diff options
| author | cookie <cookie@29ba0400-6e00-0410-a75a-ca02368028f8> | 2006-12-04 19:54:51 +0000 |
|---|---|---|
| committer | cookie <cookie@29ba0400-6e00-0410-a75a-ca02368028f8> | 2006-12-04 19:54:51 +0000 |
| commit | a52ee4a288ec57c2983173460237e4137440a873 (patch) | |
| tree | 3c4101df8fffbbca647ef9d86e6e9410ca1f26e1 | |
| parent | 34b50a61f8ec080d66449b7c644e5098102e2145 (diff) | |
SQL injektion behoben
git-svn-id: svn://svn.cccv.de/engel-system@198 29ba0400-6e00-0410-a75a-ca02368028f8
| -rwxr-xr-x | www-ssl/admin/EngelType.php | 6 | ||||
| -rwxr-xr-x | www-ssl/admin/aktiv.php | 14 | ||||
| -rwxr-xr-x | www-ssl/admin/debug.php | 2 | ||||
| -rwxr-xr-x | www-ssl/admin/dect.php | 2 | ||||
| -rwxr-xr-x | www-ssl/admin/faq.php | 26 | ||||
| -rwxr-xr-x | www-ssl/admin/free.php | 2 | ||||
| -rwxr-xr-x | www-ssl/admin/news.php | 10 | ||||
| -rwxr-xr-x | www-ssl/admin/room.php | 2 | ||||
| -rwxr-xr-x | www-ssl/admin/schichtplan.php | 24 | ||||
| -rwxr-xr-x | www-ssl/admin/schichtplan_druck.php | 2 | ||||
| -rwxr-xr-x | www-ssl/admin/shiftadd.php | 2 | ||||
| -rwxr-xr-x | www-ssl/admin/tshirt.php | 4 | ||||
| -rwxr-xr-x | www-ssl/admin/user.php | 10 | ||||
| -rwxr-xr-x | www-ssl/admin/user2.php | 16 | ||||
| -rwxr-xr-x | www-ssl/admin/userDefaultSetting.php | 2 | ||||
| -rwxr-xr-x | www-ssl/makeuser.php | 2 | ||||
| -rwxr-xr-x | www-ssl/nonpublic/einstellungen.php | 22 | ||||
| -rwxr-xr-x | www-ssl/nonpublic/faq.php | 6 | ||||
| -rwxr-xr-x | www-ssl/nonpublic/index.php | 4 | ||||
| -rwxr-xr-x | www-ssl/nonpublic/myschichtplan.php | 7 | ||||
| -rwxr-xr-x | www-ssl/nonpublic/news_comments.php | 6 | ||||
| -rwxr-xr-x | www-ssl/nonpublic/news_output.php | 12 | ||||
| -rwxr-xr-x | www-ssl/nonpublic/schichtplan_add.php | 4 | ||||
| -rwxr-xr-x | www-ssl/nonpublic/waeckliste.php | 2 | ||||
| -rwxr-xr-x | www-ssl/nonpublic/wecken.php | 10 |
25 files changed, 99 insertions, 100 deletions
diff --git a/www-ssl/admin/EngelType.php b/www-ssl/admin/EngelType.php index 03f89b85..192a0d91 100755 --- a/www-ssl/admin/EngelType.php +++ b/www-ssl/admin/EngelType.php @@ -47,7 +47,7 @@ function runSQL_log( $SQL, $commed) -$Sql = "SELECT * FROM `EngelType` ORDER BY NAME"; +$Sql = "SELECT * FROM `EngelType` ORDER BY `NAME`"; $Erg = mysql_query($Sql, $con); if( !IsSet($_GET["action"]) ) @@ -177,9 +177,9 @@ case 'changesave': case 'delete': if (IsSet($_GET["TID"])) { - if( runSQL_log( "DELETE FROM `EngelType` WHERE `TID`='". $_GET["TID"]. "'", "delate EngelType")) + if( runSQL_log( "DELETE FROM `EngelType` WHERE `TID`='". $_GET["TID"]. "'", "delete EngelType")) runSQL_log( "ALTER TABLE `Room` DROP `DEFAULT_EID_". $_GET["TID"]. "`;", - "delate EngelType in Room Table"); + "delete EngelType in Room Table"); } else echo "Fehlerhafter Aufruf"; diff --git a/www-ssl/admin/aktiv.php b/www-ssl/admin/aktiv.php index 35eab81e..1bf7fbe1 100755 --- a/www-ssl/admin/aktiv.php +++ b/www-ssl/admin/aktiv.php @@ -27,7 +27,7 @@ echo "</form>\n"; if( Isset($_POST["ResetActive"]) ) { - $SQLreset = "UPDATE `User` SET `Aktiv` = '0'"; + $SQLreset = "UPDATE `User` SET `Aktiv`='0'"; $ErgReset = db_query($SQLreset, "Reset Active"); if ($ErgReset != 1) echo "Fehler beim zuruecksetzen der Activ\n"; @@ -50,11 +50,11 @@ echo "\t<td>". Get_Text("pub_aktive_Active"). "</td>\n"; echo "</tr>\n"; $SQL = "SELECT ShiftEntry.UID, COUNT(ShiftEntry.UID) AS NR, SUM(Shifts.Len) as LEN ". - "FROM `ShiftEntry` ". - "LEFT JOIN `Shifts` ON ShiftEntry.SID=Shifts.SID ". - "WHERE NOT UID=0 ". - "GROUP BY UID ". - "ORDER BY LEN DESC, NR DESC, UID "; + "FROM `ShiftEntry` ". + "LEFT JOIN `Shifts` ON ShiftEntry.SID=Shifts.SID ". + "WHERE NOT UID=0 ". + "GROUP BY UID ". + "ORDER BY LEN DESC, NR DESC, UID "; $Erg = mysql_query($SQL, $con); echo mysql_error($con); $rowcount = mysql_num_rows($Erg); @@ -76,7 +76,7 @@ for ($i=0; $i<$rowcount; $i++) echo "show set"; else { - $SQL2="UPDATE `User` SET Aktiv=1 WHERE UID=". mysql_result($Erg, $i, "UID"). " LIMIT 1"; + $SQL2="UPDATE `User` SET `Aktiv`='1' WHERE `UID`='". mysql_result($Erg, $i, "UID"). "' LIMIT 1"; $Erg2 = db_query($SQL2, "update Active State"); if ($Erg2 != 1) echo "Fehler beim speichern bei Engel ".UID2Nick(mysql_result($Erg, $i, "UID")); diff --git a/www-ssl/admin/debug.php