xle/tt-rss
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

db_escape_string: specify link parameter for consistency; sessions: do not force-close db connection in _close()

Browse Source
This commit is contained in:
Andrew Dolgov
2013-03-22 09:14:55 +04:00
parent 9d9432dab8
commit 3972bf5981
40 changed files with 342 additions and 350 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
classes/api.php
View File

@@ -47,7 +47,7 @@ class API extends Handler {
}
function login() {
$login = db_escape_string($_REQUEST["user"]);
$login = db_escape_string($this->link, $_REQUEST["user"]);
$password = $_REQUEST["password"];
$password_base64 = base64_decode($_REQUEST["password"]);
@@ -92,8 +92,8 @@ class API extends Handler {
}
function getUnread() {
$feed_id = db_escape_string($_REQUEST["feed_id"]);
$is_cat = db_escape_string($_REQUEST["is_cat"]);
$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
$is_cat = db_escape_string($this->link, $_REQUEST["is_cat"]);
if ($feed_id) {
print $this->wrap(self::STATUS_OK, array("unread" => getFeedUnread($this->link, $feed_id, $is_cat)));
@@ -108,10 +108,10 @@ class API extends Handler {
}
function getFeeds() {
$cat_id = db_escape_string($_REQUEST["cat_id"]);
$cat_id = db_escape_string($this->link, $_REQUEST["cat_id"]);
$unread_only = sql_bool_to_bool($_REQUEST["unread_only"]);
$limit = (int) db_escape_string($_REQUEST["limit"]);
$offset = (int) db_escape_string($_REQUEST["offset"]);
$limit = (int) db_escape_string($this->link, $_REQUEST["limit"]);
$offset = (int) db_escape_string($this->link, $_REQUEST["offset"]);
$include_nested = sql_bool_to_bool($_REQUEST["include_nested"]);
$feeds = $this->api_get_feeds($this->link, $cat_id, $unread_only, $limit, $offset, $include_nested);
@@ -171,29 +171,29 @@ class API extends Handler {
}
function getHeadlines() {
$feed_id = db_escape_string($_REQUEST["feed_id"]);
$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
if ($feed_id != "") {
$limit = (int)db_escape_string($_REQUEST["limit"]);
$limit = (int)db_escape_string($this->link, $_REQUEST["limit"]);
if (!$limit || $limit >= 60) $limit = 60;
$offset = (int)db_escape_string($_REQUEST["skip"]);
$filter = db_escape_string($_REQUEST["filter"]);
$offset = (int)db_escape_string($this->link, $_REQUEST["skip"]);
$filter = db_escape_string($this->link, $_REQUEST["filter"]);
$is_cat = sql_bool_to_bool($_REQUEST["is_cat"]);
$show_excerpt = sql_bool_to_bool($_REQUEST["show_excerpt"]);
$show_content = sql_bool_to_bool($_REQUEST["show_content"]);
/* all_articles, unread, adaptive, marked, updated */
$view_mode = db_escape_string($_REQUEST["view_mode"]);
$view_mode = db_escape_string($this->link, $_REQUEST["view_mode"]);
$include_attachments = sql_bool_to_bool($_REQUEST["include_attachments"]);
$since_id = (int)db_escape_string($_REQUEST["since_id"]);
$since_id = (int)db_escape_string($this->link, $_REQUEST["since_id"]);
$include_nested = sql_bool_to_bool($_REQUEST["include_nested"]);
$sanitize_content = true;
/* do not rely on params below */
$search = db_escape_string($_REQUEST["search"]);
$search_mode = db_escape_string($_REQUEST["search_mode"]);
$search = db_escape_string($this->link, $_REQUEST["search"]);
$search_mode = db_escape_string($this->link, $_REQUEST["search_mode"]);
$headlines = $this->api_get_headlines($this->link, $feed_id, $limit, $offset,
$filter, $is_cat, $show_excerpt, $show_content, $view_mode, false,
@@ -207,10 +207,10 @@ class API extends Handler {
}
function updateArticle() {
$article_ids = array_filter(explode(",", db_escape_string($_REQUEST["article_ids"])), is_numeric);
$mode = (int) db_escape_string($_REQUEST["mode"]);
$data = db_escape_string($_REQUEST["data"]);
$field_raw = (int)db_escape_string($_REQUEST["field"]);
$article_ids = array_filter(explode(",", db_escape_string($this->link, $_REQUEST["article_ids"])), is_numeric);
$mode = (int) db_escape_string($this->link, $_REQUEST["mode"]);
$data = db_escape_string($this->link, $_REQUEST["data"]);
$field_raw = (int)db_escape_string($this->link, $_REQUEST["field"]);
$field = "";
$set_to = "";
@@ -285,7 +285,7 @@ class API extends Handler {
function getArticle() {
$article_id = join(",", array_filter(explode(",", db_escape_string($_REQUEST["article_id"])), is_numeric));
$article_id = join(",", array_filter(explode(",", db_escape_string($this->link, $_REQUEST["article_id"])), is_numeric));
$query = "SELECT id,title,link,content,cached_content,feed_id,comments,int_id,
marked,unread,published,
@@ -348,7 +348,7 @@ class API extends Handler {
}
function updateFeed() {
$feed_id = db_escape_string($_REQUEST["feed_id"]);
$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
update_rss_feed($this->link, $feed_id, true);
@@ -356,8 +356,8 @@ class API extends Handler {
}
function catchupFeed() {
$feed_id = db_escape_string($_REQUEST["feed_id"]);
$is_cat = db_escape_string($_REQUEST["is_cat"]);
$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
$is_cat = db_escape_string($this->link, $_REQUEST["is_cat"]);
catchup_feed($this->link, $feed_id, $is_cat);
@@ -365,13 +365,13 @@ class API extends Handler {
}
function getPref() {
$pref_name = db_escape_string($_REQUEST["pref_name"]);
$pref_name = db_escape_string($this->link, $_REQUEST["pref_name"]);
print $this->wrap(self::STATUS_OK, array("value" => get_pref($this->link, $pref_name)));
}
function getLabels() {
//$article_ids = array_filter(explode(",", db_escape_string($_REQUEST["article_ids"])), is_numeric);
//$article_ids = array_filter(explode(",", db_escape_string($this->link, $_REQUEST["article_ids"])), is_numeric);
$article_id = (int)$_REQUEST['article_id'];
@@ -409,11 +409,11 @@ class API extends Handler {
function setArticleLabel() {
$article_ids = array_filter(explode(",", db_escape_string($_REQUEST["article_ids"])), is_numeric);
$label_id = (int) db_escape_string($_REQUEST['label_id']);
$assign = (bool) db_escape_string($_REQUEST['assign']) == "true";
$article_ids = array_filter(explode(",", db_escape_string($this->link, $_REQUEST["article_ids"])), is_numeric);
$label_id = (int) db_escape_string($this->link, $_REQUEST['label_id']);
$assign = (bool) db_escape_string($this->link, $_REQUEST['assign']) == "true";
$label = db_escape_string(label_find_caption($this->link,
$label = db_escape_string($this->link, label_find_caption($this->link,
$label_id, $_SESSION["uid"]));
$num_updated = 0;
@@ -442,9 +442,9 @@ class API extends Handler {
}
function shareToPublished() {
$title = db_escape_string(strip_tags($_REQUEST["title"]));
$url = db_escape_string(strip_tags($_REQUEST["url"]));
$content = db_escape_string(strip_tags($_REQUEST["content"]));
$title = db_escape_string($this->link, strip_tags($_REQUEST["title"]));
$url = db_escape_string($this->link, strip_tags($_REQUEST["url"]));
$content = db_escape_string($this->link, strip_tags($_REQUEST["content"]));
if (Article::create_published_article($this->link, $title, $url, $content, "", $_SESSION["uid"])) {
print $this->wrap(self::STATUS_OK, array("status" => 'OK'));

