diff options
| author | Philip Häusler <msquare@notrademark.de> | 2011-06-13 19:34:01 +0200 |
|---|---|---|
| committer | Philip Häusler <msquare@notrademark.de> | 2011-06-13 19:34:01 +0200 |
| commit | 3d15b591e3f4196846fff005cc800feb383073c7 (patch) | |
| tree | 3b4385f7efb6b818485e9e3fbaded249e8607d7e /includes/pages/user_messages.php | |
| parent | 0b2d976b81195b3d7a2ab50da6f1e0edba59e5ce (diff) | |
cleanup, security sql fixes
Diffstat (limited to 'includes/pages/user_messages.php')
| -rw-r--r-- | includes/pages/user_messages.php | 150 |
1 files changed, 9 insertions, 141 deletions
diff --git a/includes/pages/user_messages.php b/includes/pages/user_messages.php index a13b28f0..29b41cae 100644 --- a/includes/pages/user_messages.php +++ b/includes/pages/user_messages.php @@ -6,13 +6,7 @@ function user_unread_messages() { $new_messages = sql_num_query("SELECT * FROM `Messages` WHERE isRead='N' AND `RUID`=" . sql_escape($user['UID'])); if ($new_messages > 0) - return sprintf( - '<p class="notice"><a href="%s">%s %s %s</a></p><hr />', - page_link_to("user_messages"), - Get_Text("pub_messages_new1"), - $new_messages, - Get_Text("pub_messages_new2") - ); + return sprintf('<p class="notice"><a href="%s">%s %s %s</a></p><hr />', page_link_to("user_messages"), Get_Text("pub_messages_new1"), $new_messages, Get_Text("pub_messages_new2")); } return ""; @@ -22,8 +16,7 @@ function user_messages() { global $user; if (!isset ($_REQUEST['action'])) { - $users = sql_select("SELECT * FROM `User` WHERE NOT `UID`=" - . sql_escape($user['UID']) . " ORDER BY `Nick`"); + $users = sql_select("SELECT * FROM `User` WHERE NOT `UID`=" . sql_escape($user['UID']) . " ORDER BY `Nick`"); $to_select_data = array ( "" => "Select receiver..." @@ -35,23 +28,11 @@ function user_messages() { $to_select = html_select_key('to', $to_select_data, ''); $messages_html = ""; - $messages = sql_select("SELECT * FROM `Messages` WHERE `SUID`=" - . sql_escape($user['UID']) - . " OR `RUID`=" . sql_escape($user['UID']) - . " ORDER BY `isRead`,`Datum` DESC" - ); + $messages = sql_select("SELECT * FROM `Messages` WHERE `SUID`=" . sql_escape($user['UID']) . " OR `RUID`=" . sql_escape($user['UID']) . " ORDER BY `isRead`,`Datum` DESC"); foreach ($messages as $message) { - $messages_html .= sprintf( - '<tr %s> <td>%s</td> <td>%s</td> <td>%s</td> <td>%s</td>' - .'<td>%s</td>', - ($message['isRead'] == 'N' ? ' class="new_message"' : ''), - ($message['isRead'] == 'N' ? '•' : ''), - date("Y-m-d H:i", $message['Datum']), - UID2Nick($message['SUID']), - UID2Nick($message['RUID']), - str_replace("\n", '<br />', $message['Text']) - ); + $messages_html .= sprintf('<tr %s> <td>%s</td> <td>%s</td> <td>%s</td> <td>%s</td>' . + '<td>%s</td>', ($message['isRead'] == 'N' ? ' class="new_message"' : ''), ($message['isRead'] == 'N' ? '•' : ''), date("Y-m-d H:i", $message['Datum']), UID2Nick($message['SUID']), UID2Nick($message['RUID']), str_replace("\n", '<br />', $message['Text'])); $messages_html .= '<td>'; if ($message['RUID'] == $user['UID']) { @@ -65,8 +46,7 @@ function user_messages() { return template_render('../templates/user_messages.html', array ( 'link' => page_link_to("user_messages"), - 'greeting' => Get_Text("Hello") . $user['Nick'] . ", <br />\n" - . Get_Text("pub_messages_text1") . "<br /><br />\n", + 'greeting' => Get_Text("Hello") . $user['Nick'] . ", <br />\n" . Get_Text("pub_messages_text1") . "<br /><br />\n", 'messages' => $messages_html, 'new_label' => Get_Text("pub_messages_Neu"), 'date_label' => Get_Text("pub_messages_Datum"), @@ -118,122 +98,10 @@ function user_messages() { return error(Get_Text("pub_messages_Send_Error")); } break; - } - return ""; - } - - if (!isset ($_GET["action"])) - $_GET["action"] = "start"; - - switch ($_GET["action"]) { - case "start" : - echo Get_Text("Hello") . $_SESSION['Nick'] . ", <br />\n"; - echo Get_Text("pub_messages_text1") . "<br /><br />\n"; - - //show exist Messages - $SQL = "SELECT * FROM `Messages` WHERE `SUID`='" . $_SESSION["UID"] . "' OR `RUID`='" . $_SESSION["UID"] . "'"; - $erg = mysql_query($SQL, $con); - - echo "<table border=\"0\" class=\"border\" cellpadding=\"2\" cellspacing=\"1\">\n"; - echo "<tr>\n"; - echo "<td class=\"contenttopic\"><b>" . Get_Text("pub_messages_Datum") . "</b></td>\n"; - echo "<td class=\"contenttopic\"><b>" . Get_Text("pub_messages_Von") . "</b></td>\n"; - echo "<td class=\"contenttopic\"><b>" . Get_Text("pub_messages_An") . "</b></td>\n"; - echo "<td class=\"contenttopic\"><b>" . Get_Text("pub_messages_Text") . "</b></td>\n"; - echo "<td class=\"contenttopic\"></td>\n"; - echo "</tr>\n"; - - for ($i = 0; $i < mysql_num_rows($erg); $i++) { - echo "<tr class=\"content\">\n"; - echo "<td>" . mysql_result($erg, $i, "Datum") . "</td>\n"; - echo "<td>" . UID2Nick(mysql_result($erg, $i, "SUID")) . "</td>\n"; - echo "<td>" . UID2Nick(mysql_result($erg, $i, "RUID")) . "</td>\n"; - echo "<td>" . mysql_result($erg, $i, "Text") . "</td>\n"; - echo "<td>"; - - if (mysql_result($erg, $i, "RUID") == $_SESSION["UID"]) { - echo "<a href=\"?action=DelMsg&Datum=" . mysql_result($erg, $i, "Datum") . "\">" . Get_Text("pub_messages_DelMsg") . "</a>"; - - if (mysql_result($erg, $i, "isRead") == "N") - echo "<a href=\"?action=MarkRead&Datum=" . mysql_result($erg, $i, "Datum") . "\">" . Get_Text("pub_messages_MarkRead") . "</a>"; - } else { - if (mysql_result($erg, $i, "isRead") == "N") - echo Get_Text("pub_messages_NotRead"); - } - - echo "</td>\n"; - echo "</tr>\n"; - } - - // send Messeges - echo "<form action=\"" . $_SERVER['SCRIPT_NAME'] . "?action=SendMsg\" method=\"POST\">"; - echo "<tr class=\"content\">\n"; - echo "<td></td>\n"; - echo "<td></td>\n"; - - // Listet alle Nicks auf - echo "<td><select name=\"RUID\">\n"; - - $usql = "SELECT * FROM `User` WHERE (`UID`!='" . $_SESSION["UID"] . "') ORDER BY `Nick`"; - $uErg = mysql_query($usql, $con); - $urowcount = mysql_num_rows($uErg); - for ($k = 0; $k < $urowcount; $k++) { - echo "<option value=\"" . mysql_result($uErg, $k, "UID") . "\">" . mysql_result($uErg, $k, "Nick") . "</option>\n"; - } - - echo "</select></td>\n"; - echo "<td><textarea name=\"Text\" cols=\"30\" rows=\"10\"></textarea></td>\n"; - echo "<td><input type=\"submit\" value=\"" . Get_Text("save") . "\"></td>\n"; - echo "</tr>\n"; - echo "</form>"; - - echo "</table>\n"; - break; - - case "SendMsg" : - echo Get_Text("pub_messages_Send1") . "...<br />\n"; - - $SQL = "INSERT INTO `Messages` ( `Datum` , `SUID` , `RUID` , `Text` ) VALUES (" . - "'" . gmdate("Y-m-j H:i:s", time()) . "', " . - "'" . $_SESSION["UID"] . "', " . - "'" . $_POST["RUID"] . "', " . - "'" . $_POST["Text"] . "');"; - - $Erg = mysql_query($SQL, $con); - - if ($Erg == 1) - echo Get_Text("pub_messages_Send_OK") . "\n"; - else - echo Get_Text("pub_messages_Send_Error") . "...\n(" . mysql_error($con) . ")"; - break; - - case "MarkRead" : - $SQL = "UPDATE `Messages` SET `isRead` = 'Y' " . - "WHERE `Datum` = '" . $_GET["Datum"] . "' AND `RUID`='" . $_SESSION["UID"] . "' " . - "LIMIT 1 ;"; - $Erg = mysql_query($SQL, $con); - - if ($Erg == 1) - echo Get_Text("pub_messages_MarkRead_OK") . "\n"; - else - echo Get_Text("pub_messages_MarkRead_KO") . "...\n(" . mysql_error($con) . ")"; - break; - - case "DelMsg" : - $SQL = "DELETE FROM `Messages` " . - "WHERE `Datum` = '" . $_GET["Datum"] . "' AND `RUID` ='" . $_SESSION["UID"] . "' " . - "LIMIT 1;"; - $Erg = mysql_query($SQL, $con); - - if ($Erg == 1) - echo Get_Text("pub_messages_DelMsg_OK") . "\n"; - else - echo Get_Text("pub_messages_DelMsg_KO") . "...\n(" . mysql_error($con) . ")"; - break; - - default : - echo Get_Text("pub_messages_NoCommand"); + default : + return error("Wrong action."); + } } } ?> |