More GET to POST

actions.php

@@ -606,7 +606,7 @@
 				//mysql_query($query) or die("Query failed : " . mysql_error());
 			}
 		}
-	} else if ($_GET['action']=="unenroll") {
+	} else if ($_POST['action']=="unenroll") {
 		if ($myrights < 6) {
 			echo "<html><body>\nError: Guests can't unenroll from courses</body></html";
 			exit;

admin/diagonetime.php

@@ -70,8 +70,8 @@
 			$code_list[] = $row;
 		}
 	}
-} else if (isset($_GET['delete'])) {
-	if ($_GET['delete']=='true') {
+} else if (isset($_POST['delete'])) {
+	if ($_POST['delete']=='true') {
 		//DB $query = "DELETE FROM imas_diag_onetime WHERE diag='$diag'";
 		//DB mysql_query($query) or die("Query failed : " . mysql_error());
 		$stm = $DBH->prepare("DELETE FROM imas_diag_onetime WHERE diag=:diag");
@@ -135,9 +135,11 @@
 			echo '</form>';
 		}
 	} else if (isset($_GET['delete'])) {
-		echo "<p>Are you sure you want to delete all one-time passwords for this diagnostic?</p>\n";
-		echo "<p><input type=button value=\"Delete\" onclick=\"window.location='diagonetime.php?id=" . Sanitize::encodeUrlParam($diag) . "&delete=true'\">\n";
+		echo '<form method="POST" action="diagonetime.php?id=' . Sanitize::encodeUrlParam($diag).'">';
+		echo '<p><button type=submit name="delete" value="true">'._('Delete').'</button>';
 		echo "<input type=button value=\"Nevermind\" class=\"secondarybtn\" onclick=\"window.location='admin.php'\"></p>\n";
+		echo '</form>';
+
 	} else {
 		echo "<b>All one-time passwords</b> <a href=\"diagonetime.php?id=" . Sanitize::encodeUrlParam($diag) . "&generate=true\">Generate</a> <a href=\"diagonetime.php?id=" . Sanitize::encodeUrlParam($diag) . "&delete=check\">Delete all</a>";
 		echo '<table><thead><tr><th>Codes</th><th>Good For</th><th>Created</th></tr></thead><tbody>';

admin/externaltools.php

@@ -94,7 +94,7 @@
 	$ltfrom = str_replace('&','&',$ltfrom);
 	header('Location: ' . $GLOBALS['basesiteurl'] . "/admin/externaltools.php?cid=$cid$ltfrom");
 	exit;
-} else if (isset($_GET['delete']) && $_GET['delete']=='true') {
+} else if (isset($_POST['delete']) && $_POST['delete']=='true') {
 	$id = Sanitize::onlyInt($_GET['id']);
 	if ($id>0) {
 		if ($isadmin) {
@@ -136,7 +136,8 @@
 		$name = $stm->fetchColumn(0);
 
 		echo '<p>Are you SURE you want to delete the tool <b>'.$name.'</b>?  Doing so will break ALL placements of this tool.</p>';
-		echo '<form method="post" action="externaltools.php?cid='.$cid.$ltfrom.'&amp;id='.$_GET['id'].'&amp;delete=true">';
+		echo '<form method="post" action="externaltools.php?cid='.$cid.$ltfrom.'&amp;id='.$_GET['id'].'">';
+		echo '<input type=hidden name=delete value=true />';
 		echo '<input type=submit value="Yes, I\'m Sure">';
 		echo '<input type=button value="Nevermind" class="secondarybtn" onclick="window.location=\'externaltools.php?cid='.$cid.'\'">';
 		echo '</form>';

