diff --git a/~dev_rating/application/classes/Model/Admin/Students.php b/~dev_rating/application/classes/Model/Admin/Students.php
index 03222f0317c848646a7b5b54395b2bbaba2d0cc7..e77fab402e3557a5b199ceee17a9b999a7db89ef 100644
--- a/~dev_rating/application/classes/Model/Admin/Students.php
+++ b/~dev_rating/application/classes/Model/Admin/Students.php
@@ -11,7 +11,8 @@ class Model_Admin_Students extends Model
     
     public function getGradeID($gradeNum, $degree)
     {
-        $sql = "SELECT `GetGradeID`('$gradeNum', '$degree') AS `ID`; ";
+        $degree = Database::instance()->escape($degree);
+        $sql = "SELECT `GetGradeID`('$gradeNum', $degree) AS `ID`; ";
         return DB::query(Database::SELECT, $sql)->execute()->get('ID');
     }    
     
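Review bot: `$gradeNum` is still interpolated raw inside single quotes on the new line of getGradeID, so only one of the two arguments is protected; the same pattern of escaping the free-text arguments and leaving the ID-like ones untouched recurs in every other hunk of this commit (`$GradeID`, `$GroupID`, `$FacultyID`, `$DisciplineID` in SearchStudents and the two Teachers searches, `$teacherID`, `$moduleID`, `$submoduleID`, `$MaxRate`, `$Hours` in Model_Teacher_Map, `$accID` in newRequest, and `$id`, `$degreeID`, `$departamentID`, `$grade`, `$groupNum`, `$facultyID` in Model_Kohana_Account). Wrapping a raw value in `'...'` gives no protection when the value itself contains a quote, so a parameter that is meant to be numeric should either be coerced before use, `$gradeNum = (int) $gradeNum;`, or go through the same `escape()` call as the strings. If the Kohana version in use supports parameter binding on query objects (`Database_Query::param()`), binding every argument would remove the hand-built quoting from these models altogether and make the remaining gaps impossible to reintroduce.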
diff --git a/~dev_rating/application/classes/Model/DataArr/Students.php b/~dev_rating/application/classes/Model/DataArr/Students.php
index 004887c8c1b0a2c8201cf3a1cc817f52595ca356..38d231e3734731ac1755966e12d956ad31e5b66c 100644
--- a/~dev_rating/application/classes/Model/DataArr/Students.php
+++ b/~dev_rating/application/classes/Model/DataArr/Students.php
@@ -41,7 +41,8 @@ class Model_DataArr_Students extends Model
     
     public function SearchStudents($GradeID, $GroupID, $FacultyID, $Name, $DisciplineID)
     {
-        $sql = "CALL `SearchStudents`('$GradeID', '$GroupID', '$FacultyID', '$Name', '$DisciplineID'); ";
+        $Name = Database::instance()->escape($Name);
+        $sql = "CALL `SearchStudents`('$GradeID', '$GroupID', '$FacultyID', $Name, '$DisciplineID'); ";
         return DB::query(Database::SELECT, $sql)->execute();
     }
 }
diff --git a/~dev_rating/application/classes/Model/DataArr/Teachers.php b/~dev_rating/application/classes/Model/DataArr/Teachers.php
index a449650a3a9c72606891702afb78bd1bfaf1fef8..866d15006c04eab232011e7b202415230eec3028 100644
--- a/~dev_rating/application/classes/Model/DataArr/Teachers.php
+++ b/~dev_rating/application/classes/Model/DataArr/Teachers.php
@@ -21,12 +21,20 @@ class Model_DataArr_Teachers extends Model
     } 
 
     public function searchTeachers($FacultyID, $DepartmentID, $Last, $First, $Second) {
-        $sql = "CALL `SearchTeachers`('$FacultyID', '$DepartmentID', '$Last', '$First', '$Second'); ";
+        $db = Database::instance();
+        $Last = $db->escape($Last);
+        $Second = $db->escape($Second);
+        $First = $db->escape($First);
+        $sql = "CALL `SearchTeachers`('$FacultyID', '$DepartmentID', $Last, $First, $Second); ";
         return DB::query(Database::SELECT, $sql)->execute();
     }
     
     public function searchTeacherNew($FacultyID, $DepartmentID, $Last, $First, $Second, $DisciplineID) {
-        $sql = "CALL `SearchTeacherNew`('$FacultyID', '$DepartmentID', '$Last', '$First', '$Second', '$DisciplineID'); ";
+        $db = Database::instance();
+        $Last = $db->escape($Last);
+        $Second = $db->escape($Second);
+        $First = $db->escape($First);
+        $sql = "CALL `SearchTeacherNew`('$FacultyID', '$DepartmentID', $Last, $First, $Second, '$DisciplineID'); ";
         return DB::query(Database::SELECT, $sql)->execute();
     }
 
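Review bot: The three `$db->escape()` lines are duplicated verbatim between searchTeachers and searchTeacherNew, and the same block reappears several times in Model_Kohana_Account; a small private helper that escapes a list of values would keep the quoting rule in one place and make a missed argument stand out. The escape order (Last, Second, First) also differs from the CALL order (Last, First, Second), which is harmless but reads like a mistake; ordering the statements the same way as the call avoids a second look. In both methods the body is entirely within the hunk, so the helper extraction is local to this file.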
diff --git a/~dev_rating/application/classes/Model/System.php b/~dev_rating/application/classes/Model/System.php
index 0ec6304bf4317f9dc43354a0b7f64075fe10b85a..ed77c95c1bac106e058fe72cfd5976c78621950f 100644
--- a/~dev_rating/application/classes/Model/System.php
+++ b/~dev_rating/application/classes/Model/System.php
@@ -4,6 +4,8 @@ class Model_System extends Model
 {
     public function getBitmaskForRoute($routeName)
     {
+        $db = Database::instance();
+        $routeName = $db->escape($routeName);
         $sql = "SELECT `GetBitmaskByPagename`('$routeName') AS `Bitmask`; ";
         return DB::query(Database::SELECT, $sql)->execute()->get('Bitmask');
     }
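Review bot: Line 66 still wraps the escaped value in single quotes, `'$routeName'`, whereas every other hunk in this commit drops the quotes after calling `escape()`; if `Database::escape()` returns an already-quoted literal, as the rest of the commit assumes, this now produces a doubly quoted argument and the lookup either errors or returns the wrong value. Drop the quotes so the line matches the others, i.e. `GetBitmaskByPagename($routeName)`. Since getBitmaskForRoute appears to supply an access bitmask for routing, it is worth confirming that an errored or empty lookup fails closed rather than yielding a permissive default.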
diff --git a/~dev_rating/application/classes/Model/Teacher/Map.php b/~dev_rating/application/classes/Model/Teacher/Map.php
index 30790463b0f54975102f59eea697894cc089000e..efe4beaa5801ce984cc1f534b031433789466482 100644
--- a/~dev_rating/application/classes/Model/Teacher/Map.php
+++ b/~dev_rating/application/classes/Model/Teacher/Map.php
@@ -25,7 +25,9 @@ class Model_Teacher_Map extends Model
 	
     public function addModule($teacherID, $disciplineID, $title)
     {
-        $sql = "SELECT `AddModule`('$teacherID', '$disciplineID', '$title') AS `Num`;";
+        $db = Database::instance();
+        $title = $db->escape($title);
+        $sql = "SELECT `AddModule`('$teacherID', '$disciplineID', $title) AS `Num`;";
         return DB::query(Database::SELECT, $sql)->execute();
     }    
     
@@ -43,7 +45,9 @@ class Model_Teacher_Map extends Model
 	
     public function changeModuleName($teacherID, $moduleID, $Name)
     {
-        $sql = "SELECT `ChangeModuleName`('$teacherID', '$moduleID', '$Name') AS `Num`;";
+        $db = Database::instance();
+        $Name = $db->escape($Name);
+        $sql = "SELECT `ChangeModuleName`('$teacherID', '$moduleID', $Name) AS `Num`;";
         return DB::query(Database::SELECT, $sql)->execute();
     }
 	
@@ -61,7 +65,9 @@ class Model_Teacher_Map extends Model
 	
     public function changeSubmoduleName($teacherID, $submoduleID, $Name)
     {
-        $sql = "SELECT `ChangeSubmoduleName`('$teacherID', '$submoduleID', '$Name') AS `Num`;";
+        $db = Database::instance();
+        $Name = $db->escape($Name);
+        $sql = "SELECT `ChangeSubmoduleName`('$teacherID', '$submoduleID', $Name) AS `Num`;";
         return DB::query(Database::SELECT, $sql)->execute();
     }
 	
@@ -83,7 +89,9 @@ class Model_Teacher_Map extends Model
 
     public function changeSubmoduleMaxAndControl($teacherID, $SubmoduleID, $MaxRate, $ControlType) 
     {
-        $sql = "SELECT `ChangeSubmoduleMaxAndControl`('$teacherID', '$SubmoduleID', '$MaxRate', '$ControlType') AS `Num`;";
+        $db = Database::instance();
+        $ControlType = $db->escape($ControlType);
+        $sql = "SELECT `ChangeSubmoduleMaxAndControl`('$teacherID', '$SubmoduleID', '$MaxRate', $ControlType) AS `Num`;";
         return DB::query(Database::SELECT, $sql)->execute();
     }
 	
@@ -126,13 +134,17 @@ class Model_Teacher_Map extends Model
     
     public function changeDisciplineControl($teacherID, $DisciplineID, $Control)
     {
-        $sql = "SELECT `ChangeDisciplineControl`('$teacherID', '$DisciplineID', '$Control') AS `Num`;";
+        $db = Database::instance();
+        $Control = $db->escape($Control);
+        $sql = "SELECT `ChangeDisciplineControl`('$teacherID', '$DisciplineID', $Control) AS `Num`;";
         return DB::query(Database::SELECT, $sql)->execute();
     }
     
     public function changeDisciplineHours($teacherID, $DisciplineID, $Hours, $Type)
     {
-        $sql = "SELECT `ChangeDisciplineHours`('$teacherID', '$DisciplineID', '$Hours', '$Type') AS `Num`;";
+        $db = Database::instance();
+        $Type = $db->escape($Type);
+        $sql = "SELECT `ChangeDisciplineHours`('$teacherID', '$DisciplineID', '$Hours', $Type) AS `Num`;";
         return DB::query(Database::SELECT, $sql)->execute();
     }
 
@@ -191,8 +203,11 @@ class Model_Teacher_Map extends Model
     // }
     
     // deprecated (moved in helpers)
-    public function searchTeachers($FacultyID, $DepartmentID, $Name, $DisciplineID) {
-        $sql = "CALL `SearchTeachers`('$FacultyID', '$DepartmentID', '$Name', '$DisciplineID'); ";
+    public function searchTeachers($FacultyID, $DepartmentID, $Name, $DisciplineID)
+    {
+        $db = Database::instance();
+        $Name = $db->escape($Name);
+        $sql = "CALL `SearchTeachers`('$FacultyID', '$DepartmentID', $Name, '$DisciplineID'); ";
         return DB::query(Database::SELECT, $sql)->execute();
     }
 	
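Review bot: The commit reworks a method that the line-comment just above marks as deprecated (`// deprecated (moved in helpers)`), which keeps a second, divergent copy of the SearchTeachers call alive alongside Model_DataArr_Teachers::searchTeachers. If it is truly unused, deleting it is the safer fix; if callers remain, a PHPDoc tag such as `/** @deprecated use the DataArr helper instead */` makes the deprecation visible to IDEs and static analysis, which the bare comment does not. The brace relocation on line 143–144 is purely cosmetic and does not need to ride along with a security fix.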
diff --git a/~dev_rating/application/classes/Model/errMessages.php b/~dev_rating/application/classes/Model/errMessages.php
index 5ae82590bd648a655787cd82523399e79c922491..51d46d930484cada3481a6194640155cbe52c19a 100644
--- a/~dev_rating/application/classes/Model/errMessages.php
+++ b/~dev_rating/application/classes/Model/errMessages.php
@@ -11,7 +11,10 @@ class Model_errMessages extends Model
 
     public function newRequest($accID, $title, $description)
     {
-        $sql = "SELECT `CreateRequest`('$accID', '$title', '$description') AS 'Num'; ";
+        $db = Database::instance();
+        $description = $db->escape($description);
+        $title = $db->escape($title);
+        $sql = "SELECT `CreateRequest`('$accID', $title, $description) AS 'Num'; ";
         return DB::query(Database::SELECT, $sql)->execute();    	
     }
 
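Review bot: The alias on line 163 is written `AS 'Num'`, a string literal, while every other query touched by this commit aliases with a backtick-quoted identifier; MySQL accepts a quoted string as a column alias, but the mixed form is inconsistent and easy to misread as a literal value. Switching to the backtick identifier form used by the other models keeps the queries uniform. The method body is fully inside the hunk, so the change is a one-line edit.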
diff --git a/~dev_rating/modules/account/classes/Model/Kohana/Account.php b/~dev_rating/modules/account/classes/Model/Kohana/Account.php
index 677e86801b7ca93eccd67b0eb6ed0331c7de6a98..61cbbc65a740acf7063d7d64d867d0b267d290d4 100644
--- a/~dev_rating/modules/account/classes/Model/Kohana/Account.php
+++ b/~dev_rating/modules/account/classes/Model/Kohana/Account.php
@@ -4,7 +4,8 @@ class Model_Kohana_Account extends Model
 {
     public function setHashKey($key)
     {
-        $sql = "SELECT `SetHashKey`('$key') AS `Key`;";
+        $key = Database::instance()->escape($key);
+        $sql = "SELECT `SetHashKey`($key) AS `Key`;";
         $res = DB::query(Database::SELECT, $sql)->execute();
         return $res->get('Key');
     }
@@ -17,49 +18,82 @@ class Model_Kohana_Account extends Model
     }
     
     public function checkAuth($login, $password) {
-        $sql = "SELECT `SignIn`('$login', '$password') AS `ID`;";
+        $db = Database::instance();
+        $login = $db->escape($login);
+        $password = $db->escape($password);
+        $sql = "SELECT `SignIn`($login, $password) AS `ID`;";
         $res = DB::query(Database::SELECT, $sql)->execute();
         return $res->get('ID');
     }
     
     public function ChangeTeacherInfo($id, $lastName, $firstName, $secondName, $degreeID, $departamentID)
     {
-        $sql = "SELECT `ChangeTeacherInfo`('$id', '$lastName', '$firstName', '$secondName', '$degreeID', '$departamentID') AS `UserID`;";
+        $db = Database::instance();
+        $lastName = $db->escape($lastName);
+        $secondName = $db->escape($secondName);
+        $firstName = $db->escape($firstName);
+        $sql = "SELECT `ChangeTeacherInfo`('$id', $lastName, $firstName, $secondName, '$degreeID', '$departamentID') AS `UserID`;";
         $key = DB::query(Database::SELECT, $sql)->execute();
         return $key->get('UserID');
     }
     
     public function createTeacher($lastName, $firstName, $secondName, $degreeID, $departamentID, $activationCode)
     {
-        $sql = "SELECT `CreateTeacher`('$lastName', '$firstName', '$secondName', '$degreeID', '$departamentID', '$activationCode') AS `UserID`;";
+        $db = Database::instance();
+        $lastName = $db->escape($lastName);
+        $secondName = $db->escape($secondName);
+        $firstName = $db->escape($firstName);
+        $activationCode = $db->escape($activationCode);
+        $sql = "SELECT `CreateTeacher`($lastName, $firstName, $secondName, '$degreeID', '$departamentID', $activationCode) AS `UserID`;";
         $key = DB::query(Database::SELECT, $sql)->execute();
         return $key->get('UserID');
     }
     
     public function createTeacherByDepName($lastName, $firstName, $secondName, $departamentName, $facultyID, $activationCode)
     {
-        $sql = "SELECT `CreateTeacherByDepName`('$lastName', '$firstName', '$secondName', '$departamentName', '$facultyID', '$activationCode') AS `UserID`;";
+        $db = Database::instance();
+        $lastName = $db->escape($lastName);
+        $secondName = $db->escape($secondName);
+        $firstName = $db->escape($firstName);
+        $activationCode = $db->escape($activationCode);
+        $departamentName = $db->escape($departamentName);
+        $sql = "SELECT `CreateTeacherByDepName`($lastName, $firstName, $secondName, $departamentName, '$facultyID', $activationCode) AS `UserID`;";
         $key = DB::query(Database::SELECT, $sql)->execute();
         return $key->get('UserID');
     }
     
     public function createStudent($lastName, $firstName, $secondName, $grade, $groupNum, $facultyID, $activationCode)
     {
-        $sql = "SELECT `CreateStudent`('$lastName', '$firstName', '$secondName', '$grade', '$groupNum', '$facultyID', '$activationCode') AS `UserID`;";
+        $db = Database::instance();
+        $lastName = $db->escape($lastName);
+        $secondName = $db->escape($secondName);
+        $firstName = $db->escape($firstName);
+        $activationCode = $db->escape($activationCode);
+        $sql = "SELECT `CreateStudent`($lastName, $firstName, $secondName, '$grade', '$groupNum', '$facultyID', $activationCode) AS `UserID`;";
         $key = DB::query(Database::SELECT, $sql)->execute();
         return $key->get('UserID');
     }   
 	
     public function createStudentEx($lastName, $firstName, $secondName, $gradeNum, $groupNum, $degree, $specialization, $facultyID, $activationCode)
     {
-        $sql = "SELECT `CreateStudentEx`('$lastName', '$firstName', '$secondName', '$gradeNum', '$groupNum', '$degree', '$specialization', '$facultyID', '$activationCode') AS `UserID`;";
+        $db = Database::instance();
+        $lastName = $db->escape($lastName);
+        $secondName = $db->escape($secondName);
+        $firstName = $db->escape($firstName);
+        $activationCode = $db->escape($activationCode);
+        $degree = $db->escape($degree);
+        $specialization = $db->escape($specialization);
+        $sql = "SELECT `CreateStudentEx`($lastName, $firstName, $secondName, '$gradeNum', '$groupNum', $degree, $specialization, '$facultyID', $activationCode) AS `UserID`;";
         $key = DB::query(Database::SELECT, $sql)->execute();
         return $key->get('UserID');
     }   
 
     public function createSubject($name, $abbr, $facultyID)
     {
-        $sql = "SELECT `CreateSubject`('$facultyID', '$name', '$abbr') AS `Num`;";
+        $db = Database::instance();
+        $name = $db->escape($name);
+        $abbr = $db->escape($abbr);
+        $sql = "SELECT `CreateSubject`('$facultyID', $name, $abbr) AS `Num`;";
         $response = DB::query(Database::SELECT, $sql)->execute();
         return $response->get('Num');
     }  
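Review bot: In checkAuth the cleartext `$password` is embedded in the SQL text sent to the server, and after this change it still is — `escape()` neutralises the quoting but does not keep the secret out of the statement. Whatever `SignIn` does server-side, the raw password now appears in the query string, so it ends up in the MySQL general/slow query log, in any Kohana profiler or query logging that is enabled, and, if I recall Kohana's Database_Exception correctly, in the exception message of a failing statement; the same applies to changePassword and activateAccount in the later hunks. Hashing in PHP (`password_hash()` on write, `password_verify()` against a fetched hash on read) and sending only the hash would keep the secret out of the query text. If the stored-procedure contract cannot change yet, at minimum ensure query logging is disabled for this connection and that these statements are excluded from the profiler.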
@@ -80,42 +114,48 @@ class Model_Kohana_Account extends Model
     
     public function changeMail($id, $mail)
     {
-        $sql = "SELECT `ChangeMail`('$id', '$mail') AS Num;";
+        $mail = Database::instance()->escape($mail);
+        $sql = "SELECT `ChangeMail`('$id', $mail) AS Num;";
         $query = DB::query(Database::SELECT, $sql)->execute();
         return $query->get('Num');
     }   
     
     public function changeLogin($id, $login)
     {
-        $sql = "SELECT `ChangeLogin`('$id', '$login') AS Num;";
+        $login = Database::instance()->escape($login);
+        $sql = "SELECT `ChangeLogin`('$id', $login) AS Num;";
         $query = DB::query(Database::SELECT, $sql)->execute();
         return $query->get('Num');
     }
 
     public function changePassword($id, $password)
     {
-        $sql = "SELECT `ChangePassword`('$id', '$password') AS Num;";
+        $password = Database::instance()->escape($password);
+        $sql = "SELECT `ChangePassword`('$id', $password) AS Num;";
         $query = DB::query(Database::SELECT, $sql)->execute();
         return $query->get('Num');
     }
     
     public function getAccNumByLogin($login)
     {
-        $sql = "SELECT `GetAccCountByLogin`('$login') AS Num;";
+        $login = Database::instance()->escape($login);
+        $sql = "SELECT `GetAccCountByLogin`($login) AS Num;";
         $res = DB::query(Database::SELECT, $sql)->execute();
         return $res->get('Num');
     }
     
     public function getAccNumByMail($email)
     {
-        $sql = "SELECT `GetAccCountByMail`('$email') AS Num;";
+        $email = Database::instance()->escape($email);
+        $sql = "SELECT `GetAccCountByMail`($email) AS Num;";
         $res = DB::query(Database::SELECT, $sql)->execute();
         return $res->get('Num');
     }    
     
     public function isActivationCodeValid($code)
     {
-        $sql = "SELECT `GetAccCountByCode`('$code') AS Num;";
+        $code = Database::instance()->escape($code);
+        $sql = "SELECT `GetAccCountByCode`($code) AS Num;";
         $res = DB::query(Database::SELECT, $sql)->execute();
         foreach ($res as $value) {
             $count = $value['Num'];
@@ -125,35 +165,46 @@ class Model_Kohana_Account extends Model
     
     public function createRecoveryToken($email, $token)
     {
-        $sql = "SELECT `CreateRecoveryToken`('$email', '$token') AS Num;";
+        $db = Database::instance();
+        $email = $db->escape($email);
+        $token = $db->escape($token);
+        $sql = "SELECT `CreateRecoveryToken`($email, $token) AS Num;";
         $res = DB::query(Database::SELECT, $sql)->execute();
         return $res->get('Num');
     }
     
     public function getRecoveryInfoByEMail($email)
     {
-        $sql = "CALL GetRecoveryInfoByEMail('$email');";
+        $email = Database::instance()->escape($email);
+        $sql = "CALL GetRecoveryInfoByEMail($email);";
         $query = DB::query(Database::SELECT, $sql)->execute();
         return $query;
     }
     
     public function getRecoveryInfoByToken($token)
     {
-        $sql = "CALL GetRecoveryInfoByToken('$token');";
+        $token = Database::instance()->escape($token);
+        $sql = "CALL GetRecoveryInfoByToken($token);";
         $query = DB::query(Database::SELECT, $sql)->execute();
         return $query;
     }
     
     public function useRecoveryToken($token)
     {
-        $sql = "SELECT `UseRecoveryToken`('$token') AS Num;";
+        $token = Database::instance()->escape($token);
+        $sql = "SELECT `UseRecoveryToken`($token) AS Num;";
         $email = DB::query(Database::SELECT, $sql)->execute();
         return $email->get('Num');
     }
     
     public function activateAccount($login, $password, $email, $code)
     {
-        $sql = "SELECT `ActivateAccount` ('$code', '$login', '$email', '$password') AS `Num`; ";
+        $db = Database::instance();
+        $login = $db->escape($login);
+        $password = $db->escape($password);
+        $email = $db->escape($email);
+        $code = $db->escape($code);
+        $sql = "SELECT `ActivateAccount` ($code, $login, $email, $password) AS `Num`; ";
         $res = DB::query(Database::SELECT, $sql)->execute();
         foreach ($res as $value) {
             $id = $value['Num'];