10
classes/article.php
View File

@@ -8,7 +8,7 @@ class Article extends Handler_Protected {
}
function redirect() {
$id = db_escape_string($_REQUEST['id']);
$id = db_escape_string($this->link, $_REQUEST['id']);
$result = db_query($this->link, "SELECT link FROM ttrss_entries, ttrss_user_entries
WHERE id = '$id' AND id = ref_id AND owner_uid = '".$_SESSION['uid']."'
@@ -27,10 +27,10 @@ class Article extends Handler_Protected {
}
function view() {
$id = db_escape_string($_REQUEST["id"]);
$cids = explode(",", db_escape_string($_REQUEST["cids"]));
$mode = db_escape_string($_REQUEST["mode"]);
$omode = db_escape_string($_REQUEST["omode"]);
$id = db_escape_string($this->link, $_REQUEST["id"]);
$cids = explode(",", db_escape_string($this->link, $_REQUEST["cids"]));
$mode = db_escape_string($this->link, $_REQUEST["mode"]);
$omode = db_escape_string($this->link, $_REQUEST["omode"]);
// in prefetch mode we only output requested cids, main article
// just gets marked as read (it already exists in client cache)

4
classes/auth/base.php
View File

@@ -21,7 +21,7 @@ class Auth_Base {
$user_id = $this->find_user_by_login($login);
if (!$user_id) {
$login = db_escape_string($login);
$login = db_escape_string($this->link, $login);
$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
$pwd_hash = encrypt_password($password, $salt, true);
@@ -42,7 +42,7 @@ class Auth_Base {
}
function find_user_by_login($login) {
$login = db_escape_string($login);
$login = db_escape_string($this->link, $login);
$result = db_query($this->link, "SELECT id FROM ttrss_users WHERE
login = '$login'");

8
classes/dlg.php
View File

@@ -5,7 +5,7 @@ class Dlg extends Handler_Protected {
function before($method) {
if (parent::before($method)) {
header("Content-Type: text/xml; charset=utf-8");
$this->param = db_escape_string($_REQUEST["param"]);
$this->param = db_escape_string($this->link, $_REQUEST["param"]);
print "<dlg>";
return true;
}
@@ -302,7 +302,7 @@ class Dlg extends Handler_Protected {
function feedBrowser() {
if (defined('_DISABLE_FEED_BROWSER') && _DISABLE_FEED_BROWSER) return;
$browser_search = db_escape_string($_REQUEST["search"]);
$browser_search = db_escape_string($this->link, $_REQUEST["search"]);
print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"op\" value=\"rpc\">";
print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"method\" value=\"updateFeedBrowser\">";
@@ -350,7 +350,7 @@ class Dlg extends Handler_Protected {
}
function search() {
$this->params = explode(":", db_escape_string($_REQUEST["param"]), 2);
$this->params = explode(":", db_escape_string($this->link, $_REQUEST["param"]), 2);
$active_feed_id = sprintf("%d", $this->params[0]);
$is_cat = $this->params[1] != "false";
@@ -550,7 +550,7 @@ class Dlg extends Handler_Protected {
print "<content><![CDATA[";
$this->params = explode(":", $this->param, 3);
$feed_id = db_escape_string($this->params[0]);
$feed_id = db_escape_string($this->link, $this->params[0]);
$is_cat = (bool) $this->params[1];
$key = get_feed_access_key($this->link, $feed_id, $is_cat);

20
classes/feeds.php
View File

@@ -202,13 +202,13 @@ class Feeds extends Handler_Protected {
}
}
@$search = db_escape_string($_REQUEST["query"]);
@$search = db_escape_string($this->link, $_REQUEST["query"]);
if ($search) {
$disable_cache = true;
}
@$search_mode = db_escape_string($_REQUEST["search_mode"]);
@$search_mode = db_escape_string($this->link, $_REQUEST["search_mode"]);
if ($_REQUEST["debug"]) $timing_info = print_checkpoint("H0", $timing_info);
@@ -757,17 +757,17 @@ class Feeds extends Handler_Protected {
if ($_REQUEST["debug"]) $timing_info = print_checkpoint("0", $timing_info);
$omode = db_escape_string($_REQUEST["omode"]);
$omode = db_escape_string($this->link, $_REQUEST["omode"]);
$feed = db_escape_string($_REQUEST["feed"]);
$method = db_escape_string($_REQUEST["m"]);
$view_mode = db_escape_string($_REQUEST["view_mode"]);
$feed = db_escape_string($this->link, $_REQUEST["feed"]);
$method = db_escape_string($this->link, $_REQUEST["m"]);
$view_mode = db_escape_string($this->link, $_REQUEST["view_mode"]);
$limit = (int) get_pref($this->link, "DEFAULT_ARTICLE_LIMIT");
@$cat_view = $_REQUEST["cat"] == "true";
@$next_unread_feed = db_escape_string($_REQUEST["nuf"]);
@$offset = db_escape_string($_REQUEST["skip"]);
@$vgroup_last_feed = db_escape_string($_REQUEST["vgrlf"]);
$order_by = db_escape_string($_REQUEST["order_by"]);
@$next_unread_feed = db_escape_string($this->link, $_REQUEST["nuf"]);
@$offset = db_escape_string($this->link, $_REQUEST["skip"]);
@$vgroup_last_feed = db_escape_string($this->link, $_REQUEST["vgrlf"]);
$order_by = db_escape_string($this->link, $_REQUEST["order_by"]);
if (is_numeric($feed)) $feed = (int) $feed;

