|
1
|
|
|
<?php |
|
2
|
|
|
// Storage API |
|
3
|
|
|
// PHP Backend |
|
4
|
|
|
// CBlue SPRL, Jean-Karim Bockstael, <[email protected]> |
|
5
|
|
|
|
|
6
|
|
|
require_once '../inc/global.inc.php'; |
|
7
|
|
|
|
|
8
|
|
|
// variable cleaning... |
|
9
|
|
|
foreach (["svkey", "svvalue"] as $key) { |
|
10
|
|
|
$_REQUEST[$key] = Database::escape_string($_REQUEST[$key]); |
|
11
|
|
|
} |
|
12
|
|
|
|
|
13
|
|
|
foreach (["svuser", "svcourse", "svsco", "svlength", "svasc"] as $key) { |
|
14
|
|
|
$_REQUEST[$key] = intval($_REQUEST[$key]); |
|
15
|
|
|
} |
|
16
|
|
|
|
|
17
|
|
|
switch ($_REQUEST['action']) { |
|
18
|
|
|
case "get": |
|
19
|
|
|
print storage_get($_REQUEST['svuser'], $_REQUEST['svcourse'], $_REQUEST['svsco'], $_REQUEST['svkey']); |
|
20
|
|
|
break; |
|
21
|
|
|
case "set": |
|
22
|
|
|
if (storage_can_set($_REQUEST['svuser'])) { |
|
23
|
|
|
echo storage_set($_REQUEST['svuser'], $_REQUEST['svcourse'], $_REQUEST['svsco'], $_REQUEST['svkey'], $_REQUEST['svvalue']); |
|
24
|
|
|
} |
|
25
|
|
|
break; |
|
26
|
|
|
case "getall": |
|
27
|
|
|
print storage_getall($_REQUEST['svuser'], $_REQUEST['svcourse'], $_REQUEST['svsco']); |
|
28
|
|
|
break; |
|
29
|
|
|
case "stackpush": |
|
30
|
|
|
if (storage_can_set($_REQUEST['svuser'])) { |
|
31
|
|
|
echo storage_stack_push($_REQUEST['svuser'], $_REQUEST['svcourse'], $_REQUEST['svsco'], $_REQUEST['svkey'], $_REQUEST['svvalue']); |
|
32
|
|
|
} |
|
33
|
|
|
break; |
|
34
|
|
|
case "stackpop": |
|
35
|
|
|
if (storage_can_set($_REQUEST['svuser'])) { |
|
36
|
|
|
echo storage_stack_pop($_REQUEST['svuser'], $_REQUEST['svcourse'], $_REQUEST['svsco'], $_REQUEST['svkey']); |
|
37
|
|
|
} |
|
38
|
|
|
break; |
|
39
|
|
|
case "stacklength": |
|
40
|
|
|
print storage_stack_length($_REQUEST['svuser'], $_REQUEST['svcourse'], $_REQUEST['svsco'], $_REQUEST['svkey']); |
|
41
|
|
|
break; |
|
42
|
|
|
case "stackclear": |
|
43
|
|
|
if (storage_can_set($_REQUEST['svuser'])) { |
|
44
|
|
|
echo storage_stack_clear($_REQUEST['svuser'], $_REQUEST['svcourse'], $_REQUEST['svsco'], $_REQUEST['svkey']); |
|
45
|
|
|
} |
|
46
|
|
|
break; |
|
47
|
|
|
case "stackgetall": |
|
48
|
|
|
if (storage_can_set($_REQUEST['svuser'])) { |
|
49
|
|
|
echo storage_stack_getall($_REQUEST['svuser'], $_REQUEST['svcourse'], $_REQUEST['svsco'], $_REQUEST['svkey']); |
|
50
|
|
|
} |
|
51
|
|
|
break; |
|
52
|
|
|
case "getposition": |
|
53
|
|
|
print storage_get_position($_REQUEST['svuser'], $_REQUEST['svcourse'], $_REQUEST['svsco'], $_REQUEST['svkey'], $_REQUEST['svasc']); |
|
|
|
|
|
|
54
|
|
|
break; |
|
55
|
|
|
case "getleaders": |
|
56
|
|
|
print storage_get_leaders($_REQUEST['svuser'], $_REQUEST['svcourse'], $_REQUEST['svsco'], $_REQUEST['svkey'], $_REQUEST['svasc'], $_REQUEST['svlength']); |
