From 3f8cf2ca9beb7ef7ccd84912391e3e351be0985b Mon Sep 17 00:00:00 2001 From: cookie Date: Mon, 11 Dec 2006 07:47:43 +0000 Subject: [PATCH] sql injektion gemeldet by sven git-svn-id: svn://svn.cccv.de/engel-system@204 29ba0400-6e00-0410-a75a-ca02368028f8 --- www-ssl/admin/schichtplan.php | 8 ++++---- www-ssl/inc/funktion_xml_schudle.php | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/www-ssl/admin/schichtplan.php b/www-ssl/admin/schichtplan.php index 12c767c2..3bf2bb4f 100755 --- a/www-ssl/admin/schichtplan.php +++ b/www-ssl/admin/schichtplan.php @@ -40,7 +40,7 @@ echo "
\n"; \n"; echo "ShiftEntry $v wird gelöscht..."; - executeSQL( "DELETE FROM `ShiftEntry` WHERE `SID`= $v"); + executeSQL( "DELETE FROM `ShiftEntry` WHERE `SID`='$v'"); echo "

\n"; } break; diff --git a/www-ssl/inc/funktion_xml_schudle.php b/www-ssl/inc/funktion_xml_schudle.php index 93e664b3..55b1b682 100755 --- a/www-ssl/inc/funktion_xml_schudle.php +++ b/www-ssl/inc/funktion_xml_schudle.php @@ -30,7 +30,7 @@ function SaveSchedule() (substr($_GET["DateXML"], 8, 2)+1). " "; } else - $DateEnd = substr($_GET["DateXML"], 0, 11); + $dAteEnd = substr($_GET["DateXML"], 0, 11); $DateEnd .= "$TimeH:$TimeM:00"; //Namen ermitteln @@ -73,7 +73,7 @@ function SaveSchedule() // erstellt ein Array der Reume $sql2 = "SELECT * FROM `Room` ". - "WHERE `RID` = ".$_GET["RIDXML"]. " ". + "WHERE `RID`='".$_GET["RIDXML"]. "' ". "ORDER BY `Number`, `Name`;"; $Erg2 = mysql_query( $sql2, $con); for( $j=0; $jsub as $EventKey => $Event) SaveSchedule(); } - $SQL = "SELECT * FROM `Shifts` WHERE PSID='$PSIDXML'"; + $SQL = "SELECT * FROM `Shifts` WHERE `PSID`='$PSIDXML'"; $Erg = mysql_query($SQL, $con); if(mysql_num_rows($Erg)>0) { @@ -210,7 +210,7 @@ echo "status: $DS_KO/$DS_OK nicht Aktuel.\n"; //Anzeige von nicht im XML File vorkommende entraege if( $Where =="") - $SQL2 = "SELECT * FROM `Shifts` WHERE NOT PSID = '';"; + $SQL2 = "SELECT * FROM `Shifts` WHERE NOT `PSID`='';"; else $SQL2 = "SELECT * FROM `Shifts` WHERE NOT (".substr( $Where, 4). ") AND NOT PSID = '';";