Hui-improve-README.md (#56)

More detail on installation.

Co-authored-by: Lan Hui <1348141770@qq.com>
Reviewed-on: http://121.4.94.30:3000/mrlan/LRR/pulls/56
Co-authored-by: mrlan <mrlan@noreply.121.4.94.30>
Co-committed-by: mrlan <mrlan@noreply.121.4.94.30>

.htaccess

@@ -0,0 +1 @@
+allow from all

Admin.php

@@ -7,14 +7,15 @@ $page = "admin";
 include 'Header.php';
 ?>
 
+
 <?php
-if ($_SESSION['user_type'] != "Lecturer") {
+// Only Lecturer or Admin could access this page
-  $_SESSION["info_login"] = "You must log in first.";
+if ($_SESSION['user_type'] != "Lecturer" && $_SESSION['user_type'] != "Admin") {
-  echo $_SESSION["info_login"];
+    die("Sorry.  Nothing to see here.");
-  header("Location: index.php");
 }
 ?>
 
+
 <style>
   .col-md-4 {
     border-right: 1px solid skyblue;
@@ -36,10 +37,21 @@ if ($_SESSION['user_type'] != "Lecturer") {
         <hr>
     -->
   <div class="col-md-6">
-    <h4> User Account Management </h4>
-    <hr>
 
-    <b>Lecturer / TA Accounts </b><br>
+  <?php 
+  if ($_SESSION['user_type'] == "Lecturer") {
+           
+        echo " <h4> TA Account Management </h4> 
+        <hr> " ;
+        echo    "<b>TA Accounts </b><br>" ;
+      }
+  else if($_SESSION['user_type'] == "Admin"){
+        echo " <h4> Lecturer Account Management </h4> 
+        <hr> ";
+        echo "<b>Lecturer Accounts </b><br>";
+    }
+    
+  ?>
 
     <div class="container">
 
@@ -65,20 +77,45 @@ if ($_SESSION['user_type'] != "Lecturer") {
 
         <div id="home" class="container tab-pane active"><br>
 
-          <b>Create Lecturer/TA Accounts </b>
+      <?php 
+        if ($_SESSION['user_type'] == "Lecturer") {
+                
+            echo "<b>Create TA Accounts </b>";
+             
+          }
+        else if($_SESSION['user_type'] == "Admin"){
+           echo "<b>Create Lecturer Accounts </b>";
+          }
+    
+      ?>
           <form method="post" action="Script.php" id="create_account_form">
             <input type="hidden" name="frm_createlecturrer" value="true" required="" />
-            Full_Name
+            Full Name
             <input type="text" name="fullname" placeholder="Full Name" class="form-control" required="">
             Email
             <input type="text" name="email" placeholder="Email / Student Number" class="form-control" required="">
 
-            Passport_Number / ID (Used as Intial Password)
+            Passport Number / ID (Used as Initial Password)
             <input type="text" class="form-control" name="passport" placeholder="Passport No./ID" required="">
             <br> User Type :
-            <input type="radio" name="type" value="Lecturer" required="" id="role_lecturer"> Lecturer
+
-            <input type="radio" name="type" value="TA" required="" id="role_TA"> T/A
+          <?php 
+
+              if ($_SESSION['user_type'] == "Lecturer") {
+                      
+                    echo ' <input type="radio" name="type" value="TA" required="" id="role_TA"> TA (Teaching Assistant) ';
+
+                }
+              else if($_SESSION['user_type'] == "Admin"){
+                    
+                    echo " <input type='radio' name = 'type' value = 'Lecturer' required = '' id='role_lecturer' > Lecturer ";
+                  
+                }
+
+            ?>  
+
             <input type="submit" class="btn btn-primary" value="Create" id="create_btn"><br>
+            
             <?php
 
             error_reporting(E_ALL);
@@ -112,10 +149,21 @@ if ($_SESSION['user_type'] != "Lecturer") {
             </tr>
             <?php
 
+          if ($_SESSION['user_type'] == "Lecturer") {
+                                  
                 $result = mysqli_query(
                   $con,
-              "SELECT * FROM Users_Table  WHERE UserType in ('Lecturer','TA')"
+                  "SELECT * FROM Users_Table  WHERE UserType in ('TA')"
                 );
+            }
+
+          else if($_SESSION['user_type'] == "Admin"){
+                $result = mysqli_query(
+                  $con,
+                  "SELECT * FROM Users_Table  WHERE UserType in ('Lecturer')"
+                );
+            }
+
             while ($row = mysqli_fetch_assoc($result)) {
               $pass = $row['Passport_Number'];
               $btn = "<button class='btn-primary' onclick=\"updatePass(" . $row['User_ID'] . ",'$pass')\">Reset</button>";

Course.php

@@ -57,9 +57,9 @@ if(!empty($_GET["url"]))
     
 <?php
     
-if (isset($_SESSION['info_ReMarking'])) {
+if (isset($_SESSION['info_general'])) {
-    echo '<hr><div class="alert alert-info" role="alert" style="float:left;">' . $_SESSION['info_ReMarking'] . '</div>';
+    echo '<hr><div class="alert alert-info" role="alert" style="float:left;">' . $_SESSION['info_general'] . '</div>';
-    $_SESSION['info_ReMarking']=null;
+    $_SESSION['info_general']=null;
 }
    
 if (isset($_SESSION['info_courses'])) {
@@ -529,21 +529,37 @@ course_groups_table.Course_Group_id=course_group_members_table.Course_Group_id W
                 $extra3="   <a href='#' class='' onclick='accept($id,0)'>Decline</a></small>"; 
                                 
             }
-            echo "<div  class='btn-default'><small> $name ($status)  $extra  $extra2  $extra3</small></div>";
+
+            # Add "delete group" button and allow only group creator to delete it
+            $extra4 = "<button onclick='delete_group($id)' class='btn btn-danger' style='height: 25px; width: 90px; 
+                        line-height: 10px; font-size: 10px'>DELETE GROUP</button>";
+
+            echo "<div  class='btn-default'><small> $name ($status)  $extra  $extra2  $extra3" . 
+            (($status == "Created")? "$extra4": "")
+            ."</small></div>";
                         
             $rs2=mysqli_query($con,"SELECT `ID`, `Course_Group_id`, course_group_members_table.Student_ID, 
                             course_group_members_table.`Status`,users_table.Full_Name FROM `course_group_members_table` 
 INNER JOIN users_table on users_table.Student_ID=course_group_members_table.Student_ID
 where course_group_members_table.Course_Group_id=$id");
             
+            #Check whether the current user in session is the creator of the group
+            $rs3 = mysqli_query($con, "SELECT `Status` from course_group_members_table where Student_ID = $student_id");
+            $flag = mysqli_fetch_assoc($rs3)['Status'] == "Created";
+
             while($row = mysqli_fetch_assoc($rs2)) {
                 $name=$row['Full_Name'];
                 $id=$row['Course_Group_id'];
                 $status=$row['Status'];
                 $Student_ID=$row['Student_ID'];
                         
