OPML not working

Thomas


Post by Thomas » 18 Sep 2005, 15:26

I'm trying to import OPML, and nothing happens... maybe a lack of error message?

(using last version)

Everything else works fine (or looks like it works fine!)

Thomas

Thomas

Fixed in opml.php

Post by Thomas » 18 Sep 2005, 15:44

Old code:

   function startElement($parser, $name, $attrs) {

      if ($name == "OUTLINE") {
         $title = db_escape_string($attrs['TEXT']);
         $url = db_escape_string($attrs['XMLURL']);

         if (!$title || !$url) return;

         print "Feed <b>$title</b> ($url)... ";


In OPML (well, the OPML I'm using), the title is in the title attribute:

   function startElement($parser, $name, $attrs) {

      if ($name == "OUTLINE") {
         $title = ($attrs['TEXT']);
         $url = ($attrs['XMLURL']);
         // Fall back to the TITLE attribute when TEXT is empty or missing
         if (!$title){
            $title = ($attrs['TITLE']);
         }
         if (!$title || !$url) return;

         print "Feed <b>$title</b> ($url)... ";


I also removed db_escape_string because it raises errors.

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Post by fox » 18 Sep 2005, 21:15

Fixed. I'm not sure about db_escape_string though - what errors did it produce?

Thomas

Post by Thomas » 18 Sep 2005, 21:40

Warning: mysql_real_escape_string(): Access denied for user 'httpd'@'localhost' (using password: NO) in /home/www/8a32cce4cd2ab0f86fbc2bb73e90a5b0/web/tt/db.php on line 23

Warning: mysql_real_escape_string(): A link to the server could not be established in /home/www/8a32cce4cd2ab0f86fbc2bb73e90a5b0/web/tt/db.php on line 23

Post by fox » 18 Sep 2005, 22:17

Holy shit, why does it want a server connection to escape a string? I think I hate MySQL and PHP even more now.

Guest

Post by Guest » 21 Oct 2005, 21:13

fox wrote: Holy shit, why does it want a server connection to escape a string?


Because it takes "into account the current character set of the connection":
http://au3.php.net/manual/en/function.m ... string.php

The fact that it does this takes the effort out of finding out the encoding of both your script and the database. If you're not doing something similar in other databases then chances are that your scripts are vulnerable. I personally wouldn't like to be the person attempting to hack your system using that exploit; however, I'm sure it's easy for some.

And btw, you don't have to provide the link. "If the link identifier is not specified, the last link opened by mysql_connect() is assumed"

Post by fox » 21 Oct 2005, 23:41

I see your point, although I can't figure out an actual exploit right now, but it's interesting how pg_escape_string() manages to escape strings without connecting to the server. Well, it's not like anybody could blame PHP for any API consistency anyway...
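
A self-contained sketch of the import handler discussed in this thread, added here as an example and not the project's own code: it applies the TEXT/TITLE fallback, reports parse errors, and avoids the connection-dependent escape call by binding parameters through PDO instead of db_escape_string. The `feeds` table, the in-memory SQLite database and the sample OPML are assumptions constructed for illustration.

```php
<?php
// Constructed sample: one outline uses TEXT, one only TITLE, one has no feed URL.
$opml = <<<XML
<opml version="1.1"><body>
  <outline text="Bob's &lt;b&gt;log" xmlUrl="http://example.org/a.xml"/>
  <outline title="Title only" xmlUrl="http://example.org/b.xml"/>
  <outline text="Folder without a feed"/>
</body></opml>
XML;

// Hypothetical schema; in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE feeds (title TEXT NOT NULL, feed_url TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO feeds (title, feed_url) VALUES (?, ?)');

function startElement($parser, $name, $attrs) {
    global $insert;
    if ($name !== 'OUTLINE') return;

    // Case folding is on by default, so attribute names arrive upper-cased.
    // Prefer TEXT, fall back to TITLE, as in the fix posted in the thread.
    $title = $attrs['TEXT'] ?? $attrs['TITLE'] ?? '';
    $url   = $attrs['XMLURL'] ?? '';
    if ($title === '' || $url === '') return;

    // Bound parameters: the raw values go to the driver, no escape call needed.
    $insert->execute([$title, $url]);

    // Escape for HTML only at output time, not before storage.
    printf("Feed <b>%s</b> (%s)... done<br>\n",
        htmlspecialchars($title, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'));
}

function endElement($parser, $name) {}

$parser = xml_parser_create();
xml_set_element_handler($parser, 'startElement', 'endElement');
if (!xml_parse($parser, $opml, true)) {
    // Report parse failures instead of failing silently.
    die('OPML parse error: ' . xml_error_string(xml_get_error_code($parser)));
}

echo $db->query('SELECT COUNT(*) FROM feeds')->fetchColumn(), " feeds imported\n";
```

Because the values are bound rather than spliced into the SQL text, the handler never depends on an open MySQL link or on the connection's character set to quote them.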

