svn commit: r311 - trunk/mapbender/http/php/mod_deleteFilteredGUI.php
uli at osgeo.org
Tue May 16 07:33:46 EDT 2006
Author: uli
Date: 2006-05-16 11:33:46+0000
New Revision: 311
Modified:
trunk/mapbender/http/php/mod_deleteFilteredGUI.php (contents, props changed)
Log:
db_prep_query included
verification of user permissions
Modified: trunk/mapbender/http/php/mod_deleteFilteredGUI.php
Url: https://mapbender.osgeo.org/source/browse/mapbender/trunk/mapbender/http/php/mod_deleteFilteredGUI.php?view=diff&rev=311&p1=trunk/mapbender/http/php/mod_deleteFilteredGUI.php&p2=trunk/mapbender/http/php/mod_deleteFilteredGUI.php&r1=310&r2=311
==============================================================================
--- trunk/mapbender/http/php/mod_deleteFilteredGUI.php (original)
+++ trunk/mapbender/http/php/mod_deleteFilteredGUI.php 2006-05-16 11:33:46+0000
@@ -17,16 +17,16 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-session_start();
-require_once("../../conf/mapbender.conf");
-require_once("../php/mb_validateSession.php");
-$con = db_connect($DBSERVER,$OWNER,$PW);
import_request_variables("PG");
+require_once("../../conf/mapbender.conf");
+$con = db_connect(DBSERVER,OWNER,PW);
db_select_db(DB,$con);
+require_once("../php/mb_validatePermission.php");
+$self = $PHP_SELF . "?".SID."&guiID=".$_REQUEST["guiID"]."&elementID=".$_REQUEST["elementID"];
+
require_once("../classes/class_administration.php");
$admin = new administration();
$ownguis = $admin->getGuisByOwner($_SESSION["mb_user_id"]);
-$gui_id = $_SESSION["mb_user_gui"];
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
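Review bot: The new `$self = $PHP_SELF . "?".SID."&guiID=".$_REQUEST["guiID"]."&elementID=".$_REQUEST["elementID"];` concatenates raw request values, and that string is later echoed into the form's action attribute (the `@@ -61` hunk), so a crafted guiID or elementID lands unescaped in the HTML. Encode the values when building the URL, `"&guiID=".urlencode($_REQUEST["guiID"])."&elementID=".urlencode($_REQUEST["elementID"])`, and pass `$self` through `htmlspecialchars()` where it is echoed. The retained `import_request_variables("PG")` still turns every GET/POST key into a global, so `$del` and `$guiList` used further down remain implicitly request-controlled names rather than explicitly read parameters. Whether `mb_validatePermission.php` now starts the session that the removed `session_start()` provided is not visible here.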
@@ -61,20 +61,26 @@
<?php
###delete
if($del){
-$sql = "DELETE FROM gui WHERE gui_id = '".$guiList."'";
-$res = db_query($sql);
+$sql = "DELETE FROM gui WHERE gui_id = $1";
+$v = array($guiList);
+$t = array('s');
+$res = db_prep_query($sql,$v,$t);
}
###
if(count($ownguis)>0){
+ $v = array();
+ $t = array();
$sql = "SELECT * from gui WHERE gui.gui_id IN(";
for($i=0; $i<count($ownguis); $i++){
if($i>0){ $sql .= ",";}
- $sql .= "'".$ownguis[$i]."'";
+ $sql .= "$".($i+1);
+ array_push($v,$ownguis[$i]);
+ array_push($t,'s');
}
$sql .= ") order by gui_id";
- $res = db_query($sql);
+ $res = db_prep_query($sql,$v,$t);
$cnt = 0;
- echo "<form name='form1' action='" . $PHP_SELF . "?".SID."' method='post'>";
+ echo "<form name='form1' action='" . $self ."' method='post'>";
echo "<select class='guiList' size='20' name='guiList' class='guiList' onchange='document.form1.guiList.value = this.value;submit()'>";
while($row = db_fetch_array($res)){
$guivalue = $row["gui_id"];
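Review bot: The parameterised DELETE at `$sql = "DELETE FROM gui WHERE gui_id = $1";` removes whatever `$guiList` the request supplies, but nothing in this hunk checks that the GUI belongs to the current user even though `$ownguis` is already loaded above; unless `mb_validatePermission.php` enforces that (not visible here), the guard should be `if($del && in_array($guiList, $ownguis)){`. The same unvalidated `$guiList` drives the description, user, group and WMS lookups in the hunks at `@@ -95`, `@@ -115`, `@@ -132` and `@@ -149`, so one membership check before the delete and display branches covers them all. Also, `$ownguis` was fetched before the DELETE and is not refreshed, so the `IN(...)` query still binds the deleted id; harmless for the result set, but worth a comment such as `// $ownguis is stale after a delete; the SELECT simply returns no row for it`. The `while` loop that consumes `$res` continues past the end of this hunk.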
@@ -95,8 +101,10 @@
{
echo "<p class = 'wmsList'>";
// Show description
- $sql = "SELECT gui_description FROM gui WHERE gui_id = '".$guiList."'";
- $res = db_query($sql);
+ $sql = "SELECT gui_description FROM gui WHERE gui_id = $1";
+ $v = array($guiList);
+ $t = array('s');
+ $res = db_prep_query($sql,$v,$t);
echo "<b>Description:</b><br><br>";
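Review bot: The three lines `$v = array($guiList);`, `$t = array('s');`, `$res = db_prep_query($sql,$v,$t);` are repeated verbatim in this hunk and again in the hunks at `@@ -115`, `@@ -132` and `@@ -149`; the temporaries add nothing, so `$res = db_prep_query($sql, array($guiList), array('s'));` reads better and keeps the four call sites in one shape. The enclosing block that this hunk's opening brace belongs to, and the loop that reads `$res`, lie outside the hunk.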
@@ -115,8 +123,10 @@
// Show users
- $sql = "SELECT mb_user_name FROM mb_user, gui_mb_user WHERE fkey_mb_user_id = mb_user_id AND fkey_gui_id = '".$guiList."'";
- $res = db_query($sql);
+ $sql = "SELECT mb_user_name FROM mb_user, gui_mb_user WHERE fkey_mb_user_id = mb_user_id AND fkey_gui_id = $1";
+ $v = array($guiList);
+ $t = array('s');
+ $res = db_prep_query($sql,$v,$t);
echo "<br><br><b>Users using this GUI</b><br><br>";
@@ -132,8 +142,10 @@
// Show groups
- $sql = "SELECT mb_group_name FROM mb_group, gui_mb_group WHERE fkey_mb_group_id = mb_group_id AND fkey_gui_id = '".$guiList."'";
- $res = db_query($sql);
+ $sql = "SELECT mb_group_name FROM mb_group, gui_mb_group WHERE fkey_mb_group_id = mb_group_id AND fkey_gui_id = $1";
+ $v = array($guiList);
+ $t = array('s');
+ $res = db_prep_query($sql,$v,$t);
echo "<br><br><b>Groups using this GUI</b><br><br>";
@@ -149,8 +161,10 @@
// Show list of WMS exclusive to this GUI
- $sql = "SELECT wms_id, wms_title FROM wms, gui_wms WHERE fkey_wms_id = wms_id AND fkey_gui_id = '".$guiList."'";
- $res = db_query($sql);
+ $sql = "SELECT wms_id, wms_title FROM wms, gui_wms WHERE fkey_wms_id = wms_id AND fkey_gui_id = $1";
+ $v = array($guiList);
+ $t = array('s');
+ $res = db_prep_query($sql,$v,$t);
echo "<br><br><b>List of WMS exclusive to this GUI</b><br><br>";
@@ -162,8 +176,10 @@
$wmsid = $row["wms_id"];
// Check how many GUIs use current WMS
- $sql2 = "SELECT COUNT(fkey_wms_id) FROM gui_wms WHERE fkey_wms_id = '".$wmsid."'";
- $res2 = db_query($sql2);
+ $sql2 = "SELECT COUNT(fkey_wms_id) FROM gui_wms WHERE fkey_wms_id = $1";
+ $v = array($wmsid);
+ $t = array('i');
+ $res2 = db_prep_query($sql2,$v,$t);
// Display if only selected GUI uses current WMS
if (db_result($res2,0,0) == 1){
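Review bot: Inside the `while` loop the new `$v = array($wmsid);` and `$t = array('i');` overwrite the `$v`/`$t` arrays that were built for the outer WMS query; that is safe only because `$res` has already been executed, and the reuse obscures it. Since the query and result are already named `$sql2`/`$res2`, binding through `$v2`/`$t2` keeps the pairing obvious. Binding `wms_id` as `'i'` while `gui_id` is bound as `'s'` elsewhere presumably reflects the column types; worth confirming against the schema. The loop body continues past the end of the hunk.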