course/addquestions.php

@@ -243,7 +243,7 @@
 	}
 	*/
 	if (isset($_GET['withdraw'])) {
-		if (isset($_POST['withdrawtype']) && isset($_GET['confirmed'])) {
+		if (isset($_POST['withdrawtype'])) {
 			if (strpos($_GET['withdraw'],'-')!==false) {
 				$isingroup = true;
 				$loc = explode('-',$_GET['withdraw']);
@@ -359,7 +359,7 @@
 			$overwriteBody = 1;
 			$body = "<div class=breadcrumb>$curBreadcrumb</div>\n";
 			$body .= "<h3>Withdraw Question</h3>";
-			$body .= "<form method=post action=\"addquestions.php?cid=$cid&aid=$aid&withdraw=".Sanitize::encodeStringForDisplay($_GET['withdraw'])."&confirmed=true\">";
+			$body .= "<form method=post action=\"addquestions.php?cid=$cid&aid=$aid&withdraw=".Sanitize::encodeStringForDisplay($_GET['withdraw'])."\">";
 			if ($isingroup) {
 				$body .= '<p><b>This question is part of a group of questions</b>.  </p>';
 				$body .= '<input type=radio name="withdrawtype" value="groupzero" > Set points possible and all student scores to zero <b>for all questions in group</b><br/>';

course/addwiki.php

@@ -32,8 +32,8 @@
 	$cid = Sanitize::courseId($_GET['cid']);
 	$block = $_GET['block'];
 
-	if (isset($_GET['clearattempts'])) {
-		if ($_GET['clearattempts']=='true') {
+	if (isset($_REQUEST['clearattempts'])) {
+		if (isset($_POST['clearattempts']) && $_POST['clearattempts']=="true") {
 			$id = Sanitize::onlyInt($_GET['id']);
 			//DB $query = "DELETE FROM imas_wiki_revisions WHERE wikiid='$id'";
 			//DB mysql_query($query) or die("Query failed : " . mysql_error());
@@ -270,8 +270,11 @@
 	$id = $_GET['id'];
 	echo '<p>Are you SURE you want to delete all contents and history for this Wiki page? ';
 	echo 'This will clear contents for all groups if you are using groups.</p>';
-	echo "<p><a href=\"addwiki.php?cid=$cid&id=$id&clearattempts=true\">Yes, I'm Sure</a> | ";
-	echo "<a href=\"addwiki.php?cid=$cid&id=$id\">Nevermind</a></p>";
+
+	echo '<form method="POST" action="'.sprintf('addwiki.php?cid=%d&id=%d', $cid, $id) .'">';
+	echo '<p><button type=submit name="clearattempts" value="true">'._("Yes, I'm Sure").'</button>';
+	echo "<input type=button value=\"Nevermind\" class=\"secondarybtn\" onclick=\"window.location='".sprintf('addwiki.php?cid=%d&id=%d', $cid, $id)."'\"></p>\n";
+	echo '</form>';
 
 } else { //default display
 

course/convertintro.php

@@ -110,7 +110,7 @@ function convertintro($current_intro) {
 	}
 }
 
-if (isset($_GET['confirm']) && $_GET['confirm']=='all') {
+if (isset($_POST['convert']) && $_POST['convert']=='all') {
 	//DB $query = "SELECT intro,id,name FROM imas_assessments WHERE courseid='$cid'";
 	//DB $result = mysql_query($query) or die("Query failed : " . mysql_error());
 	$stm = $DBH->prepare("SELECT intro,id,name FROM imas_assessments WHERE courseid=:courseid");
@@ -122,8 +122,8 @@ function convertintro($current_intro) {
 		if ($introjson !== false) {
 			//DB $query = "UPDATE imas_assessments SET intro='".addslashes(json_encode($introjson))."' WHERE id='{$row[1]}'";
 			//DB mysql_query($query) or die("Query failed : " . mysql_error());
-			$stm = $DBH->prepare("UPDATE imas_assessments SET intro=:intro WHERE id=:id");
-			$stm->execute(array(':id'=>$row[1], ':intro'=>json_encode($introjson)));
+			$stm2 = $DBH->prepare("UPDATE imas_assessments SET intro=:intro WHERE id=:id");
+			$stm2->execute(array(':id'=>$row[1], ':intro'=>json_encode($introjson)));
 			$converted[] = $row[2];
 		}
 	}
@@ -149,7 +149,7 @@ function convertintro($current_intro) {
 		exit;
 	}
 
