MDL-21769 fixed input validation
[moodle.git] / mod / data / field / textarea / field.class.php
1 <?php
2 ///////////////////////////////////////////////////////////////////////////
3 //                                                                       //
4 // NOTICE OF COPYRIGHT                                                   //
5 //                                                                       //
6 // Moodle - Modular Object-Oriented Dynamic Learning Environment         //
7 //          http://moodle.org                                            //
8 //                                                                       //
9 // Copyright (C) 1999-onwards Moodle Pty Ltd  http://moodle.com          //
10 //                                                                       //
11 // This program is free software; you can redistribute it and/or modify  //
12 // it under the terms of the GNU General Public License as published by  //
13 // the Free Software Foundation; either version 2 of the License, or     //
14 // (at your option) any later version.                                   //
//                                                                       //
15 // This program is distributed in the hope that it will be useful,       //
16 // but WITHOUT ANY WARRANTY; without even the implied warranty of        //
17 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         //
18 // GNU General Public License for more details:                          //
19 //                                                                       //
20 //          http://www.gnu.org/copyleft/gpl.html                         //
21 //                                                                       //
22 ///////////////////////////////////////////////////////////////////////////
24 require_once($CFG->dirroot.'/lib/filelib.php');
25 require_once($CFG->dirroot.'/repository/lib.php');
27 class data_field_textarea extends data_field_base {
    /** @var string field type name; matches the field/textarea plugin directory */
    var $type = 'textarea';
31     function display_add_field($recordid=0) {
32         global $CFG, $DB, $OUTPUT, $PAGE;
34         $text   = '';
35         $format = 0;
37         $str = '<div title="'.$this->field->description.'">';
39         editors_head_setup();
41         $options = array();
42         $options['trusttext'] = false;
43         $options['forcehttps'] = false;
44         $options['subdirs'] = false;
45         $options['maxfiles'] = 0;
46         $options['maxbytes'] = 0;
47         $options['changeformat'] = 0;
48         $options['noclean'] = false;
50         $itemid = $this->field->id;
51         $field = 'field_'.$itemid;
53         if ($recordid && $content = $DB->get_record('data_content', array('fieldid'=>$this->field->id, 'recordid'=>$recordid))){
54             $text   = $content->content;
55             $format = $content->content1;
56             $text = clean_text($text, $format);
57         } else if (can_use_html_editor()) {
58             $format = FORMAT_HTML;
59         } else {
60             $format = FORMAT_PLAIN;
61         }
63         $editor = get_preferred_texteditor($format);
64         $strformats = format_text_menu();
65         $formats =  $editor->get_supported_formats();
66         foreach ($formats as $fid) {
67             $formats[$fid] = $strformats[$fid];
68         }
69         $editor->use_editor($field, $options);
70         $str .= '<div><textarea id="'.$field.'" name="'.$field.'" rows="15" cols="80">'.s($text).'</textarea></div>';
71         $str .= '<div><select name="'.$field.'_content1">';
72         foreach ($formats as $key=>$desc) {
73             $selected = ($format == $key) ? 'selected="selected"' : '';
74             $str .= '<option value="'.s($key).'" '.$selected.'>'.$desc.'</option>';
75         }
76         $str .= '</select>';
77         $str .= $OUTPUT->help_icon('textformat', get_string('helpformatting'), 'moodle');
78         $str .= '</div>';
80         $str .= '</div>';
81         return $str;
82     }
85     function display_search_field($value = '') {
86         return '<input type="text" size="16" name="f_'.$this->field->id.'" value="'.$value.'" />';
87     }
89     function parse_search_field() {
90         return optional_param('f_'.$this->field->id, '', PARAM_NOTAGS);
91     }
93     function generate_sql($tablealias, $value) {
94         global $DB;
96         $ILIKE = $DB->sql_ilike();
98         static $i=0;
99         $i++;
100         $name = "df_picture_$i";
101         return array(" ({$tablealias}.fieldid = {$this->field->id} AND {$tablealias}.content $ILIKE :$name) ", array($name=>"%$value%"));
102     }
    /**
     * Hook called after the add/edit form is printed; the textarea field has
     * nothing to output here.
     */
    function print_after_form() {
    }
108     function update_content($recordid, $value, $name='') {
109         global $DB;
111         $content = new object;
112         $content->fieldid = $this->field->id;
113         $content->recordid = $recordid;
115         $names = explode('_', $name);
116         if (!empty($names[2])) {
117             $content->$names[2] = clean_param($value, PARAM_NOTAGS);  // content[1-4]
118         } else {
119             $content->content = clean_param($value, PARAM_CLEAN);
120         }
122         if ($oldcontent = $DB->get_record('data_content', array('fieldid'=>$this->field->id, 'recordid'=>$recordid))) {
123             $content->id = $oldcontent->id;
124             return $DB->update_record('data_content', $content);
125         } else {
126             return $DB->insert_record('data_content', $content);
127         }
128     }