- Timestamp:
- 02/15/06 23:32:46 (3 years ago)
- Location:
- branches/postgresql
- Files:
-
- 13 modified
- 2 copied
-
admin/channels.php (modified) (13 diffs)
-
admin/config.php (modified) (4 diffs)
-
admin/folders.php (modified) (9 diffs)
-
admin/items.php (modified) (2 diffs)
-
admin/plugins.php (modified) (1 diff)
-
admin/themes.php (modified) (1 diff)
-
admin/users.php (modified) (1 diff)
-
api.php (modified) (5 diffs)
-
constants.php (modified) (1 diff)
-
extlib/MagpieTests (copied) (copied from trunk/rss/extlib/MagpieTests)
-
extlib/MagpieTests/README (copied) (copied from trunk/rss/extlib/MagpieTests/README)
-
feed.php (modified) (4 diffs)
-
init.php (modified) (1 diff)
-
intl/de.php (modified) (3 diffs)
-
util.php (modified) (2 diffs)
Legend:
- Unmodified
- Added
- Removed
-
branches/postgresql/admin/channels.php
r1234 r1284 209 209 210 210 echo "</form></div>\n\n\n"; 211 /*212 echo "<pre>\n";213 var_dump($_REQUEST);214 echo "</pre>\n";215 */216 211 } 217 212 … … 247 242 248 243 $label = trim($_REQUEST['new_channel']); 249 $fid = trim( rss_real_escape_string($_REQUEST['add_channel_to_folder']));244 $fid = trim(sanitize($_REQUEST['add_channel_to_folder'], RSS_SANITIZER_SIMPLE_SQL | RSS_SANITIZER_NO_SPACES)); 250 245 list($flabel) = rss_fetch_row(rss_query( 251 246 "select name from " . getTable('folders') . " where id=$fid")); 252 247 253 248 // handle "feed:" urls … … 379 374 380 375 case CST_ADMIN_EDIT_ACTION: 381 $id = $_REQUEST['cid'];376 $id = sanitize($_REQUEST['cid'],RSS_SANITIZER_NUMERIC); 382 377 channel_edit_form($id); 383 378 break; … … 385 380 386 381 case CST_ADMIN_DELETE_ACTION: 387 $id = $_REQUEST['cid'];382 $id = sanitize($_REQUEST['cid'],RSS_SANITIZER_NUMERIC); 388 383 if (array_key_exists(CST_ADMIN_CONFIRMED,$_POST) && $_POST[CST_ADMIN_CONFIRMED] == LBL_ADMIN_YES) { 389 384 $rs = rss_query("select distinct id from " .getTable("item") . " where cid=$id"); … … 402 397 $sql = "delete from " . getTable("channels") ." where id=$id"; 403 398 rss_query($sql); 404 399 405 400 // Delete properties 406 401 deleteProperty($id,'rss.input.allowupdates'); 407 402 408 403 // Invalidate cache 409 404 rss_invalidate_cache(); 410 405 411 406 $ret__ = CST_ADMIN_DOMAIN_CHANNEL; 412 407 } … … 437 432 438 433 if (array_key_exists('opml',$_REQUEST) && strlen(trim($_REQUEST['opml'])) > 7) { 439 $url = trim( $_REQUEST['opml']);434 $url = trim( sanitize($_REQUEST['opml'],RSS_SANITIZER_NO_SPACES) ); 440 435 } 441 436 elseif (array_key_exists('opmlfile',$_FILES) && $_FILES['opmlfile']['tmp_name']) { … … 463 458 464 459 if ($import_opt == CST_ADMIN_OPML_IMPORT_FOLDER) { 465 $opmlfid = rss_real_escape_string($_REQUEST['opml_import_to_folder']);460 $opmlfid = sanitize($_REQUEST['opml_import_to_folder'], RSS_SANITIZER_NUMERIC); 466 461 } else { 467 462 $opmlfid = getRootFolder(); … … 537 532 538 533 case CST_ADMIN_SUBMIT_EDIT: 539 $cid = $_REQUEST['cid'];534 $cid = sanitize($_POST['cid'],RSS_SANITIZER_NUMERIC); 540 535 rss_plugin_hook('rss.plugins.admin.feed.properties.submit', null); 541 $title= rss_real_escape_string(real_strip_slashes($_REQUEST['c_name'])); 542 $url= rss_real_escape_string($_REQUEST['c_url']); 