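/**
 * Serves the news Atom feed for the user identified by the `key` request
 * parameter (32 lowercase hex characters — the user's API key).
 *
 * Terminates the request (die) when the key is missing or malformed, when
 * no user matches it, or when the user lacks the 'atom' privilege; on
 * success writes the feed and exits. Never returns.
 *
 * Globals: $user is replaced by the resolved user row; $DISPLAY_NEWS caps
 * the number of entries; $ical_shifts is imported but not used here.
 */
function user_atom()
{
    global $ical_shifts, $user, $DISPLAY_NEWS;
    // Shape-check the key before it reaches the DB layer.
    if (isset($_REQUEST['key']) && preg_match("/^[0-9a-f]{32}\$/", $_REQUEST['key'])) {
        $key = $_REQUEST['key'];
    } else {
        die("Missing key.");
    }
    $user = User_by_api_key($key);
    if ($user === false) {
        die("Unable to find user.");
    }
    // An unknown key yields an empty result (the original's loose `== null`).
    if (empty($user)) {
        die("Key invalid.");
    }
    if (!in_array('atom', privileges_for_user($user['UID']), true)) {
        die("No privilege for atom.");
    }
    // LIMIT takes a bare integer, so cast instead of string-escaping.
    $limit = (int) $DISPLAY_NEWS;
    $where = empty($_REQUEST['meetings']) ? '' : 'WHERE `Treffen` = 1 ';
    $news = sql_select("SELECT * FROM `News` " . $where . "ORDER BY `ID` DESC LIMIT " . $limit);
    if ($news === false) {
        die("Unable to load news.");
    }
    header('Content-Type: application/atom+xml; charset=utf-8');
    // The key is stripped from the echoed request URI so the feed id does
    // not hand the credential to feed readers.
    $feed_id = $_SERVER['HTTP_HOST'] . htmlspecialchars(preg_replace('#[&?]key=[a-f0-9]{32}#', '', $_SERVER['REQUEST_URI']));
    // With no entries there is no newest Datum to report; fall back to "now"
    // instead of reading an undefined offset.
    $updated = count($news) > 0 ? $news[0]['Datum'] : time();
    $html = '<?xml version="1.0" encoding="utf-8"?>
  <feed xmlns="http://www.w3.org/2005/Atom">
  <title>Engelsystem</title>
  <id>' . $feed_id . '</id>
  <updated>' . date('Y-m-d\\TH:i:sP', $updated) . "</updated>\n";
    foreach ($news as $news_entry) {
        $html .= "  <entry>\n    <title>" . htmlspecialchars($news_entry['Betreff']) . "</title>\n"
            . "    <link href=\"" . page_link_to_absolute("news_comments&amp;nid=") . "{$news_entry['ID']}\"/>\n"
            . "    <id>" . preg_replace('#^https?://#', '', page_link_to_absolute("news")) . "-{$news_entry['ID']}</id>\n"
            . "    <updated>" . date('Y-m-d\\TH:i:sP', $news_entry['Datum']) . "</updated>\n"
            . "    <summary type=\"html\">" . htmlspecialchars($news_entry['Text']) . "</summary>\n"
            . "    </entry>\n";
    }
    $html .= "</feed>";
    // Byte length on purpose: Content-Length counts bytes, not characters.
    header("Content-Length: " . strlen($html));
    echo $html;
    die;
}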
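/**
 * Tells whether at least one listed GeoKret is currently in the given cache.
 *
 * Picks the cache's first non-empty waypoint code (wp_oc, wp_gc, wp_nc,
 * wp_ge, wp_tc — in that order) and counts gk_item rows bound to it, leaving
 * out stateid 1/4/5 and typeid 2 (meaning of those values is not visible here).
 *
 * @param int|string $cacheid cache id; cast to int before use
 * @return int 1 when a matching GeoKret exists, 0 otherwise
 */
function isGeokretInCache($cacheid)
{
    $sql = "SELECT wp_oc, wp_gc, wp_nc,wp_ge,wp_tc FROM caches WHERE cache_id = '" . sql_escape(intval($cacheid)) . "'";
    $cache_record = mysql_fetch_array(mysql_query($sql));
    // Unknown cache id: mysql_fetch_array() yields false; treat as "no waypoint"
    // instead of indexing into false.
    $cache_wp = '';
    if ($cache_record) {
        foreach (['wp_oc', 'wp_gc', 'wp_nc', 'wp_ge', 'wp_tc'] as $column) {
            if ($cache_record[$column] != '') {
                $cache_wp = $cache_record[$column];
                break;
            }
        }
    }
    $geokret_sql = "SELECT id FROM gk_item WHERE id IN (SELECT id FROM gk_item_waypoint WHERE wp = '" . sql_escape($cache_wp) . "') AND stateid<>1 AND stateid<>4 AND stateid <>5 AND typeid<>2";
    $geokret_query = sql($geokret_sql);
    // 0 = no geokrets in this cache
    return mysql_num_rows($geokret_query) == 0 ? 0 : 1;
}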
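/**
 * url: /?p=api_key
 * Returns the caller's api_key as JSON, authenticated with HTTP Basic auth:
 * {
 *   api_token: "TOKEN"
 * }
 *
 * Replies 401 with a WWW-Authenticate challenge when no credentials were
 * sent, and 403 when the nick is unknown or the password does not verify.
 * Always terminates the request; never returns.
 */
function getAPIKey()
{
    header("Content-Type: application/json; charset=utf-8");
    // Without an Authorization header these $_SERVER keys are not set at all.
    $user = isset($_SERVER["PHP_AUTH_USER"]) ? $_SERVER["PHP_AUTH_USER"] : "";
    $password = isset($_SERVER["PHP_AUTH_PW"]) ? $_SERVER["PHP_AUTH_PW"] : "";
    if ($user === "" || $password === "") {
        // user is not authenticated
        header("WWW-Authenticate: Basic realm=Authorization Required");
        header("HTTP/1.1 401 unauthorized");
        echo "{\"error\": \"please send basic auth header\"}";
        die;
    }
    // find user by username
    $foundUser = sql_select("SELECT * FROM `User` WHERE `Nick`='" . sql_escape($user) . "'");
    if (is_array($foundUser) && count($foundUser) == 1) {
        $row = $foundUser[0];
        if (verify_password($password, $row['Passwort'], $row['UID'])) {
            // json_encode() so the key is emitted as a well-formed JSON string
            // rather than spliced raw into a hand-built literal.
            echo json_encode(array("api_token" => $row["api_key"]));
            die;
        }
    }
    // Unknown nick and wrong password end in the same response, so the API
    // does not reveal which nicks exist. The original fell through to an
    // empty 200 body on a wrong password.
    header("HTTP/1.1 403 Forbidden");
    echo "{\"error\": \"forbidden\"}";
    die;
}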
 /**
  * Builds the tag-search result for the query string $s and returns it as
  * XML through list_to_xml().
  *
  * A one-character query uses " " as the pattern prefix, longer queries
  * "\_", and the pattern is matched with `concat(?, tag) LIKE ?`. Tags that
  * start with "." are excluded unless the 'ext-tagger_show-hidden' setting
  * is something other than 'N'. When more than ext_tagger_tag_max rows match,
  * only the ext_tagger_limit most-used tags are listed and the full count is
  * passed on as array('max' => n).
  *
  * NOTE(review): $s is run through sql_escape() although it is bound as a
  * placeholder value, and LIKE wildcards inside $s are not escaped — confirm
  * both are intended.
  */
 private function match_tag_list($s)
 {
     global $database, $config;
     $maxRows = $config->get_int("ext_tagger_tag_max", 30);
     $limitRows = $config->get_int("ext_tagger_limit", 30);
     // Match
     $prefix = strlen($s) == 1 ? " " : "\\_";
     $pattern = "%" . $prefix . sql_escape($s) . "%";
     $values = array($prefix, $pattern);
     // Hidden Tags
     $hiddenClause = null;
     if ($config->get_string('ext-tagger_show-hidden', 'N') == 'N') {
         $hiddenClause = "AND substring(tag,1,1) != '.'";
     }
     $whereClause = "WHERE concat(?,tag) LIKE ? {$hiddenClause} AND count > 0";
     // FROM based on return count
     $total = $this->count($whereClause, $values);
     $fromClause = "FROM `tags`";
     $countInfo = null;
     if ($total > $maxRows) {
         $fromClause = "FROM (SELECT * FROM `tags` {$whereClause} ORDER BY count DESC LIMIT 0, {$limitRows}) AS `c_tags`";
         $whereClause = null;
         $countInfo = array("max" => $total);
     }
     $tags = $database->Execute("\n\t\t\tSELECT *\n\t\t\t{$fromClause}\n\t\t\t{$whereClause}\n\t\t\tORDER BY tag", $values);
     return $this->list_to_xml($tags, "search", $s, $countInfo);
 }
/**
 * Returns the privilege names granted to one group.
 *
 * @param int|string $group_id group id; escaped before being interpolated
 * @return string[] privilege names in the order the query returns them
 */
function privileges_for_group($group_id)
{
    $rows = sql_select("SELECT * FROM `GroupPrivileges` JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `group_id`='" . sql_escape($group_id) . "'");
    $names = array();
    foreach ($rows as $row) {
        $names[] = $row['name'];
    }
    return $names;
}
/**
 * Looks up a user's name by numeric id.
 *
 * @param int|string $userid cast to int before use
 * @return string|null the username, or null when no row matches
 *                     (a failed query terminates the request via die)
 */
function getUsername($userid)
{
    $query = mysql_query("SELECT username FROM user WHERE user_id='" . sql_escape(intval($userid)) . "'") or die;
    return mysql_num_rows($query) > 0 ? mysql_result($query, 0) : null;
}
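/**
 * Deletes one article row by id.
 *
 * @param int|string $id_article escaped before being interpolated
 * @return true on success; a failed query terminates the request (die)
 *              with the driver's error message
 */
function articles_delete($id_article)
{
    $link = getDbConnect();
    $query = sprintf("DELETE FROM `articles` WHERE `id_article`='%s'", sql_escape($id_article));
    $result = mysqli_query($link, $query);
    if (!$result) {
        // mysqli_error() requires the connection handle; called without one
        // it cannot report anything. NOTE(review): printing the raw driver
        // error to the client exposes schema details — logging it is safer.
        die(mysqli_error($link));
    }
    return true;
}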
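 /**
  * Persists the disposable-mailblocker settings of one subscribe page.
  *
  * Writes two rows into $GLOBALS['tables']['subscribepage_data']:
  * 'disposable_mailblocker_enable' (1 when the checkbox was posted, else 0)
  * and 'disposable_mailblocker_text' (free text from the form).
  *
  * @param int $id subscribe page id (formatted with %d)
  */
 function processSubscribePageEdit($id)
 {
     // The original stored 1 in both branches, so the feature could never be
     // switched off again; an absent or empty checkbox now stores 0.
     $enabled = empty($_POST['disposable_mailblocker_enable']) ? 0 : 1;
     // The text field may be missing from the POST body entirely.
     $text = isset($_POST['disposable_mailblocker_text']) ? $_POST['disposable_mailblocker_text'] : '';
     $table = $GLOBALS['tables']["subscribepage_data"];
     Sql_Query(sprintf('replace into %s (id,name,data) values(%d,"disposable_mailblocker_enable","%s")', $table, $id, sql_escape($enabled)));
     Sql_Query(sprintf('replace into %s (id,name,data) values(%d,"disposable_mailblocker_text","%s")', $table, $id, sql_escape($text)));
 }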
/**
 * Loads a visible room (`show` = 'Y') by its RID.
 *
 * @param int|string $id room id; escaped before being interpolated
 * @return array|false|null the room row; false when the query failed;
 *                          null when no visible room has that id
 */
function Room($id)
{
    $rows = sql_select("SELECT * FROM `Room` WHERE `RID`='" . sql_escape($id) . "' AND `show` = 'Y'");
    if ($rows === false) {
        return false;
    }
    return count($rows) > 0 ? $rows[0] : null;
}
/**
 * Updates name and content of the `lesson2` row with the given id.
 *
 * @param int|string $id_article cast to int
 * @param string $name escaped before being interpolated
 * @param string $content escaped before being interpolated
 */
function articles_edit($id_article, $name, $content)
{
    // Guard the values before they are spliced into the statement
    $safeId = (int) $id_article;
    $safeName = sql_escape($name);
    $safeContent = sql_escape($content);
    // Build and run the update; the result is not inspected here
    $statement = "UPDATE `lesson2` SET `name`='{$safeName}', `content`='{$safeContent}' WHERE `id`='{$safeId}'";
    mysqli_query(getDbConnect(), $statement);
}
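/**
 * Sets a user setting: updates the existing ($sn, $uid) row or inserts one.
 * Only the values of the admin user are taken into account for this.
 *
 * @param string $sn setting name
 * @param string $value setting value
 * @param int $is usersetting flag, stored in the unquoted `usersetting` column
 * @param int $uid user id, stored in the unquoted `user_id` column
 */
function change_usersetting($sn, $value, $is, $uid)
{
    global $kfm;
    // $uid and $is are spliced into the statements unquoted and unescaped,
    // so force them to integers instead of trusting the caller.
    $uid = (int) $uid;
    $is = (int) $is;
    $name = sql_escape($sn);
    $existing = db_fetch_row('SELECT id FROM ' . KFM_DB_PREFIX . 'settings WHERE name="' . $name . '" and user_id=' . $uid);
    if ($existing && count($existing)) {
        $kfm->db->query('UPDATE ' . KFM_DB_PREFIX . 'settings SET value="' . sql_escape($value) . '", usersetting=' . $is . ' WHERE name="' . $name . '" AND user_id=' . $uid);
    } else {
        $sql = 'INSERT INTO ' . KFM_DB_PREFIX . 'settings (name, value, user_id, usersetting) VALUES ("' . $name . '","' . sql_escape($value) . '", ' . $uid . ',' . $is . ')';
        $kfm->db->query($sql);
    }
}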
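/**
 * Removes $user_id's watch on $cache_id and decrements the cache's watcher
 * counter.
 *
 * @param int|string $cache_id escaped before being interpolated
 * @param int|string $user_id escaped before being interpolated
 */
function remove_watch($cache_id, $user_id)
{
    $cacheId = sql_escape($cache_id);
    //remove watch
    sql('DELETE FROM cache_watches WHERE cache_id=\'' . $cacheId . '\' AND user_id=\'' . sql_escape($user_id) . '\'');
    //remove from caches
    // Decrement inside one statement instead of read-then-write, so two
    // concurrent removals cannot both store the same stale value. A missing
    // cache matches no row, which the old num_rows check also skipped;
    // IFNULL keeps a NULL counter ending at -1 as the PHP arithmetic did.
    sql('UPDATE caches SET watcher=IFNULL(watcher,0)-1 WHERE cache_id=\'' . $cacheId . '\'');
}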
/**
 * Get a shift type by id.
 *
 * @param int|string $shifttype_id escaped before being interpolated
 * @return array|false|null the row; false when the query failed; null when
 *                          the result set is empty
 */
function ShiftType($shifttype_id)
{
    $rows = sql_select("SELECT * FROM `ShiftTypes` WHERE `id`='" . sql_escape($shifttype_id) . "'");
    if ($rows === false) {
        return false;
    }
    // An empty result set is what the original's loose `== null` caught.
    if (empty($rows)) {
        return null;
    }
    return $rows[0];
}
/**
 * Renders a PHP value as an SQL literal for interpolation.
 *
 * null becomes NULL, strings are escaped and single-quoted, booleans become
 * 0/1, every other value is returned unchanged.
 *
 * @param mixed $var
 * @param mixed $conn connection handle forwarded to sql_escape()
 * @return mixed
 */
function sql_validate_value($var, $conn)
{
    if ($var === null) {
        return 'NULL';
    }
    if (is_string($var)) {
        return "'" . sql_escape($var, $conn) . "'";
    }
    if (is_bool($var)) {
        return intval($var);
    }
    return $var;
}
/**
 * send message
 *
 * Strips tags and disallowed characters from $text, reduces $id to digits
 * and stores a `Messages` row when the receiver exists and is not the
 * sending user (global $user).
 *
 * TODO: use validation functions, return new message id
 * TODO: global $user can not be used in model!
 *
 * @param int|string $id UID of receiver
 * @param string $text text of message
 * @return bool true when a row was inserted, false otherwise
 */
function Message_send($id, $text)
{
    global $user;
    $body = preg_replace("/([^\\p{L}\\p{P}\\p{Z}\\p{N}\n]{1,})/ui", '', strip_tags($text));
    $receiver = preg_replace("/([^0-9]{1,})/ui", '', strip_tags($id));
    if ($body == "" || !is_numeric($receiver)) {
        return false;
    }
    $sender = sql_escape($user['UID']);
    $receiverExists = sql_num_query("SELECT * FROM `User` WHERE `UID`='" . sql_escape($receiver) . "' AND NOT `UID`='" . $sender . "' LIMIT 1") > 0;
    if (!$receiverExists) {
        return false;
    }
    sql_query("INSERT INTO `Messages` SET `Datum`='" . sql_escape(time()) . "', `SUID`='" . $sender . "', `RUID`='" . sql_escape($receiver) . "', `Text`='" . sql_escape($body) . "'");
    return true;
}
/**
 * Converts the X/Y pairs in $val to GK lon/lat through coordinate_batch and
 * writes them back to `bfn_wgs84`.<$table>, one UPDATE per key in $pks
 * (matched by position: $pks[n] belongs to $val[n]).
 *
 * @param string $table table name; escaped before being interpolated
 * @param array $pks list of rows with 'GID', 'ESEQ', 'SEQ'
 * @param array $val list of rows with 'X1', 'Y1', 'X2', 'Y2'
 *                   (both assumed to be 0-based lists — verify at the caller)
 */
function flushToDB($table, $pks, $val)
{
    $batch = new coordinate_batch();
    $batch->openGK();
    foreach ($val as $pair) {
        $batch->writeGK($pair['X1'], $pair['Y1']);
        $batch->writeGK($pair['X2'], $pair['Y2']);
    }
    $coords = $batch->analyseOutput();
    $tableName = sql_escape($table);
    foreach ($pks as $n => $pk) {
        // Two output points per input row: index 2n is (X1,Y1), 2n+1 is (X2,Y2).
        $first = $coords[$n * 2];
        $second = $coords[$n * 2 + 1];
        sql("UPDATE `bfn_wgs84`.`" . $tableName . "` SET `x1`='&1', `x2`='&2', `y1`='&3', `y2`='&4' \r\n\t\t            WHERE `GID`='&5' AND `ESEQ`='&6' AND `SEQ`='&7'", $first['lon'], $second['lon'], $first['lat'], $second['lat'], $pk['GID'], $pk['ESEQ'], $pk['SEQ']);
    }
}
/**
 * Lists PayPal-related transactions from transaction_log grouped by xid,
 * optionally restricted to a currency suffix and a [from, to) time window.
 *
 * @param string|false $currency currency filter (escaped), or false for all
 * @param int|false $from inclusive lower bound on time, or false
 * @param int|false $to exclusive upper bound on time, or false
 * @return array array(0, transactions) keyed by xid, each with 'xid',
 *               'time' and 'change'; on a failed query the value of
 *               private_dberr() is returned instead
 */
function admin_getpaypaltransactions($currency = false, $from = false, $to = false)
{
    $filters = "";
    if ($currency !== false) {
        $filters .= " and change like '%" . sql_escape($currency) . "'";
    }
    if ($from !== false) {
        $filters .= " and time >= " . intval($from);
    }
    if ($to !== false) {
        $filters .= " and time < " . intval($to);
    }
    $innerAccounts = "(account like 'anon-deposits:%' or account like 'deposits:%' or account like 'subscription-payments:%' or account like 'withdrawals:%')";
    $outerAccounts = "(account like 'anon-deposits:%' or account like 'deposits:%' or account='paypal-fee' or account like 'subscription-payments:%' or account like 'withdrawals:%')";
    $result = sql_exec("select xid,min(time) as time,subtract_money('',sum_money(change)) as change from transaction_log where xid in (select xid from transaction_log where " . $innerAccounts . $filters . ") and " . $outerAccounts . " group by xid order by xid");
    if ($result === false) {
        return private_dberr();
    }
    $transactions = array();
    $rowCount = sql_numrows($result);
    for ($i = 0; $i < $rowCount; $i++) {
        $row = sql_fetch_array($result, $i);
        $xid = intval($row["xid"]);
        $transactions[$xid] = array("xid" => $xid, "time" => intval($row["time"]), "change" => (string) $row['change']);
    }
    return array(0, $transactions);
}
/**
 * Builds an SQL string from a template plus arguments, escaping each
 * argument with sql_escape() before handing everything to hook('sprintf').
 *
 * Call shapes seen here: sql_filter($template, $arg1, $arg2, ...) or
 * sql_filter($template, array($arg1, ...)). Returns false when called with
 * no arguments at all, and the template with nothing substituted when only
 * the template is given. Literal '%' in the template is protected by a
 * temporary '[!]' marker. Arguments containing '/***' followed by '/' are
 * passed through unescaped; arguments containing 'addquotes' are split on
 * ',' and re-joined as quoted values. Template lines starting with '-- '
 * are dropped when their positional argument is falsy.
 *
 * w() and hook() are project helpers not visible here; presumably w()
 * splits a space-separated string into a list — confirm.
 *
 * @return string|false
 */
function sql_filter()
{
    if (!($args = func_get_args())) {
        return false;
    }
    $sql = array_shift($args);
    $count_args = count($args);
    // Protect literal '%' so sprintf() later only sees the placeholders added below.
    $sql = str_replace('%', '[!]', $sql);
    if (!$count_args || $count_args < 1) {
        return str_replace('[!]', '%', $sql);
    }
    // A single array argument is taken as the whole argument list.
    if ($count_args == 1 && is_array($args[0])) {
        $args = $args[0];
    }
    $_args = array();
    foreach ($args as $i => $arg) {
        // '/***/' marks a pre-built SQL fragment that must not be escaped.
        if (strpos($arg, '/***/') !== false) {
            $_args[$i] = $arg;
        } else {
            $_args[$i] = sql_escape($arg);
        }
    }
    $args = $_args;
    foreach ($args as $i => $row) {
        // 'addquotes,a,b' -> "'a','b'" (the first element is discarded).
        if (strpos($row, 'addquotes') !== false) {
            $e_row = explode(',', $row);
            array_shift($e_row);
            foreach ($e_row as $j => $jr) {
                $e_row[$j] = "'" . $jr . "'";
            }
            $args[$i] = implode(',', $e_row);
        }
    }
    // Turn the template's '??' / '?' markers into sprintf placeholders and
    // put it back in front of the arguments.
    array_unshift($args, str_replace(w('?? ?'), w("%s '%s'"), $sql));
    // Conditional deletion of lines if input is zero
    if (strpos($args[0], '-- ') !== false) {
        $e_sql = explode("\n", $args[0]);
        $matches = 0;
        foreach ($e_sql as $i => $row) {
            $e_sql[$i] = str_replace('-- ', '', $row);
            // NOTE(review): strpos() is tested for truthiness, so a '%s' at
            // offset 0 does not advance $matches and the argument index used
            // on the next line is then off by one.
            if (strpos($row, '%s')) {
                $matches++;
            }
            if (strpos($row, '-- ') !== false && !$args[$matches]) {
                unset($e_sql[$i], $args[$matches]);
            }
        }
        // implode() without a glue joins with '' — the newlines removed by
        // explode() above are not restored.
        $args[0] = implode($e_sql);
    }
    return str_replace('[!]', '%', hook('sprintf', $args));
}
/**
 * Fills the global $usr array from the verified $login session: userid,
 * email (looked up by user_id) and username. When nobody is logged in
 * (userid 0), $usr is set to false instead.
 */
function auth_user()
{
    global $usr, $login;
    $login->verify();
    if ($login->userid == 0) {
        $usr = false;
        return;
    }
    //set up $usr array
    $usr['userid'] = $login->userid;
    $usr['email'] = sqlValue("SELECT `email` FROM `user` WHERE `user_id`='" . sql_escape($login->userid) . "'", '');
    $usr['username'] = $login->username;
}
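 /**
  *	Get Cookie Value
  *	Get the value from cookie. The cookie name is self::$prefix plus $name
  *	with dots replaced by underscores; the value is url-decoded and
  *	stripslashed before being passed through sql_escape().
  *
  *	A raw value starting with "a:" is treated as a serialized array and is
  *	unserialized with object instantiation disabled, so cookie contents —
  *	which the client controls — can never produce objects.
  *
  *	@param	string	Cookie name
  *	@return	mixed	the escaped value, or FALSE when the cookie is absent
  */
 public static function GetCookie($name)
 {
     self::checkValues();
     $cookieName = self::$prefix . str_replace(".", "_", $name);
     if (!isset($_COOKIE[$cookieName])) {
         return FALSE;
     }
     $raw = $_COOKIE[$cookieName];
     $decoded = stripslashes(urldecode($raw));
     if (substr($raw, 0, 2) === "a:") {
         // NOTE(review): unserialize() of client data is still a deserialization
         // of untrusted input; allowed_classes=false limits it to scalars/arrays.
         // sql_escape() is then applied to whatever comes back — confirm it
         // handles arrays as callers expect.
         return sql_escape(unserialize($decoded, array('allowed_classes' => false)));
     }
     return sql_escape($decoded);
 }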
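/**
 * Adds an index of kind $type over $cols to $table unless an index named
 * after the first column already exists.
 *
 * NOTE(review): sql_escape() protects quoted string values; it does not make
 * backtick-quoted identifiers safe, so $table/$cols/$type must come from
 * trusted migration code, not from request input.
 *
 * @param string $table
 * @param string[] $cols column names; $cols[0] doubles as the key name checked
 * @param string $type e.g. "INDEX" or "UNIQUE"
 * @return bool true when the index was added (global $applied is set),
 *              false when it already existed
 */
function _add_index($table, $cols, $type = "INDEX")
{
    global $applied;
    $table = sql_escape($table);
    $cols = array_map('sql_escape', $cols);
    $type = sql_escape($type);
    if (sql_num_query("SHOW INDEX FROM `" . $table . "` WHERE `Key_name` = '" . $cols[0] . "'") != 0) {
        return false;
    }
    // implode(array, glue) was only tolerated by legacy PHP; glue comes first.
    sql_query("ALTER TABLE `" . $table . "` ADD " . $type . " (`" . implode('`,`', $cols) . "`)");
    $applied = true;
    return true;
}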
/**
 * Returns a map of log type id => display name for the current locale
 * (global $locale, initialised from $opt['template']['locale'] when unset),
 * falling back to the English name where no translation exists.
 *
 * @return array<int|string, string>
 */
function get_logtype_names()
{
    global $locale, $opt;
    if (!isset($locale)) {
        $locale = $opt['template']['locale'];
    }
    $names = array();
    $result = sql("SELECT `log_types`.`id`,\n\t\t                  IFNULL(`sys_trans_text`.`text`,`log_types`.`en`) AS `type_name`\n\t\t             FROM `log_types`\n            LEFT JOIN `sys_trans_text` ON `sys_trans_text`.`trans_id` = `log_types`.`trans_id` AND `sys_trans_text`.`lang`='" . sql_escape($locale) . "'");
    for ($row = sql_fetch_array($result); $row; $row = sql_fetch_array($result)) {
        $names[$row['id']] = $row['type_name'];
    }
    sql_free_result($result);
    return $names;
}
 /**
  * Checks every configured replication slave ($opt['db']['slaves']) and
  * prunes `sys_repl_slaves` rows whose id is no longer configured (every
  * row when none is configured). Afterwards drops `sys_repl_exclude`
  * entries older than $opt['db']['slave']['max_behind'] seconds.
  */
 public function run()
 {
     global $opt;
     $quotedIds = array();
     foreach (array_keys($opt['db']['slaves']) as $slaveId) {
         $this->check_slave($slaveId);
         $quotedIds[] = "'" . sql_escape($slaveId) . "'";
     }
     if (empty($quotedIds)) {
         sql("DELETE FROM `sys_repl_slaves`");
     } else {
         sql("DELETE FROM `sys_repl_slaves` WHERE `id` NOT IN (" . implode(',', $quotedIds) . ")");
     }
     // now, clean up sys_repl_exclude
     sql("DELETE FROM `sys_repl_exclude` WHERE `datExclude`<DATE_SUB(NOW(), INTERVAL '&1' SECOND)", $opt['db']['slave']['max_behind']);
 }
/**
 * Admin page for one news entry: edit form, save, delete.
 *
 * Requires `action` (presence checked in $_GET, value read from $_REQUEST)
 * and a numeric `id` of at most 11 digits. Without `action` the caller is
 * redirected to the news list; an unknown action also redirects.
 *
 * @return string rendered page (or the error() result on a bad call)
 */
function admin_news()
{
    global $user;
    if (!isset($_GET["action"])) {
        redirect(page_link_to("news"));
    } else {
        $html = '<div class="col-md-12"><h1>' . _("Edit news entry") . '</h1>' . msg();
        // Shape-check the id before it reaches the query.
        if (isset($_REQUEST['id']) && preg_match("/^[0-9]{1,11}\$/", $_REQUEST['id'])) {
            $id = $_REQUEST['id'];
        } else {
            return error("Incomplete call, missing News ID.", true);
        }
        $news = sql_select("SELECT * FROM `News` WHERE `ID`='" . sql_escape($id) . "' LIMIT 1");
        if (count($news) > 0) {
            // NOTE(review): the isset() above looks at $_GET while the switch
            // reads $_REQUEST, so a POSTed `action` can differ from the one
            // that passed the check.
            switch ($_REQUEST["action"]) {
                default:
                    // NOTE(review): no break here — unless redirect() exits,
                    // control falls through into the 'edit' case.
                    redirect(page_link_to('news'));
                case 'edit':
                    list($news) = $news;
                    $user_source = User($news['UID']);
                    if ($user_source === false) {
                        engelsystem_error("Unable to load user.");
                    }
                    $html .= form(array(form_info(_("Date"), date("Y-m-d H:i", $news['Datum'])), form_info(_("Author"), User_Nick_render($user_source)), form_text('eBetreff', _("Subject"), $news['Betreff']), form_textarea('eText', _("Message"), $news['Text']), form_checkbox('eTreffen', _("Meeting"), $news['Treffen'] == 1, 1), form_submit('submit', _("Save"))), page_link_to('admin_news&action=save&id=' . $id));
                    // NOTE(review): delete is a plain GET link — a state change
                    // without a request token; confirm protection upstream.
                    $html .= '<a class="btn btn-danger" href="' . page_link_to('admin_news&action=delete&id=' . $id) . '"><span class="glyphicon glyphicon-trash"></span> ' . _("Delete") . '</a>';
                    break;
                case 'save':
                    list($news) = $news;
                    // NOTE(review): `eTreffen` is only posted when the checkbox
                    // is ticked; an unticked box leaves the index undefined here.
                    // The author is overwritten with the saving admin's UID.
                    sql_query("UPDATE `News` SET \n              `Datum`='" . sql_escape(time()) . "', \n              `Betreff`='" . sql_escape($_POST["eBetreff"]) . "', \n              `Text`='" . sql_escape($_POST["eText"]) . "', \n              `UID`='" . sql_escape($user['UID']) . "', \n              `Treffen`='" . sql_escape($_POST["eTreffen"]) . "' \n              WHERE `ID`='" . sql_escape($id) . "'");
                    engelsystem_log("News updated: " . $_POST["eBetreff"]);
                    success(_("News entry updated."));
                    redirect(page_link_to("news"));
                    break;
                case 'delete':
                    list($news) = $news;
                    sql_query("DELETE FROM `News` WHERE `ID`='" . sql_escape($id) . "' LIMIT 1");
                    engelsystem_log("News deleted: " . $news['Betreff']);
                    success(_("News entry deleted."));
                    redirect(page_link_to("news"));
                    break;
            }
        } else {
            return error("No News found.", true);
        }
    }
    return $html . '</div>';
}
/**
 * Admin page listing users who are present (`Gekommen` = 1) and not on a
 * running shift, optionally narrowed to one angel type (confirmed members
 * only when `confirmed_only` is set) and filtered by free-text `search`.
 *
 * Reads $_REQUEST['search'], ['angeltype'] and ['confirmed_only'];
 * $_REQUEST['angeltype'] is normalised to '' when empty. Global $privileges
 * decides whether the per-user edit button is rendered.
 *
 * @return string rendered page
 */
function admin_free()
{
    global $privileges;
    $search = "";
    if (isset($_REQUEST['search'])) {
        $search = strip_request_item('search');
    }
    $angeltypesearch = "";
    // empty() also treats the string '0' as "no angel type selected".
    if (empty($_REQUEST['angeltype'])) {
        $_REQUEST['angeltype'] = '';
    } else {
        $angeltypesearch = " INNER JOIN `UserAngelTypes` ON (`UserAngelTypes`.`angeltype_id` = '" . sql_escape($_REQUEST['angeltype']) . "' AND `UserAngelTypes`.`user_id` = `User`.`UID`";
        // "confirmed only" relies on SQL truthiness of confirm_user_id
        // (non-NULL and non-zero).
        if (isset($_REQUEST['confirmed_only'])) {
            $angeltypesearch .= " AND `UserAngelTypes`.`confirm_user_id`";
        }
        $angeltypesearch .= ") ";
    }
    $angel_types_source = sql_select("SELECT `id`, `name` FROM `AngelTypes` ORDER BY `name`");
    $angel_types = array('' => 'alle Typen');
    foreach ($angel_types_source as $angel_type) {
        $angel_types[$angel_type['id']] = $angel_type['name'];
    }
    // "Free" = no shift whose [start, end) contains the current time.
    $users = sql_select("\n      SELECT `User`.* \n      FROM `User` \n      {$angeltypesearch} \n      LEFT JOIN `ShiftEntry` ON `User`.`UID` = `ShiftEntry`.`UID` \n      LEFT JOIN `Shifts` ON (`ShiftEntry`.`SID` = `Shifts`.`SID` AND `Shifts`.`start` < '" . sql_escape(time()) . "' AND `Shifts`.`end` > '" . sql_escape(time()) . "') \n      WHERE `User`.`Gekommen` = 1 AND `Shifts`.`SID` IS NULL \n      GROUP BY `User`.`UID` \n      ORDER BY `Nick`");
    $free_users_table = array();
    if ($search == "") {
        $tokens = array();
    } else {
        $tokens = explode(" ", $search);
    }
    foreach ($users as $usr) {
        if (count($tokens) > 0) {
            $match = false;
            // NOTE(review): the search index is every column of the `User` row
            // joined together (the query selects `User`.*), so tokens are also
            // matched against fields that are never displayed. Restricting the
            // index to the displayed columns would avoid probing those.
            $index = join("", $usr);
            // Any single token matching (case-insensitive) is enough.
            foreach ($tokens as $t) {
                if (stristr($index, trim($t))) {
                    $match = true;
                    break;
                }
            }
            if (!$match) {
                continue;
            }
        }
        $free_users_table[] = array('name' => User_Nick_render($usr), 'shift_state' => User_shift_state_render($usr), 'handy' => $usr['Handy'], 'telefon' => $usr['Telefon'], 'email' => $usr['email'], 'kommentar' => $usr['kommentar'], 'actions' => in_array('admin_user', $privileges) ? button(page_link_to('admin_user') . '&amp;id=' . $usr['UID'], _("edit"), 'btn-xs') : '');
    }
    return page_with_title(admin_free_title(), array(form(array(div('row', array(div('col-md-4', array(form_text('search', _("Search"), $search))), div('col-md-4', array(form_select('angeltype', _("Angeltype"), $angel_types, $_REQUEST['angeltype']))), div('col-md-2', array(form_checkbox('confirmed_only', _("Only confirmed"), isset($_REQUEST['confirmed_only'])))), div('col-md-2', array(form_submit('submit', _("Search")))))))), table(array('name' => _("Nick"), 'shift_state' => '', 'handy' => _("Mobile"), 'telefon' => _("Phone"), 'email' => _("E-Mail"), 'kommentar' => _("add. Info"), 'actions' => ''), $free_users_table)));
}
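/**
 * Question page of the logged-in user (global $user).
 *
 * Without an `action` parameter, renders the user's open and answered
 * questions (the answering user's nick is attached as 'answer_user').
 * action=ask stores a new question from the `question` field; action=delete
 * removes the question with the given numeric `id`, but only when it belongs
 * to the current user.
 *
 * @return string|null rendered page; null after a redirect or an unknown action
 */
function user_questions()
{
    global $user;
    $uid = sql_escape($user['UID']);
    if (!isset($_REQUEST['action'])) {
        $open_questions = sql_select("SELECT * FROM `Questions` WHERE `AID` IS NULL AND `UID`='" . $uid . "'");
        $answered_questions = sql_select("SELECT * FROM `Questions` WHERE NOT `AID` IS NULL AND `UID`='" . $uid . "'");
        foreach ($answered_questions as &$question) {
            $answer_user_source = User($question['AID']);
            if ($answer_user_source === false) {
                engelsystem_error(_("Unable to load user."));
            }
            $question['answer_user'] = User_Nick_render($answer_user_source);
        }
        // Drop the by-reference binding so a later write to $question cannot
        // silently overwrite the last array element.
        unset($question);
        return Questions_view($open_questions, $answered_questions, page_link_to("user_questions") . '&action=ask');
    }
    switch ($_REQUEST['action']) {
        case 'ask':
            $question = strip_request_item_nl('question');
            if ($question == "") {
                return page_with_title(questions_title(), array(error(_("Please enter a question!"), true)));
            }
            $result = sql_query("INSERT INTO `Questions` SET `UID`='" . $uid . "', `Question`='" . sql_escape($question) . "'");
            if ($result === false) {
                engelsystem_error(_("Unable to save question."));
            }
            success(_("You question was saved."));
            redirect(page_link_to("user_questions"));
            break;
        case 'delete':
            // Shape-check the id before it reaches the query.
            if (!isset($_REQUEST['id']) || !preg_match("/^[0-9]{1,11}\$/", $_REQUEST['id'])) {
                return error(_("Incomplete call, missing Question ID."), true);
            }
            $id = $_REQUEST['id'];
            $question = sql_select("SELECT * FROM `Questions` WHERE `QID`='" . sql_escape($id) . "' LIMIT 1");
            // Ownership check: only the asking user may delete the question.
            // NOTE(review): the delete is reachable by GET without a request
            // token — confirm CSRF protection happens upstream.
            if (count($question) > 0 && $question[0]['UID'] == $user['UID']) {
                sql_query("DELETE FROM `Questions` WHERE `QID`='" . sql_escape($id) . "' LIMIT 1");
                redirect(page_link_to("user_questions"));
            } else {
                return page_with_title(questions_title(), array(error(_("No question found."), true)));
            }
            break;
    }
    return null;
}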
/**
 * Resolves a slash-separated directory path to its id by walking the
 * `directories` table from the root (id 1), one name per path segment.
 *
 * @param string $address path such as "a/b/c"; a trailing slash is ignored
 * @return int|string the directory id, or 0 when any segment is missing
 */
function kfm_api_getDirectoryId($address)
{
    global $kfmdb;
    $segments = explode('/', $address);
    // "a/b/" and "a/b" name the same directory: drop the empty tail.
    if (count($segments) > 1 && $segments[count($segments) - 1] == '') {
        array_pop($segments);
    }
    $parentId = 1;
    foreach ($segments as $segment) {
        $row = db_fetch_row("select id from " . KFM_DB_PREFIX . "directories where parent=" . $parentId . " and name='" . sql_escape($segment) . "'");
        if ($row === false || !count($row)) {
            return 0;
        }
        $parentId = $row['id'];
    }
    return $parentId;
}
 /**
  * Returns the session variable $name: from the in-memory cache when
  * present, otherwise from `session_vars` (the row's value is then cached).
  *
  * The stored value is decoded as JSON wrapped in "[...]"; a value that
  * does not decode yields ''. Returns null when no row exists.
  *
  * @param string $name variable name; escaped before being interpolated
  * @return mixed
  */
 function get($name)
 {
     if (isset($this->vars[$name])) {
         return $this->vars[$name];
     }
     $row = db_fetch_row("SELECT varvalue FROM " . KFM_DB_PREFIX . "session_vars WHERE session_id=" . $this->id . " and varname='" . sql_escape($name) . "'");
     if (!count($row)) {
         return null;
     }
     $decoded = json_decode('[' . stripslashes($row['varvalue']) . ']', true);
     $value = count($decoded) ? $decoded[0] : '';
     $this->vars[$name] = $value;
     return $value;
 }
/**
 * Serves the iCalendar export for the user identified by the `key` request
 * parameter (32 lowercase hex characters — the user's API key).
 *
 * Terminates the request (die) on a missing/malformed key, an unknown user
 * or a missing 'ical' privilege. With export=user_shifts the shift list is
 * produced by view_user_shifts() (which is expected to fill global
 * $ical_shifts); otherwise the user's own shift entries are selected.
 * Writes the calendar and exits; never returns.
 */
function user_ical()
{
    global $ical_shifts, $user;
    $hasKey = isset($_REQUEST['key']) && preg_match("/^[0-9a-f]{32}\$/", $_REQUEST['key']);
    if (!$hasKey) {
        die("Missing key.");
    }
    $user = User_by_api_key($_REQUEST['key']);
    if ($user === false) {
        die("Unable to find user.");
    }
    if ($user == null) {
        die("Key invalid.");
    }
    if (!in_array('ical', privileges_for_user($user['UID']))) {
        die("No privilege for ical.");
    }
    $exportUserShifts = isset($_REQUEST['export']) && $_REQUEST['export'] == 'user_shifts';
    if ($exportUserShifts) {
        require_once realpath(__DIR__ . '/user_shifts.php');
        view_user_shifts();
    } else {
        $ical_shifts = sql_select("\n        SELECT `ShiftTypes`.`name`, `Shifts`.*, `Room`.`Name` as `room_name`\n        FROM `ShiftEntry`\n        INNER JOIN `Shifts` ON (`ShiftEntry`.`SID` = `Shifts`.`SID`)\n        JOIN `ShiftTypes` ON (`ShiftTypes`.`id` = `Shifts`.`shifttype_id`)\n        INNER JOIN `Room` ON (`Shifts`.`RID` = `Room`.`RID`)\n        WHERE `UID`='" . sql_escape($user['UID']) . "'\n        ORDER BY `start`");
    }
    header("Content-Type: text/calendar; charset=utf-8");
    // Newlines inside text properties are folded to a literal "\n".
    $fold = function ($text) {
        return str_replace("\n", "\\n", $text);
    };
    $lines = array("BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//-//Engelsystem//DE", "CALSCALE:GREGORIAN");
    foreach ($ical_shifts as $shift) {
        $lines[] = "BEGIN:VEVENT";
        $lines[] = "UID:" . md5($shift['start'] . $shift['end'] . $shift['name']);
        // NOTE(review): `title` is not named in the SELECT list above; it is
        // presumably one of the `Shifts`.* columns — confirm.
        $lines[] = "SUMMARY:" . $fold($shift['name']) . " (" . $fold($shift['title']) . ")";
        if (isset($shift['Comment'])) {
            $lines[] = "DESCRIPTION:" . $fold($shift['Comment']);
        }
        $lines[] = "DTSTART;TZID=Europe/Berlin:" . date("Ymd\\THis", $shift['start']);
        $lines[] = "DTEND;TZID=Europe/Berlin:" . date("Ymd\\THis", $shift['end']);
        $lines[] = "LOCATION:" . $shift['room_name'];
        $lines[] = "END:VEVENT";
    }
    $lines[] = "END:VCALENDAR";
    // Every line ends in CRLF; the trailing trim("\n") leaves a final "\r",
    // exactly as the original did.
    $html = trim(implode("\r\n", $lines) . "\r\n", "\n");
    header("Content-Length: " . strlen($html));
    echo $html;
    die;
}
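/**
 * Imports a tab-separated GNS export into `gns_locations` (INSERT IGNORE,
 * one row per line; the header line is skipped) and then applies a few
 * known name corrections.
 *
 * @param string $filename path of the GNS file
 * @param mixed $dblink accepted for call compatibility; not used here
 */
function importGns($filename, $dblink)
{
    // Column order of the GNS export; true marks the columns written with
    // the _utf8 introducer, as in the original statement.
    $columns = [
        'rc' => false, 'ufi' => false, 'uni' => false, 'lat' => false, 'lon' => false,
        'dms_lat' => false, 'dms_lon' => false, 'utm' => false, 'jog' => false,
        'fc' => false, 'dsg' => false, 'pc' => false, 'cc1' => false, 'adm1' => false,
        'adm2' => true, 'dim' => false, 'cc2' => false, 'nt' => false, 'lc' => false,
        'SHORT_FORM' => true, 'GENERIC' => true, 'SORT_NAME' => true,
        'FULL_NAME' => true, 'FULL_NAME_ND' => true, 'MOD_DATE' => false,
    ];
    echo "Importing '{$filename}'...\n";
    $file = fopen($filename, "r");
    if ($file === false) {
        // fopen() warns and returns false; fgets(false) would only warn again.
        echo "Cannot open '{$filename}'\n";
        return;
    }
    $cnt = 0;
    $skipped = 0;
    // Compare with false explicitly: a line consisting of just "0" is falsy
    // and would otherwise end the import early.
    while (($line = fgets($file, 4096)) !== false) {
        if ($cnt++ == 0) {
            // skip first line
            continue;
        }
        $gns = mb_split("\t", $line);
        if (count($gns) < count($columns)) {
            // Short or malformed line: the original read undefined offsets here.
            $skipped++;
            continue;
        }
        $assignments = [];
        $i = 0;
        foreach ($columns as $column => $utf8) {
            $assignments[] = "\n\t\t\t\t\t" . $column . " = " . ($utf8 ? "_utf8'" : "'") . sql_escape($gns[$i++]) . "'";
        }
        sql("INSERT IGNORE INTO gns_locations SET" . implode(',', $assignments));
    }
    fclose($file);
    echo "{$cnt} Records imported\n";
    if ($skipped > 0) {
        echo "{$skipped} malformed lines skipped\n";
    }
    // fix a few known stray entries right away ...
    sql("UPDATE gns_locations SET full_name='Zeluce' WHERE uni=100528 LIMIT 1");
    sql("UPDATE gns_locations SET full_name='Zitaraves' WHERE uni=-2780984 LIMIT 1");
    sql("UPDATE gns_locations SET full_name='Zvabek' WHERE uni=105075 LIMIT 1");
}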