From 1b5b81d601cc1860f257ba0eb66178875834a111 Mon Sep 17 00:00:00 2001
From: cookie <cookie@29ba0400-6e00-0410-a75a-ca02368028f8>
Date: Sun, 6 Nov 2005 00:44:48 +0000
Subject: be begonen auf auf registerglobals=off aus gegeben anlass
 umzustellen, hab nonpublic geschafft Variabenpruefung ist auch auf strickt
 gesetzt und eventuelle error beseitigt

git-svn-id: svn://svn.cccv.de/engel-system@14 29ba0400-6e00-0410-a75a-ca02368028f8
---
 nonpublic/einstellungen.php      | 66 +++++++++++++++++++---------------------
 nonpublic/faq.php                | 10 +++---
 nonpublic/index.php              |  4 +--
 nonpublic/myschichtplan.php      | 20 ++++++------
 nonpublic/schichtplan.php        |  6 ++++
 nonpublic/schichtplan_add.php    | 26 ++++++++--------
 nonpublic/schichtplan_beamer.php |  2 +-
 nonpublic/waeckliste.php         | 13 --------
 nonpublic/wecken.php             | 31 +++++++++++--------
 9 files changed, 88 insertions(+), 90 deletions(-)

(limited to 'nonpublic')

diff --git a/nonpublic/einstellungen.php b/nonpublic/einstellungen.php
index 36fa76a7..214593ae 100755
--- a/nonpublic/einstellungen.php
+++ b/nonpublic/einstellungen.php
@@ -4,12 +4,10 @@ $header = "Deine pers&ouml;nlichen Einstellungen";
 include ("./inc/header.php");
 include ("./inc/crypt.php");
 
-if (!IsSet($action)) {
-
-echo Get_Text(1).$_SESSION['Nick'].",<br>\n\n";
-
-Print_Text(13);
-
+if (!IsSet($_POST["action"])) 
+{
+	echo Get_Text(1).$_SESSION['Nick'].",<br>\n\n";
+	Print_Text(13);
 ?>
 <hr width=\"100%\">
 <? Print_Text("pub_einstellungen_Text_UserData");?>
@@ -115,17 +113,16 @@ Print_Text(13);
 
 //$ANZ_AVATAR= shell_exec("ls ".$_SERVER["DOCUMENT_ROOT"].$ENGEL_ROOT."inc/avatar/ | wc -l");
 $ANZ_AVATAR= shell_exec("ls inc/avatar/ | wc -l");
-
 	    ?> 
 	    
 	    <select name="eAvatar" onChange="document.avatar.src = './inc/avatar/avatar' + this.value  + '.gif'"
 	    			   onKeyup= "document.avatar.src = './inc/avatar/avatar' + this.value  + '.gif'"> 
-	    <option value="0" name="eAvatar" <?php if ($_SESSION['Avatar'] == $i) { echo " selected"; } ?>> <?PHP Print_Text(24); ?> </option>
 	    <?php
-	    for ($i=1; $i <= $ANZ_AVATAR; $i++ ){
-	     echo "\t\t\t\t<option value=\"$i\"";
-	     if ($_SESSION['Avatar'] == $i) { echo " selected"; }
-	     echo ">avatar$i</option>\n";
+	    for ($i=1; $i <= $ANZ_AVATAR; $i++ )
+	    {
+	    	echo "\t\t\t\t<option value=\"$i\"";
+		if ($_SESSION['Avatar'] == $i) { echo " selected"; }
+	    	echo ">avatar$i</option>\n";
 	    }
 	    echo "\n";
 	    ?>
@@ -141,17 +138,18 @@ $ANZ_AVATAR= shell_exec("ls inc/avatar/ | wc -l");
 
