summaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
Diffstat (limited to 'include')
-rw-r--r--include/cancelgame.php2
-rw-r--r--include/db.php41
-rw-r--r--include/functions.php32
-rw-r--r--include/game.php64
-rw-r--r--include/openid.php9
-rw-r--r--include/preferences.php66
-rw-r--r--include/user.php2
7 files changed, 109 insertions, 107 deletions
diff --git a/include/cancelgame.php b/include/cancelgame.php
index d9b69b3..02b5a06 100644
--- a/include/cancelgame.php
+++ b/include/cancelgame.php
@@ -49,7 +49,7 @@ $gameid = DB_get_gameid_by_hash($me);
$myname = DB_get_name('hash',$me);
/* check if game really is old enough to be canceled */
-$r = DB_query_array("SELECT mod_date from Game WHERE id='$gameid' " );
+$r = DB_query_array("SELECT mod_date from Game WHERE id=".DB_quote_smart($gameid) );
if(time()-strtotime($r[0]) > 60*60*24*30) /* = 1 month */
{
/* email to all players */
diff --git a/include/db.php b/include/db.php
index 493b93d..f9eb07a 100644
--- a/include/db.php
+++ b/include/db.php
@@ -802,7 +802,7 @@ function DB_get_PREF($myid)
/* get all preferences */
$r = DB_query('SELECT pref_key, value FROM User_Prefs'.
- " WHERE user_id='$myid' " );
+ " WHERE user_id=".DB_quote_smart($myid) );
while($pref = DB_fetch_array($r) )
{
switch($pref[0])
@@ -864,7 +864,7 @@ function DB_get_RULES($gameid)
{
$r = DB_query_array("SELECT * FROM Rulesets".
" LEFT JOIN Game ON Game.ruleset=Rulesets.id ".
- " WHERE Game.id='$gameid'" );
+ " WHERE Game.id=".DB_quote_smart($gameid) );
$RULES['dullen'] = $r[2];
$RULES['schweinchen'] = $r[3];
@@ -878,7 +878,7 @@ function DB_get_email_pref_by_hash($hash)
{
$r = DB_query_array("SELECT value FROM Hand".
" LEFT JOIN User_Prefs ON Hand.user_id=User_Prefs.user_id".
- " WHERE hash='$hash' AND pref_key='email'" );
+ " WHERE hash=".DB_quote_smart($hash)." AND pref_key='email'" );
if($r)
{
if($r[0]=="emailaddict")
@@ -893,7 +893,7 @@ function DB_get_email_pref_by_hash($hash)
function DB_get_email_pref_by_uid($uid)
{
$r = DB_query_array("SELECT value FROM User_Prefs ".
- " WHERE user_id='$uid' AND pref_key='email'" );
+ " WHERE user_id=".DB_quote_smart($uid)." AND pref_key='email'" );
if($r)
{
if($r[0]=="emailaddict")
@@ -928,7 +928,7 @@ function DB_get_unused_randomnumbers($userstr)
function DB_get_number_of_passwords_recovery($user)
{
$r = DB_query_array("SELECT COUNT(*) FROM Recovery ".
- " WHERE user_id=$user ".
+ " WHERE user_id=".DB_quote_smart($user).
" AND DATE_SUB(CURDATE(),INTERVAL 1 DAY) <= create_date".
" GROUP BY user_id " );
if($r)
@@ -955,7 +955,7 @@ function DB_get_card_name($card)
if($card==0)
return 'backside';
- $r = DB_query_array("SELECT strength,suite FROM Card WHERE id='$card'");
+ $r = DB_query_array("SELECT strength,suite FROM Card WHERE id=".DB_quote_smart($card));
if($r)
return $r[0]." of ".$r[1];
@@ -970,7 +970,7 @@ function DB_get_current_playid($gameid)
if(!$trick) return -1;
- $r = DB_query_array("SELECT id FROM Play WHERE trick_id='$trick' ORDER BY create_date DESC LIMIT 1");
+ $r = DB_query_array("SELECT id FROM Play WHERE trick_id=".DB_quote_smart($trick)." ORDER BY create_date DESC LIMIT 1");
if($r)
return $r[0];
@@ -980,7 +980,7 @@ function DB_get_current_playid($gameid)
function DB_get_call_by_hash($hash)
{
- $r = DB_query_array("SELECT point_call FROM Hand WHERE hash='$hash'");
+ $r = DB_query_array("SELECT point_call FROM Hand WHERE hash=".DB_quote_smart($hash));
if($r)
return $r[0];
@@ -994,7 +994,7 @@ function DB_get_partner_call_by_hash($hash)
if($partner)
{
- $r = DB_query_array("SELECT point_call FROM Hand WHERE hash='$partner'");
+ $r = DB_query_array("SELECT point_call FROM Hand WHERE hash=".DB_quote_smart($partner));
if($r)
return $r[0];
@@ -1008,7 +1008,8 @@ function DB_get_partner_hash_by_hash($hash)
$gameid = DB_get_gameid_by_hash($hash);
$party = DB_get_party_by_hash($hash);
- $r = DB_query_array("SELECT hash FROM Hand WHERE game_id='$gameid' AND party='$party' AND hash<>'$hash'");
+ $r = DB_query_array("SELECT hash FROM Hand WHERE game_id=".DB_quote_smart($gameid).