52
classes/handler/public.php
View File

@@ -180,7 +180,7 @@ class Handler_Public extends Handler {
}
function getUnread() {
$login = db_escape_string($_REQUEST["login"]);
$login = db_escape_string($this->link, $_REQUEST["login"]);
$fresh = $_REQUEST["fresh"] == "1";
$result = db_query($this->link, "SELECT id FROM ttrss_users WHERE login = '$login'");
@@ -202,7 +202,7 @@ class Handler_Public extends Handler {
}
function getProfiles() {
$login = db_escape_string($_REQUEST["login"]);
$login = db_escape_string($this->link, $_REQUEST["login"]);
$result = db_query($this->link, "SELECT * FROM ttrss_settings_profiles,ttrss_users
WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = '$login' ORDER BY title");
@@ -222,9 +222,9 @@ class Handler_Public extends Handler {
}
function pubsub() {
$mode = db_escape_string($_REQUEST['hub_mode']);
$feed_id = (int) db_escape_string($_REQUEST['id']);
$feed_url = db_escape_string($_REQUEST['hub_topic']);
$mode = db_escape_string($this->link, $_REQUEST['hub_mode']);
$feed_id = (int) db_escape_string($this->link, $_REQUEST['id']);
$feed_url = db_escape_string($this->link, $_REQUEST['hub_topic']);
if (!PUBSUBHUBBUB_ENABLED) {
header('HTTP/1.0 404 Not Found');
@@ -285,7 +285,7 @@ class Handler_Public extends Handler {
}
function share() {
$uuid = db_escape_string($_REQUEST["key"]);
$uuid = db_escape_string($this->link, $_REQUEST["key"]);
$result = db_query($this->link, "SELECT ref_id, owner_uid FROM ttrss_user_entries WHERE
uuid = '$uuid'");
@@ -307,17 +307,17 @@ class Handler_Public extends Handler {
}
function rss() {
$feed = db_escape_string($_REQUEST["id"]);
$key = db_escape_string($_REQUEST["key"]);
$feed = db_escape_string($this->link, $_REQUEST["id"]);
$key = db_escape_string($this->link, $_REQUEST["key"]);
$is_cat = $_REQUEST["is_cat"] != false;
$limit = (int)db_escape_string($_REQUEST["limit"]);
$offset = (int)db_escape_string($_REQUEST["offset"]);
$limit = (int)db_escape_string($this->link, $_REQUEST["limit"]);
$offset = (int)db_escape_string($this->link, $_REQUEST["offset"]);
$search = db_escape_string($_REQUEST["q"]);
$search_mode = db_escape_string($_REQUEST["smode"]);
$view_mode = db_escape_string($_REQUEST["view-mode"]);
$search = db_escape_string($this->link, $_REQUEST["q"]);
$search_mode = db_escape_string($this->link, $_REQUEST["smode"]);
$view_mode = db_escape_string($this->link, $_REQUEST["view-mode"]);
$format = db_escape_string($_REQUEST['format']);
$format = db_escape_string($this->link, $_REQUEST['format']);
if (!$format) $format = 'atom';
@@ -371,10 +371,10 @@ class Handler_Public extends Handler {
if ($action == 'share') {
$title = db_escape_string(strip_tags($_REQUEST["title"]));
$url = db_escape_string(strip_tags($_REQUEST["url"]));
$content = db_escape_string(strip_tags($_REQUEST["content"]));
$labels = db_escape_string(strip_tags($_REQUEST["labels"]));
$title = db_escape_string($this->link, strip_tags($_REQUEST["title"]));
$url = db_escape_string($this->link, strip_tags($_REQUEST["url"]));
$content = db_escape_string($this->link, strip_tags($_REQUEST["content"]));
$labels = db_escape_string($this->link, strip_tags($_REQUEST["labels"]));
Article::create_published_article($this->link, $title, $url, $content, $labels,
$_SESSION["uid"]);
@@ -483,7 +483,7 @@ class Handler_Public extends Handler {
if (!SINGLE_USER_MODE) {
$login = db_escape_string($_POST["login"]);
$login = db_escape_string($this->link, $_POST["login"]);
$password = $_POST["password"];
$remember_me = $_POST["remember_me"];
@@ -496,7 +496,7 @@ class Handler_Public extends Handler {
if ($_POST["profile"]) {
$profile = db_escape_string($_POST["profile"]);
$profile = db_escape_string($this->link, $_POST["profile"]);
$result = db_query($this->link, "SELECT id FROM ttrss_settings_profiles
WHERE id = '$profile' AND owner_uid = " . $_SESSION["uid"]);
@@ -525,7 +525,7 @@ class Handler_Public extends Handler {
if ($_SESSION["uid"]) {
$feed_url = db_escape_string(trim($_REQUEST["feed_url"]));
$feed_url = db_escape_string($this->link, trim($_REQUEST["feed_url"]));
header('Content-Type: text/html; charset=utf-8');
print "<html>
@@ -618,14 +618,14 @@ class Handler_Public extends Handler {
}
function subscribe2() {
$feed_url = db_escape_string(trim($_REQUEST["feed_url"]));
$cat_id = db_escape_string($_REQUEST["cat_id"]);
$from = db_escape_string($_REQUEST["from"]);
$feed_url = db_escape_string($this->link, trim($_REQUEST["feed_url"]));
$cat_id = db_escape_string($this->link, $_REQUEST["cat_id"]);
$from = db_escape_string($this->link, $_REQUEST["from"]);
/* only read authentication information from POST */
$auth_login = db_escape_string(trim($_POST["auth_login"]));
$auth_pass = db_escape_string(trim($_POST["auth_pass"]));
$auth_login = db_escape_string($this->link, trim($_POST["auth_login"]));
$auth_pass = db_escape_string($this->link, trim($_POST["auth_pass"]));
$rc = subscribe_to_feed($this->link, $feed_url, $cat_id, $auth_login, $auth_pass);

40
classes/opml.php
View File

@@ -253,13 +253,13 @@ class Opml extends Handler_Protected {
private function opml_import_feed($doc, $node, $cat_id, $owner_uid) {
$attrs = $node->attributes;
$feed_title = db_escape_string($attrs->getNamedItem('text')->nodeValue);
if (!$feed_title) $feed_title = db_escape_string($attrs->getNamedItem('title')->nodeValue);
$feed_title = db_escape_string($this->link, $attrs->getNamedItem('text')->nodeValue);
if (!$feed_title) $feed_title = db_escape_string($this->link, $attrs->getNamedItem('title')->nodeValue);
$feed_url = db_escape_string($attrs->getNamedItem('xmlUrl')->nodeValue);
if (!$feed_url) $feed_url = db_escape_string($attrs->getNamedItem('xmlURL')->nodeValue);
$feed_url = db_escape_string($this->link, $attrs->getNamedItem('xmlUrl')->nodeValue);
if (!$feed_url) $feed_url = db_escape_string($this->link, $attrs->getNamedItem('xmlURL')->nodeValue);
$site_url = db_escape_string($attrs->getNamedItem('htmlUrl')->nodeValue);
$site_url = db_escape_string($this->link, $attrs->getNamedItem('htmlUrl')->nodeValue);
if ($feed_url && $feed_title) {
$result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE
@@ -285,11 +285,11 @@ class Opml extends Handler_Protected {
private function opml_import_label($doc, $node, $owner_uid) {
$attrs = $node->attributes;
$label_name = db_escape_string($attrs->getNamedItem('label-name')->nodeValue);
$label_name = db_escape_string($this->link, $attrs->getNamedItem('label-name')->nodeValue);
if ($label_name) {
$fg_color = db_escape_string($attrs->getNamedItem('label-fg-color')->nodeValue);
$bg_color = db_escape_string($attrs->getNamedItem('label-bg-color')->nodeValue);
$fg_color = db_escape_string($this->link, $attrs->getNamedItem('label-fg-color')->nodeValue);
$bg_color = db_escape_string($this->link, $attrs->getNamedItem('label-bg-color')->nodeValue);
if (!label_find_id($this->link, $label_name, $_SESSION['uid'])) {
$this->opml_notice(T_sprintf("Adding label %s", htmlspecialchars($label_name)));
@@ -302,10 +302,10 @@ class Opml extends Handler_Protected {
private function opml_import_preference($doc, $node, $owner_uid) {
$attrs = $node->attributes;
$pref_name = db_escape_string($attrs->getNamedItem('pref-name')->nodeValue);
$pref_name = db_escape_string($this->link, $attrs->getNamedItem('pref-name')->nodeValue);
if ($pref_name) {
$pref_value = db_escape_string($attrs->getNamedItem('value')->nodeValue);
$pref_value = db_escape_string($this->link, $attrs->getNamedItem('value')->nodeValue);
$this->opml_notice(T_sprintf("Setting preference key %s to %s",
$pref_name, $pref_value));
@@ -317,7 +317,7 @@ class Opml extends Handler_Protected {
private function opml_import_filter($doc, $node, $owner_uid) {
$attrs = $node->attributes;
$filter_type = db_escape_string($attrs->getNamedItem('filter-type')->nodeValue);
$filter_type = db_escape_string($this->link, $attrs->getNamedItem('filter-type')->nodeValue);
if ($filter_type == '2') {
$filter = json_decode($node->nodeValue, true);
@@ -344,13 +344,13 @@ class Opml extends Handler_Protected {
if (!$rule["cat_filter"]) {
$tmp_result = db_query($this->link, "SELECT id FROM ttrss_feeds
WHERE title = '".db_escape_string($rule["feed"])."' AND owner_uid = ".$_SESSION["uid"]);
WHERE title = '".db_escape_string($this->link, $rule["feed"])."' AND owner_uid = ".$_SESSION["uid"]);
if (db_num_rows($tmp_result) > 0) {
$feed_id = db_fetch_result($tmp_result, 0, "id");
}
} else {
$tmp_result = db_query($this->link, "SELECT id FROM ttrss_feed_categories
WHERE title = '".db_escape_string($rule["feed"])."' AND owner_uid = ".$_SESSION["uid"]);
WHERE title = '".db_escape_string($this->link, $rule["feed"])."' AND owner_uid = ".$_SESSION["uid"]);
if (db_num_rows($tmp_result) > 0) {
$cat_id = db_fetch_result($tmp_result, 0, "id");
@@ -358,7 +358,7 @@ class Opml extends Handler_Protected {
}
$cat_filter = bool_to_sql_bool($rule["cat_filter"]);
$reg_exp = db_escape_string($rule["reg_exp"]);
$reg_exp = db_escape_string($this->link, $rule["reg_exp"]);
$filter_type = (int)$rule["filter_type"];
db_query($this->link, "INSERT INTO ttrss_filters2_rules (feed_id,cat_id,filter_id,filter_type,reg_exp,cat_filter)
@@ -368,7 +368,7 @@ class Opml extends Handler_Protected {
foreach ($filter["actions"] as $action) {
$action_id = (int)$action["action_id"];
$action_param = db_escape_string($action["action_param"]);
$action_param = db_escape_string($this->link, $action["action_param"]);
db_query($this->link, "INSERT INTO ttrss_filters2_actions (filter_id,action_id,action_param)
VALUES ($filter_id, $action_id, '$action_param')");
@@ -386,10 +386,10 @@ class Opml extends Handler_Protected {
$default_cat_id = (int) get_feed_category($this->link, 'Imported feeds', false);
if ($root_node) {
$cat_title = db_escape_string($root_node->attributes->getNamedItem('text')->nodeValue);
$cat_title = db_escape_string($this->link, $root_node->attributes->getNamedItem('text')->nodeValue);
if (!$cat_title)
$cat_title = db_escape_string($root_node->attributes->getNamedItem('title')->nodeValue);
$cat_title = db_escape_string($this->link, $root_node->attributes->getNamedItem('title')->nodeValue);
if (!in_array($cat_title, array("tt-rss-filters", "tt-rss-labels", "tt-rss-prefs"))) {
$cat_id = get_feed_category($this->link, $cat_title, $parent_id);
@@ -418,12 +418,12 @@ class Opml extends Handler_Protected {
foreach ($outlines as $node) {
if ($node->hasAttributes() && strtolower($node->tagName) == "outline") {
$attrs = $node->attributes;
$node_cat_title = db_escape_string($attrs->getNamedItem('text')->nodeValue);
$node_cat_title = db_escape_string($this->link, $attrs->getNamedItem('text')->nodeValue);
if (!$node_cat_title)
$node_cat_title = db_escape_string($attrs->getNamedItem('title')->nodeValue);
$node_cat_title = db_escape_string($this->link, $attrs->getNamedItem('title')->nodeValue);
$node_feed_url = db_escape_string($attrs->getNamedItem('xmlUrl')->nodeValue);
$node_feed_url = db_escape_string($this->link, $attrs->getNamedItem('xmlUrl')->nodeValue);
if ($node_cat_title && !$node_feed_url) {
$this->opml_import_category($doc, $node, $owner_uid, $cat_id);