 } else {
 
-switch ($action) {
+switch ($_POST["action"]) {
 
 case 'set':
-  if ($new1==$new2){
+  if ($_POST["new1"]==$_POST["new2"]){
 	Print_Text(25); 
 	$sql = "select * from User where UID=".$_SESSION['UID'];
 	$Erg = mysql_query($sql, $con);
-	if (PassCrypt($old)==mysql_result($Erg, $i, "Passwort")) {
+	if (PassCrypt($_POST["old"])==mysql_result($Erg, 0, "Passwort")) {
 		Print_Text(26);
 		Print_Text(27);
-		$usql = "update User set Passwort='".PassCrypt($new1)."' where UID=".$_SESSION['UID']." limit 1";
+		$usql = "update User set Passwort='".PassCrypt($_POST["new1"])."' ".
+			"where UID=".$_SESSION['UID']." limit 1";
 		$Erg = mysql_query($usql, $con);
 		if ($Erg==1) {
 			Print_Text(28);
@@ -168,9 +166,9 @@ case 'set':
 
 case 'colour':
 
-	$chsql="Update User set color= \"$colourid\" where UID = \"".$_SESSION['UID']."\" limit 1";
+	$chsql="Update User set color= \"". $_POST["colourid"]. "\" where UID = \"".$_SESSION['UID']."\" limit 1";
 	$Erg = mysql_query($chsql, $con);
-	$_SESSION['color']=$colourid;
+	$_SESSION['color']=$_POST["colourid"];
 	if ($Erg==1) {
 		Print_Text(32);
 	} else {
@@ -181,9 +179,9 @@ case 'colour':
 
 case 'sprache':
 
-	$chsql="Update User set Sprache = \"$language\" where UID = \"".$_SESSION['UID']."\" limit 1";
+	$chsql="Update User set Sprache = \"". $_POST["language"]. "\" where UID = \"".$_SESSION['UID']."\" limit 1";
 	$Erg = mysql_query($chsql, $con);
-	$_SESSION['Sprache']=$language;
+	$_SESSION['Sprache']=$_POST["language"];
 	if ($Erg==1) {
 		Print_Text(33);
 	} else {
@@ -192,11 +190,10 @@ case 'sprache':
 																		
 	break;
 
-
 case 'avatar':
-	$chsql="Update User set Avatar = \"$eAvatar\" where UID = \"".$_SESSION['UID']."\" limit 1";
+	$chsql="Update User set Avatar = \"". $_POST["eAvatar"]. "\" where UID = \"". $_SESSION['UID']. "\" limit 1";
         $Erg = mysql_query($chsql, $con);
-	$_SESSION['Avatar']=$eAvatar;
+	$_SESSION['Avatar']=$_POST["eAvatar"];
 	if ($Erg==1) {
 		Print_Text(34);
         } else {
@@ -206,22 +203,23 @@ case 'avatar':
 
 case 'setUserData':
 	$chsql= "UPDATE User SET ".
-		"`Nick`='$eNick', `Name`='$eName', `Vorname`='$eVorname', ".
-		"`Alter`='$eAlter', `Telefon`='$eTelefon', `Handy`='$eHandy', ".
-		"`DECT`='$eDECT', `email`='$eemail' ".
+		"`Nick`='". $_POST["eNick"]. "', `Name`='". $_POST["eName"]. "', ".
+		"`Vorname`='". $_POST["eVorname"]. "', `Alter`='". $_POST["eAlter"]. "', ".
+		"`Telefon`='". $_POST["eTelefon"]. "', `Handy`='". $_POST["eHandy"]. "', ".
+		"`DECT`='". $_POST["eDECT"]. "', `email`='". $_POST["eemail"]. "' ".
 		"WHERE UID='". $_SESSION['UID']. "' LIMIT 1;";
         $Erg = mysql_query($chsql, $con);
 
 	if ($Erg==1) 
 	{
-		$_SESSION['Nick'] = $eNick;
-		$_SESSION['Name'] = $eName;
-		$_SESSION['Vorname'] = $eVorname;
-		$_SESSION['Alter'] = $eAlter;
-		$_SESSION['Telefon'] = $eTelefon;
-		$_SESSION['Handy'] = $eHandy;
-		$_SESSION['DECT'] = $eDECT;
-		$_SESSION['email'] = $eemail;
+		$_SESSION['Nick'] = $_POST["eNick"];
+		$_SESSION['Name'] = $_POST["eName"];
+		$_SESSION['Vorname'] = $_POST["eVorname"];
+		$_SESSION['Alter'] = $_POST["eAlter"];
+		$_SESSION['Telefon'] = $_POST["eTelefon"];
+		$_SESSION['Handy'] = $_POST["eHandy"];
+		$_SESSION['DECT'] = $_POST["eDECT"];
+		$_SESSION['email'] = $_POST["eemail"];
 	
