if (empty($depends_on)) {
$items = false;
} else {
- $gis = implode(',', $depends_on);
+ list($usql, $params) = $DB->get_in_or_equal($depends_on);
$sql = "SELECT *
- FROM {$CFG->prefix}grade_items
- WHERE id IN ($gis)";
- $items = $DB->get_records_sql($sql);
+ FROM {grade_items}
+ WHERE id $usql";
+ $items = $DB->get_records_sql($sql, $params);
}
+ $grade_inst = new grade_grade();
+ $fields = 'g.'.implode(',g.', $grade_inst->required_fields);
+
+ // where to look for final grades - include grade of this item too, we will store the results there
+ $gis = array_merge($depends_on, array($this->grade_item->id));
+ list($usql, $params) = $DB->get_in_or_equal($gis);
+
if ($userid) {
- $usersql = "AND g.userid=$userid";
+ $usersql = "AND g.userid=?";
+ $params[] = $userid;
} else {
$usersql = "";
}
- $grade_inst = new grade_grade();
- $fields = 'g.'.implode(',g.', $grade_inst->required_fields);
-
- // where to look for final grades - include grade of this item too, we will store the results there
- $gis = implode(',', array_merge($depends_on, array($this->grade_item->id)));
$sql = "SELECT $fields
- FROM {$CFG->prefix}grade_grades g, {$CFG->prefix}grade_items gi
- WHERE gi.id = g.itemid AND gi.id IN ($gis) $usersql
+ FROM {grade_grades} g, {grade_items} gi
+ WHERE gi.id = g.itemid AND gi.id $usql $usersql
ORDER BY g.userid";
// group the results by userid and aggregate the grades for this user
- if ($rs = $DB->get_recordset_sql($sql)) {
+ if ($rs = $DB->get_recordset_sql($sql, $params)) {
$prevuser = 0;
$grade_values = array();
$excluded = array();
* @static
*/
public static function updated_forced_settings() {
- global $CFG;
- $sql = "UPDATE {$CFG->prefix}grade_items SET needsupdate=1 WHERE itemtype='course' or itemtype='category'";
- execute_sql($sql, false);
+ global $CFG, $DB;
+ $params = array(1, 'course', 'category');
+ $sql = "UPDATE {grade_items} SET needsupdate=? WHERE itemtype=? or itemtype=?";
+ $DB->execute($sql, $params);
}
}
?>
public function check_locktime_all($items) {
global $CFG, $DB;
- $items_sql = implode(',', $items);
-
$now = time(); // no rounding needed, this is not supposed to be called every 10 seconds
-
- if ($rs = $DB->get_recordset_select('grade_grades', "itemid IN ($items_sql) AND locked = 0 AND locktime > 0 AND locktime < $now")) {
+ list($usql, $params) = $DB->get_in_or_equal($items);
+ $params[] = $now;
+ if ($rs = $DB->get_recordset_select('grade_grades', "itemid $usql AND locked = 0 AND locktime > 0 AND locktime < ?")) {
foreach ($rs as $grade) {
$grade_grade = new grade_grade($grade, false);
$grade_grade->locked = time();
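Review bot: The `$params` array built on the two added lines is never handed to the query: the new `get_recordset_select()` call ends after the select string, so the markers from `$usql` and the trailing `locktime < ?` have no values bound. Pass it as the third argument, `$DB->get_recordset_select('grade_grades', "itemid $usql AND locked = 0 AND locktime > 0 AND locktime < ?", $params)`. The body of check_locktime_all continues past the end of the hunk.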
if (!empty($cm->idnumber)) {
return false;
}
- if ($DB->set_field('course_modules', 'idnumber', addslashes($idnumber), array('id' => $cm->id))) {
+ if ($DB->set_field('course_modules', 'idnumber', $idnumber, array('id' => $cm->id))) {
$this->idnumber = $idnumber;
return $this->update();
}
* @param return int Number of hidden grades
*/
public function has_hidden_grades($groupsql="", $groupwheresql="") {
- global $CFG, $DB;
- return $DB->get_field_sql("SELECT COUNT(*) FROM {$CFG->prefix}grade_grades g LEFT JOIN "
- ."{$CFG->prefix}user u ON g.userid = u.id $groupsql WHERE itemid = $this->id AND hidden = 1 $groupwheresql");
+ global $DB;
+ $params = array($this->id);
+ return $DB->get_field_sql("SELECT COUNT(*) FROM {grade_grades} g LEFT JOIN "
+ ."{user} u ON g.userid = u.id $groupsql WHERE itemid = ? AND hidden = 1 $groupwheresql", $params);
}
/**
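Review bot: `$groupsql` and `$groupwheresql` are still concatenated into the statement as raw SQL while only `itemid` is bound, so the safety of this query depends on every caller passing fragments it built itself. Because `$groupsql` sits before `itemid = ?`, a positional placeholder inside it would also shift the binding of `$this->id`. I would state that contract in the docblock, e.g. `@param string $groupsql trusted SQL fragment, no user input and no placeholders`, and the same for `$groupwheresql`. The existing `@param return int` line presumably should read `@return int`; the docblock starts outside the hunk.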
$grade_inst = new grade_grade();
$fields = implode(',', $grade_inst->required_fields);
if ($userid) {
- $rs = $DB->get_recordset_select('grade_grades', "itemid={$this->id} AND userid=$userid", null, '', $fields);
+ $params = array($this->id, $userid);
+ $rs = $DB->get_recordset_select('grade_grades', "itemid=? AND userid=?", $params, '', $fields);
} else {
$rs = $DB->get_recordset('grade_grades', array('itemid' => $this->id), '', $fields);
}
}
public function move_after_sortorder($sortorder) {
- global $CFG;
+ global $CFG, $DB;
//make some room first
- $sql = "UPDATE {$CFG->prefix}grade_items
+ $params = array($sortorder, $this->courseid);
+ $sql = "UPDATE {grade_items}
SET sortorder = sortorder + 1
- WHERE sortorder > $sortorder AND courseid = {$this->courseid}";
- execute_sql($sql, false);
+ WHERE sortorder > ? AND courseid = ?";
+ $DB->execute($sql, $params);
$this->set_sortorder($sortorder + 1);
}
}
} else if ($grade_category = $this->load_item_category()) {
+ $params = array();
+
//only items with numeric or scale values can be aggregated
if ($this->gradetype != GRADE_TYPE_VALUE and $this->gradetype != GRADE_TYPE_SCALE) {
$this->dependson_cache = array();
}
if (empty($CFG->grade_includescalesinaggregation)) {
- $gtypes = "gi.gradetype = ".GRADE_TYPE_VALUE;
+ $gtypes = "gi.gradetype = ?";
+ $params[] = GRADE_TYPE_VALUE;
} else {
- $gtypes = "(gi.gradetype = ".GRADE_TYPE_VALUE." OR gi.gradetype = ".GRADE_TYPE_SCALE.")";
+ $gtypes = "(gi.gradetype = ? OR gi.gradetype = ?)";
+ $params[] = GRADE_TYPE_VALUE;
+ $params[] = GRADE_TYPE_SCALE;
}
if ($grade_category->aggregatesubcats) {
// return all children excluding category items
+ $params[] = $grade_category->id;
$sql = "SELECT gi.id
- FROM {$CFG->prefix}grade_items gi
+ FROM {grade_items} gi
WHERE $gtypes
$outcomes_sql
AND gi.categoryid IN (
SELECT gc.id
- FROM {$CFG->prefix}grade_categories gc
- WHERE gc.path LIKE '%/{$grade_category->id}/%')";
+ FROM {grade_categories} gc
+ WHERE gc.path LIKE '%?%')";
} else {
+ $params[] = $grade_category->id;
+ $params[] = $grade_category->id;
+ $params[] = GRADE_TYPE_VALUE;
+ $params[] = GRADE_TYPE_SCALE;
$sql = "SELECT gi.id
- FROM {$CFG->prefix}grade_items gi
- WHERE gi.categoryid = {$grade_category->id}
- AND $gtypes
+ FROM {grade_items} gi
+ WHERE $gtypes
+ AND gi.categoryid = ?
$outcomes_sql
-
UNION
SELECT gi.id
- FROM {$CFG->prefix}grade_items gi, {$CFG->prefix}grade_categories gc
+ FROM {grade_items} gi, {grade_categories} gc
WHERE (gi.itemtype = 'category' OR gi.itemtype = 'course') AND gi.iteminstance=gc.id
- AND gc.parent = {$grade_category->id}
+ AND gc.parent = ?
AND $gtypes
$outcomes_sql";
}
- if ($children = $DB->get_records_sql($sql)) {
+ if ($children = $DB->get_records_sql($sql, $params)) {
$this->dependson_cache = array_keys($children);
return $this->dependson_cache;
} else {
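Review bot: In the `aggregatesubcats` branch the marker is written inside a quoted literal, `gc.path LIKE '%?%'`, and a `?` inside quotes is not a reliable bind marker; the `/` delimiters of the old pattern `'%/{id}/%'` are gone as well, so even a successful bind would match ids that merely contain the digits. The wildcards and slashes belong in the bound value, with the SQL reduced to `gc.path LIKE ?`. In the `else` branch `$gtypes` appears twice, but its second copy is always given `GRADE_TYPE_VALUE` and `GRADE_TYPE_SCALE`, which is one value too many when `grade_includescalesinaggregation` is empty and `$gtypes` holds a single `?`. `$outcomes_sql` is built outside the visible lines; if it carries markers of its own, their values need a slot in the same order. The enclosing function starts and ends outside the hunk.

```php
if (empty($CFG->grade_includescalesinaggregation)) {
    $gtypes = "gi.gradetype = ?";
    $gtypeparams = array(GRADE_TYPE_VALUE);
} else {
    $gtypes = "(gi.gradetype = ? OR gi.gradetype = ?)";
    $gtypeparams = array(GRADE_TYPE_VALUE, GRADE_TYPE_SCALE);
}

if ($grade_category->aggregatesubcats) {
    // the whole LIKE pattern is the bound value; the SQL holds only the marker
    $params = array_merge($gtypeparams, array('%/'.$grade_category->id.'/%'));
    // … unchanged: SELECT gi.id FROM {grade_items} gi WHERE $gtypes $outcomes_sql AND gi.categoryid IN (SELECT gc.id FROM {grade_categories} gc …
                              WHERE gc.path LIKE ?)";
} else {
    // one set of $gtypes values per copy of $gtypes in the UNION
    $params = array_merge($gtypeparams, array($grade_category->id, $grade_category->id), $gtypeparams);
    // … unchanged: the two SELECTs joined by UNION …
}
```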
}
// precreate grades - we need them to exist
+ $params = array($this->id);
$sql = "SELECT DISTINCT go.userid
- FROM {$CFG->prefix}grade_grades go
- JOIN {$CFG->prefix}grade_items gi
+ FROM {grade_grades} go
+ JOIN {grade_items} gi
ON gi.id = go.itemid
- LEFT OUTER JOIN {$CFG->prefix}grade_grades g
- ON (g.userid = go.userid AND g.itemid = $this->id)
+ LEFT OUTER JOIN {grade_grades} g
+ ON (g.userid = go.userid AND g.itemid = ?)
WHERE gi.id <> $this->id AND g.id IS NULL";
- if ($missing = $DB->get_records_sql($sql)) {
+ if ($missing = $DB->get_records_sql($sql, $params)) {
foreach ($missing as $m) {
$grade = new grade_grade(array('itemid'=>$this->id, 'userid'=>$m->userid), false);
$grade->grade_item =& $this;
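Review bot: The `WHERE gi.id <> $this->id` line at the end of the statement still interpolates the id, while the join condition just above it now binds the same value. For consistency with the rest of the commit, bind both: `$params = array($this->id, $this->id);` and `WHERE gi.id <> ? AND g.id IS NULL`. The enclosing method starts and ends outside the hunk.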
// where to look for final grades?
// this itemid is added so that we use only one query for source and final grades
- $gis = implode(',', array_merge($useditems, array($this->id)));
+ $gis = array_merge($useditems, array($this->id));
+ list($usql, $params) = $DB->get_in_or_equal($gis);
if ($userid) {
- $usersql = "AND g.userid=$userid";
+ $usersql = "AND g.userid=?";
+ $params[] = $userid;
} else {
$usersql = "";
}
$grade_inst = new grade_grade();
$fields = 'g.'.implode(',g.', $grade_inst->required_fields);
+ $params[] = $this->courseid;
$sql = "SELECT $fields
- FROM {$CFG->prefix}grade_grades g, {$CFG->prefix}grade_items gi
- WHERE gi.id = g.itemid AND gi.courseid={$this->courseid} AND gi.id IN ($gis) $usersql
- ORDER BY g.userid";
+ FROM {grade_grades} g, {grade_items} gi
+ WHERE gi.id = g.itemid AND gi.id $usql $usersql AND gi.courseid=?
+ ORDER BY g.userid";
$return = true;
// group the grades by userid and use formula on the group
- if ($rs = $DB->get_recordset_sql($sql)) {
+ if ($rs = $DB->get_recordset_sql($sql, $params)) {
$prevuser = 0;
$grade_records = array();
$oldgrade = null;
$grade_items = array();
} else {
- $gis = implode(',', $useditems);
-
+ list($usql, $params) = $DB->get_in_or_equal($useditems);
+ $params[] = $this->courseid;
$sql = "SELECT gi.*
- FROM {$CFG->prefix}grade_items gi
- WHERE gi.id IN ($gis) and gi.courseid={$this->courseid}"; // from the same course only!
+ FROM {grade_items} gi
+ WHERE gi.id $usql and gi.courseid=?"; // from the same course only!
- if (!$grade_items = $DB->get_records_sql($sql)) {
+ if (!$grade_items = $DB->get_records_sql($sql, $params)) {
$grade_items = array();
}
}
$wheresql = array();
// remove incorrect params
+ $named_params = array();
+
foreach ($params as $var=>$value) {
if (!in_array($var, $instance->required_fields) and !array_key_exists($var, $instance->optional_fields)) {
continue;
if (is_null($value)) {
$wheresql[] = " $var IS NULL ";
} else {
- $value = addslashes($value);
- $wheresql[] = " $var = '$value' ";
+ $wheresql[] = " $var = ? ";
+ $named_params[] = $value;
}
}
}
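Review bot: `$named_params` collects values for positional `?` markers, not named ones, so the name is misleading here and in the `get_records_select()` call in the next hunk; something like `$sqlparams` would describe it. The column name `$var` is still written into the WHERE text, which is acceptable only because of the `required_fields`/`optional_fields` check earlier in the loop, since identifiers cannot be bound. A comment at that check would keep it from being relaxed later, e.g. `// $var goes into the SQL as a column name, so it must stay restricted to known fields`.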
global $DB;
- if ($datas = $DB->get_records_select($table, $wheresql, array('id'))) {
+ if ($datas = $DB->get_records_select($table, $wheresql, $named_params)) {
$result = array();
foreach($datas as $data) {
$instance = new $classname();
$data = $this->get_record_data();
- if (!$DB->update_record($this->table, addslashes_recursive($data))) {
+ if (!$DB->update_record($this->table, $data)) {
return false;
}
$data->source = $source;
$data->timemodified = time();
$data->userlogged = $USER->id;
- $DB->insert_record($this->table.'_history', addslashes_recursive($data));
+ $DB->insert_record($this->table.'_history', $data);
}
return true;
$data->source = $source;
$data->timemodified = time();
$data->userlogged = $USER->id;
- $DB->insert_record($this->table.'_history', addslashes_recursive($data));
+ $DB->insert_record($this->table.'_history', $data);
}
return true;
$data = $this->get_record_data();
- if (!$this->id = $DB->insert_record($this->table, addslashes_recursive($data))) {
+ if (!$this->id = $DB->insert_record($this->table, $data)) {
debugging("Could not insert object into db");
return false;
}
$data->source = $source;
$data->timemodified = time();
$data->userlogged = $USER->id;
- $DB->insert_record($this->table.'_history', addslashes_recursive($data));
+ $DB->insert_record($this->table.'_history', $data);
}
return $this->id;
* @return boolean success
*/
public function delete($source=null) {
+ global $DB;
if (!empty($this->courseid)) {
- delete_records('grade_outcomes_courses', 'outcomeid', $this->id, 'courseid', $this->courseid);
+ $DB->delete_records('grade_outcomes_courses', array('outcomeid' => $this->id, 'courseid' => $this->courseid));
}
return parent::delete($source);
}
return false;
}
- if (!record_exists('grade_outcomes_courses', 'courseid', $courseid, 'outcomeid', $this->id)) {
+ if (!$DB->record_exists('grade_outcomes_courses', array('courseid' => $courseid, 'outcomeid' => $this->id))) {
$goc = new object();
$goc->courseid = $courseid;
$goc->outcomeid = $this->id;
global $CFG, $DB;
$result = array();
+ $params = array($courseid);
$sql = "SELECT go.*
- FROM {$CFG->prefix}grade_outcomes go, {$CFG->prefix}grade_outcomes_courses goc
- WHERE go.id = goc.outcomeid AND goc.courseid = {$courseid}
+ FROM {grade_outcomes} go, {grade_outcomes_courses} goc
+ WHERE go.id = goc.outcomeid AND goc.courseid = ?
ORDER BY go.id ASC";
- if ($datas = $DB->get_records_sql($sql)) {
+ if ($datas = $DB->get_records_sql($sql, $params)) {
foreach($datas as $data) {
$instance = new grade_outcome();
grade_object::set_properties($instance, $data);
* @return int
*/
public function get_course_uses_count() {
- global $CFG;
+ global $DB;
if (!empty($this->courseid)) {
return 1;
}
- return count_records('grade_outcomes_courses', 'outcomeid', $this->id);
+ return $DB->count_records('grade_outcomes_courses', array('outcomeid' => $this->id));
}
/**
* @return int
*/
public function get_item_uses_count() {
- return count_records('grade_items', 'outcomeid', $this->id);
+ global $DB;
+ return $DB->count_records('grade_items', array('outcomeid' => $this->id));
}
/**
return false;
}
+ $params = array($this->id);
+
$wheresql = '';
if (!is_null($courseid)) {
- $wheresql = " AND {$CFG->prefix}grade_items.courseid = $courseid ";
+ $wheresql = " AND {grade_items}.courseid = ? ";
+ $params[] = $courseid;
}
$selectadd = '';
if ($items !== false) {
- $selectadd = ", {$CFG->prefix}grade_items.* ";
+ $selectadd = ", {grade_items}.* ";
}
$sql = "SELECT finalgrade $selectadd
- FROM {$CFG->prefix}grade_grades, {$CFG->prefix}grade_items, {$CFG->prefix}grade_outcomes
- WHERE {$CFG->prefix}grade_outcomes.id = {$CFG->prefix}grade_items.outcomeid
- AND {$CFG->prefix}grade_items.id = {$CFG->prefix}grade_grades.itemid
- AND {$CFG->prefix}grade_outcomes.id = $this->id
+ FROM {grade_grades}, {grade_items}, {grade_outcomes}
+ WHERE {grade_outcomes}.id = {grade_items}.outcomeid
+ AND {grade_items}.id = {grade_grades}.itemid
+ AND {grade_outcomes}.id = ?
$wheresql";
- $grades = $DB->get_records_sql($sql);
+ $grades = $DB->get_records_sql($sql, $params);
$retval = array();
if ($average !== false && count($grades) > 0) {
global $CFG;
// count grade items excluding the
- $sql = "SELECT COUNT(id) FROM {$CFG->prefix}grade_items WHERE scaleid = {$this->id} AND outcomeid IS NULL";
- if (count_records_sql($sql)) {
+ $params = array($this->id);
+ $sql = "SELECT COUNT(id) FROM {grade_items} WHERE scaleid = ? AND outcomeid IS NULL";
+ if ($DB->count_records_sql($sql, $params)) {
return true;
}
// count outcomes
- $sql = "SELECT COUNT(id) FROM {$CFG->prefix}grade_outcomes WHERE scaleid = {$this->id}";
- if (count_records_sql($sql)) {
+ $sql = "SELECT COUNT(id) FROM {grade_outcomes} WHERE scaleid = ?";
+ if ($DB->count_records_sql($sql, $params)) {
return true;
}
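Review bot: Both new `$DB->count_records_sql()` calls use `$DB`, but the only global statement visible at the top of the hunk is the unchanged `global $CFG;`. Unless `$DB` is brought into scope on a line outside the hunk, this is a method call on an undefined variable and the scale-in-use check fails at runtime. The line should become `global $DB;`, as `$CFG` is no longer needed once the `{$CFG->prefix}` interpolation is gone. The function starts and ends outside the hunk.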
$this->assertEqual($grade_item->sortorder, 6);
$after = grade_item::fetch(array('id'=>$this->grade_items[6]->id));
- $this->assertEqual($after->sortorder, 7);
+ $this->assertEqual($after->sortorder, 8);
}
function test_grade_item_get_name() {