From d43c477605478dc4e66a59d219fad960f0d48c38 Mon Sep 17 00:00:00 2001
From: "Pieter van den Hombergh (homberghp)" <p.vandenhombergh@fontys.nl>
Date: Tue, 9 Apr 2019 14:05:35 +0200
Subject: [PATCH] addresses some pen problems

---
 peer/addindividual.php    |   2 +-
 peer/alterproject.php     |   6 +-
 peer/anyselect.php        |  37 ++++++----
 peer/buit.php             | 148 --------------------------------------
 peer/burnrubber.php       |   2 +-
 peer/classmaker.php       |  16 +++--
 peer/classphoto.php       |  35 ++++-----
 peer/vang.php             |  65 -----------------
 peer/youvote.php          |  61 ----------------
 peer/zipit.php            |   7 +-
 peerlib/studentpicker.php |   2 +-
 peerlib/validators.php    | 101 ++++++++++++++------------
 12 files changed, 117 insertions(+), 365 deletions(-)
 delete mode 100644 peer/buit.php
 delete mode 100644 peer/vang.php
 delete mode 100644 peer/youvote.php

diff --git a/peer/addindividual.php b/peer/addindividual.php
index 41edeb8..5ce8229 100644
--- a/peer/addindividual.php
+++ b/peer/addindividual.php
@@ -35,7 +35,7 @@
 $studentPicker = new StudentPicker( $dbConn, $newsnummer, 'Search and select participant to add.' );
 if ( isSet( $_REQUEST['searchname'] ) ) {
     if ( !preg_match( '/;/', $_REQUEST['searchname'] ) ) {
-        $searchname = $_REQUEST['searchname'];
+        $searchname = vaildate($_REQUEST['searchname'],'anything','xyz');
         $studentPicker->setSearchString( $searchname );
         if ( !isSet( $_REQUEST['newsnummer'] ) ) {
             $newsnummer = $studentPicker->findStudentNumber();
diff --git a/peer/alterproject.php b/peer/alterproject.php
index 8112d74..28d1091 100644
--- a/peer/alterproject.php
+++ b/peer/alterproject.php
@@ -20,7 +20,7 @@
     $year -= 1;
 }
 if (isSet($_REQUEST['prj_id'])) {
-    $_SESSION['prj_id'] = $prj_id = $_REQUEST['prj_id'];
+    $_SESSION['prj_id'] = $prj_id = validate($_REQUEST['prj_id'],'integer','0');
 }
 
 $tutor = $tutor_code;
@@ -28,8 +28,8 @@
 //$dbConn->log($tutor_code);
 if (hasCap(CAP_SYSTEM) && isSet($_REQUEST['owner_id'])) {
     $owner_id = validate($_REQUEST['owner_id'], 'integer', 1);
-    $sql = "update project p set owner_id=$owner_id where prj_id=$prj_id";
-    $resultSet = $dbConn->Execute($sql);
+    $sql = 'update project p set owner_id=$1 where prj_id=$2';
+    $resultSet = $dbConn->Prepare($sql)->execute(array($owner_id,$prj_id));
 }
 // update
 if ($validator_clearance) {
diff --git a/peer/anyselect.php b/peer/anyselect.php
index 426ebec..c790816 100644
--- a/peer/anyselect.php
+++ b/peer/anyselect.php
@@ -19,7 +19,7 @@
 }
 if (isSet($_REQUEST['query_text'])) {
     $sql = $query_text = $_REQUEST['query_text'];
-    $expanded_query=templateWith($query_text, get_defined_vars());
+    $expanded_query = templateWith($query_text, get_defined_vars());
 }
 if (isSet($_REQUEST['query_name'])) {
     $query_name = $_REQUEST['query_name'];
@@ -32,23 +32,32 @@
     $query_name_s = pg_escape_string($_REQUEST['query_name']);
     $query_comment_s = pg_escape_string($_REQUEST['query_comment']);
     $query_text_s = pg_escape_string($_REQUEST['query_text']);
-    $save_query = "begin work;\n"
-            . "update any_query set active = false where owner={$peer_id} and query_name='{$query_name_s}';\n"
-            . "insert into any_query(owner,query_name,query_comment,query)\n"
-            . "values($peer_id,'$query_name_s','$query_comment_s','$query_text_s');"
-            . "\ncommit;";
-    $dbConn->Execute($save_query);
+//    $save_query = ""
+//            . "begin work;\n"
+//            . "update any_query set active = false where owner={$peer_id} and query_name='{$query_name_s}';\n"
+//            . "insert into any_query(owner,query_name,query_comment,query)\n"
+//            . "values(?,?,?,?);"
+//            . "\ncommit;";
+    $save_query = 
+<<<'SQL'
+    begin work
+    update any_query set active = false where owner=$1 and query_name=$2
+    insert into any_query(owner,query_name,query_comment,query)
+    values($3,$4,$5,$6)
+    commit
+SQL;
+    $dbConn->Prepare($save_query)->execute($peer_id,$query_name,$peer_id, $query_name_s, $query_comment_s, $query_text_s);
 }
 
 if (isSet($_REQUEST['delete_query']) && preg_match('/^\d+$/', $_REQUEST['delete_query'])) {
-    $dquery = $_REQUEST['delete_query'];
+    $dquery = validate($_REQUEST['delete_query'],'integer','0');
 