+ " AND party=".DB_quote_smart($party)." AND hash<>".DB_quote_smart($hash));
if($r)
return $r[0];
@@ -1019,22 +1020,22 @@ function DB_get_partner_hash_by_hash($hash)
function DB_format_gameid($gameid)
{
/* get session and create date */
- $r = DB_query_array("SELECT session, create_date FROM Game WHERE id='$gameid' ");
+ $r = DB_query_array("SELECT session, create_date FROM Game WHERE id=".DB_quote_smart($gameid));
$session = $r[0];
$date = $r[1];
/* get number of game */
$r = DB_query_array("SELECT SUM(TIME_TO_SEC(TIMEDIFF(create_date, '$date'))<=0) ".
" FROM Game".
- " WHERE session='$session' ");
+ " WHERE session=".DB_quote_smart($session));
return $session.'.'.$r[0];
}
function DB_get_reminder($user,$gameid)
{
$r = DB_query_array("SELECT COUNT(*) FROM Reminder ".
- " WHERE user_id=$user ".
- " AND game_id=$gameid ".
+ " WHERE user_id=".DB_quote_smart($user).
+ " AND game_id=".DB_quote_smart($gameid).
" AND DATE_SUB(CURDATE(),INTERVAL 1 DAY) <= create_date".
" GROUP BY user_id " );
if($r)
@@ -1073,11 +1074,11 @@ function DB_get_gameids_of_finished_games_by_session($session)
" GROUP BY Game.id");
else /* return games in a session */
$queryresult = DB_query_array_all("SELECT Game.id,SUM(IF(STRCMP(Score.party,'re'),-1,1)),Game.type FROM Game ".
- " LEFT JOIN Score on game_id=Game.id".
- " WHERE session=$session ".
- " AND status='gameover' ".
- " GROUP BY Game.id".
- " ORDER BY Game.create_date ASC");
+ " LEFT JOIN Score on game_id=Game.id".
+ " WHERE session=".DB_quote_smart($session).
+ " AND status='gameover' ".
+ " GROUP BY Game.id".
+ " ORDER BY Game.create_date ASC");
return $queryresult;
}
@@ -1085,7 +1086,7 @@ function DB_get_gameids_of_finished_games_by_session($session)
function DB_get_card_value_by_cardid($id)
{
$r = DB_query_array("SELECT points FROM Card ".
- " WHERE id=$id ");
+ " WHERE id=".DB_quote_smart($id));
if($r)
return $r[0];
diff --git a/include/functions.php b/include/functions.php
index 191823d..3142b02 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -998,10 +998,10 @@ function display_table_begin ()
" Hand.hash, ".
" User.timezone, ".
" User.email ".
- "FROM Hand ".
- "LEFT JOIN User ON User.id=Hand.user_id ".
- "WHERE Hand.game_id='".$gameid."' ".
- "ORDER BY position ASC");
+ " FROM Hand".
+ " LEFT JOIN User ON User.id=Hand.user_id".
+ " WHERE Hand.game_id=".DB_quote_smart($gameid).
+ " ORDER BY position ASC");
$row0 = DB_fetch_array($result);
$row1 = DB_fetch_array($result);
@@ -1032,10 +1032,10 @@ function display_table_end ()
" Hand.hash, ".
" User.timezone, ".
" User.email ".
- "FROM Hand ".
- "LEFT JOIN User ON User.id=Hand.user_id ".
- "WHERE Hand.game_id='".$gameid."' ".
