classes.php | searchcode

/classes.php

https://github.com/adamfranco/segue-1.x · PHP · 513 lines · 395 code · 64 blank · 54 comment · 75 complexity · dab40df1bfd4f4c115447ed97dd9db1e MD5 · raw file

<? /* $Id$ */

include("objects/objects.inc.php");
$content = '';
$message = '';

ob_start();
session_start();


/* // debug output -- handy :) */
/* print "<pre>"; */
/* print "request:\n"; */
/* print_r($_REQUEST); */
/* print "\n\n"; */
/* print "session:\n"; */
/* print_r($_SESSION); */
/* print "\n\n"; */
/* print "</pre>"; */

// include all necessary files
include("includes.inc.php");

if ($_SESSION['ltype'] != 'admin') {
	// take them right to the user lookup page
	header("Location: username_lookup.php");
	exit;
}

db_connect($dbhost, $dbuser, $dbpass, $dbdb);

// what's the action?
$curraction = $_REQUEST['action'];
$id = $_REQUEST['id'];

if ($curraction == 'del') {
	$id = $_REQUEST['id'];
	if ($id > 0) {
		course::delCourse($id);
		$message = "Class ID $id deleted successfully."; 
	}
}

// if they want to add a class...
if ($curraction == 'add') {
	// check for errors first
	if (course::courseExists(generateCodeFromData($_REQUEST['department'],$_REQUEST['number'],$_REQUEST['section'],$_REQUEST['semester'],$_REQUEST['year']))) error("A class with that code already exists.");
	if (!ereg("^[a-zA-Z0-9\._\-]{1,}$",$_REQUEST['external_id'])) error("You must enter an external ID. Only combination of charactors \"a-z\" and \"A-Z\", numbers, and the charactors '-_.' are allowed.");
	if (!ereg("^[a-zA-Z]{1,}$",$_REQUEST['department'])) error("You must enter a department. Only charactors \"a-z\" and \"A-Z\" are allowed.");
	if (!ereg("^[0-9]{1,}$",$_REQUEST['number'])) error("You must enter a numeric number.");
	if (!ereg("^[a-zA-Z]{0,}$",$_REQUEST['section'])) error("Your course section must be letters \"a-z\" and \"A-Z\" only");
	if (!array_key_exists($_REQUEST['semester'], $cfg['semesters'])) error("You must enter a semester.");
	if (!ereg("^[0-9]{4}$",$_REQUEST['year'])) error("You must enter a valid 4-digit year.");
	if (!$_REQUEST['owner']) error("You must assign a owner to this class site.");
	$owner_id = db_get_value("user","user_id","user_uname='".addslashes($_REQUEST['owner'])."'");
	if (!$owner_id) error("The class owner you selected is not a register Segue user.");
	
	$external_id = $_REQUEST['external_id'];
	$duplicate_ids_num = 0;
	$query = "
		SELECT class_external_id
		FROM
			class
		WHERE
			class_external_id = '".addslashes($external_id)."'
	";
	$duplicate_ids = db_query($query);
	$duplicate_ids_num = db_num_rows($duplicate_ids);
	
	if ($duplicate_ids_num != 0) {
		error("A class with this external ID has already been created.  You must select a unique external ID.");
	}
	
	// all good
	if (!$error) {

		$query = "
			INSERT INTO
				ugroup
			SET
				ugroup_name = '".generateCodeFromData($_REQUEST['department'],$_REQUEST['number'],$_REQUEST['section'],$_REQUEST['semester'],$_REQUEST['year'])."',
				ugroup_type = 'class'
		";
		db_query($query);
		$ugroup_id = lastid();
		
		if ($owner_id) {
			$query = "
				INSERT INTO
					ugroup_user
				SET
					FK_ugroup = '".addslashes($ugroup_id)."',
					FK_user = '".addslashes($owner_id)."'
			";
			db_query($query);
		}
		
		
		$obj = &new course();
		$obj->external_id = $_REQUEST['external_id'];
		$obj->department = $_REQUEST['department'];
		$obj->number = $_REQUEST['number'];
		$obj->section = $_REQUEST['section'];
		$obj->semester = $_REQUEST['semester'];
		$obj->year = $_REQUEST['year'];
		$obj->name = $_REQUEST['name'];
		$obj->owner = $owner_id;
		$obj->ugroup = $ugroup_id;
//		$obj->classgroup = $_REQUEST['classgroup'];
		$obj->insertDB();
		