6
classes/pluginhost.php
View File

@@ -211,7 +211,7 @@ class PluginHost {
function load_data($force = false) {
if ($this->owner_uid && (!$_SESSION["plugin_storage"] || $force)) {
$plugin = db_escape_string($plugin);
$plugin = db_escape_string($this->link, $plugin);
$result = db_query($this->link, "SELECT name, content FROM ttrss_plugin_storage
WHERE owner_uid = '".$this->owner_uid."'");
@@ -226,7 +226,7 @@ class PluginHost {
private function save_data($plugin) {
if ($this->owner_uid) {
$plugin = db_escape_string($plugin);
$plugin = db_escape_string($this->link, $plugin);
db_query($this->link, "BEGIN");
@@ -236,7 +236,7 @@ class PluginHost {
if (!isset($this->storage[$plugin]))
$this->storage[$plugin] = array();
$content = db_escape_string(serialize($this->storage[$plugin]));
$content = db_escape_string($this->link, serialize($this->storage[$plugin]));
if (db_num_rows($result) != 0) {
db_query($this->link, "UPDATE ttrss_plugin_storage SET content = '$content'

66
classes/pref/feeds.php
View File

@@ -14,8 +14,8 @@ class Pref_Feeds extends Handler_Protected {
}
function renamecat() {
$title = db_escape_string($_REQUEST['title']);
$id = db_escape_string($_REQUEST['id']);
$title = db_escape_string($this->link, $_REQUEST['title']);
$id = db_escape_string($this->link, $_REQUEST['id']);
if ($title) {
db_query($this->link, "UPDATE ttrss_feed_categories SET
@@ -293,7 +293,7 @@ class Pref_Feeds extends Handler_Protected {
if ($item_id != 'root') {
if ($parent_id && $parent_id != 'root') {
$parent_bare_id = substr($parent_id, strpos($parent_id, ':')+1);
$parent_qpart = db_escape_string($parent_bare_id);
$parent_qpart = db_escape_string($this->link, $parent_bare_id);
} else {
$parent_qpart = 'NULL';
}
@@ -319,7 +319,7 @@ class Pref_Feeds extends Handler_Protected {
if (strpos($id, "FEED") === 0) {
$cat_id = ($item_id != "root") ?
db_escape_string($bare_item_id) : "NULL";
db_escape_string($this->link, $bare_item_id) : "NULL";
$cat_qpart = ($cat_id != 0) ? "cat_id = '$cat_id'" :
"cat_id = NULL";
@@ -334,7 +334,7 @@ class Pref_Feeds extends Handler_Protected {
$nest_level+1);
if ($item_id != 'root') {
$parent_qpart = db_escape_string($bare_id);
$parent_qpart = db_escape_string($this->link, $bare_id);
} else {
$parent_qpart = 'NULL';
}
@@ -424,7 +424,7 @@ class Pref_Feeds extends Handler_Protected {
}
function removeicon() {
$feed_id = db_escape_string($_REQUEST["feed_id"]);
$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
$result = db_query($this->link, "SELECT id FROM ttrss_feeds
WHERE id = '$feed_id' AND owner_uid = ". $_SESSION["uid"]);
@@ -440,7 +440,7 @@ class Pref_Feeds extends Handler_Protected {
header("Content-type: text/html");
$icon_file = $_FILES['icon_file']['tmp_name'];
$feed_id = db_escape_string($_REQUEST["feed_id"]);
$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
if (is_file($icon_file) && $feed_id) {
if (filesize($icon_file) < 20000) {
@@ -472,7 +472,7 @@ class Pref_Feeds extends Handler_Protected {
global $purge_intervals;
global $update_intervals;
$feed_id = db_escape_string($_REQUEST["id"]);
$feed_id = db_escape_string($this->link, $_REQUEST["id"]);
$result = db_query($this->link,
"SELECT * FROM ttrss_feeds WHERE id = '$feed_id' AND
@@ -708,7 +708,7 @@ class Pref_Feeds extends Handler_Protected {
global $purge_intervals;
global $update_intervals;
$feed_ids = db_escape_string($_REQUEST["ids"]);
$feed_ids = db_escape_string($this->link, $_REQUEST["ids"]);
print "<div class=\"dialogNotice\">" . __("Enable the options you wish to apply using checkboxes on the right:") . "</div>";
@@ -862,27 +862,27 @@ class Pref_Feeds extends Handler_Protected {
function editsaveops($batch) {
$feed_title = db_escape_string(trim($_POST["title"]));
$feed_link = db_escape_string(trim($_POST["feed_url"]));
$upd_intl = (int) db_escape_string($_POST["update_interval"]);
$purge_intl = (int) db_escape_string($_POST["purge_interval"]);
$feed_id = (int) db_escape_string($_POST["id"]); /* editSave */
$feed_ids = db_escape_string($_POST["ids"]); /* batchEditSave */
$cat_id = (int) db_escape_string($_POST["cat_id"]);
$auth_login = db_escape_string(trim($_POST["auth_login"]));
$auth_pass = db_escape_string(trim($_POST["auth_pass"]));
$private = checkbox_to_sql_bool(db_escape_string($_POST["private"]));
$feed_title = db_escape_string($this->link, trim($_POST["title"]));
$feed_link = db_escape_string($this->link, trim($_POST["feed_url"]));
$upd_intl = (int) db_escape_string($this->link, $_POST["update_interval"]);
$purge_intl = (int) db_escape_string($this->link, $_POST["purge_interval"]);
$feed_id = (int) db_escape_string($this->link, $_POST["id"]); /* editSave */
$feed_ids = db_escape_string($this->link, $_POST["ids"]); /* batchEditSave */
$cat_id = (int) db_escape_string($this->link, $_POST["cat_id"]);
$auth_login = db_escape_string($this->link, trim($_POST["auth_login"]));
$auth_pass = db_escape_string($this->link, trim($_POST["auth_pass"]));
$private = checkbox_to_sql_bool(db_escape_string($this->link, $_POST["private"]));
$include_in_digest = checkbox_to_sql_bool(
db_escape_string($_POST["include_in_digest"]));
db_escape_string($this->link, $_POST["include_in_digest"]));
$cache_images = checkbox_to_sql_bool(
db_escape_string($_POST["cache_images"]));
db_escape_string($this->link, $_POST["cache_images"]));
$hide_images = checkbox_to_sql_bool(
db_escape_string($_POST["hide_images"]));
db_escape_string($this->link, $_POST["hide_images"]));
$always_display_enclosures = checkbox_to_sql_bool(
db_escape_string($_POST["always_display_enclosures"]));
db_escape_string($this->link, $_POST["always_display_enclosures"]));
$mark_unread_on_update = checkbox_to_sql_bool(
db_escape_string($_POST["mark_unread_on_update"]));
db_escape_string($this->link, $_POST["mark_unread_on_update"]));
if (get_pref($this->link, 'ENABLE_FEED_CATS')) {
if ($cat_id && $cat_id != 0) {
@@ -999,7 +999,7 @@ class Pref_Feeds extends Handler_Protected {
function resetPubSub() {
$ids = db_escape_string($_REQUEST["ids"]);
$ids = db_escape_string($this->link, $_REQUEST["ids"]);
db_query($this->link, "UPDATE ttrss_feeds SET pubsub_state = 0 WHERE id IN ($ids)
AND owner_uid = " . $_SESSION["uid"]);
