addresses some pen problems

peer/addindividual.php

@@ -35,7 +35,7 @@
 $studentPicker = new StudentPicker( $dbConn, $newsnummer, 'Search and select participant to add.' );
 if ( isSet( $_REQUEST['searchname'] ) ) {
     if ( !preg_match( '/;/', $_REQUEST['searchname'] ) ) {
-        $searchname = $_REQUEST['searchname'];
+        $searchname = vaildate($_REQUEST['searchname'],'anything','xyz');
         $studentPicker->setSearchString( $searchname );
         if ( !isSet( $_REQUEST['newsnummer'] ) ) {
             $newsnummer = $studentPicker->findStudentNumber();

peer/alterproject.php

@@ -20,16 +20,16 @@
     $year -= 1;
 }
 if (isSet($_REQUEST['prj_id'])) {
-    $_SESSION['prj_id'] = $prj_id = $_REQUEST['prj_id'];
+    $_SESSION['prj_id'] = $prj_id = validate($_REQUEST['prj_id'],'integer','0');
 }
 
 $tutor = $tutor_code;
 $owner_id = $peer_id;
 //$dbConn->log($tutor_code);
 if (hasCap(CAP_SYSTEM) && isSet($_REQUEST['owner_id'])) {
     $owner_id = validate($_REQUEST['owner_id'], 'integer', 1);
-    $sql = "update project p set owner_id=$owner_id where prj_id=$prj_id";
-    $resultSet = $dbConn->Execute($sql);
+    $sql = 'update project p set owner_id=$1 where prj_id=$2';
+    $resultSet = $dbConn->Prepare($sql)->execute(array($owner_id,$prj_id));
 }
 // update
 if ($validator_clearance) {

peer/anyselect.php

@@ -19,7 +19,7 @@
 }
 if (isSet($_REQUEST['query_text'])) {
     $sql = $query_text = $_REQUEST['query_text'];
-    $expanded_query=templateWith($query_text, get_defined_vars());
+    $expanded_query = templateWith($query_text, get_defined_vars());
 }
 if (isSet($_REQUEST['query_name'])) {
     $query_name = $_REQUEST['query_name'];
@@ -32,23 +32,32 @@
     $query_name_s = pg_escape_string($_REQUEST['query_name']);
     $query_comment_s = pg_escape_string($_REQUEST['query_comment']);
     $query_text_s = pg_escape_string($_REQUEST['query_text']);
-    $save_query = "begin work;\n"
-            . "update any_query set active = false where owner={$peer_id} and query_name='{$query_name_s}';\n"
-            . "insert into any_query(owner,query_name,query_comment,query)\n"
-            . "values($peer_id,'$query_name_s','$query_comment_s','$query_text_s');"
-            . "\ncommit;";
-    $dbConn->Execute($save_query);
+//    $save_query = ""
+//            . "begin work;\n"
+//            . "update any_query set active = false where owner={$peer_id} and query_name='{$query_name_s}';\n"
+//            . "insert into any_query(owner,query_name,query_comment,query)\n"
+//            . "values(?,?,?,?);"
+//            . "\ncommit;";
+    $save_query = 
+<<<'SQL'
+    begin work
+    update any_query set active = false where owner=$1 and query_name=$2
+    insert into any_query(owner,query_name,query_comment,query)
+    values($3,$4,$5,$6)
+    commit
+SQL;
+    $dbConn->Prepare($save_query)->execute($peer_id,$query_name,$peer_id, $query_name_s, $query_comment_s, $query_text_s);
 }
 
 if (isSet($_REQUEST['delete_query']) && preg_match('/^\d+$/', $_REQUEST['delete_query'])) {
-    $dquery = $_REQUEST['delete_query'];
+    $dquery = validate($_REQUEST['delete_query'],'integer','0');
 
-    $delete_query = "delete from any_query where owner={$peer_id} and any_query_id={$dquery}";
-    $dbConn->Execute($delete_query);
+    $delete_query = "delete from any_query where owner=$1 and any_query_id=$1";
+    $dbConn->Execute($delete_query)->execute($peer_id,$dquery);
 }
 