543 $siteurl= rss_real_escape_string($_REQUEST['c_siteurl']); 544 $parent= rss_real_escape_string($_REQUEST['c_parent']); 545 $descr= rss_real_escape_string(real_strip_slashes($_REQUEST['c_descr'])); 546 $icon = rss_real_escape_string($_REQUEST['c_icon']); 547 $priv = (array_key_exists('c_private',$_REQUEST) && $_REQUEST['c_private'] == '1'); 548 $tags = rss_real_escape_string($_REQUEST['c_tags']); 549 $old_priv = ($_REQUEST['old_priv'] == '1'); 550 551 536 // TBD 537 $title= rss_real_escape_string(real_strip_slashes($_POST['c_name'])); 538 $url= rss_real_escape_string($_POST['c_url']); 539 $siteurl= rss_real_escape_string($_POST['c_siteurl']); 540 $parent= rss_real_escape_string($_POST['c_parent']); 541 $descr= rss_real_escape_string(real_strip_slashes($_POST['c_descr'])); 542 $icon = rss_real_escape_string($_POST['c_icon']); 543 $priv = (array_key_exists('c_private',$_POST) && $_POST['c_private'] == '1'); 544 $tags = rss_real_escape_string($_POST['c_tags']); 545 $old_priv = ($_POST['old_priv'] == '1'); 546 547 552 548 // Feed Properties 553 $prop_rss_input_allowupdates = rss_real_escape_string($_ REQUEST['prop_rss_input_allowupdates']);549 $prop_rss_input_allowupdates = rss_real_escape_string($_POST['prop_rss_input_allowupdates']); 554 550 if ($prop_rss_input_allowupdates == 'default') { 555 551 deleteProperty($cid,'rss.input.allowupdates'); 556 552 } else { 557 558 } 559 560 553 setProperty($cid, 'rss.input.allowupdates' , 'feed', ($prop_rss_input_allowupdates == 1)); 554 } 555 556 561 557 if ($priv != $old_priv) { 562 558 $mode = ", mode = mode "; … … 579 575 } 580 576 581 $del = (array_key_exists('c_deleted',$_ REQUEST) && $_REQUEST['c_deleted'] == '1');582 $old_del = ($_ REQUEST['old_del'] == '1');577 $del = (array_key_exists('c_deleted',$_POST) && $_POST['c_deleted'] == '1'); 578 $old_del = ($_POST['old_del'] == '1'); 583 579 if ($del != $old_del) { 584 580 if ($mode == "") { … … 616 612 case CST_ADMIN_MOVE_UP_ACTION: 617 613 case CST_ADMIN_MOVE_DOWN_ACTION: 618 $id = $_REQUEST['cid'];614 $id = sanitize($_REQUEST['cid'],RSS_SANITIZER_NUMERIC); 619 615 $res = rss_query("select parent,position from " . getTable("channels") ." where id=$id"); 620 616 list($parent,$position) = rss_fetch_row($res); … … 673 669 // MOVE TO FOLDER 674 670 if (array_key_exists('me_move_to_folder',$_REQUEST)) { 675 $fid= $_REQUEST['me_folder'];671 $fid= sanitize($_REQUEST['me_folder'],RSS_SANITIZER_NUMERIC); 676 672 $sql = "update " .getTable('channels') . " set parent=$fid where id in $sqlids"; 677 673 rss_query($sql); … … 742 738 echo "<div>\n"; 743 739 echo "\n\n<h2>".LBL_ADMIN_CHANNEL_EDIT_CHANNEL." '$title'</h2>\n"; 744 740 745 741 echo "<form method=\"post\" action=\"" .$_SERVER['PHP_SELF'] ."#fa$cid\" id=\"channeledit\">\n"; 746 742 echo "<fieldset id=\"channeleditfs\">" 747 743 ."<p>"; 748 744 // Item name 749 745 echo "<label for=\"c_name\">". LBL_ADMIN_CHANNEL_NAME ."</label>\n" 750 746 ."<input type=\"text\" id=\"c_name\" name=\"c_name\" value=\"$title\" />" 751 747 ."<input type=\"hidden\" name=\"".CST_ADMIN_DOMAIN."\" value=\"". CST_ADMIN_DOMAIN_CHANNEL."\" />\n" 752 748 ."