@@ -1009,7 +1009,7 @@ class Pref_Feeds extends Handler_Protected {
function remove() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
$this->remove_feed($this->link, $id, $_SESSION["uid"]);
@@ -1019,14 +1019,14 @@ class Pref_Feeds extends Handler_Protected {
}
function clear() {
$id = db_escape_string($_REQUEST["id"]);
$id = db_escape_string($this->link, $_REQUEST["id"]);
$this->clear_feed_articles($this->link, $id);
}
function rescore() {
require_once "rssfuncs.php";
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
@@ -1132,9 +1132,9 @@ class Pref_Feeds extends Handler_Protected {
}
function categorize() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
$cat_id = db_escape_string($_REQUEST["cat_id"]);
$cat_id = db_escape_string($this->link, $_REQUEST["cat_id"]);
if ($cat_id == 0) {
$cat_id_qpart = 'NULL';
@@ -1156,14 +1156,14 @@ class Pref_Feeds extends Handler_Protected {
}
function removeCat() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
$this->remove_feed_category($this->link, $id, $_SESSION["uid"]);
}
}
function addCat() {
$feed_cat = db_escape_string(trim($_REQUEST["cat"]));
$feed_cat = db_escape_string($this->link, trim($_REQUEST["cat"]));
add_feed_category($this->link, $feed_cat);
}
@@ -1205,7 +1205,7 @@ class Pref_Feeds extends Handler_Protected {
__("Inactive feeds") . "</button>";
}
$feed_search = db_escape_string($_REQUEST["search"]);
$feed_search = db_escape_string($this->link, $_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_feed_search"] = $feed_search;

36
classes/pref/filters.php
View File

@@ -13,7 +13,7 @@ class Pref_Filters extends Handler_Protected {
$filter["enabled"] = true;
$filter["match_any_rule"] = sql_bool_to_bool(
checkbox_to_sql_bool(db_escape_string($_REQUEST["match_any_rule"])));
checkbox_to_sql_bool(db_escape_string($this->link, $_REQUEST["match_any_rule"])));
$filter["rules"] = array();
$result = db_query($this->link, "SELECT id,name FROM ttrss_filter_types");
@@ -168,7 +168,7 @@ class Pref_Filters extends Handler_Protected {
if ($line['action_id'] == 7) {
$label_result = db_query($this->link, "SELECT fg_color, bg_color
FROM ttrss_labels2 WHERE caption = '".db_escape_string($line['action_param'])."' AND
FROM ttrss_labels2 WHERE caption = '".db_escape_string($this->link, $line['action_param'])."' AND
owner_uid = " . $_SESSION["uid"]);
if (db_num_rows($label_result) > 0) {
@@ -207,7 +207,7 @@ class Pref_Filters extends Handler_Protected {
function edit() {
$filter_id = db_escape_string($_REQUEST["id"]);
$filter_id = db_escape_string($this->link, $_REQUEST["id"]);
$result = db_query($this->link,
"SELECT * FROM ttrss_filters2 WHERE id = '$filter_id' AND owner_uid = " . $_SESSION["uid"]);
@@ -403,9 +403,9 @@ class Pref_Filters extends Handler_Protected {
# print_r($_REQUEST);
$filter_id = db_escape_string($_REQUEST["id"]);
$enabled = checkbox_to_sql_bool(db_escape_string($_REQUEST["enabled"]));
$match_any_rule = checkbox_to_sql_bool(db_escape_string($_REQUEST["match_any_rule"]));
$filter_id = db_escape_string($this->link, $_REQUEST["id"]);
$enabled = checkbox_to_sql_bool(db_escape_string($this->link, $_REQUEST["enabled"]));
$match_any_rule = checkbox_to_sql_bool(db_escape_string($this->link, $_REQUEST["match_any_rule"]));
$result = db_query($this->link, "UPDATE ttrss_filters2 SET enabled = $enabled,
match_any_rule = $match_any_rule
@@ -418,7 +418,7 @@ class Pref_Filters extends Handler_Protected {
function remove() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
db_query($this->link, "DELETE FROM ttrss_filters2 WHERE id = '$id' AND owner_uid = ". $_SESSION["uid"]);
@@ -457,9 +457,9 @@ class Pref_Filters extends Handler_Protected {
foreach ($rules as $rule) {
if ($rule) {
$reg_exp = strip_tags(db_escape_string(trim($rule["reg_exp"])));
$filter_type = (int) db_escape_string(trim($rule["filter_type"]));
$feed_id = db_escape_string(trim($rule["feed_id"]));
$reg_exp = strip_tags(db_escape_string($this->link, trim($rule["reg_exp"])));
$filter_type = (int) db_escape_string($this->link, trim($rule["filter_type"]));
$feed_id = db_escape_string($this->link, trim($rule["feed_id"]));
if (strpos($feed_id, "CAT:") === 0) {
@@ -487,9 +487,9 @@ class Pref_Filters extends Handler_Protected {
foreach ($actions as $action) {
if ($action) {
$action_id = (int) db_escape_string($action["action_id"]);
$action_param = db_escape_string($action["action_param"]);
$action_param_label = db_escape_string($action["action_param_label"]);
$action_id = (int) db_escape_string($this->link, $action["action_id"]);
$action_param = db_escape_string($this->link, $action["action_param"]);
$action_param_label = db_escape_string($this->link, $action["action_param_label"]);
if ($action_id == 7) {
$action_param = $action_param_label;
@@ -541,13 +541,13 @@ class Pref_Filters extends Handler_Protected {
function index() {
$sort = db_escape_string($_REQUEST["sort"]);
$sort = db_escape_string($this->link, $_REQUEST["sort"]);
if (!$sort || $sort == "undefined") {
$sort = "reg_exp";
}
$filter_search = db_escape_string($_REQUEST["search"]);
$filter_search = db_escape_string($this->link, $_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_filter_search"] = $filter_search;
@@ -559,7 +559,7 @@ class Pref_Filters extends Handler_Protected {
print "<div id=\"pref-filter-header\" dojoType=\"dijit.layout.ContentPane\" region=\"top\">";
print "<div id=\"pref-filter-toolbar\" dojoType=\"dijit.Toolbar\">";
$filter_search = db_escape_string($_REQUEST["search"]);
$filter_search = db_escape_string($this->link, $_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_filter_search"] = $filter_search;
@@ -806,7 +806,7 @@ class Pref_Filters extends Handler_Protected {
$action = json_decode($_REQUEST["action"], true);
if ($action) {
$action_param = db_escape_string($action["action_param"]);
$action_param = db_escape_string($this->link, $action["action_param"]);
$action_id = (int)$action["action_id"];
} else {
$action_param = "";
@@ -914,7 +914,7 @@ class Pref_Filters extends Handler_Protected {
}
function join() {
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
if (count($ids) > 1) {
$base_id = array_shift($ids);

