cleanup, security sql fixes
This commit is contained in:
parent
0b2d976b81
commit
3d15b591e3
|
@ -63,12 +63,12 @@ function admin_log() {
|
||||||
$html .= "<hr>\n";
|
$html .= "<hr>\n";
|
||||||
$html .= funktion_db_element_list_2row("Gesamte Arbeit", "SELECT COUNT(*) AS `Count [x]`, SUM(Shifts.Len) as `Sum [h]` from Shifts LEFT JOIN ShiftEntry USING(SID)");
|
$html .= funktion_db_element_list_2row("Gesamte Arbeit", "SELECT COUNT(*) AS `Count [x]`, SUM(Shifts.Len) as `Sum [h]` from Shifts LEFT JOIN ShiftEntry USING(SID)");
|
||||||
$html .= "<br />\n";
|
$html .= "<br />\n";
|
||||||
$html .= funktion_db_element_list_2row("Geleisteter Arbeit", "SELECT COUNT(*) AS `Count [x]`, SUM(Shifts.Len) as `Sum [h]` from Shifts LEFT JOIN ShiftEntry USING(SID) WHERE (ShiftEntry.UID!=0)");
|
$html .= funktion_db_element_list_2row("Geleistete Arbeit", "SELECT COUNT(*) AS `Count [x]`, SUM(Shifts.Len) as `Sum [h]` from Shifts LEFT JOIN ShiftEntry USING(SID) WHERE (ShiftEntry.UID!=0)");
|
||||||
|
|
||||||
$html .= "<hr>\n";
|
$html .= "<hr>\n";
|
||||||
$html .= funktion_db_element_list_2row("Gesamte Arbeit (Ohne Raum aufabau (RID=7)", "SELECT COUNT(*) AS `Count [x]`, SUM(Shifts.Len) as `Sum [h]` from Shifts LEFT JOIN ShiftEntry USING(SID) WHERE (Shifts.RID!=7)");
|
$html .= funktion_db_element_list_2row("Gesamte Arbeit (Ohne Raum Aufbau (RID=7)", "SELECT COUNT(*) AS `Count [x]`, SUM(Shifts.Len) as `Sum [h]` from Shifts LEFT JOIN ShiftEntry USING(SID) WHERE (Shifts.RID!=7)");
|
||||||
$html .= "<br />\n";
|
$html .= "<br />\n";
|
||||||
$html .= funktion_db_element_list_2row("Geleisteter Arbeit (Ohne Raum aufabau (RID=7)", "SELECT COUNT(*) AS `Count [x]`, SUM(Shifts.Len) as `Sum [h]` from Shifts LEFT JOIN ShiftEntry USING(SID) WHERE (ShiftEntry.UID!=0) AND (Shifts.RID!=7)");
|
$html .= funktion_db_element_list_2row("Geleistete Arbeit (Ohne Raum Aufbau (RID=7)", "SELECT COUNT(*) AS `Count [x]`, SUM(Shifts.Len) as `Sum [h]` from Shifts LEFT JOIN ShiftEntry USING(SID) WHERE (ShiftEntry.UID!=0) AND (Shifts.RID!=7)");
|
||||||
|
|
||||||
return $html;
|
return $html;
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
function admin_user() {
|
function admin_user() {
|
||||||
global $user;
|
global $user;
|
||||||
|
|
||||||
include ("includes/funktion_db_list.php");
|
include ("includes_old/funktion_db_list.php");
|
||||||
|
|
||||||
$html = "";
|
$html = "";
|
||||||
|
|
||||||
|
@ -20,7 +20,7 @@ function admin_user() {
|
||||||
$html .= "<table border=\"0\">\n";
|
$html .= "<table border=\"0\">\n";
|
||||||
$html .= "<input type=\"hidden\" name=\"Type\" value=\"Normal\">\n";
|
$html .= "<input type=\"hidden\" name=\"Type\" value=\"Normal\">\n";
|
||||||
|
|
||||||
$SQL = "SELECT * FROM `User` WHERE `UID`='" . $id . "'";
|
$SQL = "SELECT * FROM `User` WHERE `UID`='" . sql_escape($id) . "'";
|
||||||
$Erg = sql_query($SQL);
|
$Erg = sql_query($SQL);
|
||||||
|
|
||||||
$html .= "<tr><td>\n";
|
$html .= "<tr><td>\n";
|
||||||
|
@ -184,21 +184,21 @@ function admin_user() {
|
||||||
|
|
||||||
case 'save' :
|
case 'save' :
|
||||||
$SQL = "UPDATE `User` SET ";
|
$SQL = "UPDATE `User` SET ";
|
||||||
$SQL .= " `Nick` = '" . $_POST["eNick"] . "', `Name` = '" . $_POST["eName"] . "', " .
