SQL injektion behoben

git-svn-id: svn://svn.cccv.de/engel-system@198 29ba0400-6e00-0410-a75a-ca02368028f8
main
cookie 18 years ago
parent 34b50a61f8
commit a52ee4a288

@ -47,7 +47,7 @@ function runSQL_log( $SQL, $commed)
$Sql = "SELECT * FROM `EngelType` ORDER BY NAME"; $Sql = "SELECT * FROM `EngelType` ORDER BY `NAME`";
$Erg = mysql_query($Sql, $con); $Erg = mysql_query($Sql, $con);
if( !IsSet($_GET["action"]) ) if( !IsSet($_GET["action"]) )
@ -177,9 +177,9 @@ case 'changesave':
case 'delete': case 'delete':
if (IsSet($_GET["TID"])) if (IsSet($_GET["TID"]))
{ {
if( runSQL_log( "DELETE FROM `EngelType` WHERE `TID`='". $_GET["TID"]. "'", "delate EngelType")) if( runSQL_log( "DELETE FROM `EngelType` WHERE `TID`='". $_GET["TID"]. "'", "delete EngelType"))
runSQL_log( "ALTER TABLE `Room` DROP `DEFAULT_EID_". $_GET["TID"]. "`;", runSQL_log( "ALTER TABLE `Room` DROP `DEFAULT_EID_". $_GET["TID"]. "`;",
"delate EngelType in Room Table"); "delete EngelType in Room Table");
} }
else else
echo "Fehlerhafter Aufruf"; echo "Fehlerhafter Aufruf";
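Review bot: `$_GET["TID"]` is still concatenated unescaped into both statements of the `delete` case, once as a quoted value and once inside the backticked column name `DEFAULT_EID_…` of the `ALTER TABLE`; the hunk itself only corrects the log strings. Wrapping a value in quotes or backticks does not neutralise it, so the id should be cast once, e.g. `$tid = intval($_GET["TID"]);`, and `$tid` used in both statements. The same pattern (request data concatenated between the newly added `'…'`) recurs in most later hunks of this commit, including the login lookup on `Nick`, which is reachable before authentication. Numeric ids can take `intval()` as the `LIMIT` hunk already does, and free-text fields need `mysql_real_escape_string($value, $con)`. The `case 'delete':` block continues outside the hunk.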

@ -76,7 +76,7 @@ for ($i=0; $i<$rowcount; $i++)
echo "show set"; echo "show set";
else else
{ {
$SQL2="UPDATE `User` SET Aktiv=1 WHERE UID=". mysql_result($Erg, $i, "UID"). " LIMIT 1"; $SQL2="UPDATE `User` SET `Aktiv`='1' WHERE `UID`='". mysql_result($Erg, $i, "UID"). "' LIMIT 1";
$Erg2 = db_query($SQL2, "update Active State"); $Erg2 = db_query($SQL2, "update Active State");
if ($Erg2 != 1) if ($Erg2 != 1)
echo "Fehler beim speichern bei Engel ".UID2Nick(mysql_result($Erg, $i, "UID")); echo "Fehler beim speichern bei Engel ".UID2Nick(mysql_result($Erg, $i, "UID"));

@ -32,7 +32,7 @@ echo "Deaktiviert";
echo "<h1>Tshirt-Size</h1>"; echo "<h1>Tshirt-Size</h1>";
$SQL="SELECT `Size`, COUNT(`Size`) FROM User GROUP BY `Size`"; $SQL="SELECT `Size`, COUNT(`Size`) FROM `User` GROUP BY `Size`";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
echo mysql_error($con); echo mysql_error($con);
$rowcount = mysql_num_rows($Erg); $rowcount = mysql_num_rows($Erg);

@ -38,7 +38,7 @@ if( $_GET["dial"]=="dial")
echo "<select name=\"DECT\">\n"; echo "<select name=\"DECT\">\n";
echo "\t<option value=\"\">costum</option>\n"; echo "\t<option value=\"\">costum</option>\n";
$usql="SELECT * FROM User WHERE NOT DECT='' ORDER BY Nick"; $usql="SELECT * FROM `User` WHERE NOT `DECT`='' ORDER BY `Nick`";
$uErg = mysql_query($usql, $con); $uErg = mysql_query($usql, $con);
$urowcount = mysql_num_rows($uErg); $urowcount = mysql_num_rows($uErg);
for ($k=0; $k<$urowcount; $k++) for ($k=0; $k<$urowcount; $k++)

@ -66,7 +66,7 @@ case "all":
break; break;
case "open": case "open":
$SQL="SELECT * FROM `Questions` WHERE AID = \"0\" ORDER BY QID DESC"; $SQL="SELECT * FROM `Questions` WHERE `AID`='0' ORDER BY `QID` DESC";
$quest_bearb=1; // Fragenliste anzeigen $quest_bearb=1; // Fragenliste anzeigen
echo "\t\tOffene Anfragen:<br>\n"; echo "\t\tOffene Anfragen:<br>\n";
break; break;
@ -76,7 +76,7 @@ case "edit":
echo "\t\tFehlerhafter Aufruf...<br>Bitte die Bearbeitung nochmals beginnen :)\n"; echo "\t\tFehlerhafter Aufruf...<br>Bitte die Bearbeitung nochmals beginnen :)\n";
else else
{ {
$SQL = "SELECT * FROM Questions where QID=". $_GET["QID"]; $SQL = "SELECT * FROM `Questions` WHERE `QID`=`". $_GET["QID"]. "'";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
echo "\t\t<form action=\"./faq.php\" method=\"GET\">\n"; echo "\t\t<form action=\"./faq.php\" method=\"GET\">\n";
echo "\t\tAnfrage von <b>". UID2NICK(mysql_result($Erg, 0, "UID")). "</b>:<br>\n"; echo "\t\tAnfrage von <b>". UID2NICK(mysql_result($Erg, 0, "UID")). "</b>:<br>\n";
@ -106,9 +106,9 @@ case "save":
echo "\tFehlerhafter Aufruf... Bitte die Bearbeitung nochmal starten..."; echo "\tFehlerhafter Aufruf... Bitte die Bearbeitung nochmal starten...";
else else
{ {
$SQL = "UPDATE `Questions` SET Question=\"". $_GET["Question"]. $SQL = "UPDATE `Questions` SET `Question`='". $_GET["Question"].
"\", AID=\"". $_SESSION['UID']. "\" , Answer=\"". $_GET["Answer"]. "\" ". "', `AID`='". $_SESSION['UID']. "' , `Answer`='". $_GET["Answer"]. "' ".
"WHERE QID = \"". $_GET["QID"]. "\" LIMIT 1"; "WHERE `QID`='". $_GET["QID"]. "' LIMIT 1";
$Erg = db_query($SQL, "save Question"); $Erg = db_query($SQL, "save Question");
if ($Erg == 1) if ($Erg == 1)
{ {
@ -125,10 +125,10 @@ case "transfer":
echo "\tFehlerhafter Aufruf... Bitte die Bearbeitung nochmal starten...\n"; echo "\tFehlerhafter Aufruf... Bitte die Bearbeitung nochmal starten...\n";
else else
{ {
$SQL1="Select * from Questions where QID=". $_GET["QID"]; $SQL1="SELECT * FROM `Questions` WHERE `QID`='". $_GET["QID"]. "'";
$Erg = mysql_query($SQL1, $con); $Erg = mysql_query($SQL1, $con);
$SQL2="INSERT into `FAQ` Values (\"\", \"". $SQL2="INSERT INTO `FAQ` Values ('', '".
mysql_result($Erg, 0, "Question")."\", \"".mysql_result($Erg, 0, "Answer")."\")"; mysql_result($Erg, 0, "Question")."', '".mysql_result($Erg, 0, "Answer")."')";
$Erg = db_query($SQL2, "trasfert to request to the FAQ"); $Erg = db_query($SQL2, "trasfert to request to the FAQ");
if ($Erg == 1) if ($Erg == 1)
echo "\tDer Eintrag wurde &uuml;bertragen.<br>\n"; echo "\tDer Eintrag wurde &uuml;bertragen.<br>\n";
@ -170,7 +170,7 @@ case "faqedit":
echo "\tFehlerhafter Aufruf...<br>Bitte die Bearbeitung nochmals beginnen :)\n"; echo "\tFehlerhafter Aufruf...<br>Bitte die Bearbeitung nochmals beginnen :)\n";
else else
{ {
$SQL = "SELECT * FROM FAQ where FID=". $_GET["FAQID"]; $SQL = "SELECT * FROM `FAQ` WHERE `FID`='". $_GET["FAQID"]. "'";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
// anzahl zeilen // anzahl zeilen
@ -200,7 +200,7 @@ case "faqdelete";
echo "\tFehlerhafter Aufruf... Bitte die Bearbeitung nochmal starten...\n"; echo "\tFehlerhafter Aufruf... Bitte die Bearbeitung nochmal starten...\n";
else else
{ {
$SQL = "DELETE FROM `FAQ` WHERE FID = \"". $_GET["FAQID"]. "\" LIMIT 1"; $SQL = "DELETE FROM `FAQ` WHERE `FID`='". $_GET["FAQID"]. "' LIMIT 1";
$Erg = db_query($SQL, "delate faq item"); $Erg = db_query($SQL, "delate faq item");
if ($Erg == 1) if ($Erg == 1)
echo "\tDer Eintrag wurde gel&ouml;scht<br>\n"; echo "\tDer Eintrag wurde gel&ouml;scht<br>\n";
@ -214,8 +214,8 @@ case "faqsave";
echo "\tFehlerhafter Aufruf... Bitte die Bearbeitung nochmal starten...\n"; echo "\tFehlerhafter Aufruf... Bitte die Bearbeitung nochmal starten...\n";
else else
{ {
$SQL = "UPDATE `FAQ` SET Frage=\"". $_GET["Frage"]. "\", Antwort=\"". $_GET["Antwort"]. $SQL = "UPDATE `FAQ` SET `Frage`='". $_GET["Frage"]. "', `Antwort`='". $_GET["Antwort"].
"\" WHERE FID = \"". $_GET["FAQID"]. "\" LIMIT 1"; "' WHERE `FID`='". $_GET["FAQID"]. "' LIMIT 1";
$Erg = db_query($SQL, $con); $Erg = db_query($SQL, $con);
if ($Erg == 1) if ($Erg == 1)
echo "\tDer Eintrag wurde ge&auml;ndert<br>\n"; echo "\tDer Eintrag wurde ge&auml;ndert<br>\n";
@ -238,7 +238,7 @@ case "faqnew":
break; break;
case "faqnewsave"; case "faqnewsave";
$SQL = "INSERT INTO `FAQ` VALUES (\"\", \"". $_GET["Frage"]. "\", \"". $_GET["Antwort"]. "\")"; $SQL = "INSERT INTO `FAQ` VALUES ('', '". $_GET["Frage"]. "', '". $_GET["Antwort"]. "')";
$Erg = db_query($SQL, "Save new FAQ entry"); $Erg = db_query($SQL, "Save new FAQ entry");
if ($Erg == 1) if ($Erg == 1)
echo "\tDer Eintrag wurde erfasst.<br>\n"; echo "\tDer Eintrag wurde erfasst.<br>\n";
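Review bot: The rewritten `edit` query opens the value with a backtick and closes it with a single quote (`WHERE `QID`=`". $_GET["QID"]. "'"`), so MySQL receives an unbalanced identifier quote and the statement fails. The `mysql_result($Erg, 0, "UID")` call two lines later then runs on a failed result. The opening delimiter should be a single quote, and the id can be cast at the same time: `$SQL = "SELECT * FROM `Questions` WHERE `QID`='". intval($_GET["QID"]). "'";`. The `case "edit":` body continues outside the hunk.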

@ -35,7 +35,7 @@ $SQL = "SELECT Shifts.*, ShiftEntry.*, User.Nick ".
"WHERE (Shifts.DateS<=Now() AND Shifts.DateE>=Now() );"; "WHERE (Shifts.DateS<=Now() AND Shifts.DateE>=Now() );";
*/ */
$SQL = "SELECT Shifts.*, ShiftEntry.* ". $SQL = "SELECT Shifts.*, ShiftEntry.* ".
"FROM Shifts INNER JOIN ShiftEntry ON Shifts.SID = ShiftEntry.SID ". "FROM `Shifts` INNER JOIN ShiftEntry ON Shifts.SID = ShiftEntry.SID ".
"WHERE (Shifts.DateS<=Now() AND Shifts.DateE>=Now() );"; "WHERE (Shifts.DateS<=Now() AND Shifts.DateE>=Now() );";
//SELECT User.Nick, Schichtplan.*, Schichtbelegung. * FROM User LEFT JOIN Schichtbelegung ON User.UID=Schichtbelegung.UID, Schichtplan LEFT JOIN Schichtbelegung ON Schichtplan.SID = Schichtbelegung.SID WHERE Schichtplan.Date < now() and Schichtplan.EndDate > now() ORDER BY Nick //SELECT User.Nick, Schichtplan.*, Schichtbelegung. * FROM User LEFT JOIN Schichtbelegung ON User.UID=Schichtbelegung.UID, Schichtplan LEFT JOIN Schichtbelegung ON Schichtplan.SID = Schichtbelegung.SID WHERE Schichtplan.Date < now() and Schichtplan.EndDate > now() ORDER BY Nick

@ -9,7 +9,7 @@ include ("./inc/funktion_user.php");
if (!IsSet($_GET["action"])) if (!IsSet($_GET["action"]))
{ {
$SQL = "SELECT * from News order by Datum DESC"; $SQL = "SELECT * FROM `News` ORDER BY `Datum` DESC";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
$rowcount = mysql_num_rows($Erg); $rowcount = mysql_num_rows($Erg);
@ -52,7 +52,7 @@ else
case 'change': case 'change':
if (isset($_GET["date"])) if (isset($_GET["date"]))
{ {
$SQL = "SELECT * from News where (Datum='". $_GET["date"]. "')"; $SQL = "SELECT * FROM `News` WHERE (`Datum`='". $_GET["date"]. "')";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
if( mysql_num_rows( $Erg)==1) if( mysql_num_rows( $Erg)==1)
@ -91,15 +91,15 @@ else
case 'change_save': case 'change_save':
if( isset($_GET["date"]) && isset($_GET["eBetreff"]) && isset($_GET["eText"]) ) if( isset($_GET["date"]) && isset($_GET["eBetreff"]) && isset($_GET["eText"]) )
$chsql="UPDATE News set Betreff = \"". $_GET["eBetreff"]. "\", Text = \"". $_GET["eText"]. $chsql="UPDATE `News` SET `Betreff`='". $_GET["eBetreff"]. "', `Text`='". $_GET["eText"].
"\", Treffen=". $_GET["eTreffen"]. " where (Datum = '". $_GET["date"]. "') limit 1"; "', `Treffen`='". $_GET["eTreffen"]. "' WHERE (`Datum`='". $_GET["date"]. "') limit 1";
else else
echo "Fehler: nicht genügend parameter übergeben"; echo "Fehler: nicht genügend parameter übergeben";
break; break;
case 'delete': case 'delete':
if (isset($_POST["date"])) if (isset($_POST["date"]))
$chsql="DELETE from News where Datum = '". $_POST["date"]. "' limit 1"; $chsql="DELETE FROM 'News' WHERE `Datum`='". $_POST["date"]. "' LIMIT 1";
else else
echo "Fehler: \"date\" nicht übergeben"; echo "Fehler: \"date\" nicht übergeben";
break; break;
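Review bot: In the `delete` case the table name is now wrapped in single quotes (`DELETE FROM 'News' WHERE …`), which MySQL reads as a string literal rather than an identifier, so the statement is a syntax error and news entries can no longer be deleted. It should use backticks like the other statements in this section: `$chsql="DELETE FROM `News` WHERE `Datum`='". mysql_real_escape_string($_POST["date"], $con). "' LIMIT 1";`. The same escaping is needed for `eBetreff`, `eText`, `eTreffen` and `date` in `change_save`. There, `eTreffen` is also used without being covered by the `isset()` check.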

@ -5,7 +5,7 @@ include ("./inc/header.php");
include ("./inc/funktion_user.php"); include ("./inc/funktion_user.php");
include ("./inc/funktion_schichtplan_aray.php"); include ("./inc/funktion_schichtplan_aray.php");
$Sql = "SELECT * FROM `Room` ORDER BY Number, Name"; $Sql = "SELECT * FROM `Room` ORDER BY `Number`, `Name`";
$Erg = mysql_query($Sql, $con); $Erg = mysql_query($Sql, $con);
if( !IsSet($_GET["action"]) ) if( !IsSet($_GET["action"]) )

@ -50,7 +50,7 @@ for( $i = 0; $i < $rowcount; $i++)
"value=\"". mysql_result($Erg, $i, "SID"). "\"></td>\n"; "value=\"". mysql_result($Erg, $i, "SID"). "\"></td>\n";
echo "\t\t<td>".mysql_result($Erg, $i, "DateS")."</td>\n"; echo "\t\t<td>".mysql_result($Erg, $i, "DateS")."</td>\n";
$sql2= "SELECT `Name` FROM `Room` WHERE `RID`=\"".mysql_result($Erg, $i, "RID")."\""; $sql2= "SELECT `Name` FROM `Room` WHERE `RID`='".mysql_result($Erg, $i, "RID")."'";
$Erg2 = mysql_query($sql2, $con); $Erg2 = mysql_query($sql2, $con);
if( mysql_num_rows($Erg2) > 0) if( mysql_num_rows($Erg2) > 0)
echo "\t\t<td>".mysql_result($Erg2, 0, "Name")."</td>\n"; echo "\t\t<td>".mysql_result($Erg2, 0, "Name")."</td>\n";
@ -83,7 +83,7 @@ case 'change':
else else
{ {
$sql = "SELECT * FROM `Shifts` WHERE (`SID` = \"". $_GET["SID"]. "\" )"; $sql = "SELECT * FROM `Shifts` WHERE (`SID` = '". $_GET["SID"]. "' )";
$Erg = mysql_query($sql, $con); $Erg = mysql_query($sql, $con);
echo "Schicht ab&auml;ndern: <br>\n"; echo "Schicht ab&auml;ndern: <br>\n";
@ -138,7 +138,7 @@ case 'change':
echo "<br><hr>\n\n\n\n"; echo "<br><hr>\n\n\n\n";
//Freie Engelschichten //Freie Engelschichten
$sql3 = "SELECT TID FROM `ShiftEntry` WHERE SID=". $_GET["SID"]. " AND UID=0"; $sql3 = "SELECT `TID` FROM `ShiftEntry` WHERE `SID`='". $_GET["SID"]. "' AND `UID`='0'";
$Erg3 = mysql_query($sql3, $con); $Erg3 = mysql_query($sql3, $con);
$rowcount = mysql_num_rows($Erg3); $rowcount = mysql_num_rows($Erg3);
@ -153,7 +153,7 @@ case 'change':
echo "<br><hr>\n\n\n\n"; echo "<br><hr>\n\n\n\n";
//Ausgabe eingetragener schischten //Ausgabe eingetragener schischten
$sql3 = "SELECT * FROM `ShiftEntry` WHERE SID=". $_GET["SID"]. " AND NOT UID=0"; $sql3 = "SELECT * FROM `ShiftEntry` WHERE `SID`='". $_GET["SID"]. "' AND NOT `UID`='0'";
$Erg3 = mysql_query($sql3, $con); $Erg3 = mysql_query($sql3, $con);
$rowcount = mysql_num_rows($Erg3); $rowcount = mysql_num_rows($Erg3);
@ -180,7 +180,7 @@ case 'change':
echo "<select name=\"UIDs\">\n"; echo "<select name=\"UIDs\">\n";
echo "\t<option value=\"0\">--neu--</option>\n"; echo "\t<option value=\"0\">--neu--</option>\n";
$usql="select * from User order by Nick"; $usql="SELECT * FROM `User` ORDER BY `Nick`";
$uErg = mysql_query($usql, $con); $uErg = mysql_query($usql, $con);
$urowcount = mysql_num_rows($uErg); $urowcount = mysql_num_rows($uErg);
for ($k=0; $k<$urowcount; $k++) for ($k=0; $k<$urowcount; $k++)
@ -240,14 +240,14 @@ case 'engeladd':
if( mysql_num_rows($ERG) != 0 ) if( mysql_num_rows($ERG) != 0 )
{ {
$chSQL = "UPDATE `ShiftEntry` SET ". $chSQL = "UPDATE `ShiftEntry` SET ".
"`UID`='". $_GET["UIDs"]. "', `Comment`='shift added by ".$_SESSION['Nick']."' "; "`UID`='". $_GET["UIDs"]. "', `Comment`='shift added by ".$_SESSION['Nick']."' ".
$chSQL .= "WHERE (`SID`='". $_GET["SID"]. "' AND ". "WHERE (`SID`='". $_GET["SID"]. "' AND ".
"`TID`='". $_GET["TID"]. "' AND `UID`='0' ) LIMIT 1"; "`TID`='". $_GET["TID"]. "' AND `UID`='0' ) LIMIT 1";
} }
else else
{ {
$chSQL = "INSERT INTO `ShiftEntry` (`SID`, `TID`, `UID`, `Comment`) VALUES ("; $chSQL = "INSERT INTO `ShiftEntry` (`SID`, `TID`, `UID`, `Comment`) VALUES (".
$chSQL .= "'". $_GET["SID"]. "', '". $_GET["TID"]. "', ". "'". $_GET["SID"]. "', '". $_GET["TID"]. "', ".
"'". $_GET["UIDs"]. "', 'shift added by ".$_SESSION['Nick']."')"; "'". $_GET["UIDs"]. "', 'shift added by ".$_SESSION['Nick']."')";
} }
echo "Es wird folgende Schicht zus&auml;tzlich eingetragen:<br>\n"; echo "Es wird folgende Schicht zus&auml;tzlich eingetragen:<br>\n";
@ -305,8 +305,8 @@ case 'changesave':
break; break;
case 'delete': case 'delete':
$chSQL = "DELETE FROM `Shifts` WHERE `SID`=". $_GET["SID"]. " LIMIT 1"; $chSQL = "DELETE FROM `Shifts` WHERE `SID`='". $_GET["SID"]. "' LIMIT 1";
$ch2SQL = "DELETE FROM `ShiftEntry` WHERE `SID`=". $_GET["SID"]; $ch2SQL = "DELETE FROM `ShiftEntry` WHERE `SID`='". $_GET["SID"]. "'";
SetHeaderGo2Back(); SetHeaderGo2Back();
break; break;

@ -50,7 +50,7 @@ for ($i = 0 ; $i < mysql_fetch_row($Erg) ; $i++)
<select name="Raum"> <select name="Raum">
<?php <?php
$res = mysql_query("SELECT Name, RID FROM `Room` WHERE `show`!='N' ORDER BY Name;",$con); $res = mysql_query("SELECT Name, RID FROM `Room` WHERE `show`!='N' ORDER BY `Name`;",$con);
for ($i = 0; $i < mysql_num_rows($res); $i++) for ($i = 0; $i < mysql_num_rows($res); $i++)
{ {

@ -273,7 +273,7 @@ function CreateNewEntry()
// Ist eintarg schon vorhanden? // Ist eintarg schon vorhanden?
$SQL = "SELECT SID FROM `Shifts` "; $SQL = "SELECT `SID` FROM `Shifts` ";
$SQL .= "WHERE (". $SQL .= "WHERE (".
"`DateS` = '". $_DateS. "' AND ". "`DateS` = '". $_DateS. "' AND ".
"`DateE` = '". $_DateE. "' AND ". "`DateE` = '". $_DateE. "' AND ".

@ -9,7 +9,7 @@ include ("./inc/funktion_user.php");
If (IsSet($_GET["aktiv"])) { If (IsSet($_GET["aktiv"])) {
$SQL="Update User set Tshirt=\"1\" where UID=\"". $_GET["aktiv"]. "\" limit 1"; $SQL="UPDATE `User` SET `Tshirt`='1' WHERE `UID`='". $_GET["aktiv"]. "' limit 1";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
if ($Erg == 1) { if ($Erg == 1) {
} else { } else {
@ -25,7 +25,7 @@ Hinter diesem erscheint ein Link, &uuml;ber den man eintragen kann, dass der Eng
Liste aller aktiven Engel: Liste aller aktiven Engel:
<?PHP <?PHP
$SQL = "SELECT * from User where (Aktiv = 1) ORDER BY Nick ASC"; $SQL = "SELECT * FROM `User` WHERE (`Aktiv`='1') ORDER BY `Nick` ASC";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
$rowcount = mysql_num_rows($Erg); $rowcount = mysql_num_rows($Erg);

@ -15,7 +15,7 @@ if (!IsSet($_GET["enterUID"]))
echo "\n<a href=\"./user.php?enterUID=-1&Type=Secure\">Edit logout User</a><br><br>\n"; echo "\n<a href=\"./user.php?enterUID=-1&Type=Secure\">Edit logout User</a><br><br>\n";
if( !isset($_GET["OrderBy"]) ) $_GET["OrderBy"] = "Nick"; if( !isset($_GET["OrderBy"]) ) $_GET["OrderBy"] = "Nick";
$SQL = "SELECT * FROM User ORDER BY `". $_GET["OrderBy"]. "` ASC"; $SQL = "SELECT * FROM `User` ORDER BY `". $_GET["OrderBy"]. "` ASC";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
echo mysql_error($con); echo mysql_error($con);
@ -96,7 +96,7 @@ if (!IsSet($_GET["enterUID"]))
echo "\t<td>"; echo "\t<td>";
//check userCVS=OK //check userCVS=OK
$SQL2 = "SELECT UID FROM UserCVS WHERE (UID=". mysql_result($Erg, $n, "UID"). ")"; $SQL2 = "SELECT `UID` FROM `UserCVS` WHERE (`UID`='". mysql_result($Erg, $n, "UID"). "')";
$Erg2 = mysql_query($SQL2, $con); $Erg2 = mysql_query($SQL2, $con);
echo mysql_error($con); echo mysql_error($con);
if( mysql_num_rows($Erg2)==0) if( mysql_num_rows($Erg2)==0)
@ -135,7 +135,7 @@ else
if( $_GET["Type"] == "Normal" ) if( $_GET["Type"] == "Normal" )
{ {
$SQL = "SELECT * FROM User WHERE UID=". $_GET["enterUID"]; $SQL = "SELECT * FROM `User` WHERE `UID`='". $_GET["enterUID"]. "'";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
if (mysql_num_rows($Erg) != 1) if (mysql_num_rows($Erg) != 1)
@ -243,7 +243,7 @@ else
// CVS-Rechte // CVS-Rechte
echo " <tr><td><br><u>Rights of \"". UID2Nick($_GET["enterUID"]). "\":</u></td></tr>\n"; echo " <tr><td><br><u>Rights of \"". UID2Nick($_GET["enterUID"]). "\":</u></td></tr>\n";
$SQL_CVS = "SELECT * FROM `UserCVS` WHERE UID=". $_GET["enterUID"]; $SQL_CVS = "SELECT * FROM `UserCVS` WHERE `UID`='". $_GET["enterUID"]. "'";
$Erg_CVS = mysql_query($SQL_CVS, $con); $Erg_CVS = mysql_query($SQL_CVS, $con);
if( mysql_num_rows($Erg_CVS) != 1) if( mysql_num_rows($Erg_CVS) != 1)
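Review bot: `$_GET["OrderBy"]` is placed between backticks as a column name in the user list query, and neither quoting nor `mysql_real_escape_string()` makes an identifier safe, since that function does not escape backticks. The value should be compared against a fixed list of sortable columns before it reaches the query, e.g. `if( !in_array($_GET["OrderBy"], $allowedOrder, true) ) $_GET["OrderBy"] = "Nick";`, where `$allowedOrder` is a constructed name for an array of the column names the list header links to. The `enterUID` lookups in the later hunks of this section are numeric ids and can take `intval()`.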

@ -48,7 +48,7 @@ if (IsSet($_GET["action"]))
elseif ($_POST["Type"] == "Secure") elseif ($_POST["Type"] == "Secure")
{ {
$SQL2 = "UPDATE `UserCVS` SET "; $SQL2 = "UPDATE `UserCVS` SET ";
$SQL_CVS = "SELECT * FROM `UserCVS` WHERE UID=". $_POST["enterUID"]; $SQL_CVS = "SELECT * FROM `UserCVS` WHERE `UID`='". $_POST["enterUID"]. "'";
$Erg_CVS = mysql_query($SQL_CVS, $con); $Erg_CVS = mysql_query($SQL_CVS, $con);
$CVS_Data = mysql_fetch_array($Erg_CVS); $CVS_Data = mysql_fetch_array($Erg_CVS);
$CVS_Data_i = 1; $CVS_Data_i = 1;
@ -112,7 +112,7 @@ if (IsSet($_GET["action"]))
case "newpw": case "newpw":
echo "Bitte neues Kennwort f&uuml;r <b>"; echo "Bitte neues Kennwort f&uuml;r <b>";
// Get Nick // Get Nick
$USQL = "SELECT * FROM User WHERE UID=". $_GET["eUID"]; $USQL = "SELECT * FROM `User` WHERE `UID`='". $_GET["eUID"]. "'";
$Erg = mysql_query($USQL, $con); $Erg = mysql_query($USQL, $con);
echo mysql_result($Erg, 0, "Nick"); echo mysql_result($Erg, 0, "Nick");
echo "</b> eingeben:<br>"; echo "</b> eingeben:<br>";

@ -78,7 +78,7 @@ if( isset($_POST["send"]))
$Erg2 = mysql_query($SQL2, $con); $Erg2 = mysql_query($SQL2, $con);
$Data = mysql_fetch_array($Erg2); $Data = mysql_fetch_array($Erg2);
$SQL3 = "INSERT INTO `UserCVS` (`UID`) VALUES (". $Data["UID"]. ");"; $SQL3 = "INSERT INTO `UserCVS` (`UID`) VALUES ('". $Data["UID"]. "');";
$Erg3 = mysql_query($SQL3, $con); $Erg3 = mysql_query($SQL3, $con);
if ($Erg3 != 1) if ($Erg3 != 1)
{ {

@ -140,13 +140,13 @@ switch ($_POST["action"]) {
case 'set': case 'set':
if ($_POST["new1"]==$_POST["new2"]){ if ($_POST["new1"]==$_POST["new2"]){
Print_Text(25); Print_Text(25);
$sql = "select * from User where UID=".$_SESSION['UID']; $sql = "SELECT * FROM `User` WHERE `UID`='".$_SESSION['UID']. "'";
$Erg = mysql_query($sql, $con); $Erg = mysql_query($sql, $con);
if (PassCrypt($_POST["old"])==mysql_result($Erg, 0, "Passwort")) { if (PassCrypt($_POST["old"])==mysql_result($Erg, 0, "Passwort")) {
Print_Text(26); Print_Text(26);
Print_Text(27); Print_Text(27);
$usql = "update User set Passwort='".PassCrypt($_POST["new1"])."' ". $usql = "UPDATE `User` SET `Passwort`='". PassCrypt($_POST["new1"]). "' ".
"where UID=".$_SESSION['UID']." limit 1"; " WHERE `UID`='". $_SESSION['UID']. "' LIMIT 1";
$Erg = mysql_query($usql, $con); $Erg = mysql_query($usql, $con);
if ($Erg==1) { if ($Erg==1) {
Print_Text(28); Print_Text(28);
@ -163,10 +163,10 @@ case 'set':
case 'colour': case 'colour':
$chsql="Update User set ". $chsql="UPDATE `User` SET ".
"`color` = \"". $_POST["colourid"]. "\", ". "`color`= '". $_POST["colourid"]. "', ".
"`Menu`= \"". $_POST["eMenu"]. "\" ". "`Menu`= '". $_POST["eMenu"]. "' ".
"where UID = \"".$_SESSION['UID']."\" limit 1"; "WHERE `UID`='". $_SESSION['UID']. "' LIMIT 1";
$Erg = mysql_query($chsql, $con); $Erg = mysql_query($chsql, $con);
echo mysql_error($con); echo mysql_error($con);
$_SESSION['color']=$_POST["colourid"]; $_SESSION['color']=$_POST["colourid"];
@ -180,7 +180,7 @@ case 'colour':
case 'sprache': case 'sprache':
$chsql="Update User set Sprache = \"". $_POST["language"]. "\" where UID = \"".$_SESSION['UID']."\" limit 1"; $chsql="UPDATE `User` SET `Sprache` = '". $_POST["language"]. "' WHERE `UID`='". $_SESSION['UID']. "' LIMIT 1";
$Erg = mysql_query($chsql, $con); $Erg = mysql_query($chsql, $con);
$_SESSION['Sprache']=$_POST["language"]; $_SESSION['Sprache']=$_POST["language"];
if ($Erg==1) { if ($Erg==1) {
@ -191,7 +191,7 @@ case 'sprache':
break; break;
case 'avatar': case 'avatar':
$chsql="Update User set Avatar = \"". $_POST["eAvatar"]. "\" where UID = \"". $_SESSION['UID']. "\" limit 1"; $chsql="UPDATE `User` SET `Avatar`='". $_POST["eAvatar"]. "' WHERE `UID`='". $_SESSION['UID']. "' LIMIT 1";
$Erg = mysql_query($chsql, $con); $Erg = mysql_query($chsql, $con);
$_SESSION['Avatar']=$_POST["eAvatar"]; $_SESSION['Avatar']=$_POST["eAvatar"];
if ($Erg==1) { if ($Erg==1) {
@ -202,14 +202,14 @@ case 'avatar':
break; break;
case 'setUserData': case 'setUserData':
$chsql= "UPDATE User SET ". $chsql= "UPDATE `User` SET ".
"`Nick`='". $_POST["eNick"]. "', `Name`='". $_POST["eName"]. "', ". "`Nick`='". $_POST["eNick"]. "', `Name`='". $_POST["eName"]. "', ".
"`Vorname`='". $_POST["eVorname"]. "', `Alter`='". $_POST["eAlter"]. "', ". "`Vorname`='". $_POST["eVorname"]. "', `Alter`='". $_POST["eAlter"]. "', ".
"`Telefon`='". $_POST["eTelefon"]. "', `Handy`='". $_POST["eHandy"]. "', ". "`Telefon`='". $_POST["eTelefon"]. "', `Handy`='". $_POST["eHandy"]. "', ".
"`DECT`='". $_POST["eDECT"]. "', `email`='". $_POST["eemail"]. "', ". "`DECT`='". $_POST["eDECT"]. "', `email`='". $_POST["eemail"]. "', ".
"`ICQ`='". $_POST["eICQ"]. "', `jabber`='". $_POST["ejabber"]."', ". "`ICQ`='". $_POST["eICQ"]. "', `jabber`='". $_POST["ejabber"]."', ".
"`Hometown`='". $_POST["Hometown"]. "' ". "`Hometown`='". $_POST["Hometown"]. "' ".
"WHERE UID='". $_SESSION['UID']. "' LIMIT 1;"; "WHERE `UID`='". $_SESSION['UID']. "' LIMIT 1;";
$Erg = mysql_query($chsql, $con); $Erg = mysql_query($chsql, $con);
if ($Erg==1) if ($Erg==1)

@ -23,7 +23,7 @@ if (!IsSet($_POST["eUID"]))
echo "<b>".Get_Text(37)."</b><br><br>\n".nl2br($_POST["frage"])."<br><br>\n".Get_Text(38)."<br>\n"; echo "<b>".Get_Text(37)."</b><br><br>\n".nl2br($_POST["frage"])."<br><br>\n".Get_Text(38)."<br>\n";
$SQL = "INSERT into Questions VALUES (\"\", \"".$_SESSION['UID']."\", \"". $_POST["frage"]. "\", \"\", \"\")"; $SQL = "INSERT INTO `Questions` VALUES ('', '".$_SESSION['UID']."', '". $_POST["frage"]. "', '', '')";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
} }
@ -32,7 +32,7 @@ echo "<br>\n<b>".Get_Text(39)."</b><br>\n";
echo "<hr width=\"99%\">\n"; echo "<hr width=\"99%\">\n";
echo "<br><b>".Get_Text(40)."</b><br>\n"; echo "<br><b>".Get_Text(40)."</b><br>\n";
$SQL = "SELECT * from Questions where UID = ".$_SESSION['UID']." and AID=\"0\" ORDER BY 'QID' DESC"; $SQL = "SELECT * FROM `Questions` WHERE `UID` = ". $_SESSION['UID']. " AND `AID`='0' ORDER BY 'QID' DESC";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
// anzahl zeilen // anzahl zeilen
@ -52,7 +52,7 @@ if ($Zeilen==0){
echo "<hr width=\"99%\">\n"; echo "<hr width=\"99%\">\n";
echo "<br><b>".Get_Text(42)."</b><br>\n"; echo "<br><b>".Get_Text(42)."</b><br>\n";
$SQL = "SELECT * from Questions where UID = ".$_SESSION['UID']." and AID<>\"0\" ORDER BY 'QID' DESC"; $SQL = "SELECT * FROM `Questions` WHERE `UID`='".$_SESSION['UID']."' and `AID`<>'0' ORDER BY 'QID' DESC";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
// anzahl zeilen // anzahl zeilen
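Review bot: Both question lists still end in `ORDER BY 'QID' DESC`, and with single quotes `'QID'` is a constant string, so the rows come back in no defined order. The commit backticks every other identifier, so this should read `ORDER BY `QID` DESC`. The same applies to `ORDER BY 'ID'` in the `news_comments` and `News` queries further down. The first query also leaves `$_SESSION['UID']` unquoted while the second quotes it; the two should match.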

@ -20,7 +20,7 @@ if ( !IsSet($_POST["user"]))
} }
else else
{ // User ist noch nicht angemeldet { // User ist noch nicht angemeldet
$sql = "select * from User where Nick = '". $_POST["user"]. "'"; $sql = "SELECT * FROM `User` WHERE `Nick`='". $_POST["user"]. "'";
$userstring = mysql_query($sql, $con); $userstring = mysql_query($sql, $con);
// anzahl zeilen // anzahl zeilen
@ -54,7 +54,7 @@ else
$_SESSION['IP'] = $_SERVER['REMOTE_ADDR']; $_SESSION['IP'] = $_SERVER['REMOTE_ADDR'];
// CVS import Data // CVS import Data
$SQL = "SELECT * FROM `UserCVS` WHERE UID='".$_SESSION['UID']."'"; $SQL = "SELECT * FROM `UserCVS` WHERE `UID`='".$_SESSION['UID']."'";
$Erg_CVS = mysql_query($SQL, $con); $Erg_CVS = mysql_query($SQL, $con);
$_SESSION['CVS'] = mysql_fetch_array($Erg_CVS); $_SESSION['CVS'] = mysql_fetch_array($Erg_CVS);

@ -88,8 +88,7 @@ else
{ {
echo Get_Text("pub_mywake_delate1")."<br>\n"; echo Get_Text("pub_mywake_delate1")."<br>\n";
$sql = "SELECT * FROM `Shifts` WHERE "; $sql = "SELECT * FROM `Shifts` WHERE (`SID` = '". $_GET["SID"]. "')";
$sql.= "(SID = \"". $_GET["SID"]. "\")";
$Erg = mysql_query($sql, $con); $Erg = mysql_query($sql, $con);
$schichtdate = mysql_result( $Erg, 0, "DateS" ); $schichtdate = mysql_result( $Erg, 0, "DateS" );
@ -124,7 +123,7 @@ else
echo Get_Text("pub_myshift_Edit_Text1"). "\n"; echo Get_Text("pub_myshift_Edit_Text1"). "\n";
$sql = "SELECT * FROM `ShiftEntry` WHERE "; $sql = "SELECT * FROM `ShiftEntry` WHERE ";
$sql.= "(SID=\"". $_GET["SID"]. "\" AND UID=\"". $_SESSION['UID']. "\" )"; $sql.= "(`SID`='". $_GET["SID"]. "' AND `UID`='". $_SESSION['UID']. "')";
$Erg = mysql_query($sql, $con); $Erg = mysql_query($sql, $con);
echo "<form action=\"./myschichtplan.php\" method=\"GET\">\n"; echo "<form action=\"./myschichtplan.php\" method=\"GET\">\n";
@ -138,7 +137,7 @@ else
{ {
echo Get_Text("pub_myshift_EditSave_Text1"). "<br>\n"; echo Get_Text("pub_myshift_EditSave_Text1"). "<br>\n";
$sql = "UPDATE `ShiftEntry` ". $sql = "UPDATE `ShiftEntry` ".
"SET `Comment` = \"". $_GET["newtext"]. "\" ". "SET `Comment` = '". $_GET["newtext"]. "' ".
"WHERE `SID`='". $_GET["SID"]. "' AND `UID`='". $_SESSION['UID']. "' LIMIT 1;"; "WHERE `SID`='". $_GET["SID"]. "' AND `UID`='". $_SESSION['UID']. "' LIMIT 1;";
$Erg = mysql_query($sql, $con); $Erg = mysql_query($sql, $con);
if ($Erg == 1) if ($Erg == 1)

@ -12,8 +12,8 @@ if( IsSet( $_GET["nid"]))
if( IsSet( $_GET["text"])) if( IsSet( $_GET["text"]))
{ {
$ch_sql="INSERT INTO news_comments (Refid, Datum, Text, UID) VALUES ('". $ch_sql="INSERT INTO `news_comments` (`Refid`, `Datum`, `Text`, `UID`) ".
$_GET["nid"]. "', '". date("Y-m-d H:i:s"). "', '". $_GET["text"]. "', '". $_SESSION["UID"]. "')"; "VALUES ('". $_GET["nid"]. "', '". date("Y-m-d H:i:s"). "', '". $_GET["text"]. "', '". $_SESSION["UID"]. "')";
$Erg = mysql_query($ch_sql, $con); $Erg = mysql_query($ch_sql, $con);
if ($Erg == 1) if ($Erg == 1)
{ {
@ -22,7 +22,7 @@ if( IsSet( $_GET["text"]))
} }
} }
$SQL = "SELECT * FROM news_comments where Refid = '". $_GET["nid"]. "' ORDER BY 'ID'"; $SQL = "SELECT * FROM `news_comments` WHERE `Refid`='". $_GET["nid"]. "' ORDER BY 'ID'";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
echo mysql_error( $con); echo mysql_error( $con);
// anzahl zeilen // anzahl zeilen

@ -7,9 +7,9 @@ if( isset( $_POST["text"]) && isset( $_POST["betreff"]) && IsSet( $_POST["date"]
{ {
if( !isset( $_POST["treffen"])) if( !isset( $_POST["treffen"]))
$_POST["treffen"] = 0; $_POST["treffen"] = 0;
$SQL = "INSERT INTO `News` (`Datum`, `Betreff`, `Text`, `UID`, `Treffen`) "; $SQL = "INSERT INTO `News` (`Datum`, `Betreff`, `Text`, `UID`, `Treffen`) ".
$SQL.= "VALUES ('". $_POST["date"]. "', '". $_POST["betreff"]. "', '". $_POST["text"]. "', '".$_SESSION['UID']; "VALUES ('". $_POST["date"]. "', '". $_POST["betreff"]. "', '". $_POST["text"]. "', '".$_SESSION['UID'].
$SQL.= "', '". $_POST["treffen"]. "');"; "', '". $_POST["treffen"]. "');";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
if ($Erg == 1) if ($Erg == 1)
Print_Text(4); Print_Text(4);
@ -21,7 +21,7 @@ if( !IsSet( $_GET["news_begin"]))
if( !IsSet( $_GET["DISPLAY_NEWS"])) if( !IsSet( $_GET["DISPLAY_NEWS"]))
$_GET["DISPLAY_NEWS"] = 5; $_GET["DISPLAY_NEWS"] = 5;
$SQL = "SELECT * FROM `News` ORDER BY 'ID' DESC LIMIT ". $_GET["news_begin"]. ",". $_GET["DISPLAY_NEWS"]; $SQL = "SELECT * FROM `News` ORDER BY 'ID' DESC LIMIT ". intval($_GET["news_begin"]). ", ". intval($_GET["DISPLAY_NEWS"]);
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
// anzahl zeilen // anzahl zeilen
@ -48,14 +48,14 @@ for ($n = 0 ; $n < $news_rows ; $n++)
echo "</p>\n"; echo "</p>\n";
echo "<p class='answer'>". ReplaceSmilies(nl2br(mysql_result($Erg, $n, "Text"))) ."</p>\n"; echo "<p class='answer'>". ReplaceSmilies(nl2br(mysql_result($Erg, $n, "Text"))) ."</p>\n";
$RefID=mysql_result($Erg, $n, "ID"); $RefID=mysql_result($Erg, $n, "ID");
$countSQL="SELECT COUNT(*) from news_comments where Refid = '$RefID'"; $countSQL="SELECT COUNT(*) FROM `news_comments` WHERE `Refid`='$RefID'";
$countErg = mysql_query($countSQL, $con); $countErg = mysql_query($countSQL, $con);
$countcom = mysql_result($countErg, 0, "COUNT(*)"); $countcom = mysql_result($countErg, 0, "COUNT(*)");
echo "<p class='comment' align='right'><a href=\"./news_comments.php?nid=$RefID\">$countcom comments</a></p>\n\n"; echo "<p class='comment' align='right'><a href=\"./news_comments.php?nid=$RefID\">$countcom comments</a></p>\n\n";
} }
echo "<div align=\"center\">\n\n"; echo "<div align=\"center\">\n\n";
$rowerg = mysql_query("select * from News", $con); $rowerg = mysql_query("SELECT * FROM `News`", $con);
$rows = mysql_num_rows($rowerg); $rows = mysql_num_rows($rowerg);
$dis_rows = round (($rows / $DISPLAY_NEWS)+0.5); $dis_rows = round (($rows / $DISPLAY_NEWS)+0.5);
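Review bot: `intval()` on `news_begin` and `DISPLAY_NEWS` closes the injection through the `LIMIT` clause but still accepts negative numbers and arbitrarily large values. A negative offset makes the statement invalid, and an unbounded row count lets one request pull the whole table. Both should be clamped, e.g. `$begin = max(0, intval($_GET["news_begin"]));` and `$count = min(max(1, intval($_GET["DISPLAY_NEWS"])), 50);`, where 50 is a sample cap. The page-count line divides by `$DISPLAY_NEWS`, which is presumably only defined when register_globals is on; worth confirming it is the same value as the clamped `$_GET` entry.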

@ -35,7 +35,7 @@ if (isset($_POST["newtext"]) && isset($_POST["SID"]) && isset($_POST["TID"])) {
{ {
//ermitteln der noch gesuchten //ermitteln der noch gesuchten
$SQL3 = "SELECT * FROM `ShiftEntry`". $SQL3 = "SELECT * FROM `ShiftEntry`".
" WHERE ((`SID` = '". $_POST["SID"]. "') and (`TID` = '". $_POST["TID"]. "') and (`UID` = '0'));"; " WHERE ((`SID` = '". $_POST["SID"]. "') AND (`TID` = '". $_POST["TID"]. "') AND (`UID` = '0'));";
$Erg3 = mysql_query($SQL3, $con); $Erg3 = mysql_query($SQL3, $con);
if( mysql_num_rows($Erg3) <= 0 ) if( mysql_num_rows($Erg3) <= 0 )
@ -65,7 +65,7 @@ elseif (isset($_GET["SID"]) && isset($_GET["TID"])) {
"<table border=\"0\">\n"; "<table border=\"0\">\n";
$SQL = "SELECT * FROM `Shifts` WHERE "; $SQL = "SELECT * FROM `Shifts` WHERE ";
$SQL .="(SID = '". $_GET["SID"]. "')"; $SQL .="(`SID` = '". $_GET["SID"]. "')";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
echo "<tr><td>". Get_Text("pub_schichtplan_add_Date"). ":</td> <td>". echo "<tr><td>". Get_Text("pub_schichtplan_add_Date"). ":</td> <td>".

@ -20,7 +20,7 @@ include ("./inc/header.php");
</tr> </tr>
<?PHP <?PHP
$sql = "Select * from Wecken order by Date asc"; $sql = "SELECT * FROM `Wecken` ORDER BY `Date` ASC";
$Erg = mysql_query($sql, $con); $Erg = mysql_query($sql, $con);
$count = mysql_num_rows($Erg); $count = mysql_num_rows($Erg);

@ -8,9 +8,9 @@ include ("./inc/funktion_user.php");
if( isset($_POST["eintragen"])) if( isset($_POST["eintragen"]))
if( $_POST["eintragen"] == Get_Text("pub_wake_bouton") ) if( $_POST["eintragen"] == Get_Text("pub_wake_bouton") )
{ {
$SQL = "INSERT INTO Wecken (`UID`, `Date`, `Ort`, `Bemerkung`) ". $SQL = "INSERT INTO `Wecken` (`UID`, `Date`, `Ort`, `Bemerkung`) ".
"VALUES (".$_SESSION['UID'].", \"". $_POST["Date"]. "\", \"". $_POST["Ort"]. "VALUES ('". $_SESSION['UID']. "', '". $_POST["Date"]. "', '". $_POST["Ort"]. "', ".
"\", \"". $_POST["Bemerkung"]. "\") "; "'". $_POST["Bemerkung"]. "')";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
if ($Erg == 1) if ($Erg == 1)
Print_Text(4); Print_Text(4);
@ -18,7 +18,7 @@ if( isset($_POST["eintragen"]))
if( isset($_GET["eintragen"])) if( isset($_GET["eintragen"]))
if ($_GET["eintragen"] == "loeschen") if ($_GET["eintragen"] == "loeschen")
{ {
$SQL = "Delete from Wecken where UID = ".$_SESSION['UID']." and ID = ". $_GET["weckID"]." limit 1"; $SQL = "DELETE FROM `Wecken` WHERE `UID`='". $_SESSION['UID']. "' AND `ID`='". $_GET["weckID"]."' LIMIT 1";
$Erg = mysql_query($SQL, $con); $Erg = mysql_query($SQL, $con);
if ($Erg == 1) if ($Erg == 1)
Print_Text(4); Print_Text(4);
@ -38,7 +38,7 @@ echo Get_Text("pub_wake_beschreibung2"); ?>
</tr> </tr>
<?PHP <?PHP
$sql = "Select * from Wecken where UID='".$_SESSION['UID']."' order by Date asc"; $sql = "SELECT * FROM `Wecken` WHERE `UID`='". $_SESSION['UID']. "' ORDER BY `Date` ASC";
$Erg = mysql_query($sql, $con); $Erg = mysql_query($sql, $con);
$count = mysql_num_rows($Erg); $count = mysql_num_rows($Erg);