b/www-ssl/admin/debug.php index aaf1bcb4..961a8164 100755 --- a/www-ssl/admin/debug.php +++ b/www-ssl/admin/debug.php @@ -32,7 +32,7 @@ echo "Deaktiviert"; echo "<h1>Tshirt-Size</h1>"; -$SQL="SELECT `Size`, COUNT(`Size`) FROM User GROUP BY `Size`"; +$SQL="SELECT `Size`, COUNT(`Size`) FROM `User` GROUP BY `Size`"; $Erg = mysql_query($SQL, $con); echo mysql_error($con); $rowcount = mysql_num_rows($Erg); diff --git a/www-ssl/admin/dect.php b/www-ssl/admin/dect.php index 49cb72bc..1092542d 100755 --- a/www-ssl/admin/dect.php +++ b/www-ssl/admin/dect.php @@ -38,7 +38,7 @@ if( $_GET["dial"]=="dial") echo "<select name=\"DECT\">\n"; echo "\t<option value=\"\">costum</option>\n"; - $usql="SELECT * FROM User WHERE NOT DECT='' ORDER BY Nick"; + $usql="SELECT * FROM `User` WHERE NOT `DECT`='' ORDER BY `Nick`"; $uErg = mysql_query($usql, $con); $urowcount = mysql_num_rows($uErg); for ($k=0; $k<$urowcount; $k++) diff --git a/www-ssl/admin/faq.php b/www-ssl/admin/faq.php index b201c4c0..302b3bc5 100755 --- a/www-ssl/admin/faq.php +++ b/www-ssl/admin/faq.php @@ -66,7 +66,7 @@ case "all": break; case "open": - $SQL="SELECT * FROM `Questions` WHERE AID = \"0\" ORDER BY QID DESC"; + $SQL="SELECT * FROM `Questions` WHERE `AID`='0' ORDER BY `QID` DESC"; $quest_bearb=1; // Fragenliste anzeigen echo "\t\tOffene Anfragen:<br>\n"; break; @@ -76,7 +76,7 @@ case "edit": echo "\t\tFehlerhafter Aufruf...<br>Bitte die Bearbeitung nochmals beginnen :)\n"; else { - $SQL = "SELECT * FROM Questions where QID=". $_GET["QID"]; + $SQL = "SELECT * FROM `Questions` WHERE `QID`=`". $_GET["QID"]. "'"; $Erg = mysql_query($SQL, $con); echo "\t\t<form action=\"./faq.php\" method=\"GET\">\n"; echo "\t\tAnfrage von <b>". UID2NICK(mysql_result($Erg, 0, "UID")). "</b>:<br>\n"; @@ -106,9 +106,9 @@ case "save": echo "\tFehlerhafter Aufruf... Bitte die Bearbeitung nochmal starten..."; else { - $SQL = "UPDATE `Questions` SET Question=\"". $_GET["Question"]. - "\", AID=\"". $_SESSION['UID']. "\" , Answer=\"". $_GET["Answer"]. "\" ". - "WHERE QID = \"". $_GET["QID"]. "\" LIMIT 1"; + $SQL = "UPDATE `Questions` SET `Question`='". $_GET["Question"]. + "', `AID`='". $_SESSION['UID']. "' , `Answer`='". $_GET["Answer"]. "' ". + "WHERE `QID`='". $_GET["QID"]. "' LIMIT 1"; $Erg = db_query($SQL, "save Question"); if ($Erg == 1) { @@ -125,10 +125,10 @@ case "transfer": echo "\tFehlerhafter Aufruf... Bitte die Bearbeitung nochmal starten...\n"; else { - $SQL1="Select * from Questions where QID=". $_GET["QID"]; + $SQL1="SELECT * FROM `Questions` WHERE `QID`='". $_GET["QID"]. "'"; $Erg = mysql_query($SQL1, $con); - $SQL2="INSERT into `FAQ` Values (\"\", \"". - mysql_result($Erg, 0, "Question")."\", \"".mysql_result($Erg, 0, "Answer")."\")"; + $SQL2="INSERT INTO `FAQ` Values ('', '". + mysql_result($Erg, 0, "Question")."', '".mysql_result($Erg, 0, "Answer")."')"; $Erg = db_query($SQL2, "trasfert to request to the FAQ"); if ($Erg == 1) echo "\tDer Eintrag wurde übertragen.<br>\n"; @@ -170,7 +170,7 @@ case "faqedit": echo "\tFehlerhafter Aufruf...<br>Bitte die Bearbeitung nochmals beginnen :)\n"; else { - $SQL = "SELECT * FROM FAQ where FID=". $_GET["FAQID"]; + $SQL = "SELECT * FROM `FAQ` WHERE `FID`='". $_GET["FAQID"]. "'"; $Erg = mysql_query($SQL, $con); // anzahl zeilen @@ -200,7 +200,7 @@ case "faqdelete"; echo "\tFehlerhafter Aufruf... Bitte die Bearbeitung nochmal starten...\n"; else { - $SQL = "DELETE FROM `FAQ` WHERE FID = \"". $_GET["FAQID"]. "\" LIMIT 1"; + $SQL = "DELETE FROM `FAQ` WHERE `FID`='". $_GET["FAQID"]. "' LIMIT 1"; $Erg = db_query($SQL, "delate faq item"); if ($Erg == 1) echo "\tDer Eintrag wurde gelöscht<br>\n"; @@ -214,8 +214,8 @@ case "faqsave"; echo "\tFehlerhafter Aufruf... Bitte die Bearbeitung nochmal starten...\n"; else { - $SQL = "UPDATE `FAQ` SET Frage=\"". $_GET["Frage"]. "\", Antwort=\"". $_GET["Antwort"]. - "\" WHERE FID = \"". $_GET["FAQID"]. "\" LIMIT 1"; + $SQL = "UPDATE `FAQ` SET `Frage`='". $_GET["Frage"]. "', `Antwort`='". $_GET["Antwort"]. + "' WHERE `FID`='". $_GET["FAQID"]. "' LIMIT 1"; $Erg = db_query($SQL, $con); if ($Erg == 1) echo "\tDer Eintrag wurde geändert<br>\n"; @@ -238,7 +238,7 @@ case "faqnew": break; case "faqnewsave"; - $SQL = "INSERT INTO `FAQ` VALUES (\"\", \"". $_GET["Frage"]. "\", \"". $_GET["Antwort"]. "\")"; + $SQL = "INSERT INTO `FAQ` VALUES ('', '". $_GET["Frage"]. "', '". $_GET["Antwort"]. "')"; $Erg = db_query($SQL, "Save new FAQ entry"); if ($Erg == 1) echo "\tDer Eintrag wurde erfasst.