author | Philip Häusler <msquare@notrademark.de> | 2014-12-28 13:44:56 +0100 |
committer | Philip Häusler <msquare@notrademark.de> | 2014-12-28 13:44:56 +0100 |
commit | 6bede2fd229395f34c321a37efa2ea93e7b1a7ba (patch) | |
tree | a20c74d5bdddae9e1ec9a988e1ba468371a4a995 /includes/model/User_model.php | |
parent | a6ab81b834fe91b0f0704a7db33e377c8dc63a23 (diff) |
harden the sql queries
Diffstat (limited to 'includes/model/User_model.php')
-rw-r--r-- | includes/model/User_model.php | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/includes/model/User_model.php b/includes/model/User_model.php
index 516f9adf..c6f8e3bf 100644
--- a/includes/model/User_model.php
+++ b/includes/model/User_model.php
@@ -14,23 +14,23 @@ function User_update($user) {
 `Nick`='" . sql_escape($user['Nick']) . "',
 `Name`='" . sql_escape($user['Name']) . "',
 `Vorname`='" . sql_escape($user['Vorname']) . "',
- `Alter`=" . sql_escape($user['Alter']) . ",
+ `Alter`='" . sql_escape($user['Alter']) . "',
 `Telefon`='" . sql_escape($user['Telefon']) . "',
 `DECT`='" . sql_escape($user['DECT']) . "',
 `Handy`='" . sql_escape($user['Handy']) . "',
 `email`='" . sql_escape($user['email']) . "',
- `email_shiftinfo`=" . sql_escape($user['email_shiftinfo'] ? 'TRUE' : 'FALSE') . ",
+ `email_shiftinfo`=" . sql_bool($user['email_shiftinfo']) . ",
 `jabber`='" . sql_escape($user['jabber']) . "',
 `Size`='" . sql_escape($user['Size']) . "',
- `Gekommen`=" . sql_escape($user['Gekommen']) . ",
- `Aktiv`=" . sql_escape($user['Aktiv']) . ",
- `force_active`=" . sql_escape($user['force_active'] ? 'TRUE' : 'FALSE') . ",
- `Tshirt`=" . sql_escape($user['Tshirt']) . ",
- `color`=" . sql_escape($user['color']) . ",
+ `Gekommen`='" . sql_escape($user['Gekommen']) . "',
+ `Aktiv`='" . sql_escape($user['Aktiv']) . "',
+ `force_active`=" . sql_bool($user['force_active']) . ",
+ `Tshirt`='" . sql_escape($user['Tshirt']) . "',
+ `color`='" . sql_escape($user['color']) . "',
 `Sprache`='" . sql_escape($user['Sprache']) . "',
 `Hometown`='" . sql_escape($user['Hometown']) . "',
- `got_voucher`=" . sql_escape($user['got_voucher'] ? 'TRUE' : 'FALSE') . "
- WHERE `UID`=" . sql_escape($user['UID']));
+ `got_voucher`=" . sql_bool($user['got_voucher']) . "
+ WHERE `UID`='" . sql_escape($user['UID']). "'");
 }
 
 /**
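Review bot: Quoting the escaped value closes the unquoted-literal gap for the numeric columns (`Alter`, `Gekommen`, `Aktiv`, `Tshirt`, `color`, and `UID` in the WHERE clause), but it now depends on MySQL coercing the string back to a number, so a non-numeric value is silently stored as 0 or, under strict mode, only fails at the database; an explicit cast such as `(int) $user['UID']` in place of the escaped-and-quoted value would not depend on sql_escape at all for these fields, and the same applies to `angeltype_id` and `UID` in the Users_by_angeltype_inverted, Users_by_angeltype, User and mUser_Limit hunks. The body of sql_bool is not part of this diff, so it is worth confirming that it emits only the literals TRUE/FALSE rather than passing its argument through. Minor style point: `sql_escape($user['UID']). "'"` is missing the space before the concatenation operator that every other line in the hunk has. User_update begins before the first line of the hunk, and the lines shown are the middle of a single query string.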
@@ -105,7 +105,7 @@ function Users_by_angeltype_inverted($angeltype) {
 return sql_select("
 SELECT `User`.*
 FROM `User`
- LEFT JOIN `UserAngelTypes` ON (`User`.`UID`=`UserAngelTypes`.`user_id` AND `angeltype_id`=" . sql_escape($angeltype['id']) . ")
+ LEFT JOIN `UserAngelTypes` ON (`User`.`UID`=`UserAngelTypes`.`user_id` AND `angeltype_id`='" . sql_escape($angeltype['id']) . "')
 WHERE `UserAngelTypes`.`id` IS NULL
 ORDER BY `Nick`");
 }
@@ -124,7 +124,7 @@ function Users_by_angeltype($angeltype) {
 `UserAngelTypes`.`coordinator`
 FROM `User`
 JOIN `UserAngelTypes` ON `User`.`UID`=`UserAngelTypes`.`user_id`
- WHERE `UserAngelTypes`.`angeltype_id`=" . sql_escape($angeltype['id']) . "
+ WHERE `UserAngelTypes`.`angeltype_id`='" . sql_escape($angeltype['id']) . "'
 ORDER BY `Nick`");
 }
@@ -150,7 +150,7 @@ function User_validate_Nick($nick) {
 * @param $id UID
 */
 function User($id) {
- $user_source = sql_select("SELECT * FROM `User` WHERE `UID`=" . sql_escape($id) . " LIMIT 1");
+ $user_source = sql_select("SELECT * FROM `User` WHERE `UID`='" . sql_escape($id) . "' LIMIT 1");
 if ($user_source === false)
 return false;
 if (count($user_source) > 0)
@@ -165,7 +165,7 @@ function User($id) {
 * @param $id UID
 */
 function mUser_Limit($id) {
- $user_source = sql_select("SELECT `UID`, `Nick`, `Name`, `Vorname`, `Telefon`, `DECT`, `Handy`, `email`, `jabber`, `Avatar` FROM `User` WHERE `UID`=" . sql_escape($id) . " LIMIT 1");
+ $user_source = sql_select("SELECT `UID`, `Nick`, `Name`, `Vorname`, `Telefon`, `DECT`, `Handy`, `email`, `jabber`, `Avatar` FROM `User` WHERE `UID`='" . sql_escape($id) . "' LIMIT 1");
 if ($user_source === false)
 return false;
 if (count($user_source) > 0)
|