 		Print_Text("pub_einstellungen_UserDateSaved");
         } 
diff --git a/nonpublic/faq.php b/nonpublic/faq.php
index d8388f50..6470ba4f 100755
--- a/nonpublic/faq.php
+++ b/nonpublic/faq.php
@@ -5,9 +5,9 @@ include ("./inc/header.php");
 
 
 // Erstaufruf, oder Frage bereits abgeschickt?
-if (!IsSet($eUID)) {
-
-Print_Text(35);
+if (!IsSet($_POST["eUID"])) 
+{
+	Print_Text(35);
 ?>
 <br><br>
 <form action="./faq.php" method="POST">
@@ -20,9 +20,9 @@ Print_Text(35);
 } else {
 // Auswertung d. Formular-Daten:
 
-echo "<b>".Get_Text(37)."</b><br><br>\n".nl2br($frage)."<br><br>\n".Get_Text(38)."<br>\n";
+echo "<b>".Get_Text(37)."</b><br><br>\n".nl2br($_POST["frage"])."<br><br>\n".Get_Text(38)."<br>\n";
 
-$SQL = "INSERT into Questions VALUES (\"\", \"".$_SESSION['UID']."\", \"$frage\", \"\", \"\")";
+$SQL = "INSERT into Questions VALUES (\"\", \"".$_SESSION['UID']."\", \"". $_POST["frage"]. "\", \"\", \"\")";
 $Erg = mysql_query($SQL, $con);
 
 }
diff --git a/nonpublic/index.php b/nonpublic/index.php
index 0646714e..d46b0a10 100755
--- a/nonpublic/index.php
+++ b/nonpublic/index.php
@@ -10,7 +10,7 @@ session_start(); // alte Session - falls vorhanden - wiederherstellen...
 
 if (!IsSet($_SESSION['UID'])) {
 
-	$sql = "select * from User where Nick = '$user'";
+	$sql = "select * from User where Nick = '". $_POST["user"]. "'";
 
 	$userstring = mysql_query($sql, $con);
 
@@ -18,7 +18,7 @@ if (!IsSet($_SESSION['UID'])) {
 	$user_anz  = mysql_num_rows($userstring);
 
 	if ($user_anz == 1) { // Check, ob User angemeldet wird...
-		if (mysql_result($userstring, 0, "Passwort") == PassCrypt($password)) { // Passwort ok...
+		if (mysql_result($userstring, 0, "Passwort") == PassCrypt($_POST["password"])) { // Passwort ok...
 			// Session wird eingeleitet und Session-Variablen gesetzt..
 			//  session_start();
 			session_name("Himmel");
diff --git a/nonpublic/myschichtplan.php b/nonpublic/myschichtplan.php
index c9bfb703..dba8b6a9 100755
--- a/nonpublic/myschichtplan.php
+++ b/nonpublic/myschichtplan.php
@@ -8,7 +8,7 @@ include ("./inc/funktionen.php");
 include ("./inc/funktion_schichtplan.php");
 
 
-If( !IsSet($action) ) 
+If( !IsSet($_GET["action"]) ) 
 {
 
 	echo Get_Text("Hello").$_SESSION['Nick'].", <br>\n";
@@ -81,12 +81,12 @@ echo "</table>\n\n";
 } 
 else
 {
-    If( $action == "austragen" ) 
+    If( $_GET["action"] == "austragen" ) 
     {
 	echo Get_Text("pub_mywake_delate1")."<br>\n";
 
 	$sql = "SELECT * FROM `Shifts` WHERE ";
-	$sql.= "(SID = \"$SID\")";
+	$sql.= "(SID = \"". $_GET["SID"]. "\")";
 	$Erg = mysql_query($sql, $con);
 
