authorcookie <cookie@29ba0400-6e00-0410-a75a-ca02368028f8>2006-12-04 19:54:51 +0000
committercookie <cookie@29ba0400-6e00-0410-a75a-ca02368028f8>2006-12-04 19:54:51 +0000
commita52ee4a288ec57c2983173460237e4137440a873 (patch)
tree3c4101df8fffbbca647ef9d86e6e9410ca1f26e1 /www-ssl/admin/user.php
parent34b50a61f8ec080d66449b7c644e5098102e2145 (diff)
SQL injektion behoben
git-svn-id: svn://svn.cccv.de/engel-system@198 29ba0400-6e00-0410-a75a-ca02368028f8
Diffstat (limited to 'www-ssl/admin/user.php')
-rwxr-xr-xwww-ssl/admin/user.php10
1 files changed, 5 insertions, 5 deletions
diff --git a/www-ssl/admin/user.php b/www-ssl/admin/user.php
index 98495b99..52482992 100755
--- a/www-ssl/admin/user.php
+++ b/www-ssl/admin/user.php
@@ -15,7 +15,7 @@ if (!IsSet($_GET["enterUID"]))
echo "\n<a href=\"./user.php?enterUID=-1&Type=Secure\">Edit logout User</a><br><br>\n";
if( !isset($_GET["OrderBy"]) ) $_GET["OrderBy"] = "Nick";
- $SQL = "SELECT * FROM User ORDER BY `". $_GET["OrderBy"]. "` ASC";
+ $SQL = "SELECT * FROM `User` ORDER BY `". $_GET["OrderBy"]. "` ASC";
$Erg = mysql_query($SQL, $con);
echo mysql_error($con);
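Review bot: The ORDER BY column on the `+` line is still taken straight from `$_GET["OrderBy"]`; putting backticks around the identifier does not make it safe, because the value is neither escaped nor validated, and this is the hunk the commit title ("SQL injektion behoben") most needs to cover. A column name cannot be parameterised, so the defensible fix is a whitelist applied where the default is set, e.g. `if (!in_array($_GET["OrderBy"], array("Nick", "UID"), true)) $_GET["OrderBy"] = "Nick";` (extend the list to the `User` columns the page actually offers for sorting). The enclosing `if (!IsSet($_GET["enterUID"]))` block begins before this hunk.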
@@ -96,12 +96,12 @@ if (!IsSet($_GET["enterUID"]))
echo "\t<td>";
//check userCVS=OK
- $SQL2 = "SELECT UID FROM UserCVS WHERE (UID=". mysql_result($Erg, $n, "UID"). ")";
+ $SQL2 = "SELECT `UID` FROM `UserCVS` WHERE (`UID`='". mysql_result($Erg, $n, "UID"). "')";
$Erg2 = mysql_query($SQL2, $con);
echo mysql_error($con);
if( mysql_num_rows($Erg2)==0)
{
- $SQL3 = "INSERT INTO `UserCVS` ( `UID`) VALUES ( '". mysql_result($Erg, $n, "UID"). "');";
+ $SQL3 = "INSERT INTO `UserCVS` (`UID`) VALUES ('". mysql_result($Erg, $n, "UID"). "');";
$Erg3 = db_query($SQL3, "admin/user.php auto CVS create");
if( $Erg3 )
echo "was create<br>\n";
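Review bot: The quoted `UID` on the `+` lines of `$SQL2` and `$SQL3` is still concatenated without escaping; the value comes from the `User` result set rather than the request, so the exposure is second-order, but adding quotes is not what makes it safe. `UID` appears to be numeric (the page links with `enterUID=-1`), so read it once and cast it, `$uid = (int) mysql_result($Erg, $n, "UID");`, then use `$uid` in both statements; alternatively pass it through `mysql_real_escape_string(..., $con)`. The hunk also mixes `mysql_query` for the SELECT with `db_query` for the INSERT, so only one of the two queries goes through the logging helper. The surrounding loop body begins before and continues after this hunk.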
@@ -135,7 +135,7 @@ else
if( $_GET["Type"] == "Normal" )
{
- $SQL = "SELECT * FROM User WHERE UID=". $_GET["enterUID"];
+ $SQL = "SELECT * FROM `User` WHERE `UID`='". $_GET["enterUID"]. "'";
$Erg = mysql_query($SQL, $con);
if (mysql_num_rows($Erg) != 1)
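Review bot: Wrapping `$_GET["enterUID"]` in single quotes on the `+` line does not fix the injection the commit title describes: the request value is still concatenated into the statement unescaped, and the same pattern is repeated in the `@@ -243` hunk for `$SQL_CVS`. Since the page treats `enterUID` as a number (`enterUID=-1` in the link above), cast it once before either query is built, `$uid = (int) $_GET["enterUID"];`, and use `$uid` in place of the interpolated `$_GET["enterUID"]` in both `$SQL` and `$SQL_CVS`; if non-numeric ids are possible, `mysql_real_escape_string($_GET["enterUID"], $con)` is the minimum. The enclosing `else` branch starts before this hunk.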
@@ -243,7 +243,7 @@ else
// CVS-Rechte
echo " <tr><td><br><u>Rights of \"". UID2Nick($_GET["enterUID"]). "\":</u></td></tr>\n";
- $SQL_CVS = "SELECT * FROM `UserCVS` WHERE UID=". $_GET["enterUID"];
+ $SQL_CVS = "SELECT * FROM `UserCVS` WHERE `UID`='". $_GET["enterUID"]. "'";
$Erg_CVS = mysql_query($SQL_CVS, $con);
if( mysql_num_rows($Erg_CVS) != 1)