mirror of
https://github.com/FH-Complete/FHC-Core.git
synced 2026-07-19 16:02:15 +00:00
Sicherheitslücken im LV-Plan behoben
This commit is contained in:
@@ -1,4 +1,25 @@
|
||||
<?php
|
||||
/* Copyright (C) 2009 Technikum-Wien
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as
|
||||
* published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* Authors: Christian Paminger <christian.paminger@technikum-wien.at>,
|
||||
* Andreas Oesterreicher <andreas.oesterreicher@technikum-wien.at>,
|
||||
* Rudolf Hangl <rudolf.hangl@technikum-wien.at> and
|
||||
* Gerald Simane-Sequens <gerald.simane@technikum-wien.at>.
|
||||
*/
|
||||
/****************************************************************************
|
||||
* Script: stpl_detail.php
|
||||
* Descr: Das Script dient zur Detailanzeige eines Eintrags im Stundenplan.
|
||||
@@ -9,17 +30,20 @@
|
||||
* Update: 11.11.2004 von Christian Paminger
|
||||
*****************************************************************************/
|
||||
|
||||
|
||||
require_once('../../../config/cis.config.inc.php');
|
||||
require_once('../../../include/ort.class.php');
|
||||
require_once('../../../include/functions.inc.php');
|
||||
require_once('../../../include/datum.class.php');
|
||||
|
||||
if (!$db = new basis_db())
|
||||
die('Fehler beim Oeffnen der Datenbankverbindung');
|
||||
if (!$db = new basis_db())
|
||||
die('Fehler beim Oeffnen der Datenbankverbindung');
|
||||
|
||||
// Variablen uebernehmen
|
||||
if (isset($_GET['type']))
|
||||
$type=$_GET['type'];
|
||||
else
|
||||
$type='';
|
||||
|
||||
if (isset($_GET['datum']))
|
||||
$datum=$_GET['datum'];
|
||||
if (isset($_GET['stunde']))
|
||||
@@ -33,6 +57,12 @@ if (isset($_GET['stg_kz']))
|
||||
if (isset($_GET['sem']))
|
||||
$sem=$_GET['sem'];
|
||||
|
||||
if($sem!='' && !is_numeric($sem))
|
||||
die('Semester ist ungueltig');
|
||||
|
||||
if($stunde!='' && !is_numeric($stunde))
|
||||
die('Stunde ist ungueltig');
|
||||
|
||||
if (isset($_GET['ver']))
|
||||
$ver=$_GET['ver'];
|
||||
|
||||
@@ -41,6 +71,9 @@ if (isset($_GET['grp']))
|
||||
if (isset($_GET['gruppe_kurzbz']))
|
||||
$gruppe_kurzbz=$_GET['gruppe_kurzbz'];
|
||||
|
||||
$datum_obj = new datum();
|
||||
if(!$datum_obj->checkDatum($datum))
|
||||
die('Datum ist ungueltig');
|
||||
|
||||
$stsem = getStudiensemesterFromDatum($datum);
|
||||
//Stundenplan
|
||||
@@ -49,18 +82,21 @@ $sql_query.=", (SELECT count(*) FROM public.tbl_studentlehrverband
|
||||
WHERE studiengang_kz=vw_stundenplan.studiengang_kz AND semester=vw_stundenplan.semester
|
||||
AND (verband=vw_stundenplan.verband OR vw_stundenplan.verband is null OR trim(vw_stundenplan.verband)='')
|
||||
AND (gruppe=vw_stundenplan.gruppe OR vw_stundenplan.gruppe is null OR trim(vw_stundenplan.gruppe)='')
|
||||
AND studiensemester_kurzbz='$stsem') as anzahl_lvb
|
||||
AND studiensemester_kurzbz='".addslashes($stsem)."') as anzahl_lvb
|
||||
, (SELECT count(*) FROM public.tbl_benutzergruppe
|
||||
WHERE gruppe_kurzbz=vw_stundenplan.gruppe_kurzbz AND studiensemester_kurzbz='$stsem') as anzahl_grp";
|
||||
WHERE gruppe_kurzbz=vw_stundenplan.gruppe_kurzbz AND studiensemester_kurzbz='".addslashes($stsem)."') as anzahl_grp";
|
||||
$sql_query.=' FROM (campus.vw_stundenplan JOIN lehre.tbl_lehrfach USING (lehrfach_id)) JOIN campus.vw_mitarbeiter USING (uid)';
