
variable cleaning and sesskey updates

1 parent 0733cc0 commit f862f00d54157cebe170271351242b10372838ac michaelpenne committed Jan 27, 2005
Showing with 77 additions and 41 deletions.
  1. +8 −6 mod/lesson/import.php
  2. +30 −7 mod/lesson/lesson.php
  3. +39 −28 mod/lesson/view.php
@@ -4,8 +4,9 @@
require_once("../../config.php");
require_once("locallib.php");
- optional_variable($format);
- require_variable($id); // Course Module ID
+ $format = optional_param('format');
+ $id = required_param('id', PARAM_INT); // Course Module ID
+ $pageid = required_param('pageid', PARAM_INT);
if (! $cm = get_record("course_modules", "id", $id)) {
error("Course Module ID was incorrect");
@@ -33,8 +34,8 @@
"<A HREF=\"$CFG->wwwroot/course/view.php?id=$course->id\">$course->shortname</A> -> ".
"<A HREF=index.php?id=$course->id>$strlessons</A> -> <a href=\"view.php?id=$cm->id\">$lesson->name</a>-> $strimportquestions");
- if ($form = data_submitted()) { /// Filename
-
+ if ($form = lesson_clean_data_submitted()) { /// Filename
+ confirm_sesskey();
$form->format = clean_filename($form->format); // For safety
if (isset($form->filename)) { // file already on server
@@ -78,7 +79,7 @@
error("Error occurred during pre-processing!");
}
- if (! $format->importprocess($newfile['tmp_name'], $lesson, $_POST['pageid'])) { // Process the uploaded file
+ if (! $format->importprocess($newfile['tmp_name'], $lesson, $pageid)) { // Process the uploaded file
error("Error occurred during processing!");
}
@@ -112,7 +113,8 @@
print_simple_box_start("center", "", "$THEME->cellheading");
echo "<form enctype=\"multipart/form-data\" method=\"post\" action=import.php>";
echo "<input type=\"hidden\" name=\"id\" value=\"$cm->id\">\n";
- echo "<input type=\"hidden\" name=\"pageid\" value=\"".$_GET['pageid']."\">\n";
+ echo "<input type=\"hidden\" name=\"pageid\" value=\"".$pageid."\">\n";
+ echo "<input type=\"hidden\" name=\"sesskey\" value=\"".$USER->sesskey."\">\n";
echo "<table cellpadding=5>";
echo "<tr><td align=right>";
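Review bot: `$pageid` taken with `required_param('pageid', PARAM_INT)` at line 20 is handed straight to `importprocess()` at line 36 without any check that the page belongs to `$lesson`, so a teacher allowed to edit this module can point the import at a page id from any other lesson. Since `get_record` is already used with the same calling pattern at line 21, a guard such as `if (!get_record('lesson_pages', 'id', $pageid, 'lessonid', $lesson->id)) { error('Page not found in this lesson'); }` placed after `$lesson` is loaded would close that gap — assuming `lesson_pages` carries a `lessonid` column, which is not visible here. Separately, `optional_param('format')` at line 18 has no explicit type; if this value later selects the import handler (the `$format->importprocess` call suggests `$format` is replaced by a handler object), `PARAM_SAFEDIR` or an explicit allowlist would be safer than the default cleaning. The hunks cut through the file, so the lines that load `$lesson` and instantiate the handler are not shown.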
@@ -102,6 +102,7 @@
<input type="hidden" name="action" value="insertpage">
<input type="hidden" name="pageid" value="<?PHP echo $pageid ?>" />
<input type="hidden" name="qtype" value="<?PHP echo LESSON_BRANCHTABLE ?>" />
+ <input type="hidden" name="sesskey" value="<?PHP echo $USER->sesskey ?>" />
<center><table cellpadding=5 border=1>
<tr><td align="center">
<tr valign="top">
@@ -156,6 +157,8 @@
error("Only teachers can look at this page");
}
+ confirm_sesskey();
+
// first get the preceeding page
$pageid = required_param('pageid', PARAM_INT);
@@ -218,6 +221,8 @@
if (!isteacher($course->id)) {
error("Only teachers can look at this page");
}
+
+ confirm_sesskey();
// first get the preceeding page
// if $pageid = 0, then we are inserting a new page at the beginning of the lesson
@@ -285,6 +290,8 @@
error("Only teachers can look at this page");
}
+ confirm_sesskey();
+
// first get the preceeding page
$pageid = required_param('pageid', PARAM_INT);
@@ -379,17 +386,19 @@
<input type="hidden" name="id" value="<?PHP echo $cm->id ?>">
<input type="hidden" name="action" value="insertpage">
<input type="hidden" name="pageid" value="<?PHP echo $pageid ?>">
+ <input type="hidden" name="sesskey" value="<?PHP echo $USER->sesskey ?>">
<center><table cellpadding=5 border=1>
<?php
echo "<tr><td align=\"center\"><b>";
echo get_string("questiontype", "lesson").":</b> \n";
echo helpbutton("questiontype", get_string("questiontype", "lesson"), "lesson")."<br>";
if (isset($_GET['qtype'])) {
- lesson_qtype_menu($LESSON_QUESTION_TYPE, $_GET['qtype'],
+ $qtype = clean_param($_GET['qtype'], PARAM_INT);
+ lesson_qtype_menu($LESSON_QUESTION_TYPE, $qtype,
"lesson.php?id=$cm->id&action=addpage&pageid=".$pageid.$linkadd);
// NoticeFix rearraged
- if ( $_GET['qtype'] == LESSON_SHORTANSWER || $_GET['qtype'] == LESSON_MULTICHOICE || !isset($_GET['qtype']) ) { // only display this option for Multichoice and shortanswer
- if ($_GET['qtype'] == LESSON_SHORTANSWER) {
+ if ( $qtype == LESSON_SHORTANSWER || $qtype == LESSON_MULTICHOICE ) { // only display this option for Multichoice and shortanswer
+ if ($qtype == LESSON_SHORTANSWER) {
echo "<br><br><b>".get_string("casesensitive", "lesson").":</b> \n";
} else {
echo "<br><br><b>".get_string("multianswer", "lesson").":</b> \n";
@@ -576,6 +585,8 @@
if (!isteacher($course->id)) {
error("Only teachers can look at this page");
}
+
+ confirm_sesskey();
$pageid = required_param('pageid', PARAM_INT);
if (!$thispage = get_record("lesson_pages", "id", $pageid)) {
@@ -594,13 +605,16 @@
}
}
notice_yesno(get_string("confirmdeletionofthispage","lesson"),
- "lesson.php?action=delete&amp;id=$cm->id&amp;pageid=$pageid",
+ "lesson.php?action=delete&amp;id=$cm->id&amp;pageid=$pageid&amp;sesskey=".$USER->sesskey,
"view.php?id=$cm->id");
}
/****************** continue ************************************/
elseif ($action == 'continue' ) {
+
+ confirm_sesskey();
+
//CDC Chris Berri added this echo call for left menu. must match that in view.php for styles
if ($lesson->displayleft) {
echo '<div class="leftmenu1">';
@@ -1420,6 +1434,8 @@
if (!isteacher($course->id)) {
error("Only teachers can look at this page");
}
+
+ confirm_sesskey();
if (empty($_GET['pageid'])) {
error("Delete: pageid missing");
@@ -1532,6 +1548,7 @@
<input type="hidden" name="id" value="<?PHP echo $cm->id ?>">
<input type="hidden" name="action" value="updatepage">
<input type="hidden" name="pageid" value="<?PHP echo $pageid ?>">
+ <input type="hidden" name="sesskey" value="<?PHP echo $USER->sesskey ?>">
<input type="hidden" name="redisplay" value="0">
<center><table cellpadding=5 border=1>
<?php
@@ -1922,7 +1939,7 @@
lesson_choose_from_menu($jump, "jumpto[$i]", 0, "");
helpbutton("jumpto", get_string("jump", "lesson"), "lesson");
if($lesson->custom) {
- echo get_string("score", "lesson")." $iplus1: <input type=\"text\" name=\"score[$i]\" value=\"-1\" size=\"5\">";
+ echo get_string("score", "lesson")." $iplus1: <input type=\"text\" name=\"score[$i]\" value=\"0\" size=\"5\">";
}
echo "</td></tr>\n";
break;
@@ -1955,6 +1972,8 @@
error("Only teachers can look at this page");
}
+ confirm_sesskey();
+
$timenow = time();
$form = lesson_clean_data_submitted();
@@ -2153,15 +2172,15 @@
}
echo "<center><table cellpadding=\"5\" border=\"1\">\n";
- echo "<tr><td><a href=\"lesson.php?id=$cm->id&amp;action=moveit&amp;pageid=$pageid&amp;after=0\"><small>".
+ echo "<tr><td><a href=\"lesson.php?id=$cm->id&amp;sesskey=".$USER->sesskey."&amp;action=moveit&amp;pageid=$pageid&amp;after=0\"><small>".
get_string("movepagehere", "lesson")."</small></a></td></tr>\n";
while (true) {
if ($page->id != $pageid) {
if (!$title = trim($page->title)) {
$title = "<< ".get_string("notitle", "lesson")." >>";
}
echo "<tr><td bgcolor=\"$THEME->cellheading2\"><b>$title</b></td></tr>\n";
- echo "<tr><td><a href=\"lesson.php?id=$cm->id&amp;action=moveit&amp;pageid=$pageid&amp;after={$page->id}\"><small>".
+ echo "<tr><td><a href=\"lesson.php?id=$cm->id&amp;sesskey=".$USER->sesskey."&amp;action=moveit&amp;pageid=$pageid&amp;after={$page->id}\"><small>".
get_string("movepagehere", "lesson")."</small></a></td></tr>\n";
}
if ($page->nextpageid) {
@@ -2184,6 +2203,8 @@
error("Only teachers can look at this page");
}
+ confirm_sesskey();
+
$pageid = required_param('pageid', PARAM_INT); // page to move
if (!$page = get_record("lesson_pages", "id", $pageid)) {
error("Moveit: page not found");
@@ -2285,6 +2306,8 @@
error("Only teachers can look at this page");
}
+ confirm_sesskey();
+
$timenow = time();
$form = lesson_clean_data_submitted();
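Review bot: The delete action still reads the raw request value at line 132, `if (empty($_GET['pageid']))`, while every sibling action touched by this commit switched to `$pageid = required_param('pageid', PARAM_INT);` (lines 63, 78, 108, 180); replacing the `empty()` check with that call keeps the missing-value error and adds integer cleaning before the id reaches any query. The delete body continues outside the hunk, so I cannot see whether a later line cleans it. A smaller point: `confirm_sesskey()` is now enforced on the `continue` action at line 121, which is the student answer path; its submitting form lives in view.php, whose section did not render on this page, so please confirm that form carries the hidden `sesskey` field or every student submission will be rejected.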