[Mapbender-commits] r1993 - branches/2.5/http/php
svn_mapbender at osgeo.org
svn_mapbender at osgeo.org
Sun Jan 20 09:12:55 EST 2008
Author: christoph
Date: 2008-01-20 09:12:55 -0500 (Sun, 20 Jan 2008)
New Revision: 1993
Modified:
branches/2.5/http/php/mod_editGuiWmsMeta.php
branches/2.5/http/php/mod_edit_metadata.php
branches/2.5/http/php/mod_gazetteer_conf.php
branches/2.5/http/php/mod_gazetteer_edit.php
Log:
prepared statements
Modified: branches/2.5/http/php/mod_editGuiWmsMeta.php
===================================================================
--- branches/2.5/http/php/mod_editGuiWmsMeta.php 2008-01-20 10:59:05 UTC (rev 1992)
+++ branches/2.5/http/php/mod_editGuiWmsMeta.php 2008-01-20 14:12:55 UTC (rev 1993)
@@ -143,7 +143,7 @@
$sql.= " WHERE layer_id = $7;";
$v = array($_REQUEST["layer_meta_datum"], $_REQUEST["layer_meta_lieferant"], $_REQUEST["layer_meta_quelle"], $_REQUEST["layer_meta_ansprechpartner"], $_REQUEST["layer_meta_lieferant_basis"], $_REQUEST["layer_meta_copyright"], $layer_id);
$t = array("s", "s", "s", "s", "s", "s", "i");
- $res = db_query($sql);
+ $res = db_prep_query($sql, $v, $t);
}
}
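Review bot: The return value of `db_prep_query()` on the `+` line is stored in `$res` but never inspected, so a failed UPDATE of the layer metadata is silent for the caller. Add a check right after the call, e.g. `if (!$res) { echo db_error($con); }`, matching how the other modules in this tree report query errors (the exact handle name is outside the hunk). The values in `$v` are read from `$_REQUEST`, so the state-changing update also accepts GET and cookie input; reading them from `$_POST` would be tighter, though that may depend on how the form submits. The enclosing block begins outside the hunk.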
Modified: branches/2.5/http/php/mod_edit_metadata.php
===================================================================
--- branches/2.5/http/php/mod_edit_metadata.php 2008-01-20 10:59:05 UTC (rev 1992)
+++ branches/2.5/http/php/mod_edit_metadata.php 2008-01-20 14:12:55 UTC (rev 1993)
@@ -112,45 +112,72 @@
# handle database updates etc.....
if(isset($mySave) && ($mySave == '1' || $mySave == '2')) {
if ($mySave == '1'){
- $sql_vars = "SELECT * FROM gui_element_vars WHERE fkey_e_id = '".$e_id."' AND fkey_gui_id = '".$guiList1."'";
- $res_vars = db_query($sql_vars);
+ $sql_vars = "SELECT * FROM gui_element_vars WHERE fkey_e_id = $1 AND fkey_gui_id = $2";
+ $v = array($e_id, $guiList1);
+ $t = array("s", "s");
+ $res_vars = db_prep_query($sql_vars, $v, $t);
//$rows = db_fetch_array($res_vars);
- if($SYS_DBTYPE=='pgsql')
- {
- $sql[0] = "SET AUTOCOMMIT=1";
- }
- else
- {
- $sql[0] = "SET AUTOCOMMIT=0";
- }
- $sql[1] = "BEGIN";
- $sql[2] = "DELETE FROM gui_element WHERE e_id = '".$e_id."' AND fkey_gui_id = '".$guiList1."'";
+ $sql = array();
+ $v = array();
+ $t = array();
+ if ($SYS_DBTYPE == "pgsql") {
+ $sql[0] = "SET AUTOCOMMIT=1";
+ $v[0] = array();
+ $t[0] = array();
+ }
+ else {
+ $sql[0] = "SET AUTOCOMMIT=0";
+ $v[0] = array();
+ $t[0] = array();
+ }
+ $sql[1] = "BEGIN";
+ $v[1] = array();
+ $t[1] = array();
+
+ $sql[2] = "DELETE FROM gui_element WHERE e_id = $1 AND fkey_gui_id = $2";
+ $v[2] = array($e_id, $guiList1);
+ $t[2] = array("s", "s");
+ if($e_left < 1){$e_left = "NULL";}
+ if($e_top < 1){$e_top = "NULL";}
+ if($e_width < 1){$e_width = "NULL";}
+ if($e_height < 1){$e_height = "NULL";}
+ if($e_z_index < 1){$e_z_index = "NULL";}
- if($e_left < 1){$e_left = "NULL";}
- if($e_top < 1){$e_top = "NULL";}
- if($e_width < 1){$e_width = "NULL";}
- if($e_height < 1){$e_height = "NULL";}
- if($e_z_index < 1){$e_z_index = "NULL";}
- $sql[3] = "INSERT INTO gui_element(fkey_gui_id,e_id,e_pos,e_public,e_comment,e_element,e_src,e_attributes,e_left,e_top,e_width,e_height,e_z_index,e_more_styles,e_content,e_closetag,e_js_file,e_mb_mod,e_target,e_requires) ";
- $sql[3] .= "VALUES ('".$guiList1."','".$e_id."','".$e_pos."','".$e_public."','".db_escape_string($e_comment)."','".$e_element."','".$e_src."','".db_escape_string($e_attributes)."',".$e_left.",".$e_top.",".$e_width.",".$e_height.",".$e_z_index.",'".$e_more_styles."','".db_escape_string($e_content)."','".$e_closetag."','".$e_js_file."','".$e_mb_mod."','".$e_target."','".$e_requires."')";
-
+ $sql[3] = "INSERT INTO gui_element (fkey_gui_id, e_id, e_pos, e_public, ";
+ $sql[3] .= "e_comment, e_element, e_src, e_attributes, e_left, e_top, ";
+ $sql[3] .= "e_width, e_height, e_z_index, e_more_styles, e_content, ";
+ $sql[3] .= "e_closetag, e_js_file, e_mb_mod, e_target, e_requires) ";
+ $sql[3] .= "VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, ";
+ $sql[3] .= "$13, $14, $15, $16, $17, $18, $19, $20)";
+ $v[3] = array($guiList1, $e_id, $e_pos, $e_public, db_escape_string($e_comment), $e_element, $e_src, db_escape_string($e_attributes), $e_left, $e_top, $e_width, $e_height, $e_z_index, $e_more_styles, db_escape_string($e_content), $e_closetag, $e_js_file, $e_mb_mod, $e_target, $e_requires);
+ $t[3] = array("s", "s", "s", "s", "s", "s", "s", "s", "i", "i", "i", "i", "i", "s", "s", "s", "s", "s", "s", "s");
}
# mySave == 2 <=> just save GUI description
elseif ($mySave == '2') {
- if($SYS_DBTYPE=='pgsql')
- {
- $sql[0] = "SET AUTOCOMMIT=1";
- }
- else
- {
- $sql[0] = "SET AUTOCOMMIT=0";
+ $sql = array();
+ $v = array();
+ $t = array();
+ if ($SYS_DBTYPE == "pgsql") {
+ $sql[0] = "SET AUTOCOMMIT=1";
+ $v[0] = array();
+ $t[0] = array();
}
- $sql[1] = "BEGIN";
- $sql[3] = "UPDATE gui SET gui_description = '". $guiDesc."' WHERE gui_id ='".$guiId."'";
- }
- foreach ($sql as $mysql){
- $res = db_query($mysql);
+ else {
+ $sql[0] = "SET AUTOCOMMIT=0";
+ $v[0] = array();
+ $t[0] = array();
+ }
+ $sql[1] = "BEGIN";
+ $v[1] = array();
+ $t[1] = array();
+
+ $sql[2] = "UPDATE gui SET gui_description = $1 WHERE gui_id = $2";
+ $v[2] = array($guiDesc, $guiId);
+ $t[2] = array("s", "s");
+ }
+ for ($i = 0; $i < count($sql); $i++) {
+ $res = db_prep_query($sql[$i], $v[$i], $t[$i]);
if(!$res){break;}
}
if($res){
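Review bot: The `$e_left = "NULL"` fallbacks on the `+` lines (and their siblings for e_top, e_width, e_height, e_z_index) are now handed to `db_prep_query()` in `$v[3]` as bound parameters typed `"i"`, so the literal string "NULL" is sent as a value instead of being spliced into the SQL as the NULL keyword; presumably the driver either coerces it to 0 or rejects it as invalid integer input, and either way the column no longer ends up NULL. Use PHP null instead: `if ($e_left < 1) { $e_left = null; }` and the same for the other four. Separately, `db_escape_string()` is still applied to `$e_comment`, `$e_attributes` and `$e_content` inside `$v[3]` even though they are now bound parameters, so quotes and backslashes will be stored with escape characters; drop those three calls. The enclosing `if(isset($mySave) …)` block continues past the hunk.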
@@ -161,19 +188,25 @@
$res = db_query( "ROLLBACK");
$res = db_query( "SET AUTOCOMMIT=1");
}
- if(isset($sql_vars)){//sicherstellen das keine Element_Vars gelöscht wurden
+ if(isset($sql_vars)){//sicherstellen das keine Element_Vars gel�scht wurden
while($row = db_fetch_array($res_vars)){
- $securesql = "INSERT INTO gui_element_vars (fkey_gui_id,fkey_e_id,var_name,var_value,context,type) VALUES ('".$guiList1."','".$e_id."','".$row["var_name"]."','".$row["var_value"]."','".$row["context"]."','".$row["type"]."');";
- //echo $securesql."<BR>";
- $secureinsert = db_query($securesql);
- }
- }
+ $securesql = "INSERT INTO gui_element_vars (fkey_gui_id, ";
+ $securesql .= "fkey_e_id, var_name, var_value, context,type) ";
+ $securesql .= "VALUES ($1, $2, $3, $4, $5, $6)";
+ $v = array($guiList1, $e_id, $row["var_name"], $row["var_value"], $row["context"], $row["type"]);
+ $t = array("s", "s", "s", "s", "s", "s");
+ //echo $securesql."<BR>";
+ $secureinsert = db_prep_query($securesql, $v, $t);
+ }
+ }
if(!$res){break;}
}
if(isset($myDelete) && $myDelete == '1'){
- $sql = "DELETE FROM gui_element WHERE e_id = '".$e_id."' AND fkey_gui_id = '".$guiList1."'";
- $res = db_query($sql);
+ $sql = "DELETE FROM gui_element WHERE e_id = $1 AND fkey_gui_id = $2";
+ $v = array($e_id, $guiList1);
+ $t = array("s", "s");
+ $res = db_prep_query($sql, $v, $t);
$e_id = ""; $e_pos = ""; $e_public = ""; $e_comment = ""; $e_element = "";
$e_src = ""; $e_attributes = ""; $e_left = ""; $e_top = ""; $e_width = ""; $e_height = ""; $e_z_index = "";
$e_more_styles = ""; $e_content = ""; $e_closetag = ""; $e_js_file = ""; $e_mb_mod = ""; $e_target = ""; $e_requires = "";
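Review bot: The rewritten comment on the `+` line reads `gel�scht` where the removed line had `gelöscht`, so the file was evidently saved in a different encoding than before and a character was lost; restore the original text (or translate it, e.g. `// make sure no element_vars were lost`) and check the rest of the file for the same damage. In the reinsert loop, `$secureinsert` is assigned from `db_prep_query()` but never checked, so a failed re-insert of a gui_element_vars row passes unnoticed; a minimal `if (!$secureinsert) { echo db_error($con); }` after the call would surface it. The surrounding `if($res)` / rollback branches begin before the hunk.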
@@ -185,33 +218,47 @@
echo "</script>";
}
if(isset($all) && $all == '1'){
- $sql = "SELECT * FROM gui_element WHERE fkey_gui_id = '".$guiList2."'";
- $res = db_query($sql);
+ $sql = "SELECT * FROM gui_element WHERE fkey_gui_id = $1";
+ $v = array($guiList2);
+ $t = array("s");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while(db_fetch_row($res)){
- $sql_del = "DELETE FROM gui_element WHERE fkey_gui_id = '".$guiList1."' AND e_id = '".db_result($res,$cnt,"e_id")."'";
- $res_del = db_query($sql_del);
+ $sql_del = "DELETE FROM gui_element WHERE fkey_gui_id = $1 AND e_id = $2";
+ $v = array($guiList1, db_result($res,$cnt,"e_id"));
+ $t = array("s", "s");
+ $res_del = db_prep_query($sql_del, $v, $t);
if(db_result($res,$cnt,"e_left") == ""){$myleft = 'NULL';} else{$myleft = db_result($res,$cnt,"e_left");}
if(db_result($res,$cnt,"e_top") == ""){$mytop = 'NULL';} else{$mytop = db_result($res,$cnt,"e_top");}
if(db_result($res,$cnt,"e_width") == ""){$mywidth = 'NULL';} else{$mywidth = db_result($res,$cnt,"e_width");}
if(db_result($res,$cnt,"e_height") == ""){$myheight = 'NULL';} else{$myheight = db_result($res,$cnt,"e_height");}
if(db_result($res,$cnt,"e_z_index") == ""){$my_z_index = 'NULL';} else{$my_z_index = db_result($res,$cnt,"e_z_index");}
- $sql_ins = "INSERT INTO gui_element(fkey_gui_id,e_id,e_pos,e_public,e_comment,e_element,e_src,e_attributes,e_left,e_top,e_width,e_height,e_z_index,e_more_styles,e_content,e_closetag,e_js_file,e_mb_mod,e_target,e_requires) ";
- $sql_ins .= "VALUES ('".$guiList1."','".db_result($res,$cnt,"e_id")."','".db_result($res,$cnt,"e_pos")."','".db_result($res,$cnt,"e_public")."','".db_escape_string(db_result($res,$cnt,"e_comment"))."','".db_result($res,$cnt,"e_element")."','".db_result($res,$cnt,"e_src")."','".db_escape_string(db_result($res,$cnt,"e_attributes"))."',".$myleft.",";
- $sql_ins .= $mytop.",".$mywidth.",".$myheight.",".$my_z_index.",'".db_result($res,$cnt,"e_more_styles")."','".db_escape_string(db_result($res,$cnt,"e_content"))."','".db_result($res,$cnt,"e_closetag")."','".db_result($res,$cnt,"e_js_file")."','".db_result($res,$cnt,"e_mb_mod")."','".db_result($res,$cnt,"e_target")."','".db_result($res,$cnt,"e_requires")."')";
-
- $res_ins = db_query($sql_ins);
+ $sql_ins = "INSERT INTO gui_element (fkey_gui_id, e_id, e_pos, e_public, ";
+ $sql_ins .= "e_comment, e_element, e_src, e_attributes, e_left, e_top, ";
+ $sql_ins .= "e_width, e_height, e_z_index, e_more_styles, e_content, ";
+ $sql_ins .= "e_closetag, e_js_file, e_mb_mod, e_target, e_requires) ";
+ $sql_ins .= "VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, ";
+ $sql_ins .= "$10, $11, $12, $13, $14, $15, $16, $17, $18, $19);";
+ $v = array($guiList1, db_result($res,$cnt,"e_id"), db_result($res,$cnt,"e_pos"), db_result($res,$cnt,"e_public"), db_escape_string(db_result($res,$cnt,"e_comment")), db_result($res,$cnt,"e_element"), db_result($res,$cnt,"e_src"), db_escape_string(db_result($res,$cnt,"e_attributes")), $myleft, $mytop, $mywidth, $myheight, $my_z_index, db_result($res,$cnt,"e_more_styles"), db_escape_string(db_result($res,$cnt,"e_content")), db_result($res,$cnt,"e_closetag"), db_result($res,$cnt,"e_js_file"), db_result($res,$cnt,"e_mb_mod"), db_result($res,$cnt,"e_target"), db_result($res,$cnt,"e_requires"));
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "i", "i", "i", "i", "i", "s", "s", "s", "s", "s", "s", "s");
+
+ $res_ins = db_prep_query($sql_ins, $v, $t);
if(!$res_ins){echo db_error($con); }
$cnt++;
}
- $sql = "SELECT * FROM gui_element_vars WHERE fkey_gui_id = '".$guiList2."'";
- $res = db_query($sql);
+ $sql = "SELECT * FROM gui_element_vars WHERE fkey_gui_id = $1";
+ $v = array($guiList2);
+ $t = array("s");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while(db_fetch_row($res)){
- $sql_ins2 = "INSERT INTO gui_element_vars(fkey_gui_id,fkey_e_id,var_name,var_value,context,type) ";
- $sql_ins2 .= "VALUES ('".$guiList1."','".db_result($res,$cnt,"fkey_e_id")."','".db_result($res,$cnt,"var_name")."','".db_escape_string(db_result($res,$cnt,"var_value"))."','".db_escape_string(db_result($res,$cnt,"context"))."','".db_result($res,$cnt,"type")."')";
- $res_ins2 = db_query($sql_ins2);
+ $sql_ins2 = "INSERT INTO gui_element_vars (fkey_gui_id, fkey_e_id, ";
+ $sql_ins2 .= "var_name, var_value, context, type) VALUES (";
+ $sql_ins2 .= "$1, $2, $3, $4, $5, $6);";
+ $v = array($guiList1, db_result($res,$cnt,"fkey_e_id"), db_result($res,$cnt,"var_name"), db_escape_string(db_result($res,$cnt,"var_value")), db_escape_string(db_result($res,$cnt,"context")), db_result($res,$cnt,"type"));
+ $t = array("s", "s", "s", "s", "s", "s");
+ $res_ins2 = db_prep_query($sql_ins2, $v, $t);
if(!$res_ins2){echo db_error($connect); }
$cnt++;
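Review bot: `$myleft`, `$mytop`, `$mywidth`, `$myheight` and `$my_z_index` are set to the string `'NULL'` on the context lines and then bound in `$v` with type `"i"` by the new `db_prep_query()` call, so the NULL keyword the old string-built INSERT produced is now sent as a literal value; presumably it is coerced to 0 or rejected, and in neither case does the copied element keep a NULL position. Use PHP null for the fallback, e.g. `$myleft = null;`, for all five. The `db_escape_string()` wrappers still applied to e_comment, e_attributes, e_content, var_value and context inside `$v` also double-escape now that the values are bound rather than interpolated, so copied elements will accumulate escape characters on every copy; remove them. The `if(isset($all) …)` block continues past the hunk.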
@@ -223,8 +270,10 @@
echo "<script language='javascript'>";
echo "var guiIDs = new Array();";
if(isset($guiList1)){
- $sql = "SELECT e_id FROM gui_element WHERE fkey_gui_id = '".$guiList1."'";
- $res = db_query($sql);
+ $sql = "SELECT e_id FROM gui_element WHERE fkey_gui_id = $1";
+ $v = array($guiList1);
+ $t = array("s");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while(db_fetch_row($res)){
echo "guiIDs[".$cnt."] = '".db_result($res,$cnt,"e_id")."'; ";
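Review bot: The e_id values this hunk now reads with a bound parameter are still written straight into a JavaScript string literal on the last line (`guiIDs[n] = '…'`) without escaping, and the same e_id column is populated from request input elsewhere in this file, so a stored value containing a quote or `</script>` would break out of the literal. Emit it through a JSON/JS escape, e.g. `echo "guiIDs[" . $cnt . "] = " . json_encode(db_result($res, $cnt, "e_id")) . "; ";`, if `json_encode` is available on the target PHP version, otherwise `addslashes()` at minimum. The `echo "<script …">` block is opened before the hunk.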
@@ -313,14 +362,20 @@
$permguis = $admin->getGuisByPermission($_SESSION["mb_user_id"],true);
echo "<form name='form1' action='" . $PHP_SELF . "?".SID."' method='post'>\n";
-$sql = "SELECT * from gui WHERE gui.gui_id IN(";
-for($i=0; $i<count($ownguis); $i++){
- if($i>0){ $sql .= ",";}
- $sql .= "'".$ownguis[$i]."'";
+$sql = "SELECT * from gui WHERE gui.gui_id IN (";
+$v = $ownguis;
+$t = array();
+
+for ($i = 1; $i <= count($ownguis); $i++) {
+ if ($i > 1) {
+ $sql .= ",";
+ }
+ $sql .= "$" . $i;
+ array_push($t, "s");
}
$sql .= ")";
//echo $sql;
-$res = db_query($sql);
+$res = db_prep_query($sql, $v, $t);
$count=0;
while(db_fetch_row($res)){
$gui_id_own[$count]=db_result($res,$count,"gui_id");
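Review bot: When `$ownguis` is empty the loop on the `+` lines adds no placeholders and the statement becomes `SELECT * from gui WHERE gui.gui_id IN ()`, which is a syntax error on both backends this file distinguishes; the removed code had the same problem, but the rewrite is the moment to fix it. Guard the query, e.g. `if (count($ownguis) > 0) { $res = db_prep_query($sql, $v, $t); … }` and leave `$gui_id_own` empty otherwise, since the `while(db_fetch_row($res))` below would otherwise be fed a failed result. `$v = $ownguis` also assumes `getGuisByPermission()` returns a 0-based list whose order matches the `$1…$n` placeholders; if it can return keyed arrays, pass `array_values($ownguis)` instead. The while loop continues past the hunk.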
@@ -330,13 +385,19 @@
}
-$sql = "SELECT * from gui WHERE gui.gui_id IN(";
-for($i=0; $i<count($permguis); $i++){
- if($i>0){ $sql .= ",";}
- $sql .= "'".$permguis[$i]."'";
+$sql = "SELECT * from gui WHERE gui.gui_id IN (";
+$v = $permguis;
+$t = array();
+
+for ($i = 1; $i <= count($permguis); $i++){
+ if ($i > 1) {
+ $sql .= ",";
+ }
+ $sql .= "$" . $i;
+ array_push($t, "s");
}
$sql .= ")";
-$res = db_query($sql);
+$res = db_prep_query($sql, $v, $t);
$count=0;
while($row = db_fetch_array($res)){
$gui_id_perm[$count]= $row["gui_id"];
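Review bot: The placeholder-building loop on the `+` lines is a verbatim copy of the one used for `$ownguis` a few lines earlier, and both produce an invalid `IN ()` clause when the array is empty. Extracting one helper that returns the placeholder list and its type array, and skipping the query when there is nothing to look up, removes the duplication and the empty-array failure in one place; the helper below is a sketch and its placement at file level is up to you. The `while($row = db_fetch_array($res))` loop continues past the hunk.
```php
function buildInList($ids) {
    $placeholders = array();
    for ($i = 1; $i <= count($ids); $i++) {
        $placeholders[] = '$' . $i;
    }
    return array("(" . implode(",", $placeholders) . ")", array_fill(0, count($ids), "s"));
}

// … unchanged: $ownguis block …
$gui_id_perm = array();
if (count($permguis) > 0) {
    list($inList, $t) = buildInList($permguis);
    $res = db_prep_query("SELECT * from gui WHERE gui.gui_id IN " . $inList, array_values($permguis), $t);
    // … unchanged: fetch loop filling $gui_id_perm …
}
```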
@@ -413,8 +474,10 @@
else{
echo "<div class='guiList2_header'>Templates</div>\n";
}
- $sql = "SELECT * FROM gui_element WHERE fkey_gui_id = '".$guiList2."' ORDER BY e_id";
- $res = db_query($sql);
+ $sql = "SELECT * FROM gui_element WHERE fkey_gui_id = $1 ORDER BY e_id";
+ $v = array($guiList2);
+ $t = array("s");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
echo "<div class='myElements'>\n<table>\n";
@@ -440,8 +503,10 @@
#Formular:
echo "<table class='myForm'>\n";
if(isset($myElement)){
- $sql = "SELECT * FROM gui_element WHERE fkey_gui_id = '".$guiList2."' AND e_id = '".$myElement."'";
- $res = db_query($sql);
+ $sql = "SELECT * FROM gui_element WHERE fkey_gui_id = $1 AND e_id = $2";
+ $v = array($guiList2, $myElement);
+ $t = array("s", "s");
+ $res = db_prep_query($sql, $v, $t);
if(db_fetch_row($res)){
echo "<tr><td>ID: </td><td><input type='text' class='textfield' name='e_id' value='".db_result($res,0,"e_id")."'></td></tr>\n";
echo "<tr><td>Position: </td><td><input type='text' class='textfield' name='e_pos' value='".db_result($res,0,"e_pos")."'></td></tr>\n";
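Review bot: The row this hunk now fetches with bound parameters is echoed into `value='…'` attributes on the two trailing context lines without any HTML escaping, and e_id and e_pos are stored from request input elsewhere in this file, so a value containing a single quote or `>` breaks the attribute and can inject markup into the admin form. Wrap each `db_result(...)` used in the form with `htmlspecialchars($x, ENT_QUOTES)` — e.g. `value='" . htmlspecialchars(db_result($res, 0, "e_id"), ENT_QUOTES) . "'` — for every field of the form, not only the two visible here. The form-building `if(db_fetch_row($res))` block continues past the hunk.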
Modified: branches/2.5/http/php/mod_gazetteer_conf.php
===================================================================
--- branches/2.5/http/php/mod_gazetteer_conf.php 2008-01-20 10:59:05 UTC (rev 1992)
+++ branches/2.5/http/php/mod_gazetteer_conf.php 2008-01-20 14:12:55 UTC (rev 1993)
@@ -72,36 +72,22 @@
$con = db_connect($DBSERVER,$OWNER,$PW);
db_select_db($DB,$con);
- $sql = "INSERT INTO gazetteer (gazetteer_abstract,fkey_wfs_id,fkey_featuretype_id,g_label,g_label_id,g_button,g_button_id,g_style,g_buffer,g_res_style,g_use_wzgraphics) VALUES(";
- $sql .= "'".$_REQUEST["gazetteer_abstract"]."',";
- $sql .= "'".$_REQUEST["wfs"]."',";
- $sql .= "'".$_REQUEST["featuretype"]."',";
- $sql .= "'".$_REQUEST["g_label"]."',";
- $sql .= "'".$_REQUEST["g_label_id"]."',";
- $sql .= "'".$_REQUEST["g_button"]."',";
- $sql .= "'".$_REQUEST["g_button_id"]."',";
- $sql .= "'".$_REQUEST["g_style"]."',";
- $sql .= "'".$_REQUEST["g_buffer"]."',";
- $sql .= "'".$_REQUEST["g_res_style"]."',";
- $sql .= $_REQUEST["g_use_wzgraphics"];
- $sql .= "); ";
-
- $res = db_query($sql);
+ $sql = "INSERT INTO gazetteer (gazetteer_abstract, fkey_wfs_id, ";
+ $sql .= "fkey_featuretype_id, g_label, g_label_id, g_button, ";
+ $sql .= "g_button_id, g_style, g_buffer, g_res_style, g_use_wzgraphics) ";
+ $sql .= "VALUES($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11);";
+ $v = array($_REQUEST["gazetteer_abstract"], $_REQUEST["wfs"], $_REQUEST["featuretype"], $_REQUEST["g_label"], $_REQUEST["g_label_id"], $_REQUEST["g_button"], $_REQUEST["g_button_id"], $_REQUEST["g_style"], $_REQUEST["g_buffer"], $_REQUEST["g_res_style"], $_REQUEST["g_use_wzgraphics"]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "s", "s", "i");
+ $res = db_prep_query($sql, $v, $t);
$wfsID = db_insert_id($con);
for($i=0; $i<count($_REQUEST["f_id"]); $i++){
- $sql = "INSERT INTO gazetteer_element (fkey_gazetteer_id,f_id,f_search,f_pos,f_style_id,f_toupper,f_label,f_label_id,f_show,f_respos) VALUES(";
- $sql .= "'".$wfsID."',";
- $sql .= "'".$_REQUEST["f_id"][$i]."',";
- $sql .= "'".$_REQUEST["f_search"][$i]."',";
- $sql .= "'".$_REQUEST["f_pos"][$i]."',";
- $sql .= "'".$_REQUEST["f_style_id"][$i]."',";
- $sql .= "'".$_REQUEST["f_toupper"][$i]."',";
- $sql .= "'".$_REQUEST["f_label"][$i]."',";
- $sql .= "'".$_REQUEST["f_label_id"][$i]."',";
- $sql .= "'".$_REQUEST["f_show"][$i]."',";
- $sql .= "'".$_REQUEST["f_respos"][$i]."'";
- $sql .= "); ";
- $res = db_query($sql);
+ $sql = "INSERT INTO gazetteer_element (fkey_gazetteer_id, ";
+ $sql .= "f_id, f_search, f_pos, f_style_id, f_toupper, f_label, ";
+ $sql .= "f_label_id, f_show, f_respos) VALUES (";
+ $sql .= "$1, $2, $3, $4, $5, $6, $7, $8, $9, $10);";
+ $v = array($wfsID, $_REQUEST["f_id"][$i], $_REQUEST["f_search"][$i], $_REQUEST["f_pos"][$i], $_REQUEST["f_style_id"][$i], $_REQUEST["f_toupper"][$i], $_REQUEST["f_label"][$i], $_REQUEST["f_label_id"][$i], $_REQUEST["f_show"][$i], $_REQUEST["f_respos"][$i]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "s", "s");
+ $res = db_prep_query($sql, $v, $t);
}
}
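Review bot: `$wfsID = db_insert_id($con)` on the context line is used to build the gazetteer_element rows even when the preceding `db_prep_query()` failed, since `$res` is never checked, so a failed parent INSERT yields child rows keyed to whatever id the driver last reported. Guard the child loop, e.g. `if ($res) { $wfsID = db_insert_id($con); for (…) { … } }`, and report `db_error($con)` otherwise. The loop also calls `count($_REQUEST["f_id"])` and indexes the parallel f_* arrays with `[$i]` without confirming they are arrays of equal length; on a scalar `f_id` the old PHP count() returns 1 and the `[0]` index yields the first character, so an `is_array()` check before the loop would be prudent. The enclosing block begins outside the hunk.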
Modified: branches/2.5/http/php/mod_gazetteer_edit.php
===================================================================
--- branches/2.5/http/php/mod_gazetteer_edit.php 2008-01-20 10:59:05 UTC (rev 1992)
+++ branches/2.5/http/php/mod_gazetteer_edit.php 2008-01-20 14:12:55 UTC (rev 1993)
@@ -56,31 +56,34 @@
if(isset($_REQUEST["save"])){
$sql = "UPDATE gazetteer SET ";
- $sql .= "gazetteer_abstract = '".$_REQUEST["gazetteer_abstract"]."',";
- $sql .= "g_label = '".$_REQUEST["g_label"]."',";
- $sql .= "g_label_id = '".$_REQUEST["g_label_id"]."',";
- $sql .= "g_button = '".$_REQUEST["g_button"]."',";
- $sql .= "g_button_id = '".$_REQUEST["g_button_id"]."',";
- $sql .= "g_style = '".$_REQUEST["g_style"]."',";
- $sql .= "g_buffer = '".$_REQUEST["g_buffer"]."',";
- $sql .= "g_res_style = '".$_REQUEST["g_res_style"]."',";
- $sql .= "g_use_wzgraphics = ".$_REQUEST["g_use_wzgraphics"];
- $sql .= " WHERE gazetteer_id = ".$_REQUEST["gaz"].";";
- $res = db_query($sql);
+ $sql .= "gazetteer_abstract = $1, ";
+ $sql .= "g_label = $2, ";
+ $sql .= "g_label_id = $3, ";
+ $sql .= "g_button = $4, ";
+ $sql .= "g_button_id = $5, ";
+ $sql .= "g_style = $6, ";
+ $sql .= "g_buffer = $7, ";
+ $sql .= "g_res_style = $8, ";
+ $sql .= "g_use_wzgraphics = $9 ";
+ $sql .= "WHERE gazetteer_id = $10;";
+ $v = array($_REQUEST["gazetteer_abstract"], $_REQUEST["g_label"], $_REQUEST["g_label_id"], $_REQUEST["g_button"], $_REQUEST["g_button_id"], $_REQUEST["g_style"], $_REQUEST["g_buffer"], $_REQUEST["g_res_style"], $_REQUEST["g_use_wzgraphics"], $_REQUEST["gaz"]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "i", "i");
+ $res = db_prep_query($sql, $v, $t);
for($i=0; $i<count($_REQUEST["f_id"]); $i++){
$sql = "UPDATE gazetteer_element SET ";
- $sql .= "f_search = '".$_REQUEST["f_search"][$i]."',";
- $sql .= "f_pos = '".$_REQUEST["f_pos"][$i]."',";
- $sql .= "f_style_id = '".$_REQUEST["f_style_id"][$i]."',";
- $sql .= "f_toupper = '".$_REQUEST["f_toupper"][$i]."',";
- $sql .= "f_label = '".$_REQUEST["f_label"][$i]."',";
- $sql .= "f_label_id = '".$_REQUEST["f_label_id"][$i]."',";
- $sql .= "f_show = '".$_REQUEST["f_show"][$i]."',";
- $sql .= "f_respos = '".$_REQUEST["f_respos"][$i]."'";
- $sql .= " WHERE fkey_gazetteer_id = ".$_REQUEST["gaz"]." AND f_id = ".$_REQUEST["f_id"][$i].";";
-
- $res = db_query($sql);
+ $sql .= "f_search = $1, ";
+ $sql .= "f_pos = $2, ";
+ $sql .= "f_style_id = $3, ";
+ $sql .= "f_toupper = $4, ";
+ $sql .= "f_label = $5, ";
+ $sql .= "f_label_id = $6, ";
+ $sql .= "f_show = $7, ";
+ $sql .= "f_respos = $8 ";
+ $sql .= "WHERE fkey_gazetteer_id = $9 AND f_id = $10;";
+ $v = array($_REQUEST["f_search"][$i], $_REQUEST["f_pos"][$i], $_REQUEST["f_style_id"][$i], $_REQUEST["f_toupper"][$i], $_REQUEST["f_label"][$i], $_REQUEST["f_label_id"][$i], $_REQUEST["f_show"][$i], $_REQUEST["f_respos"][$i], $_REQUEST["gaz"], $_REQUEST["f_id"][$i]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "i", "i");
+ $res = db_prep_query($sql, $v, $t);
}
}
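Review bot: Both `db_prep_query()` calls on the `+` lines discard their result: `$res` is assigned but never read, so a rejected update of the gazetteer row or any of its elements is invisible to the user, and the element loop keeps running after a failure. Add `if (!$res) { echo db_error($con); }` after each call (the connection handle name is outside the hunk). The loop also trusts `$_REQUEST["f_id"]` and the parallel `f_search`/`f_pos`/… arrays to be arrays of the same length; an `is_array($_REQUEST["f_id"])` check before the loop and `isset()` on each `[$i]` would avoid notices and null values being bound. The enclosing `if(isset($_REQUEST["save"]))` block begins outside the hunk.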
@@ -110,8 +113,10 @@
/* configure elements */
if(isset($_REQUEST["gaz"])){
- $sql = "SELECT * FROM gazetteer WHERE gazetteer_id = ".$_REQUEST["gaz"];
- $res = db_query($sql);
+ $sql = "SELECT * FROM gazetteer WHERE gazetteer_id = $1";
+ $v = array($_REQUEST["gaz"]);
+ $t = array("i");
+ $res = db_prep_query($sql, $v, $t);
if($row = db_fetch_array($res)){
echo "<table>";
echo "<tr><td>GazetterID:</td><td>".$row["gazetteer_id"]."</td></tr>" ;
@@ -132,9 +137,11 @@
/* set element options */
$sql = "SELECT * FROM gazetteer_element ";
$sql .= "JOIN wfs_element ON gazetteer_element.f_id = wfs_element.element_id ";
- $sql .= "WHERE fkey_gazetteer_id = ".$_REQUEST["gaz"];
+ $sql .= "WHERE fkey_gazetteer_id = $1";
+ $v = array($_REQUEST["gaz"]);
+ $t = array("i");
echo $sql;
- $res = db_query($sql);
+ $res = db_prep_query($sql, $v, $t);
echo "<table border='1'>";
echo "<tr>";