MDL-26796 convert array parameter cleaning to new functions

admin/langimport.php

@@ -43,7 +43,7 @@
 }
 
 $mode          = optional_param('mode', 0, PARAM_INT);              // action
-$pack          = optional_param('pack', array(), PARAM_SAFEDIR);    // pack to install
+$pack          = optional_param_array('pack', array(), PARAM_SAFEDIR);    // pack to install
 $uninstalllang = optional_param('uninstalllang', '', PARAM_LANG);   // installed pack to uninstall
 $confirm       = optional_param('confirm', 0, PARAM_BOOL);          // uninstallation confirmation
 

admin/report/capability/index.php

@@ -18,7 +18,7 @@
 
 // Get URL parameters.
 $capability = optional_param('capability', '', PARAM_CAPABILITY);
-$roleids = optional_param('roles', array('0'), PARAM_INTEGER);
+$roleids = optional_param_array('roles', array('0'), PARAM_INTEGER);
 
 // Clean the passed in list of role ids. If 'All' selected as an option, or
 // if none were selected, do all roles.

admin/report/customlang/edit.php

@@ -59,8 +59,8 @@
 }
 
 if ($translatorsubmitted) {
-    $strings = optional_param('cust', array(), PARAM_RAW);
-    $updates = optional_param('updates', array(), PARAM_INT);
+    $strings = optional_param_array('cust', array(), PARAM_RAW);
+    $updates = optional_param_array('updates', array(), PARAM_INT);
     $checkin = optional_param('savecheckin', false, PARAM_RAW);
 
     if ($checkin === false) {

admin/report/unittest/dbtest.php

@@ -14,7 +14,7 @@
 
 $showpasses   = optional_param('showpasses', false, PARAM_BOOL);
 $codecoverage = optional_param('codecoverage', false, PARAM_BOOL);
-$selected     = optional_param('selected', array(), PARAM_INT);
+$selected     = optional_param_array('selected', array(), PARAM_INT);
 
 // Print the header and check access.
 admin_externalpage_setup('reportdbtest');

group/index.php

@@ -19,7 +19,7 @@
 if ($groupid) {
     $groupids = array($groupid);
 } else {
-    $groupids = optional_param('groups', array(), PARAM_INT);
+    $groupids = optional_param_array('groups', array(), PARAM_INT);
 }
 $singlegroup = (count($groupids) == 1);
 

lib/filelib.php

@@ -588,18 +588,27 @@ function file_get_drafarea_files($draftitemid, $filepath = '/') {
  * @return integer the itemid, or 0 if there is not one yet.
  */
 function file_get_submitted_draft_itemid($elname) {
-    $param = optional_param($elname, 0, PARAM_INT);
-    if ($param) {
-        require_sesskey();
+    // this is a nasty hack, ideally all new elements should use arrays here or there should be a new parameter
+    if (!isset($_REQUEST[$elname])) {
+        return 0;
     }
-    if (is_array($param)) {
+    if (is_array($_REQUEST[$elname])) {
+        $param = optional_param_array($elname, 0, PARAM_INT);
         if (!empty($param['itemid'])) {
             $param = $param['itemid'];
         } else {
             debugging('Missing itemid, maybe caused by unset maxfiles option', DEBUG_DEVELOPER);
             return false;
         }
+
+    } else {
+        $param = optional_param($elname, 0, PARAM_INT);
     }
+
+    if ($param) {
+        require_sesskey();
+    }
+
     return $param;
 }
 

lib/formslib.php

@@ -1384,9 +1384,14 @@ function updateSubmission($submission, $files) {
         } else {
             foreach ($submission as $key=>$s) {
                 if (array_key_exists($key, $this->_types)) {
-                    $submission[$key] = clean_param($s, $this->_types[$key]);
+                    $type = $this->_types[$key];
                 } else {
-                    $submission[$key] = clean_param($s, PARAM_RAW);
+                    $type = PARAM_RAW;
+                }
+                if (is_array($s)) {
+                    $submission[$key] = clean_param_array($s, $type, true);
+                } else {
+                    $submission[$key] = clean_param($s, $type);
                 }
             }
             $this->_submitValues = $submission;

mod/choice/report.php

@@ -7,7 +7,7 @@
     $format     = optional_param('format', CHOICE_PUBLISH_NAMES, PARAM_INT);
     $download   = optional_param('download', '', PARAM_ALPHA);
     $action     = optional_param('action', '', PARAM_ALPHA);
-    $attemptids = optional_param('attemptid', array(), PARAM_INT); //get array of responses to delete.
+    $attemptids = optional_param_array('attemptid', array(), PARAM_INT); //get array of responses to delete.
 
