Remove Database::escape_string() without quotes to avoid SQL injections - partial - refs #7440

Author: ywarnier

main/inc/lib/fckeditor/fcktemplates.xml.php

@@ -219,7 +219,7 @@ function load_personal_templates($user_id = 0) {
     $sql = "SELECT template.id, template.title, template.description, template.image, template.ref_doc, document.path
             FROM ".$table_template." template, ".$table_document." document
             WHERE
-                user_id='".Database::escape_string($user_id)."' AND
+                user_id='".intval($user_id)."' AND
                 course_code='".Database::escape_string(api_get_course_id())."' AND
                 document.c_id = $course_id AND
                 document.id = template.ref_doc";

main/inc/lib/groupmanager.lib.php

@@ -611,7 +611,7 @@ public static function set_group_properties(
                     max_student = '".Database::escape_string($maximum_number_of_students)."',
                     self_registration_allowed = '".Database::escape_string($self_registration_allowed)."',
                     self_unregistration_allowed = '".Database::escape_string($self_unregistration_allowed)."',
-                    category_id = '".Database::escape_string($categoryId)."'
+                    category_id = ".intval($categoryId)."
                 WHERE c_id = $course_id AND id=".$group_id;
         $result = Database::query($sql);
 
@@ -895,7 +895,7 @@ public static function update_category(
                     groups_per_user   = '".Database::escape_string($groups_per_user)."',
                     self_reg_allowed = '".Database::escape_string($self_registration_allowed)."',
                     self_unreg_allowed = '".Database::escape_string($self_unregistration_allowed)."',
-                    max_student = ".Database::escape_string($maximum_number_of_students)."
+                    max_student = ".intval($maximum_number_of_students)."
                 WHERE c_id = $course_id AND id = $id";
 
         Database::query($sql);
@@ -1015,8 +1015,8 @@ public static function get_users(
                 WHERE c_id = $courseId AND g.group_id = $group_id";
 
         if (!empty($column) && !empty($direction)) {
-            $column = Database::escape_string($column);
-            $direction = Database::escape_string($direction);
+            $column = Database::escape_string($column, null, false);
+            $direction = ($direction == 'ASC' ? 'ASC' : 'DESC');
             $sql .= " ORDER BY $column $direction";
         }
 
@@ -1306,8 +1306,8 @@ public static function user_in_number_of_groups($user_id, $cat_id = null)
     {
         $table_group_user     = Database :: get_course_table(TABLE_GROUP_USER);
         $table_group         = Database :: get_course_table(TABLE_GROUP);
-        $user_id             = Database::escape_string($user_id);
-        $cat_id             = Database::escape_string($cat_id);
+        $user_id             = intval($user_id);
+        $cat_id             = intval($cat_id);
 
         $course_id = api_get_course_int_id();
         $cat_condition = '';
@@ -1365,7 +1365,7 @@ public static function is_self_unregistration_allowed($user_id, $group_id)
             return false;
         }
         $table_group = Database :: get_course_table(TABLE_GROUP);
-        $group_id = Database::escape_string($group_id);
+        $group_id = intval($group_id);
         $course_id = api_get_course_int_id();
         $db_result = Database::query(
             'SELECT  self_unregistration_allowed
@@ -1389,8 +1389,8 @@ public static function is_subscribed($user_id, $group_id)
             return false;
         }
         $table_group_user = Database :: get_course_table(TABLE_GROUP_USER);
-        $group_id = Database::escape_string($group_id);
-        $user_id = Database::escape_string($user_id);
+        $group_id = intval($group_id);
+        $user_id = intval($user_id);
         $course_id = api_get_course_int_id();
         $sql = 'SELECT 1 FROM '.$table_group_user.'
                 WHERE
@@ -1499,7 +1499,7 @@ public static function get_subscribed_tutors($group_id, $id_only = false)
             $order_clause = " ORDER BY u.official_code, u.firstname, u.lastname";
         }
 