		$message = "Class '".generateCodeFromData($_REQUEST['department'],$_REQUEST['number'],$_REQUEST['section'],$_REQUEST['semester'],$_REQUEST['year'])."' added successfully.";
		unset($_REQUEST['external_id'],$_REQUEST['name'],$_REQUEST['department'],$_REQUEST['number'],$_REQUEST['section'],$_REQUEST['semester'],$_REQUEST['year'],$_REQUEST['owner'],$_REQUEST['ugroup']);
	}
}

// if they're editing a course
if ($curraction == 'edit') {
	if ($_REQUEST['commit']==1) {
		if (!ereg("^[a-zA-Z]{1,}$",$_REQUEST['department'])) error("You must enter a department. Only charactors \"a-z\" and \"A-Z\" are allowed.");
		if (!ereg("^[0-9]{1,}$",$_REQUEST['number'])) error("You must enter a numeric number.");
		if (!ereg("^[a-zA-Z0-9]{0,}$",$_REQUEST['section'])) error("Your course section must be letters \"a-z\" and \"A-Z\" only");
		if (!array_key_exists($_REQUEST['semester'], $cfg['semesters'])) error("You must enter a semester.");
		if (!ereg("^[0-9]{4}$",$_REQUEST['year'])) error("You must enter a valid 4-digit year.");
		$owner_id = db_get_value("user","user_id","user_uname='".addslashes($_REQUEST['owner'])."'");
		if (!$owner_id) error("The class owner you selected is not a register Segue user.");

		if (!$error) {

			$obj = &new course();
			$obj->fetchCourseID($_REQUEST['id']);
			$obj->external_id = $_REQUEST['external_id'];
			$obj->department = $_REQUEST['department'];
			$obj->number = $_REQUEST['number'];
			$obj->section = $_REQUEST['section'];
			$obj->semester = $_REQUEST['semester'];
			$obj->year = $_REQUEST['year'];
			$obj->name = $_REQUEST['name'];
			$obj->owner = $owner_id;
	//		$obj->ugroup = $ugroup_id;
	//		$obj->classgroup = $_REQUEST['classgroup'];
			$obj->updateDB();
			
			$query = "
				UPDATE
					ugroup
				SET
					ugroup_name='".generateCodeFromData($_REQUEST['department'],$_REQUEST['number'],$_REQUEST['section'],$_REQUEST['semester'],$_REQUEST['year'])."'
				WHERE
					ugroup_id='".addslashes($obj->ugroup)."'
			";
			db_query($query);
			
			if ($owner_id && !db_get_line("ugroup_user","FK_user='".addslashes($owner_id)."' AND FK_ugroup = '".addslashes($obj->ugroup)."'")) {
				$query = "
					INSERT INTO
						ugroup_user
					SET
						FK_ugroup = '".addslashes($obj->ugroup)."',
						FK_user = '".addslashes($owner_id)."'
				";
				db_query($query);
			}
			
			$message = "Class '".generateCodeFromData($_REQUEST['department'],$_REQUEST['number'],$_REQUEST['section'],$_REQUEST['semester'],$_REQUEST['year'])."' updated successfully.";
			unset($_REQUEST['external_id'],$_REQUEST['name'],$_REQUEST['department'],$_REQUEST['number'],$_REQUEST['section'],$_REQUEST['semester'],$_REQUEST['year'],$_REQUEST['owner'],$_REQUEST['ugroup']);
		}
	}
}
		
/* if ($curraction == 'resetpw') { */
/* 	$id = $_REQUEST['id']; */
/* 	if ($id > 0) { */
/* 		$obj = &new user(); */
/* 		$obj->fetchUserID($id); */
/* 		$obj->randpass(5,3); */
/* 		$obj->updateDB(); */
/* 		$obj->sendemail(1); */
/* 		$message = "A random password has been generated for '".$obj->uname."' and an email has been sent to them."; */
/* 	} */
/* } */

/******************************************************************************
 * get search variables and create query
 ******************************************************************************/

