
Commit 93ed464

committed
Fix queries: Add Database::escape_string
1 parent f398b5b commit 93ed464


3 files changed

+27
-23
lines changed


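--- a/main/admin/dashboard_add_users_to_user.php
+++ b/main/admin/dashboard_add_users_to_user.php
@@ -67,6 +67,9 @@ function search_users($needle, $type = 'multiple')
 
 $xajax_response = new xajaxResponse();
 $return = '';
+$needle = Database::escape_string($needle);
+$type = Database::escape_string($type);
+
 if (!empty($needle) && !empty($type)) {
 $assigned_users_to_hrm = [];
 
@@ -387,8 +390,8 @@ function remove_item(origin) {
 
 if (api_is_multiple_url_enabled()) {
 $sql = "SELECT user.user_id, username, lastname, firstname
-FROM $tbl_user user
-LEFT JOIN $tbl_access_url_rel_user au
+FROM $tbl_user user
+LEFT JOIN $tbl_access_url_rel_user au
 ON (au.user_id = user.user_id)
 WHERE
 $without_assigned_users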
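Review bot: `$needle` and `$type` are escaped once at function entry (new lines 70–71) instead of at the point where they are interpolated into SQL, so every later use of the two variables inside search_users — including any non-SQL use such as echoing the needle back into the xajax response — now sees the escaped value, and `Database::escape_string` alone does not neutralise the `LIKE` metacharacters `%` and `_` if the needle feeds a `LIKE` pattern. The rest of search_users is outside the hunk, so I cannot confirm either use; if the needle ends up in a `LIKE`, follow the escape with `$needle = addcslashes($needle, '%_');`, or better, bind the values through a prepared statement at the query site. The second hunk is whitespace-only.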

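--- a/main/inc/lib/add_courses_to_session_functions.lib.php
+++ b/main/inc/lib/add_courses_to_session_functions.lib.php
@@ -32,10 +32,11 @@ public static function search_courses($needle, $type, $id_session)
 // xajax send utf8 datas... datas in db can be non-utf8 datas
 $charset = api_get_system_encoding();
 $needle = api_convert_encoding($needle, $charset, 'utf-8');
+$needle = Database::escape_string($needle);
 
 $cond_course_code = '';
 if (!empty($id_session)) {
-$id_session = intval($id_session);
+$id_session = (int) $id_session;
 // check course_code from session_rel_course table
 $sql = 'SELECT c_id FROM '.$tbl_session_rel_course.'
 WHERE session_id = '.$id_session;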
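Review bot: `$type`, the second parameter in the search_courses signature shown in the hunk header, receives no escaping here, whereas the sibling change in dashboard_add_users_to_user.php escapes its `$type`; if search_courses interpolates `$type` into SQL further down — outside this hunk — it needs the same treatment, and that should be confirmed before merging. Placing the new escape after `api_convert_encoding` is the right order, since the bytes being escaped are the bytes that reach the server, provided the connection charset matches `$charset`. The same `LIKE` wildcard caveat as in the other file applies to `$needle` if it is used in a pattern; the `(int) $id_session` cast on line 39 is fine.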

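--- a/main/session/session_add.php
+++ b/main/session/session_add.php
@@ -13,7 +13,6 @@
 $this_section = SECTION_PLATFORM_ADMIN;
 
 SessionManager::protectSession(null, false);
-
 api_protect_limit_for_session_admin();
 
 $formSent = 0;
@@ -35,6 +34,7 @@ function search_coachs($needle)
 $return = '';
 
 if (!empty($needle)) {
+$needle = Database::escape_string($needle);
 $order_clause = api_sort_by_first_name() ? ' ORDER BY firstname, lastname, username' : ' ORDER BY lastname, firstname, username';
 
 // search users where username or firstname or lastname begins likes $needle
@@ -166,44 +166,44 @@ function check_session_name($name)
 $('#access').val(0);
 $('#access').selectpicker('render');
 accessSwitcher(0);
-$('#duration').val(parseInt(data.duration));
-} else {
+$('#duration').val(parseInt(data.duration));
+} else {
 $('#access').val(1);
 $('#access').selectpicker('render');
 accessSwitcher(1);
-
+
 var variables = [
 'display_start_date',
 'access_start_date',
 'coach_access_start_date',
 'display_end_date',
 'access_end_date',
-'coach_access_end_date'
-];
+'coach_access_end_date'
+];
 variables.forEach(function(variable) {
-var variableName = variable + '_to_local_time';
-if (data[variableName]) {
+var variableName = variable + '_to_local_time';
+if (data[variableName]) {
 var parsedDate = $.datepicker.parseDateTime(
-'yy-mm-dd',
-'hh:mm:ss',
+'yy-mm-dd',
+'hh:mm:ss',
 data[variableName]
-);
+);
 if (parsedDate) {
 $('#'+variable).datetimepicker('setDate', parsedDate);
-}
+}
 }
 });
 }
-
+
 $('[name=\'show_description\']').prop('checked', false);
 if (data.show_description) {
 $('[name=\'show_description\']').prop('checked', true);
 }
-
+
 $('[name=\'send_subscription_notification\']').prop('checked', false);
 if (data.send_subscription_notification) {
 $('[name=\'send_subscription_notification\']').prop('checked', true);
-}
+}
 
 $.each(data.extra_fields, function(i, item) {
 var fieldName = 'extra_'+item.variable;
@@ -250,7 +250,7 @@ function check_session_name($name)
 break;
 case '4': // simple select
 case '5': // multiple select
-var options = item.value.split(';');
+var options = item.value.split(';');
 $('#'+fieldName+'').val(options);
 $('#'+fieldName+'').selectpicker('render');
 break;
@@ -328,20 +328,20 @@ function check_session_name($name)
 if (item.value) {
 // $('input[name='+fieldName+']').val(item.value);
 var url = '".$urlUpload."';
-
+
 url = url + item.value;
-
+
 var divFormGroup = fieldName + '-form-group';
 var divWrapper = fieldName + '_crop_image';
 var divPreview = fieldName + '_preview_image';
 var divCropButton = fieldName + '_crop_button';
 var cropResult = fieldName + '_crop_result';
-
+
 $('[name=\''+cropResult+'\']').val('import_file_from_session::' + sessionId);
 $('#' + divFormGroup).show();
 $('#' + divWrapper).show();
 $('#' + divCropButton).hide();
-$('#' + divPreview).attr('src', url);
+$('#' + divPreview).attr('src', url);
 //$('[name=\''+fieldName+'\']')
 }
 break;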
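Review bot: In search_coachs the comment on line 40 says the query matches names that "begin like" `$needle`, i.e. a `LIKE` pattern, and `Database::escape_string` on new line 37 does not neutralise the `LIKE` metacharacters `%` and `_`, so a needle containing them still matches more rows than the caller intended. Right after the escape add `$needle = addcslashes($needle, '%_');` (or bind the pattern through a prepared statement) so the input is matched literally; the query itself is outside the hunk, so confirm the wildcard is appended by the code rather than expected from the caller. The removed blank line at 16 and the check_session_name hunks are whitespace-only and raise nothing.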
