sql injektion gemeldet by sven

git-svn-id: svn://svn.cccv.de/engel-system@204 29ba0400-6e00-0410-a75a-ca02368028f8
cookie 18 years ago
parent 4736d1eb9e
commit 3f8cf2ca9b

@ -40,7 +40,7 @@ echo "<form action=\"".$_SERVER['SCRIPT_NAME']."\" method=\"GET\" >\n";
<?PHP <?PHP
$sql = "SELECT `SID`, `DateS`, `RID`, `Len` FROM `Shifts` ". $sql = "SELECT `SID`, `DateS`, `RID`, `Len` FROM `Shifts` ".
"ORDER BY RID, DateS "; "ORDER BY `RID`, `DateS` ";
$Erg = mysql_query($sql, $con); $Erg = mysql_query($sql, $con);
$rowcount = mysql_num_rows($Erg); $rowcount = mysql_num_rows($Erg);
for( $i = 0; $i < $rowcount; $i++) for( $i = 0; $i < $rowcount; $i++)
@ -300,7 +300,7 @@ case 'changesave':
"`Len`='". $_GET["eDauer"]. "', ". "`Len`='". $_GET["eDauer"]. "', ".
"`Man`='". $_GET["eName"]. "', ". "`Man`='". $_GET["eName"]. "', ".
"`URL`='". $_GET["eURL"]. "' ". "`URL`='". $_GET["eURL"]. "' ".
"WHERE `SID`=". $_GET["SID"]; "WHERE `SID`='". $_GET["SID"]. "'";
SetHeaderGo2Back(); SetHeaderGo2Back();
break; break;
@ -315,10 +315,10 @@ case 'deleteShifs':
if( strpos( " ".$k, "SID") == 1) if( strpos( " ".$k, "SID") == 1)
{ {
echo "Shifts $v wird gelöscht..."; echo "Shifts $v wird gelöscht...";
executeSQL( "DELETE FROM `Shifts` WHERE `SID`=$v LIMIT 1"); executeSQL( "DELETE FROM `Shifts` WHERE `SID`='$v' LIMIT 1");
echo "<br>\n"; echo "<br>\n";
echo "ShiftEntry $v wird gelöscht..."; echo "ShiftEntry $v wird gelöscht...";
executeSQL( "DELETE FROM `ShiftEntry` WHERE `SID`= $v"); executeSQL( "DELETE FROM `ShiftEntry` WHERE `SID`='$v'");
echo "<br><br>\n"; echo "<br><br>\n";
} }
break; break;
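Review bot: Wrapping `$v` in single quotes in the two DELETE statements does not remove the injection — the value is still concatenated into the query unescaped, so a `$v` of `1' OR '1'='1` yields `` WHERE `SID`='1' OR '1'='1' `` and the second statement, which has no `LIMIT`, deletes every row of `ShiftEntry`. Since `SID` was compared numerically on the old side, coerce it instead: `$sid = (int) $v;` then `` executeSQL("DELETE FROM `Shifts` WHERE `SID`=$sid LIMIT 1"); `` and `` executeSQL("DELETE FROM `ShiftEntry` WHERE `SID`=$sid"); ``. The same quote-only change is made in the other hunks of this commit (`changesave`, the `RID`/`PSID` lookups) and has the same gap there; free-text fields such as `eName` and `eURL` need `mysql_real_escape_string()` before concatenation rather than quotes. Where `$k`/`$v` come from is outside this hunk — presumably a loop over `$_GET`, given the `SID` key check — and the `case` block continues past both hunk edges. Destructive actions driven by GET parameters are also triggerable from a crafted link; that is beyond this commit's scope but worth a follow-up.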

@ -30,7 +30,7 @@ function SaveSchedule()
(substr($_GET["DateXML"], 8, 2)+1). " "; (substr($_GET["DateXML"], 8, 2)+1). " ";
} }
else else
$DateEnd = substr($_GET["DateXML"], 0, 11); $dAteEnd = substr($_GET["DateXML"], 0, 11);
$DateEnd .= "$TimeH:$TimeM:00"; $DateEnd .= "$TimeH:$TimeM:00";
//Namen ermitteln //Namen ermitteln
@ -73,7 +73,7 @@ function SaveSchedule()
// erstellt ein Array der Reume // erstellt ein Array der Reume
$sql2 = "SELECT * FROM `Room` ". $sql2 = "SELECT * FROM `Room` ".
"WHERE `RID` = ".$_GET["RIDXML"]. " ". "WHERE `RID`='".$_GET["RIDXML"]. "' ".
"ORDER BY `Number`, `Name`;"; "ORDER BY `Number`, `Name`;";
$Erg2 = mysql_query( $sql2, $con); $Erg2 = mysql_query( $sql2, $con);
for( $j=0; $j<mysql_num_fields( $Erg2); $j++) for( $j=0; $j<mysql_num_fields( $Erg2); $j++)
@ -155,7 +155,7 @@ foreach($XMLmain->sub as $EventKey => $Event)
SaveSchedule(); SaveSchedule();
} }
$SQL = "SELECT * FROM `Shifts` WHERE PSID='$PSIDXML'"; $SQL = "SELECT * FROM `Shifts` WHERE `PSID`='$PSIDXML'";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
if(mysql_num_rows($Erg)>0) if(mysql_num_rows($Erg)>0)
{ {
@ -210,7 +210,7 @@ echo "<tr><td colspan=\"6\">status: $DS_KO/$DS_OK nicht Aktuel.</td></tr>\n";
//Anzeige von nicht im XML File vorkommende entraege //Anzeige von nicht im XML File vorkommende entraege
if( $Where =="") if( $Where =="")
$SQL2 = "SELECT * FROM `Shifts` WHERE NOT PSID = '';"; $SQL2 = "SELECT * FROM `Shifts` WHERE NOT `PSID`='';";
else else
$SQL2 = "SELECT * FROM `Shifts` WHERE NOT (".substr( $Where, 4). ") AND NOT PSID = '';"; $SQL2 = "SELECT * FROM `Shifts` WHERE NOT (".substr( $Where, 4). ") AND NOT PSID = '';";
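Review bot: The `else` branch in `SaveSchedule` now assigns `$dAteEnd` while the following line appends to `$DateEnd`, so whenever that branch runs `$DateEnd` is built from an undefined variable and the date prefix is lost (PHP variable names are case-sensitive; this assumes the right-hand column is the new side, as it is in every other hunk of this commit). It looks like an accidental keystroke unrelated to the injection fix; restore `$DateEnd = substr($_GET["DateXML"], 0, 11);` in the `else` branch. `SaveSchedule` starts before this hunk and continues past it, so the assignment in the first branch is not visible here.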
