Trying to get storeya feed script to work

**Amethyst_fairy** · 17 Jul 2017, 02:38 PM

Could really use some help. Trying to get a google script and honestly even a facebook rss to work. I have replaced all the relevant information in mine including ("localhost","username","password","database") but keep getting xml error. XML Parsing Error: undefined entity
Location: https://www.thedragonskeep.net/storeya_feed.php
Line Number 118419, Column 57: <p>Walking into the Kathmandu production center’s reception you are immediately greeted by a cheerful ‘Namaste’ (‘I Salute the God Within You’) with hands pressed together in a prayerful expression. Proceeding into any of the production halls you’ll be greeted by a complete chorus of the same as dozens of ladies press felt into a variety of shapes, while others stitch, needle and applique to finish hundreds of different styles of decorative items for export.</p>

Is there anyway to program xml santize into this code. Any help would be extremely appreciated. I tried to do the storeya one and get error too but that one just doesn't produce a feed. Code is below.
Thanks
Sandria

-----------------------------------------------------------------------------^

PHP Code:


<?php $conn=mysqli_connect("localhost","username","password","database");

if (mysqli_connect_errno($conn))

{

echo "Failed to connect to MySQL: " . mysqli_connect_error();

}

$q = mysqli_query($conn,"SELECT * FROM zen_products_description");

header("Content-type: text/xml");

echo '<?xml version="1.0"?>

<rss xmlns:g="http://base.google.com/ns/1.0" version="2.0">

<channel>

<title>yourwebsite.com</title>

<link>http://yourwebsite.com</link>

<description>Google Merchant Feed</description>';

while($r = mysqli_fetch_array($q))

{

$theid=htmlentities($r['products_id']);

$q2 = mysqli_query($conn,"SELECT * FROM zen_products WHERE

products_id='$theid' ");

while($r2 = mysqli_fetch_array($q2))

{

$mcid=htmlentities($r2['master_categories_id']);

$qdd4 = mysqli_query($conn,"SELECT categories_name, categories_id FROM

zen_categories_description WHERE categories_id='$mcid' ");

while($ddr4 = mysqli_fetch_array($qdd4))

{

$category=htmlentities($ddr4['categories_name']);

}



$image=htmlentities('https://yourwebsite.com/images/');

$image.=htmlentities($r2['products_image']);

$mid=$r2['manufacturers_id'];

$q3 = mysqli_query($conn,"SELECT * FROM zen_manufacturers WHERE

manufacturers_id='$mid' ");

while($r3 = mysqli_fetch_array($q3))

{

$brand=htmlentities($r3['manufacturers_name']);

}

$gtin=htmlentities($r2['products_model']);

$mpn=htmlentities($r2['products_model']);

$price=htmlentities($r2['products_price']);

if ($r2['products_quantity'] > 0){$availability='in

stock';}else{$availability='out of stock';}

}

$title=htmlentities($r['products_name']);

$link=htmlentities('http://yourwebsite.com/index.php?main_page=product_info&cPath=776&products_id=');

$link.=htmlentities($r['products_id']);

$description=htmlentities($r['products_description']);

$id=htmlentities($r['products_id']);

$condition='new';

echo "<item>

<title>$title</title>

<link>$link</link>

<description>$description</description>

<g:google_product_category>$category</g:google_product_category>

<g:id>$id</g:id>

<g:condition>$condition</g:condition>

<g:price>$price USD</g:price>

<g:availability>$availability</g:availability>

<g:image_link>$image</g:image_link>

<g:gtin>$gtin</g:gtin>

<g:brand>$brand</g:brand>

<g:mpn>$mpn</g:mpn>

<g:product_type>$category</g:product_type>

</item>";} ?></channel> </rss>

Version 1.55e too many plugins to count. Tried google feed but get server time out.

**carlwhat** · 17 Jul 2017, 03:19 PM

right now you feed validates. see:

https://goo.gl/xnWc8k

and the feed ends well before your quoted line number.

i personally prefer this plugin:

https://www.zen-cart.com/downloads.php?do=file&id=1375

i have found bad characters in the description can screw up your feed. and have yet to find a way to fully sanitize them.

but if the w3c validates your feed, then i have found that google will accept it. assuming you are coding to their schema.

good luck.

**Amethyst_fairy** · 17 Jul 2017, 07:01 PM

Thanks trying google merchant feeder with the store_ya zencart script someone edited which is what you checked. Problem is store_ya states no title.

I love google merchant feeder but can't get it to work lately I think I have too many products lol.

Nope even on google merchant feed it is not sensing title. Hmmm.