|
||||
$sql_query.=" WHERE datum='$datum' AND stunde=$stunde";
|
||||
$sql_query.=" WHERE datum='".addslashes($datum)."' AND stunde='".addslashes($stunde)."'";
|
||||
if ($type=='lektor')
|
||||
$sql_query.=" AND vw_stundenplan.uid='$pers_uid' ";
|
||||
$sql_query.=" AND vw_stundenplan.uid='".addslashes($pers_uid)."' ";
|
||||
elseif ($type=='ort')
|
||||
$sql_query.=" AND vw_stundenplan.ort_kurzbz='$ort_kurzbz' ";
|
||||
$sql_query.=" AND vw_stundenplan.ort_kurzbz='".addslashes($ort_kurzbz)."' ";
|
||||
else
|
||||
{
|
||||
$sql_query.=' AND vw_stundenplan.studiengang_kz='.$stg_kz.' AND (vw_stundenplan.semester='.$sem;
|
||||
if($stg_kz=='' || $sem=='')
|
||||
die('Fehlerhafte Parameteruebergabe');
|
||||
|
||||
$sql_query.=" AND vw_stundenplan.studiengang_kz='".addslashes($stg_kz)."' AND (vw_stundenplan.semester='".addslashes($sem)."'";
|
||||
if ($type=='student')
|
||||
$sql_query.=' OR vw_stundenplan.semester='.($sem+1);
|
||||
$sql_query.=')';
|
||||
@@ -80,14 +116,14 @@ $erg_stpl=$db->db_query($sql_query);
|
||||
$num_rows_stpl=$db->db_num_rows($erg_stpl);
|
||||
|
||||
//Reservierungen
|
||||
$sql_query="SELECT vw_reservierung.*, vw_mitarbeiter.titelpre, vw_mitarbeiter.vorname,vw_mitarbeiter.nachname FROM campus.vw_reservierung, campus.vw_mitarbeiter WHERE datum='$datum' AND stunde=$stunde";
|
||||
$sql_query="SELECT vw_reservierung.*, vw_mitarbeiter.titelpre, vw_mitarbeiter.vorname,vw_mitarbeiter.nachname FROM campus.vw_reservierung, campus.vw_mitarbeiter WHERE datum='".addslashes($datum)."' AND stunde='".addslashes($stunde)."'";
|
||||
if (isset($ort_kurzbz))
|
||||
$sql_query.=" AND vw_reservierung.ort_kurzbz='$ort_kurzbz'";
|
||||
$sql_query.=" AND vw_reservierung.ort_kurzbz='".addslashes($ort_kurzbz)."'";
|
||||
if ($type=='lektor')
|
||||
$sql_query.=" AND vw_reservierung.uid='$pers_uid' ";
|
||||
$sql_query.=" AND vw_reservierung.uid='".addslashes($pers_uid)."' ";
|
||||
$sql_query.=" AND vw_reservierung.uid=vw_mitarbeiter.uid";
|
||||
if ($type=='verband' || $type=='student')
|
||||
$sql_query.=" AND studiengang_kz='$stg_kz' AND (semester='$sem' OR semester=0 OR semester IS NULL)";
|
||||
$sql_query.=" AND studiengang_kz='".addslashes($stg_kz)."' AND (semester='".addslashes($sem)."' OR semester=0 OR semester IS NULL)";
|
||||
$sql_query.=' ORDER BY titel LIMIT 100';
|
||||
//echo $sql_query.'<BR>';
|
||||
$erg_repl=$db->db_query($sql_query);
|
||||
@@ -102,8 +138,8 @@ $num_rows_repl=$db->db_num_rows($erg_repl);
|
||||
</head>
|
||||
<body id="inhalt">
|
||||
<H2>Lehrveranstaltungsplan ⇒ Details</H2>
|
||||
Datum: <?php echo $datum; ?><BR>
|
||||
Stunde: <?php echo $stunde; ?><BR><BR>
|
||||
Datum: <?php echo htmlentities($datum); ?><BR>
|
||||
Stunde: <?php echo htmlentities($stunde); ?><BR><BR>
|
||||
|
||||
<table class="stdplan">
|
||||
<?php
|
||||
|
||||
@@ -1,3 +1,26 @@
|
||||
<?php
|
||||
/* Copyright (C) 2009 Technikum-Wien
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as
|
||||
* published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* Authors: Christian Paminger <christian.paminger@technikum-wien.at>,
|
||||
* Andreas Oesterreicher <andreas.oesterreicher@technikum-wien.at>,
|
||||
* Rudolf Hangl <rudolf.hangl@technikum-wien.at> and
|
||||
* Gerald Simane-Sequens <gerald.simane@technikum-wien.at>.
