source: trunk/feed.php @ 4918

Last change on this file since 4918 was 4743, checked in by plg, 15 years ago

merge r4742 from branch 2.0 to trunk

bug 1391 fixed: prevent from SQL injection

1<?php
2// +-----------------------------------------------------------------------+
3// | Piwigo - a PHP based picture gallery                                  |
4// +-----------------------------------------------------------------------+
5// | Copyright(C) 2008-2009 Piwigo Team                  http://piwigo.org |
6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
23
// Bootstrap: paths are resolved relative to the gallery root, and the common
// and notification helpers provide the gallery functions called below.
define('PHPWG_ROOT_PATH', './');
include_once PHPWG_ROOT_PATH . 'include/common.inc.php';
include_once PHPWG_ROOT_PATH . 'include/functions_notification.inc.php';
27
28// +-----------------------------------------------------------------------+
29// |                               functions                               |
30// +-----------------------------------------------------------------------+
31
32/**
33 * creates a Unix timestamp (number of seconds since 1970-01-01 00:00:00
34 * GMT) from a MySQL datetime format (2005-07-14 23:01:37)
35 *
36 * @param string mysql datetime format
37 * @return int timestamp
38 */
/**
 * Converts a MySQL datetime string (2005-07-14 23:01:37) into a Unix
 * timestamp. The fields are handed to mktime(), so the string is read in
 * PHP's default timezone, not GMT.
 *
 * @param string mysql datetime format
 * @return int timestamp
 */
function mysqldt_to_ts($mysqldt)
{
  $fields = explode_mysqldt($mysqldt);

  $hour   = $fields['hour'];
  $minute = $fields['minute'];
  $second = $fields['second'];
  $month  = $fields['month'];
  $day    = $fields['day'];
  $year   = $fields['year'];

  return mktime($hour, $minute, $second, $month, $day, $year);
}
45
46/**
47 * creates an ISO 8601 format date (2003-01-20T18:05:41+04:00) from Unix
48 * timestamp (number of seconds since 1970-01-01 00:00:00 GMT)
49 *
50 * function copied from Dotclear project http://dotclear.net
51 *
52 * @param int timestamp
53 * @return string ISO 8601 date format
54 */
/**
 * Formats a Unix timestamp (seconds since 1970-01-01 00:00:00 GMT) as an
 * ISO 8601 date with a colon-separated offset (2003-01-20T18:05:41+04:00).
 * The offset is the one of PHP's default timezone at that instant.
 *
 * function copied from Dotclear project http://dotclear.net
 *
 * @param int timestamp
 * @return string ISO 8601 date format
 */
function ts_to_iso8601($ts)
{
  // 'P' yields the "+hh:mm" offset directly, so no splitting of 'O' is needed
  return date('Y-m-d\TH:i:sP', $ts);
}
61
62// +-----------------------------------------------------------------------+
63// |                            initialization                             |
64// +-----------------------------------------------------------------------+
65
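// Validate the feed key before it reaches the SQL built further down.
// NOTE(review): the second argument is the parameter VALUE, not the request
// array; if check_input_parameter() expects the array (as passing the name
// 'feed' separately suggests), this call validates the wrong thing — confirm
// against its definition. Reading $_GET['feed'] here also raises an
// undefined-index notice when ?feed is absent (the assignment below checks
// isset() first).
check_input_parameter('feed', $_GET['feed'], false, '/^[0-9a-z]{50}$/i');

$feed_id = isset($_GET['feed']) ? $_GET['feed'] : '';

// Defense in depth: $feed_id is interpolated unescaped into the
// USER_FEED_TABLE queries, so nothing but a 50-character alphanumeric key
// may get past this point. A malformed key cannot match a stored one, so
// answer exactly as the lookup does for an unknown key.
if ($feed_id !== '' and !preg_match('/^[0-9a-z]{50}$/i', $feed_id))
{
  page_not_found('Unknown/missing feed identifier');
}

// without a feed key only the "recent images" items are produced
$image_only = isset($_GET['image_only']);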
70
// A feed key selects the user the feed is built for. Without one, an
// anonymous "recent images only" feed is served on behalf of the guest.
if ( empty($feed_id) )
{
  $image_only = true;
  if (!is_a_guest())
  {
    // an automatic session may have logged someone in: drop back to guest
    $user = build_user( $conf['guest_id'], true );
  }
}
else
{
  // $feed_id is interpolated verbatim: it must already have been validated
  // against the key pattern (see the check_input_parameter() call above)
  $query = '
SELECT user_id,
       last_check
  FROM '.USER_FEED_TABLE.'
  WHERE id = \''.$feed_id.'\'
;';
  $result = pwg_query($query);
  $feed_row = pwg_db_fetch_assoc($result);

  if ( empty($feed_row) )
  {
    page_not_found('Unknown/missing feed identifier');
  }

  // the feed belongs to another user than the current session: switch to it
  if ($feed_row['user_id']!=$user['id'])
  {
    $user = build_user( $feed_row['user_id'], true );
  }
}
98
// The access check must run only once the effective user is known.
check_status(ACCESS_GUEST);

// database clock: used as item date and as the new last_check value
list($dbnow) = pwg_db_fetch_row(pwg_query('SELECT NOW();'));

include_once PHPWG_ROOT_PATH . 'include/feedcreator.class.php';

// presumably makes generated URLs absolute, as feed readers need
set_make_full_url();

$rss = new UniversalFeedCreator();
$rss->encoding = get_pwg_charset();
$rss->title = $conf['gallery_title'] . ' (as ' . stripslashes($user['username']) . ')';
$rss->link = $conf['gallery_url'];
114
115// +-----------------------------------------------------------------------+
116// |                            Feed creation                              |
117// +-----------------------------------------------------------------------+
118
// One "what's new" item summarising the notifications since the feed's
// last check. Only keyed feeds get it ($image_only is forced otherwise).
$news = array();
if (!$image_only)
{
  $news = news($feed_row['last_check'], $dbnow, true, true);

  if (count($news) > 0)
  {
    $item = new FeedItem();
    $item->title = sprintf(l10n('New on %s'), format_date($dbnow) );
    $item->link = $conf['gallery_url'];

    // one bullet per news line; lines are inserted as-is (presumably
    // already HTML, since the description is flagged as HTML below)
    $item->description = '<ul><li>'.implode('</li><li>', $news).'</li></ul>';
    $item->descriptionHtmlSyndicated = true;

    $item->date = mysqldt_to_ts($dbnow);
    $item->author = $conf['rss_feed_author'];
    $item->guid = (string) $dbnow;

    $rss->addItem($item);

    // the news up to now has been delivered: advance last_check
    $query = '
UPDATE '.USER_FEED_TABLE.'
  SET last_check = \''.$dbnow.'\'
  WHERE id = \''.$feed_id.'\'
;';
    pwg_query($query);
  }
}
153
// Keyed feeds with nothing new still need a heartbeat: maintenance tasks
// delete feeds whose last_check is too old, so refresh it about monthly.
if ( !empty($feed_id) and empty($news) )
{
  $max_age = 30*24*3600; // seconds
  $stale = !isset($feed_row['last_check'])
    || time()-mysqldt_to_ts($feed_row['last_check']) > $max_age;

  if ($stale)
  {
    // last_check becomes an SQL expression offset from $dbnow (presumably
    // 15 days back), rather than $dbnow itself
    $query = '
UPDATE '.USER_FEED_TABLE.'
  SET last_check = '.pwg_db_get_recent_period_expression(-15, $dbnow).'
  WHERE id = \''.$feed_id.'\'
;';
    pwg_query($query);
  }
}
167
// One item per recent posting date, linking to that month's calendar view.
$dates = get_recent_post_dates_array($conf['recent_post_dates']['RSS']);

foreach($dates as $date_detail)
{
  $date = $date_detail['date_available'];

  $item = new FeedItem();
  $item->title = get_title_recent_post_date($date_detail);

  $index_params = array(
    'chronology_field' => 'posted',
    'chronology_style'=> 'monthly',
    'chronology_view' => 'calendar',
    'chronology_date' => explode('-', substr($date,0,10) ), // Y-m-d part only
  );
  $item->link = make_index_url($index_params);

  // gallery link header followed by the HTML description of the date
  $item->description .=
    '<a href="'.make_index_url().'">'.$conf['gallery_title'].'</a><br> '
    .get_html_description_recent_post_date($date_detail);
  $item->descriptionHtmlSyndicated = true;

  $item->date = mysqldt_to_ts($date);
  $item->author = $conf['rss_feed_author'];
  $item->guid = 'pics-'.$date;

  $rss->addItem($item);
}
197
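// The feed goes through a scratch file under local_data_dir/tmp: saveFeed()
// writes it there and (presumably, given the echo) returns the content
// that is sent to the client.
// NOTE(review): every request writes its own, user-personalised feed to the
// same fixed path; if that directory is reachable over the web, the last
// generated feed is readable by anyone — confirm it is not web-exposed.
$fileName = $conf['local_data_dir'].'/tmp';
mkgetdir($fileName); // just in case
$fileName .= '/feed.xml';
// send XML feed
echo $rss->saveFeed('RSS2.0', $fileName, true);
// no closing "?>": anything after it would be appended to the XML output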