From d94ea09940394f205197291334ff5468a3a7994b Mon Sep 17 00:00:00 2001
From: Walter Hupfeld
Date: Fri, 15 Mar 2024 21:57:30 +0100
Subject: [PATCH] fix
---
 admin/index.php | 13 +++++++------
 ajax/ajax_location_push.php | 29 ++++++++++++++++++-----------
 index.php | 4 +++-
 lib/functions.php | 5 +++--
 4 files changed, 31 insertions(+), 20 deletions(-)
diff --git a/admin/index.php b/admin/index.php
index 504e3b0..a8e1d46 100644
--- a/admin/index.php
+++ b/admin/index.php
@@ -3,9 +3,9 @@
 * Ideenmelder
 * Autor: Walter Hupfeld, Hamm
 * E-Mail: info@hupfeld-software.de
- * Version: 1.0
+ * Version: 3.0
 * Datum: 18.05.2021
- * zuletzte bearbeitet: 21.02.2024
+ * zuletzte bearbeitet: 15.03.2024
 ******************************** */
 session_start();
@@ -33,12 +33,13 @@
 }
 $numDelete = (int)$_GET['delid'];
- if ($superAmdin) {
- $stmt = $db->prepare("DELETE FROM location WHERE id = :id AND district=:district");}
+ if ($boolSuperAdmin) {
+ $stmt = $db->prepare("DELETE FROM location WHERE id = :id");}
 else {
- $stmt = $db->prepare("DELETE FROM location WHERE id = :id AND district=:district");}
+ $stmt = $db->prepare("DELETE FROM location WHERE id = :id AND district=:district");
+ $stmt->bindValue(":district",$strDistrict);
+ }
 $stmt->bindValue(":id",$numDelete);
- $stmt->bindValue(":district",$strDistrict);
 $stmt->execute();
 $stmt = $db->prepare("DELETE FROM comment WHERE loc_id= :loc_id");
diff --git a/ajax/ajax_location_push.php b/ajax/ajax_location_push.php
index 2938bd3..e962beb 100644
--- a/ajax/ajax_location_push.php
+++ b/ajax/ajax_location_push.php
@@ -5,6 +5,8 @@
 require_once("../config.php");
 require_once("../lib/functions.php");
 require_once("../lib/geocoding.php");
+$allowed_extensions = array("jpg", "jpeg", "png", "gif");
+
 $strUsername = htmlentities(trim($_POST['username']));
 $strUsername = addslashes($strUsername);
 $strAge = (isset($_POST['ext_age'])) ? $_POST['ext_age'] : "";
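Review bot: The location delete in the second admin/index.php hunk is still driven solely by `$_GET['delid']`, and no CSRF token or request-method check is visible before the `DELETE` statements are prepared, so the destructive action (and the cascading `DELETE FROM comment WHERE loc_id= :loc_id` that follows) is reachable from any link an authenticated admin opens. Unless such a check exists above the hunk, gate this path on a POST carrying a session-bound token before `$numDelete = (int)$_GET['delid'];` is reached. The super-admin branch now deliberately drops the district filter; a one-line comment such as `// super admins may delete across districts, everyone else is scoped to $strDistrict` would record that intent next to the two `prepare()` calls. Minor: `$stmt->bindValue(":id",$numDelete);` could pass `PDO::PARAM_INT` explicitly, and putting the closing braces on the same line as the `prepare()` calls hides the branch structure. The enclosing `if` block that these lines sit in begins before the hunk.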
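Review bot: `$allowed_extensions = array("jpg", "jpeg", "png", "gif");` in the first ajax/ajax_location_push.php hunk uses the long array syntax where the rest of the codebase's conventions would be served by `$allowed_extensions = ['jpg', 'jpeg', 'png', 'gif'];`. Since the list is a fixed policy rather than state, declaring it as `const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];` would also make its role obvious at the validation site later in the file instead of relying on a mutable global.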
@@ -23,21 +25,26 @@
 if (empty($strUsername) || empty($numLng) || empty($numLat)) {
 die("not valid!");
 }
+
 if ($boolUpload && !empty($_FILES['uploadfile']['name'])) {
- $uploadfile = $uploaddir . basename($_FILES['uploadfile']['name']);
- $fileinfo = @getimagesize($_FILES["uploadfile"]["tmp_name"]);
+ $file=$_FILES['uploadfile'];
+ $uploadfile = $uploaddir . basename($file['name']);
+ $fileinfo = @getimagesize($file["tmp_name"]);
 if (!empty($fileinfo)) {
 //$info=read_gps_location($_FILES["uploadfile"]["tmp_name"]);
- $i=1;
- while (file_exists($uploadfile)) {
- $uploadfile=$uploaddir.$i."_".basename($_FILES['uploadfile']['name']);
- $i++;
+ $file_extension = pathinfo($file["name"], PATHINFO_EXTENSION);
+ if (!in_array(strtolower($file_extension), $allowed_extensions)) {
+ echo "Invalid file type. Please upload only jpg, jpeg, png, or gif images.";
+ exit();
 }
- if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $uploadfile)) {
- $filename=$_FILES['uploadfile']['name'];
- $filesize=$_FILES['uploadfile']['size'];
- $filetype=$_FILES['uploadfile']['type'];
- //echo "Filetype: ".$filetype;
+ $strNewfilename = uniqid("", true) . "." . $file_extension;
+ while (file_exists($uploaddir . $strNewfilename)) {
+ $strNewfilename = uniqid("", true) . "." . $file_extension;
+ }
+ if (move_uploaded_file($file['tmp_name'], $uploaddir.$strNewfilename)) {
+ $filename=$strNewfilename;//$file['name'];
+ $filesize=$file['size'];
+ $filetype=$file['type'];
 $boolUploadOk = true;
 } else {
 die("Upload failed with error code " . $_FILES['file']['error']);
diff --git a/index.php b/index.php
index 92ea058..490c203 100644
--- a/index.php
+++ b/index.php
@@ -72,13 +72,15 @@ - + + + <?=$strTitle?>
diff --git a/lib/functions.php b/lib/functions.php
index a4f01bb..d21f8a5 100644
--- a/lib/functions.php
+++ b/lib/functions.php
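Review bot: `$filetype=$file['type'];` records the MIME type the client declared in the multipart request, which nothing in this hunk verifies, while `$fileinfo['mime']` from the `getimagesize()` call a few lines up is the value that was actually checked against the bytes, so the stored type should be `$filetype=$fileinfo['mime'];`. `$uploadfile = $uploaddir . basename($file['name']);` is now dead code, since the move uses `$uploaddir.$strNewfilename`, and the trailing `//$file['name']` after `$filename=$strNewfilename;` is leftover commented-out code; both should go. `in_array(strtolower($file_extension), $allowed_extensions)` should pass `true` as the third argument, and because the check lowercases the extension but the stored name keeps the user's casing, building the name from `strtolower($file_extension)` keeps the file on disk consistent with the allow-list. Separately, the context line `die("Upload failed with error code " . $_FILES['file']['error']);` reads `$_FILES['file']` although the field is named `uploadfile`, so the printed error code is always empty; `$file['error']` is what was meant. The `if ($boolUpload ...)` block closes after the hunk.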
@@ -28,18 +28,19 @@ function generate_tooltip_description($row) { $topic = $row['topic']; $numDatum= strtotime($row['created_at']); $datum= date("d.m.Y",$numDatum); + $strDefect= $arrDefect[$row['defect']]; $strDescription = "Anmerkung zu ".$arrTopic[$topic]."
"; if ($boolUpload && isset($row['filename']) && $boolShow) { - $strDescription .= ""; + $strDescription .= ""; $strDescription .= "
"; } $strDescription .= nl2br2($description); $strDescription .= ($boolShow) ? "
- ".$row['username']." (".$datum.")":"
".$datum; if ($boolDefect) { if ($row['defect']>=0) { //Hindernis kann nicht leer sein - $strDescription .= "
" . $arrDefect[$row['defect']] .""; + $strDescription .= "
" . $strDefect .""; } } if ($boolRating) {
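Review bot: `$strDefect= $arrDefect[$row['defect']];` is now evaluated before the `if ($boolDefect) { if ($row['defect']>=0)` guard that used to protect the lookup, so for rows whose defect is unset or negative (the comment `//Hindernis kann nicht leer sein` suggests that case exists) every tooltip now raises an undefined-array-key warning and `$strDefect` is `null`. Either move the assignment inside the guard or give it a default: `$strDefect = $arrDefect[$row['defect']] ?? '';`. Where `$arrDefect` (and `$arrTopic`) come into the function's scope is not visible in this hunk; if they are globals, a short comment naming that dependency at the top of the function would help. The tag content on the two `$strDescription .= ""` lines is missing from this rendering, so the changed image markup could not be reviewed.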