|
||||
*/
|
||||
?>
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
|
||||
<HTML>
|
||||
<HEAD>
|
||||
@@ -36,22 +59,20 @@
|
||||
* Update: 15.11.2004 von Christian Paminger
|
||||
*****************************************************************************/
|
||||
|
||||
|
||||
|
||||
//$type='ort';
|
||||
//$ort_kurzbz='EDV6.08';
|
||||
//$datum=1102260015;
|
||||
|
||||
require_once('../../../config/cis.config.inc.php');
|
||||
//require_once('../../../include/globals.inc.php');
|
||||
require_once('../../../include/functions.inc.php');
|
||||
require_once('../../../include/wochenplan.class.php');
|
||||
require_once('../../../include/reservierung.class.php');
|
||||
require_once('../../../include/benutzerberechtigung.class.php');
|
||||
if (!$db = new basis_db())
|
||||
die('Fehler beim Oeffnen der Datenbankverbindung');
|
||||
|
||||
$uid=get_uid();
|
||||
|
||||
if (!$db = new basis_db())
|
||||
die('Fehler beim Oeffnen der Datenbankverbindung');
|
||||
|
||||
$uid=get_uid();
|
||||
|
||||
// Deutsche Umgebung
|
||||
//$loc_de=setlocale(LC_ALL, 'de_AT@euro', 'de_AT','de_DE@euro', 'de_DE');
|
||||
@@ -135,9 +156,9 @@ elseif (check_lektor($uid))
|
||||
$user='lektor';
|
||||
else
|
||||
{
|
||||
//die("Cannot set usertype!");
|
||||
die("Fehler: Ihr User wurde nicht gefunden!");
|
||||
//GastAccountHack
|
||||
$user='student';
|
||||
//$user='student';
|
||||
}
|
||||
|
||||
// User bestimmen
|
||||
@@ -146,8 +167,6 @@ if (!isset($type))
|
||||
if (!isset($pers_uid))
|
||||
$pers_uid=$uid;
|
||||
|
||||
//echo $uid.':'.$user_uid;
|
||||
#var_dump($_GET);
|
||||
if (isset($_POST['reserve']))
|
||||
$reserve=$_POST['reserve'];
|
||||
else if (isset($_GET['reserve']))
|
||||
@@ -172,21 +191,25 @@ if (isset($reserve) && ($user=='lektor' || $raumres))
|
||||
if (isset($_REQUEST[$var]))
|
||||
{
|
||||
$datum_res=$_REQUEST[$var];
|
||||
#$datum_res=$datum_obj->formatDatum($datum_res);
|
||||
//echo $datum_res;
|
||||
$query="SELECT * FROM campus.tbl_reservierung where ort_kurzbz='$ort_kurzbz' and datum='$datum_res' and stunde='$stunde'";
|
||||
if(!$suchen_std=$db->db_query($query))
|
||||
die($db->db_last_error());
|
||||
$gef=$db->db_num_rows($suchen_std);
|
||||
if (!$gef)
|
||||
|
||||
$reservierung = new reservierung();
|
||||
|
||||
if(!$reservierung->isReserviert($ort_kurzbz, $datum_res, $stunde))
|
||||
{
|
||||
$query="INSERT INTO campus.tbl_reservierung
|
||||
(datum, uid, ort_kurzbz, stunde, beschreibung, titel, studiengang_kz )
|
||||
VALUES
|
||||
('$datum_res', '$uid', '$ort_kurzbz', $stunde, '".$_REQUEST['beschreibung']."', '".$_REQUEST['titel']."', 0)"; // semester, verband, gruppe, gruppe_kurzbz,
|
||||
//echo $query;
|
||||
if(!($erg=$db->db_query($query)))
|
||||
echo $db->db_last_error();
|
||||
$reservierung = new reservierung();
|
||||
|
||||
$reservierung->datum = $datum_res;
|
||||
$reservierung->uid = $uid;
|
||||
$reservierung->ort_kurzbz = $ort_kurzbz;
|
||||
$reservierung->stunde = $stunde;
|
||||
$reservierung->beschreibung = $_REQUEST['beschreibung'];
|
||||
$reservierung->titel = $_REQUEST['titel'];
|
||||
$reservierung->studiengang_kz='0';
|
||||
|
||||
if(!$reservierung->save(true))
|
||||
{
|
||||
echo $reservierung->errormsg;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
@@ -45,12 +45,20 @@ function crlf()
|
||||
return $crlf;
|
||||
