ファイル: main.php プロジェクト: waymao/weinanyuan
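 /**
  * Handle one message pushed by the WeChat platform and write the reply.
  *
  * Reads the raw POST body (XML). A 'text' message is answered through
  * getanswer() and the exchange is stored via chatlog(); every other
  * message type is acknowledged with the literal string "success", which
  * is what the platform expects. Output goes straight to echo; nothing is
  * returned. mysqlcon(), getanswer() and chatlog() come from
  * modules/function.php.
  *
  * @return void
  */
 public function responseMsg()
 {
     // require_once: a second call in the same request must not redeclare
     // the helper functions.
     require_once "modules/function.php";
     $mysql = mysqlcon();

     // Raw POST body. $HTTP_RAW_POST_DATA does not exist on PHP >= 7 (and is
     // unset on older versions unless always_populate_raw_post_data is on),
     // so fall back to php://input, which works on every version.
     $postStr = isset($GLOBALS["HTTP_RAW_POST_DATA"])
         ? $GLOBALS["HTTP_RAW_POST_DATA"]
         : file_get_contents("php://input");

     if (empty($postStr)) {
         // Nothing to parse (e.g. a probe without a body): acknowledge and stop.
         ob_clean();
         echo "success";
         exit(0);
     }

     // The body is network-supplied XML: keep external entity loading (XXE)
     // and network access off while parsing, and fold CDATA into text.
     // libxml_disable_entity_loader() is deprecated since PHP 8.0, where
     // external entities are not loaded by default anyway.
     if (PHP_VERSION_ID < 80000) {
         libxml_disable_entity_loader(true);
     }
     $prevUseErrors = libxml_use_internal_errors(true);
     $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
     libxml_clear_errors();
     libxml_use_internal_errors($prevUseErrors);

     if ($postObj === false) {
         // Malformed XML. The original code would have read properties off
         // `false`; acknowledge like a non-text message and keep the raw body
         // in the chat log so the bad input can still be investigated.
         ob_clean();
         echo "success";
         chatlog($mysql, "", $postStr, "success");
         exit(0);
     }

     // Cast the SimpleXMLElement nodes to plain strings before they reach
     // the DB helpers and the reply template.
     $fromUsername = (string) $postObj->FromUserName;
     $toUsername = (string) $postObj->ToUserName;
     $keyword = trim((string) $postObj->Content);
     $type = trim((string) $postObj->MsgType);

     if ($type !== 'text') {
         // Events, images, etc. are not handled here; WeChat only needs the
         // "success" acknowledgement. The raw body is logged for reference.
         ob_clean();
         echo "success";
         chatlog($mysql, $fromUsername, $postStr, "success");
         exit(0);
     }

     // Only a genuinely blank message is refused. The original `!empty()`
     // check also rejected the legitimate message "0".
     if ($keyword === '') {
         echo "Input something...";
         return;
     }

     $time = time();
     $textTpl = "<xml>\r\n\t\t\t\t\t\t\t\t<ToUserName><![CDATA[%s]]></ToUserName>\r\n\t\t\t\t\t\t\t\t<FromUserName><![CDATA[%s]]></FromUserName>\r\n\t\t\t\t\t\t\t\t<CreateTime>%s</CreateTime>\r\n\t\t\t\t\t\t\t\t<MsgType><![CDATA[%s]]></MsgType>\r\n\t\t\t\t\t\t\t\t<Content><![CDATA[%s]]></Content>\r\n\t\t\t\t\t\t\t\t<FuncFlag>0</FuncFlag>\r\n\t\t\t\t\t\t\t</xml>";
     $msgType = "text";
     $contentStr = getanswer($mysql, $fromUsername, $keyword);

     // Every value lands inside a CDATA section; a literal "]]>" in any of
     // them would terminate the section early and corrupt the reply XML,
     // so split such a sequence across two CDATA sections.
     $cdata = function ($s) {
         return str_replace(']]>', ']]]]><![CDATA[>', (string) $s);
     };
     $resultStr = sprintf(
         $textTpl,
         $cdata($fromUsername),
         $cdata($toUsername),
         $time,
         $msgType,
         $cdata($contentStr)
     );
     echo $resultStr;
     chatlog($mysql, $fromUsername, $keyword, $contentStr);
 }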
ファイル: editblock.php プロジェクト: roman2861/Light-CMS
<?php

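ob_start();
session_start();
include getenv("DOCUMENT_ROOT") . "/include/config.php";
include getenv("DOCUMENT_ROOT") . "/include/functions.php";
include getenv("DOCUMENT_ROOT") . "/lang/russian.php";
mysqlcon();
// NOTE(review): chklogin.php is not shown here; presumably it ends the
// request for anonymous visitors, which every admin action below relies on
// -- confirm before moving it.
include "chklogin.php";
$pagename = $adminlang['editblock'];

// Step 1 of block deletion: show a confirmation prompt whose "yes" link
// carries action=tdel and the same id. Missing query keys default to ''
// instead of raising an undefined-index notice.
$action = isset($_GET["action"]) ? $_GET["action"] : '';
if ($action === 'del') {
    $idt = isset($_GET["id"]) ? (string) $_GET["id"] : '';
    // $idt comes straight from the query string and is written into an href
    // attribute: URL-encode it so it cannot break out of the attribute
    // (reflected XSS). The tdel step receives the decoded value via $_GET.
    $idtUrl = rawurlencode($idt);
    print "<br><h2>" . $adminlang['editblock'] . "</h2><br>" . $adminlang['delblock_chk'] . "<br><br> <a href='editblock.php?action=tdel&id={$idtUrl}'>" . $lang['yes'] . "</a> <a href='editblock.php'>" . $lang['no'] . "</a>";
    exit;
}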
if (!empty($_POST['name'])) {
    if (empty($_POST['name'])) {
        die("<br><h2>" . $adminlang['editblock'] . "</h2><br>" . $adminlang['addcat_empty']);
    }
    $name = htmlspecialchars($_POST['name']);
    $name = iconv("utf-8", "windows-1251", $name);
    $file = htmlspecialchars($_POST['file']);
    $file = iconv("utf-8", "windows-1251", $file);
    $pos = htmlspecialchars($_POST['pos']);
    $pos = iconv("utf-8", "windows-1251", $pos);
    $ids = $_POST['sid'];
    $q = mysql_query("SELECT * FROM blocks WHERE id='" . _filter($ids) . "' AND mod_id='0'");
    if (mysql_num_rows($q) == 0) {
        $send = mysql_query("UPDATE blocks SET name ='" . _filter($name) . "', position = '" . _filter($pos) . "' WHERE id='" . $ids . "'");
    } else {
        $send = mysql_query("UPDATE blocks SET name ='" . _filter($name) . "', file = '" . _filter($file) . "', position = '" . _filter($pos) . "' WHERE id='" . _filter($ids) . "'");