From 6bede2fd229395f34c321a37efa2ea93e7b1a7ba Mon Sep 17 00:00:00 2001 From: Philip Häusler Date: Sun, 28 Dec 2014 13:44:56 +0100 Subject: harden the sql queries --- includes/model/AngelType_model.php | 12 +++++------ includes/model/LogEntries_model.php | 2 +- includes/model/Message_model.php | 6 +++--- includes/model/NeededAngelTypes_model.php | 4 ++-- includes/model/Room_model.php | 2 +- includes/model/ShiftEntry_model.php | 18 ++++++++-------- includes/model/ShiftTypes_model.php | 8 ++++---- includes/model/Shifts_model.php | 32 ++++++++++++++--------------- includes/model/UserAngelTypes_model.php | 34 +++++++++++++++---------------- includes/model/UserGroups_model.php | 2 +- includes/model/User_model.php | 26 +++++++++++------------ 11 files changed, 73 insertions(+), 73 deletions(-) (limited to 'includes/model') diff --git a/includes/model/AngelType_model.php b/includes/model/AngelType_model.php index d0119e6f..5e7f4fb6 100644 --- a/includes/model/AngelType_model.php +++ b/includes/model/AngelType_model.php @@ -8,7 +8,7 @@ function AngelType_delete($angeltype) { return sql_query(" DELETE FROM `AngelTypes` - WHERE `id`=" . sql_escape($angeltype['id']) . " + WHERE `id`='" . sql_escape($angeltype['id']) . "' LIMIT 1"); } @@ -24,9 +24,9 @@ function AngelType_update($angeltype_id, $name, $restricted, $description) { return sql_query(" UPDATE `AngelTypes` SET `name`='" . sql_escape($name) . "', - `restricted`=" . sql_escape($restricted ? 1 : 0) . ", + `restricted`='" . sql_escape($restricted ? 1 : 0) . "', `description`='" . sql_escape($description) . "' - WHERE `id`=" . sql_escape($angeltype_id) . " + WHERE `id`='" . sql_escape($angeltype_id) . "' LIMIT 1"); } @@ -42,7 +42,7 @@ function AngelType_create($name, $restricted, $description) { $result = sql_query(" INSERT INTO `AngelTypes` SET `name`='" . sql_escape($name) . "', - `restricted`=" . sql_escape($restricted ? 1 : 0) . ", + `restricted`='" . sql_escape($restricted ? 1 : 0) . "', `description`='" . sql_escape($description) . "'"); if ($result === false) return false; @@ -69,7 +69,7 @@ function AngelType_validate_name($name, $angeltype) { SELECT * FROM `AngelTypes` WHERE `name`='" . sql_escape($name) . "' - AND NOT `id`=" . sql_escape($angeltype['id']) . " + AND NOT `id`='" . sql_escape($angeltype['id']) . "' LIMIT 1") == 0, $name ); @@ -130,7 +130,7 @@ function AngelType_ids() { * ID */ function AngelType($id) { - $angelType_source = sql_select("SELECT * FROM `AngelTypes` WHERE `id`=" . sql_escape($id) . " LIMIT 1"); + $angelType_source = sql_select("SELECT * FROM `AngelTypes` WHERE `id`='" . sql_escape($id) . "' LIMIT 1"); if ($angelType_source === false) return false; if (count($angelType_source) > 0) diff --git a/includes/model/LogEntries_model.php b/includes/model/LogEntries_model.php index 2e8a8cf7..d13c3692 100644 --- a/includes/model/LogEntries_model.php +++ b/includes/model/LogEntries_model.php @@ -8,7 +8,7 @@ * Message */ function LogEntry_create($nick, $message) { - return sql_query("INSERT INTO `LogEntries` SET `timestamp`=" . sql_escape(time()) . ", `nick`='" . sql_escape($nick) . "', `message`='" . sql_escape($message) . "'"); + return sql_query("INSERT INTO `LogEntries` SET `timestamp`='" . sql_escape(time()) . "', `nick`='" . sql_escape($nick) . "', `message`='" . sql_escape($message) . "'"); } /** diff --git a/includes/model/Message_model.php b/includes/model/Message_model.php index 1e1923e8..7bae0dd4 100644 --- a/includes/model/Message_model.php +++ b/includes/model/Message_model.php @@ -14,7 +14,7 @@ function Message_ids() { * ID */ function Message($id) { - $message_source = sql_select("SELECT * FROM `Messages` WHERE `id`=" . sql_escape($id) . " LIMIT 1"); + $message_source = sql_select("SELECT * FROM `Messages` WHERE `id`='" . sql_escape($id) . "' LIMIT 1"); if ($message_source === false) return false; if (count($message_source) > 0) @@ -38,8 +38,8 @@ function Message_send($id, $text) { $text = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($text)); $to = preg_replace("/([^0-9]{1,})/ui", '', strip_tags($id)); - if (($text != "" && is_numeric($to)) && (sql_num_query("SELECT * FROM `User` WHERE `UID`=" . sql_escape($to) . " AND NOT `UID`=" . sql_escape($user['UID']) . " LIMIT 1") > 0)) { - sql_query("INSERT INTO `Messages` SET `Datum`=" . sql_escape(time()) . ", `SUID`=" . sql_escape($user['UID']) . ", `RUID`=" . sql_escape($to) . ", `Text`='" . sql_escape($text) . "'"); + if (($text != "" && is_numeric($to)) && (sql_num_query("SELECT * FROM `User` WHERE `UID`='" . sql_escape($to) . "' AND NOT `UID`='" . sql_escape($user['UID']) . "' LIMIT 1") > 0)) { + sql_query("INSERT INTO `Messages` SET `Datum`='" . sql_escape(time()) . "', `SUID`='" . sql_escape($user['UID']) . "', `RUID`='" . sql_escape($to) . "', `Text`='" . sql_escape($text) . "'"); return true; } else { return false; diff --git a/includes/model/NeededAngelTypes_model.php b/includes/model/NeededAngelTypes_model.php index e9176d34..8d6b8cce 100644 --- a/includes/model/NeededAngelTypes_model.php +++ b/includes/model/NeededAngelTypes_model.php @@ -10,7 +10,7 @@ function NeededAngelTypes_by_shift($shiftId) { SELECT `NeededAngelTypes`.*, `AngelTypes`.`name`, `AngelTypes`.`restricted` FROM `NeededAngelTypes` JOIN `AngelTypes` ON `AngelTypes`.`id` = `NeededAngelTypes`.`angel_type_id` - WHERE `shift_id`=" . sql_escape($shiftId) . " + WHERE `shift_id`='" . sql_escape($shiftId) . "' AND `count` > 0 ORDER BY `room_id` DESC "); @@ -24,7 +24,7 @@ function NeededAngelTypes_by_shift($shiftId) { FROM `NeededAngelTypes` JOIN `AngelTypes` ON `AngelTypes`.`id` = `NeededAngelTypes`.`angel_type_id` JOIN `Shifts` ON `Shifts`.`RID` = `NeededAngelTypes`.`room_id` - WHERE `Shifts`.`SID`=" . sql_escape($shiftId) . " + WHERE `Shifts`.`SID`='" . sql_escape($shiftId) . "' AND `count` > 0 ORDER BY `room_id` DESC "); diff --git a/includes/model/Room_model.php b/includes/model/Room_model.php index c48abc78..49ad0c60 100644 --- a/includes/model/Room_model.php +++ b/includes/model/Room_model.php @@ -18,7 +18,7 @@ function Room_ids() { * @param $id RID */ function Room($id) { - $room_source = sql_select("SELECT * FROM `Room` WHERE `RID`=" . sql_escape($id) . " AND `show` = 'Y' LIMIT 1"); + $room_source = sql_select("SELECT * FROM `Room` WHERE `RID`='" . sql_escape($id) . "' AND `show` = 'Y' LIMIT 1"); if ($room_source === false) return false; if (count($room_source) > 0) diff --git a/includes/model/ShiftEntry_model.php b/includes/model/ShiftEntry_model.php index 5129f15a..1579b93b 100644 --- a/includes/model/ShiftEntry_model.php +++ b/includes/model/ShiftEntry_model.php @@ -16,7 +16,7 @@ function ShiftEntries_by_shift($shift_id) { FROM `ShiftEntry` JOIN `User` ON `ShiftEntry`.