Passwords should not be returned over API calls

The calls subscriberUpdateAttributesMultiple and subscriberUpdateAttributes do exactly the same thing.

It is possible to eliminate one of them or add a deprecate warning?

0020235: Rest Api: subscriberUpdateAttributes is not working as per documentation

In file includes/messages.php there is a new method imageAdd(). I'm not entirely sure what its purpose is but there is a hardcoded path

$imageDirectory = "/var/www/phplist/content/c/";

If the purpose of the method is to allow an image file to be uploaded then the destination should be configurable or, simpler, use the existing define UPLOADIMAGES_DIR.

Hi,
I get this error
"No function for provided [cmd] found!" when I try to subscribe an email to phplist.
The command I send is "subscribe".

Anyone can help me?

Hello I've install restapi (enable the 1), but i don't have the setting fields.

phplist 3.3.1

Is it possible to add or change the attributes for a user?

Randomly the API fails to authenticate. It returns false and I have no idea what's causing this, but the code fails to add user to the list. Refresh of the page immediately "solves" the problem because then it works, but it's happening quite often and it's not acceptable for my client.

This is my code (from my own class constructor)

$this->api = new phpListRESTApiClient('http://www.xxxxx.com/mailer/admin/?page=call&pi=restapi', 'admin', 'xxxxxx', 'b2xxxxxxx9');
$connected = $this->api->login();
if (!$connected) {
  throw new RestApiException("Something is wrong with the phpList login!");
}

Is there any way to get more info about this issue? Is it known issue? Any ideas how to solve it?

trying to set up local phpunit processing, I get this error:

6. TestLists::testListGet
   PDOException: SQLSTATE[28000] [1045] Access denied for user 'phplistpassword'@'localhost' (using password: YES)

I guess it wasn't obvious, as you had the user and password being the same (both pl)

A more detailed response stating subscriber was already on list would be better

Hi
I'm using the API to build a submit connector for inserting whole <html> content with campaignAdd() to phplist.
It seems to me that the sender's php curl must escape all quotes. So receiver-side the code is not valid as-is.
In the API (include/campaigns.php) i need to do:
stripslashes($_REQUEST['message'])

Is this something to consider for you DEVs, or am I only doing a bad approach?

Thanks
Best
Manu

Here is what I got:

stdClass Object
(
    [status] => success
    [type] => Campaigns
    [data] => Array
        (
            [0] => stdClass Object
                (
                    [id] => 2
                    [subject] => Happy Birthday
                    [fromfield] => [email protected]
                    [tofield] => 
                    [replyto] => 
                    [message] => ?????
?????
?????
?????

phplist, version 3.2.3
RESTAPI version 3

Got this error when calling "subscribersGet":

{'type': 'Error', 'data': {'message': "SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''100' OFFSET 0' at line 1", 'code': '42000'}, 'status': 'error'}

Correction proposal for subscribers.php:

32c32
<             $limit = $_REQUEST['limit'];

---
>             $limit = intval($_REQUEST['limit']);
35c35
<             $offset = $_REQUEST['offset'];

---
>             $offset = intval($_REQUEST['offset']);

Support for bulk operations see pr ( work in progress )
Thnks.

Example call:

`<?php
$subscribers = [
[
'email' => '[email protected]',
'confirmed' => 1,
'htmlemail' => 1,
'password' => '',
'disabled' => 0,
'foreignkey' => '',
'subscribepage' => 0,
],
[
'email' => '[email protected]',
'confirmed' => 1,
'htmlemail' => 1,
'password' => '',
'disabled' => 0,
'foreignkey' => '',
'subscribepage' => 0,
]

];
$url = 'http://xxxx/lists/admin/?page=call&pi=restapi';

//initialize cUrl for remote content
$c = curl_init();
curl_setopt( $c, CURLOPT_COOKIEFILE, 'phpList_RESTAPI_Helper' );
curl_setopt( $c, CURLOPT_COOKIEJAR, 'phpList_RESTAPI_Helper' );
curl_setopt( $c, CURLOPT_RETURNTRANSFER, 1 );
curl_setopt( $c, CURLOPT_POST, 1 );

//Call for the session-id via /login
curl_setopt( $c, CURLOPT_URL, $url );
curl_setopt( $c, CURLOPT_POSTFIELDS, 'cmd=login&login=admin&password=xxxx' );
$result = curl_exec( $c );
$result = json_decode( $result );
//Get all lists in phpList via /listsGet
curl_setopt( $c, CURLOPT_URL, $url );
curl_setopt( $c, CURLOPT_RETURNTRANSFER, 1 );
curl_setopt( $c, CURLOPT_POST, 1 );
curl_setopt( $c, CURLOPT_POSTFIELDS, "cmd=subscriberBulkAdd&subscribers=".urlencode(json_encode($subscribers)) );
$result = curl_exec( $c );
$result = json_decode( $result );

//Now close the cUrl when finished
curl_close( $c );

//Dump all lists in phpList via /listsGet
var_dump( $result->data );`

Calls to campaignUpdate fail with the following
SQLSTATE[HY093]: Invalid parameter number: parameter was not defined

This is because the SQL statement is paramaterized for sendstart but that parameter is never bound. Instead the embargo parameter is bound but never parameterized. I believe the fix is to change sendstart to embargo in the SQL statement.