|
57
|
|
|
break; |
|
58
|
|
|
case "usersgetall": |
|
59
|
|
|
// security issue |
|
60
|
|
|
print "NOT allowed, security issue, see sources"; |
|
61
|
|
|
// print storage_get_all_users(); |
|
62
|
|
|
break; |
|
63
|
|
|
default: |
|
64
|
|
|
// Do nothing |
|
65
|
|
|
} |
|
66
|
|
|
|
|
67
|
|
|
function storage_can_set($sv_user) |
|
68
|
|
|
{ |
|
69
|
|
|
// platform admin can change any user's stored values, other users can only change their own values |
|
70
|
|
|
$allowed = ((api_is_platform_admin()) || (!empty($sv_user) && $sv_user == api_get_user_id())); |
|
71
|
|
|
if (!$allowed) { |
|
72
|
|
|
echo "ERROR : Not allowed"; |
|
73
|
|
|
} |
|
74
|
|
|
|
|
75
|
|
|
return $allowed; |
|
76
|
|
|
} |
|
77
|
|
|
|
|
78
|
|
|
function storage_get($sv_user, $sv_course, $sv_sco, $sv_key) |
|
79
|
|
|
{ |
|
80
|
|
|
$sql = "select sv_value |
|
81
|
|
|
from ".Database::get_main_table(TABLE_TRACK_STORED_VALUES)." |
|
82
|
|
|
where user_id= '$sv_user' |
|
83
|
|
|
and sco_id = '$sv_sco' |
|
84
|
|
|
and course_id = '$sv_course' |
|
85
|
|
|
and sv_key = '$sv_key'"; |
|
86
|
|
|
$res = Database::query($sql); |
|
87
|
|
|
if (Database::num_rows($res) > 0) { |
|
88
|
|
|
$row = Database::fetch_assoc($res); |
|
89
|
|
|
|
|
90
|
|
|
return Security::remove_XSS($row['sv_value']); |
|
91
|
|
|
} else { |
|
92
|
|
|
return null; |
|
93
|
|
|
} |
|
94
|
|
|
} |
|
95
|
|
|
|
|
96
|
|
|
function storage_get_leaders($sv_user, $sv_course, $sv_sco, $sv_key, $sv_asc, $sv_length) |
|
97
|
|
|
{ |
|
98
|
|
|
// get leaders |
|
99
|
|
|
$sql_leaders = "select u.user_id, firstname, lastname, email, username, sv_value as value |
|
100
|
|
|
from ".Database::get_main_table(TABLE_TRACK_STORED_VALUES)." sv, |
|
101
|
|
|
".Database::get_main_table(TABLE_MAIN_USER)." u |
|
102
|
|
|
where u.user_id=sv.user_id |
|
103
|
|
|
and sco_id = '$sv_sco' |
|
104
|
|
|
and course_id = '$sv_course' |
|
105
|
|
|
and sv_key = '$sv_key' |
|
106
|
|
|
order by sv_value ".($sv_asc ? "ASC" : "DESC")." limit $sv_length"; |
|
107
|
|
|
// $sql_data = "select sv.user_id as user_id, sv_key as variable, sv_value as value |
|
108
|
|
|
// from ".Database::get_main_table(TABLE_TRACK_STORED_VALUES)." sv |
|
109
|
|
|
// where sv.user_id in (select u2.user_id from ($sql_leaders) u2) |
|
110
|
|
|
// and sco_id = '$sv_sco' |
|
111
|
|
|
// and course_id = '$sv_course'"; |
|
112
|
|
|
// $resData = Database::query($sql_data); |
|
113
|
|
|
// $data = Array(); |
|
114
|
|
|
// while($row = Database::fetch_assoc($resData)) |
|
115
|
|
|
// $data[] = $row; // fetching all data |
|
116
|
|
|
// |
|
117
|
|
|
$resLeaders = Database::query($sql_leaders); |
|
118
|
|
|
$result = []; |
|
119
|
|
|
