author | cookie <cookie@29ba0400-6e00-0410-a75a-ca02368028f8> | 2006-12-11 07:47:43 +0000 |
committer | cookie <cookie@29ba0400-6e00-0410-a75a-ca02368028f8> | 2006-12-11 07:47:43 +0000 |
commit | 3f8cf2ca9beb7ef7ccd84912391e3e351be0985b (patch) | |
tree | 18b9eed3984ef007eb09c96255b14e58172f40f3 | |
parent | 4736d1eb9ee63f0bc3121e078e2c1ed6669f3fda (diff) |
SQL injection reported by Sven
git-svn-id: svn://svn.cccv.de/engel-system@204 29ba0400-6e00-0410-a75a-ca02368028f8
-rwxr-xr-x | www-ssl/admin/schichtplan.php | 8 | ||||
-rwxr-xr-x | www-ssl/inc/funktion_xml_schudle.php | 8 |
2 files changed, 8 insertions, 8 deletions
diff --git a/www-ssl/admin/schichtplan.php b/www-ssl/admin/schichtplan.php
index 12c767c2..3bf2bb4f 100755
--- a/www-ssl/admin/schichtplan.php
+++ b/www-ssl/admin/schichtplan.php
@@ -40,7 +40,7 @@ echo "<form action=\"".$_SERVER['SCRIPT_NAME']."\" method=\"GET\" >\n";
 <?PHP
 $sql = "SELECT `SID`, `DateS`, `RID`, `Len` FROM `Shifts` ".
- "ORDER BY RID, DateS ";
+ "ORDER BY `RID`, `DateS` ";
 $Erg = mysql_query($sql, $con);
 $rowcount = mysql_num_rows($Erg);
 for( $i = 0; $i < $rowcount; $i++)
@@ -300,7 +300,7 @@ case 'changesave':
 "`Len`='". $_GET["eDauer"]. "', ".
 "`Man`='". $_GET["eName"]. "', ".
 "`URL`='". $_GET["eURL"]. "' ".
- "WHERE `SID`=". $_GET["SID"];
+ "WHERE `SID`='". $_GET["SID"]. "'";
 SetHeaderGo2Back();
 break;
@@ -315,10 +315,10 @@ case 'deleteShifs':
 if( strpos( " ".$k, "SID") == 1)
 {
 echo "Shifts $v wird gelöscht...";
- executeSQL( "DELETE FROM `Shifts` WHERE `SID`=$v LIMIT 1");
+ executeSQL( "DELETE FROM `Shifts` WHERE `SID`='$v' LIMIT 1");
 echo "<br>\n";
 echo "ShiftEntry $v wird gelöscht...";
- executeSQL( "DELETE FROM `ShiftEntry` WHERE `SID`= $v");
+ executeSQL( "DELETE FROM `ShiftEntry` WHERE `SID`='$v'");
 echo "<br><br>\n";
 }
 break;
diff --git a/www-ssl/inc/funktion_xml_schudle.php b/www-ssl/inc/funktion_xml_schudle.php
index 93e664b3..55b1b682 100755
--- a/www-ssl/inc/funktion_xml_schudle.php
+++ b/www-ssl/inc/funktion_xml_schudle.php
@@ -30,7 +30,7 @@ function SaveSchedule()
 (substr($_GET["DateXML"], 8, 2)+1). " ";
 }
 else
- $DateEnd = substr($_GET["DateXML"], 0, 11);
+ $dAteEnd = substr($_GET["DateXML"], 0, 11);
 $DateEnd .= "$TimeH:$TimeM:00";
 //Namen ermitteln
@@ -73,7 +73,7 @@ function SaveSchedule()
 // erstellt ein Array der Reume
 $sql2 = "SELECT * FROM `Room` ".
- "WHERE `RID` = ".$_GET["RIDXML"]. " ".
+ "WHERE `RID`='".$_GET["RIDXML"]. "' ".
 "ORDER BY `Number`, `Name`;";
 $Erg2 = mysql_query( $sql2, $con);
 for( $j=0; $j<mysql_num_fields( $Erg2); $j++)
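Review bot: Wrapping `$_GET["SID"]` in single quotes on the new `WHERE` line does not close the injection the commit message refers to: a value containing `'` still terminates the literal, and nothing in the hunk escapes it. The pre-patch line compared `SID` unquoted, so it appears to be a numeric column and a cast is the right fix: `` "WHERE `SID`=". (int)$_GET["SID"]; ``. The `eDauer`, `eName` and `eURL` values on the context lines above are concatenated the same way and need `mysql_real_escape_string()` before they reach the statement, though they are unchanged here. The `case 'changesave':` block and the start of this UPDATE statement lie outside the hunk.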
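Review bot: The two new `executeSQL()` lines still interpolate `$v` verbatim, so quoting it as `'$v'` only changes which payload works (`' OR 1=1 -- `) rather than preventing injection; on the `ShiftEntry` statement, which has no `LIMIT`, that would delete every row. `$v` presumably comes from request parameters (the foreach that yields `$k`/`$v` begins before the hunk, and the `strpos` test accepts any key starting with `SID`), and `SID` was compared unquoted before this patch, so cast it: `` executeSQL( "DELETE FROM `Shifts` WHERE `SID`=". (int)$v. " LIMIT 1"); `` and `` executeSQL( "DELETE FROM `ShiftEntry` WHERE `SID`=". (int)$v); ``. The unchanged `echo` lines also print `$v` into the page without `htmlspecialchars()`, which is worth fixing in the same pass.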
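Review bot: The new else-branch line assigns `$dAteEnd`, not `$DateEnd`; PHP variable names are case-sensitive, so in that branch `$DateEnd` is left unset (or holding a stale value) and the following `$DateEnd .= "$TimeH:$TimeM:00"` appends the time to an empty or wrong date prefix. Nothing else in the hunk reads `$dAteEnd`, so this looks like an accidental keystroke rather than an intended rename; revert it to `$DateEnd = substr($_GET["DateXML"], 0, 11);`. `SaveSchedule()` begins before the hunk and continues after it.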
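Review bot: `$_GET["RIDXML"]` is still concatenated straight into the `WHERE` clause on the new line; the added quotes do not stop a value containing `'` from rewriting the query. `RID` was compared unquoted before this patch, so it appears numeric and a cast is the simplest correct fix: `` "WHERE `RID`=".(int)$_GET["RIDXML"]. " ". ``. If it can legitimately be non-numeric, pass it through `mysql_real_escape_string()` instead. `SaveSchedule()` starts and ends outside the hunk.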
@@ -155,7 +155,7 @@ foreach($XMLmain->sub as $EventKey => $Event)
 SaveSchedule();
 }
- $SQL = "SELECT * FROM `Shifts` WHERE PSID='$PSIDXML'";
+ $SQL = "SELECT * FROM `Shifts` WHERE `PSID`='$PSIDXML'";
 $Erg = mysql_query($SQL, $con);
 if(mysql_num_rows($Erg)>0)
 {
@@ -210,7 +210,7 @@ echo "<tr><td colspan=\"6\">status: $DS_KO/$DS_OK nicht Aktuel.</td></tr>\n";
 //Anzeige von nicht im XML File vorkommende entraege
 if( $Where =="")
- $SQL2 = "SELECT * FROM `Shifts` WHERE NOT PSID = '';";
+ $SQL2 = "SELECT * FROM `Shifts` WHERE NOT `PSID`='';";
 else
 $SQL2 = "SELECT * FROM `Shifts` WHERE NOT (".substr( $Where, 4). ") AND NOT PSID = '';"; |
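Review bot: `$PSIDXML` goes into the new `SELECT` as `'$PSIDXML'` with no escaping; unless it is sanitised where it is assigned (outside this hunk — the `foreach` over `$XMLmain->sub` suggests it is taken from the imported XML schedule), a `'` in that value alters the query in exactly the way this commit is trying to prevent elsewhere. Escape it at the assignment or here: `` $SQL = "SELECT * FROM `Shifts` WHERE `PSID`='".mysql_real_escape_string($PSIDXML)."'"; ``. The enclosing foreach starts before the hunk.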