-                        
+                #Show group members + remove button next to each member except the creator of the group
-                echo "<li><small> $name-$Student_ID ($status)</small></li>";
+                if($flag){
+                    echo "<li><small> $name-$Student_ID ($status)</small>".(($status != "Created")?"<button onclick='remove_member($Student_ID, $id)' 
+                class='btn btn-danger' style='height: 25px; width: 80px; line-height: 10px;'>remove</button>":"")."</li>";
+                }else{
+                    echo "<li><small> $name-$Student_ID ($status)</small>";
+                } 
                         
             }
                         
@@ -688,5 +704,62 @@ function remarking(data)
     window.location.href = data+"&details="+details;
 }
   
+function remove_member(student_id, group_id) {
+    
+    try
+    {
+        
+
+        $('<form id="frm" method="get" action="Script.php"><input type="hidden" name="removemember" value="true">\n\
+ <input type="hidden" name="student_id" value="'+student_id+'" > \n\
+ <input type="hidden" name="group_id" value="'+group_id+'">\n\
+<input type="hidden" name="url" value="<?php echo $url; ?>"></form>').dialog({
+    modal: true,
+    title:'Remove '+student_id+'?',
+    buttons: {
+        'Confirm': function () {
+            $('#frm').submit();
+	    
+            $(this).dialog('close');
+        },
+        'X': function () {
+	    
+            $(this).dialog('close');
+        }
+	
+    }
+});
+
+    } catch(e){ alert(e); }
+}
+
+function delete_group(id) {
+    
+    try
+    {
+        
+
+        $('<form id="frm" method="get" action="Script.php"><input type="hidden" name="deletegroup" value="true">\n\
+ <input type="hidden" name="group_id" value="'+id+'" > \n\
+<input type="hidden" name="url" value="<?php echo $url; ?>"></form>').dialog({
+    modal: true,
+    title:'Delete this group?',
+    buttons: {
+        'Confirm': function () {
+            $('#frm').submit();
+	    
+            $(this).dialog('close');
+        },
+        'X': function () {
+	    
+            $(this).dialog('close');
+        }
+	
+    }
+});
+
+    } catch(e){ alert(e); }
+}
+
 </script>
     

Courses.php

@@ -153,14 +153,14 @@ New Date/Time <br><input type="date" name="date" required=""> <input type="time"
                     <input type='hidden' name='course_id' value='<?php echo "$id" ?>' required=''/>
                     <input type='hidden' name='url' value='<?php echo ".$course_url." ?>' required=''/>
            
-                    Dealine Date/Time
+                    Deadline Date/Time
                         <div class='row'> 
                     <div class='col-md-7'><input type='date' id='date' name='deadlinedate' placeholder='' class='form-control' required='' value="<?php echo isset($_GET['act']) && $_GET['act']=="edit" ? $Date : ""; ?>"> </div>
                     <div class='col-md-5'> <input type='text' id='time' class='form-control' name='deadlinetime' value="<?php echo isset($_GET['act']) && $_GET['act']=="edit" ? $Time : ""; ?>"> </div> 
                     </div>
 
                     Title
-                        <input type='text'  name='title' placeholder='Ttle' class='form-control' required='' value="<?php echo isset($_GET['act']) && $_GET['act']=="edit" ? $Title : ""; ?>">
+                        <input type='text'  name='title' placeholder='Title' class='form-control' required='' value="<?php echo isset($_GET['act']) && $_GET['act']=="edit" ? $Title : ""; ?>">
                     Instructions
                         <textarea  name='instructions' placeholder='Assignment Instructions' class='form-control' required='' ><?php echo isset($_GET['act']) && $_GET['act']=='edit' ? $Instructions : ''; ?></textarea>
                     Marks
@@ -181,9 +181,9 @@ New Date/Time <br><input type="date" name="date" required=""> <input type="time"
 
 <?php
                     if ($Type == "Individual") {
-                        echo "Submission Type  <input type='radio' name='type' value='Individual' checked /> Invidual  <input type='radio' name='type' value='Group' /> Group";
+                        echo "Submission Type  <input type='radio' name='type' value='Individual' checked /> Individual  <input type='radio' name='type' value='Group' /> Group";
                     } else {
-                        echo "Submission Type  <input type='radio' name='type' value='Individual' /> Invidual  <input type='radio' name='type' value='Group' checked> Group";
+                        echo "Submission Type  <input type='radio' name='type' value='Individual' /> Individual  <input type='radio' name='type' value='Group' checked> Group";
                     }		 
                     ?>
 
@@ -213,14 +213,14 @@ New Date/Time <br><input type="date" name="date" required=""> <input type="time"
                     <input type='hidden' name='course_id' value='<?php echo "$id" ?>' required=''/>
                     <input type='hidden' name='url' value='<?php echo ".$course_url." ?>' required=''/>
                      
-                    Dealine Date/Time
+                    Deadline Date/Time
                         <div class='row'> 
                     <div class='col-md-7'><input type='date' id='date' name='deadlinedate' placeholder='' class='form-control' required='' value=""> </div>
                     <div class='col-md-5'> <input type='time' class='form-control' name='deadlinetime' value=""> </div> 
                     </div>
 
                     Title
-                        <input type='text'  name='title' placeholder='Ttle' class='form-control' required='' value="">
+                        <input type='text'  name='title' placeholder='Title' class='form-control' required='' value="">
                     Instructions
                         <textarea  name='instructions' placeholder='Assignment Instructions' class='form-control' required='' value=""></textarea>
                     Marks
@@ -238,7 +238,7 @@ New Date/Time <br><input type="date" name="date" required=""> <input type="time"
                     Attachment 4
                         <input type='file'  name='attachment4' placeholder='Attachment 4' class='form-control' >
                     <br>
-                    Submission Type  <input type='radio' name='type' value='Individual' required=''> Invidual
+                    Submission Type  <input type='radio' name='type' value='Individual' required=''> Individual
 
                                                 <input type='radio' name='type' value='Group' required=''> Group
                     <hr>
@@ -552,27 +552,32 @@ if( $_SESSION['user_type']=="Student")
 <?php 
     error_reporting(0);
     $student_id= $_SESSION['user_student_id'];
+    // current academic year - i.e 2021 - 2022 , so we will show in search result:
+    // course containing either 2021 or 2022 as academic year.
+    $oldest_academic_year = date('Y') - 1;
     if(!empty($_GET["search"]) || !empty($_GET["faculty"]))
     {
         $search = trim(mysqli_real_escape_string($con, $_GET["search"]));
+        $search = strtoupper($_GET['search']);
         $faculty = mysqli_real_escape_string($con, $_GET["faculty"]);
     