 	$schichtdate = mysql_result( $Erg, 0, "DateS" );
@@ -106,7 +106,7 @@ else
 	{
 		$sql2 = "UPDATE `ShiftEntry` ".
 			"SET `UID` = '0', `Comment` = NULL ".
-		        "WHERE `SID` = '$SID' AND `UID` = '". $_SESSION['UID']. "' LIMIT 1;";
+		        "WHERE `SID` = '". $_GET["SID"]. "' AND `UID` = '". $_SESSION['UID']. "' LIMIT 1;";
 		$Erg2 = mysql_query($sql2, $con);
 		if ($Erg2 == 1)
 	   		echo Get_Text("pub_mywake_add_ok"). "\n";
@@ -116,27 +116,27 @@ else
 	else 
 		echo Get_Text("pub_mywake_after"). "\n";
     }
-    elseif( $action == "edit" ) 
+    elseif( $_GET["action"] == "edit" ) 
     {
     	echo Get_Text("pub_myshift_Edit_Text1"). "\n";
 	
 	$sql = "SELECT * FROM `ShiftEntry` WHERE ";
-	$sql.= "(SID=\"$SID\" AND UID=\"". $_SESSION['UID']. "\" )";
+	$sql.= "(SID=\"". $_GET["SID"]. "\" AND UID=\"". $_SESSION['UID']. "\" )";
 	$Erg = mysql_query($sql, $con);
 
 	echo "<form action=\"./myschichtplan.php\" method=\"post\">\n";
 	echo "<textarea name='newtext' cols='50' rows='10'>". mysql_result( $Erg, 0, "Comment" ). "</textarea><br><br>\n";
 	echo "<input type=\"submit\" value=\"save\">\n";
-	echo "<input type=\"hidden\" name=\"SID\" value=\"$SID\">\n";
+	echo "<input type=\"hidden\" name=\"SID\" value=\"". $_GET["SID"]. "\">\n";
 	echo "<input type=\"hidden\" name=\"action\" value=\"editSave\">\n";
 	echo "</form>";
     }
-    elseif( $action == "editSave" ) 
+    elseif( $_GET["action"] == "editSave" ) 
     {
     	echo Get_Text("pub_myshift_EditSave_Text1"). "<br>\n";
 	$sql = "UPDATE `ShiftEntry` ".
-	       "SET `Comment` = \"". $newtext. "\" ".
-	       "WHERE `SID`='$SID' AND `UID`='". $_SESSION['UID']. "' LIMIT 1;";
+	       "SET `Comment` = \"". $_GET["newtext"]. "\" ".
+	       "WHERE `SID`='". $_GET["SID"]. "' AND `UID`='". $_SESSION['UID']. "' LIMIT 1;";
 	$Erg = mysql_query($sql, $con);
 	if ($Erg == 1)
 		echo "\t ...". Get_Text("pub_myshift_EditSave_OK"). "\n";
diff --git a/nonpublic/schichtplan.php b/nonpublic/schichtplan.php
index 1dc9af87..b784be0c 100755
--- a/nonpublic/schichtplan.php
+++ b/nonpublic/schichtplan.php
@@ -2,6 +2,12 @@
 $title = "Himmel";
 $header = "Schichtpl&auml;ne";
 $submenus = 2;
+
+if( isset($_GET["ausdatum"]))
+	$ausdatum = $_GET["ausdatum"];
+if( isset($_GET["raum"]))
+	$raum = $_GET["raum"];
+
 include ("./inc/header.php");
 include ("./inc/funktion_user.php");
 include ("./inc/funktionen.php");
diff --git a/nonpublic/schichtplan_add.php b/nonpublic/schichtplan_add.php
index 33b25d2c..21a0b508 100755
--- a/nonpublic/schichtplan_add.php
+++ b/nonpublic/schichtplan_add.php
@@ -6,11 +6,11 @@ include ("./inc/funktion_user.php");
 include ("./inc/funktion_schichtplan.php");
 include ("./inc/funktionen.php");
 
-if (isset($newtext) && isset($SID) && isset($TID)) {
+if (isset($_POST["newtext"]) && isset($_POST["SID"]) && isset($_POST["TID"])) {
 	SetHeaderGo2Back();
  
