$sql = "INSERT INTO ".Rsys :: getTable("category")." (name) VALUES ('".Database::escape_string($naam)."')";
$sql = "INSERT INTO ".Rsys :: getTable("category")." (name) VALUES ('".Database::escape_string($name)."')";
Database::query($sql);
Database::query($sql);
return Database::insert_id();
return Database::insert_id();
}
}
@ -150,7 +150,7 @@ class Rsys {
* @return - boolean True or False
* @return - boolean True or False
*/
*/
function check_category($name, $id=0) {
function check_category($name, $id=0) {
$sql = "SELECT name FROM ".Rsys :: getTable("category")." WHERE LCASE(name)='".strtolower(Database::escape_string($name))."' AND id<>".Database::escape_string($id)."";
$sql = "SELECT name FROM ".Rsys :: getTable("category")." WHERE LCASE(name)='".strtolower(Database::escape_string($name))."' AND id<>".intval($id)."";
$Result = Database::query($sql);
$Result = Database::query($sql);
return (Database::num_rows($Result) == 0);
return (Database::num_rows($Result) == 0);
}
}
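Review bot: The case-insensitive duplicate check on the new line 17 still lowercases the two operands with different functions: MySQL's `LCASE(name)` follows the column's character set, while PHP's `strtolower()` is byte-wise (and locale-dependent on older PHP), so two names differing only in the case of a non-ASCII letter are not recognised as duplicates. Letting the database lowercase both sides keeps the comparison consistent: `WHERE LCASE(name)=LCASE('".Database::escape_string($name)."') AND id<>".intval($id)`. The result is also only a point-in-time check; a concurrent insert between this SELECT and the caller's INSERT/UPDATE is not prevented, so a unique key on the table is still needed if duplicates must be impossible.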
@ -163,7 +163,7 @@ class Rsys {
*/
*/
function edit_category($id, $name) {
function edit_category($id, $name) {
if (Rsys :: check_category($name, $id)) {
if (Rsys :: check_category($name, $id)) {
$sql = "UPDATE ".Rsys :: getTable("category")." SET name = '".Database::escape_string($name)."' WHERE id =".Database::escape_string($id)."";
$sql = "UPDATE ".Rsys :: getTable("category")." SET name = '".Database::escape_string($name)."' WHERE id =".intval($id)."";
Database::query($sql);
Database::query($sql);
return $id;
return $id;
}
}
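Review bot: `edit_category` still returns the raw `$id` (line 36) even though the UPDATE on the new line 32 now runs against `intval($id)`, so a caller gets back an unsanitised value that may not match the row actually updated (`'7abc'` updates id 7 but `'7abc'` is returned). Normalising once at the top of the function — `$id = intval($id);` before the `check_category` call — makes the check, the UPDATE and the return value agree and makes the later `intval()` wrapper redundant. The UPDATE's affected-row count is not inspected either, so an id that matches no row is still reported as success; the function's failure branch lies outside this hunk.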
@ -177,10 +177,10 @@ class Rsys {
*/
*/
function delete_category($id) {
function delete_category($id) {
$id = intval($id);
$id = intval($id);
$sql = "SELECT id FROM ".Rsys :: getTable("item")." WHERE category_id=".Database::escape_string($id)."";
$sql = "SELECT id FROM ".Rsys :: getTable("item")." WHERE category_id=".inval($id)."";
$result = Database::query($sql);
$result = Database::query($sql);
if (Database::num_rows($result) == 0) {
if (Database::num_rows($result) == 0) {
$sql2 = "DELETE FROM ".Rsys :: getTable("category")." WHERE id =".Database::escape_string($id)."";
$sql2 = "DELETE FROM ".Rsys :: getTable("category")." WHERE id =".intval($id)."";
Database::query($sql2);
Database::query($sql2);
return 0;
return 0;
} else {
} else {
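Review bot: The new line 47 calls `inval($id)`, which is not a PHP function — `delete_category()` will now abort with "Call to undefined function inval()" on every call. Since `$id` is already normalised by `$id = intval($id);` on line 45, the wrapper is redundant anyway: `$sql = "SELECT id FROM ".Rsys :: getTable("item")." WHERE category_id=".$id."";` (and likewise `WHERE id =".$id."` on line 53). The SELECT-then-DELETE pair is also not atomic, so an item assigned to the category between the two statements is left orphaned; a foreign key with `ON DELETE RESTRICT`, if the schema allows it, would close that window. The function's else branch continues outside the hunk.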
@ -200,7 +200,7 @@ class Rsys {
$id = intval($id);
$id = intval($id);
$sql = "SELECT * FROM ".Rsys :: getTable("category");
$sql = "SELECT * FROM ".Rsys :: getTable("category");
if (!empty ($id))
if (!empty ($id))
$sql .= " WHERE id = ".Database::escape_string($id)."";
$sql = "SELECT name FROM ".Rsys :: getTable("item")."
$sql = "SELECT name FROM ".Rsys :: getTable("item")."
WHERE LCASE(name)='".strtolower(Database::escape_string($item))."'
WHERE LCASE(name)='".strtolower(Database::escape_string($item))."'
AND category_id=".Database::escape_string($category)."
AND category_id=".intval($category)."
AND id<>".Database::escape_string($id)."";
AND id<>".intval($id)."";
$Result = Database::query($sql);
$Result = Database::query($sql);
return (Database::num_rows($Result) == 0);
return (Database::num_rows($Result) == 0);
}
}
@ -325,7 +325,7 @@ class Rsys {
*/
*/
function add_item($name, $description, $category, $course = "") {
function add_item($name, $description, $category, $course = "") {
if (Rsys :: check_item($name, $category)) {
if (Rsys :: check_item($name, $category)) {
$sql = "INSERT INTO ".Rsys :: getTable("item")." (category_id,course_code,name,description,creator) VALUES ('".Database::escape_string($category)."','".Database::escape_string($course)."','".Database::escape_string($name)."','".Database::escape_string($description)."','".api_get_user_id()."')";
$sql = "INSERT INTO ".Rsys :: getTable("item")." (category_id,course_code,name,description,creator) VALUES ('".intval($category)."','".Database::escape_string($course)."','".Database::escape_string($name)."','".Database::escape_string($description)."','".api_get_user_id()."')";
Database::query($sql);
Database::query($sql);
return Database::insert_id();
return Database::insert_id();
}
}
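Review bot: The duplicate guard on line 88 and the INSERT on the new line 90 are a check-then-act pair with no lock or transaction, so two concurrent `add_item` calls with the same name and category can both pass `check_item` and both insert. If duplicate names per category must be impossible, enforce it with a unique key on `(category_id, name)` (with a case-insensitive collation to match `check_item`'s `LCASE` comparison) and treat a duplicate-key error from the INSERT as the failure case. Minor: `intval($category)` is wrapped in quotes here (`'".intval($category)."'`) whereas the WHERE clauses elsewhere in this commit compare unquoted integers; either works for MySQL, but one form is easier to audit. The function's failure branch lies outside this hunk.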
@ -346,8 +346,8 @@ class Rsys {
return false;
return false;
if (!Rsys :: check_item($name, $category, $id))
if (!Rsys :: check_item($name, $category, $id))
return false;
return false;
$sql = "UPDATE ".Rsys :: getTable("item")." SET category_id='".Database::escape_string($category)."',course_code='".Database::escape_string($course)."',name='".Database::escape_string($name)."',description='".Database::escape_string($description)."' " .
$sql = "UPDATE ".Rsys :: getTable("item")." SET category_id='".intval($category)."',course_code='".Database::escape_string($course)."',name='".Database::escape_string($name)."',description='".Database::escape_string($description)."' " .
"WHERE id =".Database::escape_string($id)."";
"WHERE id =".intval($id)."";
Database::query($sql);
Database::query($sql);
return $id;
return $id;
}
}
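Review bot: The new lines 105 and 107 bind `intval($category)` and `intval($id)` into the UPDATE, but the preceding `check_item($name, $category, $id)` on line 101 and the `return $id` on line 111 still use the raw values, so the uniqueness check, the UPDATE and the returned id can disagree for a non-numeric or mixed input such as `'7abc'`. Normalise once before the checks — `$id = intval($id); $category = intval($category);` — and return that value; the function's signature and the earlier `return false` guard are above this hunk. As in the other write paths the affected-row count is not checked, so an id that matches no row is still reported as a successful edit.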
@ -360,18 +360,18 @@ class Rsys {
function delete_item($id) {
function delete_item($id) {
if (!Rsys :: item_allow($id, 'delete'))
if (!Rsys :: item_allow($id, 'delete'))
return false;
return false;
$sql = "SELECT id,end_at FROM".Rsys :: getTable('reservation')." WHERE item_id=".Database::escape_string($id)."";
$sql = "SELECT id,end_at FROM".Rsys :: getTable('reservation')." WHERE item_id=".intval($id)."";
$result = Database::query($sql);
$result = Database::query($sql);
while ($array = Database::fetch_array($result)) {
while ($array = Database::fetch_array($result)) {
if (Rsys :: mysql_datetime_to_timestamp(date('Y-m-d H:i:s')) <= Rsys :: mysql_datetime_to_timestamp($array[1]))
if (Rsys :: mysql_datetime_to_timestamp(date('Y-m-d H:i:s')) <= Rsys :: mysql_datetime_to_timestamp($array[1]))
$checked = true;
$checked = true;
}
}
if (!$checked) {
if (!$checked) {
$sql = "DELETE FROM ".Rsys :: getTable("item")." WHERE id =".Database::escape_string($id)."";
$sql = "DELETE FROM ".Rsys :: getTable("item")." WHERE id =".intval($id)."";
Database::query($sql);
Database::query($sql);
$sql = "DELETE FROM ".Rsys :: getTable("item_rights")." WHERE item_id =".Database::escape_string($id)."";
$sql = "DELETE FROM ".Rsys :: getTable("item_rights")." WHERE item_id =".intval($id)."";
Database::query($sql);
Database::query($sql);
$sql = "DELETE FROM ".Rsys :: getTable("reservation")." WHERE item_id =".Database::escape_string($id)."";
$sql = "DELETE FROM ".Rsys :: getTable("reservation")." WHERE item_id =".intval($id)."";
Database::query($sql);
Database::query($sql);
return '0';
return '0';
} else {
} else {
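Review bot: The new line 122 keeps a pre-existing SQL syntax error — `"SELECT id,end_at FROM".Rsys :: getTable('reservation')` has no space after `FROM`, producing `FROM<table>` — so the reservation lookup fails; if `Database::query` returns false on error as the old mysql_* wrappers did, the `while` loop never runs, `$checked` (never initialised) stays undefined, `!$checked` is true, and the item and its reservations are deleted even when future reservations exist, which is exactly what the loop is meant to prevent. Fix the query and initialise the flag: `$sql = "SELECT id,end_at FROM ".Rsys :: getTable('reservation')." WHERE item_id=".intval($id)."";` and `$checked = false;` before the loop, and treat a false `$result` as a reason to refuse the delete rather than proceed. The three DELETEs on lines 136–144 also run without a transaction, so a failure midway leaves `item_rights` or `reservation` rows pointing at a removed item; wrapping them in a transaction (where the storage engine supports it) would avoid that. The else branch continues outside the hunk.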
@ -403,7 +403,7 @@ class Rsys {
LEFT JOIN ".Rsys :: getTable("item_rights")." ir ON ir.item_id=i.id
LEFT JOIN ".Rsys :: getTable("item_rights")." ir ON ir.item_id=i.id
LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS)." c ON ir.class_id=c.id AND ir.item_id = i.id
LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS)." c ON ir.class_id=c.id AND ir.item_id = i.id
LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS_USER)." cu ON cu.class_id = c.id
LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS_USER)." cu ON cu.class_id = c.id
WHERE i.id='".Database::escape_string($item_id)."' AND (". (!empty ($x) ? "(cu.user_id='".api_get_user_id()."' AND ".$x.") OR " : '')." i.creator='".api_get_user_id()."' OR 1=". (api_is_platform_admin() ? 1 : 0).")";
WHERE i.id='".intval($item_id)."' AND (". (!empty ($x) ? "(cu.user_id='".api_get_user_id()."' AND ".$x.") OR " : '')." i.creator='".api_get_user_id()."' OR 1=". (api_is_platform_admin() ? 1 : 0).")";
WHERE ((cu.user_id='".api_get_user_id()."' AND (ir.edit_right=1 OR ir.delete_right=1)) OR i.creator='".api_get_user_id()."' OR 1=". (api_is_platform_admin() ? 1 : 0).")";
WHERE ((cu.user_id='".api_get_user_id()."' AND (ir.edit_right=1 OR ir.delete_right=1)) OR i.creator='".api_get_user_id()."' OR 1=". (api_is_platform_admin() ? 1 : 0).")";
if (!empty ($_GET['cat']) && $_GET['cat'] <> 0) {
if (!empty ($_GET['cat']) && $_GET['cat'] <> 0) {
$sql .= " AND ca.id = '".Database::escape_string($_GET['cat'])."' ";
$sql .= " AND ca.id = '".intval($_GET['cat'])."' ";
}
}
$from = intval($from);
$from = intval($from);
@ -533,7 +533,7 @@ class Rsys {
* @return - Array The returned rows
* @return - Array The returned rows
*/
*/
function get_table_itemrights($from, $per_page, $column, $direction) {
function get_table_itemrights($from, $per_page, $column, $direction) {
$sql = "SELECT COUNT(id) FROM ".Database :: get_main_table(TABLE_MAIN_CLASS)." WHERE id NOT IN (SELECT class_id FROM ".Rsys :: getTable("item_rights")." WHERE item_id='".$item_id."') ORDER BY name ASC, code ASC";
$sql = "SELECT COUNT(id) FROM ".Database :: get_main_table(TABLE_MAIN_CLASS)." WHERE id NOT IN (SELECT class_id FROM ".Rsys :: getTable("item_rights")." WHERE item_id='".$item_id."') ORDER BY name ASC, code ASC";