From 5a935f413dd6dff69df736b437073d343aa8a6ec Mon Sep 17 00:00:00 2001
From: Philip Häusler <msquare@notrademark.de>
Date: Thu, 2 Jun 2011 01:45:46 +0200
Subject: news

---
 includes/sys_user.php | 109 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 109 insertions(+)
 create mode 100644 includes/sys_user.php

(limited to 'includes/sys_user.php')

diff --git a/includes/sys_user.php b/includes/sys_user.php
new file mode 100644
index 00000000..6274003d
--- /dev/null
+++ b/includes/sys_user.php
@@ -0,0 +1,109 @@
+<?php
+function UID2Nick($UID) {
+	if ($UID > 0)
+		$SQL = "SELECT Nick FROM `User` WHERE UID='$UID'";
+	else
+		$SQL = "SELECT Name FROM `Groups` WHERE UID='$UID'";
+
+	$Erg = sql_select($SQL);
+
+	if (count($Erg) > 0) {
+		if ($UID > 0)
+			return $Erg[0]['Nick'];
+		else
+			return "Group-" . $Erg[0]['Name'];
+	} else {
+		if ($UID == -1)
+			return "Guest";
+		else
+			return "UserID $UID not found";
+	}
+}
+
+function TID2Type($TID) {
+	global $con;
+
+	$SQL = "SELECT Name FROM `EngelType` WHERE TID='$TID'";
+	$Erg = mysql_query($SQL, $con);
+
+	if (mysql_num_rows($Erg))
+		return mysql_result($Erg, 0);
+	else
+		return "";
+}
+
+function ReplaceSmilies($neueckig) {
+	global $url, $ENGEL_ROOT;
+
+	$neueckig = str_replace(";o))", "<img src=\"pic/smiles/icon_redface.gif\">", $neueckig);
+	$neueckig = str_replace(":-))", "<img src=\"pic/smiles/icon_redface.gif\">", $neueckig);
+	$neueckig = str_replace(";o)", "<img src=\"pic/smiles/icon_wind.gif\">", $neueckig);
+	$neueckig = str_replace(":)", "<img src=\"pic/smiles/icon_smile.gif\">", $neueckig);
+	$neueckig = str_replace(":-)", "<img src=\"pic/smiles/icon_smile.gif\">", $neueckig);
+	$neueckig = str_replace(":(", "<img src=\"pic/smiles/icon_sad.gif\">", $neueckig);
+	$neueckig = str_replace(":-(", "<img src=\"pic/smiles/icon_sad.gif\">", $neueckig);
+	$neueckig = str_replace(":o(", "<img src=\"pic/smiles/icon_sad.gif\">", $neueckig);
+	$neueckig = str_replace(":o)", "<img src=\"pic/smiles/icon_lol.gif\">", $neueckig);
+	$neueckig = str_replace(";o(", "<img src=\"pic/smiles/icon_cry.gif\">", $neueckig);
+	$neueckig = str_replace(";(", "<img src=\"pic/smiles/icon_cry.gif\">", $neueckig);
+	$neueckig = str_replace(";-(", "<img src=\"pic/smiles/icon_cry.gif\">", $neueckig);
+	$neueckig = str_replace("8)", "<img src=\"pic/smiles/icon_rolleyes.gif\">", $neueckig);
+	$neueckig = str_replace("8o)", "<img src=\"pic/smiles/icon_rolleyes.gif\">", $neueckig);
+	$neueckig = str_replace(":P", "<img src=\"pic/smiles/icon_evil.gif\">", $neueckig);
+	$neueckig = str_replace(":-P", "<img src=\"pic/smiles/icon_evil.gif\">", $neueckig);
+	$neueckig = str_replace(":oP", "<img src=\"pic/smiles/icon_evil.gif\">", $neueckig);
+	$neueckig = str_replace(";P", "<img src=\"pic/smiles/icon_mad.gif\">", $neueckig);
+	$neueckig = str_replace(";oP", "<img src=\"pic/smiles/icon_mad.gif\">", $neueckig);
+	$neueckig = str_replace("?)", "<img src=\"pic/smiles/icon_question.gif\">", $neueckig);
+
+	return $neueckig;
+}
+
+function GetPicturShow($UID) {
+	global $con;
+
+	$SQL = "SELECT `show` FROM `UserPicture` WHERE `UID`='$UID'";
+	$res = mysql_query($SQL, $con);
+
+	if (mysql_num_rows($res) == 1)
+		return mysql_result($res, 0, 0);
+	else
+		return "";
+}
+
+function displayPictur($UID, $height = "30") {
+	global $url, $ENGEL_ROOT;
+
+	if ($height > 0)
+		return ("<img src=\"" . $url . $ENGEL_ROOT . "ShowUserPicture.php?UID=$UID\" height=\"$height\" alt=\"picture of USER$UID\" class=\"photo\">");
+	else
+		return ("<img src=\"" . $url . $ENGEL_ROOT . "ShowUserPicture.php?UID=$UID\" alt=\"picture of USER$UID\">");
+}
+
+function displayavatar($UID, $height = "30") {
+	global $con, $url, $ENGEL_ROOT;
+
+	if (GetPicturShow($UID) == 'Y')
+		return "&nbsp;" . displayPictur($UID, $height);
+
+	// show avator
+	$asql = "select * from User where UID = $UID";
+	$aerg = mysql_query($asql, $con);
+
+	if (mysql_num_rows($aerg))
+		if (mysql_result($aerg, 0, "Avatar") > 0)
+			return ("&nbsp;<img src=\"" . $url . $ENGEL_ROOT . "pic/avatar/avatar" . mysql_result($aerg, 0, "Avatar") . ".gif\">");
+}
+
+function UIDgekommen($UID) {
+	global $con;
+
+	$SQL = "SELECT `Gekommen` FROM `User` WHERE UID='$UID'";
+	$Erg = mysql_query($SQL, $con);
+
+	if (mysql_num_rows($Erg))
+		return mysql_result($Erg, 0);
+	else
+		return "0";
+}
+?>
-- 
cgit v1.2.3-54-g00ecf


From 91f6e7bbaf7c9ed8820fea59e041c8fa17bcea91 Mon Sep 17 00:00:00 2001
From: Philip Häusler <msquare@notrademark.de>
Date: Fri, 3 Jun 2011 05:12:50 +0200
Subject: news refined

---
 DB/db_rewrite.sql            |  76 ++++++++++-------
 includes/pages/user_news.php | 197 +++++++++++++++++++++++++------------------
 includes/sys_user.php        |   6 +-
 txt/TODO                     |   2 +-
 www-ssl/css/base.css         |  73 ++++++++++++----
 www-ssl/index.php            |   4 +
 6 files changed, 224 insertions(+), 134 deletions(-)

(limited to 'includes/sys_user.php')

diff --git a/DB/db_rewrite.sql b/DB/db_rewrite.sql
index fa31c6f8..b85f04c9 100644
--- a/DB/db_rewrite.sql
+++ b/DB/db_rewrite.sql
@@ -3,7 +3,7 @@
 -- http://www.phpmyadmin.net
 --
 -- Host: localhost
--- Erstellungszeit: 02. Juni 2011 um 23:02
+-- Erstellungszeit: 03. Juni 2011 um 03:12
 -- Server Version: 5.1.44
 -- PHP-Version: 5.3.1
 
@@ -71,21 +71,23 @@ CREATE TABLE IF NOT EXISTS `Counter` (
 --
 
 INSERT INTO `Counter` (`URL`, `Anz`) VALUES
-('news', 80),
-('login', 24),
+('news', 164),
+('login', 26),
 ('logout', 13),
-('start', 25),
-('faq', 16),
+('start', 26),
+('faq', 18),
 ('credits', 3),
 ('register', 3),
-('admin_rooms', 70),
-('admin_angel_types', 69),
-('user_settings', 116),
-('user_messages', 111),
-('admin_groups', 104),
-('user_questions', 54),
-('admin_questions', 41),
-('admin_faq', 53);
+('admin_rooms', 75),
+('admin_angel_types', 70),
+('user_settings', 125),
+('user_messages', 112),
+('admin_groups', 114),
+('user_questions', 55),
+('admin_questions', 42),
+('admin_faq', 55),
+('admin_news', 2),
+('news_comments', 144);
 
 -- --------------------------------------------------------
 
@@ -131,25 +133,27 @@ CREATE TABLE IF NOT EXISTS `GroupPrivileges` (
   `privilege_id` int(11) NOT NULL,
   PRIMARY KEY (`id`),
   KEY `group_id` (`group_id`,`privilege_id`)
-) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=40 ;
+) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=51 ;
 
 --
 -- Daten für Tabelle `GroupPrivileges`
 --
 
 INSERT INTO `GroupPrivileges` (`id`, `group_id`, `privilege_id`) VALUES
-(32, -2, 8),
+(42, -2, 15),
 (24, -1, 5),
-(31, -2, 11),
-(30, -2, 9),
+(40, -2, 4),
+(41, -2, 3),
 (23, -1, 2),
-(36, -4, 7),
-(37, -4, 13),
-(29, -2, 3),
-(28, -2, 4),
+(48, -4, 14),
+(46, -4, 7),
+(44, -2, 11),
+(43, -2, 9),
 (12, -5, 10),
-(38, -4, 12),
-(39, -4, 6);
+(47, -4, 13),
+(49, -4, 12),
+(45, -2, 8),
+(50, -4, 6);
 
 -- --------------------------------------------------------
 
@@ -210,7 +214,7 @@ INSERT INTO `Messages` (`id`, `Datum`, `SUID`, `RUID`, `isRead`, `Text`) VALUES
 
 CREATE TABLE IF NOT EXISTS `News` (
   `ID` int(11) NOT NULL AUTO_INCREMENT,
-  `Datum` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
+  `Datum` int(11) NOT NULL,
   `Betreff` varchar(150) NOT NULL DEFAULT '',
   `Text` text NOT NULL,
   `UID` int(11) NOT NULL DEFAULT '0',
@@ -223,9 +227,9 @@ CREATE TABLE IF NOT EXISTS `News` (
 --
 
 INSERT INTO `News` (`ID`, `Datum`, `Betreff`, `Text`, `UID`, `Treffen`) VALUES
-(1, '2011-06-02 21:35:27', '', '', 1, 0),
-(2, '2011-06-02 21:36:57', '', '', 1, 0),
-(3, '2011-06-02 21:36:57', '', '', 1, 0);
+(1, 1307070566, 'asdf', 'asdf', 1, 0),
+(2, 1307070579, 'Achtung, Treffen!', 'Uiuiuiui.', 1, 0),
+(3, 1307070686, 'Achtung, Treffen!', 'Jojojo!', 1, 1);
 
 -- --------------------------------------------------------
 
@@ -241,12 +245,16 @@ CREATE TABLE IF NOT EXISTS `news_comments` (
   `UID` int(11) NOT NULL DEFAULT '0',
   PRIMARY KEY (`ID`),
   KEY `Refid` (`Refid`)
-) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;
+) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=4 ;
 
 --
 -- Daten für Tabelle `news_comments`
 --
 
+INSERT INTO `news_comments` (`ID`, `Refid`, `Datum`, `Text`, `UID`) VALUES
+(1, 10, '2011-06-03 04:12:28', 'FOobar :)', 1),
+(2, 10, '2011-06-03 04:13:03', 'FOobar :)', 1),
+(3, 10, '2011-06-03 04:13:06', 'FOobar :)', 1);
 
 -- --------------------------------------------------------
 
@@ -260,7 +268,7 @@ CREATE TABLE IF NOT EXISTS `Privileges` (
   `desc` varchar(1024) NOT NULL,
   PRIMARY KEY (`id`),
   UNIQUE KEY `name` (`name`)
-) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=14 ;
+) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=16 ;
 