34
classes/pref/labels.php
View File

@@ -8,7 +8,7 @@ class Pref_Labels extends Handler_Protected {
}
function edit() {
$label_id = db_escape_string($_REQUEST['id']);
$label_id = db_escape_string($this->link, $_REQUEST['id']);
$result = db_query($this->link, "SELECT * FROM ttrss_labels2 WHERE
id = '$label_id' AND owner_uid = " . $_SESSION["uid"]);
@@ -118,11 +118,11 @@ class Pref_Labels extends Handler_Protected {
}
function colorset() {
$kind = db_escape_string($_REQUEST["kind"]);
$ids = split(',', db_escape_string($_REQUEST["ids"]));
$color = db_escape_string($_REQUEST["color"]);
$fg = db_escape_string($_REQUEST["fg"]);
$bg = db_escape_string($_REQUEST["bg"]);
$kind = db_escape_string($this->link, $_REQUEST["kind"]);
$ids = split(',', db_escape_string($this->link, $_REQUEST["ids"]));
$color = db_escape_string($this->link, $_REQUEST["color"]);
$fg = db_escape_string($this->link, $_REQUEST["fg"]);
$bg = db_escape_string($this->link, $_REQUEST["bg"]);
foreach ($ids as $id) {
@@ -136,7 +136,7 @@ class Pref_Labels extends Handler_Protected {
AND owner_uid = " . $_SESSION["uid"]);
}
$caption = db_escape_string(label_find_caption($this->link, $id, $_SESSION["uid"]));
$caption = db_escape_string($this->link, label_find_caption($this->link, $id, $_SESSION["uid"]));
/* Remove cached data */
@@ -149,14 +149,14 @@ class Pref_Labels extends Handler_Protected {
}
function colorreset() {
$ids = split(',', db_escape_string($_REQUEST["ids"]));
$ids = split(',', db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
db_query($this->link, "UPDATE ttrss_labels2 SET
fg_color = '', bg_color = '' WHERE id = '$id'
AND owner_uid = " . $_SESSION["uid"]);
$caption = db_escape_string(label_find_caption($this->link, $id, $_SESSION["uid"]));
$caption = db_escape_string($this->link, label_find_caption($this->link, $id, $_SESSION["uid"]));
/* Remove cached data */
@@ -168,8 +168,8 @@ class Pref_Labels extends Handler_Protected {
function save() {
$id = db_escape_string($_REQUEST["id"]);
$caption = db_escape_string(trim($_REQUEST["caption"]));
$id = db_escape_string($this->link, $_REQUEST["id"]);
$caption = db_escape_string($this->link, trim($_REQUEST["caption"]));
db_query($this->link, "BEGIN");
@@ -190,7 +190,7 @@ class Pref_Labels extends Handler_Protected {
/* Update filters that reference label being renamed */
$old_caption = db_escape_string($old_caption);
$old_caption = db_escape_string($this->link, $old_caption);
db_query($this->link, "UPDATE ttrss_filters2_actions SET
action_param = '$caption' WHERE action_param = '$old_caption'
@@ -213,7 +213,7 @@ class Pref_Labels extends Handler_Protected {
function remove() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
label_remove($this->link, $id, $_SESSION["uid"]);
@@ -222,8 +222,8 @@ class Pref_Labels extends Handler_Protected {
}
function add() {
$caption = db_escape_string($_REQUEST["caption"]);
$output = db_escape_string($_REQUEST["output"]);
$caption = db_escape_string($this->link, $_REQUEST["caption"]);
$output = db_escape_string($this->link, $_REQUEST["output"]);
if ($caption) {
@@ -250,13 +250,13 @@ class Pref_Labels extends Handler_Protected {
function index() {
$sort = db_escape_string($_REQUEST["sort"]);
$sort = db_escape_string($this->link, $_REQUEST["sort"]);
if (!$sort || $sort == "undefined") {
$sort = "caption";
}
$label_search = db_escape_string($_REQUEST["search"]);
$label_search = db_escape_string($this->link, $_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_label_search"] = $label_search;

16
classes/pref/prefs.php
View File

@@ -50,8 +50,8 @@ class Pref_Prefs extends Handler_Protected {
foreach (array_keys($_POST) as $pref_name) {
$pref_name = db_escape_string($pref_name);
$value = db_escape_string($_POST[$pref_name]);
$pref_name = db_escape_string($this->link, $pref_name);
$value = db_escape_string($this->link, $_POST[$pref_name]);
if ($pref_name == 'DIGEST_PREFERRED_TIME') {
if (get_pref($this->link, 'DIGEST_PREFERRED_TIME') != $value) {
@@ -71,7 +71,7 @@ class Pref_Prefs extends Handler_Protected {
function getHelp() {
$pref_name = db_escape_string($_REQUEST["pn"]);
$pref_name = db_escape_string($this->link, $_REQUEST["pn"]);
$result = db_query($this->link, "SELECT help_text FROM ttrss_prefs
WHERE pref_name = '$pref_name'");
@@ -86,8 +86,8 @@ class Pref_Prefs extends Handler_Protected {
function changeemail() {
$email = db_escape_string($_POST["email"]);
$full_name = db_escape_string($_POST["full_name"]);
$email = db_escape_string($this->link, $_POST["email"]);
$full_name = db_escape_string($this->link, $_POST["full_name"]);
$active_uid = $_SESSION["uid"];
@@ -798,7 +798,7 @@ class Pref_Prefs extends Handler_Protected {
}
function otpenable() {
$password = db_escape_string($_REQUEST["password"]);
$password = db_escape_string($this->link, $_REQUEST["password"]);
$enable_otp = $_REQUEST["enable_otp"] == "on";
global $pluginhost;
@@ -819,7 +819,7 @@ class Pref_Prefs extends Handler_Protected {
}
function otpdisable() {
$password = db_escape_string($_REQUEST["password"]);
$password = db_escape_string($this->link, $_REQUEST["password"]);
global $pluginhost;
$authenticator = $pluginhost->get_plugin($_SESSION["auth_module"]);
@@ -846,7 +846,7 @@ class Pref_Prefs extends Handler_Protected {
}
function clearplugindata() {
$name = db_escape_string($_REQUEST["name"]);
$name = db_escape_string($this->link, $_REQUEST["name"]);
global $pluginhost;
$pluginhost->clear_data($pluginhost->get_plugin($name));