|
$SQL .= " `Nick` = '" . sql_escape($_POST["eNick"]) . "', `Name` = '" . sql_escape($_POST["eName"]) . "', " .
|
||||||
"`Vorname` = '" . $_POST["eVorname"] . "', " .
|
"`Vorname` = '" . sql_escape($_POST["eVorname"]) . "', " .
|
||||||
"`Telefon` = '" . $_POST["eTelefon"] . "', " .
|
"`Telefon` = '" . sql_escape($_POST["eTelefon"]) . "', " .
|
||||||
"`Handy` = '" . $_POST["eHandy"] . "', " .
|
"`Handy` = '" . sql_escape($_POST["eHandy"]) . "', " .
|
||||||
"`Alter` = '" . $_POST["eAlter"] . "', " .
|
"`Alter` = '" . sql_escape($_POST["eAlter"]) . "', " .
|
||||||
"`DECT` = '" . $_POST["eDECT"] . "', " .
|
"`DECT` = '" . sql_escape($_POST["eDECT"]) . "', " .
|
||||||
"`email` = '" . $_POST["eemail"] . "', " .
|
"`email` = '" . sql_escape($_POST["eemail"]) . "', " .
|
||||||
"`ICQ` = '" . $_POST["eICQ"] . "', " .
|
"`ICQ` = '" . sql_escape($_POST["eICQ"]) . "', " .
|
||||||
"`jabber` = '" . $_POST["ejabber"] . "', " .
|
"`jabber` = '" . sql_escape($_POST["ejabber"]) . "', " .
|
||||||
"`Size` = '" . $_POST["eSize"] . "', " .
|
"`Size` = '" . sql_escape($_POST["eSize"]) . "', " .
|
||||||
"`Gekommen`= '" . $_POST["eGekommen"] . "', " .
|
"`Gekommen`= '" . sql_escape($_POST["eGekommen"]) . "', " .
|
||||||
"`Aktiv`= '" . $_POST["eAktiv"] . "', " .
|
"`Aktiv`= '" . sql_escape($_POST["eAktiv"]) . "', " .
|
||||||
"`Tshirt` = '" . $_POST["eTshirt"] . "', " .
|
"`Tshirt` = '" . sql_escape($_POST["eTshirt"]) . "', " .
|
||||||
"`Hometown` = '" . $_POST["Hometown"] . "' " .
|
"`Hometown` = '" .sql_escape( $_POST["Hometown"]) . "' " .
|
||||||
"WHERE `UID` = '" . $id .
|
"WHERE `UID` = '" . sql_escape($id) .
|
||||||
"' LIMIT 1;";
|
"' LIMIT 1;";
|
||||||
sql_query($SQL);
|
sql_query($SQL);
|
||||||
$html .= success("Änderung wurde gespeichert...\n");
|
$html .= success("Änderung wurde gespeichert...\n");
|
||||||
|
@ -229,23 +229,23 @@ function admin_user() {
|
||||||
|
|
||||||
$html .= "Anzahl Engel: $Zeilen<br /><br />\n";
|
$html .= "Anzahl Engel: $Zeilen<br /><br />\n";
|
||||||
$html .= '
|
$html .= '
|
||||||
<table width="100%" class="border" cellpadding="2" cellspacing="1"> <thead>
|
<table width="100%" class="border" cellpadding="2" cellspacing="1"> <thead>
|
||||||
<tr class="contenttopic">
|
<tr class="contenttopic">
|
||||||
<th>
|
<th>
|
||||||
<a href="' . page_link_to("admin_user") . '&OrderBy=Nick">Nick</a>
|
<a href="' . page_link_to("admin_user") . '&OrderBy=Nick">Nick</a>
|
||||||
</th>
|
</th>
|
||||||
<th><a href="' . page_link_to("admin_user") . '&OrderBy=Vorname">Vorname</a> <a href="' . page_link_to("admin_user") . '&OrderBy=Name">Name</a></th>
|
<th><a href="' . page_link_to("admin_user") . '&OrderBy=Vorname">Vorname</a> <a href="' . page_link_to("admin_user") . '&OrderBy=Name">Name</a></th>
|
||||||
<th><a href="' . page_link_to("admin_user") . '&OrderBy=Alter">Alter</a></th>
|
<th><a href="' . page_link_to("admin_user") . '&OrderBy=Alter">Alter</a></th>
