diff --git a/cis/private/pers_in_grp.php b/cis/private/pers_in_grp.php index e0c98097f..b44b8db0d 100644 --- a/cis/private/pers_in_grp.php +++ b/cis/private/pers_in_grp.php @@ -46,55 +46,55 @@ $gruppe_kurzbz = $_GET['grp']; $gruppe = new gruppe($gruppe_kurzbz); -echo ' - +echo ' - + - - - - - - + + + + + ' . $p->t('mailverteiler/personenImVerteiler') . ' '; -$qry = "SELECT - uid, vorname, nachname - FROM - campus.vw_benutzer - JOIN - tbl_benutzergruppe USING (uid) - WHERE - gruppe_kurzbz='" . addslashes($gruppe_kurzbz) . "'"; +$qry = "SELECT + uid, vorname, nachname + FROM + campus.vw_benutzer + JOIN + tbl_benutzergruppe USING (uid) + WHERE + gruppe_kurzbz=".$db->db_add_param($gruppe_kurzbz); + // Fuer den Studiengang EWU wird zusaetzlich das aktuelle Studiensemester ermittelt if ($gruppe->studiengang_kz == 10005 && mb_stripos($gruppe_kurzbz,'EWU') === 0) { $qry .= " AND (studiensemester_kurzbz IS NULL - OR studiensemester_kurzbz IN ('" . addslashes($stsem) . "','" . addslashes($ss_nearest_to_akt) . "'))"; + OR studiensemester_kurzbz IN (".$db->db_add_param($stsem).",".$db->db_add_param($ss_nearest_to_akt)."))"; } else { $qry .= " AND (studiensemester_kurzbz IS NULL - OR studiensemester_kurzbz='" . addslashes($stsem) . "')"; + OR studiensemester_kurzbz=".$db->db_add_param($stsem).")"; } - $qry .= " ORDER BY + $qry .= " ORDER BY nachname, vorname"; if ($result = $db->db_query($qry)) { @@ -109,7 +109,6 @@ echo ''; -// $sql_query = "SELECT vornamen AS vn,nachname AS nn,a.uid as uid FROM public.tbl_personmailgrp AS a, public.tbl_person AS b WHERE a.uid=b.uid AND a.mailgrp_kurzbz='$grp' ORDER BY nachname"; if ($result = $db->db_query($qry)) { while ($row = $db->db_fetch_object($result)) @@ -125,4 +124,4 @@ echo '
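Review bot: The parameterised `$qry` is handed to `$db->db_query()` twice — once at the end of this hunk and again in the next hunk (`@@ -109`) to iterate the rows — and nothing visible says whether the parameters collected by `db_add_param()` survive the first execution or are consumed by it; with the old `addslashes()` string the second run was self-contained, now it depends on that helper's contract. If `db_query()` clears the parameter list, the second execution fails or runs with missing values, so either confirm that behaviour or execute once and reuse the handle, e.g. replace the second call with `if ($result)` since `$result` from the first call is still in scope. The same double execution exists in cis/private/stud_in_grp.php (hunk `@@ -56,45 +58,60`). Separately, `$gruppe->studiengang_kz == 10005` is a loose comparison; `=== 10005` (or a named constant) would make the intended type explicit. `$stsem` and `$ss_nearest_to_akt` are assigned outside this hunk.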
' . $p->t('global/mail') . '
'; -?> \ No newline at end of file +?> diff --git a/cis/private/stud_in_grp.php b/cis/private/stud_in_grp.php index 02344264d..8854ebc11 100644 --- a/cis/private/stud_in_grp.php +++ b/cis/private/stud_in_grp.php @@ -17,7 +17,6 @@ * * Authors: Andreas Oesterreicher */ - require_once('../../config/cis.config.inc.php'); require_once('../../include/basis_db.class.php'); require_once('../../include/phrasen.class.php'); @@ -26,27 +25,30 @@ require_once('../../include/functions.inc.php'); $sprache = getSprache(); $p = new phrasen($sprache); -echo ' +if(!$uid = get_uid()) + die($p->t('global/fehlerBeimErmittelnDerUID')); + +echo ' - + - - - - - - + + + + + 
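Review bot: The new login gate `if(!$uid = get_uid())` relies on the assignment binding before the negation, which PHP does (`!($uid = get_uid())`), but the form reads like a mistyped comparison and `$uid` is not referenced anywhere in the visible hunks; writing it as `$uid = get_uid();` followed by `if (!$uid) die($p->t('global/fehlerBeimErmittelnDerUID'));` makes the intent obvious. This check only establishes that a session user exists; it does not decide whether that user may list the students of the requested `kz`, so if a permission check exists elsewhere in the project (`benutzerberechtigung` is used in cms/menu/menu_addon_urlaub.inc.php in this same commit) it may belong here as well. The rest of the file's setup continues outside this hunk.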
@@ -56,45 +58,60 @@ echo 't('global/fehlerBeimOeffnenDerDatenbankverbindung')); -if(!isset($_GET['kz'])) - die($p->t('global/fehlerBeiDerParameteruebergabe')); +if (!isset($_GET['kz'])) + die($p->t('global/fehlerBeiDerParameteruebergabe')); - if(isset($_GET['all'])) +if (isset($_GET['all'])) { - $qry = "SELECT vorname, nachname, uid FROM campus.vw_student WHERE aktiv=true AND studiengang_kz='".addslashes($_GET['kz'])."' AND semester<10 AND semester>0 ORDER BY nachname, vorname"; + $qry = "SELECT + vorname, nachname, uid + FROM + campus.vw_student + WHERE + aktiv=true + AND studiengang_kz=".$db->db_add_param($_GET['kz'])." + AND semester<10 + AND semester>0 + ORDER BY nachname, vorname"; } else { - $qry = "SELECT vorname, nachname, uid FROM campus.vw_student WHERE aktiv=true AND studiengang_kz='".addslashes($_GET['kz'])."'"; + $qry = "SELECT + vorname, nachname, uid + FROM + campus.vw_student + WHERE + aktiv=true + AND studiengang_kz=".$db->db_add_param($_GET['kz']); - if(isset($_GET['sem'])) - $qry.=" AND semester='".addslashes($_GET['sem'])."'"; + if (isset($_GET['sem'])) + $qry.=" AND semester=".$db->db_add_param($_GET['sem']); - if(isset($_GET['verband'])) - $qry.=" AND verband='".addslashes($_GET['verband'])."'"; + if (isset($_GET['verband'])) + $qry.=" AND verband=".$db->db_add_param($_GET['verband']); - if(isset($_GET['grp'])) - $qry.=" AND gruppe='".addslashes($_GET['grp'])."'"; + if (isset($_GET['grp'])) + $qry.=" AND gruppe=".$db->db_add_param($_GET['grp']); $qry.= ' ORDER BY nachname, vorname'; } -if($result=$db->db_query($qry)) +if ($result = $db->db_query($qry)) { echo '

'.$row=$db->db_num_rows($result).' '.$p->t('mailverteiler/personen'); } echo ' - - - - - - '; + + + + + + '; -if($result=$db->db_query($qry)) +if ($result = $db->db_query($qry)) { - while($row=$db->db_fetch_object($result)) + while ($row = $db->db_fetch_object($result)) { echo ""; echo " "; @@ -109,4 +126,4 @@ else echo '
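Review bot: Both branches of `if (isset($_GET['all']))` now spell out the same multi-line `SELECT … FROM campus.vw_student WHERE aktiv=true AND studiengang_kz=…` prefix and differ only in the filters appended, so a future change to the column list or the base filter has to be made twice. Building the prefix once and appending either the semester range or the optional `sem`/`verband`/`grp` filters produces byte-identical SQL and adds the bound parameters in the same order as before. The `'.$row=$db->db_num_rows($result).'` count display is unaffected by this restructuring. The enclosing script continues outside this hunk.
```php
$qry = "SELECT
            vorname, nachname, uid
        FROM
            campus.vw_student
        WHERE
            aktiv=true
            AND studiengang_kz=".$db->db_add_param($_GET['kz']);

if (isset($_GET['all']))
{
    $qry .= " AND semester<10 AND semester>0";
}
else
{
    // … unchanged: optional sem / verband / grp filters via db_add_param() …
}

$qry .= ' ORDER BY nachname, vorname';

// … unchanged: db_query() and result output …
```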
'.$p->t('global/nachname').''.$p->t('global/vorname').''.$p->t('global/mail').'
'.$p->t('global/nachname').''.$p->t('global/vorname').''.$p->t('global/mail').'
$row->nachname
'; -?> \ No newline at end of file +?> diff --git a/cms/image.php b/cms/image.php index c67058a88..9fbcfeb67 100644 --- a/cms/image.php +++ b/cms/image.php @@ -26,9 +26,9 @@ if (!$db = new basis_db()) if(isset($_GET['src']) && $_GET['src']=='flag' && isset($_GET['sprache'])) { - $qry = "SELECT flagge as bild FROM public.tbl_sprache WHERE sprache='".addslashes($_GET['sprache'])."'"; + $qry = "SELECT flagge as bild FROM public.tbl_sprache WHERE sprache=".$db->db_add_param($_GET['sprache']); } -else +else die('Unkown type'); //Header fuer Bild schicken @@ -38,5 +38,3 @@ $row = $db->db_fetch_object($result); //base64 zurueckwandeln und ausgeben echo base64_decode($row->bild); ?> - - diff --git a/cms/menu/menu_addon_urlaub.inc.php b/cms/menu/menu_addon_urlaub.inc.php index 3321e3f47..48b217a1c 100644 --- a/cms/menu/menu_addon_urlaub.inc.php +++ b/cms/menu/menu_addon_urlaub.inc.php @@ -49,7 +49,7 @@ class menu_addon_urlaub extends menu_addon if($untergebene!='') $untergebene.=','; - $untergebene.="'".addslashes($u_uid)."'"; + $untergebene.="'".$this->db_escape($u_uid)."'"; } $rechte = new benutzerberechtigung(); @@ -62,7 +62,7 @@ class menu_addon_urlaub extends menu_addon { if($untergebene!='') $untergebene.=','; - $untergebene.="'".addslashes($row->uid)."'"; + $untergebene.="'".$this->db_escape($row->uid)."'"; } }
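Review bot: The `else` line this hunk touches leads straight into `die('Unkown type')`, which misspells "Unknown" and answers a bad `src` with a 200 text response; sending `http_response_code(404);` before `die('Unknown type');` lets callers of this image endpoint tell a wrong parameter from a broken image. The `$_GET['src']=='flag'` condition in the hunk's context is a loose comparison, and `=== 'flag'` is the idiomatic form; `$_GET['sprache']` itself is now bound via `db_add_param()`, so the SQL side of this branch is covered. The `$row = $db->db_fetch_object($result)` in the second hunk's context is not guarded against an empty result, which is outside this change.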
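Review bot: Both hunks of menu_addon_urlaub.inc.php (lines 49 and 62) still build the `$untergebene` IN-list by escaping each uid with `$this->db_escape()` and wrapping it in quotes by hand, so unlike the other files in this commit this query stays interpolated and its safety rests on `db_escape()` matching the connection's charset and quoting rules. Collecting the uids into an array and emitting the list with `implode(',', array_map(function ($u) { return $this->db_add_param($u); }, $uids))` would bind them the same way as the rest of the change, provided `menu_addon` exposes the `db_add_param()` that `$db` offers elsewhere in this commit; if it does not, at least replace the `if($untergebene!='') $untergebene.=',';` juggling with a single `implode(',', $quoted)` after each loop. The class body and the query that consumes `$untergebene` lie outside both hunks.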