     $url = new moodle_url('/mod/choice/report.php', array('id'=>$id));
     if ($format !== CHOICE_PUBLISH_NAMES) {
@@ -219,7 +219,7 @@
     $results = prepare_choice_show_results($choice, $course, $cm, $users);
     $renderer = $PAGE->get_renderer('mod_choice');
     echo $renderer->display_result($results, has_capability('mod/choice:readresponses', $context));
-    
+
    //now give links for downloading spreadsheets.
     if (!empty($users) && has_capability('mod/choice:downloadresponses',$context)) {
         $downloadoptions = array();

mod/choice/view.php

@@ -6,7 +6,7 @@
 
     $id         = required_param('id', PARAM_INT);                 // Course Module ID
     $action     = optional_param('action', '', PARAM_ALPHA);
-    $attemptids = optional_param('attemptid', array(), PARAM_INT); // array of attempt ids for delete action
+    $attemptids = optional_param_array('attemptid', array(), PARAM_INT); // array of attempt ids for delete action
 
     $url = new moodle_url('/mod/choice/view.php', array('id'=>$id));
     if ($action !== '') {

mod/data/field/checkbox/field.class.php

@@ -96,7 +96,7 @@ function display_search_field($value='') {
     }
 
     function parse_search_field() {
-        $selected    = optional_param('f_'.$this->field->id, array(), PARAM_NOTAGS);
+        $selected    = optional_param_array('f_'.$this->field->id, array(), PARAM_NOTAGS);
         $allrequired = optional_param('f_'.$this->field->id.'_allreq', 0, PARAM_BOOL);
         if (empty($selected)) {
             // no searching

mod/data/field/multimenu/field.class.php

@@ -122,7 +122,7 @@ function display_search_field($value = '') {
     }
 
     function parse_search_field() {
-        $selected    = optional_param('f_'.$this->field->id, array(), PARAM_NOTAGS);
+        $selected    = optional_param_array('f_'.$this->field->id, array(), PARAM_NOTAGS);
         $allrequired = optional_param('f_'.$this->field->id.'_allreq', 0, PARAM_BOOL);
         if (empty($selected)) {
             // no searching

mod/quiz/report/grading/report.php

@@ -439,7 +439,7 @@ protected function validate_submitted_marks() {
         if (!$qubaids) {
             return false;
         }
-        $qubaids = clean_param(explode(',', $qubaids), PARAM_INT);
+        $qubaids = clean_param_array(explode(',', $qubaids), PARAM_INT);
 
         $slots = optional_param('slots', '', PARAM_SEQUENCE);
         if (!$slots) {
@@ -471,7 +471,7 @@ protected function process_submitted_data() {
             return;
         }
 
-        $qubaids = clean_param(explode(',', $qubaids), PARAM_INT);
+        $qubaids = clean_param_array(explode(',', $qubaids), PARAM_INT);
         $attempts = $this->load_attempts_by_usage_ids($qubaids);
 
         $transaction = $DB->start_delegated_transaction();

mod/quiz/report/overview/report.php

@@ -133,14 +133,14 @@ public function display($quiz, $cm, $course) {
         // Process actions.
         if (empty($currentgroup) || $groupstudents) {
             if (optional_param('delete', 0, PARAM_BOOL) && confirm_sesskey()) {
-                if ($attemptids = optional_param('attemptid', array(), PARAM_INT)) {
+                if ($attemptids = optional_param_array('attemptid', array(), PARAM_INT)) {
                     require_capability('mod/quiz:deleteattempts', $this->context);
                     $this->delete_selected_attempts($quiz, $cm, $attemptids, $allowed);
                     redirect($reporturl->out(false, $displayoptions));
                 }
 
             } else if (optional_param('regrade', 0, PARAM_BOOL) && confirm_sesskey()) {
-                if ($attemptids = optional_param('attemptid', array(), PARAM_INT)) {
+                if ($attemptids = optional_param_array('attemptid', array(), PARAM_INT)) {
                     require_capability('mod/quiz:regrade', $this->context);
                     $this->regrade_attempts($quiz, false, $groupstudents, $attemptids);
                     redirect($reporturl->out(false, $displayoptions));

mod/quiz/report/responses/report.php

@@ -124,7 +124,7 @@ public function display($quiz, $cm, $course) {
             $allowed = array();
         }
 