|
||||||
<th>
|
<th>
|
||||||
<a href="' . page_link_to("admin_user") . '&OrderBy=email">E-Mail</a>
|
<a href="' . page_link_to("admin_user") . '&OrderBy=email">E-Mail</a>
|
||||||
</th>
|
</th>
|
||||||
<th><a href="' . page_link_to("admin_user") . '&OrderBy=Size">Größe</a></th>
|
<th><a href="' . page_link_to("admin_user") . '&OrderBy=Size">Größe</a></th>
|
||||||
<th><a href="' . page_link_to("admin_user") . '&OrderBy=Gekommen">Gekommen</a></th>
|
<th><a href="' . page_link_to("admin_user") . '&OrderBy=Gekommen">Gekommen</a></th>
|
||||||
<th><a href="' . page_link_to("admin_user") . '&OrderBy=Aktiv">Aktiv</a></th>
|
<th><a href="' . page_link_to("admin_user") . '&OrderBy=Aktiv">Aktiv</a></th>
|
||||||
<th><a href="' . page_link_to("admin_user") . '&OrderBy=Tshirt">T-Shirt</a></th>
|
<th><a href="' . page_link_to("admin_user") . '&OrderBy=Tshirt">T-Shirt</a></th>
|
||||||
<th><a href="' . page_link_to("admin_user") . '&OrderBy=CreateDate">Registriert</a></th>
|
<th><a href="' . page_link_to("admin_user") . '&OrderBy=CreateDate">Registriert</a></th>
|
||||||
<th>Änd.</th>
|
<th>Änd.</th>
|
||||||
</tr></thead>';
|
</tr></thead>';
|
||||||
$Gekommen = 0;
|
$Gekommen = 0;
|
||||||
$Active = 0;
|
$Active = 0;
|
||||||
$Tshirt = 0;
|
$Tshirt = 0;
|
||||||
|
|
|
@ -3,6 +3,8 @@
|
||||||
|
|
||||||
// Engel registrieren
|
// Engel registrieren
|
||||||
function guest_register() {
|
function guest_register() {
|
||||||
|
global $SubscribeMailinglist;
|
||||||
|
|
||||||
$html = "";
|
$html = "";
|
||||||
$success = "none";
|
$success = "none";
|
||||||
|
|
||||||
|
@ -75,15 +77,11 @@ function guest_register() {
|
||||||
} else {
|
} else {
|
||||||
$html .= "<p class=\"success\">" . Get_Text("makeuser_writeOK") . "\n";
|
$html .= "<p class=\"success\">" . Get_Text("makeuser_writeOK") . "\n";
|
||||||
|
|
||||||
$Erg3 = mysql_query("INSERT INTO `UserGroups` SET `uid`=" . sql_escape(sql_id()) . ", `group_id`=-2");
|
// Assign user-group
|
||||||
|
sql_query("INSERT INTO `UserGroups` SET `uid`=" . sql_escape(sql_id()) . ", `group_id`=-2");
|
||||||
|
|
||||||
if ($Erg3 != 1) {
|
$html .= Get_Text("makeuser_writeOK2") . "<br />\n";
|
||||||
$html .= "<h1>" . Get_Text("makeuser_error_write2") . "<br />\n";
|
$html .= "<h1>" . Get_Text("makeuser_writeOK3") . "</h1>\n";
|
||||||
$error = sql_error();
|
|
||||||
} else {
|
|
||||||
$html .= Get_Text("makeuser_writeOK2") . "<br />\n";
|
|
||||||
$html .= "<h1>" . Get_Text("makeuser_writeOK3") . "</h1>\n";
|
|
||||||
}
|
|
||||||
|
|
||||||
$html .= Get_Text("makeuser_writeOK4") . "</p><p></p>\n<br /><br />\n";
|
$html .= Get_Text("makeuser_writeOK4") . "</p><p></p>\n<br /><br />\n";
|
||||||
$success = "any";
|
$success = "any";
|
||||||
|
|
|
@ -6,13 +6,7 @@ function user_unread_messages() {
|
||||||
$new_messages = sql_num_query("SELECT * FROM `Messages` WHERE isRead='N' AND `RUID`=" . sql_escape($user['UID']));
