svn commit: r346 - trunk/mapbender/http/php/mod_editGroup.php
uli at osgeo.org
uli at osgeo.org
Wed May 24 11:05:57 EDT 2006
Author: uli
Date: 2006-05-24 15:05:57+0000
New Revision: 346
Modified:
trunk/mapbender/http/php/mod_editGroup.php
Log:
validation of permissions
prepared statements included
Modified: trunk/mapbender/http/php/mod_editGroup.php
Url: https://mapbender.osgeo.org/source/browse/mapbender/trunk/mapbender/http/php/mod_editGroup.php?view=diff&rev=346&p1=trunk/mapbender/http/php/mod_editGroup.php&p2=trunk/mapbender/http/php/mod_editGroup.php&r1=345&r2=346
==============================================================================
--- trunk/mapbender/http/php/mod_editGroup.php (original)
+++ trunk/mapbender/http/php/mod_editGroup.php 2006-05-24 15:05:57+0000
@@ -1,6 +1,7 @@
<?php
-# $Id: mod_editGroup.php,v 1.12 2006/03/09 11:05:14 uli_rothstein Exp $
-# $Header: /cvsroot/mapbender/mapbender/http/php/mod_editGroup.php,v 1.12 2006/03/09 11:05:14 uli_rothstein Exp $
+# $Id$
+# http://www.mapbender.org/index.php/Administration
+#
# Copyright (C) 2002 CCGIS
#
# This program is free software; you can redistribute it and/or modify
@@ -18,12 +19,12 @@
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
session_start();
-require_once("../php/mb_validateSession.php");
import_request_variables("PG");
require_once("../../conf/mapbender.conf");
-$con = db_connect($DBSERVER,$OWNER,$PW);
+$con = db_connect(DBSERVER,OWNER,PW);
db_select_db(DB,$con);
-$gui_id = $_SESSION["mb_user_gui"];
+require_once("../php/mb_validatePermission.php");
+$self = $PHP_SELF . "?".SID."&guiID=".$_REQUEST["guiID"]."&elementID=".$_REQUEST["elementID"];
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
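Review bot: `$self` on the added line concatenates `$PHP_SELF`, `$_REQUEST["guiID"]` and `$_REQUEST["elementID"]` into a URL without any encoding, and that string is later echoed verbatim into the form's action attribute (the `echo "<form name='form1' action='" . $self ...` hunk further down), so any of the three can break out of the attribute. Build it as `$self = $_SERVER['SCRIPT_NAME'] . "?" . SID . "&guiID=" . urlencode($_REQUEST["guiID"]) . "&elementID=" . urlencode($_REQUEST["elementID"]);` and wrap it in `htmlspecialchars()` where it is echoed. Note also that `require_once("../php/mb_validatePermission.php")` now runs only after the database connection has been opened, and that the unchanged `import_request_variables("PG")` still lets any request parameter define the globals (`$action`, `$selected_group`, `$name`, `$owner_id`) this script later dispatches on; whether mb_validatePermission replaces the removed mb_validateSession check is not visible from this diff.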
@@ -70,44 +71,50 @@
</head>
<body>
<?php
-require_once("../../conf/mapbender.conf");
-$con = db_connect($DBSERVER,$OWNER,$PW);
-db_select_db(DB,$con);
-
#delete
if($action == 'delete'){
- $sql = "DELETE FROM mb_group WHERE mb_group_id = " . $selected_group;
- $res = db_query($sql);
+ $sql = "DELETE FROM mb_group WHERE mb_group_id = $1";
+ $v = array( $selected_group);
+ $t = array('i');
+ $res = db_prep_query($sql,$v,$t);
$selected_group = 'new';
}
#save
if($action == 'save'){
- $sql = "SELECT mb_group_id FROM mb_group WHERE mb_group_name = '".$name."' ";
- $res = db_query($sql);
+ $sql = "SELECT mb_group_id FROM mb_group WHERE mb_group_name = $1 ";
+ $v = array($name);
+ $t = array('s');
+ $res = db_prep_query($sql,$v,$t);
if(db_fetch_row($res)){
echo "<script language='JavaScript'>alert('groupname must be unique!');</script>";
}
else{
$sql = "Insert INTO mb_group (mb_group_name, mb_group_owner, mb_group_description) VALUES ";
- $sql.= "('".$name."', ".$owner_id.",'".$description."');";
- $res = db_query($sql);
+ $sql.= "($1, $2,$3);";
+ $v = array($name,$owner_id,$description);
+ $t = array('s','i','s');
+ $res = db_prep_query($sql,$v,$t);
$selected_group = db_insert_id($res,"mb_group","mb_group_id");
}
}
#update
if($action == 'update'){
- $sql = "SELECT mb_group_id FROM mb_group WHERE mb_group_name = '".$name."' AND mb_group_id <> ".$selected_group;
- $res = db_query($sql);
+ $sql = "SELECT mb_group_id FROM mb_group WHERE mb_group_name = $1 AND mb_group_id <> $2";
+ $v = array($name,$selected_group);
+ $t = array('s','i');
+ $res = db_prep_query($sql,$v,$t);
if(db_fetch_row($res)){
echo "<script language='JavaScript'>alert('Groupname must be unique!');</script>";
}
else{
- $sql = "UPDATE mb_group SET mb_group_name ='".$name."'";
- $sql.=", mb_group_description = '".$description."'";
- $sql.=" where mb_group_id = " . $selected_group;
- $res = db_query($sql);
+ $sql = "UPDATE mb_group SET mb_group_name = $1";
+ $sql.=", mb_group_description = $2";
+ $sql.=" where mb_group_id = $3";
+ $v = array($name,$description,$selected_group);
+ $t = array('s','s','i');
+ $res = db_prep_query($sql,$v,$t);
}
}
if (!isset($name) || $selected_group == 'new'){
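Review bot: The delete, save and update branches are selected on `$action` alone, and since `$action` is populated by `import_request_variables("PG")` the `$sql = "DELETE FROM mb_group WHERE mb_group_id = $1";` branch executes on a GET request just as on the form's POST, with no session-bound token, so the parameterisation fixes the injection but leaves the state changes open to cross-site request forgery. Guard the dispatch with `if ($_SERVER['REQUEST_METHOD'] !== 'POST') { $action = ''; }` and carry a per-session token in the form that each branch verifies with `hash_equals()`. The return value of every `db_prep_query()` call is discarded, so a failed DELETE still falls through to `$selected_group = 'new';` and reports nothing. The uniqueness SELECT followed by the INSERT or UPDATE is not atomic; a UNIQUE constraint on mb_group_name is the only reliable guard.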
@@ -119,7 +126,7 @@
/*HTML*****************************************************************************************************/
-echo "<form name='form1' action='" . $PHP_SELF . "?".SID."' method='post'>";
+echo "<form name='form1' action='" . $self ."' method='post'>";
echo "<table border='0'>";
#User
echo "<tr>";
@@ -148,15 +155,19 @@
if(isset($selected_group) && $selected_group != 0){
- $sql = "SELECT * FROM mb_group WHERE mb_group_id = ".$selected_group." ORDER BY mb_group_name ";
- $res = db_query($sql);
+ $sql = "SELECT * FROM mb_group WHERE mb_group_id = $1 ORDER BY mb_group_name ";
+ $v = array($selected_group);
+ $t = array('i');
+ $res = db_prep_query($sql,$v,$t);
if($row = db_fetch_array($res)){
$name = $row["mb_group_name"];
$owner_id = $row["mb_group_owner"];
$description = $row["mb_group_description"];
}
- $sql = "SELECT mb_user_name FROM mb_user WHERE mb_user_id = " . $owner_id;
- $res = db_query($sql);
+ $sql = "SELECT mb_user_name FROM mb_user WHERE mb_user_id = $1";
+ $v = array($owner_id);
+ $t = array('i');
+ $res = db_prep_query($sql,$v,$t);
if($row = db_fetch_array($res)){
$owner_name = $row["mb_user_name"];
}
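Review bot: The owner lookup `$sql = "SELECT mb_user_name FROM mb_user WHERE mb_user_id = $1";` runs even when the preceding `db_fetch_array($res)` returned no row, in which case `$owner_id` is not the stored owner but whatever the request supplied through `import_request_variables("PG")`; move the second query inside the `if($row = db_fetch_array($res))` block, or skip the rest of the branch when no group row was found. The guard `$selected_group != 0` is a loose comparison whose outcome for a non-numeric value such as 'new' depends on the PHP version, so a string can reach the parameter typed 'i'; an explicit `ctype_digit((string)$selected_group)` check before the query states the intent. As in the action hunk above, neither `db_prep_query()` result is checked for failure.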