[SASHA-Code] SF.net SVN: sasha:[83] trunk/SASHA/inc/lib
From: <gph...@us...> - 2010-01-20 05:26:36
Revision: 83
http://sasha.svn.sourceforge.net/sasha/?rev=83&view=rev
Author: gphemsley
Date: 2010-01-20 05:26:26 +0000 (Wed, 20 Jan 2010)
Log Message:
-----------
Escape text used in SQL queries using Database::escape(), rather than addslashes().
Fix another BIT-related bug in Forms::_create_course_selector().
Modified Paths:
--------------
trunk/SASHA/inc/lib/lib.assignments.php
trunk/SASHA/inc/lib/lib.forms.php
trunk/SASHA/inc/lib/lib.tests.php
Modified: trunk/SASHA/inc/lib/lib.assignments.php
===================================================================
--- trunk/SASHA/inc/lib/lib.assignments.php 2010-01-20 03:06:18 UTC (rev 82)
+++ trunk/SASHA/inc/lib/lib.assignments.php 2010-01-20 05:26:26 UTC (rev 83)
@@ -34,8 +34,8 @@
if( $submit )
{
$schedule_id = (int) $_POST['schedule_id'];
- $assignment_name = ( exists( $_POST['assignment_name'] ) ) ? addslashes( (string) $_POST['assignment_name'] ) : FALSE;
- $description = ( exists( $_POST['description'] ) ) ? addslashes( (string) $_POST['description'] ) : NULL;
+ $assignment_name = ( exists( $_POST['assignment_name'] ) ) ? $_POST['assignment_name'] : FALSE;
+ $description = ( exists( $_POST['description'] ) ) ? $_POST['description'] : NULL;
$assigned_date = mktime( 0, 0, 0, (int) $_POST['assigned_date']['month'], (int) $_POST['assigned_date']['day'], (int) $_POST['assigned_date']['year'] );
$due_date = mktime( 0, 0, 0, (int) $_POST['due_date']['month'], (int) $_POST['due_date']['day'], (int) $_POST['due_date']['year'] );
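Review bot: Dropping `addslashes()` also dropped the `(string)` cast on the two rewritten assignments, so `$assignment_name` and `$description` now hold whatever shape `$_POST` delivers, including an array if the request is crafted as `assignment_name[]=...`, and neither `$Database->escape()` nor the later `htmlentities()` call is shown to handle that. Keep the cast: `$assignment_name = ( exists( $_POST['assignment_name'] ) ) ? (string) $_POST['assignment_name'] : FALSE;` and likewise for `$description`. The identical pattern appears in the `@@ -136` hunk of this file and in both `$test_name`/`$description` hunks of lib.tests.php. If this deployment still runs with magic_quotes_gpc enabled, the raw POST value already carries backslashes and will now be escaped twice, which is worth confirming since the old `stripslashes()` display path is gone too. The enclosing method starts above this hunk.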
@@ -54,13 +54,13 @@
else
{
$sql = "INSERT INTO assignments ( schedule_id, assignment_name, description, assigned_date, due_date )
- VALUES ( $schedule_id, '$assignment_name', '$description', $assigned_date, $due_date )";
+ VALUES ( $schedule_id, '" . $Database->escape( $assignment_name ) . "', '" . $Database->escape( $description ) . "', $assigned_date, $due_date )";
$result = $Database->query( $sql );
if( $result )
{
- print_message( 'good', 'Assignment "' . htmlentities( stripslashes( $assignment_name ), ENT_QUOTES, 'UTF-8' ) . '" (due ' . date( 'F j, Y', $due_date ) . ') added successfully.', 'Addition succeeded.' );
+ print_message( 'good', 'Assignment "' . htmlentities( $assignment_name, ENT_QUOTES, 'UTF-8' ) . '" (due ' . date( 'F j, Y', $due_date ) . ') added successfully.', 'Addition succeeded.' );
}
}
}
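Review bot: `$description` is NULL when the field is absent (set in the preceding hunk), and the rewritten VALUES clause `'" . $Database->escape( $description ) . "'` turns that into the SQL literal `''`, so the row stores an empty string rather than NULL; if the column is nullable and readers distinguish the two, emit an unquoted NULL in that case, e.g. `$desc_sql = ( $description === NULL ) ? 'NULL' : "'" . $Database->escape( $description ) . "'";` and interpolate `$desc_sql`. This was already the behaviour with the old interpolated `'$description'`, so it is not a regression, but the rewrite is the moment to fix it. Moving the escaping to the query-build site is the right direction; the remaining assumption is that `escape()` is connection- and charset-aware, which this page does not show. The same shape recurs in the UPDATE hunk below and in the INSERT and UPDATE hunks of lib.tests.php.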
@@ -136,8 +136,8 @@
if( $submit )
{
$schedule_id = (int) $_POST['schedule_id'];
- $assignment_name = ( exists( $_POST['assignment_name'] ) ) ? addslashes( (string) $_POST['assignment_name'] ) : FALSE;
- $description = ( exists( $_POST['description'] ) ) ? addslashes( (string) $_POST['description'] ) : NULL;
+ $assignment_name = ( exists( $_POST['assignment_name'] ) ) ? $_POST['assignment_name'] : FALSE;
+ $description = ( exists( $_POST['description'] ) ) ? $_POST['description'] : NULL;
$assigned_date = mktime( 0, 0, 0, (int) $_POST['assigned_date']['month'], (int) $_POST['assigned_date']['day'], (int) $_POST['assigned_date']['year'] );
$due_date = mktime( 0, 0, 0, (int) $_POST['due_date']['month'], (int) $_POST['due_date']['day'], (int) $_POST['due_date']['year'] );
$status = (int) $_POST['status'];
@@ -157,14 +157,14 @@
else
{
$sql = "UPDATE assignments
- SET schedule_id = $schedule_id, assignment_name = '$assignment_name', description = '$description', assigned_date = $assigned_date, due_date = $due_date, status = $status
+ SET schedule_id = $schedule_id, assignment_name = '" . $Database->escape( $assignment_name ) . "', description = '" . $Database->escape( $description ) . "', assigned_date = $assigned_date, due_date = $due_date, status = $status
WHERE assignment_id = $assignment_id";
$result = $Database->query( $sql );
if( $result )
{
- print_message( 'good', 'Assignment "' . htmlentities( stripslashes( $assignment_name ), ENT_QUOTES, 'UTF-8' ) . '" (due ' . date( 'F j, Y', $due_date ) . ') updated successfully.', 'Update succeeded.' );
+ print_message( 'good', 'Assignment "' . htmlentities( $assignment_name, ENT_QUOTES, 'UTF-8' ) . '" (due ' . date( 'F j, Y', $due_date ) . ') updated successfully.', 'Update succeeded.' );
$this->list_assignments();
Modified: trunk/SASHA/inc/lib/lib.forms.php
===================================================================
--- trunk/SASHA/inc/lib/lib.forms.php 2010-01-20 03:06:18 UTC (rev 82)
+++ trunk/SASHA/inc/lib/lib.forms.php 2010-01-20 05:26:26 UTC (rev 83)
@@ -641,7 +641,7 @@
{
$selected = ( $row['schedule_id'] == $current_schedule_id ) ? ' selected="selected"' : '';
- print "\t\t\t\t" . '<option value="' . $row['schedule_id'] . '"' . $selected . '>' . $SASHA->format_institution( $row['institution'] ) . ' — ' . $SASHA->format_course( $row['subject'], $row['course'], $row['institution'] ) . ' (' . $row['section'] . ') — ' . $SASHA->format_instructors( $row['instructors'], '; ' ) . ' (' . $SASHA->format_schedule_type( $row['schedule_type'] ) . ': ' . $SASHA->format_days( $row['days'], 'binary', 'html' ) . ')</option>' . "\n";
+ print "\t\t\t\t" . '<option value="' . $row['schedule_id'] . '"' . $selected . '>' . $SASHA->format_institution( $row['institution'] ) . ' — ' . $SASHA->format_course( $row['subject'], $row['course'], $row['institution'] ) . ' (' . $row['section'] . ') — ' . $SASHA->format_instructors( $row['instructors'], '; ' ) . ' (' . $SASHA->format_schedule_type( $row['schedule_type'] ) . ': ' . $SASHA->format_days( $row['days'], NULL, 'html' ) . ')</option>' . "\n";
}
$Database->free_result( $result );
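Review bot: The rewritten print still concatenates `$row['schedule_id']` and `$row['section']` straight into the option markup without `htmlentities()`, and whether the `format_*` helpers escape their own output is not visible here; if section is free text, wrap it as `htmlentities( $row['section'], ENT_QUOTES, 'UTF-8' )` and cast the id as `(int) $row['schedule_id']`. The change from `'binary'` to `NULL` as the second argument of `format_days` is opaque at the call site; a short trailing comment naming what passing NULL selects (the log message says this is the BIT-storage fix) would save the next reader a lookup. The enclosing loop and method begin above this hunk.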
Modified: trunk/SASHA/inc/lib/lib.tests.php
===================================================================
--- trunk/SASHA/inc/lib/lib.tests.php 2010-01-20 03:06:18 UTC (rev 82)
+++ trunk/SASHA/inc/lib/lib.tests.php 2010-01-20 05:26:26 UTC (rev 83)
@@ -38,8 +38,8 @@
$schedule_id = (int) $_POST['schedule_id'];
$test_type = (int) $_POST['test_type'];
- $test_name = ( exists( $_POST['test_name'] ) ) ? addslashes( (string) $_POST['test_name'] ) : FALSE;
- $description = ( exists( $_POST['description'] ) ) ? addslashes( (string) $_POST['description'] ) : NULL;
+ $test_name = ( exists( $_POST['test_name'] ) ) ? $_POST['test_name'] : FALSE;
+ $description = ( exists( $_POST['description'] ) ) ? $_POST['description'] : NULL;
$start_date = mktime( (int) $start_date_time['hour'], (int) $start_date_time['minute'], 0, (int) $_POST['start_date']['month'], (int) $_POST['start_date']['day'], (int) $_POST['start_date']['year'] );
$end_date = mktime( (int) $end_date_time['hour'], (int) $end_date_time['minute'], 0, (int) $_POST['end_date']['month'], (int) $_POST['end_date']['day'], (int) $_POST['end_date']['year'] );
@@ -50,13 +50,13 @@
elseif( $test_name )
{
$sql = "INSERT INTO tests ( user_id, schedule_id, test_type, test_name, description, start_date, end_date )
- VALUES ( {$User->user_info['id']}, $schedule_id, $test_type, '$test_name', '$description', $start_date, $end_date )";
+ VALUES ( {$User->user_info['id']}, $schedule_id, $test_type, '" . $Database->escape( $test_name ) . "', '" . $Database->escape( $description ) . "', $start_date, $end_date )";
$result = $Database->query( $sql );
if( $result )
{
- print_message( 'good', 'Test "' . htmlentities( stripslashes( $test_name ), ENT_QUOTES, 'UTF-8' ) . '" (on ' . date( 'F j, Y', $start_date ) . ') added successfully.', 'Addition successful.' );
+ print_message( 'good', 'Test "' . htmlentities( $test_name, ENT_QUOTES, 'UTF-8' ) . '" (on ' . date( 'F j, Y', $start_date ) . ') added successfully.', 'Addition successful.' );
}
}
else
@@ -145,8 +145,8 @@
$schedule_id = (int) $_POST['schedule_id'];
$test_type = (int) $_POST['test_type'];
- $test_name = ( exists( $_POST['test_name'] ) ) ? addslashes( (string) $_POST['test_name'] ) : FALSE;
- $description = ( exists( $_POST['description'] ) ) ? addslashes( (string) $_POST['description'] ) : NULL;
+ $test_name = ( exists( $_POST['test_name'] ) ) ? $_POST['test_name'] : FALSE;
+ $description = ( exists( $_POST['description'] ) ) ? $_POST['description'] : NULL;
$start_date = mktime( (int) $start_date_time['hour'], (int) $start_date_time['minute'], 0, (int) $_POST['start_date']['month'], (int) $_POST['start_date']['day'], (int) $_POST['start_date']['year'] );
$end_date = mktime( (int) $end_date_time['hour'], (int) $end_date_time['minute'], 0, (int) $_POST['end_date']['month'], (int) $_POST['end_date']['day'], (int) $_POST['end_date']['year'] );
$received_score = ( exists( $_POST['received_score'] ) ) ? (float) $_POST['received_score'] : NULL;
@@ -161,7 +161,7 @@
elseif( $test_name )
{
$sql = "UPDATE tests
- SET schedule_id = $schedule_id, test_type = $test_type, test_name = '$test_name', description = '$description', start_date = $start_date, end_date = $end_date
+ SET schedule_id = $schedule_id, test_type = $test_type, test_name = '" . $Database->escape( $test_name ) . "', description = '" . $Database->escape( $description ) . "', start_date = $start_date, end_date = $end_date
$score
WHERE test_id = $test_id";
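Review bot: `$score` is spliced into the UPDATE right after the rewritten SET clause as a pre-built SQL fragment, and its construction lies outside this hunk; the rewrite escapes `$test_name` and `$description`, but the safety of `$score` rests on it being derived only from the `(float)`-cast `$received_score` in the earlier hunk. A comment where `$score` is built, e.g. `// $score is either '' or a numeric literal derived from (float) $received_score, never raw input`, would make that invariant explicit and is worth verifying against the code above. The enclosing method starts above this hunk.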
@@ -169,7 +169,7 @@
if( $result )
{
- print_message( 'good', 'Test "' . htmlentities( stripslashes( $test_name ), ENT_QUOTES, 'UTF-8' ) . '" (on ' . date( 'F j, Y', $start_date ) . ') updated successfully.', 'Update successful.' );
+ print_message( 'good', 'Test "' . htmlentities( $test_name, ENT_QUOTES, 'UTF-8' ) . '" (on ' . date( 'F j, Y', $start_date ) . ') updated successfully.', 'Update successful.' );
$this->list_tests();