Merge commit from fork

AngelFQC · web-flow · commit ef54cc0906a3 · 2025-06-17T18:21:25.000+02:00
* Improve syntax and format code

* Security: Plugin: VChamilo: Use prepared statements in delete and update queries
diff --git a/plugin/vchamilo/ajax/service.php b/plugin/vchamilo/ajax/service.php
@@ -5,7 +5,7 @@
 
 api_protect_admin_script();
 
-$action = isset($_GET['what']) ? $_GET['what'] : '';
+$action = $_GET['what'] ?? '';
 define('CHAMILO_INTERNAL', true);
 
 $plugin = VChamiloPlugin::create();
diff --git a/plugin/vchamilo/views/syncparams.controller.php b/plugin/vchamilo/views/syncparams.controller.php
@@ -1,6 +1,9 @@
 <?php
 /* For licensing terms, see /license.txt */
 
+use Doctrine\DBAL\Configuration;
+use Doctrine\DBAL\DriverManager;
+
 api_protect_admin_script();
 
 $sql = "SELECT * FROM vchamilo";
@@ -34,27 +37,24 @@
 
             foreach ($vchamilos as $chm) {
                 $table = $chm['main_database'].".settings_current ";
-                $sql = " SELECT * FROM $table 
-                     WHERE 
-                        variable = '{{$setting['variable']}}' AND 
+                $sql = " SELECT * FROM $table
+                     WHERE
+                        variable = '{{$setting['variable']}}' AND
                         access_url = '{$setting['access_url']}'
                     ";
                 $result = Database::query($sql);
 
                 if (Database::num_rows($result)) {
-                    $sql = "UPDATE $table SET 
-                            selected_value = '$value'
-                      WHERE id = $settingId";
-                    Database::query($sql);
+                    Database::update($table, ['selected_Value' => $value, ['id' => $settingId]]);
                 }
             }
         }
         break;
     case 'syncthis':
-        $settingId = isset($_GET['settingid']) ? (int) $_GET['settingid'] : '';
+        $settingId = isset($_GET['settingid']) ? (int) $_GET['settingid'] : 0;
 
-        if (!empty($settingId) && is_numeric($settingId)) {
-            $deleteIfEmpty = isset($_REQUEST['del']) ? $_REQUEST['del'] : '';
+        if ($settingId) {
+            $deleteIfEmpty = $_REQUEST['del'] ?? '';
             $value = $_REQUEST['value'];
             // Getting the local setting record.
             $setting = api_get_settings_params_simple(['id = ?' => $settingId]);
@@ -76,48 +76,43 @@
             $errors = '';
             foreach ($vchamilos as $instance) {
                 $table = 'settings_current';
-                $config = new \Doctrine\DBAL\Configuration();
+                $config = new Configuration();
                 $connectionParams = [
                     'dbname' => $instance['main_database'],
                     'user' => $instance['db_user'],
                     'password' => $instance['db_password'],
                     'host' => $instance['db_host'],
                     'driver' => 'pdo_mysql',
                 ];
-                $connection = \Doctrine\DBAL\DriverManager::getConnection($connectionParams, $config);
                 try {
+                    $connection = DriverManager::getConnection($connectionParams, $config);
+
                     $variable = $setting['variable'];
                     $subKey = $setting['subkey'];
                     $category = $setting['category'];
                     $accessUrl = $setting['access_url'];
 
                     if ($deleteIfEmpty && empty($value)) {
-                        $sql = "DELETE FROM $table 
-                                WHERE  
-                                    selected_value = '$value' AND   
-                                    variable = '$variable' AND 
-                                    access_url = '$accessUrl'
-                        ";
-                        $connection->executeQuery($sql);
+                        $connection->delete($table, ['selected_value' => $value, 'variable' => $variable, 'access_url' => $accessUrl]);
                         $case = 'delete';
                     } else {
-                        $sql = "SELECT * FROM $table 
-                                WHERE 
-                                    variable = '$variable' AND 
+                        $sql = "SELECT * FROM $table
+                                WHERE
+                                    variable = '$variable' AND
                                     access_url = '$accessUrl'
                                 ";
-                        $result = $connection->fetchAll($sql);
+                        $result = $connection->fetchAllAssociative($sql);
 
                         if (!empty($result)) {
                             //$sql = "UPDATE $table SET selected_value = '$value' WHERE id = $settingId";
-                            $sql = "UPDATE $table SET selected_value = '$value' WHERE variable = '$variable'";
+                            $criteria = ['variable' => $variable];
                             if (!empty($subKey)) {
-                                $sql .= " AND subkey = '$subKey' ";
+                                $criteria['subkey'] = $subKey;
                             }
                             if (!empty($category)) {
-                                $sql .= " AND category = '$category'";
+                                $criteria['category'] = $category;
                             }
-                            $connection->executeQuery($sql);
+                            $connection->update($table, ['selected_value' => $value], $criteria);
                         } else {
                             $connection->insert($table, $params);
                         }
diff --git a/plugin/vchamilo/views/syncparams.php b/plugin/vchamilo/views/syncparams.php
@@ -6,7 +6,7 @@
 
 api_protect_admin_script();
 
-$action = isset($_GET['what']) ? $_GET['what'] : '';
+$action = $_GET['what'] ?? '';
 define('CHAMILO_INTERNAL', true);
 
 $plugin = VChamiloPlugin::create();
@@ -39,15 +39,15 @@
     $check = '';
     $attrs = ['center' => 'left'];
     $syncButton = '
-        <input class="btn btn-default" type="button" name="syncthis" 
+        <input class="btn btn-default" type="button" name="syncthis"
             value="'.$plugin->get_lang('syncthis').'" onclick="ajax_sync_setting(\''.$param['id'].'\')" />
         <span id="res_'.$param['id'].'"></span>';
     $data = [
         $check,
         isset($param['subkey']) && !empty($param['subkey']) ? $param['variable'].' ['.$param['subkey'].']' : $param['variable'],
         $param['category'],
         $param['access_url'],
-        '<input type="text" disabled name="value_'.$param['id'].'" 
+        '<input type="text" disabled name="value_'.$param['id'].'"
         value="'.htmlspecialchars($param['selected_value'], ENT_COMPAT, 'UTF-8').'" />'.
         '<br />Master value: '.$param['selected_value'],
         $syncButton,
@@ -69,7 +69,7 @@ function ajax_sync_setting(settingid) {
     var webUrl = '".api_get_path(WEB_PATH)."';
     var spare = $('#row_'+settingid).html();
     var formobj = document.forms['settingsform'];
-    var url = webUrl + 'plugin/vchamilo/ajax/service.php?what=syncthis&settingid='+settingid+'&value='+encodeURIComponent(formobj.elements['value_'+settingid].value);    
+    var url = webUrl + 'plugin/vchamilo/ajax/service.php?what=syncthis&settingid='+settingid+'&value='+encodeURIComponent(formobj.elements['value_'+settingid].value);
     $('#row_'+settingid).html('<td colspan=\"7\"><img src=\"'+webUrl+'plugin/vchamilo/pix/ajax_waiter.gif\" /></td>');
     $.get(url, function (data) {
         $('#row_'+settingid).html(spare);
