require_once("../../config.php");
- if ($form = data_submitted($destination)) {
+ if ($form = data_submitted($CFG->wwwroot.'/course/mod.php')) {
if (! $course = get_record("course", "id", $form->course)) {
error("This course doesn't exist");
print_header_simple("$streditingasurvey", "",
"<a href=\"index.php?id=$course->id\">$strsurveys</a>".
- " -> $form->name ($streditingasurvey)");
+ " -> ".stripslashes_safe($form->name)." ($streditingasurvey)");
if (!$form->name or !$form->template) {
error(get_string("filloutallfields"), $_SERVER["HTTP_REFERER"]);
print_simple_box_start('center');
?>
- <form name="form" method="post" action="<?php p($form->destination)?>">
+ <form name="form" method="post" action="<?php echo $CFG->wwwroot.'/course/mod.php'?>">
<table cellpadding="5" align="center">
<tr><td align="right" nowrap="nowrap"><b><?php print_string("name") ?>:</b></td>
- <td><?php p($form->name) ?></a></td></tr>
+ <td><?php p($form->name, true) ?></a></td></tr>
<tr valign="top">
<td align="right" nowrap="nowrap">
<td>
<textarea name="intro" rows="20" cols="50" wrap="virtual"><?php
if ($form->intro) {
- p($form->intro);
+ p($form->intro, true);
} else {
$form->intro = get_field("survey", "intro", "id", $form->template);
$form->intro = get_string($form->intro, "survey");
- p($form->intro);
+ p($form->intro, true);
}
?></textarea>
</td>
</tr>
</table>
+ <?php $form = stripslashes_safe($form);
+ // no db access using $form beyond this point!
+ ?>
<input type="hidden" name="name" value="<?php p($form->name) ?>" />
<input type="hidden" name="template" value="<?php p($form->template) ?>" />
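Review bot: The page title built on L9 still embeds user input without HTML escaping: `stripslashes_safe($form->name)` removes slashes but `$form` comes straight from data_submitted() on L3, so unless print_header_simple() escapes its navigation argument (not visible here) the name reaches the page raw, while the same value is escaped on L19 with `p($form->name, true)`. The consistent form would be `" -> ".s(stripslashes_safe($form->name))." ($streditingasurvey)"`, using the same s() the commit applies on L93. On L19 the stray `</a>` after the name has no opening tag; if it was left over from an earlier link it should go. The comment on L38 would read more precisely as `// $form is now unslashed: use it only for output, not for DB lookups`, since that is the invariant the hidden fields below rely on.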
$questions = get_records_list("survey_questions", "id", $survey->questions);
$order = explode(",", $survey->questions);
+ $virtualscales = false;
foreach ($order as $key => $qid) { // Do we have virtual scales?
$question = $questions[$qid];
if ($question->type < 0) {
if ($question->type == 0) { // Plain text field
- echo "<textarea rows=\"3\" cols=\"30\" name=\"$question->id\">$question->options</textarea>";
+ echo "<textarea rows=\"3\" cols=\"30\" name=\"q$question->id\">$question->options</textarea>";
} else if ($question->type > 0) { // Choose one of a number
$strchoose = get_string("choose");
- echo "<select name=\"$question->id\">";
+ echo "<select name=\"q$question->id\">";
echo "<option value=\"0\" selected=\"selected\">$strchoose...</option>";
$options = explode( ",", $question->options);
foreach ($options as $key => $val) {
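Review bot: The textarea on L50 still interpolates `$question->options` unescaped into the markup, whereas the same commit escapes `$answer->answer1` with s() on L93; the options for the shipped surveys are presumably seeded strings, but the field is still a DB value rendered verbatim. For consistency with the rest of the change: `echo "<textarea rows=\"3\" cols=\"30\" name=\"q$question->id\">".s($question->options)."</textarea>";`. The `$key` loop variable on L45 is unused and could be dropped from the foreach. The inner foreach opened on L57 continues outside the hunk, so the rendering of the individual option values could not be reviewed here.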
</table>
<center>
<input type="hidden" name="intro" value="<?php p($form->intro) ?>" />
-<input type="hidden" name="destination" value="<?php echo "$CFG->wwwroot/course/mod.php" ?>" />
-
<input type="hidden" name="course" value="<?php p($form->course) ?>" />
<input type="hidden" name="sesskey" value="<?php p($form->sesskey) ?>" />
<input type="hidden" name="coursemodule" value="<?php p($form->coursemodule) ?>" />
// Check that all the parameters have been provided.
- $id = required_param('id', PARAM_INT); // Course Module ID
- $action = optional_param('action', '', PARAM_ALPHA); // What to look at
- $qid = optional_param('qid', 0, PARAM_INT); // Group ID
- $student = optional_param('student', 0, PARAM_INT); // Student ID
+ $id = required_param('id', PARAM_INT); // Course Module ID
+ $action = optional_param('action', '', PARAM_ALPHA); // What to look at
+ $qid = optional_param('qid', 0, PARAM_INT); // Question ID
+ $student = optional_param('student', 0, PARAM_INT); // Student ID
+ $notes = optional_param('notes', '', PARAM_RAW); // Save teachers notes
if (! $cm = get_record("course_modules", "id", $id)) {
error("Course Module ID was incorrect");
/// Print the menu across the top
+ $virtualscales = false;
+
switch ($action) {
case "summary":
print_heading(get_string("analysisof", "survey", fullname($user)));
- if (isset($notes)) {
+ if ($notes != '' and confirm_sesskey()) {
if (survey_get_analysis($survey->id, $user->id)) {
if (! survey_update_analysis($survey->id, $user->id, $notes)) {
notify("An error occurred while saving your notes. Sorry.");
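Review bot: The guard on L85, `$notes != '' and confirm_sesskey()`, makes an empty submission indistinguishable from no submission because the default on L75 is also `''`, so a teacher can no longer clear previously saved notes; the old `isset($notes)` was always true with optional_param(), so some change was needed, but the save should be keyed on the form having been posted rather than on the note being non-empty. One way that keeps the sesskey check is a dedicated marker posted with the form, e.g. `if (optional_param('savenotes', 0, PARAM_BOOL) and confirm_sesskey())`, with a matching hidden input next to the sesskey field the commit adds on L100. Since `$notes` is read as PARAM_RAW on L75 and stored as-is, a comment there such as `// raw on purpose: teacher-authored, escaped on output with p()` would record why no cleaning is applied, given that L97 does escape it on display.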
$table = NULL;
$table->head = array(get_string($question->text, "survey"));
$table->align = array ("left");
- $table->data[] = array("$answer->answer1");
+ $table->data[] = array(s($answer->answer1)); // no html here, just plain text
print_table($table);
print_spacer(30);
}
p($notes);
echo "</textarea><br />";
echo "<input type=\"hidden\" name=\"action\" value=\"student\" />";
+ echo "<input type=\"hidden\" name=\"sesskey\" value=\"".sesskey()."\" />";
echo "<input type=\"hidden\" name=\"student\" value=\"$student\" />";
echo "<input type=\"hidden\" name=\"id\" value=\"$cm->id\" />";
echo "<input type=\"submit\" value=\"".get_string("savechanges")."\" />";
foreach ($formdata as $key => $val) {
if ($key <> "userid" && $key <> "id") {
if ( substr($key,0,1) == "q") {
- $key = substr($key,1); // keep everything but the 'q'
+ $key = clean_param(substr($key,1), PARAM_ALPHANUM); // keep everything but the 'q', number or Pnumber
}
if ( substr($key,0,1) == "P") {
- $realkey = substr($key,1);
+ $realkey = (int) substr($key,1);
$answers[$realkey][1] = $val;
} else {
$answers[$key][0] = $val;
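Review bot: The two branches now disagree on the key type: L112 casts the `P`-prefixed key to int, but the plain branch on L115 stores under `$key` as left by clean_param(), which PARAM_ALPHANUM still allows to be a non-numeric string such as `abc`, so `$answers` can end up keyed by both ints and arbitrary alphanumeric strings. Making the branches symmetric, `$answers[(int) $key][0] = $val;`, or skipping non-numeric keys with `if (!is_numeric($key)) { continue; }` before the `P` test, would close that gap. `$val` itself is not cleaned in this loop; whether it is sanitised before reaching the database is outside the hunk, as is the end of the foreach that starts on L104. The `<>` comparisons on L105 would read better as `!==` in line with the rest of the new code.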
$table = NULL;
$table->head = array(get_string($question->text, "survey"));
$table->align = array ("left");
- $table->data[] = array("$answer->answer1");
+ $table->data[] = array(s($answer->answer1));//no html here, just plain text
print_table($table);
print_spacer(30);
}