-    $delete_query = "delete from any_query where owner={$peer_id} and any_query_id={$dquery}";
-    $dbConn->Execute($delete_query);
+    $delete_query = "delete from any_query where owner=$1 and any_query_id=$1";
+    $dbConn->Execute($delete_query)->execute($peer_id,$dquery);
 }
 
 $spreadSheetWriter = new SpreadSheetWriter($dbConn, $expanded_query);
-$fdate=date('Y-m-d-H-i');
+$fdate = date('Y-m-d-H-i');
 $filename = "anyquery-{$fdate}";
 
 $spreadSheetWriter->setFilename($filename)
@@ -77,7 +86,7 @@
 $my_queries_table = '';
 if ($resultSet !== FALSE) {
     if (!$resultSet->EOF) {
-        $my_queries_table .="<table border='1' style='border-collapse:collapse; background:rgba(224,224,224,0.8)' width='100%'>\n"
+        $my_queries_table .= "<table border='1' style='border-collapse:collapse; background:rgba(224,224,224,0.8)' width='100%'>\n"
                 . "<tr><th>query id</th><th>owner id</th><th>query comment</th><th>query text</th><th>&nbsp;</th></tr>";
         while (!$resultSet->EOF) {
             extract($resultSet->fields);
@@ -87,7 +96,7 @@
                     . "<td>$query_comment</td><td><pre>$query</pre></td><td><a href='{$PHP_SELF}?delete_query={$any_query_id}' title='delete query'><img src='images/delete-icon.png' border='0' alt='delete'/></td></tr>\n";
             $resultSet->moveNext();
         }
-        $my_queries_table .="</table>\n";
+        $my_queries_table .= "</table>\n";
     }
 }
 
