projects / atutor.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 90c104c)
1. replaced mysql_real_escape_string() with $addslashes()
authorcindy li <cli@ocad.ca>
Tue, 22 Feb 2011 15:32:26 +0000 (15:32 -0000)
committercindy li <cli@ocad.ca>
Tue, 22 Feb 2011 15:32:26 +0000 (15:32 -0000)
2. sanitized integer fields in lib/at_form_util.php -> at_get_field_value()

mods/basiclti/launch/ims-blti/blti.php patch | blob | history
mods/basiclti/lib/at_form_util.php patch | blob | history
mods/basiclti/tool/admin_create.php patch | blob | history
mods/basiclti/tool/admin_edit.php patch | blob | history
mods/basiclti/tool/content_edit.php patch | blob | history
mods/basiclti/tool/instructor_create.php patch | blob | history
mods/basiclti/tool/instructor_edit.php patch | blob | history

diff --git a/mods/basiclti/launch/ims-blti/blti.php b/mods/basiclti/launch/ims-blti/blti.php
index f08bbf3..024f04b 100644 (file)
--- a/mods/basiclti/launch/ims-blti/blti.php
+++ b/mods/basiclti/launch/ims-blti/blti.php
@@ -110,10 +110,11 @@ class BLTI {
             $this->message = "Constructor requires a secret or database information.";
             return;
         } else {
+               global $addslashes;
             $sql = 'SELECT * FROM '.$parm['table'].' WHERE '.
                 ($parm['key_column'] ? $parm['key_column'] : 'oauth_consumer_key').
                 '='.
-                "'".mysql_real_escape_string($oauth_consumer_key)."'";
+                "'".$addslashes($oauth_consumer_key)."'";
             $result = mysql_query($sql);
             $num_rows = mysql_num_rows($result);
             if ( $num_rows != 1 ) {
diff --git a/mods/basiclti/lib/at_form_util.php b/mods/basiclti/lib/at_form_util.php
index 77a6cae..f0d97f1 100644 (file)
--- a/mods/basiclti/lib/at_form_util.php
+++ b/mods/basiclti/lib/at_form_util.php
@@ -208,6 +208,7 @@ function at_get_field_value($fieldvalue, $type = false) {
        $fieldvalue = $fieldvalue.'';
     } else if ( $type == 'radio' || $type == 'integer') {
         if ( strlen($fieldvalue) < 1 ) $fieldvalue = '0';
+        else $fieldvalue = intval($fieldvalue);
     } else {
         $fieldvalue = "'".$addslashes($fieldvalue)."'";
     }
diff --git a/mods/basiclti/tool/admin_create.php b/mods/basiclti/tool/admin_create.php
index cd7bcbd..7d79328 100644 (file)
--- a/mods/basiclti/tool/admin_create.php
+++ b/mods/basiclti/tool/admin_create.php
@@ -4,41 +4,16 @@ require(AT_INCLUDE_PATH.'vitals.inc.php');
 admin_authenticate(AT_ADMIN_PRIV_BASICLTI);
 
 require_once('forms.php');
-if($_POST['submit']){
-       // filter all POST data
-       $_POST['form_basiclti'] = $addslashes($_POST['form_basiclti']);
-       $_POST['title'] = $addslashes($_POST['title']);
-       $_POST['toolid'] = $addslashes($_POST['toolid']);
-       $_POST['description'] = $addslashes($_POST['description']);
-       $_POST['toolurl'] = $addslashes($_POST['toolurl']);
-       $_POST['resourcekey'] = $addslashes($_POST['resourcekey']);
-       $_POST['password'] = $addslashes($_POST['password']);
-       $_POST['preferheight'] = intval($_POST['preferheight']);
-       $_POST['allowpreferheight'] = intval($_POST['allowpreferheight']);
-       $_POST['launchinpopup'] = intval($_POST['launchinpopup']);
-       $_POST['debuglaunch'] = intval($_POST['debuglaunch']);
-       $_POST['sendname'] = intval($_POST['sendname']);
-       $_POST['sendemailaddr'] = intval($_POST['sendemailaddr']);
-       $_POST['acceptgrades'] = intval($_POST['acceptgrades']);
-       $_POST['allowroster'] = intval($_POST['allowroster']);
-       $_POST['allowsetting'] = intval($_POST['allowsetting']);
-       $_POST['allowcustomparameters'] = intval($_POST['allowcustomparameters']);
-//     $_POST['customparameters'] = $addslashes($_POST['customparameters']);
-       $_POST['organizationid'] = $addslashes($_POST['organizationid']);
-       $_POST['organizationurl'] = $addslashes($_POST['organizationurl']);
-       $_POST['organizationdescr'] = $addslashes($_POST['organizationdescr']);
-       $_POST['submit'] = $addslashes($_POST['submit']);
-}
 
