SQL injektion behoben

git-svn-id: svn://svn.cccv.de/engel-system@196 29ba0400-6e00-0410-a75a-ca02368028f8

2 files changed, 4 insertions, 4 deletions

diff --git a/www-ssl/nonpublic/index.php b/www-ssl/nonpublic/index.php
index b65dd9c4..20b32c00 100755
--- a/www-ssl/nonpublic/index.php
+++ b/www-ssl/nonpublic/index.php
@@ -54,7 +54,7 @@ else
 			$_SESSION['IP'] = $_SERVER['REMOTE_ADDR'];
 		
 			// CVS import Data
-			$SQL = "SELECT * FROM `UserCVS` WHERE UID=".$_SESSION['UID'];
+			$SQL = "SELECT * FROM `UserCVS` WHERE UID='".$_SESSION['UID']."'";
 			$Erg_CVS =  mysql_query($SQL, $con);
 			$_SESSION['CVS'] = mysql_fetch_array($Erg_CVS);
 			
diff --git a/www-ssl/nonpublic/messages.php b/www-ssl/nonpublic/messages.php
index 09aa9b7f..ab6e5402 100755
--- a/www-ssl/nonpublic/messages.php
+++ b/www-ssl/nonpublic/messages.php
@@ -17,7 +17,7 @@ switch( $_GET["action"])
 		//#####################
 		//show exist Messages
 		//#####################
-		$SQL = "SELECT * FROM `Messages` WHERE `SUID`=". $_SESSION["UID"]. " OR `RUID`=". $_SESSION["UID"];
+		$SQL = "SELECT * FROM `Messages` WHERE `SUID`='". $_SESSION["UID"]. "' OR `RUID`='". $_SESSION["UID"]. "'";
 		$erg = mysql_query($SQL, $con);
 	
 		echo "<table border=\"0\" class=\"border\" cellpadding=\"2\" cellspacing=\"1\">\n";
@@ -100,7 +100,7 @@ switch( $_GET["action"])
 	
 	case "MarkRead":
 		$SQL = "UPDATE `Messages` SET `isRead` = 'Y' ".
-			"WHERE `Datum` = '". $_GET["Datum"]. "' AND `RUID`=". $_SESSION["UID"]. " ".
+			"WHERE `Datum` = '". $_GET["Datum"]. "' AND `RUID`='". $_SESSION["UID"]. "' ".
 			"LIMIT 1 ;";
 		$Erg = mysql_query($SQL, $con);
 		if ($Erg == 1) 
@@ -111,7 +111,7 @@ switch( $_GET["action"])
 	
 	case "DelMsg":
 		$SQL = "DELETE FROM `Messages` ".
-			"WHERE `Datum` = '". $_GET["Datum"]. "' AND `RUID` = ". $_SESSION["UID"]. " ".
+			"WHERE `Datum` = '". $_GET["Datum"]. "' AND `RUID` ='". $_SESSION["UID"]. "' ".
 			"LIMIT 1;";
 		$Erg = mysql_query($SQL, $con);
 		if ($Erg == 1)