@@ -112,7 +121,7 @@
     <div>For query <pre><?= $sql ?></pre>
         <?php
         if ($sql != '' && !preg_match("/(begin|drop|delete|insert|commit)/", $sql)) {
-            $expanded_sql=templateWith($sql, get_defined_vars());
+            $expanded_sql = templateWith($sql, get_defined_vars());
             simpletable($dbConn, $expanded_sql, "<table id='myTable' class='tablesorter' summary='your requested data'"
                     . " style='empty-cells:show;border-collapse:collapse' border='1'>");
         }
diff --git a/peer/buit.php b/peer/buit.php
deleted file mode 100644
index 609995c..0000000
--- a/peer/buit.php
+++ /dev/null
@@ -1,148 +0,0 @@
-<?php
-requireCap(CAP_SYSTEM);
-require_once('peerutils.php');
-require_once('validators.php');
-require_once('simplequerytable.php');
-
-if ( isSet( $_REQUEST['newscancode'] ) ) {
-  $id = validate( $_REQUEST['newscancode'], 'integer', '0' );
-} else if ( isSet( $_REQUEST['id'] ) ) {
-  $id = $_REQUEST['id'];
-} else {
-  $id = 0;
-}
-$boxes = array( );
-$sql = "select id,roepnaam||coalesce(' '||tussenvoegsel||' '::text,' ')||achternaam as name,\n" .
-        "straat||' '||huisnr as adres, plaats,country as land,postcode,gebdat,omschrijving_studieprog,status,cohort,'fotos/'||coalesce(rp.snummer,0)||'.jpg' as foto, \n" .
-        "rtrim(coalesce(ju.diplvo,j.diplvo)) as diplvo,\n" .
-        "rtrim(coalesce(ju.cijfer,j.cijfer)) as cijfer,\n" .
-        "rtrim(coalesce(ju.betbew,j.betbew)) as betbew,\n" .
-        "rtrim(coalesce(ju.pasprt,j.pasprt)) as pasprt,\n" .
-        "rtrim(coalesce(ju.uittre,j.uittre)) as uittre,\n" .
-        "rtrim(coalesce(ju.renrij,j.renrij)) as renrij \n" .
-        "from jaaglijst j join jaag_naws naws using(id) left join (select * from  jaaglijst_update where id=$id \n" .
-        "\tand trans_id=(select max(trans_id) from jaaglijst_update where id=$id))ju using(id) \n" .
-        "join iso3166 i on (naws.land=i.a3) left join registered_photos rp on (id=snummer) where id=$id \n";
-$resultSet = $dbConn->execute( $sql );
-if ( $resultSet === false ) {
-  echo ( "<br>Cannot get jaagbuit data with " . $sql . " reason " . $dbConn->ErrorMsg() . "<br>");
-}
-if ( !$resultSet->EOF ) {
-  extract( $resultSet->fields );
-  $checks = array( 'diplvo', 'cijfer', 'betbew', 'pasprt', 'uittre', 'renrij' );
-  $rownr = 0;
-  foreach ( $checks as $check ) {
-    switch ( $check ) {
-      case 'diplvo':
-        $title = 'Kopie Diploma<br/> vooropleiding';
-        $img = 'images/diploma_thumb.jpg';
-        break;
-      case 'cijfer':
-        $title = 'Gewaarmerkte <br/>Cijferlijst';
-        $img = 'images/rapport_thumb.gif';
-        break;
-      case 'betbew':
-        $title = 'Betalingsbewijs';
-        $img = 'images/bankafschrift_thumb.jpg';
-        break;
-      case 'pasprt':
-        $title = 'Kopie paspoort';
-        $img = 'images/passport_thumb.jpg';
-        break;
-      case 'uittre':
-        $title = 'Uittreksel<br/>bevolkingsregister';
-        $img = 'images/bevolkingsregister_thumb.jpg';
-        break;
-      case 'renrij':
-        $title = 'Herinschrijving<br/>studielink';
-        $img = 'images/studielinklogo_thumb.png';
-        break;
-    }
-
-    if ( $resultSet->fields[$check] == 'Voltooid' || $resultSet->fields[$check] == 'Vrijstelling' ) {
-      $widgetcells = "<td colspan='2' style='text-align:center;font-weight:normal;font-style:italic;font-size:80%'>" . $resultSet->fields[$check] . "</td>";
-    } else {
-      if ( $resultSet->fields[$check] == 'Ingeleverd' ) {
-        $checked = 'checked';
-      } else {
-        $checked = '';
-      }
-      $widgetcells = "\t<td  class='button'>\n" .
