mirror of
https://github.com/FH-Complete/FHC-Core.git
synced 2026-07-19 16:02:15 +00:00
XSS Lücke geschlossen
This commit is contained in:
@@ -20,39 +20,29 @@
|
||||
* Rudolf Hangl < rudolf.hangl@technikum-wien.at >
|
||||
* Gerald Simane-Sequens < gerald.simane-sequens@technikum-wien.at >
|
||||
*/
|
||||
/* @date 27.10.2005
|
||||
@brief Zeigt die Daten aus der tbl_lvinfo an
|
||||
|
||||
@edit 08-11-2006 Versionierung wurde entfernt. Alle eintraege werden jetzt im WS2007
|
||||
abgespeichert
|
||||
03-02-2006 Anpassung an die neue Datenbank
|
||||
/*
|
||||
* Lehrveranstaltungsfeedback
|
||||
*/
|
||||
require_once('../../../config/cis.config.inc.php');
|
||||
require_once('../../../include/basis_db.class.php');
|
||||
require_once('../../../include/functions.inc.php');
|
||||
require_once('../../../include/studiensemester.class.php');
|
||||
require_once('../../../include/lehrveranstaltung.class.php');
|
||||
require_once('../../../include/feedback.class.php');
|
||||
require_once('../../../include/phrasen.class.php');
|
||||
|
||||
require_once('../../../config/cis.config.inc.php');
|
||||
// ------------------------------------------------------------------------------------------
|
||||
// Datenbankanbindung
|
||||
// ------------------------------------------------------------------------------------------
|
||||
require_once('../../../include/basis_db.class.php');
|
||||
if (!$db = new basis_db())
|
||||
die('Fehler beim Herstellen der Datenbankverbindung');
|
||||
|
||||
require_once('../../../include/functions.inc.php');
|
||||
require_once('../../../include/studiensemester.class.php');
|
||||
require_once('../../../include/lehrveranstaltung.class.php');
|
||||
require_once('../../../include/feedback.class.php');
|
||||
require_once('../../../include/phrasen.class.php');
|
||||
if (!$db = new basis_db())
|
||||
die('Fehler beim Herstellen der Datenbankverbindung');
|
||||
|
||||
$sprache = getSprache();
|
||||
$p = new phrasen($sprache);
|
||||
|
||||
$user = get_uid();
|
||||
if(check_lektor($user))
|
||||
$is_lector=true;
|
||||
if(!isset($_GET['lvid']) || !is_numeric($_GET['lvid']))
|
||||
die($p->t('global/fehlerBeiDerParameteruebergabe'));
|
||||
$sprache = getSprache();
|
||||
$p = new phrasen($sprache);
|
||||
|
||||
$user = get_uid();
|
||||
|
||||
if(!isset($_GET['lvid']) || !is_numeric($_GET['lvid']))
|
||||
die($p->t('global/fehlerBeiDerParameteruebergabe'));
|
||||
?>
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
|
||||
"http://www.w3.org/TR/html4/loose.dtd">
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
|
||||
@@ -68,14 +58,13 @@
|
||||
$feedback_message=$_POST['feedback_message'];
|
||||
if(isset($_POST['feedback_subject']))
|
||||
$feedback_subject=$_POST['feedback_subject'];
|
||||
|
||||
echo '<form accept-charset="UTF-8" method="POST" action="feedback.php?lvid='.$db->convert_html_chars($lvid).'" enctype="multipart/form-data">';
|
||||
?>
|
||||
|
||||
<table class="tabcontent">
|
||||
<tr>
|
||||
<td width="3%"> </td>
|
||||
<?php
|
||||
echo '<form accept-charset="UTF-8" method="POST" action="feedback.php?lvid='.$lvid.'" enctype="multipart/form-data">';
|
||||
?>
|
||||
<td width="97%">
|
||||
<table class="tabcontent">
|
||||
<tr>
|
||||
@@ -86,13 +75,23 @@
|
||||
else
|
||||
die($lv_obj->errormsg);