 if (isset($_POST['cancel'])) {
         $msg->addFeedback('CANCELLED');
         header('Location: '.AT_BASE_HREF.'mods/basiclti/index_admin.php');
         exit;
 } else if (isset($_POST['form_basiclti'])) {
-
     if ( at_form_validate($blti_admin_form, $msg) ) {
+       global $addslashes;
         $sql = "SELECT count(*) cnt FROM ".TABLE_PREFIX."basiclti_tools WHERE toolid = '".
-               mysql_real_escape_string($_POST['toolid'])."';";
+               $addslashes($_POST['toolid'])."';";
         $result = mysql_query($sql, $db) or die(mysql_error());
         $row = mysql_fetch_assoc($result);
 
diff --git a/mods/basiclti/tool/admin_edit.php b/mods/basiclti/tool/admin_edit.php
index ffc6f0b..8265955 100644 (file)
--- a/mods/basiclti/tool/admin_edit.php
+++ b/mods/basiclti/tool/admin_edit.php
@@ -38,8 +38,9 @@ if (isset($_POST['cancel'])) {
 } else if (isset($_POST['form_basiclti'], $tool)) {
 
     if ( at_form_validate($blti_admin_form, $msg) ) {
+       global $addslashes;
         $sql = "SELECT count(*) cnt FROM ".TABLE_PREFIX."basiclti_tools WHERE toolid = '".
-                mysql_real_escape_string($_POST['toolid'])."' AND id != $tool;";
+                $addslashes($_POST['toolid'])."' AND id != $tool;";
         $result = mysql_query($sql, $db) or die(mysql_error());
         $row = mysql_fetch_assoc($result);
 
diff --git a/mods/basiclti/tool/content_edit.php b/mods/basiclti/tool/content_edit.php
index 456bf5d..7c54544 100644 (file)
--- a/mods/basiclti/tool/content_edit.php
+++ b/mods/basiclti/tool/content_edit.php
@@ -11,18 +11,6 @@ $_POST['framed'] = intval($_POST['framed']);
 $_POST['popup'] = intval($_POST['popup']);
 $_POST['cid'] = intval($_POST['cid']);
 
-// Filter all POST data //
-$_POST['toolid'] = $addslashes($_POST['toolid']);
-$_POST['cid'] = intval($_POST['cid']);
-$_POST['preferheight'] = intval($_POST['preferheight']);
-$_POST['launchinpopup'] = intval($_POST['launchinpopup']);
-$_POST['debuglaunch'] = intval($_POST['debuglaunch']);
-$_POST['sendname'] = intval($_POST['sendname']);
-$_POST['sendemailaddr'] = intval($_POST['sendemailaddr']);
-$_POST['allowroster'] = intval($_POST['allowroster']);
-$_POST['allowsetting'] = intval($_POST['allowsetting']);
-$_POST['customparameters'] = $addslashes($_POST['customparameters']);
-
 if ( !is_int($_SESSION['course_id']) || $_SESSION['course_id'] < 1 ) {
     $msg->addFeedback('NEED_COURSE_ID');
     exit;
diff --git a/mods/basiclti/tool/instructor_create.php b/mods/basiclti/tool/instructor_create.php
index 9b95850..6ad6864 100644 (file)
--- a/mods/basiclti/tool/instructor_create.php
+++ b/mods/basiclti/tool/instructor_create.php
@@ -5,28 +5,6 @@ authenticate(AT_PRIV_BASICLTI);
 
 require_once('forms.php');
 