 $spreadSheetWriter = new SpreadSheetWriter($dbConn, $expanded_query);
-$fdate=date('Y-m-d-H-i');
+$fdate = date('Y-m-d-H-i');
 $filename = "anyquery-{$fdate}";
 
 $spreadSheetWriter->setFilename($filename)
@@ -77,7 +86,7 @@
 $my_queries_table = '';
 if ($resultSet !== FALSE) {
     if (!$resultSet->EOF) {
-        $my_queries_table .="<table border='1' style='border-collapse:collapse; background:rgba(224,224,224,0.8)' width='100%'>\n"
+        $my_queries_table .= "<table border='1' style='border-collapse:collapse; background:rgba(224,224,224,0.8)' width='100%'>\n"
                 . "<tr><th>query id</th><th>owner id</th><th>query comment</th><th>query text</th><th>&nbsp;</th></tr>";
         while (!$resultSet->EOF) {
             extract($resultSet->fields);
@@ -87,7 +96,7 @@
                     . "<td>$query_comment</td><td><pre>$query</pre></td><td><a href='{$PHP_SELF}?delete_query={$any_query_id}' title='delete query'><img src='images/delete-icon.png' border='0' alt='delete'/></td></tr>\n";
             $resultSet->moveNext();
         }
-        $my_queries_table .="</table>\n";
+        $my_queries_table .= "</table>\n";
     }
 }
 
@@ -112,7 +121,7 @@
     <div>For query <pre><?= $sql ?></pre>
         <?php
         if ($sql != '' && !preg_match("/(begin|drop|delete|insert|commit)/", $sql)) {
-            $expanded_sql=templateWith($sql, get_defined_vars());
+            $expanded_sql = templateWith($sql, get_defined_vars());
             simpletable($dbConn, $expanded_sql, "<table id='myTable' class='tablesorter' summary='your requested data'"
                     . " style='empty-cells:show;border-collapse:collapse' border='1'>");
         }

peer/burnrubber.php

@@ -2,7 +2,7 @@
 requireCap(CAP_SYSTEM);
 
 require_once 'rubberstuff.php';
-$filename = $_REQUEST['rubberproduct'];
+$filename = validate($_REQUEST['rubberproduct'],'filename','x.txt');
 $filename = "$rubberbase/".preg_replace('/^(\.\/)+/','',$filename).'*';
 //echo "/bin/rm -f $filename";
 @`/bin/rm -f $filename`;

peer/classmaker.php

@@ -1,4 +1,5 @@
 <?php
+
 requireCap(CAP_ALTER_STUDENT_CLASS);
 require_once 'component.php';
 require_once('navigation2.php');
@@ -21,16 +22,19 @@
 $prefix = 'noprefix';
 
 if (isSet($_REQUEST['oldclass_id'])) {
-    $_SESSION['oldclass_id'] = $oldclass_id = $_REQUEST['oldclass_id'];
+    $_SESSION['oldclass_id'] = $oldclass_id = vaildate($_REQUEST['oldclass_id'], 'integer', '0');
 }
 if (isSet($_POST['newclass_id'])) {
-    $_SESSION['newclass_id'] = $newclass_id = $_POST['newclass_id'];
+    $_SESSION['newclass_id'] = $newclass_id = validate($_POST['newclass_id'], 'integer', '0');
 }
 if (isSet($oldclass_id)) {
-    $sql = "select trim(faculty_short) as faculty_short,trim(sclass) as sclass,\n"
-            . "lower(rtrim(faculty_short)||'.'||rtrim(sclass)) as prefix\n"
-            . " from student_class join faculty using(faculty_id) where class_id=$oldclass_id";
-    $resultSet = $dbConn->Execute($sql);
+    $sql = <<<'SQL'
+   select trim(faculty_short) as faculty_short,trim(sclass) as sclass,
+   lower(rtrim(faculty_short)||'.'||rtrim(sclass)) as prefix
+   from student_class join faculty using(faculty_id) where class_id=\$1
+SQL;
+
+    $resultSet = $dbConn->Execute($sql)->execute(array($oldclass_id));
     if ($resultSet !== false) {
         extract($resultSet->fields);
     }

peer/classphoto.php

@@ -17,7 +17,7 @@
     extract($resultSet->fields);
 
 if (isSet($_REQUEST['class_id'])) {
-    $_SESSION['class_id'] = $class_id = $_REQUEST['class_id'];
+    $_SESSION['class_id'] = $class_id = validate($_REQUEST['class_id'], 'integer', '0');
 }
 