`UID`=`User`.`UID` JOIN `AngelTypes` ON `ShiftEntry`.`TID`=`AngelTypes`.`id` - WHERE `ShiftEntry`.`SID`=" . sql_escape($shift_id)); + WHERE `ShiftEntry`.`SID`='" . sql_escape($shift_id)) . "'"; } /** @@ -27,12 +27,12 @@ function ShiftEntries_by_shift($shift_id) { function ShiftEntry_create($shift_entry) { mail_shift_assign(User($shift_entry['UID']), Shift($shift_entry['SID'])); return sql_query("INSERT INTO `ShiftEntry` SET - `SID`=" . sql_escape($shift_entry['SID']) . ", - `TID`=" . sql_escape($shift_entry['TID']) . ", - `UID`=" . sql_escape($shift_entry['UID']) . ", + `SID`='" . sql_escape($shift_entry['SID']) . "', + `TID`='" . sql_escape($shift_entry['TID']) . "', + `UID`='" . sql_escape($shift_entry['UID']) . "', `Comment`='" . sql_escape($shift_entry['Comment']) . "', `freeload_comment`='" . sql_escape($shift_entry['freeload_comment']) . "', - `freeloaded`=" . sql_escape($shift_entry['freeloaded'] ? 'TRUE' : 'FALSE')); + `freeloaded`=" . sql_bool($shift_entry['freeloaded'])); } /** @@ -42,15 +42,15 @@ function ShiftEntry_update($shift_entry) { return sql_query("UPDATE `ShiftEntry` SET `Comment`='" . sql_escape($shift_entry['Comment']) . "', `freeload_comment`='" . sql_escape($shift_entry['freeload_comment']) . "', - `freeloaded`=" . sql_escape($shift_entry['freeloaded'] ? 'TRUE' : 'FALSE') . " - WHERE `id`=" . sql_escape($shift_entry['id'])); + `freeloaded`=" . sql_bool($shift_entry['freeloaded']) . " + WHERE `id`='" . sql_escape($shift_entry['id']) . "'"); } /** * Get a shift entry. */ function ShiftEntry($shift_entry_id) { - $shift_entry = sql_select("SELECT * FROM `ShiftEntry` WHERE `id`=" . sql_escape($shift_entry_id)); + $shift_entry = sql_select("SELECT * FROM `ShiftEntry` WHERE `id`='" . sql_escape($shift_entry_id) . "'"); if ($shift_entry === false) return false; if (count($shift_entry) == 0) @@ -64,7 +64,7 @@ function ShiftEntry($shift_entry_id) { function ShiftEntry_delete($shift_entry_id) { $shift_entry = ShiftEntry($shift_entry_id); mail_shift_removed(User($shift_entry['UID']), Shift($shift_entry['SID'])); - return sql_query("DELETE FROM `ShiftEntry` WHERE `id`=" . sql_escape($shift_entry_id)); + return sql_query("DELETE FROM `ShiftEntry` WHERE `id`='" . sql_escape($shift_entry_id) . "'"); } /** diff --git a/includes/model/ShiftTypes_model.php b/includes/model/ShiftTypes_model.php index 7b502585..907ad076 100644 --- a/includes/model/ShiftTypes_model.php +++ b/includes/model/ShiftTypes_model.php @@ -5,7 +5,7 @@ * @param int $shifttype_id */ function ShiftType_delete($shifttype_id) { - return sql_query("DELETE FROM `ShiftTypes` WHERE `id`=" . sql_escape($shifttype_id)); + return sql_query("DELETE FROM `ShiftTypes` WHERE `id`='" . sql_escape($shifttype_id) . "'"); } /** @@ -21,7 +21,7 @@ function ShiftType_update($shifttype_id, $name, $angeltype_id, $description) { `name`='" . sql_escape($name) . "', `angeltype_id`=" . sql_null($angeltype_id) . ", `description`='" . sql_escape($description) . "' - WHERE `id`=" . sql_escape($shifttype_id)); + WHERE `id`='" . sql_escape($shifttype_id) . "'"); } /** @@ -35,7 +35,7 @@ function ShiftType_update($shifttype_id, $name, $angeltype_id, $description) { function