";
+ }
+
+ // ------------------------------Editing Lab Assignment by Lecturer ------------------------------------
- echo "
";
+
+ if($_GET['act']=="edit"){
+ $getid = mysqli_real_escape_string($con, $_GET["cid"]);
+ $result1 = mysqli_query($con, "SELECT * from lab_reports_table WHERE Lab_Report_ID = '$getid'");
+
+ while($row1 = mysqli_fetch_assoc($result1)) {
+ $Deadline = $row1['Deadline'];
+ $_SESSION['Date'] = trim( strstr($Deadline, ' ', true) );
+ $_SESSION['Time'] = trim( strstr($Deadline, ' ') );
+ $_SESSION['Instructions'] = $row1['Instructions'];
+ $_SESSION['Title'] = $row1['Title'];
+ $_SESSION['Marks'] = $row1['Marks'];
+ $_SESSION['Type'] = $row1['Type'];
}
-
- // ------------------------------Editing Lab Assignment by Lecturer ------------------------------------
-
- if ($_GET['act'] == "edit") {
- $getid = $_GET["cid"];
- $result1 = mysqli_query($con, "SELECT * from lab_reports_table WHERE Lab_Report_ID = '$getid'");
-
- while ($row1 = mysqli_fetch_assoc($result1)) {
- $Deadline = $row1['Deadline'];
- $_SESSION['Date'] = trim(strstr($Deadline, ' ', true));
- $_SESSION['Time'] = trim(strstr($Deadline, ' '));
- $_SESSION['Instructions'] = $row1['Instructions'];
- $_SESSION['Title'] = $row1['Title'];
- $_SESSION['Marks'] = $row1['Marks'];
- $_SESSION['Type'] = $row1['Type'];
+
+ if(isset($_POST['frm_uploadlab'])){
+ $deadlinedate = trim(mysqli_real_escape_string($con, $_POST["deadlinedate"])); // remove spaces
+ $deadlinetime = trim(mysqli_real_escape_string($con, $_POST["deadlinetime"])); // remove spaces
+ $instructions = mysqli_real_escape_string($con, $_POST["instructions"]);
+ $title = mysqli_real_escape_string($con, $_POST["title"]);
+ $marks = mysqli_real_escape_string($con, $_POST["marks"]);
+ $type = mysqli_real_escape_string($con, $_POST["type"]);
+ $Deadline = $deadlinedate." ".$deadlinetime;
+ $date = date("Y-m-d H:i");
+
+ $sql = "UPDATE `lab_reports_table` SET `Deadline` = ('" . $Deadline . "'), `Instructions` = ('" . $instructions . "'), `Title` = ('" . $title . "'), `Marks` = ('" . $marks . "'), `Type` = ('" . $type . "') WHERE `lab_reports_table`.`Lab_Report_ID` = '$getid'";
+ if ($con->query($sql) === TRUE) {
+ $_SESSION["info_Updated"]="Assignment information updated successfully.";
+
+ } else {
+ // echo "Error: " . $sql . "
" . $con->error;
+ echo "Serious error happened whiling updating assignment information.";
}
+ }
+
+ if( $_SESSION['user_type']=="Lecturer"){
+ $Date = $_SESSION['Date'];
+ $Time = $_SESSION['Time'];
+ $Instructions = $_SESSION['Instructions'];
+ $Title = $_SESSION['Title'];
+ $Marks = $_SESSION['Marks'];
+ $Type = $_SESSION['Type'];
+
+ echo "
";
+ ?>
+
-
-
-
- Dealine Date/Time
-
-
- Title
- ">
- Instructions
-
- Marks
- ">
- Attachment 1
-
-
- Attachment 2
-
-
- Attachment 3
-
-
- Attachment 4
-
-
-
- Individual Group";
- } else {
- echo "Submission Type Individual Group";
- }
- ?>
-
-
-
-
-
+
+ Invidual
Group";
+ } else {
+ echo "Submission Type
Invidual
Group";
+ }
?>
-
Post new Lab Assignment
-
-
-
-
-
+
+
+
+
-
-
-
+ // ------------------------------Posting New Lab Assignment------------------------------------
- Title
-
- Instructions
-
- Marks
-
- Attachment 1
-
+ // Mysql to split 1 string into 2 similar to the tsrstr in php
+ // SELECT SUBSTRING_INDEX(Deadline, ' ', 1) as Date, SUBSTRING_INDEX(Deadline, ' ', -1) as Time from lab_reports_table
- Attachment 2
-
+ if( $_SESSION['user_type']=="Lecturer"){
- Attachment 3
-
+ ?>
+
+
Post new Lab Assignment
+
+
+
+
+
+
+
+ Dealine Date/Time
+
- Attachment 4
-
-
- Submission Type Individual
+ Title
+
+ Instructions
+
+ Marks
+
+ Attachment 1
+
- Group
-
-
-
-
+
+ Attachment 3
+
+
+
+ Attachment 4
+
+
+ Submission Type
Invidual
+
+
Group
+
+
+
+";
+
+ echo "
Lab Report Assignment list ";
+
+ error_reporting(0);
+ if(isset($_SESSION["info_Updated"])){
+ echo '
' . $_SESSION['info_Updated'] . '
';
+ $_SESSION['info_Updated'] = null;
+ }
+ if (isset($_SESSION['info_courses'])) {
+ echo '
' . $_SESSION['info_courses'] . '
';
+ $_SESSION['info_courses'] = null;
+ }
+ if (isset($_SESSION['info_courses'])) {
+ echo '
' . $_SESSION['info_courses'] . '
';
+ $_SESSION['info_courses']=null;
+ }
+
+
+
+
+ $result = mysqli_query($con," SELECT `Lab_Report_ID`,Type,Marks, `Course_ID`, `Posted_Date`, `Deadline`, `Instructions`, `Title`, `Attachment_link_1`, `Attachment_link_2`, `Attachment_link_3`, "
+ . "`Attachment_link_4` FROM `lab_reports_table` WHERE Course_ID=$id ORDER by Lab_Report_ID DESC");
+
+
+ if( $_SESSION['user_type']=="TA")
+ {
+ echo "
*Only Lecturer can post a new lab report assignment ";
+ }
+ if(mysqli_num_rows($result)==0)
+ {
+ echo "No assignments posted so far.";
+
+ } else { while($row = mysqli_fetch_assoc($result)) {
+ $marks=$row['Marks'];
+ $title=$row['Title'];
+ $ins=$row['Instructions'];
+ $posted=$row['Posted_Date'];
+ $deadline=$row['Deadline'];
+ $att1=$row['Attachment_link_1'];
+ $att2=$row['Attachment_link_2'];
+ $att3=$row['Attachment_link_3'];
+ $att4=$row['Attachment_link_4'];
+ $id=$row['Lab_Report_ID'];
+ $cours_id=$row['Course_ID'];
+ $as_type=$row['Type'];
+ $full_link="
$att1 ";
+
+ if($att2!=""){
+ $full_link= $full_link."  | 
$att2 ";
}
- }
- echo "
";
-
- echo "
Lab Report Assignment list ";
-
- error_reporting(0);
- if (isset($_SESSION["info_Updated"])) {
- echo '
' . $_SESSION['info_Updated'] . '
';
- $_SESSION['info_Updated'] = null;
- }
- if (isset($_SESSION['info_courses'])) {
- echo '
' . $_SESSION['info_courses'] . '
';
- $_SESSION['info_courses'] = null;
- }
- if (isset($_SESSION['info_courses'])) {
- echo '
' . $_SESSION['info_courses'] . '
';
- $_SESSION['info_courses'] = null;
- }
-
- $result = mysqli_query($con, " SELECT `Lab_Report_ID`,Type,Marks, `Course_ID`, `Posted_Date`, `Deadline`, `Instructions`, `Title`, `Attachment_link_1`, `Attachment_link_2`, `Attachment_link_3`, "
- . "`Attachment_link_4` FROM `lab_reports_table` WHERE Course_ID=$id ORDER by Lab_Report_ID DESC");
-
- if ($_SESSION['user_type'] == "TA") {
- echo "
*Only Lecturer can post a new lab report assignment ";
- }
- if (mysqli_num_rows($result) == 0) {
- echo "No assignments posted so far.";
- } else {
- $counter = 0;
- while ($row = mysqli_fetch_assoc($result)) {
- $marks = $row['Marks'];
- $title = $row['Title'];
- $ins = $row['Instructions'];
- $posted = $row['Posted_Date'];
- $deadline = $row['Deadline'];
- $att1 = $row['Attachment_link_1'];
- $att2 = $row['Attachment_link_2'];
- $att3 = $row['Attachment_link_3'];
- $att4 = $row['Attachment_link_4'];
- $id = $row['Lab_Report_ID'];
- $cours_id = $row['Course_ID'];
- $as_type = $row['Type'];
- $full_link = "
$att1 ";
- $counter += 1;
-
- if ($att2 != "") {
- $full_link = $full_link . "  | 
$att2 ";
- }
- if ($att3 != "") {
- $full_link = $full_link . "  | 
$att3 ";
- }
-
- if ($att4 != "") {
- $full_link = $full_link . " |  
$att4 ";
- }
-
- $resultx1 = mysqli_query($con, "Select Count(*) as cnt from lab_report_submissions where lab_report_submissions.Lab_Report_ID=$id");
- while ($row = mysqli_fetch_assoc($resultx1)) {
- $count_subs = $row['cnt'];
- }
-
- $resultx2 = mysqli_query($con, "Select COUNT(*) as cnt from lab_report_submissions where lab_report_submissions.Lab_Report_ID=$id and Marks is not null");
- if (mysqli_num_rows($resultx2) == 0) {
- $count_marked = 0;
- } else {
- while ($row = mysqli_fetch_assoc($resultx2)) {
- $count_marked = $row['cnt'];
- }
- }
-
- $header = "Courses > " . $name . "($code) > Assignments > " . $title;
-
- echo "
+ if($att3!=""){
+ $full_link= $full_link."  | 
$att3 ";
+ }
+
+ if($att4!=""){
+ $full_link= $full_link." |  
$att4 ";
+ }
+
+
+
+
+ $resultx1 = mysqli_query($con,"Select Count(*) as cnt from lab_report_submissions where lab_report_submissions.Lab_Report_ID=$id");
+ while($row = mysqli_fetch_assoc($resultx1)) {$count_subs=$row['cnt'];}
+
+ $resultx2 = mysqli_query($con,"Select COUNT(*) as cnt from lab_report_submissions where lab_report_submissions.Lab_Report_ID=$id and Marks is not null");
+ if(mysqli_num_rows($resultx2)==0){$count_marked=0;} else { while($row = mysqli_fetch_assoc($resultx2)) {$count_marked =$row['cnt'];}}
+
+
+ $header="Courses > ".$name."($code) > Assignments > ".$title;
+
+ echo "
$title ($as_type)
$ins
Posted : $posted Deadline : $deadline ($marks Marks) "
- . " "
+ . " "
- . " $count_subs Submissions ( $count_marked Marked ) Edit | View | Extend Deadline Attachments : $full_link "
- . "
+ . "
$count_subs Submissions ( $count_marked Marked ) Edit | View | Extend Deadline Attachments : $full_link "
+ . "
";
- }
- }
- echo "
";
-
- $resultx1 = mysqli_query($con, "SELECT course_students_table.Student_ID,users_table.Full_Name FROM
+
+
+
+ }}
+ echo "
";
+
+
+
+
+
+ $resultx1 = mysqli_query($con,"SELECT course_students_table.Student_ID,users_table.Full_Name FROM
`course_students_table`
INNER JOIN users_table on users_table.Student_ID=course_students_table.Student_ID
WHERE Course_ID=$course_id");
+
+
+ echo "
+
+
Course Joining Requests
+
-
No Course joining request so far for all your courses
";
- } else {
- while ($row = mysqli_fetch_assoc($result)) {
- $id = $row['ID'];
-
- $name = $row['Course_Name'];
- $code = $row['Course_Code'];
- $faculty = $row['Faculty'];
- $std_name = $row['Full_Name'];
- $academic = $row['Academic_Year'];
-
- echo "
-
-
-
-
-
-
+
+
+
+
+
+
-
+
+ Course Portal > Students
+' . $_SESSION['info_Courses_student'] . ' ';
+ $_SESSION['info_Courses_student'] = null;
+ }
+ ?>
+
+
+
+
- Search Results for Course Code $search
";
- $result = mysqli_query($con, "SELECT `Course_ID`, `Course_Name`, `Academic_Year`, `Faculty`,"
- . " `Lecturer_User_ID`, `TA_User_ID`, `Course_Code`, `URL`, `Verify_New_Members` "
- . " , users_table.Full_Name FROM `courses_table` INNER JOIN users_table"
- . " ON users_table.User_ID=courses_table.Lecturer_User_ID where Course_Code like '%{$search}%' and courses_table.Course_ID not in (select course_id from course_students_table where Student_ID=$student_id)");
- } else {
- echo "
Find Courses under faculty $faculty ";
- $result = mysqli_query($con, "SELECT `Course_ID`, `Course_Name`, `Academic_Year`, `Faculty`,
+
+
+
+
+
+
+
+
+ Search Results for Course Code $search
";
+ $result = mysqli_query($con,"SELECT `Course_ID`, `Course_Name`, `Academic_Year`, `Faculty`,"
+ . " `Lecturer_User_ID`, `TA_User_ID`, `Course_Code`, `URL`, `Verify_New_Members` "
+ . " , users_table.Full_Name FROM `courses_table` INNER JOIN users_table"
+ . " ON users_table.User_ID=courses_table.Lecturer_User_ID where Course_Code like '%{$search}%' and courses_table.Course_ID not in (select course_id from course_students_table where Student_ID=$student_id)");
+ }
+ else
+ {
+ echo "
Find Courses under faculty $faculty ";
+ $result = mysqli_query($con,"SELECT `Course_ID`, `Course_Name`, `Academic_Year`, `Faculty`,
`Lecturer_User_ID`, `TA_User_ID`, `Course_Code`, `URL`, `Verify_New_Members`
, users_table.Full_Name FROM `courses_table` INNER JOIN users_table
ON users_table.User_ID=courses_table.Lecturer_User_ID where Faculty='$faculty' and courses_table.Course_ID not in (select course_id from course_students_table where Student_ID=$student_id)");
+ }
+
+
+ if(mysqli_num_rows($result)==0)
+ {
+ echo "No results found for your Search
";
+
+ } else {
+
+ while($row = mysqli_fetch_assoc($result)) {
+ $name=$row['Course_Name'];
+ $code=$row['Course_Code'];
+ $faculty=$row['Faculty'];
+ $lecturer=$row['Full_Name'];
+ $academic=$row['Academic_Year'];
+ $url=$row['URL'];
+ $id=$row['Course_ID'];
+ $v=$row['Verify_New_Members'];
+ $msg2="Join Course";
+ if($v>0)
+ {
+ $msg="
Lecturer verification required";
+ $msg2="Send Joining Request";
}
-
- if (mysqli_num_rows($result) == 0) {
- echo "No results found for your Search
";
- } else {
-
- while ($row = mysqli_fetch_assoc($result)) {
- $name = $row['Course_Name'];
- $code = $row['Course_Code'];
- $faculty = $row['Faculty'];
- $lecturer = $row['Full_Name'];
- $academic = $row['Academic_Year'];
- $url = $row['URL'];
- $id = $row['Course_ID'];
- $v = $row['Verify_New_Members'];
- $msg2 = "Join Course";
- if ($v > 0) {
- $msg = "
Lecturer verification required";
- $msg2 = "Send Joining Request";
- }
-
- echo "
- [$code] $name
($url)
$msg2
+
+ echo "
+ [$code] $name
($url)
$msg2
Faculty: $faculty | Year: $academic | Lecturer: $lecturer $msg
";
- }
- }
}
-
- echo "
My Courses ";
- $result = mysqli_query($con, "SELECT users_table.Full_Name, course_students_table.Status, courses_table.Course_ID, `Course_Name`, `Academic_Year`, `Faculty`, `Lecturer_User_ID`, `TA_User_ID`, `Course_Code`, `URL`, `Verify_New_Members` FROM `courses_table`
+ }
+ }
+
+ echo "
My Courses ";
+ $result = mysqli_query($con,"SELECT users_table.Full_Name, course_students_table.Status, courses_table.Course_ID, `Course_Name`, `Academic_Year`, `Faculty`, `Lecturer_User_ID`, `TA_User_ID`, `Course_Code`, `URL`, `Verify_New_Members` FROM `courses_table`
INNER JOIN users_table
ON users_table.User_ID=courses_table.Lecturer_User_ID
INNER JOIN course_students_table on course_students_table.Course_ID=courses_table.Course_ID
where course_students_table.Student_ID=$student_id");
-
- if (mysqli_num_rows($result) == 0) {
- echo "
You are not Enrolled in any Course";
- } else {
- while ($row = mysqli_fetch_assoc($result)) {
- $name = $row['Course_Name'];
- $code = $row['Course_Code'];
- $faculty = $row['Faculty'];
- $lecturer = $row['Full_Name'];
- $academic = $row['Academic_Year'];
- $url = $row['URL'];
- $id = $row['Course_ID'];
- $Status = $row['Status'];
-
- if ($Status == "Joined") {
- echo "
+
+ if(mysqli_num_rows($result)==0)
+ {
+ echo "
You are not Enrolled in any Course";
+ } else {
+ while($row = mysqli_fetch_assoc($result)) {
+ $name=$row['Course_Name'];
+ $code=$row['Course_Code'];
+ $faculty=$row['Faculty'];
+ $lecturer=$row['Full_Name'];
+ $academic=$row['Academic_Year'];
+ $url=$row['URL'];
+ $id=$row['Course_ID'];
+ $Status=$row['Status'];
+
+ if($Status=="Joined")
+ {
+ echo "
($code) - $name
($url)
$Status
Open
Faculty : $faculty Year : $academic Lecturer :$lecturer
- ";
- } else {
- echo "
+ ";
+ }
+ else
+ {
+ echo "
($code) - $name $Status
Faculty : $faculty Year : $academic Lecturer :$lecturer
- ";
- }
- }
+ ";
}
-
- echo "
+ }
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ echo "
-
+
- ";
- }
- ?>
-
\ No newline at end of file
+
+
+
";
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+}
+
+?>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/Download.php b/Download.php
index 987a485..4ddeb4b 100644
--- a/Download.php
+++ b/Download.php
@@ -7,6 +7,11 @@ session_start();
// 修改这一行设置你的文件下载目录
+// IMPORTANT: Do not delete the following conditional test
+if (strpos($_GET['file'], "../") != false) { // 检查是否有 ../,防止用户构造路径,访问某个他不应该访问的目录
+ die("Sorry. Nothing to download.");
+}
+
$file = "./../../lrr_submission".$_GET['file'];
$filename = basename($file);
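Review bot: The added guard `strpos($_GET['file'], "../") != false` does not fire when `../` is at offset 0, because `strpos` then returns 0 and `0 != false` is false, so such a request still reaches the `$file` concatenation below. Use a strict comparison and handle the absent parameter in the same line: `if (!isset($_GET['file']) || strpos($_GET['file'], "../") !== false) {`. A substring test is a weak primary control on its own; the robust check is to `realpath()` the assembled `$file` and confirm the result begins with the `realpath()` of the submission directory before any header is sent. `$file` is built by plain concatenation with no separator, so `file` is implicitly expected to start with `/`; a comment stating that contract would help the next reader.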
@@ -20,7 +25,7 @@ $type = filetype($file);
$today = date("F j, Y, g:i a");
$time = time();
-if ( (isset($_SESSION["user_student_id"]) && strpos($file, $_SESSION["user_student_id"])) || $_SESSION['user_type'] == "Lecturer" || $_SESSION['user_type'] == "TA") {
+if ((isset($_SESSION["user_student_id"]) && strpos($file, $_SESSION["user_student_id"]) > 0) || $_SESSION['user_type'] == "Lecturer" || $_SESSION['user_type'] == "TA" ) {
// 发送文件头部
header("Content-type: $type");
header('Content-Disposition: attachment;filename="'.urldecode($filename).'"');
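Review bot: The ownership test `strpos($file, $_SESSION["user_student_id"]) > 0` on the `if` line is a substring match anywhere in the path, so it also succeeds when the caller's ID occurs inside another student's ID or inside a file name; rewriting it as `> 0` does not change that. Submissions are stored under `/<student_id>/<url>/<lab_name>/` (see the `$targetfile` assignments in Script.php), so compare the leading path component instead: `$owns = strpos($_GET['file'], "/" . $_SESSION["user_student_id"] . "/") === 0;` and use `$owns` in the condition. The `$_SESSION['user_type']` comparisons should be `===`, and the `if` body continues past the hunk.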
diff --git a/Script.php b/Script.php
index 68c3b3c..d1110ef 100644
--- a/Script.php
+++ b/Script.php
@@ -35,7 +35,6 @@ function is_valid_student_number($student_id)
// ############################### SIGN UP ##################################
if (!empty($_POST["form_signup"])) {
-
$student_id = trim(mysqli_real_escape_string($con, $_POST["user_student_id"]));
// validate student number
@@ -53,18 +52,19 @@ if (!empty($_POST["form_signup"])) {
return;
}
+
// Check if the student number isn't already registered
$student_result = mysqli_query($con, "SELECT * FROM `users_table` WHERE Student_ID='$student_id'");
if (mysqli_num_rows($student_result) > 0) {
- $_SESSION["info_signup"] = "This Student ID is already in use! Please contact Student Management Office
for help.";
+ $_SESSION["info_signup"] = "This Student ID is already in use! Please contact Student Management Office for help.";
header("Location: signup.php");
return;
}
}
// ############################### CREATE STUDENT USER ##################################
-if (!empty($_POST["form_signup"])) {
+if (!empty($_POST["form_signup"])) {
$fullname = mysqli_real_escape_string($con, $_POST["fullname"]);
$student_id = mysqli_real_escape_string($con, $_POST["user_student_id"]);
$email = mysqli_real_escape_string($con, $_POST["email"]);
@@ -270,7 +270,7 @@ if (!empty($_POST["frm_createlecturrer"])) {
$email = mysqli_real_escape_string($con, $_POST["email"]);
$fullname = mysqli_real_escape_string($con, $_POST["fullname"]);
$type = mysqli_real_escape_string($con, $_POST["type"]);
- $password = $passport;
+ $password = mysqli_real_escape_string($con, $_POST["passport"]);
// check if email is taken
$result = mysqli_query($con,
"SELECT * FROM Users_Table WHERE email='$email'");
@@ -300,7 +300,7 @@ function is_valid_file_format($file)
'cvc', 'c', 'class', 'cpp', 'h', 'java', 'sh', 'swift', 'zip', 'rar', 'ods', 'xlr', 'bak', 'ico', 'swf'
);
- utf8_encode($filename = $_FILES[$file]['name']);
+ $filename = $_FILES[$file]['name'];
$ext = pathinfo($filename, PATHINFO_EXTENSION);
$result = in_array($ext, $allowed);
return $result;
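Review bot: The `in_array($ext, $allowed)` check in `is_valid_file_format` is loose and case-sensitive, so its result depends on the exact spelling of the client-supplied name. Normalise and compare strictly: `$ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));` and `return in_array($ext, $allowed, true);`. A docblock stating that `$file` is the `$_FILES` field name rather than a path, and that the check inspects only the name's extension and not the content, would make the function's guarantee clear to callers.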
@@ -452,10 +452,8 @@ function checksize($file)
}
// ############################### Submit Assignment ##################################
-
if (!empty($_POST["frm_submitlab"])) {
- /* Posting values to database */
$lab_id = mysqli_real_escape_string($con, $_POST["lab_id"]);
$student_id = $_POST["student_id"];
$group_id = $_POST["group_id"];
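Review bot: `$student_id = $_POST["student_id"];` and `$group_id = $_POST["group_id"];` are the inputs in this handler still taken raw while `$lab_id` on the line above is escaped, and `$student_id` later forms the upload path `"/" . $student_id . "/" ...`. The submitting student is already known from the session, as SubmitLab.php does with `$student_id = $_SESSION["user_student_id"];`, which removes both the unescaped input and the possibility of a submission being filed under a different ID; `$group_id` should be cast with `(int)`. The handler body continues beyond the hunk.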
@@ -552,19 +550,19 @@ if (!empty($_POST["frm_submitlab"])) {
$targetfile4 = "";
if (strlen($_FILES['attachment1']['name']) > 2) { // why greater than 2???
- $targetfile = "/" . $student_id . "/" . $url . "/" . $lab_name . "/" . $_FILES['attachment1']['name'];
+ $targetfile = "/" . $student_id . "/" . $url . "/" . $lab_name . "/" . rawurlencode($_FILES['attachment1']['name']);
}
if (strlen($_FILES['attachment2']['name']) > 2) {
- $targetfile2 = "/" . $student_id . "/" . $url . "/" . $lab_name . "/" . $_FILES['attachment2']['name'];
+ $targetfile2 = "/" . $student_id . "/" . $url . "/" . $lab_name . "/" . rawurlencode($_FILES['attachment2']['name']);
}
if (strlen($_FILES['attachment3']['name']) > 2) {
- $targetfile3 = "/" . $student_id . "/" . $url . "/" . $lab_name . "/" . $_FILES['attachment3']['name'];
+ $targetfile3 = "/" . $student_id . "/" . $url . "/" . $lab_name . "/" . rawurlencode($_FILES['attachment3']['name']);
}
if (strlen($_FILES['attachment4']['name']) > 2) {
- $targetfile4 = "/" . $student_id . "/" . $url . "/" . $lab_name . "/" . $_FILES['attachment4']['name'];
+ $targetfile4 = "/" . $student_id . "/" . $url . "/" . $lab_name . "/" . rawurlencode($_FILES['attachment4']['name']);
}
// When $group_id is not properly initialized, use integer 0 as its value.
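Review bot: `rawurlencode()` on the four `$targetfile` lines encodes slashes but does not otherwise validate the upload name, and the `strlen(...) > 2` guard that the existing comment questions still lets a failed upload with a non-empty name through. Decide on the upload status instead of the name length, `if (($_FILES['attachment1']['error'] ?? UPLOAD_ERR_NO_FILE) === UPLOAD_ERR_OK)`, and apply `basename()` before `rawurlencode()` so only the file name itself is encoded into the path; the same change applies to attachments 2–4. Download.php calls `urldecode()` on the stored name when serving, so the encoded form is what the rest of the app expects; a comment recording that contract here would help.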
@@ -597,9 +595,9 @@ if (!empty($_POST["frm_submitlab"])) {
// JOIN COURSE
if (!empty($_GET["JoinCourse"])) {
- $id = $_GET["id"];
- $student_id = $_GET["std"];
- $joining = $_GET["joining"];
+ $id = mysqli_real_escape_string($con, $_GET["id"]);
+ $student_id = mysqli_real_escape_string($con, $_GET["std"]);
+ $joining = mysqli_real_escape_string($con, $_GET["joining"]);
$status = "Pending";
if ($joining == 0) {
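Review bot: `$student_id = mysqli_real_escape_string($con, $_GET["std"]);` still lets the enrolling student's identity come from the URL; escaping only affects SQL syntax, not who is authorised to enrol. Take it from the session, `$student_id = $_SESSION["user_student_id"];` (as SubmitLab.php already does), unless a lecturer is meant to enrol students here, in which case the handler needs a role check instead; the `creategroup`, `groupinvite`, `acceptinvite` and `extenddeadline` handlers below read `student_id`/`stdid` from `$_GET` in the same way. `$joining == 0` should be `(int) $joining === 0`. The handler continues past the hunk.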
@@ -626,12 +624,12 @@ if (!empty($_GET["JoinCourse"])) {
if (!empty($_GET["savemarks"])) {
- $id = $_GET["id"];
- $marks = $_GET["marks"];
- $total = $_GET["total"];
- $feedback = $_GET["feedback"];
- $header = $_GET["header"];
- $labid = $_GET["labid"];
+ $id = mysqli_real_escape_string($con, $_GET["id"]);
+ $marks = mysqli_real_escape_string($con, $_GET["marks"]);
+ $total = mysqli_real_escape_string($con, $_GET["total"]);
+ $feedback = mysqli_real_escape_string($con, $_GET["feedback"]);
+ $header = mysqli_real_escape_string($con, $_GET["header"]);
+ $labid = mysqli_real_escape_string($con, $_GET["labid"]);
$status = "Marked";
if ($marks > $total) {
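Review bot: Escaping `$marks` and `$total` does not make them numbers, so `$marks > $total` on the last line compares two query-string values that PHP treats as strings whenever either is not numeric. Cast them once, `$marks = (float) $_GET["marks"];` and `$total = (float) $_GET["total"];` (or `(int)` if marks are integral), which also makes them safe wherever they are interpolated unquoted. No check that the caller is a Lecturer or TA is visible in the hunk; if it lives elsewhere, a short comment pointing to it would help.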
@@ -660,12 +658,12 @@ if (!empty($_GET["savemarks"])) {
#Update Report Visibility
if (!empty($_GET["updatevisibility"])) {
- $id = $_GET["id"];
- $marks = $_GET["marks"];
- $total = $_GET["total"];
- $status = $_GET["status"];
- $header = $_GET["header"];
- $labid = $_GET["labid"];
+ $id = mysqli_real_escape_string($con, $_GET["id"]);
+ $marks = mysqli_real_escape_string($con, $_GET["marks"]);
+ $total = mysqli_real_escape_string($con, $_GET["total"]);
+ $status = mysqli_real_escape_string($con, $_GET["status"]);
+ $header = mysqli_real_escape_string($con, $_GET["header"]);
+ $labid = mysqli_real_escape_string($con, $_GET["labid"]);
$sql = "UPDATE `lab_report_submissions` SET `Visibility`='$status' WHERE Submission_ID=$id
";
@@ -683,11 +681,11 @@ if (!empty($_GET["updatevisibility"])) {
if (!empty($_GET["remarking"])) {
- $id = $_GET["id"];
- $url = $_GET["url"];
+ $id = mysqli_real_escape_string($con, $_GET["id"]);
+ $url = mysqli_real_escape_string($con, $_GET["url"]);
- $status = $_GET["status"];
- $details = $_GET["details"];
+ $status = mysqli_real_escape_string($con, $_GET["status"]);
+ $details = mysqli_real_escape_string($con, $_GET["details"]);
$sql = "UPDATE `lab_report_submissions` SET `Status`='Remarking',Remarking_Reason='$details' WHERE Submission_ID=$id
";
@@ -705,10 +703,10 @@ if (!empty($_GET["remarking"])) {
if (!empty($_GET["creategroup"])) {
- $student_id = $_GET["student_id"];
- $url = $_GET["url"];
- $id = $_GET["id"];
- $name = $_GET["name"];
+ $student_id = mysqli_real_escape_string($con, $_GET["student_id"]);
+ $url = mysqli_real_escape_string($con, $_GET["url"]);
+ $id = mysqli_real_escape_string($con, $_GET["id"]);
+ $name = mysqli_real_escape_string($con, $_GET["name"]);
$sql = "INSERT INTO `course_groups_table`(`Group_Name`,
`Group_Leader`, `Course_id`) VALUES ('$name',$student_id,$id)";
@@ -737,10 +735,10 @@ if (!empty($_GET["creategroup"])) {
if (!empty($_GET["groupinvite"])) {
- $student_id = $_GET["student_id"];
- $url = $_GET["url"];
- $courseid = $_GET["courseid"];
- $groupid = $_GET["groupid"];
+ $student_id = mysqli_real_escape_string($con, $_GET["student_id"]);
+ $url = mysqli_real_escape_string($con, $_GET["url"]);
+ $courseid = mysqli_real_escape_string($con, $_GET["courseid"]);
+ $groupid = mysqli_real_escape_string($con, $_GET["groupid"]);
$result = mysqli_query($con, "SELECT * FROM course_group_members_table where Course_Group_id = '$groupid' and Student_ID = '$student_id'");
if (mysqli_num_rows($result) > 0) {
@@ -796,10 +794,10 @@ if (!empty($_GET["groupinvite"])) {
if (!empty($_GET["acceptinvite"])) {
- $student_id = $_GET["student_id"];
- $url = $_GET["url"];
- $action = $_GET["action"];
- $groupid = $_GET["groupid"];
+ $student_id = mysqli_real_escape_string($con, $_GET["student_id"]);
+ $url = mysqli_real_escape_string($con, $_GET["url"]);
+ $action = mysqli_real_escape_string($con, $_GET["action"]);
+ $groupid = mysqli_real_escape_string($con, $_GET["groupid"]);
if ($action == 1) {
$sql = "Update `course_group_members_table` set Status='Joined' where Course_Group_id =$groupid and student_id=$student_id
@@ -821,14 +819,14 @@ if (!empty($_GET["acceptinvite"])) {
if (!empty($_GET["extenddeadline"])) {
- $id = $_GET["id"];
- $date = $_GET["date"];
- $time = $_GET["time"];
- $type = $_GET["type"];
+ $id = mysqli_real_escape_string($con, $_GET["id"]);
+ $date = mysqli_real_escape_string($con, $_GET["date"]);
+ $time = mysqli_real_escape_string($con, $_GET["time"]);
+ $type = mysqli_real_escape_string($con, $_GET["type"]);
- $stdid = $_GET["stdid"];
- $reason = $_GET["reason"];
- $url = $_GET["url"];
+ $stdid = mysqli_real_escape_string($con, $_GET["stdid"]);
+ $reason = mysqli_real_escape_string($con, $_GET["reason"]);
+ $url = mysqli_real_escape_string($con, $_GET["url"]);
$deadline = $date . " " . $time;
if ($type == 1) {
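Review bot: `$deadline = $date . " " . $time;` accepts any two strings, so a malformed date or time becomes a malformed deadline without any error. Validate against the format the rest of the app uses (`date("Y-m-d H:i")`): `$parsed = DateTimeImmutable::createFromFormat('Y-m-d H:i', $date . ' ' . $time);`, stop with a message when `$parsed === false`, and use `$parsed->format('Y-m-d H:i')` as the deadline. `$type == 1` should be a strict comparison on `(int) $type`. The handler continues beyond the hunk.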
@@ -852,11 +850,11 @@ if (!empty($_GET["extenddeadline"])) {
if (!empty($_GET["ignoreremarking"])) {
- $id = $_GET["id"];
- $total = $_GET["total"];
- $header = $_GET["header"];
+ $id = mysqli_real_escape_string($con, $_GET["id"]);
+ $total = mysqli_real_escape_string($con, $_GET["total"]);
+ $header = mysqli_real_escape_string($con, $_GET["header"]);
- $subid = $_GET["subid"];
+ $subid = mysqli_real_escape_string($con, $_GET["subid"]);
$sql = "UPDATE lab_report_submissions SET Status='Marked' WHERE Submission_ID=$subid";
@@ -873,8 +871,8 @@ if (!empty($_GET["ignoreremarking"])) {
if (!empty($_GET["assignTA"])) {
- $id = $_GET["id"];
- $ta = $_GET["ta"];
+ $id = mysqli_real_escape_string($con, $_GET["id"]);
+ $ta = mysqli_real_escape_string($con, $_GET["ta"]);
$sql = "INSERT INTO `course_ta`(`Course_ID`, `TA`) VALUES ($id,$ta)";
@@ -891,8 +889,8 @@ if (!empty($_GET["assignTA"])) {
if (!empty($_GET["AcceptStudent"])) {
- $id = $_GET["id"];
- $rs = $_GET["rs"];
+ $id = mysqli_real_escape_string($con, $_GET["id"]);
+ $rs = mysqli_real_escape_string($con, $_GET["rs"]);
if ($rs == "yes") {
$sql = "Update course_students_table set Status='Joined' Where ID=$id";
@@ -919,12 +917,12 @@ if (!empty($_GET["AcceptStudent"])) {
if (!empty($_GET["action"])) {
$action = $_GET["action"];
- $uid = $_GET["uid"];
+ $uid = mysqli_real_escape_string($con, $_GET["uid"]);
- $pass = $_GET["pass"];
+ $pass = mysqli_real_escape_string($con, $_GET["pass"]);
$pass = password_hash($pass, PASSWORD_DEFAULT);
- $status = $_GET["status"];
+ $status = mysqli_real_escape_string($con, $_GET["status"]);
// validate uid
if (intval($uid) < 0) {
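Review bot: `$pass = mysqli_real_escape_string($con, $_GET["pass"]);` followed by `$pass = password_hash($pass, PASSWORD_DEFAULT);` hashes the escaped string, so a password containing a quote or backslash is stored as the hash of a different string than the user typed, and `password_verify` at login only matches if login escapes the same way. Hash the raw input, `$pass = password_hash($_GET["pass"], PASSWORD_DEFAULT);`, and bind the hash as a parameter; escaping the plaintext buys nothing. Carrying a new password in the query string also puts it into server logs and browser history, so this handler should accept POST. `$uid` is used unquoted (`User_ID=$uid`) further down and should be cast with `(int)` rather than escaped.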
@@ -932,12 +930,12 @@ if (!empty($_GET["action"])) {
return;
}
- if ($action == "passchange") {
+ if ($action == "passchange" && $_SESSION['user_id'] == $uid) {
$sql = "UPDATE users_table set Password='$pass' where User_ID=$uid;";
if ($con->query($sql) === TRUE) {
error_reporting(0);
echo "Password has been changed";
- // return;
+ //return;
$_SESSION["infoChangePassword"] = $type . " User password was changed successfully.";
header("Location: index.php");
} else {
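Review bot: `$_SESSION['user_id'] == $uid` on the `passchange` line is a loose comparison between a session value and a query-string string; cast first and compare strictly, `if ($action === "passchange" && (int) $uid === (int) $_SESSION['user_id']) {`. Once the check requires the caller's own ID, the `uid` parameter is redundant and the UPDATE could use `$_SESSION['user_id']` directly, removing the need to trust the input at all. `$type` in the success message is not assigned anywhere visible in this handler; confirm it is set earlier. The handler continues outside the hunk.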
@@ -946,7 +944,7 @@ if (!empty($_GET["action"])) {
}
}
- if ($action == "statuschange") {
+ if ($action == "statuschange" && $_SESSION['user_id'] == $uid && ($_SESSION['user_type'] == "Lecturer" || $_SESSION['user_type'] == "Admin")) {
$sql = "UPDATE users_table set Status='$status' where User_ID=$uid;";
if ($con->query($sql) === TRUE) {
$_SESSION["info_Admin_Users"] = $type . " user Status updated successfully ";
@@ -1007,8 +1005,8 @@ if (!empty($_POST["frm_createCourse"])) {
if (!empty($_GET["exportgrade"])) {
- $lab = $_GET["lab"];
- $lab_name = $_GET["lab_name"];
+ $lab = mysqli_real_escape_string($con, $_GET["lab"]);
+ $lab_name = mysqli_real_escape_string($con, $_GET["lab_name"]);
error_reporting(0);
diff --git a/Submissions.php b/Submissions.php
index b921545..44b9ad7 100644
--- a/Submissions.php
+++ b/Submissions.php
@@ -10,7 +10,7 @@ $group_id = $_SESSION["user_group_id"];
$c_date = date("Y-m-d H:i");
if (!empty($_GET["id"])) {
- $id = $_GET["id"];
+ $id = mysqli_real_escape_string($con, $_GET["id"]);
$course_id = $id;
}
@@ -139,7 +139,6 @@ where Lab_Report_ID=$id and lab_report_submissions.Status='Pending' order by Sub
if (mysqli_num_rows($result1) == 0) {
echo "No Un-Marked Submissions for this Lab Report.";
} else {
- $mark_submission_btn_counter = 0;
while ($row = mysqli_fetch_assoc($result1)) {
$title = $row['Title'];
$Marks = $row['Marks'];
@@ -158,7 +157,6 @@ where Lab_Report_ID=$id and lab_report_submissions.Status='Pending' order by Sub
$groupname = $row['Group_Name'];
$groupleader = $row['Group_Leader'];
$student_id = $row['sub_std'];
- $mark_submission_btn_counter += 1;
if ($submitted_group == 0) {
$submitted_by = $student_name . "(" . $student_id . ")";
@@ -186,7 +184,7 @@ where Lab_Report_ID=$id and lab_report_submissions.Status='Pending' order by Sub
echo "
$title by: $submitted_by
- Submitted : $posted Mark Submission Attachments : $full_link
+ Submitted : $posted Mark Submission Attachments : $full_link
";
}
}
@@ -421,8 +419,8 @@ where course_group_members_table.Course_Group_id=$id");
try {
$('' + title + '(' + marks + ' marks) \n\
- Marks \n\
- Comments \n\
+ Marks \n\
+ Comments \n\
').dialog({
modal: true,
title: 'Mark Submission',
@@ -472,4 +470,4 @@ Update Visibility Public Pri
alert(e);
}
}
-
\ No newline at end of file
+
diff --git a/SubmitLab.php b/SubmitLab.php
index 0ed44d5..c8b1fdb 100644
--- a/SubmitLab.php
+++ b/SubmitLab.php
@@ -3,123 +3,133 @@ include 'NoDirectPhpAcess.php';
?>
- '$c_date' ORDER by Lab_Report_ID DESC");
- if (mysqli_num_rows($result1) == 0) {
- echo "No active assignments for this course so far.";
- } else {
-
- while ($row = mysqli_fetch_assoc($result1)) {
-
- $Course_ID = $row['Course_ID'];
- $title = $row['Title'];
- $ins = $row['Instructions'];
- $posted = $row['Posted_Date'];
- $deadline = $row['Deadline'];
- $att1 = $row['Attachment_link_1'];
- $att2 = $row['Attachment_link_2'];
- $att3 = $row['Attachment_link_3'];
- $att4 = $row['Attachment_link_4'];
- $labid = $row['Lab_Report_ID'];
- $type = $row['Type'];
-
- //----------------------------------Giving both the Group Admin and Group Members same priviledges to submit assignment--------------------------------------
- if ($type == "Group") {
- $resultx1 = mysqli_query($con, "SELECT Course_Group_id FROM `course_groups_table` WHERE (Course_id=$Course_ID) and ((Group_Member=$student_id ) or (Group_Member2=$student_id ) or (Group_Member3=$student_id ) or (Group_Member4=$student_id ) or (Group_Leader=$student_id))");
- while ($row = mysqli_fetch_assoc($resultx1)) {
- $_SESSION["Group_ID"] = $row['Course_Group_id'];
- }
-
- if ($_SESSION["Group_ID"] < 1) {
- echo "
This Lab report can only be submitted by Group Admin ";
- return;
- }
+$c_date = date("Y-m-d H:i");
+$student_id = $_SESSION["user_student_id"];
+
+if(!empty($_GET["id"]))
+{
+ $id = mysqli_real_escape_string($con, $_GET["id"]);
+ $url = mysqli_real_escape_string($con, $_GET["url"]);
+
+ $result1 = mysqli_query($con," SELECT `Type`, `Lab_Report_ID`, `Course_ID`, `Posted_Date`, `Deadline`, `Instructions`, `Title`, `Attachment_link_1`, `Attachment_link_2`, `Attachment_link_3`, `Attachment_link_4` FROM `lab_reports_table` WHERE Lab_Report_ID=$id and Deadline > '$c_date' ORDER by Lab_Report_ID DESC");
+ if(mysqli_num_rows($result1) == 0)
+ {
+ echo "No active assignments for this course so far.";
+
+ } else {
+
+ while($row = mysqli_fetch_assoc($result1)) {
+
+ $Course_ID = $row['Course_ID'];
+ $title = $row['Title'];
+ $ins = $row['Instructions'];
+ $posted = $row['Posted_Date'];
+ $deadline = $row['Deadline'];
+ $att1 = $row['Attachment_link_1'];
+ $att2 = $row['Attachment_link_2'];
+ $att3 = $row['Attachment_link_3'];
+ $att4 = $row['Attachment_link_4'];
+ $labid = $row['Lab_Report_ID'];
+ $type = $row['Type'];
+
+ //----------------------------------Giving both the Group Admin and Group Members same priviledges to submit assignment--------------------------------------
+ if($type=="Group"){
+ $resultx1 = mysqli_query($con,"SELECT Course_Group_id FROM `course_groups_table` WHERE (Course_id=$Course_ID) and ((Group_Member=$student_id ) or (Group_Member2=$student_id ) or (Group_Member3=$student_id ) or (Group_Member4=$student_id ) or (Group_Leader=$student_id))");
+ while($row = mysqli_fetch_assoc($resultx1)) {
+ $_SESSION["Group_ID"] = $row['Course_Group_id'];
+ }
+
+ if($_SESSION["Group_ID"] < 1)
+ {
+ echo"
This Lab report can only be submitted by Group Admin ";
+ return;
}
-
- $full_link = "
$att1 ";
-
- if ($att2 != "") {
- $full_link = $full_link . "|
$att2 ";
- }
- if ($att3 != "") {
- $full_link = $full_link . "|
$att3 ";
- }
-
- if ($att4 != "") {
- $full_link = $full_link . "|
$att4 ";
- }
-
- echo "
+ }
+
+
+ $full_link=" $att1 ";
+
+ if($att2!=""){
+ $full_link = $full_link."|
$att2 ";
+ }
+ if($att3!=""){
+ $full_link = $full_link."|
$att3 ";
+ }
+
+ if($att4!=""){
+ $full_link = $full_link."|
$att4 ";
+ }
+
+ echo "
";
- echo "";
- }
+ echo "";
}
}
+}
- $Group_ID = $_SESSION["Group_ID"];
+$Group_ID = $_SESSION["Group_ID"];
- ?>
+?>
+
+
+
-
Submit Lab Report Assignment
-
+
Submit Lab Report Assignment
+
-
-
\ No newline at end of file
+
+
+