Remove Database::escape_string() without quotes to avoid SQL injections - partial - refs #7440

Author: ywarnier

main/inc/lib/add_courses_to_session_functions.lib.php

@@ -31,10 +31,10 @@ public static function search_courses($needle, $type)
 
 			$cond_course_code = '';
 			if (!empty($id_session)) {
-				$id_session = Database::escape_string($id_session);
+				$id_session = intval($id_session);
 				// check course_code from session_rel_course table
 				$sql = 'SELECT course_code FROM '.$tbl_session_rel_course.'
-						WHERE id_session ="'.(int)$id_session.'"';
+						WHERE id_session = '.$id_session;
 				$res = Database::query($sql);
 				$course_codes = '';
 				if (Database::num_rows($res) > 0) {

main/inc/lib/blog.lib.php

@@ -165,7 +165,7 @@ public static function edit_blog ($blog_id, $title, $subtitle) {
 		$this_blog_id = Database::insert_id();
 
 		//update item_property (update)
-		api_item_property_update(api_get_course_info(), TOOL_BLOGS, Database::escape_string($blog_id), 'BlogUpdated', api_get_user_id());
+		api_item_property_update(api_get_course_info(), TOOL_BLOGS, intval($blog_id), 'BlogUpdated', api_get_user_id());
 
 		// Update course homepage link
 		$sql = "UPDATE $tbl_tool SET name = '".Database::escape_string($title)."' WHERE c_id = $course_id AND link = 'blog/blog.php?blog_id=".Database::escape_string((int)$blog_id)."' LIMIT 1";
@@ -217,7 +217,7 @@ public static function delete_blog ($blog_id) {
 		Database::query($sql);
 
 		//update item_property (delete)
-		api_item_property_update(api_get_course_info(), TOOL_BLOGS, Database::escape_string($blog_id), 'delete', api_get_user_id());
+		api_item_property_update(api_get_course_info(), TOOL_BLOGS, intval($blog_id), 'delete', api_get_user_id());
 	}
 
 	/**
@@ -278,7 +278,7 @@ public static function create_post ($title, $full_text, $file_comment, $blog_id)
 					// Storing the attachments if any
 					if ($result) {
 						$sql='INSERT INTO '.$blog_table_attachment.'(c_id, filename,comment, path, post_id,size, blog_id,comment_id) '.
-							 "VALUES ($course_id, '".Database::escape_string($file_name)."', '".Database::escape_string($comment)."', '".Database::escape_string($new_file_name)."' , '".$last_post_id."', '".intval($_FILES['user_upload']['size'])."',  '".$blog_id."', '0' )";
+							 "VALUES ($course_id, '".Database::escape_string($file_name)."', '".$comment."', '".Database::escape_string($new_file_name)."' , '".$last_post_id."', '".intval($_FILES['user_upload']['size'])."',  '".$blog_id."', '0' )";
 						$result=Database::query($sql);
 						$message.=' / '.get_lang('AttachmentUpload');
 					}
@@ -404,7 +404,7 @@ public static function create_comment($title, $full_text, $file_comment,$blog_id
 					if ($result)
 					{
 						$sql='INSERT INTO '.$blog_table_attachment.'(c_id, filename,comment, path, post_id,size,blog_id,comment_id) '.
-							 "VALUES ($course_id, '".Database::escape_string($file_name)."', '".Database::escape_string($comment)."', '".Database::escape_string($new_file_name)."' , '".$post_id."', '".$_FILES['user_upload']['size']."',  '".$blog_id."', '".$last_id."'  )";
+							 "VALUES ($course_id, '".Database::escape_string($file_name)."', '".$comment."', '".Database::escape_string($new_file_name)."' , '".$post_id."', '".$_FILES['user_upload']['size']."',  '".$blog_id."', '".$last_id."'  )";
 						$result=Database::query($sql);
 						$message.=' / '.get_lang('AttachmentUpload');
 					}
@@ -423,9 +423,9 @@ public static function delete_comment ($blog_id, $post_id, $comment_id) {
 		// Init
 		$tbl_blogs_comments = Database::get_course_table(TABLE_BLOGS_COMMENTS);
 		$tbl_blogs_rating = Database::get_course_table(TABLE_BLOGS_RATING);
-		$blog_id = Database::escape_string($blog_id);
-		$post_id = Database::escape_string($post_id);
-		$comment_id = Database::escape_string($comment_id);
+		$blog_id = intval($blog_id);
+		$post_id = intval($post_id);
+		$comment_id = intval($comment_id);
 
         $course_id = api_get_course_int_id();
 
