From eff9c473a6260863d459411d1211321ace1d4494 Mon Sep 17 00:00:00 2001
From: toyomoyo
Date: Wed, 4 Jul 2007 02:16:41 +0000
Subject: [PATCH] some grade import cleaning

---
 grade/import/csv/index.php         | 21 ++++++++++++---------
 grade/import/grade_import_form.php |  9 +++++++--
 2 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/grade/import/csv/index.php b/grade/import/csv/index.php
index 08fbc4353d..1ed05acc52 100755
--- a/grade/import/csv/index.php
+++ b/grade/import/csv/index.php
@@ -35,17 +35,18 @@ $mform = new grade_import_form();
 // they are somehow not returned with get_data()
 // if ($formdata = $mform2->get_data()) {
 if (($formdata = data_submitted()) && !empty($formdata->map)) {
-
+    // if mapping informatioin is supplied
     foreach ($formdata->maps as $i=>$header) {
-        $map[$header] = $formdata->mapping[$i];
-    }
+        // either "new" or existing ids, clean using alphanum
+        $map[clean_param($header, PARAM_RAW)] = clean_param($formdata->mapping[clean_param($i, PARAM_INT)], PARAM_ALPHANUM);
+    }
-    $map[$formdata->mapfrom] = $formdata->mapto;
+    $map[clean_param($formdata->mapfrom, PARAM_RAW)] = clean_param($formdata->mapto, PARAM_RAW);
     // temporary file name supplied by form
-    $filename = $CFG->dataroot.'/temp/'.$formdata->filename;
+    $filename = $CFG->dataroot.'/temp/'.clean_param($formdata->filename, PARAM_FILE);
     // Large files are likely to take their time and memory. Let PHP know
     // that we'll take longer, and that the process should be recycled soon
@@ -63,7 +64,7 @@ if (($formdata = data_submitted()) && !empty($formdata->map)) {
     $importcode = time();
     // --- get header (field names) ---
-    $header = split($csv_delimiter, fgets($fp,1024));
+    $header = split($csv_delimiter, clean_param(fgets($fp,1024), PARAM_RAW));
     foreach ($header as $i => $h) {
         $h = trim($h); $header[$i] = $h; // remove whitespace
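Review bot: `clean_param(..., PARAM_RAW)` performs no cleaning at all, so the three PARAM_RAW calls on `$header`, `$formdata->mapfrom` and `$formdata->mapto` leave those values exactly as submitted; only the PARAM_INT on `$i` and the PARAM_ALPHANUM on the mapping value change anything, and the new comment's "clean using alphanum" (with the typo `informatioin`) overstates what happens. `$formdata->mapto` lands in the same `$map` as the ALPHANUM-cleaned values and is later used as a switch selector, so it should get the same treatment: `$map[$formdata->mapfrom] = clean_param($formdata->mapto, PARAM_ALPHANUM);`. The `PARAM_FILE` on `$formdata->filename` is the substantive fix — it strips directory components, so the form-supplied name can no longer walk out of `$CFG->dataroot.'/temp/'` — but since that field is client-controlled, the page should still verify the file exists and belongs to this user's upload before opening it. The enclosing `if` block continues past the hunk.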
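Review bot: `fgets($fp,1024)` returns `false` on an empty file or read error, and wrapping it in `clean_param(..., PARAM_RAW)` neither cleans it (PARAM_RAW is a no-op) nor guards that case, so `split()` is handed `false` and the import continues with an empty header. Check the read first: `if (($headerline = fgets($fp, 1024)) === false) { /* report and stop via the page's error path */ }` and then `$header = split($csv_delimiter, $headerline);`. Any real validation of the header names presumably belongs in the `foreach` that follows (which continues past the hunk), after `trim()`. Note `split()` is the POSIX-regex function; `explode()` would be the plain-delimiter equivalent if `$csv_delimiter` is a literal.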
@@ -82,8 +83,9 @@ if (($formdata = data_submitted()) && !empty($formdata->map)) {
         // each line is a student record
         foreach ($line as $key => $value) {
             //decode encoded commas
+            $value = clean_param($value, PARAM_RAW);
             $value = preg_replace($csv_encode,$csv_delimiter2,trim($value));
-
+
             switch ($map[$header[$key]]) {
                 case 'userid':
                     // if (!$user = get_record('user','id', $value)) {
@@ -247,7 +249,7 @@ if (($formdata = data_submitted()) && !empty($formdata->map)) {
     $fp = fopen($filename, "r");
     // --- get header (field names) ---
-    $header = split($csv_delimiter, fgets($fp,1024));
+    $header = split($csv_delimiter, clean_param(fgets($fp,1024), PARAM_RAW));
     // print some preview
     $numlines = 0; // 0 preview lines displayed
@@ -256,6 +258,7 @@ if (($formdata = data_submitted()) && !empty($formdata->map)) {
     echo '';
     echo '';
     foreach ($header as $h) {
+        $h = clean_param($h, PARAM_RAW);
         echo '';
     }
     echo '';
@@ -263,7 +266,7 @@ if (($formdata = data_submitted()) && !empty($formdata->map)) {
     $lines = split($csv_delimiter, fgets($fp,1024));
     echo '';
     foreach ($lines as $line) {
-        echo '';;
+        echo '';;
     }
     $numlines ++;
     echo '';
diff --git a/grade/import/grade_import_form.php b/grade/import/grade_import_form.php
index 9c223e8f66..13314be619 100755
--- a/grade/import/grade_import_form.php
+++ b/grade/import/grade_import_form.php
@@ -7,9 +7,11 @@ class grade_import_form extends moodleform {
         // course id needs to be passed for auth purposes
         $mform->addElement('hidden', 'id', optional_param('id'));
+        $mform->setType('id', PARAM_INT);
         $mform->addElement('header', 'general', get_string('importfile', 'grades'));
         // file upload
         $mform->addElement('file', 'userfile', get_string('file'));
+        $mform->setType('userfile', PARAM_FILE);
         $mform->addRule('userfile', null, 'required');
         $textlib = new textlib();
         $encodings = $textlib->get_encodings();
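Review bot: The added `$value = clean_param($value, PARAM_RAW);` does nothing — PARAM_RAW returns its argument unchanged — so every CSV cell still reaches the `switch ($map[$header[$key]])` uncleaned while the line reads as if it had been sanitised. Cleaning has to be per-column because the correct type depends on the mapped field: `case 'userid':` should coerce with `clean_param($value, PARAM_INT)` before any lookup, and each text column with the type it actually needs. I would drop the no-op line rather than keep a misleading one. The `foreach`/`switch` continue beyond the hunk.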
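Review bot: This second header read has the same defect as the first: `clean_param(fgets($fp,1024), PARAM_RAW)` is a no-op and does not catch a `false` return from `fgets`, so an empty temp file reaches `split()` here as well. Check `=== false` before splitting, and since the line is now duplicated verbatim, pull the header read into one small helper so both copies are fixed together.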
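Review bot: `$h = clean_param($h, PARAM_RAW);` leaves `$h` unchanged, and the `echo` on the next line appears to interpolate it into the preview markup (the tags were lost in extraction), so a header name containing markup in the uploaded CSV is rendered verbatim to whoever views the preview — a file-to-page XSS. Escape for the HTML context instead and drop the no-op: `echo '<th>'.s($h).'</th>';` (Moodle's `s()` is the htmlspecialchars wrapper), adjusting the tag to whatever the original line used.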
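Review bot: The `clean_param($line, PARAM_RAW)` substituted into the preview cell echo is a no-op, so each cell value from the uploaded file is still written into HTML unescaped; use `s($line)` there, which is the escaping this output context actually needs. The doubled `;;` was carried over from the old line and should go. The `$lines` on the first line of the hunk come from another unchecked `fgets`, so at EOF inside the preview loop (which starts before the hunk) `split()` is again called on `false`.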
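Review bot: `$mform->setType('userfile', PARAM_FILE)` most likely has no effect on the upload — a `file` element's value comes from `$_FILES`, not from the submitted scalar that `setType` cleans — so the uploaded file name still has to be cleaned where the temp file is written, outside this hunk; confirm against formslib before relying on it. The `PARAM_INT` on `id` is right, but the comment `// course id needs to be passed for auth purposes` should not be read as the authorization itself: the capability check for that course has to happen server-side in the page that receives the value.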
@@ -17,6 +19,7 @@ class grade_import_form extends moodleform {
         $options = array('10'=>10, '20'=>20, '100'=>100, '1000'=>1000, '100000'=>100000);
         $mform->addElement('select', 'previewrows', 'Preview rows', $options); // TODO: localize
+        $mform->setType('previewrows', PARAM_INT);
         $this->add_action_buttons(false, get_string('uploadgrades', 'grades'));
     }
@@ -66,7 +69,7 @@ class grade_import_mapping_form extends moodleform {
         include_once($CFG->libdir.'/gradelib.php');
         if ($id) {
-            if ($grade_items = grade_grades::fetch_all(array('courseid'=>$id))) {
+            if ($grade_items = grade_item::fetch_all(array('courseid'=>$id))) {
                 foreach ($grade_items as $grade_item) {
                     $gradeitems[$grade_item->idnumber] = $grade_item->itemname;
                 }
@@ -93,10 +96,12 @@ class grade_import_mapping_form extends moodleform {
         // course id needs to be passed for auth purposes
         $mform->addElement('hidden', 'map', 1);
+        $mform->setType('map', PARAM_INT);
         $mform->addElement('hidden', 'id', optional_param('id'));
+        $mform->setType('id', PARAM_INT);
         //echo '';
         $mform->addElement('hidden', 'filename', $newfilename);
-
+        $mform->setType('filename', PARAM_FILE);
         $this->add_action_buttons(false, get_string('uploadgrades', 'grades'));
     }
-- 
2.39.5
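Review bot: `$gradeitems[$grade_item->idnumber] = $grade_item->itemname;` keys the mapping options by idnumber, so every grade item with an empty idnumber collapses onto the `''` key — only the last one is offered and a mapping to it is ambiguous. Skip those or key by `$grade_item->id`: `if ($grade_item->idnumber === '') { continue; }` before the assignment. Switching to `grade_item::fetch_all` is the right object; if `fetch_all` returning `false` for a course with no items is meant to fall through silently, say so in a comment. The enclosing method starts before the hunk.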
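Review bot: The temp file name round-trips through a client-controlled hidden field; `setType('filename', PARAM_FILE)` confines it to a bare file name, but a user can still submit any other name under `dataroot/temp`, including a different user's upload. Bind the temp file to the session instead — keep `$newfilename` (or a random token it is derived from) in `$SESSION` and compare on submit — rather than trusting the form value. The comment `// course id needs to be passed for auth purposes` sits above the `map` element rather than `id` and should move down one line.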
'.$h.'
'.$line.''.clean_param($line, PARAM_RAW).'