 	// datum der einzutragenden schicht heraussuhen...
-	$ShiftSQL = "SELECT `DateS`, `DateE` FROM `Shifts` WHERE `SID`='$SID'";
+	$ShiftSQL = "SELECT `DateS`, `DateE` FROM `Shifts` WHERE `SID`='". $_POST["SID"]. ".'";
 	$ShiftErg = mysql_query ($ShiftSQL, $con);
 	$beginSchicht = mysql_result($ShiftErg, 0, "DateS");
 	$endSchicht   = mysql_result($ShiftErg, 0, "DateE");
@@ -34,7 +34,7 @@ if (isset($newtext) && isset($SID) && isset($TID)) {
 	{
 		//ermitteln der noch gesuchten
 		$SQL3 = "SELECT * FROM `ShiftEntry`".
-			" WHERE ((`SID` = '$SID') and (`TID` = '$TID') and (`UID` = '0'));";
+			" WHERE ((`SID` = '". $_POST["SID"]. "') and (`TID` = '". $_POST["TID"]. "') and (`UID` = '0'));";
 		$Erg3 = mysql_query($SQL3, $con);
 
 		if( mysql_num_rows($Erg3) <= 0 ) 
@@ -44,8 +44,10 @@ if (isset($newtext) && isset($SID) && isset($TID)) {
 			//write shift
 			$SQL = "UPDATE `ShiftEntry` SET ".
 				"`UID` = '". $_SESSION['UID']. "', ".
-				"`Comment` = '$newtext' ".
-				"WHERE ((`SID` = '$SID') and (`TID` = '$TID') and (`UID` = '0')) LIMIT 1;";
+				"`Comment` = '". $_POST["newtext"]. "' ".
+				"WHERE ( (`SID` = '". $_POST["SID"]. "') and ".
+					"(`TID` = '". $_POST["TID"]. "') and ".
+					"(`UID` = '0')) LIMIT 1;";
 			$Erg = mysql_query($SQL, $con);
 
 			if ($Erg != 1)
@@ -56,13 +58,13 @@ if (isset($newtext) && isset($SID) && isset($TID)) {
 		}//TO Many USERS
 	}//Allready in Shift
 }
-elseif (isset($SID) && isset($TID)) {
+elseif (isset($_GET["SID"]) && isset($_GET["TID"])) {
   echo Get_Text("pub_schichtplan_add_Text1"). "<br><br>\n\n".
-	"<form action=\"./schichtplan_add.php\" method=\"post\">".
-	"<table border=\"0\">";
+	"<form action=\"./schichtplan_add.php\" method=\"post\">\n".
+	"<table border=\"0\">\n";
 
   $SQL = "SELECT * FROM `Shifts` WHERE ";
-  $SQL .="(SID = '".$SID."')";
+  $SQL .="(SID = '". $_GET["SID"]. "')";
   $Erg = mysql_query($SQL, $con);
   
   echo "<tr><td>". Get_Text("pub_schichtplan_add_Date"). ":</td> <td>".
@@ -72,7 +74,7 @@ elseif (isset($SID) && isset($TID)) {
        $RoomID[ mysql_result($Erg, 0, "RID") ]. "</td></tr>\n";
        
   echo "<tr><td>". Get_Text("pub_schichtplan_add_Job"). ":</td> <td>".
-       $EngelTypeID[$TID]. "</td></tr>\n";
+       $EngelTypeID[$_GET["TID"]]. "</td></tr>\n";
        
   echo "<tr><td>". Get_Text("pub_schichtplan_add_Len"). ":</td> <td>".
        mysql_result($Erg, 0, "Len"). "h</td></tr>\n";
@@ -86,8 +88,8 @@ elseif (isset($SID) && isset($TID)) {
   echo "<tr><td>&nbsp;</td>\n".
 	"<td><input type=\"submit\" value=\"". Get_Text("pub_schichtplan_add_submit"). "\"> </td></tr>\n".
 	"</table>\n".
-	"<input type=\"hidden\" name=\"SID\" value=\"$SID\">\n".
-	"<input type=\"hidden\" name=\"TID\" value=\"$TID\">\n".
+	"<input type=\"hidden\" name=\"SID\" value=\"". $_GET["SID"]. "\">\n".
+	"<input type=\"hidden\" name=\"TID\" value=\"". $_GET["TID"]. "\">\n".
 	"</form>";
 