}
|
||||
|
||||
function check_uid($uid)
|
||||
{
|
||||
if(ctype_alnum($uid) && mb_strlen($uid)<=32)
|
||||
return true;
|
||||
else
|
||||
return false;
|
||||
}
|
||||
|
||||
function check_lektor($uid)
|
||||
{
|
||||
$db = new basis_db();
|
||||
|
||||
// uid von View 'Lektor' holen
|
||||
$sql_query="SELECT mitarbeiter_uid FROM public.tbl_mitarbeiter WHERE mitarbeiter_uid='$uid'";
|
||||
$sql_query="SELECT mitarbeiter_uid FROM public.tbl_mitarbeiter WHERE mitarbeiter_uid='".addslashes($uid)."'";
|
||||
//echo $sql_query;
|
||||
if($db->db_query($sql_query))
|
||||
{
|
||||
|
||||
@@ -20,6 +20,7 @@
|
||||
* Rudolf Hangl <rudolf.hangl@technikum-wien.at>.
|
||||
*/
|
||||
require_once(dirname(__FILE__).'/basis_db.class.php');
|
||||
require_once(dirname(__FILE__).'/datum.class.php');
|
||||
|
||||
class reservierung extends basis_db
|
||||
{
|
||||
@@ -130,10 +131,9 @@ class reservierung extends basis_db
|
||||
|
||||
if($this->new)
|
||||
{
|
||||
$qry = 'INSERT INTO campus.tbl_reservierung (reservierung_id, ort_kurzbz, studiengang_kz, uid, stunde, datum, titel,
|
||||
$qry = 'INSERT INTO campus.tbl_reservierung (ort_kurzbz, studiengang_kz, uid, stunde, datum, titel,
|
||||
beschreibung, semester, verband, gruppe, gruppe_kurzbz)
|
||||
VALUES('.$this->addslashes($this->reservierung_id).','.
|
||||
$this->addslashes($this->ort_kurzbz).','.
|
||||
VALUES('.$this->addslashes($this->ort_kurzbz).','.
|
||||
$this->addslashes($this->studiengang_kz).','.
|
||||
$this->addslashes($this->uid).','.
|
||||
$this->addslashes($this->stunde).','.
|
||||
@@ -198,5 +198,48 @@ class reservierung extends basis_db
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Prueft ob ein Raum reserviert ist
|
||||
*
|
||||
* @param $ort_kurzbz
|
||||
* @param $datum
|
||||
* @param $stunde
|
||||
* @return boolean
|
||||
*/
|
||||
public function isReserviert($ort_kurzbz, $datum, $stunde)
|
||||
{
|
||||
if(!is_numeric($stunde))
|
||||
{
|
||||
$this->errormsg='Stunde muss eine gueltige Zahl sein';
|
||||
return false;
|
||||
}
|
||||
|
||||
$datum_obj = new Datum();
|
||||
if(!$datum_obj->checkDatum($datum))
|
||||
{
|
||||
$this->errormsg='Datum hat ein ungueltiges Format';
|
||||
return false;
|
||||
}
|
||||
|
||||
$qry = "SELECT * FROM campus.tbl_reservierung
|
||||
WHERE
|
||||
ort_kurzbz='".addslashes($ort_kurzbz)."' AND
|
||||
datum='".addslashes($datum)."' AND
|
||||
stunde='".addslashes($stunde)."'";
|
||||
if($result = $this->db_query($qry))
|
||||
{
|
||||
if($this->db_num_rows($result)>0)
|
||||
return true;
|
||||
else
|
||||
return false;
|
||||
}
|
||||
else
|
||||
{
|
||||
$this->errormsg='Fehler beim Ermitteln der Reservierungen';
|
||||
return false;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
?>
|
||||
@@ -195,9 +195,9 @@ class wochenplan extends basis_db
|
||||
{
|
||||
$this->link.='&pers_uid='.$this->pers_uid; //Link erweitern
|
||||
if ($this->type=='student')
|
||||
$sql_query="SELECT uid, titelpre, titelpost, nachname, vorname, vornamen, studiengang_kz, semester, verband, gruppe FROM campus.vw_student WHERE uid='$this->pers_uid'";
|
||||
$sql_query="SELECT uid, titelpre, titelpost, nachname, vorname, vornamen, studiengang_kz, semester, verband, gruppe FROM campus.vw_student WHERE uid='".addslashes($this->pers_uid)."'";
|
||||
else
|
||||
