-rw-r--r-- | DEV/sec-notices | 1 | ||||
-rwxr-xr-x | includes/funktion_activeUser.php | 4 | ||||
-rwxr-xr-x | includes/funktion_schichtplan.php | 6 | ||||
-rwxr-xr-x | www-ssl/admin/free.php | 4 | ||||
-rwxr-xr-x | www-ssl/admin/user.php | 204 |
5 files changed, 11 insertions, 208 deletions
diff --git a/DEV/sec-notices b/DEV/sec-notices
index 5032c8a0..ec5df269 100644
--- a/DEV/sec-notices
+++ b/DEV/sec-notices
@@ -1,3 +1,2 @@
-rem hole(sql-injection) in makeuser.php (no secure.php but sql-query)
 todo: replace secure.php
diff --git a/includes/funktion_activeUser.php b/includes/funktion_activeUser.php
index 946af304..808ccf73 100755
--- a/includes/funktion_activeUser.php
+++ b/includes/funktion_activeUser.php
@@ -39,8 +39,8 @@ for( $i=0; $i<mysql_num_rows($Erg); $i++)
 if( $_SESSION['UID']>0 ) echo DisplayAvatar( mysql_result( $Erg, $i, "UID"));
 // Schow Admin Page
- if( $_SESSION['CVS'][ "admin/user.php" ] == "Y" )
- echo " <a href=\"./../admin/user.php?enterUID=". mysql_result( $Erg, $i, "UID"). "&Type=Normal\">".
+ if( $_SESSION['CVS'][ "admin/userChangeNormal.php" ] == "Y" )
+ echo " <a href=\"./../admin/userChangeNormal.php?enterUID=". mysql_result( $Erg, $i, "UID"). "&Type=Normal\">".
 mysql_result( $Erg, $i, "Nick"). "</a>";
 else
 echo mysql_result( $Erg, $i, "Nick");
diff --git a/includes/funktion_schichtplan.php b/includes/funktion_schichtplan.php
index b8babed9..ae4bf821 100755
--- a/includes/funktion_schichtplan.php
+++ b/includes/funktion_schichtplan.php
@@ -104,8 +104,8 @@ function ausgabe_Feld_Inhalt( $SID, $Man )
 foreach( $TempValue["Engel"] as $TempEngelEntry=> $TempEngelID ) {
- if( $_SESSION['CVS'][ "admin/user.php" ] == "Y" )
- $Spalten.= " <a href=\"./../admin/user.php?enterUID=$TempEngelID&Type=Normal\">";
+ if( $_SESSION['CVS'][ "admin/userChangeNormal.php" ] == "Y" )
+ $Spalten.= " <a href=\"./../admin/userChangeNormal.php?enterUID=$TempEngelID&Type=Normal\">";
 if( $_SESSION['CVS'][ "admin/schichtplan.php" ] == "Y" ) {
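Review bot: The changed `if` now gates the link on `$_SESSION['CVS'][ "admin/userChangeNormal.php" ]`, a key this commit never creates; unless the UserCVS table (the deleted user.php code in this same commit renders its columns as the per-page rights) gains a matching column and the session is rebuilt from it, the undefined index compares unequal to "Y" and the link disappears for every admin — fail-closed, but with only a PHP notice to show why. Confirm the schema change ships together with this rename. On the added `echo` line the UID from `mysql_result` still goes into the attribute raw; `"?enterUID=". (int) mysql_result( $Erg, $i, "UID"). "&amp;Type=Normal\">"` pins the expected type and uses the correct separator inside an HTML attribute. The enclosing `for` loop starts before the hunk.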
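Review bot: The added `$Spalten.=` line interpolates `$TempEngelID` straight into the href; it comes from `$TempValue["Engel"]`, which is built outside the hunk, so whether it is a trusted integer cannot be told from here. A cast makes that assumption explicit and removes the attribute-injection question regardless of where the value came from: `$Spalten.= " <a href=\"./../admin/userChangeNormal.php?enterUID=". (int) $TempEngelID. "&amp;Type=Normal\">";`. The same renamed session key as in funktion_activeUser.php is read here, so the rights column for `admin/userChangeNormal.php` has to exist before this is deployed. `ausgabe_Feld_Inhalt` starts before the hunk and continues after it.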
@@ -124,7 +124,7 @@ function ausgabe_Feld_Inhalt( $SID, $Man )
 $Spalten.= " ". UID2Nick( $TempEngelID ). ($_GET["Icon"]==1? DisplayAvatar( $TempEngelID ): ""). "<br>\n\t\t";
- if( $_SESSION['CVS'][ "admin/user.php" ] == "Y" )
+ if( $_SESSION['CVS'][ "admin/userChangeNormal.php" ] == "Y" )
 $Spalten.= " </a>";
 }
 $Spalten = substr( $Spalten, 0, strlen($Spalten)-7 );
diff --git a/www-ssl/admin/free.php b/www-ssl/admin/free.php
index cb9b1f91..1781d434 100755
--- a/www-ssl/admin/free.php
+++ b/www-ssl/admin/free.php
@@ -63,7 +63,7 @@ $inuse="";
 for ($i=0; $i < $Zeilen; $i++) {
 echo "<tr class=\"content\">\n";
- echo "<td><a href=\"./user.php?Type=Normal&enterUID=". mysql_result($Erg, $i, "UID"). "\">".
+ echo "<td><a href=\"./userChangeNormal.php?Type=Normal&enterUID=". mysql_result($Erg, $i, "UID"). "\">".
 UID2Nick(mysql_result($Erg, $i, "UID")). "</td></a>\n";
 echo "<td></td>\n";
 echo "<td>". mysql_result($Erg, $i, "RID"). "</td>\n";
@@ -92,7 +92,7 @@ $Zeilen = mysql_num_rows($Erg);
 for ($i=0; $i < $Zeilen; $i++) {
 echo "\t<tr class=\"content\">\n";
- echo "\t\t<td><a href=\"./user.php?Type=Normal&enterUID=". mysql_result($Erg, $i, "UID"). "\">".
+ echo "\t\t<td><a href=\"./userChangeNormal.php?Type=Normal&enterUID=". mysql_result($Erg, $i, "UID"). "\">".
 mysql_result($Erg, $i, "Nick"). "</a></td>\n";
 echo "\t\t<td>". mysql_result($Erg, $i, "DECT"). "</td>\n";
 echo "\n</tr>\n";
diff --git a/www-ssl/admin/user.php b/www-ssl/admin/user.php
index 5f0888e4..1b99ec4b 100755
--- a/www-ssl/admin/user.php
+++ b/www-ssl/admin/user.php
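Review bot: The `<a>` opened on the rewritten `echo` line in the first free.php hunk is closed by the following context line as `"</td></a>\n"`, so the anchor straddles the cell boundary; the second hunk in this file gets it right with `"</a></td>\n"`, and since the line is being touched anyway the pair should match: `UID2Nick(mysql_result($Erg, $i, "UID")). "</a></td>\n";`. As in the other files, `(int)` around the `mysql_result(...)` UID and `&amp;` as the query separator would make the link well-formed inside the attribute. The `for` loop continues past the hunk.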
@@ -101,206 +101,10 @@ if (!IsSet($_GET["enterUID"]))
 "<td>$Gekommen</td><td>$Active</td><td>$Tshirt</td><td></td></tr>\n";
 echo "\t</table>\n";
 // Ende Userliste
-}
-else
-{
- // UserID wurde mit uebergeben --> Aendern...
-
- echo "Hallo,<br>".
- "hier kannst du den Eintrag ändern. Unter dem Punkt 'Gekommen' ".
- "wird der Engel als anwesend markiert, ein Ja bei Aktiv bedeutet, ".
- "dass der Engel aktiv war und damit ein Anspruch auf ein T-Shirt hat. ".
- "Wenn T-Shirt ein 'Ja' enthält, bedeutet dies, dass der Engel ".
- "bereits sein T-Shirt erhalten hat.<br><br>\n";
-
- echo "<form action=\"./user2.php?action=change\" method=\"POST\">\n";
- echo "<table border=\"0\">\n";
- echo "<input type=\"hidden\" name=\"Type\" value=\"". $_GET["Type"]. "\">\n";
-
- if( $_GET["Type"] == "Normal" )
- {
- $SQL = "SELECT * FROM `User` WHERE `UID`='". $_GET["enterUID"]. "'";
- $Erg = mysql_query($SQL, $con);
-
- if (mysql_num_rows($Erg) != 1)
- echo "<tr><td>Sorry, der Engel (UID=". $_GET["enterUID"].
- ") wurde in der Liste nicht gefunden.</td></tr>";
- else
- {
- echo "<tr><td>\n";
- echo "<table>\n";
- echo " <tr><td>Nick</td><td>".
- "<input type=\"text\" size=\"40\" name=\"eNick\" value=\"".
- mysql_result($Erg, 0, "Nick")."\"></td></tr>\n";
- echo " <tr><td>lastLogIn</td><td>".
- "<input type=\"text\" size=\"20\" name=\"elastLogIn\" value=\"".
- mysql_result($Erg, 0, "lastLogIn"). "\" disabled></td></tr>\n";
- echo " <tr><td>Name</td><td>".
- "<input type=\"text\" size=\"40\" name=\"eName\" value=\"".
- mysql_result($Erg, 0, "Name")."\"></td></tr>\n";
- echo " <tr><td>Vorname</td><td>".
- "<input type=\"text\" size=\"40\" name=\"eVorname\" value=\"".
- mysql_result($Erg, 0, "Vorname")."\"></td></tr>\n";
- echo " <tr><td>Alter</td><td>".
- "<input type=\"text\" size=\"5\" name=\"eAlter\" value=\"".
- mysql_result($Erg, 0, "Alter")."\"></td></tr>\n";
- echo " <tr><td>Telefon</td><td>".
- "<input type=\"text\" size=\"40\" name=\"eTelefon\" value=\"".
- mysql_result($Erg, 0, "Telefon")."\"></td></tr>\n";
- echo " <tr><td>Handy</td><td>".
- "<input type=\"text\" size=\"40\" name=\"eHandy\" value=\"".
- mysql_result($Erg, 0, "Handy")."\"></td></tr>\n";
- echo " <tr><td>DECT</td><td>".
- "<input type=\"text\" size=\"4\" name=\"eDECT\" value=\"".
- mysql_result($Erg, 0, "DECT")."\"></td></tr>\n";
- echo " <tr><td>email</td><td>".
- "<input type=\"text\" size=\"40\" name=\"eemail\" value=\"".
- mysql_result($Erg, 0, "email")."\"></td></tr>\n";
- echo " <tr><td>ICQ</td><td>".
- "<input type=\"text\" size=\"40\" name=\"eICQ\" value=\"".
- mysql_result($Erg, 0, "ICQ")."\"></td></tr>\n";
- echo " <tr><td>jabber</td><td>".
- "<input type=\"text\" size=\"40\" name=\"ejabber\" value=\"".
- mysql_result($Erg, 0, "jabber")."\"></td></tr>\n";
- echo " <tr><td>Size</td><td>".
- "<input type=\"text\" size=\"5\" name=\"eSize\" value=\"".
- mysql_result($Erg, 0, "Size")."\"></td></tr>\n";
- echo " <tr><td>Passwort</td><td>".
- "<a href=\"./user2.php?action=newpw&eUID="
- .mysql_result($Erg, 0, "UID")."\">neues Kennwort setzen</a></td></tr>\n";
-
- // Gekommen?
- echo " <tr><td>Gekommen</td><td>\n";
- echo " <input type=\"radio\" name=\"eGekommen\" value=\"0\"";
- if (mysql_result($Erg, 0, "Gekommen")=='0')
- echo " checked";
- echo ">No \n";
- echo " <input type=\"radio\" name=\"eGekommen\" value=\"1\"";
- if (mysql_result($Erg, 0, "Gekommen")=='1')
- echo " checked";
- echo ">Yes \n";
- echo "</td></tr>\n";
-
- // Aktiv?
- echo " <tr><td>Aktiv</td><td>\n";
- echo " <input type=\"radio\" name=\"eAktiv\" value=\"0\"";
- if (mysql_result($Erg, 0, "Aktiv")=='0')
- echo " checked";
- echo ">No \n";
- echo " <input type=\"radio\" name=\"eAktiv\" value=\"1\"";
- if (mysql_result($Erg, 0, "Aktiv")=='1')
- echo " checked";
- echo ">Yes \n";
- echo "</td></tr>\n";
-
- // T-Shirt bekommen?
- echo " <tr><td>T-Shirt</td><td>\n";
- echo " <input type=\"radio\" name=\"eTshirt\" value=\"0\"";
- if (mysql_result($Erg, 0, "Tshirt")=='0')
- echo " checked";
- echo ">No \n";
- echo " <input type=\"radio\" name=\"eTshirt\" value=\"1\"";
- if (mysql_result($Erg, 0, "Tshirt")=='1')
- echo " checked";
- echo ">Yes \n";
- echo "</td></tr>\n";
-
- // Menu links/rechts
- echo " <tr><td>Menu</td><td>\n";
- echo " <input type=\"radio\" name=\"eMenu\" value=\"L\"";
- if (mysql_result($Erg, 0, "Menu")=='L')
- echo " checked";
- echo ">L \n";
- echo " <input type=\"radio\" name=\"eMenu\" value=\"R\"";
- if (mysql_result($Erg, 0, "Menu")=='R')
- echo " checked";
- echo ">R \n";
- echo "</td></tr>\n";
-
- echo " <tr><td>Hometown</td><td>".
- "<input type=\"text\" size=\"40\" name=\"Hometown\" value=\"".
- mysql_result($Erg, 0, "Hometown")."\"></td></tr>\n";
-
- echo "</table>\n</td><td valign=\"top\">". displayavatar($_GET["enterUID"], FALSE). "</td></tr>";
- }
- }//IF TYPE Normal
- if( $_GET["Type"] == "Secure" )
- {
- // CVS-Rechte
- echo " <tr><td><br><u>Rights of \"". UID2Nick($_GET["enterUID"]). "\":</u></td></tr>\n";
-
- $SQL_CVS = "SELECT * FROM `UserCVS` WHERE `UID`='". $_GET["enterUID"]. "'";
- $Erg_CVS = mysql_query($SQL_CVS, $con);
-
- if( mysql_num_rows($Erg_CVS) != 1)
- echo "Sorry, der Engel (UID=". $_GET["enterUID"]. ") wurde in der Liste nicht gefunden.";
- else
- {
- $CVS_Data = mysql_fetch_array($Erg_CVS);
- $CVS_Data_i = 1;
- foreach ($CVS_Data as $CVS_Data_Name => $CVS_Data_Value)
- {
- $CVS_Data_i++;
- //nur jeder zweiter sonst wird für jeden text noch die position (Zahl) ausgegeben
- if( $CVS_Data_i%2 && $CVS_Data_Name!="UID")
- {
- if($CVS_Data_Name=="GroupID") {
- if( $_GET["enterUID"] > 0 )
- {
- echo "<tr><td><b>Group</b></td>\n".
- "<td><select name=\"GroupID\">";
-
- $SQL_Group = "SELECT * FROM `UserGroups`";
- $Erg_Group = mysql_query($SQL_Group, $con);
- for ($n = 0 ; $n < mysql_num_rows($Erg_Group) ; $n++)
- {
- $UID = mysql_result($Erg_Group, $n, "UID");
- echo "\t<option value=\"$UID\"";
- if( $CVS_Data_Value == $UID)
- echo " selected";
- echo ">". mysql_result($Erg_Group, $n, "Name"). "</option>\n";
- }
- echo "</select></td></tr>";
- }
- } else {
- echo "<tr><td>$CVS_Data_Name</td>\n<td>";
- echo "<input type=\"radio\" name=\"".($CVS_Data_i-1)."\" value=\"Y\" ";
- if( $CVS_Data_Value == "Y" )
- echo " checked";
- echo ">allow \n";
- echo "<input type=\"radio\" name=\"".($CVS_Data_i-1)."\" value=\"N\" ";
- if( $CVS_Data_Value == "N" )
- echo " checked";
- echo ">denied \n";
- if( $_GET["enterUID"] > 0 )
- {
- echo "<input type=\"radio\" name=\"".($CVS_Data_i-1)."\" value=\"G\" ";
- if( $CVS_Data_Value == "G" )
- echo " checked";
- echo ">group-setting \n";
- echo "</td></tr>";
- }
- }
- } //IF
- } //Foreach
- echo "</td></tr>\n";
- } // IF TYPE
- }
-
- // Ende Formular
- echo "</td></tr>\n";
- echo "</table>\n<br>\n";
- echo "<input type=\"hidden\" name=\"enterUID\" value=\"". $_GET["enterUID"]. "\">\n";
- echo "<input type=\"submit\" value=\"sichern...\">\n";
- echo "</form>";
-
- if( $_GET["Type"] == "Normal" )
- {
- echo "<form action=\"./user2.php?action=delete\" method=\"POST\">\n";
- echo "<input type=\"hidden\" name=\"enterUID\" value=\"". $_GET["enterUID"]. "\">\n";
- echo "<input type=\"submit\" value=\"löschen...\">\n";
- echo "</form>";
- }
+}
+else
+{
+ echo "error";
 }
 include ("../../includes/footer.php"); |
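Review bot: The new `else` branch collapses to a bare `echo "error";` for any request that carries `enterUID`, yet the page stays reachable with that parameter (old bookmarks, anyone still holding the `admin/user.php` right), so the caller gets no hint that the editor moved; a redirect keeps old links working: `header("Location: ./userChangeNormal.php?enterUID=". (int) $_GET["enterUID"]. "&Type=Normal"); exit;` — assuming userChangeNormal.php now hosts the form, which this commit does not show. The deleted form concatenated `$_GET["enterUID"]` straight into its `SELECT ... WHERE UID='...'` strings and echoed `$_GET["Type"]` and `$_GET["enterUID"]` into hidden fields unescaped; if that code was moved verbatim rather than rewritten, the injection points moved with it and should be checked in the new file before this rename is taken as a fix. The outer `if (!IsSet($_GET["enterUID"]))` begins before the hunk.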