PHP Code:


<?php
require('includes/application_top.php');
header('Content-Type: application/rss+xml;charset=UTF-8');
ob_end_clean();

function encodeIfNeeded($text) {
    if('utf-8' != strtolower(CHARSET)) {
        $text = iconv(CHARSET, 'UTF-8', $text);
    }
    return $text;
}

function replace_problem_characters($text) {
    $formattags = array("&");     
    $replacevals = array("&");
    $text = str_replace($formattags, $replacevals, $text);
    $in[] = '@&(amp|#038);@i'; $out[] = '&';
    $in[] = '@&(#036);@i'; $out[] = '$';
    $in[] = '@&(quot);@i'; $out[] = '"';
    $in[] = '@&(#039);@i'; $out[] = '\'';
    $in[] = '@&(nbsp|#160);@i'; $out[] = ' ';
    $in[] = '@&(hellip|#8230);@i'; $out[] = '...';
    $in[] = '@&(copy|#169);@i'; $out[] = '(c)';
    $in[] = '@&(trade|#129);@i'; $out[] = '(tm)';
    $in[] = '@&(lt|#60);@i'; $out[] = '<';
    $in[] = '@&(gt|#62);@i'; $out[] = '>';
    $in[] = '@&(laquo);@i'; $out[] = '«';
    $in[] = '@&(raquo);@i'; $out[] = '»';
    $in[] = '@&(deg);@i'; $out[] = '°';
    $in[] = '@&(mdash);@i'; $out[] = '—';
    $in[] = '@&(reg);@i'; $out[] = '®';
    $in[] = '@&(–);@i'; $out[] = '-';
    $text = preg_replace($in, $out, $text);
    return $text;
}

function strip_html_tags($str) {
// $document should contain an HTML document.
// This will remove HTML tags, javascript sections
// and white space. It will also convert some
// common HTML entities to their text equivalent.

    $search = array ("'<script[^>]*?>.*?</script>'si",  // Strip out javascript
                     "'<[/!]*?[^<>]*?>'si",          // Strip out HTML tags
                     //"'([rn])[s]+'",                // Strip out white space
                     "'&(quot|#34);'i",                // Replace HTML entities
                     // "'&(amp|#38);'i",
                     "'&(lt|#60);'i",
                     "'&(gt|#62);'i",
                     "'&(nbsp|#160);'i",
                     "'&(iexcl|#161);'i",
                     "'&(cent|#162);'i",
                     "'&(pound|#163);'i",
                     "'&(copy|#169);'i",
                     "'&#(d+);'e");                    // evaluate as php
    
    $replace = array ("",
                     "",
                     //"\1",
                     "\"",
                     "&",
                     "<",
                     ">",
                     " ",
                     chr(160),
                     chr(161),
                     chr(162),
                     chr(163),
                     chr(169),
                     "chr(\1)");
    
    return preg_replace($search, $replace, $str);
}


echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
?>
<rss xmlns:g="http://base.google.com/ns/1.0" version="2.0">
<channel>
<?php
echo '<title>Catalog Feed</title>'. "\n";

// $store=mysqli_fetch_assoc(mysqli_query($db->link,"select  * from ".DB_PREFIX."configuration where  configuration_key='STORE_NAME'")); // in this "section" of code, $store  is not even used and therefore there is no need to perform this query.  If it was needed, then:
// $store=$db->Execute("select * from ".TABLE_CONFIGURATION." where configuration_key='STORE_NAME'"); // or if just need the value associated to that key:
// $store = zen_get_configuration_key_value('STORE_NAME');

?><link><?php echo zen_href_link(FILENAME_DEFAULT); ?></link>
<description>Catalog Feed generated by StoreYa.com 2.1</description>
<?php

// * NOTICE OF LICENSE
// *
// * This source file is the property of StoreYa Feed LTD. and a part of its patent pending technology.
// * Using this file is allowed only for the purpose of importing web stores onto Facebook using the service of StoreYa Feed LTD.
// * Do NOT copy/edit/change this file or use it to any service other than the above.

//$admin=mysqli_fetch_assoc(mysqli_query($db->link, "select * from ".DB_PREFIX."admin limit 0,1")); // The variable $admin is also not used in this "section" of code and reveals/provides access to information about the first admin record (admin_id, admin_name, admin_email, the encrypted password(s), etc... and could help lead to a security problem down the line.
// $admin= $db->Execute("select * from ".TABLE_ADMIN." limit 0,1");

?><lastBuildDate><?php echo date('m/d/Y H:is'); ?></lastBuildDate>
<?php
//echo '<copyright>Copyright '.date('Y').', '.$_SERVER['HTTP_HOST'].'</copyright>'. "\n";

if (isset($_GET['language_id'])) {
  $lng = new language();
  if (isset($_GET['language_id']) && zen_not_null($_GET['language_id'])) {
    $lng->language['id'] = (int)$_GET['language_id'];
  } else {
    if (LANGUAGE_DEFAULT_SELECTOR=='Browser') {
      $lng->get_browser_language();
    } else {
      $lng->set_language(DEFAULT_LANGUAGE);
    }
  }
  $language_id = (zen_not_null($lng->language['id']) ? $lng->language['id'] : 1);
} else {
  $language_id = $_SESSION['languages_id'];
}