-              "\t\t<button type='button' onclick=\"javascript:toggle('$check')\">\t" .
-              "\t\t\t<img align='middle' src='$img'/>\n" .
-              "\t\t</button>\n" .
-              "\t</td>\n" .
-              "\t<td><input type='checkbox' name='$check' id='$check' value='Ingeleverd' $checked />\n" .
-              "\t\t<input type='hidden' name='boxes[]' value='$check'/>\n" .
-              "\t</td>\n";
-    }
-
-    $boxwidget = "<tr class='" . (($rownr++ % 2) ? 'odd' : 'even') . " big'>\n" .
-            "<td class='itemtext'>$title</td>\n" .
-            $widgetcells .
-            "</tr>\n";
-    $boxes[$check] = $boxwidget;
-  }
-} else {
-  $name = 'NOT FOUND';
-}
-
-$sqlhistory = "select  \n" .
-        "to_char(ts,'YYYY-MM-DD HH24:MI') as date_time,\n" .
-        "rtrim(coalesce(ju.diplvo,j.diplvo)) as diplvo,\n" .
-        "rtrim(coalesce(ju.cijfer,j.cijfer)) as cijfer,\n" .
-        "rtrim(coalesce(ju.betbew,j.betbew)) as betbew,\n" .
-        "rtrim(coalesce(ju.pasprt,j.pasprt)) as pasprt,\n" .
-        "rtrim(coalesce(ju.uittre,j.uittre)) as uittre, \n" .
-        "rtrim(coalesce(ju.renrij,j.renrij)) as renrij, \n" .
-        " trans_id,operator,op_name as operator_name\n" .
-        " from jaaglijst j left join jaaglijst_update ju using (id) natural join transaction_operator where id =$id\n" .
-        "union\n" .
-        "select to_char((select value::timestamp from peer_settings where key='jaag_import'),'YYYY-MM-DD HH24:MI') as date_time,\n" .
-        "j.diplvo, \n" .
-        "j.cijfer,\n" .
-        "j.betbew,\n" .
-        "j.pasprt,\n" .
-        "j.uittre, \n" .
-        "j.renrij, \n" .
-        " 0 as trans_id,0 as operator,'Initial import from PS' as operator_name\n" .
-        " from jaaglijst j where id =$id\n" .
-        "order by trans_id desc";
-$resultSet = $dbConn->execute( $sqlhistory );
-if ( $resultSet === false ) {
-  echo ( "<br>Cannot get prj_id milestone " . $sql . " reason " . $dbConn->ErrorMsg() . "<br>");
-}
-$hisTable = "<table border='1' style='border-collapse:collapse'>
-<tr>
-<th class='tabledata head' style='text-algin:left;'>Date time</th>
-
-  <th class='tabledata head' style='text-algin:left;'>Diplvo</th>
-  <th class='tabledata head' style='text-algin:left;'>Cijfer</th>
-  <th class='tabledata head' style='text-algin:left;'>Betbew</th>
-  <th class='tabledata head' style='text-algin:left;'>Pasprt</th>
-  <th class='tabledata head' style='text-algin:left;'>Uittre</th>
-  <th class='tabledata head' style='text-algin:left;'>Studielink</th>
-  <th class='tabledata head' style='text-algin:left;'>Trans id</th>
-
-  <th class='tabledata head' style='text-algin:left;'>Operator</th>
-  <th class='tabledata head' style='text-algin:left;'>Operator name</th>
-</tr>\n";
-
-while ( !$resultSet->EOF ) {
-  extract( $resultSet->fields );
-  $hisTable .= "<tr>\n\t<td>$date_time</td>\n" .
-          "\t<td class='$diplvo'>$diplvo</td>\n" .
-          "\t<td class='$cijfer'>$cijfer</td>\n" .
-          "\t<td class='$betbew'>$betbew</td>\n" .
-          "\t<td class='$pasprt'>$pasprt</td>\n" .
-          "\t<td class='$uittre'>$uittre</td>\n" .
-          "\t<td class='$renrij'>$renrij</td>\n" .
-          "\t<td style='text-align:right'>$trans_id</td>\n" .
-          "\t<td style='text-align:center'>$operator</td>\n" .
-          "\t<td>$operator_name</td>\n" .
-          "</tr>\n";
-  $resultSet->moveNext();
-}
-$hisTable .="</table>\n";
-include 'templates/buit.xhtml';
-?>
\ No newline at end of file
diff --git a/peer/burnrubber.php b/peer/burnrubber.php
index 2150606..f663e14 100644
--- a/peer/burnrubber.php
+++ b/peer/burnrubber.php
@@ -2,7 +2,7 @@
 requireCap(CAP_SYSTEM);
 