<input type=\"hidden\" name=\"action\" value=\"". CST_ADMIN_SUBMIT_EDIT ."\" />\n" 753 749 ."<input type=\"hidden\" name=\"cid\" value=\"$cid\" /></p>\n" 754 750 755 751 756 752 757 753 // RSS URL 758 754 ."<p><label for=\"c_url\">". LBL_ADMIN_CHANNEL_RSS_URL ."</label>\n" … … 832 828 833 829 rss_plugin_hook('rss.plugins.admin.feed.properties', $cid); 834 835 836 830 echo "</fieldset>\n"; 831 832 837 833 // Feed properties 838 834 echo "<fieldset id=\"channeleditpropfs\">"; 839 835 echo "<p>" 840 841 842 843 844 845 846 847 $rss_input_allowupdates_default_value = 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 836 ."<span style=\"float:left;\">Allow Gregarius to look for updates in existing items for this feed?</span>" 837 ."<span style=\"float:right;\">[<a href=\"index.php?domain=config&action=edit&key=rss.input.allowupdates&view=config\">Edit the global option</a>]</span>\n" 838 ." " 839 ."</p>"; 840 841 $rss_input_allowupdates_default_current = getProperty($cid,'rss.input.allowupdates'); 842 843 $rss_input_allowupdates_default_value = 844 $rss_input_allowupdates_default = ("Use global option (" . (getConfig('rss.input.allowupdates')?"Yes":"No") .")"); 845 846 echo "<p id=\"rss_input_allowupdates_options\">" 847 848 ."<input type=\"radio\" " 849 ."id=\"rss_input_allowupdates_yes\" " 850 ."name=\"prop_rss_input_allowupdates\" value=\"1\" " 851 .(($rss_input_allowupdates_default_current === true)?" checked=\"checked\" ":"") 852 ."/>\n" 853 ."<label for=\"rss_input_allowupdates_yes\">Yes</label>\n" 854 855 856 ."<input type=\"radio\" " 857 ."id=\"rss_input_allowupdates_no\" " 858 ."name=\"prop_rss_input_allowupdates\" value=\"0\" " 859 .(($rss_input_allowupdates_default_current === false)?" checked=\"checked\" ":"") 860 ."/>\n" 861 ."<label for=\"rss_input_allowupdates_no\">No</label>" 862 863 864 ."<input type=\"radio\" " 865 ."id=\"rss_input_allowupdates_default\" " 866 ."name=\"prop_rss_input_allowupdates\" value=\"default\" " 867 .(($rss_input_allowupdates_default_current === null)?" checked=\"checked\" ":"") 868 ."/>\n" 869 ."<label for=\"rss_input_allowupdates_default\">$rss_input_allowupdates_default</label>" 870 871 876 872 ."</p>\n"; 877 873 echo "</fieldset>\n"; 878 879 874 875 880 876 echo "<p style=\"clear:both; padding: 1em 0\"><input type=\"submit\" name=\"action_\" value=\"". LBL_ADMIN_SUBMIT_CHANGES ."\" /></p>"; 881 877 882 878 echo "</form></div>\n"; 883 879 } -
branches/postgresql/admin/config.php
r1181 r1284 174 174 break; 175 175 } 176 $key = $_REQUEST['key'];176 $key = sanitize($_REQUEST['key'],RSS_SANITIZER_NO_SPACES|RSS_SANITIZER_SIMPLE_SQL); 177 177 $res = rss_query("select value_,default_,type_ from " .getTable('config') . " where key_='$key'"); 178 178 list($value,$default,$type) = rss_fetch_row($res); … … 223 223 case CST_ADMIN_EDIT_ACTION: 224 224 case 'CST_ADMIN_EDIT_ACTION': 225 $key_ = $_REQUEST['key'];225 $key_ = sanitize($_REQUEST['key'],RSS_SANITIZER_NO_SPACES|RSS_SANITIZER_SIMPLE_SQL); 226 226 $res = rss_query("select * from ". getTable('config') . " where key_ ='$key_'"); 227 227 list($key,$value,$default,$type,$desc,$export) = rss_fetch_row($res); … … 377 377 case