From 8b7395bb64506180f9b7a76b00948cd4f3cb9de3 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Thu, 13 Oct 2005 02:05:47 +0100 Subject: [PATCH] escape data on OPML import (take 2) --- db.php | 10 ++++++++++ opml.php | 11 +++++++++-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/db.php b/db.php index 5db48273c..44187db0f 100644 --- a/db.php +++ b/db.php @@ -41,6 +41,16 @@ function db_escape_string($s) { } } +/* I hate MySQL :( */ + +function db_escape_string_2($s, $link) { + if (DB_TYPE == "pgsql") { + return pg_escape_string($s); + } else { + return mysql_real_escape_string($s, $link); + } +} + function db_query($link, $query) { if (DB_TYPE == "pgsql") { $result = pg_query($link, $query); diff --git a/opml.php b/opml.php index e8c9c9b79..bcfa31700 100644 --- a/opml.php +++ b/opml.php @@ -46,12 +46,19 @@ } } + /* this is suboptimal */ + + $link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME); + + if (!$link) return; + + $title = db_escape_string_2($title, $link); + $url = db_escape_string_2($url, $link); + if (!$title || !$url) return; print "Feed $title ($url)... "; - $link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME); - $result = db_query($link, "SELECT id FROM ttrss_feeds WHERE title = '$title' OR feed_url = '$url'");