 }
diff --git a/nonpublic/schichtplan_beamer.php b/nonpublic/schichtplan_beamer.php
index 6274b289..bcaca64c 100755
--- a/nonpublic/schichtplan_beamer.php
+++ b/nonpublic/schichtplan_beamer.php
@@ -15,7 +15,7 @@ $Time = time()+3600+3600;
 <HEAD>
 <TITLE>Schichtpl&auml;ne f&uuml;r Beamer</TITLE>
 <!--<link rel=stylesheet type="text/css" href="./inc/css/style1.css">-->
-<meta http-equiv="refresh" content="30; URL=<?substr($url, 0, strlen($url)-1). $ENGEL_ROOT. $Page["Name"]?>">
+<meta http-equiv="refresh" content="30; URL=<?echo substr($url, 0, strlen($url)-1). $_SERVER['PHP_SELF']?>">
 </HEAD>
 <BODY>
 <?
diff --git a/nonpublic/waeckliste.php b/nonpublic/waeckliste.php
index 80303168..198a741a 100755
--- a/nonpublic/waeckliste.php
+++ b/nonpublic/waeckliste.php
@@ -6,19 +6,6 @@ $header = "Weckdienst - Liste der zu weckenden Engel";
 
 include ("./inc/header.php");
 
-if ($eintragen == "Weck mich!") {
-  $SQL = "INSERT INTO Wecken (`UID`, `Date`, `Ort`, `Bemerkung`) VALUES (".$_SESSION['UID'].", \"$Date\", \"$Ort\", \"$Bemerkung\") ";
-  $Erg = mysql_query($SQL, $con);
-  if ($Erg == 1) { Print_Text(4); }
-}
-
-if ($eintragen == "loeschen") {
-  $SQL = "Delete from Wecken where UID = ".$_SESSION['UID']." and ID = $weckID limit 1";
-  $Erg = mysql_query($SQL, $con);
-  if ($Erg == 1) { 
-  	Print_Text(4); 
-  }
-}
 ?>
 
 <? echo Get_Text(1). $_SESSION['Nick'].",<br>\n".
diff --git a/nonpublic/wecken.php b/nonpublic/wecken.php
index 91c64d93..f7145336 100755
--- a/nonpublic/wecken.php
+++ b/nonpublic/wecken.php
@@ -5,19 +5,24 @@ $header = "Weckdienst";
 include ("./inc/header.php");
 include ("./inc/funktion_user.php");
 
-if ($eintragen == Get_Text("pub_wake_bouton") ) {
-  $SQL = "INSERT INTO Wecken (`UID`, `Date`, `Ort`, `Bemerkung`) VALUES (".$_SESSION['UID'].", \"$Date\", \"$Ort\", \"$Bemerkung\") ";
-  $Erg = mysql_query($SQL, $con);
-  if ($Erg == 1) { Print_Text(4); }
-}
-
-if ($eintragen == "loeschen") {
-  $SQL = "Delete from Wecken where UID = ".$_SESSION['UID']." and ID = $weckID limit 1";
-  $Erg = mysql_query($SQL, $con);
-  if ($Erg == 1) { 
-  	Print_Text(4); 
-  }
-}
+if( isset($_POST["eintragen"]))
+	if( $_POST["eintragen"] == Get_Text("pub_wake_bouton") ) 
+	{
+		$SQL = "INSERT INTO Wecken (`UID`, `Date`, `Ort`, `Bemerkung`) ".
+			"VALUES (".$_SESSION['UID'].", \"". $_POST["Date"]. "\", \"". $_POST["Ort"]. 
+				"\", \"". $_POST["Bemerkung"]. "\") ";
+		$Erg = mysql_query($SQL, $con);
+		if ($Erg == 1) 
+			Print_Text(4);
+	}
+if( isset($_GET["eintragen"]))
+	if ($_GET["eintragen"] == "loeschen") 
+	{
+		$SQL = "Delete from Wecken where UID = ".$_SESSION['UID']." and ID = ". $_GET["weckID"]." limit 1";
+		$Erg = mysql_query($SQL, $con);
+		if ($Erg == 1)
+			Print_Text(4); 
+	}
 ?>
 
 <? echo Get_Text("Hello").$_SESSION['Nick'].",<br>".Get_Text("pub_wake_beschreibung")?>
-- 
cgit v1.2.3-54-g00ecf