From: Andrew Dolgov <fox@bah.spb.su>
Date: Thu, 13 Oct 2005 01:05:47 +0000 (+0100)
Subject: escape data on OPML import (take 2)
X-Git-Tag: 1.0.7~66
X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=8b7395bb64506180f9b7a76b00948cd4f3cb9de3;p=tt-rss.git

escape data on OPML import (take 2)
---

diff --git a/db.php b/db.php
index 5db48273..44187db0 100644
--- a/db.php
+++ b/db.php
@@ -41,6 +41,16 @@ function db_escape_string($s) {
 	}
 }
 
+/* I hate MySQL :( */
+
+function db_escape_string_2($s, $link) {
+	if (DB_TYPE == "pgsql") {	
+		return pg_escape_string($s);
+	} else {
+		return mysql_real_escape_string($s, $link);
+	}
+}
+
 function db_query($link, $query) {
 	if (DB_TYPE == "pgsql") {
 		$result = pg_query($link, $query);
diff --git a/opml.php b/opml.php
index e8c9c9b7..bcfa3170 100644
--- a/opml.php
+++ b/opml.php
@@ -46,12 +46,19 @@
 				}
 			}
 
+			/* this is suboptimal */
+
+			$link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);	
+
+			if (!$link) return;
+
+			$title = db_escape_string_2($title, $link);
+			$url = db_escape_string_2($url, $link);
+
 			if (!$title || !$url) return;
 
 			print "Feed <b>$title</b> ($url)... ";
 
-			$link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);	
-
 			$result = db_query($link, "SELECT id FROM ttrss_feeds WHERE
 				title = '$title' OR feed_url = '$url'");