while ($row = Database::fetch_assoc($resLeaders)) { |
|
120
|
|
|
$row["values"] = []; |
|
121
|
|
|
// foreach($data as $dataRow) { |
|
122
|
|
|
// if ($dataRow["user_id"] = $row["user_id"]) |
|
123
|
|
|
// $row["values"][$dataRow["variable"]] = $dataRow["value"]; |
|
124
|
|
|
// } |
|
125
|
|
|
$row['sv_value'] = Security::remove_XSS($row['sv_value']); |
|
126
|
|
|
$result[] = $row; |
|
127
|
|
|
} |
|
128
|
|
|
|
|
129
|
|
|
return json_encode($result); |
|
130
|
|
|
} |
|
131
|
|
|
|
|
132
|
|
|
function storage_get_position($sv_user, $sv_course, $sv_sco, $sv_key, $sv_asc, $sv_length) |
|
133
|
|
|
{ |
|
134
|
|
|
$sql = "select count(list.user_id) as position |
|
135
|
|
|
from ".Database::get_main_table(TABLE_TRACK_STORED_VALUES)." search, |
|
136
|
|
|
".Database::get_main_table(TABLE_TRACK_STORED_VALUES)." list |
|
137
|
|
|
where search.user_id= '$sv_user' |
|
138
|
|
|
and search.sco_id = '$sv_sco' |
|
139
|
|
|
and search.course_id = '$sv_course' |
|
140
|
|
|
and search.sv_key = '$sv_key' |
|
141
|
|
|
and list.sv_value ".($sv_asc ? "<=" : ">=")." search.sv_value |
|
142
|
|
|
and list.sco_id = search.sco_id |
|
143
|
|
|
and list.course_id = search.course_id |
|
144
|
|
|
and list.sv_key = search.sv_key |
|
145
|
|
|
order by list.sv_value"; |
|
146
|
|
|
$res = Database::query($sql); |
|
147
|
|
|
if (Database::num_rows($res) > 0) { |
|
148
|
|
|
$row = Database::fetch_assoc($res); |
|
149
|
|
|
|
|
150
|
|
|
return $row['position']; |
|
151
|
|
|
} else { |
|
152
|
|
|
return null; |
|
153
|
|
|
} |
|
154
|
|
|
} |
|
155
|
|
|
|
|
156
|
|
|
function storage_set($sv_user, $sv_course, $sv_sco, $sv_key, $sv_value) |
|
157
|
|
|
{ |
|
158
|
|
|
$sv_value = Database::escape_string($sv_value); |
|
159
|
|
|
$sql = "replace into ".Database::get_main_table(TABLE_TRACK_STORED_VALUES)." |
|
160
|
|
|
(user_id, sco_id, course_id, sv_key, sv_value) |
|
161
|
|
|
values |
|
162
|
|
|
('$sv_user','$sv_sco','$sv_course','$sv_key','$sv_value')"; |
|
163
|
|
|
$res = Database::query($sql); |
|
164
|
|
|
|
|
165
|
|
|
return Database::affected_rows($res); |
|
166
|
|
|
} |
|
167
|
|
|
|
|
168
|
|
|
function storage_getall($sv_user, $sv_course, $sv_sco) |
|
169
|
|
|
{ |
|
170
|
|
|
$sql = "select sv_key, sv_value |
|
171
|
|
|
from ".Database::get_main_table(TABLE_TRACK_STORED_VALUES)." |
|
172
|
|
|
where user_id= '$sv_user' |
|
173
|
|
|
and sco_id = '$sv_sco' |
|
174
|
|
|
and course_id = '$sv_course'"; |
|
175
|
|
|
$res = Database::query($sql); |
|
176
|
|
|
$data = []; |
|
177
|
|
|
while ($row = Database::fetch_assoc($res)) { |
|
178
|
|
|
$row['sv_value'] = Security::remove_XSS($row['sv_value']); |
|
179
|
|
|
$row['sv_key'] = Security::remove_XSS($row['sv_key']); |
|
180
|
|
|
