bugfix und security
git-svn-id: svn://svn.cccv.de/engel-system@265 29ba0400-6e00-0410-a75a-ca02368028f8
This commit is contained in:
parent
4ef096e843
commit
f58879ba0d
|
@ -12,7 +12,7 @@ if( IsSet($_GET["action"]) )
|
|||
switch ($_GET["action"])
|
||||
{
|
||||
case 'FormUpload':
|
||||
echo "Hier kannst Du ein Foto hochladen für:";
|
||||
echo "Hier kannst Du ein Foto hochladen för:";
|
||||
echo "<form action=\"./UserPicture.php?action=sendPicture\" method=\"post\" enctype=\"multipart/form-data\">\n";
|
||||
echo "\t<select name=\"UID\">\n";
|
||||
$usql="SELECT * FROM `User` ORDER BY `Nick`";
|
||||
|
@ -76,13 +76,13 @@ if( IsSet($_GET["action"]) )
|
|||
echo "Fehlerhafter Aufruf";
|
||||
break;
|
||||
case 'del':
|
||||
echo "Wollen Sie das Bild von '". UID2Nick( $_GET["UID"]). "' wirklich löschen? ".
|
||||
echo "Wollen Sie das Bild von '". UID2Nick( $_GET["UID"]). "' wirklich löschen? ".
|
||||
"<a href=\"./UserPicture.php?action=delYes&UID=". $_GET["UID"]. "\">Yes</a>";
|
||||
break;
|
||||
case 'delYes':
|
||||
if (IsSet($_GET["UID"]))
|
||||
{
|
||||
echo "Bild von '". UID2Nick( $_GET["UID"]). "' wurde gelöscht:<br>";
|
||||
echo "Bild von '". UID2Nick( $_GET["UID"]). "' wurde gelöscht:<br>";
|
||||
$SQL = "DELETE FROM `UserPicture` WHERE `UID`='". $_GET["UID"]. "' LIMIT 1";
|
||||
}
|
||||
else
|
||||
|
@ -121,24 +121,24 @@ echo "<tr class=\"contenttopic\">\n";
|
|||
echo "\t<td>User</td>\n";
|
||||
echo "\t<td>Bild</td>\n";
|
||||
echo "\t<td>Status</td>\n";
|
||||
echo "\t<td>Löschen</td>\n";
|
||||
echo "\t<td>Löschen</td>\n";
|
||||
echo "</tr>";
|
||||
|
||||
for( $t = 0; $t < mysql_num_rows($Erg); $t++ )
|
||||
{
|
||||
$UID = mysql_result($Erg, $t, "UID");
|
||||
$UIDs = mysql_result($Erg, $t, "UID");
|
||||
echo "\t<tr class=\"content\">\n";
|
||||
|
||||
echo "\t\t<td>". UID2Nick(mysql_result($Erg, $t, "UID")). "</td>\n";
|
||||
echo "\t\t<td>". displayPictur( $UID, 0). "</td>\n";
|
||||
echo "\t\t<td>". displayPictur( $UIDs, 0). "</td>\n";
|
||||
|
||||
if( GetPicturShow( $UID) == "Y")
|
||||
echo "\t\t<td><a href=\"./UserPicture.php?action=SetN&UID=$UID\">sperren</a></td>\n";
|
||||
elseif( GetPicturShow( $UID) == "N")
|
||||
echo "\t\t<td><a href=\"./UserPicture.php?action=SetY&UID=$UID\">freigeben</a></td>\n";
|
||||
if( GetPicturShow( $UIDs) == "Y")
|
||||
echo "\t\t<td><a href=\"./UserPicture.php?action=SetN&UID=$UIDs\">sperren</a></td>\n";
|
||||
elseif( GetPicturShow( $UIDs) == "N")
|
||||
echo "\t\t<td><a href=\"./UserPicture.php?action=SetY&UID=$UIDs\">freigeben</a></td>\n";
|
||||
else
|
||||
echo "\t\t<td>ERROR: show='". GetPicturShow( $UID). "'</td>\n";
|
||||
echo "\t\t<td><a href=\"./UserPicture.php?action=del&UID=$UID\">del</a></td>\n";
|
||||
echo "\t\t<td>ERROR: show='". GetPicturShow( $UIDs). "'</td>\n";
|
||||
echo "\t\t<td><a href=\"./UserPicture.php?action=del&UID=$UIDs\">del</a></td>\n";
|
||||
echo "\t</tr>\n";
|
||||
} // ende Auflistung Raeume
|
||||
echo "</table>";
|
||||
|
|
|
@ -15,6 +15,12 @@ if (isset($_POST["newtext"]) && isset($_POST["SID"]) && isset($_POST["TID"])) {
|
|||
$beginSchicht = mysql_result($ShiftErg, 0, "DateS");
|
||||
$endSchicht = mysql_result($ShiftErg, 0, "DateE");
|
||||
|
||||
//wenn keien rechte definiert sind
|
||||
if( !isset($_SESSION['CVS'][ $TID2Name[$_POST["TID"]] ]))
|
||||
$_SESSION['CVS'][ $TID2Name[$_POST["TID"]] ] = "Y";
|
||||
|
||||
if( $_SESSION['CVS'][ $TID2Name[$_POST["TID"]] ] == "Y")
|
||||
{
|
||||
// Ueberpruefung, ob der Engel bereits für eine Schicht zu dieser Zeit eingetragen ist
|
||||
$SSQL="SELECT * FROM `Shifts`".
|
||||
" INNER JOIN `ShiftEntry` ON `ShiftEntry`.`SID` = `Shifts`.`SID`".
|
||||
|
@ -57,8 +63,24 @@ if (isset($_POST["newtext"]) && isset($_POST["SID"]) && isset($_POST["TID"])) {
|
|||
|
||||
}//TO Many USERS
|
||||
}//Allready in Shift
|
||||
}
|
||||
else
|
||||
{
|
||||
echo "<h1>:-(</h1>";
|
||||
array_push($error_messages, "Hack atteck\n");
|
||||
}
|
||||
}
|
||||
elseif (isset($_GET["SID"]) && isset($_GET["TID"])) {
|
||||
elseif (isset($_GET["SID"]) && isset($_GET["TID"]))
|
||||
{
|
||||
//wenn keien rechte definiert sind
|
||||
if( !isset($_SESSION['CVS'][ $TID2Name[$_GET["TID"]] ]))
|
||||
$_SESSION['CVS'][ $TID2Name[$_GET["TID"]] ] = "Y";
|
||||
|
||||
|
||||
|
||||
if( $_SESSION['CVS'][ $TID2Name[$_GET["TID"]] ] == "Y")
|
||||
{
|
||||
|
||||
echo Get_Text("pub_schichtplan_add_Text1"). "<br><br>\n\n".
|
||||
"<form action=\"./schichtplan_add.php\" method=\"post\">\n".
|
||||
"<table border=\"0\">\n";
|
||||
|
@ -91,6 +113,12 @@ elseif (isset($_GET["SID"]) && isset($_GET["TID"])) {
|
|||
"<input type=\"hidden\" name=\"SID\" value=\"". $_GET["SID"]. "\">\n".
|
||||
"<input type=\"hidden\" name=\"TID\" value=\"". $_GET["TID"]. "\">\n".
|
||||
"</form>";
|
||||
}
|
||||
else
|
||||
{
|
||||
echo "<h1>:-(</h1>";
|
||||
array_push($error_messages, "Hack atteck\n");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue