More sql escapes

main
Daniel Friesel 14 years ago
parent f7b335f8ae
commit e715245e12

@ -71,7 +71,7 @@ function ausgabe_Feld_Inhalt($SID, $Man) {
$Spalten .= funktion_isLinkAllowed_addLink_OrEmpty("admin/schichtplan.php?action=change&SID=$SID", "edit<br />\n");
///////////////////////////////////////////////////////////////////
// Ausgabe des Schischtnamens
// Ausgabe des Schichtnamens
///////////////////////////////////////////////////////////////////
$SQL = "SELECT `URL` FROM `Shifts` WHERE (`SID` = '$SID');";
$Erg = mysql_query($SQL, $con);
@ -84,7 +84,7 @@ function ausgabe_Feld_Inhalt($SID, $Man) {
///////////////////////////////////////////////////////////////////
// SQL abfrage f<>r die ben<65>tigten schichten
///////////////////////////////////////////////////////////////////
$SQL = "SELECT * FROM `ShiftEntry` WHERE (`SID` = '$SID') ORDER BY `TID`, `UID` DESC ;";
$SQL = "SELECT * FROM `ShiftEntry` WHERE (`SID` = '" . sql_escape($SID) . "') ORDER BY `TID`, `UID` DESC ;";
$Erg = mysql_query($SQL, $con);
$Anzahl = mysql_num_rows($Erg);
@ -164,7 +164,7 @@ function ausgabe_Feld_Inhalt($SID, $Man) {
// ausgabe ben<65>tigter Engel
////////////////////////////
//in vergangenheit
$SQLtime = "SELECT `DateE` FROM `Shifts` WHERE (`SID`='$SID' AND `DateE` >= '" .
$SQLtime = "SELECT `DateE` FROM `Shifts` WHERE (`SID`='" . sql_escape($SID) . "' AND `DateE` >= '" .
gmdate("Y-m-d H:i:s", time() + $gmdateOffset) . "')";
$Ergtime = mysql_query($SQLtime, $con);
if (mysql_num_rows($Ergtime) > 0) {
@ -219,8 +219,8 @@ function CreateRoomShifts($raum) {
// beginnt die erste schicht vor dem heutigen tag und geht dar<61>ber hinaus
/////////////////////////////////////////////////////////////
$SQLSonder = "SELECT `SID`, `DateS`, `DateE` , `Len`, `Man` FROM `Shifts` " .
"WHERE ((`RID` = '$raum') AND (`DateE` > '$ausdatum 23:59:59') AND " .
"(`DateS` < '$ausdatum 00:00:00') ) ORDER BY `DateS`;";
"WHERE ((`RID` = '" . sql_escape($raum) . "') AND (`DateE` > '$ausdatum 23:59:59') AND " .
"(`DateS` < '" . sql_escape($ausdatum) . " 00:00:00') ) ORDER BY `DateS`;";
$ErgSonder = mysql_query($SQLSonder, $con);
if ((mysql_num_rows($ErgSonder) > 1)) {
if (funktion_isLinkAllowed("admin/schichtplan.php") === TRUE) {
@ -249,8 +249,9 @@ function CreateRoomShifts($raum) {
// beginnt die erste schicht vor dem heutigen tag?
/////////////////////////////////////////////////////////////
$SQLSonder = "SELECT `SID`, `DateS`, `DateE` , `Len`, `Man` FROM `Shifts` " .
"WHERE ((`RID` = '$raum') AND (`DateE` > '$ausdatum 00:00:00') AND " .
"(`DateS` < '$ausdatum 00:00:00') ) ORDER BY `DateS`;";
"WHERE ((`RID` = '" . sql_escape($raum) . "') AND (`DateE` > '" . sql_escape($ausdatum) . " 00:00:00') AND " .
"(`DateS` < '" . sql_escape($ausdatum) . " 00:00:00') ) ORDER BY `DateS`;";
$ErgSonder = mysql_query($SQLSonder, $con);
if ((mysql_num_rows($ErgSonder) > 1)) {
if (funktion_isLinkAllowed("admin/schichtplan.php") === TRUE) {
@ -276,9 +277,9 @@ function CreateRoomShifts($raum) {
// gibt die schichten f<>r den tag aus
/////////////////////////////////////////////////////////////
$SQL = "SELECT `SID`, `DateS`, `Len`, `Man` FROM `Shifts` " .
"WHERE ((`RID` = '$raum') and " .
"(`DateS` >= '$ausdatum $ZeitZeiger:00:00') and " .
"(`DateS` like '$ausdatum%')) ORDER BY `DateS`;";
"WHERE ((`RID` = '" . sql_escape($raum) . "') and " .
"(`DateS` >= '" . sql_escape($ausdatum) . ' ' . sql_escape($ZeitZeiger) . ":00:00') and " .
"(`DateS` like '" . sql_escape($ausdatum) . "%')) ORDER BY `DateS`;";
$Erg = mysql_query($SQL, $con);
for ($i = 0; $i < mysql_num_rows($Erg); ++ $i) {
$ZeitPos = substr(mysql_result($Erg, $i, "DateS"), 11, 2) + (substr(mysql_result($Erg, $i, "DateS"), 14, 2) / 60);
@ -370,7 +371,7 @@ function SummRoomShifts($raum) {
global $ausdatum, $con, $debug, $GlobalZeileProStunde;
$SQLSonder = "SELECT `SID`, `DateS`, `Len`, `Man` FROM `Shifts` " .
"WHERE ((`RID` = '$raum') AND (`DateE` >= '$ausdatum 00:00:00') AND " .
"WHERE ((`RID` = '" . sql_escape($raum) . "') AND (`DateE` >= '$ausdatum 00:00:00') AND " .
"(`DateS` <= '$ausdatum 23:59:59') ) ORDER BY `DateS`;";
$ErgSonder = mysql_query($SQLSonder, $con);

@ -1,9 +1,9 @@
<?php
function UID2Nick($UID) {
if ($UID > 0)
$SQL = "SELECT Nick FROM `User` WHERE UID='$UID'";
$SQL = "SELECT Nick FROM `User` WHERE UID='" . sql_escape($UID) . "'";
else
$SQL = "SELECT Name FROM `Groups` WHERE UID='$UID'";
$SQL = "SELECT Name FROM `Groups` WHERE UID='" . sql_escape($UID) . "'";
$Erg = sql_select($SQL);
@ -23,7 +23,7 @@ function UID2Nick($UID) {
function TID2Type($TID) {
global $con;
$SQL = "SELECT Name FROM `EngelType` WHERE TID='$TID'";
$SQL = "SELECT Name FROM `EngelType` WHERE TID='" . sql_escape($TID) . "'";
$Erg = mysql_query($SQL, $con);
if (mysql_num_rows($Erg))
@ -62,7 +62,7 @@ function ReplaceSmilies($neueckig) {
function GetPicturShow($UID) {
global $con;
$SQL = "SELECT `show` FROM `UserPicture` WHERE `UID`='$UID'";
$SQL = "SELECT `show` FROM `UserPicture` WHERE `UID`='" . sql_escape($UID) . "'";
$res = mysql_query($SQL, $con);
if (mysql_num_rows($res) == 1)
@ -95,7 +95,7 @@ function displayavatar($UID, $height = "30") {
function UIDgekommen($UID) {
global $con;
$SQL = "SELECT `Gekommen` FROM `User` WHERE UID='$UID'";
$SQL = "SELECT `Gekommen` FROM `User` WHERE UID='" . sql_escape($UID) . "'";
$Erg = mysql_query($SQL, $con);
if (mysql_num_rows($Erg))

Loading…
Cancel
Save