@@ -2713,9 +2713,9 @@ function get_blog_attachment($blog_id, $post_id=null,$comment_id=null)
 {
 	$blog_table_attachment = Database::get_course_table(TABLE_BLOGS_ATTACHMENT);
 
-	$blog_id = Database::escape_string($blog_id);
-	$comment_id = Database::escape_string($comment_id);
-	$post_id = Database::escape_string($post_id);
+	$blog_id = intval($blog_id);
+	$comment_id = intval($comment_id);
+	$post_id = intval($post_id);
 	$row=array();
 	$where='';
 	if (!empty ($post_id) && is_numeric($post_id)) {
@@ -2754,9 +2754,9 @@ function delete_all_blog_attachment($blog_id,$post_id=null,$comment_id=null)
 
 	global $_course;
 	$blog_table_attachment = Database::get_course_table(TABLE_BLOGS_ATTACHMENT);
-	$blog_id = Database::escape_string($blog_id);
-	$comment_id = Database::escape_string($comment_id);
-	$post_id = Database::escape_string($post_id);
+	$blog_id = intval($blog_id);
+	$comment_id = intval($comment_id);
+	$post_id = intval($post_id);
 
     $course_id = api_get_course_int_id();
 
@@ -2836,7 +2836,7 @@ function get_blog_post_from_user($course_code, $user_id) {
 function get_blog_comment_from_user($course_code, $user_id) {
 		$tbl_blogs 			= Database::get_course_table(TABLE_BLOGS);
 		$tbl_blog_comment 	= Database::get_course_table(TABLE_BLOGS_COMMENTS);
-		$user_id 			= Database::escape_string($user_id);
+		$user_id 			= intval($user_id);
 
 		$course_info 		= api_get_course_info($course_code);
 		$course_id 			= $course_info['real_id'];

main/inc/lib/classmanager.lib.php

@@ -160,7 +160,7 @@ public static function subscribe_to_course($class_id, $course_code) {
         $tbl_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
         $sql = "INSERT IGNORE INTO $tbl_course_class SET course_code = '".Database::escape_string($course_code)."', class_id = '".Database::escape_string($class_id)."'";
         Database::query($sql);
-        $sql = "SELECT user_id FROM $tbl_class_user WHERE class_id = '".Database::escape_string($class_id)."'";
+        $sql = "SELECT user_id FROM $tbl_class_user WHERE class_id = '".intval($class_id)."'";
         $res = Database::query($sql);
         while ($user = Database::fetch_object($res)) {
             CourseManager :: subscribe_user($user->user_id, $course_code);
@@ -181,7 +181,7 @@ public static function unsubscribe_from_course($class_id, $course_code)
         $single_class_users = Database::query($sql);
         while ($single_class_user = Database::fetch_object($single_class_users))
         {
-            $sql = "SELECT * FROM $tbl_class_user WHERE class_id = '".Database::escape_string($class_id)."' AND user_id = '".Database::escape_string($single_class_user->user_id)."'";
+            $sql = "SELECT * FROM $tbl_class_user WHERE class_id = '".intval($class_id)."' AND user_id = '".Database::escape_string($single_class_user->user_id)."'";
             $res = Database::query($sql);
             if (Database::num_rows($res) > 0)
             {

main/inc/lib/course.lib.php

@@ -253,7 +253,7 @@ public static function get_courses_list(
         if (!in_array($orderdirection, array('ASC', 'DESC'))) {
             $sql .= 'ASC';
         } else {
-            $sql .= Database::escape_string($orderdirection);
+            $sql .= ($orderdirection == 'ASC'?'ASC':'DESC');
         }
 
         if (!empty($howmany) && is_int($howmany) and $howmany > 0) {
@@ -263,7 +263,7 @@ public static function get_courses_list(
         }
         if (!empty($from)) {
             $from = intval($from);
-            $sql .= ' OFFSET '.Database::escape_string($from);
+            $sql .= ' OFFSET '.intval($from);
         } else {
             $sql .= ' OFFSET 0';
         }
@@ -301,7 +301,7 @@ public static function get_user_in_course_status($user_id, $course_code)
     {
         $result = Database::fetch_array(Database::query(
             "SELECT status FROM ".Database::get_main_table(TABLE_MAIN_COURSE_USER)."
-            WHERE course_code = '".Database::escape_string($course_code)."' AND user_id = ".Database::escape_string($user_id))
+            WHERE course_code = '".Database::escape_string($course_code)."' AND user_id = ".intval($user_id))
         );
 