-       
+        // the user has not entered something under "Find course by Code"
         if($faculty=="")
         {
             echo "<h4> Search Results for Course Code $search</h4><hr>";
             $result = mysqli_query($con,"SELECT `Course_ID`, `Course_Name`, `Academic_Year`, `Faculty`,"
                                    . " `Lecturer_User_ID`, `TA_User_ID`, `Course_Code`, `URL`, `Verify_New_Members`  "
                                    . " , users_table.Full_Name  FROM `courses_table` INNER JOIN users_table"
-                                   . " ON users_table.User_ID=courses_table.Lecturer_User_ID where Course_Code like '%{$search}%' and courses_table.Course_ID not in (select course_id from course_students_table where Student_ID=$student_id)");
+                                   . " ON users_table.User_ID=courses_table.Lecturer_User_ID where Academic_Year >= $oldest_academic_year and Course_Code like '%{$search}%'  and courses_table.Course_ID not in (select course_id from course_students_table where Student_ID=$student_id) order by Academic_Year desc");
         } 
+        // the user has entered something under "Find course by Code"
         else
         {
             echo "<h3> Find Courses under faculty $faculty</h3>";
             $result = mysqli_query($con,"SELECT `Course_ID`, `Course_Name`, `Academic_Year`, `Faculty`,
        `Lecturer_User_ID`, `TA_User_ID`, `Course_Code`, `URL`, `Verify_New_Members` 
          , users_table.Full_Name  FROM `courses_table` INNER JOIN users_table
-         ON users_table.User_ID=courses_table.Lecturer_User_ID where Faculty='$faculty'  and courses_table.Course_ID not in (select course_id from course_students_table where Student_ID=$student_id)");
+         ON users_table.User_ID=courses_table.Lecturer_User_ID where Academic_Year >= $oldest_academic_year  and Faculty='$faculty'  and courses_table.Course_ID not in (select course_id from course_students_table where Student_ID=$student_id) order by Academic_Year desc");
         }
      
 
@@ -605,7 +610,7 @@ if( $_SESSION['user_type']=="Student")
             }
         }
     }
-     
+    // Otherwise, list the student's joined courses (already done), in reverse chronological order
     echo "<h4> My Courses </h4>";
     $result = mysqli_query($con,"SELECT users_table.Full_Name, course_students_table.Status, courses_table.Course_ID, `Course_Name`, `Academic_Year`, `Faculty`, `Lecturer_User_ID`, `TA_User_ID`, `Course_Code`, `URL`, `Verify_New_Members` FROM `courses_table`
 INNER JOIN users_table
@@ -613,7 +618,7 @@ INNER JOIN users_table
 
 INNER JOIN course_students_table on course_students_table.Course_ID=courses_table.Course_ID
 
-                  where course_students_table.Student_ID=$student_id");
+                  where course_students_table.Student_ID=$student_id order by Academic_Year desc");
  
     if(mysqli_num_rows($result)==0)
     {
@@ -678,17 +683,19 @@ INNER JOIN course_students_table on course_students_table.Course_ID=courses_tabl
             <div class='row'> 
             <div class='col-md-10'> 
             <div class='row'><div class='col-md-6'> Find course by Code
-            <input  type='text' class='form-control' name='search' placeholder='Enter Course Code'>
+            <input  type='text' class='form-control' name='search' maxlength='11' placeholder='Enter Course Code'>
             </div><div class='col-md-6'>
 List courses by faculty
 
 <select name='faculty' class='form-control'>";
         $result = mysqli_query($con,"SELECT   DISTINCT(Faculty) as Faculty FROM `courses_table`");
-        if(mysqli_num_rows($result)==0)
+        if(mysqli_num_rows($result)==0){
-        {} else { while($row = mysqli_fetch_assoc($result)) {
-                $fname=$row['Faculty'];
 
-                echo "<option value=''> Search by faculty </option> <option value='$fname'> $fname </option>";
+        } else { 
+            echo"<option value=''> Search by faculty </option>";
+            while($row = mysqli_fetch_assoc($result)) {
+                $fname=$row['Faculty'];
+                echo " <option value='$fname'> $fname </option>";
             }}
 
         echo "</select></div></div>

Download.php

@@ -8,7 +8,7 @@ session_start();
 
 // 修改这一行设置你的文件下载目录
 // IMPORTANT: Do not delete the following conditional test
-if (strpos($_GET['file'], "../") != false) { // 检查是否有 ../，防止用户构造路径，访问某个他不应该访问的目录
+if (strpos($_GET['file'], "../") !== false) { // 检查是否有 ../，防止用户构造路径，访问某个他不应该访问的目录
     die("Sorry.  Nothing to download.");
 }
 

Header.php

@@ -22,6 +22,12 @@ if (mysqli_connect_errno()) {
   <link href="./css/bootstrap.min.css" rel="stylesheet" type="text/css" />
   <link href="./font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css" />
   <link href="./css/bootstrap.min.css" rel="stylesheet" type="text/css" />
+  <!-- *this css file can be used across all the websites 
+  and any new css class can be added there.
+  * The reason is to make the css code reusable.
+  * the css file is used by submissions.php
+-->
+  <link href = "./css/main.css" rel = "stylesheet" type = "text/css" />
 
   <script src="./css/jquery.min.js" type="text/javascript"></script>
   <script src="./css/bootsrap.min.js" type="text/javascript"></script>

NoDirectPhpAcess.php

@@ -2,6 +2,6 @@
     // https://stackoverflow.com/questions/33999475/prevent-direct-url-access-to-php-file
     if (!isset($_SERVER['HTTP_REFERER']) ) {
         /* choose the appropriate page to redirect users */
-        die( header( 'location: index.php' ) );
+        die( header( 'location: logout.php' ) );
     }
 ?>

README.md

@@ -18,15 +18,17 @@ Our mission is to make the experience of submitting assignments great for tens o
 # Installation Instructions
 
 
-## Hui's steps
+## Hui steps
 
 I spent about two hours installing LRR to a bare, remote Ubuntu server (Ubuntu 20.04 LTS).
 
-LRR needs Apache and MySQL to run.  I followed [How To Install Linux, Apache, MySQL, PHP (LAMP) stack on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu-20-04) to set up these server applications.
+LRR needs Apache and MySQL to run.  I followed [How To Install Linux, Apache, MySQL, PHP (LAMP) stack on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu-20-04) to set up these server applications.  [How to install and configure PHP](https://ubuntu.com/server/docs/programming-php) is also a good guide.
 
