From: defacer Date: Fri, 19 Nov 2004 02:47:00 +0000 (+0000) Subject: Correct construction of SQL clauses (fix for SC#20). X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=482dbe0cd483035f4a60652a456f1b80a2aa0cb1;p=moodle.git Correct construction of SQL clauses (fix for SC#20). Improved conformance with the new _param() functions a bit. --- diff --git a/calendar/lib.php b/calendar/lib.php index 6b3634c92f..87bfb8ef1f 100644 --- a/calendar/lib.php +++ b/calendar/lib.php @@ -388,6 +388,7 @@ function calendar_sql_where($tstart, $tend, $users, $groups, $courses, $withdura if(is_bool($users) && is_bool($groups) && is_bool($courses)) { return false; } + if(is_array($users) && !empty($users)) { // Events from a number of users if(!empty($whereclause)) $whereclause .= ' OR'; @@ -407,6 +408,7 @@ function calendar_sql_where($tstart, $tend, $users, $groups, $courses, $withdura // No user at all // No need to do anything } + if(is_array($groups) && !empty($groups)) { // Events from a number of groups if(!empty($whereclause)) $whereclause .= ' OR'; @@ -422,6 +424,8 @@ function calendar_sql_where($tstart, $tend, $users, $groups, $courses, $withdura if(!empty($whereclause)) $whereclause .= ' OR '; $whereclause .= ' groupid != 0'; } + // boolean false (no groups at all): we don't need to do anything + if(is_array($courses)) { // A number of courses (maybe none at all!) if(!empty($courses)) { 
@@ -446,6 +450,14 @@ function calendar_sql_where($tstart, $tend, $users, $groups, $courses, $withdura $whereclause .= ' groupid = 0 AND courseid != 0'; } + // Security check: if, by now, we have NOTHING in $whereclause, then it means + // that NO event-selecting clauses were defined. Thus, we won't be returning ANY + // events no matter what. Allowing the code to proceed might return a completely + // valid query with only time constraints, thus selecting ALL events in that time frame! + if(empty($whereclause)) { + return false; + } + if ($ignorehidden) { if (!empty($whereclause)) $whereclause .= ' AND'; $whereclause .= ' visible = 1'; diff --git a/calendar/view.php b/calendar/view.php index 4107d78f07..a12992e7f6 100644 --- a/calendar/view.php +++ b/calendar/view.php @@ -44,11 +44,7 @@ require_once($CFG->dirroot.'/course/lib.php'); require_once($CFG->dirroot.'/calendar/lib.php'); - optional_variable($_GET['view'], 'upcoming'); optional_variable($_GET['course'], 0); - optional_variable($_GET['cal_d']); - optional_variable($_GET['cal_m']); - optional_variable($_GET['cal_y']); if(!$site = get_site()) { redirect($CFG->wwwroot.'/'.$CFG->admin.'/index.php'); @@ -60,10 +56,14 @@ $nav = calendar_get_link_tag(get_string('calendar', 'calendar'), CALENDAR_URL.'view.php?view=upcoming&', $now['mday'], $now['mon'], $now['year']); - // Make sure that the GET variables are correct - $day = intval($_GET['cal_d']); - $mon = intval($_GET['cal_m']); - $yr = intval($_GET['cal_y']); + optional_param('view', 'upcoming'); + optional_param('cal_d', 0, PARAM_INT); + optional_param('cal_m', 0, PARAM_INT); + optional_param('cal_y', 0, PARAM_INT); + $day = $cal_d; + $mon = $cal_m; + $yr = $cal_y; + if(!checkdate($mon, $day, $yr)) { $day = intval($now['mday']); $mon = intval($now['mon']); @@ -71,7 +71,7 @@ } $time = mktime(0, 0, 0, $mon, $day, $yr); - switch($_GET['view']) { + switch($view) { case 'day': $text = strftime(get_string('strftimedate'), $time); if($text[0] == '0') { 
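Review bot: The new guard returns `false` when no selector clause was built, but nothing here stops a caller from concatenating that `false` straight into a query string, where it becomes an empty string and reproduces exactly the select-all-events case the comment warns about. The earlier `is_bool()` branch already returns `false` the same way, so the contract every caller must honour is to test the result with `=== false` before building a WHERE clause from it; that contract belongs in the function's docblock, e.g. `// Returns false when no user/group/course selector applies; callers MUST test for === false and must not build a WHERE clause from the result.`. It is also worth recording why `empty()` is safe as the test, since it would also fire on the string `'0'`: `// $whereclause is a SQL fragment, never the string '0', so empty() is a safe emptiness test here`. The body of calendar_sql_where starts and ends outside this hunk, so the docblock change is outside the visible lines.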
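Review bot: `optional_variable($_GET['course'], 0);` is left untouched on the kept line while the three date parameters around it are migrated to `optional_param(..., PARAM_INT)`, so the course id is the one request parameter in this block that still arrives with no type cleaning. For consistency with the rest of the commit it should become `optional_param('course', 0, PARAM_INT);`, with any later reads of `$_GET['course']` in this file (not visible in the hunk) switched to `$course`. If it was left as-is deliberately because something downstream still reads `$_GET['course']` directly, a one-line comment saying so would stop the next cleanup from tripping over it.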
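Review bot: `optional_param('view', 'upcoming');` is the only call in this hunk without an explicit PARAM_ type, so `$view` carries whatever the function's default cleaning leaves and is then used as the `switch($view)` selector and, further down the file, passed to `calendar_filter_controls($view, $getvars)`. Since the value only ever needs to match one of the switch's case labels, it should be constrained to that set: `optional_param('view', 'upcoming', PARAM_ALPHA);` if this version of the lib defines PARAM_ALPHA, or otherwise an explicit whitelist of the case labels that resets `$view = 'upcoming'` on anything else. Either way, a comment on the call such as `// 'view' selects a switch branch below; restrict it to the known labels rather than trusting the default cleaning` would make the intent clear. The `checkdate()` fallback that follows the new lines ends outside this hunk.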
@@ -139,7 +139,7 @@ echo ''; - switch($_GET['view']) { + switch($view) { case 'day': calendar_show_day($day, $mon, $yr, $courses, $groups, $users); break; @@ -161,7 +161,7 @@ list($prevmon, $prevyr) = calendar_sub_month($mon, $yr); list($nextmon, $nextyr) = calendar_add_month($mon, $yr); $getvars = 'cal_d='.$day.'&cal_m='.$mon.'&cal_y='.$yr; // For filtering - echo calendar_filter_controls($_GET['view'], $getvars); + echo calendar_filter_controls($view, $getvars); echo '
'; echo calendar_top_controls('display', array('m' => $prevmon, 'y' => $prevyr)); echo calendar_get_mini($courses, $groups, $users, $prevmon, $prevyr);