 require_once 'rubberstuff.php';
-$filename = $_REQUEST['rubberproduct'];
+$filename = validate($_REQUEST['rubberproduct'],'filename','x.txt');
 $filename = "$rubberbase/".preg_replace('/^(\.\/)+/','',$filename).'*';
 //echo "/bin/rm -f $filename";
 @`/bin/rm -f $filename`;
diff --git a/peer/classmaker.php b/peer/classmaker.php
index 1514655..3ec7403 100644
--- a/peer/classmaker.php
+++ b/peer/classmaker.php
@@ -1,4 +1,5 @@
 <?php
+
 requireCap(CAP_ALTER_STUDENT_CLASS);
 require_once 'component.php';
 require_once('navigation2.php');
@@ -21,16 +22,19 @@
 $prefix = 'noprefix';
 
 if (isSet($_REQUEST['oldclass_id'])) {
-    $_SESSION['oldclass_id'] = $oldclass_id = $_REQUEST['oldclass_id'];
+    $_SESSION['oldclass_id'] = $oldclass_id = vaildate($_REQUEST['oldclass_id'], 'integer', '0');
 }
 if (isSet($_POST['newclass_id'])) {
-    $_SESSION['newclass_id'] = $newclass_id = $_POST['newclass_id'];
+    $_SESSION['newclass_id'] = $newclass_id = validate($_POST['newclass_id'], 'integer', '0');
 }
 if (isSet($oldclass_id)) {
-    $sql = "select trim(faculty_short) as faculty_short,trim(sclass) as sclass,\n"
-            . "lower(rtrim(faculty_short)||'.'||rtrim(sclass)) as prefix\n"
-            . " from student_class join faculty using(faculty_id) where class_id=$oldclass_id";
-    $resultSet = $dbConn->Execute($sql);
+    $sql = <<<'SQL'
+   select trim(faculty_short) as faculty_short,trim(sclass) as sclass,
+   lower(rtrim(faculty_short)||'.'||rtrim(sclass)) as prefix
+   from student_class join faculty using(faculty_id) where class_id=\$1
+SQL;
+
+    $resultSet = $dbConn->Execute($sql)->execute(array($oldclass_id));
     if ($resultSet !== false) {
         extract($resultSet->fields);
     }
diff --git a/peer/classphoto.php b/peer/classphoto.php
index 59a50ca..d42647e 100644
--- a/peer/classphoto.php
+++ b/peer/classphoto.php
@@ -17,7 +17,7 @@
     extract($resultSet->fields);
 
 if (isSet($_REQUEST['class_id'])) {
-    $_SESSION['class_id'] = $class_id = $_REQUEST['class_id'];
+    $_SESSION['class_id'] = $class_id = validate($_REQUEST['class_id'], 'integer', '0');
 }
 