$data[] = $row; |
|
181
|
|
|
} |
|
182
|
|
|
|
|
183
|
|
|
return json_encode($data); |
|
184
|
|
|
} |
|
185
|
|
|
|
|
186
|
|
|
function storage_stack_push($sv_user, $sv_course, $sv_sco, $sv_key, $sv_value) |
|
187
|
|
|
{ |
|
188
|
|
|
$sv_value = Database::escape_string($sv_value); |
|
189
|
|
|
Database::query("start transaction"); |
|
190
|
|
|
$sqlorder = "select ifnull((select max(stack_order) |
|
191
|
|
|
from ".Database::get_main_table(TABLE_TRACK_STORED_VALUES_STACK)." |
|
192
|
|
|
where user_id= '$sv_user' |
|
193
|
|
|
and sco_id='$sv_sco' |
|
194
|
|
|
and course_id='$sv_course' |
|
195
|
|
|
and sv_key='$sv_key' |
|
196
|
|
|
), 0) as stack_order"; |
|
197
|
|
|
$resorder = Database::query($sqlorder); |
|
198
|
|
|
$row = Database::fetch_assoc($resorder); |
|
199
|
|
|
$stack_order = (1 + $row['stack_order']); |
|
200
|
|
|
$sqlinsert = "insert into ".Database::get_main_table(TABLE_TRACK_STORED_VALUES_STACK)." |
|
201
|
|
|
(user_id, sco_id, course_id, sv_key, stack_order, sv_value) |
|
202
|
|
|
values |
|
203
|
|
|
('$sv_user', '$sv_sco', '$sv_course', '$sv_key', '$stack_order', '$sv_value')"; |
|
204
|
|
|
$resinsert = Database::query($sqlinsert); |
|
205
|
|
|
if ($resorder && $resinsert) { |
|
|
|
|
|
|
206
|
|
|
Database::query("commit"); |
|
207
|
|
|
|
|
208
|
|
|
return 1; |
|
209
|
|
|
} else { |
|
210
|
|
|
Database::query("rollback"); |
|
211
|
|
|
|
|
212
|
|
|
return 0; |
|
213
|
|
|
} |
|
214
|
|
|
} |
|
215
|
|
|
|
|
216
|
|
|
function storage_stack_pop($sv_user, $sv_course, $sv_sco, $sv_key) |
|
217
|
|
|
{ |
|
218
|
|
|
Database::query("start transaction"); |
|
219
|
|
|
$sqlselect = "select sv_value, stack_order |
|
220
|
|
|
from ".Database::get_main_table(TABLE_TRACK_STORED_VALUES_STACK)." |
|
221
|
|
|
where user_id= '$sv_user' |
|
222
|
|
|
and sco_id='$sv_sco' |
|
223
|
|
|
and course_id='$sv_course' |
|
224
|
|
|
and sv_key='$sv_key' |
|
225
|
|
|
order by stack_order desc |
|
226
|
|
|
limit 1"; |
|
227
|
|
|
$resselect = Database::query($sqlselect); |
|
228
|
|
|
$rowselect = Database::fetch_assoc($resselect); |
|
229
|
|
|
$stack_order = $rowselect['stack_order']; |
|
230
|
|
|
$sqldelete = "delete |
|
231
|
|
|
from ".Database::get_main_table(TABLE_TRACK_STORED_VALUES_STACK)." |
|
232
|
|
|
where user_id= '$sv_user' |
|
233
|
|
|
and sco_id='$sv_sco' |
|
234
|
|
|
and course_id='$sv_course' |
|
235
|
|
|
and sv_key='$sv_key' |
|
236
|
|
|
and stack_order='$stack_order'"; |
|
237
|
|
|
$resdelete = Database::query($sqldelete); |
|
238
|
|
|
if ($resselect && $resdelete) { |
|
|
|
|
|
|
239
|
|
|
Database::query("commit"); |
|
240
|
|
|
|
|
241
|
|
|
return Security::remove_XSS($rowselect['sv_value']); |
|
242
|
|
|
} else { |
|
243
|
|
|