$sql_query="SELECT uid, titelpre, titelpost, nachname, vorname, vornamen FROM campus.vw_mitarbeiter WHERE uid='$this->pers_uid'";
|
||||
$sql_query="SELECT uid, titelpre, titelpost, nachname, vorname, vornamen FROM campus.vw_mitarbeiter WHERE uid='".addslashes($this->pers_uid)."'";
|
||||
//echo $sql_query;
|
||||
if (!$this->db_query($sql_query))
|
||||
{
|
||||
@@ -221,12 +221,17 @@ class wochenplan extends basis_db
|
||||
$this->grp = $row->gruppe;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
$this->errormsg='User nicht gefunden';
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
//ortdaten ermitteln
|
||||
if ($this->type=='ort')
|
||||
{
|
||||
$sql_query="SELECT bezeichnung, ort_kurzbz, planbezeichnung, ausstattung, max_person FROM public.tbl_ort WHERE ort_kurzbz='$this->ort_kurzbz'";
|
||||
$sql_query="SELECT bezeichnung, ort_kurzbz, planbezeichnung, ausstattung, max_person FROM public.tbl_ort WHERE ort_kurzbz='".addslashes($this->ort_kurzbz)."'";
|
||||
//echo $sql_query;
|
||||
if (!$this->db_query($sql_query))
|
||||
$this->errormsg=$this->db_last_error();
|
||||
@@ -244,7 +249,7 @@ class wochenplan extends basis_db
|
||||
// Studiengangsdaten ermitteln
|
||||
if ($this->type=='student' || $this->type=='verband')
|
||||
{
|
||||
$sql_query="SELECT bezeichnung, kurzbz, kurzbzlang, typ FROM public.tbl_studiengang WHERE studiengang_kz=$this->stg_kz";
|
||||
$sql_query="SELECT bezeichnung, kurzbz, kurzbzlang, typ FROM public.tbl_studiengang WHERE studiengang_kz='".addslashes($this->stg_kz)."'";
|
||||
//echo $sql_query;
|
||||
if(!($this->db_query($sql_query)))
|
||||
die($this->db_last_error());
|
||||
@@ -1121,32 +1126,32 @@ class wochenplan extends basis_db
|
||||
$raumtyp=array_unique($raumtyp);
|
||||
$rtype='';
|
||||
foreach ($raumtyp as $r)
|
||||
$rtype.=" OR raumtyp_kurzbz='$r'";
|
||||
$rtype.=" OR raumtyp_kurzbz='".addslashes($r)."'";
|
||||
$rtype=mb_substr($rtype,3);
|
||||
//Lektor
|
||||
$lektor=array_unique($lektor);
|
||||
$lkt='';
|
||||
foreach ($lektor as $l)
|
||||
$lkt.=" OR uid='$l'";
|
||||
$lkt.=" OR uid='".addslashes($l)."'";
|
||||
$lkt=mb_substr($lkt,3);
|
||||
// Einheiten
|
||||
$gruppe=array_unique($gruppe);
|
||||
$gruppen='';
|
||||
foreach ($gruppe as $g)
|
||||
if ($g!='')
|
||||
$gruppen.=" OR gruppe_kurzbz='$g'";
|
||||
$gruppen.=" OR gruppe_kurzbz='".addslashes($g)."'";
|
||||
//$gruppen=mb_substr($gruppen,3);
|
||||
//Lehrverband
|
||||
//$lehrverband=array_unique($lehrverband);
|
||||
$lvb='';
|
||||
foreach ($lehrverband as $l)
|
||||
{
|
||||
$lvb.=' OR (studiengang_kz='.$l->stg_kz.' AND semester='.$l->sem;
|
||||
$lvb.=" OR (studiengang_kz='".addslashes($l->stg_kz)."' AND semester='".addslashes($l->sem)."'";
|
||||
if ($l->ver!='' && $l->ver!=' ' && $l->ver!=null)
|
||||
{
|
||||
$lvb.=" AND (verband='$l->ver' OR verband IS NULL OR verband='')";
|
||||
$lvb.=" AND (verband='".addslashes($l->ver)."' OR verband IS NULL OR verband='')";
|
||||
if ($l->grp!='' && $l->grp!=' ' && $l->grp!=null)
|
||||
$lvb.=" AND (gruppe='$l->grp' OR gruppe IS NULL OR gruppe='')";
|
||||
$lvb.=" AND (gruppe='".addslashes($l->grp)."' OR gruppe IS NULL OR gruppe='')";
|
||||
}
|
||||
//if ($gruppen=='')
|
||||
// $lvb.=' AND gruppe_kurzbz IS NULL';
|
||||
@@ -1175,8 +1180,8 @@ class wochenplan extends basis_db
|
||||
}
|
||||
// Stundenplanabfrage bauen (Wo ist Kollision?)
