diff --git a/include/entwicklungsteam.class.php b/include/entwicklungsteam.class.php index bcc2e5dcd..3944c5416 100644 --- a/include/entwicklungsteam.class.php +++ b/include/entwicklungsteam.class.php @@ -69,7 +69,7 @@ class entwicklungsteam extends basis_db //laden des Datensatzes $qry = "SELECT * FROM bis.tbl_entwicklungsteam JOIN bis.tbl_besqual USING(besqualcode) - WHERE mitarbeiter_uid='".addslashes($mitarbeiter_uid)."' AND studiengang_kz='$studiengang_kz'"; + WHERE mitarbeiter_uid=".$this->db_add_param($mitarbeiter_uid)." AND studiengang_kz=".$this->db_add_param($studiengang_kz, FHC_INTEGER).";"; if($this->db_query($qry)) { @@ -115,7 +115,7 @@ class entwicklungsteam extends basis_db } $qry = "DELETE FROM bis.tbl_entwicklungsteam - WHERE mitarbeiter_uid = '".addslashes($mitarbeiter_uid)."' AND studiengang_kz='$studiengang_kz';"; + WHERE mitarbeiter_uid = ".$this->db_add_param($mitarbeiter_uid)." AND studiengang_kz=".$this->db_add_param($studiengang_kz, FHC_INTEGER).";"; if($this->db_query($qry)) { 
@@ -172,16 +172,16 @@ class entwicklungsteam extends basis_db //Neuen Datensatz anlegen $qry = "INSERT INTO bis.tbl_entwicklungsteam (mitarbeiter_uid, studiengang_kz, besqualcode, beginn, ende, updateamum, updatevon, insertamum, insertvon, ext_id) VALUES (". - $this->addslashes($this->mitarbeiter_uid).', '. - $this->addslashes($this->studiengang_kz).', '. - $this->addslashes($this->besqualcode).', '. - $this->addslashes($this->beginn).', '. - $this->addslashes($this->ende).', '. - $this->addslashes($this->updateamum).', '. - $this->addslashes($this->updatevon).', '. - $this->addslashes($this->insertamum).', '. - $this->addslashes($this->insertvon).', '. - $this->addslashes($this->ext_id).');'; + $this->db_add_param($this->mitarbeiter_uid).', '. + $this->db_add_param($this->studiengang_kz, FHC_INTEGER).', '. + $this->db_add_param($this->besqualcode, FHC_INTEGER).', '. + $this->db_add_param($this->beginn).', '. + $this->db_add_param($this->ende).', '. + $this->db_add_param($this->updateamum).', '. + $this->db_add_param($this->updatevon).', '. + $this->db_add_param($this->insertamum).', '. + $this->db_add_param($this->insertvon).', '. + $this->db_add_param($this->ext_id, FHC_INTEGER).');'; } else 
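Review bot: The INSERT now routes `ende` and `ext_id` through `db_add_param` (the latter with `FHC_INTEGER`), but nothing in the hunk shows what happens when one of these optional-looking values is unset; the removed `$this->addslashes(...)` was a class helper rather than the global function, so it may have mapped null or '' to SQL NULL, and if `db_add_param` does not do the same an empty `ext_id` would now reach an integer binding as an empty string. I would confirm this against `db_add_param` in basis_db and, if callers may leave these fields unset, state it on the method, e.g. `// ende and ext_id are optional; db_add_param must bind empty values as NULL`. The same question applies to the UPDATE at @@ -191, which binds the same two columns. The enclosing method starts before this hunk and continues past it.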
@@ -191,14 +191,14 @@ class entwicklungsteam extends basis_db //Bestehenden Datensatz aktualisieren $qry= "UPDATE bis.tbl_entwicklungsteam SET". - " besqualcode=".$this->addslashes($this->besqualcode).",". - " beginn=".$this->addslashes($this->beginn).",". - " studiengang_kz=".$this->addslashes($this->studiengang_kz).",". - " ende=".$this->addslashes($this->ende).",". - " updateamum=".$this->addslashes($this->updateamum).",". - " updatevon=".$this->addslashes($this->updatevon).",". - " ext_id=".$this->addslashes($this->ext_id). - " WHERE mitarbeiter_uid='".addslashes($this->mitarbeiter_uid)."' AND studiengang_kz='$this->studiengang_kz_old'"; + " besqualcode=".$this->db_add_param($this->besqualcode, FHC_INTEGER).",". + " beginn=".$this->db_add_param($this->beginn).",". + " studiengang_kz=".$this->db_add_param($this->studiengang_kz, FHC_INTEGER).",". + " ende=".$this->db_add_param($this->ende).",". + " updateamum=".$this->db_add_param($this->updateamum).",". + " updatevon=".$this->db_add_param($this->updatevon).",". + " ext_id=".$this->db_add_param($this->ext_id, FHC_INTEGER). + " WHERE mitarbeiter_uid=".$this->db_add_param($this->mitarbeiter_uid)." AND studiengang_kz=".$this->db_add_param($this->studiengang_kz_old, FHC_INTEGER).";"; } if($this->db_query($qry)) @@ -221,10 +221,12 @@ class entwicklungsteam extends basis_db { //laden des Datensatzes $qry = "SELECT * FROM bis.tbl_entwicklungsteam JOIN bis.tbl_besqual USING(besqualcode) - WHERE mitarbeiter_uid='".addslashes($mitarbeiter_uid)."'"; + WHERE mitarbeiter_uid=".$this->db_add_param($mitarbeiter_uid); if($studiengang_kz!=null) - $qry.=" AND studiengang_kz='".addslashes($studiengang_kz)."'"; + $qry.=" AND studiengang_kz=".$this->db_add_param($studiengang_kz); + + $qry.=";"; if($this->db_query($qry)) { 
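Review bot: In the @@ -221 hunk the appended clause binds the key with a bare `$this->db_add_param($studiengang_kz)`, while every other studiengang_kz binding in this file (the @@ -69, -115, -191 and -267 hunks) passes `FHC_INTEGER`; this loader should match, `$qry.=" AND studiengang_kz=".$this->db_add_param($studiengang_kz, FHC_INTEGER);`. Without the type the value is presumably bound as text, so a non-numeric studiengang_kz would reach the column comparison instead of being rejected at the binding, and the two load paths would treat the same input differently. The surrounding `if($studiengang_kz!=null)` is unchanged context, but `!=` also skips the filter for `0` and `''`; `!== null` (or a documented convention that 0 is never a valid key) would make the optional filter explicit. The enclosing method starts before the hunk and continues past it.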
@@ -265,7 +267,7 @@ class entwicklungsteam extends basis_db public function exists($mitarbeiter_uid,$studiengang_kz) { $qry = "SELECT count(*) as anzahl FROM bis.tbl_entwicklungsteam - WHERE mitarbeiter_uid='".addslashes($mitarbeiter_uid)."' AND studiengang_kz='".addslashes($studiengang_kz)."'"; + WHERE mitarbeiter_uid=".$this->db_add_param($mitarbeiter_uid)." AND studiengang_kz=".$this->db_add_param($studiengang_kz, FHC_INTEGER).";"; if($this->db_query($qry)) { diff --git a/include/feedback.class.php b/include/feedback.class.php index f4a377aee..d0f2f01f7 100644 --- a/include/feedback.class.php +++ b/include/feedback.class.php @@ -58,7 +58,7 @@ class feedback extends basis_db return false; } - $qry = "SELECT * FROM campus.tbl_feedback WHERE feedback_id='$feedback_id'"; + $qry = "SELECT * FROM campus.tbl_feedback WHERE feedback_id=".$this->db_add_param($feedback_id, FHC_INTEGER).";"; if($this->db_query($qry)) { @@ -121,7 +121,7 @@ class feedback extends basis_db return false; } - $qry = "SELECT * FROM campus.tbl_feedback WHERE lehrveranstaltung_id='$lehrveranstaltung_id'"; + $qry = "SELECT * FROM campus.tbl_feedback WHERE lehrveranstaltung_id=".$this->db_add_param($lehrveranstaltung_id, FHC_INTEGER).";"; if($this->db_query($qry)) { 
@@ -162,20 +162,20 @@ class feedback extends basis_db if($this->new) { $qry = 'INSERT INTO campus.tbl_feedback (betreff, text, datum, uid, lehrveranstaltung_id) - VALUES('.$this->addslashes($this->betreff).','. - $this->addslashes($this->text).','. - $this->addslashes($this->datum).','. - $this->addslashes($this->uid).','. - $this->addslashes($this->lehrveranstaltung_id).');'; + VALUES('.$this->db_add_param($this->betreff).','. + $this->db_add_param($this->text).','. + $this->db_add_param($this->datum).','. + $this->db_add_param($this->uid).','. + $this->db_add_param($this->lehrveranstaltung_id, FHC_INTEGER).');'; } else { $qry = 'UPDATE campus.tbl_feedback SET'. - ' betreff='.$this->addslashes($this->betreff).','. - ' text='.$this->addslashes($this->text).','. - ' datum='.$this->addslashes($this->datum).','. - ' uid='.$this->addslashes($this->uid). - " WHERE feedback_id='".addslashes($this->feedback_id)."'"; + ' betreff='.$this->db_add_param($this->betreff).','. + ' text='.$this->db_add_param($this->text).','. + ' datum='.$this->db_add_param($this->datum).','. + ' uid='.$this->db_add_param($this->uid). + " WHERE feedback_id=".$this->db_add_param($this->feedback_id, FHC_INTEGER).";"; } if($this->db_query($qry))