svn commit: r341 - trunk/mapbender/http/php/mod_user_filteredGui.php
uli at osgeo.org
uli at osgeo.org
Wed May 24 09:26:03 EDT 2006
Author: uli
Date: 2006-05-24 13:26:03+0000
New Revision: 341
Modified:
trunk/mapbender/http/php/mod_user_filteredGui.php
Log:
validation of permissions
prepared statements included
Modified: trunk/mapbender/http/php/mod_user_filteredGui.php
Url: https://mapbender.osgeo.org/source/browse/mapbender/trunk/mapbender/http/php/mod_user_filteredGui.php?view=diff&rev=341&p1=trunk/mapbender/http/php/mod_user_filteredGui.php&p2=trunk/mapbender/http/php/mod_user_filteredGui.php&r1=340&r2=341
==============================================================================
--- trunk/mapbender/http/php/mod_user_filteredGui.php (original)
+++ trunk/mapbender/http/php/mod_user_filteredGui.php 2006-05-24 13:26:03+0000
@@ -20,11 +20,14 @@
import_request_variables("PG");
session_start();
$gui_id = $_SESSION["mb_user_gui"];
-//require_once("mb_validateInput.php");
+
require_once("../../conf/mapbender.conf");
-require_once("../classes/class_wms.php");
-$con = db_connect($DBSERVER,$OWNER,$PW);
+$con = db_connect(DBSERVER,OWNER,PW);
db_select_db(DB,$con);
+require_once("mb_validatePermission.php");
+require_once("../classes/class_wms.php");
+$self = $PHP_SELF . "?".SID."&guiID=".$_REQUEST["guiID"]."&elementID=".$_REQUEST["elementID"];
+
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
@@ -92,12 +95,16 @@
if(count($selected_gui)>0){
for($i=0; $i<count($selected_gui); $i++){
$exists = false;
- $sql_insert = "SELECT * from gui_mb_user where fkey_mb_user_id = '".$selected_user."' and fkey_gui_id = '".$selected_gui[$i]."'";
- $res_insert = db_query($sql_insert);
+ $sql_insert = "SELECT * from gui_mb_user where fkey_mb_user_id = $1 and fkey_gui_id = $2";
+ $v = array($selected_user,$selected_gui[$i]);
+ $t = array('i','s');
+ $res_insert = db_prep_query($sql_insert,$v,$t);
while(db_fetch_row($res_insert)){$exists = true;}
if($exists == false){
- $sql_insert = "INSERT INTO gui_mb_user(fkey_mb_user_id, fkey_gui_id) VALUES('$selected_user', '".$selected_gui[$i]."');";
- $res_insert = db_query($sql_insert);
+ $sql_insert = "INSERT INTO gui_mb_user(fkey_mb_user_id, fkey_gui_id) VALUES($1, $2)";
+ $v = array($selected_user,$selected_gui[$i]);
+ $t = array('i','s');
+ $res_insert = db_prep_query($sql_insert,$v,$t);
}
}
}
@@ -105,8 +112,10 @@
if($remove){
if(count($remove_gui)>0){
for($i=0; $i<count($remove_gui); $i++){
- $sql_remove = "DELETE FROM gui_mb_user WHERE fkey_gui_id = '".$remove_gui[$i]."' and fkey_mb_user_id = '$selected_user'";
- db_query($sql_remove);
+ $sql_remove = "DELETE FROM gui_mb_user WHERE fkey_gui_id = $1 and fkey_mb_user_id = $2";
+ $v = array($remove_gui[$i],$selected_user);
+ $t = array('s','i');
+ db_prep_query($sql_remove,$v,$t);
}
}
}
@@ -128,15 +137,18 @@
$arrayGuis=mb_getGUIs($logged_user_id);
$sql_gui = "SELECT * FROM gui WHERE gui_id IN (";
-
+$v = array();
+$t = array();
for($i=0; $i<count($arrayGuis); $i++){
if($i>0){ $sql_gui .= ",";}
- $sql_gui .= "'".$arrayGuis[$i]."'";
+ $sql_gui .= "$".($i+1);
+ array_push($v,$arrayGuis[$i]);
+ array_push($t,'s');
}
$sql_gui.= ") ORDER BY gui_name";
-$res_gui = db_query($sql_gui);
+$res_gui = db_prep_query($sql_gui,$v,$t);
while($row = db_fetch_array($res_gui)){
$gui_id_array[$cnt_gui] = $row["gui_id"];
$gui_name[$cnt_gui] = $row["gui_name"];
@@ -148,11 +160,11 @@
/*get allocated gui from logged_user******************************************************************************/
$sql_logged_user_mb_gui = "SELECT gui.gui_id, gui.gui_name, gui_mb_user.fkey_mb_user_id FROM gui_mb_user ";
$sql_logged_user_mb_gui .= "INNER JOIN gui ON gui_mb_user.fkey_gui_id = gui.gui_id ";
-$sql_logged_user_mb_gui .= "WHERE gui_mb_user.fkey_mb_user_id='".$logged_user_id."'";
+$sql_logged_user_mb_gui .= "WHERE gui_mb_user.fkey_mb_user_id = $1";
$sql_logged_user_mb_gui .= " ORDER BY gui.gui_name";
-
-
-$res_logged_user_mb_all_gui = db_query($sql_logged_user_mb_gui);
+$v = array($logged_user_id);
+$t = array('i');
+$res_logged_user_mb_all_gui = db_prep_query($sql_logged_user_mb_gui,$v,$t);
while($roe = db_fetch_array($res_logged_user_mb_all_gui)){
$gui_id_logged_user[$cnt_gui_logged_user] = $row["gui_id"];
$gui_name_logged_user[$cnt_gui_logged_user] = $row["gui_name"];
@@ -160,19 +172,25 @@
}
/*get allocated gui from selected_user******************************************************************************/
+$v = array();
+$t = array();
+$c = 2;
$sql_user_mb_gui = "SELECT gui.gui_id, gui.gui_name, gui_mb_user.fkey_mb_user_id FROM gui_mb_user ";
$sql_user_mb_gui .= "INNER JOIN gui ON gui_mb_user.fkey_gui_id = gui.gui_id ";
-$sql_user_mb_gui .= "WHERE gui_mb_user.fkey_mb_user_id=";
-if(!$selected_user){$sql_user_mb_gui .= $user_id[0];}
-if($selected_user){$sql_user_mb_gui .= $selected_user;}
+$sql_user_mb_gui .= "WHERE gui_mb_user.fkey_mb_user_id = $1";
+if(!$selected_user){array_push($v,$user_id[0]);}
+if($selected_user){array_push($v,$selected_user);}
+array_push($t,'i');
$sql_user_mb_gui .= " AND gui.gui_id IN(";
for($i=0; $i<count($arrayGuis); $i++){
if($i>0){ $sql_user_mb_gui .= ",";}
- $sql_user_mb_gui .= "'".$arrayGuis[$i]."'";
+ $sql_user_mb_gui .= "$".$c;
+ array_push($v,$arrayGuis[$i]);
+ array_push($t,'s');
+ $c++;
}
$sql_user_mb_gui .= ") ORDER BY gui.gui_name";
-
-$res_user_mb_gui = db_query($sql_user_mb_gui);
+$res_user_mb_gui = db_prep_query($sql_user_mb_gui,$v,$t);
while($row = db_fetch_array($res_user_mb_gui)){
$gui_id_user[$cnt_gui_user] = $row["gui_id"];
$gui_name_user[$cnt_gui_user] = $row["gui_name"];
@@ -180,7 +198,7 @@
}
/*INSERT HTML*/
-echo "<form name='form1' action='" . $PHP_SELF . "?".SID."&e_id_css=".$_REQUEST["e_id_css"]."' method='post'>";
+echo "<form name='form1' action='" . $self ."' method='post'>";
/*insert all user in selectbox*************************************************************************************/
echo "<div class='text1'>USER: </div>";
More information about the Mapbender_commits
mailing list