bugfix link to user informations

author: Angelo Cuccato <cuccato@web.de> 2010-11-07 14:45:28 +0100
committer: Angelo Cuccato <cuccato@web.de> 2010-11-07 14:45:28 +0100
commit: 4cd60813539039dbedff97f4359a5094b0286dd8 (patch)
tree: bcd69d581ab21fe94e232f921525aaad713cb2d1
parent: 566035d0b8e9718cc5465533f2b4db7a936180a8 (diff)
5 files changed, 11 insertions, 208 deletions
diff --git a/DEV/sec-notices b/DEV/sec-notices
index 5032c8a0..ec5df269 100644
--- a/DEV/sec-notices
+++ b/DEV/sec-notices
@@ -1,3 +1,2 @@
-rem hole(sql-injection) in makeuser.php (no secure.php but sql-query)
 todo: replace secure.php
 
diff --git a/includes/funktion_activeUser.php b/includes/funktion_activeUser.php
index 946af304..808ccf73 100755
--- a/includes/funktion_activeUser.php
+++ b/includes/funktion_activeUser.php
@@ -39,8 +39,8 @@ for( $i=0; $i<mysql_num_rows($Erg); $i++)
 	if( $_SESSION['UID']>0 )
 		echo DisplayAvatar( mysql_result( $Erg, $i, "UID"));
 	// Schow Admin Page
-	if( $_SESSION['CVS'][ "admin/user.php" ] == "Y" )
-		echo " <a href=\"./../admin/user.php?enterUID=". mysql_result( $Erg, $i, "UID"). "&Type=Normal\">". 
+	if( $_SESSION['CVS'][ "admin/userChangeNormal.php" ] == "Y" )
+		echo " <a href=\"./../admin/userChangeNormal.php?enterUID=". mysql_result( $Erg, $i, "UID"). "&Type=Normal\">". 
 			mysql_result( $Erg, $i, "Nick"). "</a>";
 	else
 		echo mysql_result( $Erg, $i, "Nick");
diff --git a/includes/funktion_schichtplan.php b/includes/funktion_schichtplan.php
index b8babed9..ae4bf821 100755
--- a/includes/funktion_schichtplan.php
+++ b/includes/funktion_schichtplan.php
@@ -104,8 +104,8 @@ function ausgabe_Feld_Inhalt( $SID, $Man )
 			
 			foreach( $TempValue["Engel"] as $TempEngelEntry=> $TempEngelID )
 			{
-				if( $_SESSION['CVS'][ "admin/user.php" ] == "Y" )
-					$Spalten.= " <a href=\"./../admin/user.php?enterUID=$TempEngelID&Type=Normal\">"; 
+				if( $_SESSION['CVS'][ "admin/userChangeNormal.php" ] == "Y" )
+					$Spalten.= " <a href=\"./../admin/userChangeNormal.php?enterUID=$TempEngelID&Type=Normal\">"; 
 
 				if( $_SESSION['CVS'][ "admin/schichtplan.php" ] == "Y" )
 				{
@@ -124,7 +124,7 @@ function ausgabe_Feld_Inhalt( $SID, $Man )
       					$Spalten.= "&nbsp;&nbsp;". UID2Nick( $TempEngelID ).
       						   ($_GET["Icon"]==1? DisplayAvatar( $TempEngelID ): "").
 						   "<br>\n\t\t";
-				if( $_SESSION['CVS'][ "admin/user.php" ] == "Y" )
+				if( $_SESSION['CVS'][ "admin/userChangeNormal.php" ] == "Y" )
 					$Spalten.= " </a>"; 
 			}
 			$Spalten = substr( $Spalten, 0, strlen($Spalten)-7 );
diff --git a/www-ssl/admin/free.php b/www-ssl/admin/free.php
index cb9b1f91..1781d434 100755
--- a/www-ssl/admin/free.php
+++ b/www-ssl/admin/free.php
@@ -63,7 +63,7 @@ $inuse="";
 for ($i=0; $i < $Zeilen; $i++)
 {
 	echo "<tr class=\"content\">\n";
-	echo "<td><a href=\"./user.php?Type=Normal&enterUID=". mysql_result($Erg, $i, "UID"). "\">". 
+	echo "<td><a href=\"./userChangeNormal.php?Type=Normal&enterUID=". mysql_result($Erg, $i, "UID"). "\">". 