20
classes/pref/users.php
View File

@@ -116,7 +116,7 @@ class Pref_Users extends Handler_Protected {
header("Content-Type: text/xml");
$id = db_escape_string($_REQUEST["id"]);
$id = db_escape_string($this->link, $_REQUEST["id"]);
print "<dlg id=\"$method\">";
print "<title>".__('User Editor')."</title>";
@@ -199,11 +199,11 @@ class Pref_Users extends Handler_Protected {
}
function editSave() {
$login = db_escape_string(trim($_REQUEST["login"]));
$uid = db_escape_string($_REQUEST["id"]);
$login = db_escape_string($this->link, trim($_REQUEST["login"]));
$uid = db_escape_string($this->link, $_REQUEST["id"]);
$access_level = (int) $_REQUEST["access_level"];
$email = db_escape_string(trim($_REQUEST["email"]));
$password = db_escape_string(trim($_REQUEST["password"]));
$email = db_escape_string($this->link, trim($_REQUEST["email"]));
$password = db_escape_string($this->link, trim($_REQUEST["password"]));
if ($password) {
$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
@@ -220,7 +220,7 @@ class Pref_Users extends Handler_Protected {
}
function remove() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
if ($id != $_SESSION["uid"] && $id != 1) {
@@ -233,7 +233,7 @@ class Pref_Users extends Handler_Protected {
function add() {
$login = db_escape_string(trim($_REQUEST["login"]));
$login = db_escape_string($this->link, trim($_REQUEST["login"]));
$tmp_user_pwd = make_password(8);
$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
$pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
@@ -272,7 +272,7 @@ class Pref_Users extends Handler_Protected {
function resetPass() {
$uid = db_escape_string($_REQUEST["id"]);
$uid = db_escape_string($this->link, $_REQUEST["id"]);
$result = db_query($this->link, "SELECT login,email
FROM ttrss_users WHERE id = '$uid'");
@@ -353,7 +353,7 @@ class Pref_Users extends Handler_Protected {
print "<div id=\"pref-user-toolbar\" dojoType=\"dijit.Toolbar\">";
$user_search = db_escape_string($_REQUEST["search"]);
$user_search = db_escape_string($this->link, $_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_user_search"] = $user_search;
@@ -368,7 +368,7 @@ class Pref_Users extends Handler_Protected {
__('Search')."</button>
</div>";
$sort = db_escape_string($_REQUEST["sort"]);
$sort = db_escape_string($this->link, $_REQUEST["sort"]);
if (!$sort || $sort == "undefined") {
$sort = "login";

