svn commit: r249 - trunk/mapbender/http/frames/index.php

uli at osgeo.org uli at osgeo.org
Thu May 11 10:49:08 EDT 2006


Author: uli
Date: 2006-05-11 14:49:07+0000
New Revision: 249

Modified:
   trunk/mapbender/http/frames/index.php

Log:
replace guiID and elementID in attributes and src
use db_prep_query()

Modified: trunk/mapbender/http/frames/index.php
Url: https://mapbender.osgeo.org/source/browse/mapbender/trunk/mapbender/http/frames/index.php?view=diff&rev=249&p1=trunk/mapbender/http/frames/index.php&p2=trunk/mapbender/http/frames/index.php&r1=248&r2=249
==============================================================================
--- trunk/mapbender/http/frames/index.php	(original)
+++ trunk/mapbender/http/frames/index.php	2006-05-11 14:49:07+0000
@@ -1,6 +1,7 @@
 <?php
-#$Id: index.php,v 1.25 2006/03/09 12:25:36 uli_rothstein Exp $
-#$Header: /cvsroot/mapbender/mapbender/http/frames/index.php,v 1.25 2006/03/09 12:25:36 uli_rothstein Exp $
+# $Id$
+# http://www.mapbender.org/index.php/index.php
+#
 # Copyright (C) 2002 CCGIS
 #
 # This program is free software; you can redistribute it and/or modify
@@ -16,13 +17,17 @@
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
 session_start();
-import_request_variables("PG");
+
 require("../php/mb_validateSession.php");
 $_SESSION["mb_user_gui"] = $_REQUEST["gui_id"];
 require_once("../../conf/mapbender.conf");
-$con = db_connect($DBSERVER,$OWNER,$PW);
+$con = db_connect(DBSERVER,OWNER,PW);
 db_select_db(DB,$con);
+
+$pattern = array('/sessionID/','/guiID/','/elementID/');
+$replacement = array(SID,"guiID=".$_REQUEST["gui_id"]);
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
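Review bot: `$pattern` has three entries but `$replacement` only two, so preg_replace() substitutes an empty string for `/elementID/` rather than the element id, and the `$replacement[3] = "elementID=".…` assignment in the `@@ -70,39 +79,38 @@` hunk writes index 3, which no pattern uses — index 2 is the one needed. Declaring the slot here, `$replacement = array(SID, "guiID=".$_REQUEST["gui_id"], "");`, and assigning `$replacement[2]` in the element loop fixes both. The gui_id value now reaches the database only through db_prep_query(), but this array writes it back raw into element attributes and src URLs, so wrapping it in `htmlspecialchars($_REQUEST["gui_id"], ENT_QUOTES)` (or urlencode() where it forms a query-string value) is worth adding. The old code also ran SID through strip_tags() before substitution; using `strip_tags(SID)` as the first entry keeps that filter.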
@@ -41,22 +46,26 @@
 ?>
 <title>MB2 - <?php  echo  $_REQUEST["gui_id"];?></title>
 <?php
-	$sql = "SELECT * FROM gui_element_vars WHERE fkey_e_id = 'body' AND fkey_gui_id = '".$gui_id."' and var_type='file/css'";
-	$res = db_query($sql);
-	$cnt = 0;
-	while($row = db_fetch_array($res)){
+$sql = "SELECT * FROM gui_element_vars WHERE fkey_e_id = 'body' AND fkey_gui_id = $1 and var_type='file/css'";
+$v = array($_REQUEST["gui_id"]);
+$t = array('s');
+$res = db_prep_query($sql,$v,$t);
+$cnt = 0;
+while($row = db_fetch_array($res)){
 	echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"".$row["var_value"]."\" />\n";
 }
 ?>
 <style type="text/css">
 <!--
 <?php
-	$sql = "SELECT * FROM gui_element_vars WHERE fkey_e_id = 'body' AND fkey_gui_id = '".$gui_id."' and var_type='text/css'";
-	$res = db_query($sql);
-	$cnt = 0;
-	while($row = db_fetch_array($res)){
-		echo $row["var_value"];
-	}
+$sql = "SELECT * FROM gui_element_vars WHERE fkey_e_id = 'body' AND fkey_gui_id = $1 and var_type='text/css'";
+$v = array($_REQUEST["gui_id"]);
+$t = array('s');
+$res = db_prep_query($sql,$v,$t);
+$cnt = 0;
+while($row = db_fetch_array($res)){
+	echo $row["var_value"];
+}
 ?>
 -->
 </style>
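Review bot: The same `$_REQUEST["gui_id"]` this hunk now binds as `$1` through db_prep_query() is still echoed raw into the page title on the context line above the first query, `<?php  echo  $_REQUEST["gui_id"];?>`; `<?php echo htmlspecialchars($_REQUEST["gui_id"], ENT_QUOTES); ?>` closes that gap. The `$cnt = 0;` in both rewritten blocks is never read within this hunk and can be dropped.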
@@ -70,39 +79,38 @@
 $frame = "";
 /*********************************************/
 
-include("../../conf/mapbender.conf");
-$con = db_connect($DBSERVER,$OWNER,$PW);
-db_select_db($DB,$con);
-
-require_once("../php/mb_validateInput.php");
-$gui = mb_validateInput($_REQUEST["gui_id"]);
-$sql = "SELECT DISTINCT e_mb_mod, e_pos FROM gui_element WHERE e_public = 1 AND fkey_gui_id = '".$gui."' ORDER BY e_pos";
-$res = db_query($sql);
+$sql = "SELECT DISTINCT e_mb_mod FROM gui_element WHERE e_public = 1 AND fkey_gui_id = $1";
+$v = array($_REQUEST["gui_id"]);
+$t = array('s');
+$res = db_prep_query($sql,$v,$t);
 $cnt = 0;
 while($row = db_fetch_array($res)){
 	if($row["e_mb_mod"] != ""){
-		echo "<script type='text/javascript' src='../javascripts/".trim($row["e_mb_mod"])."?gui_id=".$gui."'></script> ";
+		echo "<script type='text/javascript' src='../javascripts/".trim($row["e_mb_mod"])."?gui_id=".$_REQUEST["gui_id"]."'></script> ";
 	}
 	$cnt++;
 }
 ?>
 </head>
 <?php
-$sql = "SELECT * FROM gui_element WHERE e_public = 1 AND fkey_gui_id = '".$gui."' ORDER BY e_pos";
-$res = db_query($sql);
+$sql = "SELECT * FROM gui_element WHERE e_public = 1 AND fkey_gui_id = $1 ORDER BY e_pos";
+$v = array($_REQUEST["gui_id"]);
+$t = array('s');
+$res = db_prep_query($sql,$v,$t);
 $i = 0;
 while(db_fetch_row($res)){
+	$replacement[3] = "elementID=".db_result($res,$i,"e_id");
 	echo "<".db_result($res,$i,"e_element")." ";
 	if(db_result($res,$i,"e_id") != ""){
 		echo " id='".db_result($res,$i,"e_id")."'";
 		echo " name='".db_result($res,$i,"e_id")."'";
 	}
 	if(db_result($res,$i,"e_attributes") != ""){
-		echo " ".stripslashes(preg_replace("/sessionID/",strip_tags(SID),db_result($res,$i,"e_attributes")));
+		echo " ".stripslashes(preg_replace($pattern,$replacement,db_result($res,$i,"e_attributes")));
 	}
 	if(db_result($res,$i,"e_src") != ""){
 		if(db_result($res,$i,"e_closetag") == "iframe" && db_result($res,$i,"e_id") != 'loadData'){
-      		echo " src = '".preg_replace("/sessionID/",strip_tags(SID),db_result($res,$i,"e_src"));
+      		echo " src = '".preg_replace($pattern,$replacement,db_result($res,$i,"e_src"));
 				if(strpos(db_result($res,$i,"e_src"), "?")) {
 					echo "&";
 				}
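Review bot: On the `<script type='text/javascript' src='../javascripts/…?gui_id=…'>` line the previously validated `$gui` (mb_validateInput(), removed in this hunk) is replaced by raw `$_REQUEST["gui_id"]`, so the prepared statement now protects the query but nothing protects the single-quoted attribute; `htmlspecialchars($_REQUEST["gui_id"], ENT_QUOTES)` (or urlencode(), since it is a query-string value) should wrap it. The preg_replace() calls here and in the `@@ -112,7 +120,7 @@` hunk also lose the `strip_tags(SID)` filter the old code applied to the session id; unless the id is validated elsewhere, keeping that filter in the replacement array is cheap. The while loop whose body these lines belong to continues past the end of the hunk.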
@@ -112,7 +120,7 @@
       			echo "e_id_css=".db_result($res,$i,"e_id")."&e_id=".db_result($res,$i,"e_id")."'";
 		}
 		else{
-			echo " src = '".preg_replace("/sessionID/",strip_tags(SID),db_result($res,$i,"e_src"))."'";
+			echo " src = '".preg_replace($pattern,$replacement,db_result($res,$i,"e_src"))."'";
 		}
 	}
 	echo " style = '";