         return $result['status'];
@@ -316,7 +316,7 @@ public static function get_tutor_in_course_status($user_id, $course_code)
     {
         $result = Database::fetch_array(Database::query(
                 "SELECT tutor_id FROM ".Database::get_main_table(TABLE_MAIN_COURSE_USER)."
-                WHERE course_code = '".Database::escape_string($course_code)."' AND user_id = ".Database::escape_string($user_id))
+                WHERE course_code = '".Database::escape_string($course_code)."' AND user_id = ".intval($user_id))
         );
 
         return $result['tutor_id'];
@@ -3868,7 +3868,7 @@ function get_user_course_categories() {
         global $_user;
         $output = array();
         $table_category = Database::get_user_personal_table(TABLE_USER_COURSE_CATEGORY);
-        $sql = "SELECT * FROM ".$table_category." WHERE user_id='".Database::escape_string($_user['user_id'])."'";
+        $sql = "SELECT * FROM ".$table_category." WHERE user_id='".intval($_user['user_id'])."'";
         $result = Database::query($sql);
         while ($row = Database::fetch_array($result)) {
             $output[$row['id']] = $row['title'];

main/inc/lib/course_category.lib.php

@@ -101,7 +101,7 @@ function addNode($code, $name, $canHaveCourses, $parent_id)
     $tbl_category = Database::get_main_table(TABLE_MAIN_CATEGORY);
     $code = trim(Database::escape_string($code));
     $name = trim(Database::escape_string($name));
-    $parent_id = Database::escape_string($parent_id);
+    $parent_id = intval($parent_id);
     $canHaveCourses = Database::escape_string($canHaveCourses);
     $code = generate_course_code($code);
 
@@ -220,7 +220,7 @@ function moveNodeUp($code, $tree_pos, $parent_id)
     $tbl_category = Database::get_main_table(TABLE_MAIN_CATEGORY);
     $code = Database::escape_string($code);
     $tree_pos = Database::escape_string($tree_pos);
-    $parent_id = Database::escape_string($parent_id);
+    $parent_id = intval($parent_id);
     $sql = "SELECT code,tree_pos
             FROM $tbl_category
             WHERE parent_id " . (empty($parent_id) ? "IS NULL" : "='$parent_id'") . " AND tree_pos<'$tree_pos'
@@ -246,11 +246,11 @@ function moveNodeUp($code, $tree_pos, $parent_id)
  * @param $cpt
  * @return mixed
  */
-function compterFils($pere, $cpt)
+function compterFils($parent, $cpt)
 {
     $tbl_category = Database::get_main_table(TABLE_MAIN_CATEGORY);
-    $pere = Database::escape_string($pere);
-    $result = Database::query("SELECT code FROM $tbl_category WHERE parent_id='$pere'");
+    $parent = intval($parent);
+    $result = Database::query("SELECT code FROM $tbl_category WHERE parent_id='$parent'");
 
     while ($row = Database::fetch_array($result)) {
         $cpt = compterFils($row['code'], $cpt);

main/inc/lib/course_request.lib.php

@@ -299,7 +299,7 @@ public static function update_course_request(
                 objetives = "%s", target_audience = "%s", status = "%s", info = "%s", exemplary_content = "%s"
             WHERE id = '.$id, Database::get_main_table(TABLE_MAIN_COURSE_REQUEST),
             Database::escape_string($code),
-            Database::escape_string($user_id),
+            intval($user_id),
             Database::escape_string($directory),
             Database::escape_string($db_name),
             Database::escape_string($course_language),

main/inc/lib/document.lib.php

@@ -983,7 +983,7 @@ public static function is_folder($_course, $document_id)
     {
         $TABLE_DOCUMENT = Database::get_course_table(TABLE_DOCUMENT);
         $course_id = $_course['real_id'];
-        $document_id = Database::escape_string($document_id);
+        $document_id = intval($document_id);
         $sql = "SELECT filetype FROM $TABLE_DOCUMENT
                 WHERE c_id = $course_id AND id= $document_id";
         $result = Database::fetch_array(Database::query($sql), 'ASSOC');
@@ -1467,7 +1467,7 @@ public static function set_document_as_template($title, $description, $document_
                     '" . Database::escape_string($title) . "',
                     '" . Database::escape_string($description) . "',
                     '" . Database::escape_string($course_code) . "',
-                    '" . Database::escape_string($user_id) . "',
+                    '" . intval($user_id) . "',
                     '" . Database::escape_string($document_id_for_template) . "',
                     '" . Database::escape_string($image) . "')";
         Database::query($sql);
@@ -1486,8 +1486,8 @@ public static function unset_document_as_template($document_id, $course_code, $u
     {
         $table_template = Database::get_main_table(TABLE_MAIN_TEMPLATES);
         $course_code = Database::escape_string($course_code);
-        $user_id = Database::escape_string($user_id);
-        $document_id = Database::escape_string($document_id);
+        $user_id = intval($user_id);
+        $document_id = intval($document_id);
 