|
||||
$sql_query="SELECT DISTINCT datum, stunde FROM $stpl_view
|
||||
WHERE datum>='$this->datum_begin' AND datum<'$this->datum_end' AND
|
||||
($lkt $gruppen OR ($lvb) ) AND unr!=$unr"; //AND unr!=$unr"
|
||||
WHERE datum>='".addslashes($this->datum_begin)."' AND datum<'".addslashes($this->datum_end)."' AND
|
||||
($lkt $gruppen OR ($lvb) ) AND unr!='".addslashes($unr)."'";
|
||||
//echo $sql_query;
|
||||
if(!$this->db_query($sql_query))
|
||||
die($this->db_last_error());
|
||||
@@ -1191,12 +1196,12 @@ class wochenplan extends basis_db
|
||||
|
||||
// Stundenplanabfrage bauen (Wo ist besetzt?)
|
||||
$sql_query="SELECT DISTINCT datum, stunde, ort_kurzbz FROM $stpl_view
|
||||
WHERE datum>='$this->datum_begin' AND datum<'$this->datum_end' AND unr!=$unr";
|
||||
WHERE datum>='".addslashes($this->datum_begin)."' AND datum<'".addslashes($this->datum_end)."' AND unr!='".addslashes($unr)."'";
|
||||
//echo $sql_query; NATURAL JOIN tbl_ortraumtyp AND ($rtype) "
|
||||
|
||||
// Reservierungen beruecksichtigen
|
||||
$sql_query.=" UNION SELECT DISTINCT datum, stunde, ort_kurzbz FROM campus.tbl_reservierung
|
||||
WHERE datum>='$this->datum_begin' AND datum<'$this->datum_end' ";
|
||||
WHERE datum>='".addslashes($this->datum_begin)."' AND datum<'".addslashes($this->datum_end)."' ";
|
||||
|
||||
if(!$this->db_query($sql_query))
|
||||
die($this->db_last_error());
|
||||
@@ -1260,7 +1265,7 @@ class wochenplan extends basis_db
|
||||
$sql_query='SELECT *, (planstunden-verplant::smallint) AS offenestunden FROM '.$lva_stpl_view.' WHERE';
|
||||
$lvas='';
|
||||
foreach ($lva_id as $id)
|
||||
$lvas.=' OR lehreinheit_id='.$id;
|
||||
$lvas.=" OR lehreinheit_id='".addslashes($id)."'";
|
||||
$lvas=mb_substr($lvas,3);
|
||||
$sql_query.=$lvas;
|
||||
//$this->errormsg.=$sql_query;
|
||||
@@ -1358,16 +1363,16 @@ class wochenplan extends basis_db
|
||||
$raumtyp=array_unique($raumtyp);
|
||||
$rtype='';
|
||||
foreach ($raumtyp as $r)
|
||||
$rtype.=" OR raumtyp_kurzbz='$r'";
|
||||
$rtype.=" OR raumtyp_kurzbz='".addslashes($r)."'";
|
||||
$raumtypalt=array_unique($raumtypalt);
|
||||
foreach ($raumtypalt as $r)
|
||||
$rtype.=" OR raumtyp_kurzbz='$r'";
|
||||
$rtype.=" OR raumtyp_kurzbz='".addslashes($r)."'";
|
||||
$rtype=mb_substr($rtype,3);
|
||||
//Lektor
|
||||
$lektor=array_unique($lektor);
|
||||
$lkt='';
|
||||
foreach ($lektor as $l)
|
||||
$lkt.=" OR mitarbeiter_uid='$l'";
|
||||
$lkt.=" OR mitarbeiter_uid='".addslashes($l)."'";
|
||||
$lkt=mb_substr($lkt,3);
|
||||
//Dummy Lektor kollidiert nicht
|
||||
$lkt='(('.$lkt.") AND mitarbeiter_uid!='_DummyLektor')";
|
||||
@@ -1377,7 +1382,7 @@ class wochenplan extends basis_db
|
||||
{
|
||||
$gruppe=array_unique($gruppe);
|
||||