 		UID2Nick(mysql_result($Erg, $i, "UID")). "</td></a>\n";
 	echo "<td></td>\n";
 	echo "<td>". mysql_result($Erg, $i, "RID"). "</td>\n";
@@ -92,7 +92,7 @@ $Zeilen  = mysql_num_rows($Erg);
 for ($i=0; $i < $Zeilen; $i++)
 {
 	echo "\t<tr class=\"content\">\n";
-	echo "\t\t<td><a href=\"./user.php?Type=Normal&enterUID=". mysql_result($Erg, $i, "UID"). "\">".
+	echo "\t\t<td><a href=\"./userChangeNormal.php?Type=Normal&enterUID=". mysql_result($Erg, $i, "UID"). "\">".
 		mysql_result($Erg, $i, "Nick"). "</a></td>\n";
 	echo "\t\t<td>". mysql_result($Erg, $i, "DECT"). "</td>\n";
  	echo "\n</tr>\n";
diff --git a/www-ssl/admin/user.php b/www-ssl/admin/user.php
index 5f0888e4..1b99ec4b 100755
--- a/www-ssl/admin/user.php
+++ b/www-ssl/admin/user.php
@@ -101,206 +101,10 @@ if (!IsSet($_GET["enterUID"]))
 		"<td>$Gekommen</td><td>$Active</td><td>$Tshirt</td><td></td></tr>\n";
 	echo "\t</table>\n";
 	// Ende Userliste
-} 
-else 
-{ 
-	// UserID wurde mit uebergeben --> Aendern...
-
-	echo "Hallo,<br>".
-	 	"hier kannst du den Eintrag &auml;ndern. Unter dem Punkt 'Gekommen' ".
-		"wird der Engel als anwesend markiert, ein Ja bei Aktiv bedeutet, ".
-		"dass der Engel aktiv war und damit ein Anspruch auf ein T-Shirt hat. ".
-		"Wenn T-Shirt ein 'Ja' enth&auml;lt, bedeutet dies, dass der Engel ".
-		"bereits sein T-Shirt erhalten hat.<br><br>\n";
-
-	echo "<form action=\"./user2.php?action=change\" method=\"POST\">\n";
-	echo "<table border=\"0\">\n";
-	echo "<input type=\"hidden\" name=\"Type\" value=\"". $_GET["Type"]. "\">\n";
-
-	if( $_GET["Type"] == "Normal" )
-	{
-		$SQL = "SELECT * FROM `User` WHERE `UID`='". $_GET["enterUID"]. "'";
-		$Erg = mysql_query($SQL, $con);
-		
-		if (mysql_num_rows($Erg) != 1) 
-			echo "<tr><td>Sorry, der Engel (UID=". $_GET["enterUID"]. 
-				") wurde in der Liste nicht gefunden.</td></tr>";
-		else
-		{
-			echo "<tr><td>\n";
-			echo "<table>\n";
-			echo "  <tr><td>Nick</td><td>".
-				"<input type=\"text\" size=\"40\" name=\"eNick\" value=\"".
-				mysql_result($Erg, 0, "Nick")."\"></td></tr>\n";
-			echo "  <tr><td>lastLogIn</td><td>".
-				"<input type=\"text\" size=\"20\" name=\"elastLogIn\" value=\"".
-				mysql_result($Erg, 0, "lastLogIn"). "\" disabled></td></tr>\n";
-			echo "  <tr><td>Name</td><td>".
-				"<input type=\"text\" size=\"40\" name=\"eName\" value=\"".
-				mysql_result($Erg, 0, "Name")."\"></td></tr>\n";
-			echo "  <tr><td>Vorname</td><td>".
-				"<input type=\"text\" size=\"40\" name=\"eVorname\" value=\"".
-				mysql_result($Erg, 0, "Vorname")."\"></td></tr>\n";
-			echo "  <tr><td>Alter</td><td>".
-				"<input type=\"text\" size=\"5\" name=\"eAlter\" value=\"".
-				mysql_result($Erg, 0, "Alter")."\"></td></tr>\n";
-			echo "  <tr><td>Telefon</td><td>".
-				"<input type=\"text\" size=\"40\" name=\"eTelefon\" value=\"".
