svn commit: r297 - trunk/mapbender/http/php/mod_user_filteredGroup.php

uli at osgeo.org uli at osgeo.org
Tue May 16 03:27:54 EDT 2006


Author: uli
Date: 2006-05-16 07:27:54+0000
New Revision: 297

Modified:
   trunk/mapbender/http/php/mod_user_filteredGroup.php

Log:
db_prep_query included
verification of user permissions

Modified: trunk/mapbender/http/php/mod_user_filteredGroup.php
Url: https://mapbender.osgeo.org/source/browse/mapbender/trunk/mapbender/http/php/mod_user_filteredGroup.php?view=diff&rev=297&p1=trunk/mapbender/http/php/mod_user_filteredGroup.php&p2=trunk/mapbender/http/php/mod_user_filteredGroup.php&r1=296&r2=297
==============================================================================
--- trunk/mapbender/http/php/mod_user_filteredGroup.php	(original)
+++ trunk/mapbender/http/php/mod_user_filteredGroup.php	2006-05-16 07:27:54+0000
@@ -18,14 +18,11 @@
 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
 import_request_variables("PG");
-session_start();
-
-require_once("mb_validateInput.php");
 require_once("../../conf/mapbender.conf");
-require_once("../classes/class_wms.php"); 
-$con = db_connect($DBSERVER,$OWNER,$PW);
+$con = db_connect(DBSERVER,OWNER,PW);
 db_select_db(DB,$con);
-$gui_id = $_SESSION["mb_user_gui"];
+require_once("../php/mb_validatePermission.php");
+$self = $PHP_SELF . "?".SID."&guiID=".$_REQUEST["guiID"]."&elementID=".$_REQUEST["elementID"];
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 
@@ -65,10 +62,6 @@
 </head>
 <body>
 <?php
-require_once("../../conf/mapbender.conf");
-$con = db_connect($DBSERVER,$OWNER,$PW);
-db_select_db(DB,$con);
-
 
 $fieldHeight = 20;
 
@@ -81,17 +74,21 @@
 $logged_user_name=$_SESSION["mb_user_name"];
 $logged_user_id=$_SESSION["mb_user_id"];
 
-/*handle remove, update and insert**************************************************************************************/
+/*handle remove, update and insert*****************************************************************/
 if($insert){
 	if(count($selected_group)>0){
 		for($i=0; $i<count($selected_group); $i++){
 			$exists = false;
-			$sql_insert = "SELECT * from mb_user_mb_group where fkey_mb_user_id = '".$selected_user."' and fkey_mb_group_id = '".$selected_group[$i]."'";
-			$res_insert = db_query($sql_insert);
+			$sql_insert = "SELECT * from mb_user_mb_group where fkey_mb_user_id = $1 and fkey_mb_group_id = $2 ";
+			$v = array($selected_user,$selected_group[$i]);
+			$t = array('i','i');
+			$res_insert = db_prep_query($sql_insert,$v,$t);
 			while(db_fetch_row($res_insert)){$exists = true;}
 			if($exists == false){
-				$sql_insert = "INSERT INTO mb_user_mb_group(fkey_mb_user_id, fkey_mb_group_id) VALUES('$selected_user', '".$selected_group[$i]."');";
-				$res_insert = db_query($sql_insert);
+				$sql_insert = "INSERT INTO mb_user_mb_group(fkey_mb_user_id, fkey_mb_group_id) VALUES($1, $2)";
+				$v = array($selected_user,$selected_group[$i]);
+				$t = array('i','i');
+				$res_insert = db_prep_query($sql_insert,$v,$t);
 			}
 		}
 	}
@@ -99,24 +96,26 @@
 if($remove){
 	if(count($remove_group)>0){
 		for($i=0; $i<count($remove_group); $i++){
-			$sql_remove = "DELETE FROM mb_user_mb_group WHERE fkey_mb_group_id = '".$remove_group[$i]."' and fkey_mb_user_id = '$selected_user'";
-			db_query($sql_remove);
+			$sql_remove = "DELETE FROM mb_user_mb_group WHERE fkey_mb_group_id = $1 and fkey_mb_user_id = $2";
+			$v = array($remove_group[$i],$selected_user);
+			$t = array('i','i');
+			db_prep_query($sql_remove,$v,$t);
 		}
 	}
 }
 
