[Mapbender-commits] r2038 - branches/2.5/http/php
svn_mapbender at osgeo.org
svn_mapbender at osgeo.org
Tue Jan 29 07:49:26 EST 2008
Author: christoph
Date: 2008-01-29 07:49:26 -0500 (Tue, 29 Jan 2008)
New Revision: 2038
Modified:
branches/2.5/http/php/mod_changeEPSG.php
branches/2.5/http/php/mod_editWMS_Metadata.php
branches/2.5/http/php/nestedSets.php
Log:
prepared statements / parameter check
Modified: branches/2.5/http/php/mod_changeEPSG.php
===================================================================
--- branches/2.5/http/php/mod_changeEPSG.php 2008-01-29 12:46:00 UTC (rev 2037)
+++ branches/2.5/http/php/mod_changeEPSG.php 2008-01-29 12:49:26 UTC (rev 2038)
@@ -59,60 +59,73 @@
echo "var newExtent = new Array();";
for($i=0; $i < count($arraymapObj); $i++){
$temp = mb_split(",",$arraymapObj[$i]);
- if(SYS_DBTYPE=='pgsql'){
- $con = db_connect($DBSERVER,$OWNER,$PW);
- $sqlMinx = "SELECT X(transform(GeometryFromText('POINT(".$temp[2]." ".$temp[3].")',".preg_replace("/EPSG:/","",$temp[1])."),".preg_replace("/EPSG:/","",$_REQUEST["newSRS"]).")) as minx";
- $resMinx = db_query($sqlMinx);
- $minx = db_result($resMinx,0,"minx");
-
- $sqlMiny = "SELECT Y(transform(GeometryFromText('POINT(".$temp[2]." ".$temp[3].")',".preg_replace("/EPSG:/","",$temp[1])."),".preg_replace("/EPSG:/","",$_REQUEST["newSRS"]).")) as miny";
- $resMiny = db_query($sqlMiny);
- $miny = db_result($resMiny,0,"miny");
-
- $sqlMaxx = "SELECT X(transform(GeometryFromText('POINT(".$temp[4]." ".$temp[5].")',".preg_replace("/EPSG:/","",$temp[1])."),".preg_replace("/EPSG:/","",$_REQUEST["newSRS"]).")) as maxx";
- $resMaxx =db_query($sqlMaxx);
- $maxx = db_result($resMaxx,0,"maxx");
-
- $sqlMaxy = "SELECT Y(transform(GeometryFromText('POINT(".$temp[4]." ".$temp[5].")',".preg_replace("/EPSG:/","",$temp[1])."),".preg_replace("/EPSG:/","",$_REQUEST["newSRS"]).")) as maxy";
- $resMaxy = db_query($sqlMaxy);
- $maxy = db_result($resMaxy,0,"maxy");
- }else{
- $con_string = "host=$GEOS_DBSERVER port=$GEOS_PORT dbname=$GEOS_DB user=$GEOS_OWNER password=$GEOS_PW";
- $con = pg_connect($con_string) or die ("Error while connecting database");
-
- $sqlMinx = "SELECT X(transform(GeometryFromText('POINT(".$temp[2]." ".$temp[3].")',".preg_replace("/EPSG:/","",$temp[1])."),".preg_replace("/EPSG:/","",$_REQUEST["newSRS"]).")) as minx";
- $resMinx = pg_query($con,$sqlMinx);
- $minx = pg_fetch_result($resMinx,0,"minx");
-
- $sqlMiny = "SELECT Y(transform(GeometryFromText('POINT(".$temp[2]." ".$temp[3].")',".preg_replace("/EPSG:/","",$temp[1])."),".preg_replace("/EPSG:/","",$_REQUEST["newSRS"]).")) as miny";
- $resMiny = pg_query($con,$sqlMiny);
- $miny = pg_fetch_result($resMiny,0,"miny");
-
- $sqlMaxx = "SELECT X(transform(GeometryFromText('POINT(".$temp[4]." ".$temp[5].")',".preg_replace("/EPSG:/","",$temp[1])."),".preg_replace("/EPSG:/","",$_REQUEST["newSRS"]).")) as maxx";
- $resMaxx = pg_query($con,$sqlMaxx);
- $maxx = pg_fetch_result($resMaxx,0,"maxx");
-
- $sqlMaxy = "SELECT Y(transform(GeometryFromText('POINT(".$temp[4]." ".$temp[5].")',".preg_replace("/EPSG:/","",$temp[1])."),".preg_replace("/EPSG:/","",$_REQUEST["newSRS"]).")) as maxy";
- $resMaxy = pg_query($con,$sqlMaxy);
- $maxy = pg_fetch_result($resMaxy,0,"maxy");
- }
- $extenty = $maxy - $miny;
- $extentx = $maxx - $minx;
- $relation_px_x = $temp[6] / $temp[7];
- $relation_px_y = $temp[7] / $temp[6];
- $relation_bbox_x = $extentx / $extenty;
- if($relation_bbox_x <= $relation_px_x){
- $centerx = $minx + ($extentx/2);
- $minx = $centerx - $relation_px_x * $extenty / 2;
- $maxx = $centerx + $relation_px_x * $extenty / 2;
+ // check if parameters are valid geometries to
+ // avoid SQL injections
+
+ $oldEPSG = preg_replace("/EPSG:/","",$temp[1]);
+ $newEPSG = preg_replace("/EPSG:/","",$_REQUEST["newSRS"]);
+
+ if (is_numeric($temp[2]) && is_numeric($temp[3]) && is_numeric($temp[4]) && is_numeric($temp[5]) && is_numeric($oldEPSG) && is_numeric($newEPSG)) {
+
+ if(SYS_DBTYPE=='pgsql'){
+ $con = db_connect($DBSERVER,$OWNER,$PW);
+ $sqlMinx = "SELECT X(transform(GeometryFromText('POINT(".$temp[2]." ".$temp[3].")',".$oldEPSG."),".$newEPSG.")) as minx";
+ $resMinx = db_query($sqlMinx);
+ $minx = db_result($resMinx,0,"minx");
+
+ $sqlMiny = "SELECT Y(transform(GeometryFromText('POINT(".$temp[2]." ".$temp[3].")',".$oldEPSG."),".$newEPSG.")) as miny";
+ $resMiny = db_query($sqlMiny);
+ $miny = db_result($resMiny,0,"miny");
+
+ $sqlMaxx = "SELECT X(transform(GeometryFromText('POINT(".$temp[4]." ".$temp[5].")',".$oldEPSG."),".$newEPSG.")) as maxx";
+ $resMaxx = db_query($sqlMaxx);
+ $maxx = db_result($resMaxx,0,"maxx");
+
+ $sqlMaxy = "SELECT Y(transform(GeometryFromText('POINT(".$temp[4]." ".$temp[5].")',".$oldEPSG."),".$newEPSG.")) as maxy";
+ $resMaxy = db_query($sqlMaxy);
+ $maxy = db_result($resMaxy,0,"maxy");
+ }else{
+ $con_string = "host=$GEOS_DBSERVER port=$GEOS_PORT dbname=$GEOS_DB user=$GEOS_OWNER password=$GEOS_PW";
+ $con = pg_connect($con_string) or die ("Error while connecting database");
+
+ $sqlMinx = "SELECT X(transform(GeometryFromText('POINT(".$temp[2]." ".$temp[3].")',".$oldEPSG."),".$newEPSG.")) as minx";
+ $resMinx = pg_query($con,$sqlMinx);
+ $minx = pg_fetch_result($resMinx,0,"minx");
+
+ $sqlMiny = "SELECT Y(transform(GeometryFromText('POINT(".$temp[2]." ".$temp[3].")',".$oldEPSG."),".$newEPSG.")) as miny";
+ $resMiny = pg_query($con,$sqlMiny);
+ $miny = pg_fetch_result($resMiny,0,"miny");
+
+ $sqlMaxx = "SELECT X(transform(GeometryFromText('POINT(".$temp[4]." ".$temp[5].")',".$oldEPSG."),".$newEPSG.")) as maxx";
+ $resMaxx = pg_query($con,$sqlMaxx);
+ $maxx = pg_fetch_result($resMaxx,0,"maxx");
+
+ $sqlMaxy = "SELECT Y(transform(GeometryFromText('POINT(".$temp[4]." ".$temp[5].")',".$oldEPSG."),".$newEPSG.")) as maxy";
+ $resMaxy = pg_query($con,$sqlMaxy);
+ $maxy = pg_fetch_result($resMaxy,0,"maxy");
+ }
+ $extenty = $maxy - $miny;
+ $extentx = $maxx - $minx;
+ $relation_px_x = $temp[6] / $temp[7];
+ $relation_px_y = $temp[7] / $temp[6];
+ $relation_bbox_x = $extentx / $extenty;
+
+ if($relation_bbox_x <= $relation_px_x){
+ $centerx = $minx + ($extentx/2);
+ $minx = $centerx - $relation_px_x * $extenty / 2;
+ $maxx = $centerx + $relation_px_x * $extenty / 2;
+ }
+ if($relation_bbox_x > $relation_px_x){
+ $centery = $miny + ($extenty/2);
+ $miny = $centery - $relation_px_y * $extentx / 2;
+ $maxy = $centery + $relation_px_y * $extentx / 2;
+ }
+ echo "newExtent[".$i."] = '".$temp[0].",".$_REQUEST["newSRS"].",".$minx.",".$miny.",".$maxx.",".$maxy."';";
}
- if($relation_bbox_x > $relation_px_x){
- $centery = $miny + ($extenty/2);
- $miny = $centery - $relation_px_y * $extentx / 2;
- $maxy = $centery + $relation_px_y * $extentx / 2;
- }
- echo "newExtent[".$i."] = '".$temp[0].",".$_REQUEST["newSRS"].",".$minx.",".$miny.",".$maxx.",".$maxy."';";
+ else {
+ echo "var e = new parent.Mb_exception('mod_changeEPSG.php: invalid input parameter (p1 = (" . $temp[2] . "," . $temp[3] . "), p2 = (" . $temp[4] . "," . $temp[5] . "), old EPSG: " . $oldEPSG . ", new EPSG: " . $newEPSG . ", ).');";
+ }
}
echo "</script>";
}
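Review bot: The `else` branch at the end of the hunk echoes the rejected `$temp[2..5]`, `$oldEPSG` and `$newEPSG` values unescaped into a JavaScript string literal inside the `<script>` block, so the very inputs that failed `is_numeric()` reach the browser verbatim; the new validation protects the SQL but not the emitted script. Keep the diagnostic free of raw input, e.g. `echo "var e = new parent.Mb_exception('mod_changeEPSG.php: invalid input parameter for map object " . $i . "');";`, and log the offending values server-side if they are needed for debugging. The check also leaves `$temp[6]` and `$temp[7]` unvalidated although they are used as divisors on the `$relation_px_x` / `$relation_px_y` lines, so a zero or non-numeric width/height still produces a division warning or a meaningless extent; adding both to the `is_numeric()` condition (and rejecting 0) would close that. The `for` loop and the surrounding function start before this hunk.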
Modified: branches/2.5/http/php/mod_editWMS_Metadata.php
===================================================================
--- branches/2.5/http/php/mod_editWMS_Metadata.php 2008-01-29 12:46:00 UTC (rev 2037)
+++ branches/2.5/http/php/mod_editWMS_Metadata.php 2008-01-29 12:49:26 UTC (rev 2038)
@@ -101,51 +101,69 @@
#Update handling
-if(isset($_REQUEST['update_content']) && $_REQUEST['update_content'] == true)
-{
+if (isset($_REQUEST['update_content']) && $_REQUEST['update_content'] == true) {
- $update_wms_sql = "UPDATE wms SET " .
- "wms_title = '".$_REQUEST['wms_title_box']."', " .
- "wms_abstract = '".$_REQUEST['wms_abstract_box']."', " .
- "fees = '".$_REQUEST['fees_box']."', " .
- "accessconstraints = '".$_REQUEST['accessconstraints_box']."', " .
- "contactperson = '".$_REQUEST['contactperson_box']."', " .
- "contactposition = '".$_REQUEST['contactposition_box']."', " .
- "contactorganization = '".$_REQUEST['contactorganization_box']."', " .
- "address = '".$_REQUEST['address_box']."', " .
- "city = '".$_REQUEST['city_box']."', " .
- "stateorprovince = '".$_REQUEST['stateorprovince_box']."', " .
- "postcode = '".$_REQUEST['postcode_box']."', " .
- "country = '".$_REQUEST['country_box']."', " .
- "contactvoicetelephone = '".$_REQUEST['contactvoicetelephone_box']."', " .
- "contactfacsimiletelephone = '".$_REQUEST['contactfacsimiletelephone_box']."', " .
- "contactelectronicmailaddress = '".$_REQUEST['contactelectronicmailaddress_box']."'";
- if (isset($_REQUEST['wms_timestamp_box']) && $_REQUEST['wms_timestamp_box'] <> "")
- {
- $update_wms_sql .= ", " . "wms_timestamp = " .
- "'".guessTimestamp($_REQUEST['wms_timestamp_box'])."' ";
- }
- $update_wms_sql .= "WHERE wms_id = '".$_REQUEST['wms_id']."'";
- $res_update_wms_sql = db_query($update_wms_sql);
- while(list($key,$val) = each($_REQUEST))
+ $update_wms_sql = "UPDATE wms SET ";
+ $update_wms_sql .= "wms_title = $1, wms_abstract = $2, fees = $3, ";
+ $update_wms_sql .= "accessconstraints = $4, contactperson = $5, ";
+ $update_wms_sql .= "contactposition = $6, contactorganization = $7, ";
+ $update_wms_sql .= "address = $8, city = $9, stateorprovince = $10, ";
+ $update_wms_sql .= "postcode = $11, country = $12, ";
+ $update_wms_sql .= "contactvoicetelephone = $13, ";
+ $update_wms_sql .= "contactfacsimiletelephone = $14, ";
+ $update_wms_sql .= "contactelectronicmailaddress = $15 ";
+
+ $v = array();
+ array_push($v, $_REQUEST['wms_title_box']);
+ array_push($v, $_REQUEST['wms_abstract_box']);
+ array_push($v, $_REQUEST['fees_box']);
+ array_push($v, $_REQUEST['accessconstraints_box']);
+ array_push($v, $_REQUEST['contactperson_box']);
+ array_push($v, $_REQUEST['contactposition_box']);
+ array_push($v, $_REQUEST['contactorganization_box']);
+ array_push($v, $_REQUEST['address_box']);
+ array_push($v, $_REQUEST['city_box']);
+ array_push($v, $_REQUEST['stateorprovince_box']);
+ array_push($v, $_REQUEST['postcode_box']);
+ array_push($v, $_REQUEST['country_box']);
+ array_push($v, $_REQUEST['contactvoicetelephone_box']);
+ array_push($v, $_REQUEST['contactfacsimiletelephone_box']);
+ array_push($v, $_REQUEST['contactelectronicmailaddress_box']);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "s", "s", "s", "s", "s", "s", "s");
+
+ if (isset($_REQUEST['wms_timestamp_box']) && $_REQUEST['wms_timestamp_box'] <> "") {
+ $update_wms_sql .= ", wms_timestamp = $16 ";
+ array_push($v, guessTimestamp($_REQUEST['wms_timestamp_box']));
+ array_push($t, "s");
+
+ $update_wms_sql .= "WHERE wms_id = $17";
+ }
+ else {
+ $update_wms_sql .= "WHERE wms_id = $16";
+ }
+ array_push($v, $_REQUEST['wms_id']);
+ array_push($t, "s");
+
+ $res_update_wms_sql = db_prep_query($update_wms_sql, $v, $t);
+
+ while(list($key,$val) = each($_REQUEST))
{
if(preg_match("/___/", $key))
{
$myKey = explode("___", $key);
$layer_id = preg_replace("/L_/","",$myKey[0]);
- if($myKey[1]=="layer_abstract")
- {
- $layer_sql = "UPDATE layer SET layer_abstract = '$val' " .
- "WHERE layer_id = $layer_id AND fkey_wms_id = '".$_REQUEST['wms_id']."'";
- $res_keyword_sql = db_query($layer_sql);
+ if($myKey[1]=="layer_abstract") {
+ $layer_sql = "UPDATE layer SET layer_abstract = $1 ";
+ $layer_sql .= "WHERE layer_id = $2 AND fkey_wms_id = $3";
+ $v = array($val, $layer_id, $_REQUEST['wms_id']);
+ $t = array("s", "i", "s");
+ $res_keyword_sql = db_prep_query($layer_sql, $v, $t);
}
- if($myKey[1]=="layer_keywords")
- {
+ if($myKey[1]=="layer_keywords") {
#Get all keywords depending on the given layer after user modification
$keywords = explode(",",$val);
#delete all blanks from the keywords list
- for($j = 0; $j < count($keywords); $j++)
- {
+ for ($j = 0; $j < count($keywords); $j++) {
$word = $keywords[$j];
$word = trim($word);
$keywords[$j] = $word;
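Review bot: The rebuilt UPDATE ends in `WHERE wms_id = $16` / `WHERE wms_id = $17` with the id taken straight from `$_REQUEST['wms_id']`, and nothing in this hunk restricts the row to the requesting user, whereas the listing query further down (`@@ -277,8 +315,10 @@`) does filter on `wms_owner = $1` with `$_SESSION["mb_user_id"]`. Unless ownership is verified before line 101, which is outside this hunk, a logged-in user can rewrite the metadata of any WMS id by editing the request; binding the session user as an extra predicate, e.g. `$update_wms_sql .= " AND wms_owner = $18"; array_push($v, $_SESSION["mb_user_id"]); array_push($t, "i");` (placeholder number adjusted per branch), would make the update self-contained. The same applies to the `layer` UPDATE at `WHERE layer_id = $2 AND fkey_wms_id = $3`, which only checks that the layer belongs to the supplied wms_id; the update block continues past the end of this hunk.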
@@ -155,9 +173,12 @@
$keyword_sql = "SELECT keyword_id, keyword FROM keyword, layer_keyword, layer " .
"WHERE keyword.keyword_id = layer_keyword.fkey_keyword_id " .
"AND layer_keyword.fkey_layer_id = layer.layer_id " .
- "AND layer.fkey_wms_id = '".$_REQUEST['wms_id']."'" .
- "AND layer.layer_id = $layer_id";
- $res_keyword_sql = db_query($keyword_sql);
+ "AND layer.fkey_wms_id = $1 " .
+ "AND layer.layer_id = $2";
+
+ $v = array($_REQUEST['wms_id'], $layer_id);
+ $t = array("s", "i");
+ $res_keyword_sql = db_prep_query($keyword_sql, $v, $t);
while($keyword_row = db_fetch_array($res_keyword_sql))
{
$keyword = $keyword_row['keyword'];
@@ -171,19 +192,25 @@
#echo "1c: Keyword nicht in User Liste: Keyword: ", $keyword, ";<br>";
#Deleting reference to the keyword from the layer_keyword table.
$keyword_sql = "DELETE FROM layer_keyword " .
- "WHERE fkey_layer_id = $layer_id " .
- "AND fkey_keyword_id = $keyword_id";
- db_query($keyword_sql);
+ "WHERE fkey_layer_id = $1 " .
+ "AND fkey_keyword_id = $2";
+ $v = array($layer_id, $keyword_id);
+ $t = array("i", "i");
+ db_prep_query($keyword_sql, $v, $t);
#Checking, if the keyword is in use by any layer
$layer_sql = "SELECT * FROM layer_keyword " .
- "WHERE fkey_keyword_id = $keyword_id";
- $res_layer_sql = db_query($layer_sql);
+ "WHERE fkey_keyword_id = $1";
+ $v = array($keyword_id);
+ $t = array("i");
+ $res_layer_sql = db_prep_query($layer_sql, $v, $t);
if(!($row = db_fetch_array($res_layer_sql)))
{
#If keyword will not longer be in use, delete it from keyword table
$keyword_sql = "DELETE FROM keyword " .
- "WHERE keyword_id = $keyword_id";
- db_query($keyword_sql);
+ "WHERE keyword_id = $1";
+ $v = array($keyword_id);
+ $t = array("i");
+ db_prep_query($keyword_sql, $v, $t);
}
}
#Keyword exists in the database and in the user data
@@ -211,8 +238,10 @@
$keyword = trim($keywords[$i]);
#Check, if the keyword is exsiting in the database
$keyword_sql = "SELECT keyword_id FROM keyword " .
- "WHERE UPPER(keyword) = UPPER('$keyword')";
- $res_keyword_sql = db_query($keyword_sql);
+ "WHERE UPPER(keyword) = UPPER($1)";
+ $v = array($keyword);
+ $t = array("s");
+ $res_keyword_sql = db_prep_query($keyword_sql, $v, $t);
$keyword_row = db_fetch_array($res_keyword_sql);
#Keyword exists in the database
if($keyword_row != null)
@@ -223,10 +252,15 @@
#Keyword does not exist in the database
else
{
- $keyword_sql = "INSERT INTO keyword (keyword) VALUES ('$keyword')";
- $res_keyword_sql = db_query($keyword_sql);
- $keyword_sql = "SELECT keyword_id FROM keyword WHERE keyword = '$keyword'";
- $res_keyword_sql = db_query($keyword_sql);
+ $keyword_sql = "INSERT INTO keyword (keyword) VALUES ($1)";
+ $v = array($keyword);
+ $t = array("s");
+ $res_keyword_sql = db_prep_query($keyword_sql, $v, $t);
+
+ $keyword_sql = "SELECT keyword_id FROM keyword WHERE keyword = $1";
+ $v = array($keyword);
+ $t = array("s");
+ $res_keyword_sql = db_prep_query($keyword_sql, $v, $t);
$keyword_row = db_fetch_array($res_keyword_sql);
if($keyword_row != null)
{
@@ -236,8 +270,10 @@
}
#Inserting the reference between layer and keyword in the layer_keyword table
$keyword_sql = "INSERT INTO layer_keyword (fkey_layer_id, fkey_keyword_id) " .
- "VALUES ('$layer_id', '$keyword_id')";
- $res_keyword_sql = db_query($keyword_sql);
+ "VALUES ($1, $2)";
+ $v = array($layer_id, $keyword_id);
+ $t = array("s", "s");
+ $res_keyword_sql = db_prep_query($keyword_sql, $v, $t);
}
}
#Delete all elements from array
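Review bot: The type array `$t = array("s", "s");` for the `layer_keyword` INSERT binds `$layer_id` and `$keyword_id` as strings, while every other statement in this commit binds the same two values as `"i"` (e.g. the DELETE in `@@ -171,19 +192,25 @@` with `$t = array("i", "i");`), and the `layer_preview` DELETE in the next hunk binds `$_REQUEST['layer_id']` as `"s"` as well. Whatever `db_prep_query` does with the type letter (its implementation is not in this diff), these two statements are the only places where an integer key column receives a string-typed parameter; use `$t = array("i", "i");` here and `$t = array("i");` for the preview delete so the key columns are treated uniformly.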
@@ -253,8 +289,10 @@
if(isset($_REQUEST['delete_preview']) && $_REQUEST['delete_preview']=='1'
&& isset($_REQUEST['layer_id']))
{
- $preview_sql = "DELETE FROM layer_preview WHERE fkey_layer_id = ".$_REQUEST['layer_id']."";
- $res_preview_sql = db_query($preview_sql);
+ $preview_sql = "DELETE FROM layer_preview WHERE fkey_layer_id = $1";
+ $v = array($_REQUEST['layer_id']);
+ $t = array("s");
+ $res_preview_sql = db_prep_query($preview_sql, $v, $t);
die("Preview has been deleted!</body></html>");
}
?>
@@ -277,8 +315,10 @@
{
#Querying information from wms data table
- $wms_sql = "SELECT wms_id, wms_title FROM wms WHERE wms_owner = ".$_SESSION["mb_user_id"]. " ORDER BY wms_title";
- $res_wms_sql = db_query($wms_sql);
+ $wms_sql = "SELECT wms_id, wms_title FROM wms WHERE wms_owner = $1 ORDER BY wms_title";
+ $v = array($_SESSION["mb_user_id"]);
+ $t = array("i");
+ $res_wms_sql = db_prep_query($wms_sql, $v, $t);
#wms-selection
$selectBox = "";
@@ -321,8 +361,10 @@
if(isset($wms_id) == true && $wms_id <>0)
{
- $selected_wms_sql = "SELECT * FROM wms WHERE wms_id = '".$wms_id."'";
- $res_selected_wms_sql = db_query($selected_wms_sql);
+ $selected_wms_sql = "SELECT * FROM wms WHERE wms_id = $1";
+ $v = array($wms_id);
+ $t = array("s");
+ $res_selected_wms_sql = db_prep_query($selected_wms_sql, $v, $t);
$selected_row = db_fetch_array($res_selected_wms_sql);
?>
@@ -400,9 +442,11 @@
<?php
- $layer_sql = "SELECT * FROM layer WHERE layer.fkey_wms_id = '".$wms_id."'" .
+ $layer_sql = "SELECT * FROM layer WHERE layer.fkey_wms_id = $1" .
" ORDER BY layer_pos";
- $res_layer_sql = db_query($layer_sql);
+ $v = array($wms_id);
+ $t = array("s");
+ $res_layer_sql = db_prep_query($layer_sql, $v, $t);
while($layer_row = db_fetch_array($res_layer_sql))
{
@@ -419,9 +463,11 @@
$keyword_sql = "SELECT keyword FROM keyword, layer_keyword, layer " .
"WHERE keyword.keyword_id = layer_keyword.fkey_keyword_id " .
"AND layer_keyword.fkey_layer_id = layer.layer_id " .
- "AND layer.fkey_wms_id = '".$wms_id."' " .
- "AND layer.layer_id = ".$layer_row['layer_id']."";
- $res_keyword_sql = db_query($keyword_sql);
+ "AND layer.fkey_wms_id = $1 " .
+ "AND layer.layer_id = $2";
+ $v = array($wms_id, $layer_row['layer_id']);
+ $t = array("s", "i");
+ $res_keyword_sql = db_prep_query($keyword_sql, $v, $t);
$keywordList = "";
$seperator = "";
while($keyword_row = db_fetch_array($res_keyword_sql))
Modified: branches/2.5/http/php/nestedSets.php
===================================================================
--- branches/2.5/http/php/nestedSets.php 2008-01-29 12:46:00 UTC (rev 2037)
+++ branches/2.5/http/php/nestedSets.php 2008-01-29 12:49:26 UTC (rev 2038)
@@ -58,16 +58,16 @@
if(value == 'insert'){
/*
if(document.forms[0].title.value == ''){alert("Bitte geben Sie einen Titel an."); permission = false; return;}
- if(document.forms[0].left.value == ''){alert("Wählen Sie eine Position."); permission = false; return;}
+ if(document.forms[0].left.value == ''){alert("W�hlen Sie eine Position."); permission = false; return;}
*/
if(document.forms[0].title.value == ''){alert("Please insert a title."); permission = false; return;}
if(document.forms[0].left.value == ''){alert("Please choose a position."); permission = false; return;}
- if(document.forms[0].wmsList.selectedIndex > 0 && document.forms[0].layer.selectedIndex == 0){alert("Wählen Sie einen Layer."); permission = false; return;}
+ if(document.forms[0].wmsList.selectedIndex > 0 && document.forms[0].layer.selectedIndex == 0){alert("W�hlen Sie einen Layer."); permission = false; return;}
if(permission == true){document.forms[0].action.value = "insert"; document.forms[0].submit();}
}
if(value == 'delete'){
- //permission = confirm("Soll das Objekt mit Inhalten gelöscht werden?");
+ //permission = confirm("Soll das Objekt mit Inhalten gel�scht werden?");
permission = confirm("Do you want to delete the object and the content of the object?");
if(permission == true){
document.forms[0].action.value = "delete";
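Review bot: The only functional change in this hunk is that the umlaut in the live alert `alert("W�hlen Sie einen Layer.")` has become a replacement character, i.e. the file was re-saved in an encoding that does not match the original and the German message shown to users is now corrupted; the same corruption appears in the commented-out lines here and in the next two hunks (`@@ -77,7 +77,7 @@`, `@@ -87,10 +87,10 @@`). Restore the original bytes (`Wählen Sie einen Layer.`) and save the file in the encoding the rest of the project uses, or replace the remaining German alert with the English wording the surrounding lines already use. The JavaScript function enclosing these checks starts before the hunk.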
@@ -77,7 +77,7 @@
if(value == 'update'){
/*
if(document.forms[0].title.value == ''){alert("Bitte geben Sie einen Titel an."); permission = false; return;}
- if(document.forms[0].left.value == ''){alert("Bitte wählen Sie eine Position."); permission = false; return;}
+ if(document.forms[0].left.value == ''){alert("Bitte w�hlen Sie eine Position."); permission = false; return;}
*/
if(document.forms[0].title.value == ''){alert("Please fill in a labeling."); permission = false; return;}
@@ -87,10 +87,10 @@
}
if(value == 'add'){
/*
- if(document.forms[0].left.value == ''){alert("Bitte wählen Sie eine Position."); permission = false; return;}
- if(document.forms[0].guiList.selectedIndex == 0){alert("Bitte wählen Sie eine GUI."); permission = false; return;}
- if(document.forms[0].wmsList.selectedIndex == 0){alert("Bitte wählen Sie einen WMS."); permission = false; return;}
- if(document.forms[0].layer.selectedIndex == 0){alert("Bitte wählen Sie eine Ebene."); permission = false; return;}
+ if(document.forms[0].left.value == ''){alert("Bitte w�hlen Sie eine Position."); permission = false; return;}
+ if(document.forms[0].guiList.selectedIndex == 0){alert("Bitte w�hlen Sie eine GUI."); permission = false; return;}
+ if(document.forms[0].wmsList.selectedIndex == 0){alert("Bitte w�hlen Sie einen WMS."); permission = false; return;}
+ if(document.forms[0].layer.selectedIndex == 0){alert("Bitte w�hlen Sie eine Ebene."); permission = false; return;}
*/
if(document.forms[0].left.value == ''){alert("Please fill in a position."); permission = false; return;}
@@ -116,26 +116,31 @@
}
if(isset($action) && $action == "insert"){
$temp = explode("###", $layer);
- $sql = "SELECT rgt FROM gui_treegde WHERE lft = ".$left." AND fkey_gui_id = '".$guiList."'";
- $res = db_query($sql);
+ $sql = "SELECT rgt FROM gui_treegde WHERE lft = $1 AND fkey_gui_id = $1";
+ $v = array($left, $guiList);
+ $t = array("i", "s");
+ $res = db_prep_query($sql, $v, $t);
if($pos == 'in'){$left = $left + 1;}
else if($pos == 'hinter'){$left = db_result($res,0,"rgt") + 1;}
else{ $left = $left + 2;}
- $sql = "UPDATE gui_treegde SET rgt=rgt+2 WHERE rgt >=". $left." AND fkey_gui_id = '".$guiList."'";
- db_query($sql);
- $sql = "UPDATE gui_treegde SET lft=lft+2 WHERE lft >=".$left." AND fkey_gui_id = '".$guiList."'";
- db_query($sql);
- $sql = "INSERT INTO gui_treegde(fkey_gui_id, fkey_layer_id, lft,rgt, my_layer_title, layer, wms_id) VALUES(";
- $sql .= "'".$guiList."', ";
- $sql .= "'".$temp[0]."', ";
- $sql .= $left.", ";
- $sql .= ($left+1).", ";
- $sql .= "'".$name."', ";
- $sql .= "'".$temp[1]."', ";
- $sql .= "'".$wmsList."'";
- $sql .= ")";
- #echo $sql . "<br>";
- db_query($sql);
+
+ $sql = "UPDATE gui_treegde SET rgt=rgt+2 WHERE rgt >= $1 AND fkey_gui_id = $2";
+ $v = array($left, $guiList);
+ $t = array("i", "s");
+ db_prep_query($sql, $v, $t);
+
+ $sql = "UPDATE gui_treegde SET lft=lft+2 WHERE lft >= $1 AND fkey_gui_id = $2";
+ $v = array($left, $guiList);
+ $t = array("i", "s");
+ db_prep_query($sql, $v, $t);
+
+ $sql = "INSERT INTO gui_treegde(fkey_gui_id, fkey_layer_id, lft,rgt, ";
+ $sql .= "my_layer_title, layer, wms_id) VALUES($1, $2, $3, $4, $5, $6, $7)";
+ #echo $sql . "<br>";
+ $v = array($guiList, $temp[0], $left, ($left+1), $name, $temp[1], $wmsList);
+ $t = array("s", "s", "i", "i", "s", "s", "s");
+ db_prep_query($sql, $v, $t);
+
/*
if($layer == ""){
$left = $left + 1;
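Review bot: The rebuilt SELECT `"SELECT rgt FROM gui_treegde WHERE lft = $1 AND fkey_gui_id = $1"` uses placeholder `$1` twice while `$v = array($left, $guiList)` supplies two values, so `$guiList` is never bound; depending on how `db_prep_query` handles the surplus parameter the query either fails outright or compares `fkey_gui_id` against `$left`, and the `hinter` branch then reads `rgt` from the wrong row or from an empty result. Change the second placeholder: `$sql = "SELECT rgt FROM gui_treegde WHERE lft = $1 AND fkey_gui_id = $2";`. The `insert` block continues past the end of this hunk.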
@@ -152,53 +157,79 @@
}
if(isset($action) && $action == "delete"){
if($left){
- $sql = "SELECT rgt FROM gui_treegde WHERE lft =". $left." AND fkey_gui_id = '".$guiList."'";
- $res = db_query($sql);
+ $sql = "SELECT rgt FROM gui_treegde WHERE lft = $1 AND fkey_gui_id = $2";
+ $v = array($left, $guiList);
+ $t = array("i", "s");
+ $res = db_prep_query($sql, $v, $t);
$right = db_result($res,0,"rgt");
- $sql = "DELETE FROM gui_treegde WHERE lft BETWEEN ".$left." and ".$right." AND fkey_gui_id = '".$guiList."'";
- db_query($sql);
- $sql = "UPDATE gui_treegde SET lft=lft-((".$right."-".$left."+1)) WHERE lft>".$right." AND fkey_gui_id = '".$guiList."'";
- db_query($sql);
- $sql = "UPDATE gui_treegde SET rgt=rgt-((".$right."-".$left."+1)) WHERE rgt>".$right." AND fkey_gui_id = '".$guiList."'";
- db_query($sql);
+
+ $sql = "DELETE FROM gui_treegde WHERE lft BETWEEN $1 and $2 AND fkey_gui_id = $3";
+ $v = array($left, $right, $guiList);
+ $t = array("i", "i", "s");
+ db_prep_query($sql, $v, $t);
+
+ $sql = "UPDATE gui_treegde SET lft=lft-(($1 - $2 + 1)) WHERE lft > $3 AND fkey_gui_id = $4";
+ $v = array($right, $left, $right, $guiList);
+ $t = array("i", "i", "i", "s");
+ db_prep_query($sql, $v, $t);
+
+ $sql = "UPDATE gui_treegde SET rgt=rgt-(($1 - $2 + 1)) WHERE rgt > $3 AND fkey_gui_id = $4";
+ $v = array($right, $left, $right, $guiList);
+ $t = array("i", "i", "i", "s");
+ db_prep_query($sql, $v, $t);
}
}
if(isset($action) && $action == "update"){
$temp = explode("###", $layer);
$sql = "UPDATE gui_treegde SET ";
- $sql .= "my_layer_title = '".$name."', ";
- $sql .= "fkey_layer_id = '".$temp[0]."', ";
- $sql .= "layer = '".$temp[1]."', ";
- $sql .= "wms_id = '" . $wmsList."'";
- $sql .= " WHERE lft = ".$left." AND fkey_gui_id = '".$guiList."'";
- db_query($sql);
+ $sql .= "my_layer_title = $1, ";
+ $sql .= "fkey_layer_id = $2, ";
+ $sql .= "layer = $3, ";
+ $sql .= "wms_id = $4";
+ $sql .= " WHERE lft = $5 AND fkey_gui_id = $6";
+ $v = array($name, $temp[0], $temp[1], $wmsList, $left, $guiList);
+ $t = array("s", "s", "s", "s", "i", "s");
+ db_prep_query($sql, $v, $t);
}
if(isset($action) && $action == "add"){
$temp = explode("###", $layer);
- $sql_val = "SELECT * FROM gui_treegde WHERE lft =". $left." AND fkey_gui_id = '".$guiList."'";
- $res_val = db_query($sql_val);
+ $sql_val = "SELECT * FROM gui_treegde WHERE lft = $1 AND fkey_gui_id = $2";
+ $v = array($left, $guiList);
+ $t = array("i", "s");
+ $res = db_prep_query($sql_val, $v, $t);
$sql = "UPDATE gui_treegde SET ";
+ $sql .= "fkey_layer_id = $1, layer = $2, wms_id = $3 ";
+ $sql .= "WHERE lft = $4 AND fkey_gui_id = $5";
- $sql .= "fkey_layer_id = ";
- $sql .= "'";
- if(db_result($res_val, 0, "fkey_layer_id") != ''){ $sql .= db_result($res_val, 0, "fkey_layer_id") . ","; }
- $sql .= $temp[0] . "', ";
+ $v = array();
+ $t = array("s", "s", "s", "i", "s");
+
+ if (db_result($res_val, 0, "fkey_layer_id") != '') {
+ array_push($v, db_result($res_val, 0, "fkey_layer_id") . "," . $temp[0]);
+ }
+ else {
+ array_push($v, $temp[0]);
+ }
- $sql .= "layer = ";
- $sql .= "'";
- if(db_result($res_val, 0, "layer") != ''){ $sql .= db_result($res_val, 0, "layer") . ","; }
- $sql .= $temp[1] . "', ";
+ if (db_result($res_val, 0, "layer") != '') {
+ array_push($v, db_result($res_val, 0, "layer") . "," . $temp[1]);
+ }
+ else {
+ array_push($v, $temp[1]);
+ }
- $sql .= "wms_id = ";
- $sql .= "'";
- if(db_result($res_val, 0, "wms_id") != ''){ $sql .= db_result($res_val, 0, "wms_id") . ","; }
- $sql .= $wmsList . "' ";
-
- $sql .= " WHERE lft = ".$left." AND fkey_gui_id = '".$guiList."'";
- #echo $sql . "<br>";
- db_query($sql);
+ if (db_result($res_val, 0, "wms_id") != '') {
+ array_push($v, db_result($res_val, 0, "wms_id") . "," . $wmsList);
+ }
+ else {
+ array_push($v, $wmsList);
+ }
+
+ array_push($v, $left);
+ array_push($v, $guiList);
+ db_prep_query($sql, $v, $t);
}
?>
<br />
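Review bot: In the `add` block the result of the rebuilt lookup is assigned to `$res` (`$res = db_prep_query($sql_val, $v, $t);`) but every following `db_result($res_val, 0, ...)` call still reads `$res_val`, which is no longer set anywhere in this branch now that `$res_val = db_query($sql_val);` is gone, so the three `!= ''` checks operate on an undefined variable and the existing comma-separated values are silently dropped instead of being appended to. Restore the name: `$res_val = db_prep_query($sql_val, $v, $t);`. The `delete` block earlier in the hunk is unaffected because it reads `$res` consistently.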
@@ -228,14 +259,19 @@
$admin = new administration();
$ownguis = $admin->getGuisByOwner($_SESSION["mb_user_id"],true);
-$sql = "SELECT * FROM gui WHERE gui_id IN ("; for($i=0;
-$i<count($ownguis); $i++){
- if($i>0){ $sql .= ",";}
- $sql .= "'".$ownguis[$i]."'";
- }
+$sql = "SELECT * FROM gui WHERE gui_id IN (";
+$v = $ownguis;
+$t = array();
+for ($i = 1; $i <= count($ownguis); $i++){
+ if ($i > 1) {
+ $sql .= ",";
+ }
+ $sql .= "$" . $i;
+ array_push($t, "s");
+}
$sql .= ") ORDER BY gui_name";
-$res = db_query($sql);
+$res = db_prep_query($sql, $v, $t);
$cnt = 0;
echo "<select class='guiList' size='10' name='guiList' class='guiList' onchange='document.forms[0].submit()'>";
echo "<option value=''>GUI ...</option>";
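Review bot: The placeholder loop builds `IN ($1,$2,...)` from `count($ownguis)` and passes `$v = $ownguis` directly, so when the user owns no GUI the statement becomes `SELECT * FROM gui WHERE gui_id IN () ORDER BY gui_name`, which is invalid SQL (already true before the commit, but the rewrite is the place to fix it); it also relies on `$ownguis` being a zero-based list so that positions line up with `$1..$n`, which `getGuisByOwner` is not shown here to guarantee. Guard the query with `if (count($ownguis) > 0) { … }`, emitting only the empty `<select>` otherwise, and pass `$v = array_values($ownguis);`. The output code around the `<select>` continues past this hunk.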
@@ -265,9 +301,11 @@
if(isset($guiList) && $guiList != ""){
$sql = "SELECT gui_wms.fkey_wms_id, wms.wms_title FROM gui_wms ";
$sql .= "INNER JOIN wms ON gui_wms.fkey_wms_id = wms.wms_id ";
- $sql .= "WHERE gui_wms.fkey_gui_id = '" . $guiList . "' ";
+ $sql .= "WHERE gui_wms.fkey_gui_id = $1 ";
$sql .= "ORDER BY wms.wms_title";
- $res = db_query($sql);
+ $v = array($guiList);
+ $t = array("s");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while($row = db_fetch_array($res)){
echo "<option value='".$row["fkey_wms_id"]."' ";
@@ -293,9 +331,11 @@
if(isset($wmsList) && $wmsList != ""){
$sql_l = "SELECT gui_layer.fkey_layer_id, layer.layer_name, layer.layer_title FROM gui_layer ";
$sql_l .= "LEFT JOIN layer ON gui_layer.fkey_layer_id = layer.layer_id ";
- $sql_l .= "WHERE gui_layer.gui_layer_wms_id = " . $wmsList . " AND layer.layer_parent = '0' AND gui_layer.fkey_gui_id = '".$guiList."'";
+ $sql_l .= "WHERE gui_layer.gui_layer_wms_id = $1 AND layer.layer_parent = '0' AND gui_layer.fkey_gui_id = $2";
$sql_l .= " ORDER BY layer.layer_title";
- $res_l = db_query($sql_l);
+ $v = array($wmsList, $guiList);
+ $t = array("i", "s");
+ $res_l = db_prep_query($sql_l, $v, $t);
$cnt = 0;
while($row = db_fetch_array($res_l)){
echo "<option value='".$row["fkey_layer_id"]."###".$row["layer_name"]."'>";