54 |
CString SQL; |
CString SQL; |
55 |
|
|
56 |
Person p; |
Person p; |
57 |
//FIX SQL INJECTION |
|
58 |
|
wantInits.Replace("'","\""); |
59 |
|
|
60 |
SQL = "SELECT PersonID, Initialer, Navn, Admin, Pass FROM Person WHERE (Initialer = '" + wantInits + "')"; |
SQL = "SELECT PersonID, Initialer, Navn, Admin, Pass FROM Person WHERE (Initialer = '" + wantInits + "')"; |
61 |
CRecordset rs(&db); |
CRecordset rs(&db); |
62 |
rs.Open(AFX_DB_USE_DEFAULT_TYPE, SQL); |
rs.Open(AFX_DB_USE_DEFAULT_TYPE, SQL); |
63 |
|
|
64 |
if(!rs.IsEOF() ) |
if(!rs.IsEOF() ) |
65 |
{ |
{ |
66 |
rs.GetFieldValue((short)0,id); |
rs.GetFieldValue((short)0,id); |
75 |
p.isadmin = (isadmin == "1"); |
p.isadmin = (isadmin == "1"); |
76 |
p.pass = pass; |
p.pass = pass; |
77 |
} |
} |
78 |
|
|
79 |
return p; |
return p; |
80 |
} |
} |
81 |
|
|
82 |
bool DatabaseLayer::AddPerson(Person NewPerson) |
bool DatabaseLayer::AddPerson(Person NewPerson) |
83 |
{ |
{ |
84 |
CString SQL; |
CString SQL; |
85 |
|
NewPerson.inits.Replace("'","\""); |
86 |
|
NewPerson.name.Replace("'","\""); |
87 |
|
NewPerson.pass.Replace("'","\""); |
88 |
SQL.Format("INSERT into Person(Initialer, Navn, Admin, Pass) VALUES('%s', '%s', '%d', '%s')",NewPerson.inits, NewPerson.name, NewPerson.isadmin, NewPerson.pass); |
SQL.Format("INSERT into Person(Initialer, Navn, Admin, Pass) VALUES('%s', '%s', '%d', '%s')",NewPerson.inits, NewPerson.name, NewPerson.isadmin, NewPerson.pass); |
89 |
db.ExecuteSQL(SQL); |
db.ExecuteSQL(SQL); |
90 |
return true; |
return true; |
93 |
bool DatabaseLayer::UpdatePerson(Person ChangePerson) |
bool DatabaseLayer::UpdatePerson(Person ChangePerson) |
94 |
{ |
{ |
95 |
CString SQL; |
CString SQL; |
96 |
|
ChangePerson.inits.Replace("'","\""); |
97 |
|
ChangePerson.name.Replace("'","\""); |
98 |
|
ChangePerson.pass.Replace("'","\""); |
99 |
|
ChangePerson.id.Replace("'","\""); |
100 |
SQL.Format("UPDATE Person SET Initialer = '%s', Navn = '%s', Pass = '%s', Admin = '%d' WHERE PersonID = '%s'", ChangePerson.inits, ChangePerson.name, ChangePerson.pass, ChangePerson.isadmin, ChangePerson.id); |
SQL.Format("UPDATE Person SET Initialer = '%s', Navn = '%s', Pass = '%s', Admin = '%d' WHERE PersonID = '%s'", ChangePerson.inits, ChangePerson.name, ChangePerson.pass, ChangePerson.isadmin, ChangePerson.id); |
101 |
db.ExecuteSQL(SQL); |
db.ExecuteSQL(SQL); |
102 |
return true; |
return true; |
105 |
bool DatabaseLayer::DeletePerson(Person RemovePerson) |
bool DatabaseLayer::DeletePerson(Person RemovePerson) |
106 |
{ |
{ |
107 |
CString SQL; |
CString SQL; |
108 |
|
RemovePerson.id.Replace("'","\""); |
109 |
SQL.Format("DELETE FROM Person WHERE PersonID = '%s'", RemovePerson.id); |
SQL.Format("DELETE FROM Person WHERE PersonID = '%s'", RemovePerson.id); |
110 |
db.ExecuteSQL(SQL); |
db.ExecuteSQL(SQL); |
111 |
return true; |
return true; |
114 |
bool DatabaseLayer::ReturnEquipment(CString barcode) |
bool DatabaseLayer::ReturnEquipment(CString barcode) |
115 |
{ |
{ |
116 |
CString SQL; |
CString SQL; |
117 |
|
barcode.Replace("'","\""); |
118 |
SQL.Format("UPDATE Udstyr SET Status = '3' WHERE Stregkode= '%s'", barcode); |