|
$new_messages = sql_num_query("SELECT * FROM `Messages` WHERE isRead='N' AND `RUID`=" . sql_escape($user['UID']));
|
||||||
|
|
||||||
if ($new_messages > 0)
|
if ($new_messages > 0)
|
||||||
return sprintf(
|
return sprintf('<p class="notice"><a href="%s">%s %s %s</a></p><hr />', page_link_to("user_messages"), Get_Text("pub_messages_new1"), $new_messages, Get_Text("pub_messages_new2"));
|
||||||
'<p class="notice"><a href="%s">%s %s %s</a></p><hr />',
|
|
||||||
page_link_to("user_messages"),
|
|
||||||
Get_Text("pub_messages_new1"),
|
|
||||||
$new_messages,
|
|
||||||
Get_Text("pub_messages_new2")
|
|
||||||
);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return "";
|
return "";
|
||||||
|
@ -22,8 +16,7 @@ function user_messages() {
|
||||||
global $user;
|
global $user;
|
||||||
|
|
||||||
if (!isset ($_REQUEST['action'])) {
|
if (!isset ($_REQUEST['action'])) {
|
||||||
$users = sql_select("SELECT * FROM `User` WHERE NOT `UID`="
|
$users = sql_select("SELECT * FROM `User` WHERE NOT `UID`=" . sql_escape($user['UID']) . " ORDER BY `Nick`");
|
||||||
. sql_escape($user['UID']) . " ORDER BY `Nick`");
|
|
||||||
|
|
||||||
$to_select_data = array (
|
$to_select_data = array (
|
||||||
"" => "Select receiver..."
|
"" => "Select receiver..."
|
||||||
|
@ -35,23 +28,11 @@ function user_messages() {
|
||||||
$to_select = html_select_key('to', $to_select_data, '');
|
$to_select = html_select_key('to', $to_select_data, '');
|
||||||
|
|
||||||
$messages_html = "";
|
$messages_html = "";
|
||||||
$messages = sql_select("SELECT * FROM `Messages` WHERE `SUID`="
|
$messages = sql_select("SELECT * FROM `Messages` WHERE `SUID`=" . sql_escape($user['UID']) . " OR `RUID`=" . sql_escape($user['UID']) . " ORDER BY `isRead`,`Datum` DESC");
|
||||||
. sql_escape($user['UID'])
|
|
||||||
. " OR `RUID`=" . sql_escape($user['UID'])
|
|
||||||
. " ORDER BY `isRead`,`Datum` DESC"
|
|
||||||
);
|
|
||||||
foreach ($messages as $message) {
|
foreach ($messages as $message) {
|
||||||
|
|
||||||
$messages_html .= sprintf(
|
$messages_html .= sprintf('<tr %s> <td>%s</td> <td>%s</td> <td>%s</td> <td>%s</td>' .
|
||||||
'<tr %s> <td>%s</td> <td>%s</td> <td>%s</td> <td>%s</td>'
|
'<td>%s</td>', ($message['isRead'] == 'N' ? ' class="new_message"' : ''), ($message['isRead'] == 'N' ? '•' : ''), date("Y-m-d H:i", $message['Datum']), UID2Nick($message['SUID']), UID2Nick($message['RUID']), str_replace("\n", '<br />', $message['Text']));
|
||||||
.'<td>%s</td>',
|
|
||||||
($message['isRead'] == 'N' ? ' class="new_message"' : ''),
|
|
||||||
($message['isRead'] == 'N' ? '•' : ''),
|
|
||||||
date("Y-m-d H:i", $message['Datum']),
|
|
||||||
UID2Nick($message['SUID']),
|
|
||||||
UID2Nick($message['RUID']),
|
|
||||||
str_replace("\n", '<br />', $message['Text'])
|
|
||||||
);
|
|
||||||
|
|
||||||
$messages_html .= '<td>';
|
$messages_html .= '<td>';
|
||||||
if ($message['RUID'] == $user['UID']) {
