[Mapbender-commits] r1980 - in branches/2.5/http: classes php
svn_mapbender at osgeo.org
svn_mapbender at osgeo.org
Thu Jan 17 08:37:27 EST 2008
Author: christoph
Date: 2008-01-17 08:37:27 -0500 (Thu, 17 Jan 2008)
New Revision: 1980
Modified:
branches/2.5/http/classes/class_log.php
branches/2.5/http/classes/class_metadata.php
branches/2.5/http/classes/class_wfs.php
branches/2.5/http/classes/class_wfs_conf.php
branches/2.5/http/php/mb_listKMLs.php
branches/2.5/http/php/mb_listWMCs.php
branches/2.5/http/php/mod_deleteGUI.php
branches/2.5/http/php/mod_deleteWFS.php
branches/2.5/http/php/mod_wfs_conf.php
branches/2.5/http/php/mod_wfs_edit.php
Log:
prepared statements
Modified: branches/2.5/http/classes/class_log.php
===================================================================
--- branches/2.5/http/classes/class_log.php 2008-01-17 11:22:22 UTC (rev 1979)
+++ branches/2.5/http/classes/class_log.php 2008-01-17 13:37:27 UTC (rev 1980)
@@ -23,7 +23,7 @@
*modul "GET /map/http/ HTTP/1.1"
*/
-class log{
+class log {
var $dir = "../../log/";
var $log_username = true;
@@ -72,35 +72,15 @@
$con = db_connect(DBSERVER,OWNER,PW);
db_select_db(DB,$con);
for($i = 0; $i < count($this->url); $i++){
- $sql = "INSERT INTO mb_log(";
+ $sql = "INSERT INTO mb_log (";
+ $sql .= "time_client, time_server, time_readable, mb_session, ";
+ $sql .= "gui, module, ip, username, userid, request";
+ $sql .= ") VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)";
- $sql .= "time_client,";
- $sql .= "time_server,";
- $sql .= "time_readable,";
- $sql .= "mb_session,";
- $sql .= "gui,";
- $sql .= "module,";
- $sql .= "ip,";
- $sql .= "username,";
- $sql .= "userid,";
- $sql .= "request";
+ $v = array($time_client, strtotime("now"), "[".date("d/M/Y:H:i:s O")."]", SID, $_SESSION["mb_user_gui"], $_SESSION["mb_user_ip"], $_SESSION["mb_user_name"], $_SESSION["mb_user_id"], $this->url[$i]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "s");
+ $res = db_prep_query($sql, $v, $t)or die(db_error());
- $sql .= ") VALUES (";
-
- $sql .= "'".$time_client."',";
- $sql .= "'".strtotime("now")."',";
- $sql .= "'[".date("d/M/Y:H:i:s O")."]',";
- $sql .= "'".SID."',";
- $sql .= "'".$_SESSION["mb_user_gui"]."',";
- $sql .= "'".$module."',";
- $sql .= "'".$_SESSION["mb_user_ip"]."',";
- $sql .= "'".$_SESSION["mb_user_name"]."',";
- $sql .= "'".$_SESSION["mb_user_id"]."',";
- $sql .= "'".$this->url[$i]."'";
- $sql .= ")";
-
- $res = db_query($sql)or die(db_error());
-
if(!$res){
include_once(dirname(__FILE__)."/class_mb_exception.php");
$e = new mb_exception("class_log: Writing table mb_log failed.");
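Review bot: The INSERT names ten columns (`time_client` through `request`, including `module`) but the VALUES clause has only nine placeholders and `$v`/`$t` carry nine entries each, so `$module` — which the removed code bound between `gui` and `ip` — is silently dropped and the statement will be rejected for a column/value count mismatch. Restore it with `") VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)";`, insert `$module` into `$v` right after `$_SESSION["mb_user_gui"]`, and extend `$t` to ten `"s"` entries. Separately, the `or die(db_error())` on the `db_prep_query` line exits before the `if(!$res)` branch below it can run, so the `mb_exception` path is dead code; dropping the `or die` would let the existing handling take over. The enclosing method starts above this hunk.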
Modified: branches/2.5/http/classes/class_metadata.php
===================================================================
--- branches/2.5/http/classes/class_metadata.php 2008-01-17 11:22:22 UTC (rev 1979)
+++ branches/2.5/http/classes/class_metadata.php 2008-01-17 13:37:27 UTC (rev 1980)
@@ -178,8 +178,7 @@
/* set categories as array */
function set_categories(){
$sql = "SELECT * FROM md_topic_category ";
-
- $sql .= " ORDER BY md_topic_category_id";
+ $sql .= "ORDER BY md_topic_category_id";
$res = db_query($sql);
$this->cat[0] = array();
@@ -212,10 +211,10 @@
}
/*
- * replace german letters (for example ä => ae)
+ * replace german letters (for example � => ae)
*/
function replaceChars($text){
- $search = array( "ä", "ö", "ü", "Ä", "Ö", "Ü", "ß");
+ $search = array( "�", "�", "�", "�", "�", "�", "�");
$repwith = array("ae", "oe", "ue", "AE", "OE", "UE", "ss");
if(CHARSET=="UTF-8")
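Review bot: The umlaut literals in the `$search` array on the new side no longer render as valid UTF-8 (they appear as replacement characters where the old side showed `ä`, `ö`, `ü`, `ß`), which suggests the file was re-saved in a single-byte encoding rather than the characters being changed on purpose. Since this array is what `replaceChars` matches against its input, its byte encoding decides whether any replacement happens on UTF-8 text, and the `CHARSET=="UTF-8"` check that follows is cut off at the end of the hunk, so I cannot tell whether that branch re-encodes first. Please confirm the file encoding change was intentional and matches what the deployment expects; if not, restore the UTF-8 bytes of `$search` (and of the comments touched elsewhere in this commit). The function body continues past the hunk.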
@@ -400,7 +399,7 @@
$sql .= " ORDER BY load_count DESC";
- //Beschränkung
+ //Beschr�nkung
$lim = $this->limit;
$overLimit = $lim+1;
$sql .= " LIMIT ".$overLimit;
@@ -599,13 +598,13 @@
$tmp_layer_pos = $member -> getAttribute('layer_pos');
/*
- * Wiederfinden des Members über die Attribute
+ * Wiederfinden des Members �ber die Attribute
*/
if ($this->cat[$i]['member'][$ii]['wms_id'] == $tmp_wms_id){
if ($this->cat[$i]['member'][$ii]['layer_parent'] == $tmp_layer_pos){
$sub = "true";
- $member->appendChild($m); // dem member $member wird ein weiteres member $m hinzugefügt
+ $member->appendChild($m); // dem member $member wird ein weiteres member $m hinzugef�gt
break;
} else {
@@ -665,7 +664,7 @@
$epsg_text = $this->doc->createTextNode($equalEPSG);
$epsg->appendChild($epsg_text);
- // Länderkennung
+ // L�nderkennung
$state = $this->doc->createElement('federalstate');
$m->appendChild($state);
@@ -690,7 +689,7 @@
$last_monitoring_text = $this->doc->createTextNode($lastMonitoring);
$last_monitoring->appendChild($last_monitoring_text);
- // Verfügbarkeit - Prozentzahl
+ // Verf�gbarkeit - Prozentzahl
$availability = $this->doc->createElement('availability');
$m->appendChild($availability);
@@ -930,7 +929,7 @@
$epsg_text = $this->doc->createTextNode($equalEPSG);
$epsg->appendChild($epsg_text);
- // Länderkennung
+ // L�nderkennung
$state = $this->doc->createElement('federalstate');
$m->appendChild($state);
@@ -1082,7 +1081,7 @@
$last_date = date("d.m.Y - H:i", $last_timestamp);
-// Vorrübergehend auskommentiert da keine aktuellen (auf Timestamp basierten) Daten vorliegen
+// Vorr�bergehend auskommentiert da keine aktuellen (auf Timestamp basierten) Daten vorliegen
// $sql = "SELECT upload_id as time, status FROM mb_monitor WHERE fkey_wms_id=$1 AND upload_id > ".$last_timestamp;
$sql = "SELECT upload_id as time, status FROM mb_monitor WHERE fkey_wms_id=$1";
Modified: branches/2.5/http/classes/class_wfs.php
===================================================================
--- branches/2.5/http/classes/class_wfs.php 2008-01-17 11:22:22 UTC (rev 1979)
+++ branches/2.5/http/classes/class_wfs.php 2008-01-17 13:37:27 UTC (rev 1980)
@@ -321,8 +321,10 @@
// if it might exist, update it
if ($wfs_exists) {
// but check first if it really exists in the database
- $sql = "SELECT * FROM wfs WHERE wfs_id = ".$this->wfs_id.";";
- $res = db_query($sql);
+ $sql = "SELECT * FROM wfs WHERE wfs_id = $1;";
+ $v = array($this->wfs_id);
+ $t = array("i");
+ $res = db_prep_query($sql, $v, $t);
if($res){
$this->updateWfs();
}
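Review bot: `if($res)` after the new `$res = db_prep_query(...)` still tests only that the SELECT executed, not that a row came back — a successful query with zero rows is presumably still a truthy result, as with `db_query` — so the comment's "check first if it really exists" is not what this branch does and `updateWfs()` will run for an id that is not in the table. The removed line had the same gap, but since it is being rewritten it is worth closing, e.g. `if ($res && db_fetch_row($res)) {` using the row-fetch helper this class already calls below. This assumes `db_prep_query` returns a result resource on success like `db_query`; the enclosing method begins before the hunk.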
@@ -337,8 +339,10 @@
}
# delete featuretypes from DB that does not exist and find the ids
- $sql = "SELECT * FROM wfs_featuretype WHERE fkey_wfs_id = ".$this->wfs_id.";";
- $res_ft = db_query($sql);
+ $sql = "SELECT * FROM wfs_featuretype WHERE fkey_wfs_id = $1;";
+ $v = array($this->wfs_id);
+ $t = array("i");
+ $res_ft = db_prep_query($sql, $v, $t);
$cnt = 0;
while(db_fetch_row($res_ft)){
$found = false;
@@ -391,9 +395,10 @@
}
//delete featuretype elements from db and find the ids
- $sql = "SELECT * FROM wfs_element WHERE fkey_featuretype_id = ".$this->wfs_featuretype[$i]->featuretype_id.";";
- //echo $sql."<br />";
- $res_el = db_query($sql);
+ $sql = "SELECT * FROM wfs_element WHERE fkey_featuretype_id = $1;";
+ $v = array($this->wfs_featuretype[$i]->featuretype_id);
+ $t = array("i");
+ $res_el = db_prep_query($sql, $v, $t);
$cnt = 0;
while(db_fetch_row($res_el)){
$found = false;
@@ -420,43 +425,53 @@
for($j=0; $j<count($this->wfs_featuretype[$i]->featuretype_element);$j++){
if(!$this->wfs_featuretype[$i]->featuretype_element[$j]["id"]){
$sql = "INSERT INTO wfs_element(fkey_featuretype_id, element_name,element_type) ";
- $sql .= "VALUES(";
- $sql .= "'" .$this->wfs_featuretype[$i]->featuretype_id. "', ";
- $sql .= "'" .$this->wfs_featuretype[$i]->featuretype_element[$j]["name"]. "', ";
- $sql .= "'" .$this->wfs_featuretype[$i]->featuretype_element[$j]["type"]. "' ";
- $sql .= ");";
- //echo $sql."<br />";
- $res = db_query($sql);
+ $sql .= "VALUES($1, $2, $3);";
+
+ $v = array($this->wfs_featuretype[$i]->featuretype_id, $this->wfs_featuretype[$i]->featuretype_element[$j]["name"], $this->wfs_featuretype[$i]->featuretype_element[$j]["type"]);
+ $t = array("s", "s", "s");
+ $res = db_prep_query($sql, $v, $t);
if(!$res){db_rollback();$e = new mb_exception("Error while saving WFS to DB. Rollback performed.");return;}
}
else{
- $sql = "UPDATE wfs_element SET element_type = '".$this->wfs_featuretype[$i]->featuretype_element[$j]["type"]."' ";
- $sql .= "WHERE element_id = ".$this->wfs_featuretype[$i]->featuretype_element[$j]["id"]." AND ";
- $sql .= "fkey_featuretype_id = ".$this->wfs_featuretype[$i]->featuretype_id.";";
- //echo $sql."<br />";
- $res = db_query($sql);
- if(!$res){db_rollback();$e = new mb_exception("Error while saving WFS to DB. Rollback performed.");return;}
+ $sql = "UPDATE wfs_element SET element_type = $1 ";
+ $sql .= "WHERE element_id = $2 AND ";
+ $sql .= "fkey_featuretype_id = $3;";
+ $v = array($this->wfs_featuretype[$i]->featuretype_element[$j]["type"], $this->wfs_featuretype[$i]->featuretype_element[$j]["id"], $this->wfs_featuretype[$i]->featuretype_id);
+ $t = array("s", "i", "i");
+ $res = db_prep_query($sql, $v, $t);
+ if (!$res) {
+ db_rollback();
+ $e = new mb_exception("Error while saving WFS to DB. Rollback performed.");
+ return;
+ }
}
}
$sql = "DELETE FROM wfs_featuretype_namespace WHERE ";
- $sql .= "fkey_wfs_id = ".$this->wfs_id." AND ";
- $sql .= "fkey_featuretype_id = ".$this->wfs_featuretype[$i]->featuretype_id.";";
- //echo $sql."<br />";
- $res = db_query($sql);
- if(!$res){db_rollback();$e = new mb_exception("Error while saving WFS to DB. Rollback performed.");return;}
+ $sql .= "fkey_wfs_id = $1 AND fkey_featuretype_id = $2";
+ $v = array($this->wfs_id, $this->wfs_featuretype[$i]->featuretype_id);
+ $t = array("i", "i");
+ $res = db_prep_query($sql, $v, $t);
+ if (!$res) {
+ db_rollback();
+ $e = new mb_exception("Error while saving WFS to DB. Rollback performed.");
+ return;
+ }
for($j=0; $j<count($this->wfs_featuretype[$i]->featuretype_namespace);$j++){
- $sql = "INSERT INTO wfs_featuretype_namespace(fkey_wfs_id, fkey_featuretype_id, namespace, namespace_location) ";
- $sql .= "VALUES(";
- $sql .= "'" .$this->wfs_id. "',";
- $sql .= "'" .$this->wfs_featuretype[$i]->featuretype_id. "', ";
- $sql .= "'" .$this->wfs_featuretype[$i]->featuretype_namespace[$j]["name"]. "', ";
- $sql .= "'" .$this->wfs_featuretype[$i]->featuretype_namespace[$j]["value"]. "' ";
- $sql .= ");";
- //echo $sql."<br />";
- $res = db_query($sql);
- if(!$res){db_rollback();$e = new mb_exception("Error while saving WFS to DB. Rollback performed.");return;}
+ $sql = "INSERT INTO wfs_featuretype_namespace ";
+ $sql .= "(fkey_wfs_id, fkey_featuretype_id, namespace, namespace_location) ";
+ $sql .= "VALUES ($1, $2, $3, $4);";
+
+ $v = array($this->wfs_id, $this->wfs_featuretype[$i]->featuretype_id, $this->wfs_featuretype[$i]->featuretype_namespace[$j]["name"], $this->wfs_featuretype[$i]->featuretype_namespace[$j]["value"]);
+ $t = array("s", "s", "s", "s");
+ $res = db_prep_query($sql, $v, $t);
+
+ if (!$res) {
+ db_rollback();
+ $e = new mb_exception("Error while saving WFS to DB. Rollback performed.");
+ return;
+ }
}
}
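Review bot: The two INSERTs bind integer foreign keys as strings — `$t = array("s", "s", "s")` for the `wfs_element` insert and `$t = array("s", "s", "s", "s")` for the `wfs_featuretype_namespace` insert — while the UPDATE and DELETE in the same hunk bind the very same `featuretype_id`/`wfs_id` values with `"i"`. Whether that matters depends on how `db_prep_query` maps its type codes, which is not visible here, but it is inconsistent within one method and on a strictly typed backend a string parameter against an integer column can fail. Suggest `$t = array("i", "s", "s");` and `$t = array("i", "i", "s", "s");` respectively, matching the `"i"` already used for those ids a few lines above. The enclosing method starts before and ends after this hunk.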
@@ -464,13 +479,16 @@
if($gui_id){
$sql ="INSERT INTO gui_wfs (fkey_gui_id, fkey_wfs_id)";
- $sql .= "VALUES(";
- $sql .= "'" . $gui_id . "', ";
- $sql .= $this->wfs_id;
- $sql .= ");";
- //echo $sql."<br />";
- $res = db_query($sql);
- if(!$res){db_rollback();$e = new mb_exception("Error while saving WFS to DB. Rollback performed.");return;}
+ $sql .= "VALUES($1, $2);";
+ $v = array($gui_id, $this->wfs_id);
+ $t = array("s", "i");
+ $res = db_prep_query($sql);
+
+ if (!$res) {
+ db_rollback();
+ $e = new mb_exception("Error while saving WFS to DB. Rollback performed.");
+ return;
+ }
}
//echo "Successfully saved!<br />";
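Review bot: `$res = db_prep_query($sql);` in the `gui_wfs` INSERT builds `$v` and `$t` on the two preceding lines but never passes them, so the statement is sent with `$1`/`$2` unbound; every other call in this commit passes all three arguments. It should read `$res = db_prep_query($sql, $v, $t);`. The failure will at least be caught by the `if (!$res)` rollback that follows, but as written a WFS save can never succeed when a `$gui_id` is supplied. The enclosing method continues past the hunk.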
@@ -616,8 +634,10 @@
$con = db_connect($DBSERVER,$OWNER,$PW);
db_select_db($DB,$con);
- $sql = "SELECT * FROM wfs WHERE wfs_id = ".$wfs_id.";";
- $res = db_query($sql);
+ $sql = "SELECT * FROM wfs WHERE wfs_id = $1;";
+ $v = array($wfs_id);
+ $t = array("i");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while(db_fetch_row($res)){
$this->wfs_id = db_result($res, $cnt, "wfs_id");
@@ -636,8 +656,10 @@
$this->wfs_owner = db_result($res, $cnt, "wfs_owner");
$this->wfs_timestamp = db_result($res, $cnt, "wfs_timestamp");
- $sql_fe = "SELECT * FROM wfs_featuretype WHERE fkey_wfs_id = '" . $this->wfs_id . "' ORDER BY featuretype_id";
- $res_fe = db_query($sql_fe);
+ $sql_fe = "SELECT * FROM wfs_featuretype WHERE fkey_wfs_id = $1 ORDER BY featuretype_id";
+ $v = array($this->wfs_id);
+ $t = array("i");
+ $res_fe = db_prep_query($sql_fe, $v, $t);
$cnt_fe = 0;
while(db_fetch_row($res_fe)){
$c = count($this->wfs_featuretype);
@@ -647,8 +669,10 @@
$this->wfs_featuretype[$c]->featuretype_abstract = db_result($res_fe, $cnt_fe, "featuretype_abstract");
$this->wfs_featuretype[$c]->featuretype_srs = db_result($res_fe, $cnt_fe, "featuretype_srs");
- $sql_el = "SELECT * FROM wfs_element WHERE fkey_featuretype_id = ". db_result($res_fe, $cnt_fe, "featuretype_id")." ORDER BY element_id";
- $res_el = db_query($sql_el);
+ $sql_el = "SELECT * FROM wfs_element WHERE fkey_featuretype_id = $1 ORDER BY element_id";
+ $v = array(db_result($res_fe, $cnt_fe, "featuretype_id"));
+ $t = array("i");
+ $res_el = db_prep_query($sql_el, $v, $t);
$cnt_el = 0;
while(db_fetch_row($res_el)){
$z = count($this->wfs_featuretype[$c]->featuretype_element);
@@ -656,8 +680,10 @@
$this->wfs_featuretype[$c]->featuretype_element[$z]["type"] = db_result($res_el, $cnt_el, "element_type");
$cnt_el++;
}
- $sql_ns = "SELECT * FROM wfs_featuretype_namespace WHERE fkey_featuretype_id = ". db_result($res_fe, $cnt_fe, "featuretype_id")." ORDER BY namespace";
- $res_ns = db_query($sql_ns);
+ $sql_ns = "SELECT * FROM wfs_featuretype_namespace WHERE fkey_featuretype_id = $1 ORDER BY namespace";
+ $v = array(db_result($res_fe, $cnt_fe, "featuretype_id"));
+ $t = array("i");
+ $res_ns = db_prep_query($sql_ns, $v, $t);
$cnt_ns = 0;
while(db_fetch_row($res_ns)){
$z = count($this->wfs_featuretype[$c]->featuretype_namespace);
Modified: branches/2.5/http/classes/class_wfs_conf.php
===================================================================
--- branches/2.5/http/classes/class_wfs_conf.php 2008-01-17 11:22:22 UTC (rev 1979)
+++ branches/2.5/http/classes/class_wfs_conf.php 2008-01-17 13:37:27 UTC (rev 1980)
@@ -155,6 +155,8 @@
"featuretype_name" => $featuretype_name,
"featuretype_id" => $featuretype_srs,
"wfs_getfeature" => $row["wfs_getfeature"],
+ "wfs_describefeaturetype" => $row["wfs_describefeaturetype"],
+ "wfs_transaction" => $row["wfs_transaction"],
"element" => $elementArray
);
Modified: branches/2.5/http/php/mb_listKMLs.php
===================================================================
--- branches/2.5/http/php/mb_listKMLs.php 2008-01-17 11:22:22 UTC (rev 1979)
+++ branches/2.5/http/php/mb_listKMLs.php 2008-01-17 13:37:27 UTC (rev 1980)
@@ -101,8 +101,10 @@
}
function getTarget($gui_id) {
- $sql = "SELECT e_requires, e_target FROM gui_element WHERE e_id = 'loadkml' AND fkey_gui_id = '".$gui_id."'";
- $res = db_query($sql);
+ $sql = "SELECT e_requires, e_target FROM gui_element WHERE e_id = 'loadkml' AND fkey_gui_id = $1";
+ $v = array($gui_id);
+ $t = array("s");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while($row = db_fetch_array($res)){
$e_target = $row["e_target"];
Modified: branches/2.5/http/php/mb_listWMCs.php
===================================================================
--- branches/2.5/http/php/mb_listWMCs.php 2008-01-17 11:22:22 UTC (rev 1979)
+++ branches/2.5/http/php/mb_listWMCs.php 2008-01-17 13:37:27 UTC (rev 1980)
@@ -98,8 +98,10 @@
}
function getTarget($gui_id) {
- $sql = "SELECT e_requires, e_target FROM gui_element WHERE e_id = 'loadwmc' AND fkey_gui_id = '".$gui_id."'";
- $res = db_query($sql);
+ $sql = "SELECT e_requires, e_target FROM gui_element WHERE e_id = 'loadwmc' AND fkey_gui_id = $1";
+ $v = array($gui_id);
+ $t = array("s");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while($row = db_fetch_array($res)){
$e_target = $row["e_target"];
Modified: branches/2.5/http/php/mod_deleteGUI.php
===================================================================
--- branches/2.5/http/php/mod_deleteGUI.php 2008-01-17 11:22:22 UTC (rev 1979)
+++ branches/2.5/http/php/mod_deleteGUI.php 2008-01-17 13:37:27 UTC (rev 1980)
@@ -65,12 +65,13 @@
###delete
if($guiList){
- $sql = "DELETE FROM gui WHERE gui_id = '".$guiList."'";
- $res = db_query($sql);
+ $sql = "DELETE FROM gui WHERE gui_id = $1";
+ $v = array($guiList);
+ $t = array("s");
+ $res = db_prep_query($sql, $v, $t);
}
-$sql_gui = "SELECT * FROM gui ";
-$sql_gui .= " ORDER BY gui_name";
+$sql_gui = "SELECT * FROM gui ORDER BY gui_name";
$res_gui = db_query($sql_gui);
$cnt_gui = 0;
Modified: branches/2.5/http/php/mod_deleteWFS.php
===================================================================
--- branches/2.5/http/php/mod_deleteWFS.php 2008-01-17 11:22:22 UTC (rev 1979)
+++ branches/2.5/http/php/mod_deleteWFS.php 2008-01-17 13:37:27 UTC (rev 1980)
@@ -76,12 +76,13 @@
###delete
if($wfsList){
- $sql = "DELETE FROM wfs WHERE wfs_id = '".$wfsList."'";
- $res = db_query($sql);
+ $sql = "DELETE FROM wfs WHERE wfs_id = $1";
+ $v = array($wfsList);
+ $t = array("i");
+ $res = db_prep_query($sql, $v, $t);
}
-$sql_wfs = "SELECT * FROM wfs ";
-$sql_wfs .= " ORDER BY wfs_id";
+$sql_wfs = "SELECT * FROM wfs ORDER BY wfs_id";
$res_wfs = db_query($sql_wfs);
$cnt_wfs = 0;
Modified: branches/2.5/http/php/mod_wfs_conf.php
===================================================================
--- branches/2.5/http/php/mod_wfs_conf.php 2008-01-17 11:22:22 UTC (rev 1979)
+++ branches/2.5/http/php/mod_wfs_conf.php 2008-01-17 13:37:27 UTC (rev 1980)
@@ -90,66 +90,81 @@
db_select_db($DB,$con);
- $sql = "INSERT INTO wfs_conf (wfs_conf_abstract,wfs_conf_description,fkey_wfs_id,fkey_featuretype_id,g_label,g_label_id,g_button,g_button_id,g_style,g_buffer,g_res_style,g_use_wzgraphics) VALUES(";
- $sql .= "'".$_REQUEST["wfs_conf_abstract"]."',";
- $sql .= "'".$_REQUEST["wfs_conf_description"]."',";
- $sql .= "'".$_REQUEST["wfs"]."',";
- $sql .= "'".$_REQUEST["featuretype"]."',";
- $sql .= "'".$_REQUEST["g_label"]."',";
- $sql .= "'".$_REQUEST["g_label_id"]."',";
- $sql .= "'".$_REQUEST["g_button"]."',";
- $sql .= "'".$_REQUEST["g_button_id"]."',";
- $sql .= "'".$_REQUEST["g_style"]."',";
- $sql .= "'".$_REQUEST["g_buffer"]."',";
- $sql .= "'".$_REQUEST["g_res_style"]."',";
- if(!empty($_REQUEST["g_use_wzgraphics"])){
+ $sql = "INSERT INTO wfs_conf (";
+ $sql .= "wfs_conf_abstract, wfs_conf_description, fkey_wfs_id, ";
+ $sql .= "fkey_featuretype_id, g_label, g_label_id, g_button, ";
+ $sql .= "g_button_id, g_style, g_buffer, g_res_style, g_use_wzgraphics";
+ $sql .= ") VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, ";
+ if (!empty($_REQUEST["g_use_wzgraphics"])) {
$sql .= "'1'";
- }else{$sql .= "'0'";}
+ }
+ else {
+ $sql .= "'0'";
+ }
$sql .= "); ";
+
+ $v = array($_REQUEST["wfs_conf_abstract"], $_REQUEST["wfs_conf_description"], $_REQUEST["wfs"], $_REQUEST["featuretype"], $_REQUEST["g_label"], $_REQUEST["g_label_id"], $_REQUEST["g_button"], $_REQUEST["g_button_id"], $_REQUEST["g_style"], $_REQUEST["g_buffer"], $_REQUEST["g_res_style"]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "s", "s", "s");
+ $res = db_prep_query($sql, $v, $t);
+
+ $wfsID = db_insert_id($con,'wfs_conf','wfs_conf_id');
- $res = db_query($sql);
- $wfsID = db_insert_id($con,'wfs_conf','wfs_conf_id');
- for($i=0; $i<$_REQUEST["num"]; $i++){
+ for ($i = 0; $i < $_REQUEST["num"]; $i++){
$sql = "INSERT INTO wfs_conf_element (fkey_wfs_conf_id,f_id,f_search,f_pos,f_style_id,f_toupper,f_label,f_label_id,f_show,f_respos,f_edit,f_form_element_html,f_mandatory,f_auth_varname,f_show_detail) VALUES(";
- $sql .= "'".$wfsID."',";
- $sql .= "'".$_REQUEST["f_id".$i]."',";
- if(!empty($_REQUEST["f_search".$i])){
- $sql .= "'1',";
- }else{$sql .= "'0',";}
- $sql .= "'".$_REQUEST["f_pos".$i]."',";
- $sql .= "'".$_REQUEST["f_style_id".$i]."',";
- if(!empty($_REQUEST["f_toupper".$i])){
- $sql .= "'1',";
- }else{$sql .= "'0',";}
- $sql .= "'".$_REQUEST["f_label".$i]."',";
- $sql .= "'".$_REQUEST["f_label_id".$i]."',";
- if(!empty($_REQUEST["f_show".$i])){
- $sql .= "'1',";
- }else{$sql .= "'0',";}
- $sql .= "'".$_REQUEST["f_respos".$i]."'";
- $sql .= ",";
- if(!empty($_REQUEST["f_edit".$i])){
- $sql .= "'1',";
- }else{$sql .= "'0',";}
- $sql .= "'".$_REQUEST["f_form_element_html".$i]."',";
- if(!empty($_REQUEST["f_mandatory".$i])){
+ $sql .= "$1, $2, ";
+ if (!empty($_REQUEST["f_search".$i])) {
$sql .= "'1'";
- }else{$sql .= "'0'";}
- $sql .= ", ";
- $sql .= "'".$_REQUEST["f_auth_varname".$i];
- $sql .= ",";
- if(!empty($_REQUEST["f_show_detail".$i])){
+ }
+ else {
+ $sql .= "'0'";
+ }
+ $sql .= ", $3, $4, ";
+ if (!empty($_REQUEST["f_toupper".$i])) {
+ $sql .= "'1'";
+ }
+ else {
+ $sql .= "'0'";
+ }
+ $sql .= ",$5, $6, ";
+ if (!empty($_REQUEST["f_show".$i])) {
+ $sql .= "'1'";
+ }
+ else {
+ $sql .= "'0',";
+ }
+ $sql .= ", $7, ";
+ if (!empty($_REQUEST["f_edit".$i])) {
+ $sql .= "'1'";
+ }
+ else {
+ $sql .= "'0'";
+ }
+ $sql .= ",$8, ";
+ if (!empty($_REQUEST["f_mandatory".$i])) {
+ $sql .= "'1'";
+ }
+ else {
+ $sql .= "'0'";
+ }
+ $sql .= ", $9, ";
+ if (!empty($_REQUEST["f_show_detail".$i])) {
$sql .= "'1'";
- }else{$sql .= "'0'";}
- $sql .= "); ";
+ }
+ else {
+ $sql .= "'0'";
+ }
+ $sql .= "); ";
- $res = db_query($sql);
+ $v = array($wfsID, $_REQUEST["f_id".$i], $_REQUEST["f_pos".$i], $_REQUEST["f_style_id".$i], $_REQUEST["f_label".$i], $_REQUEST["f_label_id".$i], $_REQUEST["f_respos".$i], $_REQUEST["f_form_element_html".$i], $_REQUEST["f_auth_varname".$i]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "s");
+ $res = db_prep_query($sql, $v, $t);
}
if (isset($_REQUEST["f_geom"])) {
- $sql = "UPDATE wfs_conf_element SET ";
- $sql .= "f_geom = 1";
- $sql .= " WHERE fkey_wfs_conf_id = ".$wfsID." AND f_id = ".$_REQUEST["f_geom"].";";
- $res = db_query($sql);
+ $sql = "UPDATE wfs_conf_element SET f_geom = 1 ";
+ $sql .= "WHERE fkey_wfs_conf_id = $1 AND f_id = $2;";
+ $v = array($wfsID, $_REQUEST["f_geom"]);
+ $t = array("i", "i");
+ $res = db_prep_query($sql, $v, $t);
}
echo "<script language='javascript'>";
echo "document.location.href = 'mod_wfs_edit.php?gaz=".$wfsID."';";
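Review bot: When `f_show{$i}` is empty the else branch appends `'0',` and the next statement appends `, $7, `, producing `'0',, $7` — a SQL syntax error that breaks the `wfs_conf_element` INSERT for every element with that checkbox unset (the `'1'` branch has no trailing comma, so the two branches disagree). Change the else to `$sql .= "'0'";` like the other flag branches in this loop. Note also that the result of neither `db_prep_query` call is checked before `db_insert_id` is read or the redirect is emitted, so a failed insert silently redirects to an edit page for an id that may not exist; that predates this change. The block enclosing this save logic starts above the hunk.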
Modified: branches/2.5/http/php/mod_wfs_edit.php
===================================================================
--- branches/2.5/http/php/mod_wfs_edit.php 2008-01-17 11:22:22 UTC (rev 1979)
+++ branches/2.5/http/php/mod_wfs_edit.php 2008-01-17 13:37:27 UTC (rev 1980)
@@ -56,89 +56,99 @@
$con = db_connect($DBSERVER,$OWNER,$PW);
db_select_db($DB,$con);
-if(isset($_REQUEST["save"])){
+if (isset($_REQUEST["save"])) {
$sql = "UPDATE wfs_conf SET ";
- $sql .= "wfs_conf_abstract = '".$_REQUEST["wfs_conf_abstract"]."',";
- $sql .= "wfs_conf_description = '".$_REQUEST["wfs_conf_description"]."',";
- $sql .= "g_label = '".$_REQUEST["g_label"]."',";
- $sql .= "g_label_id = '".$_REQUEST["g_label_id"]."',";
- $sql .= "g_button = '".$_REQUEST["g_button"]."',";
- $sql .= "g_button_id = '".$_REQUEST["g_button_id"]."',";
- $sql .= "g_style = '".$_REQUEST["g_style"]."',";
- $sql .= "g_buffer = '".$_REQUEST["g_buffer"]."',";
- $sql .= "g_res_style = '".$_REQUEST["g_res_style"]."',";
- $sql .= "g_use_wzgraphics = ";
- if(!empty($_REQUEST["g_use_wzgraphics"])){
- $sql .= '1';
- }else{$sql .= '0';}
- $sql .= " WHERE wfs_conf_id = ".$_REQUEST["gaz"].";";
+ $sql .= "wfs_conf_abstract = $1, wfs_conf_description = $2, g_label = $3, ";
+ $sql .= "g_label_id = $4, g_button = $5, g_button_id = $6, g_style = $7, ";
+ $sql .= "g_buffer = $8, g_res_style = $9, g_use_wzgraphics = ";
+ if (!empty($_REQUEST["g_use_wzgraphics"])) {
+ $sql .= "1";
+ }
+ else {
+ $sql .= "0";
+ }
+ $sql .= " WHERE wfs_conf_id = $10;";
- $res = db_query($sql);
+ $v = array($_REQUEST["wfs_conf_abstract"], $_REQUEST["wfs_conf_description"], $_REQUEST["g_label"], $_REQUEST["g_label_id"], $_REQUEST["g_button"], $_REQUEST["g_button_id"], $_REQUEST["g_style"], $_REQUEST["g_buffer"], $_REQUEST["g_res_style"], $_REQUEST["gaz"]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "i", "s", "i");
+ $res = db_prep_query($sql, $v, $t);
if (isset($_REQUEST["f_geom"])) {
- $sql = "UPDATE wfs_conf_element SET ";
- $sql .= "f_geom = 1";
- $sql .= " WHERE fkey_wfs_conf_id = ".$_REQUEST["gaz"]." AND f_id = ".$_REQUEST["f_geom"].";";
- $res = db_query($sql);
+ $sql = "UPDATE wfs_conf_element SET f_geom = 1 ";
+ $sql .= "WHERE fkey_wfs_conf_id = $1 AND f_id = $2;";
+ $v = array($_REQUEST["gaz"], $_REQUEST["f_geom"]);
+ $t = array("i", "s");
+ $res = db_prep_query($sql);
- $sql = "UPDATE wfs_conf_element SET ";
- $sql .= "f_geom = 0";
- $sql .= " WHERE fkey_wfs_conf_id = ".$_REQUEST["gaz"]." AND f_id <> ".$_REQUEST["f_geom"].";";
- $res = db_query($sql);
+ $sql = "UPDATE wfs_conf_element SET f_geom = 0 ";
+ $sql .= "WHERE fkey_wfs_conf_id = $1 AND f_id <> $2;";
+ $v = array($_REQUEST["gaz"], $_REQUEST["f_geom"]);
+ $t = array("i", "s");
+ $res = db_prep_query($sql);
}
else {
- $sql = "UPDATE wfs_conf_element SET ";
- $sql .= "f_geom = 0";
- $sql .= " WHERE fkey_wfs_conf_id = ".$_REQUEST["gaz"].";";
- $res = db_query($sql);
+ $sql = "UPDATE wfs_conf_element SET f_geom = 0 ";
+ $sql .= "WHERE fkey_wfs_conf_id = $1;";
+ $v = array($_REQUEST["gaz"]);
+ $t = array("i");
+ $res = db_prep_query($sql);
}
for($i=0; $i<$_REQUEST["num"]; $i++){
- $sql = "UPDATE wfs_conf_element SET ";
- $sql .= "f_search = '";
- if(!empty($_REQUEST["f_search".$i])){
- $sql .= '1';
- }else{$sql .= '0';}
- $sql .= "',";
- $sql .= "f_pos = '".$_REQUEST["f_pos".$i]."',";
- $sql .= "f_style_id = '".$_REQUEST["f_style_id".$i]."',";
+ $sql = "UPDATE wfs_conf_element SET f_search = '";
+ if (!empty($_REQUEST["f_search".$i])) {
+ $sql .= "1";
+ }
+ else {
+ $sql .= "0";
+ }
+ $sql .= "', f_pos = $1, f_style_id = $2,";
$sql .= "f_toupper = '" ;
- if(!empty($_REQUEST["f_toupper".$i])){
- $sql .= '1';
- }else{$sql .= '0';}
- $sql .= "',";
- $sql .= "f_label = '".$_REQUEST["f_label".$i]."',";
- $sql .= "f_label_id = '".$_REQUEST["f_label_id".$i]."',";
+ if (!empty($_REQUEST["f_toupper".$i])) {
+ $sql .= "1";
+ }
+ else {
+ $sql .= "0";
+ }
+ $sql .= "',f_label = $3, f_label_id = $4,";
$sql .= "f_show = '";
- if(!empty($_REQUEST["f_show".$i])){
- $sql .= '1';
- }else{$sql .= '0';}
- $sql .= "',";
- $sql .= "f_respos = '".$_REQUEST["f_respos".$i]."' ";
- $sql .= ",";
+ if (!empty($_REQUEST["f_show".$i])) {
+ $sql .= "1";
+ }
+ else {
+ $sql .= "0";
+ }
+ $sql .= "',f_respos = $5,";
$sql .= "f_edit = '";
- if(!empty($_REQUEST["f_edit".$i])){
- $sql .= '1';
- }else{$sql .= '0';}
- $sql .= "',";
- $sql .= "f_form_element_html = '".addslashes($_REQUEST["f_form_element_html".$i]);
- $sql .= "',";
+ if (!empty($_REQUEST["f_edit".$i])) {
+ $sql .= "1";
+ }
+ else {
+ $sql .= "0";
+ }
+ $sql .= "', f_form_element_html = $6,";
$sql .= "f_mandatory = '";
- if(!empty($_REQUEST["f_mandatory".$i])){
+ if (!empty($_REQUEST["f_mandatory".$i])) {
$sql .= "1";
- }else{$sql .= "0";}
- $sql .= "'";
- $sql .= ", ";
- $sql .= "f_auth_varname = '".$_REQUEST["f_auth_varname".$i];
- $sql .= "',";
+ }
+ else {
+ $sql .= "0";
+ }
+ $sql .= "', f_auth_varname = $7,";
$sql .= "f_show_detail = '";
- if(!empty($_REQUEST["f_show_detail".$i])){
- $sql .= '1';
- }else{$sql .= '0';}
- $sql .= "' WHERE fkey_wfs_conf_id = ".$_REQUEST["gaz"]." AND f_id = ".$_REQUEST["f_id".$i].";";
- $res = db_query($sql);
+ if (!empty($_REQUEST["f_show_detail".$i])) {
+ $sql .= "1";
+ }
+ else {
+ $sql .= "0";
+ }
+ $sql .= "' WHERE fkey_wfs_conf_id = $8 AND f_id = $9;";
+
+ $v = array($_REQUEST["f_pos".$i], $_REQUEST["f_style_id".$i], $_REQUEST["f_label".$i], $_REQUEST["f_label_id".$i], $_REQUEST["f_respos".$i], addslashes($_REQUEST["f_form_element_html".$i]), $_REQUEST["f_auth_varname".$i], $_REQUEST["gaz"], $_REQUEST["f_id".$i]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "i", "s");
+ $res = db_prep_query($sql, $v, $t);
}
}
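Review bot: Three of the `f_geom` UPDATEs call `$res = db_prep_query($sql);` without the `$v`/`$t` arrays built just above them (the `f_geom = 1` statement, the `f_geom = 0 … f_id <> $2` statement, and the else-branch `f_geom = 0` statement), so their `$1`/`$2` placeholders are never bound and the geometry flag is not updated; each should be `$res = db_prep_query($sql, $v, $t);` as the other calls in this hunk do. Second, the element loop passes `addslashes($_REQUEST["f_form_element_html".$i])` as a bound parameter; with a prepared statement the driver does the quoting, so the stored HTML will gain a backslash before every quote on each save, whereas the INSERT path in mod_wfs_conf.php binds the raw value. Drop the `addslashes(...)` wrapper there so both paths store the same bytes. None of these results is checked, so the unbound-parameter failures above would go unnoticed at runtime.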
@@ -175,9 +185,11 @@
}
/* configure elements */
-if(isset($_REQUEST["gaz"])){
- $sql = "SELECT * FROM wfs_conf WHERE wfs_conf_id = ".$_REQUEST["gaz"];
- $res = db_query($sql);
+if (isset($_REQUEST["gaz"])) {
+ $sql = "SELECT * FROM wfs_conf WHERE wfs_conf_id = $1";
+ $v = array($_REQUEST["gaz"]);
+ $t = array("i");
+ $res = db_prep_query($sql, $v, $t);
if($row = db_fetch_array($res)){
echo "<table>";
echo "<tr><td>GazetterID:</td><td>".$row["wfs_conf_id"]."</td></tr>" ;
@@ -199,9 +211,10 @@
/* set element options */
$sql = "SELECT * FROM wfs_conf_element ";
$sql .= "JOIN wfs_element ON wfs_conf_element.f_id = wfs_element.element_id ";
- $sql .= "WHERE fkey_wfs_conf_id = ".$_REQUEST["gaz"]." ORDER BY f_id";
-
- $res = db_query($sql);
+ $sql .= "WHERE fkey_wfs_conf_id = $1 ORDER BY f_id";
+ $v = array($_REQUEST["gaz"]);
+ $t = array("i");
+ $res = db_prep_query($sql, $v, $t);
echo "<table border='1'>";
echo "<tr valign = bottom>";