svn commit: r309 - trunk/mapbender/http/php/mod_editFilteredGroup.php

uli at osgeo.org uli at osgeo.org
Tue May 16 06:23:49 EDT 2006


Author: uli
Date: 2006-05-16 10:23:48+0000
New Revision: 309

Modified:
   trunk/mapbender/http/php/mod_editFilteredGroup.php   (contents, props changed)

Log:
Switched the group SELECT/INSERT/UPDATE/DELETE statements to db_prep_query (parameterised queries).
Added verification of user permissions (mb_validatePermission.php replaces mb_validateSession.php).

Modified: trunk/mapbender/http/php/mod_editFilteredGroup.php
Url: https://mapbender.osgeo.org/source/browse/mapbender/trunk/mapbender/http/php/mod_editFilteredGroup.php?view=diff&rev=309&p1=trunk/mapbender/http/php/mod_editFilteredGroup.php&p2=trunk/mapbender/http/php/mod_editFilteredGroup.php&r1=308&r2=309
==============================================================================
--- trunk/mapbender/http/php/mod_editFilteredGroup.php	(original)
+++ trunk/mapbender/http/php/mod_editFilteredGroup.php	2006-05-16 10:23:48+0000
@@ -1,6 +1,7 @@
 <?php
-# $Id: mod_editFilteredGroup.php,v 1.12 2006/03/09 11:16:28 uli_rothstein Exp $
-# $Header: /cvsroot/mapbender/mapbender/http/php/mod_editFilteredGroup.php,v 1.12 2006/03/09 11:16:28 uli_rothstein Exp $
+# $Id$
+# http://www.mapbender.org/index.php/Administration
+#
 # Copyright (C) 2002 CCGIS 
 #
 # This program is free software; you can redistribute it and/or modify
@@ -17,12 +18,12 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-require_once("../php/mb_validateSession.php");
 import_request_variables("PG");
 require_once("../../conf/mapbender.conf");
-$con = db_connect($DBSERVER,$OWNER,$PW);
+$con = db_connect(DBSERVER,OWNER,PW);
 db_select_db(DB,$con);
-$gui_id = $_SESSION["mb_user_gui"];
+require_once("../php/mb_validatePermission.php");
+$self = $PHP_SELF . "?".SID."&guiID=".$_REQUEST["guiID"]."&elementID=".$_REQUEST["elementID"];
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
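Review bot: `$self` on the added line is built from `$PHP_SELF` and raw `$_REQUEST["guiID"]`/`$_REQUEST["elementID"]` with no encoding, and `$PHP_SELF` appears to be defined here only through register_globals or the preceding `import_request_variables("PG")`, so a request parameter named `PHP_SELF` can supply it. Use the server variable and URL-encode each parameter: `$self = $_SERVER['PHP_SELF'] . "?" . SID . "&guiID=" . urlencode($_REQUEST["guiID"]) . "&elementID=" . urlencode($_REQUEST["elementID"]);`, and apply `htmlspecialchars()` wherever `$self` is echoed into markup (its uses are outside this hunk). Note also that `import_request_variables` runs before the permission module is required, so every global this script later reads (`$action`, `$selected_group`, `$name`, `$owner_id`, `$description`, `$myGroup`) is client-controlled, and embedding `SID` in the URL exposes the session id in referrers and server logs.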
@@ -72,39 +73,49 @@
 
 #delete
 if($action == 'delete'){
-   $sql = "DELETE FROM mb_group WHERE mb_group_id = " . $selected_group;
-   $res = db_query($sql);
-   $selected_group = 'new';
+	$sql = "DELETE FROM mb_group WHERE mb_group_id = $1";
+	$v = array($selected_group);
+	$t = array('i');
+	$res = db_prep_query($sql,$v,$t);
+	$selected_group = 'new';
 }
 
 #save
 if($action == 'save'){
-   $sql = "SELECT mb_group_id FROM mb_group WHERE mb_group_name = '".$name."' ";
-   $res = db_query($sql);
-   if(db_fetch_row($res)){
-      echo "<script language='JavaScript'>alert('groupname must be unique!');</script>";
-   }
-   else{
-     $sql = "Insert INTO mb_group (mb_group_name, mb_group_owner, mb_group_description) VALUES ";
-     $sql.= "('".$name."', ".$owner_id.",'".$description."');";
-     $res = db_query($sql);
-     $selected_group = db_insert_id($res,"mb_group","mb_group_id");
-   }
+	$sql = "SELECT mb_group_id FROM mb_group WHERE mb_group_name = $1 ";
+	$v = array($name);
+	$t = array('s');
+	$res = db_prep_query($sql,$v,$t);
+	if(db_fetch_row($res)){
+		echo "<script language='JavaScript'>alert('groupname must be unique!');</script>";
+	}
+	else{
+		$sql = "Insert INTO mb_group (mb_group_name, mb_group_owner, mb_group_description) VALUES ";
+		$sql.= "($1, $2, $3);";
+		$v = array($name,$owner_id,$description);
+		$t = array('s','i','s');
+		$res = db_prep_query($sql,$v,$t);
+		$selected_group = db_insert_id($res,"mb_group","mb_group_id");
+	}
 }
 
 #update
 if($action == 'update'){
-   $sql = "SELECT mb_group_id FROM mb_group WHERE mb_group_name = '".$name."' AND mb_group_id <> ".$selected_group;
-   $res = db_query($sql);
-   if(db_fetch_row($res)){
-      echo "<script language='JavaScript'>alert('Groupname must be unique!');</script>";
-   }
-   else{
-     $sql = "UPDATE mb_group SET mb_group_name ='".$name."'";
-     $sql.=", mb_group_description = '".$description."'";
-     $sql.=" where mb_group_id = " . $selected_group;
-     $res = db_query($sql);
-   }
+	$sql = "SELECT mb_group_id FROM mb_group WHERE mb_group_name = $1 AND mb_group_id <> $2";
+	$v = array($name,$selected_group);
+	$t = array('s','i');
+	$res = db_prep_query($sql,$v,$t);
+	if(db_fetch_row($res)){
+		echo "<script language='JavaScript'>alert('Groupname must be unique!');</script>";
+	}
+	else{
+		$sql = "UPDATE mb_group SET mb_group_name = $1";
+		$sql.=", mb_group_description = $2";
+		$sql.=" where mb_group_id = $3";
+		$v = array($name,$description,$selected_group);
+		$t = array('s','s','i');
+		$res = db_prep_query($sql,$v,$t);
+	}
 }
 if (!isset($name) || $selected_group == 'new'){
   $name = "";
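Review bot: The delete and update branches constrain only on `mb_group_id = $1`, so any group id the client submits is deleted or renamed regardless of who owns it, and the insert takes `$owner_id` straight from the request (nothing in this hunk sets it, and `import_request_variables` populates it from GET/POST). Unless `mb_validatePermission.php` enforces per-row ownership, scope the writes to the caller: `$sql = "DELETE FROM mb_group WHERE mb_group_id = $1 AND mb_group_owner = $2";` with `$v = array($selected_group, $_SESSION["mb_user_id"]); $t = array('i','i');`, the same `AND mb_group_owner = $4` on the UPDATE, and `$_SESSION["mb_user_id"]` in place of `$owner_id` in the INSERT values. The uniqueness check is a separate SELECT ahead of the INSERT/UPDATE, so two concurrent saves can still create a duplicate name unless `mb_group_name` carries a unique constraint in the schema; a comment such as `// name uniqueness is advisory here; the DB constraint is authoritative` would make that explicit.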
@@ -124,39 +135,45 @@
       echo "Group: ";
    echo "</td>";
 echo "<td>";
-   echo "<select name='selected_group' onchange='submit()'>";
-   echo "<option value='new'>NEW...</option>";
-   $sql = "SELECT mb_group_name,mb_group_id FROM mb_group ";
-   if(isset($myGroup)){ $sql .= "WHERE mb_group_owner = ".$_SESSION["mb_user_id"];}
-   $sql .= " ORDER BY mb_group_name ";
-   $res = db_query($sql);
-   $count=0;
-   while($row = db_fetch_array($res)){
-	 	echo "<option value='".$row["mb_group_id"]."' ";
+echo "<select name='selected_group' onchange='submit()'>";
+	echo "<option value='new'>NEW...</option>";
+	$sql = "SELECT mb_group_name,mb_group_id FROM mb_group ";
+	if(isset($myGroup)){ 
+		$sql .= "WHERE mb_group_owner = ".$_SESSION["mb_user_id"];
+	}
+	$sql .= " ORDER BY mb_group_name ";
+	$res = db_query($sql);
+	$count=0;
+	while($row = db_fetch_array($res)){
+		echo "<option value='".$row["mb_group_id"]."' ";
 		if($selected_group && $selected_group == $row["mb_group_id"]){
-         echo "selected";
-      }
-      echo ">".$row["mb_group_name"]."</option>";
+			echo "selected";
+		}
+		echo ">".$row["mb_group_name"]."</option>";
 		$count++;
-   }
-   echo "</select>";
-   echo "</td>";
+	}
+	echo "</select>";
+	echo "</td>";
 echo "</tr>";
 
 
 if(isset($selected_group) && $selected_group != 0){
-   $sql = "SELECT * FROM mb_group WHERE mb_group_id = ".$selected_group." ORDER BY mb_group_name ";
-   $res = db_query($sql);
-   if($row = db_fetch_array($res)){
-      $name = $row["mb_group_name"];
-      $owner_id = $row["mb_group_owner"];
-      $description = $row["mb_group_description"];
-   }
-   $sql = "SELECT mb_user_name FROM mb_user WHERE mb_user_id = " . $owner_id;
-   $res = db_query($sql);
-   if($row = db_fetch_array($res)){
-      $owner_name = $row["mb_user_name"];
-   }
+	$sql = "SELECT * FROM mb_group WHERE mb_group_id = $1 ORDER BY mb_group_name ";
+	$v = array($selected_group);
+	$t = array('i');
+	$res = db_prep_query($sql,$v,$t);
+	if($row = db_fetch_array($res)){
+		$name = $row["mb_group_name"];
+		$owner_id = $row["mb_group_owner"];
+		$description = $row["mb_group_description"];
+	}
+	$sql = "SELECT mb_user_name FROM mb_user WHERE mb_user_id = $1";
+	$v = array($owner_id);
+	$t = array('i');
+	$res = db_prep_query($sql,$v,$t);
+	if($row = db_fetch_array($res)){
+		$owner_name = $row["mb_user_name"];
+	}
 }
 #name
 echo "<tr>";
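Review bot: `$row["mb_group_name"]` is echoed into the `<option>` text unescaped, and the save branch accepts the name from the request without validation, so a group name containing markup is stored and rendered for every user who opens this page; change it to `echo ">".htmlspecialchars($row["mb_group_name"])."</option>";` and escape `$row["mb_group_id"]` in the value attribute the same way. The `$myGroup` filter still concatenates `$_SESSION["mb_user_id"]` into the SQL while the rest of the hunk moved to `db_prep_query`; it is session data rather than request data, but converting it keeps the file consistently parameterised. The guard `$selected_group != 0` only skips the lookup for `'new'` because of PHP's loose string-to-number comparison; `isset($selected_group) && $selected_group !== 'new'` says what is meant and does not depend on that behaviour.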



