' . $subject . ''; $body .= $message; // %TEKST% is injected into a PHP double-quoted string inside text_format.tpl, // so escape backslash, double-quote and $ to avoid breaking the string or // allowing code injection. str_replace (not preg_replace) so the replacement // is treated literally. $safe = str_replace(['\\', '"', '$'], ['\\\\', '\\"', '\\$'], $body); $format = @file_get_contents($autoprefix . 'Templates/text_format.tpl'); if ($format === false) { die("Cannot read Templates/text_format.tpl"); } $out = str_replace('%TEKST%', $safe, $format); if (@file_put_contents($autoprefix . 'Templates/text.tpl', $out) === false) { die("Cannot write Templates/text.tpl (check permissions)"); } // Make the message visible to every player (they will see it on next page). $database->setUsersOk(1); unset($_SESSION['sys_subject'], $_SESSION['sys_message'], $_SESSION['sys_color']); header("Location: ../../../Admin/admin.php?p=sysmessage&done=1"); exit; } // Fallback header("Location: ../../../Admin/admin.php?p=sysmessage"); exit; ?>