- "ORDER BY position ASC");
+ " FROM Hand".
+ " LEFT JOIN User ON User.id=Hand.user_id".
+ " WHERE Hand.game_id=".DB_quote_smart($gameid).
+ " ORDER BY position ASC");
$row0 = DB_fetch_array($result);
$row1 = DB_fetch_array($result);
@@ -1231,16 +1231,16 @@ function display_user_menu($id, $skiphash=NULL)
if($skiphash)
$result = DB_query("SELECT Hand.hash,Hand.game_id,Game.player from Hand".
" LEFT JOIN Game On Hand.game_id=Game.id".
- " WHERE Hand.user_id='$id'".
- " AND Hand.hash!='$skiphash'".
+ " WHERE Hand.user_id=".DB_quote_smart($id).
+ " AND Hand.hash!=".DB_quote_smart($skiphash).
" AND ( Game.player='$id' OR ISNULL(Game.player) )".
" AND ( Game.status='pre' OR Game.status='play' )".
" ORDER BY Game.session" );
else
$result = DB_query("SELECT Hand.hash,Hand.game_id,Game.player from Hand".
" LEFT JOIN Game On Hand.game_id=Game.id".
- " WHERE Hand.user_id='$id'".
- " AND ( Game.player='$id' OR ISNULL(Game.player) )".
+ " WHERE Hand.user_id=".DB_quote_smart($id).
+ " AND ( Game.player=".DB_quote_smart($id)." OR ISNULL(Game.player) )".
" AND ( Game.status='pre' OR Game.status='play' )".
" ORDER BY Game.session" );
@@ -1294,7 +1294,7 @@ function generate_score_table($session)
/* get player id from the first game */
$result = DB_query("SELECT user_id from Hand".
- " WHERE Hand.game_id=".$gameids[0][0]);
+ " WHERE Hand.game_id=".DB_quote_smart($gameids[0][0]));
while( $r = DB_fetch_array($result))
$player[$r[0]] = 0;
@@ -1578,7 +1578,7 @@ function check_vacation($userid)
{
/* get start date */
$result = DB_query_array("SELECT value FROM User_Prefs".
- " WHERE user_id='$userid' AND pref_key='vacation start'" );
+ " WHERE user_id=".DB_quote_smart($userid)." AND pref_key='vacation start'" );
if($result)
$start = $result[0];
else
@@ -1586,7 +1586,7 @@ function check_vacation($userid)
/* get end date */
$result = DB_query_array("SELECT value FROM User_Prefs".
- " WHERE user_id='$userid' AND pref_key='vacation stop'" );
+ " WHERE user_id=".DB_quote_smart($userid)." AND pref_key='vacation stop'" );
if($result)
$stop = $result[0];
else
@@ -1594,7 +1594,7 @@ function check_vacation($userid)
/* get comment */
$result = DB_query_array("SELECT value FROM User_Prefs".
- " WHERE user_id='$userid' AND pref_key='vacation comment'" );
+ " WHERE user_id=".DB_quote_smart($userid)." AND pref_key='vacation comment'" );
if($result)
$comment = $result[0];
else
diff --git a/include/game.php b/include/game.php
index b339c03..0ca2454 100644
--- a/include/game.php
+++ b/include/game.php
@@ -184,7 +184,7 @@ if( myisset('call') )
/* get time from the last action of the game */
-$r = DB_query_array("SELECT mod_date from Game WHERE id='$gameid' " );
+$r = DB_query_array("SELECT mod_date from Game WHERE id=".DB_quote_smart($gameid));
$gameend = time() - strtotime($r[0]);
/* handle comments in case player didn't play a card, allow comments a week after the end of the game */
@@ -398,11 +398,11 @@ switch($mystatus)
if(!( $mygametype == 'solo' && $mygamesolo == 'silent') )
echo " <li onclick=\"hl(0);\" class=\"old\"><a href=\"#\">Pre</a></li>\n";
- $result = DB_query('SELECT Trick.id '.
- 'FROM Trick '.
- "WHERE Trick.game_id='".$gameid."' ".
- 'GROUP BY Trick.id '.
- 'ORDER BY Trick.id ASC');
+ $result = DB_query('SELECT Trick.id'.
+ ' FROM Trick'.
+ " WHERE Trick.game_id=".DB_quote_smart($gameid).
+ ' GROUP BY Trick.id'.
