\n";
@@ -184,21 +184,21 @@ function admin_user() {
case 'save' :
$SQL = "UPDATE `User` SET ";
- $SQL .= " `Nick` = '" . $_POST["eNick"] . "', `Name` = '" . $_POST["eName"] . "', " .
- "`Vorname` = '" . $_POST["eVorname"] . "', " .
- "`Telefon` = '" . $_POST["eTelefon"] . "', " .
- "`Handy` = '" . $_POST["eHandy"] . "', " .
- "`Alter` = '" . $_POST["eAlter"] . "', " .
- "`DECT` = '" . $_POST["eDECT"] . "', " .
- "`email` = '" . $_POST["eemail"] . "', " .
- "`ICQ` = '" . $_POST["eICQ"] . "', " .
- "`jabber` = '" . $_POST["ejabber"] . "', " .
- "`Size` = '" . $_POST["eSize"] . "', " .
- "`Gekommen`= '" . $_POST["eGekommen"] . "', " .
- "`Aktiv`= '" . $_POST["eAktiv"] . "', " .
- "`Tshirt` = '" . $_POST["eTshirt"] . "', " .
- "`Hometown` = '" . $_POST["Hometown"] . "' " .
- "WHERE `UID` = '" . $id .
+ $SQL .= " `Nick` = '" . sql_escape($_POST["eNick"]) . "', `Name` = '" . sql_escape($_POST["eName"]) . "', " .
+ "`Vorname` = '" . sql_escape($_POST["eVorname"]) . "', " .
+ "`Telefon` = '" . sql_escape($_POST["eTelefon"]) . "', " .
+ "`Handy` = '" . sql_escape($_POST["eHandy"]) . "', " .
+ "`Alter` = '" . sql_escape($_POST["eAlter"]) . "', " .
+ "`DECT` = '" . sql_escape($_POST["eDECT"]) . "', " .
+ "`email` = '" . sql_escape($_POST["eemail"]) . "', " .
+ "`ICQ` = '" . sql_escape($_POST["eICQ"]) . "', " .
+ "`jabber` = '" . sql_escape($_POST["ejabber"]) . "', " .
+ "`Size` = '" . sql_escape($_POST["eSize"]) . "', " .
+ "`Gekommen`= '" . sql_escape($_POST["eGekommen"]) . "', " .
+ "`Aktiv`= '" . sql_escape($_POST["eAktiv"]) . "', " .
+ "`Tshirt` = '" . sql_escape($_POST["eTshirt"]) . "', " .
+ "`Hometown` = '" .sql_escape( $_POST["Hometown"]) . "' " .
+ "WHERE `UID` = '" . sql_escape($id) .
"' LIMIT 1;";
sql_query($SQL);
$html .= success("Änderung wurde gespeichert...\n");
@@ -229,23 +229,23 @@ function admin_user() {
$html .= "Anzahl Engel: $Zeilen
\n";
$html .= '
-
-
-
- Nick
- |
- Vorname Name |
- Alter |
-
- E-Mail
- |
- Größe |
- Gekommen |
- Aktiv |
- T-Shirt |
- Registriert |
- Änd. |
- ';
+
+
+
+ Nick
+ |
+ Vorname Name |
+ Alter |
+
+ E-Mail
+ |
+ Größe |
+ Gekommen |
+ Aktiv |
+ T-Shirt |
+ Registriert |
+ Änd. |
+ ';
$Gekommen = 0;
$Active = 0;
$Tshirt = 0;
diff --git a/includes/pages/guest_login.php b/includes/pages/guest_login.php
index db20a207..ecfcde20 100644
--- a/includes/pages/guest_login.php
+++ b/includes/pages/guest_login.php
@@ -3,6 +3,8 @@
// Engel registrieren
function guest_register() {
+ global $SubscribeMailinglist;
+
$html = "";
$success = "none";
@@ -75,15 +77,11 @@ function guest_register() {
} else {
$html .= "" . Get_Text("makeuser_writeOK") . "\n";
- $Erg3 = mysql_query("INSERT INTO `UserGroups` SET `uid`=" . sql_escape(sql_id()) . ", `group_id`=-2");
+ // Assign user-group
+ sql_query("INSERT INTO `UserGroups` SET `uid`=" . sql_escape(sql_id()) . ", `group_id`=-2");
- if ($Erg3 != 1) {
- $html .= " " . Get_Text("makeuser_error_write2") . " \n";
- $error = sql_error();
- } else {
- $html .= Get_Text("makeuser_writeOK2") . " \n";
- $html .= "" . Get_Text("makeuser_writeOK3") . "\n";
- }
+ $html .= Get_Text("makeuser_writeOK2") . " \n";
+ $html .= "" . Get_Text("makeuser_writeOK3") . "\n";
$html .= Get_Text("makeuser_writeOK4") . "\n
\n";
$success = "any";
diff --git a/includes/pages/user_messages.php b/includes/pages/user_messages.php
index a13b28f0..29b41cae 100644
--- a/includes/pages/user_messages.php
+++ b/includes/pages/user_messages.php
@@ -6,13 +6,7 @@ function user_unread_messages() {
$new_messages = sql_num_query("SELECT * FROM `Messages` WHERE isRead='N' AND `RUID`=" . sql_escape($user['UID']));
if ($new_messages > 0)
- return sprintf(
- '%s %s %s ',
- page_link_to("user_messages"),
- Get_Text("pub_messages_new1"),
- $new_messages,
- Get_Text("pub_messages_new2")
- );
+ return sprintf('%s %s %s ', page_link_to("user_messages"), Get_Text("pub_messages_new1"), $new_messages, Get_Text("pub_messages_new2"));
}
return "";
@@ -22,8 +16,7 @@ function user_messages() {
global $user;
if (!isset ($_REQUEST['action'])) {
- $users = sql_select("SELECT * FROM `User` WHERE NOT `UID`="
- . sql_escape($user['UID']) . " ORDER BY `Nick`");
+ $users = sql_select("SELECT * FROM `User` WHERE NOT `UID`=" . sql_escape($user['UID']) . " ORDER BY `Nick`");
$to_select_data = array (
"" => "Select receiver..."
