author | cookie <cookie@29ba0400-6e00-0410-a75a-ca02368028f8> | 2007-12-29 17:35:39 +0000 |
---|---|---|
committer | cookie <cookie@29ba0400-6e00-0410-a75a-ca02368028f8> | 2007-12-29 17:35:39 +0000 |
commit | f58879ba0d276b61261258345e82b520f6674107 (patch) | |
tree | b3bd41c311d5d574114f917d9cb387f77223daa0 /www-ssl | |
parent | 4ef096e8439bda25ca165e8a1a363040d7e8063d (diff) |
bugfix und security
git-svn-id: svn://svn.cccv.de/engel-system@265 29ba0400-6e00-0410-a75a-ca02368028f8
Diffstat (limited to 'www-ssl')
-rwxr-xr-x | www-ssl/admin/UserPicture.php | 26 | ||||
-rwxr-xr-x | www-ssl/nonpublic/schichtplan_add.php | 78 |
2 files changed, 66 insertions, 38 deletions
diff --git a/www-ssl/admin/UserPicture.php b/www-ssl/admin/UserPicture.php
index 1aa74360..7871338b 100755
--- a/www-ssl/admin/UserPicture.php
+++ b/www-ssl/admin/UserPicture.php
@@ -12,7 +12,7 @@ if( IsSet($_GET["action"]) )
 switch ($_GET["action"])
 {
 case 'FormUpload':
- echo "Hier kannst Du ein Foto hochladen für:";
+ echo "Hier kannst Du ein Foto hochladen för:";
 echo "<form action=\"./UserPicture.php?action=sendPicture\" method=\"post\" enctype=\"multipart/form-data\">\n";
 echo "\t<select name=\"UID\">\n";
 $usql="SELECT * FROM `User` ORDER BY `Nick`";
@@ -76,13 +76,13 @@ if( IsSet($_GET["action"]) )
 echo "Fehlerhafter Aufruf";
 break;
 case 'del':
- echo "Wollen Sie das Bild von '". UID2Nick( $_GET["UID"]). "' wirklich löschen? ".
+ echo "Wollen Sie das Bild von '". UID2Nick( $_GET["UID"]). "' wirklich löschen? ".
 "<a href=\"./UserPicture.php?action=delYes&UID=". $_GET["UID"]. "\">Yes</a>";
 break;
 case 'delYes':
 if (IsSet($_GET["UID"]))
 {
- echo "Bild von '". UID2Nick( $_GET["UID"]). "' wurde gelöscht:<br>";
+ echo "Bild von '". UID2Nick( $_GET["UID"]). "' wurde gelöscht:<br>";
 $SQL = "DELETE FROM `UserPicture` WHERE `UID`='". $_GET["UID"]. "' LIMIT 1";
 }
 else
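Review bot: The changed 'FormUpload' line now reads `för` where the old line read `für`; unless the page rendering is misleading, the re-encoding of the message introduced a spelling error and the line should be `echo "Hier kannst Du ein Foto hochladen für:";`. The other three strings changed in this file render identically before and after, so this is the only one whose visible wording changes. The switch body this line belongs to continues outside the hunk.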
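Review bot: The changed `case 'del'` line still passes the raw `$_GET["UID"]` to UID2Nick, the context line after it copies the same value into the `delYes` link, and three lines further down it is concatenated into the DELETE statement; the commit only re-encodes the message text, so the identifier reaches the query unvalidated. Since the UID is presumably a numeric key (not visible here), coercing it once at the top of the case with `$uid = (int) $_GET["UID"];` and using `$uid` in both the link and `$SQL = "DELETE FROM `UserPicture` WHERE `UID`='". $uid. "' LIMIT 1";` would close that, with `mysql_real_escape_string()` as the fallback if it can be non-numeric. Separately, `delYes` performs the deletion on a plain GET link, so any page that can make the admin's browser follow that URL deletes the picture; a POST form with a per-session token is the usual mitigation. The enclosing switch starts before this hunk and ends after it.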
@@ -121,24 +121,24 @@ echo "<tr class=\"contenttopic\">\n";
 echo "\t<td>User</td>\n";
 echo "\t<td>Bild</td>\n";
 echo "\t<td>Status</td>\n";
-echo "\t<td>Löschen</td>\n";
+echo "\t<td>Löschen</td>\n";
 echo "</tr>";
 for( $t = 0; $t < mysql_num_rows($Erg); $t++ )
 {
- $UID = mysql_result($Erg, $t, "UID");
+ $UIDs = mysql_result($Erg, $t, "UID");
 echo "\t<tr class=\"content\">\n";
 echo "\t\t<td>". UID2Nick(mysql_result($Erg, $t, "UID")). "</td>\n";
- echo "\t\t<td>". displayPictur( $UID, 0). "</td>\n";
+ echo "\t\t<td>". displayPictur( $UIDs, 0). "</td>\n";
- if( GetPicturShow( $UID) == "Y")
- echo "\t\t<td><a href=\"./UserPicture.php?action=SetN&UID=$UID\">sperren</a></td>\n";
- elseif( GetPicturShow( $UID) == "N")
- echo "\t\t<td><a href=\"./UserPicture.php?action=SetY&UID=$UID\">freigeben</a></td>\n";
+ if( GetPicturShow( $UIDs) == "Y")
+ echo "\t\t<td><a href=\"./UserPicture.php?action=SetN&UID=$UIDs\">sperren</a></td>\n";
+ elseif( GetPicturShow( $UIDs) == "N")
+ echo "\t\t<td><a href=\"./UserPicture.php?action=SetY&UID=$UIDs\">freigeben</a></td>\n";
 else
- echo "\t\t<td>ERROR: show='". GetPicturShow( $UID). "'</td>\n";
- echo "\t\t<td><a href=\"./UserPicture.php?action=del&UID=$UID\">del</a></td>\n";
+ echo "\t\t<td>ERROR: show='". GetPicturShow( $UIDs). "'</td>\n";
+ echo "\t\t<td><a href=\"./UserPicture.php?action=del&UID=$UIDs\">del</a></td>\n";
 echo "\t</tr>\n";
 } // ende Auflistung Raeume
 echo "</table>";
@@ -146,4 +146,4 @@ echo "</table>";
 echo "<br><a href=\"./UserPicture.php?action=FormUpload\">picture upload</a>\n";
 include ("./inc/footer.php");
-?>
+?>
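Review bot: The loop variable is renamed from `$UID` to `$UIDs`, but it still holds a single row's id, so the plural name misleads the next reader; `$rowUID` or `$listUID` would say what it is. The rename looks like it exists to stop the loop from overwriting a `$UID` that is set elsewhere (presumably the logged-in user's id, which is not visible in this hunk); if so, that reason belongs in a comment on the assignment, e.g. `// do not reuse $UID here: it holds the current user's id outside this loop`. The value now interpolated into the SetN/SetY/del links comes from the database rather than the request, so the rename itself does not change the trust boundary.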
\ No newline at end of file
diff --git a/www-ssl/nonpublic/schichtplan_add.php b/www-ssl/nonpublic/schichtplan_add.php
index 6e226e35..d5ae50f7 100755
--- a/www-ssl/nonpublic/schichtplan_add.php
+++ b/www-ssl/nonpublic/schichtplan_add.php
@@ -15,6 +15,12 @@ if (isset($_POST["newtext"]) && isset($_POST["SID"]) && isset($_POST["TID"])) {
 $beginSchicht = mysql_result($ShiftErg, 0, "DateS");
 $endSchicht = mysql_result($ShiftErg, 0, "DateE");
+ //wenn keien rechte definiert sind
+ if( !isset($_SESSION['CVS'][ $TID2Name[$_POST["TID"]] ]))
+ $_SESSION['CVS'][ $TID2Name[$_POST["TID"]] ] = "Y";
+
+ if( $_SESSION['CVS'][ $TID2Name[$_POST["TID"]] ] == "Y")
+ {
 // Ueberpruefung, ob der Engel bereits für eine Schicht zu dieser Zeit eingetragen ist
 $SSQL="SELECT * FROM `Shifts`".
 " INNER JOIN `ShiftEntry` ON `ShiftEntry`.`SID` = `Shifts`.`SID`".
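Review bot: The new permission check fails open: when no entry exists in `$_SESSION['CVS']` for the angel type it writes `"Y"` into the session and then allows the registration, so a type for which no right was ever configured is always permitted, and a `TID` that is not a key of `$TID2Name` resolves to a null index (key `""`) that is likewise created as `"Y"` and shared by every unknown TID. The same pattern is repeated for `$_GET["TID"]` in the next hunk of this file. If types without a configured right are deliberately open to everyone, that should be stated in the comment and the default kept in a local variable rather than written into the session; otherwise the check should derive a local `$allowed` that is false for missing rights and unknown TIDs, as below. The enclosing `if (isset($_POST[...]))` block starts before this hunk and ends after it.
```php
 $typeName = isset($TID2Name[$_POST["TID"]]) ? $TID2Name[$_POST["TID"]] : "";
 // fail closed: an unknown TID or a type without a configured right is not permitted
 $allowed = ($typeName !== "" && isset($_SESSION['CVS'][$typeName]) && $_SESSION['CVS'][$typeName] == "Y");
 if( $allowed )
 {
 // … unchanged: overlap check and shift entry …
```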
@@ -57,40 +63,62 @@ if (isset($_POST["newtext"]) && isset($_POST["SID"]) && isset($_POST["TID"])) {
 }//TO Many USERS
 }//Allready in Shift
+ }
+ else
+ {
+ echo "<h1>:-(</h1>";
+ array_push($error_messages, "Hack atteck\n");
+ }
 }
-elseif (isset($_GET["SID"]) && isset($_GET["TID"])) {
- echo Get_Text("pub_schichtplan_add_Text1"). "<br><br>\n\n".
- "<form action=\"./schichtplan_add.php\" method=\"post\">\n".
- "<table border=\"0\">\n";
+elseif (isset($_GET["SID"]) && isset($_GET["TID"]))
+{
+ //wenn keien rechte definiert sind
+ if( !isset($_SESSION['CVS'][ $TID2Name[$_GET["TID"]] ]))
+ $_SESSION['CVS'][ $TID2Name[$_GET["TID"]] ] = "Y";
+
+
- $SQL = "SELECT * FROM `Shifts` WHERE ";
- $SQL .="(`SID` = '". $_GET["SID"]. "')";
- $Erg = mysql_query($SQL, $con);
+ if( $_SESSION['CVS'][ $TID2Name[$_GET["TID"]] ] == "Y")
+ {
+
+ echo Get_Text("pub_schichtplan_add_Text1"). "<br><br>\n\n".
+ "<form action=\"./schichtplan_add.php\" method=\"post\">\n".
+ "<table border=\"0\">\n";
+
+ $SQL = "SELECT * FROM `Shifts` WHERE ";
+ $SQL .="(`SID` = '". $_GET["SID"]. "')";
+ $Erg = mysql_query($SQL, $con);
- echo "<tr><td>". Get_Text("pub_schichtplan_add_Date"). ":</td> <td>".
- mysql_result($Erg, 0, "DateS"). "</td></tr>\n";
+ echo "<tr><td>". Get_Text("pub_schichtplan_add_Date"). ":</td> <td>".
+ mysql_result($Erg, 0, "DateS"). "</td></tr>\n";
- echo "<tr><td>". Get_Text("pub_schichtplan_add_Place"). ":</td> <td>".
- $RoomID[ mysql_result($Erg, 0, "RID") ]. "</td></tr>\n";
+ echo "<tr><td>". Get_Text("pub_schichtplan_add_Place"). ":</td> <td>".
+ $RoomID[ mysql_result($Erg, 0, "RID") ]. "</td></tr>\n";
- echo "<tr><td>". Get_Text("pub_schichtplan_add_Job"). ":</td> <td>".
- $EngelTypeID[$_GET["TID"]]. "</td></tr>\n";
+ echo "<tr><td>". Get_Text("pub_schichtplan_add_Job"). ":</td> <td>".
+ $EngelTypeID[$_GET["TID"]]. "</td></tr>\n";
- echo "<tr><td>". Get_Text("pub_schichtplan_add_Len"). ":</td> <td>".
- mysql_result($Erg, 0, "Len"). "h</td></tr>\n";
+ echo "<tr><td>". Get_Text("pub_schichtplan_add_Len"). ":</td> <td>".
+ mysql_result($Erg, 0, "Len"). "h</td></tr>\n";
- echo "<tr><td>". Get_Text("pub_schichtplan_add_TextFor"). ":</td> <td>".
- mysql_result($Erg, 0, "Man"). "</td></tr>\n";
+ echo "<tr><td>". Get_Text("pub_schichtplan_add_TextFor"). ":</td> <td>".
+ mysql_result($Erg, 0, "Man"). "</td></tr>\n";
- echo "<tr><td valign='top'>". Get_Text("pub_schichtplan_add_Comment"). ":</td>\n <td>".
- "<textarea name='newtext' cols='50' rows='10'></textarea> </td></tr>\n";
+ echo "<tr><td valign='top'>". Get_Text("pub_schichtplan_add_Comment"). ":</td>\n <td>".
+ "<textarea name='newtext' cols='50' rows='10'></textarea> </td></tr>\n";
- echo "<tr><td> </td>\n".
- "<td><input type=\"submit\" value=\"". Get_Text("pub_schichtplan_add_submit"). "\"> </td></tr>\n".
- "</table>\n".
- "<input type=\"hidden\" name=\"SID\" value=\"". $_GET["SID"]. "\">\n".
- "<input type=\"hidden\" name=\"TID\" value=\"". $_GET["TID"]. "\">\n".
- "</form>";
+ echo "<tr><td> </td>\n".
+ "<td><input type=\"submit\" value=\"". Get_Text("pub_schichtplan_add_submit"). "\"> </td></tr>\n".
+ "</table>\n".
+ "<input type=\"hidden\" name=\"SID\" value=\"". $_GET["SID"]. "\">\n".
+ "<input type=\"hidden\" name=\"TID\" value=\"". $_GET["TID"]. "\">\n".
+ "</form>";
+ }
+ else
+ {
+ echo "<h1>:-(</h1>";
+ array_push($error_messages, "Hack atteck\n");
+ }
 } |
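Review bot: The re-indented lines inside the new `== "Y"` branch are new-side code and still concatenate `$_GET["SID"]` straight into the Shifts query and write `$_GET["SID"]` and `$_GET["TID"]` verbatim into the hidden form fields, so the permission gate added here does not limit what a permitted user can put into the query or the page. The query line should be `$SQL .="(`SID` = '". mysql_real_escape_string($_GET["SID"]). "')";` (or an `(int)` cast if SID is numeric), and the two hidden inputs should wrap their values in `htmlspecialchars()`. The denial message pushed in both new `else` branches is misspelled: `"Hack atteck\n"` should read `"Hack attack\n"` if it is shown to users via `$error_messages`. The `if`/`elseif` chain this hunk closes starts before the first hunk of this file.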