-				mysql_result($Erg, 0, "Telefon")."\"></td></tr>\n";
-			echo "  <tr><td>Handy</td><td>".
-				"<input type=\"text\" size=\"40\" name=\"eHandy\" value=\"".
-				mysql_result($Erg, 0, "Handy")."\"></td></tr>\n";
-			echo "  <tr><td>DECT</td><td>".
-				"<input type=\"text\" size=\"4\" name=\"eDECT\" value=\"".
-				mysql_result($Erg, 0, "DECT")."\"></td></tr>\n";
-			echo "  <tr><td>email</td><td>".
-				"<input type=\"text\" size=\"40\" name=\"eemail\" value=\"".
-				mysql_result($Erg, 0, "email")."\"></td></tr>\n";
-			echo "  <tr><td>ICQ</td><td>".
-				"<input type=\"text\" size=\"40\" name=\"eICQ\" value=\"".
-				mysql_result($Erg, 0, "ICQ")."\"></td></tr>\n";
-			echo "  <tr><td>jabber</td><td>".
-				"<input type=\"text\" size=\"40\" name=\"ejabber\" value=\"".
-				mysql_result($Erg, 0, "jabber")."\"></td></tr>\n";
-			echo "  <tr><td>Size</td><td>".
-				"<input type=\"text\" size=\"5\" name=\"eSize\" value=\"".
-				mysql_result($Erg, 0, "Size")."\"></td></tr>\n";
-			echo "  <tr><td>Passwort</td><td>".
-				"<a href=\"./user2.php?action=newpw&eUID="
-				.mysql_result($Erg, 0, "UID")."\">neues Kennwort setzen</a></td></tr>\n";
-  
-			// Gekommen? 
-			echo "  <tr><td>Gekommen</td><td>\n";
-			echo "      <input type=\"radio\" name=\"eGekommen\" value=\"0\"";
-			if (mysql_result($Erg, 0, "Gekommen")=='0') 
-				echo " checked"; 
-			echo ">No \n";
-			echo "      <input type=\"radio\" name=\"eGekommen\" value=\"1\"";
-			if (mysql_result($Erg, 0, "Gekommen")=='1') 
-				echo " checked";
-			echo ">Yes \n";
-			echo "</td></tr>\n";
-
-			// Aktiv?
-			echo "  <tr><td>Aktiv</td><td>\n";
-			echo "      <input type=\"radio\" name=\"eAktiv\" value=\"0\"";
-			if (mysql_result($Erg, 0, "Aktiv")=='0') 
-				echo " checked";
-			echo ">No \n";
-			echo "      <input type=\"radio\" name=\"eAktiv\" value=\"1\"";
-			if (mysql_result($Erg, 0, "Aktiv")=='1') 
-				echo " checked"; 
-			echo ">Yes \n";
-			echo "</td></tr>\n";
-
-			// T-Shirt bekommen? 
-			echo "  <tr><td>T-Shirt</td><td>\n";
-			echo "      <input type=\"radio\" name=\"eTshirt\" value=\"0\"";
-			if (mysql_result($Erg, 0, "Tshirt")=='0')
-				echo " checked";
-			echo ">No \n";
-			echo "      <input type=\"radio\" name=\"eTshirt\" value=\"1\"";
-			if (mysql_result($Erg, 0, "Tshirt")=='1') 
-				echo " checked";
-			echo ">Yes \n";
-			echo "</td></tr>\n";
-
-			// Menu links/rechts 
-			echo "  <tr><td>Menu</td><td>\n";
-			echo "      <input type=\"radio\" name=\"eMenu\" value=\"L\"";
-			if (mysql_result($Erg, 0, "Menu")=='L')
-				echo " checked";
-			echo ">L \n";
-			echo "      <input type=\"radio\" name=\"eMenu\" value=\"R\"";
-			if (mysql_result($Erg, 0, "Menu")=='R') 
-				echo " checked";
-			echo ">R \n";
-			echo "</td></tr>\n";
-			
-			echo "  <tr><td>Hometown</td><td>".
-				"<input type=\"text\" size=\"40\" name=\"Hometown\" value=\"".
