From 6bede2fd229395f34c321a37efa2ea93e7b1a7ba Mon Sep 17 00:00:00 2001
From: Philip Häusler <msquare@notrademark.de>
Date: Sun, 28 Dec 2014 13:44:56 +0100
Subject: harden the sql queries

---
 includes/controller/shifts_controller.php | 2 +-
 includes/controller/users_controller.php  | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

(limited to 'includes/controller')

diff --git a/includes/controller/shifts_controller.php b/includes/controller/shifts_controller.php
index 90753217..9982388e 100644
--- a/includes/controller/shifts_controller.php
+++ b/includes/controller/shifts_controller.php
@@ -145,7 +145,7 @@ function shifts_json_export_controller() {
         INNER JOIN `Shifts` ON (`ShiftEntry`.`SID` = `Shifts`.`SID`) 
         INNER JOIN `ShiftTypes` ON (`Shifts`.`shifttype_id`=`ShiftTypes`.`id`)
         INNER JOIN `Room` ON (`Shifts`.`RID` = `Room`.`RID`) 
-        WHERE `UID`=" . sql_escape($user['UID']) . " 
+        WHERE `UID`='" . sql_escape($user['UID']) . "' 
         ORDER BY `start`");
   }
   
diff --git a/includes/controller/users_controller.php b/includes/controller/users_controller.php
index 484d9912..7810ce77 100644
--- a/includes/controller/users_controller.php
+++ b/includes/controller/users_controller.php
@@ -74,14 +74,14 @@ function user_controller() {
   $shifts = Shifts_by_user($user_source);
   foreach ($shifts as &$shift) {
     // TODO: Move queries to model
-    $shift['needed_angeltypes'] = sql_select("SELECT DISTINCT `AngelTypes`.* FROM `ShiftEntry` JOIN `AngelTypes` ON `ShiftEntry`.`TID`=`AngelTypes`.`id` WHERE `ShiftEntry`.`SID`=" . sql_escape($shift['SID']) . "  ORDER BY `AngelTypes`.`name`");
+    $shift['needed_angeltypes'] = sql_select("SELECT DISTINCT `AngelTypes`.* FROM `ShiftEntry` JOIN `AngelTypes` ON `ShiftEntry`.`TID`=`AngelTypes`.`id` WHERE `ShiftEntry`.`SID`='" . sql_escape($shift['SID']) . "'  ORDER BY `AngelTypes`.`name`");
     foreach ($shift['needed_angeltypes'] as &$needed_angeltype) {
       $needed_angeltype['users'] = sql_select("
           SELECT `ShiftEntry`.`freeloaded`, `User`.*
           FROM `ShiftEntry`
           JOIN `User` ON `ShiftEntry`.`UID`=`User`.`UID`
-          WHERE `ShiftEntry`.`SID`=" . sql_escape($shift['SID']) . "
-          AND `ShiftEntry`.`TID`=" . sql_escape($needed_angeltype['id']));
+          WHERE `ShiftEntry`.`SID`='" . sql_escape($shift['SID']) . "'
+          AND `ShiftEntry`.`TID`='" . sql_escape($needed_angeltype['id']) . "'");
     }
   }
   
-- 
cgit v1.2.3-54-g00ecf