mirror of
https://github.com/FH-Complete/FHC-Core.git
synced 2026-06-01 12:19:28 +00:00
Corrected Escaping
This commit is contained in:
Andreas Österreicher
@@ -46,11 +46,10 @@ $gruppe_kurzbz = $_GET['grp'];
|
||||
|
||||
$gruppe = new gruppe($gruppe_kurzbz);
|
||||
|
||||
echo '
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
echo '<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
|
||||
<meta charset="UTF-8">
|
||||
<link href="../../skin/style.css.php" rel="stylesheet" type="text/css">
|
||||
<link rel="stylesheet" href="../../skin/tablesort.css" type="text/css"/>
|
||||
<link rel="stylesheet" type="text/css" href="../../skin/jquery-ui-1.9.2.custom.min.css">
|
||||
@@ -81,17 +80,18 @@ $qry = "SELECT
|
||||
JOIN
|
||||
tbl_benutzergruppe USING (uid)
|
||||
WHERE
|
||||
gruppe_kurzbz='" . addslashes($gruppe_kurzbz) . "'";
|
||||
gruppe_kurzbz=".$db->db_add_param($gruppe_kurzbz);
|
||||
|
||||
// Fuer den Studiengang EWU wird zusaetzlich das aktuelle Studiensemester ermittelt
|
||||
if ($gruppe->studiengang_kz == 10005 && mb_stripos($gruppe_kurzbz,'EWU') === 0)
|
||||
{
|
||||
$qry .= " AND (studiensemester_kurzbz IS NULL
|
||||
OR studiensemester_kurzbz IN ('" . addslashes($stsem) . "','" . addslashes($ss_nearest_to_akt) . "'))";
|
||||
OR studiensemester_kurzbz IN (".$db->db_add_param($stsem).",".$db->db_add_param($ss_nearest_to_akt)."))";
|
||||
}
|
||||
else
|
||||
{
|
||||
$qry .= " AND (studiensemester_kurzbz IS NULL
|
||||
OR studiensemester_kurzbz='" . addslashes($stsem) . "')";
|
||||
OR studiensemester_kurzbz=".$db->db_add_param($stsem).")";
|
||||
}
|
||||
|
||||
$qry .= " ORDER BY
|
||||
@@ -109,7 +109,6 @@ echo '<table class="tablesorter" id="table">
|
||||
<th>' . $p->t('global/mail') . '</th>
|
||||
</tr></thead><tbody>';
|
||||
|
||||
// $sql_query = "SELECT vornamen AS vn,nachname AS nn,a.uid as uid FROM public.tbl_personmailgrp AS a, public.tbl_person AS b WHERE a.uid=b.uid AND a.mailgrp_kurzbz='$grp' ORDER BY nachname";
|
||||
if ($result = $db->db_query($qry))
|
||||
{
|
||||
while ($row = $db->db_fetch_object($result))
|
||||
|
||||
@@ -17,7 +17,6 @@
|
||||
*
|
||||
* Authors: Andreas Oesterreicher <andreas.oesterreicher@technikum-wien.at>
|
||||
*/
|
||||
|
||||
require_once('../../config/cis.config.inc.php');
|
||||
require_once('../../include/basis_db.class.php');
|
||||
require_once('../../include/phrasen.class.php');
|
||||
@@ -26,10 +25,13 @@ require_once('../../include/functions.inc.php');
|
||||
$sprache = getSprache();
|
||||
$p = new phrasen($sprache);
|
||||
|
||||
echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
if(!$uid = get_uid())
|
||||
die($p->t('global/fehlerBeimErmittelnDerUID'));
|
||||
|
||||
echo '<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
|
||||
<meta charset="UTF-8">
|
||||
<link href="../../skin/style.css.php" rel="stylesheet" type="text/css">
|
||||
<link rel="stylesheet" href="../../skin/tablesort.css" type="text/css"/>
|
||||
<link rel="stylesheet" type="text/css" href="../../skin/jquery-ui-1.9.2.custom.min.css">
|
||||
@@ -61,20 +63,35 @@ if(!isset($_GET['kz']))
|
||||
|
||||
if (isset($_GET['all']))
|
||||
{
|
||||
$qry = "SELECT vorname, nachname, uid FROM campus.vw_student WHERE aktiv=true AND studiengang_kz='".addslashes($_GET['kz'])."' AND semester<10 AND semester>0 ORDER BY nachname, vorname";
|
||||
$qry = "SELECT
|
||||
vorname, nachname, uid
|
||||
FROM
|
||||
campus.vw_student
|
||||
WHERE
|
||||
aktiv=true
|
||||
AND studiengang_kz=".$db->db_add_param($_GET['kz'])."