-LRR uses a database called `lrr`.  I need to export the existing `lrr` to a plain text file (including many sql commands) and import that text file to the newly created `lrr` database on the new server.
+LRR uses a database called `lrr`.  So create this database using MySQL root account.  Open MySQL's prompt using `sudo mysql`.  Create the database using command `CREATE DATABASE lrr;`, and grant all privileges to MySQL user `lrr` using command `GRANT ALL PRIVILEGES ON lrr.* TO 'mnc'@'localhost' WITH GRANT OPTION;`.   If MySQL user mnc does not exist, create it using command `CREATE USER 'mnc'@'localhost' IDENTIFIED BY 'password'`.
-The command for exporting the database is `mysqldump -u mnc -p lrr > lrr_database_dump.txt`.
+
-The command for importing is `mysql -u mnc -p lrr < lrr_database_dump.txt`.  Read [How to Import and Export MySQL Databases in Linux](https://phoenixnap.com/kb/import-and-export-mysql-database) for more detail.
+To facilitate data migration, I need to export the existing `lrr` to a plain text file (including many sql commands) and import that text file to the newly created `lrr` database on the new server.
+The command for exporting the database is `mysqldump -u mnc -p lrr > lrr_database_dump.txt`, where mnc after -u is MySQL's username, and lrr after -p is the database name.
+The command for importing is `mysql -u mnc -p lrr < lrr_database_dump.txt`.  Read [How to Import and Export MySQL Databases in Linux](https://phoenixnap.com/kb/import-and-export-mysql-database) for more detail. Do not have lrr_database_dump.txt?  You can use lrr_database.sql in this repo instead.
 
 LRR also needs to store assignment submissions.  We store them in a folder called `../../lrr_submission`.  Note that `lrr_submission` is two levels above the project folder (where many PHP files reside).  I copied this folder from the existing one.  I think it is also OK if you create an empty folder.   
 We need to set a proper owner and accessibility for `lrr_submission` using the following two commands:
@@ -49,7 +51,7 @@ Enable the site lrr: `sudo a2ensite lrr`.  Restart the apache server: `sudo syst
 Visit the LRR application by entering this URL in a web browser: http://121.4.94.30/.
 
 
-## Enock's steps
+## Enock steps
 
 Enock, a graduate student here, has made a tutorial about how he deployed LRR to a remote server (http://lanlab.org/course/2021s/spm/PuTTY-Server.txt).
 
@@ -171,49 +173,49 @@ We can also communicate through pull requests.  You make a pull request, I revie
 
 GitHub Account - Full Name - Student number
 
-CODEwithZAKI - Omar Mohamud Mohamed - 202025800041
+CODEwithZAKI - Omar Mohamud Mohamed - 2020041
 
-BloudYoussef - Khayat Youssef - 202025800042 
+BloudYoussef - Khayat Youssef - 2020042 
 
-TanakaMichelle - Tanaka Michelle Sandati - 201732120134
+TanakaMichelle - Tanaka Michelle Sandati - 2017134
 
-WhyteAsamoah  - Yeboah Martha Asamoah   - 201732120135
+WhyteAsamoah  - Yeboah Martha Asamoah   - 2017135
 
-xiaoyusoil - ZhengXiaoyu - 201732120110
+xiaoyusoil - ZhengXiaoyu - 2017110
 
-Benny123-cell - ZhangBin - 201732120127
+Benny123-cell - ZhangBin - 2017127
 
-421281726 - LiJiaxing - 201732120118
+421281726 - LiJiaxing - 2017118
 
-zhenghongyu-david - ZhengHongyu - 201732120128
+zhenghongyu-david - ZhengHongyu - 2017128
 
-wkytz - YeHantao - 201732120125
+wkytz - YeHantao - 2017125
 
-zego000 - GaoZeng - 201732120117
+zego000 - GaoZeng - 2017117
 
-Richard1427 - XieJiacong - 201732120123
+Richard1427 - XieJiacong - 2017123
 
-yutengYing - YingYuteng - 201732120126
+yutengYing - YingYuteng - 2017126
 
-Samrusike  - Samantha Rusike  - 201632120140
+Samrusike  - Samantha Rusike  - 2016140
 
 *enockkays* <enockkhondowe94@yahoo.com>
 
-*Teecloudy*  - Ashly Tafadzwa Dhani - 201632120150
+*Teecloudy*  - Ashly Tafadzwa Dhani - 201150
 
-GuedaliaBonheurSPM - Guedalia Youma - 201925800221
+GuedaliaBonheurSPM - Guedalia Youma - 2019221
 
-ACorneille - Alimasi Corneille - 201925800168
+ACorneille - Alimasi Corneille - 2019168
 
-Tabithakipanga - Kipanga Dorcas - 201925800170
+Tabithakipanga - Kipanga Dorcas - 2019170
 
-Mary-AK  - Mary Akussah Doe - 201925800173
+Mary-AK  - Mary Akussah Doe - 2019173
 
-pkkumson  - Kumson Princewill Kum - 201925800166
+pkkumson  - Kumson Princewill Kum - 2019166
 
-Twizere  -  Twizere Pacifique  -  201925800174
+Twizere  -  Twizere Pacifique  -  2019174
 
-Nicole-Rutagengwa  - Nicole Rutagengwa  - 201925800169
+Nicole-Rutagengwa  - Nicole Rutagengwa  - 2019169
 
 *hema-001* - Ibrahim Mohamed Ibrahim Ismail - omitted
 

Reset_password.php

@@ -8,8 +8,8 @@
 
 
 include 'Header.php';
-$token=$_GET['token'];
+$token = htmlspecialchars($_GET['token']);
-$email=$_GET['email'];
+$email = htmlspecialchars($_GET['email']);
 ?>
 
 <div class="row">

Script.php

@@ -98,16 +98,15 @@ if (!empty($_POST["form_signup"])) {
 
     // check for strong password
     if (!$containsAll) {
-        $_SESSION['info_signup'] = "Password must have at least characters that include lowercase letters, uppercase letters, numbers and sepcial characters (e.g., !?.,*^).";
+        $_SESSION['info_signup'] = "Password must have at least characters that include lowercase letters, uppercase letters, numbers and special characters (e.g., !?.,*^).";
         header("Location: signup.php");
         return;
     }
 
     // check if email is taken
     $result = mysqli_query($con, "SELECT * FROM users_table WHERE email='$email'");
-    if(mysqli_num_rows($result) != 0)
+    if (mysqli_num_rows($result) != 0) {
-    {
+        $_SESSION["info_signup"] = "Email address " . $email . "  is already in use.";
-        $_SESSION["info_signup"]="Email address ".$email."  is already in use.";
         $_SESSION['user_fullname'] = null;
         header("Location: signup.php");
         return;
@@ -147,7 +146,7 @@ if (!empty($_POST["frm_login"])) {
     $password = mysqli_real_escape_string($con, $_POST["password"]);
     $result = mysqli_query($con, "SELECT * FROM users_table WHERE (Student_ID='$user') OR (Email='$user')");
     if (mysqli_num_rows($result) == 0) {
-        $_SESSION["info_login"] = "Inavlid user name information.";
+        $_SESSION["info_login"] = "Invalid user name information.";
         echo $_SESSION["info_login"];
         header("Location: index.php");
     } else {
@@ -196,7 +195,6 @@ if (!empty($_POST["frm_recover_password"])) {
     // validate student number
     if (strlen($student_id) != 12  || is_numeric($student_id) == FALSE) {
         $_SESSION["info_recover_password"] = "Invalid student number.";
-        #echo "Invalid student number.";
         header("Location: recover_password.php");
         return;
     }
@@ -248,7 +246,7 @@ if (!empty($_POST["frm_reset_password"])) {
 
