Fix queries: Add Database::escape_string + int casting

jmontoyaa · jmontoyaa · commit d501af7f9db4 · 2021-08-18T13:51:19.000+02:00
diff --git a/main/blog/blog.php b/main/blog/blog.php
@@ -7,7 +7,7 @@
  */
 require_once __DIR__.'/../inc/global.inc.php';
 
-$blog_id = isset($_GET['blog_id']) ? $_GET['blog_id'] : 0;
+$blog_id = isset($_GET['blog_id']) ? (int) $_GET['blog_id'] : 0;
 
 if (empty($blog_id)) {
     api_not_allowed(true);
diff --git a/main/forum/download.php b/main/forum/download.php
@@ -42,7 +42,7 @@
         WHERE
             f.c_id = '.$course_id.' AND
             a.c_id = '.$course_id.' AND
-            path LIKE BINARY "'.$doc_url.'"';
+            path LIKE BINARY "'.Database::escape_string($doc_url).'"';
 
 $result = Database::query($sql);
 $row = Database::fetch_array($result);
diff --git a/main/inc/ajax/exercise.ajax.php b/main/inc/ajax/exercise.ajax.php
@@ -167,6 +167,10 @@
         $sidx = $_REQUEST['sidx']; //index to filter
         $sord = $_REQUEST['sord']; //asc or desc
 
+        if (!in_array($sidx, ['firstname', 'lastname', 'start_date'])) {
+            $sidx = 1;
+        }
+
         if (!in_array($sord, ['asc', 'desc'])) {
             $sord = 'desc';
         }
diff --git a/main/session/session_category_list.php b/main/session/session_category_list.php
@@ -27,15 +27,15 @@ function selectAll(idCheck,numRows,action) {
 
 $page = isset($_GET['page']) ? (int) $_GET['page'] : null;
 $action = isset($_REQUEST['action']) ? Security::remove_XSS($_REQUEST['action']) : null;
-$sort = isset($_GET['sort']) && in_array($_GET['sort'], ['name', 'nbr_session', 'date_start', 'date_end'])
-    ? Security::remove_XSS($_GET['sort'])
-    : 'name';
+$columns = ['name', 'nbr_session', 'date_start', 'date_end'];
+$sort = isset($_GET['sort']) && in_array($_GET['sort'], $columns) ? Security::remove_XSS($_GET['sort']) : 'name';
 $idChecked = isset($_REQUEST['idChecked']) ? Security::remove_XSS($_REQUEST['idChecked']) : null;
-$order = isset($_REQUEST['order']) ? Security::remove_XSS($_REQUEST['order']) : 'ASC';
+$order = $_REQUEST['order'] ?? 'ASC';
+$order = $order === 'ASC' ? 'DESC' : 'ASC';
 $keyword = isset($_REQUEST['keyword']) ? Security::remove_XSS($_REQUEST['keyword']) : null;
 
 if ($action === 'delete_on_session' || $action === 'delete_off_session') {
-    $delete_session = $action == 'delete_on_session' ? true : false;
+    $delete_session = $action === 'delete_on_session' ? true : false;
     SessionManager::delete_session_category($idChecked, $delete_session);
     Display::addFlash(Display::return_message(get_lang('SessionCategoryDelete')));
     header('Location: '.api_get_self().'?sort='.$sort);
@@ -91,7 +91,6 @@ function selectAll(idCheck,numRows,action) {
 
     $query_rows = "SELECT count(*) as total_rows
                   FROM $tbl_session_category sc $where ";
-    $order = ($order == 'ASC') ? 'DESC' : 'ASC';
     $result_rows = Database::query($query_rows);
     $recorset = Database::fetch_array($result_rows);
     $num = $recorset['total_rows'];
