
Commit ef54cc0

authored
Merge commit from fork
* Improve syntax and format code
* Security: Plugin: VChamilo: Use prepared statements in delete and update queries
1 parent 874f59c commit ef54cc0


3 files changed

+27
-32
lines changed


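--- a/plugin/vchamilo/ajax/service.php
+++ b/plugin/vchamilo/ajax/service.php
@@ -5,7 +5,7 @@
 
 api_protect_admin_script();
 
-$action = isset($_GET['what']) ? $_GET['what'] : '';
+$action = $_GET['what'] ?? '';
 define('CHAMILO_INTERNAL', true);
 
 $plugin = VChamiloPlugin::create();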

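--- a/plugin/vchamilo/views/syncparams.controller.php
+++ b/plugin/vchamilo/views/syncparams.controller.php
@@ -1,6 +1,9 @@
 <?php
 /* For licensing terms, see /license.txt */
 
+use Doctrine\DBAL\Configuration;
+use Doctrine\DBAL\DriverManager;
+
 api_protect_admin_script();
 
 $sql = "SELECT * FROM vchamilo";
@@ -34,27 +37,24 @@
 
 foreach ($vchamilos as $chm) {
 $table = $chm['main_database'].".settings_current ";
-$sql = " SELECT * FROM $table
-WHERE
-variable = '{{$setting['variable']}}' AND
+$sql = " SELECT * FROM $table
+WHERE
+variable = '{{$setting['variable']}}' AND
 access_url = '{$setting['access_url']}'
 ";
 $result = Database::query($sql);
 
 if (Database::num_rows($result)) {
-$sql = "UPDATE $table SET
-selected_value = '$value'
-WHERE id = $settingId";
-Database::query($sql);
+Database::update($table, ['selected_Value' => $value, ['id' => $settingId]]);
 }
 }
 }
 break;
 case 'syncthis':
-$settingId = isset($_GET['settingid']) ? (int) $_GET['settingid'] : '';
+$settingId = isset($_GET['settingid']) ? (int) $_GET['settingid'] : 0;
 
-if (!empty($settingId) && is_numeric($settingId)) {
-$deleteIfEmpty = isset($_REQUEST['del']) ? $_REQUEST['del'] : '';
+if ($settingId) {
+$deleteIfEmpty = $_REQUEST['del'] ?? '';
 $value = $_REQUEST['value'];
 // Getting the local setting record.
 $setting = api_get_settings_params_simple(['id = ?' => $settingId]);
@@ -76,48 +76,43 @@
 $errors = '';
 foreach ($vchamilos as $instance) {
 $table = 'settings_current';
-$config = new \Doctrine\DBAL\Configuration();
+$config = new Configuration();
 $connectionParams = [
 'dbname' => $instance['main_database'],
 'user' => $instance['db_user'],
 'password' => $instance['db_password'],
 'host' => $instance['db_host'],
 'driver' => 'pdo_mysql',
 ];
-$connection = \Doctrine\DBAL\DriverManager::getConnection($connectionParams, $config);
 try {
+$connection = DriverManager::getConnection($connectionParams, $config);
+
 $variable = $setting['variable'];
 $subKey = $setting['subkey'];
 $category = $setting['category'];
 $accessUrl = $setting['access_url'];
 
 if ($deleteIfEmpty && empty($value)) {
-$sql = "DELETE FROM $table
-WHERE
-selected_value = '$value' AND
-variable = '$variable' AND
-access_url = '$accessUrl'
-";
-$connection->executeQuery($sql);
+$connection->delete($table, ['selected_value' => $value, 'variable' => $variable, 'access_url' => $accessUrl]);
 $case = 'delete';
 } else {
-$sql = "SELECT * FROM $table
-WHERE
-variable = '$variable' AND
+$sql = "SELECT * FROM $table
+WHERE
+variable = '$variable' AND
 access_url = '$accessUrl'
 ";
-$result = $connection->fetchAll($sql);
+$result = $connection->fetchAllAssociative($sql);
 
 if (!empty($result)) {
 //$sql = "UPDATE $table SET selected_value = '$value' WHERE id = $settingId";
-$sql = "UPDATE $table SET selected_value = '$value' WHERE variable = '$variable'";
+$criteria = ['variable' => $variable];
 if (!empty($subKey)) {
-$sql .= " AND subkey = '$subKey' ";
+$criteria['subkey'] = $subKey;
 }
 if (!empty($category)) {
-$sql .= " AND category = '$category'";
+$criteria['category'] = $category;
 }
-$connection->executeQuery($sql);
+$connection->update($table, ['selected_value' => $value], $criteria);
 } else {
 $connection->insert($table, $params);
 }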
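Review bot: The `Database::update()` call on new line 48 passes its WHERE criteria inside the attributes array — `['selected_Value' => $value, ['id' => $settingId]]` — so the second argument is one malformed attribute map and no condition argument is supplied at all, and the key `selected_Value` does not match the `selected_value` column used by the `$connection->update()` call on new line 115 of the same file. The intended form, matching the `['id = ?' => $settingId]` condition style already used with `api_get_settings_params_simple()` on line 60, is `Database::update($table, ['selected_value' => $value], ['id = ?' => $settingId]);`. Whether the helper rejects an empty condition set or would issue an unbounded UPDATE against the instance's `settings_current` cannot be seen from this hunk, so that path should be exercised before release. Separately, the SELECT on new lines 99–103 still interpolates `$variable` and `$accessUrl` while the DELETE and UPDATE around it were converted; `$result = $connection->fetchAllAssociative("SELECT * FROM $table WHERE variable = ? AND access_url = ?", [$variable, $accessUrl]);` would complete the change the commit message describes. The commented-out line 107 also suggests row ids are not shared across instances, so keying the remote update in the syncall loop on the local `$settingId` may be the wrong key; the `variable`-based criteria built on lines 108–115 look like the safer model, though `$settingId`'s origin in that branch is outside this hunk.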

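--- a/plugin/vchamilo/views/syncparams.php
+++ b/plugin/vchamilo/views/syncparams.php
@@ -6,7 +6,7 @@
 
 api_protect_admin_script();
 
-$action = isset($_GET['what']) ? $_GET['what'] : '';
+$action = $_GET['what'] ?? '';
 define('CHAMILO_INTERNAL', true);
 
 $plugin = VChamiloPlugin::create();
@@ -39,15 +39,15 @@
 $check = '';
 $attrs = ['center' => 'left'];
 $syncButton = '
-<input class="btn btn-default" type="button" name="syncthis"
+<input class="btn btn-default" type="button" name="syncthis"
 value="'.$plugin->get_lang('syncthis').'" onclick="ajax_sync_setting(\''.$param['id'].'\')" />
 <span id="res_'.$param['id'].'"></span>';
 $data = [
 $check,
 isset($param['subkey']) && !empty($param['subkey']) ? $param['variable'].' ['.$param['subkey'].']' : $param['variable'],
 $param['category'],
 $param['access_url'],
-'<input type="text" disabled name="value_'.$param['id'].'"
+'<input type="text" disabled name="value_'.$param['id'].'"
 value="'.htmlspecialchars($param['selected_value'], ENT_COMPAT, 'UTF-8').'" />'.
 '<br />Master value: '.$param['selected_value'],
 $syncButton,
@@ -69,7 +69,7 @@ function ajax_sync_setting(settingid) {
 var webUrl = '".api_get_path(WEB_PATH)."';
 var spare = $('#row_'+settingid).html();
 var formobj = document.forms['settingsform'];
-var url = webUrl + 'plugin/vchamilo/ajax/service.php?what=syncthis&settingid='+settingid+'&value='+encodeURIComponent(formobj.elements['value_'+settingid].value);
+var url = webUrl + 'plugin/vchamilo/ajax/service.php?what=syncthis&settingid='+settingid+'&value='+encodeURIComponent(formobj.elements['value_'+settingid].value);
 $('#row_'+settingid).html('<td colspan=\"7\"><img src=\"'+webUrl+'plugin/vchamilo/pix/ajax_waiter.gif\" /></td>');
 $.get(url, function (data) {
 $('#row_'+settingid).html(spare);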
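Review bot: The `Master value:` cell on line 52 echoes `$param['selected_value']` raw into the table HTML, while the adjacent `<input>` on line 51 passes the same value through `htmlspecialchars()`; the whitespace-only edit to line 50 touches this very string and is the right moment to make the two consistent, e.g. `'<br />Master value: '.htmlspecialchars($param['selected_value'], ENT_QUOTES, 'UTF-8'),`. Where `selected_value` originates and who can write it is outside this hunk, so it should be treated as untrusted output until confirmed. `$param['id']` is likewise interpolated into the `onclick` attribute on line 43, the `id` attribute on line 44 and the `name` attribute on line 50 without escaping; if it is always an integer that is harmless, but casting with `(int)` at the point of output would make that guarantee explicit rather than assumed.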