-        if ($attemptids = optional_param('attemptid', array(), PARAM_INT) && confirm_sesskey()) {
+        if ($attemptids = optional_param_array('attemptid', array(), PARAM_INT) && confirm_sesskey()) {
             require_capability('mod/quiz:deleteattempts', $this->context);
             $this->delete_selected_attempts($quiz, $cm, $attemptids, $allowed);
             redirect($reporturl->out(false, $displayoptions));

mod/scorm/report/basic/report.php

@@ -35,7 +35,7 @@ function display($scorm, $cm, $course, $download) {
         global $CFG, $DB, $OUTPUT, $PAGE;
         $contextmodule= get_context_instance(CONTEXT_MODULE, $cm->id);
         $action = optional_param('action', '', PARAM_ALPHA);
-        $attemptids = optional_param('attemptid', array(), PARAM_RAW);
+        $attemptids = optional_param_array('attemptid', array(), PARAM_RAW);
 
         if ($action == 'delete' && has_capability('mod/scorm:deleteresponses', $contextmodule) && confirm_sesskey()) {
             if (scorm_delete_responses($attemptids, $scorm)) { //delete responses.

repository/lib.php

@@ -1501,7 +1501,7 @@ public function get_option($config = '') {
 
     public function filter(&$value) {
         $pass = false;
-        $accepted_types = optional_param('accepted_types', '', PARAM_RAW);
+        $accepted_types = optional_param_array('accepted_types', '', PARAM_RAW);
         $ft = new filetype_parser;
         //$ext = $ft->get_extensions($this->supported_filetypes());
         if (isset($value['children'])) {

repository/repository_ajax.php

@@ -46,7 +46,7 @@
 $page      = optional_param('page', '', PARAM_RAW);             // Page
 $maxbytes  = optional_param('maxbytes', 0, PARAM_INT);          // Maxbytes
 $req_path  = optional_param('p', '', PARAM_RAW);                // Path
-$accepted_types  = optional_param('accepted_types', '*', PARAM_RAW);
+$accepted_types  = optional_param_array('accepted_types', '*', PARAM_RAW);
 $saveas_filename = optional_param('title', '', PARAM_FILE);     // save as file name
 $saveas_path   = optional_param('savepath', '/', PARAM_PATH);   // save as file path
 $search_text   = optional_param('s', '', PARAM_CLEANHTML);

repository/upload/lib.php

@@ -44,7 +44,7 @@ public function print_login() {
     public function upload($saveas_filename, $maxbytes) {
         global $USER, $CFG;
 
-        $types = optional_param('accepted_types', '*', PARAM_RAW);
+        $types = optional_param_array('accepted_types', '*', PARAM_RAW);
         if ((is_array($types) and in_array('*', $types)) or $types == '*') {
             $this->mimetypes = '*';
         } else {

tag/manage.php

@@ -29,9 +29,9 @@
 define('SHOW_ALL_PAGE_SIZE', 50000);
 define('DEFAULT_PAGE_SIZE', 30);
 
-$tagschecked = optional_param('tagschecked', array(), PARAM_INT);
-$newnames    = optional_param('newname', array(), PARAM_TAG);
-$tagtypes    = optional_param('tagtypes', array(), PARAM_ALPHA);
+$tagschecked = optional_param_array('tagschecked', array(), PARAM_INT);
+$newnames    = optional_param_array('newname', array(), PARAM_TAG);
+$tagtypes    = optional_param_array('tagtypes', array(), PARAM_ALPHA);
 $action      = optional_param('action', '', PARAM_ALPHA);
 $perpage     = optional_param('perpage', DEFAULT_PAGE_SIZE, PARAM_INT);
 

user/addnote.php

@@ -27,9 +27,9 @@
 require_once($CFG->dirroot .'/notes/lib.php');
 
 $id    = required_param('id', PARAM_INT);              // course id
-$users = optional_param('userid', array(), PARAM_INT); // array of user id
-$contents = optional_param('contents', array(), PARAM_RAW); // array of user notes
-$states = optional_param('states', array(), PARAM_ALPHA); // array of notes states
+$users = optional_param_array('userid', array(), PARAM_INT); // array of user id
+$contents = optional_param_array('contents', array(), PARAM_RAW); // array of user notes
+$states = optional_param_array('states', array(), PARAM_ALPHA); // array of notes states
 
 $PAGE->set_url('/user/addnote.php', array('id'=>$id));
 

user/groupaddnote.php

@@ -27,7 +27,7 @@
 require_once($CFG->dirroot .'/notes/lib.php');
 
 $id    = required_param('id', PARAM_INT);              // course id
-$users = optional_param('userid', array(), PARAM_INT); // array of user id
+$users = optional_param_array('userid', array(), PARAM_INT); // array of user id
 $content = optional_param('content', '', PARAM_RAW); // note content
 $state = optional_param('state', '', PARAM_ALPHA); // note publish state
 

user/selector/lib.php

@@ -353,7 +353,7 @@ protected function is_validating() {
      */
     protected function load_selected_users() {
         // See if we got anything.
-        $userids = optional_param($this->name, array(), PARAM_INTEGER);
+        $userids = optional_param_array($this->name, array(), PARAM_INTEGER);
         if (empty($userids)) {
             return array();
         }