Sepe plugin: Add Database::escape_string

Author: jmontoyaa

plugin/sepe/ws/service.php

@@ -1,8 +1,7 @@
 <?php
+
 /* For licensing terms, see /license.txt */
-/**
- * @package chamilo.webservices
- */
+
 ini_set('log_errors_max_len', 0);
 ini_set('soap.wsdl_cache_enabled', '0');
 ini_set('soap.wsdl_cache_ttl', '0');
@@ -16,7 +15,6 @@
 
 require_once $libpath.'nusoap/class.nusoap_base.php';
 require_once api_get_path(SYS_PLUGIN_PATH).'sepe/src/wsse/soap-server-wsse.php';
-//require_once api_get_path(SYS_PLUGIN_PATH).'sepe/src/wsse/soap-wsse.php';
 
 $ns = api_get_path(WEB_PLUGIN_PATH)."sepe/ws/ProveedorCentroTFWS.wsdl";
 $wsdl = api_get_path(SYS_PLUGIN_PATH)."sepe/ws/ProveedorCentroTFWS.wsdl";
@@ -90,24 +88,24 @@ function authenticate($WSUser, $WSKey)
     $tUser = Database::get_main_table(TABLE_MAIN_USER);
     $tApi = Database::get_main_table(TABLE_MAIN_USER_API_KEY);
     $login = Database::escape_string($WSUser);
-    $sql = "SELECT u.user_id, u.status FROM $tUser u, $tApi a 
-            WHERE 
-                u.username='".$login."' AND  
-                u.user_id = a.user_id AND 
-                a.api_service = 'dokeos' AND 
+    $WSKey = Database::escape_string($WSKey);
+
+    $sql = "SELECT u.user_id, u.status FROM $tUser u, $tApi a
+            WHERE
+                u.username='".$login."' AND
+                u.user_id = a.user_id AND
+                a.api_service = 'dokeos' AND
                 a.api_key='".$WSKey."'";
     $result = Database::query($sql);
 
     if (Database::num_rows($result) > 0) {
         $row = Database::fetch_row($result);
-        if ($row[1] == '4') { //UserManager::is_admin($row[0])) {
+        if ($row[1] == '4') {
             return true;
-        } else {
-            return false;
         }
-    } else {
-        return false;
     }
+
+    return false;
 }
 
 $doc = new DOMDocument();