$class_external_id = $_REQUEST['class_external_id'];
$class_name = $_REQUEST['class_name'];
$class_dept = $_REQUEST['class_dept'];
$semester = $_REQUEST['semester'];
$class_year = $_REQUEST['class_year'];
$class_owner = $_REQUEST['class_owner'];

if ($curraction == 'edit') {
	$where = "class_id ='".addslashes($id)."'";
} else {
	$where = "class_external_id LIKE '%'";
}
		
if ($class_external_id) $where = "class_external_id LIKE '".addslashes($class_external_id)."%'";
if ($class_name) $where .= " AND class_name LIKE '%".addslashes($class_name)."%'";
if ($class_dept) $where .= " AND class_department LIKE '".addslashes($class_dept)."%'";
if ($semester == "any") {
	$where .= " AND class_semester LIKE '%'";
} else if ($semester) {
	$where .= " AND class_semester = '".addslashes($semester)."'";
}
if ($class_year) $where .= " AND class_year LIKE '".addslashes($class_year)."%'";
if ($class_owner) $where .= " AND (classowner.user_uname LIKE '%".addslashes($class_owner)."%' OR classowner.user_fname LIKE '%".addslashes($class_owner)."%')";

if ($findall) {
	$class_external_id = "%";
	$class_name = "";
	$class_dept = "";
	$semester = "any";
	$class_year = "";
	$class_owner = "";
	$where = "class_external_id LIKE '%'";
}

/******************************************************************************
 * query database only if search has been made
 ******************************************************************************/
 

if ($curraction == "edit" || $class_external_id || $class_name || $class_dept ||	$semester || $class_year || $class_owner) {
	$query = "
		SELECT
			COUNT(*) AS class_count
		FROM
			class
				LEFT JOIN
			user AS classowner
				ON
			class.FK_owner = user_id
				LEFT JOIN
			classgroup
				ON
			FK_classgroup = classgroup_id
				LEFT JOIN
			ugroup
				ON
			FK_ugroup = ugroup_id
		WHERE
			$where";		
		
	$r = db_query($query);
	$a = db_fetch_assoc($r);
	$numclasses = $a[class_count];
	
	
	if (isset($_REQUEST['lowerlimit']))
		$lowerlimit = intval($_REQUEST['lowerlimit']);
	else
		$lowerlimit = 0;
	
	if ($lowerlimit < 0) 
		$lowerlimit = 0;
	
	$limit = " limit $lowerlimit,30";
	


	$query = "
		SELECT
			class_id,
			class_external_id,
			class_name,
			class_department,
			class_number,
			class_section,
			class_semester,
			class_year,
			classowner.user_id AS classowner_id,
			classowner.user_uname AS classowner_uname,
			classowner.user_fname AS classowner_fname,
			classgroup_id,
			classgroup_name,
			ugroup_id
		FROM
			class
				LEFT JOIN
			user AS classowner
				ON
			class.FK_owner = user_id
				LEFT JOIN
			classgroup
				ON
			FK_classgroup = classgroup_id
				LEFT JOIN
			ugroup
				ON
			FK_ugroup = ugroup_id
		WHERE
			$where
		ORDER BY
			class_year DESC, class_department ASC, class_number ASC, class_section ASC
		$limit";
			
	
	$r = db_query($query);
}
//print $where;
printerr();

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Classes</title>
<? 
include("themes/common/logs_css.inc.php"); 
include("themes/common/header.inc.php");
?>
</head>
<body onload="document.searchform.name.focus()">
<?
/******************************************************************************
 * Get site id for links to participation section
 ******************************************************************************/
	
	$siteObj =&new site($site);
	$siteid = $siteObj->id;

if ($_SESSION['ltype']=='admin') {
	print "<table width='100%'  class='bg'><tr><td class='bg'>
	Logs: <a href='viewsites.php?$sid&amp;site=$site'>sites</a>
	 | <a href='viewusers.php?$sid&amp;site=$site'>users</a>
	</td><td align='right' class='bg'>
	<a href='users.php?$sid&amp;site=$site'>add/edit users</a> | 
	  add/edit classes | 
	<a href='add_slot.php?$sid&amp;site=$site'>add/edit slots</a> |
	<a href='update.php?$sid&amp;site=$site'>segue updates</a>
	</td></tr></table>";
}

if ($site) {
	print "<div align='right'>";
	print "<a href='add_students.php?$sid&amp;name=$site'>Roster</a>";
	print " | <a href='email.php?$sid&amp;siteid=$siteid&amp;site=$site&amp;action=list&amp;scope=site'>Participation</a>";
	print " | Logs";
	print "</div><br />";
}


