svn commit: r342 - trunk/mapbender/http/php/mod_gui_owner.php
uli at osgeo.org
uli at osgeo.org
Wed May 24 09:37:08 EDT 2006
Author: uli
Date: 2006-05-24 13:37:08+0000
New Revision: 342
Modified:
trunk/mapbender/http/php/mod_gui_owner.php
Log:
validation of permissions
prepared statements included
Modified: trunk/mapbender/http/php/mod_gui_owner.php
Url: https://mapbender.osgeo.org/source/browse/mapbender/trunk/mapbender/http/php/mod_gui_owner.php?view=diff&rev=342&p1=trunk/mapbender/http/php/mod_gui_owner.php&p2=trunk/mapbender/http/php/mod_gui_owner.php&r1=341&r2=342
==============================================================================
--- trunk/mapbender/http/php/mod_gui_owner.php (original)
+++ trunk/mapbender/http/php/mod_gui_owner.php 2006-05-24 13:37:08+0000
@@ -18,8 +18,11 @@
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
require_once("../../conf/mapbender.conf");
-require_once("../php/mb_validateSession.php");
+$con = db_connect(DBSERVER,OWNER,PW);
+db_select_db(DB,$con);
+require_once("../php/mb_validatePermission.php");
import_request_variables("PG");
+$self = $PHP_SELF . "?".SID."&guiID=".$_REQUEST["guiID"]."&elementID=".$_REQUEST["elementID"];
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
@@ -61,9 +64,6 @@
</head>
<body>
<?php
-$con = db_connect($DBSERVER,$OWNER,$PW);
-db_select_db(DB,$con);
-
$fieldHeight = 20;
@@ -80,15 +80,21 @@
if(count($selected_user)>0 && count($selected_gui)>0){
for($i=0; $i<count($selected_user); $i++){
$exists = false;
- $sql_insert = "SELECT * from gui_mb_user where fkey_gui_id = '".$selected_gui."' and fkey_mb_user_id = '".$selected_user[$i]."'";
- $res_insert = db_query($sql_insert);
+ $sql_insert = "SELECT * from gui_mb_user where fkey_gui_id = $1 and fkey_mb_user_id = $2";
+ $v = array($selected_gui,$selected_user[$i]);
+ $t = array('s','i');
+ $res_insert = db_prep_query($sql_insert,$v,$t);
while(db_fetch_row($res_insert)){$exists = true;}
if($exists == false){
- $sql_insert = "INSERT INTO gui_mb_user(fkey_gui_id, fkey_mb_user_id) VALUES('$selected_gui', '".$selected_user[$i]."');";
- $res_insert = db_query($sql_insert);
+ $sql_insert = "INSERT INTO gui_mb_user(fkey_gui_id, fkey_mb_user_id) VALUES($1, $2)";
+ $v = array($selected_gui,$selected_user[$i]);
+ $t = array('s','i');
+ $res_insert = db_prep_query($sql_insert,$v,$t);
}
- $sql_set_owner = "UPDATE gui_mb_user SET mb_user_type = 'owner' WHERE fkey_gui_id = '".$selected_gui."' AND fkey_mb_user_id = ".$selected_user[$i];
- $res_set_owner = db_query($sql_set_owner);
+ $sql_set_owner = "UPDATE gui_mb_user SET mb_user_type = 'owner' WHERE fkey_gui_id = $1 AND fkey_mb_user_id = $2";
+ $v = array($selected_gui,$selected_user[$i]);
+ $t = array('s','i');
+ $res_set_owner = db_prep_query($sql_set_owner,$v,$t);
}
}
@@ -96,9 +102,10 @@
if($remove){
if(count($remove_user)>0){
for($i=0; $i<count($remove_user); $i++){
- $sql_remove = "DELETE FROM gui_mb_user WHERE fkey_mb_user_id = '".$remove_user[$i]."' and fkey_gui_id = '$selected_gui'";
- $sql_remove = "UPDATE gui_mb_user SET mb_user_type = '' WHERE fkey_gui_id = '".$selected_gui."' AND fkey_mb_user_id = ".$remove_user[$i];
- db_query($sql_remove);
+ $sql_remove = "UPDATE gui_mb_user SET mb_user_type = '' WHERE fkey_gui_id = $1 AND fkey_mb_user_id = $2";
+ $v = array($selected_gui,$remove_user[$i]);
+ $t = array('s','i');
+ db_prep_query($sql_remove,$v,$t);
}
}
}
@@ -109,13 +116,17 @@
$admin = new administration();
$ownguis = $admin->getGuisByOwner($_SESSION["mb_user_id"]);
if (count($ownguis)>0){
+ $v = array();
+ $t = array();
$sql_gui = "SELECT * FROM gui WHERE gui_id IN (";
for($i=0; $i<count($ownguis); $i++){
if($i>0){ $sql_gui .= ",";}
- $sql_gui .= "'".$ownguis[$i]."'";
+ $sql_gui .= "$".($i+1);
+ array_push($v,$ownguis[$i]);
+ array_push($t,'s');
}
$sql_gui .= ") ORDER BY gui_name";
- $res_gui = db_query($sql_gui);
+ $res_gui = db_prep_query($sql_gui,$v,$t);
while($row = db_fetch_array($res_gui)){
$gui_id_array[$cnt_gui] = $row["gui_id"];
$gui_name[$cnt_gui] = $row["gui_name"];
@@ -134,12 +145,12 @@
/*get all user from selected gui******************************************************************************/
$sql_gui_mb_user = "SELECT mb_user.mb_user_id, mb_user.mb_user_name, gui_mb_user.fkey_gui_id FROM gui_mb_user ";
$sql_gui_mb_user .= "INNER JOIN mb_user ON gui_mb_user.fkey_mb_user_id = mb_user.mb_user_id ";
-$sql_gui_mb_user .= "WHERE gui_mb_user.fkey_gui_id= '";
-
-if(!$selected_gui){$sql_gui_mb_user .= $gui_id_array[0];}
-if($selected_gui){$sql_gui_mb_user .= $selected_gui;}
-$sql_gui_mb_user .= "' AND gui_mb_user.mb_user_type = 'owner' ORDER BY mb_user.mb_user_name";
-$res_gui_mb_user = db_query($sql_gui_mb_user);
+$sql_gui_mb_user .= "WHERE gui_mb_user.fkey_gui_id = $1";
+$sql_gui_mb_user .= " AND gui_mb_user.mb_user_type = 'owner' ORDER BY mb_user.mb_user_name";
+if(!$selected_gui){$v = array($gui_id_array[0]);}
+if($selected_gui){$v = array($selected_gui);}
+$t = array('s');
+$res_gui_mb_user = db_prep_query($sql_gui_mb_user,$v,$t);
while($row = db_fetch_array($res_gui_mb_user)){
$user_id_gui[$cnt_gui_user] = $row["mb_user_id"];
$user_name_gui[$cnt_gui_user] = $row["mb_user_name"];
@@ -148,7 +159,7 @@
/*INSERT HTML*/
-echo "<form name='form1' action='" . $PHP_SELF . "?".SID."' method='post'>";
+echo "<form name='form1' action='" . $self."' method='post'>";
/*insert projects in selectbox*************************************************************************************/
echo "<div class='text1'>GUI: </div>";
More information about the Mapbender_commits
mailing list