 $style = file_get_contents('js/balloonscript.html');
@@ -28,9 +28,8 @@
 $oldClassSelector = $classSelectorClass->setAutoSubmit(true)->addConstraint('sort1 < 10 and student_count <>0')->getSelector();
 
 
-$sql = "select * from hoofdgrp where hoofdgrp='$class_id'";
-$sql = "select * from student_class natural join faculty where class_id='$class_id'";
-$resultSet = $dbConn->Execute($sql);
+$sql = 'select * from student_class natural join faculty where class_id=$1';
+$resultSet = $dbConn->Prepare($sql)->execute(array($class_id));
 if ($resultSet === false) {
     die("<br>Cannot get class data with " . $sql . " reason " . $dbConn->ErrorMsg() . "<br>");
 }
@@ -41,21 +40,23 @@
 $page_opening = "Class photos for class  $faculty_short.$sclass $class_id $year-" . ($year + 1);
 $nav = new Navigation($tutor_navtable, basename($PHP_SELF), $page_opening);
 $nav->setInterestMap($tabInterestCount);
-$sql = "SELECT distinct st.snummer as number," .
-        "st.roepnaam||' '||coalesce(regexp_replace(st.tussenvoegsel,'''','&rsquo;')||' ','')||st.achternaam as name,\n" .
-        "st.achternaam,st.roepnaam,st.tussenvoegsel,cohort,cohort,st.opl as opl_code,pcn,lang,sex,gebdat,\n" .
-        "straat,huisnr,pcode,plaats,nationaliteit,\n" .
-        "td.roepnaam||coalesce(' '||td.tussenvoegsel,'')||' '||td.achternaam as slb,coalesce(td.tutor,'---') as slb_ab,\n" .
-        "st.hoofdgrp as sclass, st.snummer as participant, course_description as opleiding,gebdat as birthday,\n" .
-        "'fotos/'||image as image\n" .
-        " from student_email st \n" .
-        "left join fontys_course fc on(st.opl=fc.course)\n" .
-        "left join tutor_join_student td on (st.slb=td.snummer)\n" .
-        "where class_id='$class_id'  " .
-        "order by achternaam,roepnaam";
+$sql = <<<'SQL'
+    SELECT distinct st.snummer as number, 
+    st.roepnaam||' '||coalesce(regexp_replace(st.tussenvoegsel,'''','&rsquo;')||' ','')||st.achternaam as name, 
+    st.achternaam,st.roepnaam,st.tussenvoegsel,cohort,cohort,st.opl as opl_code,pcn,lang,sex,gebdat, 
+    straat,huisnr,pcode,plaats,nationaliteit, 
+    td.roepnaam||coalesce(' '||td.tussenvoegsel,'')||' '||td.achternaam as slb,coalesce(td.tutor,'---') as slb_ab, 
+    st.hoofdgrp as sclass, st.snummer as participant, course_description as opleiding,gebdat as birthday, 
+    'fotos/'||image as image 
+     from student_email st  
+    left join fontys_course fc on(st.opl=fc.course) 
+    left join tutor_join_student td on (st.slb=td.snummer) 
+    where class_id=$1   
+    order by achternaam,roepnaam
+SQL;
 
 //$dbConn->log($sql);
-$resultSet = $dbConn->Execute($sql);
+$resultSet = $dbConn->Prepare($sql)->execute(array($class_id));
 if ($resultSet === false) {
     die("<br>Cannot get student data with \"" . $sql . '", cause ' . $dbConn->ErrorMsg() . "<br>");
 }