108
classes/rpc.php
View File

@@ -8,14 +8,14 @@ class RPC extends Handler_Protected {
}
function setprofile() {
$id = db_escape_string($_REQUEST["id"]);
$id = db_escape_string($this->link, $_REQUEST["id"]);
$_SESSION["profile"] = $id;
$_SESSION["prefs_cache"] = array();
}
function remprofiles() {
$ids = explode(",", db_escape_string(trim($_REQUEST["ids"])));
$ids = explode(",", db_escape_string($this->link, trim($_REQUEST["ids"])));
foreach ($ids as $id) {
if ($_SESSION["profile"] != $id) {
@@ -27,7 +27,7 @@ class RPC extends Handler_Protected {
// Silent
function addprofile() {
$title = db_escape_string(trim($_REQUEST["title"]));
$title = db_escape_string($this->link, trim($_REQUEST["title"]));
if ($title) {
db_query($this->link, "BEGIN");
@@ -57,8 +57,8 @@ class RPC extends Handler_Protected {
// Silent
function saveprofile() {
$id = db_escape_string($_REQUEST["id"]);
$title = db_escape_string(trim($_REQUEST["value"]));
$id = db_escape_string($this->link, $_REQUEST["id"]);
$title = db_escape_string($this->link, trim($_REQUEST["value"]));
if ($id == 0) {
print __("Default profile");
@@ -88,7 +88,7 @@ class RPC extends Handler_Protected {
// Silent
function remarchive() {
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
$result = db_query($this->link, "DELETE FROM ttrss_archived_feeds WHERE
@@ -101,11 +101,11 @@ class RPC extends Handler_Protected {
}
function addfeed() {
$feed = db_escape_string($_REQUEST['feed']);
$cat = db_escape_string($_REQUEST['cat']);
$login = db_escape_string($_REQUEST['login']);
$pass = db_escape_string($_REQUEST['pass']);
$need_auth = db_escape_string($_REQUEST['need_auth']) != "";
$feed = db_escape_string($this->link, $_REQUEST['feed']);
$cat = db_escape_string($this->link, $_REQUEST['cat']);
$login = db_escape_string($this->link, $_REQUEST['login']);
$pass = db_escape_string($this->link, $_REQUEST['pass']);
$need_auth = db_escape_string($this->link, $_REQUEST['need_auth']) != "";
$rc = subscribe_to_feed($this->link, $feed, $cat, $login, $pass, $need_auth);
@@ -113,7 +113,7 @@ class RPC extends Handler_Protected {
}
function togglepref() {
$key = db_escape_string($_REQUEST["key"]);
$key = db_escape_string($this->link, $_REQUEST["key"]);
set_pref($this->link, $key, !get_pref($this->link, $key));
$value = get_pref($this->link, $key);
@@ -132,7 +132,7 @@ class RPC extends Handler_Protected {
function mark() {
$mark = $_REQUEST["mark"];
$id = db_escape_string($_REQUEST["id"]);
$id = db_escape_string($this->link, $_REQUEST["id"]);
if ($mark == "1") {
$mark = "true";
@@ -148,7 +148,7 @@ class RPC extends Handler_Protected {
}
function delete() {
$ids = db_escape_string($_REQUEST["ids"]);
$ids = db_escape_string($this->link, $_REQUEST["ids"]);
$result = db_query($this->link, "DELETE FROM ttrss_user_entries
WHERE ref_id IN ($ids) AND owner_uid = " . $_SESSION["uid"]);
@@ -157,7 +157,7 @@ class RPC extends Handler_Protected {
}
function unarchive() {
$ids = db_escape_string($_REQUEST["ids"]);
$ids = db_escape_string($this->link, $_REQUEST["ids"]);
$result = db_query($this->link, "UPDATE ttrss_user_entries
SET feed_id = orig_feed_id, orig_feed_id = NULL
@@ -167,7 +167,7 @@ class RPC extends Handler_Protected {
}
function archive() {
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
$this->archive_article($this->link, $id, $_SESSION["uid"]);
@@ -210,8 +210,8 @@ class RPC extends Handler_Protected {
function publ() {
$pub = $_REQUEST["pub"];
$id = db_escape_string($_REQUEST["id"]);
$note = trim(strip_tags(db_escape_string($_REQUEST["note"])));
$id = db_escape_string($this->link, $_REQUEST["id"]);
$note = trim(strip_tags(db_escape_string($this->link, $_REQUEST["note"])));
if ($pub == "1") {
$pub = "true";
@@ -257,7 +257,7 @@ class RPC extends Handler_Protected {
/* GET["cmode"] = 0 - mark as read, 1 - as unread, 2 - toggle */
function catchupSelected() {
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
$cmode = sprintf("%d", $_REQUEST["cmode"]);
catchupArticlesById($this->link, $ids, $cmode);
@@ -266,7 +266,7 @@ class RPC extends Handler_Protected {
}
function markSelected() {
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
$cmode = sprintf("%d", $_REQUEST["cmode"]);
$this->markArticlesById($this->link, $ids, $cmode);
@@ -275,7 +275,7 @@ class RPC extends Handler_Protected {
}
function publishSelected() {
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
$cmode = sprintf("%d", $_REQUEST["cmode"]);
$this->publishArticlesById($this->link, $ids, $cmode);
@@ -301,9 +301,9 @@ class RPC extends Handler_Protected {
function setArticleTags() {
$id = db_escape_string($_REQUEST["id"]);
$id = db_escape_string($this->link, $_REQUEST["id"]);
$tags_str = db_escape_string($_REQUEST["tags_str"]);
$tags_str = db_escape_string($this->link, $_REQUEST["tags_str"]);
$tags = array_unique(trim_array(explode(",", $tags_str)));
db_query($this->link, "BEGIN");
@@ -373,7 +373,7 @@ class RPC extends Handler_Protected {
}
function completeLabels() {
$search = db_escape_string($_REQUEST["search"]);
$search = db_escape_string($this->link, $_REQUEST["search"]);
$result = db_query($this->link, "SELECT DISTINCT caption FROM
ttrss_labels2
@@ -390,7 +390,7 @@ class RPC extends Handler_Protected {
function completeTags() {
$search = db_escape_string($_REQUEST["search"]);
$search = db_escape_string($this->link, $_REQUEST["search"]);
$result = db_query($this->link, "SELECT DISTINCT tag_name FROM ttrss_tags
WHERE owner_uid = '".$_SESSION["uid"]."' AND
@@ -405,7 +405,7 @@ class RPC extends Handler_Protected {
}
function purge() {
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
$days = sprintf("%d", $_REQUEST["days"]);
foreach ($ids as $id) {
@@ -420,7 +420,7 @@ class RPC extends Handler_Protected {
}
function getArticles() {
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
$articles = array();
foreach ($ids as $id) {
@@ -433,7 +433,7 @@ class RPC extends Handler_Protected {
}
function checkDate() {
$date = db_escape_string($_REQUEST["date"]);
$date = db_escape_string($this->link, $_REQUEST["date"]);
$date_parsed = strtotime($date);
print json_encode(array("result" => (bool)$date_parsed,
@@ -451,10 +451,10 @@ class RPC extends Handler_Protected {
function labelops($assign) {
$reply = array();
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$label_id = db_escape_string($_REQUEST["lid"]);
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
$label_id = db_escape_string($this->link, $_REQUEST["lid"]);
$label = db_escape_string(label_find_caption($this->link, $label_id,
$label = db_escape_string($this->link, label_find_caption($this->link, $label_id,
$_SESSION["uid"]));
$reply["info-for-headlines"] = array();
@@ -482,9 +482,9 @@ class RPC extends Handler_Protected {
}
function updateFeedBrowser() {
$search = db_escape_string($_REQUEST["search"]);
$limit = db_escape_string($_REQUEST["limit"]);
$mode = (int) db_escape_string($_REQUEST["mode"]);
$search = db_escape_string($this->link, $_REQUEST["search"]);
$limit = db_escape_string($this->link, $_REQUEST["limit"]);
$mode = (int) db_escape_string($this->link, $_REQUEST["mode"]);
require_once "feedbrowser.php";
@@ -504,8 +504,8 @@ class RPC extends Handler_Protected {
if ($mode == 1) {
foreach ($payload as $feed) {
$title = db_escape_string($feed[0]);
$feed_url = db_escape_string($feed[1]);
$title = db_escape_string($this->link, $feed[0]);
$feed_url = db_escape_string($this->link, $feed[1]);
$result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE
feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]);
@@ -524,9 +524,9 @@ class RPC extends Handler_Protected {
WHERE id = '$id' AND owner_uid = " . $_SESSION["uid"]);
if (db_num_rows($result) != 0) {
$site_url = db_escape_string(db_fetch_result($result, 0, "site_url"));
$feed_url = db_escape_string(db_fetch_result($result, 0, "feed_url"));
$title = db_escape_string(db_fetch_result($result, 0, "title"));
$site_url = db_escape_string($this->link, db_fetch_result($result, 0, "site_url"));
$feed_url = db_escape_string($this->link, db_fetch_result($result, 0, "feed_url"));
$title = db_escape_string($this->link, db_fetch_result($result, 0, "title"));
$result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE
feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]);
@@ -543,9 +543,9 @@ class RPC extends Handler_Protected {
}
function catchupFeed() {
$feed_id = db_escape_string($_REQUEST['feed_id']);
$is_cat = db_escape_string($_REQUEST['is_cat']) == "true";
$max_id = (int) db_escape_string($_REQUEST['max_id']);
$feed_id = db_escape_string($this->link, $_REQUEST['feed_id']);
$is_cat = db_escape_string($this->link, $_REQUEST['is_cat']) == "true";
$max_id = (int) db_escape_string($this->link, $_REQUEST['max_id']);
catchup_feed($this->link, $feed_id, $is_cat, false, $max_id);
@@ -553,7 +553,7 @@ class RPC extends Handler_Protected {
}
function quickAddCat() {
$cat = db_escape_string($_REQUEST["cat"]);
$cat = db_escape_string($this->link, $_REQUEST["cat"]);
add_feed_category($this->link, $cat);
@@ -570,8 +570,8 @@ class RPC extends Handler_Protected {
}
function regenFeedKey() {
$feed_id = db_escape_string($_REQUEST['id']);
$is_cat = db_escape_string($_REQUEST['is_cat']) == "true";
$feed_id = db_escape_string($this->link, $_REQUEST['id']);
$is_cat = db_escape_string($this->link, $_REQUEST['is_cat']) == "true";
$new_key = $this->update_feed_access_key($this->link, $feed_id, $is_cat);
@@ -619,11 +619,11 @@ class RPC extends Handler_Protected {
}
function batchAddFeeds() {
$cat_id = db_escape_string($_REQUEST['cat']);
$feeds = explode("\n", db_escape_string($_REQUEST['feeds']));
$login = db_escape_string($_REQUEST['login']);
$pass = db_escape_string($_REQUEST['pass']);
$need_auth = db_escape_string($_REQUEST['need_auth']) != "";
$cat_id = db_escape_string($this->link, $_REQUEST['cat']);
$feeds = explode("\n", db_escape_string($this->link, $_REQUEST['feeds']));
$login = db_escape_string($this->link, $_REQUEST['login']);
$pass = db_escape_string($this->link, $_REQUEST['pass']);
$need_auth = db_escape_string($this->link, $_REQUEST['need_auth']) != "";
foreach ($feeds as $feed) {
$feed = trim($feed);
@@ -656,8 +656,8 @@ class RPC extends Handler_Protected {
}
function setScore() {
$ids = db_escape_string($_REQUEST['id']);
$score = (int)db_escape_string($_REQUEST['score']);
$ids = db_escape_string($this->link, $_REQUEST['id']);
$score = (int)db_escape_string($this->link, $_REQUEST['score']);
db_query($this->link, "UPDATE ttrss_user_entries SET
score = '$score' WHERE ref_id IN ($ids) AND owner_uid = " . $_SESSION["uid"]);
@@ -756,7 +756,7 @@ class RPC extends Handler_Protected {
AND owner_uid = " . $owner_uid);
if (db_num_rows($result) == 1) {
$key = db_escape_string(sha1(uniqid(rand(), true)));
$key = db_escape_string($this->link, sha1(uniqid(rand(), true)));
db_query($link, "UPDATE ttrss_access_keys SET access_key = '$key'
WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat
@@ -830,7 +830,7 @@ class RPC extends Handler_Protected {
}
function getlinkbyid() {
$id = db_escape_string($_REQUEST['id']);
$id = db_escape_string($this->link, $_REQUEST['id']);
$result = db_query($this->link, "SELECT link FROM ttrss_entries, ttrss_user_entries
WHERE ref_id = '$id' AND ref_id = id AND owner_uid = ". $_SESSION["uid"]);