|
||||
AND semester<10
|
||||
AND semester>0
|
||||
ORDER BY nachname, vorname";
|
||||
}
|
||||
else
|
||||
{
|
||||
$qry = "SELECT vorname, nachname, uid FROM campus.vw_student WHERE aktiv=true AND studiengang_kz='".addslashes($_GET['kz'])."'";
|
||||
$qry = "SELECT
|
||||
vorname, nachname, uid
|
||||
FROM
|
||||
campus.vw_student
|
||||
WHERE
|
||||
aktiv=true
|
||||
AND studiengang_kz=".$db->db_add_param($_GET['kz']);
|
||||
|
||||
if (isset($_GET['sem']))
|
||||
$qry.=" AND semester='".addslashes($_GET['sem'])."'";
|
||||
$qry.=" AND semester=".$db->db_add_param($_GET['sem']);
|
||||
|
||||
if (isset($_GET['verband']))
|
||||
$qry.=" AND verband='".addslashes($_GET['verband'])."'";
|
||||
$qry.=" AND verband=".$db->db_add_param($_GET['verband']);
|
||||
|
||||
if (isset($_GET['grp']))
|
||||
$qry.=" AND gruppe='".addslashes($_GET['grp'])."'";
|
||||
$qry.=" AND gruppe=".$db->db_add_param($_GET['grp']);
|
||||
|
||||
$qry.= ' ORDER BY nachname, vorname';
|
||||
}
|
||||
|
||||
+1
-3
@@ -26,7 +26,7 @@ if (!$db = new basis_db())
|
||||
|
||||
if(isset($_GET['src']) && $_GET['src']=='flag' && isset($_GET['sprache']))
|
||||
{
|
||||
$qry = "SELECT flagge as bild FROM public.tbl_sprache WHERE sprache='".addslashes($_GET['sprache'])."'";
|
||||
$qry = "SELECT flagge as bild FROM public.tbl_sprache WHERE sprache=".$db->db_add_param($_GET['sprache']);
|
||||
}
|
||||
else
|
||||
die('Unkown type');
|
||||
@@ -38,5 +38,3 @@ $row = $db->db_fetch_object($result);
|
||||
//base64 zurueckwandeln und ausgeben
|
||||
echo base64_decode($row->bild);
|
||||
?>
|
||||
|
||||
|
||||
|
||||
@@ -49,7 +49,7 @@ class menu_addon_urlaub extends menu_addon
|
||||
if($untergebene!='')
|
||||
$untergebene.=',';
|
||||
|
||||
$untergebene.="'".addslashes($u_uid)."'";
|
||||
$untergebene.="'".$this->db_escape($u_uid)."'";
|
||||
}
|
||||
|
||||
$rechte = new benutzerberechtigung();
|
||||
@@ -62,7 +62,7 @@ class menu_addon_urlaub extends menu_addon
|
||||
{
|
||||
if($untergebene!='')
|
||||
$untergebene.=',';
|
||||
$untergebene.="'".addslashes($row->uid)."'";
|
||||
$untergebene.="'".$this->db_escape($row->uid)."'";
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user