@@ -35,23 +28,11 @@ function user_messages() {
$to_select = html_select_key('to', $to_select_data, '');
$messages_html = "";
- $messages = sql_select("SELECT * FROM `Messages` WHERE `SUID`="
- . sql_escape($user['UID'])
- . " OR `RUID`=" . sql_escape($user['UID'])
- . " ORDER BY `isRead`,`Datum` DESC"
- );
+ $messages = sql_select("SELECT * FROM `Messages` WHERE `SUID`=" . sql_escape($user['UID']) . " OR `RUID`=" . sql_escape($user['UID']) . " ORDER BY `isRead`,`Datum` DESC");
foreach ($messages as $message) {
- $messages_html .= sprintf(
- ' %s | %s | %s | %s | '
- .'%s | ',
- ($message['isRead'] == 'N' ? ' class="new_message"' : ''),
- ($message['isRead'] == 'N' ? '•' : ''),
- date("Y-m-d H:i", $message['Datum']),
- UID2Nick($message['SUID']),
- UID2Nick($message['RUID']),
- str_replace("\n", ' ', $message['Text'])
- );
+ $messages_html .= sprintf(' %s | %s | %s | %s | ' .
+ '%s | ', ($message['isRead'] == 'N' ? ' class="new_message"' : ''), ($message['isRead'] == 'N' ? '•' : ''), date("Y-m-d H:i", $message['Datum']), UID2Nick($message['SUID']), UID2Nick($message['RUID']), str_replace("\n", ' ', $message['Text']));
$messages_html .= '';
if ($message['RUID'] == $user['UID']) {
@@ -65,8 +46,7 @@ function user_messages() {
return template_render('../templates/user_messages.html', array (
'link' => page_link_to("user_messages"),
- 'greeting' => Get_Text("Hello") . $user['Nick'] . ", \n"
- . Get_Text("pub_messages_text1") . "
\n",
+ 'greeting' => Get_Text("Hello") . $user['Nick'] . ", \n" . Get_Text("pub_messages_text1") . "
\n",
'messages' => $messages_html,
'new_label' => Get_Text("pub_messages_Neu"),
'date_label' => Get_Text("pub_messages_Datum"),
@@ -118,122 +98,10 @@ function user_messages() {
return error(Get_Text("pub_messages_Send_Error"));
}
break;
- }
- return "";
- }
-
- if (!isset ($_GET["action"]))
- $_GET["action"] = "start";
-
- switch ($_GET["action"]) {
- case "start" :
- echo Get_Text("Hello") . $_SESSION['Nick'] . ", \n";
- echo Get_Text("pub_messages_text1") . "
\n";
-
- //show exist Messages
- $SQL = "SELECT * FROM `Messages` WHERE `SUID`='" . $_SESSION["UID"] . "' OR `RUID`='" . $_SESSION["UID"] . "'";
- $erg = mysql_query($SQL, $con);
-
- echo "\n";
- echo "\n";
- echo "" . Get_Text("pub_messages_Datum") . " | \n";
- echo "" . Get_Text("pub_messages_Von") . " | \n";
- echo "" . Get_Text("pub_messages_An") . " | \n";
- echo "" . Get_Text("pub_messages_Text") . " | \n";
- echo " | \n";
- echo " \n";
-
- for ($i = 0; $i < mysql_num_rows($erg); $i++) {
- echo "\n";
- echo "" . mysql_result($erg, $i, "Datum") . " | \n";
- echo "" . UID2Nick(mysql_result($erg, $i, "SUID")) . " | \n";
- echo "" . UID2Nick(mysql_result($erg, $i, "RUID")) . " | \n";
- echo "" . mysql_result($erg, $i, "Text") . " | \n";
- echo "";
-
- if (mysql_result($erg, $i, "RUID") == $_SESSION["UID"]) {
- echo "" . Get_Text("pub_messages_DelMsg") . "";
-
- if (mysql_result($erg, $i, "isRead") == "N")
- echo "" . Get_Text("pub_messages_MarkRead") . "";
- } else {
- if (mysql_result($erg, $i, "isRead") == "N")
- echo Get_Text("pub_messages_NotRead");
- }
-
- echo " | \n";
- echo " \n";
- }
-
- // send Messeges
- echo "";
-
- echo " \n";
- break;
-
- case "SendMsg" :
- echo Get_Text("pub_messages_Send1") . "... \n";
-
- $SQL = "INSERT INTO `Messages` ( `Datum` , `SUID` , `RUID` , `Text` ) VALUES (" .