ShiftType_create($name, $angeltype_id, $description) { $result = sql_query("INSERT INTO `ShiftTypes` SET `name`='" . sql_escape($name) . "', - `angeltype_id`=" . sql_null($angeltype_id) . ", + `angeltype_id`='" . sql_null($angeltype_id) . "', `description`='" . sql_escape($description) . "'"); if ($result === false) return false; @@ -48,7 +48,7 @@ function ShiftType_create($name, $angeltype_id, $description) { * @param int $shifttype_id */ function ShiftType($shifttype_id) { - $shifttype = sql_select("SELECT * FROM `ShiftTypes` WHERE `id`=" . sql_escape($shifttype_id)); + $shifttype = sql_select("SELECT * FROM `ShiftTypes` WHERE `id`='" . sql_escape($shifttype_id) . "'"); if ($shifttype === false) return false; if ($shifttype == null) diff --git a/includes/model/Shifts_model.php b/includes/model/Shifts_model.php index a0cdbe5d..edf80538 100644 --- a/includes/model/Shifts_model.php +++ b/includes/model/Shifts_model.php @@ -85,7 +85,7 @@ function Shift_signup_allowed($shift, $angeltype, $user_angeltype = null, $user_ * Delete a shift by its external id. */ function Shift_delete_by_psid($shift_psid) { - return sql_query("DELETE FROM `Shifts` WHERE `PSID`=" . sql_escape($shift_psid)); + return sql_query("DELETE FROM `Shifts` WHERE `PSID`='" . sql_escape($shift_psid)."'"); } /** @@ -94,7 +94,7 @@ function Shift_delete_by_psid($shift_psid) { function Shift_delete($shift_id) { mail_shift_delete(Shift($shift_id)); - return sql_query("DELETE FROM `Shifts` WHERE `SID`=" . sql_escape($shift_id)); + return sql_query("DELETE FROM `Shifts` WHERE `SID`='" . sql_escape($shift_id) . "'"); } /** @@ -105,14 +105,14 @@ function Shift_update($shift) { mail_shift_change(Shift($shift['SID']), $shift); return sql_query("UPDATE `Shifts` SET - `shifttype_id`=" . sql_escape($shift['shifttype_id']) . ", - `start`=" . sql_escape($shift['start']) . ", - `end`=" . sql_escape($shift['end']) . ", - `RID`=" . sql_escape($shift['RID']) . ", + `shifttype_id`='" . sql_escape($shift['shifttype_id']) . "', + `start`='" . sql_escape($shift['start']) . "', + `end`='" . sql_escape($shift['end']) . "', + `RID`='" . sql_escape($shift['RID']) . "', `title`=" . sql_null($shift['title']) . ", `URL`=" . sql_null($shift['URL']) . ", `PSID`=" . sql_null($shift['PSID']) . " - WHERE `SID`=" . sql_escape($shift['SID'])); + WHERE `SID`='" . sql_escape($shift['SID']) . "'"); } /** @@ -135,12 +135,12 @@ function Shift_update_by_psid($shift) { */ function Shift_create($shift) { $result = sql_query("INSERT INTO `Shifts` SET - `shifttype_id`=" . sql_escape($shift['shifttype_id']) . ", - `start`=" . sql_escape($shift['start']) . ", - `end`=" . sql_escape($shift['end']) . ", - `RID`=" . sql_escape($shift['RID']) . ", + `shifttype_id`='" . sql_escape($shift['shifttype_id']) . "', + `start`='" . sql_escape($shift['start']) . "', + `end`='" . sql_escape($shift['end']) . "', + `RID`='" . sql_escape($shift['RID']) . "', `title`=" . sql_null($shift['title']) . ", - `URL`=" . sql_null($shift['URL']) . ", + `URL`=" . sql_null($shift['URL']) . "', `PSID`=" . sql_null($shift['PSID'])); if ($result === false) return false; @@ -157,7 +157,7 @@ function Shifts_by_user($user) { JOIN `Shifts` ON (`ShiftEntry`.`SID` = `Shifts`.`SID`) JOIN `ShiftTypes` ON (`ShiftTypes`.