?>

<?=$content?>

<table cellspacing='1' width='100%' id='maintable'>
<tr><td>
	<table cellspacing='1' width='100%'>
		<tr><td>
			<form action="<? echo $PHP_SELF ?>" method='get' name='searchform'>
			Code: <input type='text' name='class_external_id' size='10' value='<?echo $class_external_id?>' /> 
			Name: <input type='text' name='class_name' size='10' value='<?echo $class_name?>' />
			Dept: <input type='text' name='class_dept' size='3' value='<?echo $class_dept?>' />
			Semester:
			<select name='semester'>
				<option<?=($semester=='any')?" selected='selected'":""?> value='any'>Any</option>
				<?
					foreach (array_keys($cfg['semesters']) as $semesterKey) {
						print "<option".(($semester == $semesterKey)?" selected='selected'":"")." value='".$semesterKey."'>";
						print $cfg['semesters'][$semesterKey]['name'];
						print "</option>";
					}
				?>
			</select>
			Year: <input type='text' name='class_year' size='5' value='<?echo $class_year?>' />
			Owner: <input type='text' name='class_owner' size='7' value='<?echo $class_owner?>' />
			<input type='submit' name='search' value='Find' />
			<input type='submit' name='findall' value='Find All' />
			</form>
			</td>
			<td align='right'>
			<?
			$tpages = ceil($numclasses/30);
			$curr = ceil(($lowerlimit+30)/30);
			$prev = $lowerlimit-30;
			if ($prev < 0) $prev = 0;
			$next = $lowerlimit+30;
			if ($next >= $numclasses) $next = $numclasses-30;
			if ($next < 0) $next = 0;
			print "$curr of $tpages ";
	//		print "$prev $lowerlimit $next ";
			if ($prev != $lowerlimit)
				print "<input type='button' value='&lt;&lt;' onclick='window.location=\"$PHP_SELF?$sid&lowerlimit=$prev&class_external_id=$class_external_id&class_name=$class_name&class_dept=$class_dept&semester=$semester&order=$order&class_year=$class_year&class_owner=$class_owner\"' />\n";
			if ($next != $lowerlimit && $next > $lowerlimit)
				print "<input type='button' value='&gt;&gt;' onclick='window.location=\"$PHP_SELF?$sid&lowerlimit=$next&class_external_id=$class_external_id&class_name=$class_name&class_dept=$class_dept&semester=$semester&order=$order&class_year=$class_year&class_owner=$class_owner\"' />\n";
			?>
			

		</td></tr>
		</table>
		<? 
		if (!db_num_rows($r)) {
			 print "No matching classes found"; 
		} else {
			//$numclasses = db_num_rows($r);
			print "Total classes found: ".$numclasses;
		}	 				 
		?>

		<form method='post' name='addform' action="<? echo $PHP_SELF ?>">
		<table width='100%'>
			<tr>
			<th>id</th>
			<th>code</th>
			<th>external id</th>
			<th>name</th>
			<th>department</th>
			<th>number</th>
			<th>section</th>
			<th>semester</th>
			<th>year</th>
			<th>owner</th>
			<th>group</th>
			<th>options</th>
			</tr>
			
			<? if ($curraction != 'edit') { doClassForm($_REQUEST); } 
			
			if ($curraction == 'edit') {
				$a = db_fetch_assoc($r);
				//print " id=";
				//print $a['class_external_id'];
				doClassForm($a,'class_',1);
				
