From 3f8cf2ca9beb7ef7ccd84912391e3e351be0985b Mon Sep 17 00:00:00 2001
From: cookie <cookie@29ba0400-6e00-0410-a75a-ca02368028f8>
Date: Mon, 11 Dec 2006 07:47:43 +0000
Subject: sql injektion gemeldet by sven

git-svn-id: svn://svn.cccv.de/engel-system@204 29ba0400-6e00-0410-a75a-ca02368028f8
---
 www-ssl/inc/funktion_xml_schudle.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'www-ssl/inc')

diff --git a/www-ssl/inc/funktion_xml_schudle.php b/www-ssl/inc/funktion_xml_schudle.php
index 93e664b3..55b1b682 100755
--- a/www-ssl/inc/funktion_xml_schudle.php
+++ b/www-ssl/inc/funktion_xml_schudle.php
@@ -30,7 +30,7 @@ function SaveSchedule()
 				   (substr($_GET["DateXML"], 8, 2)+1). " ";
 		}
 		else
-			$DateEnd = substr($_GET["DateXML"], 0, 11);
+			$dAteEnd = substr($_GET["DateXML"], 0, 11);
 		$DateEnd .= "$TimeH:$TimeM:00";
 		
 		//Namen ermitteln
@@ -73,7 +73,7 @@ function SaveSchedule()
 				
 				// erstellt ein Array der Reume
 			        $sql2 =	"SELECT * FROM `Room` ".
-					"WHERE `RID` = ".$_GET["RIDXML"]. " ".
+					"WHERE `RID`='".$_GET["RIDXML"]. "' ".
 		        		"ORDER BY `Number`, `Name`;";
 				$Erg2 = mysql_query( $sql2, $con);
 				for( $j=0; $j<mysql_num_fields( $Erg2); $j++)
@@ -155,7 +155,7 @@ foreach($XMLmain->sub as $EventKey => $Event)
 			SaveSchedule();
 		}
 			
-		$SQL = "SELECT * FROM `Shifts` WHERE PSID='$PSIDXML'";
+		$SQL = "SELECT * FROM `Shifts` WHERE `PSID`='$PSIDXML'";
 		$Erg = mysql_query($SQL, $con);
 		if(mysql_num_rows($Erg)>0)
 		{
@@ -210,7 +210,7 @@ echo "<tr><td colspan=\"6\">status: $DS_KO/$DS_OK nicht Aktuel.</td></tr>\n";
 
 //Anzeige von nicht im XML File vorkommende entraege
 if( $Where =="")
-	$SQL2 = "SELECT * FROM `Shifts` WHERE NOT PSID = '';";
+	$SQL2 = "SELECT * FROM `Shifts` WHERE NOT `PSID`='';";
 else
 	$SQL2 = "SELECT * FROM `Shifts` WHERE NOT (".substr( $Where, 4). ") AND NOT PSID = '';";
 	
-- 
cgit v1.2.3-54-g00ecf