`id` = `Shifts`.`shifttype_id`) JOIN `Room` ON (`Shifts`.`RID` = `Room`.`RID`) - WHERE `UID`=" . sql_escape($user['UID']) . " + WHERE `UID`='" . sql_escape($user['UID']) . "' ORDER BY `start` "); } @@ -173,7 +173,7 @@ function Shifts_filtered() { // filterRoom (Array of integer) - Array of Room IDs (optional, for list request) if (isset($_REQUEST['filterRoom']) && is_array($_REQUEST['filterRoom'])) { foreach ($_REQUEST['filterRoom'] as $key => $value) { - $filter .= ", `RID`=" . sql_escape($value) . " "; + $filter .= ", `RID`='" . sql_escape($value) . "' "; } } @@ -218,8 +218,8 @@ function Shift($id) { SELECT `Shifts`.*, `ShiftTypes`.`name` FROM `Shifts` JOIN `ShiftTypes` ON (`ShiftTypes`.`id` = `Shifts`.`shifttype_id`) - WHERE `SID`=" . sql_escape($id)); - $shiftsEntry_source = sql_select("SELECT `id`, `TID` , `UID` , `freeloaded` FROM `ShiftEntry` WHERE `SID`=" . sql_escape($id)); + WHERE `SID`='" . sql_escape($id) . "'"); + $shiftsEntry_source = sql_select("SELECT `id`, `TID` , `UID` , `freeloaded` FROM `ShiftEntry` WHERE `SID`='" . sql_escape($id) . "'"); if ($shifts_source === false) return false; diff --git a/includes/model/UserAngelTypes_model.php b/includes/model/UserAngelTypes_model.php index 7dcaef7a..19686480 100644 --- a/includes/model/UserAngelTypes_model.php +++ b/includes/model/UserAngelTypes_model.php @@ -8,7 +8,7 @@ function User_angeltypes($user) { SELECT `AngelTypes`.*, `UserAngelTypes`.`confirm_user_id`, `UserAngelTypes`.`coordinator` FROM `UserAngelTypes` JOIN `AngelTypes` ON `UserAngelTypes`.`angeltype_id` = `AngelTypes`.`id` - WHERE `UserAngelTypes`.`user_id`=" . sql_escape($user['UID']) . " + WHERE `UserAngelTypes`.`user_id`='" . sql_escape($user['UID']) . "' "); } @@ -22,7 +22,7 @@ function User_unconfirmed_AngelTypes($user) { SELECT `UnconfirmedMembers`.*, `AngelTypes`.`name` FROM `UserAngelTypes` JOIN `AngelTypes` ON `UserAngelTypes`.`angeltype_id`=`AngelTypes`.`id` JOIN `UserAngelTypes` as `UnconfirmedMembers` ON `UserAngelTypes`.`angeltype_id`=`UnconfirmedMembers`.`angeltype_id` - WHERE `UserAngelTypes`.`user_id`=" . sql_escape($user['UID']) . " + WHERE `UserAngelTypes`.`user_id`='" . sql_escape($user['UID']) . "' AND `UserAngelTypes`.`coordinator`=TRUE AND `AngelTypes`.`restricted`=TRUE AND `UnconfirmedMembers`.`confirm_user_id` IS NULL"); @@ -38,8 +38,8 @@ function User_is_AngelType_coordinator($user, $angeltype) { return (sql_num_query(" SELECT `id` FROM `UserAngelTypes` - WHERE `user_id`=" . sql_escape($user['UID']) . " - AND `angeltype_id`=" . sql_escape($angeltype['id']) . " + WHERE `user_id`='" . sql_escape($user['UID']) . "' + AND `angeltype_id`='" . sql_escape($angeltype['id']) . "' AND `coordinator`=TRUE LIMIT 1") > 0) || in_array('admin_user_angeltypes', privileges_for_user($user['UID'])); } @@ -53,8 +53,8 @@ function User_is_AngelType_coordinator($user, $angeltype) { function UserAngelType_update($user_angeltype_id, $coordinator) { return sql_query(" UPDATE `UserAngelTypes` - SET `coordinator`=" . ($coordinator ? 