<br>\n"; diff --git a/www-ssl/admin/free.php b/www-ssl/admin/free.php index aadde44a..604660a1 100755 --- a/www-ssl/admin/free.php +++ b/www-ssl/admin/free.php @@ -35,7 +35,7 @@ $SQL = "SELECT Shifts.*, ShiftEntry.*, User.Nick ". "WHERE (Shifts.DateS<=Now() AND Shifts.DateE>=Now() );"; */ $SQL = "SELECT Shifts.*, ShiftEntry.* ". - "FROM Shifts INNER JOIN ShiftEntry ON Shifts.SID = ShiftEntry.SID ". + "FROM `Shifts` INNER JOIN ShiftEntry ON Shifts.SID = ShiftEntry.SID ". "WHERE (Shifts.DateS<=Now() AND Shifts.DateE>=Now() );"; //SELECT User.Nick, Schichtplan.*, Schichtbelegung. * FROM User LEFT JOIN Schichtbelegung ON User.UID=Schichtbelegung.UID, Schichtplan LEFT JOIN Schichtbelegung ON Schichtplan.SID = Schichtbelegung.SID WHERE Schichtplan.Date < now() and Schichtplan.EndDate > now() ORDER BY Nick diff --git a/www-ssl/admin/news.php b/www-ssl/admin/news.php index 137695b3..83e64a4a 100755 --- a/www-ssl/admin/news.php +++ b/www-ssl/admin/news.php @@ -9,7 +9,7 @@ include ("./inc/funktion_user.php"); if (!IsSet($_GET["action"])) { - $SQL = "SELECT * from News order by Datum DESC"; + $SQL = "SELECT * FROM `News` ORDER BY `Datum` DESC"; $Erg = mysql_query($SQL, $con); $rowcount = mysql_num_rows($Erg); @@ -52,7 +52,7 @@ else case 'change': if (isset($_GET["date"])) { - $SQL = "SELECT * from News where (Datum='". $_GET["date"]. "')"; + $SQL = "SELECT * FROM `News` WHERE (`Datum`='". $_GET["date"]. "')"; $Erg = mysql_query($SQL, $con); if( mysql_num_rows( $Erg)==1) @@ -91,15 +91,15 @@ else case 'change_save': if( isset($_GET["date"]) && isset($_GET["eBetreff"]) && isset($_GET["eText"]) ) - $chsql="UPDATE News set Betreff = \"". $_GET["eBetreff"]. "\", Text = \"". $_GET["eText"]. - "\", Treffen=". $_GET["eTreffen"]. " where (Datum = '". $_GET["date"]. "') limit 1"; + $chsql="UPDATE `News` SET `Betreff`='". $_GET["eBetreff"]. "', `Text`='". $_GET["eText"]. + "', `Treffen`='". $_GET["eTreffen"]. "' WHERE (`Datum`='". $_GET["date"]. "') limit 1"; else echo "Fehler: nicht genügend parameter übergeben"; break; case 'delete': if (isset($_POST["date"])) - $chsql="DELETE from News where Datum = '". $_POST["date"]. "' limit 1"; + $chsql="DELETE FROM 'News' WHERE `Datum`='". $_POST["date"]. "' LIMIT 1"; else echo "Fehler: \"date\" nicht übergeben"; break; diff --git a/www-ssl/admin/room.php b/www-ssl/admin/room.php index a1502f96..b35b3916 100755 --- a/www-ssl/admin/room.php +++ b/www-ssl/admin/room.php @@ -5,7 +5,7 @@ include ("./inc/header.php"); include ("./inc/funktion_user.php"); include ("./inc/funktion_schichtplan_aray.php"); -$Sql = "SELECT * FROM `Room` ORDER BY Number, Name"; +$Sql = "SELECT * FROM `Room` ORDER BY `Number`, `Name`"; $Erg = mysql_query($Sql, $con); if( !IsSet($_GET["action"]) ) diff --git a/www-ssl/admin/schichtplan.php b/www-ssl/admin/schichtplan.php index 9c904bb2..12c767c2 100755 --- a/www-ssl/admin/schichtplan.php +++ b/www-ssl/admin/schichtplan.php @@ -50,7 +50,7 @@ for( $i = 0; $i < $rowcount; $i++) "value=\"". mysql_result($Erg, $i, "SID"). "\"></td>\n"; echo "\t\t<td>".mysql_result($Erg, $i, "DateS")."</td>\n"; - $sql2= "SELECT `Name` FROM `Room` WHERE `RID`=\"".mysql_result($Erg, $i, "RID")."\""; + $sql2= "SELECT `Name` FROM `Room` WHERE `RID`='".mysql_result($Erg, $i, "RID")."'"; $Erg2 = mysql_query($sql2, $con); if( mysql_num_rows($Erg2) > 0) echo "\t\t<td>".mysql_result($Erg2, 0, "Name")."</td>\n"; @@ -83,7 +83,7 @@ case 'change': else { - $sql = "SELECT * FROM `Shifts` WHERE (`SID` = \"". $_GET["SID"]. "\" )"; + $sql = "SELECT * FROM `Shifts` WHERE (`SID` = '". $_GET["SID"]. "' )"; $Erg = mysql_query($sql, $con); echo "Schicht abändern: <br>\n"; @@ -138,7 +138,7 @@ case 'change': echo "<br><hr>\n\n\n\n"; //Freie Engelschichten - $sql3 = "SELECT TID FROM `ShiftEntry` WHERE SID=". $_GET["SID"]. " AND UID=0"; + $sql3 = "SELECT `TID` FROM `ShiftEntry` WHERE `SID`='". $_GET["SID"]. "' AND `UID`='0'"; $Erg3 = mysql_query($sql3, $con); $rowcount = mysql_num_rows($Erg3); @@ -153,7 +153,7 @@ case 'change': echo "<br><hr>\n\n\n\n"; //Ausgabe eingetragener schischten - $sql3 = "SELECT * FROM `ShiftEntry` WHERE SID=". $_GET["SID"]. " AND NOT UID=0"; + $sql3 = "SELECT * FROM `ShiftEntry` WHERE `SID`='". $_GET["SID"]. "' AND NOT `UID`='0'"; $Erg3 = mysql_query($sql3, $con); $rowcount = mysql_num_rows($Erg3); @@ -180,7 +180,7 @@ case 'change': echo "<select name=\"UIDs\">\n"; echo "\t<option value=\"0\">--neu--</option>\n"; - $usql="select * from User order by Nick"; + $usql="SELECT * FROM `User` ORDER BY `Nick`"; $uErg = mysql_query($usql, $con); $urowcount = mysql_num_rows($uErg); for ($k=0; $k<$urowcount; $k++) @@ -240,15 +240,15 @@ case 'engeladd': if( mysql_num_rows($ERG) != 0 ) { $chSQL = "UPDATE `ShiftEntry` SET ". - "`UID`='". $_GET["UIDs"]. "', `Comment`='shift added by ".$_SESSION['Nick']."' "; - $chSQL .= "WHERE (`SID`='". $_GET["SID"]. "' AND ". + "`UID`='". $_GET["UIDs"]. "', `Comment`='shift added by ".$_SESSION['Nick']."' ". + "WHERE (`SID`='". $_GET["SID"]. "' AND ". "`TID`='". $_GET["TID"]. "' AND `UID`='0' ) LIMIT 1"; } else { - $chSQL = "INSERT INTO `ShiftEntry` (`SID`, `TID`, `UID`, `Comment`) VALUES ("; - $chSQL .= "'". $_GET["SID"]. "', '". $_GET["TID"]. "', ". - "'". $_GET["UIDs"]. "', 'shift added by ".$_SESSION['Nick']."')"; + $chSQL = "INSERT INTO `ShiftEntry` (`SID`, `TID`, `UID`, `Comment`) VALUES (". + "'". $_GET["SID"]. "', '". $_GET["TID"]. "', ". + "'". $_GET["UIDs"]. "', 'shift added by ".$_SESSION['Nick']."')"; } echo "Es wird folgende Schicht zusätzlich eingetragen:<br>\n"; echo "Engel: ".UID2Nick($_GET["UIDs"])."<br>\n"; @@ -305,8 +305,8 @@ case 'changesave': break; case 'delete': - $chSQL = "DELETE FROM `Shifts` WHERE `SID`=". $_GET["SID"]. " LIMIT 1"; - $ch2SQL = "DELETE FROM `ShiftEntry` WHERE `SID`=". $_GET["SID"]; + $chSQL = "DELETE FROM `Shifts` WHERE `SID`='". $_GET["SID"]. "' LIMIT 1"; + $ch2SQL = "DELETE FROM `ShiftEntry` WHERE `SID`='". $_GET["SID"]. "'"; SetHeaderGo2Back(); break; diff --git a/www-ssl/admin/schichtplan_druck.php b/www-ssl/admin/schichtplan_druck.php index 55dc2041..bef2dc06 100755 --- a/www-ssl/admin/schichtplan_druck.php +++ b/www-ssl/admin/schichtplan_druck.php @@ -50,7 +50,7 @@ for ($i = 0 ; $i < mysql_fetch_row($Erg) ; $i++) <select name="Raum"> <?php - $res = mysql_query("SELECT Name, RID FROM `Room` WHERE `show`!='N' ORDER BY Name;",$con); + $res = mysql_query("SELECT Name, RID FROM `Room` WHERE `show`!='N' ORDER BY `Name`;",$con); for ($i = 0; $i < mysql_num_rows($res); $i++) { diff --git a/www-ssl/admin/shiftadd.php b/www-ssl/admin/shiftadd.php index e873f5e0..15e54735 100755 --- a/www-ssl/admin/shiftadd.php +++ b/www-ssl/admin/shiftadd.php @@ -273,7 +273,7 @@ function CreateNewEntry() // Ist eintarg schon vorhanden? - $SQL = "SELECT SID FROM `Shifts` "; + $SQL = "SELECT `SID` FROM `Shifts` "; $SQL .= "WHERE (". "`DateS` = '". $_DateS. "' AND ". "`DateE` = '". $_DateE. "' AND ". diff --git a/www-ssl/admin/tshirt.php b/www-ssl/admin/tshirt.php index 2e843e92..87dc1c73 100755 --- a/www-ssl/admin/tshirt.php +++ b/www-ssl/admin/tshirt.php @@ -9,7 +9,7 @@ include ("./inc/funktion_user.php"); If (IsSet($_GET["aktiv"])) { - $SQL="Update User set Tshirt=\"1\" where UID=\"". $_GET["aktiv"]. "\" limit 1"; + $SQL="UPDATE `User` SET `Tshirt`='1' WHERE `UID`='". $_GET["aktiv"]. "' limit 1"; $Erg = mysql_query($SQL, $con); if ($Erg == 1) { } else { @@ -25,7 +25,7 @@ Hinter diesem erscheint ein Link, über den man eintragen kann, dass der Eng Liste aller aktiven Engel: <?PHP -$SQL = "SELECT * from User where (Aktiv = 1) ORDER BY Nick ASC"; +$SQL = "SELECT * FROM `User` WHERE (`Aktiv`='1') ORDER BY `Nick` ASC"; $Erg = mysql_query($SQL, $con); $rowcount = mysql_num_rows($Erg); diff --git a/www-ssl/admin/user.php b/www-ssl/admin/user.php index 98495b99..52482992 100755 --- a/www-ssl/admin/user.php +++ b/www-ssl/admin/user.php @@ -15,7 +15,7 @@ if (!IsSet($_GET["enterUID"])) echo "\n<a href=\"./user.php?enterUID=-1&Type=Secure\">Edit logout User</a><br><br>\n"; if( !isset($_GET["OrderBy"]) ) $_GET["OrderBy"] = "Nick"; - $SQL = "SELECT * FROM User ORDER BY `". $_GET["OrderBy"]. "` ASC"; + $SQL = "SELECT * FROM `User` ORDER BY `". $_GET["OrderBy"]. "` ASC"; $Erg = mysql_query($SQL, $con); echo mysql_error($con); @@ -96,12 +96,12 @@ if (!IsSet($_GET["enterUID"])) echo "\t<td>"; //check userCVS=OK - $SQL2 = "SELECT UID FROM UserCVS WHERE (UID=". mysql_result($Erg, $n, "UID"). ")"; + $SQL2 = "SELECT `UID` FROM `UserCVS` WHERE (`UID`='". mysql_result($Erg, $n, "UID"). "')"; $Erg2 = mysql_query($SQL2, $con); echo mysql_error($con); if( mysql_num_rows($Erg2)==0) { - $SQL3 = "INSERT INTO `UserCVS` ( `UID`) VALUES ( '". mysql_result($Erg, $n, "UID"). "');"; + $SQL3 = "INSERT INTO `UserCVS` (`UID`) VALUES ('". mysql_result($Erg, $n, "UID"). "');"; $Erg3 = db_query($SQL3, "admin/user.php auto CVS create"); if( $Erg3 ) echo "was create<br>\n"; @@ -135,7 +135,7 @@ else if( $_GET["Type"] == "Normal" ) { - $SQL = "SELECT * FROM User WHERE UID=". $_GET["enterUID"]; + $SQL = "SELECT * FROM `User` WHERE `UID`='". $_GET["enterUID"]. "'"; $Erg = mysql_query($SQL, $con); if (mysql_num_rows($Erg) != 1) @@ -243,7 +243,7 @@ else // CVS-Rechte echo " <tr><td><br><u>Rights of \"". UID2Nick($_GET["enterUID"]). "\":</u></td></tr>\n"; - $SQL_CVS = "SELECT * FROM `UserCVS` WHERE UID=". $_GET["enterUID"]; + $SQL_CVS = "SELECT * FROM `UserCVS` WHERE `UID`='". $_GET["enterUID"]. "'"; $Erg_CVS = mysql_query($SQL_CVS, $con); if( mysql_num_rows($Erg_CVS) != 1) diff --git a/www-ssl/admin/user2.php b/www-ssl/admin/user2.php index e1792d4e..ce349f40 100755 --- a/www-ssl/admin/user2.php +++ b/www-ssl/admin/user2.php @@ -48,7 +48,7 @@ if (IsSet($_GET["action"])) elseif ($_POST["Type"] == "Secure") { $SQL2 = "UPDATE `UserCVS` SET "; - $SQL_CVS = "SELECT * FROM `UserCVS` WHERE UID=". $_POST["enterUID"]; + $SQL_CVS = "SELECT * FROM `UserCVS` WHERE `UID`='". $_POST["enterUID"]. "'"; $Erg_CVS = mysql_query($SQL_CVS, $con); $CVS_Data = mysql_fetch_array($Erg_CVS); $CVS_Data_i = 1; @@ -59,7 +59,7 @@ if (IsSet($_GET["action"])) $CVS_Data_i++; } $SQL2 = substr( $SQL2, 0, strlen($SQL2)-2 ); - $SQL2.= " WHERE `UID` = '". $_POST["enterUID"]. "' LIMIT 1;"; + $SQL2.= " WHERE `UID`='". $_POST["enterUID"]. "' LIMIT 1;"; echo "<br>Secure-"; $Erg = db_query($SQL2, "change user CVS"); if ($Erg == 1) { @@ -79,7 +79,7 @@ if (IsSet($_GET["action"])) if (IsSet($_POST["enterUID"])) { echo "delate User..."; - $SQL="DELETE FROM `User` WHERE `UID` = '". $_POST["enterUID"]. "' LIMIT 1;"; + $SQL="DELETE FROM `User` WHERE `UID`='". $_POST["enterUID"]. "' LIMIT 1;"; $Erg = db_query($SQL, "User delete"); if ($Erg == 1) { echo "Änderung wurde gesichert...\n"; @@ -88,7 +88,7 @@ if (IsSet($_GET["action"])) } echo "<br>\ndelate UserCVS..."; - $SQL2="DELETE FROM `UserCVS` WHERE `UID` = '". $_POST["enterUID"]. "' LIMIT 1;"; + $SQL2="DELETE FROM `UserCVS` WHERE `UID`='". $_POST["enterUID"]. "' LIMIT 1;"; $Erg = db_query($SQL2, "User CVS delete"); if ($Erg == 1) { echo "Änderung wurde gesichert...\n"; @@ -97,8 +97,8 @@ if (IsSet($_GET["action"])) } echo "<br>\ndelate UserEntry..."; - $SQL3="UPDATE `ShiftEntry` SET `UID` = '0', `Comment` = NULL ". - "WHERE `UID` = '". $_POST["enterUID"]. "';"; + $SQL3="UPDATE `ShiftEntry` SET `UID`='0', `Comment`=NULL ". + "WHERE `UID`='". $_POST["enterUID"]. "';"; $Erg = db_query($SQL3, "delate UserEntry"); if ($Erg == 1) { echo "Änderung wurde gesichert...\n"; @@ -112,7 +112,7 @@ if (IsSet($_GET["action"])) case "newpw": echo "Bitte neues Kennwort für <b>"; // Get Nick - $USQL = "SELECT * FROM User WHERE UID=". $_GET["eUID"]; + $USQL = "SELECT * FROM `User` WHERE `UID`='". $_GET["eUID"]. "'"; $Erg = mysql_query($USQL, $con); echo mysql_result($Erg, 0, "Nick"); echo "</b> eingeben:<br>"; @@ -129,7 +129,7 @@ if (IsSet($_GET["action"])) { // beide Passwoerter passen... $_POST["ePasswort"] = PassCrypt($_POST["ePasswort"]); $SQL = "UPDATE `User` SET `Passwort`='". $_POST["ePasswort"]. "' ". - "WHERE `UID` = '". $_POST["eUID"]. "'"; + "WHERE `UID`='". $_POST["eUID"]. "'"; $Erg = db_query($SQL, "User new passwort"); if ($Erg == 1) { echo "Änderung wurde gesichert...\n"; diff --git a/www-ssl/admin/userDefaultSetting.php b/www-ssl/admin/userDefaultSetting.php index 5ab7e653..51debdb1 100755 --- a/www-ssl/admin/userDefaultSetting.php +++ b/www-ssl/admin/userDefaultSetting.php @@ -46,7 +46,7 @@ if( isset( $_GET["Field"]) && isset( $_GET["Default"]) && isset( $_GET["Send"])) "[". mysql_error(). "]<br><br>"; break; case "SetForAllUser": - $SQL = "UPDATE `UserCVS` SET `". $_GET["Field"]. "` = '". $_GET["Default"]. "'"; + $SQL = "UPDATE `UserCVS` SET `". $_GET["Field"]. "`='". $_GET["Default"]. "'"; $Erg = mysql_query( $SQL, $con); if( $Erg == 1) echo "<H2>UPDATE ".