SQL injektion behoben

git-svn-id: svn://svn.cccv.de/engel-system@196 29ba0400-6e00-0410-a75a-ca02368028f8
cookie 18 years ago
parent 30ee094c86
commit 7512e8b5e7

@ -54,7 +54,7 @@ else
$_SESSION['IP'] = $_SERVER['REMOTE_ADDR']; $_SESSION['IP'] = $_SERVER['REMOTE_ADDR'];
// CVS import Data // CVS import Data
$SQL = "SELECT * FROM `UserCVS` WHERE UID=".$_SESSION['UID']; $SQL = "SELECT * FROM `UserCVS` WHERE UID='".$_SESSION['UID']."'";
$Erg_CVS = mysql_query($SQL, $con); $Erg_CVS = mysql_query($SQL, $con);
$_SESSION['CVS'] = mysql_fetch_array($Erg_CVS); $_SESSION['CVS'] = mysql_fetch_array($Erg_CVS);
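Review bot: Wrapping `$_SESSION['UID']` in single quotes on the new side of line 12 changes the quoting context but does not stop injection, because a value that itself contains a quote still closes the literal, and if `UID` is a numeric column the old unquoted comparison was at least type-consistent. Since the value is spliced into the statement text, escape or cast it before concatenation, e.g. `WHERE UID=" . (int) $_SESSION['UID']` when UID is an integer key (the schema is not visible in this hunk), otherwise `mysql_real_escape_string($_SESSION['UID'], $con)`. `SELECT *` also copies every column of `UserCVS` into the session; naming the columns actually used would keep the session payload bounded. The `else` branch named in the hunk header begins before this hunk.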

@ -17,7 +17,7 @@ switch( $_GET["action"])
//##################### //#####################
//show exist Messages //show exist Messages
//##################### //#####################
$SQL = "SELECT * FROM `Messages` WHERE `SUID`=". $_SESSION["UID"]. " OR `RUID`=". $_SESSION["UID"]; $SQL = "SELECT * FROM `Messages` WHERE `SUID`='". $_SESSION["UID"]. "' OR `RUID`='". $_SESSION["UID"]. "'";
$erg = mysql_query($SQL, $con); $erg = mysql_query($SQL, $con);
echo "<table border=\"0\" class=\"border\" cellpadding=\"2\" cellspacing=\"1\">\n"; echo "<table border=\"0\" class=\"border\" cellpadding=\"2\" cellspacing=\"1\">\n";
@ -100,7 +100,7 @@ switch( $_GET["action"])
case "MarkRead": case "MarkRead":
$SQL = "UPDATE `Messages` SET `isRead` = 'Y' ". $SQL = "UPDATE `Messages` SET `isRead` = 'Y' ".
"WHERE `Datum` = '". $_GET["Datum"]. "' AND `RUID`=". $_SESSION["UID"]. " ". "WHERE `Datum` = '". $_GET["Datum"]. "' AND `RUID`='". $_SESSION["UID"]. "' ".
"LIMIT 1 ;"; "LIMIT 1 ;";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
if ($Erg == 1) if ($Erg == 1)
@ -111,7 +111,7 @@ switch( $_GET["action"])
case "DelMsg": case "DelMsg":
$SQL = "DELETE FROM `Messages` ". $SQL = "DELETE FROM `Messages` ".
"WHERE `Datum` = '". $_GET["Datum"]. "' AND `RUID` = ". $_SESSION["UID"]. " ". "WHERE `Datum` = '". $_GET["Datum"]. "' AND `RUID` ='". $_SESSION["UID"]. "' ".
"LIMIT 1;"; "LIMIT 1;";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
if ($Erg == 1) if ($Erg == 1)
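Review bot: `$_GET["Datum"]` is still concatenated directly into the `UPDATE` (MarkRead) and `DELETE` (DelMsg) statements at lines 26 and 33, so request input reaches the query text unchanged and the added quoting of `RUID` does not remove the injection this commit sets out to fix; the quoting of `SUID`/`RUID` at line 20 has the same limitation, since a value containing a single quote closes the literal. Escape the request value before building the string, `$datum = mysql_real_escape_string($_GET["Datum"], $con);` and use `$datum` in the WHERE clause, and cast the session id, `$uid = (int) $_SESSION["UID"];`, if UID is an integer column (not visible here). The `mysql_*` extension has no parameter binding, so moving these statements to mysqli or PDO prepared statements is the durable fix. The `switch` on `$_GET["action"]` and each `case` body extend beyond the hunks.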