-	if (isset($_GET['confirm'])) {
+	if (isset($_POST['convert'])) {
 		//DB $query = "UPDATE imas_assessments SET intro='".addslashes(json_encode($introjson))."' WHERE id='$aid'";
 		//DB mysql_query($query) or die("Query failed : " . mysql_error());
 		$stm = $DBH->prepare("UPDATE imas_assessments SET intro=:intro WHERE id=:id");
@@ -212,10 +212,16 @@ function convertintro($current_intro) {
 			}
 		}
 		echo '<p>'._('Do you want to convert this assessment?').'</p>';
-		echo '<p><button type="button" onClick="window.location=\'convertintro.php?cid='.$cid.'&aid='.$aid.'&confirm=true\'">'._('Convert').'</button> ';
-		echo '<button type="button" class="secondarybtn" onClick="window.location=\'addassessment.php?cid='.$cid.'&id='.$aid.'\'">'._('Nevermind').'</button></p>';
+
+		echo '<form method="POST" action="'.sprintf('convertintro.php?cid=%d&aid=%d',$cid,$aid).'">';
+		echo '<p><button type=submit name="convert" value="one">'._('Convert').'</button>';
+		echo '<button type="button" class="secondarybtn" onClick="window.location=\''.sprintf('addassessment.php?cid=%d&aid=%d',$cid,$aid).'\'">'._('Nevermind').'</button></p>';
+		echo '</form>';
+
 		echo '<p>&nbsp;</p>';
-		echo '<p><button type="button" class="secondarybtn" onClick="if(confirm(\'Are you SURE??? This is risky and can NOT be undone. Make sure you have a backup just in case something goes wrong.\')){window.location=\'convertintro.php?cid='.$cid.'&aid='.$aid.'&confirm=all\'}">'._('Convert All Assessments in Course').'</button> ';
+		echo '<form method="POST" action="'.sprintf('convertintro.php?cid=%d&aid=%d',$cid,$aid).'" onsubmit="return confirm(\'Are you SURE??? This is risky and can NOT be undone. Make sure you have a backup just in case something goes wrong.\');">';
+		echo '<p><button type="submit" name="convert" value="all">'._('Convert All Assessments in Course').'</button></p>';
+		echo '</form>';
 		require("../footer.php");
 	}
 }

course/edittoolscores.php

@@ -50,8 +50,9 @@
 	}
 
 
-	if (isset($_GET['clear']) && $isteacher) {
-		if (isset($_GET['confirm'])) {
+	/*Not called from anywhere?
+	if (isset($_REQUEST['clear']) && $isteacher) {
+		if (isset($_POST['confirm'])) {
 			//DB $query = "DELETE FROM imas_grades WHERE gradetype='exttool' AND gradetypeid='$lid'";
 			//DB mysql_query($query) or die("Query failed : " . mysql_error());
 			$stm = $DBH->prepare("DELETE FROM imas_grades WHERE gradetype='exttool' AND gradetypeid=:gradetypeid");
@@ -61,12 +62,20 @@
 		} else {
 			require("../header.php");
 			echo "<p>Are you SURE you want to clear all associated grades on this item from the gradebook?</p>";
-			echo "<p><a href=\"edittoolscores.php?stu={$_GET['stu']}&gbmode={$_GET['gbmode']}&cid=$cid&lid=$lid&confirm=true\">Clear Scores</a>";
-			echo " <a href=\"gradebook.php?stu={$_GET['stu']}&gbmode={$_GET['gbmode']}&cid=$cid\">Nevermind</a>";
+			
+			$querystring = http_build_query(array('stu'=>$_GET['stu'], 'cid'=>$cid, 'lid'=> $lid));
+			echo '<form method="POST" action="edittoolscores.php?'.$querystring.'">';
+			echo '<p><button type=submit name="confirm" value="true">'._('Clear Scores').'</button>';
+			
+			$querystring2 = http_build_query(array('stu'=>$_GET['stu'], 'cid'=>$cid));
+			echo " <a href=\"gradebook.php?$querystring2\">Nevermind</a></p>";
+			echo '</form>';
+			
 			require("../footer.php");
 			exit;
 		}
 	}
+	*/
 