SQL.Format("UPDATE Udstyr SET Status = '3' WHERE Stregkode= '%s'", barcode); |
119 |
db.ExecuteSQL(SQL); |
db.ExecuteSQL(SQL); |
120 |
|
|
128 |
bool DatabaseLayer::CheckoutEquipment(Person CheckPersID, Equipment CheckEquip, int Numdays) |
bool DatabaseLayer::CheckoutEquipment(Person CheckPersID, Equipment CheckEquip, int Numdays) |
129 |
{ |
{ |
130 |
CString SQL; |
CString SQL; |
131 |
|
CheckEquip.barcode.Replace("'","\""); |
132 |
|
CheckPersID.id.Replace("'","\""); |
133 |
SQL.Format("UPDATE Udstyr SET Status = '1' WHERE Stregkode = '%s' ", CheckEquip.barcode); |
SQL.Format("UPDATE Udstyr SET Status = '1' WHERE Stregkode = '%s' ", CheckEquip.barcode); |
134 |
db.ExecuteSQL(SQL); |
db.ExecuteSQL(SQL); |
135 |
SQL.Format("INSERT INTO Udlån (PersonID, Stregkode, Startdato, Antaldage) VALUES( '%s','%s', GetDate(),'%d')", CheckPersID.id, CheckEquip.barcode, Numdays); |
SQL.Format("INSERT INTO Udlån (PersonID, Stregkode, Startdato, Antaldage) VALUES( '%s','%s', GetDate(),'%d')", CheckPersID.id, CheckEquip.barcode, Numdays); |
140 |
bool DatabaseLayer::EquipmentReservation(CString barcode, Person CheckPerson) |
bool DatabaseLayer::EquipmentReservation(CString barcode, Person CheckPerson) |
141 |
{ |
{ |
142 |
CString SQL; |
CString SQL; |
143 |
|
CheckPerson.id.Replace("'","\""); |
144 |
|
barcode.Replace("'","\""); |
145 |
SQL.Format("INSERT INTO Resevation (PersonID, Stregkode, Startdato) VALUES( '%s','%s', GetDate())", CheckPerson.id, barcode); |
SQL.Format("INSERT INTO Resevation (PersonID, Stregkode, Startdato) VALUES( '%s','%s', GetDate())", CheckPerson.id, barcode); |
146 |
db.ExecuteSQL(SQL); |
db.ExecuteSQL(SQL); |
147 |
checkReservations(barcode); |
checkReservations(barcode); |
151 |
bool DatabaseLayer::UpdateEquipment(Equipment CheckEquip) |
bool DatabaseLayer::UpdateEquipment(Equipment CheckEquip) |
152 |
{ |
{ |
153 |
CString SQL; |
CString SQL; |
154 |
|
CheckEquip.name.Replace("'","\""); |
155 |
|
CheckEquip.description.Replace("'","\""); |
156 |
|
CheckEquip.placement.Replace("'","\""); |
157 |
|
CheckEquip.status.Replace("'","\""); |
158 |
|
CheckEquip.barcode.Replace("'","\""); |
159 |
SQL.Format("UPDATE Udstyr SET Navn = '%s', Beskrivelse = '%s', Placering = '%s', Status = '%s' WHERE Stregkode = '%s'", CheckEquip.name, CheckEquip.description, CheckEquip.placement, CheckEquip.status, CheckEquip.barcode); |
SQL.Format("UPDATE Udstyr SET Navn = '%s', Beskrivelse = '%s', Placering = '%s', Status = '%s' WHERE Stregkode = '%s'", CheckEquip.name, CheckEquip.description, CheckEquip.placement, CheckEquip.status, CheckEquip.barcode); |
160 |
db.ExecuteSQL(SQL); |
db.ExecuteSQL(SQL); |
161 |
return true; |
return true; |
164 |
bool DatabaseLayer::AddEquipment(Equipment AddEquip) |
bool DatabaseLayer::AddEquipment(Equipment AddEquip) |
165 |
{ |
{ |
166 |
CString SQL; |
CString SQL; |
167 |
|
AddEquip.barcode.Replace("'","\""); |
168 |
|
AddEquip.name.Replace("'","\""); |
169 |
|
AddEquip.description.Replace("'","\""); |
170 |
|
AddEquip.placement.Replace("'","\""); |
171 |