 --
 -- Daten für Tabelle `Privileges`
@@ -279,7 +287,9 @@ INSERT INTO `Privileges` (`id`, `name`, `desc`) VALUES
 (10, 'admin_groups', 'Manage usergroups and their rights'),
 (11, 'user_questions', 'Let users ask questions'),
 (12, 'admin_questions', 'Answer user''s questions'),
-(13, 'admin_faq', 'Edit FAQs');
+(13, 'admin_faq', 'Edit FAQs'),
+(14, 'admin_news', 'Administrate the news section'),
+(15, 'news_comments', 'User can comment news');
 
 -- --------------------------------------------------------
 
@@ -1016,7 +1026,9 @@ INSERT INTO `Sprache` (`TextID`, `Sprache`, `Text`) VALUES
 ('admin_questions', 'DE', 'Fragen beantworten'),
 ('admin_questions', 'EN', 'Answer questions'),
 ('admin_faq', 'DE', 'FAQs bearbeiten'),
-('admin_faq', 'EN', 'Edit FAQs');
+('admin_faq', 'EN', 'Edit FAQs'),
+('news_comments', 'DE', 'News Kommentare'),
+('news_comments', 'EN', 'News comments');
 
 -- --------------------------------------------------------
 
@@ -1059,7 +1071,7 @@ CREATE TABLE IF NOT EXISTS `User` (
 --
 
 INSERT INTO `User` (`UID`, `Nick`, `Name`, `Vorname`, `Alter`, `Telefon`, `DECT`, `Handy`, `email`, `ICQ`, `jabber`, `Size`, `Passwort`, `Gekommen`, `Aktiv`, `Tshirt`, `color`, `Sprache`, `Avatar`, `Menu`, `lastLogIn`, `CreateDate`, `Art`, `kommentar`, `Hometown`) VALUES
-(1, 'admin', '', '', 0, '', '', '', '', '', '', 'L', '21232f297a57a5a743894a0e4a801fc3', 0, 0, 0, 10, 'DE', 115, 'L', 1307055685, '0000-00-00 00:00:00', '', '', ''),
+(1, 'admin', '', '', 0, '', '', '', '', '', '', 'L', '21232f297a57a5a743894a0e4a801fc3', 0, 0, 0, 10, 'DE', 115, 'L', 1307070695, '0000-00-00 00:00:00', '', '', ''),
 (147, 'msquare', '', '', 23, '', '', '', 'msquare@notrademark.de', '', '', 'L', 'e10adc3949ba59abbe56e057f20f883e', 0, 0, 0, 6, 'EN', 0, 'L', 1307042703, '2011-06-02 00:55:09', '', '', '');
 
 -- --------------------------------------------------------
diff --git a/includes/pages/user_news.php b/includes/pages/user_news.php
index 56c5bb68..34c346dd 100644
--- a/includes/pages/user_news.php
+++ b/includes/pages/user_news.php
@@ -1,108 +1,139 @@
 <?php
-function user_news() {
-	return "<a href=\"#Neu\">" . Get_Text(3) . "</a>" . user_news_output();
+function display_news($news) {
+	global $privileges, $p;
+
+	$html .= "";
+	$html .= '<article class="news' . ($news['Treffen'] == 1 ? ' meeting' : '') . '">';
+	$html .= '<details>';
+	$html .= date("Y-m-d H:i",$news['Datum']) . ', ';
+	$html .= UID2Nick($news['UID']);
+	if ($p != "news_comments")
+		$html .= ', <a href="' . page_link_to("news_comments") . '&nid=' . $news['ID'] . '">Kommentare (' . sql_num_query("SELECT * FROM `news_comments` WHERE `Refid`='" . sql_escape($news['ID']) . "'") . ') &raquo;</a>';
+	$html .= '</details>';
+	$html .= '<h3>'.($news['Treffen'] == 1 ? '[Meeting] ' : '') . ReplaceSmilies($news['Betreff']) . '</h3>';
+	$html .= '<p>' . ReplaceSmilies(nl2br($news['Text'])) . '</p>';
+	if (in_array("admin_news", $privileges))
+		$html .= "<details><a href=\"" . page_link_to("admin_news") . "&action=edit&id=" . $news['ID'] . "\">Edit</a></details>\n";
+
+	$html .= '</article>';
+	return $html;
 }
 
-function user_news_output() {
-	global $DISPLAY_NEWS, $privileges;
-	
+function user_news_comments() {
+	global $user;
+
 	$html = "";
+	if (isset ($_REQUEST["nid"]) && preg_match("/^[0-9]{1,}$/", $_REQUEST['nid']) && sql_num_query("SELECT * FROM `News` WHERE `ID`=" . sql_escape($_REQUEST['nid']) . " LIMIT 1") > 0) {
+		$nid = $_REQUEST["nid"];
+		list ($news) = sql_select("SELECT * FROM `News` WHERE `ID`=" . sql_escape($_REQUEST['nid']) . " LIMIT 1");
+		if (isset ($_REQUEST["text"])) {
+			$text = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['text']));
+			sql_query("INSERT INTO `news_comments` (`Refid`, `Datum`, `Text`, `UID`) VALUES ('" . sql_escape($nid) . "', '" . date("Y-m-d H:i:s") . "', '" . sql_escape($text) . "', '" . sql_escape($user["UID"]) . "')");
+			$html .= success("Eintrag wurde gespeichert");
+		}
 
-	if (isset ($_POST["text"]) && isset ($_POST["betreff"]) && IsSet ($_POST["date"])) {
-		if (!isset ($_POST["treffen"]))
-			$_POST["treffen"] = 0;
-		$SQL = "INSERT INTO `News` (`Datum`, `Betreff`, `Text`, `UID`, `Treffen`) " .
-		"VALUES ('" . sql_escape($_POST["date"]) . "', '" . sql_escape($_POST["betreff"]) . "', '" . sql_escape($_POST["text"]) . "', '" . sql_escape($_SESSION['uid']) .
-		"', '" . sql_escape($_POST["treffen"]) . "');";
-		$Erg = sql_query($SQL);
-		if ($Erg == 1)
-			$html .= Get_Text(4);
-	}
+		$html .= '<a href="' . page_link_to("news") . '">&laquo; Back</a>';
+		$html .= display_news($news);
 
-	if (!IsSet ($_GET["news_begin"]))
-		$_GET["news_begin"] = 0;
+		$html .= '<h2>Comments</h2>';
+
+		$comments = sql_select("SELECT * FROM `news_comments` WHERE `Refid`='" . $nid . "' ORDER BY 'ID'");
+		foreach ($comments as $comment) {
+			$html .= '<article class="news_comment">';
+			$html .= DisplayAvatar($comment['UID']);
+			$html .= '<details>';
+			$html .= $comment['Datum'] . ', ';
+			$html .= UID2Nick($comment['UID']);
+			$html .= '</details>';
+			$html .= '<p>' . nl2br($comment['Text']) . '</p>';
+			$html .= '</article>';
+		}
 
-	if (!IsSet ($_GET["DISPLAY_NEWS"]))
-		$_GET["DISPLAY_NEWS"] = 5;
+		$html .= "</table>";
+		$html .= '
+					<br />
+					<hr>
+					<h2>Neuer Kommentar:</h2>
+					<a name="Neu">&nbsp;</a>
+					
+					<form action="' . page_link_to("news_comments") . '" method="post">
+					<input type="hidden" name="nid" value="' . $_REQUEST["nid"] . '">
+					<table>
+					 <tr>
+					  <td align="right" valign="top">Text:</td>
+					  <td><textarea name="text" cols="50" rows="10"></textarea></td>
+					 </tr>
+					</table>
+					<br />
+					<input type="submit" value="sichern...">
+					</form>';
+	} else {
+		$html .= "Fehlerhafter Aufruf!";
+	}
 
-	$SQL = "SELECT * FROM `News` ORDER BY `ID` DESC LIMIT " . intval($_GET["news_begin"]) . ", " . intval($_GET["DISPLAY_NEWS"]);
-	$Erg = sql_query($SQL);
+	return $html;
+}
 
-	// anzahl zeilen
-	$news_rows = mysql_num_rows($Erg);
+function user_news() {
+	global $DISPLAY_NEWS, $privileges, $user;
 
-	for ($n = 0; $n < $news_rows; $n++) {
+	$html = "";
 
-		if (mysql_result($Erg, $n, "Treffen") == 0)
-			$html .= "<p class='question'>";
-		else
-			$html .= "<p class='engeltreffen'>";
-
-		$html .= "<u>" . ReplaceSmilies(mysql_result($Erg, $n, "Betreff")) . "</u>\n";
-
-		// Schow Admin Page
-		if ($_SESSION['CVS']["admin/news.php"] == "Y")
-			$html .= " <a href=\"./../admin/news.php?action=change&date=" . mysql_result($Erg, $n, "Datum") . "\">[edit]</a><br />\n\t\t";
-
-		$html .= "<br />&nbsp; &nbsp;<font size=1>" . mysql_result($Erg, $n, "Datum") . ", ";
-		$html .= UID2Nick(mysql_result($Erg, $n, "UID")) . "</font>";
-		// avatar anzeigen?
-		$html .= DisplayAvatar(mysql_result($Erg, $n, "UID"));
-		$html .= "</p>\n";
-		$html .= "<p class='answer'>" . ReplaceSmilies(nl2br(mysql_result($Erg, $n, "Text"))) . "</p>\n";
-		$RefID = mysql_result($Erg, $n, "ID");
-		$countSQL = "SELECT COUNT(*) FROM `news_comments` WHERE `Refid`='$RefID'";
-		$countErg = sql_query($countSQL);
-		$countcom = mysql_result($countErg, 0, "COUNT(*)");
-		$html .= "<p class='comment' align='right'><a href=\"./news_comments.php?nid=$RefID\">$countcom comments</a></p>\n\n";
+	if (isset ($_POST["text"]) && isset ($_POST["betreff"])) {
+		if (!isset ($_POST["treffen"]) || !in_array("admin_news", $privileges))
+			$_POST["treffen"] = 0;
+		sql_query("INSERT INTO `News` (`Datum`, `Betreff`, `Text`, `UID`, `Treffen`) " .
+		"VALUES ('" . sql_escape(time()) . "', '" . sql_escape($_POST["betreff"]) . "', '" . sql_escape($_POST["text"]) . "', '" . sql_escape($user['UID']) .
+		"', '" . sql_escape($_POST["treffen"]) . "');");
+		$html .= success(Get_Text(4));
 	}
 
-	$html .= "<div align=\"center\">\n\n";
-	$rowerg = sql_query("SELECT * FROM `News`");
-	$rows = mysql_num_rows($rowerg);
-	$dis_rows = round(($rows / $DISPLAY_NEWS) + 0.5);
+	if (isset ($_REQUEST['page']) && preg_match("/^[0-9]{1,}$/", $_REQUEST['page']))
+		$page = $_REQUEST['page'];
+	else
+		$page = 0;
+
+	$news = sql_select("SELECT * FROM `News` ORDER BY `ID` DESC LIMIT " . ($page * $DISPLAY_NEWS) . ", " . $DISPLAY_NEWS);
+	foreach ($news as $entry)
+		$html .= display_news($entry);
+
+	$html .= "<div class=\"pagination\">\n\n";
+	$dis_rows = ceil(sql_num_query("SELECT * FROM `News`") / $DISPLAY_NEWS);
 
 	$html .= Get_Text(5);
 