                 // Password Update
                 $hashed_password = hash('sha512', $password);
-                $sql = "UPDATE users_table set HashPassword='$hashed_password' where User_ID=$userid;";
+                $sql = "UPDATE users_table set HashPassword='$hashed_password' where User_ID='$userid';";
                 if ($con->query($sql) === TRUE) {
 
                     error_reporting(0);
@@ -272,18 +270,20 @@ if (!empty($_POST["frm_createlecturrer"])) {
     $type = mysqli_real_escape_string($con, $_POST["type"]);
     $password = mysqli_real_escape_string($con, $_POST["passport"]);
     // check if email is taken
-    $result = mysqli_query($con,
+    $result = mysqli_query(
-                           "SELECT * FROM Users_Table WHERE email='$email'");
+        $con,
-    if(mysqli_num_rows($result)!=0)
+        "SELECT * FROM Users_Table WHERE email='$email'"
-    {
+    );
-        $_SESSION["info_Admin_Users"]="Email address : ".$email." is already in use.";
+    if (mysqli_num_rows($result) != 0) {
+        $_SESSION["info_Admin_Users"] = "Email address : " . $email . " is already in use.";
         header("Location: Admin.php");
     }
-    $sql= "INSERT INTO `users_table`(`Email`, `Password`, `Full_Name`, `UserType`) VALUES "
+    $password_hash = password_hash("$password", PASSWORD_DEFAULT);
-        . "('$email','$password','$fullname','$type')";
+    $sql = "INSERT INTO `users_table`(`Email`, `Password`, `Full_Name`, `UserType`) VALUES "
+        . "('$email','$password_hash','$fullname','$type')";
 
     if ($con->query($sql) === TRUE) {
-        $_SESSION["info_Admin_Users"] = $type . " user Created successfully : email " . $email . " and $password as Password.";
+        $_SESSION["info_Admin_Users"] = $type . " user created successfully. Use email " . $email . " as account name and $password as password.";
         header("Location: Admin.php");
     } else {
         echo "Error: " . $sql . "<br>" . $con->error;
@@ -430,7 +430,7 @@ if (!empty($_POST["frm_uploadlab"])) {
 
     $sql = "INSERT INTO `lab_reports_table`(`Course_ID`, `Posted_Date`, `Deadline`, `Instructions`,
                      `Title`, `Attachment_link_1`, `Attachment_link_2`, `Attachment_link_3`, `Attachment_link_4`,Marks,Type) 
-                     VALUES ('$course_id','$date','$deadline','$instructions','$title','$targetfile','$targetfile2','$targetfile3','$targetfile3',$marks,'$type')";
+                     VALUES ('$course_id','$date','$deadline','$instructions','$title','$targetfile','$targetfile2','$targetfile3','$targetfile3','$marks','$type')";
 
     if ($con->query($sql) === TRUE) {
 
@@ -467,7 +467,7 @@ if (!empty($_POST["frm_submitlab"])) {
     $date = date("Y-m-d H:i:s");
 
     // GET UPLOADED FILES
-    $labName = mysqli_query($con, "SELECT * FROM `lab_reports_table` WHERE Lab_Report_ID=$lab_id");
+    $labName = mysqli_query($con, "SELECT * FROM `lab_reports_table` WHERE Lab_Report_ID='$lab_id'");
     while ($row = mysqli_fetch_assoc($labName)) {
         $lab_name = $row['Title'];
         $_SESSION['Sub_Type'] = $row['Type']; // submission type, either Individual or Group
@@ -571,13 +571,13 @@ if (!empty($_POST["frm_submitlab"])) {
         $group_id = 0; // FIXME
     }
 
-    $sql1 = "DELETE FROM lab_report_submissions where Lab_Report_ID=$lab_id and Student_id=$student_id and Course_Group_id=$group_id";
+    $sql1 = "DELETE FROM lab_report_submissions where Lab_Report_ID='$lab_id' and Student_id='$student_id' and Course_Group_id='$group_id'";
     if ($con->query($sql1) === TRUE) {
     }
 
     $sql = "INSERT INTO `lab_report_submissions`(`Submission_Date`, `Lab_Report_ID`, `Student_id`,"
         . " `Course_Group_id`, `Attachment1`, `Notes`, `Attachment2`, `Attachment3`, `Attachment4`, `Status`, `Title`,`Remarking_Reason`)"
-        . " VALUES ('$date',$lab_id,$student_id,$group_id,'$targetfile','$instructions','$targetfile2','$targetfile3','$targetfile4',"
+        . " VALUES ('$date','$lab_id','$student_id','$group_id','$targetfile','$instructions','$targetfile2','$targetfile3','$targetfile4',"
         . "'Pending','$title','')";
 
     if ($con->query($sql) === TRUE) {
@@ -665,7 +665,7 @@ if (!empty($_GET["updatevisibility"])) {
     $header = mysqli_real_escape_string($con, $_GET["header"]);
     $labid = mysqli_real_escape_string($con, $_GET["labid"]);
 
-    $sql = "UPDATE `lab_report_submissions` SET `Visibility`='$status' WHERE Submission_ID=$id
+    $sql = "UPDATE `lab_report_submissions` SET `Visibility`='$status' WHERE Submission_ID='$id'
               ";
 
     if ($con->query($sql) === TRUE) {
@@ -681,18 +681,18 @@ if (!empty($_GET["updatevisibility"])) {
 
 if (!empty($_GET["remarking"])) {
 
-    $id = mysqli_real_escape_string($con, $_GET["id"]);
+    $id = htmlspecialchars(mysqli_real_escape_string($con, $_GET["id"]));
-    $url = mysqli_real_escape_string($con, $_GET["url"]);
+    $url = htmlspecialchars(mysqli_real_escape_string($con, $_GET["url"]));
 
-    $status = mysqli_real_escape_string($con, $_GET["status"]);
+    $status = htmlspecialchars(mysqli_real_escape_string($con, $_GET["status"]));
-    $details = mysqli_real_escape_string($con, $_GET["details"]);
+    $details = htmlspecialchars(mysqli_real_escape_string($con, $_GET["details"]));
 
-    $sql = "UPDATE `lab_report_submissions` SET `Status`='Remarking',Remarking_Reason='$details' WHERE Submission_ID=$id
+    $sql = "UPDATE `lab_report_submissions` SET `Status`='Remarking',Remarking_Reason='$details' WHERE Submission_ID='$id'
               ";
 
     if ($con->query($sql) === TRUE) {
 
-        $_SESSION["info_ReMarking"] = "Remarking Request Sent";
+        $_SESSION["info_general"] = "Remarking Request Sent";
         header("Location: Course.php?url=" . $url);
     } else {
         echo "Error: " . $sql . "<br>" . $con->error;
@@ -709,7 +709,7 @@ if (!empty($_GET["creategroup"])) {
     $name = mysqli_real_escape_string($con, $_GET["name"]);
 