LBL_ADMIN_SUBMIT_CHANGES: 378 378 case 'LBL_ADMIN_SUBMIT_CHANGES': 379 $key = $_REQUEST['key'];380 $type = $_REQUEST['type'];381 $value = rss_real_escape_string($_REQUEST['value']);379 $key = sanitize($_POST['key'],RSS_SANITIZER_NO_SPACES|RSS_SANITIZER_SIMPLE_SQL); 380 $type = sanitize($_POST['type'],RSS_SANITIZER_CHARACTERS); 381 $value = sanitize($_POST['value'], RSS_SANITIZER_SIMPLE_SQL); 382 382 383 383 switch ($key) { … … 473 473 default: 474 474 rss_error('Ooops, unknown config type: ' . $type, RSS_ERROR_ERROR,true); 475 var_dump($_REQUEST);475 //var_dump($_REQUEST); 476 476 break; 477 477 } -
branches/postgresql/admin/folders.php
r1267 r1284 164 164 } 165 165 166 if (isset($_REQUEST['fid'])) { 167 $fid = sanitize($_REQUEST['fid'],RSS_SANITIZER_NUMERIC); 168 } 169 166 170 $ret__ = CST_ADMIN_DOMAIN_FOLDER; 167 171 switch ($__action__) { 168 172 169 173 case CST_ADMIN_EDIT_ACTION: 170 folder_edit($ _REQUEST['fid']);174 folder_edit($fid); 171 175 $ret__ = CST_ADMIN_DOMAIN_NONE; 172 176 break; 173 177 174 178 case CST_ADMIN_DELETE_ACTION: 175 $id = $_REQUEST['fid']; 176 assert(is_numeric($id)); 177 178 if ($id == 0) { 179 180 181 if ($fid == 0) { 179 182 rss_error(LBL_ADMIN_ERROR_CANT_DELETE_HOME_FOLDER, RSS_ERROR_ERROR,true); 180 183 break; … … 182 185 183 186 if (array_key_exists(CST_ADMIN_CONFIRMED,$_POST) && $_POST[CST_ADMIN_CONFIRMED] == LBL_ADMIN_YES) { 184 $sql = "delete from " . getTable("folders") ." where id=$ id";187 $sql = "delete from " . getTable("folders") ." where id=$fid"; 185 188 rss_query($sql); 186 $sql = "update " . getTable("channels") ." set parent=" . getRootFolder() . " where parent=$ id";189 $sql = "update " . getTable("channels") ." set parent=" . getRootFolder() . " where parent=$fid"; 187 190 rss_query($sql); 188 191 } … … 191 194 } 192 195 else { 193 list($fname) = rss_fetch_row(rss_query("select name from " .getTable("folders") ." where id = $ id"));196 list($fname) = rss_fetch_row(rss_query("select name from " .getTable("folders") ." where id = $fid")); 194 197 195 198 echo "<form class=\"box\" method=\"post\" action=\"" .$_SERVER['PHP_SELF'] ."\">\n" … … 199 202 ."<p><input type=\"submit\" name=\"".CST_ADMIN_CONFIRMED."\" value=\"". LBL_ADMIN_NO ."\"/>\n" 200 203 ."<input type=\"submit\" name=\"".CST_ADMIN_CONFIRMED."\" value=\"". LBL_ADMIN_YES ."\"/>\n" 201 ."<input type=\"hidden\" name=\"fid\" value=\"$ id\"/>\n"204 ."<input type=\"hidden\" name=\"fid\" value=\"$fid\"/>\n" 202 205 ."<input type=\"hidden\" name=\"".CST_ADMIN_DOMAIN."\" value=\"".CST_ADMIN_DOMAIN_FOLDER."\"/>\n" 203 206 ."<input type=\"hidden\" name=\"action\" value=\"". CST_ADMIN_DELETE_ACTION ."\"/>\n" … … 208 211 209 212 case CST_ADMIN_SUBMIT_EDIT: 210 $id = $_REQUEST['fid']; 211 213 // TBD 212 214 $new_label = rss_real_escape_string($_REQUEST['f_name']); 213 if (is_numeric($ id) && strlen($new_label) > 0) {215 if (is_numeric($fid) && strlen($new_label) > 0) { 214 216 215 217 $res = rss_query("select count(*) as cnt from " . getTable("folders") ." where name='$new_label'"); … … 219 221 break; 220 222 } 221 rss_query("update " .getTable("folders") ." set name='$new_label' where id=$ id");223 