diff --git a/include/antwort.class.php b/include/antwort.class.php index ba50ef7da..cc2b96486 100644 --- a/include/antwort.class.php +++ b/include/antwort.class.php @@ -51,7 +51,7 @@ class antwort extends basis_db */ public function load($antwort_id) { - $qry = "SELECT * FROM testtool.tbl_antwort WHERE antwort_id='".addslashes($antwort_id)."'"; + $qry = "SELECT * FROM testtool.tbl_antwort WHERE antwort_id=".$this->db_add_param($antwort_id, FHC_INTEGER); if($this->db_query($qry)) { @@ -100,15 +100,15 @@ class antwort extends basis_db if($this->new) //Wenn new true ist dann ein INSERT absetzen ansonsten ein UPDATE { $qry = 'INSERT INTO testtool.tbl_antwort (pruefling_id, vorschlag_id) VALUES('. - $this->addslashes($this->pruefling_id).",". - $this->addslashes($this->vorschlag_id).");"; + $this->db_add_param($this->pruefling_id, FHC_INTEGER).",". + $this->db_add_param($this->vorschlag_id, FHC_INTEGER).");"; } else { $qry = 'UPDATE testtool.tbl_antwort SET'. - ' vorschlag_id='.$this->addslashes($this->vorschlag_id).','. - ' pruefling_id='.$this->addslashes($this->pruefling_id).','. - " WHERE antwort_id='".addslashes($this->antwort_id)."'"; + ' vorschlag_id='.$this->db_add_param($this->vorschlag_id, FHC_INTEGER).','. + ' pruefling_id='.$this->db_add_param($this->pruefling_id, FHC_INTEGER).','. + " WHERE antwort_id=".$this->db_add_param($this->antwort_id, FHC_INTEGER,false); } if($this->db_query($qry)) @@ -137,7 +137,7 @@ class antwort extends basis_db return false; } - $qry = "DELETE FROM testtool.tbl_antwort WHERE antwort_id='".addslashes($antwort_id)."'"; + $qry = "DELETE FROM testtool.tbl_antwort WHERE antwort_id=".$this->db_add_param($antwort_id, FHC_INTEGER, false); if($this->db_query($qry)) { return true; 
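Review bot: The UPDATE branch in antwort::save still emits a comma between the last SET assignment and the WHERE clause, because the `pruefling_id=` line ends with `.','.` and the next line starts with `" WHERE antwort_id="`; the resulting `pruefling_id=..., WHERE antwort_id=...` is a syntax error, so every update of an existing answer fails. Drop the trailing separator: `' pruefling_id='.$this->db_add_param($this->pruefling_id, FHC_INTEGER).` followed by `" WHERE antwort_id=".$this->db_add_param($this->antwort_id, FHC_INTEGER,false);`. The defect predates this commit (the removed lines have the same comma), but the new side keeps it. The save method begins before this hunk and its db_query/COMMIT handling follows it.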
@@ -162,8 +162,8 @@ class antwort extends basis_db JOIN testtool.tbl_vorschlag USING(vorschlag_id) WHERE tbl_vorschlag.frage_id=tbl_pruefling_frage.frage_id AND - pruefling_id='".addslashes($pruefling_id)."' AND - tbl_vorschlag.frage_id='".addslashes($frage_id)."'"; + pruefling_id=".$this->db_add_param($pruefling_id, FHC_INTEGER)." AND + tbl_vorschlag.frage_id=".$this->db_add_param($frage_id, FHC_INTEGER, false); if($this->db_query($qry)) { diff --git a/include/frage.class.php b/include/frage.class.php index 5a3a678d9..7011d94c4 100644 --- a/include/frage.class.php +++ b/include/frage.class.php @@ -80,7 +80,7 @@ class frage extends basis_db return false; } - $qry = "SELECT * FROM testtool.tbl_frage WHERE frage_id='".addslashes($frage_id)."'"; + $qry = "SELECT * FROM testtool.tbl_frage WHERE frage_id=".$this->db_add_param($frage_id, FHC_INTEGER); if($this->db_query($qry)) { @@ -89,7 +89,7 @@ class frage extends basis_db $this->frage_id = $row->frage_id; $this->gebiet_id = $row->gebiet_id; $this->nummer = $row->nummer; - $this->demo = ($row->demo=='t'?true:false); + $this->demo = $this->db_parse_bool($row->demo); $this->kategorie_kurzbz = $row->kategorie_kurzbz; $this->updateamum = $row->updateamum; $this->updatevon = $row->updatevon; @@ -101,13 +101,13 @@ class frage extends basis_db } else { - $this->errormsg = "Kein Eintrag gefunden fuer $frage_id"; + $this->errormsg = "Kein Eintrag gefunden"; return false; } } else { - $this->errormsg = "Fehler beim Laden: $qry"; + $this->errormsg = "Fehler beim Laden"; return false; } } 
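Review bot: Removing `$qry` and `$frage_id` from errormsg is the right move for any message that can reach the browser, but the hunk replaces them with nothing, so a failed db_query in frage::load now leaves no record of why it failed. If basis_db exposes the driver's last error, log it server-side before returning the generic text, e.g. `error_log('frage::load failed: '.$this->db_last_error());` (accessor name to be confirmed in basis_db), keeping the user-facing "Fehler beim Laden" as is. The same pattern applies to the "Kein Eintrag gefunden" branch, where the looked-up id is useful in a log even though it should not be echoed. The load method starts before this hunk.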
@@ -138,26 +138,26 @@ class frage extends basis_db { $qry = 'BEGIN;INSERT INTO testtool.tbl_frage (kategorie_kurzbz, gebiet_id, level, nummer, demo, insertamum, insertvon, updateamum, updatevon) VALUES('. - $this->addslashes($this->kategorie_kurzbz).','. - $this->addslashes($this->gebiet_id).','. - $this->addslashes($this->level).','. - $this->addslashes($this->nummer).','. - ($this->demo?'true':'false').','. - $this->addslashes($this->insertamum).','. - $this->addslashes($this->insertvon).','. + $this->db_add_param($this->kategorie_kurzbz).','. + $this->db_add_param($this->gebiet_id, FHC_INTEGER).','. + $this->db_add_param($this->level).','. + $this->db_add_param($this->nummer).','. + $this->db_add_param($this->demo, FHC_BOOLEAN).','. + $this->db_add_param($this->insertamum).','. + $this->db_add_param($this->insertvon).','. 'null,null);'; } else { $qry = 'UPDATE testtool.tbl_frage SET'. - ' gebiet_id='.$this->addslashes($this->gebiet_id).','. - ' kategorie_kurzbz='.$this->addslashes($this->kategorie_kurzbz).','. - ' level='.$this->addslashes($this->level).','. - ' nummer='.$this->addslashes($this->nummer).','. - ' demo='.($this->demo?'true':'false').','. - ' updateamum='.$this->addslashes($this->updateamum).','. - ' updatevon='.$this->addslashes($this->updatevon). - " WHERE frage_id='".addslashes($this->frage_id)."';"; + ' gebiet_id='.$this->db_add_param($this->gebiet_id, FHC_INTEGER).','. + ' kategorie_kurzbz='.$this->db_add_param($this->kategorie_kurzbz).','. + ' level='.$this->db_add_param($this->level).','. + ' nummer='.$this->db_add_param($this->nummer).','. + ' demo='.$this->db_add_param($this->demo, FHC_BOOLEAN).','. + ' updateamum='.$this->db_add_param($this->updateamum).','. + ' updatevon='.$this->db_add_param($this->updatevon). + " WHERE frage_id=".$this->db_add_param($this->frage_id, FHC_INTEGER, false).";"; } if($this->db_query($qry)) 
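Review bot: The INSERT branch of frage::save still sends `'BEGIN;INSERT INTO testtool.tbl_frage ...'` as one string, and now binds its values through db_add_param; if db_query submits parameterised statements via the extended protocol (pg_query_params or pg_prepare), PostgreSQL refuses a query string that contains more than one command and the insert fails outright. Start the transaction in its own call, `$this->db_query('BEGIN');`, and reduce `$qry` to the single `INSERT INTO testtool.tbl_frage (...) VALUES(...)`. Whether db_query behaves this way is decided in basis_db, which is not part of the diff, so this should be confirmed against it. The save method begins before this hunk and its COMMIT/ROLLBACK handling is outside it.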
@@ -194,7 +194,7 @@ class frage extends basis_db } else { - $this->errormsg = 'Fehler beim Speichern der Frage:'.$qry; + $this->errormsg = 'Fehler beim Speichern der Frage'; return false; } } @@ -210,24 +210,24 @@ class frage extends basis_db { $qry = 'INSERT INTO testtool.tbl_frage_sprache (frage_id, sprache, text, bild, audio, insertamum, insertvon, updateamum, updatevon) VALUES('. - $this->addslashes($this->frage_id).','. - $this->addslashes($this->sprache).','. - $this->addslashes($this->text).','. - $this->addslashes($this->bild).','. - $this->addslashes($this->audio).','. - $this->addslashes($this->insertamum).','. - $this->addslashes($this->insertvon).','. + $this->db_add_param($this->frage_id, FHC_INTEGER).','. + $this->db_add_param($this->sprache).','. + $this->db_add_param($this->text).','. + $this->db_add_param($this->bild).','. + $this->db_add_param($this->audio).','. + $this->db_add_param($this->insertamum).','. + $this->db_add_param($this->insertvon).','. 'null,null);'; } else { $qry = 'UPDATE testtool.tbl_frage_sprache SET'. - ' text='.$this->addslashes($this->text).','. - ' bild='.$this->addslashes($this->bild).','. - ' audio='.$this->addslashes($this->audio).','. - ' updateamum='.$this->addslashes($this->updateamum).','. - ' updatevon='.$this->addslashes($this->updatevon). - " WHERE frage_id='".addslashes($this->frage_id)."' AND sprache='".addslashes($this->sprache)."';"; + ' text='.$this->db_add_param($this->text).','. + ' bild='.$this->db_add_param($this->bild).','. + ' audio='.$this->db_add_param($this->audio).','. + ' updateamum='.$this->db_add_param($this->updateamum).','. + ' updatevon='.$this->db_add_param($this->updatevon). + " WHERE frage_id=".$this->db_add_param($this->frage_id, FHC_INTEGER, false)." AND sprache=".$this->db_add_param($this->sprache).";"; } if($this->db_query($qry)) 
@@ -236,7 +236,7 @@ class frage extends basis_db } else { - $this->errormsg = 'Fehler beim Speichern der Frage:'.$qry; + $this->errormsg = 'Fehler beim Speichern der Frage'; return false; } } @@ -251,7 +251,7 @@ class frage extends basis_db public function getFragen($gebiet_id, $nummer) { $qry = "SELECT * FROM testtool.tbl_frage - WHERE gebiet_id='".addslashes($gebiet_id)."' AND nummer='".addslashes($nummer)."'"; + WHERE gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER)." AND nummer=".$this->db_add_param($nummer); if($this->db_query($qry)) { @@ -264,7 +264,7 @@ class frage extends basis_db $obj->gebiet_id = $row->gebiet_id; $obj->level = $row->level; $obj->nummer = $row->nummer; - $obj->demo = ($row->demo=='t'?true:false); + $obj->demo = $this->db_parse_bool($row->demo); $this->result[] = $obj; } @@ -287,7 +287,7 @@ class frage extends basis_db public function getFragenGebiet($gebiet_id) { $qry = "SELECT * FROM testtool.tbl_frage - WHERE gebiet_id='".addslashes($gebiet_id)."' ORDER BY nummer"; + WHERE gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER)." ORDER BY nummer"; if($this->db_query($qry)) { @@ -300,7 +300,7 @@ class frage extends basis_db $obj->gebiet_id = $row->gebiet_id; $obj->level = $row->level; $obj->nummer = $row->nummer; - $obj->demo = ($row->demo=='t'?true:false); + $obj->demo = $this->db_parse_bool($row->demo); $this->result[] = $obj; } 
@@ -329,22 +329,22 @@ class frage extends basis_db if($demo) { $qry = "SELECT frage_id FROM testtool.tbl_frage - WHERE tbl_frage.gebiet_id='".addslashes($gebiet_id)."' + WHERE tbl_frage.gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER)." AND demo "; if(!is_null($frage_id)) - $qry.=" AND nummer<(SELECT nummer FROM testtool.tbl_frage WHERE frage_id='".addslashes($frage_id)."')"; + $qry.=" AND nummer<(SELECT nummer FROM testtool.tbl_frage WHERE frage_id=".$this->db_add_param($frage_id, FHC_INTEGER).")"; $qry .= " ORDER BY nummer DESC LIMIT 1"; } else { $qry = "SELECT frage_id FROM testtool.tbl_pruefling_frage JOIN testtool.tbl_frage USING(frage_id) WHERE - tbl_frage.gebiet_id='".addslashes($gebiet_id)."' AND - tbl_pruefling_frage.pruefling_id='".addslashes($pruefling_id)."' AND + tbl_frage.gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER)." AND + tbl_pruefling_frage.pruefling_id=".$this->db_add_param($pruefling_id, FHC_INTEGER)." AND NOT demo "; if(!is_null($frage_id)) - $qry.=" AND tbl_pruefling_frage.nummer>(SELECT nummer FROM testtool.tbl_pruefling_frage WHERE pruefling_id='".addslashes($pruefling_id)."' AND frage_id='".addslashes($frage_id)."' LIMIT 1)"; + $qry.=" AND tbl_pruefling_frage.nummer>(SELECT nummer FROM testtool.tbl_pruefling_frage WHERE pruefling_id=".$this->db_add_param($pruefling_id, FHC_INTEGER)." AND frage_id=".$this->db_add_param($frage_id, FHC_INTEGER)." LIMIT 1)"; elseif(is_null($frage_id) && $levelgebiet) $qry.=" AND tbl_pruefling_frage.endtime is null "; @@ -372,7 +372,7 @@ class frage extends basis_db public function getFrageSprache($frage_id, $sprache) { $qry = "SELECT * FROM testtool.tbl_frage_sprache JOIN testtool.tbl_frage USING(frage_id) - WHERE frage_id='".addslashes($frage_id)."' AND sprache='".addslashes($sprache)."'"; + WHERE frage_id=".$this->db_add_param($frage_id, FHC_INTEGER)." AND sprache=".$this->db_add_param($sprache); if($this->db_query($qry)) { 
@@ -389,7 +389,7 @@ class frage extends basis_db $this->updatevon = $row->updatevon; $this->level = $row->level; - $this->demo = ($row->demo=='t'?true:false); + $this->demo = $this->db_parse_bool($row->demo); $this->nummer = $row->nummer; return true; @@ -440,7 +440,7 @@ class frage extends basis_db { // Anzahl der bereits vorhandenen Fragen holen $qry = "SELECT count(*) as anzahl FROM testtool.tbl_pruefling_frage JOIN testtool.tbl_frage USING(frage_id) - WHERE gebiet_id='".addslashes($gebiet_id)."' AND pruefling_id='".addslashes($pruefling_id)."'"; + WHERE gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER)." AND pruefling_id=".$this->db_add_param($pruefling_id, FHC_INTEGER); if($this->db_query($qry)) { if($row = $this->db_fetch_object()) @@ -459,7 +459,7 @@ class frage extends basis_db $maxfragen = $gebiet->maxfragen; // Wie viele Fragen gibt es in diesem Gebiet - $qry = "SELECT count(*) as anzahl FROM testtool.tbl_frage WHERE NOT demo AND gebiet_id='".addslashes($gebiet_id)."'"; + $qry = "SELECT count(*) as anzahl FROM testtool.tbl_frage WHERE NOT demo AND gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER); if($this->db_query($qry)) { if($row = $this->db_fetch_object()) @@ -480,7 +480,7 @@ class frage extends basis_db if($gebiet->levelgleichverteilung) { $qry = "SELECT level, count(*) as anzahl FROM testtool.tbl_frage - WHERE NOT demo AND gebiet_id='".addslashes($gebiet_id)."' + WHERE NOT demo AND gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER)." GROUP BY level ORDER BY level"; @@ -529,8 +529,8 @@ class frage extends basis_db FROM testtool.tbl_pruefling_frage JOIN testtool.tbl_frage USING(frage_id) WHERE - tbl_frage.gebiet_id='".addslashes($gebiet_id)."' AND - tbl_pruefling_frage.pruefling_id='".addslashes($pruefling_id)."' + tbl_frage.gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER)." AND + tbl_pruefling_frage.pruefling_id=".$this->db_add_param($pruefling_id, FHC_INTEGER)." ORDER BY nummer DESC LIMIT 1;"; if($this->db_query($qry)) { 
@@ -541,7 +541,7 @@ class frage extends basis_db } else { - $this->errormsg = 'Fehler beim Generieren des Fragenpools'.$qry; + $this->errormsg = 'Fehler beim Generieren des Fragenpools'; $this->db_query('ROLLBACK'); return false; } @@ -577,7 +577,7 @@ class frage extends basis_db return false; } - $qry = "SELECT * FROM testtool.tbl_pruefling_frage WHERE prueflingfrage_id='".addslashes($prueflingfrage_id)."'"; + $qry = "SELECT * FROM testtool.tbl_pruefling_frage WHERE prueflingfrage_id=".$this->db_add_param($prueflingfrage_id, FHC_INTEGER); if($this->db_query($qry)) { if($row = $this->db_fetch_object()) @@ -625,7 +625,7 @@ class frage extends basis_db return false; } - $qry = "SELECT * FROM testtool.tbl_pruefling_frage WHERE pruefling_id='".addslashes($pruefling_id)."' AND frage_id='".addslashes($frage_id)."'"; + $qry = "SELECT * FROM testtool.tbl_pruefling_frage WHERE pruefling_id=".$this->db_add_param($pruefling_id, FHC_INTEGER)." AND frage_id=".$this->db_add_param($frage_id, FHC_INTEGER); if($this->db_query($qry)) { 
@@ -694,21 +694,21 @@ class frage extends basis_db if($new) { $qry = 'INSERT INTO testtool.tbl_pruefling_frage(pruefling_id, frage_id, nummer, begintime, endtime) VALUES('. - $this->addslashes($this->pruefling_id).','. - $this->addslashes($this->frage_id).','. - $this->addslashes($this->nummer).','. - $this->addslashes($this->begintime).','. - $this->addslashes($this->endtime).');'; + $this->db_add_param($this->pruefling_id, FHC_INTEGER).','. + $this->db_add_param($this->frage_id, FHC_INTEGER).','. + $this->db_add_param($this->nummer).','. + $this->db_add_param($this->begintime).','. + $this->db_add_param($this->endtime).');'; } else { $qry = 'UPDATE testtool.tbl_pruefling_frage SET'. - ' pruefling_id='.$this->addslashes($this->pruefling_id).','. - ' frage_id='.$this->addslashes($this->frage_id).','. - ' nummer='.$this->addslashes($this->nummer).','. - ' begintime='.$this->addslashes($this->begintime).','. - ' endtime='.$this->addslashes($this->endtime). - " WHERE prueflingfrage_id='".addslashes($this->prueflingfrage_id)."'"; + ' pruefling_id='.$this->db_add_param($this->pruefling_id, FHC_INTEGER).','. + ' frage_id='.$this->db_add_param($this->frage_id, FHC_INTEGER).','. + ' nummer='.$this->db_add_param($this->nummer).','. + ' begintime='.$this->db_add_param($this->begintime).','. + ' endtime='.$this->db_add_param($this->endtime). + " WHERE prueflingfrage_id=".$this->db_add_param($this->prueflingfrage_id, FHC_INTEGER, false); } if($this->db_query($qry)) @@ -737,9 +737,9 @@ class frage extends basis_db //Frage suchen die dem pruefling noch nicht zugeordnet ist $qry = "SELECT frage_id FROM testtool.tbl_frage - WHERE gebiet_id='".addslashes($gebiet_id)."' AND + WHERE gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER)." AND frage_id NOT IN (SELECT frage_id FROM testtool.tbl_pruefling_frage - WHERE pruefling_id='".addslashes($pruefling_id)."' + WHERE pruefling_id=".$this->db_add_param($pruefling_id, FHC_INTEGER, false)." ) AND NOT demo"; 
@@ -747,13 +747,13 @@ class frage extends basis_db if($gebiet->level_start!='') { $level2 = $pruefling->getPrueflingLevel($pruefling_id, $gebiet_id); - $qry.=" AND level='".addslashes($level2)."'"; + $qry.=" AND level=".$this->db_add_param($level2); } // Bei Levelgleichverteilung wird der Level mituebergeben if(!is_null($level)) { - $qry.=" AND level='".addslashes($level)."'"; + $qry.=" AND level=".$this->db_add_param($level); } //Sortierung diff --git a/include/gebiet.class.php b/include/gebiet.class.php index ebc77caaf..e9147ae11 100644 --- a/include/gebiet.class.php +++ b/include/gebiet.class.php @@ -72,7 +72,7 @@ class gebiet extends basis_db */ public function load($gebiet_id) { - $qry = "SELECT * FROM testtool.tbl_gebiet WHERE gebiet_id='".addslashes($gebiet_id)."'"; + $qry = "SELECT * FROM testtool.tbl_gebiet WHERE gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER); if($this->db_query($qry)) { 
@@ -83,15 +83,15 @@ class gebiet extends basis_db $this->bezeichnung = $row->bezeichnung; $this->beschreibung = $row->beschreibung; $this->zeit = $row->zeit; - $this->multipleresponse = ($row->multipleresponse=='t'?true:false); - $this->kategorien = ($row->kategorien=='t'?true:false); + $this->multipleresponse = $this->db_parse_bool($row->multipleresponse); + $this->kategorien = $this->db_parse_bool($row->kategorien); $this->maxfragen = $row->maxfragen; - $this->zufallfrage = ($row->zufallfrage=='t'?true:false); - $this->zufallvorschlag = ($row->zufallvorschlag=='t'?true:false); + $this->zufallfrage = $this->db_parse_bool($row->zufallfrage); + $this->zufallvorschlag = $this->db_parse_bool($row->zufallvorschlag); $this->level_start = $row->level_start; $this->level_sprung_auf = $row->level_sprung_auf; $this->level_sprung_ab = $row->level_sprung_ab; - $this->levelgleichverteilung = ($row->levelgleichverteilung=='t'?true:($row->levelgleichverteilung=='f'?false:null)); + $this->levelgleichverteilung = $this->db_parse_bool($row->levelgleichverteilung); $this->maxpunkte = $row->maxpunkte; $this->insertamum = $row->insertamum; $this->insertvon = $row->insertvon; 
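Review bot: The removed line for `levelgleichverteilung` deliberately kept a third state, `null` when the column was neither 't' nor 'f', and the INSERT/UPDATE code in gebiet::save writes that state back as SQL `null`; the new `db_parse_bool` call preserves this only if db_parse_bool returns null for a NULL column rather than collapsing it to false. That behaviour lives in basis_db, outside the diff, and is worth confirming before merging since a NULL-to-false collapse would silently rewrite unset rows on the next save. Either way the tristate deserves a comment on the assignment, e.g. `// levelgleichverteilung is tri-state: true/false, or null when the DB column is NULL (not configured)`. The load method starts before this hunk.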
@@ -194,46 +194,46 @@ class gebiet extends basis_db $qry = 'BEGIN;INSERT INTO testtool.tbl_gebiet (kurzbz, bezeichnung, beschreibung, zeit, multipleresponse, kategorien, maxfragen, zufallfrage, zufallvorschlag, level_start, level_sprung_auf, level_sprung_ab, levelgleichverteilung, maxpunkte, antwortenprozeile, insertamum, insertvon , updateamum, updatevon) VALUES('. - $this->addslashes($this->kurzbz).",". - $this->addslashes($this->bezeichnung).",'". - $this->addslashes($this->beschreibung).",'". - $this->addslashes($this->zeit).",". - ($this->multipleresponse?'true':'false').",". - $this->addslashes($this->kategorien).",". - $this->addslashes($this->maxfragen).",". - ($this->zufallfrage?'true':'false').",'". - ($this->zufallvorschlag?'true':'false').",'". - $this->addslashes($this->level_start).",". - $this->addslashes($this->level_sprung_auf).",". - $this->addslashes($this->level_sprung_ab).",". - ($this->levelgleichverteilung?'true':($this->levelgleichverteilung==false?'false':'null')).",". - $this->addslashes($this->maxpunkte).",". - $this->addslashes($this->antwortenprozeile).",". - $this->addslashes($this->insertamum).",". - $this->addslashes($this->insertvon). - ",null, null);"; + $this->db_add_param($this->kurzbz).','. + $this->db_add_param($this->bezeichnung).','. + $this->db_add_param($this->beschreibung).','. + $this->db_add_param($this->zeit).','. + $this->db_add_param($this->multipleresponse, FHC_BOOLEAN).','. + $this->db_add_param($this->kategorien, FHC_BOOLEAN).','. + $this->db_add_param($this->maxfragen).','. + $this->db_add_param($this->zufallfrage, FHC_BOOLEAN).','. + $this->db_add_param($this->zufallvorschlag, FHC_BOOLEAN).','. + $this->db_add_param($this->level_start).','. + $this->db_add_param($this->level_sprung_auf).','. + $this->db_add_param($this->level_sprung_ab).','. + $this->db_add_param($this->levelgleichverteilung, FHC_BOOLEAN).','. + $this->db_add_param($this->maxpunkte).','. + $this->db_add_param($this->antwortenprozeile).','. 
+ $this->db_add_param($this->insertamum).','. + $this->db_add_param($this->insertvon). + ',null, null);'; } else { $qry = 'UPDATE testtool.tbl_gebiet SET'. - ' kurzbz='.$this->addslashes($this->kurzbz).','. - ' bezeichnung='.$this->addslashes($this->bezeichnung).','. - ' beschreibung='.$this->addslashes($this->beschreibung).','. - ' zeit='.$this->addslashes($this->zeit).','. - ' multipleresponse='.($this->multipleresponse?'true':'false').','. - ' kategorien='.($this->kategorien?'true':'false').','. - ' maxfragen='.$this->addslashes($this->maxfragen).','. - ' zufallfrage='.($this->zufallfrage?'true':'false').','. - ' zufallvorschlag='.($this->zufallvorschlag?'true':'false').','. - ' level_start='.$this->addslashes($this->level_start).','. - ' level_sprung_auf='.$this->addslashes($this->level_sprung_auf).','. - ' level_sprung_ab='.$this->addslashes($this->level_sprung_ab).','. - ' levelgleichverteilung='.($this->levelgleichverteilung?'true':($this->levelgleichverteilung==false?'false':'null')).','. - ' maxpunkte='.$this->addslashes($this->maxpunkte).','. - ' antwortenprozeile='.$this->addslashes($this->antwortenprozeile).','. - ' updateamum='.$this->addslashes($this->updateamum).','. - ' updatevon='.$this->addslashes($this->updatevon). - " WHERE gebiet_id='".addslashes($this->gebiet_id)."';"; + ' kurzbz='.$this->db_add_param($this->kurzbz).','. + ' bezeichnung='.$this->db_add_param($this->bezeichnung).','. + ' beschreibung='.$this->db_add_param($this->beschreibung).','. + ' zeit='.$this->db_add_param($this->zeit).','. + ' multipleresponse='.$this->db_add_param($this->multipleresponse, FHC_BOOLEAN).','. + ' kategorien='.$this->db_add_param($this->kategorien, FHC_BOOLEAN).','. + ' maxfragen='.$this->db_add_param($this->maxfragen).','. + ' zufallfrage='.$this->db_add_param($this->zufallfrage, FHC_BOOLEAN).','. + ' zufallvorschlag='.$this->db_add_param($this->zufallvorschlag, FHC_BOOLEAN).','. + ' level_start='.$this->db_add_param($this->level_start).','. 
+ ' level_sprung_auf='.$this->db_add_param($this->level_sprung_auf).','. + ' level_sprung_ab='.$this->db_add_param($this->level_sprung_ab).','. + ' levelgleichverteilung='.$this->db_add_param($this->levelgleichverteilung, FHC_BOOLEAN).','. + ' maxpunkte='.$this->db_add_param($this->maxpunkte).','. + ' antwortenprozeile='.$this->db_add_param($this->antwortenprozeile).','. + ' updateamum='.$this->db_add_param($this->updateamum).','. + ' updatevon='.$this->db_add_param($this->updatevon). + " WHERE gebiet_id=".$this->db_add_param($this->gebiet_id, FHC_INTEGER, false).";"; } if($this->db_query($qry)) @@ -300,7 +300,7 @@ class gebiet extends basis_db //Von jedem level muessen mindestens maxfragen vorhanden sein wenn levels aktiv ist if($this->level_start!='') { - $qry = "SELECT count(*) as anzahl, level FROM testtool.tbl_frage WHERE gebiet_id='".addslashes($gebiet_id)."' GROUP BY level"; + $qry = "SELECT count(*) as anzahl, level FROM testtool.tbl_frage WHERE gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER, false)." GROUP BY level"; if($this->db_query($qry)) { while($row = $this->db_fetch_object()) @@ -316,7 +316,7 @@ class gebiet extends basis_db //Pruefen ob jede Fragen mindestens 2 Vorschlaege hat $qry = "SELECT frage_id, nummer FROM testtool.tbl_frage WHERE (SELECT count(*) as anzahl FROM testtool.tbl_vorschlag WHERE frage_id=tbl_frage.frage_id)<2 - AND gebiet_id='".addslashes($gebiet_id)."' AND NOT demo;"; + AND gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER)." AND NOT demo;"; if($this->db_query($qry)) { while($row = $this->db_fetch_object()) 
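Review bot: In both branches of gebiet::save the numeric settings `zeit`, `maxfragen`, `maxpunkte` and `antwortenprozeile` are bound with db_add_param's default type while `gebiet_id` on the WHERE line gets FHC_INTEGER; these values are later compared and interpolated as numbers (`$this->maxfragen>0`, `LIMIT $this->maxfragen`), so if FHC_INTEGER validates or casts as its name suggests, binding them as `$this->db_add_param($this->maxfragen, FHC_INTEGER)` rejects non-numeric input at the boundary instead of deferring to the database. The INSERT branch also still starts with `'BEGIN;INSERT ...'` in a single string, which the extended query protocol refuses if db_query uses pg_query_params for parameterised statements; issue `$this->db_query('BEGIN');` separately. The removed lines show stray `,'` quote fragments in the old INSERT that the new code drops, which is an improvement worth a line in the commit message. The save method and its COMMIT handling extend beyond this hunk.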
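Review bot: This SELECT passes `false` as db_add_param's third argument for `gebiet_id`, while the structurally identical predicate in the following hunk (`AND gebiet_id=... AND NOT demo`) and the other read-only queries in gebiet.class.php omit it. The flag is defined in basis_db, outside this diff, so its effect cannot be checked here; whatever it does, identical WHERE predicates should be built the same way, so either drop the `false` on this line or add it to the siblings. A one-line comment in basis_db stating what the third argument means, e.g. `// $null: when true an empty value is emitted as SQL NULL instead of being bound`, if that is indeed its role, would stop further drift. The surrounding validation method starts before this hunk.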
@@ -328,7 +328,7 @@ class gebiet extends basis_db //Wenn Levels verwendet werden, muessen mindestens 2 Verschiedene Level vorhanden sein if($this->level_start!='') { - $qry = "SELECT level FROM testtool.tbl_frage WHERE gebiet_id='".addslashes($gebiet_id)."' AND level is not null GROUP by level"; + $qry = "SELECT level FROM testtool.tbl_frage WHERE gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER)." AND level is not null GROUP by level"; if($this->db_query($qry)) { if($this->db_num_rows()<2) @@ -343,7 +343,7 @@ class gebiet extends basis_db { if($this->maxfragen!='' && $this->maxfragen!=0) { - $qry = "SELECT count(*) as anzahl FROM testtool.tbl_frage WHERE gebiet_id='".addslashes($gebiet_id)."' AND not demo AND level is not null GROUP BY level"; + $qry = "SELECT count(*) as anzahl FROM testtool.tbl_frage WHERE gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER)." AND not demo AND level is not null GROUP BY level"; if($this->db_query($qry)) { if($row = $this->db_fetch_object()) @@ -366,7 +366,7 @@ class gebiet extends basis_db SELECT level, punkte, count(*) as anzahl FROM ( SELECT level, sum(punkte) as punkte FROM testtool.tbl_frage JOIN testtool.tbl_vorschlag USING(frage_id) - WHERE punkte>0 AND not demo AND gebiet_id='".addslashes($gebiet_id)."' + WHERE punkte>0 AND not demo AND gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER)." GROUP BY frage_id, level) as a GROUP BY level, punkte ) as b GROUP BY level) as c 
@@ -418,12 +418,12 @@ class gebiet extends basis_db $obj->bezeichnung = $row->bezeichnung; $obj->beschreibung = $row->beschreibung; $obj->zeit = $row->zeit; - $obj->multipleresponse = ($row->multipleresponse=='t'?true:false); - $obj->kategorien = ($row->kategorien=='t'?true:false); + $obj->multipleresponse = $this->db_parse_bool($row->multipleresponse); + $obj->kategorien = $this->db_parse_bool($row->kategorien); $obj->maxfragen = $row->maxfragen; - $obj->zufallfrage = ($row->zufallfrage=='t'?true:false); - $obj->zufallvorschlag = ($row->zufallvorschlag=='t'?true:false); - $obj->levelgleichverteilung = ($row->levelgleichverteilung=='t'?true:false); + $obj->zufallfrage = $this->db_parse_bool($row->zufallfrage); + $obj->zufallvorschlag = $this->db_parse_bool($row->zufallvorschlag); + $obj->levelgleichverteilung = $this->db_parse_bool($row->levelgleichverteilung); $obj->maxpunkte = $row->maxpunkte; $obj->level_start = $row->level_start; $obj->level_sprung_ab = $row->level_sprung_ab; @@ -460,7 +460,7 @@ class gebiet extends basis_db { $qry = "SELECT sum(punkte) as max FROM testtool.tbl_vorschlag JOIN testtool.tbl_frage USING(frage_id) - WHERE gebiet_id='".addslashes($gebiet_id)."' AND punkte>0 AND NOT demo"; + WHERE gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER)." AND punkte>0 AND NOT demo"; if($this->maxfragen!='' && $this->maxfragen>0) $qry.=" LIMIT $this->maxfragen"; } @@ -475,12 +475,12 @@ class gebiet extends basis_db SELECT level, punkte, count(*) as anz, (SELECT count(*) FROM testtool.tbl_frage - WHERE gebiet_id='".addslashes($gebiet_id)."') as fragengesamt + WHERE gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER).") as fragengesamt FROM testtool.tbl_frage JOIN testtool.tbl_vorschlag USING(frage_id) WHERE - gebiet_id='".addslashes($gebiet_id)."' + gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER)." AND NOT demo GROUP BY level, punkte ) a 
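Review bot: `LIMIT $this->maxfragen` on the context line right after the newly parameterised `gebiet_id` is still plain string interpolation, and the guard `$this->maxfragen!='' && $this->maxfragen>0` does not make it numeric: PHP's loose comparison lets a string with a leading digit and trailing garbage compare greater than 0. Bind it like the rest of the query, `$qry.=" LIMIT ".$this->db_add_param($this->maxfragen, FHC_INTEGER);`, or at minimum `$qry.=" LIMIT ".(int)$this->maxfragen;`. Separately, a LIMIT on a single-row `sum(punkte)` aggregate has no effect, which looks like inherited logic rather than something this commit introduces. The enclosing method starts before this hunk.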
@@ -497,12 +497,12 @@ class gebiet extends basis_db SELECT level, punkte, count(*) as anz, (SELECT count(*) FROM testtool.tbl_frage - WHERE gebiet_id='".addslashes($gebiet_id)."') as fragengesamt + WHERE gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER).") as fragengesamt FROM testtool.tbl_frage JOIN testtool.tbl_vorschlag USING(frage_id) WHERE - gebiet_id='".addslashes($gebiet_id)."' + gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER)." AND NOT demo GROUP BY level, punkte ) a @@ -519,7 +519,7 @@ class gebiet extends basis_db ( SELECT level, frage_id, sum(punkte) as punkte FROM testtool.tbl_frage JOIN testtool.tbl_vorschlag USING(frage_id) - WHERE gebiet_id='".addslashes($gebiet_id)."' AND punkte>0 AND level>='$this->level_start' AND NOT demo + WHERE gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER)." AND punkte>0 AND level>=".$this->db_add_param($this->level_start)." AND NOT demo GROUP BY level, frage_id ) as a GROUP by level, punkte ORDER BY level"; diff --git a/include/pruefling.class.php b/include/pruefling.class.php index 0f239d073..5b3b55f21 100644 --- a/include/pruefling.class.php +++ b/include/pruefling.class.php @@ -54,7 +54,7 @@ class pruefling extends basis_db */ public function load($pruefling_id) { - $qry = "SELECT * FROM testtool.tbl_pruefling WHERE pruefling_id='".addslashes($pruefling_id)."'"; + $qry = "SELECT * FROM testtool.tbl_pruefling WHERE pruefling_id=".$this->db_add_param($pruefling_id, FHC_INTEGER); if($this->db_query($qry)) { @@ -76,7 +76,7 @@ class pruefling extends basis_db } else { - $this->errormsg = "Fehler beim Laden: $qry"; + $this->errormsg = "Fehler beim Laden"; return false; } } 
@@ -106,21 +106,21 @@ class pruefling extends basis_db if($this->new) //Wenn new true ist dann ein INSERT absetzen ansonsten ein UPDATE { $qry = 'BEGIN;INSERT INTO testtool.tbl_pruefling (studiengang_kz, idnachweis, registriert, prestudent_id, semester) VALUES('. - $this->addslashes($this->studiengang_kz).",". - $this->addslashes($this->idnachweis).",". - $this->addslashes($this->registriert).",". - $this->addslashes($this->prestudent_id).",". - $this->addslashes($this->semester).");"; + $this->db_add_param($this->studiengang_kz).",". + $this->db_add_param($this->idnachweis).",". + $this->db_add_param($this->registriert).",". + $this->db_add_param($this->prestudent_id).",". + $this->db_add_param($this->semester).");"; } else { $qry = 'UPDATE testtool.tbl_pruefling SET'. - ' studiengang_kz='.$this->addslashes($this->studiengang_kz).','. - ' idnachweis='.$this->addslashes($this->idnachweis).','. - ' registriert='.$this->addslashes($this->registriert).','. - ' semester='.$this->addslashes($this->semester).','. - ' prestudent_id='.$this->addslashes($this->prestudent_id). - " WHERE pruefling_id='".addslashes($this->pruefling_id)."';"; + ' studiengang_kz='.$this->db_add_param($this->studiengang_kz, FHC_INTEGER).','. + ' idnachweis='.$this->db_add_param($this->idnachweis).','. + ' registriert='.$this->db_add_param($this->registriert).','. + ' semester='.$this->db_add_param($this->semester).','. + ' prestudent_id='.$this->db_add_param($this->prestudent_id, FHC_INTEGER). + " WHERE pruefling_id=".$this->db_add_param($this->pruefling_id, FHC_INTEGER, false).";"; } if($this->db_query($qry)) @@ -158,7 +158,7 @@ class pruefling extends basis_db else { $this->db_query('ROLLBACK'); - $this->errormsg = 'Fehler beim Speichern der Frage:'.$qry; + $this->errormsg = 'Fehler beim Speichern der Frage'; return false; } } 
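Review bot: The INSERT branch of pruefling::save binds `studiengang_kz` and `prestudent_id` with db_add_param's default type, while the UPDATE branch a few lines below binds the same two fields as FHC_INTEGER; both paths should validate identically, so use `$this->db_add_param($this->studiengang_kz, FHC_INTEGER)` and `$this->db_add_param($this->prestudent_id, FHC_INTEGER)` in the INSERT as well. The INSERT is also still `'BEGIN;INSERT ...'` in one string, which PostgreSQL rejects over the extended protocol if db_query uses pg_query_params for parameterised statements; start the transaction with a separate `$this->db_query('BEGIN');`. That routing is decided in basis_db, outside the diff. The save method and its COMMIT/ROLLBACK branches extend past this hunk.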
@@ -171,7 +171,7 @@ class pruefling extends basis_db */ public function getPruefling($prestudent_id) { - $qry = "SELECT * FROM testtool.tbl_pruefling WHERE prestudent_id='".addslashes($prestudent_id)."'"; + $qry = "SELECT * FROM testtool.tbl_pruefling WHERE prestudent_id=".$this->db_add_param($prestudent_id, FHC_INTEGER); if($this->db_query($qry)) { @@ -187,13 +187,13 @@ class pruefling extends basis_db } else { - $this->errormsg = "Kein Eintrag gefunden fuer $prestudent_id"; + $this->errormsg = "Kein Eintrag gefunden"; return false; } } else { - $this->errormsg = "Fehler beim Laden: $qry"; + $this->errormsg = "Fehler beim Laden"; return false; } } @@ -217,7 +217,7 @@ class pruefling extends basis_db $min_level = 0; $qry = "SELECT max(level) as max, min(level) as min FROM testtool.tbl_frage - WHERE gebiet_id='".addslashes($gebiet_id)."'"; + WHERE gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER); if($this->db_query($qry)) { @@ -247,8 +247,8 @@ class pruefling extends basis_db JOIN testtool.tbl_antwort USING(vorschlag_id) JOIN testtool.tbl_frage USING(frage_id) WHERE - tbl_frage.gebiet_id='".addslashes($gebiet_id)."' AND - tbl_pruefling_frage.pruefling_id='".addslashes($pruefling_id)."' AND + tbl_frage.gebiet_id=".$this->db_add_param($gebiet_id, FHC_INTEGER)." AND + tbl_pruefling_frage.pruefling_id=".$this->db_add_param($pruefling_id, FHC_INTEGER)." AND tbl_antwort.pruefling_id = tbl_pruefling_frage.pruefling_id ORDER BY tbl_pruefling_frage.nummer ASC"; @@ -315,7 +315,7 @@ class pruefling extends basis_db public function getReihungstestErgebnis($prestudent_id) { $qry = "SELECT * FROM testtool.vw_auswertung - WHERE prestudent_id='".addslashes($prestudent_id)."'"; + WHERE prestudent_id=".$this->db_add_param($prestudent_id, FHC_INTEGER); $ergebnis=0;