-	for ($i = 1; $i <= $dis_rows; $i++) {
-		if (!((($i * $DISPLAY_NEWS) - $_GET["news_begin"]) == $DISPLAY_NEWS)) {
-			$html .= '<a href="' . page_link_to("news") . '&news_begin=' . (($i * $DISPLAY_NEWS) - $DISPLAY_NEWS -1) . '">' . $i . '</a>&nbsp; ';
-		} else {
-			$html .= "$i&nbsp; ";
-		}
+	for ($i = 0; $i < $dis_rows; $i++) {
+		if ($i == $_REQUEST['page'])
+			$html .= ($i +1) . "&nbsp; ";
+		else
+			$html .= '<a href="' . page_link_to("news") . '&page=' . $i . '">' . ($i +1) . '</a>&nbsp; ';
 	}
 	$html .= '</div>
-					<br /><hr />
-					<h2>' . Get_Text(6) . '</h2>
-					<a name="Neu">&nbsp;</a>
-					
-					<form action="" method="post">
-					<?PHP
-					
-						// Datum mit uebergeben, um doppelte Eintraege zu verhindern 
-						// (Reload nach dem Eintragen!)
-					?>
-					<input type="hidden" name="date" value="' . date("Y-m-d H:i:s") . '">
-					<table>
-					 <tr>
-					  <td align="right">' . Get_Text(7) . '</td>
-					  <td><input type="text" name="betreff" size="60"></td>
-					 </tr>
-					 <tr>
-					  <td align="right">' . Get_Text(8) . '</td>
-					  <td><textarea name="text" cols="50" rows="10"></textarea></td>
-					 </tr>';
-	if (in_array('news_add_meeting', $privileges)) {
+			<br /><hr />
+			<h2>' . Get_Text(6) . '</h2>
+			<a name="Neu">&nbsp;</a>
+			
+			<form action="" method="post">
+			<table>
+			 <tr>
+			  <td align="right">' . Get_Text(7) . '</td>
+			  <td><input type="text" name="betreff" size="60"></td>
+			 </tr>
+			 <tr>
+			  <td align="right">' . Get_Text(8) . '</td>
+			  <td><textarea name="text" cols="50" rows="10"></textarea></td>
+			 </tr>';
+	if (in_array('admin_news', $privileges)) {
 		$html .= ' <tr>
-										  <td align="right">' . Get_Text(9) . '</td>
-										  <td><input type="checkbox" name="treffen" size="1" value="1"></td>
-										 </tr>';
+		  <td align="right">' . Get_Text(9) . '</td>
+		  <td><input type="checkbox" name="treffen" size="1" value="1"></td>
+		 </tr>';
 
 	}
 	$html .= '</table>
-					<br />
-					<input type="submit" value="' . Get_Text("save") . '">
-					</form>';
+		<br />
+		<input type="submit" value="' . Get_Text("save") . '">
+		</form>';
 	return $html;
 }
 ?>
\ No newline at end of file
diff --git a/includes/sys_user.php b/includes/sys_user.php
index 6274003d..5dcf3f1f 100644
--- a/includes/sys_user.php
+++ b/includes/sys_user.php
@@ -75,9 +75,9 @@ function displayPictur($UID, $height = "30") {
 	global $url, $ENGEL_ROOT;
 
 	if ($height > 0)
-		return ("<img src=\"" . $url . $ENGEL_ROOT . "ShowUserPicture.php?UID=$UID\" height=\"$height\" alt=\"picture of USER$UID\" class=\"photo\">");
+		return ("<div class=\"avatar\"><img src=\"" . $url . $ENGEL_ROOT . "ShowUserPicture.php?UID=$UID\" height=\"$height\" alt=\"picture of USER$UID\" class=\"photo\"></div>");
 	else
-		return ("<img src=\"" . $url . $ENGEL_ROOT . "ShowUserPicture.php?UID=$UID\" alt=\"picture of USER$UID\">");
+		return ("<div class=\"avatar\"><img class=\"avatar\" src=\"" . $url . $ENGEL_ROOT . "ShowUserPicture.php?UID=$UID\" alt=\"picture of USER$UID\"></div>");
 }
 
 function displayavatar($UID, $height = "30") {
@@ -92,7 +92,7 @@ function displayavatar($UID, $height = "30") {
 
 	if (mysql_num_rows($aerg))
 		if (mysql_result($aerg, 0, "Avatar") > 0)
-			return ("&nbsp;<img src=\"" . $url . $ENGEL_ROOT . "pic/avatar/avatar" . mysql_result($aerg, 0, "Avatar") . ".gif\">");
+			return'<div class="avatar">'. ("&nbsp;<img src=\"" . $url . $ENGEL_ROOT . "pic/avatar/avatar" . mysql_result($aerg, 0, "Avatar") . ".gif\">").'</div>';
 }
 
 function UIDgekommen($UID) {
diff --git a/txt/TODO b/txt/TODO
index cebcb0de..fb1b3098 100644
--- a/txt/TODO
+++ b/txt/TODO
@@ -10,12 +10,12 @@ jetzt:
  * weckservice?
 
 später:
+ * Zurück-/Backlinks setzen
  * MD5-Passwörter mit Salt speichern
  * Passwort-Mindestanforderungen stellen
  * User-Avatare (code liegt auskommentiert in user_settings.php)
  * user_messages schön machen
  * Formulare weg von Tabellen
- * user_news lässt sich nicht bedienen (POST ohne redirects...)
  * Privilegien korrigieren (an die vom CVS anpassen)
  * Beim Raum-Management die benötigten Engel anzeigen
  * Löschen nur mit Rückfrage
diff --git a/www-ssl/css/base.css b/www-ssl/css/base.css
index 44e1959c..0a137099 100644
--- a/www-ssl/css/base.css
+++ b/www-ssl/css/base.css
@@ -15,6 +15,12 @@ header {
     width: 100%;
 }
 
+article, details {
+    clear: none;
+    display: block;
+    float: none;
+}
+
 footer {
     clear: both;
     display: block;
@@ -64,13 +70,13 @@ dd {
     margin-left: 20px;
 }
 
-h1, h4 {
+h1, h2, h3, h4 {
     font-size: 16px;
     padding: 0 4px;
 }
 
 hr {
-	margin: 10px 0;
+    margin: 10px 0;
 }
 
 ul {
@@ -81,7 +87,7 @@ nav {
     margin: 0 10px 10px 0;
 }
 
-#content article {
+#content > article {
     padding: 10px;
 }
 
@@ -98,20 +104,28 @@ a.sprache img {
 }
 
 table {
-	border-collapse: collapse;
+    border-collapse: collapse;
 }
 
 th {
-	background: #f0f0f0;
+    background: #f0f0f0;
 }
 
 td, th {
-	border: 1px solid #888;
+    border: 1px solid #888;
 }
 
 textarea {
-	height: 200px;
-	width: 300px;
+    height: 200px;
+    width: 300px;
+}
+
+.clear {
+    clear: both;
+}
+
+.pagination {
+    text-align: center;
 }
 
 .background {
@@ -127,20 +141,49 @@ textarea {
 }
 
 .error {
-	color: #f00;
+    color: #f00;
 }
 
 .success {
-	color: #090;
+    color: #090;
 }
 
 .notice {
-	background: #f0f0f0;
-	border: 2px solid #888;
-	margin: 10px;
-	padding: 10px;
+    background: #f0f0f0;
+    border: 2px solid #888;
+    margin: 10px;
+    padding: 10px;
 }
 
 .new_message {
-	font-weight: bold;
+    font-weight: bold;
+}
+
+.news_comment, .news {
+    border: 1px solid #888;
+    margin: 10px 0;
+}
+
+.news_comment details, .news details {
+    background: #f0f0f0;
+    padding: 4px;
+}
+
+.news_comment p, .news p, h3 {
+    padding: 4px;
+}
+
+.news_comment p, .news_comment details {
+    margin-left: 72px;
+}
+
+.avatar {
+    float: left;
+    margin: 4px;
+    max-width: 64px;
+}
+
+.news.meeting {
+    border: 1px solid #000;
+    box-shadow: 1px 1px 5px #888;
 }
diff --git a/www-ssl/index.php b/www-ssl/index.php
index 8ad025aa..9524459a 100644
--- a/www-ssl/index.php
+++ b/www-ssl/index.php
@@ -36,6 +36,10 @@ if (in_array($p, $privileges)) {
 		require_once ('includes/pages/user_news.php');
 		$content = user_news();
 	}
+	elseif ($p == "news_comments") {
+		require_once ('includes/pages/user_news.php');
+		$content = user_news_comments();
+	}
 	elseif ($p == "user_messages") {
 		$content = user_messages();
 	}
-- 
cgit v1.2.3-54-g00ecf


From 6b155db36c30718ccbe25200d640c177d5d78589 Mon Sep 17 00:00:00 2001
From: Philip Häusler <msquare@notrademark.de>
Date: Fri, 3 Jun 2011 07:44:50 +0200
Subject: user management

---
 DB/db_rewrite.sql                    |  14 +-
 includes/pages/admin_user.php        | 363 +++++++++++++++++++++++++----------
 includes/sys_template.php            |   2 +-
 includes/sys_user.php                |  11 +-
 txt/TODO                             |   1 -
 www-ssl/admin/userChangeNormal.php   | 133 -------------
 www-ssl/admin/userDefaultSetting.php | 138 -------------
 www-ssl/admin/userSaveNormal.php     | 119 ------------
 8 files changed, 277 insertions(+), 504 deletions(-)
 delete mode 100644 www-ssl/admin/userChangeNormal.php
 delete mode 100644 www-ssl/admin/userDefaultSetting.php
 delete mode 100644 www-ssl/admin/userSaveNormal.php

(limited to 'includes/sys_user.php')

diff --git a/DB/db_rewrite.sql b/DB/db_rewrite.sql
index 20a23f1e..18a75dee 100644
--- a/DB/db_rewrite.sql
+++ b/DB/db_rewrite.sql
@@ -3,7 +3,7 @@
 -- http://www.phpmyadmin.net
 --
 -- Host: localhost
--- Erstellungszeit: 03. Juni 2011 um 04:47
+-- Erstellungszeit: 03. Juni 2011 um 05:44
 -- Server Version: 5.1.44
 -- PHP-Version: 5.3.1
 
@@ -80,15 +80,15 @@ INSERT INTO `Counter` (`URL`, `Anz`) VALUES
 ('register', 8),
 ('admin_rooms', 89),
 ('admin_angel_types', 71),
-('user_settings', 126),
+('user_settings', 131),
 ('user_messages', 113),
 ('admin_groups', 129),
 ('user_questions', 55),
-('admin_questions', 42),
+('admin_questions', 43),
 ('admin_faq', 55),
 ('admin_news', 33),
 ('news_comments', 151),
-('admin_user', 59),
+('admin_user', 157),
 ('user_meetings', 5);
 
 -- --------------------------------------------------------
@@ -1083,8 +1083,7 @@ CREATE TABLE IF NOT EXISTS `User` (
 --
 
 INSERT INTO `User` (`UID`, `Nick`, `Name`, `Vorname`, `Alter`, `Telefon`, `DECT`, `Handy`, `email`, `ICQ`, `jabber`, `Size`, `Passwort`, `Gekommen`, `Aktiv`, `Tshirt`, `color`, `Sprache`, `Avatar`, `Menu`, `lastLogIn`, `CreateDate`, `Art`, `kommentar`, `Hometown`) VALUES
-(1, 'admin', '', '', 0, '', '', '', '', '', '', 'L', '21232f297a57a5a743894a0e4a801fc3', 0, 0, 0, 10, 'DE', 115, 'L', 1307076377, '0000-00-00 00:00:00', '', '', ''),
-(147, 'msquare', '', '', 23, '', '', '', 'msquare@notrademark.de', '', '', 'L', 'e10adc3949ba59abbe56e057f20f883e', 0, 0, 0, 6, 'EN', 0, 'L', 1307042703, '2011-06-02 00:55:09', '', '', '');
+(1, 'admin', 'Gates', 'Bill', 42, '', '', '', '', '', '', '', '4297f44b13955235245b2497399d7a93', 0, 0, 0, 10, 'DE', 115, 'L', 1307079838, '0000-00-00 00:00:00', '', '', '');
 
 -- --------------------------------------------------------
 
@@ -1184,8 +1183,7 @@ INSERT INTO `UserGroups` (`id`, `uid`, `group_id`) VALUES
 (1, 1, -2),
 (2, 1, -3),
 (3, 1, -5),
-(4, 1, -4),
-(5, 147, -2);
+(4, 1, -4);
 
 -- --------------------------------------------------------
 
diff --git a/includes/pages/admin_user.php b/includes/pages/admin_user.php
index b64c9678..497f5fdb 100644
--- a/includes/pages/admin_user.php
+++ b/includes/pages/admin_user.php
@@ -1,111 +1,280 @@
 <?php
 function admin_user() {
+	global $user;
+
 	include ("includes/funktion_db_list.php");
 
 	$html = "";
-	// Userliste, keine UID uebergeben...
-
-	$html .= "<a href=\"" . page_link_to("register") . "\">Neuen Engel eintragen &raquo;</a><br /><br />\n";
-
-	if (!isset ($_GET["OrderBy"]))
-		$_GET["OrderBy"] = "Nick";
-	$SQL = "SELECT * FROM `User` ORDER BY `" . $_GET["OrderBy"] . "` ASC";
-	$Erg = sql_query($SQL);
-
-	// anzahl zeilen
-	$Zeilen = mysql_num_rows($Erg);
-
-	$html .= "Anzahl Engel: $Zeilen<br /><br />\n";
-	$html .= '
-	<table width="100%" class="border" cellpadding="2" cellspacing="1"> <thead>
-	  <tr class="contenttopic">
-	    <th>
-	      <a href="' . page_link_to("admin_user") . '&OrderBy=Nick">Nick</a>
-	    </th>
-	    <th><a href="' . page_link_to("admin_user") . '&OrderBy=Vorname">Vorname</a> <a href="' . page_link_to("admin_user") . '&OrderBy=Name">Name</a></th>
-	    <th><a href="' . page_link_to("admin_user") . '&OrderBy=Alter">Alter</a></th>
-	    <th>
-	      <a href="' . page_link_to("admin_user") . '&OrderBy=email">E-Mail</a>
-	    </th>
-	    <th><a href="' . page_link_to("admin_user") . '&OrderBy=Size">Gr&ouml;&szlig;e</a></th>
-	    <th><a href="' . page_link_to("admin_user") . '&OrderBy=Gekommen">Gekommen</a></th>
-	    <th><a href="' . page_link_to("admin_user") . '&OrderBy=Aktiv">Aktiv</a></th>
-	    <th><a href="' . page_link_to("admin_user") . '&OrderBy=Tshirt">T-Shirt</a></th>
-	    <th><a href="' . page_link_to("admin_user") . '&OrderBy=CreateDate">Registrier</a></th>
-	    <th>&Auml;nd.</th>
-	  </tr></thead>';
-	$Gekommen = 0;
-	$Active = 0;
-	$Tshirt = 0;
-
-	for ($n = 0; $n < $Zeilen; $n++) {
-		$title = "";
-		$user_groups = sql_select("SELECT * FROM `UserGroups` JOIN `Groups` ON (`Groups`.`UID` = `UserGroups`.`group_id`) WHERE `UserGroups`.`uid`=" . sql_escape(mysql_result($Erg, $n, "UID")) . " ORDER BY `Groups`.`Name`");
-		$groups = array ();
-		foreach ($user_groups as $user_group) {
-			$groups[] = $user_group['Name'];
+
+	if (isset ($_REQUEST['id']) && preg_match("/^[0-9]{1,}$/", $_REQUEST['id']) && sql_num_query("SELECT * FROM `User` WHERE `UID`=" . sql_escape($_REQUEST['id'])) > 0) {
+		$id = $_REQUEST['id'];
+		if (!isset ($_REQUEST['action'])) {
+			$html .= "Hallo,<br />" .
+			"hier kannst du den Eintrag &auml;ndern. Unter dem Punkt 'Gekommen' " .
+			"wird der Engel als anwesend markiert, ein Ja bei Aktiv bedeutet, " .
+			"dass der Engel aktiv war und damit ein Anspruch auf ein T-Shirt hat. " .
+			"Wenn T-Shirt ein 'Ja' enth&auml;lt, bedeutet dies, dass der Engel " .
+			"bereits sein T-Shirt erhalten hat.<br /><br />\n";
+
+			$html .= "<form action=\"" . page_link_to("admin_user") . "&action=save&id=$id\" method=\"post\">\n";
+			$html .= "<table border=\"0\">\n";
+			$html .= "<input type=\"hidden\" name=\"Type\" value=\"Normal\">\n";
+
+			$SQL = "SELECT * FROM `User` WHERE `UID`='" . $id . "'";
+			$Erg = sql_query($SQL);
+
+			$html .= "<tr><td>\n";
+			$html .= "<table>\n";
+			$html .= "  <tr><td>Nick</td><td>" .
+			"<input type=\"text\" size=\"40\" name=\"eNick\" value=\"" .
+			mysql_result($Erg, 0, "Nick") . "\"></td></tr>\n";
+			$html .= "  <tr><td>lastLogIn</td><td>" .
+			date("Y-m-d H:i", mysql_result($Erg, 0, "lastLogIn")) . "</td></tr>\n";
+			$html .= "  <tr><td>Name</td><td>" .
+			"<input type=\"text\" size=\"40\" name=\"eName\" value=\"" .
+			mysql_result($Erg, 0, "Name") . "\"></td></tr>\n";
+			$html .= "  <tr><td>Vorname</td><td>" .
+			"<input type=\"text\" size=\"40\" name=\"eVorname\" value=\"" .
+			mysql_result($Erg, 0, "Vorname") . "\"></td></tr>\n";
+			$html .= "  <tr><td>Alter</td><td>" .
+			"<input type=\"text\" size=\"5\" name=\"eAlter\" value=\"" .
+			mysql_result($Erg, 0, "Alter") . "\"></td></tr>\n";
+			$html .= "  <tr><td>Telefon</td><td>" .
+			"<input type=\"text\" size=\"40\" name=\"eTelefon\" value=\"" .
+			mysql_result($Erg, 0, "Telefon") . "\"></td></tr>\n";
+			$html .= "  <tr><td>Handy</td><td>" .
+			"<input type=\"text\" size=\"40\" name=\"eHandy\" value=\"" .
+			mysql_result($Erg, 0, "Handy") . "\"></td></tr>\n";
+			$html .= "  <tr><td>DECT</td><td>" .
+			"<input type=\"text\" size=\"4\" name=\"eDECT\" value=\"" .
+			mysql_result($Erg, 0, "DECT") . "\"></td></tr>\n";
+			$html .= "  <tr><td>email</td><td>" .
+			"<input type=\"text\" size=\"40\" name=\"eemail\" value=\"" .
+			mysql_result($Erg, 0, "email") . "\"></td></tr>\n";
+			$html .= "  <tr><td>ICQ</td><td>" .
+			"<input type=\"text\" size=\"40\" name=\"eICQ\" value=\"" .
+			mysql_result($Erg, 0, "ICQ") . "\"></td></tr>\n";
+			$html .= "  <tr><td>jabber</td><td>" .
+			"<input type=\"text\" size=\"40\" name=\"ejabber\" value=\"" .
+			mysql_result($Erg, 0, "jabber") . "\"></td></tr>\n";
+			$html .= "  <tr><td>Size</td><td>" .
+			html_select_key('size', array (
+				'S' => "S",
+				'M' => "M",
+				'L' => "L",
+				'XL' => "XL",
+				'2XL' => "2XL",
+				'3XL' => "3XL",
+				'4XL' => "4XL",
+				'5XL' => "5XL",
+				'S-G' => "S Girl",
+				'M-G' => "M Girl",
+				'L-G' => "L Girl",
+				'XL-G' => "XL Girl"
+			), mysql_result($Erg, 0, "Size")) . "</td></tr>\n";
+
+			$options = array (
+				'1' => "Yes",
+				'0' => "No"
+			);
+
+			// Gekommen? 
+			$html .= "  <tr><td>Gekommen</td><td>\n";
+			$html .= html_options('eGekommen', $options, mysql_result($Erg, 0, "Gekommen")) . "</td></tr>\n";
+
+			// Aktiv?
+			$html .= "  <tr><td>Aktiv</td><td>\n";
+			$html .= html_options('eAktiv', $options, mysql_result($Erg, 0, "Aktiv")) . "</td></tr>\n";
+
+			// T-Shirt bekommen? 
+			$html .= "  <tr><td>T-Shirt</td><td>\n";
+			$html .= html_options('eTshirt', $options, mysql_result($Erg, 0, "Tshirt")) . "</td></tr>\n";
+
+			$html .= "  <tr><td>Hometown</td><td>" .
+			"<input type=\"text\" size=\"40\" name=\"Hometown\" value=\"" .
+			mysql_result($Erg, 0, "Hometown") . "\"></td></tr>\n";
+
+			$html .= "</table>\n</td><td valign=\"top\">" . displayavatar($id, false) . "</td></tr>";
+
+			$html .= "</td></tr>\n";
+			$html .= "</table>\n<br />\n";
+			$html .= "<input type=\"hidden\" name=\"id\" value=\"" . $id . "\">\n";
+			$html .= "<input type=\"submit\" value=\"Speichern\">\n";
+			$html .= "</form>";
+
+			$html .= "<hr />";
+
+			$html .= "Hier kannst Du das Passwort dieses Engels neu setzen:<form action=\"" . page_link_to("admin_user") . "&action=change_pw&id=$id\" method=\"post\">\n";
+			$html .= "<table>\n";
+			$html .= "  <tr><td>Passwort</td><td>" .
+			"<input type=\"password\" size=\"40\" name=\"new_pw\" value=\"\"></td></tr>\n";
+			$html .= "  <tr><td>Wiederholung</td><td>" .
+			"<input type=\"password\" size=\"40\" name=\"new_pw2\" value=\"\"></td></tr>\n";
+
+			$html .= "</table>";
+			$html .= "<input type=\"hidden\" name=\"id\" value=\"" . $id . "\">\n";
+			$html .= "<input type=\"submit\" value=\"Speichern\">\n";
+			$html .= "</form>";
+
+			$html .= "<hr />";
+
+			$html .= "<form action=\"" . page_link_to("admin_user") . "&action=delete&id=" . $id . "\" method=\"post\">\n";
+			$html .= "<input type=\"hidden\" name=\"id\" value=\"" . $id . "\">\n";
+			$html .= "<input type=\"submit\" value=\"Löschen\">\n";
+			$html .= "</form>";
+
+			$html .= "<hr />";
+			$html .= funktion_db_element_list_2row("Freeloader Shifts", "SELECT `Remove_Time`, `Length`, `Comment` FROM `ShiftFreeloader` WHERE UID=" . $_REQUEST['id']);
+		} else {
+			switch ($_REQUEST['action']) {
+				case 'delete' :
+					if ($user['UID'] != $id) {
+						sql_query("DELETE FROM `User` WHERE `UID`=" . sql_escape($id) . " LIMIT 1");
+						sql_query("DELETE FROM `UserGroups` WHERE `uid`=" . sql_escape($id));
+						sql_query("UPDATE `ShiftEntry` SET `UID`=0, `Comment`=NULL WHERE `UID`=" . sql_escape($id));
+						$html .= success("Benutzer gelöscht!");
+					} else {
+						$html .= error("Du kannst Dich nicht selber löschen!");
+					}
+					break;
+
+				case 'save' :
+					$SQL = "UPDATE `User` SET ";
+					$SQL .= " `Nick` = '" . $_POST["eNick"] . "', `Name` = '" . $_POST["eName"] . "', " .
+					"`Vorname` = '" . $_POST["eVorname"] . "', " .
+					"`Telefon` = '" . $_POST["eTelefon"] . "', " .
+					"`Handy` = '" . $_POST["eHandy"] . "', " .
+					"`Alter` = '" . $_POST["eAlter"] . "', " .
+					"`DECT` = '" . $_POST["eDECT"] . "', " .
+					"`email` = '" . $_POST["eemail"] . "', " .
+					"`ICQ` = '" . $_POST["eICQ"] . "', " .
+					"`jabber` = '" . $_POST["ejabber"] . "', " .
+					"`Size` = '" . $_POST["eSize"] . "', " .
+					"`Gekommen`= '" . $_POST["eGekommen"] . "', " .
+					"`Aktiv`= '" . $_POST["eAktiv"] . "', " .
+					"`Tshirt` = '" . $_POST["eTshirt"] . "', " .
+					"`Hometown` = '" . $_POST["Hometown"] . "' " .
+					"WHERE `UID` = '" . $id .
+					"' LIMIT 1;";
+					sql_query($SQL);
+					$html .= success("Änderung wurde gespeichert...\n");
+					break;
+
+				case 'change_pw' :
+					if ($_REQUEST['new_pw'] != "" && $_REQUEST['new_pw'] == $_REQUEST['new_pw2']) {
+						sql_query("UPDATE `User` SET `Passwort`='" . sql_escape(PassCrypt($_REQUEST['new_pw'])) . "' WHERE `UID`=" . sql_escape($id) . " LIMIT 1");
+						$html .= success("Passwort neu gesetzt.");
+					} else {
+						$html .= error("Die Eingaben müssen übereinstimmen und dürfen nicht leer sein!");
+					}
+					break;
+			}
 		}
-		$title .= 'Groups: ' . join(", ", $groups) . "<br />";
-		if (strlen(mysql_result($Erg, $n, "Telefon")) > 0)
-			$title .= "Tel: " . mysql_result($Erg, $n, "Telefon") . "<br />";
-		if (strlen(mysql_result($Erg, $n, "Handy")) > 0)
-			$title .= "Handy: " . mysql_result($Erg, $n, "Handy") . "<br />";
-		if (strlen(mysql_result($Erg, $n, "DECT")) > 0)
-			$title .= "DECT: <a href=\"./dect.php?custum=" . mysql_result($Erg, $n, "DECT") . "\">" .
-			mysql_result($Erg, $n, "DECT") . "</a><br />";
-		if (strlen(mysql_result($Erg, $n, "Hometown")) > 0)
-			$title .= "Hometown: " . mysql_result($Erg, $n, "Hometown") . "<br />";
-		if (strlen(mysql_result($Erg, $n, "lastLogIn")) > 0)
-			$title .= "Last login: " . date("Y-m-d H:i", mysql_result($Erg, $n, "lastLogIn")) . "<br />";
-		if (strlen(mysql_result($Erg, $n, "Art")) > 0)
-			$title .= "Type: " . mysql_result($Erg, $n, "Art") . "<br />";
-		if (strlen(mysql_result($Erg, $n, "ICQ")) > 0)
-			$title .= "ICQ: " . mysql_result($Erg, $n, "ICQ") . "<br />";
-		if (strlen(mysql_result($Erg, $n, "jabber")) > 0)
-			$title .= "jabber: " . mysql_result($Erg, $n, "jabber") . "<br />";
-
-		$html .= "<tr class=\"content\">\n";
-		$html .= "\t<td>" . mysql_result($Erg, $n, "Nick") . "</td>\n";
-		$html .= "\t<td>" . mysql_result($Erg, $n, "Vorname") . " " . mysql_result($Erg, $n, "Name") . "</td>\n";
-		$html .= "\t<td>" . mysql_result($Erg, $n, "Alter") . "</td>\n";
-		$html .= "\t<td>";
-		if (strlen(mysql_result($Erg, $n, "email")) > 0)
-			$html .= "<a href=\"mailto:" . mysql_result($Erg, $n, "email") . "\">" .
-			mysql_result($Erg, $n, "email") . "</a>";
-		$html .= '<div class="hidden">' . $title . '</div>';
-		$html .= "</td>\n";
-		$html .= "\t<td>" . mysql_result($Erg, $n, "Size") . "</td>\n";
-		$Gekommen += mysql_result($Erg, $n, "Gekommen");
-		$html .= "\t<td>" . mysql_result($Erg, $n, "Gekommen") . "</td>\n";
-		$Active += mysql_result($Erg, $n, "Aktiv");
-		$html .= "\t<td>" . mysql_result($Erg, $n, "Aktiv") . "</td>\n";
-		$Tshirt += mysql_result($Erg, $n, "Tshirt");
-		$html .= "\t<td>" . mysql_result($Erg, $n, "Tshirt") . "</td>\n";
-		$html .= "<td>" . mysql_result($Erg, $n, "CreateDate") . "</td>";
-		$html .= "\t<td>" . '<a href="">Edit</a>' .
-		"</td>\n";
-		$html .= "</tr>\n";
-	}
-	$html .= "<tr>" .
-	"<td></td><td></td><td></td><td></td><td></td>" .
-	"<td>$Gekommen</td><td>$Active</td><td>$Tshirt</td><td></td><td></td></tr>\n";
-	$html .= "\t</table>\n";
-	// Ende Userliste
+	} else {
+		// Userliste, keine UID uebergeben...
+
+		$html .= "<a href=\"" . page_link_to("register") . "\">Neuen Engel eintragen &raquo;</a><br /><br />\n";
 
