diff --git a/web/skins/classic/views/event.php b/web/skins/classic/views/event.php
index db0aa6543..721e7b18e 100644
--- a/web/skins/classic/views/event.php
+++ b/web/skins/classic/views/event.php
@@ -27,13 +27,15 @@ if ( !canView( 'Events' ) )
 $eid = validInt( $_REQUEST['eid'] );
 $fid = !empty($_REQUEST['fid'])?validInt($_REQUEST['fid']):1;
-if ( $user['MonitorIds'] )
- $midSql = " and MonitorId in (".join( ",", preg_split( '/["\'\s]*,["\'\s]*/', dbEscape($user['MonitorIds']) ) ).")";
-else
- $midSql = '';
+$sql = 'SELECT E.*,M.Name AS MonitorName,M.Width,M.Height,M.DefaultRate,M.DefaultScale FROM Events AS E INNER JOIN Monitors AS M ON E.MonitorId = M.Id WHERE E.Id = ?';
+$sql_values = array( $eid );
-$sql = 'SELECT E.*,M.Name AS MonitorName,M.DefaultRate,M.DefaultScale FROM Events AS E INNER JOIN Monitors AS M ON E.MonitorId = M.Id WHERE E.Id = ?'.$midSql;
-$event = dbFetchOne( $sql, NULL, array($eid) );
+if ( $user['MonitorIds'] ) {
+ $monitor_ids = explode( ',', $user['MonitorIds'] );
+ $sql .= ' AND MonitorId IN (' .implode( ',', array_fill(0,count($monitor_ids),'?') ) . ')';
+ $sql_values = array_merge( $sql_values, $monitor_ids );
+}
+$event = dbFetchOne( $sql, NULL, $sql_values );
 if ( isset( $_REQUEST['rate'] ) )
 $rate = validInt($_REQUEST['rate']);
diff --git a/web/skins/classic/views/events.php b/web/skins/classic/views/events.php
index 9c4a5a299..59403c76b 100644
--- a/web/skins/classic/views/events.php
+++ b/web/skins/classic/views/events.php
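Review bot: In the new event.php block, `explode( ',', $user['MonitorIds'] )` binds each piece verbatim, while the removed `preg_split( '/["\'\s]*,["\'\s]*/', ... )` tolerated whitespace and quotes around the commas, so an already-stored value such as `1, 2`, `"1","2"` or one with a trailing comma now yields parameters like ` 2`, `"2"` or `''` that the database has to coerce, and a quoted or empty element would presumably compare as 0 rather than as the intended id. Normalising before binding keeps the placeholder form and the old tolerance: `$monitor_ids = array_map( 'intval', preg_split( '/["\'\s]*,["\'\s]*/', $user['MonitorIds'] ) );`. The same construction appears in the video.php hunk and this remark applies there too; the two queries are otherwise identical except that event.php now also selects `M.Width,M.Height`, which deserves a one-line comment if the difference is intentional.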
@@ -32,7 +32,7 @@ if ( !empty($_REQUEST['execute']) )
 $countSql = 'SELECT count(E.Id) AS EventCount FROM Monitors AS M INNER JOIN Events AS E ON (M.Id = E.MonitorId) WHERE';
 $eventsSql = 'SELECT E.Id,E.MonitorId,M.Name AS MonitorName,M.DefaultScale,E.Name,E.Width,E.Height,E.Cause,E.Notes,E.StartTime,E.Length,E.Frames,E.AlarmFrames,E.TotScore,E.AvgScore,E.MaxScore,E.Archived FROM Monitors AS M INNER JOIN Events AS E on (M.Id = E.MonitorId) WHERE';
 if ( $user['MonitorIds'] ) {
- $user_monitor_ids = " M.Id in (".join( ",", preg_split( '/["\'\s]*,["\'\s]*/', $user['MonitorIds'] ) ).")";
+ $user_monitor_ids = ' M.Id in ('.$user['MonitorIds'].')';
 $countSql .= $user_monitor_ids;
 $eventsSql .= $user_monitor_ids;
 } else {
diff --git a/web/skins/classic/views/timeline.php b/web/skins/classic/views/timeline.php
index a0e9d01f9..eefa830d5 100644
--- a/web/skins/classic/views/timeline.php
+++ b/web/skins/classic/views/timeline.php
@@ -147,7 +147,7 @@ $eventsSql = "select E.Id,E.Name,E.StartTime,E.EndTime,E.Length,E.Frames,E.MaxSc
 if ( !empty($user['MonitorIds']) ) {
- $monFilterSql = " and M.Id in (".join( ",", preg_split( '/["\'\s]*,["\'\s]*/', $user['MonitorIds'] ) ).")";
+ $monFilterSql = ' AND M.Id IN ('.$user['MonitorIds'].')';
 $rangeSql .= $monFilterSql;
 $eventsSql .= $monFilterSql;
diff --git a/web/skins/classic/views/video.php b/web/skins/classic/views/video.php
index e1db10329..05ee55afb 100644
--- a/web/skins/classic/views/video.php
+++ b/web/skins/classic/views/video.php
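Review bot: The new `$user_monitor_ids = ' M.Id in ('.$user['MonitorIds'].')';` splices the stored MonitorIds column directly into both `$countSql` and `$eventsSql` with no escaping or type check, whereas the removed `preg_split` at least stripped quotes and whitespace around the separators; any non-numeric content in that column, whether a typo or a value saved by whoever edits user accounts, therefore reaches the WHERE clause as raw SQL. event.php and video.php in this same commit bind the ids through `?` placeholders and events.php should follow suit; if threading a values array through to the fetch calls (which sit outside the hunk) is not practical here, coercing each element is the minimum: `$monitor_ids = array_map( 'intval', explode( ',', $user['MonitorIds'] ) );` then `$user_monitor_ids = ' M.Id in ('.implode( ',', $monitor_ids ).')';`. The timeline.php hunk's `$monFilterSql = ' AND M.Id IN ('.$user['MonitorIds'].')';` is the identical construction and needs the same fix. The enclosing if/else of the events.php hunk closes outside the hunk.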
@@ -24,13 +24,17 @@ if ( !canView( 'Events' ) )
 return;
 }
-if ( !empty($user['MonitorIds']) )
- $midSql = " and MonitorId in (".join( ",", preg_split( '/["\'\s]*,["\'\s]*/', $user['MonitorIds'] ) ).")";
-else
- $midSql = '';
+$eid = validInt($_REQUEST['eid']);
-$sql = 'SELECT E.*,M.Name AS MonitorName,M.DefaultRate,M.DefaultScale FROM Events AS E INNER JOIN Monitors AS M ON E.MonitorId = M.Id WHERE E.Id = ?'.$midSql;
-$event = dbFetchOne( $sql, NULL, array( $_REQUEST['eid'] ) );
+$sql = 'SELECT E.*,M.Name AS MonitorName,M.DefaultRate,M.DefaultScale FROM Events AS E INNER JOIN Monitors AS M ON E.MonitorId = M.Id WHERE E.Id = ?';
+$sql_values = array( $eid );
+
+if ( $user['MonitorIds'] ) {
+ $monitor_ids = explode( ',', $user['MonitorIds'] );
+ $sql .= ' AND MonitorId IN (' .implode( ',', array_fill(0,count($monitor_ids),'?') ) . ')';
+ $sql_values = array_merge( $sql_values, $monitor_ids );
+}
+$event = dbFetchOne( $sql, NULL, $sql_values );
 if ( isset( $_REQUEST['rate'] ) )
 $rate = validInt($_REQUEST['rate']);