Perhaps that's why the unit test works on the dev's local machine but not on TravisCI?

Attempting to insert a subscriber with an email address already in the database should result in a graceful exception.

Hi,
I'm running the following command with curl in the terminal, just to test my API:

curl -X post "https:///admin/?page=call&pi=restapi" -d "login=&password=&cmd=login"

However, it returns 400 bad request (and returns html). It doesn't return any json, but a webpage saying 400 bad request.
Any thoughts?
-Michael.

Deleting the same subscriber twice via the API should return true then false

I don't like the namespace "Rapi". Feels very 8.3 dos like shortness.

Any objections to change the namespace to something more descriptive, like phpListRestApi?

Hi--thank you for the very useful plugin!

Quick question: We are trying to insert new subscribers from another source.
To accomplish this I pull a list of new email addresses (from other system) then use a foreach loop to check whether each address is in the database (subscriberFindByEmail()) . If I limit the query to under about 50 addresses, the results returned are accurate (empty for not in system, ID if they are). Once we do more than 50 or so, even the addresses that are already in the system return an empty result. It this simply a limitation of the system, or is there something I can add or adjust allow larger loops (up to about 200 addresses). Thank you for your help

Hi,
I can't understand why.. I used all 14 parameters in the right sequence. Any suggestion? I used the RESTAPI master v3

used this code

public function campaignUpdate($id, $subject, $fromfield, $replyto, $message, $textmessage, $footer = '', $status = 'draft', $sendformat = 'HTML', $template, $embargo,  $rsstemplate = '', $owner = 0, $htmlformatted)
    {
        //Post Data	
		$post_params = array(
            'id'          => $id,
            'subject'     => $subject,
            'fromfield'   => $fromfield,
            'replyto'     => $replyto,
            'message'     => $message,
            'textmessage' => $textmessage,
            'footer'  => $footer,
            'status' => $status,
            'sendformat'  => $sendformat,
            'template'    => $template,
            'embargo'     => $embargo,
            'rsstemplate' => $rsstemplate,
            'owner' => $owner,
            'htmlformatted ' => $htmlformatted
        );
        $result = $this->callAPI('campaignUpdate', $post_params);
        return $result;
    }

Thank's a lot!

Common::select('Subscriber', 'SELECT * FROM ' . $GLOBALS['tables']['user'] . " WHERE email = :email;", $params, true); at ~105 in subscribers.php doesn't work.

Please extend RestApi to get campaigns statistics for opens and clicks

{ "status": "error", "type": "Error", "data": { "code": "42000", "message": "SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''5' OFFSET 0' at line 1" } }
Similar issue to #30

I sent a new HTML message to phpList using the messageAdd API command (via cUrl) but I've found out that quotes and double quotes have been escaped.

So I tried a simple cUrl request using as content this string:

This is a "double" and 'single' quotes test

After a succesfull API call, I've checked the db and I've see something like that (table phplist_message, column message):

This is a "double" and 'single' quotes test

That's my sending code:

    $response = json_decode($this->callAPI($this->method, $this->url, array(
        'password' => $this->pass,
        'login' => $this->user,
        'cmd' => 'messageAdd',
        'subject' => $subject,
        'fromfield' => $from,
        'replyto' => '',
        'message' => $content,
        'textmessage' => '',
        'footer' => 'If you want to unsubscribe, please use [UNSUBSCRIBE]',
        'status' => 'draft',
        'sendformat' => 'HTML',
        'template' => '4',
        'embargo' => '',
        'rsstemplate' => null,
        'owner' => '2',
        'htmlformatted' => '1'
    )));

Both machines (the sending one with PHP 5.5.9 and the receiving one with PHP 5.3.29) have magic quotes disabled (I've double checked multiple times); the incoming request to the receiving machine is correct, without any escaping.

Everything is pretty fine if I open the message preview; the problems start when I try to edit that message: the WYSIWYG editor seems to not be able to understand an escaped double quote, thus destroying all the message's HTML.

I might be missing something obvious but the plugin appears to have changed from something that worked reasonably well to a work in progress that cannot be used - it cannot be installed through phplist and then looking at the code seems to have partly-completed changes.

Hello!

First of all thanks for your great work!
I am implementing PHPList for our company and we want to use the Rest API for different pages.
Is it possible to send out the standard confirmation mail the User added via subscriberAdd? I added the subscriber with confirmed = 0 but no mail was sent out.

Thanks a lot!

Alex

Could we have the method that get the specify campaign? (by id or something)

No effects on campaigns list when setting the parameters order_by and order for command campaignsGet

listMessageAdd should update on duplicate key instead of returning an error.