-	$html .= "<hr /><h2>Statistics</h2>";
-	$html .= funktion_db_element_list_2row("Hometown", "SELECT COUNT(`Hometown`), `Hometown` FROM `User` GROUP BY `Hometown`");
+		if (!isset ($_GET["OrderBy"]))
+			$_GET["OrderBy"] = "Nick";
+		$SQL = "SELECT * FROM `User` ORDER BY `" . sql_escape($_GET["OrderBy"]) . "` ASC";
+		$Erg = sql_query($SQL);
 
-	$html .= "<br />\n";
+		// anzahl zeilen
+		$Zeilen = mysql_num_rows($Erg);
 
-	$html .= funktion_db_element_list_2row("Engeltypen", "SELECT COUNT(`Art`), `Art` FROM `User` GROUP BY `Art`");
+		$html .= "Anzahl Engel: $Zeilen<br /><br />\n";
+		$html .= '
+									<table width="100%" class="border" cellpadding="2" cellspacing="1"> <thead>
+									  <tr class="contenttopic">
+									    <th>
+									      <a href="' . page_link_to("admin_user") . '&OrderBy=Nick">Nick</a>
+									    </th>
+									    <th><a href="' . page_link_to("admin_user") . '&OrderBy=Vorname">Vorname</a> <a href="' . page_link_to("admin_user") . '&OrderBy=Name">Name</a></th>
+									    <th><a href="' . page_link_to("admin_user") . '&OrderBy=Alter">Alter</a></th>
+									    <th>
+									      <a href="' . page_link_to("admin_user") . '&OrderBy=email">E-Mail</a>
+									    </th>
+									    <th><a href="' . page_link_to("admin_user") . '&OrderBy=Size">Gr&ouml;&szlig;e</a></th>
+									    <th><a href="' . page_link_to("admin_user") . '&OrderBy=Gekommen">Gekommen</a></th>
+									    <th><a href="' . page_link_to("admin_user") . '&OrderBy=Aktiv">Aktiv</a></th>
+									    <th><a href="' . page_link_to("admin_user") . '&OrderBy=Tshirt">T-Shirt</a></th>
+									    <th><a href="' . page_link_to("admin_user") . '&OrderBy=CreateDate">Registrier</a></th>
+									    <th>&Auml;nd.</th>
+									  </tr></thead>';
+		$Gekommen = 0;
+		$Active = 0;
+		$Tshirt = 0;
 
-	$html .= "<br />\n";
+		for ($n = 0; $n < $Zeilen; $n++) {
+			$title = "";
+			$user_groups = sql_select("SELECT * FROM `UserGroups` JOIN `Groups` ON (`Groups`.`UID` = `UserGroups`.`group_id`) WHERE `UserGroups`.`uid`=" . sql_escape(mysql_result($Erg, $n, "UID")) . " ORDER BY `Groups`.`Name`");
+			$groups = array ();
+			foreach ($user_groups as $user_group) {
+				$groups[] = $user_group['Name'];
+			}
+			$title .= 'Groups: ' . join(", ", $groups) . "<br />";
+			if (strlen(mysql_result($Erg, $n, "Telefon")) > 0)
+				$title .= "Tel: " . mysql_result($Erg, $n, "Telefon") . "<br />";
+			if (strlen(mysql_result($Erg, $n, "Handy")) > 0)
+				$title .= "Handy: " . mysql_result($Erg, $n, "Handy") . "<br />";
+			if (strlen(mysql_result($Erg, $n, "DECT")) > 0)
+				$title .= "DECT: <a href=\"./dect.php?custum=" . mysql_result($Erg, $n, "DECT") . "\">" .
+				mysql_result($Erg, $n, "DECT") . "</a><br />";
+			if (strlen(mysql_result($Erg, $n, "Hometown")) > 0)
+				$title .= "Hometown: " . mysql_result($Erg, $n, "Hometown") . "<br />";
+			if (strlen(mysql_result($Erg, $n, "lastLogIn")) > 0)
+				$title .= "Last login: " . date("Y-m-d H:i", mysql_result($Erg, $n, "lastLogIn")) . "<br />";
+			if (strlen(mysql_result($Erg, $n, "Art")) > 0)
+				$title .= "Type: " . mysql_result($Erg, $n, "Art") . "<br />";
+			if (strlen(mysql_result($Erg, $n, "ICQ")) > 0)
+				$title .= "ICQ: " . mysql_result($Erg, $n, "ICQ") . "<br />";
+			if (strlen(mysql_result($Erg, $n, "jabber")) > 0)
+				$title .= "jabber: " . mysql_result($Erg, $n, "jabber") . "<br />";
 