|
||||
?>
|
||||
<td class='ContentHeader'><font class='ContentHeader'> <?php echo $short_name; ?> - Feedback
|
||||
<td class='ContentHeader'><font class='ContentHeader'> <?php echo $db->convert_html_chars($short_name); ?> - Feedback
|
||||
an:
|
||||
<?php
|
||||
$qry = "SELECT studiensemester_kurzbz FROM lehre.tbl_lehreinheit JOIN public.tbl_studiensemester USING(studiensemester_kurzbz) WHERE lehrveranstaltung_id='$lvid' ORDER BY ende DESC LIMIT 1";
|
||||
$qry = "SELECT
|
||||
studiensemester_kurzbz
|
||||
FROM lehre.tbl_lehreinheit
|
||||
JOIN public.tbl_studiensemester USING(studiensemester_kurzbz)
|
||||
WHERE lehrveranstaltung_id=".$db->db_add_param($lvid, FHC_INTEGER)." ORDER BY ende DESC LIMIT 1";
|
||||
|
||||
$result = $db->db_query($qry);
|
||||
$row = $db->db_fetch_object($result);
|
||||
$qry = "SELECT distinct vorname, nachname, uid FROM campus.vw_mitarbeiter, lehre.tbl_lehreinheit, lehre.tbl_lehreinheitmitarbeiter WHERE uid=mitarbeiter_uid AND tbl_lehreinheit.lehreinheit_id=tbl_lehreinheitmitarbeiter.lehreinheit_id AND lehrveranstaltung_id='$lvid' AND studiensemester_kurzbz='$row->studiensemester_kurzbz'";
|
||||
$qry = "SELECT distinct vorname, nachname, uid
|
||||
FROM campus.vw_mitarbeiter, lehre.tbl_lehreinheit, lehre.tbl_lehreinheitmitarbeiter
|
||||
WHERE uid=mitarbeiter_uid AND tbl_lehreinheit.lehreinheit_id=tbl_lehreinheitmitarbeiter.lehreinheit_id
|
||||
AND lehrveranstaltung_id=".$db->db_add_param($lvid)."
|
||||
AND studiensemester_kurzbz=".$db->db_add_param($row->studiensemester_kurzbz);
|
||||
|
||||
if(!$result=$db->db_query($qry))
|
||||
die('Fehler beim Auslesen der Lektoren');
|
||||
$rows = $db->db_num_rows($result);
|
||||
@@ -113,25 +112,9 @@
|
||||
<br>
|
||||
<p><b><?php echo $p->t('global/betreff');?>: </b>
|
||||
<?php
|
||||
if(isset($edit_id) && $edit_id != "" && !isset($edit_break))
|
||||
{
|
||||
$fb_obj = new feedback();
|
||||
if($fb_obj->load($edit_id))
|
||||
{
|
||||
echo '<input type="text" name="feedback_subject" value="'.$fb_obj->betreff.'" size="54"><br>';
|
||||
echo '<textarea rows="7" name="feedback_message" cols="47">'.$fb_obj->text.'</textarea><br>';
|
||||
echo '<input type="submit" value="'.$p->t('global/aendern').'" name="edit_feedback"> ';
|
||||
echo '<input type="submit" value="'.$p->t('global/abbrechen').'" name="edit_break">';
|
||||
}
|
||||
else
|
||||
echo $fb_obj->errormsg.'<br>';
|
||||
}
|
||||
else
|
||||
{
|
||||
echo '<input type="text" name="feedback_subject" size="54"><br>';
|
||||
echo '<textarea rows="7" name="feedback_message" cols="47"></textarea><br>';
|
||||
echo '<input type="submit" value="'.$p->t('global/abschicken').'" name="send_feedback">';
|
||||
}
|
||||
echo '<input type="text" name="feedback_subject" size="54"><br>';
|
||||
echo '<textarea rows="7" name="feedback_message" cols="47"></textarea><br>';
|
||||
echo '<input type="submit" value="'.$p->t('global/abschicken').'" name="send_feedback">';
|
||||
?>
|
||||
|
||||
<input type="reset" value="<?php echo $p->t('global/zuruecksetzen');?>" name="reset_message">
|
||||
@@ -139,38 +122,18 @@
|
||||
<?php
|
||||
if(isset($feedback_message) && $feedback_message != "")
|
||||
{
|
||||
if(isset($edit_feedback))
|
||||
{
|
||||
$fb_obj = new feedback();
|
||||
$fb_obj->betreff = $feedback_subject;
|
||||