         $sql = 'SELECT id FROM ' . $table_template . '
                 WHERE
@@ -1718,13 +1718,13 @@ public static function attach_gradebook_certificate($course_id, $document_id)
         $tbl_category = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
         $session_id = api_get_session_id();
         if ($session_id == 0 || is_null($session_id)) {
-            $sql_session = 'AND (session_id=' . Database::escape_string($session_id) . ' OR isnull(session_id)) ';
+            $sql_session = 'AND (session_id=' . intval($session_id) . ' OR isnull(session_id)) ';
         } elseif ($session_id > 0) {
-            $sql_session = 'AND session_id=' . Database::escape_string($session_id);
+            $sql_session = 'AND session_id=' . intval($session_id);
         } else {
             $sql_session = '';
         }
-        $sql = 'UPDATE ' . $tbl_category . ' SET document_id="' . Database::escape_string($document_id) . '"
+        $sql = 'UPDATE ' . $tbl_category . ' SET document_id="' . intval($document_id) . '"
                WHERE course_code="' . Database::escape_string($course_id) . '" ' . $sql_session;
         Database::query($sql);
     }
@@ -1739,9 +1739,9 @@ public static function get_default_certificate_id($course_id)
         $tbl_category = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
         $session_id = api_get_session_id();
         if ($session_id == 0 || is_null($session_id)) {
-            $sql_session = 'AND (session_id=' . Database::escape_string($session_id) . ' OR isnull(session_id)) ';
+            $sql_session = 'AND (session_id=' . intval($session_id) . ' OR isnull(session_id)) ';
         } elseif ($session_id > 0) {
-            $sql_session = 'AND session_id=' . Database::escape_string($session_id);
+            $sql_session = 'AND session_id=' . intval($session_id);
         } else {
             $sql_session = '';
         }
@@ -1911,9 +1911,9 @@ public static function remove_attach_certificate($course_id, $default_certificat
             $tbl_category = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
             $session_id = api_get_session_id();
             if ($session_id == 0 || is_null($session_id)) {
-                $sql_session = 'AND (session_id=' . Database::escape_string($session_id) . ' OR isnull(session_id)) ';
+                $sql_session = 'AND (session_id=' . intval($session_id) . ' OR isnull(session_id)) ';
             } elseif ($session_id > 0) {
-                $sql_session = 'AND session_id=' . Database::escape_string($session_id);
+                $sql_session = 'AND session_id=' . intval($session_id);
             } else {
                 $sql_session = '';
             }

main/inc/lib/events.lib.inc.php

@@ -1613,8 +1613,8 @@ function event_send_mail($event_name, $params)
  */
 function check_if_mail_already_sent($event_name, $user_from, $user_to = null) {
     $event_name = Database::escape_string($event_name);
-    $user_to = Database::escape_string($user_to);
-    $user_from = Database::escape_string($user_from);
+    $user_to = intval($user_to);
+    $user_from = intval($user_from);
     if ($user_to == null) {
         $sql = 'SELECT COUNT(*) as total FROM ' . Database::get_main_table(TABLE_EVENT_SENT) . '
                 WHERE user_from = '.$user_from.' AND event_type_name = "'.$event_name.'"';

main/inc/lib/extra_field_value.lib.php

@@ -384,7 +384,7 @@ public function save($params, $show_query = false)
     public function get_values_by_handler_and_field_id($item_id, $field_id, $transform = false)
     {
         $field_id = intval($field_id);
-        $item_id = Database::escape_string($item_id);
+        $item_id = intval($item_id);
 
         $sql = "SELECT s.*, field_type FROM {$this->table} s
                 INNER JOIN {$this->table_handler_field} sf ON (s.field_id = sf.id)
@@ -466,7 +466,7 @@ public function searchValuesByField($tag, $field_id, $limit = 10)
      */
     public function get_values_by_handler_and_field_variable($item_id, $field_variable, $transform = false)
     {
-        $item_id = Database::escape_string($item_id);
+        $item_id = intval($item_id);
         $field_variable = Database::escape_string($field_variable);
 
         $sql = "SELECT s.*, field_type FROM {$this->table} s
@@ -637,7 +637,7 @@ public function delete_all_values_by_field_id($field_id)
     public function delete_values_by_handler_and_field_id($item_id, $field_id)
     {
         $field_id = intval($field_id);
-        $item_id = Database::escape_string($item_id);
+        $item_id = intval($item_id);
         $sql = "DELETE FROM {$this->table}
                 WHERE {$this->handler_id} = '$item_id' AND field_id = '".$field_id."' ";
         Database::query($sql);