-	$html .= funktion_db_element_list_2row("Used Groups", "SELECT Groups.Name AS 'GroupName', COUNT(Groups.Name) AS Count FROM `UserGroups` " .
-	"LEFT JOIN `Groups` ON Groups.UID = UserGroups.group_id " .
-	"WHERE (UserGroups.group_id!='NULL') " .
-	"GROUP BY `GroupName` " .
-	"");
+			$html .= "<tr class=\"content\">\n";
+			$html .= "\t<td>" . mysql_result($Erg, $n, "Nick") . "</td>\n";
+			$html .= "\t<td>" . mysql_result($Erg, $n, "Vorname") . " " . mysql_result($Erg, $n, "Name") . "</td>\n";
+			$html .= "\t<td>" . mysql_result($Erg, $n, "Alter") . "</td>\n";
+			$html .= "\t<td>";
+			if (strlen(mysql_result($Erg, $n, "email")) > 0)
+				$html .= "<a href=\"mailto:" . mysql_result($Erg, $n, "email") . "\">" .
+				mysql_result($Erg, $n, "email") . "</a>";
+			$html .= '<div class="hidden">' . $title . '</div>';
+			$html .= "</td>\n";
+			$html .= "\t<td>" . mysql_result($Erg, $n, "Size") . "</td>\n";
+			$Gekommen += mysql_result($Erg, $n, "Gekommen");
+			$html .= "\t<td>" . mysql_result($Erg, $n, "Gekommen") . "</td>\n";
+			$Active += mysql_result($Erg, $n, "Aktiv");
+			$html .= "\t<td>" . mysql_result($Erg, $n, "Aktiv") . "</td>\n";
+			$Tshirt += mysql_result($Erg, $n, "Tshirt");
+			$html .= "\t<td>" . mysql_result($Erg, $n, "Tshirt") . "</td>\n";
+			$html .= "<td>" . mysql_result($Erg, $n, "CreateDate") . "</td>";
+			$html .= "\t<td>" . '<a href="' . page_link_to("admin_user") . '&id=' . mysql_result($Erg, $n, "UID") . '">Edit</a>' .
+			"</td>\n";
+			$html .= "</tr>\n";
+		}
+		$html .= "<tr>" .
+		"<td></td><td></td><td></td><td></td><td></td>" .
+		"<td>$Gekommen</td><td>$Active</td><td>$Tshirt</td><td></td><td></td></tr>\n";
+		$html .= "\t</table>\n";
+		// Ende Userliste
+
+		$html .= "<hr /><h2>Statistics</h2>";
+		$html .= funktion_db_element_list_2row("Hometown", "SELECT COUNT(`Hometown`), `Hometown` FROM `User` GROUP BY `Hometown`");
+
+		$html .= "<br />\n";
+
+		$html .= funktion_db_element_list_2row("Engeltypen", "SELECT COUNT(`Art`), `Art` FROM `User` GROUP BY `Art`");
+
+		$html .= "<br />\n";
+
+		$html .= funktion_db_element_list_2row("Used Groups", "SELECT Groups.Name AS 'GroupName', COUNT(Groups.Name) AS Count FROM `UserGroups` " .
+		"LEFT JOIN `Groups` ON Groups.UID = UserGroups.group_id " .
+		"WHERE (UserGroups.group_id!='NULL') " .
+		"GROUP BY `GroupName` " .
+		"");
+	}
 	return $html;
 }
 ?>
\ No newline at end of file
diff --git a/includes/sys_template.php b/includes/sys_template.php
index 893d2d7e..7524b0cb 100644
--- a/includes/sys_template.php
+++ b/includes/sys_template.php
@@ -18,7 +18,7 @@ function template_render($file, $data) {
 function html_options($name, $options, $selected = "") {
 	$html = "";
 	foreach ($options as $value => $label)
-		$html .= '<input type="radio"' . ($value == $selected ? ' selected="selected"' : '') . ' name="' . $name . '" value="' . $value . '"> ' . $label;
+		$html .= '<input type="radio"' . ($value == $selected ? ' checked="checked"' : '') . ' name="' . $name . '" value="' . $value . '"> ' . $label;
 
 	return $html;
 }
diff --git a/includes/sys_user.php b/includes/sys_user.php
index 5dcf3f1f..4f55da38 100644
--- a/includes/sys_user.php
+++ b/includes/sys_user.php
@@ -86,13 +86,10 @@ function displayavatar($UID, $height = "30") {
 	if (GetPicturShow($UID) == 'Y')
 		return "&nbsp;" . displayPictur($UID, $height);
 
-	// show avator
-	$asql = "select * from User where UID = $UID";
-	$aerg = mysql_query($asql, $con);
-
-	if (mysql_num_rows($aerg))
-		if (mysql_result($aerg, 0, "Avatar") > 0)
-			return'<div class="avatar">'. ("&nbsp;<img src=\"" . $url . $ENGEL_ROOT . "pic/avatar/avatar" . mysql_result($aerg, 0, "Avatar") . ".gif\">").'</div>';
+	$user = sql_select("SELECT * FROM `User` WHERE `UID`=" . sql_escape($UID) . " LIMIT 1");
+	if (count($user) > 0)
+		if ($user[0]['Avatar'] > 0)
+			return '<div class="avatar">' . ("&nbsp;<img src=\"pic/avatar/avatar" . $user[0]['Avatar'] . ".gif\">") . '</div>';
 }
 
 function UIDgekommen($UID) {
diff --git a/txt/TODO b/txt/TODO
index 02dd8626..9d29b09c 100644
--- a/txt/TODO
+++ b/txt/TODO
@@ -4,7 +4,6 @@ jetzt:
  * schichtadministration
  * meine schichten
  * schichten
- * meetings
  * weckservice?
 
