Moodle

Quotes in gradebook category name breaks category weighting

Details

  • Type: Bug
  • Status: Closed
  • Priority: Major
  • Resolution: Won't Fix
  • Affects Version/s: 1.6.1
  • Fix Version/s: None
  • Component/s: Gradebook
  • Labels:
    None
  • Environment:
    probably not relevant (RHEL, PHP 5.x, MySQL 5.x)
  • Database:
    MySQL
  • Affected Branches:
    MOODLE_16_STABLE

Description

Gradebook categories that include double quotes result in an error something like [[category non-numeric]] and the category weighting doesn't update. This is a minor bug but looks a bit like an SQL injection issue.

Activity

David Monllaó added a comment -

The name of the form fields includes the name of the category. Changing category names to category ids solves the problem.

The file to modify is /moodle/grade/lib.php:

  • function grade_get_category_weight($course, $category)
    . line 39 change:
    $sql = "SELECT id, weight, drop_x_lowest, bonus_points, hidden, c.id AS cat_id
    FROM {$CFG->prefix}grade_category c
    WHERE c.courseid=$course
    AND c.name='$category'";
    for:
    $sql = "SELECT id, weight, drop_x_lowest, bonus_points, hidden, c.id AS cat_id
    FROM {$CFG->prefix}grade_category c
    WHERE c.courseid=$course
    AND c.id='$category'";
  • function grade_set_grade_weights()
    . line 2247 change:
    $submitted_category = optional_param($form_catname);
    for:
    $submitted_category = optional_param($category->id);
    . line 2250 change:
    $weight = grade_get_category_weight($course->id, $category->name);
    for:
    $weight = grade_get_category_weight($course->id, $category->id);
    . line 2257 change:
    $cur_drop = optional_param("drop_x_lowest$form_catname");
    $cur_bonus_points = optional_param("bonus_points$form_catname");
    $cur_hidden = optional_param("hidden$form_catname");
    for:
    $cur_drop = optional_param("drop_x_lowest$category->id");
    $cur_bonus_points = optional_param("bonus_points$category->id");
    $cur_hidden = optional_param("hidden$category->id");
  • function grade_display_grade_weights()
    . line 2234 change:
    echo '<tr><td align="center" class="generalboxcontent">'.$category->name.'</td>';
    echo '<td align="center" class="generalboxcontent"><input type="text" size="5" name="'.$form_catname.'" value="'.$val.'" /></td>';
    echo '<td align="center" class="generalboxcontent"><input type="text" size="5" name="drop_x_lowest'.$form_catname.'" value="'.$category->drop_x_lowest.'" /></td>';
    echo '<td align="center" class="generalboxcontent"><input type="text" size="5" name="bonus_points'.$form_catname.'" value="'.$category->bonus_points.'" /></td>';
    echo '<td align="center" class="generalboxcontent"><input type="checkbox" name="hidden'.$form_catname.'" ';
    for:
    $form_catid = $category->id;
    echo '<tr><td align="center" class="generalboxcontent">'.$category->name.'</td>';
    echo '<td align="center" class="generalboxcontent"><input type="text" size="5" name="'.$form_catid.'" value="'.$val.'" /></td>';
    echo '<td align="center" class="generalboxcontent"><input type="text" size="5" name="drop_x_lowest'.$form_catid.'" value="'.$category->drop_x_lowest.'" /></td>';
    echo '<td align="center" class="generalboxcontent"><input type="text" size="5" name="bonus_points'.$form_catid.'" value="'.$category->bonus_points.'" /></td>';
    echo '<td align="center" class="generalboxcontent"><input type="checkbox" name="hidden'.$form_catid.'" ';
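As an added illustration (not Moodle's code and not part of this issue): a constructed PHP script that shows why keying the weight field on the category name breaks once the name contains a double quote, and how the id-keyed alternative behaves, including an integer cast before the id reaches SQL. The category record, the helper names and the `weight` field prefix are assumptions.

```php
<?php
// Added example, not Moodle code. The category record, helpers and the
// "browser" parse are constructed here to mirror the behaviour in the issue.

// Original approach: the raw category name becomes the input's name attribute.
function weight_input_keyed_by_name(string $catname, string $value): string {
    return '<input type="text" size="5" name="' . $catname . '" value="' . $value . '" />';
}

// Fixed approach: the numeric category id is the key, so the attribute is
// well-formed no matter what the category is called. (Prefix is assumed.)
function weight_input_keyed_by_id(int $catid, string $value): string {
    return '<input type="text" size="5" name="weight' . $catid
         . '" value="' . htmlspecialchars($value, ENT_QUOTES) . '" />';
}

// What a browser would send back: the name attribute as it actually parses,
// which ends at the first double quote inside the category name.
function submitted_field_name(string $html): ?string {
    return preg_match('/name="([^"]*)"/', $html, $m) ? $m[1] : null;
}

// Server side of the fix: the submitted key is an id, so cast it to int before
// it is interpolated into the query (the issue's query uses c.id='$category').
function weight_lookup_sql(string $prefix, int $courseid, string $submittedid): string {
    $catid = (int) $submittedid;
    return "SELECT weight FROM {$prefix}grade_category c"
         . " WHERE c.courseid=$courseid AND c.id=$catid";
}

$category = ['id' => 7, 'name' => 'Quizzes "week 1"'];   // constructed record

// Name-keyed: the field name is cut at the quote, so the lookup by full
// category name finds nothing and the weight is reported as non-numeric.
$html = weight_input_keyed_by_name($category['name'], '40');
$sent = submitted_field_name($html);
echo $html, "\n";
echo 'name round-trips? ', var_export($sent === $category['name'], true), "\n";

// Id-keyed: the field name survives intact and the id is cast before the SQL.
$html = weight_input_keyed_by_id($category['id'], '40');
$sent = submitted_field_name($html);
echo $html, "\n";
echo 'id round-trips? ', var_export($sent === 'weight' . $category['id'], true), "\n";
echo weight_lookup_sql('mdl_', 3, substr($sent, strlen('weight'))), "\n";
```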
David Monllaó added a comment -

The file for 1.6 installations, changing category names to category ids.

David Monllaó added a comment -

After solving the weight problem, we have seen another problem in showing qualifications.

After we enter a category with quotes in its name, the qualifications are not shown.

I have attached the modified file (grade/lib.php)

The modifications are between URV Integració #39 comments, like:

// URV Integració #39
// commented moodle lines
$newlines
// URV Integració #39 FI

Michael de Raadt added a comment -

Thanks for reporting this issue.

We have detected that this issue has been inactive for over a year and has been recorded as affecting versions that are no longer supported.

If you believe that this issue is still relevant to current versions (2.1 and beyond), please comment on the issue. Issues left inactive for a further month will be closed.

Michael d;

Michael de Raadt added a comment -

I'm closing this issue as it has become inactive and does not appear to affect a current supported version. If you are encountering this problem or one similar, please launch a new issue.