 	//check for grades marked as newscore that aren't really new
 	//shouldn't happen, but could happen if two browser windows open

course/gb-viewasid.php

@@ -176,10 +176,11 @@
 				$body = getconfirmheader();
 			}
 			$overwriteBody = true;
+			$querystring = http_build_query(array('stu'=>$stu, 'cid'=>$cid, 'asid'=>$_GET['asid'], 'from'=>$from, 'uid'=>$_GET['uid']));
 			$body .= "<p>Are you sure you want to clear this $pers's assessment attempt?  This will make it appear the $pers never tried the assessment, and the $pers will receive a new version of the assessment.</p>";
-			$body .= '<form method="POST" action="'.Sanitize::encodeStringForDisplay("gb-viewasid.php?stu=$stu&gbmode=$gbmode&cid=$cid&asid={$_GET['asid']}&from=$from&uid={$_GET['uid']}").'">';
+			$body .= '<form method="POST" action="gb-viewasid.php?'.$querystring.'">';
 			$body .= '<p><button type=submit name="clearattempt" value="confirmed">'._('Really Clear').'</button> ';
-			$body .= "<input type=button value=\"Nevermind\" class=\"secondarybtn\" onclick=\"window.location='".Sanitize::encodeStringForDisplay("gb-viewasid.php?stu=$stu&gbmode=$gbmode&cid=$cid&from=$from&asid={$_GET['asid']}&uid={$_GET['uid']}")."'\"></p>\n";
+			$body .= "<input type=button value=\"Nevermind\" class=\"secondarybtn\" onclick=\"window.location='gb-viewasid.php?$querystring'\"></p>\n";
 			$body .= '</form>';
 			//exit;
 		}
@@ -198,10 +199,11 @@
 		} else {
 			$overwriteBody = true;
 			$body = getconfirmheader();
+			$querystring = http_build_query(array('stu'=>$stu, 'cid'=>$cid, 'asid'=>$_GET['asid'], 'from'=>$from, 'uid'=>$_GET['uid']));
 			$body .= "<p>Are you sure you want to separate this student from their current group?</p>";
-			$body .= '<form method="POST" action="'.Sanitize::encodeStringForDisplay("gb-viewasid.php?stu=$stu&gbmode=$gbmode&cid=$cid&asid={$_GET['asid']}&from=$from&uid={$_GET['uid']}").'">';
+			$body .= '<form method="POST" action="gb-viewasid.php?'.$querystring.'">';
 			$body .= '<p><button type=submit name="breakfromgroup" value="confirmed">'._('Really Separate').'</button> ';
-			$body .= "<input type=button value=\"Nevermind\" class=\"secondarybtn\" onclick=\"window.location='".Sanitize::encodeStringForDisplay("gb-viewasid.php?stu=$stu&gbmode=$gbmode&cid=$cid&from=$from&asid={$_GET['asid']}&uid={$_GET['uid']}")."'\"></p>\n";
+			$body .= "<input type=button value=\"Nevermind\" class=\"secondarybtn\" onclick=\"window.location='gb-viewasid.php?$querystring'\"></p>\n";
 			$body .= '</form>';
 			//exit;
 		}
@@ -272,10 +274,11 @@
 				$pers = 'student';
 				$body = getconfirmheader();
 			}
+			$querystring = http_build_query(array('stu'=>$stu, 'cid'=>$cid, 'asid'=>$_GET['asid'], 'from'=>$from, 'uid'=>$_GET['uid']));