 später:
diff --git a/www-ssl/admin/userChangeNormal.php b/www-ssl/admin/userChangeNormal.php
deleted file mode 100644
index 36eb4b6d..00000000
--- a/www-ssl/admin/userChangeNormal.php
+++ /dev/null
@@ -1,133 +0,0 @@
-<?php
-require_once ('../bootstrap.php');
-
-$title = "User-Liste";
-$header = "Editieren der Engelliste";
-include ("includes/header.php");
-include ("includes/funktion_db_list.php");
-
-if (IsSet ($_GET["enterUID"])) {
-	// UserID wurde mit uebergeben --> Aendern...
-
-	echo "Hallo,<br />" .
-	"hier kannst du den Eintrag &auml;ndern. Unter dem Punkt 'Gekommen' " .
-	"wird der Engel als anwesend markiert, ein Ja bei Aktiv bedeutet, " .
-	"dass der Engel aktiv war und damit ein Anspruch auf ein T-Shirt hat. " .
-	"Wenn T-Shirt ein 'Ja' enth&auml;lt, bedeutet dies, dass der Engel " .
-	"bereits sein T-Shirt erhalten hat.<br /><br />\n";
-
-	echo "<form action=\"./userSaveNormal.php?action=change\" method=\"POST\">\n";
-	echo "<table border=\"0\">\n";
-	echo "<input type=\"hidden\" name=\"Type\" value=\"Normal\">\n";
-
-	$SQL = "SELECT * FROM `User` WHERE `UID`='" . $_GET["enterUID"] . "'";
-	$Erg = mysql_query($SQL, $con);
-
-	if (mysql_num_rows($Erg) != 1)
-		echo "<tr><td>Sorry, der Engel (UID=" . $_GET["enterUID"] .
-		") wurde in der Liste nicht gefunden.</td></tr>";
-	else {
-		echo "<tr><td>\n";
-		echo "<table>\n";
-		echo "  <tr><td>Nick</td><td>" .
-		"<input type=\"text\" size=\"40\" name=\"eNick\" value=\"" .
-		mysql_result($Erg, 0, "Nick") . "\"></td></tr>\n";
-		echo "  <tr><td>lastLogIn</td><td>" .
-		"<input type=\"text\" size=\"20\" name=\"elastLogIn\" value=\"" .
-		mysql_result($Erg, 0, "lastLogIn") . "\" disabled></td></tr>\n";
-		echo "  <tr><td>Name</td><td>" .
-		"<input type=\"text\" size=\"40\" name=\"eName\" value=\"" .
-		mysql_result($Erg, 0, "Name") . "\"></td></tr>\n";
-		echo "  <tr><td>Vorname</td><td>" .
-		"<input type=\"text\" size=\"40\" name=\"eVorname\" value=\"" .
-		mysql_result($Erg, 0, "Vorname") . "\"></td></tr>\n";
-		echo "  <tr><td>Alter</td><td>" .
-		"<input type=\"text\" size=\"5\" name=\"eAlter\" value=\"" .
-		mysql_result($Erg, 0, "Alter") . "\"></td></tr>\n";
-		echo "  <tr><td>Telefon</td><td>" .
-		"<input type=\"text\" size=\"40\" name=\"eTelefon\" value=\"" .
-		mysql_result($Erg, 0, "Telefon") . "\"></td></tr>\n";
-		echo "  <tr><td>Handy</td><td>" .
-		"<input type=\"text\" size=\"40\" name=\"eHandy\" value=\"" .
-		mysql_result($Erg, 0, "Handy") . "\"></td></tr>\n";
-		echo "  <tr><td>DECT</td><td>" .
-		"<input type=\"text\" size=\"4\" name=\"eDECT\" value=\"" .
-		mysql_result($Erg, 0, "DECT") . "\"></td></tr>\n";
-		echo "  <tr><td>email</td><td>" .
-		"<input type=\"text\" size=\"40\" name=\"eemail\" value=\"" .
-		mysql_result($Erg, 0, "email") . "\"></td></tr>\n";
-		echo "  <tr><td>ICQ</td><td>" .
-		"<input type=\"text\" size=\"40\" name=\"eICQ\" value=\"" .
-		mysql_result($Erg, 0, "ICQ") . "\"></td></tr>\n";
-		echo "  <tr><td>jabber</td><td>" .
-		"<input type=\"text\" size=\"40\" name=\"ejabber\" value=\"" .
-		mysql_result($Erg, 0, "jabber") . "\"></td></tr>\n";
-		echo "  <tr><td>Size</td><td>" .
-		"<input type=\"text\" size=\"5\" name=\"eSize\" value=\"" .
-		mysql_result($Erg, 0, "Size") . "\"></td></tr>\n";
-		echo "  <tr><td>Passwort</td><td>" .
-		"<a href=\"./userSaveNormal.php?action=newpw&eUID=" .
-		mysql_result($Erg, 0, "UID") . "\">neues Kennwort setzen</a></td></tr>\n";
-
-		// Gekommen? 
-		echo "  <tr><td>Gekommen</td><td>\n";
-		echo "      <input type=\"radio\" name=\"eGekommen\" value=\"0\"";
-		if (mysql_result($Erg, 0, "Gekommen") == '0')
-			echo " checked";
-		echo ">No \n";
-		echo "      <input type=\"radio\" name=\"eGekommen\" value=\"1\"";
-		if (mysql_result($Erg, 0, "Gekommen") == '1')
-			echo " checked";
-		echo ">Yes \n";
-		echo "</td></tr>\n";
-
-		// Aktiv?
-		echo "  <tr><td>Aktiv</td><td>\n";
-		echo "      <input type=\"radio\" name=\"eAktiv\" value=\"0\"";
-		if (mysql_result($Erg, 0, "Aktiv") == '0')
-			echo " checked";
-		echo ">No \n";
-		echo "      <input type=\"radio\" name=\"eAktiv\" value=\"1\"";
-		if (mysql_result($Erg, 0, "Aktiv") == '1')
-			echo " checked";
-		echo ">Yes \n";
-		echo "</td></tr>\n";
-
-		// T-Shirt bekommen? 
-		echo "  <tr><td>T-Shirt</td><td>\n";
-		echo "      <input type=\"radio\" name=\"eTshirt\" value=\"0\"";
-		if (mysql_result($Erg, 0, "Tshirt") == '0')
-			echo " checked";
-		echo ">No \n";
-		echo "      <input type=\"radio\" name=\"eTshirt\" value=\"1\"";
-		if (mysql_result($Erg, 0, "Tshirt") == '1')
-			echo " checked";
-		echo ">Yes \n";
-		echo "</td></tr>\n";
-
-		echo "  <tr><td>Hometown</td><td>" .
-		"<input type=\"text\" size=\"40\" name=\"Hometown\" value=\"" .
-		mysql_result($Erg, 0, "Hometown") . "\"></td></tr>\n";
-
-		echo "</table>\n</td><td valign=\"top\">" . displayavatar($_GET["enterUID"], FALSE) . "</td></tr>";
-	}
-
-	echo "</td></tr>\n";
-	echo "</table>\n<br />\n";
-	echo "<input type=\"hidden\" name=\"enterUID\" value=\"" . $_GET["enterUID"] . "\">\n";
-	echo "<input type=\"submit\" value=\"sichern...\">\n";
-	echo "</form>";
-
-	echo "<form action=\"./userSaveNormal.php?action=delete\" method=\"POST\">\n";
-	echo "<input type=\"hidden\" name=\"enterUID\" value=\"" . $_GET["enterUID"] . "\">\n";
-	echo "<input type=\"submit\" value=\"l&ouml;schen...\">\n";
-	echo "</form>";
-
-	echo "<hr>";
-	funktion_db_element_list_2row("Freeloader Shifts", "SELECT `Remove_Time`, `Length`, `Comment` FROM `ShiftFreeloader` WHERE UID=" . $_GET["enterUID"]);
-}
-
-include ("includes/footer.php");
-?>
-
-
diff --git a/www-ssl/admin/userDefaultSetting.php b/www-ssl/admin/userDefaultSetting.php
deleted file mode 100644
index e7a69925..00000000
--- a/www-ssl/admin/userDefaultSetting.php
+++ /dev/null
@@ -1,138 +0,0 @@
-<?php
-require_once ('../bootstrap.php');
-
-$title = "Defalut User Setting";
-$header = "Defalut User Setting";
-include ("includes/header.php");
-include ("includes/funktion_db_list.php");
-
-echo "Hallo " . $_SESSION['Nick'] .
-",<br />\nhier hast du die M&ouml;glichkeit, die Defaulteinstellungen f&uuml;r neue User einzustellen:<br /><br />\n";
-
-echo "<table border=\"0\" class=\"border\">\n";
-echo "\t<tr class=\"contenttopic\">\n";
-echo "\t\t<th>Page</th>\n\t\t<th>Show</th>\n\t\t<th></th>\n";
-echo "\t</tr>\n";
-
-if (isset ($_GET["Field"]) && isset ($_GET["Default"]) && isset ($_GET["Send"])) {
-	switch ($_GET["Send"]) {
-		case "New" :
-			$SQL = "ALTER TABLE `UserCVS` ADD `" . $_GET["Field"] . "` " .
-			"CHAR( 1 ) DEFAULT '" . $_GET["Default"] . "' NOT NULL";
-			$Erg = db_query($SQL, "New user default setting");
-			if ($Erg == 1)
-				echo "<H2>Create " . $_GET["Field"] . " = " . $_GET["Default"] . " succesfull</h2>\n";
-			else
-				echo "<H2>Create " . $_GET["Field"] . " = " . $_GET["Default"] . " error...</h2>\n" .
-				"[" . mysql_error() . "]<br /><br />";
-			break;
-		case "Del" :
-			echo "\t<tr class=\"content\">\n";
-			echo "\t\t<form action=\"userDefaultSetting.php\">\n";
-			echo "\t\t\t<td><input name=\"Field\" type=\"text\" value=\"" . $_GET["Field"] . "\" readonly></td>\n";
-			echo "\t\t\t<td><input name=\"Default\" type=\"text\" value=\"" . $_GET["Default"] . "\" readonly></td>\n";
-			echo "\t\t\t<td><input type=\"submit\" name=\"Send\" value=\"Del sure\"></td>\n";
-			echo "\t\t</form>\n";
-			echo "\t</tr>\n";
-			break;
-		case "Del sure" :
-			$SQL = "ALTER TABLE `UserCVS` DROP `" . $_GET["Field"] . "` ";
-			$Erg = db_query($SQL, "del user default setting");
-			if ($Erg == 1)
-				echo "<H2>Delete " . $_GET["Field"] . " succesfull</h2>\n";
-			else
-				echo "<H2>Delete " . $_GET["Field"] . " error...</h2>\n" .
-				"[" . mysql_error() . "]<br /><br />";
-			break;
-		case "SetForAllUser" :
-			$SQL = "UPDATE `UserCVS` SET `" . $_GET["Field"] . "`='" . $_GET["Default"] . "' WHERE UID>0";
-			$Erg = db_query($SQL, "Set new user default setting for all user");
-			if ($Erg == 1)
-				echo "<H2>UPDATE " . $_GET["Field"] . " = " . $_GET["Default"] . " for all Users succesfull</h2>\n";
-			else
-				echo "<H2>UPDATE " . $_GET["Field"] . " = " . $_GET["Default"] . " for all Users error...</h2>\n" .
-				"[" . mysql_error() . "]<br /><br />";
-		case "Save" :
-			$SQL = "ALTER TABLE `UserCVS` CHANGE `" . $_GET["Field"] . "` " .
-			"`" . $_GET["Field"] . "` CHAR( 1 ) NOT NULL DEFAULT '" . $_GET["Default"] . "'";
-			$Erg = db_query($SQL, "Save user default setting");
-			if ($Erg == 1)
-				echo "<H2>Write " . $_GET["Field"] . " = " . $_GET["Default"] . " succesfull</h2>\n";
-			else
-				echo "<H2>Write " . $_GET["Field"] . " = " . $_GET["Default"] . " error...</h2>\n" .
-				"[" . mysql_error() . "]<br /><br />";
-			break;
-	} //SWITCH
-} //IF(
-
-$erg = mysql_query("SHOW COLUMNS FROM `UserCVS`");
-echo mysql_error();
-echo "\t<tr class=\"content\">\n";
-echo "\t\t<form action=\"userDefaultSetting.php\">\n";
-echo "\t\t\t<input name=\"Field\" type=\"hidden\" value=\GroupID\">\n";
-echo "\t\t\t<td>Group</td>\n";
-echo "\t\t\t<td><select name=\"GroupID\">";
-
-$SQL_Group = "SELECT * FROM `UserGroups`";
-$Erg_Group = mysql_query($SQL_Group, $con);
-for ($n = 0; $n < mysql_num_rows($Erg_Group); $n++) {
-	$UID = mysql_result($Erg_Group, $n, "UID");
-	echo "\t<option value=\"$UID\"";
-	if (mysql_result($erg, 1, "Default") == $UID)
-		echo " selected";
-	echo ">" . mysql_result($Erg_Group, $n, "Name") . "</option>\n";
-}
-echo "</select></td>\n";
-echo "\t\t\t<td><input type=\"submit\" name=\"Send\" value=\"Save\">\n";
-echo "\t\t\t    <input type=\"submit\" name=\"Send\" value=\"SetForAllUser\"></td>\n";
-echo "\t\t</form>\n";
-echo "\t</tr>\n";
-
-for ($i = 2; $i < mysql_num_rows($erg); $i++) {
-	echo "\t<tr class=\"content\">\n";
-	echo "\t\t<form action=\"userDefaultSetting.php\">\n";
-	echo "\t\t\t<input name=\"Field\" type=\"hidden\" value=\"" . mysql_result($erg, $i, "Field") . "\">\n";
-	echo "\t\t\t<td>" . mysql_result($erg, $i, "Field") . "</td>\n";
-	echo "\t\t\t<td>\n";
-
-	echo "\t\t\t\t<input type=\"radio\" name=\"Default\" value=\"Y\"";
-	if (mysql_result($erg, $i, "Default") == "Y")
-		echo " checked";
-	echo ">allow\n";
-
-	echo "\t\t\t\t<input type=\"radio\" name=\"Default\" value=\"N\"";
-	if (mysql_result($erg, $i, "Default") == "N")
-		echo " checked";
-	echo ">denied\n";
-
-	echo "\t\t\t\t<input type=\"radio\" name=\"Default\" value=\"G\"";
-	if (mysql_result($erg, $i, "Default") == "G")
-		echo " checked";
-	echo ">group-setting\n";
-
-	echo "\t\t\t</td>\n";
-	echo "\t\t\t<td><input type=\"submit\" name=\"Send\" value=\"Save\">\n";
-	echo "\t\t\t    <input type=\"submit\" name=\"Send\" value=\"Del\">\n";
-	echo "\t\t\t    <input type=\"submit\" name=\"Send\" value=\"SetForAllUser\"></td>\n";
-	echo "\t\t</form>\n";
-	echo "\t</tr>\n";
-}
-
-echo "\t<tr class=\"content\">\n";
-echo "\t\t<form action=\"userDefaultSetting.php\">\n";
-echo "\t\t\t<input name=\"New\" type=\"hidden\" value=\"New\">\n";
-echo "\t\t\t<td><input name=\"Field\" type=\"text\" value=\"new\"></td>\n";
-echo "\t\t\t<td>\n";
-echo "\t\t\t\t<input type=\"radio\" name=\"Default\" value=\"Y\">allow\n";
-echo "\t\t\t\t<input type=\"radio\" name=\"Default\" value=\"N\">denied\n";
-echo "\t\t\t\t<input type=\"radio\" name=\"Default\" value=\"G\" checked>group-setting\n";
-echo "\t\t\t</td>\n";
-echo "\t\t\t<td><input type=\"submit\" name=\"Send\" value=\"New\"></td>\n";
-echo "\t\t</form>\n";
-echo "\t</tr>\n";
-
-echo "</table>\n";
-
-include ("includes/footer.php");
-?>
-
diff --git a/www-ssl/admin/userSaveNormal.php b/www-ssl/admin/userSaveNormal.php
deleted file mode 100644
index deaf96d9..00000000
--- a/www-ssl/admin/userSaveNormal.php
+++ /dev/null
@@ -1,119 +0,0 @@
-<?php
-require_once ('../bootstrap.php');
-
-$title = "User-Liste";
-$header = "Index";
-include ("includes/header.php");
-include ("includes/funktion_db_list.php");
-include ("includes/crypt.php");
-include ("includes/funktion_db.php");
-
-if (IsSet ($_GET["action"])) {
-	SetHeaderGo2Back();
-	echo "Gesendeter Befehl: " . $_GET["action"] . "<br />";
-
-	switch ($_GET["action"]) {
-		case "change" :
-			if (IsSet ($_POST["enterUID"])) {
-				if ($_POST["Type"] == "Normal") {
-					$SQL = "UPDATE `User` SET ";
-					$SQL .= " `Nick` = '" . $_POST["eNick"] . "', `Name` = '" . $_POST["eName"] . "', " .
-					"`Vorname` = '" . $_POST["eVorname"] . "', " .
-					"`Telefon` = '" . $_POST["eTelefon"] . "', " .
-					"`Handy` = '" . $_POST["eHandy"] . "', " .
-					"`DECT` = '" . $_POST["eDECT"] . "', " .
-					"`email` = '" . $_POST["eemail"] . "', " .
-					"`ICQ` = '" . $_POST["eICQ"] . "', " .
-					"`jabber` = '" . $_POST["ejabber"] . "', " .
-					"`Size` = '" . $_POST["eSize"] . "', " .
-					"`Gekommen`= '" . $_POST["eGekommen"] . "', " .
-					"`Aktiv`= '" . $_POST["eAktiv"] . "', " .
-					"`Tshirt` = '" . $_POST["eTshirt"] . "', " .
-					"`Hometown` = '" . $_POST["Hometown"] . "' " .
-					"WHERE `UID` = '" . $_POST["enterUID"] .
-					"' LIMIT 1;";
-					echo "User-";
-					$Erg = db_query($SQL, "change user details");
-					if ($Erg == 1) {
-						echo "&Auml;nderung wurde gesichert...\n";
-					} else {
-						echo "Fehler beim speichern...\n(" . mysql_error($con) . ")";
-					}
-				} else
-					echo "<h1>Fehler: Unbekanter Type (" . $_POST["Type"] . ") �bergeben\n</h1>\n";
-			} else
-				echo "<h1>Fehler: UserID (enterUID) wurde nicht per POST �bergeben</h1>\n";
-			break;
-
-		case "delete" :
-			if (IsSet ($_POST["enterUID"])) {
-				echo "delate User...";
-				$SQL = "DELETE FROM `User` WHERE `UID`='" . $_POST["enterUID"] . "' LIMIT 1;";
-				$Erg = db_query($SQL, "User delete");
-				if ($Erg == 1) {
-					echo "&Auml;nderung wurde gesichert...\n";
-				} else {
-					echo "Fehler beim speichern...\n(" . mysql_error($con) . ")";
-				}
-
-				echo "<br />\ndelate UserCVS...";
-				$SQL2 = "DELETE FROM `UserCVS` WHERE `UID`='" . $_POST["enterUID"] . "' LIMIT 1;";
-				$Erg = db_query($SQL2, "User CVS delete");
-				if ($Erg == 1) {
-					echo "&Auml;nderung wurde gesichert...\n";
-				} else {
-					echo "Fehler beim speichern...\n(" . mysql_error($con) . ")";
-				}
-
-				echo "<br />\ndelate UserEntry...";
-				$SQL3 = "UPDATE `ShiftEntry` SET `UID`='0', `Comment`=NULL " .
-				"WHERE `UID`='" . $_POST["enterUID"] . "';";
-				$Erg = db_query($SQL3, "delate UserEntry");
-				if ($Erg == 1) {
-					echo "&Auml;nderung wurde gesichert...\n";
-				} else {
-					echo "Fehler beim speichern...\n(" . mysql_error($con) . ")";
-				}
-			}
-			break;
-
-		case "newpw" :
-			echo "Bitte neues Kennwort f&uuml;r <b>";
-			// Get Nick
-			$USQL = "SELECT * FROM `User` WHERE `UID`='" . $_GET["eUID"] . "'";
-			$Erg = mysql_query($USQL, $con);
-			echo mysql_result($Erg, 0, "Nick");
-			echo "</b> eingeben:<br />";
-			echo "<form action=\"./userSaveNormal.php?action=newpwsave\" method=\"POST\">\n";
-			echo "<input type=\"Password\" name=\"ePasswort\">";
-			echo "<input type=\"Password\" name=\"ePasswort2\">";
-			echo "<input type=\"hidden\" name=\"eUID\" value=\"" . $_GET["eUID"] . "\">";
-			echo "<input type=\"submit\" value=\"sichern...\">\n";
-			echo "</form>";
-			break;
-
-		case "newpwsave" :
-			if ($_POST["ePasswort"] == $_POST["ePasswort2"]) { // beide Passwoerter passen... 
-				$_POST["ePasswort"] = PassCrypt($_POST["ePasswort"]);
-				$SQL = "UPDATE `User` SET `Passwort`='" . $_POST["ePasswort"] . "' " .
-				"WHERE `UID`='" . $_POST["eUID"] . "'";
-				$Erg = db_query($SQL, "User new passwort");
-				if ($Erg == 1) {
-					echo "&Auml;nderung wurde gesichert...\n";
-				} else {
-					echo "Fehler beim speichern...\n(" . mysql_error($con) . ")";
-				}
-			} else
-				echo "Das Passwort wurde nicht &uuml;bereinstimmend eingegeben!";
-			break;
-	} // end switch
-
-	// ende - Action ist gesetzt 
-} else {
-	// kein Action gesetzt -> abbruch
-	echo "Unzul&auml;ssiger Aufruf.<br />Bitte neu editieren...";
-}
-
-include ("includes/footer.php");
-?>
-
-- 
cgit v1.2.3-54-g00ecf


