Fix management of user groups

- Make sure database prefix is applied on all queries
thexerteproject · Nov 24, 2021 · 2e65bcd · 2e65bcd
1 parent 49d3a2f
commit 2e65bcd
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/website_code/php/management/add_member.php b/website_code/php/management/add_member.php
@@ -33,17 +33,20 @@
 
 //returns an insert query to add a list of login_ids to a group
 function add_members_to_group($login_ids, $group_id){
+    global $xerte_toolkits_site;
 
+    $prefix = $xerte_toolkits_site->database_table_prefix;
     $entries = array();
     foreach($login_ids as $login_id){
         $entries[] = "(" . $login_id . ", ". $group_id . ")";
     }
 
-    return "INSERT INTO " . $xerte_toolkits_site->database_table_prefix . "user_group_members (login_id, group_id) VALUES " . implode(', ', $entries);
+    return "INSERT INTO {$prefix}user_group_members (login_id, group_id) VALUES " . implode(', ', $entries);
 
 }
 
 if(is_user_admin()){
+    $prefix = $xerte_toolkits_site->database_table_prefix;
 
     $login_ids= $_POST['login_id'];
     $group_id = $_POST['group_id'];
@@ -52,7 +55,7 @@ function add_members_to_group($login_ids, $group_id){
     $database_id = database_connect("member list connected","member list failed");
 
     $params = array( $group_id);
-    $query = "SELECT * FROM " . $xerte_toolkits_site->database_table_prefix . "user_group_members WHERE group_id=? AND login_id in (" . $logins . ")";
+    $query = "SELECT * FROM {$prefix}user_group_members WHERE group_id=? AND login_id in (" . $logins . ")";
     $exists = db_query($query, $params);
 
     $existing_arr = [];

diff --git a/website_code/php/management/get_group_members.php b/website_code/php/management/get_group_members.php
@@ -32,18 +32,21 @@
 require_once("management_library.php");
 
 function get_group_members($group_id){
+    global $xerte_toolkits_site;
+
+    $prefix = $xerte_toolkits_site->database_table_prefix;
 
     if (is_null($group_id) or $group_id=="") {
         return false;
     }
     $database_id = database_connect("member list connected","member list failed");
 
-    $query="select * from " . $xerte_toolkits_site->database_table_prefix . "logindetails, user_group_members WHERE logindetails.login_id=user_group_members.login_id AND user_group_members.group_id=? ORDER BY logindetails.surname";
+    $query="select * from {$prefix}logindetails ld, {$prefix}user_group_members ugm WHERE ld.login_id=ugm.login_id AND ugm.group_id=? ORDER BY ld.surname";
 
     $query_response = db_query($query, array($group_id));
 
     //get selected group name:
-    $group = db_query_one("SELECT * FROM " . $xerte_toolkits_site->database_table_prefix . "user_groups WHERE group_id=?", array($group_id));
+    $group = db_query_one("SELECT * FROM {$prefix}user_groups WHERE group_id=?", array($group_id));
     echo "<h2>" . USER_GROUPS_MANAGEMENT_GROUP_MEMBERS . $group['group_name'] . ".</h2>";
 
     $membercount = count($query_response);