Database::query("rollback"); |
|
244
|
|
|
|
|
245
|
|
|
return null; |
|
246
|
|
|
} |
|
247
|
|
|
} |
|
248
|
|
|
|
|
249
|
|
|
function storage_stack_length($sv_user, $sv_course, $sv_sco, $sv_key) |
|
250
|
|
|
{ |
|
251
|
|
|
$sql = "select count(*) as length |
|
252
|
|
|
from ".Database::get_main_table(TABLE_TRACK_STORED_VALUES_STACK)." |
|
253
|
|
|
where user_id= '$sv_user' |
|
254
|
|
|
and sco_id='$sv_sco' |
|
255
|
|
|
and course_id='$sv_course' |
|
256
|
|
|
and sv_key='$sv_key'"; |
|
257
|
|
|
$res = Database::query($sql); |
|
258
|
|
|
$row = Database::fetch_assoc($res); |
|
259
|
|
|
|
|
260
|
|
|
return $row['length']; |
|
261
|
|
|
} |
|
262
|
|
|
|
|
263
|
|
|
function storage_stack_clear($sv_user, $sv_course, $sv_sco, $sv_key) |
|
264
|
|
|
{ |
|
265
|
|
|
$sql = "delete |
|
266
|
|
|
from ".Database::get_main_table(TABLE_TRACK_STORED_VALUES_STACK)." |
|
267
|
|
|
where user_id= '$sv_user' |
|
268
|
|
|
and sco_id='$sv_sco' |
|
269
|
|
|
and course_id='$sv_course' |
|
270
|
|
|
and sv_key='$sv_key'"; |
|
271
|
|
|
$res = Database::query($sql); |
|
272
|
|
|
|
|
273
|
|
|
return Database::num_rows($res); |
|
274
|
|
|
} |
|
275
|
|
|
|
|
276
|
|
|
function storage_stack_getall($sv_user, $sv_course, $sv_sco, $sv_key) |
|
277
|
|
|
{ |
|
278
|
|
|
$sql = "select stack_order as stack_order, sv_value as value |
|
279
|
|
|
from ".Database::get_main_table(TABLE_TRACK_STORED_VALUES_STACK)." |
|
280
|
|
|
where user_id= '$sv_user' |
|
281
|
|
|
and sco_id='$sv_sco' |
|
282
|
|
|
and course_id='$sv_course' |
|
283
|
|
|
and sv_key='$sv_key'"; |
|
284
|
|
|
$res = Database::query($sql); |
|
285
|
|
|
$results = []; |
|
286
|
|
|
while ($row = Database::fetch_assoc($res)) { |
|
287
|
|
|
$row['value'] = Security::remove_XSS($row['value']); |
|
288
|
|
|
$results[] = $row; |
|
289
|
|
|
} |
|
290
|
|
|
|
|
291
|
|
|
return json_encode($results); |
|
292
|
|
|
} |
|
293
|
|
|
|
|
294
|
|
|
function storage_get_all_users() |
|
295
|
|
|
{ |
|
296
|
|
|
$sql = "select user_id, username, firstname, lastname |
|
297
|
|
|
from ".Database::get_main_table(TABLE_MAIN_USER)." |
|
298
|
|
|
order by user_id asc"; |
|
299
|
|
|
$res = Database::query($sql); |
|
300
|
|
|
$results = []; |
|
301
|
|
|
while ($row = Database::fetch_assoc($res)) { |
|
302
|
|
|
$results[] = $row; |
|
303
|
|
|
} |
|
304
|
|
|
|
|
305
|
|
|
return json_encode($results); |
|
306
|
|
|
} |
|
307
|
|
|
|
chamilo /
chamilo-lms
Julio Montoya
Loading history...
This check compares calls to functions or methods with their respective definitions. If the call has less arguments than are defined, it raises an issue.
If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress. Please note the @ignore annotation hint above.