-rw-r--r--DEV/sec-notices1
-rwxr-xr-xincludes/funktion_activeUser.php4
-rwxr-xr-xincludes/funktion_schichtplan.php6
-rwxr-xr-xwww-ssl/admin/free.php4
-rwxr-xr-xwww-ssl/admin/user.php204
5 files changed, 11 insertions, 208 deletions
diff --git a/DEV/sec-notices b/DEV/sec-notices
index 5032c8a0..ec5df269 100644
--- a/DEV/sec-notices
+++ b/DEV/sec-notices
@@ -1,3 +1,2 @@
-rem hole(sql-injection) in makeuser.php (no secure.php but sql-query)
todo: replace secure.php
diff --git a/includes/funktion_activeUser.php b/includes/funktion_activeUser.php
index 946af304..808ccf73 100755
--- a/includes/funktion_activeUser.php
+++ b/includes/funktion_activeUser.php
@@ -39,8 +39,8 @@ for( $i=0; $i<mysql_num_rows($Erg); $i++)
if( $_SESSION['UID']>0 )
echo DisplayAvatar( mysql_result( $Erg, $i, "UID"));
// Schow Admin Page
- if( $_SESSION['CVS'][ "admin/user.php" ] == "Y" )
- echo " <a href=\"./../admin/user.php?enterUID=". mysql_result( $Erg, $i, "UID"). "&Type=Normal\">".
+ if( $_SESSION['CVS'][ "admin/userChangeNormal.php" ] == "Y" )
+ echo " <a href=\"./../admin/userChangeNormal.php?enterUID=". mysql_result( $Erg, $i, "UID"). "&Type=Normal\">".
mysql_result( $Erg, $i, "Nick"). "</a>";
else
echo mysql_result( $Erg, $i, "Nick");
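Review bot: The new permission key `admin/userChangeNormal.php` on the `if` line is read from `$_SESSION['CVS']`, but nothing in this commit adds that key where the array is populated; if, as the removed `UserCVS` form in user.php suggests, the keys mirror `UserCVS` column names, the rename needs a matching schema change, and until it lands the index is undefined and the `== "Y"` comparison fails silently, hiding the admin link for everyone. The same key is introduced in both funktion_schichtplan.php hunks. A guard such as `if( isset($_SESSION['CVS']["admin/userChangeNormal.php"]) && $_SESSION['CVS']["admin/userChangeNormal.php"] == "Y" )` would at least avoid the undefined-index notice, and a one-line comment naming where the key is defined would help the next rename. The enclosing `for` loop starts before the hunk.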
diff --git a/includes/funktion_schichtplan.php b/includes/funktion_schichtplan.php
index b8babed9..ae4bf821 100755
--- a/includes/funktion_schichtplan.php
+++ b/includes/funktion_schichtplan.php
@@ -104,8 +104,8 @@ function ausgabe_Feld_Inhalt( $SID, $Man )
foreach( $TempValue["Engel"] as $TempEngelEntry=> $TempEngelID )
{
- if( $_SESSION['CVS'][ "admin/user.php" ] == "Y" )
- $Spalten.= " <a href=\"./../admin/user.php?enterUID=$TempEngelID&Type=Normal\">";
+ if( $_SESSION['CVS'][ "admin/userChangeNormal.php" ] == "Y" )
+ $Spalten.= " <a href=\"./../admin/userChangeNormal.php?enterUID=$TempEngelID&Type=Normal\">";
if( $_SESSION['CVS'][ "admin/schichtplan.php" ] == "Y" )
{
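Review bot: The added link line interpolates `$TempEngelID` straight into an href attribute with no escaping, and the literal `&` before `Type=Normal` is unescaped inside the attribute; if the ID is always an integer from the database this is harmless, but nothing visible here establishes that. Making it explicit with `$Spalten.= " <a href=\"./../admin/userChangeNormal.php?enterUID=". (int) $TempEngelID. "&amp;Type=Normal\">";` removes the doubt. The closing `</a>` is emitted under the same key check in the second hunk, so the open/close pairing stays consistent. ausgabe_Feld_Inhalt begins before the hunk.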
@@ -124,7 +124,7 @@ function ausgabe_Feld_Inhalt( $SID, $Man )
$Spalten.= "&nbsp;&nbsp;". UID2Nick( $TempEngelID ).
($_GET["Icon"]==1? DisplayAvatar( $TempEngelID ): "").
"<br>\n\t\t";
- if( $_SESSION['CVS'][ "admin/user.php" ] == "Y" )
+ if( $_SESSION['CVS'][ "admin/userChangeNormal.php" ] == "Y" )
$Spalten.= " </a>";
}
$Spalten = substr( $Spalten, 0, strlen($Spalten)-7 );
diff --git a/www-ssl/admin/free.php b/www-ssl/admin/free.php
index cb9b1f91..1781d434 100755
--- a/www-ssl/admin/free.php
+++ b/www-ssl/admin/free.php
@@ -63,7 +63,7 @@ $inuse="";
for ($i=0; $i < $Zeilen; $i++)
{
echo "<tr class=\"content\">\n";
- echo "<td><a href=\"./user.php?Type=Normal&enterUID=". mysql_result($Erg, $i, "UID"). "\">".
+ echo "<td><a href=\"./userChangeNormal.php?Type=Normal&enterUID=". mysql_result($Erg, $i, "UID"). "\">".
UID2Nick(mysql_result($Erg, $i, "UID")). "</td></a>\n";
echo "<td></td>\n";
echo "<td>". mysql_result($Erg, $i, "RID"). "</td>\n";
@@ -92,7 +92,7 @@ $Zeilen = mysql_num_rows($Erg);
for ($i=0; $i < $Zeilen; $i++)
{
echo "\t<tr class=\"content\">\n";
- echo "\t\t<td><a href=\"./user.php?Type=Normal&enterUID=". mysql_result($Erg, $i, "UID"). "\">".
+ echo "\t\t<td><a href=\"./userChangeNormal.php?Type=Normal&enterUID=". mysql_result($Erg, $i, "UID"). "\">".
mysql_result($Erg, $i, "Nick"). "</a></td>\n";
echo "\t\t<td>". mysql_result($Erg, $i, "DECT"). "</td>\n";
echo "\n</tr>\n";
diff --git a/www-ssl/admin/user.php b/www-ssl/admin/user.php
index 5f0888e4..1b99ec4b 100755
--- a/www-ssl/admin/user.php
+++ b/www-ssl/admin/user.php
@@ -101,206 +101,10 @@ if (!IsSet($_GET["enterUID"]))
"<td>$Gekommen</td><td>$Active</td><td>$Tshirt</td><td></td></tr>\n";
echo "\t</table>\n";
// Ende Userliste
-}
-else
-{
- // UserID wurde mit uebergeben --> Aendern...
-
- echo "Hallo,<br>".
- "hier kannst du den Eintrag &auml;ndern. Unter dem Punkt 'Gekommen' ".
- "wird der Engel als anwesend markiert, ein Ja bei Aktiv bedeutet, ".
- "dass der Engel aktiv war und damit ein Anspruch auf ein T-Shirt hat. ".
- "Wenn T-Shirt ein 'Ja' enth&auml;lt, bedeutet dies, dass der Engel ".
- "bereits sein T-Shirt erhalten hat.<br><br>\n";
-
- echo "<form action=\"./user2.php?action=change\" method=\"POST\">\n";
- echo "<table border=\"0\">\n";
- echo "<input type=\"hidden\" name=\"Type\" value=\"". $_GET["Type"]. "\">\n";
-
- if( $_GET["Type"] == "Normal" )
- {
- $SQL = "SELECT * FROM `User` WHERE `UID`='". $_GET["enterUID"]. "'";
- $Erg = mysql_query($SQL, $con);
-
- if (mysql_num_rows($Erg) != 1)
- echo "<tr><td>Sorry, der Engel (UID=". $_GET["enterUID"].
- ") wurde in der Liste nicht gefunden.</td></tr>";
- else
- {
- echo "<tr><td>\n";
- echo "<table>\n";
- echo " <tr><td>Nick</td><td>".
- "<input type=\"text\" size=\"40\" name=\"eNick\" value=\"".
- mysql_result($Erg, 0, "Nick")."\"></td></tr>\n";
- echo " <tr><td>lastLogIn</td><td>".
- "<input type=\"text\" size=\"20\" name=\"elastLogIn\" value=\"".
- mysql_result($Erg, 0, "lastLogIn"). "\" disabled></td></tr>\n";
- echo " <tr><td>Name</td><td>".
- "<input type=\"text\" size=\"40\" name=\"eName\" value=\"".
- mysql_result($Erg, 0, "Name")."\"></td></tr>\n";
- echo " <tr><td>Vorname</td><td>".
- "<input type=\"text\" size=\"40\" name=\"eVorname\" value=\"".
- mysql_result($Erg, 0, "Vorname")."\"></td></tr>\n";
- echo " <tr><td>Alter</td><td>".
- "<input type=\"text\" size=\"5\" name=\"eAlter\" value=\"".
- mysql_result($Erg, 0, "Alter")."\"></td></tr>\n";
- echo " <tr><td>Telefon</td><td>".
- "<input type=\"text\" size=\"40\" name=\"eTelefon\" value=\"".
- mysql_result($Erg, 0, "Telefon")."\"></td></tr>\n";
- echo " <tr><td>Handy</td><td>".
- "<input type=\"text\" size=\"40\" name=\"eHandy\" value=\"".
- mysql_result($Erg, 0, "Handy")."\"></td></tr>\n";
- echo " <tr><td>DECT</td><td>".
- "<input type=\"text\" size=\"4\" name=\"eDECT\" value=\"".
- mysql_result($Erg, 0, "DECT")."\"></td></tr>\n";
- echo " <tr><td>email</td><td>".
- "<input type=\"text\" size=\"40\" name=\"eemail\" value=\"".
- mysql_result($Erg, 0, "email")."\"></td></tr>\n";
- echo " <tr><td>ICQ</td><td>".
- "<input type=\"text\" size=\"40\" name=\"eICQ\" value=\"".
- mysql_result($Erg, 0, "ICQ")."\"></td></tr>\n";
- echo " <tr><td>jabber</td><td>".
- "<input type=\"text\" size=\"40\" name=\"ejabber\" value=\"".
- mysql_result($Erg, 0, "jabber")."\"></td></tr>\n";
- echo " <tr><td>Size</td><td>".
- "<input type=\"text\" size=\"5\" name=\"eSize\" value=\"".
- mysql_result($Erg, 0, "Size")."\"></td></tr>\n";
- echo " <tr><td>Passwort</td><td>".
- "<a href=\"./user2.php?action=newpw&eUID="
- .mysql_result($Erg, 0, "UID")."\">neues Kennwort setzen</a></td></tr>\n";
-
- // Gekommen?
- echo " <tr><td>Gekommen</td><td>\n";
- echo " <input type=\"radio\" name=\"eGekommen\" value=\"0\"";
- if (mysql_result($Erg, 0, "Gekommen")=='0')
- echo " checked";
- echo ">No \n";
- echo " <input type=\"radio\" name=\"eGekommen\" value=\"1\"";
- if (mysql_result($Erg, 0, "Gekommen")=='1')
- echo " checked";
- echo ">Yes \n";
- echo "</td></tr>\n";
-
- // Aktiv?
- echo " <tr><td>Aktiv</td><td>\n";
- echo " <input type=\"radio\" name=\"eAktiv\" value=\"0\"";
- if (mysql_result($Erg, 0, "Aktiv")=='0')
- echo " checked";
- echo ">No \n";
- echo " <input type=\"radio\" name=\"eAktiv\" value=\"1\"";
- if (mysql_result($Erg, 0, "Aktiv")=='1')
- echo " checked";
- echo ">Yes \n";
- echo "</td></tr>\n";
-
- // T-Shirt bekommen?
- echo " <tr><td>T-Shirt</td><td>\n";
- echo " <input type=\"radio\" name=\"eTshirt\" value=\"0\"";
- if (mysql_result($Erg, 0, "Tshirt")=='0')
- echo " checked";
- echo ">No \n";
- echo " <input type=\"radio\" name=\"eTshirt\" value=\"1\"";
- if (mysql_result($Erg, 0, "Tshirt")=='1')
- echo " checked";
- echo ">Yes \n";
- echo "</td></tr>\n";
-
- // Menu links/rechts
- echo " <tr><td>Menu</td><td>\n";
- echo " <input type=\"radio\" name=\"eMenu\" value=\"L\"";
- if (mysql_result($Erg, 0, "Menu")=='L')
- echo " checked";
- echo ">L \n";
- echo " <input type=\"radio\" name=\"eMenu\" value=\"R\"";
- if (mysql_result($Erg, 0, "Menu")=='R')
- echo " checked";
- echo ">R \n";
- echo "</td></tr>\n";
-
- echo " <tr><td>Hometown</td><td>".
- "<input type=\"text\" size=\"40\" name=\"Hometown\" value=\"".
- mysql_result($Erg, 0, "Hometown")."\"></td></tr>\n";
-
- echo "</table>\n</td><td valign=\"top\">". displayavatar($_GET["enterUID"], FALSE). "</td></tr>";
- }
- }//IF TYPE Normal
- if( $_GET["Type"] == "Secure" )
- {
- // CVS-Rechte
- echo " <tr><td><br><u>Rights of \"". UID2Nick($_GET["enterUID"]). "\":</u></td></tr>\n";
-
- $SQL_CVS = "SELECT * FROM `UserCVS` WHERE `UID`='". $_GET["enterUID"]. "'";
- $Erg_CVS = mysql_query($SQL_CVS, $con);
-
- if( mysql_num_rows($Erg_CVS) != 1)
- echo "Sorry, der Engel (UID=". $_GET["enterUID"]. ") wurde in der Liste nicht gefunden.";
- else
- {
- $CVS_Data = mysql_fetch_array($Erg_CVS);
- $CVS_Data_i = 1;
- foreach ($CVS_Data as $CVS_Data_Name => $CVS_Data_Value)
- {
- $CVS_Data_i++;
- //nur jeder zweiter sonst wird für jeden text noch die position (Zahl) ausgegeben
- if( $CVS_Data_i%2 && $CVS_Data_Name!="UID")
- {
- if($CVS_Data_Name=="GroupID") {
- if( $_GET["enterUID"] > 0 )
- {
- echo "<tr><td><b>Group</b></td>\n".
- "<td><select name=\"GroupID\">";
-
- $SQL_Group = "SELECT * FROM `UserGroups`";
- $Erg_Group = mysql_query($SQL_Group, $con);
- for ($n = 0 ; $n < mysql_num_rows($Erg_Group) ; $n++)
- {
- $UID = mysql_result($Erg_Group, $n, "UID");
- echo "\t<option value=\"$UID\"";
- if( $CVS_Data_Value == $UID)
- echo " selected";
- echo ">". mysql_result($Erg_Group, $n, "Name"). "</option>\n";
- }
- echo "</select></td></tr>";
- }
- } else {
- echo "<tr><td>$CVS_Data_Name</td>\n<td>";
- echo "<input type=\"radio\" name=\"".($CVS_Data_i-1)."\" value=\"Y\" ";
- if( $CVS_Data_Value == "Y" )
- echo " checked";
- echo ">allow \n";
- echo "<input type=\"radio\" name=\"".($CVS_Data_i-1)."\" value=\"N\" ";
- if( $CVS_Data_Value == "N" )
- echo " checked";
- echo ">denied \n";
- if( $_GET["enterUID"] > 0 )
- {
- echo "<input type=\"radio\" name=\"".($CVS_Data_i-1)."\" value=\"G\" ";
- if( $CVS_Data_Value == "G" )
- echo " checked";
- echo ">group-setting \n";
- echo "</td></tr>";
- }
- }
- } //IF
- } //Foreach
- echo "</td></tr>\n";
- } // IF TYPE
- }
-
- // Ende Formular
- echo "</td></tr>\n";
- echo "</table>\n<br>\n";
- echo "<input type=\"hidden\" name=\"enterUID\" value=\"". $_GET["enterUID"]. "\">\n";
- echo "<input type=\"submit\" value=\"sichern...\">\n";
- echo "</form>";
-
- if( $_GET["Type"] == "Normal" )
- {
- echo "<form action=\"./user2.php?action=delete\" method=\"POST\">\n";
- echo "<input type=\"hidden\" name=\"enterUID\" value=\"". $_GET["enterUID"]. "\">\n";
- echo "<input type=\"submit\" value=\"l&ouml;schen...\">\n";
- echo "</form>";
- }
+}
+else
+{
+ echo "error";
}
include ("../../includes/footer.php");
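Review bot: The new else branch reduces the `enterUID` path to `echo "error";`, so any bookmark or link that still points at `user.php?enterUID=…` gets a bare word with a 200 response and no pointer to the page that now handles editing. The links in the other four files are retargeted to `admin/userChangeNormal.php`, yet that file is not among the five in this commit, so it presumably arrives separately; a short message naming the replacement, for example `echo "Editing has moved to userChangeNormal.php";`, or a redirect issued before any output, would be clearer than `error`, and a comment such as `// edit form moved to userChangeNormal.php` would record why this branch is a stub. The enclosing `if (!IsSet($_GET["enterUID"]))` begins before the hunk.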