     $sql = "INSERT INTO `course_groups_table`(`Group_Name`, 
-                  `Group_Leader`, `Course_id`) VALUES ('$name',$student_id,$id)";
+                  `Group_Leader`, `Course_id`) VALUES ('$name','$student_id','$id')";
 
     if ($con->query($sql) === TRUE) {
 
@@ -719,9 +719,9 @@ if (!empty($_GET["creategroup"])) {
         }
 
         $sql = "INSERT INTO `course_group_members_table`( `Course_Group_id`, `Student_ID`, `Status`) 
-                          VALUES ($gid,$student_id,'Created')";
+                          VALUES ('$gid','$student_id','Created')";
         if ($con->query($sql) === TRUE) {
-            $_SESSION["info_ReMarking"] = "Course group Created";
+            $_SESSION["info_general"] = "Course group Created";
             header("Location: Course.php?url=" . $url);
         } else {
             echo "Error: " . $sql . "<br>" . $con->error;
@@ -739,14 +739,21 @@ if (!empty($_GET["groupinvite"])) {
     $url = mysqli_real_escape_string($con, $_GET["url"]);
     $courseid = mysqli_real_escape_string($con, $_GET["courseid"]);
     $groupid = mysqli_real_escape_string($con, $_GET["groupid"]);
+    $student = mysqli_query($con, "SELECT * FROM students_data WHERE Student_ID = '$student_id'  ");
+
+    if (mysqli_num_rows($student) > 0) {
 
         $result = mysqli_query($con, "SELECT * FROM course_group_members_table where Course_Group_id = '$groupid' and Student_ID = '$student_id'");
         if (mysqli_num_rows($result) > 0) {
-        $_SESSION["info_ReMarking"] = $student_id . " has already been invited";
+            $_SESSION["info_general"] = $student_id . " has already been invited.";
             header("Location: Course.php?url=" . $url);
         } else {
             $sql = "INSERT INTO `course_group_members_table`( `Course_Group_id`, `Student_ID`, `Status`)
-                      VALUES ($groupid,$student_id,'Invited')";
+                        VALUES ('$groupid','$student_id','Invited')";
+        }
+    } else {
+        $_SESSION["info_general"] = $student_id . " is an invalid student number.";
+        header("Location: Course.php?url=" . $url);
     }
 
     if ($con->query($sql) === TRUE) {
@@ -764,26 +771,26 @@ if (!empty($_GET["groupinvite"])) {
 
             if ($Group_Member == '0') {
                 mysqli_query($con, "UPDATE `course_groups_table` SET `Group_Member` = ('" . $student_id . "') WHERE `course_groups_table`.`Course_Group_id` = '$groupid'");
-                $_SESSION["info_ReMarking"] = $student_id . " was invited to the group";
+                $_SESSION["info_general"] = $student_id . " was invited to the group.";
                 header("Location: Course.php?url=" . $url);
             } elseif ($Group_Member2 == '0') {
                 mysqli_query($con, "UPDATE `course_groups_table` SET `Group_Member2` = ('" . $student_id . "') WHERE `course_groups_table`.`Course_Group_id` = '$groupid'");
-                $_SESSION["info_ReMarking"] = $student_id . " was invited to the group";
+                $_SESSION["info_general"] = $student_id . " was invited to the group.";
                 header("Location: Course.php?url=" . $url);
             } elseif ($Group_Member3 == '0') {
                 mysqli_query($con, "UPDATE `course_groups_table` SET `Group_Member3` = ('" . $student_id . "') WHERE `course_groups_table`.`Course_Group_id` = '$groupid'");
-                $_SESSION["info_ReMarking"] = $student_id . " was invited to the group";
+                $_SESSION["info_general"] = $student_id . " was invited to the group.";
                 header("Location: Course.php?url=" . $url);
             } elseif ($Group_Member4 == '0') {
                 mysqli_query($con, "UPDATE `course_groups_table` SET `Group_Member4` = ('" . $student_id . "') WHERE `course_groups_table`.`Course_Group_id` = '$groupid'");
-                $_SESSION["info_ReMarking"] = $student_id . " was invited to the group";
+                $_SESSION["info_general"] = $student_id . " was invited to the group.";
                 header("Location: Course.php?url=" . $url);
             } else {
-                $_SESSION["info_ReMarking"] = " You cant add any more members";
+                $_SESSION["info_general"] = " You cannot add any more members";
                 header("Location: Course.php?url=" . $url);
             }
         }
-        $_SESSION["info_ReMarking"] = $student_id . " was invited to the group";
+        $_SESSION["info_general"] = $student_id . " was invited to the group.";
         header("Location: Course.php?url=" . $url);
     } else {
         echo "Error: " . $sql . "<br>" . $con->error;
@@ -800,15 +807,51 @@ if (!empty($_GET["acceptinvite"])) {
     $groupid = mysqli_real_escape_string($con, $_GET["groupid"]);
 
     if ($action == 1) {
-        $sql = "Update  `course_group_members_table` set Status='Joined' where  Course_Group_id =$groupid and student_id=$student_id 
+        $sql = "Update  `course_group_members_table` set Status='Joined' where  Course_Group_id ='$groupid' and student_id='$student_id' 
                          ";
     } else {
-        $sql = "Delete from  `course_group_members_table`  where  Course_Group_id =$groupid and student_id=$student_id 
+        $sql = "Delete from  `course_group_members_table`  where  Course_Group_id ='$groupid' and student_id='$student_id' 
                          ";
     }
 
     if ($con->query($sql) === TRUE) {
-        $_SESSION["info_ReMarking"] = " Group Invite Updated";
+        $_SESSION["info_general"] = " Group Invite Updated";
+        header("Location: Course.php?url=" . $url);
+    } else {
+        echo "Error: " . $sql . "<br>" . $con->error;
+    }
+}
+
+#Remove a member from group
+
+if (!empty($_GET["removemember"])) {
+
+    $student_id = mysqli_real_escape_string($con, $_GET["student_id"]);
+    $group_id = mysqli_real_escape_string($con, $_GET["group_id"]);
+    $url = mysqli_real_escape_string($con, $_GET["url"]);
+
+    $sql = "Delete from  `course_group_members_table`  where  student_id=$student_id and Course_Group_id=$group_id";
+
+    if ($con->query($sql) === TRUE) {
+        $_SESSION["info_general"] = " Member " . $student_id . " removed from the group";
+        header("Location: Course.php?url=" . $url);
+    } else {
+        echo "Error: " . $sql . "<br>" . $con->error;
+    }
+}
+
+#Delete a whole group
+
+if (!empty($_GET["deletegroup"])) {
+
+    $group_id = mysqli_real_escape_string($con, $_GET["group_id"]);
+    $url = mysqli_real_escape_string($con, $_GET["url"]);
+
+    $sql1 = "Delete from  `course_group_members_table`  where  Course_Group_id=$group_id";
+    $sql2 = "Delete from `course_groups_table` where Course_Group_id=$group_id";
+
+    if ($con->query($sql1) === TRUE && $con->query($sql2) === TRUE) {
+        $_SESSION["info_general"] = " Group has been deleted successfully. ";
         header("Location: Course.php?url=" . $url);
     } else {
         echo "Error: " . $sql . "<br>" . $con->error;
@@ -830,11 +873,11 @@ if (!empty($_GET["extenddeadline"])) {
     $deadline = $date . " " . $time;
 