 $style = file_get_contents('js/balloonscript.html');
@@ -28,9 +28,8 @@
 $oldClassSelector = $classSelectorClass->setAutoSubmit(true)->addConstraint('sort1 < 10 and student_count <>0')->getSelector();
 
 
-$sql = "select * from hoofdgrp where hoofdgrp='$class_id'";
-$sql = "select * from student_class natural join faculty where class_id='$class_id'";
-$resultSet = $dbConn->Execute($sql);
+$sql = 'select * from student_class natural join faculty where class_id=$1';
+$resultSet = $dbConn->Prepare($sql)->execute(array($class_id));
 if ($resultSet === false) {
     die("<br>Cannot get class data with " . $sql . " reason " . $dbConn->ErrorMsg() . "<br>");
 }
@@ -41,21 +40,23 @@
 $page_opening = "Class photos for class  $faculty_short.$sclass $class_id $year-" . ($year + 1);
 $nav = new Navigation($tutor_navtable, basename($PHP_SELF), $page_opening);
 $nav->setInterestMap($tabInterestCount);
-$sql = "SELECT distinct st.snummer as number," .
-        "st.roepnaam||' '||coalesce(regexp_replace(st.tussenvoegsel,'''','&rsquo;')||' ','')||st.achternaam as name,\n" .
-        "st.achternaam,st.roepnaam,st.tussenvoegsel,cohort,cohort,st.opl as opl_code,pcn,lang,sex,gebdat,\n" .
-        "straat,huisnr,pcode,plaats,nationaliteit,\n" .
-        "td.roepnaam||coalesce(' '||td.tussenvoegsel,'')||' '||td.achternaam as slb,coalesce(td.tutor,'---') as slb_ab,\n" .
-        "st.hoofdgrp as sclass, st.snummer as participant, course_description as opleiding,gebdat as birthday,\n" .
-        "'fotos/'||image as image\n" .
-        " from student_email st \n" .
-        "left join fontys_course fc on(st.opl=fc.course)\n" .
-        "left join tutor_join_student td on (st.slb=td.snummer)\n" .
-        "where class_id='$class_id'  " .
-        "order by achternaam,roepnaam";
+$sql = <<<'SQL'
+    SELECT distinct st.snummer as number, 
+    st.roepnaam||' '||coalesce(regexp_replace(st.tussenvoegsel,'''','&rsquo;')||' ','')||st.achternaam as name, 
+    st.achternaam,st.roepnaam,st.tussenvoegsel,cohort,cohort,st.opl as opl_code,pcn,lang,sex,gebdat, 
+    straat,huisnr,pcode,plaats,nationaliteit, 
+    td.roepnaam||coalesce(' '||td.tussenvoegsel,'')||' '||td.achternaam as slb,coalesce(td.tutor,'---') as slb_ab, 
+    st.hoofdgrp as sclass, st.snummer as participant, course_description as opleiding,gebdat as birthday, 
+    'fotos/'||image as image 
+     from student_email st  
+    left join fontys_course fc on(st.opl=fc.course) 
+    left join tutor_join_student td on (st.slb=td.snummer) 
+    where class_id=$1   
+    order by achternaam,roepnaam
+SQL;
 
