From 09b0a7448930ec388f531437a9e9895e4fb81c8f Mon Sep 17 00:00:00 2001
From: Adam Zammit <adam.zammit@acspri.org.au>
Date: Tue, 24 Nov 2015 13:21:52 +1100
Subject: [PATCH] Fixed Bug: Web first case generation failing with some insert
 strings

---
 admin/assignsample.php           |  3 ++-
 functions/functions.operator.php | 19 ++++++++++---------
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/admin/assignsample.php b/admin/assignsample.php
index 36f35929..7d9eaa94 100644
--- a/admin/assignsample.php
+++ b/admin/assignsample.php
@@ -149,7 +149,8 @@ if (isset($_GET['questionnaire_id']) && isset($_GET['sample'])  && isset($_GET['
 
 		foreach($rs as $r)
 		{
-			add_case($r['sample_id'],$questionnaire_id,"NULL",$testing,41, true);
+		  set_time_limit(30);			
+		  add_case($r['sample_id'],$questionnaire_id,"NULL",$testing,41, true);
 		}
 
 		$db->CompleteTrans();
diff --git a/functions/functions.operator.php b/functions/functions.operator.php
index 40acf1de..7e8f5c64 100644
--- a/functions/functions.operator.php
+++ b/functions/functions.operator.php
@@ -448,28 +448,28 @@ function add_case($sample_id,$questionnaire_id,$operator_id = "NULL",$testing =
 	
 			if ($addlimeattributes)
 			{
-				$lfirstname = $db->GetOne("SELECT sv.val 
+				$lfirstname = $db->qstr($db->GetOne("SELECT sv.val 
 								FROM sample_var as sv, sample_import_var_restrict as s 
 								WHERE sv.var_id = s.var_id
 								AND sv.sample_id = '$sample_id'
-								AND s.type = '6'");
+								AND s.type = '6'"));
 
-				$llastname = $db->GetOne("SELECT sv.val 
+				$llastname = $db->qstr($db->GetOne("SELECT sv.val 
 								FROM sample_var as sv, sample_import_var_restrict as s 
 								WHERE sv.var_id = s.var_id
 								AND sv.sample_id = '$sample_id'
-								AND s.type = '7'");
+								AND s.type = '7'"));
 
-				$lemail = $db->GetOne("SELECT sv.val 
+				$lemail = $db->qstr($db->GetOne("SELECT sv.val 
 								FROM sample_var as sv, sample_import_var_restrict as s 
 								WHERE sv.var_id = s.var_id
 								AND sv.sample_id = '$sample_id'
-								AND s.type = '8'");
+								AND s.type = '8'"));
 
 			}
 	
 			$sql = "INSERT INTO ".LIME_PREFIX."tokens_$lime_sid (tid,firstname,lastname,email,token,language,sent,completed,mpid)
-			VALUES (NULL,'$lfirstname','$llastname','$lemail','$token','".DEFAULT_LOCALE."','N','N',NULL)";
+			VALUES (NULL,$lfirstname,$llastname,$lemail,'$token','".DEFAULT_LOCALE."','N','N',NULL)";
 
 			$db->Execute($sql);
 
@@ -485,7 +485,6 @@ function add_case($sample_id,$questionnaire_id,$operator_id = "NULL",$testing =
 					WHERE sid = '$lime_sid'";
 
 				$names = $db->GetOne($sql);
-
     				$attdescriptiondata=explode("\n",$names);
     				$atts=array();
 
@@ -503,8 +502,10 @@ function add_case($sample_id,$questionnaire_id,$operator_id = "NULL",$testing =
 								AND sv.sample_id = '$sample_id'
 								AND s.var LIKE '$val'");
 
+					$lval = $db->qstr($lval);
+		
 					$sql = "UPDATE " . LIME_PREFIX . "tokens_$lime_sid
-						SET $key = '$lval'
+						SET $key = $lval
 						WHERE tid = '$tid'";
 
 					$db->Execute($sql);