|
if ($message['RUID'] == $user['UID']) {
|
||||||
|
@ -65,8 +46,7 @@ function user_messages() {
|
||||||
|
|
||||||
return template_render('../templates/user_messages.html', array (
|
return template_render('../templates/user_messages.html', array (
|
||||||
'link' => page_link_to("user_messages"),
|
'link' => page_link_to("user_messages"),
|
||||||
'greeting' => Get_Text("Hello") . $user['Nick'] . ", <br />\n"
|
'greeting' => Get_Text("Hello") . $user['Nick'] . ", <br />\n" . Get_Text("pub_messages_text1") . "<br /><br />\n",
|
||||||
. Get_Text("pub_messages_text1") . "<br /><br />\n",
|
|
||||||
'messages' => $messages_html,
|
'messages' => $messages_html,
|
||||||
'new_label' => Get_Text("pub_messages_Neu"),
|
'new_label' => Get_Text("pub_messages_Neu"),
|
||||||
'date_label' => Get_Text("pub_messages_Datum"),
|
'date_label' => Get_Text("pub_messages_Datum"),
|
||||||
|
@ -118,122 +98,10 @@ function user_messages() {
|
||||||
return error(Get_Text("pub_messages_Send_Error"));
|
return error(Get_Text("pub_messages_Send_Error"));
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
default :
|
||||||
|
return error("Wrong action.");
|
||||||
}
|
}
|
||||||
return "";
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!isset ($_GET["action"]))
|
|
||||||
$_GET["action"] = "start";
|
|
||||||
|
|
||||||
switch ($_GET["action"]) {
|
|
||||||
case "start" :
|
|
||||||
echo Get_Text("Hello") . $_SESSION['Nick'] . ", <br />\n";
|
|
||||||
echo Get_Text("pub_messages_text1") . "<br /><br />\n";
|
|
||||||
|
|
||||||
//show exist Messages
|
|
||||||
$SQL = "SELECT * FROM `Messages` WHERE `SUID`='" . $_SESSION["UID"] . "' OR `RUID`='" . $_SESSION["UID"] . "'";
|
|
||||||
$erg = mysql_query($SQL, $con);
|
|
||||||
|
|
||||||
echo "<table border=\"0\" class=\"border\" cellpadding=\"2\" cellspacing=\"1\">\n";
|
|
||||||
echo "<tr>\n";
|
|
||||||
echo "<td class=\"contenttopic\"><b>" . Get_Text("pub_messages_Datum") . "</b></td>\n";
|
|
||||||
echo "<td class=\"contenttopic\"><b>" . Get_Text("pub_messages_Von") . "</b></td>\n";
|
|
||||||
echo "<td class=\"contenttopic\"><b>" . Get_Text("pub_messages_An") . "</b></td>\n";
|
|
||||||
echo "<td class=\"contenttopic\"><b>" . Get_Text("pub_messages_Text") . "</b></td>\n";
|
|
||||||
echo "<td class=\"contenttopic\"></td>\n";
|
|
||||||
echo "</tr>\n";
|
|
||||||
|
|
||||||
for ($i = 0; $i < mysql_num_rows($erg); $i++) {
|
|
||||||
echo "<tr class=\"content\">\n";
|
|
||||||
echo "<td>" . mysql_result($erg, $i, "Datum") . "</td>\n";
|
|
||||||
echo "<td>" . UID2Nick(mysql_result($erg, $i, "SUID")) . "</td>\n";
|
|
||||||
echo "<td>" . UID2Nick(mysql_result($erg, $i, "RUID")) . "</td>\n";
|
|
||||||
echo "<td>" . mysql_result($erg, $i, "Text") . "</td>\n";
|
|
||||||
echo "<td>";
|
|
||||||
|
|
||||||
if (mysql_result($erg, $i, "RUID") == $_SESSION["UID"]) {
|
|
||||||