 //$dbConn->log($sql);
-$resultSet = $dbConn->Execute($sql);
+$resultSet = $dbConn->Prepare($sql)->execute(array($class_id));
 if ($resultSet === false) {
     die("<br>Cannot get student data with \"" . $sql . '", cause ' . $dbConn->ErrorMsg() . "<br>");
 }
diff --git a/peer/vang.php b/peer/vang.php
deleted file mode 100644
index a7ae97f..0000000
--- a/peer/vang.php
+++ /dev/null
@@ -1,65 +0,0 @@
-<?php
-  //  phpinfo();
-requireCap(CAP_SYSTEM);
-if (isSet($_REQUEST['id']) &&
-    isSet($_REQUEST['boxes'])) {
-  $id=$_REQUEST['id'];
-  $sql1 = "select id, \n".
-    "rtrim(coalesce(ju.diplvo,j.diplvo)) as diplvo,\n".
-    "rtrim(coalesce(ju.cijfer,j.cijfer)) as cijfer,\n".
-    "rtrim(coalesce(ju.betbew,j.betbew)) as betbew,\n".
-    "rtrim(coalesce(ju.pasprt,j.pasprt)) as pasprt,\n".
-    "rtrim(coalesce(ju.uittre,j.uittre)) as uittre, \n".
-    "rtrim(coalesce(ju.renrij,j.renrij)) as renrij, \n".
-    "coalesce(trans_id,0) as trans_id from jaaglijst j \n".
-    "left join (select * from  jaaglijst_update where id=$id and trans_id=(select max(trans_id) ".
-    "from jaaglijst_update where id=$id)) ju using(id)\n"."where id=$id\n";
-  $dbConn->log($sql1);
-  $resultSet=$dbConn->execute($sql1);
-  if ($resultSet === false ) {
-    echo "cannot execlute <pre>$sql1</pre>, cause <pre>".$dbConn->ErrorMsg()."</pre>\n";
-  }
-  $mustInsert=false;
-  $ov = array();
-  $ov['diplvo'] = $resultSet->fields['diplvo'];
-  $ov['cijfer'] = $resultSet->fields['cijfer'];
-  $ov['betbew'] = $resultSet->fields['betbew'];
-  $ov['pasprt'] = $resultSet->fields['pasprt'];
-  $ov['uittre'] = $resultSet->fields['uittre'];
-  $ov['renrij'] = $resultSet->fields['renrij'];
-  // echo "<pre>\n$sql1</pre>\n";
-  // echo "<pre>\nov=";
-  // print_r($resultSet->fields);
-  // print_r($ov);
-
-  foreach ($_REQUEST['boxes'] as $box) {
-    if (isSet($_REQUEST[$box])) {
-      $ov[$box] = 'Ingeleverd'; 
-    } else {
-      $ov[$box] = 'Gestart'; 
-    }
-    if ($resultSet->fields[$box] != $ov[$box] ) { 
-      $mustInsert = $mustInsert || true; 
-    }
-  }
-  if ($mustInsert) {
-    $trans_id = $dbConn->transactionStart('jaaglijst update');
-    extract($ov);
-    $sql = "insert into jaaglijst_update (id,cijfer,betbew,diplvo,pasprt,uittre,renrij,trans_id)\n".
-      "values($id ,'$cijfer','$betbew','$diplvo','$pasprt','$uittre','$renrij',$trans_id);\n";
-    $dbConn->log($sql);
-    $rts=$dbConn->execute($sql);      
-    if ($rts===false){
-      $dbConn->Execute("rollback;");
-      die("Cannot get update with $sql cause ".$dbConn->ErrorMsg());
-    } else {
-      $dbConn->transactionEnd();
-    }
-  }
-  // // echo "<pre>\nov=";
-  // print_r($ov);
-  // echo $mustInsert.' + '.$sql;
-  // echo "</pre>\n";
- }
-header('Location: '.$_SERVER['HTTP_REFERER']); 
-?>
\ No newline at end of file
diff --git a/peer/youvote.php b/peer/youvote.php
deleted file mode 100644
index 37d627f..0000000
--- a/peer/youvote.php
+++ /dev/null
@@ -1,61 +0,0 @@
-<?php
-requireCap(CAP_SYSTEM);
-?>
-<html>
-    <head>
-        <title>You vote</title>
-        <style type='text/css'>
-            .odd {}
-            .even{background:#ddf;} 
-            form { width: 400px; }
-            form table div { float: left; }
-            form table div.full { clear: both; }
-            form table div label { display: block; }
-        </style>
-    </head>
-    <body>
-        <?php
-        if (isset($_REQUEST['submit'])) {
-            echo "p0 = {$_REQUEST['p0']}</br>";
-            echo "p1 = {$_REQUEST['p1']}</br>";
-            echo "p2 = {$_REQUEST['p2']}</br>";
-            echo "p3 = {$_REQUEST['p3']}</br>";
-            echo "p4 = {$_REQUEST['p4']}</br>";
-            echo "p5 = {$_REQUEST['p5']}</br>";
-        }
-        ?>
-        <h1>your votes please</h1>
-        <form id='votes' action="youvote.php" method='get'>
-            <?php
-            require_once'youtubelink.php';
-            /*
-             * To change this template, choose Tools | Templates
-             * and open the template in the editor.
-             */
-
-// vote on youtube films
-            $sql = "select * from grp_detail where prjm_id=516 and grp_name <> 'Attic' order by grp_num";
-            $resultSet = $dbConn->Execute($sql);
-            if ($resultSet === false) {
-                die('cannot get project data:' . $dbConn->ErrorMsg() . ' with <pre>' . $sql . "</pre>\n");
-            }
-            $count = 0;
-            echo "<table style='border-collapse:collapse' border='1'><tr><th>grp</th><th>name</th><th>tutor</th><th colspan='6'>rank<th></tr>\n";
-            while (!$resultSet->EOF) {
-                extract($resultSet->fields);
-                $rowClass = ((++$count) % 2) == 0 ? 'even' : 'odd';
-                echo "<tr class='$rowClass'><td>$grp_num</td><td>$grp_name</td><td>$tutor</td>\n";
-                for ($i = 0; $i < 6; $i++) {
-                    echo "\t\t<th><div><label for='p{$i}_{$prjtg_id}'>{$i}</label><input type='radio' "
-                    . " name='p{$i}[]' id='p{$i}_{$prjtg_id}' style='vertical-align: middle' value='$prjtg_id' class='g$prjtg_id'/></div></th>\n";
-                }
-                echo "<td>" . youtubelink($youtube_link, $yt_id, '') . "</td>\n"
-                . "</tr>\n";
-                $resultSet->moveNext();
-            }
-            echo "</table>";
-            ?>
-            <input type='submit' name='submit'/>
-        </form>
-    </body>
-</html>
diff --git a/peer/zipit.php b/peer/zipit.php
index c1f9822..5178dce 100644
--- a/peer/zipit.php
+++ b/peer/zipit.php
@@ -1,18 +1,19 @@
 <?php
 requireCap(CAP_TUTOR);
+require_once'validators.php';
 /*
  * To change this template, choose Tools | Templates
  * and open the template in the editor.
  */
 if ( isSet( $_REQUEST['prjm_id'] ) ) {
-  $prjm_id = $_REQUEST['prjm_id'];
-  $_SESSION['prjm_id'] = $prjm_id;
+  $prjm_id = validate($_REQUEST['prjm_id'],'integer','0');
+  $_SESSION['prjm_id'] = validate($prjm_id,'integer','0');
 }
 