rss_query("update " .getTable("folders") ." set name='$new_label' where id=$fid"); 222 224 } 223 225 break; … … 225 227 case LBL_ADMIN_ADD: 226 228 case 'LBL_ADMIN_ADD': 227 $label= $_REQUEST['new_folder'];229 $label=sanitize($_REQUEST['new_folder'],RSS_SANITIZER_SIMPLE_SQL); 228 230 assert(strlen($label) > 0); 229 231 create_folder($label); … … 232 234 case CST_ADMIN_MOVE_UP_ACTION: 233 235 case CST_ADMIN_MOVE_DOWN_ACTION: 234 $id = $_REQUEST['fid']; 235 236 if ($id == 0) { 236 237 if ($fid == 0) { 237 238 return; 238 239 } 239 240 240 $res = rss_query("select position from " .getTable("folders") ." where id=$ id");241 $res = rss_query("select position from " .getTable("folders") ." where id=$fid"); 241 242 list($position) = rss_fetch_row($res); 242 243 243 244 $sql = "select id, position from " .getTable("folders") 244 ." where id != $ id order by abs($position-position) limit 2";245 ." where id != $fid order by abs($position-position) limit 2"; 245 246 246 247 $res = rss_query($sql); … … 268 269 // right, lets! 269 270 if ($switch_with_position != $position) { 270 rss_query( "update " . getTable("folders") ." set position = $switch_with_position where id=$ id" );271 rss_query( "update " . getTable("folders") ." set position = $switch_with_position where id=$fid" ); 271 272 rss_query( "update " . getTable("folders") ." set position = $position where id=$switch_with_id" ); 272 273 } -
branches/postgresql/admin/items.php
r1262 r1284 69 69 list($cnt) = rss_fetch_row($req); 70 70 71 $prune_older = (int) $_REQUEST['prune_older']; 72 //$prune_keep = (int) $_REQUEST['prune_keep']; 71 $prune_older = sanitize( $_REQUEST['prune_older'], RSS_SANITIZER_NUMERIC); 73 72 if (array_key_exists('prune_older',$_REQUEST) && 74 73 strlen($_REQUEST['prune_older']) && … … 166 165 $to_trash = array(); 167 166 foreach ($cids as $cid => $ids) { 168 169 170 171 172 173 $cacheIds = array(); 174 167 $rsCache = rss_query("select itemsincache from " . getTable('channels') . " where id=$cid"); 168 list($idString) = rss_fetch_row($rsCache); 169 if ($idString) { 170 $cacheIds = unserialize($idString); 171 } else { 172 $cacheIds = array(); 173 } 175 174 foreach ($ids as $iid) { 176 175 //echo "examining: $iid (cid $cid) ->"; -
branches/postgresql/admin/plugins.php
r1181 r1284 179 179 return; 180 180 } 181 // TBD 181 182 $plugin_filename = $_REQUEST['plugin_name']; 182 183 $plugin_filename = str_replace("%2F", "/", $plugin_filename); -
branches/postgresql/admin/themes.php
r1181 r1284 36 36 37 37 if (isset($_GET['theme']) && array_key_exists($_GET['theme'],$themes)) { 38 $sql = "update " . getTable('config') . " set value_ = '". $_GET['theme']."'" 38 $active_theme = sanitize($_GET['theme'], RSS_SANITIZER_SIMPLE_SQL |RSS_SANITIZER_NO_SPACES); 39 40 $sql = "update " . getTable('config') . " set value_ = '$active_theme'" 39 41 ." where key_='rss.output.theme'"; 40 42 rss_query($sql); 41 $active_theme = $_GET['theme'];43 42 44 rss_invalidate_cache(); 43 45 } else { -
branches/postgresql/admin/users.php