$prdqry= $db->Execute("select p.products_id,p.products_price,p.products_price_sorter,p.products_image,pd.products_name,pd.products_description,pd.products_url from ".TABLE_PRODUCTS." p,".TABLE_PRODUCTS_DESCRIPTION." pd where p.products_status='1' and p.products_id=pd.products_id and pd.language_id=".(int)$language_id." order by p.products_id ");
while(!$prdqry->EOF)
{
    $row = $prdqry->fields;
?><item>
    <title><?php echo strip_html_tags(replace_problem_characters(encodeIfNeeded($row['products_name']))); ?></title>
    <link><?php echo htmlentities(zen_href_link(zen_get_info_page((int)$row['products_id']), 'products_id='.(int)$row['products_id'])); ?></link>
    <description><?php echo htmlspecialchars(strip_html_tags(replace_problem_characters(encodeIfNeeded($row['products_description'])))); ?></description>    <g:image_link><?php echo HTTP_SERVER.DIR_WS_IMAGES.$row['products_image']; ?></g:image_link>
    <g:id><?php echo $row['products_id']; ?></g:id>
    <g:price><?php echo $row['products_price']; ?></g:price>
    <g:sale_price><?php echo $row['products_price_sorter']; ?></g:sale_price>
<?php
    $catqry=$db->Execute("select categories_name from ".TABLE_CATEGORIES_DESCRIPTION ." cd,".TABLE_PRODUCTS_TO_CATEGORIES." ptc where cd.language_id=".(int)$language_id." and ptc.categories_id=cd.categories_id and ptc.products_id=".(int)$row['products_id']); 
    while(!$catqry->EOF)
    {
       $catrow=$catqry->fields;
?>     <g:product_type><?php echo strip_html_tags(replace_problem_characters(encodeIfNeeded($catrow['categories_name']))); ?></g:product_type>
<?php
      $catqry->MoveNext();
    }
    ?></item>
<?php
    $prdqry->MoveNext();
}
?></channel>
</rss>

https://www.zen-cart.com/showthread....79#post1331679

**Amethyst_fairy** · 18 Jul 2017, 01:07 AM

OMG you were right so far google merchant has take the original feed and was able to get the store ya to take it too. All I did was add ?language_id=1 that someone recommended in the storeya feed. I was able to get original code to work with google so far even with xml error.

googlefeed.php?language_id=1

**carlwhat** · 18 Jul 2017, 01:24 AM

Originally Posted by Amethyst_fairy

OMG you were right ......someone recommended in the storeya feed.........

uh..... i made that recommendation in the storeya feed.

i would carefully look at your code and some of the recommendations there. the language_id, at a minimum should be cast to an integer. else someone could easily do an sql injection, and do some real damage to your database, ie dropping tables. the storeya code has some serious security flaws.

at a minimum:

Code:

if($_GET['language_id']=='')
{
$language_id=$_SESSION['language_id'];
}
else
$language_id=(int)$_GET['language_id'];

good luck! glad you are making some progress.

**mc12345678** · 19 Jul 2017, 03:53 AM

Originally Posted by carlwhat

uh..... i made that recommendation in the storeya feed.

i would carefully look at your code and some of the recommendations there. the language_id, at a minimum should be cast to an integer. else someone could easily do an sql injection, and do some real damage to your database, ie dropping tables. the storeya code has some serious security flaws.

at a minimum:

Code:

if($_GET['language_id']=='')
{
$language_id=$_SESSION['language_id'];
}
else
$language_id=(int)$_GET['language_id'];

good luck! glad you are making some progress.

I'm perhaps making a huge assumption that the above posts haven't been placed together/moderated to appear as a cohesive conversation (though if so there certainly were some liberties taken in piecing together the quoted post), if it was all pieced together then I support the statement that the code that has actually been provided by Storeya (as posted by at least one Storeya user) is prone to malicious use.

However, as "assembled" above (whether properly in context or not), I ask to please identify the serious security flaws in the code incorporated above in post #3 by Amethyst Fairy that has been identified as associated with the Storeya code or process.

**Amethyst_fairy** · 19 Jul 2017, 04:28 PM

So, What happened was working on both feeds trying to get them to work. Still having trouble. But why both conversations got merged was because when carlwhat checked feed for errors was the store_ya feed which showed no errors how it got all com-jumbled as am working on two different things hoping that one will work lol. Trying to get the language addition above to work.
Thanks
Sandria