$fb_obj->text = $feedback_message;
|
||||
$fb_obj->feedback_id = $edit_id;
|
||||
$fb_obj->datum = date('Y-m-d');
|
||||
$fb_obj->uid = $user;
|
||||
$fb_obj->lehrveranstaltung_id = $lvid;
|
||||
$fb_obj->new = false;
|
||||
$fb_obj = new feedback();
|
||||
$fb_obj->betreff = $feedback_subject;
|
||||
$fb_obj->text = $feedback_message;
|
||||
$fb_obj->datum = date('Y-m-d');
|
||||
$fb_obj->uid = $user;
|
||||
$fb_obj->lehrveranstaltung_id = $lvid;
|
||||
$fb_obj->new = true;
|
||||
|
||||
if($fb_obj->save())
|
||||
echo "<script language=\"JavaScript\">document.location = document.location + \"&message_sent=true\"</script>";
|
||||
else
|
||||
echo $fb_obj->errormsg."<br>";
|
||||
}
|
||||
|
||||
if(!isset($edit_id) && !isset($edit_break) && !isset($edit_feedback))
|
||||
{
|
||||
$fb_obj = new feedback();
|
||||
$fb_obj->betreff = $feedback_subject;
|
||||
$fb_obj->text = $feedback_message;
|
||||
$fb_obj->datum = date('Y-m-d');
|
||||
$fb_obj->uid = $user;
|
||||
$fb_obj->lehrveranstaltung_id = $lvid;
|
||||
$fb_obj->new = true;
|
||||
|
||||
if($fb_obj->save())
|
||||
echo "<script language=\"JavaScript\">document.location = document.location + \"&message_sent=true\"</script>";
|
||||
else
|
||||
echo $fb_obj->errormsg." save<br>";
|
||||
}
|
||||
if($fb_obj->save())
|
||||
echo "<script language=\"JavaScript\">document.location = document.location + \"&message_sent=true\"</script>";
|
||||
else
|
||||
echo $fb_obj->errormsg." save<br>";
|
||||
}
|
||||
|
||||
if(isset($message_sent) && $message_sent == true)
|
||||
@@ -185,7 +148,7 @@
|
||||
|
||||
foreach($fb_obj->result as $row)
|
||||
{
|
||||
$sql_query = "SELECT vorname, nachname FROM campus.vw_benutzer WHERE uid='$row->uid'";
|
||||
$sql_query = "SELECT vorname, nachname FROM campus.vw_benutzer WHERE uid=".$db->db_add_param($row->uid);
|
||||
|
||||
if($result_person = $db->db_query($sql_query))
|
||||
{
|
||||
@@ -193,16 +156,12 @@
|
||||
{
|
||||
|
||||
echo '<tr>';
|
||||
echo ' <td class="ContentHeader" width="90%"><font class="ContentHeader"><strong> '.$row->betreff.'</font></td>';
|
||||
//echo ' <td class="ContentHeader" width="30%"><font class="ContentHeader"> </font></td>'; //'.$row_pers->vorname.' '.$row_pers->nachname.'
|
||||
echo ' <td class="ContentHeader" align="right"><font class="ContentHeader">'.$row->datum.'</font></td>';
|
||||
echo ' <td class="ContentHeader" width="90%"><font class="ContentHeader"><strong> '.$db->convert_html_chars($row->betreff).'</strong></font></td>';
|
||||
echo ' <td class="ContentHeader" align="right"><font class="ContentHeader">'.$db->convert_html_chars($row->datum).'</font></td>';
|
||||
|
||||
echo '</tr>';
|
||||
echo '<tr>';
|
||||
echo ' <td class="MarkLine" colspan=2>'.nl2br($row->text).'</td>';
|
||||
//echo ' <td class="MarkLine"> </td>';
|
||||
//echo ' <td class="MarkLine" colspan=2> </td>';
|
||||
//echo ' <td class="MarkLine"> </td>';
|
||||
echo ' <td class="MarkLine" colspan=2>'.nl2br($db->convert_html_chars($row->text)).'</td>';
|
||||
echo '</tr>';
|
||||
echo '<tr>';
|
||||
echo ' <td> </td>';
|
||||
@@ -216,9 +175,8 @@
|
||||
echo $p->t('global/fehleraufgetreten').' '.$fb_obj->errormsg;
|
||||
?>
|
||||
</td>
|
||||
</form>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
</html>
|
||||
|
||||
Reference in New Issue
Block a user