-        $group_id = Database::escape_string($group_id);
+        $group_id = intval($group_id);
         $course_id = api_get_course_int_id();
 
         $sql = "SELECT tg.id, u.user_id, u.lastname, u.firstname, u.email
@@ -1538,8 +1538,8 @@ public static function subscribe_users($user_ids, $group_id)
         if (!empty($user_ids)) {
             foreach ($user_ids as $user_id) {
                 if (self::can_user_subscribe($user_id, $group_id)) {
-                    $user_id = Database::escape_string($user_id);
-                    $group_id = Database::escape_string($group_id);
+                    $user_id = intval($user_id);
+                    $group_id = intval($group_id);
                     $sql = "INSERT INTO ".$table_group_user." (c_id, user_id, group_id)
                             VALUES ('$course_id', '".$user_id."', '".$group_id."')";
                     $result &= Database::query($sql);
@@ -1565,8 +1565,8 @@ public static function subscribe_tutors($user_ids, $group_id)
         $table_group_tutor = Database :: get_course_table(TABLE_GROUP_TUTOR);
 
         foreach ($user_ids as $user_id) {
-            $user_id = Database::escape_string($user_id);
-            $group_id = Database::escape_string($group_id);
+            $user_id = intval($user_id);
+            $group_id = intval($group_id);
             $sql = "INSERT INTO ".$table_group_tutor." (c_id, user_id, group_id)
                     VALUES ('$course_id', '".$user_id."', '".$group_id."')";
             $result &= Database::query($sql);
@@ -1584,7 +1584,7 @@ public static function unsubscribe_users($user_ids, $group_id)
     {
         $user_ids = is_array($user_ids) ? $user_ids : array ($user_ids);
         $table_group_user = Database :: get_course_table(TABLE_GROUP_USER);
-        $group_id = Database::escape_string($group_id);
+        $group_id = intval($group_id);
         $course_id = api_get_course_int_id();
         $sql = 'DELETE FROM '.$table_group_user.'
                 WHERE c_id = '.$course_id.' AND group_id = '.$group_id.' AND user_id IN ('.implode(',', $user_ids).')';
@@ -1654,8 +1654,8 @@ public static function unsubscribe_all_tutors($group_ids)
     public static function is_tutor_of_group($user_id, $group_id)
     {
         $table_group_tutor = Database :: get_course_table(TABLE_GROUP_TUTOR);
-        $user_id = Database::escape_string($user_id);
-        $group_id = Database::escape_string($group_id);
+        $user_id = intval($user_id);
+        $group_id = intval($group_id);
         $course_id = api_get_course_int_id();
 
         $sql = "SELECT * FROM ".$table_group_tutor."
@@ -1724,7 +1724,7 @@ public static function get_all_tutors()
     public static function is_tutor($user_id)
     {
         $course_user_table = Database::get_main_table(TABLE_MAIN_COURSE_USER);
-        $user_id = Database::escape_string($user_id);
+        $user_id = intval($user_id);
 
         $sql = "SELECT tutor_id FROM ".$course_user_table."
 		        WHERE user_id = '".$user_id."' AND c_id ='".api_get_course_int_id()."'"."AND tutor_id=1";

main/inc/lib/legal.lib.php

@@ -35,11 +35,11 @@ public static function add($language, $content, $type, $changes)
 			$version = intval(LegalManager::get_last_condition_version($language));
 			$version++;
 			 $sql = "INSERT INTO $legal_table SET
-			            language_id = '".Database::escape_string($language)."',
+			            language_id = '".$language."',
                         content = '".$content."',
                         changes= '".$changes."',
                         type = '".$type."',
-                        version = '".Database::escape_string($version)."',
+                        version = '".intval($version)."',
                         date = '".$time."'";
 			Database::query($sql);
 
