Improved alterstandardtime in view of security

Author: tobiasreischmann

alterstandardtime.php

@@ -18,24 +18,13 @@
 
 require_login();
 require_sesskey();
-if (!is_siteadmin()) {
-    header('HTTP/1.0 403 Forbidden');
-    echo '403 Forbidden';
-    return;
-}
-$starttime = optional_param('starttime', 'NULL', PARAM_INT);
-$endtime = optional_param('endtime', 'NULL', PARAM_INT);
-$cat = required_param('category', PARAM_INT);
+require_capability('moodle/site:config', context_system::instance());
 
-if (!preg_match('/^[[0-9]*|NULL]$/', strval($starttime))) {
-    exit("securtity violation1");
-}
-if (!preg_match('/^[[0-9]*|NULL]$/', strval($endtime))) {
-    exit("security violaion2");
-}
+$starttime = optional_param('starttime', null, PARAM_INT);
+$endtime = optional_param('endtime', null, PARAM_INT);
+$cat = required_param('category', PARAM_INT);
 
-// Not safe against SQL-injection. But site admin has access to Database anyway, right?
 global $DB;
-$sql = "UPDATE {block_evasys_sync_categories} SET standard_time_start = $starttime, standard_time_end = $endtime " .
-    "WHERE id = ?";
-$DB->execute($sql, array($cat));
+$sql = 'UPDATE {block_evasys_sync_categories} SET standard_time_start = ?, standard_time_end = ? ' .
+    'WHERE id = ?';
+$DB->execute($sql, array($starttime, $endtime, $cat));