-				mysql_result($Erg, 0, "Hometown")."\"></td></tr>\n";
-			
-			echo "</table>\n</td><td valign=\"top\">". displayavatar($_GET["enterUID"], FALSE). "</td></tr>";
-		}
-	}//IF TYPE Normal
-	if( $_GET["Type"] == "Secure" )
-	{
-		// CVS-Rechte
-		echo "  <tr><td><br><u>Rights of \"". UID2Nick($_GET["enterUID"]). "\":</u></td></tr>\n";
-
-		$SQL_CVS = "SELECT * FROM `UserCVS` WHERE `UID`='". $_GET["enterUID"]. "'";
-		$Erg_CVS =  mysql_query($SQL_CVS, $con);
-		
-		if( mysql_num_rows($Erg_CVS) != 1) 
-			echo "Sorry, der Engel (UID=". $_GET["enterUID"]. ") wurde in der Liste nicht gefunden.";
-		else
-		{
-			$CVS_Data = mysql_fetch_array($Erg_CVS);
-			$CVS_Data_i = 1;
-			foreach ($CVS_Data as $CVS_Data_Name => $CVS_Data_Value) 
-			{
-		  		$CVS_Data_i++;
-				//nur jeder zweiter sonst wird f�r jeden text noch die position (Zahl) ausgegeben
-				if( $CVS_Data_i%2 && $CVS_Data_Name!="UID") 
-				{
-					if($CVS_Data_Name=="GroupID") {
-						if( $_GET["enterUID"] > 0 )
-						{
-							echo "<tr><td><b>Group</b></td>\n".
-								"<td><select name=\"GroupID\">";
-
-							$SQL_Group = "SELECT * FROM `UserGroups`";
-							$Erg_Group =  mysql_query($SQL_Group, $con);
-							for ($n = 0 ; $n < mysql_num_rows($Erg_Group) ; $n++)
-							{
-								$UID =  mysql_result($Erg_Group, $n, "UID");
-								echo "\t<option value=\"$UID\"";
-								if( $CVS_Data_Value == $UID)
-									echo " selected";
-								echo ">". mysql_result($Erg_Group, $n, "Name"). "</option>\n";
-							}
-							echo "</select></td></tr>";
-						}
-					} else {
-						echo "<tr><td>$CVS_Data_Name</td>\n<td>";
-						echo "<input type=\"radio\" name=\"".($CVS_Data_i-1)."\" value=\"Y\" ";
-						if( $CVS_Data_Value == "Y" )	
-					   		echo " checked";
-						echo ">allow \n";
-						echo "<input type=\"radio\" name=\"".($CVS_Data_i-1)."\" value=\"N\" ";
-						if( $CVS_Data_Value == "N" )
-					    		echo " checked";
-						echo ">denied \n";
-						if( $_GET["enterUID"] > 0 )
-						{
-							echo "<input type=\"radio\" name=\"".($CVS_Data_i-1)."\" value=\"G\" ";
-							if( $CVS_Data_Value == "G" )
-					    			echo " checked";
-							echo ">group-setting \n";
-							echo "</td></tr>";
-					    	}
-					}
-				} //IF
-			} //Foreach	    
-			echo "</td></tr>\n";
-		} // IF TYPE
-	}
-
-	// Ende Formular
-	echo "</td></tr>\n";
-	echo "</table>\n<br>\n";
-	echo "<input type=\"hidden\" name=\"enterUID\" value=\"". $_GET["enterUID"]. "\">\n";
-	echo "<input type=\"submit\" value=\"sichern...\">\n";
-	echo "</form>";
-
-	if( $_GET["Type"] == "Normal" )
-	{
-		echo "<form action=\"./user2.php?action=delete\" method=\"POST\">\n";
-		echo "<input type=\"hidden\" name=\"enterUID\" value=\"". $_GET["enterUID"]. "\">\n";
-		echo "<input type=\"submit\" value=\"l&ouml;schen...\">\n";
-		echo "</form>";
-	}
+}
+else
+{
+	echo "error";
 }
 
 include ("../../includes/footer.php");
author	Angelo Cuccato <cuccato@web.de>	2010-11-07 14:45:28 +0100
committer	Angelo Cuccato <cuccato@web.de>	2010-11-07 14:45:28 +0100
commit	4cd60813539039dbedff97f4359a5094b0286dd8 (patch)
tree	bcd69d581ab21fe94e232f921525aaad713cb2d1
parent	566035d0b8e9718cc5465533f2b4db7a936180a8 (diff)