 $sql = "select afko,year,prjm_id,doctype,milestone,tutor,grp_num,rel_file_path,doc_type_desc,author,author_name,archfilename\n"
         . "from upload_archive_names where prjm_id=$prjm_id";
 if (isSet( $_REQUEST['doctype'] ) ){
-    $doctype=$_REQUEST['doctype'];
+    $doctype=validate($_REQUEST['doctype'],'integer','0');
     $sql .= " and doctype=$doctype";
 }
 $resultSet = $dbConn->Execute( $sql );
diff --git a/peerlib/studentpicker.php b/peerlib/studentpicker.php
index 18cd295..1fab8e0 100644
--- a/peerlib/studentpicker.php
+++ b/peerlib/studentpicker.php
@@ -23,7 +23,7 @@ function __construct(&$con, $newsnummer, $name = 'Add student') {
         $this->newsnummer = $newsnummer;
         $this->pickerName = $name;
         if (isSet($_REQUEST['searchname']) && !preg_match('/;/', $_REQUEST['searchname'])) {
-            $this->searchString = $_REQUEST['searchname'];
+            $this->searchString = validate($_REQUEST['searchname'], 'anything','xyz');
         }
     }
 
diff --git a/peerlib/validators.php b/peerlib/validators.php
index bb2503f..303c8ee 100644
--- a/peerlib/validators.php
+++ b/peerlib/validators.php
@@ -1,60 +1,71 @@
 <?php
-  /* $Id: validators.php 1729 2014-02-06 10:30:18Z hom $ */
-  /*
-   * validator is var name, regex, replacement value
-   */
-$validators=array(
-		  'snummer' =>  array( '/^\d{4,8}$/', 1),
-		  'doc_id'  =>  array( '/^\d+$/', 0),
-		  'date'    =>  array( '/^\d{4}-\d{2}-\d{2}','1970-01-01'),
-		  'prj_id'  =>  array( '/^\d+$/',1),
-		  'peer_id' =>  array( '/^\d{4,8}$/', 0 ),
-		  'milestone'=> array( '/^\d{1,2}$/',1),
-		  'prj_id_milestone' => array( '/\d+?:\d{1,2}$/','1:1'),
-		  'prj_id_milestone_grp_num' => array( '/\d+?:\d{1,2}:\d{1,2}$/','1:1:1'),
-		  'prj_task_id' => array( '/\d+?:\d+?:\d+?$/','0:0:0'),
-		  'sortorder' => array( '/^(asc|desc)$/','asc'),
-		  'grp_count' => array( '/^\d{1,2}$/',2),
-		  'tutor'   => array( '/^[A-Z]{3}$/','HEU' ), 
-		  'sclass'  => array( '/^\w{1,6}$/','TIPT1' ), 
-		  'grp_num' => array('/^\d{1,3}$/',1),
-		  'doctype' => array('/^\d+$/',1),
-		  'fotodir' => array('/^(fotos|mfotos)$/','fotos'),
-		  'integer' => array('/^\d+$/',1),
-		  'phone_number' => array('/^\+?(\d|\s){8,20}$/','+31877877777'),
-		  'signed_integer' => array('/^(\+|-)\d+$/',0),
-		  'split_minute' => array('/^(\d+\s*days?\s*)?(\d+?(:\d{2}){1,2}|\d{1,2})?$/','0 00:00:00'),
-		  'timestamp' => array('/^\s*\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}$/','1955-03-18 21:58:12'),
-		  'duration' => array('/^\d{2}:\d{2}:\d{2}$/','00:00:00'),
-		  'cword4' => array('/^\w{1,4}$/','unkn'),
-		  'cword6' => array('/^\w{1,6}$/','unknow'),
-		  'email' => array( '/^\w+(\w|\-|\.)*\@[a-zA-Z0-9][a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$/','unknown@mythical.com'),
-		  'project.grp_num' => array( '/^(\w+)?\.\d+$/','dfelt.1'),
-		  'year_month' => array('/^\d{4}:\d{1,2}$/','2005-01'),
-		  'grp_num_contact' => array('/^\d+:\d{4,8}$/','1:879417'),
-		  'countrycode2' => array('/^[A-Z]{2}$/','NL'),
-		  );
+
+/* $Id: validators.php 1729 2014-02-06 10:30:18Z hom $ */
+/*
+ * validator is var name, regex, replacement value
+ */
+$validators = array(
+    'snummer' => array('/^\d{4,8}$/', 1),
+    'doc_id' => array('/^\d+$/', 0),
+    'date' => array('/^\d{4}-\d{2}-\d{2}', '1970-01-01'),
+    'prj_id' => array('/^\d+$/', 1),
+    'peer_id' => array('/^\d{4,8}$/', 0),
+    'milestone' => array('/^\d{1,2}$/', 1),
+    'prj_id_milestone' => array('/\d+?:\d{1,2}$/', '1:1'),
+    'prj_id_milestone_grp_num' => array('/\d+?:\d{1,2}:\d{1,2}$/', '1:1:1'),
+    'prj_task_id' => array('/\d+?:\d+?:\d+?$/', '0:0:0'),
+    'sortorder' => array('/^(asc|desc)$/', 'asc'),
+    'grp_count' => array('/^\d{1,2}$/', 2),
+    'tutor' => array('/^[A-Z]{3}$/', 'HEU'),
+    'sclass' => array('/^\w{1,6}$/', 'TIPT1'),
+    'grp_num' => array('/^\d{1,3}$/', 1),
+    'doctype' => array('/^\d+$/', 1),
+    'fotodir' => array('/^(fotos|mfotos)$/', 'fotos'),
+    'integer' => array('/^\d+$/', 1),
+    'phone_number' => array('/^\+?(\d|\s){8,20}$/', '+31877877777'),
+    'signed_integer' => array('/^(\+|-)\d+$/', 0),
+    'split_minute' => array('/^(\d+\s*days?\s*)?(\d+?(:\d{2}){1,2}|\d{1,2})?$/', '0 00:00:00'),
+    'timestamp' => array('/^\s*\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}$/', '1955-03-18 21:58:12'),
+    'duration' => array('/^\d{2}:\d{2}:\d{2}$/', '00:00:00'),
+    'cword4' => array('/^\w{1,4}$/', 'unkn'),
+    'cword6' => array('/^\w{1,6}$/', 'unknow'),
+    'email' => array('/^\w+(\w|\-|\.)*\@[a-zA-Z0-9][a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$/', 'unknown@mythical.com'),
+    'project.grp_num' => array('/^(\w+)?\.\d+$/', 'dfelt.1'),
+    'year_month' => array('/^\d{4}:\d{1,2}$/', '2005-01'),
+    'grp_num_contact' => array('/^\d+:\d{4,8}$/', '1:879417'),
+    'countrycode2' => array('/^[A-Z]{2}$/', 'NL'),
+    'anything' => array('/^[A-Za-z0-9_ \.\-\][,]*$/','xyz'),
+);
+
 /**
  * @param $value to be validated
  * @param $typename : type to validate against
  * @param $replacement : replacement in $value is invalid
  * @return $value or replacement if $typename known, 0 if typename unknown
  */
-function validate($value, $typename, $replacement ) {
+function validate($value, $typename, $replacement) {
     global $validators;
-    if ( isset( $validators[$typename] ) ) {
-	if (preg_match($validators[$typename][0],$value)) return $value;
-	else return $replacement;
-    } else return 0;
+    if (isset($validators[$typename])) {
+        if (preg_match($validators[$typename][0], $value))
+            return $value;
+        else
+            return $replacement;
+    } else
+        return 0;
 }
+
 /**
  * date tester.
  */
-function validate_date($value, $replacement='1970-01-01') {
-    $match=array(); // 0=full string, 1= year, 2=month, 3=day
-    if (!preg_match('/^(\d{4})-(\d{2})-(\d{2})$/',$value,$match)) return $replacement;
+function validate_date($value, $replacement = '1970-01-01') {
+    $match = array(); // 0=full string, 1= year, 2=month, 3=day
+    if (!preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $value, $match))
+        return $replacement;
     //    echo "<pre>"; print_r($match); echo "</pre><br/>\n";
-    if (checkdate($match[2],$match[3],$match[1])) return $value;
-    else return $replacement;
+    if (checkdate($match[2], $match[3], $match[1]))
+        return $value;
+    else
+        return $replacement;
 }
+
 ?>
\ No newline at end of file