r1181 r1284 28 28 29 29 function set_admin_pass($uname=null,$pass=null) { 30 $sql = "select count(*) from " . getTable('users') 31 ." where password != '' and ulevel >=99"; 32 list($adminexists) = rss_fetch_row(rss_query($sql)); 33 if ($adminexists) { 34 die('Oops. Admin already exists!'); 35 } 36 30 37 if ($uname && $pass) { 31 38 rss_query( "update " . getTable('users') . " set uname='$uname', " -
branches/postgresql/api.php
r1267 r1284 1 1 <?php 2 ############################################################################### 3 # Gregarius - A PHP based RSS aggregator. 4 # Copyright (C) 2003 - 2006 Marco Bonetti 5 # 6 ############################################################################### 7 # This program is free software and open source software; you can redistribute 8 # it and/or modify it under the terms of the GNU General Public License as 9 # published by the Free Software Foundation; either version 2 of the License, 10 # or (at your option) any later version. 11 # 12 # This program is distributed in the hope that it will be useful, but WITHOUT 13 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 14 # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for 15 # more details. 16 # 17 # You should have received a copy of the GNU General Public License along 18 # with this program; if not, write to the Free Software Foundation, Inc., 19 # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA or visit 20 # http://www.gnu.org/licenses/gpl.html 21 # 22 ############################################################################### 23 # E-mail: mbonetti at gmail dot com 24 # Web page: http://gregarius.net/ 25 # 26 ############################################################################### 27 2 28 require_once('core.php'); 3 29 rss_bootstrap(); … … 7 33 switch ($_REQUEST['method']) { 8 34 case 'update': 9 $uc = getUnreadCount(null,null);35 $uc = getUnreadCount(null,null); 10 36 die("|$uc||"); 11 37 break; … … 17 43 $date = (isset($_REQUEST['d'])?$_REQUEST['d']:null); 18 44 $markread = (isset($_REQUEST['n']) && $_REQUEST['n'] == '1'); 45 46 $cid = sanitize($cid,RSS_SANITIZER_NUMERIC); 47 $date = sanitize($date,RSS_SANITIZER_NUMERIC); 48 19 49 blGetItems($cid,$date,$markread); 20 50 break; … … 93 123 function blGetItems($cid,$date,$markread) { 94 124 if (hidePrivate()) { 95 header('HTTP/1.x 401 Not Authorized'); 125 header('HTTP/1.x 401 Not Authorized'); 96 126 exit(); 97 127 } 98 128 99 129 if (!$cid) { 100 header ('HTTP/1.x 403 Forbidden'); 130 header ('HTTP/1.x 403 Forbidden'); 101 131 exit(); 102 132 } … … 114 144 115 145 if (rss_num_rows($rs) == 0) { 116 header('HTTP/1.x 304 Not Modified'); 146 header('HTTP/1.x 304 Not Modified'); 117 147 exit(); 118 148 } -
branches/postgresql/constants.php
r1181 r1284 158 158 define ('ITEM_SORT_HINT_MIXED', 0x02); 159 159 160 161 162 // Sanitizer constants 163 define ('RSS_SANITIZER_SIMPLE_SQL', 0x01); 164 define ('RSS_SANITIZER_NO_SPACES', 0x02); 165 define ('RSS_SANITIZER_NUMERIC', 0x04); 166 define ('RSS_SANITIZER_CHARACTERS',0x08); 167 160 168 // Profiling 161 169 // - The profiling information is "html commented out" at the end of every html page 162 170 //define('PROFILING', 1); 163 171 //define('PROFILING_DB', 1); 172 164 173 ?> -
branches/postgresql/feed.php
r1267