+ ' ORDER BY Trick.id ASC');
$trickNR = 1;
$lasttrick = DB_get_max_trickid($gameid);
@@ -945,7 +945,7 @@ switch($mystatus)
if($exchange >0)
{
$result = DB_query("UPDATE Hand_Card SET hand_id='$partnerhand'".
- " WHERE hand_id='$myhand' AND card_id=".DB_quote_smart($exchange));
+ " WHERE hand_id=".DB_quote_smart($myhand)." AND card_id=".DB_quote_smart($exchange));
DB_add_exchanged_card(DB_quote_smart($exchange),$myhand,$partnerhand);
};
}
@@ -1100,7 +1100,7 @@ switch($mystatus)
DB_add_exchanged_card($card,$userhand,$myhand);
/* copy trump from player A to B */
- $result = DB_query("UPDATE Hand_Card SET hand_id='$myhand' WHERE hand_id='$userhand' AND card_id<'27'" );
+ $result = DB_query("UPDATE Hand_Card SET hand_id='$myhand' WHERE hand_id=".DB_quote_smart($userhand)." AND card_id<'27'" );
/* reload cards */
$mycards = DB_get_hand($me);
@@ -1290,20 +1290,20 @@ switch($mystatus)
$result = DB_query('SELECT Hand_Card.card_id as card,'.
' Hand.position as position,'.
' Play.sequence as sequence, '.
- ' Trick.id, '.
+ ' Trick.id,'.
" GROUP_CONCAT(CONCAT('<span>',User.fullname,': ',Comment.comment,'</span>')".
" SEPARATOR '\n' ), ".
- ' Play.create_date, '.
- ' Hand.user_id '.
- 'FROM Trick '.
- 'LEFT JOIN Play ON Trick.id=Play.trick_id '.
- 'LEFT JOIN Hand_Card ON Play.hand_card_id=Hand_Card.id '.
- 'LEFT JOIN Hand ON Hand_Card.hand_id=Hand.id '.
- 'LEFT JOIN Comment ON Play.id=Comment.play_id '.
- 'LEFT JOIN User On User.id=Comment.user_id '.
- "WHERE Trick.game_id='".$gameid."' ".
- 'GROUP BY Trick.id, sequence '.
- 'ORDER BY Trick.id, sequence ASC');
+ ' Play.create_date,'.
+ ' Hand.user_id'.
+ ' FROM Trick'.
+ ' LEFT JOIN Play ON Trick.id=Play.trick_id'.
+ ' LEFT JOIN Hand_Card ON Play.hand_card_id=Hand_Card.id'.
+ ' LEFT JOIN Hand ON Hand_Card.hand_id=Hand.id'.
+ ' LEFT JOIN Comment ON Play.id=Comment.play_id'.
+ ' LEFT JOIN User On User.id=Comment.user_id'.
+ " WHERE Trick.game_id=".DB_quote_smart($gameid).
+ ' GROUP BY Trick.id, sequence'.
+ ' ORDER BY Trick.id, sequence ASC');
$trickNR = 0;
$lasttrick = DB_get_max_trickid($gameid);
@@ -1457,7 +1457,7 @@ switch($mystatus)
DB_update_game_timestamp($gameid);
/* mark card as played */
- DB_query("UPDATE Hand_Card SET played='true' WHERE hand_id='$handid' AND card_id=".
+ DB_query("UPDATE Hand_Card SET played='true' WHERE hand_id=".DB_quote_smart($handid)." AND card_id=".
DB_quote_smart($card));
/* get trick id or start new trick */
@@ -1623,7 +1623,7 @@ switch($mystatus)
*/
if($winner>0)
- DB_query("UPDATE Trick SET winner='$winner' WHERE id='$trickid'");
+ DB_query("UPDATE Trick SET winner='$winner' WHERE id=".DB_quote_smart($trickid));
else
$messages[] = "ERROR during scoring";
@@ -1717,7 +1717,7 @@ switch($mystatus)
' LEFT JOIN Play ON Trick.id=Play.trick_id'.
' LEFT JOIN Hand_Card ON Hand_Card.id=Play.hand_card_id'.
' LEFT JOIN Card ON Card.id=Hand_Card.card_id'.
- " WHERE Hand.game_id='$gameid'".
+ " WHERE Hand.game_id=".DB_quote_smart($gameid).
