From a654a595b8642b62a18af16248fc0c44d9a8ea46 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Wed, 30 Nov 2005 09:28:53 +0100
Subject: [PATCH] xml-import: fix escaping issues
---
 functions.php | 8 ++++++++
 xml-import.php | 27 ++++++++++++++-------------
 2 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/functions.php b/functions.php
index c0368e22a..99f71fd51 100644
--- a/functions.php
+++ b/functions.php
@@ -795,4 +795,12 @@
 return date("Y/m/d");
 }
 }
+
+ function sql_bool_to_string($s) {
+ if ($s == "t" || $s == "1") {
+ return "true";
+ } else {
+ return "false";
+ }
+ }
 ?>
diff --git a/xml-import.php b/xml-import.php
index 5ba27f1ae..dee462368 100644
--- a/xml-import.php
+++ b/xml-import.php
@@ -34,14 +34,15 @@
 function import_article($link, $data) {
- print "Processing article " . $data["title"] . "
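Review bot: sql_bool_to_string() in the functions.php hunk compares with loose `==`, so a non-string such as integer 1 or boolean true also yields "true", while its only visible callers (the xml-import hunk below) pass db_escape_string() output, i.e. strings; strict comparison states the contract exactly: `if ($s === "t" || $s === "1") {`. Every other value, including "true" or "f", silently becomes "false", which is presumably intended for t/f and 1/0 column values but is not written down anywhere. A docblock above the function such as `// Map a t/f or 1/0 boolean column value to the SQL literal "true"/"false"; anything unrecognised becomes "false".` would record that, and makes the unquoted interpolation of its result in the later INSERT understandable to a reader.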
";
+ print "Processing article ".$data["title"].
+ " (".$data["feed_title"].")
";
 $owner_uid = $_SESSION["uid"];
 db_query($link, "BEGIN");
 $result = db_query($link, "SELECT id FROM ttrss_feeds WHERE feed_url = '".
- $data["feed_url"] . "' AND owner_uid = '$owner_uid'");
+ db_escape_string($data["feed_url"]) . "' AND owner_uid = '$owner_uid'");
 if (db_num_rows($result) == 0) {
 return false;
@@ -56,14 +57,14 @@
 print "Not found, adding base entry...
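Review bot: The rewritten print on the two `+` lines still emits `$data["title"]` and `$data["feed_title"]` into the page unescaped, so this commit fixes the SQL side of the import but not the HTML side; if `$data` comes from a user-supplied import file, as the script name suggests, markup in a title is rendered as-is. Escape both for HTML context, `print "Processing article ".htmlspecialchars($data["title"]).` and `" (".htmlspecialchars($data["feed_title"]).")` with the existing string terminator left unchanged. Separately, the context lines show `db_query($link, "BEGIN")` followed by `return false` when the feed lookup is empty, which leaves the transaction open for the caller; whether the caller deals with that cannot be seen here, and import_article continues past the hunk.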
";
- $entry_title = $data["title"];
- $entry_guid = $data["guid"];
- $entry_link = $data["link"];
- $updated = $data["updated"];
- $date_entered = $data["date_entered"];
- $entry_content = $data["content"];
+ $entry_title = db_escape_string($data["title"]);
+ $entry_guid = db_escape_string($data["guid"]);
+ $entry_link = db_escape_string($data["link"]);
+ $updated = db_escape_string($data["updated"]);
+ $date_entered = db_escape_string($data["date_entered"]);
+ $entry_content = db_escape_string($data["content"]);
 $content_hash = "SHA1:" . sha1(strip_tags($entry_content));
- $entry_comments = $data["comments"];
+ $entry_comments = db_escape_string($data["comments"]);
 $result = db_query($link, "INSERT INTO ttrss_entries
@@ -103,9 +104,9 @@
 if (db_num_rows($result) == 0) {
 print "User table entry not found, creating...
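Review bot: `$content_hash` on the unchanged context line is now computed over the escaped string, because the `+` line assigns db_escape_string() output to `$entry_content` before the sha1 call; content containing quotes or backslashes therefore hashes differently from the same content hashed raw, which matters if this hash is compared against hashes computed elsewhere from unescaped article text (not visible here). Hash the raw value and keep the escaped copy for the query only: `$content_hash = "SHA1:" . sha1(strip_tags($data["content"]));`. The INSERT that consumes these variables begins on the hunk's last line and continues past it, so the quoting of each placeholder cannot be checked from this hunk.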
";
- $unread = $data["unread"];
- $marked = $data["marked"];
- $last_read = $data["last_read"];
+ $unread = sql_bool_to_string(db_escape_string($data["unread"]));
+ $marked = sql_bool_to_string(db_escape_string($data["marked"]));
+ $last_read = db_escape_string($data["last_read"]);
 if (!$last_read) {
 $last_read_qpart = 'NULL';
@@ -116,7 +117,7 @@
 $result = db_query($link, "INSERT INTO ttrss_user_entries (ref_id, owner_uid, feed_id, unread, marked, last_read)
- VALUES ('$entry_id', '$owner_uid', '$feed_id', '$unread', '$marked',
+ VALUES ('$entry_id', '$owner_uid', '$feed_id', $unread, $marked,
 $last_read_qpart)");
 } else {
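Review bot: The db_escape_string() call wrapped inside sql_bool_to_string() on the first two `+` lines is redundant, since sql_bool_to_string() returns only the fixed literals "true"/"false" and never echoes its input; `$unread = sql_bool_to_string($data["unread"]);` is equivalent and makes clear that SQL safety here comes from the literal, not from escaping. Any value other than "t"/"1" maps to "false", so if the export format ever writes these flags differently (not visible here) an item is silently imported as read; a comment such as `// unread/marked arrive as t/f or 1/0 and are normalised to SQL boolean literals` on these lines would record that assumption. The else branch that builds the non-NULL `$last_read_qpart` lies outside the hunk.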
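Review bot: `$unread` and `$marked` are interpolated into the VALUES list without quotes on the `+` line, which is safe only because, a few lines above this hunk, both are assigned from sql_bool_to_string() and so can never be anything but the literals true/false; a reader of this INSERT alone cannot see that. A short comment above the db_query call, `// $unread/$marked are SQL boolean literals from sql_bool_to_string(), hence unquoted`, would stop someone re-quoting them or passing a raw column value later. `$last_read_qpart` is built above the hunk, so its quoting cannot be checked here.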