-if($_POST['submit']){
-       // Filter all POST data //
-       $_POST['form_basiclti'] = $addslashes($_POST['form_basiclti']);
-       $_POST['title'] = $addslashes($_POST['title']);
-       $_POST['toolid'] = $addslashes($_POST['toolid']);
-       $_POST['description'] = $addslashes($_POST['description']);
-       $_POST['toolurl'] = $addslashes($_POST['toolurl']);
-       $_POST['resourcekey'] = $addslashes($_POST['resourcekey']);
-       $_POST['password'] = $addslashes($_POST['password']);
-       $_POST['preferheight'] = intval($_POST['preferheight']);
-       $_POST['allowpreferheight'] = intval($_POST['allowpreferheight']);
-       $_POST['launchinpopup'] = intval($_POST['launchinpopup']);
-       $_POST['debuglaunch'] = intval($_POST['debuglaunch']);
-       $_POST['sendname'] = intval($_POST['sendname']);
-       $_POST['sendemailaddr'] = intval($_POST['sendemailaddr']);
-       $_POST['acceptgrades'] = intval($_POST['acceptgrades']);
-       $_POST['allowroster'] = intval($_POST['allowroster']);
-       $_POST['allowsetting'] = intval($_POST['allowsetting']);
-       $_POST['allowcustomparameters'] = intval($_POST['allowcustomparameters']);
-       //$_POST['customparameters'] = $addslashes($_POST['customparameters']);
-       $_POST['submit'] = $addslashes($_POST['submit']);
-}
 if ( !is_int($_SESSION['course_id']) || $_SESSION['course_id'] < 1 ) {
     $msg->addFeedback('NEED_COURSE_ID');
     exit;
@@ -39,8 +17,9 @@ if (isset($_POST['cancel'])) {
 } else if (isset($_POST['form_basiclti']) && isset($_POST['submit'])) {
 
     if ( at_form_validate($blti_instructor_form, $msg) ) {
-        $sql = "SELECT count(*) cnt FROM ".TABLE_PREFIX."basiclti_tools WHERE toolid = '".
-                mysql_real_escape_string($_POST['toolid'])."' AND course_id = ". $_SESSION['course_id'];
+        global $addslashes;
+       $sql = "SELECT count(*) cnt FROM ".TABLE_PREFIX."basiclti_tools WHERE toolid = '".
+                $addslashes($_POST['toolid'])."' AND course_id = ". $_SESSION['course_id'];
         $result = mysql_query($sql, $db) or die(mysql_error());
         $row = mysql_fetch_assoc($result);
 
diff --git a/mods/basiclti/tool/instructor_edit.php b/mods/basiclti/tool/instructor_edit.php
index b78bdf3..f193706 100644 (file)
--- a/mods/basiclti/tool/instructor_edit.php
+++ b/mods/basiclti/tool/instructor_edit.php
@@ -20,8 +20,9 @@ if (isset($_POST['cancel'])) {
 } else if (isset($_POST['form_basiclti'], $tool)) {
 
     if ( at_form_validate($blti_instructor_form, $msg) ) {
+       global $addslashes;
         $sql = "SELECT count(*) cnt FROM ".TABLE_PREFIX."basiclti_tools WHERE toolid = '".
-                mysql_real_escape_string($_POST['toolid'])."' AND id != $tool".
+                $addslashes($_POST['toolid'])."' AND id != $tool".
                 " AND course_id = ". $_SESSION['course_id'];
         $result = mysql_query($sql, $db) or die(mysql_error());
         $row = mysql_fetch_assoc($result);
Course Management Learning Management Tools