echo "<a href=\"?action=DelMsg&Datum=" . mysql_result($erg, $i, "Datum") . "\">" . Get_Text("pub_messages_DelMsg") . "</a>";
|
|
||||||
|
|
||||||
if (mysql_result($erg, $i, "isRead") == "N")
|
|
||||||
echo "<a href=\"?action=MarkRead&Datum=" . mysql_result($erg, $i, "Datum") . "\">" . Get_Text("pub_messages_MarkRead") . "</a>";
|
|
||||||
} else {
|
|
||||||
if (mysql_result($erg, $i, "isRead") == "N")
|
|
||||||
echo Get_Text("pub_messages_NotRead");
|
|
||||||
}
|
|
||||||
|
|
||||||
echo "</td>\n";
|
|
||||||
echo "</tr>\n";
|
|
||||||
}
|
|
||||||
|
|
||||||
// send Messeges
|
|
||||||
echo "<form action=\"" . $_SERVER['SCRIPT_NAME'] . "?action=SendMsg\" method=\"POST\">";
|
|
||||||
echo "<tr class=\"content\">\n";
|
|
||||||
echo "<td></td>\n";
|
|
||||||
echo "<td></td>\n";
|
|
||||||
|
|
||||||
// Listet alle Nicks auf
|
|
||||||
echo "<td><select name=\"RUID\">\n";
|
|
||||||
|
|
||||||
$usql = "SELECT * FROM `User` WHERE (`UID`!='" . $_SESSION["UID"] . "') ORDER BY `Nick`";
|
|
||||||
$uErg = mysql_query($usql, $con);
|
|
||||||
$urowcount = mysql_num_rows($uErg);
|
|
||||||
|
|
||||||
for ($k = 0; $k < $urowcount; $k++) {
|
|
||||||
echo "<option value=\"" . mysql_result($uErg, $k, "UID") . "\">" . mysql_result($uErg, $k, "Nick") . "</option>\n";
|
|
||||||
}
|
|
||||||
|
|
||||||
echo "</select></td>\n";
|
|
||||||
echo "<td><textarea name=\"Text\" cols=\"30\" rows=\"10\"></textarea></td>\n";
|
|
||||||
echo "<td><input type=\"submit\" value=\"" . Get_Text("save") . "\"></td>\n";
|
|
||||||
echo "</tr>\n";
|
|
||||||
echo "</form>";
|
|
||||||
|
|
||||||
echo "</table>\n";
|
|
||||||
break;
|
|
||||||
|
|
||||||
case "SendMsg" :
|
|
||||||
echo Get_Text("pub_messages_Send1") . "...<br />\n";
|
|
||||||
|
|
||||||
$SQL = "INSERT INTO `Messages` ( `Datum` , `SUID` , `RUID` , `Text` ) VALUES (" .
|
|
||||||
"'" . gmdate("Y-m-j H:i:s", time()) . "', " .
|
|
||||||
"'" . $_SESSION["UID"] . "', " .
|
|
||||||
"'" . $_POST["RUID"] . "', " .
|
|
||||||
"'" . $_POST["Text"] . "');";
|
|
||||||
|
|
||||||
$Erg = mysql_query($SQL, $con);
|
|
||||||
|
|
||||||
if ($Erg == 1)
|
|
||||||
echo Get_Text("pub_messages_Send_OK") . "\n";
|
|
||||||
else
|
|
||||||
echo Get_Text("pub_messages_Send_Error") . "...\n(" . mysql_error($con) . ")";
|
|
||||||
break;
|
|
||||||
|
|
||||||
case "MarkRead" :
|
|
||||||
$SQL = "UPDATE `Messages` SET `isRead` = 'Y' " .
|
|
||||||
"WHERE `Datum` = '" . $_GET["Datum"] . "' AND `RUID`='" . $_SESSION["UID"] . "' " .
|
|
||||||
"LIMIT 1 ;";
|
|
||||||
$Erg = mysql_query($SQL, $con);
|
|
||||||
|
|
||||||
if ($Erg == 1)
|
|
||||||
echo Get_Text("pub_messages_MarkRead_OK") . "\n";
|
|
||||||
else
|
|
||||||
echo Get_Text("pub_messages_MarkRead_KO") . "...\n(" . mysql_error($con) . ")";
|
|
||||||
break;
|
|
||||||
|
|
||||||
case "DelMsg" :
|
|
||||||
$SQL = "DELETE FROM `Messages` " .
|
|
||||||
"WHERE `Datum` = '" . $_GET["Datum"] . "' AND `RUID` ='" . $_SESSION["UID"] . "' " .
