +1718,13 @@ public static function attach_gradebook_certificate($course_id, $document_id)
$tbl_category = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
$session_id = api_get_session_id();
if ($session_id == 0 || is_null($session_id)) {
$sql_session = 'AND (session_id=' . Database::escape_string($session_id) . ' OR isnull(session_id)) ';
$sql_session = 'AND (session_id=' . intval($session_id) . ' OR isnull(session_id)) ';
} elseif ($session_id > 0) {
$sql_session = 'AND session_id=' . Database::escape_string($session_id);
$sql_session = 'AND session_id=' . intval($session_id);
} else {
$sql_session = '';
}
$sql = 'UPDATE ' . $tbl_category . ' SET document_id="' . Database::escape_string($document_id) . '"
$sql = 'UPDATE ' . $tbl_category . ' SET document_id="' . intval($document_id) . '"
WHERE course_code="' . Database::escape_string($course_id) . '" ' . $sql_session;
Database::query($sql);
}
@@ -1739,9 +1739,9 @@ public static function get_default_certificate_id($course_id)
$tbl_category = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
$session_id = api_get_session_id();
if ($session_id == 0 || is_null($session_id)) {
$sql_session = 'AND (session_id=' . Database::escape_string($session_id) . ' OR isnull(session_id)) ';
$sql_session = 'AND (session_id=' . intval($session_id) . ' OR isnull(session_id)) ';
} elseif ($session_id > 0) {
$sql_session = 'AND session_id=' . Database::escape_string($session_id);
$sql_session = 'AND session_id=' . intval($session_id);
} else {
$sql_session = '';
}
@@ -1911,9 +1911,9 @@ public static function remove_attach_certificate($course_id, $default_certificat
$tbl_category = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
$session_id = api_get_session_id();
if ($session_id == 0 || is_null($session_id)) {
$sql_session = 'AND (session_id=' . Database::escape_string($session_id) . ' OR isnull(session_id)) ';
$sql_session = 'AND (session_id=' . intval($session_id) . ' OR isnull(session_id)) ';
} elseif ($session_id > 0) {
$sql_session = 'AND session_id=' . Database::escape_string($session_id);
$sql_session = 'AND session_id=' . intval($session_id);
} else {
$sql_session = '';
}
@@ -1613,8 +1613,8 @@ function event_send_mail($event_name, $params)
*/
function check_if_mail_already_sent($event_name, $user_from, $user_to = null) {
$event_name = Database::escape_string($event_name);
$user_to = Database::escape_string($user_to);
$user_from = Database::escape_string($user_from);
$user_to = intval($user_to);
$user_from = intval($user_from);
if ($user_to == null) {
$sql = 'SELECT COUNT(*) as total FROM ' . Database::get_main_table(TABLE_EVENT_SENT) . '
WHERE user_from = '.$user_from.' AND event_type_name = "'.$event_name.'"';
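Review bot: After `intval()`, the `$user_to == null` test on the line after the casts is a loose comparison against 0, so a caller passing user id 0 now takes the "no recipient" branch, whereas the escaped `'0'` previously did not; an explicit null can no longer be told apart from 0. Capture the null-ness before coercing: `$noRecipient = ($user_to === null); $user_to = intval($user_to); $user_from = intval($user_from);` and branch on `$noRecipient`. check_if_mail_already_sent continues past the hunk.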
@@ -384,7 +384,7 @@ public function save($params, $show_query = false)
public function get_values_by_handler_and_field_id($item_id, $field_id, $transform = false)
{
$field_id = intval($field_id);
$item_id = Database::escape_string($item_id);
$item_id = intval($item_id);
$sql = "SELECT s.*, field_type FROM {$this->table} s
INNER JOIN {$this->table_handler_field} sf ON (s.field_id = sf.id)
@@ -466,7 +466,7 @@ public function searchValuesByField($tag, $field_id, $limit = 10)
*/
public function get_values_by_handler_and_field_variable($item_id, $field_variable, $transform = false)
{
$item_id = Database::escape_string($item_id);
$item_id = intval($item_id);
$field_variable = Database::escape_string($field_variable);
$sql = "SELECT s.*, field_type FROM {$this->table} s
@@ -637,7 +637,7 @@ public function delete_all_values_by_field_id($field_id)
public function delete_values_by_handler_and_field_id($item_id, $field_id)
{
$field_id = intval($field_id);
$item_id = Database::escape_string($item_id);
$item_id = intval($item_id);
$sql = "DELETE FROM {$this->table}
WHERE {$this->handler_id} = '$item_id' AND field_id = '".$field_id."' ";
Database::query($sql);