 			$body .= "<p>Are you sure you want to clear this $pers's scores for this assessment?</p>";
-			$body .= '<form method="POST" action="'.Sanitize::encodeStringForDisplay("gb-viewasid.php?stu=$stu&gbmode=$gbmode&cid=$cid&asid={$_GET['asid']}&from=$from&uid={$_GET['uid']}").'">';
+			$body .= '<form method="POST" action="gb-viewasid.php?'.$querystring.'">';
 			$body .= '<p><button type=submit name="clearscores" value="confirmed">'._('Really Clear').'</button> ';
-			$body .= "<input type=button value=\"Nevermind\" class=\"secondarybtn\" onclick=\"window.location='".Sanitize::encodeStringForDisplay("gb-viewasid.php?stu=$stu&gbmode=$gbmode&cid=$cid&from=$from&asid={$_GET['asid']}&uid={$_GET['uid']}")."'\"></p>\n";
+			$body .= "<input type=button value=\"Nevermind\" class=\"secondarybtn\" onclick=\"gb-viewasid.php?$querystring'\"></p>\n";
 			$body .= '</form>';
 			//exit;
 		}
@@ -396,12 +399,13 @@
 				$pers = 'student';
 				$body = getconfirmheader();
 			}
+			$querystring = http_build_query(array('stu'=>$stu, 'cid'=>$cid, 'asid'=>$_GET['asid'], 'from'=>$from, 'uid'=>$_GET['uid']));
 			$body .= "<p>Are you sure you want to clear this $pers's scores for this question?</p>";
-			$body .= '<form method="POST" action="'.Sanitize::encodeStringForDisplay("gb-viewasid.php?stu=$stu&gbmode=$gbmode&cid=$cid&asid={$_GET['asid']}&from=$from&uid={$_GET['uid']}").'">';
+			$body .= '<form method="POST" action="gb-viewasid.php?'.$querystring.'">';
 			$body .= '<p><button type=submit name="noregen" value="1">'._('Really Clear').'</button> ';
 			$body .= '<button type=submit name="regen" value="1">'._('Really Clear and Regen').'</button> ';
 			$body .= '<input type="hidden" name="clearq" value="'.Sanitize::encodeStringForDisplay($_GET['clearq']).'"/>';
-			$body .= "<input type=button value=\"Nevermind\" class=\"secondarybtn\" onclick=\"window.location='".Sanitize::encodeStringForDisplay("gb-viewasid.php?stu=$stu&gbmode=$gbmode&cid=$cid&from=$from&asid={$_GET['asid']}&uid={$_GET['uid']}")."'\"></p>\n";
+			$body .= "<input type=button value=\"Nevermind\" class=\"secondarybtn\" onclick=\"window.location='gb-viewasid.php?$querystring'\"></p>\n";
 			$body .= '</form>';
 
 			//echo "<p><input type=button onclick=\"window.location='gb-viewasid.php?stu=$stu&gbmode=$gbmode&cid=$cid&from=$from&asid={$_GET['asid']}&clearq={$_GET['clearq']}&uid={$_GET['uid']}&confirmed=true'\" value=\"Really Clear\"> \n";

course/managelibs.php

@@ -367,7 +367,7 @@
 			}
 		}
 	} else if (isset($_GET['remove'])) {
-		if (isset($_GET['confirmed'])) {
+		if (isset($_POST['delq'])) {
 			//DB $query = "SELECT DISTINCT qsetid FROM imas_library_items WHERE libid='{$_GET['remove']}'";
 			//DB $result = mysql_query($query) or die("Query failed : " . mysql_error());
 			//DB while ($row = mysql_fetch_row($result)) {