'TRUE' : 'FALSE') . " - WHERE `id`=" . sql_escape($user_angeltype_id) . " + SET `coordinator`=" . sql_bool($coordinator) . " + WHERE `id`='" . sql_escape($user_angeltype_id) . "' LIMIT 1"); } @@ -66,7 +66,7 @@ function UserAngelType_update($user_angeltype_id, $coordinator) { function UserAngelTypes_delete_all($angeltype_id) { return sql_query(" DELETE FROM `UserAngelTypes` - WHERE `angeltype_id`=" . sql_escape($angeltype_id) . " + WHERE `angeltype_id`='" . sql_escape($angeltype_id) . "' AND `confirm_user_id` IS NULL"); } @@ -79,8 +79,8 @@ function UserAngelTypes_delete_all($angeltype_id) { function UserAngelTypes_confirm_all($angeltype_id, $confirm_user) { return sql_query(" UPDATE `UserAngelTypes` - SET `confirm_user_id`=" . sql_escape($confirm_user['UID']) . " - WHERE `angeltype_id`=" . sql_escape($angeltype_id) . " + SET `confirm_user_id`='" . sql_escape($confirm_user['UID']) . "' + WHERE `angeltype_id`='" . sql_escape($angeltype_id) . "' AND `confirm_user_id` IS NULL"); } @@ -93,8 +93,8 @@ function UserAngelTypes_confirm_all($angeltype_id, $confirm_user) { function UserAngelType_confirm($user_angeltype_id, $confirm_user) { return sql_query(" UPDATE `UserAngelTypes` - SET `confirm_user_id`=" . sql_escape($confirm_user['UID']) . " - WHERE `id`=" . sql_escape($user_angeltype_id) . " + SET `confirm_user_id`='" . sql_escape($confirm_user['UID']) . "' + WHERE `id`='" . sql_escape($user_angeltype_id) . "' LIMIT 1"); } @@ -106,7 +106,7 @@ function UserAngelType_confirm($user_angeltype_id, $confirm_user) { function UserAngelType_delete($user_angeltype) { return sql_query(" DELETE FROM `UserAngelTypes` - WHERE `id`=" . sql_escape($user_angeltype['id']) . " + WHERE `id`='" . sql_escape($user_angeltype['id']) . "' LIMIT 1"); } @@ -119,8 +119,8 @@ function UserAngelType_delete($user_angeltype) { function UserAngelType_create($user, $angeltype) { $result = sql_query(" INSERT INTO `UserAngelTypes` SET - `user_id`=" . sql_escape($user['UID']) . ", - `angeltype_id`=" . sql_escape($angeltype['id'])); + `user_id`='" . sql_escape($user['UID']) . "', + `angeltype_id`='" . sql_escape($angeltype['id']) . "'"); if ($result === false) return false; return sql_id(); @@ -135,7 +135,7 @@ function UserAngelType($user_angeltype_id) { $angeltype = sql_select(" SELECT * FROM `UserAngelTypes` - WHERE `id`=" . sql_escape($user_angeltype_id) . " + WHERE `id`='" . sql_escape($user_angeltype_id) . "' LIMIT 1"); if ($angeltype === false) return false; @@ -154,8 +154,8 @@ function UserAngelType_by_User_and_AngelType($user, $angeltype) { $angeltype = sql_select(" SELECT * FROM `UserAngelTypes` - WHERE `user_id`=" . sql_escape($user['UID']) . " - AND `angeltype_id`=" . sql_escape($angeltype['id']) . " + WHERE `user_id`='" . sql_escape($user['UID']) . "' + AND `angeltype_id`='" . sql_escape($angeltype['id']) . "' LIMIT 1"); if ($angeltype === false) return false; diff --git a/includes/model/UserGroups_model.php b/includes/model/UserGroups_model.php index 1d018386..766f402f 100644 --- a/includes/model/UserGroups_model.php +++ b/includes/model/UserGroups_model.php @@ -9,7 +9,7 @@ function User_groups($user) { SELECT `Groups`.* FROM `UserGroups` JOIN `Groups` ON `Groups`.`UID`=`UserGroups`.`group_id` - WHERE `UserGroups`.`uid`=" . sql_escape($user['UID']) . " + WHERE `UserGroups`.`uid`='" . sql_escape($user['UID']) . "' ORDER BY `UserGroups`.