			 // output found users	
			} else if ($r) {					
				while ($a = db_fetch_assoc($r)) {					
						print "<tr>";
						print "<td align='center'>".$a['class_id']."</td>";
						print "<td>".generateCourseCode($a['class_id'])."</td>";
						print "<td>".$a['class_external_id']."</td>";
						print "<td>".$a['class_name']."</td>";
						print "<td>".$a['class_department']."</td>";
						print "<td>".$a['class_number']."</td>";
						print "<td>".$a['class_section']."</td>";
						print "<td>".$cfg['semesters'][$a['class_semester']]['name']."</td>";
						print "<td>".$a['class_year']."</td>";
						print "<td>".(($a['classowner_id'])?$a['classowner_fname']." (".$a['classowner_uname'].")":"")."</td>";
						print "<td>".$a['classgroup_name']."</td>";
						print "<td align='center'><span style='white-space: nowrap;'>";
						print "<a href='classes.php?$sid&amp;action=del&amp;id=".$a['class_id']."'>del</a> | \n";
						print "<a href='classes.php?$sid&amp;action=edit&amp;id=".$a['class_id']."'>edit</a> | \n";
						print "<a href=\"Javascript:sendWindow('addstudents',500,350,'add_students.php?$sid&amp;ugroup_id=".$a['ugroup_id']."')\">students</a>\n";
						print "</span></td>";
						print "</tr>";
					}
				}
			?>
			
		</table>
		</form>
	</td>
</tr>
</table>

<br />
<div align='right'><input type='button' value='Close Window' onclick='window.close()' /></div>
<?
function doClassForm($a,$p='',$e=0) {
	global $cfg;
	?>
		
		<tr>
		<td><?=($e)?$a[$p.'id']:"&nbsp;"?></td>
  		<td><?=($e)?generateCourseCode($a[$p.'id']):""?></td>
		<td><input type='text' name='external_id' size='10' value="<?=$a[$p.'external_id']?>" /></td>
		<td><input type='text' name='name' size='20' value="<?=$a[$p.'name']?>" /></td>
		<td><input type='text' name='department' size='3' value="<?=$a[$p.'department']?>" /></td>
		<td><input type='text' name='number' size='3' value="<?=$a[$p.'number']?>" /></td>
		<td><input type='text' name='section' size='1' value="<?=$a[$p.'section']?>" /></td>
		<td><select name='semester'>
		<?
		foreach (array_keys($cfg['semesters']) as $semesterKey) {
			print "<option".(($a[$p.'semester'] == $semesterKey)?" selected='selected'":"")." value='".$semesterKey."'>";
			print $cfg['semesters'][$semesterKey]['name'];
			print "</option>";
		}
		?>
		</select>
		</td>
		<td><input type='text' name='year' size='4' value="<?=$a[$p.'year']?>" /></td>
		<td><input type='text' name='owner' size='8' value="<?=$a['classowner_uname']?>" /> <a href="Javascript:sendWindow('addeditor',400,250,'add_editor.php?$sid&amp;comingfrom=classes')">choose</a></td>
		<td><?=$a[classgroup_name]?></td>
		<td align='center'>
		<input type='hidden' name='action' value='<?=($e)?"edit":"add"?>' />
		<?=($e)?"<input type='hidden' name='id' value='".$a[$p."id"]."' /><input type='hidden' name='commit' value='1' />":""?>
		<a href='#' onclick='document.addform.submit()'><?=($e)?"update":"add class"?></a>
		<!-- | <a href='classes.php'>cancel</a> -->
		</td>
		</tr>

	<?
}

/* // debug output -- handy :) */
/* print "<pre>"; */
/* print "request:\n"; */
/* print_r($_REQUEST); */
/* print "\n\n"; */
/* print "session:\n"; */
/* print_r($_SESSION); */
/* print "\n\n"; */
/* print "</pre>"; */
?>

</body>
</html>
Alerts (71)

'<?' Short <? tags detected; use full <?php tags for server compatibility
1 356 397 423
'include(' Dynamic include detected; use static paths (e.g., include '/path/file.php') to prevent code injection
3 22
'$_REQUEST[' Unbounded request input detected; limit size (e.g., check Content-Length or use max input vars) to prevent memory exhaustion
33 34 37 47 48 49 50 51 52 53 54 55 58 81 100 101 102 103 104 105 106 112 113 119 120 121 122 123 124 125 131 132 133 134 135 136 137 138 148 165 166 187 188 189 190 191 192 252 253
Complexity hotspot; lines 47 to 54 (total complexity: 8)
47 48 49 50 51 52 53 54
Complexity hotspot; lines 118 to 124 (total complexity: 8)
118 119 120 121 122 123 124
'global $' Use of global variables; prefer dependency injection or function parameters
466