Commit eff26870 authored by Henoch Einbier's avatar Henoch Einbier Committed by Joel Kuder

Update rallysystem2.php

-secured PDO queries with bindParam
-$waehrung -> $system['waehrung']
-spelling corrections
parent 38b762ee
......@@ -6,7 +6,9 @@ if (!isset($_POST['reset'])) $_POST['reset'] = '';
if (!isset($_POST['auswerten'])) $_POST['auswerten'] = '';
$rp = 0;
$sql = sql::$db->query("SELECT * FROM " . _VMS_ . "_rallydaten WHERE id='" . $_GET['rally'] . "' LIMIT 1");
$sql = sql::$db->prepare("SELECT * FROM " . _VMS_ . "_rallydaten WHERE id = :rally LIMIT 1");
$sql -> bindParam(':rally', $_GET['rally'], PDO::PARAM_STR);
$sql -> execute();
$ralleydaten = $sql->fetch();
// Ralleystand reseten
if ($_POST['reset'] == 'Reseten') {
......@@ -19,9 +21,17 @@ if ($_POST['reset'] == 'Reseten') {
// Ralleystand manuell Auswerten
if (isset($_POST['auswert']) AND $_POST['auswert'] == 'Auswerten') {
$rp = 0;
$sql = sql::$db->query("SELECT * FROM " . _VMS_ . "_rallydaten WHERE id='" . $_GET['rally'] . "' LIMIT 1");
$ralleydaten = $sql->fetch();
$platz = sql::$db->query("SELECT * FROM " . _VMS_ . "_rallyuser WHERE rally = '" . $ralleydaten['name'] . "' AND ausgezahlt = '0' AND punkte >= '" . $ralleydaten['mindestpunktzhl'] . "' ORDER BY punkte DESC LIMIT " . $ralleydaten['gewinner_anzahl'] . "");
$sql = sql::$db->query("SELECT * FROM " . _VMS_ . "_rallydaten WHERE id = :rally LIMIT 1");
$sql->bindParam(':rally', $_GET['rally'], PDO::PARAM_INT);
$sql->execute();
$ralleydaten = $sql->fetch();
$platz = sql::$db->query("SELECT * FROM " . _VMS_ . "_rallyuser WHERE rally = :name AND ausgezahlt = '0' AND punkte >= :mindestpunktzhl ORDER BY punkte DESC LIMIT :gewinner_anzahl");
$platz->bindParam(':name', $ralleydaten['name'], PDO::PARAM_STR);
$platz->bindParam(':mindestpunktzhl', $ralleydaten['mindestpunktzhl'], PDO::PARAM_INT);
$platz->bindParam(':gewinner_anzahl', $ralleydaten['gewinner_anzahl'], PDO::PARAM_INT);
$platz->execute();
$x1 = 0;
while ($pa = $platz->fetch() ) {
$x1 ++;
......@@ -32,7 +42,7 @@ if (isset($_POST['auswert']) AND $_POST['auswert'] == 'Auswerten') {
$buchungs_id = create_code(14);
kontobuchung ('+', $buchungssumme, $pa['uid']);
buchungsliste ($buchungs_id, '+' . $buchungssumme, $ralleydaten['name'] . ' (Platz ' . $rp . ')', $pa['uid']);
echo' Die UID ' . $pa['uid'] . ' wahr auf Platz' . $x1 . 'und hatt' . $buchungssumme . ' erhalten <br>';
echo' Die UID ' . $pa['uid'] . ' war auf Platz' . $x1 . 'und hat' . $buchungssumme . ' erhalten <br>';
}
$sql = sql::$db->prepare("UPDATE " . _VMS_ . "_rallyuser SET ausgezahlt = ? WHERE rally = ? AND ausgezahlt = ?");
$sql->execute(array( time(), $ralleydaten['name'], '0' ));
......@@ -63,7 +73,9 @@ if (isset($_POST['beschrieb']) AND $_POST['beschrieb'] == 'Speichern') {
$sql = sql::$db->prepare("UPDATE " . _VMS_ . "_rallydaten SET beschrieb = ? WHERE id = ?");
$sql->execute(array($_POST['beschriebf'], $_GET['rally']));
}
$sql = sql::$db->query("SELECT * FROM " . _VMS_ . "_rallydaten WHERE id='" . $_GET['rally'] . "' LIMIT 1");
$sql = sql::$db->prepare("SELECT * FROM " . _VMS_ . "_rallydaten WHERE id=:rally LIMIT 1");
$sql->bindParam(':rally', $_GET['rally'], PDO::PARAM_INT);
$sql->execute();
$ralleydaten = $sql->fetch();
head($ralleydaten['name'] . "-Rally bearbeiten (html erlaubt!)");
......@@ -520,13 +532,15 @@ Geben Sie hier den prozentualen Anteil vom Gewinn Topf an. <br>(Die Summe aller
<?php
$sql = sql::$db->query("SELECT * FROM " . _VMS_ . "_rallydaten");
$rally = $sql->fetch();
$platz = sql::$db->query('SELECT k.punkte,u.nickname,u.uid FROM '._VMS_.'_rallyuser k LEFT JOIN '._VMS_.'_userdaten u ON u.uid = k.uid WHERE k.rally = "' . $ralleydaten['name'] . '" AND k.ausgezahlt = "0" ORDER BY k.punkte DESC');
$platz = sql::$db->prepare('SELECT k.punkte,u.nickname,u.uid FROM '._VMS_.'_rallyuser k LEFT JOIN '._VMS_.'_userdaten u ON u.uid = k.uid WHERE k.rally = :name AND k.ausgezahlt = "0" ORDER BY k.punkte DESC');
$platz -> bindParam(':name', $ralleydaten['name'] , PDO::PARAM_STR);
$platz -> execute();
$rp = 1;
$gesperrt = explode(',', $ralleydaten['sperruser']);
while ($pa = $platz->fetch() ) {
if (!in_array($pa['uid'], $gesperrt)) {
if ($ralleydaten['gewinner_anzahl'] >= $rp) {
$mg = number_format(($ralleydaten['gewinn_topf'] / 100 * $ralleydaten['p' . $rp]), 2, ',', '.') . ' ' . $waehrung;
$mg = number_format(($ralleydaten['gewinn_topf'] / 100 * $ralleydaten['p' . $rp]), 2, ',', '.') . ' ' . $system['waehrung'];
} else $mg = '---';
if ($pa['punkte'] < $ralleydaten['mindestpunktzhl']) $mindestpunkt = '<span style="color:'.$system['negativ_farbe'].';">Nicht erreicht.</span>';
if ($pa['punkte'] >= $ralleydaten['mindestpunktzhl']) $mindestpunkt = '<span style="color:'.$system['positiv_farbe'].';">Erreicht.</span>';
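Review bot: The two statements in the manual-evaluation branch (`$sql = sql::$db->query("SELECT * FROM " . _VMS_ . "_rallydaten WHERE id = :rally LIMIT 1")` and `$platz = sql::$db->query("SELECT * FROM " . _VMS_ . "_rallyuser WHERE rally = :name ...")`) still call `query()`, which executes immediately with nothing bound, so the named placeholders are never substituted and the following `bindParam()`/`execute()` calls act on a statement that has already run (or, presumably, on `false` if the driver rejects the unbound placeholders); both should be `sql::$db->prepare(...)` as the other three rewritten selects in this file already are. `LIMIT :gewinner_anzahl` is bound from a value that came out of `fetch()` and is typically a string at bind time; with PDO's emulated prepares (the MySQL default) it is quoted and `LIMIT '3'` is a syntax error, so bind it as `bindValue(':gewinner_anzahl', (int) $ralleydaten['gewinner_anzahl'], PDO::PARAM_INT)` or confirm emulation is disabled. The same `id` column is bound as `PDO::PARAM_STR` in the first hunk but `PDO::PARAM_INT` in the later two; use one type consistently, and `bindValue` is preferable to `bindParam` here since nothing relies on binding `$_GET['rally']` by reference. The `if` bodies and `while` loops shown continue outside the hunks.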
......
......@@ -2,7 +2,7 @@
menuehead("Usersystem");
echo '&raquo;&nbsp;<a href="?content=/usersystem/liste">Userliste</a><br>
&raquo;&nbsp;<a href="?content=/usersystem/doppelaccis">Doppelaccounts</a><br>
&raquo;&nbsp;<a href="?content=/usersystem/RefSchleifen">RefSchleifen</a><br>';
&raquo;&nbsp;<a href="?content=/usersystem/refschleifen">RefSchleifen</a><br>';
menuefoot();
menuehead("Newssystem");
......
......@@ -132,7 +132,7 @@ function usermail ($an, $betreff, $nachricht, $von) {
</HTML>';
$Header = "MIME-Version: 1.0\n";
$Header .= "Content-type: text/html; charset=iso-8859-1\n";
$Header .= "Content-type: text/html; charset=utf-8\n";
$Header .= "From: ".$von."\n";
return mail($an, $betreff, $html_nachricht, $Header);
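Review bot: Changing the Content-type header to `charset=utf-8` covers only the body: `$betreff` is handed to `mail()` unencoded, so a non-ASCII subject is now sent as raw UTF-8 bytes in a header that declares no charset, and any `<meta charset>` in the HTML assembled above this hunk (outside the visible lines) should be updated to match. Encode the subject with `mb_encode_mimeheader($betreff, 'UTF-8')` before the `mail()` call. The `From:` line on the following context line concatenates `$von` unchecked; a value containing CR or LF would terminate the header and append further header fields, so `$von` should be rejected or stripped of line breaks before it reaches `$Header`. The header lines also join with bare `\n` where `\r\n` is the RFC 5322 separator, though `mail()` on Unix hosts generally tolerates this. usermail's body begins before this hunk.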
......