[Mapbender-commits] r2039 - in tags: . 2.4.4_su/http/classes
2.4.4_su/http/frames 2.4.4_su/http/html
2.4.4_su/http/javascripts 2.4.4_su/http/php
svn_mapbender at osgeo.org
svn_mapbender at osgeo.org
Tue Jan 29 08:05:41 EST 2008
Author: christoph
Date: 2008-01-29 08:05:41 -0500 (Tue, 29 Jan 2008)
New Revision: 2039
Added:
tags/2.4.4_su/
tags/2.4.4_su/http/classes/class_wmc.php
Removed:
tags/2.4.4_su/http/classes/class_wmc.php
tags/2.4.4_su/http/html/mod_treefolder_auge.php
tags/2.4.4_su/http/javascripts/mod_measure4326.php
tags/2.4.4_su/http/javascripts/transform_coordinatesWGS84.php
Modified:
tags/2.4.4_su/http/classes/class_gui.php
tags/2.4.4_su/http/classes/class_log.php
tags/2.4.4_su/http/classes/class_wfs.php
tags/2.4.4_su/http/classes/class_wfs_conf.php
tags/2.4.4_su/http/classes/class_wms.php
tags/2.4.4_su/http/frames/login.php
tags/2.4.4_su/http/javascripts/map.php
tags/2.4.4_su/http/javascripts/mod_addWMSfromList.php
tags/2.4.4_su/http/javascripts/mod_addWMSfromfilteredList.php
tags/2.4.4_su/http/javascripts/mod_addWMSfromfilteredListDB.php
tags/2.4.4_su/http/javascripts/mod_sandclock2.php
tags/2.4.4_su/http/javascripts/mod_setPOI2Scale.php
tags/2.4.4_su/http/javascripts/mod_wfs_SpatialRequest.php
tags/2.4.4_su/http/javascripts/mod_zoomCoords.php
tags/2.4.4_su/http/javascripts/mod_zoomFull.php
tags/2.4.4_su/http/javascripts/mod_zoomOut1.php
tags/2.4.4_su/http/php/createImageFromText.php
tags/2.4.4_su/http/php/mb_listWMCs.php
tags/2.4.4_su/http/php/mod_WMSpreferences.php
tags/2.4.4_su/http/php/mod_changeEPSG.php
tags/2.4.4_su/http/php/mod_deleteGUI.php
tags/2.4.4_su/http/php/mod_deleteWFS.php
tags/2.4.4_su/http/php/mod_editFilteredGroup.php
tags/2.4.4_su/http/php/mod_editFilteredUser.php
tags/2.4.4_su/http/php/mod_editGroup.php
tags/2.4.4_su/http/php/mod_editGuiWms.php
tags/2.4.4_su/http/php/mod_editGuiWmsMeta.php
tags/2.4.4_su/http/php/mod_editUser.php
tags/2.4.4_su/http/php/mod_editWMS_Metadata.php
tags/2.4.4_su/http/php/mod_edit_element_vars.php
tags/2.4.4_su/http/php/mod_edit_metadata.php
tags/2.4.4_su/http/php/mod_evalArea.php
tags/2.4.4_su/http/php/mod_gazLayerObj_conf.php
tags/2.4.4_su/http/php/mod_gazLayerObj_edit.php
tags/2.4.4_su/http/php/mod_gazetteer_conf.php
tags/2.4.4_su/http/php/mod_gazetteer_edit.php
tags/2.4.4_su/http/php/mod_getStyles.php
tags/2.4.4_su/http/php/mod_loadCapabilitiesList.php
tags/2.4.4_su/http/php/mod_map1.php
tags/2.4.4_su/http/php/mod_mapOV.php
tags/2.4.4_su/http/php/mod_simpleWMSpreferences.php
tags/2.4.4_su/http/php/mod_treefolderAdmin.php
tags/2.4.4_su/http/php/mod_treefolderClient.php
tags/2.4.4_su/http/php/mod_wfs_conf.php
tags/2.4.4_su/http/php/mod_wfs_edit.php
tags/2.4.4_su/http/php/mod_wfsrequest.php
tags/2.4.4_su/http/php/nestedSets.php
Log:
prepared statements and additional parameter checking
Copied: tags/2.4.4_su (from rev 2000, tags/2.4.4)
Modified: tags/2.4.4_su/http/classes/class_gui.php
===================================================================
--- tags/2.4.4/http/classes/class_gui.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/classes/class_gui.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -1,5 +1,4 @@
<?php
-
# $Id$
# http://www.mapbender.org/index.php/class_gui.php
# Copyright (C) 2002 CCGIS
@@ -19,252 +18,201 @@
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
require_once(dirname(__FILE__)."/../../conf/mapbender.conf");
+
$con = db_connect($DBSERVER,$OWNER,$PW);
db_select_db(DB,$con);
-class gui{
+/**
+ * GUI is a set of GUI elements and services.
+ */
+class gui {
- function gui() {
+ public function __construct () {
}
- // CB - returns true if a gui '$gui_id' exists
- function guiExists($gui_id){
- $sql = "SELECT * FROM gui ";
- $sql .= "WHERE gui_id = $1";
+ /**
+ * Checks if a GUI with a given ID exists in the database
+ *
+ * @param integer $gui_id the ID of the GUI that is being checked
+ * @return boolean true if a gui '$gui_id' exists; else false
+ */
+ public function guiExists ($gui_id){
+ $sql = "SELECT * FROM gui WHERE gui_id = $1";
$v = array($gui_id);
$t = array('s');
$res = db_prep_query($sql,$v,$t);
$row = db_fetch_array($res);
- if ($row) return true;
- else return false;
+ if ($row) {
+ return true;
+ }
+ return false;
}
- // CB - deletes a GUI $guiId and all its links to users, layers etc.
- function deleteGui ($guiId) {
+
+ /**
+ * Deletes a GUI $guiId and all its links to users, layers etc.
+ *
+ * @param Integer $guiId the GUI that is going to be deleted
+ * @return boolean true if the deletion succeded, else false
+ */
+ public function deleteGui ($guiId) {
$guiList = $guiId;
- $sql = "BEGIN";
- $res = db_query($sql);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ $sql = array();
+ $v = array();
+ $t = array();
- $sql = "DELETE FROM gui WHERE gui_id = $1";
- $v = array($guiList);
- $t = array('s');
- $res = db_prep_query($sql,$v,$t);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ array_push("BEGIN");
+ array_push($v, array());
+ array_push($t, array());
+
+ array_push($sql, "DELETE FROM gui WHERE gui_id = $1");
+ array_push($v, array($guiList));
+ array_push($t, array('s'));
- $sql = "DELETE FROM gui_element WHERE fkey_gui_id = $1";
- $v = array($guiList);
- $t = array('s');
- $res = db_prep_query($sql,$v,$t);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ array_push($sql, "DELETE FROM gui_element WHERE fkey_gui_id = $1");
+ array_push($v, array($guiList));
+ array_push($t, array('s'));
- $sql = "DELETE FROM gui_element_vars WHERE fkey_gui_id = $1";
- $v = array($guiList);
- $t = array('s');
- $res = db_prep_query($sql,$v,$t);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ array_push($sql, "DELETE FROM gui_element_vars WHERE fkey_gui_id = $1");
+ array_push($v, array($guiList));
+ array_push($t, array('s'));
- $sql = "DELETE FROM gui_layer WHERE fkey_gui_id = $1";
- $v = array($guiList);
- $t = array('s');
- $res = db_prep_query($sql,$v,$t);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ array_push($sql, "DELETE FROM gui_layer WHERE fkey_gui_id = $1");
+ array_push($v, array($guiList));
+ array_push($t, array('s'));
- $sql = "DELETE FROM gui_mb_group WHERE fkey_gui_id = $1";
- $v = array($guiList);
- $t = array('s');
- $res = db_prep_query($sql,$v,$t);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ array_push($sql, "DELETE FROM gui_mb_group WHERE fkey_gui_id = $1");
+ array_push($v, array($guiList));
+ array_push($t, array('s'));
- $sql = "DELETE FROM gui_mb_user WHERE fkey_gui_id = $1";
- $v = array($guiList);
- $t = array('s');
- $res = db_prep_query($sql,$v,$t);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ array_push($sql, "DELETE FROM gui_mb_user WHERE fkey_gui_id = $1");
+ array_push($v, array($guiList));
+ array_push($t, array('s'));
- $sql = "DELETE FROM gui_treegde WHERE fkey_gui_id = $1";
- $v = array($guiList);
- $t = array('s');
- $res = db_prep_query($sql,$v,$t);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ array_push($sql, "DELETE FROM gui_treegde WHERE fkey_gui_id = $1");
+ array_push($v, array($guiList));
+ array_push($t, array('s'));
- $sql = "DELETE FROM gui_wfs WHERE fkey_gui_id = $1";
- $v = array($guiList);
- $t = array('s');
- $res = db_prep_query($sql,$v,$t);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ array_push($sql, "DELETE FROM gui_wfs WHERE fkey_gui_id = $1");
+ array_push($v, array($guiList));
+ array_push($t, array('s'));
- $sql = "DELETE FROM gui_wms WHERE fkey_gui_id = $1";
- $v = array($guiList);
- $t = array('s');
- $res = db_prep_query($sql,$v,$t);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ array_push($sql, "DELETE FROM gui_wms WHERE fkey_gui_id = $1");
+ array_push($v, array($guiList));
+ array_push($t, array('s'));
- // if $error is true, the transaction is aborted -> rollback
- if (!$error) {
- $sql = "COMMIT";
- $res = db_query($sql);
+ array_push($sql, "COMMIT");
+ array_push($v, array());
+ array_push($t, array());
+
+ // execute all SQLs
+ for ($i = 0; $i < count($sql); $i++) {
+ $res = db_prep_query($sql[$i], $v[$i], $t[$i]);
+ // if an SQL fails, send a ROLLBACK and return false
if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
+ db_query("ROLLBACK");
+ return false;
}
}
- //if $error is false, the transaction is executed -> commit
- else {
- $sql = "ROLLBACK";
- $res = db_query($sql);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
- }
- return !$error;
+ return true;
}
- // CB - rename a GUI
- function renameGui ($guiId, $newGuiName) {
- $error = false;
+ /** Renames the GUI $guiID to $newGUIName
+ *
+ * @param Integer $guiId ID of the GUI
+ * @param String $newGuiName the new name of the GUI
+ * @return boolean true if the renaming succeded, else false
+ */
+ public function renameGui ($guiId, $newGuiName) {
if ($this->copyGui($guiId, $newGuiName, true)) {
$this->deleteGui($guiId);
+ return true;
}
- else {
- $error = true;
- }
- return !$error;
+ return false;
}
- // CB - copies a GUI $guiId and all its links to users, layers etc. to GUI $newGuiName
- function copyGui ($guiId, $newGuiName, $withUsers) {
- $error = false;
+ /**
+ *
+ * Copies a GUI $guiId and all its links to users, layers etc. to GUI $newGuiName
+ *
+ * @param Integer $guiId ID of the GUI
+ * @param String $newGuiName the new name of the GUI
+ * @param boolean $withUsers true if the users, that may access the GUI $guiId, shall have access to the new GUI; else false.
+ *
+ * @return boolean true if the renaming succeded, else false
+ */
+ public function copyGui ($guiId, $newGuiName, $withUsers) {
$guiList = $guiId;
if (!$this->guiExists($newGuiName)) {
- $sql = "BEGIN";
- $res = db_query($sql);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+
+ $sql = array();
+ $v = array();
+ $t = array();
+
+ array_push($sql, "BEGIN");
+ array_push($v, array());
+ array_push($t, array());
- $sql = "INSERT INTO gui (gui_id, gui_name, gui_description, gui_public) SELECT '" . $newGuiName . "', '" . $newGuiName . "',gui_description, gui_public FROM gui WHERE gui_id = '" . $guiList . "';";
- $res = db_query($sql);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ array_push($sql, "INSERT INTO gui (gui_id, gui_name, gui_description, gui_public) SELECT $1, $2, gui_description, gui_public FROM gui WHERE gui_id = $3;");
+ array_push($v, array ($newGuiName, $newGuiName, $guiList));
+ array_push($t, array ("s", "s", "s"));;
+
+ array_push($sql, "INSERT INTO gui_element (fkey_gui_id, e_id, e_pos, e_public, e_comment, e_element, e_src, e_attributes, e_left, e_top, e_width, e_height, e_z_index, e_more_styles, e_content, e_closetag, e_js_file, e_mb_mod, e_target, e_requires, e_url) SELECT $1, e_id, e_pos, e_public, e_comment, e_element, e_src, e_attributes, e_left, e_top, e_width, e_height, e_z_index, e_more_styles, e_content, e_closetag, e_js_file, e_mb_mod, e_target, e_requires, e_url FROM gui_element WHERE fkey_gui_id = $2;");
+ array_push($v, array($newGuiName, $guiList));
+ array_push($t, array("s", "s"));
- $sql = "INSERT INTO gui_element (fkey_gui_id, e_id, e_pos, e_public, e_comment, e_element, e_src, e_attributes, e_left, e_top, e_width, e_height, e_z_index, e_more_styles, e_content, e_closetag, e_js_file, e_mb_mod, e_target, e_requires, e_url) SELECT '" . $newGuiName . "', e_id, e_pos, e_public, e_comment, e_element, e_src, e_attributes, e_left, e_top, e_width, e_height, e_z_index, e_more_styles, e_content, e_closetag, e_js_file, e_mb_mod, e_target, e_requires, e_url FROM gui_element WHERE fkey_gui_id = '" . $guiList . "';";
- $res = db_query($sql);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ array_push($sql, "INSERT INTO gui_element_vars (fkey_gui_id, fkey_e_id, var_name, var_value, context, var_type) SELECT $1, fkey_e_id, var_name, var_value, context, var_type FROM gui_element_vars WHERE fkey_gui_id = $2;");
+ array_push($v, array($newGuiName, $guiList));
+ array_push($t, array("s", "s"));
- $sql = "INSERT INTO gui_element_vars (fkey_gui_id, fkey_e_id, var_name, var_value, context, var_type) SELECT '" . $newGuiName . "', fkey_e_id, var_name, var_value, context, var_type FROM gui_element_vars WHERE fkey_gui_id = '" . $guiList . "';";
- $res = db_query($sql);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ array_push($sql, "INSERT INTO gui_layer (fkey_gui_id, fkey_layer_id, gui_layer_wms_id, gui_layer_status, gui_layer_selectable, gui_layer_visible, gui_layer_queryable, gui_layer_querylayer, gui_layer_minscale, gui_layer_maxscale, gui_layer_priority, gui_layer_style, gui_layer_wfs_featuretype) SELECT $1, fkey_layer_id, gui_layer_wms_id, gui_layer_status, gui_layer_selectable, gui_layer_visible, gui_layer_queryable, gui_layer_querylayer, gui_layer_minscale, gui_layer_maxscale, gui_layer_priority, gui_layer_style, gui_layer_wfs_featuretype FROM gui_layer WHERE fkey_gui_id = $2;");
+ array_push($v, array($newGuiName, $guiList));
+ array_push($t, array("s", "s"));
- $sql = "INSERT INTO gui_layer (fkey_gui_id, fkey_layer_id, gui_layer_wms_id, gui_layer_status, gui_layer_selectable, gui_layer_visible, gui_layer_queryable, gui_layer_querylayer, gui_layer_minscale, gui_layer_maxscale, gui_layer_priority, gui_layer_style, gui_layer_wfs_featuretype) SELECT '" . $newGuiName . "', fkey_layer_id, gui_layer_wms_id, gui_layer_status, gui_layer_selectable, gui_layer_visible, gui_layer_queryable, gui_layer_querylayer, gui_layer_minscale, gui_layer_maxscale, gui_layer_priority, gui_layer_style, gui_layer_wfs_featuretype FROM gui_layer WHERE fkey_gui_id = '" . $guiList . "';";
- $res = db_query($sql);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
-
- $sql = "INSERT INTO gui_mb_group (fkey_gui_id, fkey_mb_group_id, mb_group_type) SELECT '" . $newGuiName . "', fkey_mb_group_id, mb_group_type FROM gui_mb_group WHERE fkey_gui_id = '" . $guiList . "';";
- $res = db_query($sql);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
-
if ($withUsers == true) {
+ /* group of original gui is copied as well */
+ array_push($sql, "INSERT INTO gui_mb_group (fkey_gui_id, fkey_mb_group_id, mb_group_type) SELECT $1, fkey_mb_group_id, mb_group_type FROM gui_mb_group WHERE fkey_gui_id = $2;");
+ array_push($v, array($newGuiName, $guiList));
+ array_push($t, array("s", "s"));
+
/* users of original gui are copied as well */
- $sql = "INSERT INTO gui_mb_user (fkey_gui_id, fkey_mb_user_id, mb_user_type) SELECT '" . $newGuiName . "', fkey_mb_user_id, mb_user_type FROM gui_mb_user WHERE fkey_gui_id = '" . $guiList . "';";
- $res = db_query($sql);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ array_push($sql = "INSERT INTO gui_mb_user (fkey_gui_id, fkey_mb_user_id, mb_user_type) SELECT $1, fkey_mb_user_id, mb_user_type FROM gui_mb_user WHERE fkey_gui_id = $2;");
+ array_push($v, array($newGuiName, $guiList));
+ array_push($t, array("s", "s"));
}
else {
// users of original gui are not copied, the current user is set as owner
- $sql = "INSERT INTO gui_mb_user (fkey_gui_id, fkey_mb_user_id, mb_user_type) VALUES ($1, $2, 'owner')";
- $v = array($newGuiName, $_SESSION["mb_user_id"]);
- $t = array('s', 'i');
- $res = db_prep_query($sql,$v,$t);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ array_push($sql = "INSERT INTO gui_mb_user (fkey_gui_id, fkey_mb_user_id, mb_user_type) VALUES ($1, $2, 'owner')");
+ array_push($v, array($newGuiName, $_SESSION["mb_user_id"]));
+ array_push($t, array('s', 'i'));
}
- $sql = "INSERT INTO gui_treegde (fkey_gui_id, fkey_layer_id, id, lft, rgt, my_layer_title, layer, wms_id) SELECT '" . $newGuiName . "', fkey_layer_id, id, lft, rgt, my_layer_title, layer, wms_id FROM gui_treegde WHERE fkey_gui_id = '" . $guiList . "';";
- $res = db_query($sql);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ array_push($sql, "INSERT INTO gui_treegde (fkey_gui_id, fkey_layer_id, id, lft, rgt, my_layer_title, layer, wms_id) SELECT $1, fkey_layer_id, id, lft, rgt, my_layer_title, layer, wms_id FROM gui_treegde WHERE fkey_gui_id = $2;");
+ array_push($v, array($newGuiName, $guiList));
+ array_push($t, array("s", "s"));
- $sql = "INSERT INTO gui_wfs (fkey_gui_id, fkey_wfs_id) SELECT '" . $newGuiName . "', fkey_wfs_id FROM gui_wfs WHERE fkey_gui_id = '" . $guiList . "';";
- $res = db_query($sql);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ array_push($sql, "INSERT INTO gui_wfs (fkey_gui_id, fkey_wfs_id) SELECT $1, fkey_wfs_id FROM gui_wfs WHERE fkey_gui_id = $2;");
+ array_push($v, array($newGuiName, $guiList));
+ array_push($t, array("s", "s"));
- $sql = "INSERT INTO gui_wms (fkey_gui_id, fkey_wms_id, gui_wms_position, gui_wms_mapformat, gui_wms_featureinfoformat, gui_wms_exceptionformat, gui_wms_epsg, gui_wms_visible) SELECT '" . $newGuiName . "', fkey_wms_id, gui_wms_position, gui_wms_mapformat, gui_wms_featureinfoformat, gui_wms_exceptionformat, gui_wms_epsg, gui_wms_visible FROM gui_wms WHERE fkey_gui_id = '" . $guiList . "';";
- $res = db_query($sql);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
+ array_push($sql, "INSERT INTO gui_wms (fkey_gui_id, fkey_wms_id, gui_wms_position, gui_wms_mapformat, gui_wms_featureinfoformat, gui_wms_exceptionformat, gui_wms_epsg, gui_wms_visible) SELECT $1, fkey_wms_id, gui_wms_position, gui_wms_mapformat, gui_wms_featureinfoformat, gui_wms_exceptionformat, gui_wms_epsg, gui_wms_visible FROM gui_wms WHERE fkey_gui_id = $2;");
+ array_push($v, array($newGuiName, $guiList));
+ array_push($t, array("s", "s"));
+
+ array_push($sql, "COMMIT");
+ array_push($v, array());
+ array_push($t, array());
- // if $error is false, the transaction is executed -> commit
- if (!$error) {
- $sql = "COMMIT";
- }
- else {
- $sql = "ROLLBACK";
+ // execute all SQLs
+ for ($i = 0; $i < count($sql); $i++) {
+ $res = db_prep_query($sql[$i], $v[$i], $t[$i]);
+ // if an SQL fails, send a ROLLBACK and return false
+ if (!$res) {
+ db_query("ROLLBACK");
+ return false;
+ }
}
- $res = db_query($sql);
- if (!$res) {
- $report .= "<br><br>" . $sql . "<br><br>" . db_error() . "<br>";
- $error = true;
- }
- return !$error;
+ return true;
}
else {
echo "<script language='javascript'>";
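Review bot: Three `array_push` calls in the new statement queue are malformed, so neither `deleteGui` nor `copyGui` can run its transaction as written. In `deleteGui`, `array_push("BEGIN");` omits the target array (PHP also rejects a literal as the by-reference first argument), so no `BEGIN` is queued while `$v` and `$t` still receive an entry for it; it should read `array_push($sql, "BEGIN");`. In `copyGui`, both `gui_mb_user` branches call `array_push($sql = "INSERT INTO gui_mb_user ...")`, which overwrites the `$sql` array with a string; the `=` should be a `,`. Separately, `renameGui` returns true without checking `$this->deleteGui($guiId)`, so a failed delete leaves the old GUI and its user and group grants in place next to the copy; `return $this->deleteGui($guiId);` would surface that. The body of `copyGui` continues past the end of the hunk.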
Modified: tags/2.4.4_su/http/classes/class_log.php
===================================================================
--- tags/2.4.4/http/classes/class_log.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/classes/class_log.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -23,7 +23,7 @@
*modul "GET /map/http/ HTTP/1.1"
*/
-class log{
+class log {
var $dir = "../../log/";
var $log_username = true;
@@ -32,12 +32,14 @@
* {'file' || 'db'}
*/
var $logtype = 'db';
+
+ function log($module,$req,$time_client,$type = ""){
- function log($module,$req,$time_client){
-
$this->url = $req;
+ if($type == "")
+ $type = $this->logtype;
- if($this->logtype == "file"){
+ if($type == "file"){
if(is_dir($this->dir)){
$logfile = $this->dir . "mb_access_" . date("Y_m_d") . ".log";
if(!$h = @fopen($logfile,"a")){
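Review bot: The new `$type` argument is only compared against the literals "file" and "db" in the branches visible in this diff, so a caller passing any other value appears to write no access-log entry at all, without an error. If there is no final `else` outside the hunks shown, falling back to the configured default for unknown values would close that gap, e.g. `if($type != "file" && $type != "db") { $type = $this->logtype; }`. The body of `log()` starts in this hunk but continues beyond it, so this is based on the two branches shown.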
@@ -65,42 +67,22 @@
}
}
}
- else if($this->logtype == 'db'){
+ else if($type == 'db'){
include_once(dirname(__FILE__)."/../../conf/mapbender.conf");
$con = db_connect(DBSERVER,OWNER,PW);
db_select_db(DB,$con);
for($i = 0; $i < count($this->url); $i++){
- $sql = "INSERT INTO mb_log(";
+ $sql = "INSERT INTO mb_log (";
+ $sql .= "time_client, time_server, time_readable, mb_session, ";
+ $sql .= "gui, module, ip, username, userid, request";
+ $sql .= ") VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)";
- $sql .= "time_client,";
- $sql .= "time_server,";
- $sql .= "time_readable,";
- $sql .= "mb_session,";
- $sql .= "gui,";
- $sql .= "module,";
- $sql .= "ip,";
- $sql .= "username,";
- $sql .= "userid,";
- $sql .= "request";
+ $v = array($time_client, strtotime("now"), "[".date("d/M/Y:H:i:s O")."]", SID, $_SESSION["mb_user_gui"], $module, $_SESSION["mb_user_ip"], $_SESSION["mb_user_name"], $_SESSION["mb_user_id"], $this->url[$i]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "s", "s");
+ $res = db_prep_query($sql, $v, $t)or die(db_error());
- $sql .= ") VALUES (";
-
- $sql .= "'".$time_client."',";
- $sql .= "'".strtotime("now")."',";
- $sql .= "'[".date("d/M/Y:H:i:s O")."]',";
- $sql .= "'".SID."',";
- $sql .= "'".$_SESSION["mb_user_gui"]."',";
- $sql .= "'".$module."',";
- $sql .= "'".$_SESSION["mb_user_ip"]."',";
- $sql .= "'".$_SESSION["mb_user_name"]."',";
- $sql .= "'".$_SESSION["mb_user_id"]."',";
- $sql .= "'".$this->url[$i]."'";
- $sql .= ")";
-
- $res = db_query($sql)or die(db_error());
-
if(!$res){
include_once(dirname(__FILE__)."/class_mb_exception.php");
$e = new mb_exception("class_log: Writing table mb_log failed.");
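Review bot: `db_prep_query($sql, $v, $t)or die(db_error());` still ends the request and prints the raw database error to the client when the log insert fails, which also means the `if(!$res)` / `mb_exception` branch directly below can never be reached. Dropping the `or die(...)` so the line reads `$res = db_prep_query($sql, $v, $t);` lets the existing exception path handle the failure without exposing database details. Every parameter is bound as "s", including `time_client`, `time_server` and `userid`; if those columns are numeric (not visible here), binding them as "i" would give the additional parameter checking the log message mentions. The loop and the method continue past the hunk.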
Modified: tags/2.4.4_su/http/classes/class_wfs.php
===================================================================
--- tags/2.4.4/http/classes/class_wfs.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/classes/class_wfs.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -223,20 +223,14 @@
# TABLE wfs
- $sql = "INSERT INTO wfs (wfs_version, wfs_name, wfs_title, wfs_abstract, wfs_getcapabilities, wfs_describefeaturetype, wfs_getfeature, wfs_transaction) ";
- $sql .= "VALUES(";
- $sql .= "'" . $this->wfs_version ."', ";
- $sql .= "'" . db_escape_string(str_replace("'","",$this->wfs_name)) ."', ";
- $sql .= "'" . db_escape_string(str_replace("'","",$this->wfs_title)) ."', ";
- $sql .= "'" . db_escape_string(str_replace("'","",$this->wfs_abstract)) . "', ";
- $sql .= "'" . $this->wfs_getcapabilities ."', ";
- $sql .= "'" . $this->wfs_describefeaturetype . "', ";
- $sql .= "'". $this->wfs_getfeature . "', ";
- $sql .= "'". $this->wfs_transaction . "'";
- $sql .= ");";
+ $sql = "INSERT INTO wfs (wfs_version, wfs_name, wfs_title, wfs_abstract, ";
+ $sql .= "wfs_getcapabilities, wfs_describefeaturetype, wfs_getfeature, ";
+ $sql .= "wfs_transaction) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)";
+ $v = array($this->wfs_version, db_escape_string(str_replace("'","",$this->wfs_name)), db_escape_string(str_replace("'","",$this->wfs_title)), db_escape_string(str_replace("'","",$this->wfs_abstract)), $this->wfs_getcapabilities, $this->wfs_describefeaturetype, $this->wfs_getfeature, $this->wfs_transaction);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s");
#echo "sql wfs: <br>".$sql;
- $res = db_query($sql)or die(db_error());
+ $res = db_prep_query($sql, $v, $t)or die(db_error());
$myWFS = db_insert_id($con,'wfs','wfs_id');
#echo "<br> myWFS: ".$myWFS;
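Review bot: The `wfs_name`, `wfs_title` and `wfs_abstract` values are still passed through `db_escape_string(str_replace("'","",...))` before being bound to `$2`, `$3` and `$4`. With bound parameters the quoting is handled by the query layer, so the manual escaping is redundant and can change what is stored: apostrophes are stripped, and any escape characters `db_escape_string` adds may be saved literally. Binding `$this->wfs_name`, `$this->wfs_title` and `$this->wfs_abstract` directly is enough. The `or die(db_error())` on the query line also prints the database error to the browser on failure. The enclosing method starts and ends outside the hunk.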
@@ -244,62 +238,57 @@
# TABLE wfs_featuretype
for($i=0; $i<count($this->wfs_featuretype); $i++){
- $sql = "INSERT INTO wfs_featuretype(fkey_wfs_id, featuretype_name, featuretype_title, featuretype_srs) ";
- $sql .= "VALUES(";
- $sql .= $myWFS . ",";
- $sql .= "'".$this->wfs_featuretype[$i]->featuretype_name . "',";
- $sql .= "'".$this->wfs_featuretype[$i]->featuretype_title."',";
- $sql .= "'".$this->wfs_featuretype[$i]->featuretype_srs."'";
- $sql .= ")";
+ $sql = "INSERT INTO wfs_featuretype(fkey_wfs_id, featuretype_name, ";
+ $sql .= "featuretype_title, featuretype_srs) VALUES ($1, $2, $3, $4)";
+ $v = array($myWFS, $this->wfs_featuretype[$i]->featuretype_name, $this->wfs_featuretype[$i]->featuretype_title, $this->wfs_featuretype[$i]->featuretype_srs);
+ $t = array("i", "s", "s", "s");
#$res = mysql_query($sql) or $this->cleanDB($myWFS,$sql);
- $res = db_query($sql) or $this->cleanDB($myWFS,$sql);
+ $res = db_prep_query($sql, $v, $t) or $this->cleanDB($myWFS,$sql);
# save the id of each featuretype:
$this->wfs_featuretype[$i]->mysql_id = db_insert_id($con,'wfs_featuretype','featuretype_id');
for($j=0; $j<count($this->wfs_featuretype[$i]->featuretype_element);$j++){
- $sql = "INSERT INTO wfs_element(fkey_featuretype_id, element_name,element_type) ";
- $sql .= "VALUES(";
- $sql .= "'" .$this->wfs_featuretype[$i]->mysql_id. "', ";
- $sql .= "'" .$this->wfs_featuretype[$i]->featuretype_element[$j]["name"]. "', ";
- $sql .= "'" .$this->wfs_featuretype[$i]->featuretype_element[$j]["type"]. "' ";
- $sql .= ")";
+ $sql = "INSERT INTO wfs_element(fkey_featuretype_id, ";
+ $sql .= "element_name,element_type) VALUES ($1, $2, $3)";
+
+ $v = array($this->wfs_featuretype[$i]->mysql_id, $this->wfs_featuretype[$i]->featuretype_element[$j]["name"], $this->wfs_featuretype[$i]->featuretype_element[$j]["type"]);
+ $t = array("s", "s", "s");
- $res = db_query($sql) or $this->cleanDB($myWFS,$sql);
+ $res = db_prep_query($sql, $v, $t) or $this->cleanDB($myWFS,$sql);
}
for($j=0; $j<count($this->wfs_featuretype[$i]->featuretype_namespace);$j++){
- $sql = "INSERT INTO wfs_featuretype_namespace(fkey_wfs_id, fkey_featuretype_id, namespace, namespace_location) ";
- $sql .= "VALUES(";
- $sql .= "'" .$myWFS. "',";
- $sql .= "'" .$this->wfs_featuretype[$i]->mysql_id. "', ";
- $sql .= "'" .$this->wfs_featuretype[$i]->featuretype_namespace[$j]["name"]. "', ";
- $sql .= "'" .$this->wfs_featuretype[$i]->featuretype_namespace[$j]["value"]. "' ";
- $sql .= ")";
+ $sql = "INSERT INTO wfs_featuretype_namespace (fkey_wfs_id, ";
+ $sql .= "fkey_featuretype_id, namespace, namespace_location) ";
+ $sql .= "VALUES ($1, $2, $3, $4)";
+ $v = array($myWFS, $this->wfs_featuretype[$i]->mysql_id, $this->wfs_featuretype[$i]->featuretype_namespace[$j]["name"], $this->wfs_featuretype[$i]->featuretype_namespace[$j]["value"]);
+ $t = array("i", "s", "s", "s");
- $res = db_query($sql) or $this->cleanDB($myWFS,$sql);
+ $res = db_prep_query($sql, $v, $t) or $this->cleanDB($myWFS,$sql);
}
}
# TABLE gui_wfs
$sql ="INSERT INTO gui_wfs (fkey_gui_id, fkey_wfs_id)";
- $sql .= "VALUES(";
- $sql .= "'" . $gui_id . "', ";
- $sql .= $myWFS;
- $sql .= ");";
+ $sql .= "VALUES ($1, $2)";
+ $v = array($gui_id, $myWFS);
+ $t = array("s", "i");
- $res = db_query($sql) or $this->cleanDB($myWFS,$sql);
+ $res = db_prep_query($sql, $v, $t) or $this->cleanDB($myWFS,$sql);
}
function cleanDB($wfsid,$sql){
global $DBSERVER,$DB,$OWNER,$PW;
$con = db_connect($DBSERVER,$OWNER,$PW);
db_select_db($DB,$con);
- $s = "DELETE FROM wfs WHERE wfs_id = ".$wfsid;
- $res = db_query($s);
+ $s = "DELETE FROM wfs WHERE wfs_id = $1";
+ $v = array($wfsid);
+ $t = array("i");
+ $res = db_prep_query($s, $v, $t);
echo "<br>Error in :".$sql."<br>";
echo "<br>Db cleaned.<br>";
die;
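Review bot: In `cleanDB`, the result of `db_prep_query($s, $v, $t)` is never checked, yet the following lines print "Db cleaned." and `die`, so a failed cleanup DELETE is reported as success and the rows created by the earlier inserts may remain. A check such as `if (!$res) { echo "<br>Db cleanup failed.<br>"; die; }` before the success message would make that visible. The inserts in this hunk also bind `$myWFS` as "i" but `$this->wfs_featuretype[$i]->mysql_id` as "s" for the `fkey_featuretype_id` columns, while class_wfs_conf.php binds the same key as "i"; using "i" in both places would keep the type checks consistent, assuming the column is an integer. The closing brace of `cleanDB` is outside the hunk.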
Modified: tags/2.4.4_su/http/classes/class_wfs_conf.php
===================================================================
--- tags/2.4.4/http/classes/class_wfs_conf.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/classes/class_wfs_conf.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -1,5 +1,5 @@
<?php
-# $Id: class_wfs_conf.php 530 2006-06-19 15:08:35Z vera_schulze $
+# $Id$
# http://www.mapbender.org/index.php/class_wfs_conf.php
# Copyright (C) 2002 CCGIS
#
@@ -91,8 +91,10 @@
global $DBSERVER,$DB,$OWNER,$PW;
$con = db_connect($DBSERVER,$OWNER,$PW);
db_select_db($DB,$con);
- $sql = "SELECT * FROM wfs_featuretype WHERE fkey_wfs_id = ".$id;
- $res = db_query($sql);
+ $sql = "SELECT * FROM wfs_featuretype WHERE fkey_wfs_id = $1";
+ $v = array($id);
+ $t = array("i");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while ($row = db_fetch_array($res)){
$this->featuretype_id[$cnt] = $row["featuretype_id"];
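Review bot: The result of `db_prep_query($sql, $v, $t)` goes straight into `while ($row = db_fetch_array($res))` without a check, here and in the two following hunks of this file (the `wfs_element` and `wfs_featuretype_namespace` queries). Now that the id is bound as "i", a non-numeric `$id` or `$fid` presumably makes the query fail instead of running, so the failure path is more likely to be hit than before; how `db_prep_query` reacts to a type mismatch is not visible in this diff. A guard before the loop, for example `if (!$res) { return; }` or the project's `mb_exception`, would avoid fetching from a false result. All three enclosing methods start and end outside their hunks.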
@@ -118,8 +120,10 @@
global $DBSERVER,$DB,$OWNER,$PW;
$con = db_connect($DBSERVER,$OWNER,$PW);
db_select_db($DB,$con);
- $sql = "SELECT * FROM wfs_element WHERE fkey_featuretype_id = ".$fid;
- $res = db_query($sql);
+ $sql = "SELECT * FROM wfs_element WHERE fkey_featuretype_id = $1";
+ $v = array($fid);
+ $t = array("i");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while ($row = db_fetch_array($res)){
$this->element_id[$cnt] = $row["element_id"];
@@ -142,8 +146,10 @@
global $DBSERVER,$DB,$OWNER,$PW;
$con = db_connect($DBSERVER,$OWNER,$PW);
db_select_db($DB,$con);
- $sql = "SELECT * FROM wfs_featuretype_namespace WHERE fkey_featuretype_id = ".$fid;
- $res = db_query($sql);
+ $sql = "SELECT * FROM wfs_featuretype_namespace WHERE fkey_featuretype_id = $1";
+ $v = array($fid);
+ $t = array("i");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while ($row = db_fetch_array($res)){
$this->namespace_name[$cnt] = $row["namespace"];
Deleted: tags/2.4.4_su/http/classes/class_wmc.php
===================================================================
--- tags/2.4.4/http/classes/class_wmc.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/classes/class_wmc.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -1,715 +0,0 @@
-<?php
-# $Id: class_wmc.php 645 2006-12-08 12:58:39Z christoph $
-# http://www.mapbender.org/index.php/class_wmc.php
-# Copyright (C) 2002 CCGIS
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-require_once("../../conf/mapbender.conf");
-require_once("../classes/class_wms.php");
-require_once("../classes/class_mb_exception.php");
-require_once("../classes/class_administration.php");
-
-function sepNameSpace($s){
- $c = strpos($s,":");
- if($c>0)return substr($s,$c+1);
- return $s;
-}
-class wmc {
-
- var $wmc_id;
- var $wmc_version;
- var $wmc_windowWidth;
- var $wmc_windowHeight;
- var $wmc_bBox_SRS;
- var $wmc_bBox_minx;
- var $wmc_bBox_maxx;
- var $wmc_bBox_miny;
- var $wmc_bBox_maxy;
- var $wmc_name;
- var $wmc_title;
- var $wmc_abstract;
- var $wmc_logourl;
- var $wmc_logourl_format;
- var $wmc_logourl_type;
- var $wmc_logourl_width;
- var $wmc_logourl_height;
- var $wmc_descriptionurl;
- var $wmc_descriptionurl_format;
- var $wmc_descriptionurl_type;
- var $wmc_keyword = array();
- var $wmc_contactposition;
- var $wmc_contactvoicetelephone;
- var $wmc_contactemail;
- var $wmc_contactfacsimiletelephone;
- var $wmc_contactperson;
- var $wmc_contactorganization;
- var $wmc_contactaddresstype;
- var $wmc_contactaddress;
- var $wmc_contactcity;
- var $wmc_contactstateorprovince;
- var $wmc_contactpostcode;
- var $wmc_contactcountry;
-
- var $wmc_wms_title = array();
- var $wmc_layer_queryable = array();
- var $wmc_layer_querylayer = array();
- var $wmc_layer_hidden = array();
- var $wmc_wms_id = array();
- var $wmc_wms_service = array();
- var $wmc_wms_version = array();
- var $wmc_layer_id = array();
- var $wmc_layer_title = array();
- var $wmc_layer_name = array();
- var $wmc_layer_abstract = array();
- var $wmc_layer_srs = array();
- var $wmc_wms_serviceURL = array();
- var $wmc_layer_format_current = array();
- var $wmc_layer_dataurl = array();
- var $wmc_layer_metadataurl = array();
- var $wmc_layer_minscale = array();
- var $wmc_layer_maxscale = array();
- var $wmc_layer_format = array();
- var $wmc_layer_style_current = array();
- var $wmc_layer_style_name = array();
- var $wmc_layer_style_title = array();
- var $wmc_layer_style_legendurl = array();
- var $wmc_layer_style_legendurl_width = array();
- var $wmc_layer_style_legendurl_height = array();
- var $wmc_layer_style_legendurl_format = array();
- var $wmc_layer_style_legendurl_type = array();
- var $wmc_layer_style_sld_url = array();
- var $wmc_layer_style_sld_type = array();
- var $wmc_layer_style_sld_title = array();
- var $wmc_wms_count = 0;
-
- function wmc() {
- }
-
- function getTitle() {
- return $this->wmc_title;
- }
-
- function getNumberOfWms () {
- return $this->wmc_wms_count;
- }
-
- function createObjFromWMC_id($wmc_id){
-
- $con = db_connect(DBSERVER,OWNER,PW);
- db_select_db(DB, $con);
-
- $sql = "SELECT wmc FROM mb_user_wmc WHERE wmc_id = $1";
- $v = array($wmc_id);
- $t = array("s");
- $res = db_prep_query($sql, $v, $t);
- $wmc = db_fetch_array($res);
- $this->createObjFromWMC_xml($wmc[0]);
-
- }
-
- function createObjFromWMC_xml($data){
- $values = NULL;
- $tags = NULL;
- $parser = xml_parser_create(CHARSET);
- xml_parser_set_option($parser,XML_OPTION_CASE_FOLDING,0);
- xml_parser_set_option($parser,XML_OPTION_SKIP_WHITE,1);
- xml_parser_set_option($parser,XML_OPTION_TARGET_ENCODING,CHARSET);
- xml_parse_into_struct($parser,$data,$values,$tags);
- $code = xml_get_error_code ($parser);
- if ($code) {
- $line = xml_get_current_line_number($parser);
- $mb_exception = new mb_exception(xml_error_string($code) . " in line " . $line);
- return false;
- }
- xml_parser_free($parser);
-
- $section = NULL;
- $format = NULL;
- $cnt_format = 0;
- $parent = array();
- $myParent = array();
- $cnt_layer = -1;
- $request = NULL;
- $layer_style = array();
- $cnt_style = -1;
- $extension = false;
-
- $general = false;
- $layerlist = false;
- $layer = false;
- $formatlist = false;
- $metadataurl = false;
- $dataurl = false;
- $stylelist = false;
-
- foreach ($values as $element) {
- if(strtoupper($element[tag]) == "VIEWCONTEXT" && $element[type] == "open"){
- $this->wmc_id = $element[attributes]["id"];
- $this->wmc_version = $element[attributes]["version"];
- }
- if(strtoupper($element[tag]) == "GENERAL" && $element[type] == "open"){
- $general = true;
- }
- if(strtoupper($element[tag]) == "LAYERLIST" && $element[type] == "open"){
- $layerlist = true;
- }
- if ($general) {
- if(strtoupper($element[tag]) == "WINDOW"){
- $this->wmc_windowWidth = $element[attributes]["width"];
- $this->wmc_windowHeight = $element[attributes]["height"];
- }
- if(strtoupper($element[tag]) == "BOUNDINGBOX"){
- $this->wmc_bBox_SRS = $element[attributes]["SRS"];
- $this->wmc_bBox_minx = $element[attributes]["minx"];
- $this->wmc_bBox_miny = $element[attributes]["miny"];
- $this->wmc_bBox_maxx = $element[attributes]["maxx"];
- $this->wmc_bBox_maxy = $element[attributes]["maxy"];
- }
- if(strtoupper($element[tag]) == "NAME"){
- $this->wmc_name = $element[value];
- }
- if(strtoupper($element[tag]) == "TITLE"){
- $this->wmc_title = $element[value];
- }
- if(strtoupper($element[tag]) == "ABSTRACT"){
- $this->wmc_abstract = $element[value];
- }
- if(strtoupper($element[tag]) == "CONTACTINFORMATION" && $element['type'] == "open"){
- $contactinformation = true;
- }
- if ($contactinformation) {
- if(strtoupper($element[tag]) == "CONTACTPOSITION"){
- $this->wmc_contactposition = $element[value];
- }
- if(strtoupper($element[tag]) == "CONTACTVOICETELEPHONE"){
- $this->wmc_contactvoicetelephone = $element[value];
- }
- if(strtoupper($element[tag]) == "CONTACTFACSIMILETELEPHONE"){
- $this->wmc_contactfacsimiletelephone = $element[value];
- }
- if(strtoupper($element[tag]) == "CONTACTELECTRONICMAILADDRESS"){
- $this->wmc_contactemail = $element[value];
- }
- if(strtoupper($element[tag]) == "CONTACTPERSONPRIMARY" && $element['type'] == "open"){
- $contactpersonprimary = true;
- }
- if ($contactpersonprimary) {
- if(strtoupper($element[tag]) == "CONTACTPERSON"){
- $this->wmc_contactperson = $element[value];
- }
- if(strtoupper($element[tag]) == "CONTACTORGANIZATION"){
- $this->wmc_contactorganization = $element[value];
- }
- if(strtoupper($element[tag]) == "CONTACTPERSONPRIMARY" && $element['type'] == "close"){
- $contactpersonprimary = false;
- }
- }
- if(strtoupper($element[tag]) == "CONTACTADDRESS" && $element['type'] == "open"){
- $contactaddress = true;
- }
- if ($contactaddress) {
- if(strtoupper($element[tag]) == "ADDRESSTYPE"){
- $this->wmc_contactaddresstype = $element[value];
- }
- if(strtoupper($element[tag]) == "ADDRESS"){
- $this->wmc_contactaddress = $element[value];
- }
- if(strtoupper($element[tag]) == "CITY"){
- $this->wmc_contactcity = $element[value];
- }
- if(strtoupper($element[tag]) == "STATEORPROVINCE"){
- $this->wmc_contactstateorprovince = $element[value];
- }
- if(strtoupper($element[tag]) == "POSTCODE"){
- $this->wmc_contactpostcode = $element[value];
- }
- if(strtoupper($element[tag]) == "COUNTRY"){
- $this->wmc_contactcountry = $element[value];
- }
- if(strtoupper($element[tag]) == "CONTACTADDRESS" && $element['type'] == "close"){
- $contactaddress = false;
- }
- }
- }
- if(strtoupper($element[tag]) == "LOGOURL" && $element['type'] == "open"){
- $logourl = true;
- $this->wmc_logourl_width = $element[attributes]["width"];
- $this->wmc_logourl_height = $element[attributes]["height"];
- $this->wmc_logourl_format = $element[attributes]["format"];
- }
- if ($logourl) {
- if(strtoupper($element[tag]) == "LOGOURL" && $element['type'] == "close"){
- $logourl = false;
- }
- if(strtoupper($element[tag]) == "ONLINERESOURCE"){
- $this->wmc_logourl_type = $element[attributes]["xlink:type"];
- $this->wmc_logourl = $element[attributes]["xlink:href"];
- }
- }
- if(strtoupper($element[tag]) == "DESCRIPTIONURL" && $element['type'] == "open"){
- $descriptionurl = true;
- $this->wmc_descriptionurl_format = $element[attributes]["format"];
- }
- if ($descriptionurl) {
- if(strtoupper($element[tag]) == "DESCRIPTIONURL" && $element['type'] == "close"){
- $descriptionurl = false;
- }
- if(strtoupper($element[tag]) == "ONLINERESOURCE"){
- $this->wmc_descriptionurl_type = $element[attributes]["xlink:type"];
- $this->wmc_descriptionurl = $element[attributes]["xlink:href"];
- }
- }
- if(strtoupper($element[tag]) == "KEYWORDLIST" && $element['type'] == "open"){
- $keywordlist = true;
- }
- if ($keywordlist) {
- if(strtoupper($element[tag]) == "KEYWORDLIST" && $element['type'] == "close"){
- $keywordlist = false;
- $cnt_keyword = -1;
- }
- if(strtoupper($element[tag]) == "KEYWORD"){
- $cnt_keyword++;
- $this->wmc_keyword[$cnt_keyword] = $element[value];
- }
- }
-
- if(strtoupper($element[tag]) == "GENERAL" && $element['type'] == "close"){
- $general = false;
- }
- }
- if ($layerlist) {
- if(strtoupper($element[tag]) == "LAYERLIST" && $element['type'] == "close"){
- $layerlist = false;
- }
- if(strtoupper($element[tag]) == "LAYER" && $element[type] == "open"){
- $cnt_layer++;
- $this->wmc_layer_queryable[$cnt_layer] = $element[attributes]["queryable"];
- $this->wmc_layer_hidden[$cnt_layer] = $element[attributes]["hidden"];
- $layer = true;
- $cnt_epsg = 0;
- }
- if ($layer) {
- if(strtoupper($element[tag]) == "LAYER" && $element[type] == "close"){
- $layer = false;
- }
- if ($formatlist) {
- if(strtoupper($element[tag]) == "FORMAT"){
- $cnt_format++;
- $this->wmc_layer_format_current[$cnt_layer][$cnt_format] = $element[attributes]["current"];
- $this->wmc_layer_format[$cnt_layer][$cnt_format] = $element[value];
- }
- if(strtoupper($element[tag]) == "FORMATLIST" && $element[type] == "close"){
- $formatlist = false;
- }
- }
- elseif ($metadataurl) {
- if(strtoupper($element[tag]) == "ONLINERESOURCE"){
- $this->wmc_layer_metadataurl[$cnt_layer] = $element[attributes]["xlink:href"];
- }
- if(strtoupper($element[tag]) == "METADATAURL" && $element[type] == "close"){
- $metadataurl = false;
- }
- }
- elseif ($dataurl) {
- if(strtoupper($element[tag]) == "ONLINERESOURCE"){
- $this->wmc_layer_dataurl[$cnt_layer] = $element[attributes]["xlink:href"];
- }
- if(strtoupper($element[tag]) == "DATAURL" && $element[type] == "close"){
- $dataurl = false;
- }
- }
- elseif ($stylelist) {
- if(strtoupper($element[tag]) == "STYLE" && $element[type] == "open"){
- $cnt_style++;
- $style = true;
- $this->wmc_layer_style_current[$cnt_layer][$cnt_style] = $element[attributes]["current"];
- }
- if ($style) {
- if(strtoupper($element[tag]) == "STYLE" && $element[type] == "close"){
- $style = false;
- }
- if(strtoupper($element[tag]) == "SLD" && $element[type] == "open"){
- $sld = true;
- }
- if ($sld) {
- if(strtoupper($element[tag]) == "SLD" && $element[type] == "close"){
- $sld = false;
- }
- if(strtoupper($element[tag]) == "ONLINERESOURCE"){
- $this->wmc_layer_style_sld_type[$cnt_layer][$cnt_style] = $element[attributes]["xlink:type"];
- $this->wmc_layer_style_sld_url[$cnt_layer][$cnt_style] = $element[attributes]["xlink:href"];
- }
- if(strtoupper($element[tag]) == "TITLE"){
- $this->wmc_layer_style_sld_title[$cnt_layer][$cnt_style] = $element[value];
- }
- }
- else {
- if(strtoupper($element[tag]) == "NAME"){
- $this->wmc_layer_style_name[$cnt_layer][$cnt_style] = $element[value];
- }
- if(strtoupper($element[tag]) == "TITLE"){
- $this->wmc_layer_style_title[$cnt_layer][$cnt_style] = $element[value];
- }
- if(strtoupper($element[tag]) == "LEGENDURL" && $element[type] == "open"){
- $legendurl = true;
- $this->wmc_layer_style_legendurl_width[$cnt_layer][$cnt_style] = $element[attributes]["width"];
- $this->wmc_layer_style_legendurl_height[$cnt_layer][$cnt_style] = $element[attributes]["height"];
- $this->wmc_layer_style_legendurl_format[$cnt_layer][$cnt_style] = $element[attributes]["format"];
- }
- if ($legendurl) {
- if(strtoupper($element[tag]) == "LEGENDURL" && $element[type] == "close"){
- $legendurl = false;
- }
- if(strtoupper($element[tag]) == "ONLINERESOURCE"){
- $this->wmc_layer_style_legendurl_type[$cnt_layer][$cnt_style] = $element[attributes]["xlink:type"];
- $this->wmc_layer_style_legendurl[$cnt_layer][$cnt_style] = $element[attributes]["xlink:href"];
- }
- }
- }
- }
- if(strtoupper($element[tag]) == "STYLELIST" && $element[type] == "close"){
- $stylelist = false;
- }
- }
- else {
- if(strtoupper($element[tag]) == "SERVER" && $element[type] == "open"){
- $server = true;
- $this->wmc_wms_service[$cnt_layer] = $element[attributes]["service"];
- $this->wmc_wms_version[$cnt_layer] = $element[attributes]["version"];
- $this->wmc_wms_title[$cnt_layer] = $element[attributes]["title"];
- }
- if ($server) {
- if(strtoupper($element[tag]) == "SERVER" && $element[type] == "close"){
- $server = false;
- }
- if(strtoupper($element[tag]) == "ONLINERESOURCE"){
- $this->wmc_wms_serviceURL[$cnt_layer] = $element[attributes]["xlink:href"];
- }
- }
- if(strtoupper($element[tag]) == "NAME"){
- $this->wmc_layer_name[$cnt_layer] = $element[value];
- }
- if(strtoupper($element[tag]) == "TITLE"){
- $this->wmc_layer_title[$cnt_layer] = $element[value];
- }
- if(strtoupper($element[tag]) == "ABSTRACT"){
- $this->wmc_layer_abstract[$cnt_layer] = $element[value];
- }
- if(strtoupper($element[tag]) == "SRS"){
- $epsgArray = explode(" ", $element[value]);
-
- for ($c = 0 ; $c < count($epsgArray) ; $c ++) {
- $this->wmc_layer_srs[$cnt_layer][$cnt_epsg] = $epsgArray[$c];
- $cnt_epsg++;
- }
- }
- if (strtoupper($element[tag]) == "EXTENSION" && $element[type] == "open") {
- $extension = true;
- }
- if (strtoupper($element[tag]) == "EXTENSION" && $element[type] == "close") {
- $extension = false;
- }
- if($extension == true && strtoupper(sepNameSpace($element[tag])) == "SCALEHINT"){
- $this->wmc_layer_minscale[$cnt_layer] = $element[attributes]["min"];
- $this->wmc_layer_maxscale[$cnt_layer] = $element[attributes]["max"];
- }
- if($extension == true && strtoupper(sepNameSpace($element[tag])) == "LAYER_ID"){
- $this->wmc_layer_id[$cnt_layer] = $element[value];
- }
- if($extension == true && strtoupper(sepNameSpace($element[tag])) == "WMS_ID"){
- $this->wmc_wms_id[$cnt_layer] = $element[value];
- }
- if($extension == true && strtoupper(sepNameSpace($element[tag])) == "QUERYLAYER"){
- $this->wmc_layer_querylayer[$cnt_layer] = $element[value];
- }
- if(strtoupper(sepNameSpace($element[tag])) == "METADATAURL" && $element[type] == "open"){
- $metadataurl = true;
- }
- if(strtoupper(sepNameSpace($element[tag])) == "DATAURL" && $element[type] == "open"){
- $dataurl = true;
- }
- if(strtoupper(sepNameSpace($element[tag])) == "FORMATLIST" && $element[type] == "open"){
- $formatlist = true;
- $cnt_format = -1;
- }
- if(strtoupper(sepNameSpace($element[tag])) == "STYLELIST" && $element[type] == "open"){
- $stylelist = true;
- $cnt_style = -1;
- }
- }
- }
- }
- }
- return true;
- }
-
- function createJsObjFromWMC($target, $mapObj, $action){
- $wmc_string = "";
- $validActions = array("load", "merge", "append");
- if (!in_array($action, $validActions)) {
- $wmc_string .= "alert('invalid action: ".$action."');";
- }
- else {
- $wmc_string .= "var index = " . $target . "getMapObjIndexByName('" . $mapObj . "');\n";
- if ($action == "load") {
- // delete all previous wms
- $wmc_string .= "while(" . $target . "mb_mapObj[index].wms.length > 0){" . $target . "mb_mapObjremoveWMS(index,0);}";
- $wmc_string .= $target . "deleteWmsObject();\n";
- }
- if ($action == "merge") {
- $wmc_string .= "var wms_exists = false;\n"; // true if this wms exists in the mapObj
- $wmc_string .= "var current_wms_index = null;\n"; // if wms_exists: index of the wms in the map obj; else: null
- $wmc_string .= "var layer_exists = false;\n"; // true if this layer exists in an existing wms of the mapObj
- $wmc_string .= "var current_layer_index = null;\n"; // if layer_exists: index of the layer of the wms in the mapObj; else: null
- }
- $new_wms = "";
- $cnt_wms = -1;
- $added_wms = array();
-
- // for all layers in wmc, find individual wms...
- for ($i = 0; $i < count($this->wmc_layer_title); $i++) {
- $current_wms = $this->wmc_wms_serviceURL[$i];
- // ...this is something like 'for every wms'
- if (!in_array($current_wms , $added_wms)) {
- $layerlist = "";
- $querylayerlist = "";
- $srs_array = array();
-
- if ($action == "merge") {
- $wmc_string .= "wms_exists = false;\n";
- $wmc_string .= "current_wms_index = null;\n";
- $wmc_string .= "for (var m=0; m < " . $target . "mb_mapObj[index].wms.length; m++) {\n";
- $wmc_string .= "\tif ('" . $this->wmc_wms_serviceURL[$i] . "' == " . $target . "mb_mapObj[index].wms[m].wms_getmap) {\n";
- $wmc_string .= "\t\twms_exists = true;\n";
- $wmc_string .= "\t\tcurrent_wms_index = m;\n";
- $wmc_string .= "\t}\n";
- $wmc_string .= "}\n";
- $wmc_string .= "if (!wms_exists) {\n";
- }
-
- $mywms = new wms();
-
- if(!$this->wmc_layer_title[$i] || $this->wmc_layer_title[$i] == ""){
- echo "alert('Error: no valid capabilities-document !!');\n";
- die; exit;
- }
-
- for($j=0;$j<count($this->wmc_layer_format[$i]);$j++){
- if ($this->wmc_layer_format_current[$i][$j] == 1) {
- $wms_data_format = $this->wmc_layer_format[$i][$j];
- }
- }
- // add wms
- $wmc_string .= "\t" . $target . "add_wms('','".
- $this->wmc_wms_version[$i] ."','".
- $this->wmc_wms_title[$i] ."','".
- $this->wmc_layer_abstract[$i] ."','".
- $this->wmc_wms_serviceURL[$i] ."','" .
- $this->wmc_wms_serviceURL[$i] ."','" .
- $this->wmc_layer_style_legendurl[$i][0] ."','','".
- $wms_data_format ."','text/html','application/vnd.ogc.se_xml','".
- $this->wmc_bBox_SRS ."','1');\n";
-
- $added_wms[count($added_wms)] = $current_wms;
- $cnt_wms++;
- $cnt_layers = 0;
- $cnt_query_layers = 0;
- if ($action == "merge") {
- $wmc_string .= "}\n";
- }
-
- // add epsg
- $wmc_string .= $target . "wms_addSRS('".
- $this->wmc_bBox_SRS ."','".
- $this->wmc_bBox_minx ."','".
- $this->wmc_bBox_miny ."','".
- $this->wmc_bBox_maxx ."','".
- $this->wmc_bBox_maxy ."','".
- "');\n";
-
- // for each layer...
- for ($ii = 0; $ii < count($this->wmc_layer_title); $ii++) {
- $layer_wms = $this->wmc_wms_serviceURL[$ii];
- // ... of this wms
- if ($current_wms == $layer_wms) {
-
- // add format (FIXME: is this working?)
- $z = count($this->wmc_layer_format[$ii]);
- for($j=0;$j<$z;$j++){
- $wmc_string .= $target . "wms_add_data_type_format('map','". $this->wmc_layer_format[$ii][$j] ."');\n";
- }
-
- if ($cnt_layers == 0) {
- if ($action == "merge") {
- $wmc_string .= "if (!wms_exists) {\n\t";
- }
- // add parent layer
- $wmc_string .= $target . "wms_add_layer('','".$this->wmc_layer_id[$i]."','','". $this->wmc_wms_title[$i] ."','','0','0','0','0','','".$this->wmc_wms_id[$i]."','1','1','1','0','0','0','0');\n";
- if ($action == "merge") {
- $wmc_string .= "}\n";
- }
- }
-
- $cnt_layers++;
-
- if ($action == "merge") {
- $wmc_string .= "if (wms_exists) {\n";
-
- // check if this layer already exists in this wms
- $wmc_string .= "\tlayer_exists = false;\n";
- $wmc_string .= "\tcurrent_layer_index = null;\n";
- $wmc_string .= "\tfor (var m=0; m < " . $target . "mb_mapObj[index].wms[current_wms_index].objLayer.length; m++) {\n";
- $wmc_string .= "\t\tif ('" . $this->wmc_layer_name[$ii] . "' == " . $target . "mb_mapObj[index].wms[current_wms_index].objLayer[m].layer_name) {\n";
- $wmc_string .= "\t\t\tlayer_exists = true;\n";
- $wmc_string .= "\t\t\tcurrent_layer_index = m;\n";
- $wmc_string .= "\t\t}\n";
- $wmc_string .= "\t}\n";
-
- $wmc_string .= "\tif (layer_exists) {\n";
- // check if the visibility or the queryability are different to the existing layer
- $wmc_string .= "\t\tif (" . $target . "mb_mapObj[index].wms[current_wms_index].objLayer[current_layer_index].gui_layer_visible != '" . intval(!$this->wmc_layer_hidden[$ii]) . "'";
- $wmc_string .= " || " . $target . "mb_mapObj[index].wms[current_wms_index].objLayer[current_layer_index].gui_layer_querylayer != '" . $this->wmc_layer_queryable[$ii] . "') {\n";
-
- // if yes, update the visibility and queryability
- $wmc_string .= "\t\t\t" . $target . "mb_mapObj[index].wms[current_wms_index].objLayer[current_layer_index].gui_layer_visible = " . intval(!$this->wmc_layer_hidden[$ii]) . ";\n";
- $wmc_string .= "\t\t\t" . $target . "mb_mapObj[index].wms[current_wms_index].objLayer[current_layer_index].gui_layer_querylayer = " . $this->wmc_layer_queryable[$ii] . ";\n";
- $wmc_string .= "\t\t}\n";
- $wmc_string .= "\t}\n";
- $wmc_string .= "}\n";
- $wmc_string .= "\telse {\n";
- }
-
- // add layer
- $wmc_string .= "\t" . $target . "wms_add_layer('0','".
- $this->wmc_layer_id[$ii] . "','".
- $this->wmc_layer_name[$ii] . "','".
- $this->wmc_layer_title[$ii] ."','".
- $this->wmc_layer_dataurl[$ii] . "','".
- intval($cnt_layers) ."','".
- $this->wmc_layer_queryable[$ii] ."','".
- $this->wmc_layer_minscale[$ii] ."','".
- $this->wmc_layer_maxscale[$ii] ."','".
- $this->wmc_layer_metadataurl[$ii] ."','".
- $this->wmc_wms_id[$ii] ."','1','1','".
- intval(!$this->wmc_layer_hidden[$ii]) ."','".
- $this->wmc_layer_queryable[$ii] ."','".
- $this->wmc_layer_querylayer[$ii] ."','".
- $this->wmc_layer_minscale[$ii] ."','".
- $this->wmc_layer_maxscale[$ii] ."');\n";
-
- if ($action == "merge") {
- $wmc_string .= "\t}\n";
- }
-
- // if layer is queryable, add it to querylayerlist
- if ($this->wmc_layer_queryable[$ii]) {
- $cnt_query_layers++;
- if (!in_array($this->wmc_layer_name[$ii], explode(",",$querylayerlist))) {
- if ($querylayerlist == "") {$querylayerlist = $this->wmc_layer_name[$ii];} else {$querylayerlist .= "," . $this->wmc_layer_name[$ii];}
- }
- }
- // if layer is visible, add it to layerlist
- if (intval(!$this->wmc_layer_hidden[$ii]) && !in_array($this->wmc_layer_name[$ii], explode(",",$layerlist))) {
- if ($layerlist == "") {$layerlist = $this->wmc_layer_name[$ii];} else {$layerlist .= "," . $this->wmc_layer_name[$ii];}
- }
-
- // add layer style (FIXME: is this working?)
- for($j=0; $j<count($this->wmc_layer_style_name[$ii]);$j++){
- $wmc_string .= $target . "wms_addLayerStyle('".$this->wmc_layer_style_name[$ii][$j] ."','".$this->wmc_layer_style_title[$ii][$j] ."','".$j."','".$cnt_layers."', '" . $this->wmc_layer_style_legendurl[$ii][$j] . "', '" . $this->wmc_layer_style_legendurl_format[$ii][$j] . "');\n";
- }
- }
- }
- // add wms to mapObj with all layers and querylayers
- if ($action == "merge") {
- $wmc_string .= "if (!wms_exists) {\n";
- }
- $wmc_string .= $target. "mb_mapObjaddWMSwithLayers('" . $mapObj . "', '" . $layerlist . "', '" . $querylayerlist . "');\n";
- if ($action == "merge") {
- $wmc_string .= "}\n";
- $wmc_string .= "else {\n";
- $wmc_string .= $target. "mb_mapObj[index].layers[current_wms_index] = \"" . $layerlist . "\";\n";
- $wmc_string .= $target. "mb_mapObj[index].querylayers[current_wms_index] = \"" . $querylayerlist . "\";\n";
- $wmc_string .= "}\n";
- }
- }
- }
- $wmc_string .= "var old_mapObj = ".$target."cloneObject(".$target."mb_mapObj);\n";
- $wmc_string .= $target . "deleteMapObj();\n";
- $wmc_string .= "for (var i=0; i<old_mapObj.length; i++) {\n";
- $wmc_string .= "\tif (old_mapObj[i].frameName != 'overview') {\n";
- $wmc_string .= "\t\t" . $target . "mb_registerMapObj(old_mapObj[i].frameName, old_mapObj[i].elementName, null, " . $this->wmc_windowWidth . ", " . $this->wmc_windowHeight . ");\n";
- $wmc_string .= "\t\t" . $target . "document.getElementById(old_mapObj[i].frameName).style.width = " . $this->wmc_windowWidth . ";\n";
- $wmc_string .= "\t\t" . $target . "document.getElementById(old_mapObj[i].frameName).style.height = " . $this->wmc_windowHeight . ";\n";
- $wmc_string .= "\t}\n";
- $wmc_string .= "\telse {\n";
- $wmc_string .= "\t\tvar found = false;\n";
- $wmc_string .= "\t\tfor (var j=0; j < " . $target . "wms.length && found == false; j++) {\n";
- $wmc_string .= "\t\t\tif (" . $target . "wms[j].wms_getmap == old_mapObj[i].wms[0].wms_getmap) {\n";
- $wmc_string .= "\t\t\t\t" . $target . "mb_registerMapObj('overview', old_mapObj[i].elementName, j, old_mapObj[i].width, old_mapObj[i].height);\n";
- $wmc_string .= "\t\t\t\tfound = true;\n";
- $wmc_string .= "\t\t\t}\n";
- $wmc_string .= "\t\t}\n";
- $wmc_string .= "\t\tif (!found) {\n";
- $wmc_string .= "\t\t\t" . $target . "mb_registerMapObj('overview', old_mapObj[i].elementName, 0, old_mapObj[i].width, old_mapObj[i].height);\n";
- $wmc_string .= "\t\t}\n";
- $wmc_string .= "\t}\n";
- $wmc_string .= "}\n";
-
- $sql = "SELECT minx, miny, maxx, maxy FROM layer_epsg WHERE fkey_layer_id = $1 AND epsg = $2 LIMIT 1";
- $v = array($this->wmc_layer_id[0], $this->wmc_bBox_SRS);
- $t = array('i', 's');
- $res = db_prep_query($sql, $v, $t);
- $row = db_fetch_array($res);
- if ($row["minx"] && $row["miny"] && $row["maxx"] && $row["maxy"]) {
- $ov_bbox = array($row["minx"],$row["miny"],$row["maxx"],$row["maxy"]);
- }
- else if ($this->wmc_layer_id[0] && $this->wmc_bBox_SRS){
- $ov_bbox = array($this->wmc_bBox_minx, $this->wmc_bBox_miny, $this->wmc_bBox_maxx, $this->wmc_bBox_maxy);
- }
- else {
- $ov_bbox = array();
- }
- $wmc_string .= "for (var i=0; i<old_mapObj.length; i++) {\n";
- $wmc_string .= "\tif (old_mapObj[i].frameName != 'overview') {\n";
- $wmc_string .= "\t\t".$target."mb_calculateExtent(old_mapObj[i].frameName, ";
- $wmc_string .= $this->wmc_bBox_minx .",".$this->wmc_bBox_miny .",";
- $wmc_string .= $this->wmc_bBox_maxx .",".$this->wmc_bBox_maxy.");\n";
- $wmc_string .= "\t}\n";
- $wmc_string .= "\telse {\n";
- if (count($ov_bbox)>0) {
-// $wmc_string .= "alert('found bbox for ov: ".implode(',',$ov_bbox)."');";
- $wmc_string .= "\t\t".$target."mb_calculateExtent(old_mapObj[i].frameName, ";
- $wmc_string .= $ov_bbox[0] .",".$ov_bbox[1] .",";
- $wmc_string .= $ov_bbox[2] .",".$ov_bbox[3] .");\n";
- }
- else {
-// $wmc_string .= "alert('no bbox found for ov: old bbox ".$this->wmc_bBox_minx." etc');";
- $wmc_string .= "\t\t".$target."mb_calculateExtent(old_mapObj[i].frameName, ";
- $wmc_string .= $this->wmc_bBox_minx .",".$this->wmc_bBox_miny .",";
- $wmc_string .= $this->wmc_bBox_maxx .",".$this->wmc_bBox_maxy.");\n";
-// $wmc_string .= "\t\tvar ov_index = " . $target . "getMapObjIndexByName('overview');\n";
-// $wmc_string .= "\t\t" . $target . "mb_mapObj[ov_index].extent = old_mapObj[i].extent;\n";
- }
- $wmc_string .= "\t}\n";
- $wmc_string .= "\t". $target . "setMapRequest(old_mapObj[i].frameName);\n";
- $wmc_string .= "}\n";
- $wmc_string .= $target . "mb_execloadWmsSubFunctions();\n";
- }
- return $wmc_string;
- }
-}
-// end class
-?>
Copied: tags/2.4.4_su/http/classes/class_wmc.php (from rev 2025, tags/2.4.4/http/classes/class_wmc.php)
===================================================================
--- tags/2.4.4_su/http/classes/class_wmc.php (rev 0)
+++ tags/2.4.4_su/http/classes/class_wmc.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -0,0 +1,715 @@
+<?php
+# $Id: class_wmc.php 645 2006-12-08 12:58:39Z christoph $
+# http://www.mapbender.org/index.php/class_wmc.php
+# Copyright (C) 2002 CCGIS
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+require_once("../../conf/mapbender.conf");
+require_once("../classes/class_wms.php");
+require_once("../classes/class_mb_exception.php");
+require_once("../classes/class_administration.php");
+
+function sepNameSpace($s){
+ $c = strpos($s,":");
+ if($c>0)return substr($s,$c+1);
+ return $s;
+}
+class wmc {
+
+ var $wmc_id;
+ var $wmc_version;
+ var $wmc_windowWidth;
+ var $wmc_windowHeight;
+ var $wmc_bBox_SRS;
+ var $wmc_bBox_minx;
+ var $wmc_bBox_maxx;
+ var $wmc_bBox_miny;
+ var $wmc_bBox_maxy;
+ var $wmc_name;
+ var $wmc_title;
+ var $wmc_abstract;
+ var $wmc_logourl;
+ var $wmc_logourl_format;
+ var $wmc_logourl_type;
+ var $wmc_logourl_width;
+ var $wmc_logourl_height;
+ var $wmc_descriptionurl;
+ var $wmc_descriptionurl_format;
+ var $wmc_descriptionurl_type;
+ var $wmc_keyword = array();
+ var $wmc_contactposition;
+ var $wmc_contactvoicetelephone;
+ var $wmc_contactemail;
+ var $wmc_contactfacsimiletelephone;
+ var $wmc_contactperson;
+ var $wmc_contactorganization;
+ var $wmc_contactaddresstype;
+ var $wmc_contactaddress;
+ var $wmc_contactcity;
+ var $wmc_contactstateorprovince;
+ var $wmc_contactpostcode;
+ var $wmc_contactcountry;
+
+ var $wmc_wms_title = array();
+ var $wmc_layer_queryable = array();
+ var $wmc_layer_querylayer = array();
+ var $wmc_layer_hidden = array();
+ var $wmc_wms_id = array();
+ var $wmc_wms_service = array();
+ var $wmc_wms_version = array();
+ var $wmc_layer_id = array();
+ var $wmc_layer_title = array();
+ var $wmc_layer_name = array();
+ var $wmc_layer_abstract = array();
+ var $wmc_layer_srs = array();
+ var $wmc_wms_serviceURL = array();
+ var $wmc_layer_format_current = array();
+ var $wmc_layer_dataurl = array();
+ var $wmc_layer_metadataurl = array();
+ var $wmc_layer_minscale = array();
+ var $wmc_layer_maxscale = array();
+ var $wmc_layer_format = array();
+ var $wmc_layer_style_current = array();
+ var $wmc_layer_style_name = array();
+ var $wmc_layer_style_title = array();
+ var $wmc_layer_style_legendurl = array();
+ var $wmc_layer_style_legendurl_width = array();
+ var $wmc_layer_style_legendurl_height = array();
+ var $wmc_layer_style_legendurl_format = array();
+ var $wmc_layer_style_legendurl_type = array();
+ var $wmc_layer_style_sld_url = array();
+ var $wmc_layer_style_sld_type = array();
+ var $wmc_layer_style_sld_title = array();
+ var $wmc_wms_count = 0;
+
+ function wmc() {
+ }
+
+ function getTitle() {
+ return $this->wmc_title;
+ }
+
+ function getNumberOfWms () {
+ return $this->wmc_wms_count;
+ }
+
+ function createObjFromWMC_id($wmc_id){
+
+ $con = db_connect(DBSERVER,OWNER,PW);
+ db_select_db(DB, $con);
+
+ $sql = "SELECT wmc FROM mb_user_wmc WHERE wmc_id = $1";
+ $v = array($wmc_id);
+ $t = array("s");
+ $res = db_prep_query($sql, $v, $t);
+ $wmc = db_fetch_array($res);
+ $this->createObjFromWMC_xml($wmc[0]);
+
+ }
+
+ function createObjFromWMC_xml($data){
+ $values = NULL;
+ $tags = NULL;
+ $parser = xml_parser_create(CHARSET);
+ xml_parser_set_option($parser,XML_OPTION_CASE_FOLDING,0);
+ xml_parser_set_option($parser,XML_OPTION_SKIP_WHITE,1);
+ xml_parser_set_option($parser,XML_OPTION_TARGET_ENCODING,CHARSET);
+ xml_parse_into_struct($parser,$data,$values,$tags);
+ $code = xml_get_error_code ($parser);
+ if ($code) {
+ $line = xml_get_current_line_number($parser);
+ $mb_exception = new mb_exception(xml_error_string($code) . " in line " . $line);
+ return false;
+ }
+ xml_parser_free($parser);
+
+ $section = NULL;
+ $format = NULL;
+ $cnt_format = 0;
+ $parent = array();
+ $myParent = array();
+ $cnt_layer = -1;
+ $request = NULL;
+ $layer_style = array();
+ $cnt_style = -1;
+ $extension = false;
+
+ $general = false;
+ $layerlist = false;
+ $layer = false;
+ $formatlist = false;
+ $metadataurl = false;
+ $dataurl = false;
+ $stylelist = false;
+
+ foreach ($values as $element) {
+ if(strtoupper($element[tag]) == "VIEWCONTEXT" && $element[type] == "open"){
+ $this->wmc_id = $element[attributes]["id"];
+ $this->wmc_version = $element[attributes]["version"];
+ }
+ if(strtoupper($element[tag]) == "GENERAL" && $element[type] == "open"){
+ $general = true;
+ }
+ if(strtoupper($element[tag]) == "LAYERLIST" && $element[type] == "open"){
+ $layerlist = true;
+ }
+ if ($general) {
+ if(strtoupper($element[tag]) == "WINDOW"){
+ $this->wmc_windowWidth = $element[attributes]["width"];
+ $this->wmc_windowHeight = $element[attributes]["height"];
+ }
+ if(strtoupper($element[tag]) == "BOUNDINGBOX"){
+ $this->wmc_bBox_SRS = $element[attributes]["SRS"];
+ $this->wmc_bBox_minx = $element[attributes]["minx"];
+ $this->wmc_bBox_miny = $element[attributes]["miny"];
+ $this->wmc_bBox_maxx = $element[attributes]["maxx"];
+ $this->wmc_bBox_maxy = $element[attributes]["maxy"];
+ }
+ if(strtoupper($element[tag]) == "NAME"){
+ $this->wmc_name = $element[value];
+ }
+ if(strtoupper($element[tag]) == "TITLE"){
+ $this->wmc_title = $element[value];
+ }
+ if(strtoupper($element[tag]) == "ABSTRACT"){
+ $this->wmc_abstract = $element[value];
+ }
+ if(strtoupper($element[tag]) == "CONTACTINFORMATION" && $element['type'] == "open"){
+ $contactinformation = true;
+ }
+ if ($contactinformation) {
+ if(strtoupper($element[tag]) == "CONTACTPOSITION"){
+ $this->wmc_contactposition = $element[value];
+ }
+ if(strtoupper($element[tag]) == "CONTACTVOICETELEPHONE"){
+ $this->wmc_contactvoicetelephone = $element[value];
+ }
+ if(strtoupper($element[tag]) == "CONTACTFACSIMILETELEPHONE"){
+ $this->wmc_contactfacsimiletelephone = $element[value];
+ }
+ if(strtoupper($element[tag]) == "CONTACTELECTRONICMAILADDRESS"){
+ $this->wmc_contactemail = $element[value];
+ }
+ if(strtoupper($element[tag]) == "CONTACTPERSONPRIMARY" && $element['type'] == "open"){
+ $contactpersonprimary = true;
+ }
+ if ($contactpersonprimary) {
+ if(strtoupper($element[tag]) == "CONTACTPERSON"){
+ $this->wmc_contactperson = $element[value];
+ }
+ if(strtoupper($element[tag]) == "CONTACTORGANIZATION"){
+ $this->wmc_contactorganization = $element[value];
+ }
+ if(strtoupper($element[tag]) == "CONTACTPERSONPRIMARY" && $element['type'] == "close"){
+ $contactpersonprimary = false;
+ }
+ }
+ if(strtoupper($element[tag]) == "CONTACTADDRESS" && $element['type'] == "open"){
+ $contactaddress = true;
+ }
+ if ($contactaddress) {
+ if(strtoupper($element[tag]) == "ADDRESSTYPE"){
+ $this->wmc_contactaddresstype = $element[value];
+ }
+ if(strtoupper($element[tag]) == "ADDRESS"){
+ $this->wmc_contactaddress = $element[value];
+ }
+ if(strtoupper($element[tag]) == "CITY"){
+ $this->wmc_contactcity = $element[value];
+ }
+ if(strtoupper($element[tag]) == "STATEORPROVINCE"){
+ $this->wmc_contactstateorprovince = $element[value];
+ }
+ if(strtoupper($element[tag]) == "POSTCODE"){
+ $this->wmc_contactpostcode = $element[value];
+ }
+ if(strtoupper($element[tag]) == "COUNTRY"){
+ $this->wmc_contactcountry = $element[value];
+ }
+ if(strtoupper($element[tag]) == "CONTACTADDRESS" && $element['type'] == "close"){
+ $contactaddress = false;
+ }
+ }
+ }
+ if(strtoupper($element[tag]) == "LOGOURL" && $element['type'] == "open"){
+ $logourl = true;
+ $this->wmc_logourl_width = $element[attributes]["width"];
+ $this->wmc_logourl_height = $element[attributes]["height"];
+ $this->wmc_logourl_format = $element[attributes]["format"];
+ }
+ if ($logourl) {
+ if(strtoupper($element[tag]) == "LOGOURL" && $element['type'] == "close"){
+ $logourl = false;
+ }
+ if(strtoupper($element[tag]) == "ONLINERESOURCE"){
+ $this->wmc_logourl_type = $element[attributes]["xlink:type"];
+ $this->wmc_logourl = $element[attributes]["xlink:href"];
+ }
+ }
+ if(strtoupper($element[tag]) == "DESCRIPTIONURL" && $element['type'] == "open"){
+ $descriptionurl = true;
+ $this->wmc_descriptionurl_format = $element[attributes]["format"];
+ }
+ if ($descriptionurl) {
+ if(strtoupper($element[tag]) == "DESCRIPTIONURL" && $element['type'] == "close"){
+ $descriptionurl = false;
+ }
+ if(strtoupper($element[tag]) == "ONLINERESOURCE"){
+ $this->wmc_descriptionurl_type = $element[attributes]["xlink:type"];
+ $this->wmc_descriptionurl = $element[attributes]["xlink:href"];
+ }
+ }
+ if(strtoupper($element[tag]) == "KEYWORDLIST" && $element['type'] == "open"){
+ $keywordlist = true;
+ }
+ if ($keywordlist) {
+ if(strtoupper($element[tag]) == "KEYWORDLIST" && $element['type'] == "close"){
+ $keywordlist = false;
+ $cnt_keyword = -1;
+ }
+ if(strtoupper($element[tag]) == "KEYWORD"){
+ $cnt_keyword++;
+ $this->wmc_keyword[$cnt_keyword] = $element[value];
+ }
+ }
+
+ if(strtoupper($element[tag]) == "GENERAL" && $element['type'] == "close"){
+ $general = false;
+ }
+ }
+ if ($layerlist) {
+ if(strtoupper($element[tag]) == "LAYERLIST" && $element['type'] == "close"){
+ $layerlist = false;
+ }
+ if(strtoupper($element[tag]) == "LAYER" && $element[type] == "open"){
+ $cnt_layer++;
+ $this->wmc_layer_queryable[$cnt_layer] = $element[attributes]["queryable"];
+ $this->wmc_layer_hidden[$cnt_layer] = $element[attributes]["hidden"];
+ $layer = true;
+ $cnt_epsg = 0;
+ }
+ if ($layer) {
+ if(strtoupper($element[tag]) == "LAYER" && $element[type] == "close"){
+ $layer = false;
+ }
+ if ($formatlist) {
+ if(strtoupper($element[tag]) == "FORMAT"){
+ $cnt_format++;
+ $this->wmc_layer_format_current[$cnt_layer][$cnt_format] = $element[attributes]["current"];
+ $this->wmc_layer_format[$cnt_layer][$cnt_format] = $element[value];
+ }
+ if(strtoupper($element[tag]) == "FORMATLIST" && $element[type] == "close"){
+ $formatlist = false;
+ }
+ }
+ elseif ($metadataurl) {
+ if(strtoupper($element[tag]) == "ONLINERESOURCE"){
+ $this->wmc_layer_metadataurl[$cnt_layer] = $element[attributes]["xlink:href"];
+ }
+ if(strtoupper($element[tag]) == "METADATAURL" && $element[type] == "close"){
+ $metadataurl = false;
+ }
+ }
+ elseif ($dataurl) {
+ if(strtoupper($element[tag]) == "ONLINERESOURCE"){
+ $this->wmc_layer_dataurl[$cnt_layer] = $element[attributes]["xlink:href"];
+ }
+ if(strtoupper($element[tag]) == "DATAURL" && $element[type] == "close"){
+ $dataurl = false;
+ }
+ }
+ elseif ($stylelist) {
+ if(strtoupper($element[tag]) == "STYLE" && $element[type] == "open"){
+ $cnt_style++;
+ $style = true;
+ $this->wmc_layer_style_current[$cnt_layer][$cnt_style] = $element[attributes]["current"];
+ }
+ if ($style) {
+ if(strtoupper($element[tag]) == "STYLE" && $element[type] == "close"){
+ $style = false;
+ }
+ if(strtoupper($element[tag]) == "SLD" && $element[type] == "open"){
+ $sld = true;
+ }
+ if ($sld) {
+ if(strtoupper($element[tag]) == "SLD" && $element[type] == "close"){
+ $sld = false;
+ }
+ if(strtoupper($element[tag]) == "ONLINERESOURCE"){
+ $this->wmc_layer_style_sld_type[$cnt_layer][$cnt_style] = $element[attributes]["xlink:type"];
+ $this->wmc_layer_style_sld_url[$cnt_layer][$cnt_style] = $element[attributes]["xlink:href"];
+ }
+ if(strtoupper($element[tag]) == "TITLE"){
+ $this->wmc_layer_style_sld_title[$cnt_layer][$cnt_style] = $element[value];
+ }
+ }
+ else {
+ if(strtoupper($element[tag]) == "NAME"){
+ $this->wmc_layer_style_name[$cnt_layer][$cnt_style] = $element[value];
+ }
+ if(strtoupper($element[tag]) == "TITLE"){
+ $this->wmc_layer_style_title[$cnt_layer][$cnt_style] = $element[value];
+ }
+ if(strtoupper($element[tag]) == "LEGENDURL" && $element[type] == "open"){
+ $legendurl = true;
+ $this->wmc_layer_style_legendurl_width[$cnt_layer][$cnt_style] = $element[attributes]["width"];
+ $this->wmc_layer_style_legendurl_height[$cnt_layer][$cnt_style] = $element[attributes]["height"];
+ $this->wmc_layer_style_legendurl_format[$cnt_layer][$cnt_style] = $element[attributes]["format"];
+ }
+ if ($legendurl) {
+ if(strtoupper($element[tag]) == "LEGENDURL" && $element[type] == "close"){
+ $legendurl = false;
+ }
+ if(strtoupper($element[tag]) == "ONLINERESOURCE"){
+ $this->wmc_layer_style_legendurl_type[$cnt_layer][$cnt_style] = $element[attributes]["xlink:type"];
+ $this->wmc_layer_style_legendurl[$cnt_layer][$cnt_style] = $element[attributes]["xlink:href"];
+ }
+ }
+ }
+ }
+ if(strtoupper($element[tag]) == "STYLELIST" && $element[type] == "close"){
+ $stylelist = false;
+ }
+ }
+ else {
+ if(strtoupper($element[tag]) == "SERVER" && $element[type] == "open"){
+ $server = true;
+ $this->wmc_wms_service[$cnt_layer] = $element[attributes]["service"];
+ $this->wmc_wms_version[$cnt_layer] = $element[attributes]["version"];
+ $this->wmc_wms_title[$cnt_layer] = $element[attributes]["title"];
+ }
+ if ($server) {
+ if(strtoupper($element[tag]) == "SERVER" && $element[type] == "close"){
+ $server = false;
+ }
+ if(strtoupper($element[tag]) == "ONLINERESOURCE"){
+ $this->wmc_wms_serviceURL[$cnt_layer] = $element[attributes]["xlink:href"];
+ }
+ }
+ if(strtoupper($element[tag]) == "NAME"){
+ $this->wmc_layer_name[$cnt_layer] = $element[value];
+ }
+ if(strtoupper($element[tag]) == "TITLE"){
+ $this->wmc_layer_title[$cnt_layer] = $element[value];
+ }
+ if(strtoupper($element[tag]) == "ABSTRACT"){
+ $this->wmc_layer_abstract[$cnt_layer] = $element[value];
+ }
+ if(strtoupper($element[tag]) == "SRS"){
+ $epsgArray = explode(" ", $element[value]);
+
+ for ($c = 0 ; $c < count($epsgArray) ; $c ++) {
+ $this->wmc_layer_srs[$cnt_layer][$cnt_epsg] = $epsgArray[$c];
+ $cnt_epsg++;
+ }
+ }
+ if (strtoupper($element[tag]) == "EXTENSION" && $element[type] == "open") {
+ $extension = true;
+ }
+ if (strtoupper($element[tag]) == "EXTENSION" && $element[type] == "close") {
+ $extension = false;
+ }
+ if($extension == true && strtoupper(sepNameSpace($element[tag])) == "SCALEHINT"){
+ $this->wmc_layer_minscale[$cnt_layer] = $element[attributes]["min"];
+ $this->wmc_layer_maxscale[$cnt_layer] = $element[attributes]["max"];
+ }
+ if($extension == true && strtoupper(sepNameSpace($element[tag])) == "LAYER_ID"){
+ $this->wmc_layer_id[$cnt_layer] = $element[value];
+ }
+ if($extension == true && strtoupper(sepNameSpace($element[tag])) == "WMS_ID"){
+ $this->wmc_wms_id[$cnt_layer] = $element[value];
+ }
+ if($extension == true && strtoupper(sepNameSpace($element[tag])) == "QUERYLAYER"){
+ $this->wmc_layer_querylayer[$cnt_layer] = $element[value];
+ }
+ if(strtoupper(sepNameSpace($element[tag])) == "METADATAURL" && $element[type] == "open"){
+ $metadataurl = true;
+ }
+ if(strtoupper(sepNameSpace($element[tag])) == "DATAURL" && $element[type] == "open"){
+ $dataurl = true;
+ }
+ if(strtoupper(sepNameSpace($element[tag])) == "FORMATLIST" && $element[type] == "open"){
+ $formatlist = true;
+ $cnt_format = -1;
+ }
+ if(strtoupper(sepNameSpace($element[tag])) == "STYLELIST" && $element[type] == "open"){
+ $stylelist = true;
+ $cnt_style = -1;
+ }
+ }
+ }
+ }
+ }
+ return true;
+ }
+
+ function createJsObjFromWMC($target, $mapObj, $action){
+ $wmc_string = "";
+ $validActions = array("load", "merge", "append");
+ if (!in_array($action, $validActions)) {
+ $wmc_string .= "alert('invalid action: ".$action."');";
+ }
+ else {
+ $wmc_string .= "var index = " . $target . "getMapObjIndexByName('" . $mapObj . "');\n";
+ if ($action == "load") {
+ // delete all previous wms
+ $wmc_string .= "while(" . $target . "mb_mapObj[index].wms.length > 0){" . $target . "mb_mapObjremoveWMS(index,0);}";
+ $wmc_string .= $target . "deleteWmsObject();\n";
+ }
+ if ($action == "merge") {
+ $wmc_string .= "var wms_exists = false;\n"; // true if this wms exists in the mapObj
+ $wmc_string .= "var current_wms_index = null;\n"; // if wms_exists: index of the wms in the map obj; else: null
+ $wmc_string .= "var layer_exists = false;\n"; // true if this layer exists in an existing wms of the mapObj
+ $wmc_string .= "var current_layer_index = null;\n"; // if layer_exists: index of the layer of the wms in the mapObj; else: null
+ }
+ $new_wms = "";
+ $cnt_wms = -1;
+ $added_wms = array();
+
+ // for all layers in wmc, find individual wms...
+ for ($i = 0; $i < count($this->wmc_layer_title); $i++) {
+ $current_wms = $this->wmc_wms_serviceURL[$i];
+ // ...this is something like 'for every wms'
+ if (!in_array($current_wms , $added_wms)) {
+ $layerlist = "";
+ $querylayerlist = "";
+ $srs_array = array();
+
+ if ($action == "merge") {
+ $wmc_string .= "wms_exists = false;\n";
+ $wmc_string .= "current_wms_index = null;\n";
+ $wmc_string .= "for (var m=0; m < " . $target . "mb_mapObj[index].wms.length; m++) {\n";
+ $wmc_string .= "\tif ('" . $this->wmc_wms_serviceURL[$i] . "' == " . $target . "mb_mapObj[index].wms[m].wms_getmap) {\n";
+ $wmc_string .= "\t\twms_exists = true;\n";
+ $wmc_string .= "\t\tcurrent_wms_index = m;\n";
+ $wmc_string .= "\t}\n";
+ $wmc_string .= "}\n";
+ $wmc_string .= "if (!wms_exists) {\n";
+ }
+
+ $mywms = new wms();
+
+ if(!$this->wmc_layer_title[$i] || $this->wmc_layer_title[$i] == ""){
+ echo "alert('Error: no valid capabilities-document !!');\n";
+ die; exit;
+ }
+
+ for($j=0;$j<count($this->wmc_layer_format[$i]);$j++){
+ if ($this->wmc_layer_format_current[$i][$j] == 1) {
+ $wms_data_format = $this->wmc_layer_format[$i][$j];
+ }
+ }
+ // add wms
+ $wmc_string .= "\t" . $target . "add_wms('','".
+ $this->wmc_wms_version[$i] ."','".
+ $this->wmc_wms_title[$i] ."','".
+ $this->wmc_layer_abstract[$i] ."','".
+ $this->wmc_wms_serviceURL[$i] ."','" .
+ $this->wmc_wms_serviceURL[$i] ."','" .
+ $this->wmc_layer_style_legendurl[$i][0] ."','','".
+ $wms_data_format ."','text/html','application/vnd.ogc.se_xml','".
+ $this->wmc_bBox_SRS ."','1');\n";
+
+ $added_wms[count($added_wms)] = $current_wms;
+ $cnt_wms++;
+ $cnt_layers = 0;
+ $cnt_query_layers = 0;
+ if ($action == "merge") {
+ $wmc_string .= "}\n";
+ }
+
+ // add epsg
+ $wmc_string .= $target . "wms_addSRS('".
+ $this->wmc_bBox_SRS ."','".
+ $this->wmc_bBox_minx ."','".
+ $this->wmc_bBox_miny ."','".
+ $this->wmc_bBox_maxx ."','".
+ $this->wmc_bBox_maxy ."','".
+ "');\n";
+
+ // for each layer...
+ for ($ii = 0; $ii < count($this->wmc_layer_title); $ii++) {
+ $layer_wms = $this->wmc_wms_serviceURL[$ii];
+ // ... of this wms
+ if ($current_wms == $layer_wms) {
+
+ // add format (FIXME: is this working?)
+ $z = count($this->wmc_layer_format[$ii]);
+ for($j=0;$j<$z;$j++){
+ $wmc_string .= $target . "wms_add_data_type_format('map','". $this->wmc_layer_format[$ii][$j] ."');\n";
+ }
+
+ if ($cnt_layers == 0) {
+ if ($action == "merge") {
+ $wmc_string .= "if (!wms_exists) {\n\t";
+ }
+ // add parent layer
+ $wmc_string .= $target . "wms_add_layer('','".$this->wmc_layer_id[$i]."','','". $this->wmc_wms_title[$i] ."','','0','0','0','0','','".$this->wmc_wms_id[$i]."','1','1','1','0','0','0','0');\n";
+ if ($action == "merge") {
+ $wmc_string .= "}\n";
+ }
+ }
+
+ $cnt_layers++;
+
+ if ($action == "merge") {
+ $wmc_string .= "if (wms_exists) {\n";
+
+ // check if this layer already exists in this wms
+ $wmc_string .= "\tlayer_exists = false;\n";
+ $wmc_string .= "\tcurrent_layer_index = null;\n";
+ $wmc_string .= "\tfor (var m=0; m < " . $target . "mb_mapObj[index].wms[current_wms_index].objLayer.length; m++) {\n";
+ $wmc_string .= "\t\tif ('" . $this->wmc_layer_name[$ii] . "' == " . $target . "mb_mapObj[index].wms[current_wms_index].objLayer[m].layer_name) {\n";
+ $wmc_string .= "\t\t\tlayer_exists = true;\n";
+ $wmc_string .= "\t\t\tcurrent_layer_index = m;\n";
+ $wmc_string .= "\t\t}\n";
+ $wmc_string .= "\t}\n";
+
+ $wmc_string .= "\tif (layer_exists) {\n";
+ // check if the visibility or the queryability are different to the existing layer
+ $wmc_string .= "\t\tif (" . $target . "mb_mapObj[index].wms[current_wms_index].objLayer[current_layer_index].gui_layer_visible != '" . intval(!$this->wmc_layer_hidden[$ii]) . "'";
+ $wmc_string .= " || " . $target . "mb_mapObj[index].wms[current_wms_index].objLayer[current_layer_index].gui_layer_querylayer != '" . $this->wmc_layer_queryable[$ii] . "') {\n";
+
+ // if yes, update the visibility and queryability
+ $wmc_string .= "\t\t\t" . $target . "mb_mapObj[index].wms[current_wms_index].objLayer[current_layer_index].gui_layer_visible = " . intval(!$this->wmc_layer_hidden[$ii]) . ";\n";
+ $wmc_string .= "\t\t\t" . $target . "mb_mapObj[index].wms[current_wms_index].objLayer[current_layer_index].gui_layer_querylayer = " . $this->wmc_layer_queryable[$ii] . ";\n";
+ $wmc_string .= "\t\t}\n";
+ $wmc_string .= "\t}\n";
+ $wmc_string .= "}\n";
+ $wmc_string .= "\telse {\n";
+ }
+
+ // add layer
+ $wmc_string .= "\t" . $target . "wms_add_layer('0','".
+ $this->wmc_layer_id[$ii] . "','".
+ $this->wmc_layer_name[$ii] . "','".
+ $this->wmc_layer_title[$ii] ."','".
+ $this->wmc_layer_dataurl[$ii] . "','".
+ intval($cnt_layers) ."','".
+ $this->wmc_layer_queryable[$ii] ."','".
+ $this->wmc_layer_minscale[$ii] ."','".
+ $this->wmc_layer_maxscale[$ii] ."','".
+ $this->wmc_layer_metadataurl[$ii] ."','".
+ $this->wmc_wms_id[$ii] ."','1','1','".
+ intval(!$this->wmc_layer_hidden[$ii]) ."','".
+ $this->wmc_layer_queryable[$ii] ."','".
+ $this->wmc_layer_querylayer[$ii] ."','".
+ $this->wmc_layer_minscale[$ii] ."','".
+ $this->wmc_layer_maxscale[$ii] ."');\n";
+
+ if ($action == "merge") {
+ $wmc_string .= "\t}\n";
+ }
+
+ // if layer is queryable, add it to querylayerlist
+ if ($this->wmc_layer_queryable[$ii]) {
+ $cnt_query_layers++;
+ if (!in_array($this->wmc_layer_name[$ii], explode(",",$querylayerlist))) {
+ if ($querylayerlist == "") {$querylayerlist = $this->wmc_layer_name[$ii];} else {$querylayerlist .= "," . $this->wmc_layer_name[$ii];}
+ }
+ }
+ // if layer is visible, add it to layerlist
+ if (intval(!$this->wmc_layer_hidden[$ii]) && !in_array($this->wmc_layer_name[$ii], explode(",",$layerlist))) {
+ if ($layerlist == "") {$layerlist = $this->wmc_layer_name[$ii];} else {$layerlist .= "," . $this->wmc_layer_name[$ii];}
+ }
+
+ // add layer style (FIXME: is this working?)
+ for($j=0; $j<count($this->wmc_layer_style_name[$ii]);$j++){
+ $wmc_string .= $target . "wms_addLayerStyle('".$this->wmc_layer_style_name[$ii][$j] ."','".$this->wmc_layer_style_title[$ii][$j] ."','".$j."','".$cnt_layers."', '" . $this->wmc_layer_style_legendurl[$ii][$j] . "', '" . $this->wmc_layer_style_legendurl_format[$ii][$j] . "');\n";
+ }
+ }
+ }
+ // add wms to mapObj with all layers and querylayers
+ if ($action == "merge") {
+ $wmc_string .= "if (!wms_exists) {\n";
+ }
+ $wmc_string .= $target. "mb_mapObjaddWMSwithLayers('" . $mapObj . "', '" . $layerlist . "', '" . $querylayerlist . "');\n";
+ if ($action == "merge") {
+ $wmc_string .= "}\n";
+ $wmc_string .= "else {\n";
+ $wmc_string .= $target. "mb_mapObj[index].layers[current_wms_index] = \"" . $layerlist . "\";\n";
+ $wmc_string .= $target. "mb_mapObj[index].querylayers[current_wms_index] = \"" . $querylayerlist . "\";\n";
+ $wmc_string .= "}\n";
+ }
+ }
+ }
+ $wmc_string .= "var old_mapObj = ".$target."cloneObject(".$target."mb_mapObj);\n";
+ $wmc_string .= $target . "deleteMapObj();\n";
+ $wmc_string .= "for (var i=0; i<old_mapObj.length; i++) {\n";
+ $wmc_string .= "\tif (old_mapObj[i].frameName != 'overview') {\n";
+ $wmc_string .= "\t\t" . $target . "mb_registerMapObj(old_mapObj[i].frameName, old_mapObj[i].elementName, null, " . $this->wmc_windowWidth . ", " . $this->wmc_windowHeight . ");\n";
+ $wmc_string .= "\t\t" . $target . "document.getElementById(old_mapObj[i].frameName).style.width = " . $this->wmc_windowWidth . ";\n";
+ $wmc_string .= "\t\t" . $target . "document.getElementById(old_mapObj[i].frameName).style.height = " . $this->wmc_windowHeight . ";\n";
+ $wmc_string .= "\t}\n";
+ $wmc_string .= "\telse {\n";
+ $wmc_string .= "\t\tvar found = false;\n";
+ $wmc_string .= "\t\tfor (var j=0; j < " . $target . "wms.length && found == false; j++) {\n";
+ $wmc_string .= "\t\t\tif (" . $target . "wms[j].wms_getmap == old_mapObj[i].wms[0].wms_getmap) {\n";
+ $wmc_string .= "\t\t\t\t" . $target . "mb_registerMapObj('overview', old_mapObj[i].elementName, j, old_mapObj[i].width, old_mapObj[i].height);\n";
+ $wmc_string .= "\t\t\t\tfound = true;\n";
+ $wmc_string .= "\t\t\t}\n";
+ $wmc_string .= "\t\t}\n";
+ $wmc_string .= "\t\tif (!found) {\n";
+ $wmc_string .= "\t\t\t" . $target . "mb_registerMapObj('overview', old_mapObj[i].elementName, 0, old_mapObj[i].width, old_mapObj[i].height);\n";
+ $wmc_string .= "\t\t}\n";
+ $wmc_string .= "\t}\n";
+ $wmc_string .= "}\n";
+
+ $sql = "SELECT minx, miny, maxx, maxy FROM layer_epsg WHERE fkey_layer_id = $1 AND epsg = $2 LIMIT 1";
+ $v = array($this->wmc_layer_id[0], $this->wmc_bBox_SRS);
+ $t = array('i', 's');
+ $res = db_prep_query($sql, $v, $t);
+ $row = db_fetch_array($res);
+ if ($row["minx"] && $row["miny"] && $row["maxx"] && $row["maxy"]) {
+ $ov_bbox = array($row["minx"],$row["miny"],$row["maxx"],$row["maxy"]);
+ }
+ else if ($this->wmc_layer_id[0] && $this->wmc_bBox_SRS){
+ $ov_bbox = array($this->wmc_bBox_minx, $this->wmc_bBox_miny, $this->wmc_bBox_maxx, $this->wmc_bBox_maxy);
+ }
+ else {
+ $ov_bbox = array();
+ }
+ $wmc_string .= "for (var i=0; i<old_mapObj.length; i++) {\n";
+ $wmc_string .= "\tif (old_mapObj[i].frameName != 'overview') {\n";
+ $wmc_string .= "\t\t".$target."mb_calculateExtent(old_mapObj[i].frameName, ";
+ $wmc_string .= $this->wmc_bBox_minx .",".$this->wmc_bBox_miny .",";
+ $wmc_string .= $this->wmc_bBox_maxx .",".$this->wmc_bBox_maxy.");\n";
+ $wmc_string .= "\t}\n";
+ $wmc_string .= "\telse {\n";
+ if (count($ov_bbox)>0) {
+// $wmc_string .= "alert('found bbox for ov: ".implode(',',$ov_bbox)."');";
+ $wmc_string .= "\t\t".$target."mb_calculateExtent(old_mapObj[i].frameName, ";
+ $wmc_string .= $ov_bbox[0] .",".$ov_bbox[1] .",";
+ $wmc_string .= $ov_bbox[2] .",".$ov_bbox[3] .");\n";
+ }
+ else {
+// $wmc_string .= "alert('no bbox found for ov: old bbox ".$this->wmc_bBox_minx." etc');";
+ $wmc_string .= "\t\t".$target."mb_calculateExtent(old_mapObj[i].frameName, ";
+ $wmc_string .= $this->wmc_bBox_minx .",".$this->wmc_bBox_miny .",";
+ $wmc_string .= $this->wmc_bBox_maxx .",".$this->wmc_bBox_maxy.");\n";
+// $wmc_string .= "\t\tvar ov_index = " . $target . "getMapObjIndexByName('overview');\n";
+// $wmc_string .= "\t\t" . $target . "mb_mapObj[ov_index].extent = old_mapObj[i].extent;\n";
+ }
+ $wmc_string .= "\t}\n";
+ $wmc_string .= "\t". $target . "setMapRequest(old_mapObj[i].frameName);\n";
+ $wmc_string .= "}\n";
+ $wmc_string .= $target . "mb_execloadWmsSubFunctions();\n";
+ }
+ return $wmc_string;
+ }
+}
+// end class
+?>
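Review bot: createJsObjFromWMC concatenates values parsed from the WMC document directly into the generated JavaScript: titles, layer names, service URLs and legend URLs go between hand-written single quotes (for example `$this->wmc_wms_title[$i]` in the `add_wms(` call), while the bounding box, window width/height and `wmc_layer_queryable` are emitted as bare expressions. A stored context whose title contains `'`, or whose `minx` attribute is not a number, therefore changes the script sent to the browser instead of being treated as data. I would encode each string for a JavaScript context, e.g. `json_encode($this->wmc_wms_title[$i])` in place of the manual quotes (this needs PHP 5.2 or later, which the hunk does not establish), and coerce the numeric fields with `floatval($this->wmc_bBox_minx)` / `intval($this->wmc_windowWidth)` before output. Separately, the error branch of createObjFromWMC_xml returns before `xml_parser_free($parser)`, and createObjFromWMC_id ignores that `false` return.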
Modified: tags/2.4.4_su/http/classes/class_wms.php
===================================================================
--- tags/2.4.4/http/classes/class_wms.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/classes/class_wms.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -94,7 +94,7 @@
xml_parser_set_option($parser,XML_OPTION_CASE_FOLDING,0);
xml_parser_set_option($parser,XML_OPTION_SKIP_WHITE,1);
xml_parser_set_option($parser,XML_OPTION_TARGET_ENCODING,CHARSET);
- xml_parse_into_struct($parser,$this->wms_getcapabilities_doc,$values,$tags);
+ xml_parse_into_struct($parser,$data,$values,$tags);
$code = xml_get_error_code($parser);
if ($code) {
@@ -1340,7 +1340,12 @@
while($row = db_fetch_array($res)){
unset($mySubmit);
$myGUI[$cnt] = $row["fkey_gui_id"];
- $sql = "UPDATE gui_wms SET ";
+
+ $sql = "UPDATE gui_wms SET ";
+ $v = array();
+ $t = array();
+ $paramCount = 0;
+
for($i=0; $i<count($this->data_type); $i++){
# gui_wms_mapformat
if(strtolower($this->data_type[$i]) == "map" && strtolower($this->data_format[$i]) == strtolower($row["gui_wms_mapformat"])){
@@ -1356,17 +1361,26 @@
}
}
if(!$myMapFormat){
- $sql .= "gui_wms_mapformat = '".$this->gui_wms_mapformat."' ";
+ $paramCount++;
+ $sql .= "gui_wms_mapformat = $" . $paramCount . " ";
$mySubmit = true;
+ array_push($v, $this->gui_wms_mapformat);
+ array_push($t, "s");
}
if(!$myFeatureInfoFormat){
if($mySubmit){ $sql .= ",";}
- $sql .= "gui_wms_featureinfoformat = '".$this->gui_wms_featureinfoformat."' ";
+ $paramCount++;
+ $sql .= "gui_wms_featureinfoformat = $" . $paramCount . " ";
+ array_push($v, $this->gui_wms_featureinfoformat);
+ array_push($t, "s");
$mySubmit = true;
}
if(!$myExceptionFormat){
if($mySubmit){ $sql .= ",";}
- $sql .= "gui_wms_exceptionformat = '".$this->gui_wms_exceptionformat."' ";
+ $paramCount++;
+ $sql .= "gui_wms_exceptionformat = $" . $paramCount ." ";
+ array_push($v, $this->gui_wms_exceptionformat);
+ array_push($t, "s");
$mySubmit = true;
}
@@ -1378,12 +1392,30 @@
}
if(!$myGUI_EPSG){
if($mySubmit){ $sql .= ",";}
- $sql .= "gui_wms_epsg = '".$this->gui_wms_epsg."' ";
+ $paramCount++;
+ $sql .= "gui_wms_epsg = $" . $paramCount . " ";
+ array_push($v, $this->gui_wms_epsg);
+ array_push($t, "s");
$mySubmit = true;
}
- $sql .= " WHERE fkey_gui_id = '".$row["fkey_gui_id"]."' AND fkey_wms_id = " . $myWMS;
+ $paramCount++;
+ $sql .= " WHERE fkey_gui_id = $" . $paramCount . " ";
+ array_push($v, $row["fkey_gui_id"]);
+ array_push($t, "s");
+
+ $paramCount++;
+ $sql .= "AND fkey_wms_id = $" . $paramCount;
+ array_push($v, $myWMS);
+ array_push($t, "i");
if($mySubmit){
- $this->transaction($sql);
+ $res = db_prep_query($sql,$v,$t);
+ if(!$res){
+ db_rollback();
+ echo "<pre>".$sql."</pre><br> <br><p>";
+ echo db_error();
+ echo "<br /> UPDATE ERROR -> KILL PROCESS AND ROLLBACK....................no update<br><br>";
+ $e = new mb_exception("class_wms.php: transaction: Transaction aborted, rollback.");
+ }
}
$cnt++;
}
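Review bot: In the new `if(!$res)` branch `db_rollback()` runs before `db_error()` is read, whereas the removed transaction() captured the error first, so the reported text may no longer belong to the failed UPDATE (this depends on how `db_error()` is implemented, which is not shown). The branch also echoes `$sql` and the database error into the page while the `mb_exception` message carries no detail. I would read the error first and log it, `$err = db_error(); db_rollback(); $e = new mb_exception("class_wms.php: gui_wms update failed, rolled back: " . $err);`, and drop the `echo` lines. The `while` loop continues with the next row after the rollback although the message says the process is killed; the enclosing function starts outside the hunk, so whether that is intended cannot be confirmed here.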
@@ -1399,26 +1431,7 @@
function getCapabilitiesDoc() {
return $this->wms_getcapabilities_doc;
}
- function transaction($sql){
- #echo "<hr>". $sql;
- $ok = db_query($sql);
- if(!$ok){
- echo "<pre>".$sql."</pre><br> <br><p>";
- $error = db_error();
- $sql = "ROLLBACK";
- $res = db_query($sql);
- if(SYS_DBTYPE=="pgsql")
- {
- $sql = "SET AUTOCOMMIT=0";
- }
- else
- {
- $sql = "SET AUTOCOMMIT=1";
- }
- echo $error;
- echo "<br /> UPDATE ERROR -> KILL PROCESS AND ROLLBACK....................no update<br><br>";
- }
- }
+
/**
* creatObjfromDB
*
Modified: tags/2.4.4_su/http/frames/login.php
===================================================================
--- tags/2.4.4/http/frames/login.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/frames/login.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -1,5 +1,5 @@
<?php
-# $Id: login.php 76 2006-08-15 12:25:34Z heuser $
+# $Id$
# Copyright (C) 2002 CCGIS
#
# This program is free software; you can redistribute it and/or modify
@@ -152,8 +152,10 @@
}
if($_SESSION["mb_user_id"]){
if($row["mb_user_login_count"] < $loginMax){
- $sql_del_cnt = "UPDATE mb_user SET mb_user_login_count = 0 WHERE mb_user_id = " . $_SESSION['mb_user_id'];
- db_query($sql_del_cnt);
+ $sql_del_cnt = "UPDATE mb_user SET mb_user_login_count = 0 WHERE mb_user_id = $1";
+ $v = array($_SESSION['mb_user_id']);
+ $t = array("i");
+ db_prep_query($sql_del_cnt, $v, $t);
require_once(dirname(__FILE__)."/../php/mb_getGUIs.php");
$arrayGUIs = mb_getGUIs($row["mb_user_id"]);
$_SESSION["mb_user_guis"] = $arrayGUIs;
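Review bot: The result of `db_prep_query($sql_del_cnt, $v, $t)` is discarded, so a failed reset of `mb_user_login_count` goes unnoticed and the stale count presumably keeps counting towards `$loginMax`. A check such as `if (!db_prep_query($sql_del_cnt, $v, $t)) { $e = new mb_exception("login.php: could not reset mb_user_login_count"); }` would record it; whether `class_mb_exception.php` is loaded in this file is not visible in the hunk. The update keys on `$_SESSION['mb_user_id']` while the following lines use `$row["mb_user_id"]`; using one source for both would make the intent clearer.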
Deleted: tags/2.4.4_su/http/html/mod_treefolder_auge.php
===================================================================
--- tags/2.4.4/http/html/mod_treefolder_auge.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/html/mod_treefolder_auge.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -1,787 +0,0 @@
-<?php
-session_start();
-require_once(dirname(__FILE__)."/../../conf/mapbender.conf");
-$con = db_connect($DBSERVER,$OWNER,$PW);
-db_select_db(DB,$con);
-$gui_id = $_SESSION["mb_user_gui"];
-
-$eye_on = '../img/eye_on.gif';
-$eye_off = '../img/eye_off.gif';
-$info_on = '../img/info_on.gif';
-$info_off ='../img/info_off.gif';
-$no_info ='../img/no_info.gif';
-
-?>
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
-<HTML>
-<HEAD>
-<META NAME="Generator" CONTENT="Cosmo Create 1.0.3">
-<?php
-echo '<meta http-equiv="Content-Type" content="text/html; charset='.CHARSET.'">';
-?>
-<TITLE>Treefolder Eyes</TITLE>
-<?php
- include '../include/dyn_css.php';
-?>
-<script language='JavaScript'>
-function pop_up(name)
-{
- window.open(name,"METADATEN","width=310,height=400,left=0,top=0");
-}
-</script>
-<?php
-echo "<script language='JavaScript'>";
-
- import_request_variables("PG");
-
- require_once(dirname(__FILE__)."/../../conf/mapbender.conf");
- $con = db_connect($DBSERVER,$OWNER,$PW);
- db_select_db(DB,$con);
- $sql = "SELECT e_target FROM gui_element WHERE e_id = '".$_REQUEST['e_id_css']."' AND fkey_gui_id = '".$_SESSION["mb_user_gui"]."'";
-
- $res = db_query($sql);
- $e_target = db_result($res,0,"e_target");
-
- echo "mod_treeGDE_map = '".$e_target."';";
-echo "</script>";
-
-$sql = "select var_name,var_value from gui_element_vars where fkey_gui_id='".$_SESSION["mb_user_gui"]."' and fkey_e_id='".$_REQUEST['e_id_css']."' and var_type = 'img';";
-
- $res = db_query($sql);
-$img["folder_off"] ='../img/tree/folder_off_new.gif';
-$img["folder_on"] ='../img/tree/folder_on_new.gif';
-while($row = db_fetch_array($res))
-{
-$img[$row['var_name']] = $row['var_value'];
-}
-
-?>
- <SCRIPT language="JavaScript1.2">
- <!--
- /*
- * sitemap.js 1.31 05/02/2000
- * - Opera 5
- *
- * sitemap.js 1.3 27/11/2000
- * - Netscape 6
- *
- * sitemap.js 1.2 20/05/2000
- * - split array tree into arrays for each element old tree
- * - no mory type flag, an folder is an entry which has sons
- * - a folder can have an link
- * - while initing an default layers is shown
- *
- * sitemap.js 1.1 20/10/1999
- * - showTree only updates and init layers new which have been really changed
- * - add deep to knot entry
- * - substitute knotDeep[ id ] w/ tree[ id2treeIndex[ id ] ].deep
- * - add alignment to img and a at the beginning of eyery line
- * - add a fake img for bookmarks on top panel
- *
- * sitemap.js 1.02 14/10/1999
- * - fix bug in initStyles
- *
- * sitemap.js 1.01 06/10/1999
- * - fix bug in knotDeep for Netscape 4.00-4.0.5
- *
- * sitemap.js 1.0 20/09/1999
- *
- * Javascript function for displaying hierarchic directory structures with
- * the ability to collapse and expand directories.
- *
- * Copyright (c) 1999 Polzin GmbH, Duesseldorf. All Rights Reserved.
- * Author: Lutz Eymers <ixtab at polzin.com>
- * Download: http://www.polzin.com/inet/fset_inet.phtml?w=goodies
- *
- * Permission to use, copy, modify, and distribute this software
- * and its documentation for any purposes and without fee
- * is hereby granted provided that this copyright notice
- * appears in all copies.
- *
- * Of course, this software is provided "as is" without express or implied
- * warranty of any kind.
- *
- */
-
- parent.mb_registerSubFunctions("window.frames['treeGDE'].mod_treeGDE()");
-
-function mod_treeGDE(){
- /**/
- var ind = parent.getMapObjIndexByName(mod_treeGDE_map);
- //if(ind == false){ alert("error, no mapobject specified");}
- for(var i=0; i<document.getElementsByTagName("input").length; i++){
- //wms_title,layer_shortname,{visible | querylayer}
- var myID = document.getElementsByTagName("input")[i].id;
- var arrayID = document.getElementsByTagName("input")[i].id.split("###");
- //var ind = parent.getMapObjIndexByName(mod_treeGDE_map);
- var wms_ind = parent.getWMSIndexByTitle(mod_treeGDE_map,arrayID[0]);
- if(arrayID[2] == "visible"){
- var arrayLayer = parent.mb_mapObj[ind].layers[wms_ind].split(",");
- var isOn = false;
- for(var ii=0; ii<arrayLayer.length; ii++){
- if(arrayID[1] == arrayLayer[ii]){isOn = true;}
- }
- if(isOn == true){ document.getElementById(myID).checked = true;}
- if(isOn == false){ document.getElementById(myID).checked = false;}
- }
- if(arrayID[2] == "querylayer"){
- //nothing to do at this time
- }
- }
- /*consider scalhints*/
- for(var i=0; i<parent.mb_mapObj.length; i++){
- var scale = parseInt(parent.mb_getScale(mod_treeGDE_map));
- if(parent.mb_mapObj[i].frameName == mod_treeGDE_map){
- for(var ii=0; ii<parent.mb_mapObj[i].wms.length; ii++){
- for(var iii=1; iii<parent.mb_mapObj[i].wms[ii].objLayer.length; iii++){
- if(document.getElementById(parent.mb_mapObj[i].wms[ii].wms_title+"_"+parent.mb_mapObj[i].wms[ii].objLayer[iii].layer_name)){
- if(scale < parseInt(parent.mb_mapObj[i].wms[ii].objLayer[iii].gui_layer_minscale) && parseInt(parent.mb_mapObj[i].wms[ii].objLayer[iii].gui_layer_minscale) != 0){
- document.getElementById(parent.mb_mapObj[i].wms[ii].wms_title+"_"+parent.mb_mapObj[i].wms[ii].objLayer[iii].layer_name).style.color = '#999999';
- }
- else if(scale > parseInt(parent.mb_mapObj[i].wms[ii].objLayer[iii].gui_layer_maxscale) && parseInt(parent.mb_mapObj[i].wms[ii].objLayer[iii].gui_layer_maxscale) != 0){
- document.getElementById(parent.mb_mapObj[i].wms[ii].wms_title+"_"+parent.mb_mapObj[i].wms[ii].objLayer[iii].layer_name).style.color = '#999999';
- }
- else{
- document.getElementById(parent.mb_mapObj[i].wms[ii].wms_title+"_"+parent.mb_mapObj[i].wms[ii].objLayer[iii].layer_name).style.color = '#000000';
- }
- }
- }
- }
- }
- }
-}
- window.onError=null;
-
- var idx=0
- var treeId = new Array();
- var treeP_id = new Array();
- var treeIsOn = new Array();
- var treeTyp = new Array();
- var treeName = new Array();
- var treeUrl = new Array();
- var treeWasOn = new Array();
- var treeDeep = new Array();
- var treeLastY = new Array();
- var treeIsShown = new Array();
- var treeSelectable = new Array();
- var treeVisible = new Array();
- var treeQueryable = new Array();
- var treeQuerylayer = new Array();
- var treeWMS = new Array();
- var treeShortname = new Array();
-
- function Note( id,p_id,name,url,selectable,visible,queryable,querylayer,wms,shortname) {
- treeId[ idx ] = id
- treeP_id[ idx ] = p_id
- treeIsOn[ idx ] = false
- treeTyp[ idx ] = 'f'
- treeName[ idx ] = name
- treeUrl[ idx ] = url
- treeWasOn[ idx ] = false
- treeDeep[ idx ] = 0
- treeLastY[ idx ] = 0
- treeIsShown[ idx ] = false
- treeSelectable[ idx ] = selectable
- treeVisible[ idx ] = visible
- treeQueryable[ idx ] = queryable
- treeQuerylayer[ idx ] = querylayer
- treeWMS[ idx ] = wms
- treeShortname[ idx ] = shortname
- idx++
- }
-
- function initDiv ( )
- {
- if ( isDOM || isDomIE )
- {
- divPrefix='<DIV CLASS="sitemap" style="position:absolute; left:0; top:0; visibility:hidden;" ID="sitemap'
- divInfo='<DIV CLASS="sitemap" style="position:absolute; visibility:visible" ID="sitemap'
- }
- else
- {
- divPrefix='<DIV CLASS="sitemap" ID="sitemap'
- divInfo='<DIV CLASS="sitemap" ID="sitemap'
- }
- //document.writeln( divInfo + 'info">Bitte haben Sie etwas Geduld.<BR> <BR>Es werden die Einträge aus<BR> <BR>der Datenbank initialisiert.</DIV> ' );
- for ( var i=1; i<idx; i++ )
- {
- // linked Name ?
-
-
- if ( treeUrl[i] != '' ){
- if(treeVisible[i] != 1){
- linkedName = '<a href="#" onclick="changevalue('+ i +')"><input type=hidden id="treeWMS['+i+']" value=0><img name="bild'+ i +'" id="test" border=0 src="'+images[1]+'" alt="'+images_text[1]+'"></A>';
- }
- else
- {
- linkedName = '<a href="#" onclick="changevalue('+ i +')"><input type=hidden id="treeWMS['+i+']" value=1><img name="bild'+ i +'" id="test" border=0 src="'+images[2]+'" alt="'+images_text[2]+'"></A>';
- }
-
- //linkedName += "<input id='"+treeWMS[i]+"###"+treeShortname[i]+"###visible' type='checkbox' ";
- //if(treeVisible[i] == '1'){ linkedName += "checked ";}
- //if(treeSelectable[i] != '1'){ linkedName += "disabled ";}
- //linkedName += "onClick = 'if(this.checked){parent.handleSelectedLayer(\""+mod_treeGDE_map+"\",\""+treeWMS[i]+"\",\""+treeShortname[i]+"\",\"visible\",1);parent.setSingleMapRequest(\""+mod_treeGDE_map+"\",\""+treeWMS[i]+"\");}";
- //linkedName += "else{parent.handleSelectedLayer(\""+mod_treeGDE_map+"\",\""+treeWMS[i]+"\",\""+treeShortname[i]+"\",\"visible\",0);parent.setSingleMapRequest(\""+mod_treeGDE_map+"\",\""+treeWMS[i]+"\");}'";
- //linkedName += '>';
-
-
- //no checkbox for the query
- <?php
- if(isset($_REQUEST["noquerycheckbox"])){
- $nocheck = $_REQUEST["noquerycheckbox"];
- }
- else{
- $nocheck = false;
- }
- echo "var noquerycheck = ".$nocheck.";";
- ?>
- ///evudb/images/mapbender/button_gray/query_off.gif
- ///evudb/images/mapbender/button_gray/query_on.gif
- if (noquerycheck==false || noquerycheck==0){
- if(treeQuerylayer[i] == '1' && treeVisible[i] == 1){
- //Info aktiv
- //alert('info aktiv');
- linkedName += ' <a href="#" onclick="changeinfo('+ i +')"><input type=hidden id="'+treeWMS[i]+'###'+treeShortname[i]+'###querylayer" value=1><img name="query'+ i +'" id="query'+i+'" border=0 src="'+qimages[2]+'" alt="'+qimages_text[2]+'"></A>';
- }
- else
- {
- //alert(treeQueryable[i] + ' ' + treeShortname[i]);
- if(treeQueryable[i] == '1')
- {
- //Info verfügbar
- if (treeVisible[i] ==1)
- {
- // Info aktivierbar
- linkedName += ' <a href="#" onclick="changeinfo('+ i +')"><input type=hidden id="'+treeWMS[i]+'###'+treeShortname[i]+'###querylayer" value=0><img name="query'+ i +'" id="query'+i+'" border=0 src="'+qimages[1]+'" alt="'+qimages_text[1]+'"></A>';
- }
- else
- {
- // Info nicht aktivierbar
- linkedName += ' <a href="#" onclick="changeinfo('+ i +')"><input type=hidden id="'+treeWMS[i]+'###'+treeShortname[i]+'###querylayer" value=0><img name="query'+ i +'" id="query'+i+'" border=0 src="'+qimages[3]+'" alt="'+qimages_text[3]+'"></A>';
- }
- }
- else
- {
- //Info nicht verfügbar verfügbar --> kein Image
- //linkedName += ' <input type=hidden id="'+treeWMS[i]+'###'+treeShortname[i]+'###querylayer" value=-1><img name="query'+ i +'" id="query'+i+'" border=0 src="<?php echo $no_info;?>" alt="keine Informationen verfügbar">';
- }
- }
- //linkedName += "<input id='"+treeWMS[i]+"###"+treeShortname[i]+"###querylayer' type='checkbox' ";
- //if(treeQuerylayer[i] == '1' && treeVisible[i] == 1){ linkedName += "checked ";}
- //if(treeQueryable[i] != '1' || treeVisible[i] != 1){ linkedName += "disabled ";}
- //linkedName += "onClick = 'if(this.checked){parent.handleSelectedLayer(\""+mod_treeGDE_map+"\",\""+treeWMS[i]+"\",\""+treeShortname[i]+"\",\"querylayer\",1);}";
- //linkedName += "else{parent.handleSelectedLayer(\""+mod_treeGDE_map+"\",\""+treeWMS[i]+"\",\""+treeShortname[i]+"\",\"querylayer\",0);}'";
- //linkedName += '>';
- }
-
-
- //no legendlink for the layername
- <?php
- if(isset($_REQUEST["nolink"])){
- $nolegendlink = $_REQUEST["nolink"];
- }
- else{
- $nolegendlink = false;
- }
- echo "var nolink = ".$nolegendlink.";";
- ?>
-
-
- //linkedName += '<A id="'+treeWMS[i]+'_'+treeShortname[i]+'" HREF="' + treeUrl[i] + '" TARGET="' + defaultTarget + '"><IMG SRC="../img/tree/1w.gif" BORDER="0" WIDTH="3">' + treeName[i] + '</A>';
-
- linkedName += '<A id="'+treeWMS[i]+'_'+treeShortname[i];
- if (nolink==0 || nolink==false){
- linkedName += '" HREF="' + treeUrl[i];
- }
- linkedName +='" TARGET="' + defaultTarget + '"><IMG SRC="../img/tree/1w.gif" BORDER="0" WIDTH="3">' + treeName[i] + '</A>';
-
-
- }
- else
- linkedName = '<IMG SRC="../img/tree/1w.gif" BORDER="0" WIDTH="3">' + treeName[i]
- // don't link folder icon if node has no sons
- if ( i == idx-1 || treeP_id[i+1] != treeId[i] ) {
- if ( treeDeep[ i ] == 0 )
- folderImg = '<IMG ALIGN="BOTTOM" SRC="../img/tree/file_empty.gif" BORDER="0" HEIGHT="16" WIDTH="1" HSPACE="0">'
- else
- folderImg = ''
- } else {
- folderImg = '<A HREF="javascript:sitemapClick(' + treeId[i] + ')"><IMG ALIGN="BOTTOM" SRC="<?php echo $img["folder_off"];?>" BORDER="0" NAME="folder' + treeId[i] + '" HEIGHT="16" WIDTH="30" HSPACE="0"></A>'
- }
- // which type of file icon should be displayed?
- if ( treeP_id[i] != 0 )
- {
- if ( lastEntryInFolder( treeId[i] ) )
- fileImg = '<IMG ALIGN="BOTTOM" SRC="../img/tree/file_last.gif" BORDER="0" NAME="file'
- + treeId[i] + '" HEIGHT="16" WIDTH="30" HSPACE="0">'
- else
- fileImg = '<IMG ALIGN="BOTTOM" SRC="../img/tree/file.gif" BORDER="0" NAME="file'
- + treeId[i] + '" HEIGHT="16" WIDTH="30" HSPACE="0">'
- }
- else
- fileImg = ''
- // traverse parents up to root and show vertical lines if parent
- // is not the last entry on this layer
- verticales = ''
- for( var act_id=treeId[i] ; treeDeep[ id2treeIndex[ act_id ] ] > 1; )
- {
- act_id = treeP_id[ id2treeIndex[ act_id ]]
- if ( lastEntryInFolder( act_id ) )
- {
- verticales = '<IMG ALIGN="BOTTOM" SRC="../img/tree/file_empty.gif" BORDER="0" HEIGHT="16" WIDTH="30" HSPACE="0">' + verticales
- }
- else
- {
- verticales = '<IMG ALIGN="BOTTOM" SRC="../img/tree/file_vert.gif" BORDER="0" HEIGHT="16" WIDTH="30" HSPACE="0">' + verticales
- }
- }
-
-
- document.writeln( divPrefix + treeId[i] + '"><NOBR> ' + verticales + fileImg + folderImg + linkedName + '</NOBR></DIV>'
- )
- }
- }
-
- var i = 1 ;
- images = new Array;
- qimages = new Array;
- images_text = new Array;
- qimages_text = new Array;
- images[1] = '<?php echo $eye_off;?>';
- images[2] = '<?php echo $eye_on;?>';
- qimages[1] = '<?php echo $info_off;?>';
- qimages[2] = '<?php echo $info_on;?>';
- qimages[3] = '<?php echo $no_info;?>';
- images_text[1] = 'klicken Sie hier um den Layer zu aktivieren';
- images_text[2] = 'klicken Sie hier um den Layer zu deaktivieren';
- qimages_text[1] = 'klicken Sie hier um die Informationen zu aktivieren';
- qimages_text[2] = 'klicken Sie hier um die Informationen zu deaktivieren';
- qimages_text[3] = 'Informationen momentan nicht verfügbar';
-
- function changevalue(id){
- var info = document.getElementById('query'+ id) ;
- var layer = document.getElementById('bild' + id) ;
- var wert = document.getElementById('treeWMS['+id+']');
- var query = document.getElementById(treeWMS[id]+'###'+treeShortname[id]+'###querylayer');
- //alert(wert.value);
- if(wert.value == 1){ //war sichtbar
- // Layer war sichtbar --> deaktivieren
- layer.src = images[1];
- layer.alt = images_text[1];
- //if(treeQuerylayer[id] == 1){
- //Infobutton aendern, wenn Info abfragbar
- if(treeQueryable[id] == '1')
- {
- info.src = qimages[3];
- info.alt = qimages_text[3];
- // Info deaktivieren
- query.value = 0 ; // Ausschalten der Abfrage wenn nicht sichtbar
- query.checked = false;
- query.disabled = true;
- parent.handleSelectedLayer(mod_treeGDE_map,treeWMS[id],treeShortname[id],'querylayer',0); // Info disabled
- }
- wert.value=0;
- //alert(wert.value);
- // Anzeige des Layers deaktivieren
- parent.handleSelectedLayer(mod_treeGDE_map,treeWMS[id],treeShortname[id],'visible',0);
- parent.setSingleMapRequest(mod_treeGDE_map,treeWMS[id]);
-
-
-
- }
- else
- {
- // Layer war nicht sichtbar --> aktivieren
- layer.src = images[2];
- layer.alt = images_text[2]
- wert.value=1;
- //alert(wert.value);
- // Anzeige des Layers aktivieren
- parent.handleSelectedLayer(mod_treeGDE_map,treeWMS[id],treeShortname[id],'visible',1);
- parent.setSingleMapRequest(mod_treeGDE_map,treeWMS[id]);
- // evtl. Info aktivieren und Button aendern
- if(treeQueryable[id] == '1')
- {
- if (treeQuerylayer[id] == 1)
- {
- //Info aktivieren
- info.src = qimages[2];
- info.alt = qimages_text[2];
- parent.handleSelectedLayer(mod_treeGDE_map,treeWMS[id],treeShortname[id],'querylayer',1);
- query.value = 1;
- query.disabled = false;
- }
- else
- {
- //Info aktivierbar
- info.src = qimages[1];
- info.alt = qimages_text[1];
- query.value = 0;
- query.disabled = false;
-
- }
- }
- }
-
- }
-
- function changeinfo(id)
- {
- var info = document.getElementById('query'+ id) ;
- var wert = document.getElementById('treeWMS['+id+']');
- var query = document.getElementById(treeWMS[id]+'###'+treeShortname[id]+'###querylayer');
- //"'+treeWMS[i]+'###'+treeShortname[i]+'###querylayer"
- // alert(query.value);
- //alert(layer.src == '../img/orangeball.gif');
- //alert(wert.value);
- if(query.value == 1)
- { //war sichtbar
- // Info war aktiviert --> deaktivieren
- info.src = qimages[1];
- info.alt = qimages_text[1];
- parent.handleSelectedLayer(mod_treeGDE_map,treeWMS[id],treeShortname[id],'querylayer',0);
-
- query.value = 0 ; // Ausschalten der Abfrage wenn nicht sichtbar
- //query.checked = false; //<--wozu?
- query.disabled = true;
- }
- else
- {
- // Info war deaktiviert --> aktivieren
- if(wert.value == 1)
- {
- info.src = qimages[2];
- info.alt = qimages_text[2];
- query.value=1;
-
- //alert(wert.value);
- parent.handleSelectedLayer(mod_treeGDE_map,treeWMS[id],treeShortname[id],'querylayer',1);
- //if(treeQuerylayer[id] == 1){
- //query.checked = false; //<--wozu?
- query.disabled = false;
- //}
- }
- }
-
- }
- function initStyles ( )
- {
- document.writeln( '<STYLE TYPE="text/css">' + "\n" + '<!--' )
- for ( var i=1,y=y0; i<idx; i++ )
- {
- document.writeln( '#sitemap' + treeId[i] + ' {POSITION: absolute; VISIBILITY: hidden;}' )
- if ( treeIsOn[ id2treeIndex[ treeP_id[i] ] ] )
- y += deltaY
- }
- document.writeln( '#sitemapinfo {POSITION: absolute; VISIBILITY: visible;}' )
- document.writeln( '//-->' + "\n" + '</STYLE>' )
- }
-
-
-
- function sitemapClick( id )
- {
- var i = id2treeIndex[ id ]
-
- if ( treeIsOn[ i ] )
- // close directory
- {
- // mark node as invisible
- treeIsOn[ i ]=false
- // mark all sons as invisible
- actDeep = treeDeep[ i ]
- for( var j=i+1; j<idx && treeDeep[j] > actDeep; j++ )
- {
- treeWasOn[ j ] = treeIsOn[ j ]
- treeIsOn[ j ]=false
- }
- gif_off( id )
- }
- else
- // open directory
- {
- treeIsOn[ i ]=true
- // remember and restore old status
- actDeep = treeDeep[ i ]
- for( var j=i+1; j<idx && treeDeep[j] > actDeep; j++ )
- {
- treeIsOn[ j ] = treeWasOn[ j ]
- }
- gif_on( id )
- }
- showTree()
- }
-
- function knotDeep( id )
- {
- var deep=0
- while ( true )
- if ( treeP_id[ id2treeIndex[id] ] == 0 )
- return deep
- else
- {
- ++deep
- id = treeP_id[ id2treeIndex[id] ]
- }
- return deep
- }
-
- function initTree( id )
- {
- treeIsOn[ id2treeIndex[id] ] = true
- if ( treeTyp[ id2treeIndex[id] ] != 'b' )
- gif_on( id )
- while ( treeP_id[ id2treeIndex[id] ] != 0 )
- {
- id = treeP_id[ id2treeIndex[id] ]
- treeIsOn[ id2treeIndex[id] ] = true
- if ( treeTyp[ id2treeIndex[id] ] != 'b' )
- gif_on( id )
- }
- }
-
- function lastEntryInFolder( id )
- {
- var i = id2treeIndex[id]
- if ( i == idx-1 )
- return true
- if ( treeTyp[i] == 'b' )
- {
- if ( treeP_id[i+1] != treeP_id[i] )
- return true
- else
- return false
- }
- else
- {
- var actDeep = treeDeep[i]
- for( var j=i+1; j<idx && treeDeep[j] > actDeep ; j++ )
- ;
- if ( j<idx && treeDeep[j] == actDeep )
- return false
- else
- return true
- }
- }
-
- function showTree()
- {
- for( var i=1, y=y0, x=x0; i<idx; i++ )
- {
- if ( treeIsOn[ id2treeIndex[ treeP_id[i] ] ] )
- {
- // show current node
- if ( !(y == treeLastY[i] && treeIsShown[i] ) )
- {
- showLayer( "sitemap"+ treeId[i] )
- setyLayer( "sitemap"+ treeId[i], y )
- treeIsShown[i] = true
- }
- treeLastY[i] = y
- y += deltaY
- }
- else
- {
- // hide current node and all sons
- if ( treeIsShown[ i ] )
- {
- hideLayer( "sitemap"+ treeId[i] )
- treeIsShown[i] = false
- }
- }
- }
- }
-
- function initIndex() {
- for( var i=0; i<idx; i++ )
- id2treeIndex[ treeId[i] ] = i
- }
-
- function gif_name (name, width, height) {
- this.on = new Image (width, height);
- this.on.src = '<?echo $img["folder_on"];?>';
- this.off = new Image (width, height);
- this.off.src = '<?echo $img["folder_off"]?>';
- }
-
- function load_gif (name, width, height) {
- gif_name [name] = new gif_name (name,width,height);
- }
-
- function load_all () {
- load_gif ('folder',30,16)
- file_last = new Image( 30,16 )
- file_last.src = "../img/tree/file_last.gif"
- file_middle = new Image( 30,16 )
- file_middle.src = "../img/tree/file.gif"
- file_vert = new Image( 30,16 )
- file_vert.src = "../img/tree/file_vert.gif"
- file_empty = new Image( 30,16 )
- file_empty = "../img/tree/file_empty.gif"
- }
-
- function gif_on ( id ) {
- eval("document['folder" + id + "'].src = gif_name['folder'].on.src")
- }
-
- function gif_off ( id ) {
- eval("document['folder" + id + "'].src = gif_name['folder'].off.src")
- }
-
- // global configuration
- var deltaX = 30
- var deltaY = 16
- var x0 = 5
- var y0 = 5
- var defaultTarget = 'examplemain'
-
- var browserName = navigator.appName;
- var browserVersion = parseInt(navigator.appVersion);
- var isIE = false;
- var isNN = false;
- var isDOM = false;
- var isDomIE = false;
- var isDomNN = false;
- var layerok = false;
-
- var isIE = browserName.indexOf("Microsoft Internet Explorer" )==-1?false:true;
- var isNN = browserName.indexOf("Netscape")==-1?false:true;
- var isOpera = browserName.indexOf("Opera")==-1?false:true;
- var isDOM = document.getElementById?true:false;
- var isDomNN = document.layers?true:false;
- var isDomIE = document.all?true:false;
-
- if ( isNN && browserVersion>=4 ) layerok=true;
- if ( isIE && browserVersion>=4 ) layerok=true;
- if ( isOpera && browserVersion>=5 ) layerok=true;
-
-
- function hideLayer(layerName) {
- if (isDOM)
- document.getElementById(layerName).style.visibility="hidden"
- else if (isDomIE)
- document.all[layerName].style.visibility="hidden";
- else if (isDomNN)
- document.layers[layerName].visibility="hidden";
- }
-
- function showLayer(layerName) {
- if (isDOM)
- document.getElementById(layerName).style.visibility="visible"
- else if (isDomIE)
- document.all[layerName].style.visibility="visible";
- else if (isDomNN)
- document.layers[layerName].visibility="visible";
- }
-
- function setyLayer(layerName, y) {
- if (isDOM)
- document.getElementById(layerName).style.top=y
- else if (isDomIE)
- document.all[layerName].style.top=y;
- else if (isDomNN)
- document.layers[layerName].top=y;
- }
-
- var id2treeIndex = new Array()
-
- // the structure is easy to understand with a simple example
- // p_id is the id of the parent
- // E0 ( id=0,p_id=-1 )
- // E11 ( id=1,p_id=0)
- // E111 ( id=2,p_id=1 )
- // E112 ( id=3,p_id=1 )
- // E12 ( id=4,p_id=0 )
- // E121 ( id=5,p_id=4 )
- // E13 ( id=6,p_id=0 )
- // E131 ( id=7,p_id=6 )
- // E1311 ( id=8,p_id=7 )
- // E132 ( id=9,p_id=6 )
- // this is a multinary tree structure which is easy to
- // populate with database data :)
-function initArray(){
- var parentObj = 0;
- if(parent.mb_mapObj.length == 0){ window.setTimeout("initArray()",100); }
- else if(parent.mb_mapObj.length > 0){
- Note(0,-1,'','');
- for(var i=0; i<parent.mb_mapObj.length; i++){
- if(parent.mb_mapObj[i].frameName == mod_treeGDE_map){
- for(var ii=0; ii<parent.mb_mapObj[i].wms.length; ii++){
- if(parent.mb_mapObj[i].wms[ii].gui_wms_visible == '1'){
- for(var iii=0; iii<parent.mb_mapObj[i].wms[ii].objLayer.length; iii++){
- var temp = parent.mb_mapObj[i].wms[ii].objLayer[iii];
- if(parent.mb_mapObj[i].wms[ii].objLayer[iii].layer_parent == ""){
- //alert((parseInt(temp.layer_id)+1) + " , " +0 + " , " +temp.layer_title + " , " +'');
- Note((parseInt(temp.layer_id)+1),0,temp.layer_title,'','','','','');
- parentObj = temp.layer_id+1;
- }
- if(parent.mb_mapObj[i].wms[ii].objLayer[iii].layer_parent == "0"){
-
- if(temp.gui_layer_selectable == '1' || temp.gui_layer_queryable == '1'){
-
- Note((parseInt(temp.layer_id)+1),parentObj,temp.layer_title,'../metadata/metadata.php?wms_id='+parseInt(parent.mb_mapObj[i].wms[ii].wms_id)+'&gui_layer_wms_id='+temp.gui_layer_wms_id+'&layer_name='+temp.layer_name,temp.gui_layer_selectable,temp.gui_layer_visible,temp.gui_layer_queryable,temp.gui_layer_querylayer,parent.mb_mapObj[i].wms[ii].wms_title,temp.layer_name);
- //Note((parseInt(temp.layer_id)+1),parentObj,temp.layer_title,'dasdf',temp.gui_layer_selectable,temp.gui_layer_visible,temp.gui_layer_queryable,temp.gui_layer_querylayer,parent.mb_mapObj[i].wms[ii].wms_title,temp.layer_name);
- }
- }
- }
- }
- }
- }
- }
- //Note(22,1,'willi','adfasd');
- treeTyp[0] = 'f'
- treeIsOn[0] = true
- treeWasOn[0] = true
- }
-}
- function initArray_()
- {
- Note(0,-1,'','')
- Note(1,0,'Tutorials','')
- Note(8,1,'HTML','')
- Note(10,8,'SelfHtml','http://www.teamone.de/selfaktuell/')
- Note(9,1,'willi','')
- Note(100,9,'SelfHtml','http://www.teamone.de/selfaktuell/')
- Note(3,1,'JavaScript','')
- Note(4,3, 'Netscape Guide 1.3','http://developer.netscape.com/docs/manuals/js/client/jsguide/index.htm')
- Note(7,3, 'Introduction to Javascript','http://rummelplatz.uni-mannheim.de/~skoch/js/script.htm')
- Note(12,1, 'Perl','')
- Note(14,12, 'Perl Tutorial','http://www.awu.id.ethz.ch/~didi/perl/perl_start.html')
- Note(13,1,'SQL','')
- Note(15,13, 'Introduction to SQL','http://w3.one.net/~jhoffman/sqltut.htm')
- Note(111,1, 'Introduction to SQL','http://w3.one.net/~jhoffman/sqltut.htm')
- Note(2,0, 'Reference Manuals','')
- Note(11,2, 'HTML Version 3.2 Referenz','http://www.cls-online.de/htmlref/index.htm')
- Note(6,2,'Netscape Reference 1.3','http://developer.netscape.com/docs/manuals/js/client/jsref/index.htm')
- Note(17,2,'PHP Manual','http://www.php.net/manual/html/')
- treeTyp[0] = 'f'
- treeIsOn[0] = true
- treeWasOn[0] = true
- }
-
- var idx=0
- initArray()
- initIndex()
- load_all()
- for( i=1; i<idx; i++ )
- {
- treeDeep[i] = knotDeep( treeId[i] )
- if ( treeDeep[i] == 0 )
- treeIsShown[i] = true
- }
- if ( isDomNN )
- initStyles();
- //-->
- </SCRIPT>
-</HEAD>
-<BODY VLINK="#000000" ALINK="#000000" LINK="#000000" BGCOLOR="#ffffff" TEXT="#000000"
- onLoad="if (layerok) showTree();mod_treeGDE();"
- MARGINHEIGHT="0" MARGINWIDTH="0" LEFTMARGIN="0" TOPMARGIN="0">
-<SCRIPT language="JavaScript1.2">
-<!--
- initDiv()
- //hideLayer("sitemapinfo")
-//-->
-</SCRIPT>
-</BODY>
-</HTML>
Modified: tags/2.4.4_su/http/javascripts/map.php
===================================================================
--- tags/2.4.4/http/javascripts/map.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/javascripts/map.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -41,8 +41,11 @@
$con = db_connect($DBSERVER,$OWNER,$PW);
db_select_db(DB,$con);
-$mb_sql = "SELECT DISTINCT e_js_file, e_id, e_src, e_target, e_pos FROM gui_element WHERE e_public = 1 AND fkey_gui_id = '".$_REQUEST["gui_id"]."' ORDER BY e_pos";
-$mb_res = db_query($mb_sql);
+$mb_sql = "SELECT DISTINCT e_js_file, e_id, e_src, e_target, e_pos ";
+$mb_sql .= "FROM gui_element WHERE e_public = 1 AND fkey_gui_id = $1 ORDER BY e_pos";
+$v = array($_REQUEST["gui_id"]);
+$t = array("s");
+$mb_res = db_prep_query($mb_sql, $v, $t);
//$mb_cnt = 0;
while($row_js = db_fetch_array($mb_res)){
if($row_js["e_js_file"] != ""){
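Review bot: Nothing in this hunk checks that the `gui_id` taken from `$_REQUEST` is a GUI the logged-in user may load; binding it as `$1` addresses injection only. login.php stores the permitted list in `$_SESSION["mb_user_guis"]`, so unless an earlier part of map.php already does this, a guard before the query would tie the request to the session: `if (!in_array($_REQUEST["gui_id"], $_SESSION["mb_user_guis"])) { die("gui_id not permitted"); }`. The `e_public = 1` filter limits which elements are returned, not who may ask for them. This presumes map.php is only served to logged-in sessions, which the hunk does not show.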
Modified: tags/2.4.4_su/http/javascripts/mod_addWMSfromList.php
===================================================================
--- tags/2.4.4/http/javascripts/mod_addWMSfromList.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/javascripts/mod_addWMSfromList.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -1,5 +1,5 @@
<?php
-# $Id: mod_addWMSfromList.php 76 2006-08-15 12:25:34Z heuser $
+# $Id$
# http://www.mapbender.org/index.php/mod_addWMSfromList.php
# Copyright (C) 2002 CCGIS
#
@@ -110,14 +110,18 @@
$arrayGuis=mb_getGUIs($logged_user_id);
$sql_gui = "SELECT * FROM gui WHERE gui_id IN (";
-
-for($i=0; $i<count($arrayGuis); $i++){
- if($i>0){ $sql_gui .= ",";}
- $sql_gui .= "'".$arrayGuis[$i]."'";
+$v = $arrayGuis;
+$t = array();
+for ($i = 1; $i <= count($arrayGuis); $i++){
+ if ($i > 1) {
+ $sql_gui .= ",";
+ }
+ $sql_gui .= "$" . $i;
+ array_push($t, "s");
}
$sql_gui.= ") ORDER BY gui_name";
-$res_gui = db_query($sql_gui);
+$res_gui = db_prep_query($sql_gui, $v, $t);
while($row = db_fetch_array($res_gui)){
$gui_id[$cnt_gui] = $row["gui_id"];
$gui_name[$cnt_gui] = $row["gui_name"];
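Review bot: When `mb_getGUIs($logged_user_id)` returns no entries, the loop adds no placeholder and the statement ends in `IN ()`, which is not valid SQL. The `-339` hunk in mod_addWMSfromfilteredList.php wraps its query in `if(count($group_gui_id)>0) {`; that guard is missing here, in the two following hunks of this file (`$sql_gui_wms`, `$sql_wms`) and in the first three IN-list hunks of mod_addWMSfromfilteredList.php. Wrapping the query and its fetch loop in `if (count($arrayGuis) > 0) {` … `}` avoids sending the broken statement. Passing `array_values($arrayGuis)` as `$v` would also keep the values aligned with `$1..$n` should the array ever not be 0-based, which cannot be confirmed from here.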
@@ -127,14 +131,18 @@
/*get allocated wms from allocated gui ********************************************************************************************/
$sql_gui_wms = "SELECT DISTINCT fkey_wms_id FROM gui_wms WHERE fkey_gui_id IN (";
-
-for($i=0; $i<count($arrayGuis); $i++){
- if($i>0){ $sql_gui_wms .= ",";}
- $sql_gui_wms .= "'".$arrayGuis[$i]."'";
+$v = $arrayGuis;
+$t = array();
+for ($i = 1; $i <= count($arrayGuis); $i++){
+ if ($i > 1) {
+ $sql_gui_wms .= ",";
+ }
+ $sql_gui_wms .= "$".$i;
+ array_push($t, "s");
}
$sql_gui_wms.= ") ORDER BY fkey_wms_id";
-$res_gui_wms = db_query($sql_gui_wms);
+$res_gui_wms = db_prep_query($sql_gui_wms, $v, $t);
while($row = db_fetch_array($res_gui_wms)){
$fkey_gui_id[$cnt_gui_wms] = $row["fkey_gui_id"];
$fkey_wms_id[$cnt_gui_wms] = $row["fkey_wms_id"];
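Review bot: The fetch loop reads `$row["fkey_gui_id"]`, but the statement selects only `fkey_wms_id`, so `$fkey_gui_id[$cnt_gui_wms]` never receives a real value. The same query in mod_addWMSfromfilteredList.php selects `fkey_wms_id, fkey_gui_id`. Either select the column here as well, `SELECT DISTINCT fkey_wms_id, fkey_gui_id FROM gui_wms WHERE fkey_gui_id IN (`, or drop the assignment if `$fkey_gui_id` is unused further down, which is not visible in this hunk. With both columns selected, DISTINCT yields one row per GUI/WMS pair, so `$fkey_wms_id` can then contain repeated ids.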
@@ -144,15 +152,19 @@
/*get allocated wms-Abstract and wms-Capabilities from allocated gui ********************************************************************************************/
$sql_wms = "SELECT DISTINCT wms_title, wms_abstract, wms_getcapabilities,wms_version FROM wms WHERE wms_id IN (";
-
-for($i=0; $i<count($fkey_wms_id); $i++){
- if($i>0){ $sql_wms .= ",";}
- $sql_wms .= "'".$fkey_wms_id[$i]."'";
+$v = $fkey_wms_id;
+$t = array();
+for ($i = 1; $i <= count($fkey_wms_id); $i++){
+ if ($i > 1) {
+ $sql_wms .= ",";
+ }
+ $sql_wms .= "$" . $i;
+ array_push($t, "s");
}
#$sql_wms.= ") ORDER BY wms_id";
$sql_wms.= ") ORDER BY wms_title";
-$res_wms = db_query($sql_wms);
+$res_wms = db_prep_query($sql_wms, $v, $t);
while($row = db_fetch_array($res_wms)){
$wms_title[$cnt_wms] = $row["wms_title"];
$wms_abstract[$cnt_wms] = $row["wms_abstract"];
Modified: tags/2.4.4_su/http/javascripts/mod_addWMSfromfilteredList.php
===================================================================
--- tags/2.4.4/http/javascripts/mod_addWMSfromfilteredList.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/javascripts/mod_addWMSfromfilteredList.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -247,14 +247,20 @@
$arrayGuis=mb_getGUIs($logged_user_id);
$sql_gui = "SELECT * FROM gui WHERE gui_id IN (";
+$v = $arrayGuis;
+$t = array();
-for($i=0; $i<count($arrayGuis); $i++){
- if($i>0){ $sql_gui .= ",";}
- $sql_gui .= "'".$arrayGuis[$i]."'";
+for ($i = 1; $i <= count($arrayGuis); $i++){
+ if ($i > 1) {
+ $sql_gui .= ",";
+ }
+ $sql_gui .= "$" . $i;
+ array_push($t, "s");
}
$sql_gui.= ") ORDER BY gui_name";
-$res_gui = db_query($sql_gui);
+
+$res_gui = db_prep_query($sql_gui, $v, $t);
while($row = db_fetch_array($res_gui)){
$gui_id[$cnt_gui] = $row["gui_id"];
$gui_name[$cnt_gui] = $row["gui_name"];
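Review bot: The placeholder loop added here is repeated verbatim for every IN query in this file and in mod_addWMSfromList.php, each time with `$v` and `$t` kept in step with the SQL text by hand. A small helper that returns the `$1,$2,…` list would leave one place to get the numbering and the type array right, and one place to handle an empty list. The helper name below is only a suggestion.

```php
// suggested helper; the name is a placeholder
function mb_placeholder_list($count) {
	$marks = array();
	for ($i = 1; $i <= $count; $i++) {
		$marks[] = "$" . $i;
	}
	return implode(",", $marks);
}

// … unchanged: $arrayGuis = mb_getGUIs(...) and the "SELECT * FROM gui WHERE gui_id IN (" prefix …
$v = array_values($arrayGuis);
$t = array_pad(array(), count($v), "s");
$sql_gui .= mb_placeholder_list(count($v)) . ") ORDER BY gui_name";
$res_gui = db_prep_query($sql_gui, $v, $t);
```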
@@ -266,14 +272,18 @@
/*get allocated wms from allocated gui ********************************************************************************************/
$sql_gui_wms = "SELECT DISTINCT fkey_wms_id, fkey_gui_id FROM gui_wms WHERE fkey_gui_id IN (";
-
-for($i=0; $i<count($arrayGuis); $i++){
- if($i>0){ $sql_gui_wms .= ",";}
- $sql_gui_wms .= "'".$arrayGuis[$i]."'";
+$v = $arrayGuis;
+$t = array();
+for ($i = 1; $i <= count($arrayGuis); $i++){
+ if ($i > 1) {
+ $sql_gui_wms .= ",";
+ }
+ $sql_gui_wms .= "$".$i;
+ array_push($t, "s");
}
$sql_gui_wms.= ") ORDER BY fkey_wms_id";
-$res_gui_wms = db_query($sql_gui_wms);
+$res_gui_wms = db_prep_query($sql_gui_wms, $v, $t);
while($row = db_fetch_array($res_gui_wms)){
$fkey_gui_id[$cnt_gui_wms] = $row["fkey_gui_id"];
$fkey_wms_id[$cnt_gui_wms] = $row["fkey_wms_id"];
@@ -283,14 +293,18 @@
/*get allocated wms-Abstract and wms-Capabilities from allocated gui ********************************************************************************************/
$sql_wms = "SELECT DISTINCT wms_title, wms_abstract, wms_getcapabilities, wms_version FROM wms WHERE wms_id IN (";
-
-for($i=0; $i<count($fkey_wms_id); $i++){
- if($i>0){ $sql_wms .= ",";}
- $sql_wms .= "'".$fkey_wms_id[$i]."'";
+$v = $fkey_wms_id;
+$t = array();
+for ($i = 1; $i <= count($fkey_wms_id); $i++){
+ if ($i > 1) {
+ $sql_wms .= ",";
+ }
+ $sql_wms .= "$".$i;
+ array_push($t, "s");
}
$sql_wms.= ") ORDER BY wms_title";
-$res_wms = db_query($sql_wms);
+$res_wms = db_prep_query($sql_wms, $v, $t);
while($row = db_fetch_array($res_wms)){
$wms_title[$cnt_wms] = $row["wms_title"];
$wms_abstract[$cnt_wms] = $row["wms_abstract"];
@@ -324,8 +338,10 @@
#if (isset($show_group_wms))
if (!empty($show_group_wms)){
/*get gui goup ********************************************************************************************/
- $sql_gui_mb_group = "SELECT fkey_gui_id, fkey_mb_group_id FROM gui_mb_group WHERE fkey_mb_group_id='".$show_group_wms."'";
- $res_gui_mb_group = db_query($sql_gui_mb_group);
+ $sql_gui_mb_group = "SELECT fkey_gui_id, fkey_mb_group_id FROM gui_mb_group WHERE fkey_mb_group_id=$1";
+ $v = array($show_group_wms);
+ $t = array("s");
+ $res_gui_mb_group = db_prep_query($sql_gui_mb_group, $v, $t);
while($row = db_fetch_array($res_gui_mb_group)){
$group_gui_id[$cnt_gui_mb_group] = $row["fkey_gui_id"];
@@ -339,13 +355,18 @@
/*get group gui WMS ********************************************************************************************/
if(count($group_gui_id)>0) {
$sql_fkey_group_gui_wms = "SELECT DISTINCT fkey_wms_id, fkey_gui_id FROM gui_wms WHERE fkey_gui_id IN (";
- for($i=0; $i<count($group_gui_id); $i++){
- if($i>0){ $sql_fkey_group_gui_wms .= ",";}
- $sql_fkey_group_gui_wms .= "'".$group_gui_id[$i]."'";
+ $v = $group_gui_id;
+ $t = array();
+ for ($i = 1; $i <= count($group_gui_id); $i++){
+ if ($i > 1) {
+ $sql_fkey_group_gui_wms .= ",";
+ }
+ $sql_fkey_group_gui_wms .= "$".$i;
+ array_push($t, "s");
}
$sql_fkey_group_gui_wms.= ") ORDER BY fkey_wms_id";
- $res_fkey_group_gui_wms = db_query($sql_fkey_group_gui_wms);
+ $res_fkey_group_gui_wms = db_prep_query($sql_fkey_group_gui_wms, $v, $t);
while($row = db_fetch_array($res_fkey_group_gui_wms)){
$fkey_group_gui_gui_id[$cnt_fkey_group_gui_wms] = $row["fkey_gui_id"];
$fkey_group_gui_wms_id[$cnt_fkey_group_gui_wms] = $row["fkey_wms_id"];
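Review bot: The placeholder loop added here repeats the same lines as every other IN-list hunk in this commit, and each copy has to keep `$v`, `$t` and the `$1…$n` numbering in step by hand. One shared helper that returns the placeholder string together with the value and type arrays would remove the duplication. Passing the values through `array_values()` would also stop the code depending on `$group_gui_id` having gap-free keys, whatever way `db_prep_query` walks `$v`. The helper name below is only a suggestion, and the `if(count($group_gui_id)>0)` block continues outside the hunk.

```php
// proposed helper (name is a suggestion), defined once and shared by the IN-list queries
function mb_buildInList($values, $type = "s") {
	$n = count($values);
	$placeholders = array();
	for ($i = 1; $i <= $n; $i++) {
		$placeholders[] = "$" . $i;
	}
	return array(
		"sql" => implode(",", $placeholders),
		"v" => array_values($values),
		"t" => $n > 0 ? array_fill(0, $n, $type) : array()
	);
}

// … unchanged: $sql_fkey_group_gui_wms = "SELECT DISTINCT … WHERE fkey_gui_id IN (" …
$in = mb_buildInList($group_gui_id);
$sql_fkey_group_gui_wms .= $in["sql"] . ") ORDER BY fkey_wms_id";
$res_fkey_group_gui_wms = db_prep_query($sql_fkey_group_gui_wms, $in["v"], $in["t"]);
// … unchanged: while($row = db_fetch_array(…)) loop …
```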
@@ -358,14 +379,18 @@
/*group: get allocated wms-Abstract and wms-Capabilities from allocated gui ********************************************************************************************/
if(count($fkey_group_gui_wms_id)>0){
$sql_group_gui_wms = "SELECT DISTINCT wms_title, wms_abstract, wms_getcapabilities, wms_version FROM wms WHERE wms_id IN (";
-
- for($i=0; $i<count($fkey_group_gui_wms_id); $i++){
- if($i>0){ $sql_group_gui_wms .= ",";}
- $sql_group_gui_wms .= "'".$fkey_group_gui_wms_id[$i]."'";
+ $v = $fkey_group_gui_wms_id;
+ $t = array();
+ for ($i = 1; $i <= count($fkey_group_gui_wms_id); $i++){
+ if ($i > 1) {
+ $sql_group_gui_wms .= ",";
+ }
+ $sql_group_gui_wms .= "$".$i;
+ array_push($t, "s");
}
$sql_group_gui_wms.= ") ORDER BY wms_title";
- $res_group_gui_wms = db_query($sql_group_gui_wms);
+ $res_group_gui_wms = db_prep_query($sql_group_gui_wms, $v, $t);
while($row = db_fetch_array($res_group_gui_wms)){
$group_wms_title[$cnt_group_gui_wms] = $row["wms_title"];
$group_wms_abstract[$cnt_group_gui_wms] = $row["wms_abstract"];
@@ -383,8 +408,10 @@
#if ($show_group_wms > 0)
if ($cnt_group_gui_wms > 0){
/*get goup name for showing in the table ********************************************************************************************/
- $sql_group_name = "SELECT mb_group_id, mb_group_name FROM mb_group WHERE mb_group_id ='".$show_group_wms."'";
- $res_group_name = db_query($sql_group_name);
+ $sql_group_name = "SELECT mb_group_id, mb_group_name FROM mb_group WHERE mb_group_id = $1";
+ $v = array($show_group_wms);
+ $t = array("s");
+ $res_group_name = db_prep_query($sql_group_name, $v, $t);
while($row = db_fetch_array($res_group_name)){
$group_name_table[$cnt_group_name] = $row["mb_group_name"];
$my_group_id_table[$cnt_group_name] = $row["mb_group_id"];
@@ -426,10 +453,12 @@
/*show gui wms ********************************************************************************************/
if (!empty($show_gui_wms)){
/*get group gui WMS ********************************************************************************************/
- $sql_fkey_show_gui_wms = "SELECT DISTINCT fkey_wms_id, fkey_gui_id FROM gui_wms WHERE fkey_gui_id ='".$show_gui_wms."'";
+ $sql_fkey_show_gui_wms = "SELECT DISTINCT fkey_wms_id, fkey_gui_id FROM gui_wms WHERE fkey_gui_id = $1";
+ $v = array($show_gui_wms);
+ $t = array("s");
#$sql_fkey_show_gui_wms.= ") ORDER BY fkey_wms_id";
- $res_fkey_show_gui_wms = db_query($sql_fkey_show_gui_wms);
+ $res_fkey_show_gui_wms = db_prep_query($sql_fkey_show_gui_wms, $v, $t);
while($row = db_fetch_array($res_fkey_show_gui_wms)){
$fkey_show_gui_gui_id[$cnt_fkey_show_gui_wms] = $row["fkey_gui_id"];
$fkey_show_gui_wms_id[$cnt_fkey_show_gui_wms] = $row["fkey_wms_id"];
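Review bot: The bound value `$show_gui_wms` selects a GUI by id, but nothing in the hunk checks that this id is one of the GUIs in `$arrayGuis` that the earlier queries are restricted to. Where `$show_gui_wms` is assigned lies outside the hunk; if it comes from the request, parameter binding stops SQL injection but a user could still list the WMS of a GUI that is not allocated to them. A membership test on the existing condition, `if (!empty($show_gui_wms) && in_array($show_gui_wms, $arrayGuis)) {`, would close that gap. The same question applies to `$show_gui_configured_wms` (`@@ -513`), to `$wms_show` in mod_addWMSfromfilteredListDB.php (`@@ -181`) and, for group membership rather than GUI allocation, to `$show_group_wms` (`@@ -324`).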
@@ -441,14 +470,18 @@
/*gui: get allocated wms-Abstract and wms-Capabilities from allocated gui ********************************************************************************************/
if(count($fkey_show_gui_wms_id)>0){
$sql_show_gui_wms = "SELECT DISTINCT wms_title, wms_abstract, wms_getcapabilities, wms_id, wms_version FROM wms WHERE wms_id IN (";
-
- for($i=0; $i<count($fkey_show_gui_wms_id); $i++){
- if($i>0){ $sql_show_gui_wms .= ",";}
- $sql_show_gui_wms .= "'".$fkey_show_gui_wms_id[$i]."'";
+ $v = $fkey_show_gui_wms_id;
+ $t = array();
+ for ($i = 1; $i <= count($fkey_show_gui_wms_id); $i++){
+ if ($i > 1) {
+ $sql_show_gui_wms .= ",";
+ }
+ $sql_show_gui_wms .= "$".$i;
+ array_push($t, "s");
}
$sql_show_gui_wms.= ") ORDER BY wms_title";
- $res_show_gui_wms = db_query($sql_show_gui_wms);
+ $res_show_gui_wms = db_prep_query($sql_show_gui_wms, $v, $t);
while($row = db_fetch_array($res_show_gui_wms)){
$gui_wms_id[$cnt_show_gui_wms] = $row["wms_id"];
$gui_wms_title[$cnt_show_gui_wms] = $row["wms_title"];
@@ -466,8 +499,10 @@
if ($cnt_show_gui_wms > 0){
/*get selected gui name for table caption ********************************************************************************************/
- $sql_gui_table = "SELECT * FROM gui WHERE gui_id ='".$show_gui_wms."'";
- $res_gui_table = db_query($sql_gui_table);
+ $sql_gui_table = "SELECT * FROM gui WHERE gui_id = $1";
+ $v = array($show_gui_wms);
+ $t = array("s");
+ $res_gui_table = db_prep_query($sql_gui_table, $v, $t);
while($row = db_fetch_array($res_gui_table)){
$gui_id_table[$cnt_gui_table] = $row["gui_id"];
$gui_name_table[$cnt_gui_table] = $row["gui_name"];
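Review bot: The rewritten statement keeps `SELECT * FROM gui`, although the visible part of the loop reads only `gui_id` and `gui_name`. Naming the columns, `$sql_gui_table = "SELECT gui_id, gui_name FROM gui WHERE gui_id = $1";`, documents what the page depends on and avoids fetching columns that are never shown. The loop body continues outside the hunk, so check for further `$row[...]` reads before narrowing the list. The same applies to the `SELECT * FROM gui` statements at `@@ -553` and at `@@ -221` in mod_addWMSfromfilteredListDB.php.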
@@ -513,10 +548,11 @@
/*show gui wms ********************************************************************************************/
if (!empty($show_gui_configured_wms)){
/*get group gui WMS ********************************************************************************************/
- $sql_fkey_show_gui_wms = "SELECT DISTINCT fkey_wms_id, fkey_gui_id FROM gui_wms WHERE fkey_gui_id ='".$show_gui_configured_wms."'";
+ $sql_fkey_show_gui_wms = "SELECT DISTINCT fkey_wms_id, fkey_gui_id FROM gui_wms WHERE fkey_gui_id = $1";
#$sql_fkey_show_gui_wms.= ") ORDER BY fkey_wms_id";
-
- $res_fkey_show_gui_wms = db_query($sql_fkey_show_gui_wms);
+ $v = array($show_gui_configured_wms);
+ $t = array("s");
+ $res_fkey_show_gui_wms = db_prep_query($sql_fkey_show_gui_wms, $v, $t);
while($row = db_fetch_array($res_fkey_show_gui_wms)){
$fkey_show_gui_gui_id[$cnt_fkey_show_gui_wms] = $row["fkey_gui_id"];
$fkey_show_gui_wms_id[$cnt_fkey_show_gui_wms] = $row["fkey_wms_id"];
@@ -528,14 +564,18 @@
/*gui: get allocated wms-Abstract and wms-Capabilities from allocated gui ********************************************************************************************/
if(count($fkey_show_gui_wms_id)>0){
$sql_show_gui_wms = "SELECT DISTINCT wms_title, wms_abstract, wms_getcapabilities, wms_id, wms_version FROM wms WHERE wms_id IN (";
-
- for($i=0; $i<count($fkey_show_gui_wms_id); $i++){
- if($i>0){ $sql_show_gui_wms .= ",";}
- $sql_show_gui_wms .= "'".$fkey_show_gui_wms_id[$i]."'";
+ $v = $fkey_show_gui_wms_id;
+ $t = array();
+ for ($i = 1; $i <= count($fkey_show_gui_wms_id); $i++){
+ if ($i > 1) {
+ $sql_show_gui_wms .= ",";
+ }
+ $sql_show_gui_wms .= "$".$i;
+ array_push($t, "s");
}
$sql_show_gui_wms.= ") ORDER BY wms_title";
- $res_show_gui_wms = db_query($sql_show_gui_wms);
+ $res_show_gui_wms = db_prep_query($sql_show_gui_wms, $v, $t);
while($row = db_fetch_array($res_show_gui_wms)){
$gui_wms_id[$cnt_show_gui_wms] = $row["wms_id"];
$gui_wms_title[$cnt_show_gui_wms] = $row["wms_title"];
@@ -553,8 +593,10 @@
if ($cnt_show_gui_wms > 0){
/*get selected gui name for table caption ********************************************************************************************/
- $sql_gui_table = "SELECT * FROM gui WHERE gui_id ='".$show_gui_configured_wms."'";
- $res_gui_table = db_query($sql_gui_table);
+ $sql_gui_table = "SELECT * FROM gui WHERE gui_id = $1";
+ $v = array($show_gui_configured_wms);
+ $t = array("s");
+ $res_gui_table = db_prep_query($sql_gui_table, $v, $t);
while($row = db_fetch_array($res_gui_table)){
$gui_id_table[$cnt_gui_table] = $row["gui_id"];
$gui_name_table[$cnt_gui_table] = $row["gui_name"];
Modified: tags/2.4.4_su/http/javascripts/mod_addWMSfromfilteredListDB.php
===================================================================
--- tags/2.4.4/http/javascripts/mod_addWMSfromfilteredListDB.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/javascripts/mod_addWMSfromfilteredListDB.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -1,5 +1,5 @@
<?php
-# $Id: mod_addWMSfromfilteredList.php 1274 2007-04-25 07:01:08Z christoph $
+# $Id$
# http://www.mapbender.org/index.php/mod_addWMSfromfilteredList.php
# Copyright (C) 2002 CCGIS
#
@@ -101,14 +101,18 @@
$arrayGuis=mb_getGUIs($logged_user_id);
$sql_gui = "SELECT * FROM gui WHERE gui_id IN (";
-
-for($i=0; $i<count($arrayGuis); $i++){
- if($i>0){ $sql_gui .= ",";}
- $sql_gui .= "'".$arrayGuis[$i]."'";
+$v = $arrayGuis;
+$t = array();
+for ($i = 1; $i <= count($arrayGuis); $i++){
+ if ($i > 1) {
+ $sql_gui .= ",";
+ }
+ $sql_gui .= "$" . $i;
+ array_push($t, "s");
}
$sql_gui.= ") ORDER BY gui_name";
-$res_gui = db_query($sql_gui);
+$res_gui = db_prep_query($sql_gui, $v, $t);
while($row = db_fetch_array($res_gui)){
$gui_id[$cnt_gui] = $row["gui_id"];
$gui_name[$cnt_gui] = $row["gui_name"];
@@ -120,14 +124,18 @@
/*get allocated wms from allocated gui ********************************************************************************************/
$sql_gui_wms = "SELECT DISTINCT fkey_wms_id, fkey_gui_id FROM gui_wms WHERE fkey_gui_id IN (";
-
-for($i=0; $i<count($arrayGuis); $i++){
- if($i>0){ $sql_gui_wms .= ",";}
- $sql_gui_wms .= "'".$arrayGuis[$i]."'";
+$v = $arrayGuis;
+$t = array();
+for ($i = 1; $i <= count($arrayGuis); $i++) {
+ if ($i > 1) {
+ $sql_gui_wms .= ",";
+ }
+ $sql_gui_wms .= "$".$i;
+ array_push($t, "s");
}
$sql_gui_wms.= ") ORDER BY fkey_wms_id";
-$res_gui_wms = db_query($sql_gui_wms);
+$res_gui_wms = db_prep_query($sql_gui_wms, $v, $t);
while($row = db_fetch_array($res_gui_wms)){
$fkey_gui_id[$cnt_gui_wms] = $row["fkey_gui_id"];
$fkey_wms_id[$cnt_gui_wms] = $row["fkey_wms_id"];
@@ -137,14 +145,18 @@
/*get allocated wms-Abstract and wms-Capabilities from allocated gui ********************************************************************************************/
$sql_wms = "SELECT DISTINCT wms_title, wms_abstract, wms_getcapabilities, wms_version FROM wms WHERE wms_id IN (";
-
-for($i=0; $i<count($fkey_wms_id); $i++){
- if($i>0){ $sql_wms .= ",";}
- $sql_wms .= "'".$fkey_wms_id[$i]."'";
+$v = $fkey_wms_id;
+$t = array();
+for ($i = 1; $i <= count($fkey_wms_id); $i++){
+ if ($i > 1) {
+ $sql_wms .= ",";
+ }
+ $sql_wms .= "$" . $i;
+ array_push($t, "s");
}
$sql_wms.= ") ORDER BY wms_title";
-$res_wms = db_query($sql_wms);
+$res_wms = db_prep_query($sql_wms, $v, $t);
while($row = db_fetch_array($res_wms)){
$wms_title[$cnt_wms] = $row["wms_title"];
$wms_abstract[$cnt_wms] = $row["wms_abstract"];
@@ -181,10 +193,12 @@
echo "<input type='button' class='wms_button' name='wms2' value='" . $selectOtherGuiText . "' onclick = 'mod_show_gui()'></td>";
/*get group gui WMS ********************************************************************************************/
- $sql_fkey_show_gui_wms = "SELECT DISTINCT fkey_wms_id, fkey_gui_id FROM gui_wms WHERE fkey_gui_id ='".$wms_show."'";
+ $sql_fkey_show_gui_wms = "SELECT DISTINCT fkey_wms_id, fkey_gui_id FROM gui_wms WHERE fkey_gui_id = $1";
#$sql_fkey_show_gui_wms.= ") ORDER BY fkey_wms_id";
- $res_fkey_show_gui_wms = db_query($sql_fkey_show_gui_wms);
+ $v = array($wms_show);
+ $t = array("s");
+ $res_fkey_show_gui_wms = db_prep_query($sql_fkey_show_gui_wms, $v, $t);
while($row = db_fetch_array($res_fkey_show_gui_wms)){
$fkey_show_gui_gui_id[$cnt_fkey_show_gui_wms] = $row["fkey_gui_id"];
$fkey_show_gui_wms_id[$cnt_fkey_show_gui_wms] = $row["fkey_wms_id"];
@@ -196,14 +210,18 @@
/*gui: get allocated wms-Abstract and wms-Capabilities from allocated gui ********************************************************************************************/
if(count($fkey_show_gui_wms_id)>0){
$sql_show_gui_wms = "SELECT DISTINCT wms_title, wms_abstract, wms_getcapabilities, wms_id, wms_version FROM wms WHERE wms_id IN (";
-
- for($i=0; $i<count($fkey_show_gui_wms_id); $i++){
- if($i>0){ $sql_show_gui_wms .= ",";}
- $sql_show_gui_wms .= "'".$fkey_show_gui_wms_id[$i]."'";
+ $v = $fkey_show_gui_wms_id;
+ $t = array();
+ for ($i = 1; $i <= count($fkey_show_gui_wms_id); $i++){
+ if ($i > 1) {
+ $sql_show_gui_wms .= ",";
+ }
+ $sql_show_gui_wms .= "$".$i;
+ array_push($t, "s");
}
$sql_show_gui_wms.= ") ORDER BY wms_title";
- $res_show_gui_wms = db_query($sql_show_gui_wms);
+ $res_show_gui_wms = db_prep_query($sql_show_gui_wms, $v, $t);
while($row = db_fetch_array($res_show_gui_wms)){
$gui_wms_id[$cnt_show_gui_wms] = $row["wms_id"];
$gui_wms_title[$cnt_show_gui_wms] = $row["wms_title"];
@@ -221,8 +239,10 @@
if ($cnt_show_gui_wms > 0){
/*get selected gui name for table caption ********************************************************************************************/
- $sql_gui_table = "SELECT * FROM gui WHERE gui_id ='".$wms_show."'";
- $res_gui_table = db_query($sql_gui_table);
+ $sql_gui_table = "SELECT * FROM gui WHERE gui_id = $1";
+ $v = array($wms_show);
+ $t = array("s");
+ $res_gui_table = db_prep_query($sql_gui_table, $v, $t);
while($row = db_fetch_array($res_gui_table)){
$gui_id_table[$cnt_gui_table] = $row["gui_id"];
$gui_name_table[$cnt_gui_table] = $row["gui_name"];
Deleted: tags/2.4.4_su/http/javascripts/mod_measure4326.php
===================================================================
--- tags/2.4.4/http/javascripts/mod_measure4326.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/javascripts/mod_measure4326.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -1,251 +0,0 @@
-<?php
-# $Id: mod_measure.php 267 2006-05-12 12:16:01Z vera_schulze $
-# http://www.mapbender.org/index.php/mod_measure.php
-# Copyright (C) 2002 CCGIS
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-require_once("../../conf/mapbender.conf");
-
-$gui_id = $_REQUEST["gui_id"];
-$con = db_connect($DBSERVER,$OWNER,$PW);
-db_select_db(DB,$con);
-$sql = "SELECT e_src, e_target FROM gui_element WHERE e_id = 'measure' AND fkey_gui_id = $1";
-$v = array($gui_id);
-$t = array('s');
-$res = db_prep_query($sql, $v, $t);
-$cnt = 0;
-while($row = db_fetch_array($res)){
- $e_src = $row["e_src"];
- $e_target = $row["e_target"];
- $cnt++;
-}
-if($cnt > 1){
- echo "alert('measure: ID not unique!');";
-}
-echo "var mod_measure_target = '".$e_target."';";
-
-require_once("ajax_jquery.js");
-$e_id_css = "measure";
-include '../include/dyn_js.php';
-?>
-
-var mod_measure_color1 = "white";
-var mod_measure_color2 = "black";
-var mod_measure_font = "Arial, Helvetica, sans-serif";
-var mod_measure_fontsize = "9px";
-var mod_measure_basepoint = "#8a2be2";
-var mod_measure_linepoint = "#ff00ff";
-var mod_measure_bg = "";
-var mod_measure_pgsql = true;
-
-var mod_measure_win = null;
-
-var mod_measure_elName = "measure";
-var mod_measure_frameName = "";
-var mod_measure_epsg;
-var mod_measure_width;
-var mod_measure_height;
-var dist = false;
-var mod_measure_RX = new Array();
-var mod_measure_RY = new Array();
-var mod_measure_Dist = new Array();
-var mod_measure_TotalDist = new Array();
-var mod_measureSubFunctions = new Array();
-
-var mod_measure_img_on = new Image(); mod_measure_img_on.src = "<?php echo preg_replace("/_off/","_on",$e_src); ?>";
-var mod_measure_img_off = new Image(); mod_measure_img_off.src = "<?php echo $e_src; ?>";
-var mod_measure_img_over = new Image(); mod_measure_img_over.src = "<?php echo preg_replace("/_off/","_over",$e_src); ?>";
-
-function init_mod_measure(ind){
- mb_button[ind] = document.getElementById(mod_measure_elName);
- mb_button[ind].img_over = mod_measure_img_over.src;
- mb_button[ind].img_on = mod_measure_img_on.src;
- mb_button[ind].img_off = mod_measure_img_off.src;
- mb_button[ind].status = 0;
- mb_button[ind].elName = mod_measure_elName;
- mb_button[ind].fName = mod_measure_frameName;
- mb_button[ind].go = new Function ("mod_measure_go()");
- mb_button[ind].stop = new Function ("mod_measure_disable()");
- var ind = getMapObjIndexByName(mod_measure_target);
- mod_measure_width = mb_mapObj[ind].width;
- mod_measure_height = mb_mapObj[ind].height;
- mod_measure_epsg = mb_mapObj[ind].epsg;
- mb_registerSubFunctions("drawDashedLine()");
- mb_registerPanSubElement("measuring");
-}
-function register_measureSubFunctions(stringFunction){
- mod_measureSubFunctions[mod_measureSubFunctions.length] = stringFunction;
-}
-function mod_measure_go(){
- var el = window.frames[mod_measure_target].document;
- el.onmousedown = mod_measure_start;
- //el.onmousemove = mod_measure_run;
- var measureSub = "";
- for(var i=0; i<mod_measureSubFunctions.length; i++){
- measureSub += eval(mod_measureSubFunctions[i]);
- }
- writeTag(mod_measure_target,"measure_sub",measureSub);
-}
-function mod_measure_disable(){
- var el = window.frames[mod_measure_target].document;
- el.onmousedown = null;
- el.onmousemove = null;
- writeTag(mod_measure_target,"measure_display","");
- writeTag(mod_measure_target,"measure_sub","");
-}
-function mod_measure_timeout(){
- var el = window.frames[mod_measure_target].document;
- el.onmousedown = null;
- el.ondblclick = null;
- el.onmousemove = null;
-}
-function mod_measure_disableTimeout(){
- var el = window.frames[mod_measure_target].document;
- el.onmousedown = mod_measure_start;
- //el.onmousemove = mod_measure_run;
-}
-function use_dist() {
- if(dist != false){
- mod_measure_Dist[mod_measure_Dist.length] = dist;
- var totalDist = mod_measure_TotalDist[mod_measure_TotalDist.length-1] + dist;
- mod_measure_TotalDist[mod_measure_TotalDist.length] = Math.round(totalDist * 100)/100;
-
- }
- drawDashedLine();
- dist = false;
-}
-function mod_measure_start(e){
- mb_getMousePos(e,mod_measure_target);
- var realWorldPos = my_makeClickPos2RealWorldPos(mod_measure_target,clickX,clickY);
-
- mod_measure_RX[mod_measure_RX.length] = realWorldPos[0];
- mod_measure_RY[mod_measure_RY.length] = realWorldPos[1];
-
- if(mod_measure_RX.length > 1){
-
- convert_coords(mod_measure_RX[mod_measure_RX.length-2],mod_measure_RY[mod_measure_RY.length-2],mod_measure_RX[mod_measure_RX.length-1],mod_measure_RY[mod_measure_RY.length-1],inputEPSG);
- }
- else{
- mod_measure_Dist[mod_measure_Dist.length] = 0;
- mod_measure_TotalDist[mod_measure_TotalDist.length] = 0;
- drawDashedLine();
- }
-}
-function drawDashedLine(){
- var str_mPoints = "<div style='position:absolute;left:0px;top:0px' ><img src='"+mb_trans.src+"' width='"+mod_measure_width+"' height='0'></div>";
- str_mPoints += "<div style='position:absolute;left:0px;top:0px' ><img src='"+mb_trans.src+"' width='0' height='"+mod_measure_height+"'></div>";
- for(var i=0; i<mod_measure_RX.length; i++){
- var pos = makeRealWorld2mapPos(mod_measure_target,mod_measure_RX[i],mod_measure_RY[i]);
- str_mPoints += "<div style='font-size:1px;position:absolute;top:"+(pos[1]-2)+"px;left:"+(pos[0]-2)+"px;width:4px;height:4px;background-color:"+mod_measure_basepoint+"'></div>";
- if(i>0){
- str_mPoints += "<div style='font-family:"+mod_measure_font+";font-size:"+mod_measure_fontsize+";color:"+mod_measure_color1+";";
- if(mod_measure_bg != ""){
- str_mPoints += "background-color:"+mod_measure_bg+";";
- }
- str_mPoints += "position:absolute;top:"+(pos[1] + 3)+"px;left:"+(pos[0]+3)+"px;z-index:20'>"+mod_measure_TotalDist[i]+"</div>";
- str_mPoints += "<div style='font-family:"+mod_measure_font+";font-size:"+mod_measure_fontsize+";color:"+mod_measure_color2+";position:absolute;top:"+(pos[1] + 4)+"px;left:"+(pos[0]+4)+"px;z-index:21'>"+mod_measure_TotalDist[i]+"</div>";
- }
- }
- if(mod_measure_RX.length>1){
- for(var k=1; k<mod_measure_RX.length; k++){
- var pos0 = makeRealWorld2mapPos(mod_measure_target,mod_measure_RX[k], mod_measure_RY[k]);
- var pos1 = makeRealWorld2mapPos(mod_measure_target,mod_measure_RX[k-1], mod_measure_RY[k-1]);
-
- str_mPoints += evaluateDashes(pos1[0],pos1[1],pos0[0],pos0[1],k);
- }
- }
- writeTag(mod_measure_target,"measuring",str_mPoints);
-}
-function evaluateDashes(x1,y1,x2,y2,count){
- var str_dashedLine = "";
- var s = 10;
- var d = Math.sqrt(Math.pow((y1-y2),2) + Math.pow((x1-x2),2)) ;
- var n = Math.round(d/s);
- var s_x = (x2 - x1)/n;
- var s_y = (y2 - y1)/n;
- for(var i=1; i<n; i++){
- var x = Math.round(x1 + i * s_x)-2;
- var y = Math.round(y1 + i * s_y)-2;
- if(x >= 0 && x <= mod_measure_width && y >= 0 && y <= mod_measure_height){
- str_dashedLine += "<div style='font-size:1px;position:absolute;top:"+y+"px;left:"+x+"px;width:4px;height:4px;background-color:"+mod_measure_linepoint+"'></div>";
- }
- }
- str_dashedLine += "<div style='font-family:"+mod_measure_font+";font-size:"+mod_measure_fontsize+";color:"+mod_measure_color1+";";
- if(mod_measure_bg != ""){
- str_dashedLine += "background-color:"+mod_measure_bg+";";
- }
- str_dashedLine += "position:absolute;top:"+(Math.round(y1 + (y2-y1)/2 +3))+"px;left:"+(Math.round(x1 + (x2-x1)/2 +3))+"px'>"+mod_measure_Dist[count]+"</div>";
- str_dashedLine += "<div style='font-family:"+mod_measure_font+";font-size:"+mod_measure_fontsize+";color:"+mod_measure_color2+";position:absolute;top:"+(Math.round(y1 + (y2-y1)/2 + 4))+"px;left:"+(Math.round(x1 + (x2-x1)/2+4))+"px'>"+mod_measure_Dist[count]+"</div>";
- return str_dashedLine;
-}
-function mod_measure_close(){
- if(mod_measure_RX.length < 3 || (mod_measure_RX[mod_measure_RX.length-1] == mod_measure_RX[0] && mod_measure_RY[mod_measure_RY.length-1] == mod_measure_RY[0])){return;}
- mod_measure_RX[mod_measure_RX.length] = mod_measure_RX[0];
- mod_measure_RY[mod_measure_RY.length] = mod_measure_RY[0];
- if(mod_measure_RX.length > 1){
- // circumference
- convert_coords(mod_measure_RX[mod_measure_RX.length-2],mod_measure_RY[mod_measure_RY.length-2],mod_measure_RX[mod_measure_RX.length-1],mod_measure_RY[mod_measure_RY.length-1],inputEPSG);
- }
- else{
- mod_measure_Dist[mod_measure_Dist.length] = 0;
- mod_measure_TotalDist[mod_measure_TotalDist.length] = 0;
- drawDashedLine();
- }
-}
-function mod_measure_delete(){
- mod_measure_RX = new Array();
- mod_measure_RY = new Array();
- mod_measure_Dist = new Array();
- mod_measure_TotalDist = new Array();
- dist = false;
- writeTag(mod_measure_target,"measuring","");
- writeTag(mod_measure_target,"measure_display","");
-}
-function my_makeClickPos2RealWorldPos(frameName, myClickX, myClickY) {
- var ind = getMapObjIndexByName(frameName);
- var width = parseInt(mb_mapObj[ind].width);
- var height = parseInt(mb_mapObj[ind].height);
- var arrayBBox = mb_mapObj[ind].extent.split(",");
- var minX = parseFloat(arrayBBox[0]);
- var minY = parseFloat(arrayBBox[1]);
- var maxX = parseFloat(arrayBBox[2]);
- var maxY = parseFloat(arrayBBox[3]);
- var xtentx = maxX - minX;
- var xtenty = maxY - minY;
- var posX = parseFloat(minX + (myClickX / width) * xtentx);
- var posY = parseFloat(maxY - (myClickY / height) * xtenty);
- return new Array(posX, posY);
-}
-function convert_coords(x1,y1,x2,y2,inputEPSG){
-
- $.post(
- // zielurl
- '../javascripts/transform_coordinatesWGS84.php',
- // parameter fuer diese datei
- {
- 'x1' : x1,
- 'y1' : y1,
- 'x2' : x2,
- 'y2' : y2,
- 'inputEPSG' : inputEPSG
- },
- // callback function
- function(xml){
- dist = Math.round(parseFloat(xml));
- use_dist();
- }
- );
-}
\ No newline at end of file
Modified: tags/2.4.4_su/http/javascripts/mod_sandclock2.php
===================================================================
--- tags/2.4.4/http/javascripts/mod_sandclock2.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/javascripts/mod_sandclock2.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -25,7 +25,7 @@
$sql = "SELECT e_src, e_target FROM gui_element WHERE e_id = 'sandclock2' AND fkey_gui_id = $1";
$v = array($gui_id);
$t = array('s');
-$res = db_query($sql, $v, $t);
+$res = db_prep_query($sql, $v, $t);
$cnt = 0;
while($row = db_fetch_array($res)){
$e_target = db_result($res,0,"e_target");
Modified: tags/2.4.4_su/http/javascripts/mod_setPOI2Scale.php
===================================================================
--- tags/2.4.4/http/javascripts/mod_setPOI2Scale.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/javascripts/mod_setPOI2Scale.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -21,8 +21,10 @@
include("../../conf/mapbender.conf");
$con = db_connect($DBSERVER,$OWNER,$PW);
db_select_db(DB,$con);
-$sql = "SELECT e_target FROM gui_element WHERE e_id = 'setPOI2Scale' AND fkey_gui_id = '".$gui_id."'";
-$res = db_query($sql);
+$sql = "SELECT e_target FROM gui_element WHERE e_id = 'setPOI2Scale' AND fkey_gui_id = $1";
+$v = array($gui_id);
+$t = array("s");
+$res = db_prep_query($sql, $v, $t);
$cnt = 0;
while($row = db_fetch_array($res)){
Modified: tags/2.4.4_su/http/javascripts/mod_wfs_SpatialRequest.php
===================================================================
--- tags/2.4.4/http/javascripts/mod_wfs_SpatialRequest.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/javascripts/mod_wfs_SpatialRequest.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -1,5 +1,5 @@
<?php
-#$Id: mod_wfs_spatialRequest.php,v 1.4 2006/03/08 15:26:26 c_baudson Exp $
+#$Id$
#$Header: /cvsroot/mapbender/mapbender/http/javascripts/mod_wfs_spatialRequest.php,v 1.4 2006/03/08 15:26:26 c_baudson Exp $
# Copyright (C) 2002 CCGIS
#
@@ -33,8 +33,10 @@
include("../../conf/" . $wfs_conf_filename);
include '../include/dyn_js.php';
-$sql = "SELECT e_src, e_target FROM gui_element WHERE e_id = 'setSpatialRequest' AND fkey_gui_id = '".$gui_id."'";
-$res = db_query($sql);
+$sql = "SELECT e_src, e_target FROM gui_element WHERE e_id = 'setSpatialRequest' AND fkey_gui_id = $1";
+$v = array($gui_id);
+$t = array("s");
+$res = db_prep_query($sql, $v, $t);
$cnt = 0;
while($row = db_fetch_array($res)){
$e_src = $row["e_src"];
Modified: tags/2.4.4_su/http/javascripts/mod_zoomCoords.php
===================================================================
--- tags/2.4.4/http/javascripts/mod_zoomCoords.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/javascripts/mod_zoomCoords.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -1,5 +1,5 @@
<?php
-#$Id: mod_zoomCoords.php 76 2006-08-15 12:25:34Z heuser $
+#$Id$
#$Header: /cvsroot/mapbender/mapbender/http/javascripts/mod_zoomCoords.php,v 1.10 2006/03/09 08:57:13 uli_rothstein Exp $
require_once(dirname(__FILE__)."/../../conf/mapbender.conf");
session_start();
@@ -70,8 +70,10 @@
$con = db_connect($DBSERVER,$OWNER,$PW);
db_select_db(DB,$con);
-$sql = "SELECT e_target FROM gui_element WHERE e_id = 'zoomCoords' AND fkey_gui_id = '".$_SESSION["mb_user_gui"]."'";
-$res = db_query($sql);
+$sql = "SELECT e_target FROM gui_element WHERE e_id = 'zoomCoords' AND fkey_gui_id = $1";
+$v = array($_SESSION["mb_user_gui"]);
+$t = array("s");
+$res = db_prep_query($sql, $v, $t);
$cnt = 0;
while($row = db_fetch_array($res)){
$e_target = $row["e_target"];
Modified: tags/2.4.4_su/http/javascripts/mod_zoomFull.php
===================================================================
--- tags/2.4.4/http/javascripts/mod_zoomFull.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/javascripts/mod_zoomFull.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -1,12 +1,14 @@
<?php
-#$Id: mod_zoomFull.php 76 2006-08-15 12:25:34Z heuser $
+#$Id$
#$Header: /cvsroot/mapbender/mapbender/http/javascripts/mod_zoomFull.php,v 1.8 2005/09/13 18:16:42 bjoern_heuser Exp $
$gui_id = $_REQUEST["gui_id"];
require_once(dirname(__FILE__)."/../../conf/mapbender.conf");
$con = db_connect($DBSERVER,$OWNER,$PW);
db_select_db(DB,$con);
-$sql = "SELECT e_src, e_target FROM gui_element WHERE e_id = 'zoomFull' AND fkey_gui_id = '".$gui_id."'";
-$res = db_query($sql);
+$sql = "SELECT e_src, e_target FROM gui_element WHERE e_id = 'zoomFull' AND fkey_gui_id = $1";
+$v = array($gui_id);
+$t = array("s");
+$res = db_prep_query($sql, $v, $t);
$cnt = 0;
while($row = db_fetch_array($res)){
$e_src = $row["e_src"];
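Review bot: `$gui_id` is read from `$_REQUEST["gui_id"]` on the unchanged line above and reaches the new `$v = array($gui_id);` with no presence or type check. Binding it as `$1` removes the injection path, but a missing parameter raises an undefined-index notice and binds null, and an array-valued `gui_id[]` would be handed to `db_prep_query` as is. A guard before the query would make the failure explicit: `if (!isset($_REQUEST["gui_id"]) || !is_string($_REQUEST["gui_id"])) { die(); }`. mod_zoomOut1.php has the same pattern; in mod_setPOI2Scale.php and mod_wfs_SpatialRequest.php the assignment of `$gui_id` lies outside the hunks, so its source there is worth confirming.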
Modified: tags/2.4.4_su/http/javascripts/mod_zoomOut1.php
===================================================================
--- tags/2.4.4/http/javascripts/mod_zoomOut1.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/javascripts/mod_zoomOut1.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -1,13 +1,15 @@
<?php
-#$Id: mod_zoomOut1.php 76 2006-08-15 12:25:34Z heuser $
+#$Id$
#$Header: /cvsroot/mapbender/mapbender/http/javascripts/mod_zoomOut1.php,v 1.8 2005/09/13 18:16:42 bjoern_heuser Exp $
$gui_id = $_REQUEST["gui_id"];
require_once(dirname(__FILE__)."/../../conf/mapbender.conf");
$con = db_connect($DBSERVER,$OWNER,$PW);
db_select_db(DB,$con);
-$sql = "SELECT e_src, e_target FROM gui_element WHERE e_id = 'zoomOut1' AND fkey_gui_id = '".$gui_id."'";
-$res = db_query($sql);
+$sql = "SELECT e_src, e_target FROM gui_element WHERE e_id = 'zoomOut1' AND fkey_gui_id = $1";
+$v = array($gui_id);
+$t = array("s");
+$res = db_prep_query($sql, $v, $t);
$cnt = 0;
while($row = db_fetch_array($res)){
$e_src = $row["e_src"];
Deleted: tags/2.4.4_su/http/javascripts/transform_coordinatesWGS84.php
===================================================================
--- tags/2.4.4/http/javascripts/transform_coordinatesWGS84.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/javascripts/transform_coordinatesWGS84.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -1,49 +0,0 @@
-<?php
-# $Id: mod_measure.php 267 2006-05-12 12:16:01Z vera_schulze $
-# http://www.mapbender.org/index.php/mod_measure.php
-# Copyright (C) 2002 CCGIS
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-require_once("../../conf/mapbender.conf");
-
-$DBSERVER = '192.168.0.100';
-$OWNER = "admin";
-$PW = "&see5Toxu?";
-
-$con = pg_connect('host=' . $DBSERVER . ' user=' . $OWNER . ' password=' . $PW . ' dbname=merlin');
-
-
-
-$sql_pointA = "SELECT X(transform(GeometryFromText('POINT(".$_POST['x1']." ".$_POST['y1'].")',4326),".$_POST['inputEPSG'].")) as minx, Y(transform(GeometryFromText('POINT(".$_POST['x1']." ".$_POST['y1'].")',4326),".$_POST['inputEPSG'].")) as miny;";
-
-$resA = db_query($sql_pointA);
-$recA = pg_fetch_array($resA);
-
-$sql_pointB = "SELECT X(transform(GeometryFromText('POINT(".$_POST['x2']." ".$_POST['y2'].")',4326),".$_POST['inputEPSG'].")) as maxx, Y(transform(GeometryFromText('POINT(".$_POST['x2']." ".$_POST['y2'].")',4326),".$_POST['inputEPSG'].")) as maxy;";
-
-$resB = db_query($sql_pointB);
-$recB = pg_fetch_array($resB);
-
-$sql_dist = "SELECT distance('POINT(".$recA['minx']." ".$recA['miny']. ")','POINT(" . $recB['maxx']." ". $recB['maxy'].")') as dist;";
-$res_dist = db_query($sql_dist);
-$rec_dist = pg_fetch_array($res_dist);
-
-echo $rec_dist['dist'];
-#echo $recA['minx']. "," . $recA['miny'] . "," . $recB['maxx']. "," . $recB['maxy']. "," .$rec_dist['dist'];
-
-
-
-?>
Modified: tags/2.4.4_su/http/php/createImageFromText.php
===================================================================
--- tags/2.4.4/http/php/createImageFromText.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/createImageFromText.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -23,7 +23,7 @@
$text_x = 4;
$text_y = 0;
-$rect_w = 7 * mb_strlen($text) + $text_x;
+$rect_w = 7 * strlen($text) + $text_x;
$rect_h = 14 + $text_y;
$im = ImageCreate($rect_w, $rect_h);
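Review bot: `$rect_w` is now derived from `strlen($text)`, which counts bytes, while the line it replaces counted characters with `mb_strlen`, so the two give different widths for multibyte text. Which one matches the drawing call is not visible in this hunk, so a one-line comment such as `// width in bytes: the GD built-in font draws one glyph per byte` (if that is the reason) would stop the next reader from reverting it again. Where `$text` comes from is also outside the hunk; if it is request input, capping its length before `ImageCreate` bounds the size of the image the server allocates.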
Modified: tags/2.4.4_su/http/php/mb_listWMCs.php
===================================================================
--- tags/2.4.4/http/php/mb_listWMCs.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mb_listWMCs.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -98,8 +98,10 @@
}
function getTarget($gui_id) {
- $sql = "SELECT e_requires, e_target FROM gui_element WHERE e_id = 'loadwmc' AND fkey_gui_id = '".$gui_id."'";
- $res = db_query($sql);
+ $sql = "SELECT e_requires, e_target FROM gui_element WHERE e_id = 'loadwmc' AND fkey_gui_id = $1";
+ $v = array($gui_id);
+ $t = array("s");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while($row = db_fetch_array($res)){
$e_target = $row["e_target"];
Modified: tags/2.4.4_su/http/php/mod_WMSpreferences.php
===================================================================
--- tags/2.4.4/http/php/mod_WMSpreferences.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_WMSpreferences.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -62,8 +62,10 @@
</STYLE>
<?php
-$sql = "SELECT * FROM gui_element WHERE e_id = 'WMS_preferences' AND fkey_gui_id = '".$_SESSION["mb_user_gui"]."'";
-$res = db_query($sql);
+$sql = "SELECT * FROM gui_element WHERE e_id = 'WMS_preferences' AND fkey_gui_id = $1";
+$v = array($_SESSION["mb_user_gui"]);
+$t = array("s");
+$res = db_prep_query($sql, $v, $t);
$cnt = 0;
$vis = "";
$wmsid = "";
@@ -79,8 +81,10 @@
echo "var mod_WMSpreferences_target2 = '".trim($target[1])."';";
echo "</script>";
-$sql_visible = "SELECT * FROM gui_wms WHERE fkey_gui_id = '".$_SESSION["mb_user_gui"]."'";
-$res_visible = db_query($sql_visible);
+$sql_visible = "SELECT * FROM gui_wms WHERE fkey_gui_id = $1";
+$v = array($_SESSION["mb_user_gui"]);
+$t = array("s");
+$res_visible = db_prep_query($sql_visible, $v, $t);
$cnt_visible = 0;
while($row = db_fetch_array($res_visible)){
Modified: tags/2.4.4_su/http/php/mod_changeEPSG.php
===================================================================
--- tags/2.4.4/http/php/mod_changeEPSG.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_changeEPSG.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -53,66 +53,79 @@
# transform coordinates
if(isset($_REQUEST["srs"])){
- require_once("../../conf/mapbender.conf");
+ require_once(dirname(__FILE__) . "/../../conf/mapbender.conf");
$arraymapObj = split("###", $_REQUEST["srs"]);
echo "<script type='text/javascript'>";
echo "var newExtent = new Array();";
for($i=0; $i < count($arraymapObj); $i++){
$temp = split(",",$arraymapObj[$i]);
- if(SYS_DBTYPE=='pgsql'){
- $con = db_connect($DBSERVER,$OWNER,$PW);
- $sqlMinx = "SELECT X(transform(GeometryFromText('POINT(".$temp[2]." ".$temp[3].")',".str_replace("EPSG:","",$temp[1])."),".str_replace("EPSG:","",$_REQUEST["newSRS"]).")) as minx";
- $resMinx = db_query($sqlMinx);
- $minx = db_result($resMinx,0,"minx");
-
- $sqlMiny = "SELECT Y(transform(GeometryFromText('POINT(".$temp[2]." ".$temp[3].")',".str_replace("EPSG:","",$temp[1])."),".str_replace("EPSG:","",$_REQUEST["newSRS"]).")) as miny";
- $resMiny = db_query($sqlMiny);
- $miny = db_result($resMiny,0,"miny");
-
- $sqlMaxx = "SELECT X(transform(GeometryFromText('POINT(".$temp[4]." ".$temp[5].")',".str_replace("EPSG:","",$temp[1])."),".str_replace("EPSG:","",$_REQUEST["newSRS"]).")) as maxx";
- $resMaxx =db_query($sqlMaxx);
- $maxx = db_result($resMaxx,0,"maxx");
-
- $sqlMaxy = "SELECT Y(transform(GeometryFromText('POINT(".$temp[4]." ".$temp[5].")',".str_replace("EPSG:","",$temp[1])."),".str_replace("EPSG:","",$_REQUEST["newSRS"]).")) as maxy";
- $resMaxy = db_query($sqlMaxy);
- $maxy = db_result($resMaxy,0,"maxy");
- }else{
- $con_string = "host=$GEOS_DBSERVER port=$GEOS_PORT dbname=$GEOS_DB user=$GEOS_OWNER password=$GEOS_PW";
- $con = pg_connect($con_string) or die ("Error while connecting database");
-
- $sqlMinx = "SELECT X(transform(GeometryFromText('POINT(".$temp[2]." ".$temp[3].")',".str_replace("EPSG:","",$temp[1])."),".str_replace("EPSG:","",$_REQUEST["newSRS"]).")) as minx";
- $resMinx = pg_query($con,$sqlMinx);
- $minx = pg_fetch_result($resMinx,0,"minx");
-
- $sqlMiny = "SELECT Y(transform(GeometryFromText('POINT(".$temp[2]." ".$temp[3].")',".str_replace("EPSG:","",$temp[1])."),".str_replace("EPSG:","",$_REQUEST["newSRS"]).")) as miny";
- $resMiny = pg_query($con,$sqlMiny);
- $miny = pg_fetch_result($resMiny,0,"miny");
-
- $sqlMaxx = "SELECT X(transform(GeometryFromText('POINT(".$temp[4]." ".$temp[5].")',".str_replace("EPSG:","",$temp[1])."),".str_replace("EPSG:","",$_REQUEST["newSRS"]).")) as maxx";
- $resMaxx = pg_query($con,$sqlMaxx);
- $maxx = pg_fetch_result($resMaxx,0,"maxx");
-
- $sqlMaxy = "SELECT Y(transform(GeometryFromText('POINT(".$temp[4]." ".$temp[5].")',".str_replace("EPSG:","",$temp[1])."),".str_replace("EPSG:","",$_REQUEST["newSRS"]).")) as maxy";
- $resMaxy = pg_query($con,$sqlMaxy);
- $maxy = pg_fetch_result($resMaxy,0,"maxy");
- }
- $extenty = $maxy - $miny;
- $extentx = $maxx - $minx;
- $relation_px_x = $temp[6] / $temp[7];
- $relation_px_y = $temp[7] / $temp[6];
- $relation_bbox_x = $extentx / $extenty;
- if($relation_bbox_x <= $relation_px_x){
- $centerx = $minx + ($extentx/2);
- $minx = $centerx - $relation_px_x * $extenty / 2;
- $maxx = $centerx + $relation_px_x * $extenty / 2;
+ // check if parameters are valid geometries to
+ // avoid SQL injections
+
+ $oldEPSG = preg_replace("/EPSG:/","",$temp[1]);
+ $newEPSG = preg_replace("/EPSG:/","",$_REQUEST["newSRS"]);
+
+ if (is_numeric($temp[2]) && is_numeric($temp[3]) && is_numeric($temp[4]) && is_numeric($temp[5]) && is_numeric($oldEPSG) && is_numeric($newEPSG)) {
+
+ if(SYS_DBTYPE=='pgsql'){
+ $con = db_connect($DBSERVER,$OWNER,$PW);
+ $sqlMinx = "SELECT X(transform(GeometryFromText('POINT(".$temp[2]." ".$temp[3].")',".$oldEPSG."),".$newEPSG.")) as minx";
+ $resMinx = db_query($sqlMinx);
+ $minx = db_result($resMinx,0,"minx");
+
+ $sqlMiny = "SELECT Y(transform(GeometryFromText('POINT(".$temp[2]." ".$temp[3].")',".$oldEPSG."),".$newEPSG.")) as miny";
+ $resMiny = db_query($sqlMiny);
+ $miny = db_result($resMiny,0,"miny");
+
+ $sqlMaxx = "SELECT X(transform(GeometryFromText('POINT(".$temp[4]." ".$temp[5].")',".$oldEPSG."),".$newEPSG.")) as maxx";
+ $resMaxx = db_query($sqlMaxx);
+ $maxx = db_result($resMaxx,0,"maxx");
+
+ $sqlMaxy = "SELECT Y(transform(GeometryFromText('POINT(".$temp[4]." ".$temp[5].")',".$oldEPSG."),".$newEPSG.")) as maxy";
+ $resMaxy = db_query($sqlMaxy);
+ $maxy = db_result($resMaxy,0,"maxy");
+ }else{
+ $con_string = "host=$GEOS_DBSERVER port=$GEOS_PORT dbname=$GEOS_DB user=$GEOS_OWNER password=$GEOS_PW";
+ $con = pg_connect($con_string) or die ("Error while connecting database");
+
+ $sqlMinx = "SELECT X(transform(GeometryFromText('POINT(".$temp[2]." ".$temp[3].")',".$oldEPSG."),".$newEPSG.")) as minx";
+ $resMinx = pg_query($con,$sqlMinx);
+ $minx = pg_fetch_result($resMinx,0,"minx");
+
+ $sqlMiny = "SELECT Y(transform(GeometryFromText('POINT(".$temp[2]." ".$temp[3].")',".$oldEPSG."),".$newEPSG.")) as miny";
+ $resMiny = pg_query($con,$sqlMiny);
+ $miny = pg_fetch_result($resMiny,0,"miny");
+
+ $sqlMaxx = "SELECT X(transform(GeometryFromText('POINT(".$temp[4]." ".$temp[5].")',".$oldEPSG."),".$newEPSG.")) as maxx";
+ $resMaxx = pg_query($con,$sqlMaxx);
+ $maxx = pg_fetch_result($resMaxx,0,"maxx");
+
+ $sqlMaxy = "SELECT Y(transform(GeometryFromText('POINT(".$temp[4]." ".$temp[5].")',".$oldEPSG."),".$newEPSG.")) as maxy";
+ $resMaxy = pg_query($con,$sqlMaxy);
+ $maxy = pg_fetch_result($resMaxy,0,"maxy");
+ }
+ $extenty = $maxy - $miny;
+ $extentx = $maxx - $minx;
+ $relation_px_x = $temp[6] / $temp[7];
+ $relation_px_y = $temp[7] / $temp[6];
+ $relation_bbox_x = $extentx / $extenty;
+
+ if($relation_bbox_x <= $relation_px_x){
+ $centerx = $minx + ($extentx/2);
+ $minx = $centerx - $relation_px_x * $extenty / 2;
+ $maxx = $centerx + $relation_px_x * $extenty / 2;
+ }
+ if($relation_bbox_x > $relation_px_x){
+ $centery = $miny + ($extenty/2);
+ $miny = $centery - $relation_px_y * $extentx / 2;
+ $maxy = $centery + $relation_px_y * $extentx / 2;
+ }
+ echo "newExtent[".$i."] = '".$temp[0].",".$_REQUEST["newSRS"].",".$minx.",".$miny.",".$maxx.",".$maxy."';";
}
- if($relation_bbox_x > $relation_px_x){
- $centery = $miny + ($extenty/2);
- $miny = $centery - $relation_px_y * $extentx / 2;
- $maxy = $centery + $relation_px_y * $extentx / 2;
- }
- echo "newExtent[".$i."] = '".$temp[0].",".$_REQUEST["newSRS"].",".$minx.",".$miny.",".$maxx.",".$maxy."';";
+ else {
+ echo "var e = new parent.Mb_exception('mod_changeEPSG.php: invalid input parameter (p1 = (" . $temp[2] . "," . $temp[3] . "), p2 = (" . $temp[4] . "," . $temp[5] . "), old EPSG: " . $oldEPSG . ", new EPSG: " . $newEPSG . ", ).');";
+ }
}
echo "</script>";
}
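Review bot: The new `else` branch writes the rejected values `$temp[2]` to `$temp[5]`, `$oldEPSG` and `$newEPSG` straight into a JavaScript string inside the `<script>` block, so exactly the input that failed validation is reflected into the page unencoded. The success branch does the same with `$temp[0]`, which is never checked, on the `newExtent[...]` line. Encode anything request-derived before it enters script context, e.g. `echo "var e = new parent.Mb_exception(" . json_encode($msg) . ");";` with `$msg` holding the same text, or leave the raw values out of the message. Separately, `is_numeric()` also accepts forms such as exponent notation and leading whitespace, so casting the EPSG codes with `(int)` and the coordinates with `(float)` before building the SQL would be stricter. `$temp[6]` and `$temp[7]` are still divided without any check.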
Modified: tags/2.4.4_su/http/php/mod_deleteGUI.php
===================================================================
--- tags/2.4.4/http/php/mod_deleteGUI.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_deleteGUI.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -65,12 +65,13 @@
###delete
if($guiList){
- $sql = "DELETE FROM gui WHERE gui_id = '".$guiList."'";
- $res = db_query($sql);
+ $sql = "DELETE FROM gui WHERE gui_id = $1";
+ $v = array($guiList);
+ $t = array("s");
+ $res = db_prep_query($sql, $v, $t);
}
-$sql_gui = "SELECT * FROM gui ";
-$sql_gui .= " ORDER BY gui_name";
+$sql_gui = "SELECT * FROM gui ORDER BY gui_name";
$res_gui = db_query($sql_gui);
$cnt_gui = 0;
Modified: tags/2.4.4_su/http/php/mod_deleteWFS.php
===================================================================
--- tags/2.4.4/http/php/mod_deleteWFS.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_deleteWFS.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -76,12 +76,13 @@
###delete
if($wfsList){
- $sql = "DELETE FROM wfs WHERE wfs_id = '".$wfsList."'";
- $res = db_query($sql);
+ $sql = "DELETE FROM wfs WHERE wfs_id = $1";
+ $v = array($wfsList);
+ $t = array("i");
+ $res = db_prep_query($sql, $v, $t);
}
-$sql_wfs = "SELECT * FROM wfs ";
-$sql_wfs .= " ORDER BY wfs_id";
+$sql_wfs = "SELECT * FROM wfs ORDER BY wfs_id";
$res_wfs = db_query($sql_wfs);
$cnt_wfs = 0;
Modified: tags/2.4.4_su/http/php/mod_editFilteredGroup.php
===================================================================
--- tags/2.4.4/http/php/mod_editFilteredGroup.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_editFilteredGroup.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -138,11 +138,15 @@
echo "<select name='selected_group' onchange='submit()'>";
echo "<option value='new'>NEW...</option>";
$sql = "SELECT mb_group_name,mb_group_id FROM mb_group ";
+ $v = array();
+ $t = array();
if(isset($myGroup)){
- $sql .= "WHERE mb_group_owner = ".$_SESSION["mb_user_id"];
+ $sql .= "WHERE mb_group_owner = $1";
+ array_push($v, $_SESSION["mb_user_id"]);
+ array_push($t, "i");
}
$sql .= " ORDER BY mb_group_name ";
- $res = db_query($sql);
+ $res = db_prep_query($sql, $v, $t);
$count=0;
while($row = db_fetch_array($res)){
echo "<option value='".$row["mb_group_id"]."' ";
Modified: tags/2.4.4_su/http/php/mod_editFilteredUser.php
===================================================================
--- tags/2.4.4/http/php/mod_editFilteredUser.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_editFilteredUser.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -185,9 +185,15 @@
echo "<select name='selected_user' onchange='submit()'>";
echo "<option value='new'>NEW...</option>";
$sql = "SELECT mb_user_name,mb_user_id FROM mb_user ";
- if(isset($myUser)){ $sql .= "WHERE mb_user_owner = ".$_SESSION["mb_user_id"];}
- $sql .= " ORDER BY mb_user_name ";
- $res = db_query($sql);
+ $v = array();
+ $t = array();
+ if (isset($myUser)) {
+ $sql .= "WHERE mb_user_owner = $1";
+ array_push($v, $_SESSION["mb_user_id"]);
+ array_push($t, "i");
+ }
+ $sql .= " ORDER BY mb_user_name ";
+ $res = db_prep_query($sql, $v, $t);
$count=0;
while($row = db_fetch_array($res)){
echo "<option value='".$row["mb_user_id"]."' ";
Modified: tags/2.4.4_su/http/php/mod_editGroup.php
===================================================================
--- tags/2.4.4/http/php/mod_editGroup.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_editGroup.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -136,9 +136,15 @@
echo "<select name='selected_group' onchange='submit()'>";
echo "<option value='new'>NEW...</option>";
$sql = "SELECT mb_group_name,mb_group_id FROM mb_group ";
- if(isset($myGroup)){ $sql .= "WHERE mb_group_owner = ".$_SESSION["mb_user_id"];}
+ $v = array();
+ $t = array();
+ if (isset($myGroup)) {
+ $sql .= "WHERE mb_group_owner = $1";
+ array_push($v, $_SESSION["mb_user_id"]);
+ array_push($t, "i");
+ }
$sql .= " ORDER BY mb_group_name ";
- $res = db_query($sql);
+ $res = db_prep_query($sql, $v, $t);
$count=0;
while($row = db_fetch_array($res)){
echo "<option value='".$row["mb_group_id"]."' ";
Modified: tags/2.4.4_su/http/php/mod_editGuiWms.php
===================================================================
--- tags/2.4.4/http/php/mod_editGuiWms.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_editGuiWms.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -592,7 +592,7 @@
echo "<td style='background:lightgrey'><input type='text' size='2' name='L_".$layer_id[$i]."___layer_id' value='".$layer_id[$i]."' readonly></td>";
echo "<td><input type='text' size='1' name='L_".$layer_id[$i]."___layer_parent' value='".$layer_parent[$i]."' readonly></td>";
echo "<td style='background:lightgrey'><input type='text' size='7' value='".$layer_name[$i]."' readonly></td>";
- echo "<td><input type='text' name='".$layer_title[$i]."' size='12' value='".$layer_title[$i]."' ></td>";
+ echo "<td><input type='text' name='".$layer_title[$i]."' size='12' value='".$layer_title[$i]."' readonly></td>";
echo "<td style='background:lightgrey'><input name='L_".$layer_id[$i]."___gui_layer_status' type='checkbox' ";
if($gui_layer_status[$i] == 1){ echo "checked";}
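Review bot: `readonly` on the title input is only a browser-side hint, so the field can still be submitted with a different value; if the title must not be edited here, the code that processes this form (outside the hunk) has to ignore it. The same line writes `$layer_title[$i]` into both the `name` and the `value` attribute without encoding, so a title containing a quote ends the attribute early. Where the titles come from is not visible here, but `htmlspecialchars($layer_title[$i], ENT_QUOTES)` in both places makes the markup safe regardless. Using the free-text title as the field name is also fragile next to the `L_<layer_id>___...` names of the neighbouring fields.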
Modified: tags/2.4.4_su/http/php/mod_editGuiWmsMeta.php
===================================================================
--- tags/2.4.4/http/php/mod_editGuiWmsMeta.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_editGuiWmsMeta.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -134,19 +134,23 @@
$function = $_REQUEST["function"];
if ( $function = "update" ) {
- $sql = "UPDATE layer SET layer_meta_datum = '".$_REQUEST["layer_meta_datum"]."'";
- $sql.= ", layer_meta_lieferant = '".$_REQUEST["layer_meta_lieferant"]."'";
- $sql.= ", layer_meta_quelle = '".$_REQUEST["layer_meta_quelle"]."'";
- $sql.= ", layer_meta_ansprechpartner = '".$_REQUEST["layer_meta_ansprechpartner"]."'";
- $sql.= ", layer_meta_lieferant_basis = '".$_REQUEST["layer_meta_lieferant_basis"]."'";
- $sql.= ", layer_meta_copyright = '".$_REQUEST["layer_meta_copyright"]."'";
- $sql.= " WHERE layer_id = ".$layer_id.";";
- $res = db_query($sql);
+ $sql = "UPDATE layer SET layer_meta_datum = $1, ";
+ $sql.= "layer_meta_lieferant = $2, ";
+ $sql.= "layer_meta_quelle = $3, ";
+ $sql.= "layer_meta_ansprechpartner = $4, ";
+ $sql.= "layer_meta_lieferant_basis = $5, ";
+ $sql.= "layer_meta_copyright = $6 ";
+ $sql.= " WHERE layer_id = $7;";
+ $v = array($_REQUEST["layer_meta_datum"], $_REQUEST["layer_meta_lieferant"], $_REQUEST["layer_meta_quelle"], $_REQUEST["layer_meta_ansprechpartner"], $_REQUEST["layer_meta_lieferant_basis"], $_REQUEST["layer_meta_copyright"], $layer_id);
+ $t = array("s", "s", "s", "s", "s", "s", "i");
+ $res = db_prep_query($sql, $v, $t);
}
}
- $sql = "SELECT * FROM layer WHERE layer_id = '".$layer_id."';";
- $res = db_query($sql);
+ $sql = "SELECT * FROM layer WHERE layer_id = $1;";
+ $v = array($layer_id);
+ $t = array("i");
+ $res = db_prep_query($sql, $v, $t);
if ( db_fetch_row($res, 0) ) {
echo " <h3>Editieren von Metadaten</h3>\n";
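Review bot: `if ( $function = "update" )` on the unchanged line above the rewritten query assigns instead of comparing, so the condition is always true and the `UPDATE layer` runs on every request that reaches this block, whatever `function` was sent. It should read `if ($function == "update")`. With the assignment in place, a request without the `layer_meta_*` fields would presumably still issue the UPDATE and overwrite the stored metadata with empty values. The enclosing block opens outside the hunk, so any outer condition is not visible here.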
Modified: tags/2.4.4_su/http/php/mod_editUser.php
===================================================================
--- tags/2.4.4/http/php/mod_editUser.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_editUser.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -200,9 +200,15 @@
echo "<select name='selected_user' onchange='submit()'>";
echo "<option value='new'>NEW...</option>";
$sql = "SELECT mb_user_name,mb_user_id FROM mb_user ";
- if(isset($myUser)){ $sql .= "WHERE mb_user_owner = ".$_SESSION["mb_user_id"];}
+ $v = array();
+ $t = array();
+ if (isset($myUser)) {
+ $sql .= "WHERE mb_user_owner = $1";
+ array_push($v, $_SESSION["mb_user_id"]);
+ array_push($t, "i");
+ }
$sql .= " ORDER BY mb_user_name ";
- $res = db_query($sql);
+ $res = db_prep_query($sql, $v, $t);
$count=0;
while($row = db_fetch_array($res)){
echo "<option value='".$row["mb_user_id"]."' ";
@@ -339,5 +345,18 @@
?>
<input type='hidden' name='action' value=''>
</form>
+<script type="text/javascript">
+<!--
+var user=[];
+<?php
+for($i=0; $i<$cnt_user; $i++){
+ echo "user[".($i)."]=[];\n";
+ echo "user[".($i)."]['id']='" . $user_id[$i] . "';\n";
+ echo "user[".($i)."]['name']='" . $user_name[$i] . "';\n";
+ echo "user[".($i)."]['email']='" . $user_email[$i] . "';\n";
+}
+?>
+// -->
+</script>
</body>
</html>
\ No newline at end of file
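Review bot: The added script block prints `$user_id[$i]`, `$user_name[$i]` and `$user_email[$i]` between single quotes in JavaScript without any encoding, so a name or address containing a quote, backslash, newline or `</script>` breaks the script or changes what it does. These look like stored account fields, so a value entered for one account is presumably rendered in the session of whoever opens this editor. Encode each value for script context, e.g. `echo "user[".$i."]['name']=" . json_encode($user_name[$i]) . ";\n";`, and likewise for `id` and `email`. Where `$cnt_user` and the three arrays are filled is outside the hunk.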
Modified: tags/2.4.4_su/http/php/mod_editWMS_Metadata.php
===================================================================
--- tags/2.4.4/http/php/mod_editWMS_Metadata.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_editWMS_Metadata.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -77,15 +77,15 @@
function guessTimestamp($timestr)
{
- if (strstr($timestr, '.'))
+ if (strpos($timestr, '.'))
{
list($day, $month, $year) = explode(".", $timestr);
}
- elseif (strstr($timestr, '/'))
+ elseif (strpos($timestr, '/'))
{
list($month, $day, $year) = explode("/", $timestr);
}
- elseif (strstr($timestr, '-'))
+ elseif (strpos($timestr, '-'))
{
list($year, $month, $day) = explode("-", $timestr);
}
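Review bot: `strpos()` returns `0` when the separator is the first character and `false` when it is absent, and both are falsy, so `if (strpos($timestr, '.'))` treats a leading separator as not found and falls through to the next branch. Compare explicitly with `if (strpos($timestr, '.') !== false)`, and do the same for `'/'` and `'-'`. The branches also feed `list()` from `explode()` without checking that three parts came back. The rest of `guessTimestamp` lies outside the hunk, so whether the result is validated before it is bound as `wms_timestamp` cannot be seen here.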
@@ -101,51 +101,69 @@
#Update handling
-if(isset($_REQUEST['update_content']) && $_REQUEST['update_content'] == true)
-{
+if (isset($_REQUEST['update_content']) && $_REQUEST['update_content'] == true) {
- $update_wms_sql = "UPDATE wms SET " .
- "wms_title = '".$_REQUEST['wms_title_box']."', " .
- "wms_abstract = '".$_REQUEST['wms_abstract_box']."', " .
- "fees = '".$_REQUEST['fees_box']."', " .
- "accessconstraints = '".$_REQUEST['accessconstraints_box']."', " .
- "contactperson = '".$_REQUEST['contactperson_box']."', " .
- "contactposition = '".$_REQUEST['contactposition_box']."', " .
- "contactorganization = '".$_REQUEST['contactorganization_box']."', " .
- "address = '".$_REQUEST['address_box']."', " .
- "city = '".$_REQUEST['city_box']."', " .
- "stateorprovince = '".$_REQUEST['stateorprovince_box']."', " .
- "postcode = '".$_REQUEST['postcode_box']."', " .
- "country = '".$_REQUEST['country_box']."', " .
- "contactvoicetelephone = '".$_REQUEST['contactvoicetelephone_box']."', " .
- "contactfacsimiletelephone = '".$_REQUEST['contactfacsimiletelephone_box']."', " .
- "contactelectronicmailaddress = '".$_REQUEST['contactelectronicmailaddress_box']."'";
- if (isset($_REQUEST['wms_timestamp_box']) && $_REQUEST['wms_timestamp_box'] <> "")
- {
- $update_wms_sql .= ", " . "wms_timestamp = " .
- "'".guessTimestamp($_REQUEST['wms_timestamp_box'])."' ";
- }
- $update_wms_sql .= "WHERE wms_id = '".$_REQUEST['wms_id']."'";
- $res_update_wms_sql = db_query($update_wms_sql);
- while(list($key,$val) = each($_REQUEST))
+ $update_wms_sql = "UPDATE wms SET ";
+ $update_wms_sql .= "wms_title = $1, wms_abstract = $2, fees = $3, ";
+ $update_wms_sql .= "accessconstraints = $4, contactperson = $5, ";
+ $update_wms_sql .= "contactposition = $6, contactorganization = $7, ";
+ $update_wms_sql .= "address = $8, city = $9, stateorprovince = $10, ";
+ $update_wms_sql .= "postcode = $11, country = $12, ";
+ $update_wms_sql .= "contactvoicetelephone = $13, ";
+ $update_wms_sql .= "contactfacsimiletelephone = $14, ";
+ $update_wms_sql .= "contactelectronicmailaddress = $15 ";
+
+ $v = array();
+ array_push($v, $_REQUEST['wms_title_box']);
+ array_push($v, $_REQUEST['wms_abstract_box']);
+ array_push($v, $_REQUEST['fees_box']);
+ array_push($v, $_REQUEST['accessconstraints_box']);
+ array_push($v, $_REQUEST['contactperson_box']);
+ array_push($v, $_REQUEST['contactposition_box']);
+ array_push($v, $_REQUEST['contactorganization_box']);
+ array_push($v, $_REQUEST['address_box']);
+ array_push($v, $_REQUEST['city_box']);
+ array_push($v, $_REQUEST['stateorprovince_box']);
+ array_push($v, $_REQUEST['postcode_box']);
+ array_push($v, $_REQUEST['country_box']);
+ array_push($v, $_REQUEST['contactvoicetelephone_box']);
+ array_push($v, $_REQUEST['contactfacsimiletelephone_box']);
+ array_push($v, $_REQUEST['contactelectronicmailaddress_box']);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "s", "s", "s", "s", "s", "s", "s");
+
+ if (isset($_REQUEST['wms_timestamp_box']) && $_REQUEST['wms_timestamp_box'] <> "") {
+ $update_wms_sql .= ", wms_timestamp = $16 ";
+ array_push($v, guessTimestamp($_REQUEST['wms_timestamp_box']));
+ array_push($t, "s");
+
+ $update_wms_sql .= "WHERE wms_id = $17";
+ }
+ else {
+ $update_wms_sql .= "WHERE wms_id = $16";
+ }
+ array_push($v, $_REQUEST['wms_id']);
+ array_push($t, "s");
+
+ $res_update_wms_sql = db_prep_query($update_wms_sql, $v, $t);
+
+ while(list($key,$val) = each($_REQUEST))
{
if(preg_match("/___/", $key))
{
$myKey = explode("___", $key);
- $layer_id = str_replace("L_","",$myKey[0]);
- if($myKey[1]=="layer_abstract")
- {
- $layer_sql = "UPDATE layer SET layer_abstract = '$val' " .
- "WHERE layer_id = $layer_id AND fkey_wms_id = '".$_REQUEST['wms_id']."'";
- $res_keyword_sql = db_query($layer_sql);
+ $layer_id = preg_replace("/L_/","",$myKey[0]);
+ if($myKey[1]=="layer_abstract") {
+ $layer_sql = "UPDATE layer SET layer_abstract = $1 ";
+ $layer_sql .= "WHERE layer_id = $2 AND fkey_wms_id = $3";
+ $v = array($val, $layer_id, $_REQUEST['wms_id']);
+ $t = array("s", "i", "s");
+ $res_keyword_sql = db_prep_query($layer_sql, $v, $t);
}
- if($myKey[1]=="layer_keywords")
- {
+ if($myKey[1]=="layer_keywords") {
#Get all keywords depending on the given layer after user modification
$keywords = explode(",",$val);
#delete all blanks from the keywords list
- for($j = 0; $j < count($keywords); $j++)
- {
+ for ($j = 0; $j < count($keywords); $j++) {
$word = $keywords[$j];
$word = trim($word);
$keywords[$j] = $word;
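Review bot: The `UPDATE wms` is keyed only on `$_REQUEST['wms_id']`, so parameter binding stops injection but not an update of a record the caller does not own. The selection list later in this file filters on `wms_owner = $_SESSION["mb_user_id"]`, and the write should apply the same restriction unless a check exists outside the hunk. Appending `AND wms_owner = $N` to both `WHERE` variants and pushing `$_SESSION["mb_user_id"]` with type `"i"` would do it. The same applies to the `UPDATE layer ... AND fkey_wms_id = $3` inside the loop and to the `DELETE FROM layer_preview` hunk further down, which takes `layer_id` directly from the request. `$_REQUEST['update_content'] == true` is a loose comparison that any non-empty value satisfies.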
@@ -155,9 +173,12 @@
$keyword_sql = "SELECT keyword_id, keyword FROM keyword, layer_keyword, layer " .
"WHERE keyword.keyword_id = layer_keyword.fkey_keyword_id " .
"AND layer_keyword.fkey_layer_id = layer.layer_id " .
- "AND layer.fkey_wms_id = '".$_REQUEST['wms_id']."'" .
- "AND layer.layer_id = $layer_id";
- $res_keyword_sql = db_query($keyword_sql);
+ "AND layer.fkey_wms_id = $1 " .
+ "AND layer.layer_id = $2";
+
+ $v = array($_REQUEST['wms_id'], $layer_id);
+ $t = array("s", "i");
+ $res_keyword_sql = db_prep_query($keyword_sql, $v, $t);
while($keyword_row = db_fetch_array($res_keyword_sql))
{
$keyword = $keyword_row['keyword'];
@@ -171,19 +192,25 @@
#echo "1c: Keyword nicht in User Liste: Keyword: ", $keyword, ";<br>";
#Deleting reference to the keyword from the layer_keyword table.
$keyword_sql = "DELETE FROM layer_keyword " .
- "WHERE fkey_layer_id = $layer_id " .
- "AND fkey_keyword_id = $keyword_id";
- db_query($keyword_sql);
+ "WHERE fkey_layer_id = $1 " .
+ "AND fkey_keyword_id = $2";
+ $v = array($layer_id, $keyword_id);
+ $t = array("i", "i");
+ db_prep_query($keyword_sql, $v, $t);
#Checking, if the keyword is in use by any layer
$layer_sql = "SELECT * FROM layer_keyword " .
- "WHERE fkey_keyword_id = $keyword_id";
- $res_layer_sql = db_query($layer_sql);
+ "WHERE fkey_keyword_id = $1";
+ $v = array($keyword_id);
+ $t = array("i");
+ $res_layer_sql = db_prep_query($layer_sql, $v, $t);
if(!($row = db_fetch_array($res_layer_sql)))
{
#If keyword will not longer be in use, delete it from keyword table
$keyword_sql = "DELETE FROM keyword " .
- "WHERE keyword_id = $keyword_id";
- db_query($keyword_sql);
+ "WHERE keyword_id = $1";
+ $v = array($keyword_id);
+ $t = array("i");
+ db_prep_query($keyword_sql, $v, $t);
}
}
#Keyword exists in the database and in the user data
@@ -211,8 +238,10 @@
$keyword = trim($keywords[$i]);
#Check, if the keyword is exsiting in the database
$keyword_sql = "SELECT keyword_id FROM keyword " .
- "WHERE UPPER(keyword) = UPPER('$keyword')";
- $res_keyword_sql = db_query($keyword_sql);
+ "WHERE UPPER(keyword) = UPPER($1)";
+ $v = array($keyword);
+ $t = array("s");
+ $res_keyword_sql = db_prep_query($keyword_sql, $v, $t);
$keyword_row = db_fetch_array($res_keyword_sql);
#Keyword exists in the database
if($keyword_row != null)
@@ -223,10 +252,15 @@
#Keyword does not exist in the database
else
{
- $keyword_sql = "INSERT INTO keyword (keyword) VALUES ('$keyword')";
- $res_keyword_sql = db_query($keyword_sql);
- $keyword_sql = "SELECT keyword_id FROM keyword WHERE keyword = '$keyword'";
- $res_keyword_sql = db_query($keyword_sql);
+ $keyword_sql = "INSERT INTO keyword (keyword) VALUES ($1)";
+ $v = array($keyword);
+ $t = array("s");
+ $res_keyword_sql = db_prep_query($keyword_sql, $v, $t);
+
+ $keyword_sql = "SELECT keyword_id FROM keyword WHERE keyword = $1";
+ $v = array($keyword);
+ $t = array("s");
+ $res_keyword_sql = db_prep_query($keyword_sql, $v, $t);
$keyword_row = db_fetch_array($res_keyword_sql);
if($keyword_row != null)
{
@@ -236,8 +270,10 @@
}
#Inserting the reference between layer and keyword in the layer_keyword table
$keyword_sql = "INSERT INTO layer_keyword (fkey_layer_id, fkey_keyword_id) " .
- "VALUES ('$layer_id', '$keyword_id')";
- $res_keyword_sql = db_query($keyword_sql);
+ "VALUES ($1, $2)";
+ $v = array($layer_id, $keyword_id);
+ $t = array("s", "s");
+ $res_keyword_sql = db_prep_query($keyword_sql, $v, $t);
}
}
#Delete all elements from array
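Review bot: `layer_id` and `keyword_id` are bound here with types `"s", "s"`, while the `DELETE FROM layer_keyword` a few hunks earlier binds the same two columns as `"i", "i"`. What `db_prep_query` does with the type letters is not visible in this diff, but if `"i"` enforces an integer the insert loses that check. `$t = array("i", "i");` would keep the two statements consistent.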
@@ -253,8 +289,10 @@
if(isset($_REQUEST['delete_preview']) && $_REQUEST['delete_preview']=='1'
&& isset($_REQUEST['layer_id']))
{
- $preview_sql = "DELETE FROM layer_preview WHERE fkey_layer_id = ".$_REQUEST['layer_id']."";
- $res_preview_sql = db_query($preview_sql);
+ $preview_sql = "DELETE FROM layer_preview WHERE fkey_layer_id = $1";
+ $v = array($_REQUEST['layer_id']);
+ $t = array("s");
+ $res_preview_sql = db_prep_query($preview_sql, $v, $t);
die("Preview has been deleted!</body></html>");
}
?>
@@ -277,8 +315,10 @@
{
#Querying information from wms data table
- $wms_sql = "SELECT wms_id, wms_title FROM wms WHERE wms_owner = ".$_SESSION["mb_user_id"]. " ORDER BY wms_title";
- $res_wms_sql = db_query($wms_sql);
+ $wms_sql = "SELECT wms_id, wms_title FROM wms WHERE wms_owner = $1 ORDER BY wms_title";
+ $v = array($_SESSION["mb_user_id"]);
+ $t = array("i");
+ $res_wms_sql = db_prep_query($wms_sql, $v, $t);
#wms-selection
$selectBox = "";
@@ -321,8 +361,10 @@
if(isset($wms_id) == true && $wms_id <>0)
{
- $selected_wms_sql = "SELECT * FROM wms WHERE wms_id = '".$wms_id."'";
- $res_selected_wms_sql = db_query($selected_wms_sql);
+ $selected_wms_sql = "SELECT * FROM wms WHERE wms_id = $1";
+ $v = array($wms_id);
+ $t = array("s");
+ $res_selected_wms_sql = db_prep_query($selected_wms_sql, $v, $t);
$selected_row = db_fetch_array($res_selected_wms_sql);
?>
@@ -400,9 +442,11 @@
<?php
- $layer_sql = "SELECT * FROM layer WHERE layer.fkey_wms_id = '".$wms_id."'" .
+ $layer_sql = "SELECT * FROM layer WHERE layer.fkey_wms_id = $1" .
" ORDER BY layer_pos";
- $res_layer_sql = db_query($layer_sql);
+ $v = array($wms_id);
+ $t = array("s");
+ $res_layer_sql = db_prep_query($layer_sql, $v, $t);
while($layer_row = db_fetch_array($res_layer_sql))
{
@@ -419,9 +463,11 @@
$keyword_sql = "SELECT keyword FROM keyword, layer_keyword, layer " .
"WHERE keyword.keyword_id = layer_keyword.fkey_keyword_id " .
"AND layer_keyword.fkey_layer_id = layer.layer_id " .
- "AND layer.fkey_wms_id = '".$wms_id."' " .
- "AND layer.layer_id = ".$layer_row['layer_id']."";
- $res_keyword_sql = db_query($keyword_sql);
+ "AND layer.fkey_wms_id = $1 " .
+ "AND layer.layer_id = $2";
+ $v = array($wms_id, $layer_row['layer_id']);
+ $t = array("s", "i");
+ $res_keyword_sql = db_prep_query($keyword_sql, $v, $t);
$keywordList = "";
$seperator = "";
while($keyword_row = db_fetch_array($res_keyword_sql))
Modified: tags/2.4.4_su/http/php/mod_edit_element_vars.php
===================================================================
--- tags/2.4.4/http/php/mod_edit_element_vars.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_edit_element_vars.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -110,13 +110,20 @@
<?php
# handle database updates etc.....
if(isset($mySave) && $mySave == '1'){
- if($SYS_DBTYPE=='pgsql'){
- $sql[0] = "SET AUTOCOMMIT=1;";}
- else{
- $sql[0] = "SET AUTOCOMMIT=0;shit happens";
- }
- $sql[1] = "BEGIN;";
- $sql[2] = "DELETE FROM gui_element_vars WHERE fkey_e_id = '".$e_id."' AND fkey_gui_id = '".$guiList1."' and ....";
+ if ($SYS_DBTYPE=='pgsql') {
+ $sql[0] = "SET AUTOCOMMIT=1;";
+ }
+ else {
+ $sql[0] = "SET AUTOCOMMIT=0;shit happens";
+ }
+ $v[0] = array();
+ $t[0] = array();
+ $sql[1] = "BEGIN;";
+ $v[1] = array();
+ $t[1] = array();
+ $sql[2] = "DELETE FROM gui_element_vars WHERE fkey_e_id = $1 AND fkey_gui_id = $2";
+ $v[2] = array($e_id, $guiList1);
+ $t[2] = array("s", "s");
if($e_left < 1){$e_left = "NULL";}
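Review bot: The non-pgsql branch still sets `$sql[0] = "SET AUTOCOMMIT=0;shit happens";`, which is not valid SQL and is now sent through `db_prep_query` like the other statements. If the branch is meant to run, it should be `$sql[0] = "SET AUTOCOMMIT=0";`; if it is a deliberate placeholder, a comment saying so and an early error would be clearer than a statement that fails at the database. The condition tests the variable `$SYS_DBTYPE`, whereas `mod_changeEPSG.php` in this same commit tests the constant `SYS_DBTYPE`, so it is worth confirming which one is actually defined.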
@@ -124,25 +131,32 @@
if($e_width < 1){$e_width = "NULL";}
if($e_height < 1){$e_height = "NULL";}
if($e_z_index < 1){$e_z_index = "NULL";}
- $sql[3] = "INSERT INTO gui_element_vars(fkey_gui_id,e_id,e_pos,e_public,e_comment,e_element,e_src,e_attributes,e_left,e_top,e_width,e_height,e_z_index,e_more_styles,e_content,e_closetag,e_js_file,e_mb_mod,e_target,e_requires) ";
- $sql[3] .= "VALUES ('".$guiList1."','".$e_id."','".$e_pos."','".$e_public."','".db_escape_string($e_comment)."','".$e_element."','".$e_src."','".db_escape_string($e_attributes)."',".$e_left.",".$e_top.",".$e_width.",".$e_height.",".$e_z_index.",'".$e_more_styles."','".$e_content."','".$e_closetag."','".$e_js_file."','".$e_mb_mod."','".$e_target."','".$e_requires."')";
+ $sql[3] = "INSERT INTO gui_element_vars ";
+ $sql[3] .= "(fkey_gui_id, e_id, e_pos, e_public, e_comment, e_element, e_src, ";
+ $sql[3] .= "e_attributes, e_left, e_top, e_width, e_height, e_z_index, ";
+ $sql[3] .= "e_more_styles, e_content, e_closetag, e_js_file, e_mb_mod, e_target, ";
+ $sql[3] .= "e_requires) ";
+ $sql[3] .= "VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20)";
+ $v[3] = array($guiList1, $e_id, $e_pos, $e_public, db_escape_string($e_comment), $e_element, $e_src, db_escape_string($e_attributes), $e_left, $e_top, $e_width, $e_height, $e_z_index, $e_more_styles, $e_content, $e_closetag, $e_js_file, $e_mb_mod, $e_target, $e_requires);
+ $t[3] = array("s", "s", "i", "s", "s", "s", "s", "s", "i", "i", "i", "i", "i", "s", "s", "s", "s", "s", "s", "s");
#echo $sql[3];
- foreach ($sql as $mysql){
- $res = db_query($mysql);
- if(!$res){echo $mysql; break;}
+ for ($i = 0; $i < count($sql); $i++) {
+ $res = db_prep_query($sql[$i], $v[$i], $t[$i]);
}
if($res){
- $res = db_query( "COMMIT");
+ $res = db_query( "COMMIT");
$res = db_query( "SET AUTOCOMMIT=1");
}
else{
$res = db_query( "ROLLBACK");
$res = db_query( "SET AUTOCOMMIT=1");
}
- }
+}
if(isset($myDelete) && $myDelete == '1'){
- $sql = "DELETE FROM gui_element_vars WHERE fkey_e_id = '".$e_id."' AND fkey_gui_id = '".$guiList1."' AND var_name='".$var_name."'";
- $res = db_query($sql);
+ $sql = "DELETE FROM gui_element_vars WHERE fkey_e_id = $1 AND fkey_gui_id = $2 AND var_name= $3";
+ $v = array($e_id, $guiList1, $var_name);
+ $t = array("s", "s", "s");
+ $res = db_prep_query($sql, $v, $t);
$e_id = ""; $e_pos = ""; $e_public = ""; $e_comment = ""; $e_element = "";
$e_src = ""; $e_attributes = ""; $e_left = ""; $e_top = ""; $e_width = ""; $e_height = ""; $e_z_index = "";
$e_more_styles = ""; $e_content = ""; $e_closetag = ""; $e_js_file = ""; $e_mb_mod = ""; $e_target = ""; $e_requires = "";
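Review bot: `db_escape_string($e_comment)` and `db_escape_string($e_attributes)` are still applied inside `$v[3]`, but bound parameters need no escaping, so the stored text will presumably carry the extra escape characters; pass `$e_comment` and `$e_attributes` unchanged. The `"NULL"` placeholders assigned to `$e_left` through `$e_z_index` just above were SQL keywords when interpolated, whereas as `"i"` parameters they are the string `NULL`; use PHP `null` if `db_prep_query` maps it to SQL NULL, which is not visible here. The new `for` loop also dropped the `if(!$res){...; break;}`, so `$res` reflects only the last statement and an earlier failure no longer leads to `ROLLBACK`. Restoring `if (!$res) { break; }` inside the loop keeps the old behaviour.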
@@ -154,24 +168,37 @@
echo "</script>";
}
if(isset($all) && $all == '1'){
- $sql = "SELECT * FROM gui_element_vars WHERE fkey_gui_id = '".$guiList2."' AND fkey_e_id = '".$e_id."' and var_name='".$var_name."' ;";
- $res = db_query($sql);
+ $sql = "SELECT * FROM gui_element_vars WHERE fkey_gui_id = $1 AND fkey_e_id = $2 and var_name= $3;";
+ $v = array($guiList2, $e_id, $var_name);
+ $t = array("s", "s", "s");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while(db_fetch_row($res)){
- $sql_del = "DELETE FROM gui_element_vars WHERE fkey_gui_id = '".$guiList1."' AND fkey_e_id = '".db_result($res,$cnt,"fkey_e_id")."' and var_name='".$var_name."' ";
- $res_del = db_query($sql_del);
+ $sql_del = "DELETE FROM gui_element_vars WHERE fkey_gui_id = $1 AND fkey_e_id = $2 and var_name= $3";
+ $v = array($guiList1, db_result($res,$cnt,"fkey_e_id"), $var_name);
+ $t = array("s", "s", "s");
+ $res_del = db_prep_query($sql_del, $v, $t);
if(db_result($res,$cnt,"e_left") == ""){$myleft = 'NULL';} else{$myleft = db_result($res,$cnt,"e_left");}
if(db_result($res,$cnt,"e_top") == ""){$mytop = 'NULL';} else{$mytop = db_result($res,$cnt,"e_top");}
if(db_result($res,$cnt,"e_width") == ""){$mywidth = 'NULL';} else{$mywidth = db_result($res,$cnt,"e_width");}
if(db_result($res,$cnt,"e_height") == ""){$myheight = 'NULL';} else{$myheight = db_result($res,$cnt,"e_height");}
if(db_result($res,$cnt,"e_z_index") == ""){$my_z_index = 'NULL';} else{$my_z_index = db_result($res,$cnt,"e_z_index");}
- $sql_ins = "INSERT INTO gui_element_vars(fkey_gui_id,e_id,e_pos,e_public,e_comment,e_element,e_src,e_attributes,e_left,e_top,e_width,e_height,e_z_index,e_more_styles,e_content,e_closetag,e_js_file,e_mb_mod,e_target,e_requires) ";
- $sql_ins .= "VALUES ('".$guiList1."','".db_result($res,$cnt,"e_id")."','".db_result($res,$cnt,"e_pos")."','".db_result($res,$cnt,"e_public")."','".db_escape_string(db_result($res,$cnt,"e_comment"))."','".db_result($res,$cnt,"e_element")."','".db_result($res,$cnt,"e_src")."','".db_escape_string(db_result($res,$cnt,"e_attributes"))."',".$myleft.",";
- $sql_ins .= $mytop.",".$mywidth.",".$myheight.",".$my_z_index.",'".db_result($res,$cnt,"e_more_styles")."','".db_escape_string(db_result($res,$cnt,"e_content"))."','".db_result($res,$cnt,"e_closetag")."','".db_result($res,$cnt,"e_js_file")."','".db_result($res,$cnt,"e_mb_mod")."','".db_result($res,$cnt,"e_target")."','".db_result($res,$cnt,"e_requires")."')";
+ $sql_ins = "INSERT INTO gui_element_vars ";
+ $sql_ins .= "(fkey_gui_id, e_id, e_pos,e_public, e_comment, e_element, ";
+ $sql_ins .= "e_src, e_attributes, e_left, e_top, e_width, e_height, ";
+ $sql_ins .= "e_z_index, e_more_styles, e_content, e_closetag, e_js_file, ";
+ $sql_ins .= "e_mb_mod, e_target, e_requires) ";
+ $sql_ins .= "VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, ";
+ $sql_ins .= "$10, $11, $12, $13, $14, $15, $16, $17, $18, ";
+ $sql_ins .= "$19, $20)";
+ $v = array($guiList1, db_result($res,$cnt,"e_id"), db_result($res,$cnt,"e_pos"), db_result($res,$cnt,"e_public"), db_escape_string(db_result($res,$cnt,"e_comment")), db_result($res,$cnt,"e_element"), db_result($res,$cnt,"e_src"), db_escape_string(db_result($res,$cnt,"e_attributes")), $myleft, $mytop, $mywidth, $myheight, $my_z_index, db_result($res,$cnt,"e_more_styles"), db_escape_string(db_result($res,$cnt,"e_content")), db_result($res,$cnt,"e_closetag"), db_result($res,$cnt,"e_js_file"), db_result($res,$cnt,"e_mb_mod"), db_result($res,$cnt,"e_target"), db_result($res,$cnt,"e_requires"));
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "i", "i", "i", "i", "i", "s", "s", "s", "s", "s", "s", "s");
- $res_ins = db_query($sql_ins);
- if(!$res_ins){echo db_error($connect); }
+ $res_ins = db_prep_query($sql_ins, $v, $t);
+ if (!$res_ins) {
+ echo db_error($connect);
+ }
$cnt++;
}
}
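Review bot: `$myleft`, `$mytop`, `$mywidth`, `$myheight` and `$my_z_index` are still set to the string `'NULL'` when the source column is empty, but they are now bound as values with type `"i"` instead of being spliced into the SQL text. A bound `'NULL'` is a five-character string, not SQL NULL, so depending on how `db_prep_query` handles it (not visible here) the INSERT either fails on the integer columns or stores 0. Use a real null for the bound value, e.g. `if(db_result($res,$cnt,"e_left") == ""){$myleft = null;}`, and confirm the helper passes PHP `null` through as NULL. The same sentinel is bound in mod_edit_metadata.php, both for `$e_left` … `$e_z_index` in `$v[3]` and for `$myleft` … `$my_z_index` in the copy loop.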
@@ -179,8 +206,10 @@
echo "<script language='javascript'>";
echo "var varIDs = new Array();";
if(isset($guiList1)){
- $sql = "SELECT var_name FROM gui_element_vars WHERE fkey_gui_id = '".$guiList1."' AND fkey_e_id = '".$e_id."'";
- $res = db_query($sql);
+ $sql = "SELECT var_name FROM gui_element_vars WHERE fkey_gui_id = $1 AND fkey_e_id = $2";
+ $v = array($guiList1, $e_id);
+ $t = array("s", "s");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while(db_fetch_row($res)){
echo "varIDs[".$cnt."] = '".db_result($res,$cnt,"var_name")."'; ";
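Review bot: `db_result($res,$cnt,"var_name")` is written straight into a single-quoted JavaScript string, so a stored `var_name` containing a quote or markup alters the script the page emits; the commit parameterises the query above but leaves this output path as it was. Encoding for the JavaScript context, e.g. `echo "varIDs[".$cnt."] = ".json_encode(db_result($res,$cnt,"var_name"))."; ";` (needs PHP 5.2 or later), closes that. The `guiIDs[...]` line in mod_edit_metadata.php follows the same pattern, and the form rows built as `value='".db_result(...)."'` in both files need `htmlspecialchars(..., ENT_QUOTES)`. The `while` loop continues past the end of this hunk.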
@@ -284,8 +313,10 @@
if(isset($guiList1)){
echo "<div class='guiList2_header'>Templates</div>";
- $sql = "SELECT * FROM gui_element_vars WHERE fkey_gui_id = '".$guiList1."' AND fkey_e_id='".$e_id."'";
- $res = db_query($sql);
+ $sql = "SELECT * FROM gui_element_vars WHERE fkey_gui_id = $1 AND fkey_e_id = $2";
+ $v = array($guiList1, $e_id);
+ $t = array("s", "s");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
echo "<div class='myElements'><table>";
while($row = db_fetch_array($res)){
@@ -303,9 +334,11 @@
#Formular:
echo "<table class='myForm'>";
if(isset($guiList1) && isset($var_name)){
- $sql = "SELECT * FROM gui_element_vars WHERE fkey_gui_id = '".$guiList1."' AND fkey_e_id = '".$e_id."' AND var_name='".$var_name."'";
+ $sql = "SELECT * FROM gui_element_vars WHERE fkey_gui_id = $1 AND fkey_e_id = '".$e_id."' AND var_name = $2";
+ $v = array($guiList1, $var_name);
+ $t = array("s", "s");
//echo $sql;
- $res = db_query($sql);
+ $res = db_prep_query($sql, $v, $t);
if($row = db_fetch_array($res)){
echo "<tr><td>ID: </td><td><input type='text' class='textfield' readonly name='e_id' value='".$e_id."'></td></tr>";
echo "<tr><td>Var Type: </td><td><input type='text' class='textfield' name='type' value='".$row["type"]."'></td></tr>";
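Review bot: The rewritten SELECT still concatenates `$e_id` into the statement (`fkey_e_id = '".$e_id."'`), so this query is only partly parameterised while every sibling query in the file binds it. Bind it like the others: `$sql = "SELECT * FROM gui_element_vars WHERE fkey_gui_id = $1 AND fkey_e_id = $2 AND var_name = $3";`, `$v = array($guiList1, $e_id, $var_name);`, `$t = array("s", "s", "s");`. The `if` block opened here continues outside the hunk.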
Modified: tags/2.4.4_su/http/php/mod_edit_metadata.php
===================================================================
--- tags/2.4.4/http/php/mod_edit_metadata.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_edit_metadata.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -112,45 +112,71 @@
# handle database updates etc.....
if(isset($mySave) && ($mySave == '1' || $mySave == '2')) {
if ($mySave == '1'){
- $sql_vars = "SELECT * FROM gui_element_vars WHERE fkey_e_id = '".$e_id."' AND fkey_gui_id = '".$guiList1."'";
- $res_vars = db_query($sql_vars);
+ $sql_vars = "SELECT * FROM gui_element_vars WHERE fkey_e_id = $1 AND fkey_gui_id = $2";
+ $v = array($e_id, $guiList1);
+ $t = array("s", "s");
+ $res_vars = db_prep_query($sql_vars, $v, $t);
//$rows = db_fetch_array($res_vars);
- if($SYS_DBTYPE=='pgsql')
- {
- $sql[0] = "SET AUTOCOMMIT=1";
- }
- else
- {
- $sql[0] = "SET AUTOCOMMIT=0";
- }
- $sql[1] = "BEGIN";
- $sql[2] = "DELETE FROM gui_element WHERE e_id = '".$e_id."' AND fkey_gui_id = '".$guiList1."'";
+ $sql = array();
+ $v = array();
+ $t = array();
+ if ($SYS_DBTYPE == "pgsql") {
+ $sql[0] = "SET AUTOCOMMIT=1";
+ $v[0] = array();
+ $t[0] = array();
+ }
+ else {
+ $sql[0] = "SET AUTOCOMMIT=0";
+ $v[0] = array();
+ $t[0] = array();
+ }
+ $sql[1] = "BEGIN";
+ $v[1] = array();
+ $t[1] = array();
+
+ $sql[2] = "DELETE FROM gui_element WHERE e_id = $1 AND fkey_gui_id = $2";
+ $v[2] = array($e_id, $guiList1);
+ $t[2] = array("s", "s");
-
if($e_left < 1){$e_left = "NULL";}
if($e_top < 1){$e_top = "NULL";}
if($e_width < 1){$e_width = "NULL";}
if($e_height < 1){$e_height = "NULL";}
if($e_z_index < 1){$e_z_index = "NULL";}
- $sql[3] = "INSERT INTO gui_element(fkey_gui_id,e_id,e_pos,e_public,e_comment,e_element,e_src,e_attributes,e_left,e_top,e_width,e_height,e_z_index,e_more_styles,e_content,e_closetag,e_js_file,e_mb_mod,e_target,e_requires) ";
- $sql[3] .= "VALUES ('".$guiList1."','".$e_id."','".$e_pos."','".$e_public."','".db_escape_string($e_comment)."','".$e_element."','".$e_src."','".db_escape_string($e_attributes)."',".$e_left.",".$e_top.",".$e_width.",".$e_height.",".$e_z_index.",'".$e_more_styles."','".db_escape_string($e_content)."','".$e_closetag."','".$e_js_file."','".$e_mb_mod."','".$e_target."','".$e_requires."')";
-
+ $sql[3] = "INSERT INTO gui_element (fkey_gui_id, e_id, e_pos, e_public, ";
+ $sql[3] .= "e_comment, e_element, e_src, e_attributes, e_left, e_top, ";
+ $sql[3] .= "e_width, e_height, e_z_index, e_more_styles, e_content, ";
+ $sql[3] .= "e_closetag, e_js_file, e_mb_mod, e_target, e_requires) ";
+ $sql[3] .= "VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, ";
+ $sql[3] .= "$13, $14, $15, $16, $17, $18, $19, $20)";
+ $v[3] = array($guiList1, $e_id, $e_pos, $e_public, db_escape_string($e_comment), $e_element, $e_src, db_escape_string($e_attributes), $e_left, $e_top, $e_width, $e_height, $e_z_index, $e_more_styles, db_escape_string($e_content), $e_closetag, $e_js_file, $e_mb_mod, $e_target, $e_requires);
+ $t[3] = array("s", "s", "s", "s", "s", "s", "s", "s", "i", "i", "i", "i", "i", "s", "s", "s", "s", "s", "s", "s");
}
# mySave == 2 <=> just save GUI description
elseif ($mySave == '2') {
- if($SYS_DBTYPE=='pgsql')
- {
- $sql[0] = "SET AUTOCOMMIT=1";
- }
- else
- {
- $sql[0] = "SET AUTOCOMMIT=0";
+ $sql = array();
+ $v = array();
+ $t = array();
+ if ($SYS_DBTYPE == "pgsql") {
+ $sql[0] = "SET AUTOCOMMIT=1";
+ $v[0] = array();
+ $t[0] = array();
}
- $sql[1] = "BEGIN";
- $sql[3] = "UPDATE gui SET gui_description = '". $guiDesc."' WHERE gui_id ='".$guiId."'";
- }
- foreach ($sql as $mysql){
- $res = db_query($mysql);
+ else {
+ $sql[0] = "SET AUTOCOMMIT=0";
+ $v[0] = array();
+ $t[0] = array();
+ }
+ $sql[1] = "BEGIN";
+ $v[1] = array();
+ $t[1] = array();
+
+ $sql[2] = "UPDATE gui SET gui_description = $1 WHERE gui_id = $2";
+ $v[2] = array($guiDesc, $guiId);
+ $t[2] = array("s", "s");
+ }
+ for ($i = 0; $i < count($sql); $i++) {
+ $res = db_prep_query($sql[$i], $v[$i], $t[$i]);
if(!$res){break;}
}
if($res){
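Review bot: `$v[3]` still wraps `$e_comment`, `$e_attributes` and `$e_content` in `db_escape_string()` although they are now passed as bound values. Assuming `db_prep_query` binds its values rather than interpolating them, the escape characters are stored literally, so saved text picks up doubled quotes or backslashes on every save. Pass the raw variables in the array (`..., $e_public, $e_comment, $e_element, $e_src, $e_attributes, ...`). The same applies to the `$v` arrays for `$sql_ins` and `$sql_ins2` later in this file and to the `$sql_ins` values in mod_edit_element_vars.php.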
@@ -161,19 +187,25 @@
$res = db_query( "ROLLBACK");
$res = db_query( "SET AUTOCOMMIT=1");
}
- if(isset($sql_vars)){//sicherstellen das keine Element_Vars gelöscht wurden
+ if(isset($sql_vars)){//sicherstellen das keine Element_Vars gel�scht wurden
while($row = db_fetch_array($res_vars)){
- $securesql = "INSERT INTO gui_element_vars (fkey_gui_id,fkey_e_id,var_name,var_value,context,type) VALUES ('".$guiList1."','".$e_id."','".$row["var_name"]."','".$row["var_value"]."','".$row["context"]."','".$row["type"]."');";
- //echo $securesql."<BR>";
- $secureinsert = db_query($securesql);
- }
- }
+ $securesql = "INSERT INTO gui_element_vars (fkey_gui_id, ";
+ $securesql .= "fkey_e_id, var_name, var_value, context,type) ";
+ $securesql .= "VALUES ($1, $2, $3, $4, $5, $6)";
+ $v = array($guiList1, $e_id, $row["var_name"], $row["var_value"], $row["context"], $row["type"]);
+ $t = array("s", "s", "s", "s", "s", "s");
+ //echo $securesql."<BR>";
+ $secureinsert = db_prep_query($securesql, $v, $t);
+ }
+ }
if(!$res){break;}
}
if(isset($myDelete) && $myDelete == '1'){
- $sql = "DELETE FROM gui_element WHERE e_id = '".$e_id."' AND fkey_gui_id = '".$guiList1."'";
- $res = db_query($sql);
+ $sql = "DELETE FROM gui_element WHERE e_id = $1 AND fkey_gui_id = $2";
+ $v = array($e_id, $guiList1);
+ $t = array("s", "s");
+ $res = db_prep_query($sql, $v, $t);
$e_id = ""; $e_pos = ""; $e_public = ""; $e_comment = ""; $e_element = "";
$e_src = ""; $e_attributes = ""; $e_left = ""; $e_top = ""; $e_width = ""; $e_height = ""; $e_z_index = "";
$e_more_styles = ""; $e_content = ""; $e_closetag = ""; $e_js_file = ""; $e_mb_mod = ""; $e_target = ""; $e_requires = "";
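Review bot: `$secureinsert` is assigned from `db_prep_query` inside the `while` loop and never inspected, so a failed re-insert of an element var goes unnoticed. The loop also runs after the `ROLLBACK` / `SET AUTOCOMMIT=1` branch at the top of the hunk, i.e. outside the transaction, so it cannot be rolled back together with the element delete and insert. Check the result in the loop, or move these inserts into the `$sql`/`$v`/`$t` batch so they commit or roll back with the rest. The enclosing `if(isset($mySave) ...)` block starts in the previous hunk.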
@@ -185,33 +217,47 @@
echo "</script>";
}
if(isset($all) && $all == '1'){
- $sql = "SELECT * FROM gui_element WHERE fkey_gui_id = '".$guiList2."'";
- $res = db_query($sql);
+ $sql = "SELECT * FROM gui_element WHERE fkey_gui_id = $1";
+ $v = array($guiList2);
+ $t = array("s");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while(db_fetch_row($res)){
- $sql_del = "DELETE FROM gui_element WHERE fkey_gui_id = '".$guiList1."' AND e_id = '".db_result($res,$cnt,"e_id")."'";
- $res_del = db_query($sql_del);
+ $sql_del = "DELETE FROM gui_element WHERE fkey_gui_id = $1 AND e_id = $2";
+ $v = array($guiList1, db_result($res,$cnt,"e_id"));
+ $t = array("s", "s");
+ $res_del = db_prep_query($sql_del, $v, $t);
if(db_result($res,$cnt,"e_left") == ""){$myleft = 'NULL';} else{$myleft = db_result($res,$cnt,"e_left");}
if(db_result($res,$cnt,"e_top") == ""){$mytop = 'NULL';} else{$mytop = db_result($res,$cnt,"e_top");}
if(db_result($res,$cnt,"e_width") == ""){$mywidth = 'NULL';} else{$mywidth = db_result($res,$cnt,"e_width");}
if(db_result($res,$cnt,"e_height") == ""){$myheight = 'NULL';} else{$myheight = db_result($res,$cnt,"e_height");}
if(db_result($res,$cnt,"e_z_index") == ""){$my_z_index = 'NULL';} else{$my_z_index = db_result($res,$cnt,"e_z_index");}
- $sql_ins = "INSERT INTO gui_element(fkey_gui_id,e_id,e_pos,e_public,e_comment,e_element,e_src,e_attributes,e_left,e_top,e_width,e_height,e_z_index,e_more_styles,e_content,e_closetag,e_js_file,e_mb_mod,e_target,e_requires) ";
- $sql_ins .= "VALUES ('".$guiList1."','".db_result($res,$cnt,"e_id")."','".db_result($res,$cnt,"e_pos")."','".db_result($res,$cnt,"e_public")."','".db_escape_string(db_result($res,$cnt,"e_comment"))."','".db_result($res,$cnt,"e_element")."','".db_result($res,$cnt,"e_src")."','".db_escape_string(db_result($res,$cnt,"e_attributes"))."',".$myleft.",";
- $sql_ins .= $mytop.",".$mywidth.",".$myheight.",".$my_z_index.",'".db_result($res,$cnt,"e_more_styles")."','".db_escape_string(db_result($res,$cnt,"e_content"))."','".db_result($res,$cnt,"e_closetag")."','".db_result($res,$cnt,"e_js_file")."','".db_result($res,$cnt,"e_mb_mod")."','".db_result($res,$cnt,"e_target")."','".db_result($res,$cnt,"e_requires")."')";
-
- $res_ins = db_query($sql_ins);
+ $sql_ins = "INSERT INTO gui_element (fkey_gui_id, e_id, e_pos, e_public, ";
+ $sql_ins .= "e_comment, e_element, e_src, e_attributes, e_left, e_top, ";
+ $sql_ins .= "e_width, e_height, e_z_index, e_more_styles, e_content, ";
+ $sql_ins .= "e_closetag, e_js_file, e_mb_mod, e_target, e_requires) ";
+ $sql_ins .= "VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, ";
+ $sql_ins .= "$10, $11, $12, $13, $14, $15, $16, $17, $18, $19);";
+ $v = array($guiList1, db_result($res,$cnt,"e_id"), db_result($res,$cnt,"e_pos"), db_result($res,$cnt,"e_public"), db_escape_string(db_result($res,$cnt,"e_comment")), db_result($res,$cnt,"e_element"), db_result($res,$cnt,"e_src"), db_escape_string(db_result($res,$cnt,"e_attributes")), $myleft, $mytop, $mywidth, $myheight, $my_z_index, db_result($res,$cnt,"e_more_styles"), db_escape_string(db_result($res,$cnt,"e_content")), db_result($res,$cnt,"e_closetag"), db_result($res,$cnt,"e_js_file"), db_result($res,$cnt,"e_mb_mod"), db_result($res,$cnt,"e_target"), db_result($res,$cnt,"e_requires"));
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "i", "i", "i", "i", "i", "s", "s", "s", "s", "s", "s", "s");
+
+ $res_ins = db_prep_query($sql_ins, $v, $t);
if(!$res_ins){echo db_error($con); }
$cnt++;
}
- $sql = "SELECT * FROM gui_element_vars WHERE fkey_gui_id = '".$guiList2."'";
- $res = db_query($sql);
+ $sql = "SELECT * FROM gui_element_vars WHERE fkey_gui_id = $1";
+ $v = array($guiList2);
+ $t = array("s");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while(db_fetch_row($res)){
- $sql_ins2 = "INSERT INTO gui_element_vars(fkey_gui_id,fkey_e_id,var_name,var_value,context,type) ";
- $sql_ins2 .= "VALUES ('".$guiList1."','".db_result($res,$cnt,"fkey_e_id")."','".db_result($res,$cnt,"var_name")."','".db_escape_string(db_result($res,$cnt,"var_value"))."','".db_escape_string(db_result($res,$cnt,"context"))."','".db_result($res,$cnt,"type")."')";
- $res_ins2 = db_query($sql_ins2);
+ $sql_ins2 = "INSERT INTO gui_element_vars (fkey_gui_id, fkey_e_id, ";
+ $sql_ins2 .= "var_name, var_value, context, type) VALUES (";
+ $sql_ins2 .= "$1, $2, $3, $4, $5, $6);";
+ $v = array($guiList1, db_result($res,$cnt,"fkey_e_id"), db_result($res,$cnt,"var_name"), db_escape_string(db_result($res,$cnt,"var_value")), db_escape_string(db_result($res,$cnt,"context")), db_result($res,$cnt,"type"));
+ $t = array("s", "s", "s", "s", "s", "s");
+ $res_ins2 = db_prep_query($sql_ins2, $v, $t);
if(!$res_ins2){echo db_error($connect); }
$cnt++;
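Review bot: The new `$sql_ins` names 20 columns and `$v`/`$t` carry 20 entries, but the VALUES list stops at `$19`, so the statement has one placeholder too few and the copy of `gui_element` rows will fail. The last line should read `$sql_ins .= "$10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20);";`. The error paths also disagree on the handle (`db_error($con)` for `$res_ins`, `db_error($connect)` for `$res_ins2`); one of them is probably undefined in this scope and should be aligned with the other.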
@@ -223,8 +269,10 @@
echo "<script language='javascript'>";
echo "var guiIDs = new Array();";
if(isset($guiList1)){
- $sql = "SELECT e_id FROM gui_element WHERE fkey_gui_id = '".$guiList1."'";
- $res = db_query($sql);
+ $sql = "SELECT e_id FROM gui_element WHERE fkey_gui_id = $1";
+ $v = array($guiList1);
+ $t = array("s");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while(db_fetch_row($res)){
echo "guiIDs[".$cnt."] = '".db_result($res,$cnt,"e_id")."'; ";
@@ -313,14 +361,20 @@
$permguis = $admin->getGuisByPermission($_SESSION["mb_user_id"],true);
echo "<form name='form1' action='" . $PHP_SELF . "?".SID."' method='post'>\n";
-$sql = "SELECT * from gui WHERE gui.gui_id IN(";
-for($i=0; $i<count($ownguis); $i++){
- if($i>0){ $sql .= ",";}
- $sql .= "'".$ownguis[$i]."'";
+$sql = "SELECT * from gui WHERE gui.gui_id IN (";
+$v = $ownguis;
+$t = array();
+
+for ($i = 1; $i <= count($ownguis); $i++) {
+ if ($i > 1) {
+ $sql .= ",";
+ }
+ $sql .= "$" . $i;
+ array_push($t, "s");
}
$sql .= ")";
//echo $sql;
-$res = db_query($sql);
+$res = db_prep_query($sql, $v, $t);
$count=0;
while(db_fetch_row($res)){
$gui_id_own[$count]=db_result($res,$count,"gui_id");
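Review bot: When `$ownguis` is empty the loop adds no placeholder and the statement handed to `db_prep_query` ends in `IN ()`, which is not valid SQL. The old code had the same gap, but the rewrite is a good place to guard it with `if (count($ownguis) > 0) { ... }` around the query and its fetch loop. `$v = $ownguis` also relies on the array being a 0-based list so that each element lines up with its placeholder; `$v = array_values($ownguis);` makes that explicit. The `$permguis` query in the next hunk has the same two points.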
@@ -330,13 +384,19 @@
}
-$sql = "SELECT * from gui WHERE gui.gui_id IN(";
-for($i=0; $i<count($permguis); $i++){
- if($i>0){ $sql .= ",";}
- $sql .= "'".$permguis[$i]."'";
+$sql = "SELECT * from gui WHERE gui.gui_id IN (";
+$v = $permguis;
+$t = array();
+
+for ($i = 1; $i <= count($permguis); $i++){
+ if ($i > 1) {
+ $sql .= ",";
+ }
+ $sql .= "$" . $i;
+ array_push($t, "s");
}
$sql .= ")";
-$res = db_query($sql);
+$res = db_prep_query($sql, $v, $t);
$count=0;
while($row = db_fetch_array($res)){
$gui_id_perm[$count]= $row["gui_id"];
@@ -413,8 +473,10 @@
else{
echo "<div class='guiList2_header'>Templates</div>\n";
}
- $sql = "SELECT * FROM gui_element WHERE fkey_gui_id = '".$guiList2."' ORDER BY e_id";
- $res = db_query($sql);
+ $sql = "SELECT * FROM gui_element WHERE fkey_gui_id = $1 ORDER BY e_id";
+ $v = array($guiList2);
+ $t = array("s");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
echo "<div class='myElements'>\n<table>\n";
@@ -440,8 +502,10 @@
#Formular:
echo "<table class='myForm'>\n";
if(isset($myElement)){
- $sql = "SELECT * FROM gui_element WHERE fkey_gui_id = '".$guiList2."' AND e_id = '".$myElement."'";
- $res = db_query($sql);
+ $sql = "SELECT * FROM gui_element WHERE fkey_gui_id = $1 AND e_id = $2";
+ $v = array($guiList2, $myElement);
+ $t = array("s", "s");
+ $res = db_prep_query($sql, $v, $t);
if(db_fetch_row($res)){
echo "<tr><td>ID: </td><td><input type='text' class='textfield' name='e_id' value='".db_result($res,0,"e_id")."'></td></tr>\n";
echo "<tr><td>Position: </td><td><input type='text' class='textfield' name='e_pos' value='".db_result($res,0,"e_pos")."'></td></tr>\n";
Modified: tags/2.4.4_su/http/php/mod_evalArea.php
===================================================================
--- tags/2.4.4/http/php/mod_evalArea.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_evalArea.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -20,6 +20,7 @@
include '../include/dyn_css.php';
require_once(dirname(__FILE__)."/../../conf/mapbender.conf");
require_once(dirname(__FILE__)."/../classes/class_administration.php");
+require_once(dirname(__FILE__)."/../classes/class_mb_exception.php");
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
@@ -61,55 +62,71 @@
$posY = explode (",", $y);
-if(SYS_DBTYPE=='pgsql'){
- if(count($posX) > 3){
- $sql = "SELECT area2d(GeometryFromText('MULTIPOLYGON(((";
- for($i=0; $i<count($posX); $i++){
- if($i>0){$sql .= ",";}
- $sql .= $posX[$i] . " " . $posY[$i];
- }
- $sql .= ")))',".rawurldecode($epsg).")) as myArea";
- $res = db_query($sql);
- if($row = db_fetch_array($res)){
- echo "Fläche: ".round($row[0]*100)/100 . " m<sup>2</sup>";
- }
+// check if parameters are valid geometries to
+// avoid SQL injections
+$regExp = "/\d(,\d)*/";
+if (preg_match($regExp, $x) && preg_match($regExp, $y)) {
+
+ if(SYS_DBTYPE=='pgsql'){
+ if (count($posX) > 3) {
+ $sql = "SELECT area2d(GeometryFromText('MULTIPOLYGON(((";
+ for ($i = 0; $i < count($posX); $i++) {
+ if ($i > 0) {
+ $sql .= ",";
+ }
+ $sql .= $posX[$i] . " " . $posY[$i];
+ }
+ $sql .= ")))',".rawurldecode($epsg).")) as myArea";
+
+ // the input parameters are valid
+ $res = db_query($sql);
+ if($row = db_fetch_array($res)){
+ echo "Fläche: ".round($row[0]*100)/100 . " m<sup>2</sup>";
+ }
+ }
+ else{
+ echo "Fläche: 0 m<sup>2</sup>";
+ }
+ }else{
+ #echo "Fl�chenberechnung f�r MySQL liegt derzeit nicht vor<br></sup>";
+ #$con = db_connect($GEOS_DBSERVER,$GEOS_PORT,$GEOS_OWNER,$GEOS_PW);
+ #db_select_db($GEOS_DBSERVER,$con);
+ $con_string = "host=$GEOS_DBSERVER port=$GEOS_PORT dbname=$GEOS_DB user=$GEOS_OWNER password=$GEOS_PW";
+
+ $con = pg_connect($con_string) or die ("Error while connecting database");
+
+
+ if(count($posX) > 3){
+ $sql = "SELECT area2d(GeometryFromText('MULTIPOLYGON(((";
+ $i==0;
+ for($i=0; $i<count($posX); $i++){
+ if($i>0){$sql .= ",";}
+ $sql .= $posX[$i] . " " . $posY[$i];
+ }
+ $sql .= ")))',".rawurldecode($epsg).")) as myArea";
+ $res = pg_query($con,$sql);
+
+ $cnt = 0;
+ while(pg_fetch_row($res)){
+ $area = pg_fetch_result($res,$cnt,0);
+ echo "Fläche: ".round($area*100)/100 . " m<sup>2</sup>";
+ $cnt++;
+ }
+ }
+ else{
+ echo "Fläche: 0 m<sup>2</sup>";
+ }
}
- else{
- echo "Fläche: 0 m<sup>2</sup>";
- }
-}else{
- #echo "Flächenberechnung für MySQL liegt derzeit nicht vor<br></sup>";
- #$con = db_connect($GEOS_DBSERVER,$GEOS_PORT,$GEOS_OWNER,$GEOS_PW);
- #db_select_db($GEOS_DBSERVER,$con);
- $con_string = "host=$GEOS_DBSERVER port=$GEOS_PORT dbname=$GEOS_DB user=$GEOS_OWNER password=$GEOS_PW";
- $con = pg_connect($con_string) or die ("Error while connecting database");
-
-
- if(count($posX) > 3){
- $sql = "SELECT area2d(GeometryFromText('MULTIPOLYGON(((";
- $i==0;
- for($i=0; $i<count($posX); $i++){
- if($i>0){$sql .= ",";}
- $sql .= $posX[$i] . " " . $posY[$i];
- }
- $sql .= ")))',".rawurldecode($epsg).")) as myArea";
- $res = pg_query($con,$sql);
-
- $cnt = 0;
- while(pg_fetch_row($res)){
- $area = pg_fetch_result($res,$cnt,0);
- echo "Fläche: ".round($area*100)/100 . " m<sup>2</sup>";
- $cnt++;
- }
- }
- else{
- echo "Fläche: 0 m<sup>2</sup>";
- }
+ echo "<br>";
+ echo "Umfang: ". $length . " m";
+}
+else {
+ $e = new mb_exception("mod_evalArea.php: invalid input geometry; coordinates not float values.");
+ echo "Fläche: 0 m<sup>2</sup>";
}
-echo "<br>";
-echo "Umfang: ". $length . " m";
+
#Centroid(geometry)
/*
$sql = "SELECT Centroid(GeometryFromText('MULTIPOLYGON(((";
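Review bot: The pattern `/\d(,\d)*/` in the added guard is not anchored, so `preg_match` succeeds for any `$x` or `$y` that contains a single digit anywhere; the concatenated `GeometryFromText(...)` string therefore still reaches `db_query` and `pg_query` with unvalidated content, and the comment `// the input parameters are valid` overstates what was checked. `$epsg` is not checked at all and is appended after `rawurldecode`. Matching the whole value, e.g. `$regExp = "/^-?\d+(\.\d+)?(,-?\d+(\.\d+)?)*$/D";`, together with `$epsg = intval(rawurldecode($epsg));` and a test that `count($posX) == count($posY)`, would make the guard agree with the exception text about float values. `$length` is echoed but is not assigned anywhere in this hunk.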
Modified: tags/2.4.4_su/http/php/mod_gazLayerObj_conf.php
===================================================================
--- tags/2.4.4/http/php/mod_gazLayerObj_conf.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_gazLayerObj_conf.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -76,9 +76,11 @@
$con = db_connect($DBSERVER,$OWNER,$PW);
db_select_db(DB,$con);
- $sql = "UPDATE gui_layer SET gui_layer_wfs_featuretype = '".$_REQUEST["myWFS"]."' ";
- $sql .= "WHERE fkey_gui_id='".$_REQUEST["gui"]."' AND fkey_layer_id=".$_REQUEST["layer"];
- $res = db_query($sql);
+ $sql = "UPDATE gui_layer SET gui_layer_wfs_featuretype = $1 ";
+ $sql .= "WHERE fkey_gui_id = $2 AND fkey_layer_id = $3";
+ $v = array($_REQUEST["myWFS"], $_REQUEST["gui"], $_REQUEST["layer"]);
+ $t = array("s", "s", "i");
+ $res = db_prep_query($sql, $v, $t);
echo "layer is connected with: ".$_REQUEST["myWFS"];
die();
}
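Review bot: `$res` from `db_prep_query` is not checked before the script prints `layer is connected with: ...` and calls `die()`, so a failed UPDATE is reported as success. The same `echo` writes `$_REQUEST["myWFS"]` into the response unencoded. Wrapping it as `if ($res) { echo "layer is connected with: ".htmlspecialchars($_REQUEST["myWFS"], ENT_QUOTES); }` addresses both. The enclosing block starts outside the hunk.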
Modified: tags/2.4.4_su/http/php/mod_gazLayerObj_edit.php
===================================================================
--- tags/2.4.4/http/php/mod_gazLayerObj_edit.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_gazLayerObj_edit.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -54,29 +54,34 @@
if(isset($_REQUEST["save"])){
$sql = "UPDATE gazetteer SET ";
- $sql .= "gazetteer_abstract = '".$_REQUEST["gazetteer_abstract"]."',";
- $sql .= "g_label = '".$_REQUEST["g_label"]."',";
- $sql .= "g_label_id = '".$_REQUEST["g_label_id"]."',";
- $sql .= "g_button = '".$_REQUEST["g_button"]."',";
- $sql .= "g_button_id = '".$_REQUEST["g_button_id"]."',";
- $sql .= "g_style = '".$_REQUEST["g_style"]."',";
- $sql .= "g_buffer = '".$_REQUEST["g_buffer"]."'";
- $sql .= " WHERE gazetteer_id = ".$_REQUEST["fkey_gazetteer_id"].";";
+ $sql .= "gazetteer_abstract = $1, ";
+ $sql .= "g_label = $2, ";
+ $sql .= "g_label_id = $3, ";
+ $sql .= "g_button = $4, ";
+ $sql .= "g_button_id = $5, ";
+ $sql .= "g_style = $6, ";
+ $sql .= "g_buffer = $7 ";
+ $sql .= "WHERE gazetteer_id = $8;";
- $res = db_query($sql);
+ $v = array($_REQUEST["gazetteer_abstract"], $_REQUEST["g_label"], $_REQUEST["g_label_id"], $_REQUEST["g_button"], $_REQUEST["g_button_id"], $_REQUEST["g_style"], $_REQUEST["g_buffer"], $_REQUEST["fkey_gazetteer_id"]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "i");
+ $res = db_prep_query($sql, $v, $t);
- for($i=0; $i<count($_REQUEST["f_id"]); $i++){
+ for ($i = 0; $i < count($_REQUEST["f_id"]); $i++){
$sql = "UPDATE gazetteer_element SET ";
- $sql .= "f_search = '".$_REQUEST["f_search"][$i]."',";
- $sql .= "f_pos = '".$_REQUEST["f_pos"][$i]."',";
- $sql .= "f_style_id = '".$_REQUEST["f_style_id"][$i]."',";
- $sql .= "f_label = '".$_REQUEST["f_label"][$i]."',";
- $sql .= "f_label_id = '".$_REQUEST["f_label_id"][$i]."',";
- $sql .= "f_show = '".$_REQUEST["f_show"][$i]."',";
- $sql .= "f_respos = '".$_REQUEST["f_respos"][$i]."'";
- $sql .= " WHERE fkey_gazetteer_id = ".$_REQUEST["fkey_gazetteer_id"]." AND f_id = ".$_REQUEST["f_id"][$i].";";
+ $sql .= "f_search = $1, ";
+ $sql .= "f_pos = $2, ";
+ $sql .= "f_style_id = $3, ";
+ $sql .= "f_label = $4, ";
+ $sql .= "f_label_id = $5, ";
+ $sql .= "f_show = $6, ";
+ $sql .= "f_respos = $7 ";
+ $sql .= "WHERE fkey_gazetteer_id = $8 AND f_id = $9;";
- $res = db_query($sql);
+ $v = array($_REQUEST["f_search"][$i], $_REQUEST["f_pos"][$i], $_REQUEST["f_style_id"][$i], $_REQUEST["f_label"][$i], $_REQUEST["f_label_id"][$i], $_REQUEST["f_show"][$i], $_REQUEST["f_respos"][$i], $_REQUEST["fkey_gazetteer_id"], $_REQUEST["f_id"][$i]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "i", "i");
+
+ $res = db_prep_query($sql, $v, $t);
}
}
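Review bot: The element loop trusts the shape of the request: `count($_REQUEST["f_id"])` and the parallel lookups `$_REQUEST["f_search"][$i]`, `$_REQUEST["f_pos"][$i]` and so on assume every field is an array of the same length, and both `$res` values are overwritten without being checked. Add a guard such as `if (!isset($_REQUEST["f_id"]) || !is_array($_REQUEST["f_id"]))` before the loop and stop on the first failed `db_prep_query`. The ids bound with type `"i"` (`fkey_gazetteer_id`, `f_id`) would also benefit from an explicit `ctype_digit()` check, since how the helper treats a non-numeric value for `"i"` is not visible here. The save block in mod_gazetteer_edit.php has the same structure.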
@@ -92,8 +97,10 @@
/* configure elements */
if(isset($_REQUEST["fkey_gazetteer_id"])){
- $sql = "SELECT * FROM gazetteer WHERE gazetteer_id = ".$_REQUEST["fkey_gazetteer_id"];
- $res = db_query($sql);
+ $sql = "SELECT * FROM gazetteer WHERE gazetteer_id = $1";
+ $v = array($_REQUEST["fkey_gazetteer_id"]);
+ $t = array("i");
+ $res = db_prep_query($sql, $v, $t);
if($row = db_fetch_array($res)){
echo "<table>";
echo "<tr><td>ID:</td><td>".$row["gazetteer_id"]."</td></tr>" ;
@@ -110,8 +117,10 @@
/* set element options */
$sql = "SELECT * FROM gazetteer_element ";
$sql .= "JOIN wfs_element ON gazetteer_element.f_id = wfs_element.element_id ";
- $sql .= "WHERE fkey_gazetteer_id = ".$_REQUEST["fkey_gazetteer_id"];
- $res = db_query($sql);
+ $sql .= "WHERE fkey_gazetteer_id = $1";
+ $v = array($_REQUEST["fkey_gazetteer_id"]);
+ $t = array("i");
+ $res = db_prep_query($sql, $v, $t);
echo "<table border='1'>";
echo "<tr>";
Modified: tags/2.4.4_su/http/php/mod_gazetteer_conf.php
===================================================================
--- tags/2.4.4/http/php/mod_gazetteer_conf.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_gazetteer_conf.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -72,36 +72,22 @@
$con = db_connect($DBSERVER,$OWNER,$PW);
db_select_db($DB,$con);
- $sql = "INSERT INTO gazetteer (gazetteer_abstract,fkey_wfs_id,fkey_featuretype_id,g_label,g_label_id,g_button,g_button_id,g_style,g_buffer,g_res_style,g_use_wzgraphics) VALUES(";
- $sql .= "'".$_REQUEST["gazetteer_abstract"]."',";
- $sql .= "'".$_REQUEST["wfs"]."',";
- $sql .= "'".$_REQUEST["featuretype"]."',";
- $sql .= "'".$_REQUEST["g_label"]."',";
- $sql .= "'".$_REQUEST["g_label_id"]."',";
- $sql .= "'".$_REQUEST["g_button"]."',";
- $sql .= "'".$_REQUEST["g_button_id"]."',";
- $sql .= "'".$_REQUEST["g_style"]."',";
- $sql .= "'".$_REQUEST["g_buffer"]."',";
- $sql .= "'".$_REQUEST["g_res_style"]."',";
- $sql .= $_REQUEST["g_use_wzgraphics"];
- $sql .= "); ";
-
- $res = db_query($sql);
+ $sql = "INSERT INTO gazetteer (gazetteer_abstract, fkey_wfs_id, ";
+ $sql .= "fkey_featuretype_id, g_label, g_label_id, g_button, ";
+ $sql .= "g_button_id, g_style, g_buffer, g_res_style, g_use_wzgraphics) ";
+ $sql .= "VALUES($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11);";
+ $v = array($_REQUEST["gazetteer_abstract"], $_REQUEST["wfs"], $_REQUEST["featuretype"], $_REQUEST["g_label"], $_REQUEST["g_label_id"], $_REQUEST["g_button"], $_REQUEST["g_button_id"], $_REQUEST["g_style"], $_REQUEST["g_buffer"], $_REQUEST["g_res_style"], $_REQUEST["g_use_wzgraphics"]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "s", "s", "i");
+ $res = db_prep_query($sql, $v, $t);
$wfsID = db_insert_id($con);
for($i=0; $i<count($_REQUEST["f_id"]); $i++){
- $sql = "INSERT INTO gazetteer_element (fkey_gazetteer_id,f_id,f_search,f_pos,f_style_id,f_toupper,f_label,f_label_id,f_show,f_respos) VALUES(";
- $sql .= "'".$wfsID."',";
- $sql .= "'".$_REQUEST["f_id"][$i]."',";
- $sql .= "'".$_REQUEST["f_search"][$i]."',";
- $sql .= "'".$_REQUEST["f_pos"][$i]."',";
- $sql .= "'".$_REQUEST["f_style_id"][$i]."',";
- $sql .= "'".$_REQUEST["f_toupper"][$i]."',";
- $sql .= "'".$_REQUEST["f_label"][$i]."',";
- $sql .= "'".$_REQUEST["f_label_id"][$i]."',";
- $sql .= "'".$_REQUEST["f_show"][$i]."',";
- $sql .= "'".$_REQUEST["f_respos"][$i]."'";
- $sql .= "); ";
- $res = db_query($sql);
+ $sql = "INSERT INTO gazetteer_element (fkey_gazetteer_id, ";
+ $sql .= "f_id, f_search, f_pos, f_style_id, f_toupper, f_label, ";
+ $sql .= "f_label_id, f_show, f_respos) VALUES (";
+ $sql .= "$1, $2, $3, $4, $5, $6, $7, $8, $9, $10);";
+ $v = array($wfsID, $_REQUEST["f_id"][$i], $_REQUEST["f_search"][$i], $_REQUEST["f_pos"][$i], $_REQUEST["f_style_id"][$i], $_REQUEST["f_toupper"][$i], $_REQUEST["f_label"][$i], $_REQUEST["f_label_id"][$i], $_REQUEST["f_show"][$i], $_REQUEST["f_respos"][$i]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "s", "s");
+ $res = db_prep_query($sql, $v, $t);
}
}
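Review bot: `$wfsID = db_insert_id($con)` is read without checking `$res` from the preceding INSERT, so if that insert fails the `gazetteer_element` rows are written with whatever id the connection reports, or none. Test the result first, e.g. `if (!$res) { die("could not create gazetteer"); }`, before calling `db_insert_id`. `$wfsID` and `f_id` are then bound as `"s"` although the edit scripts bind the same columns as `"i"`; using one type for them across the three files would avoid surprises.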
Modified: tags/2.4.4_su/http/php/mod_gazetteer_edit.php
===================================================================
--- tags/2.4.4/http/php/mod_gazetteer_edit.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_gazetteer_edit.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -56,31 +56,34 @@
if(isset($_REQUEST["save"])){
$sql = "UPDATE gazetteer SET ";
- $sql .= "gazetteer_abstract = '".$_REQUEST["gazetteer_abstract"]."',";
- $sql .= "g_label = '".$_REQUEST["g_label"]."',";
- $sql .= "g_label_id = '".$_REQUEST["g_label_id"]."',";
- $sql .= "g_button = '".$_REQUEST["g_button"]."',";
- $sql .= "g_button_id = '".$_REQUEST["g_button_id"]."',";
- $sql .= "g_style = '".$_REQUEST["g_style"]."',";
- $sql .= "g_buffer = '".$_REQUEST["g_buffer"]."',";
- $sql .= "g_res_style = '".$_REQUEST["g_res_style"]."',";
- $sql .= "g_use_wzgraphics = ".$_REQUEST["g_use_wzgraphics"];
- $sql .= " WHERE gazetteer_id = ".$_REQUEST["gaz"].";";
- $res = db_query($sql);
+ $sql .= "gazetteer_abstract = $1, ";
+ $sql .= "g_label = $2, ";
+ $sql .= "g_label_id = $3, ";
+ $sql .= "g_button = $4, ";
+ $sql .= "g_button_id = $5, ";
+ $sql .= "g_style = $6, ";
+ $sql .= "g_buffer = $7, ";
+ $sql .= "g_res_style = $8, ";
+ $sql .= "g_use_wzgraphics = $9 ";
+ $sql .= "WHERE gazetteer_id = $10;";
+ $v = array($_REQUEST["gazetteer_abstract"], $_REQUEST["g_label"], $_REQUEST["g_label_id"], $_REQUEST["g_button"], $_REQUEST["g_button_id"], $_REQUEST["g_style"], $_REQUEST["g_buffer"], $_REQUEST["g_res_style"], $_REQUEST["g_use_wzgraphics"], $_REQUEST["gaz"]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "i", "i");
+ $res = db_prep_query($sql, $v, $t);
for($i=0; $i<count($_REQUEST["f_id"]); $i++){
$sql = "UPDATE gazetteer_element SET ";
- $sql .= "f_search = '".$_REQUEST["f_search"][$i]."',";
- $sql .= "f_pos = '".$_REQUEST["f_pos"][$i]."',";
- $sql .= "f_style_id = '".$_REQUEST["f_style_id"][$i]."',";
- $sql .= "f_toupper = '".$_REQUEST["f_toupper"][$i]."',";
- $sql .= "f_label = '".$_REQUEST["f_label"][$i]."',";
- $sql .= "f_label_id = '".$_REQUEST["f_label_id"][$i]."',";
- $sql .= "f_show = '".$_REQUEST["f_show"][$i]."',";
- $sql .= "f_respos = '".$_REQUEST["f_respos"][$i]."'";
- $sql .= " WHERE fkey_gazetteer_id = ".$_REQUEST["gaz"]." AND f_id = ".$_REQUEST["f_id"][$i].";";
-
- $res = db_query($sql);
+ $sql .= "f_search = $1, ";
+ $sql .= "f_pos = $2, ";
+ $sql .= "f_style_id = $3, ";
+ $sql .= "f_toupper = $4, ";
+ $sql .= "f_label = $5, ";
+ $sql .= "f_label_id = $6, ";
+ $sql .= "f_show = $7, ";
+ $sql .= "f_respos = $8 ";
+ $sql .= "WHERE fkey_gazetteer_id = $9 AND f_id = $10;";
+ $v = array($_REQUEST["f_search"][$i], $_REQUEST["f_pos"][$i], $_REQUEST["f_style_id"][$i], $_REQUEST["f_toupper"][$i], $_REQUEST["f_label"][$i], $_REQUEST["f_label_id"][$i], $_REQUEST["f_show"][$i], $_REQUEST["f_respos"][$i], $_REQUEST["gaz"], $_REQUEST["f_id"][$i]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "i", "i");
+ $res = db_prep_query($sql, $v, $t);
}
}
@@ -110,8 +113,10 @@
/* configure elements */
if(isset($_REQUEST["gaz"])){
- $sql = "SELECT * FROM gazetteer WHERE gazetteer_id = ".$_REQUEST["gaz"];
- $res = db_query($sql);
+ $sql = "SELECT * FROM gazetteer WHERE gazetteer_id = $1";
+ $v = array($_REQUEST["gaz"]);
+ $t = array("i");
+ $res = db_prep_query($sql, $v, $t);
if($row = db_fetch_array($res)){
echo "<table>";
echo "<tr><td>GazetterID:</td><td>".$row["gazetteer_id"]."</td></tr>" ;
@@ -132,9 +137,11 @@
/* set element options */
$sql = "SELECT * FROM gazetteer_element ";
$sql .= "JOIN wfs_element ON gazetteer_element.f_id = wfs_element.element_id ";
- $sql .= "WHERE fkey_gazetteer_id = ".$_REQUEST["gaz"];
+ $sql .= "WHERE fkey_gazetteer_id = $1";
+ $v = array($_REQUEST["gaz"]);
+ $t = array("i");
echo $sql;
- $res = db_query($sql);
+ $res = db_prep_query($sql, $v, $t);
echo "<table border='1'>";
echo "<tr>";
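Review bot: The `echo $sql;` kept between the new `$t = array("i");` line and the `db_prep_query` call prints the statement text, including table and column names, into the page on every request. It looks like leftover debug output and should be removed or commented out like the `#echo $sql;` lines elsewhere in this commit. The surrounding `if(isset($_REQUEST["gaz"]))` block starts and ends outside the hunk.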
Modified: tags/2.4.4_su/http/php/mod_getStyles.php
===================================================================
--- tags/2.4.4/http/php/mod_getStyles.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_getStyles.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -81,7 +81,7 @@
{
global $proxy_name,$proxy_port,$proxy_cont,$proxy_user,$proxy_pass;
//echo $proxy_user;
- $proxy_fp = fsockopen($proxy_name, $proxy_port) or die ("Fehler beim öffnen der Verbindung zum Proxy");
+ $proxy_fp = fsockopen($proxy_name, $proxy_port) or die ("Fehler beim �ffnen der Verbindung zum Proxy");
if (!$proxy_fp) {return false;}
$headers = "GET $proxy_url HTTP/1.0\r\nHost: $proxy_name\r\n";
$headers .= 'Proxy-Authorization: ' . 'Basic ' . base64_encode($proxy_user . ':' . $proxy_pass)."\r\nConnection: Keep-Alive\r\n\r\n";
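Review bot: The only change on the `fsockopen` line is that the `ö` in the `die()` message has become an invalid byte, as this page renders it, which suggests the file was re-saved in a different encoding. The same damage appears in the nestedSets.php hunks at -58, -77 and -87, where one affected string (the `alert(...)` asking the user to choose a layer) is live code, not a comment. Keep the files in their original encoding, or convert the tree in a separate commit, so user-visible messages stay readable. Separately, `or die(...)` makes the following `if (!$proxy_fp) {return false;}` unreachable, so the function should settle on one failure path. The function body starts and ends outside the hunk.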
@@ -126,9 +126,12 @@
@fclose($style_xml);
fclose($style_file);
#include(dirname(__FILE__)."/../../conf/www.conf");
- $sql = "UPDATE wms SET wms_filter = '".str_replace(basename($login),$style_filename,$login)."' WHERE wms_id = ". $wmsList;
+ $pattern = "/" . basename($login) . "/";
+ $sql = "UPDATE wms SET wms_filter = $1 WHERE wms_id = $2";
+ $v = array(preg_replace($pattern,$style_filename,$login), $wmsList);
+ $t = array("s", "i");
echo $sql;
- db_query($sql) or die("unable to change filter!");
+ db_prep_query($sql, $v, $t) or die("unable to change filter!");
}
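Review bot: Replacing `str_replace` with `preg_replace` changes behaviour, because `basename($login)` is placed into the pattern unquoted. Any `.`, `+`, `(` or similar in the file name is then read as regex syntax, and `$n` or `\n` sequences in `$style_filename` are read as back-references. The bound parameters already take care of the SQL side, so the literal replacement can stay: `$v = array(str_replace(basename($login), $style_filename, $login), $wmsList);` with the `$pattern` line dropped (or `preg_quote(basename($login), "/")` if a regex is really wanted). The `echo $sql;` before the call also still writes the statement into the response. The enclosing block starts outside the hunk.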
###
@@ -141,8 +144,10 @@
# getStyle - Request:
if($wmsList && $row["wms_id"] == $wmsList){
$getStyle = $row["wms_getmap"]."&VERSION=1.1.1&REQUEST=getStyles&SERVICE=WMS&LAYERS=";
- $sql_style = "SELECT layer_name FROM layer WHERE fkey_wms_id = " . $wmsList;
- $res_style = db_query($sql_style);
+ $sql_style = "SELECT layer_name FROM layer WHERE fkey_wms_id = $1";
+ $v = array($wmsList);
+ $t = array("i");
+ $res_style = db_prep_query($sql_style, $v, $t);
$cnt_style = 0;
while($row2 = db_fetch_array($res_style)){
Modified: tags/2.4.4_su/http/php/mod_loadCapabilitiesList.php
===================================================================
--- tags/2.4.4/http/php/mod_loadCapabilitiesList.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_loadCapabilitiesList.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -154,8 +154,10 @@
$cnt++;
}
- $sql = "SELECT * FROM gui_layer WHERE fkey_gui_id = '".$guiID."' AND gui_layer_wms_id = ".$wmsID;
- $res = db_query($sql);
+ $sql = "SELECT * FROM gui_layer WHERE fkey_gui_id = $1 AND gui_layer_wms_id = $2";
+ $v = array($guiID, $wmsID);
+ $t = array("s", "i");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while($row = db_fetch_array($res)){
$sql_ins = "INSERT INTO gui_layer (fkey_gui_id,fkey_layer_id,gui_layer_wms_id,gui_layer_status,gui_layer_selectable,";
@@ -180,12 +182,17 @@
echo"<br>";
$sql = "SELECT * FROM gui WHERE gui_id IN (";
- for($i=0; $i<count($ownguis); $i++){
- if($i>0){ $sql .= ",";}
- $sql .= "'".$ownguis[$i]."'";
+ $v = $ownguis;
+ $t = array();
+ for ($i = 1; $i <= count($ownguis); $i++){
+ if ($i > 1) {
+ $sql .= ",";
+ }
+ $sql .= "$".$i;
+ array_push($t, "s");
}
$sql .= ") ORDER BY gui_name";
- $res = db_query($sql);
+ $res = db_prep_query($sql, $v, $t);
$count=0;
echo"<select size='8' name='guiList' style='width:200px' onClick='submit()'>";
while($row = db_fetch_array($res)){
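Review bot: When `$ownguis` is empty the loop adds no placeholder and the statement becomes `gui_id IN ()`, which PostgreSQL rejects, so `$res` is not a usable result for the `while` below. The same construction is used for `$arrayGUIs` in the -236 hunk of this file and for `$ownguis` in the nestedSets.php hunk at -228. A guard such as `if (count($ownguis) > 0) { ... }` around building and running the query would cover it. `$v = array_values($ownguis);` would also keep the values aligned with `$1..$n` if the array is not a plain 0-based list, which the diff does not show.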
@@ -236,12 +243,17 @@
echo"<div class='text1'>Load WMS</div>";
$sql = "SELECT DISTINCT wms.wms_id,wms.wms_title,wms.wms_abstract,wms.wms_owner FROM gui_wms JOIN wms ON ";
$sql .= "wms.wms_id = gui_wms.fkey_wms_id WHERE gui_wms.fkey_gui_id IN(";
- for($i=0; $i<count($arrayGUIs); $i++){
- if($i>0){$sql .= ",";}
- $sql .= "'".$arrayGUIs[$i]."'";
+ $v = $arrayGUIs;
+ $t = array();
+ for ($i = 1; $i <= count($arrayGUIs); $i++){
+ if ($i > 1) {
+ $sql .= ",";
+ }
+ $sql .= "$" . $i;
+ array_push($t, "s");
}
$sql .= ") ORDER BY wms.wms_title";
- $res = db_query($sql);
+ $res = db_prep_query($sql, $v, $t);
echo "<select class='select1' name='wmsID' size='20' onchange='submit()'>";
$cnt = 0;
while($row = db_fetch_array($res)){
@@ -263,8 +275,10 @@
if(isset($wmsID)){
echo "<div class='text2'>FROM:</div>";
- $sql = "SELECT * from gui_wms WHERE fkey_wms_id ='".$wmsID."' ORDER BY fkey_gui_id";
- $res = db_query($sql);
+ $sql = "SELECT * from gui_wms WHERE fkey_wms_id = $1 ORDER BY fkey_gui_id";
+ $v = array($wmsID);
+ $t = array("s");
+ $res = db_prep_query($sql, $v, $t);
echo "<select class='select2' name='guiID' size='20' onchange='load()'>";
$cnt = 0;
while($row = db_fetch_array($res)){
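Review bot: `$wmsID` is tagged `"s"` here but `"i"` in the -154 hunk of the same file, where it is compared with `gui_layer_wms_id`. How `db_prep_query` uses the tag is not visible in this diff, but if it validates or casts by type, the integer tag is the stricter choice for an id column: `$t = array("i");`. The enclosing `if(isset($wmsID))` block continues outside the hunk.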
Modified: tags/2.4.4_su/http/php/mod_map1.php
===================================================================
--- tags/2.4.4/http/php/mod_map1.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_map1.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -37,8 +37,10 @@
<title>mod_map1</title>
<?php
-$sql = "SELECT e_width, e_height FROM gui_element WHERE e_id = 'mapframe1' AND fkey_gui_id = '".$_SESSION["mb_user_gui"]."'";
-$res = db_query($sql);
+$sql = "SELECT e_width, e_height FROM gui_element WHERE e_id = 'mapframe1' AND fkey_gui_id = $1";
+$v = array($_SESSION["mb_user_gui"]);
+$t = array("s");
+$res = db_prep_query($sql, $v, $t);
$cnt = 0;
while($row = db_fetch_array($res)){
$e_width = $row["e_width"];
Modified: tags/2.4.4_su/http/php/mod_mapOV.php
===================================================================
--- tags/2.4.4/http/php/mod_mapOV.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_mapOV.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -45,8 +45,10 @@
?>
<?php
$gui_id = $_SESSION["mb_user_gui"];
-$sql = "SELECT e_width,e_height, e_target FROM gui_element WHERE e_id = 'overview' AND fkey_gui_id = '".$gui_id."'";
-$res = db_query($sql);
+$sql = "SELECT e_width,e_height, e_target FROM gui_element WHERE e_id = 'overview' AND fkey_gui_id = $1";
+$v = array($gui_id);
+$t = array("s");
+$res = db_prep_query($sql, $v, $t);
$cnt = 0;
echo "<script type='text/javascript'>";
while($row = db_fetch_array($res)){
Modified: tags/2.4.4_su/http/php/mod_simpleWMSpreferences.php
===================================================================
--- tags/2.4.4/http/php/mod_simpleWMSpreferences.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_simpleWMSpreferences.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -76,8 +76,10 @@
<?php
$con = db_connect($DBSERVER,$OWNER,$PW);
db_select_db(DB,$con);
-$sql = "SELECT * FROM gui_element WHERE e_id = 'WMS_preferences' AND fkey_gui_id = '".$_SESSION["mb_user_gui"]."'";
-$res = db_query($sql);
+$sql = "SELECT * FROM gui_element WHERE e_id = 'WMS_preferences' AND fkey_gui_id = $1";
+$v = array($_SESSION["mb_user_gui"]);
+$t = array("s");
+$res = db_prep_query($sql, $v, $t);
$cnt = 0;
while($row = db_fetch_array($res)){
$e_target = $row["e_target"];
Modified: tags/2.4.4_su/http/php/mod_treefolderAdmin.php
===================================================================
--- tags/2.4.4/http/php/mod_treefolderAdmin.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_treefolderAdmin.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -434,21 +434,28 @@
// this is a multinary tree structure which is easy to
// populate with database data :)
<?php
-$sql = "SELECT id FROM gui_treegde WHERE fkey_gui_id = '".$guiList."'";
-$res = db_query($sql);
+$sql = "SELECT id FROM gui_treegde WHERE fkey_gui_id = $1";
+// $v and $t will be re-used below!
+$v = array($guiList);
+$t = array("s");
+$res = db_prep_query($sql, $v, $t);
if(!db_fetch_row($res)){
- $sql = "INSERT INTO gui_treegde(fkey_gui_id, my_layer_title,lft,rgt,layer) VALUES('".$guiList."', 'new','1','4','')";
- db_query($sql);
- $sql = "INSERT INTO gui_treegde(fkey_gui_id,my_layer_title,lft,rgt,layer) VALUES('".$guiList."','new','2','3','')";
- db_query($sql);
+ $sql = "INSERT INTO gui_treegde(fkey_gui_id, my_layer_title,lft,rgt,layer) VALUES($1, 'new','1','4','')";
+ //using $v and $t fom above
+ db_prep_query($sql, $v, $t);
+ $sql = "INSERT INTO gui_treegde(fkey_gui_id,my_layer_title,lft,rgt,layer) VALUES($1,'new','2','3','')";
+ //using $v and $t fom above
+ db_prep_query($sql, $v, $t);
}
-
+
$sql = "SELECT n.wms_id, n.id, n.my_layer_title, n.lft, n.rgt, n.layer, COUNT(*) AS level1, ((n.rgt - n.lft -1)/2) AS offspring ";
$sql .= "FROM gui_treegde as n, gui_treegde as p WHERE n.lft BETWEEN p.lft AND p.rgt ";
-$sql .= " AND n.fkey_gui_id = '".$guiList."' AND p.fkey_gui_id = '".$guiList."' ";
+$sql .= " AND n.fkey_gui_id = $1 AND p.fkey_gui_id = $2 ";
$sql .= " GROUP BY n.wms_id, n.lft, n.my_layer_title, ((n.rgt - n.lft -1)/2) , n.id, n.rgt, n.layer ORDER BY n.lft;";
#echo $sql;
-$res = db_query($sql);
+$v = array($guiList, $guiList);
+$t = array("s", "s");
+$res = db_prep_query($sql, $v, $t);
echo "function initArray(){";
echo "Note(0,-1,'','');";
$cnt = 0;
Modified: tags/2.4.4_su/http/php/mod_treefolderClient.php
===================================================================
--- tags/2.4.4/http/php/mod_treefolderClient.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_treefolderClient.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -78,8 +78,10 @@
// -->
</STYLE>
<?php
-$sql = "SELECT e_target FROM gui_element WHERE e_id = 'treeConfGDE' AND fkey_gui_id = '".$guiList."'";
-$res = db_query($sql);
+$sql = "SELECT e_target FROM gui_element WHERE e_id = 'treeConfGDE' AND fkey_gui_id = $1";
+$v = array($guiList);
+$t = array("s");
+$res = db_prep_query($sql, $v, $t);
$cnt = 0;
while(db_fetch_row($res)){
$e_target = db_result($res,0,"e_target");
@@ -548,21 +550,27 @@
// this is a multinary tree structure which is easy to
// populate with database data :)
<?php
-$sql = "SELECT id FROM gui_treegde WHERE fkey_gui_id = '".$guiList."'";
-$res = db_query($sql);
+$sql = "SELECT id FROM gui_treegde WHERE fkey_gui_id = $1";
+// $v and $t will be re-used below!
+$v = array($guiList);
+$t = array("s");
+$res = db_prep_query($sql, $v, $t);
if(!db_fetch_row($res)){
- $sql = "INSERT INTO gui_treegde(fkey_gui_id, my_layer_title,lft,rgt,layer) VALUES('".$guiList."', 'new','1','4','')";
- db_query($sql);
- $sql = "INSERT INTO gui_treegde(fkey_gui_id,my_layer_title,lft,rgt,layer) VALUES('".$guiList."','new','2','3','')";
- db_query($sql);
+ $sql = "INSERT INTO gui_treegde(fkey_gui_id, my_layer_title,lft,rgt,layer) VALUES($1, 'new','1','4','')";
+ //using $v and $t fom above
+ db_prep_query($sql, $v, $t);
+ $sql = "INSERT INTO gui_treegde(fkey_gui_id,my_layer_title,lft,rgt,layer) VALUES($1,'new','2','3','')";
+ //using $v and $t fom above
+ db_prep_query($sql, $v, $t);
}
$sql = "SELECT n.wms_id, n.id, n.my_layer_title, n.lft, n.rgt, n.layer, COUNT(*) AS level1, ((n.rgt - n.lft -1)/2) AS offspring ";
$sql .= "FROM gui_treegde as n, gui_treegde as p WHERE n.lft BETWEEN p.lft AND p.rgt ";
-$sql .= " AND n.fkey_gui_id = '".$guiList."' AND p.fkey_gui_id = '".$guiList."' ";
+$sql .= " AND n.fkey_gui_id = $1 AND p.fkey_gui_id = $2 ";
$sql .= " GROUP BY n.wms_id, n.lft, n.my_layer_title, ((n.rgt - n.lft -1)/2) , n.id, n.rgt, n.layer ORDER BY n.lft";
-
-$res = db_query($sql);
+$v = array($guiList, $guiList);
+$t = array("s", "s");
+$res = db_prep_query($sql, $v, $t);
echo "function initArray(){";
echo "Note(0,-1,'','');";
$cnt = 0;
Modified: tags/2.4.4_su/http/php/mod_wfs_conf.php
===================================================================
--- tags/2.4.4/http/php/mod_wfs_conf.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_wfs_conf.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -89,62 +89,74 @@
db_select_db($DB,$con);
- $sql = "INSERT INTO wfs_conf (wfs_conf_abstract,fkey_wfs_id,fkey_featuretype_id,g_label,g_label_id,g_button,g_button_id,g_style,g_buffer,g_res_style,g_use_wzgraphics) VALUES(";
- $sql .= "'".$_REQUEST["wfs_conf_abstract"]."',";
- $sql .= "'".$_REQUEST["wfs"]."',";
- $sql .= "'".$_REQUEST["featuretype"]."',";
- $sql .= "'".$_REQUEST["g_label"]."',";
- $sql .= "'".$_REQUEST["g_label_id"]."',";
- $sql .= "'".$_REQUEST["g_button"]."',";
- $sql .= "'".$_REQUEST["g_button_id"]."',";
- $sql .= "'".$_REQUEST["g_style"]."',";
- $sql .= "'".$_REQUEST["g_buffer"]."',";
- $sql .= "'".$_REQUEST["g_res_style"]."',";
- if(!empty($_REQUEST["g_use_wzgraphics"])){
+ $sql = "INSERT INTO wfs_conf (";
+ $sql .= "wfs_conf_abstract, fkey_wfs_id, ";
+ $sql .= "fkey_featuretype_id, g_label, g_label_id, g_button, ";
+ $sql .= "g_button_id, g_style, g_buffer, g_res_style, g_use_wzgraphics";
+ $sql .= ") VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, ";
+ if (!empty($_REQUEST["g_use_wzgraphics"])) {
$sql .= "'1'";
- }else{$sql .= "'0'";}
+ }
+ else {
+ $sql .= "'0'";
+ }
$sql .= "); ";
+
+ $v = array($_REQUEST["wfs_conf_abstract"], $_REQUEST["wfs"], $_REQUEST["featuretype"], $_REQUEST["g_label"], $_REQUEST["g_label_id"], $_REQUEST["g_button"], $_REQUEST["g_button_id"], $_REQUEST["g_style"], $_REQUEST["g_buffer"], $_REQUEST["g_res_style"]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "s", "s");
+ $res = db_prep_query($sql, $v, $t);
+
+ $wfsID = db_insert_id($con,'wfs_conf','wfs_conf_id');
- $res = db_query($sql);
- $wfsID = db_insert_id($con,'wfs_conf','wfs_conf_id');
- for($i=0; $i<$_REQUEST["num"]; $i++){
+ for ($i = 0; $i < $_REQUEST["num"]; $i++){
$sql = "INSERT INTO wfs_conf_element (fkey_wfs_conf_id,f_id,f_search,f_pos,f_style_id,f_toupper,f_label,f_label_id,f_show,f_respos,f_edit,f_form_element_html,f_mandatory) VALUES(";
- $sql .= "'".$wfsID."',";
- $sql .= "'".$_REQUEST["f_id".$i]."',";
- if(!empty($_REQUEST["f_search".$i])){
- $sql .= "'1',";
- }else{$sql .= "'0',";}
- $sql .= "'".$_REQUEST["f_pos".$i]."',";
- $sql .= "'".$_REQUEST["f_style_id".$i]."',";
- if(!empty($_REQUEST["f_toupper".$i])){
- $sql .= "'1',";
- }else{$sql .= "'0',";}
- $sql .= "'".$_REQUEST["f_label".$i]."',";
- $sql .= "'".$_REQUEST["f_label_id".$i]."',";
- if(!empty($_REQUEST["f_show".$i])){
- $sql .= "'1',";
- }else{$sql .= "'0',";}
- $sql .= "'".$_REQUEST["f_respos".$i]."'";
- $sql .= ",";
- if(!empty($_REQUEST["f_edit".$i])){
- $sql .= "'1',";
- }else{$sql .= "'0',";}
- $sql .= "'".$_REQUEST["f_form_element_html".$i]."',";
- if(!empty($_REQUEST["f_mandatory".$i])){
+ $sql .= "$1, $2, ";
+ if (!empty($_REQUEST["f_search".$i])) {
$sql .= "'1'";
- }else{$sql .= "'0'";}
-// $sql .= ", ";
-// $sql .= "'".addslashes($_REQUEST["f_auth_varname".$i]);
-// $sql .= "'";
- $sql .= "); ";
+ }
+ else {
+ $sql .= "'0'";
+ }
+ $sql .= ", $3, $4, ";
+ if (!empty($_REQUEST["f_toupper".$i])) {
+ $sql .= "'1'";
+ }
+ else {
+ $sql .= "'0'";
+ }
+ $sql .= ",$5, $6, ";
+ if (!empty($_REQUEST["f_show".$i])) {
+ $sql .= "'1'";
+ }
+ else {
+ $sql .= "'0',";
+ }
+ $sql .= ", $7, ";
+ if (!empty($_REQUEST["f_edit".$i])) {
+ $sql .= "'1'";
+ }
+ else {
+ $sql .= "'0'";
+ }
+ $sql .= ",$8, ";
+ if (!empty($_REQUEST["f_mandatory".$i])) {
+ $sql .= "'1'";
+ }
+ else {
+ $sql .= "'0'";
+ }
+ $sql .= "); ";
- $res = db_query($sql);
+ $v = array($wfsID, $_REQUEST["f_id".$i], $_REQUEST["f_pos".$i], $_REQUEST["f_style_id".$i], $_REQUEST["f_label".$i], $_REQUEST["f_label_id".$i], $_REQUEST["f_respos".$i], $_REQUEST["f_form_element_html".$i], $_REQUEST["f_auth_varname".$i]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "s", "s");
+ $res = db_prep_query($sql, $v, $t);
}
if (isset($_REQUEST["f_geom"])) {
- $sql = "UPDATE wfs_conf_element SET ";
- $sql .= "f_geom = 1";
- $sql .= " WHERE fkey_wfs_conf_id = ".$wfsID." AND f_id = ".$_REQUEST["f_geom"].";";
- $res = db_query($sql);
+ $sql = "UPDATE wfs_conf_element SET f_geom = 1 ";
+ $sql .= "WHERE fkey_wfs_conf_id = $1 AND f_id = $2;";
+ $v = array($wfsID, $_REQUEST["f_geom"]);
+ $t = array("i", "i");
+ $res = db_prep_query($sql, $v, $t);
}
echo "<script language='javascript'>";
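Review bot: The per-element INSERT cannot run as converted. The `f_show` else branch still appends `"'0',"` and is followed by `", $7, "`, which yields a double comma whenever the box is unchecked; it should read `$sql .= "'0'";` like the other flags. The statement also has eight placeholders while `$v` and `$t` carry nine entries: the trailing `$_REQUEST["f_auth_varname".$i]` has no column in the INSERT and no input in the form (the -271 hunk drops its commented-out field), so remove it from `$v` along with the ninth `"s"` in `$t`. The loop bound `$_REQUEST["num"]` is also taken straight from the request; casting it with `(int)` and capping it would keep the number of INSERTs bounded.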
@@ -271,8 +283,7 @@
echo "<td><input name='f_respos".$i."' type='text' size='1' value='0'></td>";
echo "<td><input name='f_mandatory".$i."' type='checkbox'></td>";
echo "<td><input name='f_edit".$i."' type='checkbox'></td>";
- echo "<td><textarea name='f_form_element_html".$cnt."' cols='15' rows='1' ></textarea></td>";
-// echo "<td><input name='f_auth_varname".$cnt."' type='text' size='8' value='".$row["f_auth_varname"]."'></td>";
+ echo "<td><textarea name='f_form_element_html".$i."' cols='15' rows='1' ></textarea></td>";
echo "</tr>";
}
echo "</table>";
Modified: tags/2.4.4_su/http/php/mod_wfs_edit.php
===================================================================
--- tags/2.4.4/http/php/mod_wfs_edit.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_wfs_edit.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -58,78 +58,89 @@
if(isset($_REQUEST["save"])){
$sql = "UPDATE wfs_conf SET ";
- $sql .= "wfs_conf_abstract = '".$_REQUEST["wfs_conf_abstract"]."',";
- $sql .= "g_label = '".$_REQUEST["g_label"]."',";
- $sql .= "g_label_id = '".$_REQUEST["g_label_id"]."',";
- $sql .= "g_button = '".$_REQUEST["g_button"]."',";
- $sql .= "g_button_id = '".$_REQUEST["g_button_id"]."',";
- $sql .= "g_style = '".$_REQUEST["g_style"]."',";
- $sql .= "g_buffer = '".$_REQUEST["g_buffer"]."',";
- $sql .= "g_res_style = '".$_REQUEST["g_res_style"]."',";
- $sql .= "g_use_wzgraphics = ";
- if(!empty($_REQUEST["g_use_wzgraphics"])){
- $sql .= '1';
- }else{$sql .= '0';}
- $sql .= " WHERE wfs_conf_id = ".$_REQUEST["gaz"].";";
+ $sql .= "wfs_conf_abstract = $1, g_label = $2, ";
+ $sql .= "g_label_id = $3, g_button = $4, g_button_id = $5, g_style = $6, ";
+ $sql .= "g_buffer = $7, g_res_style = $8, g_use_wzgraphics = ";
+ if (!empty($_REQUEST["g_use_wzgraphics"])) {
+ $sql .= "1";
+ }
+ else {
+ $sql .= "0";
+ }
+ $sql .= " WHERE wfs_conf_id = $9;";
- $res = db_query($sql);
+ $v = array($_REQUEST["wfs_conf_abstract"], $_REQUEST["g_label"], $_REQUEST["g_label_id"], $_REQUEST["g_button"], $_REQUEST["g_button_id"], $_REQUEST["g_style"], $_REQUEST["g_buffer"], $_REQUEST["g_res_style"], $_REQUEST["gaz"]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "i", "s", "i");
+ $res = db_prep_query($sql, $v, $t);
if (isset($_REQUEST["f_geom"])) {
- $sql = "UPDATE wfs_conf_element SET ";
- $sql .= "f_geom = 1";
- $sql .= " WHERE fkey_wfs_conf_id = ".$_REQUEST["gaz"]." AND f_id = ".$_REQUEST["f_geom"].";";
- $res = db_query($sql);
+ $sql = "UPDATE wfs_conf_element SET f_geom = 1 ";
+ $sql .= "WHERE fkey_wfs_conf_id = $1 AND f_id = $2;";
+ $v = array($_REQUEST["gaz"], $_REQUEST["f_geom"]);
+ $t = array("i", "s");
+ $res = db_prep_query($sql);
- $sql = "UPDATE wfs_conf_element SET ";
- $sql .= "f_geom = 0";
- $sql .= " WHERE fkey_wfs_conf_id = ".$_REQUEST["gaz"]." AND f_id <> ".$_REQUEST["f_geom"].";";
- $res = db_query($sql);
+ $sql = "UPDATE wfs_conf_element SET f_geom = 0 ";
+ $sql .= "WHERE fkey_wfs_conf_id = $1 AND f_id <> $2;";
+ $v = array($_REQUEST["gaz"], $_REQUEST["f_geom"]);
+ $t = array("i", "s");
+ $res = db_prep_query($sql);
}
else {
- $sql = "UPDATE wfs_conf_element SET ";
- $sql .= "f_geom = 0";
- $sql .= " WHERE fkey_wfs_conf_id = ".$_REQUEST["gaz"].";";
- $res = db_query($sql);
+ $sql = "UPDATE wfs_conf_element SET f_geom = 0 ";
+ $sql .= "WHERE fkey_wfs_conf_id = $1;";
+ $v = array($_REQUEST["gaz"]);
+ $t = array("i");
+ $res = db_prep_query($sql);
}
for($i=0; $i<$_REQUEST["num"]; $i++){
- $sql = "UPDATE wfs_conf_element SET ";
- $sql .= "f_search = '";
- if(!empty($_REQUEST["f_search".$i])){
- $sql .= '1';
- }else{$sql .= '0';}
- $sql .= "',";
- $sql .= "f_pos = '".$_REQUEST["f_pos".$i]."',";
- $sql .= "f_style_id = '".$_REQUEST["f_style_id".$i]."',";
+ $sql = "UPDATE wfs_conf_element SET f_search = '";
+ if (!empty($_REQUEST["f_search".$i])) {
+ $sql .= "1";
+ }
+ else {
+ $sql .= "0";
+ }
+ $sql .= "', f_pos = $1, f_style_id = $2,";
$sql .= "f_toupper = '" ;
- if(!empty($_REQUEST["f_toupper".$i])){
- $sql .= '1';
- }else{$sql .= '0';}
- $sql .= "',";
- $sql .= "f_label = '".$_REQUEST["f_label".$i]."',";
- $sql .= "f_label_id = '".$_REQUEST["f_label_id".$i]."',";
+ if (!empty($_REQUEST["f_toupper".$i])) {
+ $sql .= "1";
+ }
+ else {
+ $sql .= "0";
+ }
+ $sql .= "',f_label = $3, f_label_id = $4,";
$sql .= "f_show = '";
- if(!empty($_REQUEST["f_show".$i])){
- $sql .= '1';
- }else{$sql .= '0';}
- $sql .= "',";
- $sql .= "f_respos = '".$_REQUEST["f_respos".$i]."' ";
- $sql .= ",";
+ if (!empty($_REQUEST["f_show".$i])) {
+ $sql .= "1";
+ }
+ else {
+ $sql .= "0";
+ }
+ $sql .= "',f_respos = $5,";
$sql .= "f_edit = '";
- if(!empty($_REQUEST["f_edit".$i])){
- $sql .= '1';
- }else{$sql .= '0';}
- $sql .= "',";
- $sql .= "f_form_element_html = '".addslashes($_REQUEST["f_form_element_html".$i]);
- $sql .= "',";
+ if (!empty($_REQUEST["f_edit".$i])) {
+ $sql .= "1";
+ }
+ else {
+ $sql .= "0";
+ }
+ $sql .= "', f_form_element_html = $6,";
$sql .= "f_mandatory = '";
- if(!empty($_REQUEST["f_mandatory".$i])){
+ if (!empty($_REQUEST["f_mandatory".$i])) {
$sql .= "1";
- }else{$sql .= "0";}
+ }
+ else {
+ $sql .= "0";
+ }
$sql .= "'";
- $sql .= " WHERE fkey_wfs_conf_id = ".$_REQUEST["gaz"]." AND f_id = ".$_REQUEST["f_id".$i].";";
- $res = db_query($sql);
+ $sql .= " WHERE fkey_wfs_conf_id = $8 AND f_id = $9;";
+
+ $v = array($_REQUEST["f_pos".$i], $_REQUEST["f_style_id".$i], $_REQUEST["f_label".$i], $_REQUEST["f_label_id".$i], $_REQUEST["f_respos".$i], addslashes($_REQUEST["f_form_element_html".$i]), $_REQUEST["f_auth_varname".$i], $_REQUEST["gaz"], $_REQUEST["f_id".$i]);
+ $t = array("s", "s", "s", "s", "s", "s", "s", "i", "s");
+ $res = db_prep_query($sql, $v, $t);
}
}
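Review bot: Several of the converted statements in this `save` block cannot bind as written. The first `$t` has ten tags for nine values, with the `"i"` sitting on `g_res_style` instead of `gaz`; the three `f_geom` UPDATEs call `db_prep_query($sql)` without `$v` and `$t`; and the per-element UPDATE numbers its placeholders `$1` to `$6`, then `$8` and `$9`, while `$v` carries a value, `f_auth_varname`, that no column in the statement receives. Keeping `addslashes()` on a bound value would also store the backslashes literally if `db_prep_query` binds parameters natively, which the diff does not show. The excerpt below lines the arrays up with the placeholders.

```php
// first UPDATE: nine placeholders, nine type tags, "i" on wfs_conf_id
$t = array("s", "s", "s", "s", "s", "s", "s", "s", "i");
// … unchanged: f_geom statement text and its $v / $t arrays …
$res = db_prep_query($sql, $v, $t); // same call for all three f_geom UPDATEs
// … unchanged: per-element SET clause with the checkbox literals …
$sql .= " WHERE fkey_wfs_conf_id = $7 AND f_id = $8;";

$v = array($_REQUEST["f_pos".$i], $_REQUEST["f_style_id".$i], $_REQUEST["f_label".$i], $_REQUEST["f_label_id".$i], $_REQUEST["f_respos".$i], $_REQUEST["f_form_element_html".$i], $_REQUEST["gaz"], $_REQUEST["f_id".$i]);
$t = array("s", "s", "s", "s", "s", "s", "i", "s");
```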
@@ -164,9 +175,11 @@
}
/* configure elements */
-if(isset($_REQUEST["gaz"])){
- $sql = "SELECT * FROM wfs_conf WHERE wfs_conf_id = ".$_REQUEST["gaz"];
- $res = db_query($sql);
+if (isset($_REQUEST["gaz"])) {
+ $sql = "SELECT * FROM wfs_conf WHERE wfs_conf_id = $1";
+ $v = array($_REQUEST["gaz"]);
+ $t = array("i");
+ $res = db_prep_query($sql, $v, $t);
if($row = db_fetch_array($res)){
echo "<table>";
echo "<tr><td>GazetterID:</td><td>".$row["wfs_conf_id"]."</td></tr>" ;
@@ -187,9 +200,10 @@
/* set element options */
$sql = "SELECT * FROM wfs_conf_element ";
$sql .= "JOIN wfs_element ON wfs_conf_element.f_id = wfs_element.element_id ";
- $sql .= "WHERE fkey_wfs_conf_id = ".$_REQUEST["gaz"]." ORDER BY f_id";
-
- $res = db_query($sql);
+ $sql .= "WHERE fkey_wfs_conf_id = $1 ORDER BY f_id";
+ $v = array($_REQUEST["gaz"]);
+ $t = array("i");
+ $res = db_prep_query($sql, $v, $t);
echo "<table border='1'>";
echo "<tr valign = bottom>";
Modified: tags/2.4.4_su/http/php/mod_wfsrequest.php
===================================================================
--- tags/2.4.4/http/php/mod_wfsrequest.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/mod_wfsrequest.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -32,8 +32,8 @@
$sql .= "WHERE wfs_conf.wfs_conf_id = $1";
$v = array($_REQUEST['wfs_conf_id']);
-$t = array('i');
-$res = db_prep_query($sql,$v,$t);
+$t = array("i");
+$res = db_prep_query($sql, $v, $t);
if($row = db_fetch_array($res)){
$g_res_style = $row["g_res_style"];
@@ -45,8 +45,8 @@
$sql .= "WHERE wfs_conf_element.fkey_wfs_conf_id = $1 ";
$sql .= "AND wfs_conf_element.f_show = 1 ORDER BY wfs_conf_element.f_respos;";
$v = array($_REQUEST['wfs_conf_id']);
-$t = array('i');
-$res = db_prep_query($sql,$v,$t);
+$t = array("i");
+$res = db_prep_query($sql, $v, $t);
$col = array();
$cnt = 0;
while($row = db_fetch_array($res)){
Modified: tags/2.4.4_su/http/php/nestedSets.php
===================================================================
--- tags/2.4.4/http/php/nestedSets.php 2008-01-21 09:19:43 UTC (rev 2000)
+++ tags/2.4.4_su/http/php/nestedSets.php 2008-01-29 13:05:41 UTC (rev 2039)
@@ -58,16 +58,16 @@
if(value == 'insert'){
/*
if(document.forms[0].title.value == ''){alert("Bitte geben Sie einen Titel an."); permission = false; return;}
- if(document.forms[0].left.value == ''){alert("Wählen Sie eine Position."); permission = false; return;}
+ if(document.forms[0].left.value == ''){alert("W�hlen Sie eine Position."); permission = false; return;}
*/
if(document.forms[0].title.value == ''){alert("Please insert a title."); permission = false; return;}
if(document.forms[0].left.value == ''){alert("Please choose a position."); permission = false; return;}
- if(document.forms[0].wmsList.selectedIndex > 0 && document.forms[0].layer.selectedIndex == 0){alert("Wählen Sie einen Layer."); permission = false; return;}
+ if(document.forms[0].wmsList.selectedIndex > 0 && document.forms[0].layer.selectedIndex == 0){alert("W�hlen Sie einen Layer."); permission = false; return;}
if(permission == true){document.forms[0].action.value = "insert"; document.forms[0].submit();}
}
if(value == 'delete'){
- //permission = confirm("Soll das Objekt mit Inhalten gelöscht werden?");
+ //permission = confirm("Soll das Objekt mit Inhalten gel�scht werden?");
permission = confirm("Do you want to delete the object and the content of the object?");
if(permission == true){
document.forms[0].action.value = "delete";
@@ -77,7 +77,7 @@
if(value == 'update'){
/*
if(document.forms[0].title.value == ''){alert("Bitte geben Sie einen Titel an."); permission = false; return;}
- if(document.forms[0].left.value == ''){alert("Bitte wählen Sie eine Position."); permission = false; return;}
+ if(document.forms[0].left.value == ''){alert("Bitte w�hlen Sie eine Position."); permission = false; return;}
*/
if(document.forms[0].title.value == ''){alert("Please fill in a labeling."); permission = false; return;}
@@ -87,10 +87,10 @@
}
if(value == 'add'){
/*
- if(document.forms[0].left.value == ''){alert("Bitte wählen Sie eine Position."); permission = false; return;}
- if(document.forms[0].guiList.selectedIndex == 0){alert("Bitte wählen Sie eine GUI."); permission = false; return;}
- if(document.forms[0].wmsList.selectedIndex == 0){alert("Bitte wählen Sie einen WMS."); permission = false; return;}
- if(document.forms[0].layer.selectedIndex == 0){alert("Bitte wählen Sie eine Ebene."); permission = false; return;}
+ if(document.forms[0].left.value == ''){alert("Bitte w�hlen Sie eine Position."); permission = false; return;}
+ if(document.forms[0].guiList.selectedIndex == 0){alert("Bitte w�hlen Sie eine GUI."); permission = false; return;}
+ if(document.forms[0].wmsList.selectedIndex == 0){alert("Bitte w�hlen Sie einen WMS."); permission = false; return;}
+ if(document.forms[0].layer.selectedIndex == 0){alert("Bitte w�hlen Sie eine Ebene."); permission = false; return;}
*/
if(document.forms[0].left.value == ''){alert("Please fill in a position."); permission = false; return;}
@@ -116,26 +116,31 @@
}
if(isset($action) && $action == "insert"){
$temp = explode("###", $layer);
- $sql = "SELECT rgt FROM gui_treegde WHERE lft = ".$left." AND fkey_gui_id = '".$guiList."'";
- $res = db_query($sql);
+ $sql = "SELECT rgt FROM gui_treegde WHERE lft = $1 AND fkey_gui_id = $1";
+ $v = array($left, $guiList);
+ $t = array("i", "s");
+ $res = db_prep_query($sql, $v, $t);
if($pos == 'in'){$left = $left + 1;}
else if($pos == 'hinter'){$left = db_result($res,0,"rgt") + 1;}
else{ $left = $left + 2;}
- $sql = "UPDATE gui_treegde SET rgt=rgt+2 WHERE rgt >=". $left." AND fkey_gui_id = '".$guiList."'";
- db_query($sql);
- $sql = "UPDATE gui_treegde SET lft=lft+2 WHERE lft >=".$left." AND fkey_gui_id = '".$guiList."'";
- db_query($sql);
- $sql = "INSERT INTO gui_treegde(fkey_gui_id, fkey_layer_id, lft,rgt, my_layer_title, layer, wms_id) VALUES(";
- $sql .= "'".$guiList."', ";
- $sql .= "'".$temp[0]."', ";
- $sql .= $left.", ";
- $sql .= ($left+1).", ";
- $sql .= "'".$name."', ";
- $sql .= "'".$temp[1]."', ";
- $sql .= "'".$wmsList."'";
- $sql .= ")";
- #echo $sql . "<br>";
- db_query($sql);
+
+ $sql = "UPDATE gui_treegde SET rgt=rgt+2 WHERE rgt >= $1 AND fkey_gui_id = $2";
+ $v = array($left, $guiList);
+ $t = array("i", "s");
+ db_prep_query($sql, $v, $t);
+
+ $sql = "UPDATE gui_treegde SET lft=lft+2 WHERE lft >= $1 AND fkey_gui_id = $2";
+ $v = array($left, $guiList);
+ $t = array("i", "s");
+ db_prep_query($sql, $v, $t);
+
+ $sql = "INSERT INTO gui_treegde(fkey_gui_id, fkey_layer_id, lft,rgt, ";
+ $sql .= "my_layer_title, layer, wms_id) VALUES($1, $2, $3, $4, $5, $6, $7)";
+ #echo $sql . "<br>";
+ $v = array($guiList, $temp[0], $left, ($left+1), $name, $temp[1], $wmsList);
+ $t = array("s", "s", "i", "i", "s", "s", "s");
+ db_prep_query($sql, $v, $t);
+
/*
if($layer == ""){
$left = $left + 1;
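Review bot: The first SELECT of the `insert` branch uses `$1` for both conditions, `lft = $1 AND fkey_gui_id = $1`, while two values are passed in `$v`. The GUI filter is therefore never compared with `$guiList`, and the `hinter` case reads `rgt` from a result that is either an error or the wrong row. It should match the form used in the `delete` branch: `$sql = "SELECT rgt FROM gui_treegde WHERE lft = $1 AND fkey_gui_id = $2";`. The hunk ends inside a commented-out block that continues outside it.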
@@ -152,53 +157,79 @@
}
if(isset($action) && $action == "delete"){
if($left){
- $sql = "SELECT rgt FROM gui_treegde WHERE lft =". $left." AND fkey_gui_id = '".$guiList."'";
- $res = db_query($sql);
+ $sql = "SELECT rgt FROM gui_treegde WHERE lft = $1 AND fkey_gui_id = $2";
+ $v = array($left, $guiList);
+ $t = array("i", "s");
+ $res = db_prep_query($sql, $v, $t);
$right = db_result($res,0,"rgt");
- $sql = "DELETE FROM gui_treegde WHERE lft BETWEEN ".$left." and ".$right." AND fkey_gui_id = '".$guiList."'";
- db_query($sql);
- $sql = "UPDATE gui_treegde SET lft=lft-((".$right."-".$left."+1)) WHERE lft>".$right." AND fkey_gui_id = '".$guiList."'";
- db_query($sql);
- $sql = "UPDATE gui_treegde SET rgt=rgt-((".$right."-".$left."+1)) WHERE rgt>".$right." AND fkey_gui_id = '".$guiList."'";
- db_query($sql);
+
+ $sql = "DELETE FROM gui_treegde WHERE lft BETWEEN $1 and $2 AND fkey_gui_id = $3";
+ $v = array($left, $right, $guiList);
+ $t = array("i", "i", "s");
+ db_prep_query($sql, $v, $t);
+
+ $sql = "UPDATE gui_treegde SET lft=lft-(($1 - $2 + 1)) WHERE lft > $3 AND fkey_gui_id = $4";
+ $v = array($right, $left, $right, $guiList);
+ $t = array("i", "i", "i", "s");
+ db_prep_query($sql, $v, $t);
+
+ $sql = "UPDATE gui_treegde SET rgt=rgt-(($1 - $2 + 1)) WHERE rgt > $3 AND fkey_gui_id = $4";
+ $v = array($right, $left, $right, $guiList);
+ $t = array("i", "i", "i", "s");
+ db_prep_query($sql, $v, $t);
}
}
if(isset($action) && $action == "update"){
$temp = explode("###", $layer);
$sql = "UPDATE gui_treegde SET ";
- $sql .= "my_layer_title = '".$name."', ";
- $sql .= "fkey_layer_id = '".$temp[0]."', ";
- $sql .= "layer = '".$temp[1]."', ";
- $sql .= "wms_id = '" . $wmsList."'";
- $sql .= " WHERE lft = ".$left." AND fkey_gui_id = '".$guiList."'";
- db_query($sql);
+ $sql .= "my_layer_title = $1, ";
+ $sql .= "fkey_layer_id = $2, ";
+ $sql .= "layer = $3, ";
+ $sql .= "wms_id = $4";
+ $sql .= " WHERE lft = $5 AND fkey_gui_id = $6";
+ $v = array($name, $temp[0], $temp[1], $wmsList, $left, $guiList);
+ $t = array("s", "s", "s", "s", "i", "s");
+ db_prep_query($sql, $v, $t);
}
if(isset($action) && $action == "add"){
$temp = explode("###", $layer);
- $sql_val = "SELECT * FROM gui_treegde WHERE lft =". $left." AND fkey_gui_id = '".$guiList."'";
- $res_val = db_query($sql_val);
+ $sql_val = "SELECT * FROM gui_treegde WHERE lft = $1 AND fkey_gui_id = $2";
+ $v = array($left, $guiList);
+ $t = array("i", "s");
+ $res = db_prep_query($sql_val, $v, $t);
$sql = "UPDATE gui_treegde SET ";
+ $sql .= "fkey_layer_id = $1, layer = $2, wms_id = $3 ";
+ $sql .= "WHERE lft = $4 AND fkey_gui_id = $5";
- $sql .= "fkey_layer_id = ";
- $sql .= "'";
- if(db_result($res_val, 0, "fkey_layer_id") != ''){ $sql .= db_result($res_val, 0, "fkey_layer_id") . ","; }
- $sql .= $temp[0] . "', ";
+ $v = array();
+ $t = array("s", "s", "s", "i", "s");
+
+ if (db_result($res_val, 0, "fkey_layer_id") != '') {
+ array_push($v, db_result($res_val, 0, "fkey_layer_id") . "," . $temp[0]);
+ }
+ else {
+ array_push($v, $temp[0]);
+ }
- $sql .= "layer = ";
- $sql .= "'";
- if(db_result($res_val, 0, "layer") != ''){ $sql .= db_result($res_val, 0, "layer") . ","; }
- $sql .= $temp[1] . "', ";
+ if (db_result($res_val, 0, "layer") != '') {
+ array_push($v, db_result($res_val, 0, "layer") . "," . $temp[1]);
+ }
+ else {
+ array_push($v, $temp[1]);
+ }
- $sql .= "wms_id = ";
- $sql .= "'";
- if(db_result($res_val, 0, "wms_id") != ''){ $sql .= db_result($res_val, 0, "wms_id") . ","; }
- $sql .= $wmsList . "' ";
-
- $sql .= " WHERE lft = ".$left." AND fkey_gui_id = '".$guiList."'";
- #echo $sql . "<br>";
- db_query($sql);
+ if (db_result($res_val, 0, "wms_id") != '') {
+ array_push($v, db_result($res_val, 0, "wms_id") . "," . $wmsList);
+ }
+ else {
+ array_push($v, $wmsList);
+ }
+
+ array_push($v, $left);
+ array_push($v, $guiList);
+ db_prep_query($sql, $v, $t);
}
?>
<br />
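Review bot: In the `add` branch the result is now assigned to `$res`, but the three `db_result($res_val, 0, ...)` checks below still read `$res_val`, which is no longer set. The existing `fkey_layer_id`, `layer` and `wms_id` values are therefore never read back and appended as intended; the assignment should be `$res_val = db_prep_query($sql_val, $v, $t);`. In the `delete` branch, `$right` is taken from `db_result($res,0,"rgt")` without checking that a row was found, so a stale `$left` feeds an empty value into the DELETE and both UPDATEs. A row check before those three statements would avoid that.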
@@ -228,14 +259,19 @@
$admin = new administration();
$ownguis = $admin->getGuisByOwner($_SESSION["mb_user_id"],true);
-$sql = "SELECT * FROM gui WHERE gui_id IN ("; for($i=0;
-$i<count($ownguis); $i++){
- if($i>0){ $sql .= ",";}
- $sql .= "'".$ownguis[$i]."'";
- }
+$sql = "SELECT * FROM gui WHERE gui_id IN (";
+$v = $ownguis;
+$t = array();
+for ($i = 1; $i <= count($ownguis); $i++){
+ if ($i > 1) {
+ $sql .= ",";
+ }
+ $sql .= "$" . $i;
+ array_push($t, "s");
+}
$sql .= ") ORDER BY gui_name";
-$res = db_query($sql);
+$res = db_prep_query($sql, $v, $t);
$cnt = 0;
echo "<select class='guiList' size='10' name='guiList' class='guiList' onchange='document.forms[0].submit()'>";
echo "<option value=''>GUI ...</option>";
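Review bot: When `$ownguis` is empty the loop adds no placeholders and the statement passed to `db_prep_query` ends in `gui_id IN () ORDER BY gui_name`, which the database rejects as a syntax error; the removed code had the same gap and the rewrite carries it over. Guard the query, for example with `if (is_array($ownguis) && count($ownguis) > 0) {` around the lines from `$sql = "SELECT * FROM gui ...` to the `db_prep_query` call, and render only the placeholder option otherwise. `$v = $ownguis;` also assumes a zero-based list so that `$1..$n` line up with the values; `$v = array_values($ownguis);` makes that explicit. The code that reads `$res` lies outside the hunk and has to tolerate the skipped query.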
@@ -265,9 +301,11 @@
if(isset($guiList) && $guiList != ""){
$sql = "SELECT gui_wms.fkey_wms_id, wms.wms_title FROM gui_wms ";
$sql .= "INNER JOIN wms ON gui_wms.fkey_wms_id = wms.wms_id ";
- $sql .= "WHERE gui_wms.fkey_gui_id = '" . $guiList . "' ";
+ $sql .= "WHERE gui_wms.fkey_gui_id = $1 ";
$sql .= "ORDER BY wms.wms_title";
- $res = db_query($sql);
+ $v = array($guiList);
+ $t = array("s");
+ $res = db_prep_query($sql, $v, $t);
$cnt = 0;
while($row = db_fetch_array($res)){
echo "<option value='".$row["fkey_wms_id"]."' ";
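Review bot: The query at `WHERE gui_wms.fkey_gui_id = $1` accepts any `$guiList` value, even though the previous hunk already loads `$ownguis` for the session user; binding the parameter stops injection but not a request for a GUI the user does not own. Unless the value is checked earlier in the file (not visible here), tighten the condition to `if (isset($guiList) && in_array($guiList, $ownguis, true)) {`. The same applies to the layer query in the next hunk and to the `UPDATE gui_treegde ... WHERE lft = ... AND fkey_gui_id = ...` statements above, which write rows keyed by the same value.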
@@ -293,9 +331,11 @@
if(isset($wmsList) && $wmsList != ""){
$sql_l = "SELECT gui_layer.fkey_layer_id, layer.layer_name, layer.layer_title FROM gui_layer ";
$sql_l .= "LEFT JOIN layer ON gui_layer.fkey_layer_id = layer.layer_id ";
- $sql_l .= "WHERE gui_layer.gui_layer_wms_id = " . $wmsList . " AND layer.layer_parent = '0' AND gui_layer.fkey_gui_id = '".$guiList."'";
+ $sql_l .= "WHERE gui_layer.gui_layer_wms_id = $1 AND layer.layer_parent = '0' AND gui_layer.fkey_gui_id = $2";
$sql_l .= " ORDER BY layer.layer_title";
- $res_l = db_query($sql_l);
+ $v = array($wmsList, $guiList);
+ $t = array("i", "s");
+ $res_l = db_prep_query($sql_l, $v, $t);
$cnt = 0;
while($row = db_fetch_array($res_l)){
echo "<option value='".$row["fkey_layer_id"]."###".$row["layer_name"]."'>";
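Review bot: The context line that echoes `$row["fkey_layer_id"]."###".$row["layer_name"]` writes `layer_name` into a single-quoted `value` attribute without escaping, so a name containing `'` or `<` breaks out of the attribute. Layer names presumably originate from WMS capabilities documents supplied by remote servers (not shown on this page), which would make this stored markup injection in an admin page. Escape the whole value: `echo "<option value='".htmlspecialchars($row["fkey_layer_id"]."###".$row["layer_name"], ENT_QUOTES)."'>";` — the browser decodes it on submit, so the `explode("###", $layer)` in the add branch still receives the original string. The `while` loop continues past the end of the hunk, and whatever it prints as the option label needs the same escaping.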