Commit 37c0ecf3 authored by François Jacquet's avatar François Jacquet

Remove old string escaping method

Remove str_replace("\'","''",$value)
parent e4d98c0f
......@@ -69,11 +69,11 @@ function UpdateAttendanceDaily($student_id,$date='',$comment=false)
$current_RET = DBGet(DBQuery("SELECT MINUTES_PRESENT,STATE_VALUE,COMMENT FROM ATTENDANCE_DAY WHERE STUDENT_ID='$student_id' AND SCHOOL_DATE='$date'"));
if(count($current_RET) && $current_RET[1]['MINUTES_PRESENT']!=$total)
DBQuery("UPDATE ATTENDANCE_DAY SET MINUTES_PRESENT='$total',STATE_VALUE='$length'".($comment!==false?",COMMENT='".str_replace("\'","''",$comment)."'":'')." WHERE STUDENT_ID='$student_id' AND SCHOOL_DATE='$date'");
DBQuery("UPDATE ATTENDANCE_DAY SET MINUTES_PRESENT='$total',STATE_VALUE='$length'".($comment!==false?",COMMENT='".$comment."'":'')." WHERE STUDENT_ID='$student_id' AND SCHOOL_DATE='$date'");
elseif(count($current_RET) && $comment!==false && $current_RET[1]['COMMENT']!=$comment)
DBQuery("UPDATE ATTENDANCE_DAY SET COMMENT='".str_replace("\'","''",$comment)."' WHERE STUDENT_ID='$student_id' AND SCHOOL_DATE='$date'");
DBQuery("UPDATE ATTENDANCE_DAY SET COMMENT='".$comment."' WHERE STUDENT_ID='$student_id' AND SCHOOL_DATE='$date'");
elseif(count($current_RET)==0)
DBQuery("INSERT INTO ATTENDANCE_DAY (SYEAR,STUDENT_ID,SCHOOL_DATE,MINUTES_PRESENT,STATE_VALUE,MARKING_PERIOD_ID,COMMENT) values('".UserSyear()."','$student_id','$date','$total','$length','".GetCurrentMP('QTR',$date)."','".str_replace("\'","''",$comment)."')");
DBQuery("INSERT INTO ATTENDANCE_DAY (SYEAR,STUDENT_ID,SCHOOL_DATE,MINUTES_PRESENT,STATE_VALUE,MARKING_PERIOD_ID,COMMENT) values('".UserSyear()."','$student_id','$date','$total','$length','".GetCurrentMP('QTR',$date)."','".$comment."')");
}
?>
?>
\ No newline at end of file
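Review bot: Lines 12, 15 and 18 now splice `$comment` into the SQL text with no escaping, so a comment containing a single quote breaks the statement and, if `$comment` is user-controlled and not escaped before it reaches this function, the query becomes injectable. The removed `str_replace("\'","''",...)` only rewrote magic_quotes-style `\'` into SQL `''`, so it was never a real escaper, but the hunk puts nothing in its place. If request values are now escaped centrally (the commit title suggests so, nothing in the hunk shows it), record that precondition on the function: `// Precondition: $comment must already be DB-escaped (single quotes doubled); it is interpolated into SQL unchanged.` The same verbatim interpolation appears in every other file of this commit (SaveData and the attendance, discipline and food-service scripts), so the one thing to confirm is where that central escaping happens. UpdateAttendanceDaily begins before this hunk.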
......@@ -77,12 +77,12 @@ function SaveData($iu_extra,$fields_done=false,$field_names=false)
if($value)
{
$ins_fields[$table] .= $column.',';
$ins_values[$table] .= "'".str_replace("\'","''",$value)."',";
$ins_values[$table] .= "'".$value."',";
$go = true;
}
}
else
$sql[$table] .= "$column='".str_replace("\'","''",str_replace(''',"''",$value))."',";
$sql[$table] .= "$column='".str_replace(''',"''",$value)."',";
}
if($id=='new')
$sql[$table] = 'INSERT INTO '.$table.' (' . $iu_extra['fields'][$table].mb_substr($ins_fields[$table],0,-1) . ') values(' . $iu_extra['values'][$table].mb_substr($ins_values[$table],0,-1) . ')';
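Review bot: The INSERT branch on line 28 now stores `$value` verbatim while the UPDATE branch on line 34 still rewrites an apostrophe form (shown here as `'`, possibly an HTML entity in the real source) into SQL `''`, so the same input is normalised differently depending on whether the record is new. Either both branches should apply the same rewrite or neither should; as written, creating a record and editing it afterwards produce different stored text for the same field. SaveData starts and ends outside this hunk.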
......
......@@ -75,7 +75,7 @@ if($_REQUEST['attendance'] && $_POST['attendance'] && AllowEdit())
$sql = "UPDATE $table SET ADMIN='Y',COURSE_PERIOD_ID='".$current_schedule_RET[$student_id][$period_id][1]['COURSE_PERIOD_ID']."',";
foreach($columns as $column=>$value)
$sql .= $column."='".str_replace("\'","''",$value)."',";
$sql .= $column."='".$value."',";
$sql = mb_substr($sql,0,-1) . " WHERE SCHOOL_DATE='$date' AND PERIOD_ID='$period_id' AND STUDENT_ID='$student_id'".$extra_sql;
DBQuery($sql);
......@@ -98,7 +98,7 @@ if($_REQUEST['attendance'] && $_POST['attendance'] && AllowEdit())
if($value)
{
$fields .= $column.',';
$values .= "'".str_replace("\'","''",$value)."',";
$values .= "'".$value."',";
$go = true;
}
}
......
......@@ -16,7 +16,7 @@ if($_REQUEST['attendance'] && $_POST['attendance'] && AllowEdit())
$sql = "UPDATE ATTENDANCE_PERIOD SET ADMIN='Y',";
foreach($columns as $column=>$value)
$sql .= $column."='".str_replace("\'","''",$value)."',";
$sql .= $column."='".$value."',";
$sql = mb_substr($sql,0,-1) . " WHERE SCHOOL_DATE='".$date."' AND COURSE_PERIOD_ID='".$period."' AND STUDENT_ID='".$student_id."'";
DBQuery($sql);
......@@ -37,7 +37,7 @@ if($_REQUEST['attendance'] && $_POST['attendance'] && AllowEdit())
if($value)
{
$fields .= $column.',';
$values .= "'".str_replace("\'","''",$value)."',";
$values .= "'".$value."',";
$go = true;
}
}
......
......@@ -20,7 +20,7 @@ if($_REQUEST['values'] && $_POST['values'])
$sql = "UPDATE ATTENDANCE_CODE_CATEGORIES SET ";
foreach($columns as $column=>$value)
$sql .= $column."='".str_replace("\'","''",$value)."',";
$sql .= $column."='".$value."',";
$sql = mb_substr($sql,0,-1) . " WHERE ID='$id'";
DBQuery($sql);
......@@ -46,7 +46,7 @@ if($_REQUEST['values'] && $_POST['values'])
if(isset($value) && $value!='')
{
$fields .= $column.',';
$values .= "'".str_replace("\'","''",$value)."',";
$values .= "'".$value."',";
$go = true;
}
}
......
......@@ -27,7 +27,7 @@ if($_REQUEST['attendance'] && $_POST['attendance'] && AllowEdit())
$sql = "UPDATE ATTENDANCE_PERIOD SET ADMIN='Y',";
foreach($columns as $column=>$value)
$sql .= $column."='".str_replace("\'","''",$value)."',";
$sql .= $column."='".$value."',";
$sql = mb_substr($sql,0,-1) . " WHERE SCHOOL_DATE='".$school_date."' AND PERIOD_ID='".$_REQUEST['period_id']."' AND STUDENT_ID='".$student_id."'";
DBQuery($sql);
......
......@@ -42,7 +42,7 @@ if($_REQUEST['values'])
if($value)
{
$fields .= $column.',';
$values .= "'".str_replace("\'","''",$value)."',";
$values .= "'".$value."',";
$go = true;
}
}
......@@ -78,7 +78,7 @@ if($_REQUEST['values'])
{
if($value)
{
$value = str_replace("\'","''",$value);
$value = $value;
$sql = "INSERT INTO PEOPLE_JOIN_CONTACTS ";
$fields = 'ID,PERSON_ID,TITLE,VALUE,';
$values = db_seq_nextval('PEOPLE_SEQ').",'".$person_id."','$column','$value',";
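Review bot: Line 112 is a self-assignment, `$value = $value;`, left behind by the removal and should be deleted rather than kept as a placeholder. With it gone, `$value` reaches the INSERT on line 115 exactly as received, which also makes it plain to the reader that no transformation happens in this block before the value is quoted into SQL. The enclosing loop starts before the hunk.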
......@@ -98,7 +98,7 @@ if($_REQUEST['values'])
if($value)
{
$fields .= $column.',';
$values .= "'".str_replace("\'","''",$value)."',";
$values .= "'".$value."',";
$go = true;
}
}
......@@ -123,7 +123,7 @@ if($_REQUEST['values'])
$sql = "UPDATE STUDENTS SET ";
foreach($_REQUEST['values']['STUDENTS'] as $column_name=>$value)
{
$sql .= "$column_name='".str_replace("\'","''",$value)."',";
$sql .= "$column_name='".$value."',";
}
$sql = mb_substr($sql,0,-1) . " WHERE STUDENT_ID='".UserStudentID()."'";
......
......@@ -25,7 +25,7 @@ if($_REQUEST['values'] && $_POST['values'])
$sql = "UPDATE DISCIPLINE_FIELD_USAGE SET ";
foreach($columns as $column=>$value)
$sql .= $column."='".str_replace("\'","''",$value)."',";
$sql .= $column."='".$value."',";
$sql = mb_substr($sql,0,-1) . " WHERE ID='$id'";
$go = true;
}
......@@ -47,7 +47,7 @@ if($_REQUEST['values'] && $_POST['values'])
if($value && $column!='SORT_ORDER' && $column!='SELECT_OPTIONS')
{
$fields .= $column.',';
$values .= "'".str_replace("\'","''",$value)."',";
$values .= "'".$value."',";
$go = true;
}
}
......@@ -64,7 +64,7 @@ if($_REQUEST['values'] && $_POST['values'])
if($value && $column!='DATA_TYPE')
{
$fields .= $column.',';
$values .= "'".str_replace("\'","''",$value)."',";
$values .= "'".$value."',";
}
}
......
......@@ -63,7 +63,7 @@ if($_REQUEST['values'] && $_POST['values'])
{
$fields .= $column.',';
if(!is_array($value))
$values .= "'".str_replace("\'","''",str_replace('"','"',$value))."',";
$values .= "'".str_replace('"','"',$value)."',";
else
{
$values .= "'||";
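Review bot: As rendered, the surviving call on line 165, `str_replace('"','"',$value)`, replaces a double quote with itself and is a no-op; if the real source holds an HTML entity for one of the two arguments this does not apply, otherwise the line should simply be `$values .= "'".$value."',";`. Either way a short comment stating what the remaining replacement is for would help, since after this commit it is the only transformation the value receives before being quoted into SQL. The enclosing block starts before the hunk and the else branch continues past it.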
......
......@@ -22,7 +22,7 @@ if($_REQUEST['values'] && $_POST['values'])
$sql = "UPDATE DISCIPLINE_CATEGORIES SET ";
foreach($columns as $column=>$value)
$sql .= $column."='".str_replace("\'","''",$value)."',";
$sql .= $column."='".$value."',";
$sql = mb_substr($sql,0,-1) . " WHERE ID='$id'";
$go = true;
}
......@@ -44,7 +44,7 @@ if($_REQUEST['values'] && $_POST['values'])
if($value)
{
$fields .= $column.',';
$values .= "'".str_replace("\'","''",$value)."',";
$values .= "'".$value."',";
$go = true;
}
}
......
......@@ -41,7 +41,7 @@ if($_REQUEST['values'] && $_POST['values'])
foreach($_REQUEST['values'] as $column_name=>$value)
{
if(!is_array($value))
$sql .= "$column_name='".str_replace("\'","''",str_replace("’","''",$value))."',";
$sql .= "$column_name='".str_replace("’","''",$value)."',";
else
{
$sql .= $column_name."='||";
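Review bot: After the commit, line 193 still maps a typographic apostrophe (`’`) to SQL `''`, which the database un-doubles into a plain `'`, so the stored text differs from what the user typed, while a plain `'` in `$value` is now passed through untouched. If the goal is only to keep the statement well-formed, that belongs to the escaping layer for every quote character rather than to a special case for one code point here; at minimum a comment should say why `’` is rewritten. The enclosing foreach continues past the hunk.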
......
......@@ -33,7 +33,7 @@ if($_REQUEST['values'] && $_POST['values'])
foreach($columns as $column=>$value)
{
$sql .= $column."='".str_replace("\'","''",$value)."',";
$sql .= $column."='".$value."',";
}
$sql = mb_substr($sql,0,-1) . " WHERE ID='$id'";
DBQuery($sql);
......@@ -51,7 +51,7 @@ if($_REQUEST['values'] && $_POST['values'])
if($value)
{
$fields .= $column.',';
$values .= "'".str_replace("\'","''",$value)."',";
$values .= "'".$value."',";
$go = true;
}
}
......
......@@ -22,7 +22,7 @@ if($_REQUEST['modfunc']=='update')
$sql = "UPDATE FOOD_SERVICE_ITEMS SET ";
foreach($columns as $column=>$value)
$sql .= $column."='".str_replace("\'","''",$value)."',";
$sql .= $column."='".$value."',";
if($_REQUEST['tab_id']!='new')
$sql = mb_substr($sql,0,-1) . " WHERE MENU_ITEM_ID='$id'";
......@@ -50,7 +50,7 @@ if($_REQUEST['modfunc']=='update')
if($value)
{
$fields .= $column.',';
$values .= '\''.str_replace("\'","''",$value).'\',';
$values .= '\''.$value.'\',';
$go = true;
}
$sql .= '(' . mb_substr($fields,0,-1) . ') values(' . mb_substr($values,0,-1) . ')';
......
......@@ -22,7 +22,7 @@ if($_REQUEST['modfunc']=='update')
$sql = "UPDATE FOOD_SERVICE_MENUS SET ";
foreach($columns as $column=>$value)
$sql .= $column."='".str_replace("\'","''",$value)."',";
$sql .= $column."='".$value."',";
if($_REQUEST['tab_id']!='new')
$sql = mb_substr($sql,0,-1) . " WHERE CATEGORY_ID='$id'";
......@@ -50,7 +50,7 @@ if($_REQUEST['modfunc']=='update')
if($value)
{
$fields .= $column.',';
$values .= '\''.str_replace("\'","''",$value).'\',';
$values .= '\''.$value.'\',';
$go = true;
}
$sql .= '(' . mb_substr($fields,0,-1) . ') values(' . mb_substr($values,0,-1) . ')';
......
......@@ -8,7 +8,7 @@ if($_REQUEST['modfunc']=='update')
{
$sql = "UPDATE FOOD_SERVICE_STUDENT_ACCOUNTS SET ";
foreach($_REQUEST['food_service'] as $column_name=>$value)
$sql .= $column_name."='".str_replace("\'","''",trim($value))."',";
$sql .= $column_name."='".trim($value)."',";
$sql = mb_substr($sql,0,-1)." WHERE STUDENT_ID='".UserStudentID()."'";
DBQuery($sql);
}
......
......@@ -8,7 +8,7 @@ if($_REQUEST['modfunc']=='update')
{
if($_REQUEST['food_service']['BARCODE'])
{
$RET = DBGet(DBQuery("SELECT ACCOUNT_ID FROM FOOD_SERVICE_STUDENT_ACCOUNTS WHERE BARCODE='".str_replace("\'","''",trim($_REQUEST['food_service']['BARCODE']))."' AND STUDENT_ID!='".UserStudentID()."'"));
$RET = DBGet(DBQuery("SELECT ACCOUNT_ID FROM FOOD_SERVICE_STUDENT_ACCOUNTS WHERE BARCODE='".trim($_REQUEST['food_service']['BARCODE'])."' AND STUDENT_ID!='".UserStudentID()."'"));
if($RET)
{
$student_RET = DBGet(DBQuery("SELECT s.FIRST_NAME||' '||s.LAST_NAME AS FULL_NAME FROM STUDENTS s,FOOD_SERVICE_STUDENT_ACCOUNTS fssa WHERE s.STUDENT_ID=fssa.STUDENT_ID AND fssa.ACCOUNT_ID='".$RET[1]['ACCOUNT_ID']."'"));
......@@ -17,7 +17,7 @@ if($_REQUEST['modfunc']=='update')
}
else
{
$RET = DBGet(DBQuery("SELECT STAFF_ID FROM FOOD_SERVICE_STAFF_ACCOUNTS WHERE BARCODE='".str_replace("\'","''",trim($_REQUEST['food_service']['BARCODE']))."'"));
$RET = DBGet(DBQuery("SELECT STAFF_ID FROM FOOD_SERVICE_STAFF_ACCOUNTS WHERE BARCODE='".trim($_REQUEST['food_service']['BARCODE'])."'"));
if($RET)
{
$staff_RET = DBGet(DBQuery("SELECT FIRST_NAME||' '||LAST_NAME AS FULL_NAME FROM STAFF WHERE STAFF_ID='".$RET[1]['STAFF_ID']."'"));
......@@ -33,13 +33,13 @@ if($_REQUEST['modfunc']=='update')
$sql = "UPDATE FOOD_SERVICE_STUDENT_ACCOUNTS SET ";
foreach($_REQUEST['food_service'] as $column_name=>$value)
{
$sql .= $column_name."='".str_replace("\'","''",trim($value))."',";
$sql .= $column_name."='".trim($value)."',";
}
$sql = mb_substr($sql,0,-1)." WHERE STUDENT_ID='".UserStudentID()."'";
if($_REQUEST['food_service']['BARCODE'])
{
DBQuery("UPDATE FOOD_SERVICE_STUDENT_ACCOUNTS SET BARCODE=NULL WHERE BARCODE='".str_replace("\'","''",trim($_REQUEST['food_service']['BARCODE']))."'");
DBQuery("UPDATE FOOD_SERVICE_STAFF_ACCOUNTS SET BARCODE=NULL WHERE BARCODE='".str_replace("\'","''",trim($_REQUEST['food_service']['BARCODE']))."'");
DBQuery("UPDATE FOOD_SERVICE_STUDENT_ACCOUNTS SET BARCODE=NULL WHERE BARCODE='".trim($_REQUEST['food_service']['BARCODE'])."'");
DBQuery("UPDATE FOOD_SERVICE_STAFF_ACCOUNTS SET BARCODE=NULL WHERE BARCODE='".trim($_REQUEST['food_service']['BARCODE'])."'");
}
DBQuery($sql);
}
......
......@@ -15,7 +15,7 @@ if($_REQUEST['values'] && $_POST['values'] && $_REQUEST['save'])
$id = $id[1]['SEQ_ID'];
$fields = 'ITEM_ID,TRANSACTION_ID,AMOUNT,DISCOUNT,SHORT_NAME,DESCRIPTION';
$values = "'0','".$id."','".($_REQUEST['values']['TYPE']=='Debit' ? -$amount : $amount)."',NULL,'".mb_strtoupper($_REQUEST['values']['OPTION'])."','".str_replace("\'","''",$_REQUEST['values']['OPTION'].' '.$_REQUEST['values']['DESCRIPTION'])."'";
$values = "'0','".$id."','".($_REQUEST['values']['TYPE']=='Debit' ? -$amount : $amount)."',NULL,'".mb_strtoupper($_REQUEST['values']['OPTION'])."','".$_REQUEST['values']['OPTION'].' '.$_REQUEST['values']['DESCRIPTION']."'";
$sql = "INSERT INTO FOOD_SERVICE_TRANSACTION_ITEMS (".$fields.") values (".$values.")";
DBQuery($sql);
......
......@@ -105,7 +105,7 @@ if($_REQUEST['values'] && $_POST['values'])
if($current_RET[$id])
{
$sql = 'UPDATE FOOD_SERVICE_COMPLETED SET ';
$sql .= 'COUNT=\''.str_replace("\'","''",str_replace("`","''",$value['COUNT'])).'\' ';
$sql .= 'COUNT=\''.$value['COUNT'].'\' ';
$sql .= 'WHERE STAFF_ID=\''.User('STAFF_ID').'\' AND SCHOOL_DATE=\''.$date.'\' AND PERIOD_ID=\''.UserPeriod().'\' AND MENU_ID=\''.$_REQUEST['menu_id'].'\' AND ITEM_ID=\''.$id.'\'';
}
else
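Review bot: Line 309 quotes `$value['COUNT']` into the UPDATE as a raw string; since the column name suggests a numeric count, casting it, `$sql .= 'COUNT=\''.(int) $value['COUNT'].'\' ';`, would validate the input and make the dropped escaping irrelevant for this field. If COUNT may legitimately be empty or null, that case needs an explicit check before the cast rather than relying on the string path. The surrounding if/else continues past the hunk.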
......
......@@ -8,7 +8,7 @@ if($_REQUEST['modfunc']=='update')
{
$sql = "UPDATE FOOD_SERVICE_STAFF_ACCOUNTS SET ";
foreach($_REQUEST['food_service'] as $column_name=>$value)
$sql .= $column_name."='".str_replace("\'","''",trim($value))."',";
$sql .= $column_name."='".trim($value)."',";
$sql = mb_substr($sql,0,-1)." WHERE STAFF_ID='".UserStaffID()."'";
DBQuery($sql);
}
......
......@@ -17,7 +17,7 @@ if($_REQUEST['modfunc']=='update')
{
if($_REQUEST['food_service']['BARCODE'])
{
$RET = DBGet(DBQuery("SELECT STAFF_ID FROM FOOD_SERVICE_STAFF_ACCOUNTS WHERE BARCODE='".str_replace("\'","''",trim($_REQUEST['food_service']['BARCODE']))."' AND STAFF_ID!='".UserStaffID()."'"));
$RET = DBGet(DBQuery("SELECT STAFF_ID FROM FOOD_SERVICE_STAFF_ACCOUNTS WHERE BARCODE='".trim($_REQUEST['food_service']['BARCODE'])."' AND STAFF_ID!='".UserStaffID()."'"));
if($RET)
{
$staff_RET = DBGet(DBQuery("SELECT FIRST_NAME||' '||LAST_NAME AS FULL_NAME FROM STAFF WHERE STAFF_ID='".$RET[1]['STAFF_ID']."'"));
......@@ -26,7 +26,7 @@ if($_REQUEST['modfunc']=='update')
}
else
{
$RET = DBGet(DBQuery("SELECT ACCOUNT_ID FROM FOOD_SERVICE_STUDENT_ACCOUNTS WHERE BARCODE='".str_replace("\'","''",trim($_REQUEST['food_service']['BARCODE']))."'"));
$RET = DBGet(DBQuery("SELECT ACCOUNT_ID FROM FOOD_SERVICE_STUDENT_ACCOUNTS WHERE BARCODE='".trim($_REQUEST['food_service']['BARCODE']))."'");
if($RET)
{
$student_RET = DBGet(DBQuery("SELECT s.FIRST_NAME||' '||s.LAST_NAME AS FULL_NAME FROM STUDENTS s,FOOD_SERVICE_STUDENT_ACCOUNTS fssa WHERE s.STUDENT_ID=fssa.STUDENT_ID AND fssa.ACCOUNT_ID='".$RET[1]['ACCOUNT_ID']."'"));
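Review bot: Line 338 has a misplaced parenthesis: `trim(...))."'")` closes DBQuery before the trailing quote is appended, so the SQL actually sent lacks its closing `'` and the `'` is concatenated onto DBQuery's return value instead of the query string. The sibling line 329 in the previous hunk has the correct shape; line 338 should read `$RET = DBGet(DBQuery("SELECT ACCOUNT_ID FROM FOOD_SERVICE_STUDENT_ACCOUNTS WHERE BARCODE='".trim($_REQUEST['food_service']['BARCODE'])."'"));`. The enclosing if/else starts before the hunk.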
......@@ -39,12 +39,12 @@ if($_REQUEST['modfunc']=='update')
{
$sql = 'UPDATE FOOD_SERVICE_STAFF_ACCOUNTS SET ';
foreach($_REQUEST['food_service'] as $column_name=>$value)
$sql .= $column_name."='".str_replace("\'","''",trim($value))."',";
$sql .= $column_name."='".trim($value)."',";
$sql = mb_substr($sql,0,-1)." WHERE STAFF_ID='".UserStaffID()."'";
if($_REQUEST['food_service']['BARCODE'])
{
DBQuery("UPDATE FOOD_SERVICE_STAFF_ACCOUNTS SET BARCODE=NULL WHERE BARCODE='".str_replace("\'","''",trim($_REQUEST['food_service']['BARCODE']))."'");
DBQuery("UPDATE FOOD_SERVICE_STUDENT_ACCOUNTS SET BARCODE=NULL WHERE BARCODE='".str_replace("\'","''",trim($_REQUEST['food_service']['BARCODE']))."'");
DBQuery("UPDATE FOOD_SERVICE_STAFF_ACCOUNTS SET BARCODE=NULL WHERE BARCODE='".trim($_REQUEST['food_service']['BARCODE'])."'");
DBQuery("UPDATE FOOD_SERVICE_STUDENT_ACCOUNTS SET BARCODE=NULL WHERE BARCODE='".trim($_REQUEST['food_service']['BARCODE'])."'");
}
DBQuery($sql);
unset($_REQUEST['modfunc']);
......@@ -71,7 +71,7 @@ if($_REQUEST['modfunc']=='create')
foreach($_REQUEST['food_service'] as $column_name=>$value)
{
$fields .= $column_name.',';
$values .= "'".str_replace("\'","''",trim($value))."',";
$values .= "'".trim($value)."',";
}
$sql = 'INSERT INTO FOOD_SERVICE_STAFF_ACCOUNTS ('.mb_substr($fields,0,-1).') values ('.mb_substr($values,0,-1).')';
DBQuery($sql);
......