$_GET["Field"]. " = ". $_GET["Default"]. " for all Users succesfull</h2>\n"; diff --git a/www-ssl/makeuser.php b/www-ssl/makeuser.php index b02f6923..b7df67a0 100755 --- a/www-ssl/makeuser.php +++ b/www-ssl/makeuser.php @@ -78,7 +78,7 @@ if( isset($_POST["send"])) $Erg2 = mysql_query($SQL2, $con); $Data = mysql_fetch_array($Erg2); - $SQL3 = "INSERT INTO `UserCVS` (`UID`) VALUES (". $Data["UID"]. ");"; + $SQL3 = "INSERT INTO `UserCVS` (`UID`) VALUES ('". $Data["UID"]. "');"; $Erg3 = mysql_query($SQL3, $con); if ($Erg3 != 1) { diff --git a/www-ssl/nonpublic/einstellungen.php b/www-ssl/nonpublic/einstellungen.php index faf72be5..eaec09fb 100755 --- a/www-ssl/nonpublic/einstellungen.php +++ b/www-ssl/nonpublic/einstellungen.php @@ -140,13 +140,13 @@ switch ($_POST["action"]) { case 'set': if ($_POST["new1"]==$_POST["new2"]){ Print_Text(25); - $sql = "select * from User where UID=".$_SESSION['UID']; + $sql = "SELECT * FROM `User` WHERE `UID`='".$_SESSION['UID']. "'"; $Erg = mysql_query($sql, $con); if (PassCrypt($_POST["old"])==mysql_result($Erg, 0, "Passwort")) { Print_Text(26); Print_Text(27); - $usql = "update User set Passwort='".PassCrypt($_POST["new1"])."' ". - "where UID=".$_SESSION['UID']." limit 1"; + $usql = "UPDATE `User` SET `Passwort`='". PassCrypt($_POST["new1"]). "' ". + " WHERE `UID`='". $_SESSION['UID']. "' LIMIT 1"; $Erg = mysql_query($usql, $con); if ($Erg==1) { Print_Text(28); @@ -163,10 +163,10 @@ case 'set': case 'colour': - $chsql="Update User set ". - "`color` = \"". $_POST["colourid"]. "\", ". - "`Menu`= \"". $_POST["eMenu"]. "\" ". - "where UID = \"".$_SESSION['UID']."\" limit 1"; + $chsql="UPDATE `User` SET ". + "`color`= '". $_POST["colourid"]. "', ". + "`Menu`= '". $_POST["eMenu"]. "' ". + "WHERE `UID`='". $_SESSION['UID']. "' LIMIT 1"; $Erg = mysql_query($chsql, $con); echo mysql_error($con); $_SESSION['color']=$_POST["colourid"]; @@ -180,7 +180,7 @@ case 'colour': case 'sprache': - $chsql="Update User set Sprache = \"". $_POST["language"]. "\" where UID = \"".$_SESSION['UID']."\" limit 1"; + $chsql="UPDATE `User` SET `Sprache` = '". $_POST["language"]. "' WHERE `UID`='". $_SESSION['UID']. "' LIMIT 1"; $Erg = mysql_query($chsql, $con); $_SESSION['Sprache']=$_POST["language"]; if ($Erg==1) { @@ -191,7 +191,7 @@ case 'sprache': break; case 'avatar': - $chsql="Update User set Avatar = \"". $_POST["eAvatar"]. "\" where UID = \"". $_SESSION['UID']. "\" limit 1"; + $chsql="UPDATE `User` SET `Avatar`='". $_POST["eAvatar"]. "' WHERE `UID`='". $_SESSION['UID']. "' LIMIT 1"; $Erg = mysql_query($chsql, $con); $_SESSION['Avatar']=$_POST["eAvatar"]; if ($Erg==1) { @@ -202,14 +202,14 @@ case 'avatar': break; case 'setUserData': - $chsql= "UPDATE User SET ". + $chsql= "UPDATE `User` SET ". "`Nick`='". $_POST["eNick"]. "', `Name`='". $_POST["eName"]. "', ". "`Vorname`='". $_POST["eVorname"]. "', `Alter`='". $_POST["eAlter"]. "', ". "`Telefon`='". $_POST["eTelefon"]. "', `Handy`='". $_POST["eHandy"]. "', ". "`DECT`='". $_POST["eDECT"]. "', `email`='". $_POST["eemail"]. "', ". "`ICQ`='". $_POST["eICQ"]. "', `jabber`='". $_POST["ejabber"]."', ". "`Hometown`='". $_POST["Hometown"]. "' ". - "WHERE UID='". $_SESSION['UID']. "' LIMIT 1;"; + "WHERE `UID`='". $_SESSION['UID']. "' LIMIT 1;"; $Erg = mysql_query($chsql, $con); if ($Erg==1) diff --git a/www-ssl/nonpublic/faq.php b/www-ssl/nonpublic/faq.php index fb7dab8c..b7d01835 100755 --- a/www-ssl/nonpublic/faq.php +++ b/www-ssl/nonpublic/faq.php @@ -23,7 +23,7 @@ if (!IsSet($_POST["eUID"])) echo "<b>".Get_Text(37)."</b><br><br>\n".nl2br($_POST["frage"])."<br><br>\n".Get_Text(38)."<br>\n"; -$SQL = "INSERT into Questions VALUES (\"\", \"".$_SESSION['UID']."\", \"". $_POST["frage"]. "\", \"\", \"\")"; +$SQL = "INSERT INTO `Questions` VALUES ('', '".$_SESSION['UID']."', '". $_POST["frage"]. "', '', '')"; $Erg = mysql_query($SQL, $con); } @@ -32,7 +32,7 @@ echo "<br>\n<b>".Get_Text(39)."</b><br>\n"; echo "<hr width=\"99%\">\n"; echo "<br><b>".Get_Text(40)."</b><br>\n"; -$SQL = "SELECT * from Questions where UID = ".