' GROUP BY User.fullname' );
$email_message = _("The game is over. Thanks for playing :)")."\n";
$email_message .= _("Final score:")."\n";
@@ -1730,7 +1730,7 @@ switch($mystatus)
' LEFT JOIN Play ON Trick.id=Play.trick_id'.
' LEFT JOIN Hand_Card ON Hand_Card.id=Play.hand_card_id'.
' LEFT JOIN Card ON Card.id=Hand_Card.card_id'.
- " WHERE Hand.game_id='$gameid'".
+ " WHERE Hand.game_id=".DB_quote_smart($gameid).
' GROUP BY Hand.party' );
$email_message .= "\n"._("Totals:")."\n";
$re = 0;
@@ -1910,7 +1910,7 @@ switch($mystatus)
$Tpoint = 0;
$email_message .= " "._("Points Re:")." \n";
$queryresult = DB_query('SELECT score FROM Score '.
- " WHERE game_id=$gameid AND party='re'");
+ " WHERE game_id=".DB_quote_smart($gameid)." AND party='re'");
while($r = DB_fetch_array($queryresult) )
{
$email_message .= ' '.$r[0]."\n";
@@ -1918,7 +1918,7 @@ switch($mystatus)
}
$email_message .= " "._("Points Contra:")." \n";
$queryresult = DB_query('SELECT score FROM Score '.
- " WHERE game_id=$gameid AND party='contra'");
+ " WHERE game_id=".DB_quote_smart($gameid)." AND party='contra'");
while($r = DB_fetch_array($queryresult) )
{
$email_message .= ' '.$r[0]."\n";
@@ -1975,7 +1975,7 @@ switch($mystatus)
' LEFT JOIN Play ON Trick.id=Play.trick_id'.
' LEFT JOIN Hand_Card ON Hand_Card.id=Play.hand_card_id'.
' LEFT JOIN Card ON Card.id=Hand_Card.card_id'.
- " WHERE Hand.game_id='$gameid'".
+ " WHERE Hand.game_id=".DB_quote_smart($gameid).
' GROUP BY User.fullname' );
while( $r = DB_fetch_array($result))
echo ' <div class="card'.($r[3]-1)."\">\n".
@@ -1989,27 +1989,27 @@ switch($mystatus)
' LEFT JOIN Play ON Trick.id=Play.trick_id'.
' LEFT JOIN Hand_Card ON Hand_Card.id=Play.hand_card_id'.
' LEFT JOIN Card ON Card.id=Hand_Card.card_id'.
- " WHERE Hand.game_id='$gameid'".
+ " WHERE Hand.game_id=".DB_quote_smart($gameid).
' GROUP BY Hand.party' );
echo " <div class=\"total\">\n Totals:<br />\n";
while( $r = DB_fetch_array($result))
echo ' '.$r[0].' '.$r[1]."<br />\n";
$queryresult = DB_query('SELECT timediff(mod_date,create_date) '.
- " FROM Game WHERE id='$gameid'");
+ " FROM Game WHERE id=".DB_quote_smart($gameid));
$r = DB_fetch_array($queryresult);
echo ' <p>This game took '.$r[0]." hours.</p>\n";
echo " <div class=\"re\">\n Points Re: <br />\n";
$queryresult = DB_query('SELECT score FROM Score '.
- " WHERE game_id=$gameid AND party='re'");
+ " WHERE game_id=".DB_quote_smart($gameid)." AND party='re'");
while($r = DB_fetch_array($queryresult) )
echo ' '.$r[0]."<br />\n";
echo " </div>\n";
echo " <div class=\"contra\">\n Points Contra: <br />\n";
$queryresult = DB_query('SELECT score FROM Score '.