`group_id` "); } diff --git a/includes/model/User_model.php b/includes/model/User_model.php index 516f9adf..c6f8e3bf 100644 --- a/includes/model/User_model.php +++ b/includes/model/User_model.php @@ -14,23 +14,23 @@ function User_update($user) { `Nick`='" . sql_escape($user['Nick']) . "', `Name`='" . sql_escape($user['Name']) . "', `Vorname`='" . sql_escape($user['Vorname']) . "', - `Alter`=" . sql_escape($user['Alter']) . ", + `Alter`='" . sql_escape($user['Alter']) . "', `Telefon`='" . sql_escape($user['Telefon']) . "', `DECT`='" . sql_escape($user['DECT']) . "', `Handy`='" . sql_escape($user['Handy']) . "', `email`='" . sql_escape($user['email']) . "', - `email_shiftinfo`=" . sql_escape($user['email_shiftinfo'] ? 'TRUE' : 'FALSE') . ", + `email_shiftinfo`=" . sql_bool($user['email_shiftinfo']) . ", `jabber`='" . sql_escape($user['jabber']) . "', `Size`='" . sql_escape($user['Size']) . "', - `Gekommen`=" . sql_escape($user['Gekommen']) . ", - `Aktiv`=" . sql_escape($user['Aktiv']) . ", - `force_active`=" . sql_escape($user['force_active'] ? 'TRUE' : 'FALSE') . ", - `Tshirt`=" . sql_escape($user['Tshirt']) . ", - `color`=" . sql_escape($user['color']) . ", + `Gekommen`='" . sql_escape($user['Gekommen']) . "', + `Aktiv`='" . sql_escape($user['Aktiv']) . "', + `force_active`=" . sql_bool($user['force_active']) . ", + `Tshirt`='" . sql_escape($user['Tshirt']) . "', + `color`='" . sql_escape($user['color']) . "', `Sprache`='" . sql_escape($user['Sprache']) . "', `Hometown`='" . sql_escape($user['Hometown']) . "', - `got_voucher`=" . sql_escape($user['got_voucher'] ? 'TRUE' : 'FALSE') . " - WHERE `UID`=" . sql_escape($user['UID'])); + `got_voucher`=" . sql_bool($user['got_voucher']) . " + WHERE `UID`='" . sql_escape($user['UID']). "'"); } /** @@ -105,7 +105,7 @@ function Users_by_angeltype_inverted($angeltype) { return sql_select(" SELECT `User`.* FROM `User` - LEFT JOIN `UserAngelTypes` ON (`User`.`UID`=`UserAngelTypes`.`user_id` AND `angeltype_id`=" . sql_escape($angeltype['id']) . ") + LEFT JOIN `UserAngelTypes` ON (`User`.`UID`=`UserAngelTypes`.`user_id` AND `angeltype_id`='" . sql_escape($angeltype['id']) . "') WHERE `UserAngelTypes`.`id` IS NULL ORDER BY `Nick`"); } @@ -124,7 +124,7 @@ function Users_by_angeltype($angeltype) { `UserAngelTypes`.`coordinator` FROM `User` JOIN `UserAngelTypes` ON `User`.`UID`=`UserAngelTypes`.`user_id` - WHERE `UserAngelTypes`.`angeltype_id`=" . sql_escape($angeltype['id']) . " + WHERE `UserAngelTypes`.`angeltype_id`='" . sql_escape($angeltype['id']) . "' ORDER BY `Nick`"); } @@ -150,7 +150,7 @@ function User_validate_Nick($nick) { * @param $id UID */ function User($id) { - $user_source = sql_select("SELECT * FROM `User` WHERE `UID`=" . sql_escape($id) . " LIMIT 1"); + $user_source = sql_select("SELECT * FROM `User` WHERE `UID`='" . sql_escape($id) . "' LIMIT 1"); if ($user_source === false) return false; if (count($user_source) > 0) @@ -165,7 +165,7 @@ function User($id) { * @param $id UID */ function mUser_Limit($id) { - $user_source = sql_select("SELECT `UID`, `Nick`, `Name`, `Vorname`, `Telefon`, `DECT`, `Handy`, `email`, `jabber`, `Avatar` FROM `User` WHERE `UID`=" . sql_escape($id) . " LIMIT 1"); + $user_source = sql_select("SELECT `UID`, `Nick`, `Name`, `Vorname`, `Telefon`, `DECT`, `Handy`, `email`, `jabber`, `Avatar` FROM `User` WHERE `UID`='" . sql_escape($id) . "' LIMIT 1"); if ($user_source === false) return false; if (count($user_source) > 0) -- cgit v1.2.3-54-g00ecf