From e715245e1298313a1c9be3574d71b83b8f849da3 Mon Sep 17 00:00:00 2001
From: Daniel Friesel <derf@finalrewind.org>
Date: Fri, 10 Jun 2011 10:30:51 +0200
Subject: More sql escapes

---
 includes/sys_shift.php | 23 ++++++++++++-----------
 includes/sys_user.php  | 10 +++++-----
 2 files changed, 17 insertions(+), 16 deletions(-)

(limited to 'includes/sys_user.php')

diff --git a/includes/sys_shift.php b/includes/sys_shift.php
index ff75465c..7baeb8a4 100644
--- a/includes/sys_shift.php
+++ b/includes/sys_shift.php
@@ -71,7 +71,7 @@ function ausgabe_Feld_Inhalt($SID, $Man) {
 	$Spalten .= funktion_isLinkAllowed_addLink_OrEmpty("admin/schichtplan.php?action=change&SID=$SID", "edit<br />\n");
 
 	///////////////////////////////////////////////////////////////////
-	// Ausgabe des Schischtnamens
+	// Ausgabe des Schichtnamens
 	///////////////////////////////////////////////////////////////////
 	$SQL = "SELECT `URL` FROM `Shifts` WHERE (`SID` = '$SID');";
 	$Erg = mysql_query($SQL, $con);
@@ -84,7 +84,7 @@ function ausgabe_Feld_Inhalt($SID, $Man) {
 	///////////////////////////////////////////////////////////////////
 	// SQL abfrage f�r die ben�tigten schichten
 	///////////////////////////////////////////////////////////////////
-	$SQL = "SELECT * FROM `ShiftEntry` WHERE (`SID` = '$SID') ORDER BY `TID`, `UID` DESC ;";
+	$SQL = "SELECT * FROM `ShiftEntry` WHERE (`SID` = '" . sql_escape($SID) . "') ORDER BY `TID`, `UID` DESC ;";
 	$Erg = mysql_query($SQL, $con);
 
 	$Anzahl = mysql_num_rows($Erg);
@@ -164,7 +164,7 @@ function ausgabe_Feld_Inhalt($SID, $Man) {
 				// ausgabe ben�tigter Engel
 				////////////////////////////
 				//in vergangenheit
-				$SQLtime = "SELECT `DateE` FROM `Shifts` WHERE (`SID`='$SID' AND `DateE` >= '" .
+				$SQLtime = "SELECT `DateE` FROM `Shifts` WHERE (`SID`='" . sql_escape($SID) . "' AND `DateE` >= '" .
 				gmdate("Y-m-d H:i:s", time() + $gmdateOffset) . "')";
 				$Ergtime = mysql_query($SQLtime, $con);
 				if (mysql_num_rows($Ergtime) > 0) {
@@ -219,8 +219,8 @@ function CreateRoomShifts($raum) {
 	// beginnt die erste schicht vor dem heutigen tag und geht dar�ber hinaus
 	/////////////////////////////////////////////////////////////
 	$SQLSonder = "SELECT `SID`, `DateS`, `DateE` , `Len`, `Man` FROM `Shifts` " .
-	"WHERE ((`RID` = '$raum') AND (`DateE` > '$ausdatum 23:59:59') AND " .
-	"(`DateS` < '$ausdatum 00:00:00') ) ORDER BY `DateS`;";
+	"WHERE ((`RID` = '" . sql_escape($raum) . "') AND (`DateE` > '$ausdatum 23:59:59') AND " .
+	"(`DateS` < '" . sql_escape($ausdatum) . " 00:00:00') ) ORDER BY `DateS`;";
 	$ErgSonder = mysql_query($SQLSonder, $con);
 	if ((mysql_num_rows($ErgSonder) > 1)) {
 		if (funktion_isLinkAllowed("admin/schichtplan.php") === TRUE) {
@@ -249,8 +249,9 @@ function CreateRoomShifts($raum) {
 	// beginnt die erste schicht vor dem heutigen tag?
 	/////////////////////////////////////////////////////////////
 	$SQLSonder = "SELECT `SID`, `DateS`, `DateE` , `Len`, `Man` FROM `Shifts` " .
-	"WHERE ((`RID` = '$raum') AND (`DateE` > '$ausdatum 00:00:00') AND " .
-	"(`DateS` < '$ausdatum 00:00:00') ) ORDER BY `DateS`;";
+	"WHERE ((`RID` = '" . sql_escape($raum) . "') AND (`DateE` > '" . sql_escape($ausdatum) . " 00:00:00') AND " .
+	"(`DateS` < '" . sql_escape($ausdatum) . " 00:00:00') ) ORDER BY `DateS`;";
+
 	$ErgSonder = mysql_query($SQLSonder, $con);
 	if ((mysql_num_rows($ErgSonder) > 1)) {
 		if (funktion_isLinkAllowed("admin/schichtplan.php") === TRUE) {
@@ -276,9 +277,9 @@ function CreateRoomShifts($raum) {
 	// gibt die schichten f�r den tag aus
 	/////////////////////////////////////////////////////////////
 	$SQL = "SELECT `SID`, `DateS`, `Len`, `Man` FROM `Shifts` " .
-	"WHERE ((`RID` = '$raum') and " .
-	"(`DateS` >= '$ausdatum $ZeitZeiger:00:00') and " .
-	"(`DateS` like '$ausdatum%')) ORDER BY `DateS`;";
+	"WHERE ((`RID` = '" . sql_escape($raum) . "') and " .
+	"(`DateS` >= '" . sql_escape($ausdatum) . ' ' . sql_escape($ZeitZeiger) . ":00:00') and " .
+	"(`DateS` like '" . sql_escape($ausdatum) . "%')) ORDER BY `DateS`;";
 	$Erg = mysql_query($SQL, $con);
 	for ($i = 0; $i < mysql_num_rows($Erg); ++ $i) {
 		$ZeitPos = substr(mysql_result($Erg, $i, "DateS"), 11, 2) + (substr(mysql_result($Erg, $i, "DateS"), 14, 2) / 60);
@@ -370,7 +371,7 @@ function SummRoomShifts($raum) {
 	global $ausdatum, $con, $debug, $GlobalZeileProStunde;
 
 	$SQLSonder = "SELECT `SID`, `DateS`, `Len`, `Man` FROM `Shifts` " .
-	"WHERE ((`RID` = '$raum') AND (`DateE` >= '$ausdatum 00:00:00') AND " .
+	"WHERE ((`RID` = '" . sql_escape($raum) . "') AND (`DateE` >= '$ausdatum 00:00:00') AND " .
 	"(`DateS` <= '$ausdatum 23:59:59') ) ORDER BY `DateS`;";
 
 	$ErgSonder = mysql_query($SQLSonder, $con);
diff --git a/includes/sys_user.php b/includes/sys_user.php
index 4f55da38..8d5a6ae6 100644
--- a/includes/sys_user.php
+++ b/includes/sys_user.php
@@ -1,9 +1,9 @@
 <?php
 function UID2Nick($UID) {
 	if ($UID > 0)
-		$SQL = "SELECT Nick FROM `User` WHERE UID='$UID'";
+		$SQL = "SELECT Nick FROM `User` WHERE UID='" . sql_escape($UID) . "'";
 	else
-		$SQL = "SELECT Name FROM `Groups` WHERE UID='$UID'";
+		$SQL = "SELECT Name FROM `Groups` WHERE UID='" . sql_escape($UID) . "'";
 
 	$Erg = sql_select($SQL);
 
@@ -23,7 +23,7 @@ function UID2Nick($UID) {
 function TID2Type($TID) {
 	global $con;
 
-	$SQL = "SELECT Name FROM `EngelType` WHERE TID='$TID'";
+	$SQL = "SELECT Name FROM `EngelType` WHERE TID='" . sql_escape($TID) . "'";
 	$Erg = mysql_query($SQL, $con);
 
 	if (mysql_num_rows($Erg))
@@ -62,7 +62,7 @@ function ReplaceSmilies($neueckig) {
 function GetPicturShow($UID) {
 	global $con;
 
-	$SQL = "SELECT `show` FROM `UserPicture` WHERE `UID`='$UID'";
+	$SQL = "SELECT `show` FROM `UserPicture` WHERE `UID`='" . sql_escape($UID) . "'";
 	$res = mysql_query($SQL, $con);
 
 	if (mysql_num_rows($res) == 1)
@@ -95,7 +95,7 @@ function displayavatar($UID, $height = "30") {
 function UIDgekommen($UID) {
 	global $con;
 
-	$SQL = "SELECT `Gekommen` FROM `User` WHERE UID='$UID'";
+	$SQL = "SELECT `Gekommen` FROM `User` WHERE UID='" . sql_escape($UID) . "'";
 	$Erg = mysql_query($SQL, $con);
 
 	if (mysql_num_rows($Erg))
-- 
cgit v1.2.3-54-g00ecf