Writing to the table whos_online fails when ...

  • a visitor arrives via Google and the search term contains a single quote (here in the term: men's)! A message is thrown telling the visitor to contact the admin. See here:

    Quote

    SQL Fehler [256] (1064) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's%20harvest%20hat&source=web&cd=4&ved=0CGwQFjAD&url=http%3A%2F%2Fwww.meinedomain.' at line 1

    Query: update whos_online set customer_id = '1', full_name = 'Hans Wurst', ip_address = '123.456.789.00', time_last_click = '1341488549', last_page_url = '/Beanies-Caps/Caps/HippyTree-Harvest-Hat-Charcoal.html', http_referer = 'http://www.google.de/url?sa=t&rct=j…iFDnuQ_WpU6AA8A' , user_agent = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2' where session_id = '4cec625d29u43lca5irgt928q0'

    Beim Aufruf der Datei Beanies-Caps/Caps/HippyTree-Harvest-Hat-Charcoal.html , PHP 5.3.2-1ubuntu4.15 (Linux)

    Die Abfrage wurde abgebrochen, kontaktieren Sie den Administrator…

    This absolutely MUST be caught and the query quoted!

    Questions or further details gladly via PM :)

    Regards,
    Coasthouse

  • hmm .. I'd say a lot more than that is possible with this! ;)

    here is our adapted inc/xtc_update_whos_online.inc.php

    <?php
    /* -----------------------------------------------------------------------------------------
    $Id: xtc_update_whos_online.inc.php,v 1.1 2010/09/08 10:55:03 akausch Exp $

    XT-Commerce - community made shopping
    http://www.xt-commerce.com

    Copyright (c) 2003 XT-Commerce
    -----------------------------------------------------------------------------------------
    based on:
    (c) 2000-2001 The Exchange Project (earlier name of osCommerce)
    (c) 2002-2003 osCommerce(whos_online.php,v 1.8 2003/02/21); http://www.oscommerce.com
    (c) 2003 nextcommerce (xtc_update_whos_online.inc.php,v 1.4 2003/08/13); http://www.nextcommerce.org

    Released under the GNU General Public License
    ---------------------------------------------------------------------------------------*/

    function xtc_update_whos_online() {

      if (isset($_SESSION['customer_id'])) {
        $wo_customer_id = intval($_SESSION['customer_id']);

        $customer_query = xtc_db_query("select customers_firstname, customers_lastname from " . TABLE_CUSTOMERS . " where customers_id = '" . intval($_SESSION['customer_id']) . "'");
        $customer = xtc_db_fetch_array($customer_query);

        $wo_full_name = addslashes($customer['customers_firstname'] . ' ' . $customer['customers_lastname']);
      } else {
        $wo_customer_id = '';
        $wo_full_name = 'Gast';
      }

      $wo_session_id = xtc_session_id();
      $wo_ip_address = getenv('REMOTE_ADDR');

      if ($aktuelle_datei)
        $wo_last_page_url = $aktuelle_datei;
      else
        $wo_last_page_url = addslashes(getenv('REQUEST_URI'));

      // request headers, taken verbatim from the client
      $wo_referer = $_SERVER['HTTP_REFERER'];
      $useragent_referer = $_SERVER['HTTP_USER_AGENT'];
      $current_time = time();

      //stspi
      update_admin_stat();

      /*
      $xx_mins_ago = ($current_time - 900);

      // remove entries that have expired
      xtc_db_query("delete from " . TABLE_WHOS_ONLINE . " where time_last_click < '" . $xx_mins_ago . "'");
      */
      //END stspi

      $stored_customer_query = xtc_db_query("select count(*) as count from " . TABLE_WHOS_ONLINE . " where session_id = '" . $wo_session_id . "'");
      $stored_customer = xtc_db_fetch_array($stored_customer_query);

      // @t10: use shop default to prevent injection
      $wo_full_name = xtc_db_prepare_input($wo_full_name);
      $wo_ip_address = xtc_db_prepare_input($wo_ip_address);
      $wo_last_page_url = xtc_db_prepare_input($wo_last_page_url);
      $wo_referer = xtc_db_prepare_input($wo_referer);
      $useragent_referer = xtc_db_prepare_input($useragent_referer);

      if ($stored_customer['count'] > 0) {
        xtc_db_query("update " . TABLE_WHOS_ONLINE . " set
          customer_id = '" . $wo_customer_id . "',
          full_name = '" . $wo_full_name . "',
          ip_address = '" . $wo_ip_address . "',
          time_last_click = '" . $current_time . "',
          last_page_url = '" . $wo_last_page_url . "',
          http_referer = '" . $wo_referer . "',
          user_agent = '" . $useragent_referer . "'
          where session_id = '" . $wo_session_id . "'");
      } else {
        xtc_db_query("insert into " . TABLE_WHOS_ONLINE . " (customer_id, full_name, session_id, ip_address, time_entry, time_last_click, last_page_url, http_referer, user_agent)
          values ('" . $wo_customer_id . "', '" . $wo_full_name . "', '" . $wo_session_id . "', '" . $wo_ip_address . "', '" . $current_time . "', '" . $current_time . "',
          '" . $wo_last_page_url . "', '" . $wo_referer . "', '" . $useragent_referer . "')");
      }
    }

    //stspi
    function update_admin_stat() {

      $year = date('Y', time());
      $month = date('m', time());
      $day = date('d', time());

      //-> check for first day of month

      //-> check if day == 2 already exists
      $last_day_query = xtc_db_query("select max(day) as last_day from " . TABLE_ADMIN_STAT_MONTH);
      $last_day_info = xtc_db_fetch_array($last_day_query);
      if ((int)$last_day_info['last_day'] > $day) {
        //-> and delete it all, last month
        xtc_db_query("delete from " . TABLE_ADMIN_STAT_MONTH . " WHERE day > " . $day);
      } //-> if ($first_day_info['day2'] > 0) {

      $current_time = time();
      $xx_mins_ago = ($current_time - 900);
      // select entries that have expired
      $expired_query = xtc_db_query("select
        customer_id,
        http_referer,
        session_id from " . TABLE_WHOS_ONLINE . "
        where time_last_click < '" . $xx_mins_ago . "'");
      while ($expired_info = xtc_db_fetch_array($expired_query)) {
        //-> the year *****************************************************************
        $check_year_query = xtc_db_query("select
          whos_online_id, count from " . TABLE_ADMIN_STAT_YEAR . "
          where year = " . (int)$year . "
          and month = " . (int)$month . "
          and referer_url = '" . $expired_info['http_referer'] . "'");

        $check_year_info = xtc_db_fetch_array($check_year_query);

        if (xtc_db_num_rows($check_year_query) > 0) {
          //-> this referer already exists in this year
          xtc_db_query("update " . TABLE_ADMIN_STAT_YEAR . "
            set count = " . ((int)$check_year_info['count'] + 1) . "
            where whos_online_id = " . (int)$check_year_info['whos_online_id']);
        } else { //-> if (xtc_db_num_rows($check_year_query) < 1){
          //-> check if we have a new year
          $new_year_query = xtc_db_query("select
            year from " . TABLE_ADMIN_STAT_YEAR . "
            where year = " . (int)$year);
          if (xtc_db_num_rows($new_year_query) < 1) {
            //-> first entry in a new year
            xtc_db_query("delete from " . TABLE_ADMIN_STAT_MONTH);
          }
          //-> new referer or new year
          xtc_db_query("insert into " . TABLE_ADMIN_STAT_YEAR . "
            (year, month, referer_url, count) VALUES (" .
            (int)$year . ", " .
            (int)$month . ", '" .
            $expired_info['http_referer'] . "', " .
            1 . ")");
        } //-> else if (xtc_db_num_rows($check_year_query) < 1){

        //-> the month **************************************************************
        $check_month_query = xtc_db_query("select
          whos_online_id, count from " . TABLE_ADMIN_STAT_MONTH . "
          where day = " . (int)$day . "
          and referer_url = '" . $expired_info['http_referer'] . "'");

        $check_month_info = xtc_db_fetch_array($check_month_query);

        if (xtc_db_num_rows($check_month_query) > 0) {
          //-> referer already exists this month
          xtc_db_query("update " . TABLE_ADMIN_STAT_MONTH . "
            set count = " . ((int)$check_month_info['count'] + 1) . "
            where whos_online_id = " . (int)$check_month_info['whos_online_id']);
        } else { //- if (sizeof($check_month_info) > 0){
          //-> new referer this month
          xtc_db_query("insert into " . TABLE_ADMIN_STAT_MONTH . "
            (day, referer_url, count) VALUES (" .
            (int)$day . ", '" .
            $expired_info['http_referer'] . "', " .
            1 . ")");
        } //- else if (sizeof($check_month_info) > 0){

        //-> delete the row **********************************************************
        xtc_db_query("delete from " . TABLE_WHOS_ONLINE . "
          where session_id = '" . $expired_info['session_id'] . "'");
      } //-> while
    } //-> function update_admin_stat(){

    ?>

    Please test and give feedback, we'll take another calm look at this, but at first glance it looks like another nice hole that everyone had better close...

  • OK, I only had a short time to test this. The file you sent produced the same result. For now I have helped myself with this:

    (line 39ff):

    $wo_referer = htmlspecialchars($_SERVER['HTTP_REFERER'],ENT_QUOTES);
    $useragent_referer = htmlspecialchars($_SERVER['HTTP_USER_AGENT'],ENT_QUOTES);

    Cheers,
    Coasthouse
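Added example for the problem discussed in the posts above (not code from xt:Commerce or from any poster in this thread): it rebuilds a minimal whos_online table in an in-memory SQLite database via PDO, reproduces the failure from the first post with a constructed referer containing the quote from "men's", and runs the same UPDATE as a prepared statement. Table and column names follow the query quoted in the thread; the session id, referer and user agent values are constructed for the demo, and SQLite's error text differs from MySQL's 1064 message while the failure mode is the same.

```php
<?php
// Added example (not xt:Commerce code): string-concatenated UPDATE vs. prepared statement.
// Uses an in-memory SQLite database so it runs offline; names/values below are constructed.
declare(strict_types=1);

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE whos_online (
        session_id TEXT PRIMARY KEY,
        customer_id TEXT, full_name TEXT, ip_address TEXT,
        time_last_click INTEGER, last_page_url TEXT,
        http_referer TEXT, user_agent TEXT)');
    // one pre-existing row, as after the first page view of a session
    $db->exec("INSERT INTO whos_online (session_id, time_last_click) VALUES ('sess-demo', 0)");
    return $db;
}

// The pattern from xtc_update_whos_online(): header values spliced into the SQL text.
// A single quote in $referer ends the string literal early, so the statement is malformed;
// that is the syntax error quoted in the first post.
function updateConcatenated(PDO $db, string $sessionId, string $referer, string $ua): void {
    $db->exec("update whos_online set http_referer = '" . $referer . "', user_agent = '" . $ua
        . "', time_last_click = '" . time() . "' where session_id = '" . $sessionId . "'");
}

// Hardened version: placeholders. The driver transmits the values separately from the
// SQL text, so quotes, backslashes and anything else in the referer are stored verbatim.
function updatePrepared(PDO $db, string $sessionId, string $referer, string $ua): void {
    $stmt = $db->prepare('update whos_online set http_referer = :ref, user_agent = :ua,
        time_last_click = :t where session_id = :sid');
    $stmt->execute([':ref' => $referer, ':ua' => $ua, ':t' => time(), ':sid' => $sessionId]);
}

function readReferer(PDO $db, string $sessionId): ?string {
    $stmt = $db->prepare('select http_referer from whos_online where session_id = :sid');
    $stmt->execute([':sid' => $sessionId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['http_referer'] : null;
}

$db = makeDb();
// Constructed referer in the shape of the Google URL from the first post, quote included.
$referer = "http://www.google.de/url?q=men's%20harvest%20hat";
$ua = 'Mozilla/5.0 (demo)';

try {
    updateConcatenated($db, 'sess-demo', $referer, $ua);
    echo "concatenated update unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "concatenated update failed: " . $e->getMessage() . "\n";
}

updatePrepared($db, 'sess-demo', $referer, $ua);
echo "prepared update stored: " . readReferer($db, 'sess-demo') . "\n";
```

Run with `php example.php`: the first UPDATE throws a syntax error, the second stores the referer unchanged. The htmlspecialchars(..., ENT_QUOTES) workaround from the post above avoids the error only because it rewrites the quote into the entity `&#039;` before the value reaches the query, i.e. it alters the stored data and is an output-encoding function, not SQL escaping; it also leaves backslashes untouched. Separating data from SQL text, as with the placeholders here, or escaping with the database driver's own function on the active connection, is the layer at which this belongs, and it has to cover every spliced value, including the referer that update_admin_stat() later reads back out of whos_online and splices into the statistics queries.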

  • Noted. The filtering is an addition to the input filter in v2.2. Let's see how it gets along with 2.1.

    We only give suggestions and assistance based on our experience, no legal advice!
    \m/('_')\m/