     if ($type == 1) {
-        $sql = "UPDATE `lab_reports_table` SET  `Deadline`='$deadline'  WHERE Lab_Report_ID=$id";
+        $sql = "UPDATE `lab_reports_table` SET  `Deadline`='$deadline'  WHERE Lab_Report_ID='$id'";
     } else {
         $sql = "INSERT INTO `extended_deadlines_table`(`Student_ID`, "
             . "`Lab_Report_ID`, `Extended_Deadline_Date`,"
-            . " `ReasonsForExtension`) VALUES ($stdid,$id,'$deadline','$reason')";
+            . " `ReasonsForExtension`) VALUES ('$stdid','$id','$deadline','$reason')";
     }
 
     if ($con->query($sql) === TRUE) {
@@ -856,7 +899,7 @@ if (!empty($_GET["ignoreremarking"])) {
 
     $subid = mysqli_real_escape_string($con, $_GET["subid"]);
 
-    $sql = "UPDATE lab_report_submissions SET Status='Marked' WHERE Submission_ID=$subid";
+    $sql = "UPDATE lab_report_submissions SET Status='Marked' WHERE Submission_ID='$subid'";
 
     if ($con->query($sql) === TRUE) {
 
@@ -874,7 +917,7 @@ if (!empty($_GET["assignTA"])) {
     $id = mysqli_real_escape_string($con, $_GET["id"]);
     $ta = mysqli_real_escape_string($con, $_GET["ta"]);
 
-    $sql = "INSERT INTO `course_ta`(`Course_ID`, `TA`) VALUES ($id,$ta)";
+    $sql = "INSERT INTO `course_ta`(`Course_ID`, `TA`) VALUES ('$id','$ta')";
 
     if ($con->query($sql) === TRUE) {
 
@@ -893,9 +936,9 @@ if (!empty($_GET["AcceptStudent"])) {
     $rs = mysqli_real_escape_string($con, $_GET["rs"]);
 
     if ($rs == "yes") {
-        $sql = "Update  course_students_table set Status='Joined' Where ID=$id";
+        $sql = "Update  course_students_table set Status='Joined' Where ID='$id'";
     } else {
-        $sql = "Delete FROM  course_students_table Where ID=$id";
+        $sql = "Delete FROM  course_students_table Where ID='$id'";
     }
 
     if ($con->query($sql) === TRUE) {
@@ -931,7 +974,7 @@ if (!empty($_GET["action"])) {
     }
 
     if ($action == "passchange"  && $_SESSION['user_id'] == $uid) {
-        $sql = "UPDATE users_table set Password='$pass' where User_ID=$uid;";
+        $sql = "UPDATE users_table set Password='$pass' where User_ID='$uid';";
         if ($con->query($sql) === TRUE) {
             error_reporting(0);
             echo "Password has been changed";
@@ -945,7 +988,7 @@ if (!empty($_GET["action"])) {
     }
 
     if ($action == "statuschange" && $_SESSION['user_id'] == $uid && ($_SESSION['user_type'] == "Lecturer" || $_SESSION['user_type'] == "Admin")) {
-        $sql = "UPDATE users_table set Status='$status' where User_ID=$uid;";
+        $sql = "UPDATE users_table set Status='$status' where User_ID='$uid';";
         if ($con->query($sql) === TRUE) {
             $_SESSION["info_Admin_Users"] = $type . " user  Status updated successfully ";
             header("Location: Admin.php");
@@ -1018,7 +1061,7 @@ INNER JOIN lab_reports_table on lab_reports_table.Lab_Report_ID=lab_report_submi
 
 INNER JOIN users_table on users_table.Student_ID=lab_report_submissions.Student_id
 
-WHERE lab_report_submissions.Lab_Report_ID=$lab";
+WHERE lab_report_submissions.Lab_Report_ID='$lab'";
 
     $export  = mysqli_query($con, $select);
 
@@ -1048,7 +1091,7 @@ WHERE lab_report_submissions.Lab_Report_ID=$lab";
     }
 
     header("Content-type: application/octet-stream");
-    header("Content-Disposition: attachment; filename=$lab_name Garde Sheet.xls");
+    header("Content-Disposition: attachment; filename=$lab_name Grade Sheet.xls");
     header("Pragma: no-cache");
     header("Expires: 0");
     print "$header\n$data";

Student.php

@@ -9,7 +9,7 @@ include 'Header.php';
 <div class="row" style="width:80%;margin:auto;">
 
     <div class="col-md-6">
-        <h1> STUEDNT Account Created , Now you can Browse Course Portals </h1>
+        <h1> Student Account Created. Now you can Browse Course Portals </h1>
     </div>
 
 </div>

Submissions.php

@@ -183,7 +183,7 @@ where Lab_Report_ID=$id and lab_report_submissions.Status='Pending' order by Sub
                             }
 