[body] => {"status":"error","type":"Error","data":{"code":"23000","message":"SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '384-15' for key 'messageid'"}}

Simple fix:

 $sql = "INSERT INTO " . $GLOBALS['table_prefix'] . "listmessage (messageid, listid, entered) VALUES (:message_id, :list_id, now()) ON DUPLICATE KEY UPDATE list_id=:list_id;";

When creating a new campaign via the REST API, HTML message links get mangled with triple backslashes. The textmessage links are not affected(they work just fine). I've confirmed this by creating a campaign via the web UI, then creating a similar campaign via the REST API, and comparing the raw data in mysql.

In the constructor there is some code to strip slashes from $_GET etc. This is in the wrong place. The constructor of each enabled plugin is called on every page access, not just when that plugin is being used. So removing slashes from $_GET etc is likely to break parts of phplist that are expecting slashes to be present.

Probably need to remove slashes only when one of the plugin's own pages is being used, in the files main.php or call.php.

The test for get_magic_quotes_gpc() might not be sufficient. In file magic_quotes.php, phplist tests ini_get() instead but I don't know how that might provide a different result.

There is already a stripSlashesArray() function in magic_quotes.php, that can be used instead of defining a new function.

The Authentication section of structure.md documentation is no longer accurate as an authentication handler hook is now used for REST-based login.

hello;

i got phplist v3.2.4
and when i try the demo script at the end of the readme i got

PHP Notice: Trying to get property of non-object in example.php on line 17
PHP Stack trace:
PHP 1. {main}() example.php:0
example.php:17:
NULL
PHP Notice: Trying to get property of non-object in example.php on line 31
PHP Stack trace:
PHP 1. {main}() example.php:0
example.php:31:
NULL

i investigate a little and find out that the curl retrive an xhtml page and not a json.
Do i make something wrong?

The description should mention that this is the REST plugin for phpList 3.

There is no security on the restapi, despite what the documentation and tests show. i.e. I am able to get the news lists using the listsGet with no login, secret or password.

I am surprised something like this is even possible and not spotted by anyone. See HTTP Trace below

POST /admin/?page=call&pi=restapi&cmd=listsGet HTTP/1.1
Host: MYHOST..bizmate
Connection: keep-alive
Content-Length: 33
Origin: chrome-extension://cokgbflfommojglbmbpenpphppikmonn
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.8,en-US;q=0.6,it-IT;q=0.4,it;q=0.2
Cookie: browsetrail=%3Fpage%3Dplugins%26tk%3D0177899; PHPSESSID=RAY%2ChQo8PYG%2CEUHdeH9Xi3

password=SOMEPASSWORDTOTALLYIGNORED~HTTP/1.1 200 OK
Date: Sun, 19 Jun 2016 09:15:05 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-UA-Compatible: IE=Edge
X-Robots-Tag: noindex
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/json

2ad
{"status":"success","type":"Lists","data":[{"id":"1","name":"test","description":"List for testing.","entered":"2014-02-24 17:32:42","listorder":"","prefix":"","rssfeed":"","modified":"2014-02-24 17:32:42","active":"0","owner":"1","category":""},{"id":"2","name":"newsletter","description":"Sign up to our newsletter","entered":"2014-02-24 17:32:42","listorder":"","prefix":"","rssfeed":"","modified":"2014-02-24 17:32:42","active":"1","owner":"1","category":""},{"id":"3","name":"test2","description":"List for test2 membership","entered":"2016-06-19 00:51:37","listorder":"0","prefix":"","rssfeed":"","modified":"2016-06-19 00:51:37","active":"0","owner":"1","category":""}]}
0

If I enable the restapi-test i get a development login and password but nothing like this is available with restapi

Hi,

Im looking to confirm that its possible to add a new user to an existing list? i.e. when a user submits their name and email address they are automatically added to the default mailing list. The code below does not seem to work at it creates the user but they are not added to any mailing list;

curl_setopt($c,CURLOPT_POSTFIELDS,'cmd=subscriberAdd&list_id=7&email='.$email.'&confirmed=1&htmlemail=1&password=#PasswordNotSet#&disabled=0' );

Any help is appreciated?

J

I discovered that this file:

admin/plugins/restapi/includes/pdo.php

does not check the server port specified in the config file.

My quick fix was:

--- pdo.php.old	2024-01-05 18:38:56.724455609 +0100
+++ pdo.php	2024-01-05 18:07:00.221162380 +0100
@@ -15,7 +15,8 @@
         $dbuser = $GLOBALS['database_user'];
         $dbpass = $GLOBALS['database_password'];
         $dbname = $GLOBALS['database_name'];
-        $dbh = new \PDO("mysql:host=$dbhost;dbname=$dbname;charset=UTF8;", $dbuser, $dbpass, array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'utf8';"));
+        $dbport = $GLOBALS['database_port'];
+        $dbh = new \PDO("mysql:host=$dbhost;dbname=$dbname;port=$dbport;charset=UTF8;", $dbuser, $dbpass, array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'utf8';"));
         $dbh->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);
 
         return $dbh;

It also doesn't appear to use a socket either even if specified in the config file eg this format:

$dsn = 'mysql:dbname=testdb;unix_socket=/path/to/socket';