@@ -256,8 +256,8 @@ public static function count()
 	public static function get_type_of_terms_and_conditions($legal_id,$language_id)
     {
 		$legal_conditions_table = Database::get_main_table(TABLE_MAIN_LEGAL);
-		$legal_id=Database::escape_string($legal_id);
-		$language_id=Database::escape_string($language_id);
+		$legal_id = intval($legal_id);
+		$language_id = Database::escape_string($language_id);
 		$sql = 'SELECT type FROM '.$legal_conditions_table.' WHERE legal_id="'.$legal_id.'" AND language_id="'.$language_id.'"';
 		$rs = Database::query($sql);
 

main/inc/lib/lp_item.lib.php

@@ -39,8 +39,8 @@ public function __construct($in_c_id=0, $in_id=0)
             $item_view_table = Database::get_course_table(TABLE_LP_ITEM);
             $sql = "SELECT * FROM $item_view_table
                     WHERE
-                        c_id=".Database::escape_string($in_c_id)." AND
-                        id=".Database::escape_string($in_id);
+                        c_id=".intval($in_c_id)." AND
+                        id=".intval($in_id);
 
             $res = Database::query($sql);
             $data = Database::fetch_array($res);
@@ -79,7 +79,7 @@ public function update_in_bdd()
         $item_view_table = Database::get_course_table(TABLE_LP_ITEM);
         if ($this->c_id > 0 && $this->id > 0) {
             $sql = "UPDATE $item_view_table SET
-                        lp_id = '".Database::escape_string($this->lp_id)."' ,
+                        lp_id = '".intval($this->lp_id)."' ,
                         item_type = '".Database::escape_string($this->item_type)."' ,
                         ref = '".Database::escape_string($this->ref)."' ,
                         title = '".Database::escape_string($this->title)."' ,

main/inc/lib/main_api.lib.php

@@ -3650,7 +3650,7 @@ function api_get_item_property_id($course_code, $tool, $ref)
  */
 function api_track_item_property_update($tool, $ref, $title, $content, $progress)
 {
-    $tbl_stats_item_property = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_ITEM_PROPERTY);
+    $tbl_stats_item_property = Database::get_main_table(TABLE_STATISTIC_TRACK_E_ITEM_PROPERTY);
     $course_id = api_get_real_course_id(); //numeric
     $course_code = api_get_course_id(); //alphanumeric
     $item_property_id = api_get_item_property_id($course_code, $tool, $ref);

main/inc/lib/message.lib.php

@@ -445,7 +445,7 @@ public static function delete_message_by_user_receiver($user_receiver_id, $id)
         if ($id != strval(intval($id)))
             return false;
         $user_receiver_id = intval($user_receiver_id);
-        $id = Database::escape_string($id);
+        $id = intval($id);
         $sql = "SELECT * FROM $table_message WHERE id=".$id." AND msg_status<>4;";
         $rs = Database::query($sql);
 
@@ -763,14 +763,15 @@ public static function exist_message($user_id, $id)
         $table_message = Database::get_main_table(TABLE_MESSAGE);
         $query = "SELECT id FROM $table_message
                   WHERE
-                    user_receiver_id=".Database::escape_string($user_id)." AND
-                    id='".Database::escape_string($id)."'";
+                    user_receiver_id = ".intval($user_id)." AND
+                    id = '".intval($id)."'";
         $result = Database::query($query);
         $num = Database::num_rows($result);
-        if ($num > 0)
+        if ($num > 0) {
             return true;
-        else
+        } else {
             return false;
+        }
     }
 
