svn commit: r222 - trunk/mapbender/http/php/mod_group_user.php

Wed May 10 10:43:55 EDT 2006

Author: uli
Date: 2006-05-10 14:43:54+0000
New Revision: 222

Modified:
   trunk/mapbender/http/php/mod_group_user.php

Log:
db_prep_query included
verification of user permissions

Modified: trunk/mapbender/http/php/mod_group_user.php
Url: https://mapbender.osgeo.org/source/browse/mapbender/trunk/mapbender/http/php/mod_group_user.php?view=diff&rev=222&p1=trunk/mapbender/http/php/mod_group_user.php&p2=trunk/mapbender/http/php/mod_group_user.php&r1=221&r2=222
==============================================================================

--- trunk/mapbender/http/php/mod_group_user.php	(original)
+++ trunk/mapbender/http/php/mod_group_user.php	2006-05-10 14:43:54+0000
@@ -17,13 +17,12 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-session_start();
 import_request_variables("PG");
-require_once("../php/mb_validateSession.php");
 require_once("../../conf/mapbender.conf");
-$con = db_connect($DBSERVER,$OWNER,$PW);
+$con = db_connect(DBSERVER,OWNER,PW);
 db_select_db(DB,$con);
-$gui_id = $_SESSION["mb_user_gui"];
+require_once("../php/mb_validatePermission.php");
+$self = $PHP_SELF . "?".SID."&guiID=".$_REQUEST["guiID"]."&elementID=".$_REQUEST["elementID"];
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
@@ -61,10 +60,6 @@
 </head>
 <body>
 <?php
-require_once("../../conf/mapbender.conf");
-$con = db_connect($DBSERVER,$OWNER,$PW);
-db_select_db(DB,$con);
-
 
 $fieldHeight = 20;
 
@@ -80,12 +75,17 @@
 	if(count($selected_user)>0){
 		for($i=0; $i<count($selected_user); $i++){
 			$exists = false;
-			$sql_insert = "SELECT * from mb_user_mb_group where fkey_mb_group_id = '".$selected_group."' and fkey_mb_user_id = '".$selected_user[$i]."'";
-			$res_insert = db_query($sql_insert);
+			$sql = "SELECT * from mb_user_mb_group where fkey_mb_group_id = $1 and fkey_mb_user_id = $2";
+			$v = array($selected_group,$selected_user[$i]);
+			$t = array('i','i');
+			$res_insert = db_prep_query($sql,$v,$t);
 			while(db_fetch_row($res_insert)){$exists = true;}
 			if($exists == false){
-				$sql_insert = "INSERT INTO mb_user_mb_group(fkey_mb_group_id, fkey_mb_user_id) VALUES('$selected_group', '".$selected_user[$i]."');";
-				$res_insert = db_query($sql_insert);
+				$sql = "INSERT INTO mb_user_mb_group(fkey_mb_group_id, fkey_mb_user_id) ";
+				$sql .= "VALUES($1, $2);";
+				$v = array($selected_group,$selected_user[$i]);
+				$t = array('i','i');
+				$res = db_prep_query($sql,$v,$t);
 			}
 		}
 	}
@@ -93,8 +93,11 @@
 if($remove){
 	if(count($remove_user)>0){
 		for($i=0; $i<count($remove_user); $i++){
-			$sql_remove = "DELETE FROM mb_user_mb_group WHERE fkey_mb_user_id = '".$remove_user[$i]."' and fkey_mb_group_id = '$selected_group'";
-			db_query($sql_remove);
+			$sql_remove = "DELETE FROM mb_user_mb_group WHERE ";
+			$sql_remove .= "fkey_mb_user_id = $1 and fkey_mb_group_id = $2";
+			$v = array($remove_user[$i],$selected_group);
+			$t = array('i','i');
+			db_prep_query($sql_remove,$v,$t);
 		}
 	}
 }
@@ -121,12 +124,13 @@
 /*get all user from selected group******************************************************************************/
 $sql_mb_user_mb_group = "SELECT mb_user.mb_user_id, mb_user.mb_user_name, mb_user_mb_group.fkey_mb_group_id FROM mb_user_mb_group ";
 $sql_mb_user_mb_group .= "INNER JOIN mb_user ON mb_user_mb_group.fkey_mb_user_id = mb_user.mb_user_id ";
-$sql_mb_user_mb_group .= "WHERE mb_user_mb_group.fkey_mb_group_id= '";
+$sql_mb_user_mb_group .= "WHERE mb_user_mb_group.fkey_mb_group_id= $1 ";
+$sql_mb_user_mb_group .= " ORDER BY mb_user.mb_user_name";
+
+if(!$selected_group){$v = array($group_id[0]);}
+if($selected_group){$v = array($selected_group);}
 
-if(!$selected_group){$sql_mb_user_mb_group .= $group_id[0];}
-if($selected_group){$sql_mb_user_mb_group .= $selected_group;}
-$sql_mb_user_mb_group .= "' ORDER BY mb_user.mb_user_name";
-$res_mb_user_mb_group = db_query($sql_mb_user_mb_group);
+$res_mb_user_mb_group = db_prep_query($sql_mb_user_mb_group,$v,$t);
 while($row = db_fetch_array($res_mb_user_mb_group)){
 	$user_id_group[$cnt_group_user] = $row["mb_user_id"];
 	$user_name_group[$cnt_group_user] =  $row["mb_user_name"];
@@ -135,7 +139,7 @@
 
 
 /*INSERT HTML*/
-echo "<form name='form1' action='" . $PHP_SELF . "?".SID."&e_id_css=".$_REQUEST["e_id_css"]."' method='post'>";
+echo "<form name='form1' action='" . $self . "' method='post'>";
 
 /*insert projects in selectbox*************************************************************************************/
 echo "<div class='text1'>GROUP: </div>";