- "'" . gmdate("Y-m-j H:i:s", time()) . "', " .
- "'" . $_SESSION["UID"] . "', " .
- "'" . $_POST["RUID"] . "', " .
- "'" . $_POST["Text"] . "');";
-
- $Erg = mysql_query($SQL, $con);
-
- if ($Erg == 1)
- echo Get_Text("pub_messages_Send_OK") . "\n";
- else
- echo Get_Text("pub_messages_Send_Error") . "...\n(" . mysql_error($con) . ")";
- break;
-
- case "MarkRead" :
- $SQL = "UPDATE `Messages` SET `isRead` = 'Y' " .
- "WHERE `Datum` = '" . $_GET["Datum"] . "' AND `RUID`='" . $_SESSION["UID"] . "' " .
- "LIMIT 1 ;";
- $Erg = mysql_query($SQL, $con);
-
- if ($Erg == 1)
- echo Get_Text("pub_messages_MarkRead_OK") . "\n";
- else
- echo Get_Text("pub_messages_MarkRead_KO") . "...\n(" . mysql_error($con) . ")";
- break;
-
- case "DelMsg" :
- $SQL = "DELETE FROM `Messages` " .
- "WHERE `Datum` = '" . $_GET["Datum"] . "' AND `RUID` ='" . $_SESSION["UID"] . "' " .
- "LIMIT 1;";
- $Erg = mysql_query($SQL, $con);
-
- if ($Erg == 1)
- echo Get_Text("pub_messages_DelMsg_OK") . "\n";
- else
- echo Get_Text("pub_messages_DelMsg_KO") . "...\n(" . mysql_error($con) . ")";
- break;
-
- default :
- echo Get_Text("pub_messages_NoCommand");
+ default :
+ return error("Wrong action.");
+ }
}
}
?>
diff --git a/includes/pages/user_news.php b/includes/pages/user_news.php
index 818c2da2..48b3764c 100644
--- a/includes/pages/user_news.php
+++ b/includes/pages/user_news.php
@@ -9,7 +9,7 @@ function user_meetings() {
else
$page = 0;
- $news = sql_select("SELECT * FROM `News` WHERE `Treffen`=1 ORDER BY `ID` DESC LIMIT " . ($page * $DISPLAY_NEWS) . ", " . $DISPLAY_NEWS);
+ $news = sql_select("SELECT * FROM `News` WHERE `Treffen`=1 ORDER BY `ID` DESC LIMIT " . sql_escape($page * $DISPLAY_NEWS) . ", " . sql_escape($DISPLAY_NEWS));
foreach ($news as $entry)
$html .= display_news($entry);
@@ -54,7 +54,7 @@ function user_news_comments() {
$html = "";
if (isset ($_REQUEST["nid"]) && preg_match("/^[0-9]{1,}$/", $_REQUEST['nid']) && sql_num_query("SELECT * FROM `News` WHERE `ID`=" . sql_escape($_REQUEST['nid']) . " LIMIT 1") > 0) {
$nid = $_REQUEST["nid"];
- list ($news) = sql_select("SELECT * FROM `News` WHERE `ID`=" . sql_escape($_REQUEST['nid']) . " LIMIT 1");
+ list ($news) = sql_select("SELECT * FROM `News` WHERE `ID`=" . sql_escape($nid) . " LIMIT 1");
if (isset ($_REQUEST["text"])) {
$text = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['text']));
sql_query("INSERT INTO `news_comments` (`Refid`, `Datum`, `Text`, `UID`) VALUES ('" . sql_escape($nid) . "', '" . date("Y-m-d H:i:s") . "', '" . sql_escape($text) . "', '" . sql_escape($user["UID"]) . "')");
@@ -66,7 +66,7 @@ function user_news_comments() {
$html .= 'Kommentare';
- $comments = sql_select("SELECT * FROM `news_comments` WHERE `Refid`='" . $nid . "' ORDER BY 'ID'");
+ $comments = sql_select("SELECT * FROM `news_comments` WHERE `Refid`='" . sql_escape($nid) . "' ORDER BY 'ID'");
foreach ($comments as $comment) {
$html .= ' | |