     /**
@@ -973,8 +974,8 @@ public static function show_message_box_sent()
             $query = "SELECT * FROM $table_message
                       WHERE
                             user_sender_id=".api_get_user_id()." AND
-                            id=".intval(Database::escape_string($_GET['id_send']))." AND
-                            msg_status=4;";
+                            id=".intval($_GET['id_send'])." AND
+                            msg_status = 4;";
             $result = Database::query($query);
             $message_id = intval($_GET['id_send']);
         }

main/inc/lib/notebook.lib.php

@@ -59,7 +59,7 @@ static function save_note($values)
 					 $course_id,
 					'" . api_get_user_id() . "',
 					'" . Database::escape_string(api_get_course_id()) . "',
-					'" . Database::escape_string($_SESSION['id_session']) . "',
+					'" . intval($_SESSION['id_session']) . "',
 					'" . Database::escape_string($values['note_title']) . "',
 					'" . Database::escape_string($values['note_comment']) . "',
 					'" . Database::escape_string(date('Y-m-d H:i:s')) . "',
@@ -119,7 +119,7 @@ static function update_note($values) {
         $sql = "UPDATE $t_notebook SET
 					user_id = '" . api_get_user_id() . "',
 					course = '" . Database::escape_string(api_get_course_id()) . "',
-					session_id = '" . Database::escape_string($_SESSION['id_session']) . "',
+					session_id = '" . intval($_SESSION['id_session']) . "',
 					title = '" . Database::escape_string($values['note_title']) . "',
 					description = '" . Database::escape_string($values['note_comment']) . "',
 					update_date = '" . Database::escape_string(date('Y-m-d H:i:s')) . "'

main/inc/lib/online.inc.php

@@ -393,7 +393,7 @@ function who_is_online_in_this_course($from, $number_of_items, $uid, $time_limit
 
     $online_time 		= time() - $time_limit*60;
     $current_date		= api_get_utc_datetime($online_time);
-    $track_online_table = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_ONLINE);
+    $track_online_table = Database::get_main_table(TABLE_STATISTIC_TRACK_E_ONLINE);
     $course_code         = Database::escape_string($course_code);
 
     $from = intval($from);
@@ -424,7 +424,7 @@ function who_is_online_in_this_course($from, $number_of_items, $uid, $time_limit
 
 function who_is_online_in_this_course_count($uid, $time_limit, $coursecode=null) {
 	if(empty($coursecode)) return false;
-	$track_online_table = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_ONLINE);
+	$track_online_table = Database::get_main_table(TABLE_STATISTIC_TRACK_E_ONLINE);
 	$coursecode = Database::escape_string($coursecode);
 	$time_limit = Database::escape_string($time_limit);
 
@@ -451,7 +451,7 @@ function who_is_online_in_this_course_count($uid, $time_limit, $coursecode=null)
  */
 function GetFullUserName($uid) {
 	$uid = (int) $uid;
-	$uid = Database::escape_string($uid);
+	$uid = intval($uid);
 	$user_table = Database::get_main_table(TABLE_MAIN_USER);
 	$query = "SELECT firstname, lastname FROM ".$user_table." WHERE user_id='$uid'";
 	$result = @Database::query($query);

main/inc/lib/search/tool_processors/document_processor.class.php

@@ -75,7 +75,7 @@ private function get_information($course_id, $doc_id) {
             $item_property_table = Database::get_course_table(TABLE_ITEM_PROPERTY);
             $doc_table = Database::get_course_table(TABLE_DOCUMENT);
 
-            $doc_id = Database::escape_string($doc_id);
+            $doc_id = intval($doc_id);
             $sql = "SELECT * FROM       $doc_table
                     WHERE      $doc_table.id = $doc_id AND c_id = $course_id 
                     LIMIT 1";

main/inc/lib/search/tool_processors/learnpath_processor.class.php

@@ -98,7 +98,7 @@ private function get_information($course_id, $lp_id, $has_document_id = TRUE) {
             $lp_table = Database::get_course_table(TABLE_LP_MAIN);
             $doc_table = Database::get_course_table(TABLE_DOCUMENT);
 
-            $lp_id = Database::escape_string($lp_id);
+            $lp_id = intval($lp_id);
 
             if ($has_document_id) {
                 $sql = "SELECT $lpi_table.id, $lp_table.name, $lp_table.author, $doc_table.path