                             echo "   <k href='#'>   <div class='btn btn-default break-word' style='dislay:block; word-wrap: break-word; border: 1px solid #F0F0F0;border-left: 4px solid #03407B;'>
-  $title  <br> by: <b> $submitted_by </b>
+  $title  <br> by: <b> <span class = 'text-selectable'>$submitted_by </span> </b>
    <br> <span style='font-size:8pt'>Submitted : $posted   <button class='btn-sm btn-info' style='margin-left:50px;' onclick='mark($Submission_ID,\"$title\",$total)'>  Mark Submission</button><br> Attachments : $full_link </span>  
 </div></k>";
                         }
@@ -262,8 +262,13 @@ where Lab_Report_ID=$id and lab_report_submissions.Status='Marked'  Order by lab
                             if ($att4 != "") {
                                 $full_link = $full_link . "| <a href='~\..\Lab_Report_Submisions\\$att4'>$att4</a>";
                             }
-                            echo "   <k href='#'>   <div class='btn btn-default break-word' style='dislay:block; word-wrap: break-word; border: 1px solid #F0F0F0;border-left: 4px solid #03407B;'>
+                            // you will notice why i used span here to wrap the $submitted_by variable
-  $title  <br> by : <b> $submitted_by  &nbsp; &nbsp;&nbsp;&nbsp;&nbsp; [ Marked $Marks ] </b>  &nbsp; Visibility : <b>$Visibility </b>  <button class='btn-sm btn-success' style='margin-left:50px;' onclick='updatev($Submission_ID)'>Update visibility</button> 
+                            // because if we wrap with span , the css class text-selectable can be used only by the submittedBy variable
+                            // if you want to use text-selectable class on whole div, just call the css class
+
+
+                            echo "   <k href='#'>   <div class='btn btn-default break-word ' style='dislay:block; word-wrap: break-word; border: 1px solid #F0F0F0;border-left: 4px solid #03407B;'>
+  $title  <br> by : <b> <span class = 'text-selectable'>$submitted_by </span> &nbsp; &nbsp;&nbsp;&nbsp;&nbsp; [ Marked $Marks ] </b>  &nbsp; Visibility : <b>$Visibility </b>  <button class='btn-sm btn-success' style='margin-left:50px;' onclick='updatev($Submission_ID)'>Update visibility</button> 
    <hr> Lecturer/TA notes : $notes<br> <span style='font-size:8pt'>Submitted : $posted        <b>  </b> <button class='btn-sm btn-info' style='margin-left:50px;' onclick='mark($Submission_ID,\"$title\",$total)'>  Re-Mark Submission</button><br> Attachments : $full_link </span>  
 </div></k>";
                         }
@@ -341,8 +346,8 @@ where Lab_Report_ID=$id and lab_report_submissions.Status='Remarking'");
                             if ($att4 != "") {
                                 $full_link = $full_link . "| <a href='~\..\Lab_Report_Submisions\\$att4'>$att4</a>";
                             }
-                            echo "   <k href='#'>   <div class='btn btn-default break-word' style='dislay:block; word-wrap: break-word; border: 1px solid #F0F0F0;border-left: 4px solid #03407B;'>
+                            echo "   <k href='#'>   <div class='btn btn-default break-word ' style='dislay:block; word-wrap: break-word; border: 1px solid #F0F0F0;border-left: 4px solid #03407B;'>
-  $title  <br> by : <b> $submitted_by  &nbsp; &nbsp;&nbsp;&nbsp;&nbsp; [ Marked $Marks ] </b> <br> Remarking Reason : <b>$remarking_reason </b>
+  $title  <br> by : <b> <span class = 'text-selectable'>$submitted_by </span>  &nbsp; &nbsp;&nbsp;&nbsp;&nbsp; [ Marked $Marks ] </b> <br> Remarking Reason : <b>$remarking_reason </b>
    <hr> <span style='font-size:8pt'>Submitted : $posted        <b>  </b> "
                                 . "<button class='btn-sm btn-info' style='margin-left:50px;' onclick='mark($Submission_ID,\"$title\",$total)'>  Re-Mark Submission</button>"
                                 . " &nbsp; &nbsp;&nbsp;&nbsp;<a href='~\..\Script.php?ignoreremarking=yes&id=$id&subid=$Submission_ID&header=$header&total=$total&status=Marked' class='btn-sm btn-warning'>  Ignore Request </a>"

batch_insert.php

@@ -19,7 +19,7 @@ if (!$conn) {
 }
 
 //获得用户名数据
-$source = $_POST['users'];
+$source = mysqli_real_escape_string($conn,$_POST['users']);
 
 //如有多个空格，删除剩一个空格
 $source1 = preg_replace('/\s\s+/', ' ', $source);
@@ -31,13 +31,12 @@ $source2 = trim($source1);
 //根据空格拆分
 $user = explode(' ', $source2);
 
-
 //插入数据
 for($index=0; $index < count($user); $index++) {
     $result = mysqli_query($conn, "SELECT * FROM `students_data` WHERE Student_ID='$user[$index]'");    
     if (mysqli_num_rows($result) < 1) {
         if (! mysqli_query($conn, "REPLACE INTO `students_data`(`Student_ID`, `Passport_Number`) VALUES('$user[$index]', '')" ) ) {
-            echo "SQL Error: " . $sql_stmt . "<br>" . mysqli_error($conn);
+            echo "SQL Error: " . $sql_stmt . "<br>" .htmlspecialchars(mysqli_error($conn));
         } else {
             echo "<p>Student number $user[$index] added.</p>";
         }

css/main.css

@@ -0,0 +1,11 @@
+
+/* this css class is used to enable copying in text with the mouse. */
+.text-selectable {
+     
+    -webkit-user-select: text;
+    -moz-user-select: text;
+    -ms-user-select: text;
+    user-select: text;
+    cursor:auto
+  
+   }

index.php

@@ -82,7 +82,7 @@ if (isset($_SESSION["user_fullname"])) {
 
 
 <div id="footer">
-    LRR was originally developed as a <a href="http://lanlab.org/course/2018f/se/homepage.html" style="color:white;">software engineering course project</a> by Mohamed Nor and Elmahdi Houzi.  Please submit your suggestions or bug reports to  lanhui _at_ zjnu.edu.cn.  Last updated on 18/04/2020 by Ashly. <a href="./homepage" style="color:white;">More information ...</a>
+    LRR was originally developed as a <a href="http://lanlab.org/course/2018f/se/homepage.html" style="color:white;">software engineering course project</a> by Mohamed Nor and Elmahdi Houzi.  Please submit your suggestions or bug reports to  lanhui.  Last updated on 18/04/2020 by Ashly. <a href="./homepage" style="color:white;">More information ...</a>
     </div>
 
 </body>

logout.php

@@ -1,11 +1,11 @@
 <?php
 
-// Destory sessions & redirect to index
-
-session_destroy();
-session_unset();
 // Start a new session
 session_start();
+// Destory sessions & redirect to index
+session_destroy();
+session_unset();
+
 
 // Generate a new session ID
 session_regenerate_id(true);

recover_password.php

@@ -27,9 +27,9 @@ include 'Header.php';
       <div class="panel-body">
         <form method="post" action="Script.php">
         <input type="hidden" name="frm_recover_password" value="true"/>
-        Student number  <input type="text" name="sno" placeholder="Enter your student number" class="form-control" required="required" value="<?php echo $_SESSION['student_number']; ?>">
+        Student number  <input type="text" name="sno" placeholder="Enter your student number" class="form-control" required="required" value="<?php echo htmlspecialchars($_SESSION['student_number']); ?>">
 	<br/>
-        Email  <input type="text" name="email" placeholder="Enter your email address" class="form-control" required="required" value="<?php echo $_SESSION['user_email']; ?>">
+        Email  <input type="text" name="email" placeholder="Enter your email address" class="form-control" required="required" value="<?php echo htmlspecialchars($_SESSION['user_email']); ?>">
 	<br/>
         <input type="submit" class="btn-primary" value="Recover">
           
@@ -38,7 +38,7 @@ include 'Header.php';
 <?php
 
 if(isset($_SESSION['info_recover_password'])) {
-  echo  '<hr><div class="alert alert-danger" role="alert">'.$_SESSION['info_recover_password'].'</div>';
+  echo  '<hr><div class="alert alert-danger" role="alert">'.htmlspecialchars($_SESSION['info_recover_password']).'</div>';
   $_SESSION['info_recover_password']=null;
 }