foreach ($gruppe as $g)
|
||||
$gruppen.=" OR gruppe_kurzbz='$g'";
|
||||
$gruppen.=" OR gruppe_kurzbz='".addslashes($g)."'";
|
||||
//$gruppen=mb_substr($gruppen,3);
|
||||
}
|
||||
//Lehrverband
|
||||
@@ -1385,12 +1390,12 @@ class wochenplan extends basis_db
|
||||
$lvb='';
|
||||
foreach ($lehrverband as $l)
|
||||
{
|
||||
$lvb.=' OR (studiengang_kz='.$l->stg_kz.' AND semester='.$l->sem;
|
||||
$lvb.=" OR (studiengang_kz='".addslashes($l->stg_kz)."' AND semester='".addslashes($l->sem)."'";
|
||||
if ($l->ver!='' && $l->ver!=' ' && $l->ver!=null)
|
||||
{
|
||||
$lvb.=" AND (verband='$l->ver' OR verband IS NULL OR verband='' OR verband=' ')";
|
||||
$lvb.=" AND (verband='".addslashes($l->ver)."' OR verband IS NULL OR verband='' OR verband=' ')";
|
||||
if ($l->grp!='' && $l->grp!=' ' && $l->grp!=null)
|
||||
$lvb.=" AND (gruppe='$l->grp' OR gruppe IS NULL OR gruppe='' OR gruppe=' ')";
|
||||
$lvb.=" AND (gruppe='".addslashes($l->grp)."' OR gruppe IS NULL OR gruppe='' OR gruppe=' ')";
|
||||
}
|
||||
if ($gruppen=='')
|
||||
$lvb.=' AND gruppe_kurzbz IS NULL';
|
||||
@@ -1446,12 +1451,11 @@ class wochenplan extends basis_db
|
||||
|
||||
// Stundenplanabfrage bauen (Wo ist Kollision?)
|
||||
$sql_query="SELECT DISTINCT datum, stunde FROM $stpl_table
|
||||
WHERE datum>='$datum_begin' AND datum<'$datum_end' AND
|
||||
WHERE datum>='".addslashes($datum_begin)."' AND datum<'".addslashes($datum_end)."' AND
|
||||
($lkt $gruppen OR ($lvb) )";
|
||||
if (is_numeric($unr))
|
||||
$sql_query.=" AND unr!=$unr";
|
||||
//$this->errormsg.=htmlspecialchars($sql_query);
|
||||
//return false;
|
||||
$sql_query.=" AND unr!='".addslashes($unr)."'";
|
||||
|
||||
if(!$this->db_query($sql_query))
|
||||
{
|
||||
$this->errormsg = $this->db_last_error().$sql_query;
|
||||
@@ -1471,14 +1475,14 @@ class wochenplan extends basis_db
|
||||
// Stundenplanabfrage bauen (Wo ist besetzt?)
|
||||
$sql_query="SELECT DISTINCT datum, stunde, ort_kurzbz FROM $stpl_view
|
||||
JOIN public.tbl_ortraumtyp USING (ort_kurzbz)
|
||||
WHERE datum>='$datum_begin' AND datum<'$datum_end' AND
|
||||
WHERE datum>='".addslashes($datum_begin)."' AND datum<'".addslashes($datum_end)."' AND
|
||||
($rtype)";
|
||||
if (is_numeric($unr))
|
||||
$sql_query.=" AND unr!=$unr";
|
||||
$sql_query.=" AND unr!='".addslashes($unr)."'";
|
||||
|
||||
// Reservierungen beruecksichtigen
|
||||
$sql_query.=" UNION SELECT distinct datum, stunde, ort_kurzbz FROM campus.tbl_reservierung
|
||||
WHERE datum>='$datum_begin' AND datum<'$datum_end'";
|
||||
WHERE datum>='".addslashes($datum_begin)."' AND datum<'".addslashes($datum_end)."'";
|
||||
|
||||
if(!$this->db_query($sql_query))
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user