SQL.Format("INSERT into Udstyr(Stregkode, Navn, Beskrivelse, Placering, Status) VALUES('%s', '%s', '%s', '%s', '%s')",AddEquip.barcode, AddEquip.name, AddEquip.description, AddEquip.placement, "3"); |
SQL.Format("INSERT into Udstyr(Stregkode, Navn, Beskrivelse, Placering, Status) VALUES('%s', '%s', '%s', '%s', '%s')",AddEquip.barcode, AddEquip.name, AddEquip.description, AddEquip.placement, "3"); |
172 |
db.ExecuteSQL(SQL); |
db.ExecuteSQL(SQL); |
173 |
return true; |
return true; |
209 |
|
|
210 |
CString SQL; |
CString SQL; |
211 |
|
|
212 |
|
wantBarcode.Replace("'","\""); |
213 |
|
|
214 |
Equipment e; |
Equipment e; |
215 |
|
|
216 |
SQL.Format("SELECT Stregkode,Navn,Udstyr.Beskrivelse,Placering,Status.Beskrivelse FROM Udstyr INNER JOIN Status ON Udstyr.Status = Status.StatusID Where (Stregkode = '%s')", wantBarcode); |
SQL.Format("SELECT Stregkode,Navn,Udstyr.Beskrivelse,Placering,Status.Beskrivelse FROM Udstyr INNER JOIN Status ON Udstyr.Status = Status.StatusID Where (Stregkode = '%s')", wantBarcode); |
237 |
bool DatabaseLayer::DeleteEquipment(Equipment DelEquip) |
bool DatabaseLayer::DeleteEquipment(Equipment DelEquip) |
238 |
{ |
{ |
239 |
CString SQL; |
CString SQL; |
240 |
|
DelEquip.barcode.Replace("'","\""); |
241 |
SQL.Format("DELETE FROM Udstyr WHERE Stregkode = '%s'", DelEquip.barcode); |
SQL.Format("DELETE FROM Udstyr WHERE Stregkode = '%s'", DelEquip.barcode); |
242 |
db.ExecuteSQL(SQL); |
db.ExecuteSQL(SQL); |
243 |
return true; |
return true; |
249 |
{ |
{ |
250 |
vector<Equipment> buffer; |
vector<Equipment> buffer; |
251 |
|
|
252 |
|
barcode.Replace("'","\""); |
253 |
|
name.Replace("'","\""); |
254 |
|
inits.Replace("'","\""); |
255 |
|
|
256 |
//here are the wanted equipments found through 3 seperate queries - I could also |
//here are the wanted equipments found through 3 seperate queries - I could also |
257 |
//find them all in one query where I joined the 3 selects via a UNION |
//find them all in one query where I joined the 3 selects via a UNION |
258 |
CString SQL; |
CString SQL; |
389 |
void DatabaseLayer::checkReservations(CString barcode) |
void DatabaseLayer::checkReservations(CString barcode) |
390 |
{ |
{ |
391 |
CString scount,status; |
CString scount,status; |
392 |
|
barcode.Replace("'","\""); |
393 |
CString SQL = "SELECT count(*) FROM Resevation WHERE Resevation.Stregkode = '" + barcode + "'"; |
CString SQL = "SELECT count(*) FROM Resevation WHERE Resevation.Stregkode = '" + barcode + "'"; |
394 |
CRecordset rs(&db); |
CRecordset rs(&db); |
395 |
rs.Open(AFX_DB_USE_DEFAULT_TYPE,SQL); |
rs.Open(AFX_DB_USE_DEFAULT_TYPE,SQL); |
415 |
//Developed by Torben H. Nielsen |
//Developed by Torben H. Nielsen |
416 |
bool DatabaseLayer::DeleteReservation(CString barcode, CString resid) |
bool DatabaseLayer::DeleteReservation(CString barcode, CString resid) |
417 |
{ |
{ |
418 |
|
barcode.Replace("'","\""); |
419 |
|
resid.Replace("'","\""); |
420 |
CString SQL = "DELETE FROM Resevation WHERE resevationid = " + resid; |
CString SQL = "DELETE FROM Resevation WHERE resevationid = " + resid; |
421 |
db.ExecuteSQL(SQL); |
db.ExecuteSQL(SQL); |
422 |
checkReservations(barcode); |
checkReservations(barcode); |