- " WHERE game_id=$gameid AND party='contra'");
+ " WHERE game_id=".DB_quote_smart($gameid)." AND party='contra'");
while($r = DB_fetch_array($queryresult) )
echo ' '.$r[0]."<br />\n";
echo " </div>\n";
@@ -2293,7 +2293,7 @@ if($commentCall != '')
echo "<div class=\"gameinfo\">\n";
/* get time from the last action of the game */
-$r = DB_query_array("SELECT mod_date from Game WHERE id='$gameid' " );
+$r = DB_query_array("SELECT mod_date from Game WHERE id=".DB_quote_smart($gameid));
$gameend = time() - strtotime($r[0]);
/* comment box */
diff --git a/include/openid.php b/include/openid.php
index 16c59f4..14024b8 100644
--- a/include/openid.php
+++ b/include/openid.php
@@ -142,22 +142,23 @@ function DB_GetUserId($openid_url)
function DB_GetOpenIDsByUser($user_id)
{
- return DB_query_array_all("SELECT openid_url FROM user_openids WHERE user_id = '$user_id'");
+ return DB_query_array_all("SELECT openid_url FROM user_openids WHERE user_id =".DB_quote_smart($user_id));
}
function DB_AttachOpenID($openid_url, $user_id)
{
- DB_query("INSERT INTO user_openids VALUES (".DB_quote_smart(OpenIDUrlEncode($openid_url)).", '$user_id')");
+ DB_query("INSERT INTO user_openids VALUES (".DB_quote_smart(OpenIDUrlEncode($openid_url)).", ".DB_quote_smart($user_id).")");
}
function DB_DetachOpenID($openid_url, $user_id)
{
- DB_query("DELETE FROM user_openids WHERE openid_url = ".DB_quote_smart(OpenIDUrlEncode($openid_url))." AND user_id = '$user_id'");
+ DB_query("DELETE FROM user_openids WHERE openid_url = ".DB_quote_smart(OpenIDUrlEncode($openid_url)).
+ " AND user_id = ".DB_quote_smart($user_id));
}
function DB_DetachOpenIDsByUser($user_id)
{
- DB_query("DELETE FROM user_openids WHERE user_id = '$user_id'");
+ DB_query("DELETE FROM user_openids WHERE user_id = ".DB_quote_smart($user_id));
}
?> \ No newline at end of file
diff --git a/include/preferences.php b/include/preferences.php
index 5aafcd3..f0b33da 100644
--- a/include/preferences.php
+++ b/include/preferences.php
@@ -92,11 +92,11 @@ if(myisset('vacation_start','vacation_stop','vacation_comment') &&
if($_REQUEST['vacation_start'] == $_REQUEST['vacation_stop'])
{
$result = DB_query("DELETE FROM User_Prefs".
- " WHERE user_id='$myid' AND pref_key='vacation start'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation start'" );
$result = DB_query("DELETE FROM User_Prefs".
- " WHERE user_id='$myid' AND pref_key='vacation stop'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation stop'" );
$result = DB_query("DELETE FROM User_Prefs".
- " WHERE user_id='$myid' AND pref_key='vacation comment'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation comment'" );
$changed_vacation = 1;
}
/* change in database if format is ok */
@@ -106,12 +106,12 @@ if(myisset('vacation_start','vacation_stop','vacation_comment') &&
if($vacation_start!=$PREF['vacation_start'])
{
$result = DB_query("SELECT * from User_Prefs".
- " WHERE user_id='$myid' AND pref_key='vacation start'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation start'" );
if( DB_fetch_array($result))
$result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($vacation_start).
- " WHERE user_id='$myid' AND pref_key='vacation start'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation start'" );
else
- $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','vacation start',".
+ $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'vacation start',".
DB_quote_smart($vacation_start).")");
$changed_vacation = 1;
@@ -121,12 +121,12 @@ if(myisset('vacation_start','vacation_stop','vacation_comment') &&
if($vacation_stop!=$PREF['vacation_stop'])
{
$result = DB_query("SELECT * from User_Prefs".
- " WHERE user_id='$myid' AND pref_key='vacation stop'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation stop'" );
if( DB_fetch_array($result))
$result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($vacation_stop).
- " WHERE user_id='$myid' AND pref_key='vacation stop'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation stop'" );
else
- $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','vacation stop',".
+ $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'vacation stop',".
DB_quote_smart($vacation_stop).")");
$changed_vacation = 1;
@@ -136,12 +136,12 @@ if(myisset('vacation_start','vacation_stop','vacation_comment') &&
if($vacation_comment!=$PREF['vacation_comment'])
{
$result = DB_query("SELECT * from User_Prefs".
- " WHERE user_id='$myid' AND pref_key='vacation comment'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation comment'" );
if( DB_fetch_array($result))
$result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($vacation_comment).
- " WHERE user_id='$myid' AND pref_key='vacation comment'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='vacation comment'" );
else
- $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','vacation comment',".
+ $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'vacation comment',".
DB_quote_smart($vacation_comment).")");
$changed_vacation = 1;
@@ -167,12 +167,12 @@ if(myisset("cards"))
{
/* check if we already have an entry for the user, if so change it, if not create new one */
$result = DB_query("SELECT * from User_Prefs".
