Security issue - adding intval and escape_string functions

main/gradebook/gradebook.php

@@ -1,27 +1,5 @@
 <?php
-/*
-==============================================================================
-	Dokeos - elearning and course management software
-
-	Copyright (c) 2008 Dokeos Latinoamerica SAC
-	Copyright (c) 2006-2008 Dokeos SPRL
-	Copyright (c) 2006 Ghent University (UGent)
-	Copyright (c) various contributors
-
-	For a full list of contributors, see "credits.txt".
-	The full license can be read in "license.txt".
-
-	This program is free software; you can redistribute it and/or
-	modify it under the terms of the GNU General Public License
-	as published by the Free Software Foundation; either version 2
-	of the License, or (at your option) any later version.
-
-	See the GNU General Public License for more details.
-
-	Contact address: Dokeos, rue du Corbeau, 108, B-1030 Brussels, Belgium
-	Mail: info@dokeos.com
-==============================================================================
-*/
+/* For licensing terms, see /license.txt */
 $language_file= 'gradebook';
 // $cidReset : This is the main difference with gradebook.php, here we say,
 // basically, that we are inside a course, and many things depend from that

main/gradebook/gradebook_add_cat.php

@@ -1,27 +1,5 @@
 <?php
-/*
-==============================================================================
-	Dokeos - elearning and course management software
-
-	Copyright (c) 2008 Dokeos Latinoamerica SAC
-    Copyright (c) 2006 Dokeos SPRL
-	Copyright (c) 2006 Ghent University (UGent)
-	Copyright (c) various contributors
-
-	For a full list of contributors, see "credits.txt".
-	The full license can be read in "license.txt".
-
-	This program is free software; you can redistribute it and/or
-	modify it under the terms of the GNU General Public License
-	as published by the Free Software Foundation; either version 2
-	of the License, or (at your option) any later version.
-
-	See the GNU General Public License for more details.
-
-	Contact address: Dokeos, 108 rue du Corbeau, B-1030 Brussels, Belgium
-	Mail: info@dokeos.com
-==============================================================================
-*/
+/* For licensing terms, see /license.txt */
 $language_file = 'gradebook';
 require_once '../inc/global.inc.php';
 $_in_course = true;

main/gradebook/lib/flatview_data_generator.class.php

@@ -3,7 +3,7 @@
 /**
  * Class to select, sort and transform object data into array data,
  * used for the teacher's flat view
- * @author Bert Stepp�
+ * @author Bert Steppé
  */
 class FlatViewDataGenerator
 {

main/gradebook/lib/gradebook_functions_users.inc.php

@@ -2,20 +2,21 @@
 /* For licensing terms, see /license.txt */
 /**
  * Various user related functions
- * @package dokeos.gradebook
+ * @package chamilo.gradebook
  */
 /**
  * returns users within a course given by param
  * @param $course_id
  */
 function get_users_in_course($course_id) {
-	$tbl_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
-	$tbl_session_course_user = Database :: get_main_table(TABLE_MAIN_SESSION_COURSE_USER);
-	$tbl_user = Database :: get_main_table(TABLE_MAIN_USER);
+	$tbl_course_user 			= Database :: get_main_table(TABLE_MAIN_COURSE_USER);
+	$tbl_session_course_user 	= Database :: get_main_table(TABLE_MAIN_SESSION_COURSE_USER);
+	$tbl_user 					= Database :: get_main_table(TABLE_MAIN_USER);
 
 	$order_clause = api_sort_by_first_name() ? ' ORDER BY firstname, lastname ASC' : ' ORDER BY lastname, firstname ASC';
 
 	$current_session = api_get_session_id();
+	$course_id = Databse::escape_string($course_id);
 
 	if (!empty($current_session)) {
 		$sql = "SELECT user.user_id,lastname,firstname
@@ -31,9 +32,6 @@ function get_users_in_course($course_id) {
 			." AND course_rel_user.course_code='".$course_id."'"
 			.$order_clause;
 	}
-
-
-
 	$result = Database::query($sql);
 	return get_user_array_from_sql_result($result);
 }
@@ -71,7 +69,7 @@ function get_all_users ($evals = array(), $links = array()) {
 
 			$sql = 'SELECT user.user_id,lastname,firstname'
 					.' FROM '.$tbl_res.' as res, '.$tbl_user.' as user'
-					.' WHERE res.evaluation_id = '.$eval->get_id()
+					.' WHERE res.evaluation_id = '.intval($eval->get_id())
 					.' AND res.user_id = user.user_id';
 			$result = Database::query($sql);
 			$users = array_merge($users,get_user_array_from_sql_result($result));
@@ -99,6 +97,8 @@ function find_students($mask= '') {
 	if (!api_is_allowed_to_create_course() || empty ($mask)) {
 		return null;
 	}
+	$mask = Database::escape_string($mask);
+	 
 	$tbl_user= Database :: get_main_table(TABLE_MAIN_USER);
 	$tbl_cru= Database :: get_main_table(TABLE_MAIN_COURSE_USER);
 	$sql= 'SELECT DISTINCT user.user_id, user.lastname, user.firstname, user.email' . ' FROM ' . $tbl_user . ' user';
@@ -126,7 +126,7 @@ function find_students($mask= '') {
  */
 function get_user_info_from_id($userid) {
 	$user_table= Database :: get_main_table(TABLE_MAIN_USER);
-	$sql= 'SELECT * FROM ' . $user_table . ' WHERE user_id=' . $userid;
+	$sql= 'SELECT * FROM ' . $user_table . ' WHERE user_id=' . intval($userid);
 	$res= Database::query($sql);
 	$user= Database::fetch_array($res,ASSOC);
 	return $user;

main/gradebook/lib/user_data_generator.class.php

@@ -3,7 +3,7 @@
 /**
  * Class to select, sort and transform object data into array data,
  * used for a student's general view
- * @author Bert Stepp�
+ * @author Bert Steppé
  */
 class UserDataGenerator
 {