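/**
 * Handle one inbound XML message and echo the reply.
 *
 * Reads the raw POST body, parses it as XML and, for a `text` message with a
 * non-empty body, echoes an XML text reply built from getanswer() and records
 * the exchange through chatlog(). Every other case (empty body, unparseable
 * XML, non-text message type) is acknowledged with the literal "success".
 *
 * NOTE(review): this method does not authenticate the request itself. The
 * element names look like the WeChat official-account message format; confirm
 * that the caller verifies the platform signature before invoking this method.
 *
 * NOTE(review): $fromUsername, $keyword and the raw body are attacker-controlled
 * and are handed to getanswer()/chatlog() together with the DB handle. Confirm in
 * modules/function.php that both use parameterised queries.
 *
 * @return void Output is written with echo; the acknowledgement paths call exit(0).
 */
public function responseMsg()
{
    require "modules/function.php";
    $mysql = mysqlcon();

    // $GLOBALS["HTTP_RAW_POST_DATA"] is only populated on old PHP configurations
    // (removed in PHP 7.0), so fall back to the php://input stream.
    $postStr = isset($GLOBALS["HTTP_RAW_POST_DATA"]) ? $GLOBALS["HTTP_RAW_POST_DATA"] : '';
    if (!is_string($postStr) || $postStr === '') {
        $postStr = file_get_contents('php://input');
    }

    if ($postStr === false || $postStr === '') {
        ob_clean();
        echo "success";
        exit(0);
    }

    // XXE defence. libxml_disable_entity_loader() is deprecated as of PHP 8.0, where
    // calling it would emit a deprecation notice into the reply; libxml2 >= 2.9.0
    // does not load external entities by default. Never add LIBXML_NOENT to the
    // parser flags below: it turns entity substitution back on.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    // Collect parser errors internally so that malformed input cannot print
    // warnings (with file paths) into the HTTP response.
    $previousErrorMode = libxml_use_internal_errors(true);
    $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrorMode);

    // Defaults cover the unparseable case, which is then acknowledged and logged
    // exactly like a non-text message instead of dereferencing `false`.
    $fromUsername = '';
    $toUsername = '';
    $keyword = '';
    $type = '';
    if ($postObj !== false) {
        // Cast to plain strings so later code never carries SimpleXMLElement nodes around.
        $fromUsername = (string) $postObj->FromUserName;
        $toUsername = (string) $postObj->ToUserName;
        $keyword = trim((string) $postObj->Content);
        $type = trim((string) $postObj->MsgType);
    }

    if ($type !== 'text') {
        ob_clean();
        echo "success";
        chatlog($mysql, $fromUsername, $postStr, "success");
        exit(0);
    }

    // Compare against '' rather than empty(): empty() would reject the message "0".
    if ($keyword === '') {
        echo "Input something...";
        return;
    }

    $time = time();
    $textTpl = "<xml>\r\n\t\t\t\t\t\t\t\t<ToUserName><![CDATA[%s]]></ToUserName>\r\n\t\t\t\t\t\t\t\t<FromUserName><![CDATA[%s]]></FromUserName>\r\n\t\t\t\t\t\t\t\t<CreateTime>%s</CreateTime>\r\n\t\t\t\t\t\t\t\t<MsgType><![CDATA[%s]]></MsgType>\r\n\t\t\t\t\t\t\t\t<Content><![CDATA[%s]]></Content>\r\n\t\t\t\t\t\t\t\t<FuncFlag>0</FuncFlag>\r\n\t\t\t\t\t\t\t</xml>";

    // A value containing "]]>" would close the CDATA section early and let it
    // inject markup into the reply; split the terminator across two sections.
    $cdata = static function ($value) {
        return str_replace(']]>', ']]]]><![CDATA[>', (string) $value);
    };

    $msgType = "text";
    $contentStr = getanswer($mysql, $fromUsername, $keyword);
    // The reply swaps the roles: the original sender becomes ToUserName.
    $resultStr = sprintf(
        $textTpl,
        $cdata($fromUsername),
        $cdata($toUsername),
        $time,
        $msgType,
        $cdata($contentStr)
    );
    echo $resultStr;
    chatlog($mysql, $fromUsername, $keyword, $contentStr);
}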
<?php ob_start(); session_start(); include getenv("DOCUMENT_ROOT") . "/include/config.php"; include getenv("DOCUMENT_ROOT") . "/include/functions.php"; include getenv("DOCUMENT_ROOT") . "/lang/russian.php"; mysqlcon(); include "chklogin.php"; $pagename = $adminlang['editblock']; if ($_GET["action"] == 'del') { $idt = $_GET["id"]; print "<br><h2>" . $adminlang['editblock'] . "</h2><br>" . $adminlang['delblock_chk'] . "<br><br> <a href='editblock.php?action=tdel&id={$idt}'>" . $lang['yes'] . "</a> <a href='editblock.php'>" . $lang['no'] . "</a>"; exit; } if (!empty($_POST['name'])) { if (empty($_POST['name'])) { die("<br><h2>" . $adminlang['editblock'] . "</h2><br>" . $adminlang['addcat_empty']); } $name = htmlspecialchars($_POST['name']); $name = iconv("utf-8", "windows-1251", $name); $file = htmlspecialchars($_POST['file']); $file = iconv("utf-8", "windows-1251", $file); $pos = htmlspecialchars($_POST['pos']); $pos = iconv("utf-8", "windows-1251", $pos); $ids = $_POST['sid']; $q = mysql_query("SELECT * FROM blocks WHERE id='" . _filter($ids) . "' AND mod_id='0'"); if (mysql_num_rows($q) == 0) { $send = mysql_query("UPDATE blocks SET name ='" . _filter($name) . "', position = '" . _filter($pos) . "' WHERE id='" . $ids . "'"); } else { $send = mysql_query("UPDATE blocks SET name ='" . _filter($name) . "', file = '" . _filter($file) . "', position = '" . _filter($pos) . "' WHERE id='" . _filter($ids) . "'");