- " WHERE user_id='$myid' AND pref_key='cardset'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='cardset'" );
if( DB_fetch_array($result))
$result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($cards).
- " WHERE user_id='$myid' AND pref_key='cardset'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='cardset'" );
else
- $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','cardset',".
+ $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'cardset',".
DB_quote_smart($cards).")");
$changed_cards = 1;
}
@@ -185,12 +185,12 @@ if(myisset("notify"))
{
/* check if we already have an entry for the user, if so change it, if not create new one */
$result = DB_query("SELECT * from User_Prefs".
- " WHERE user_id='$myid' AND pref_key='email'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='email'" );
if( DB_fetch_array($result))
$result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($notify).
- " WHERE user_id='$myid' AND pref_key='email'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='email'" );
else
- $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','email',".
+ $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'email',".
DB_quote_smart($notify).")");
$changed_notify=1;
}
@@ -203,12 +203,12 @@ if(myisset("digest"))
{
/* check if we already have an entry for the user, if so change it, if not create new one */
$result = DB_query("SELECT * from User_Prefs".
- " WHERE user_id='$myid' AND pref_key='digest'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='digest'" );
if( DB_fetch_array($result))
$result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($digest).
- " WHERE user_id='$myid' AND pref_key='digest'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='digest'" );
else
- $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','digest',".
+ $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'digest',".
DB_quote_smart($digest).")");
$changed_digest=1;
}
@@ -221,12 +221,12 @@ if(myisset("autosetup"))
{
/* check if we already have an entry for the user, if so change it, if not create new one */
$result = DB_query("SELECT * from User_Prefs".
- " WHERE user_id='$myid' AND pref_key='autosetup'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='autosetup'" );
if( DB_fetch_array($result))
$result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($autosetup).
- " WHERE user_id='$myid' AND pref_key='autosetup'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='autosetup'" );
else
- $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','autosetup',".
+ $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'autosetup',".
DB_quote_smart($autosetup).")");
$changed_autosetup=1;
}
@@ -239,12 +239,12 @@ if(myisset("sorting"))
{
/* check if we already have an entry for the user, if so change it, if not create new one */
$result = DB_query("SELECT * from User_Prefs".
- " WHERE user_id='$myid' AND pref_key='sorting'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='sorting'" );
if( DB_fetch_array($result))
$result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($sorting).
- " WHERE user_id='$myid' AND pref_key='sorting'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='sorting'" );
else
- $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','sorting',".
+ $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'sorting',".
DB_quote_smart($sorting).")");
$changed_sorting=1;
}
@@ -257,12 +257,12 @@ if(myisset("open_for_games"))
{
/* check if we already have an entry for the user, if so change it, if not create new one */
$result = DB_query("SELECT * from User_Prefs".
- " WHERE user_id='$myid' AND pref_key='open for games'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='open for games'" );
if( DB_fetch_array($result))
$result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($openforgames).
- " WHERE user_id='$myid' AND pref_key='open for games'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='open for games'" );
else
- $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','open for games',".
+ $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'open for games',".
DB_quote_smart($openforgames).")");
$changed_openforgames=1;
}
@@ -319,12 +319,12 @@ if(myisset("language"))
{
/* check if we already have an entry for the user, if so change it, if not create new one */
$result = DB_query("SELECT * from User_Prefs".
- " WHERE user_id='$myid' AND pref_key='language'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='language'" );
if( DB_fetch_array($result))
$result = DB_query("UPDATE User_Prefs SET value=".DB_quote_smart($language).
- " WHERE user_id='$myid' AND pref_key='language'" );
+ " WHERE user_id=".DB_quote_smart($myid)." AND pref_key='language'" );
else
- $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,'$myid','language',".
+ $result = DB_query("INSERT INTO User_Prefs VALUES(NULL,".DB_quote_smart($myid).",'language',".
DB_quote_smart($language).")");
$changed_language = 1;
}
diff --git a/include/user.php b/include/user.php
index 546ea8d..65544f5 100644
--- a/include/user.php
+++ b/include/user.php
@@ -160,7 +160,7 @@ else
" G.session".
" FROM Hand".
" LEFT JOIN Game G ON G.id=Hand.game_id".
- " WHERE user_id='$myid'".
+ " WHERE user_id=".DB_quote_smart($myid).
" ORDER BY G.session,G.create_date" );
/* sort into active and passive sessions */