summaryrefslogtreecommitdiff
path: root/includes/controller
diff options
context:
space:
mode:
authorPhilip Häusler <msquare@notrademark.de>2014-12-28 13:44:56 +0100
committerPhilip Häusler <msquare@notrademark.de>2014-12-28 13:44:56 +0100
commit6bede2fd229395f34c321a37efa2ea93e7b1a7ba (patch)
treea20c74d5bdddae9e1ec9a988e1ba468371a4a995 /includes/controller
parenta6ab81b834fe91b0f0704a7db33e377c8dc63a23 (diff)
harden the sql queries
Diffstat (limited to 'includes/controller')
-rw-r--r--includes/controller/shifts_controller.php2
-rw-r--r--includes/controller/users_controller.php6
2 files changed, 4 insertions, 4 deletions
diff --git a/includes/controller/shifts_controller.php b/includes/controller/shifts_controller.php
index 90753217..9982388e 100644
--- a/includes/controller/shifts_controller.php
+++ b/includes/controller/shifts_controller.php
@@ -145,7 +145,7 @@ function shifts_json_export_controller() {
INNER JOIN `Shifts` ON (`ShiftEntry`.`SID` = `Shifts`.`SID`)
INNER JOIN `ShiftTypes` ON (`Shifts`.`shifttype_id`=`ShiftTypes`.`id`)
INNER JOIN `Room` ON (`Shifts`.`RID` = `Room`.`RID`)
- WHERE `UID`=" . sql_escape($user['UID']) . "
+ WHERE `UID`='" . sql_escape($user['UID']) . "'
ORDER BY `start`");
}
diff --git a/includes/controller/users_controller.php b/includes/controller/users_controller.php
index 484d9912..7810ce77 100644
--- a/includes/controller/users_controller.php
+++ b/includes/controller/users_controller.php
@@ -74,14 +74,14 @@ function user_controller() {
$shifts = Shifts_by_user($user_source);
foreach ($shifts as &$shift) {
// TODO: Move queries to model
- $shift['needed_angeltypes'] = sql_select("SELECT DISTINCT `AngelTypes`.* FROM `ShiftEntry` JOIN `AngelTypes` ON `ShiftEntry`.`TID`=`AngelTypes`.`id` WHERE `ShiftEntry`.`SID`=" . sql_escape($shift['SID']) . " ORDER BY `AngelTypes`.`name`");
+ $shift['needed_angeltypes'] = sql_select("SELECT DISTINCT `AngelTypes`.* FROM `ShiftEntry` JOIN `AngelTypes` ON `ShiftEntry`.`TID`=`AngelTypes`.`id` WHERE `ShiftEntry`.`SID`='" . sql_escape($shift['SID']) . "' ORDER BY `AngelTypes`.`name`");
foreach ($shift['needed_angeltypes'] as &$needed_angeltype) {
$needed_angeltype['users'] = sql_select("
SELECT `ShiftEntry`.`freeloaded`, `User`.*
FROM `ShiftEntry`
JOIN `User` ON `ShiftEntry`.`UID`=`User`.`UID`
- WHERE `ShiftEntry`.`SID`=" . sql_escape($shift['SID']) . "
- AND `ShiftEntry`.`TID`=" . sql_escape($needed_angeltype['id']));
+ WHERE `ShiftEntry`.`SID`='" . sql_escape($shift['SID']) . "'
+ AND `ShiftEntry`.`TID`='" . sql_escape($needed_angeltype['id']) . "'");
}
}