$_SESSION['UID']." and AID=\"0\" ORDER BY 'QID' DESC"; +$SQL = "SELECT * FROM `Questions` WHERE `UID` = ". $_SESSION['UID']. " AND `AID`='0' ORDER BY 'QID' DESC"; $Erg = mysql_query($SQL, $con); // anzahl zeilen @@ -52,7 +52,7 @@ if ($Zeilen==0){ echo "<hr width=\"99%\">\n"; echo "<br><b>".Get_Text(42)."</b><br>\n"; -$SQL = "SELECT * from Questions where UID = ".$_SESSION['UID']." and AID<>\"0\" ORDER BY 'QID' DESC"; +$SQL = "SELECT * FROM `Questions` WHERE `UID`='".$_SESSION['UID']."' and `AID`<>'0' ORDER BY 'QID' DESC"; $Erg = mysql_query($SQL, $con); // anzahl zeilen diff --git a/www-ssl/nonpublic/index.php b/www-ssl/nonpublic/index.php index 20b32c00..ba47e4d9 100755 --- a/www-ssl/nonpublic/index.php +++ b/www-ssl/nonpublic/index.php @@ -20,7 +20,7 @@ if ( !IsSet($_POST["user"])) } else { // User ist noch nicht angemeldet - $sql = "select * from User where Nick = '". $_POST["user"]. "'"; + $sql = "SELECT * FROM `User` WHERE `Nick`='". $_POST["user"]. "'"; $userstring = mysql_query($sql, $con); // anzahl zeilen @@ -54,7 +54,7 @@ else $_SESSION['IP'] = $_SERVER['REMOTE_ADDR']; // CVS import Data - $SQL = "SELECT * FROM `UserCVS` WHERE UID='".$_SESSION['UID']."'"; + $SQL = "SELECT * FROM `UserCVS` WHERE `UID`='".$_SESSION['UID']."'"; $Erg_CVS = mysql_query($SQL, $con); $_SESSION['CVS'] = mysql_fetch_array($Erg_CVS); diff --git a/www-ssl/nonpublic/myschichtplan.php b/www-ssl/nonpublic/myschichtplan.php index 5aac2b61..be10951b 100755 --- a/www-ssl/nonpublic/myschichtplan.php +++ b/www-ssl/nonpublic/myschichtplan.php @@ -88,8 +88,7 @@ else { echo Get_Text("pub_mywake_delate1")."<br>\n"; - $sql = "SELECT * FROM `Shifts` WHERE "; - $sql.= "(SID = \"". $_GET["SID"]. "\")"; + $sql = "SELECT * FROM `Shifts` WHERE (`SID` = '". $_GET["SID"]. "')"; $Erg = mysql_query($sql, $con); $schichtdate = mysql_result( $Erg, 0, "DateS" ); @@ -124,7 +123,7 @@ else echo Get_Text("pub_myshift_Edit_Text1"). "\n"; $sql = "SELECT * FROM `ShiftEntry` WHERE "; - $sql.= "(SID=\"". $_GET["SID"]. "\" AND UID=\"". $_SESSION['UID']. "\" )"; + $sql.= "(`SID`='". $_GET["SID"]. "' AND `UID`='". $_SESSION['UID']. "')"; $Erg = mysql_query($sql, $con); echo "<form action=\"./myschichtplan.php\" method=\"GET\">\n"; @@ -138,7 +137,7 @@ else { echo Get_Text("pub_myshift_EditSave_Text1"). "<br>\n"; $sql = "UPDATE `ShiftEntry` ". - "SET `Comment` = \"". $_GET["newtext"]. "\" ". + "SET `Comment` = '". $_GET["newtext"]. "' ". "WHERE `SID`='". $_GET["SID"]. "' AND `UID`='". $_SESSION['UID']. "' LIMIT 1;"; $Erg = mysql_query($sql, $con); if ($Erg == 1) diff --git a/www-ssl/nonpublic/news_comments.php b/www-ssl/nonpublic/news_comments.php index 6e303cea..a1019765 100755 --- a/www-ssl/nonpublic/news_comments.php +++ b/www-ssl/nonpublic/news_comments.php @@ -12,8 +12,8 @@ if( IsSet( $_GET["nid"])) if( IsSet( $_GET["text"])) { - $ch_sql="INSERT INTO news_comments (Refid, Datum, Text, UID) VALUES ('". - $_GET["nid"]. "', '". date("Y-m-d H:i:s"). "', '". $_GET["text"]. "', '". $_SESSION["UID"]. "')"; + $ch_sql="INSERT INTO `news_comments` (`Refid`, `Datum`, `Text`, `UID`) ". + "VALUES ('". $_GET["nid"]. "', '". date("Y-m-d H:i:s"). "', '". $_GET["text"]. "', '". $_SESSION["UID"]. "')"; $Erg = mysql_query($ch_sql, $con); if ($Erg == 1) { @@ -22,7 +22,7 @@ if( IsSet( $_GET["text"])) } } -$SQL = "SELECT * FROM news_comments where Refid = '". $_GET["nid"]. "' ORDER BY 'ID'"; +$SQL = "SELECT * FROM `news_comments` WHERE `Refid`='". $_GET["nid"]. "' ORDER BY 'ID'"; $Erg = mysql_query($SQL, $con); echo mysql_error( $con); // anzahl zeilen diff --git a/www-ssl/nonpublic/news_output.php b/www-ssl/nonpublic/news_output.php index 6c6fb8ff..b37c9591 100755 --- a/www-ssl/nonpublic/news_output.php +++ b/www-ssl/nonpublic/news_output.php @@ -7,9 +7,9 @@ if( isset( $_POST["text"]) && isset( $_POST["betreff"]) && IsSet( $_POST["date"] { if( !isset( $_POST["treffen"])) $_POST["treffen"] = 0; - $SQL = "INSERT INTO `News` (`Datum`, `Betreff`, `Text`, `UID`, `Treffen`) "; - $SQL.= "VALUES ('". $_POST["date"]. "', '". $_POST["betreff"]. "', '". $_POST["text"]. "', '".$_SESSION['UID']; - $SQL.= "', '". $_POST["treffen"]. "');"; + $SQL = "INSERT INTO `News` (`Datum`, `Betreff`, `Text`, `UID`, `Treffen`) ". + "VALUES ('". $_POST["date"]. "', '". $_POST["betreff"]. "', '". $_POST["text"]. "', '".$_SESSION['UID']. + "', '". $_POST["treffen"]. "');"; $Erg = mysql_query($SQL, $con); if ($Erg == 1) Print_Text(4); @@ -21,7 +21,7 @@ if( !IsSet( $_GET["news_begin"])) if( !IsSet( $_GET["DISPLAY_NEWS"])) $_GET["DISPLAY_NEWS"] = 5; -$SQL = "SELECT * FROM `News` ORDER BY 'ID' DESC LIMIT ". $_GET["news_begin"]. ",". $_GET["DISPLAY_NEWS"]; +$SQL = "SELECT * FROM `News` ORDER BY 'ID' DESC LIMIT ". intval($_GET["news_begin"]). ", ". intval($_GET["DISPLAY_NEWS"]); $Erg = mysql_query($SQL, $con); // anzahl zeilen @@ -48,14 +48,14 @@ for ($n = 0 ; $n < $news_rows ; $n++) echo "</p>\n"; echo "<p class='answer'>". ReplaceSmilies(nl2br(mysql_result($Erg, $n, "Text"))) ."</p>\n"; $RefID=mysql_result($Erg, $n, "ID"); - $countSQL="SELECT COUNT(*) from news_comments where Refid = '$RefID'"; + $countSQL="SELECT COUNT(*) FROM `news_comments` WHERE `Refid`='$RefID'"; $countErg = mysql_query($countSQL, $con); $countcom = mysql_result($countErg, 0, "COUNT(*)"); echo "<p class='comment' align='right'><a href=\"./news_comments.php?nid=$RefID\">$countcom comments</a></p>\n\n"; } echo "<div align=\"center\">\n\n"; -$rowerg = mysql_query("select * from News", $con); +$rowerg = mysql_query("SELECT * FROM `News`", $con); $rows = mysql_num_rows($rowerg); $dis_rows = round (($rows / $DISPLAY_NEWS)+0.5); diff --git a/www-ssl/nonpublic/schichtplan_add.php b/www-ssl/nonpublic/schichtplan_add.php index f12690c7..69170763 100755 --- a/www-ssl/nonpublic/schichtplan_add.php +++ b/www-ssl/nonpublic/schichtplan_add.php @@ -35,7 +35,7 @@ if (isset($_POST["newtext"]) && isset($_POST["SID"]) && isset($_POST["TID"])) { { //ermitteln der noch gesuchten $SQL3 = "SELECT * FROM `ShiftEntry`". - " WHERE ((`SID` = '". $_POST["SID"]. "') and (`TID` = '". $_POST["TID"]. "') and (`UID` = '0'));"; + " WHERE ((`SID` = '". $_POST["SID"]. "') AND (`TID` = '". $_POST["TID"]. "') AND (`UID` = '0'));"; $Erg3 = mysql_query($SQL3, $con); if( mysql_num_rows($Erg3) <= 0 ) @@ -65,7 +65,7 @@ elseif (isset($_GET["SID"]) && isset($_GET["TID"])) { "<table border=\"0\">\n"; $SQL = "SELECT * FROM `Shifts` WHERE "; - $SQL .="(SID = '". $_GET["SID"]. "')"; + $SQL .="(`SID` = '". $_GET["SID"]. "')"; $Erg = mysql_query($SQL, $con); echo "<tr><td>". Get_Text("pub_schichtplan_add_Date"). ":</td> <td>". diff --git a/www-ssl/nonpublic/waeckliste.php b/www-ssl/nonpublic/waeckliste.php index b2c2e420..15e1a4de 100755 --- a/www-ssl/nonpublic/waeckliste.php +++ b/www-ssl/nonpublic/waeckliste.php @@ -20,7 +20,7 @@ include ("./inc/header.php"); </tr> <?PHP - $sql = "Select * from Wecken order by Date asc"; + $sql = "SELECT * FROM `Wecken` ORDER BY `Date` ASC"; $Erg = mysql_query($sql, $con); $count = mysql_num_rows($Erg); diff --git a/www-ssl/nonpublic/wecken.php b/www-ssl/nonpublic/wecken.php index 66597dbb..6758da2b 100755 --- a/www-ssl/nonpublic/wecken.php +++ b/www-ssl/nonpublic/wecken.php @@ -8,9 +8,9 @@ include ("./inc/funktion_user.php"); if( isset($_POST["eintragen"])) if( $_POST["eintragen"] == Get_Text("pub_wake_bouton") ) { - $SQL = "INSERT INTO Wecken (`UID`, `Date`, `Ort`, `Bemerkung`) ". - "VALUES (".$_SESSION['UID'].", \"". $_POST["Date"]. "\", \"". $_POST["Ort"]. - "\", \"". $_POST["Bemerkung"]. "\") "; + $SQL = "INSERT INTO `Wecken` (`UID`, `Date`, `Ort`, `Bemerkung`) ". + "VALUES ('". $_SESSION['UID']. "', '". $_POST["Date"]. "', '". $_POST["Ort"]. "', ". + "'". $_POST["Bemerkung"]. "')"; $Erg = mysql_query($SQL, $con); if ($Erg == 1) Print_Text(4); @@ -18,7 +18,7 @@ if( isset($_POST["eintragen"])) if( isset($_GET["eintragen"])) if ($_GET["eintragen"] == "loeschen") { - $SQL = "Delete from Wecken where UID = ".$_SESSION['UID']." and ID = ". $_GET["weckID"]." limit 1"; + $SQL = "DELETE FROM `Wecken` WHERE `UID`='". $_SESSION['UID']. "' AND `ID`='". $_GET["weckID"]."' LIMIT 1"; $Erg = mysql_query($SQL, $con); if ($Erg == 1) Print_Text(4); @@ -38,7 +38,7 @@ echo Get_Text("pub_wake_beschreibung2"); ?> </tr> <?PHP - $sql = "Select * from Wecken where UID='".$_SESSION['UID']."' order by Date asc"; + $sql = "SELECT * FROM `Wecken` WHERE `UID`='". $_SESSION['UID']. "' ORDER BY `Date` ASC"; $Erg = mysql_query($sql, $con); $count = mysql_num_rows($Erg); |