-/*get owner groups  ********************************************************************************************/
-#$sql_group = "SELECT * FROM mb_group ORDER BY mb_group_name";
-$sql_group = "SELECT * FROM mb_group WHERE mb_group_owner='".$logged_user_id."' ORDER BY mb_group_name";
-
-$res_group = db_query($sql_group);
+/*get owner groups  *******************************************************************************/
+$sql_group = "SELECT * FROM mb_group WHERE mb_group_owner = $1 ORDER BY mb_group_name";
+$v = array($logged_user_id);
+$t = array('i');
+$res_group = db_prep_query($sql_group,$v,$t);
 while($row = db_fetch_array($res_group)){
 	$group_id[$cnt_group] = $row["mb_group_id"];
 	$group_name[$cnt_group] = $row["mb_group_name"];
 	$cnt_group++;
 }
 
-/*get all user **********************************************************************************************/
+/*get all user ************************************************************************************/
 $sql_user = "SELECT * FROM mb_user ORDER BY mb_user_name";
 $res_user = db_query($sql_user);
 while($row = db_fetch_array($res_user)){
@@ -125,16 +124,20 @@
 	$cnt_user++;
 }
 
-/*get owner group from selected_user******************************************************************************/
+/*get owner group from selected_user***************************************************************/
+$v = array();
+$t = array();
 $sql_user_mb_group = "SELECT mb_group.mb_group_id, mb_group.mb_group_name, mb_user_mb_group.fkey_mb_user_id FROM mb_user_mb_group ";
 $sql_user_mb_group .= "INNER JOIN mb_group ON mb_user_mb_group.fkey_mb_group_id = mb_group.mb_group_id ";
-$sql_user_mb_group .= "WHERE mb_user_mb_group.fkey_mb_user_id='";
-
-if(!$selected_user){$sql_user_mb_group .= $user_id[0];}
-if($selected_user){$sql_user_mb_group .= $selected_user;}
-$sql_user_mb_group .= "' AND mb_group.mb_group_owner = '".$logged_user_id."'";
+$sql_user_mb_group .= "WHERE mb_user_mb_group.fkey_mb_user_id = $1 ";
+if(!$selected_user){array_push($v,$user_id[0]);}
+if($selected_user){array_push($v,$selected_user);}
+array_push($t,'i');
+$sql_user_mb_group .= " AND mb_group.mb_group_owner = $2 ";
+array_push($v,$logged_user_id);
+array_push($t,'i');
 $sql_user_mb_group .= " ORDER BY mb_group.mb_group_name";
-$res_user_mb_group = db_query($sql_user_mb_group);
+$res_user_mb_group = db_prep_query($sql_user_mb_group,$v,$t);
 while($row = db_fetch_array($res_user_mb_group)){
 	$group_id_user[$cnt_group_user] = $row["mb_group_id"];
 	$group_name_user[$cnt_group_user] =  $row["mb_group_name"];
@@ -142,9 +145,9 @@
 }
 
 /*INSERT HTML*/
-echo "<form name='form1' action='" . $PHP_SELF . "?".SID."&e_id_css=".$_REQUEST["e_id_css"]."' method='post'>";
+echo "<form name='form1' action='" . $self ."' method='post'>";
 
-/*insert all user in selectbox*************************************************************************************/
+/*insert all user in selectbox*********************************************************************/
 echo "<div class='text1'>USER: </div>";
 echo "<select style='background:#ffffff' class='select1' name='selected_user' onChange='submit()' size='10'>";
 for($i=0; $i<$cnt_user; $i++){
@@ -156,7 +159,7 @@
 }
 echo "</select>";
 
-/*insert all group in selectbox**************************************************************************/
+/*insert all group in selectbox********************************************************************/
 echo "<div class='text2'>GROUP:</div>";
 echo "<select style='background:#ffffff' class='select2' multiple='multiple' name='selected_group[]' size='$fieldHeight' >";
 for($i=0; $i<$cnt_group; $i++){
@@ -164,7 +167,7 @@
 }
 echo "</select>";
 
-/*Button****************************************************************************************************/
+/*Button*******************************************************************************************/
 
 echo "<div class='button1'><input type='button'  value='==>' onClick='validate(\"insert\")'></div>";
 echo "<input type='hidden' name='insert'>";
@@ -172,7 +175,7 @@
 echo "<div class='button2'><input type='button' value='<==' onClick='validate(\"remove\")'></div>";
 echo "<input type='hidden' name='remove'>";
 
-/*insert user_group_dependence in selectbox**************************************************/
+/*insert user_group_dependence in selectbox********************************************************/
 echo "<div class='text3'>SELECTED GROUP:</div>";
 echo "<select style='background:#ffffff' class='select3' multiple='multiple' name='remove_group[]' size='$fieldHeight' >";
 for($i=0; $i<$cnt_group_user; $i++){




More information about the Mapbender_commits mailing list