|
|
||||||
"LIMIT 1;";
|
|
||||||
$Erg = mysql_query($SQL, $con);
|
|
||||||
|
|
||||||
if ($Erg == 1)
|
|
||||||
echo Get_Text("pub_messages_DelMsg_OK") . "\n";
|
|
||||||
else
|
|
||||||
echo Get_Text("pub_messages_DelMsg_KO") . "...\n(" . mysql_error($con) . ")";
|
|
||||||
break;
|
|
||||||
|
|
||||||
default :
|
|
||||||
echo Get_Text("pub_messages_NoCommand");
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
?>
|
?>
|
||||||
|
|
|
@ -9,7 +9,7 @@ function user_meetings() {
|
||||||
else
|
else
|
||||||
$page = 0;
|
$page = 0;
|
||||||
|
|
||||||
$news = sql_select("SELECT * FROM `News` WHERE `Treffen`=1 ORDER BY `ID` DESC LIMIT " . ($page * $DISPLAY_NEWS) . ", " . $DISPLAY_NEWS);
|
$news = sql_select("SELECT * FROM `News` WHERE `Treffen`=1 ORDER BY `ID` DESC LIMIT " . sql_escape($page * $DISPLAY_NEWS) . ", " . sql_escape($DISPLAY_NEWS));
|
||||||
foreach ($news as $entry)
|
foreach ($news as $entry)
|
||||||
$html .= display_news($entry);
|
$html .= display_news($entry);
|
||||||
|
|
||||||
|
@ -54,7 +54,7 @@ function user_news_comments() {
|
||||||
$html = "";
|
$html = "";
|
||||||
if (isset ($_REQUEST["nid"]) && preg_match("/^[0-9]{1,}$/", $_REQUEST['nid']) && sql_num_query("SELECT * FROM `News` WHERE `ID`=" . sql_escape($_REQUEST['nid']) . " LIMIT 1") > 0) {
|
if (isset ($_REQUEST["nid"]) && preg_match("/^[0-9]{1,}$/", $_REQUEST['nid']) && sql_num_query("SELECT * FROM `News` WHERE `ID`=" . sql_escape($_REQUEST['nid']) . " LIMIT 1") > 0) {
|
||||||
$nid = $_REQUEST["nid"];
|
$nid = $_REQUEST["nid"];
|
||||||
list ($news) = sql_select("SELECT * FROM `News` WHERE `ID`=" . sql_escape($_REQUEST['nid']) . " LIMIT 1");
|
list ($news) = sql_select("SELECT * FROM `News` WHERE `ID`=" . sql_escape($nid) . " LIMIT 1");
|
||||||
if (isset ($_REQUEST["text"])) {
|
if (isset ($_REQUEST["text"])) {
|
||||||
$text = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['text']));
|
$text = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['text']));
|
||||||
sql_query("INSERT INTO `news_comments` (`Refid`, `Datum`, `Text`, `UID`) VALUES ('" . sql_escape($nid) . "', '" . date("Y-m-d H:i:s") . "', '" . sql_escape($text) . "', '" . sql_escape($user["UID"]) . "')");
|
sql_query("INSERT INTO `news_comments` (`Refid`, `Datum`, `Text`, `UID`) VALUES ('" . sql_escape($nid) . "', '" . date("Y-m-d H:i:s") . "', '" . sql_escape($text) . "', '" . sql_escape($user["UID"]) . "')");
|
||||||
|
@ -66,7 +66,7 @@ function user_news_comments() {
|
||||||
|
|
||||||
$html .= '<h2>Kommentare</h2>';
|
$html .= '<h2>Kommentare</h2>';
|
||||||
|
|
||||||
$comments = sql_select("SELECT * FROM `news_comments` WHERE `Refid`='" . $nid . "' ORDER BY 'ID'");
|
$comments = sql_select("SELECT * FROM `news_comments` WHERE `Refid`='" . sql_escape($nid) . "' ORDER BY 'ID'");
|
||||||
foreach ($comments as $comment) {
|
foreach ($comments as $comment) {
|
||||||
$html .= '<article class="news_comment">';
|
$html .= '<article class="news_comment">';
|
||||||
$html .= DisplayAvatar($comment['UID']);
|
$html .= DisplayAvatar($comment['UID']);
|
||||||
|
@ -122,7 +122,7 @@ function user_news() {
|
||||||
else
|
else
|
||||||
$page = 0;
|
$page = 0;
|
||||||
|
|
||||||
$news = sql_select("SELECT * FROM `News` ORDER BY `ID` DESC LIMIT " . ($page * $DISPLAY_NEWS) . ", " . $DISPLAY_NEWS);
|
$news = sql_select("SELECT * FROM `News` ORDER BY `ID` DESC LIMIT " . sql_escape($page * $DISPLAY_NEWS) . ", " . sql_escape($DISPLAY_NEWS));
|
||||||
foreach ($news as $entry)
|
foreach ($news as $entry)
|
||||||
$html .= display_news($entry);
|
$html .= display_news($entry);
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue