banananetwork
/
tt-rss
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

db_escape_string: specify link parameter for consistency; sessions: do not force-close db connection in _close()

Browse Source
master
Andrew Dolgov 12 years ago
parent 9d9432dab8
commit 3972bf5981
40 changed files with 342 additions and 350 deletions
Show Stats Download Patch File Download Diff File

62
classes/api.php
Unescape Escape View File

@ -47,7 +47,7 @@ class API extends Handler {
}
function login() {
$login = db_escape_string($_REQUEST["user"]);
$login = db_escape_string($this->link, $_REQUEST["user"]);
$password = $_REQUEST["password"];
$password_base64 = base64_decode($_REQUEST["password"]);
@ -92,8 +92,8 @@ class API extends Handler {
}
function getUnread() {
$feed_id = db_escape_string($_REQUEST["feed_id"]);
$is_cat = db_escape_string($_REQUEST["is_cat"]);
$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
$is_cat = db_escape_string($this->link, $_REQUEST["is_cat"]);
if ($feed_id) {
print $this->wrap(self::STATUS_OK, array("unread" => getFeedUnread($this->link, $feed_id, $is_cat)));
@ -108,10 +108,10 @@ class API extends Handler {
}
function getFeeds() {
$cat_id = db_escape_string($_REQUEST["cat_id"]);
$cat_id = db_escape_string($this->link, $_REQUEST["cat_id"]);
$unread_only = sql_bool_to_bool($_REQUEST["unread_only"]);
$limit = (int) db_escape_string($_REQUEST["limit"]);
$offset = (int) db_escape_string($_REQUEST["offset"]);
$limit = (int) db_escape_string($this->link, $_REQUEST["limit"]);
$offset = (int) db_escape_string($this->link, $_REQUEST["offset"]);
$include_nested = sql_bool_to_bool($_REQUEST["include_nested"]);
$feeds = $this->api_get_feeds($this->link, $cat_id, $unread_only, $limit, $offset, $include_nested);
@ -171,29 +171,29 @@ class API extends Handler {
}
function getHeadlines() {
$feed_id = db_escape_string($_REQUEST["feed_id"]);
$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
if ($feed_id != "") {
$limit = (int)db_escape_string($_REQUEST["limit"]);
$limit = (int)db_escape_string($this->link, $_REQUEST["limit"]);
if (!$limit || $limit >= 60) $limit = 60;
$offset = (int)db_escape_string($_REQUEST["skip"]);
$filter = db_escape_string($_REQUEST["filter"]);
$offset = (int)db_escape_string($this->link, $_REQUEST["skip"]);
$filter = db_escape_string($this->link, $_REQUEST["filter"]);
$is_cat = sql_bool_to_bool($_REQUEST["is_cat"]);
$show_excerpt = sql_bool_to_bool($_REQUEST["show_excerpt"]);
$show_content = sql_bool_to_bool($_REQUEST["show_content"]);
/* all_articles, unread, adaptive, marked, updated */
$view_mode = db_escape_string($_REQUEST["view_mode"]);
$view_mode = db_escape_string($this->link, $_REQUEST["view_mode"]);
$include_attachments = sql_bool_to_bool($_REQUEST["include_attachments"]);
$since_id = (int)db_escape_string($_REQUEST["since_id"]);
$since_id = (int)db_escape_string($this->link, $_REQUEST["since_id"]);
$include_nested = sql_bool_to_bool($_REQUEST["include_nested"]);
$sanitize_content = true;
/* do not rely on params below */
$search = db_escape_string($_REQUEST["search"]);
$search_mode = db_escape_string($_REQUEST["search_mode"]);
$search = db_escape_string($this->link, $_REQUEST["search"]);
$search_mode = db_escape_string($this->link, $_REQUEST["search_mode"]);
$headlines = $this->api_get_headlines($this->link, $feed_id, $limit, $offset,
$filter, $is_cat, $show_excerpt, $show_content, $view_mode, false,
@ -207,10 +207,10 @@ class API extends Handler {
}
function updateArticle() {
$article_ids = array_filter(explode(",", db_escape_string($_REQUEST["article_ids"])), is_numeric);
$mode = (int) db_escape_string($_REQUEST["mode"]);
$data = db_escape_string($_REQUEST["data"]);
$field_raw = (int)db_escape_string($_REQUEST["field"]);
$article_ids = array_filter(explode(",", db_escape_string($this->link, $_REQUEST["article_ids"])), is_numeric);
$mode = (int) db_escape_string($this->link, $_REQUEST["mode"]);
$data = db_escape_string($this->link, $_REQUEST["data"]);
$field_raw = (int)db_escape_string($this->link, $_REQUEST["field"]);
$field = "";
$set_to = "";
@ -285,7 +285,7 @@ class API extends Handler {
function getArticle() {
$article_id = join(",", array_filter(explode(",", db_escape_string($_REQUEST["article_id"])), is_numeric));
$article_id = join(",", array_filter(explode(",", db_escape_string($this->link, $_REQUEST["article_id"])), is_numeric));
$query = "SELECT id,title,link,content,cached_content,feed_id,comments,int_id,
marked,unread,published,
@ -348,7 +348,7 @@ class API extends Handler {
}
function updateFeed() {
$feed_id = db_escape_string($_REQUEST["feed_id"]);
$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
update_rss_feed($this->link, $feed_id, true);
@ -356,8 +356,8 @@ class API extends Handler {
}
function catchupFeed() {
$feed_id = db_escape_string($_REQUEST["feed_id"]);
$is_cat = db_escape_string($_REQUEST["is_cat"]);
$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
$is_cat = db_escape_string($this->link, $_REQUEST["is_cat"]);
catchup_feed($this->link, $feed_id, $is_cat);
@ -365,13 +365,13 @@ class API extends Handler {
}
function getPref() {
$pref_name = db_escape_string($_REQUEST["pref_name"]);
$pref_name = db_escape_string($this->link, $_REQUEST["pref_name"]);
print $this->wrap(self::STATUS_OK, array("value" => get_pref($this->link, $pref_name)));
}
function getLabels() {
//$article_ids = array_filter(explode(",", db_escape_string($_REQUEST["article_ids"])), is_numeric);
//$article_ids = array_filter(explode(",", db_escape_string($this->link, $_REQUEST["article_ids"])), is_numeric);
$article_id = (int)$_REQUEST['article_id'];
@ -409,11 +409,11 @@ class API extends Handler {
function setArticleLabel() {
$article_ids = array_filter(explode(",", db_escape_string($_REQUEST["article_ids"])), is_numeric);
$label_id = (int) db_escape_string($_REQUEST['label_id']);
$assign = (bool) db_escape_string($_REQUEST['assign']) == "true";
$article_ids = array_filter(explode(",", db_escape_string($this->link, $_REQUEST["article_ids"])), is_numeric);
$label_id = (int) db_escape_string($this->link, $_REQUEST['label_id']);
$assign = (bool) db_escape_string($this->link, $_REQUEST['assign']) == "true";
$label = db_escape_string(label_find_caption($this->link,
$label = db_escape_string($this->link, label_find_caption($this->link,
$label_id, $_SESSION["uid"]));
$num_updated = 0;
@ -442,9 +442,9 @@ class API extends Handler {
}
function shareToPublished() {
$title = db_escape_string(strip_tags($_REQUEST["title"]));
$url = db_escape_string(strip_tags($_REQUEST["url"]));
$content = db_escape_string(strip_tags($_REQUEST["content"]));
$title = db_escape_string($this->link, strip_tags($_REQUEST["title"]));
$url = db_escape_string($this->link, strip_tags($_REQUEST["url"]));
$content = db_escape_string($this->link, strip_tags($_REQUEST["content"]));
if (Article::create_published_article($this->link, $title, $url, $content, "", $_SESSION["uid"])) {
print $this->wrap(self::STATUS_OK, array("status" => 'OK'));

10
classes/article.php
Unescape Escape View File

@ -8,7 +8,7 @@ class Article extends Handler_Protected {
}
function redirect() {
$id = db_escape_string($_REQUEST['id']);
$id = db_escape_string($this->link, $_REQUEST['id']);
$result = db_query($this->link, "SELECT link FROM ttrss_entries, ttrss_user_entries
WHERE id = '$id' AND id = ref_id AND owner_uid = '".$_SESSION['uid']."'
@ -27,10 +27,10 @@ class Article extends Handler_Protected {
}
function view() {
$id = db_escape_string($_REQUEST["id"]);
$cids = explode(",", db_escape_string($_REQUEST["cids"]));
$mode = db_escape_string($_REQUEST["mode"]);
$omode = db_escape_string($_REQUEST["omode"]);
$id = db_escape_string($this->link, $_REQUEST["id"]);
$cids = explode(",", db_escape_string($this->link, $_REQUEST["cids"]));
$mode = db_escape_string($this->link, $_REQUEST["mode"]);
$omode = db_escape_string($this->link, $_REQUEST["omode"]);
// in prefetch mode we only output requested cids, main article
// just gets marked as read (it already exists in client cache)

4
classes/auth/base.php
Unescape Escape View File

@ -21,7 +21,7 @@ class Auth_Base {
$user_id = $this->find_user_by_login($login);
if (!$user_id) {
$login = db_escape_string($login);
$login = db_escape_string($this->link, $login);
$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
$pwd_hash = encrypt_password($password, $salt, true);
@ -42,7 +42,7 @@ class Auth_Base {
}
function find_user_by_login($login) {
$login = db_escape_string($login);
$login = db_escape_string($this->link, $login);
$result = db_query($this->link, "SELECT id FROM ttrss_users WHERE
login = '$login'");

8
classes/dlg.php
Unescape Escape View File

@ -5,7 +5,7 @@ class Dlg extends Handler_Protected {
function before($method) {
if (parent::before($method)) {
header("Content-Type: text/xml; charset=utf-8");
$this->param = db_escape_string($_REQUEST["param"]);
$this->param = db_escape_string($this->link, $_REQUEST["param"]);
print "<dlg>";
return true;
}
@ -302,7 +302,7 @@ class Dlg extends Handler_Protected {
function feedBrowser() {
if (defined('_DISABLE_FEED_BROWSER') && _DISABLE_FEED_BROWSER) return;
$browser_search = db_escape_string($_REQUEST["search"]);
$browser_search = db_escape_string($this->link, $_REQUEST["search"]);
print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"op\" value=\"rpc\">";
print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"method\" value=\"updateFeedBrowser\">";
@ -350,7 +350,7 @@ class Dlg extends Handler_Protected {
}
function search() {
$this->params = explode(":", db_escape_string($_REQUEST["param"]), 2);
$this->params = explode(":", db_escape_string($this->link, $_REQUEST["param"]), 2);
$active_feed_id = sprintf("%d", $this->params[0]);
$is_cat = $this->params[1] != "false";
@ -550,7 +550,7 @@ class Dlg extends Handler_Protected {
print "<content><![CDATA[";
$this->params = explode(":", $this->param, 3);
$feed_id = db_escape_string($this->params[0]);
$feed_id = db_escape_string($this->link, $this->params[0]);
$is_cat = (bool) $this->params[1];
$key = get_feed_access_key($this->link, $feed_id, $is_cat);

20
classes/feeds.php
Unescape Escape View File

@ -202,13 +202,13 @@ class Feeds extends Handler_Protected {
}
}
@$search = db_escape_string($_REQUEST["query"]);
@$search = db_escape_string($this->link, $_REQUEST["query"]);
if ($search) {
$disable_cache = true;
}
@$search_mode = db_escape_string($_REQUEST["search_mode"]);
@$search_mode = db_escape_string($this->link, $_REQUEST["search_mode"]);
if ($_REQUEST["debug"]) $timing_info = print_checkpoint("H0", $timing_info);
@ -757,17 +757,17 @@ class Feeds extends Handler_Protected {
if ($_REQUEST["debug"]) $timing_info = print_checkpoint("0", $timing_info);
$omode = db_escape_string($_REQUEST["omode"]);
$omode = db_escape_string($this->link, $_REQUEST["omode"]);
$feed = db_escape_string($_REQUEST["feed"]);
$method = db_escape_string($_REQUEST["m"]);
$view_mode = db_escape_string($_REQUEST["view_mode"]);
$feed = db_escape_string($this->link, $_REQUEST["feed"]);
$method = db_escape_string($this->link, $_REQUEST["m"]);
$view_mode = db_escape_string($this->link, $_REQUEST["view_mode"]);
$limit = (int) get_pref($this->link, "DEFAULT_ARTICLE_LIMIT");
@$cat_view = $_REQUEST["cat"] == "true";
@$next_unread_feed = db_escape_string($_REQUEST["nuf"]);
@$offset = db_escape_string($_REQUEST["skip"]);
@$vgroup_last_feed = db_escape_string($_REQUEST["vgrlf"]);
$order_by = db_escape_string($_REQUEST["order_by"]);
@$next_unread_feed = db_escape_string($this->link, $_REQUEST["nuf"]);
@$offset = db_escape_string($this->link, $_REQUEST["skip"]);
@$vgroup_last_feed = db_escape_string($this->link, $_REQUEST["vgrlf"]);
$order_by = db_escape_string($this->link, $_REQUEST["order_by"]);
if (is_numeric($feed)) $feed = (int) $feed;

52
classes/handler/public.php
Unescape Escape View File

@ -180,7 +180,7 @@ class Handler_Public extends Handler {
}
function getUnread() {
$login = db_escape_string($_REQUEST["login"]);
$login = db_escape_string($this->link, $_REQUEST["login"]);
$fresh = $_REQUEST["fresh"] == "1";
$result = db_query($this->link, "SELECT id FROM ttrss_users WHERE login = '$login'");
@ -202,7 +202,7 @@ class Handler_Public extends Handler {
}
function getProfiles() {
$login = db_escape_string($_REQUEST["login"]);
$login = db_escape_string($this->link, $_REQUEST["login"]);
$result = db_query($this->link, "SELECT * FROM ttrss_settings_profiles,ttrss_users
WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = '$login' ORDER BY title");
@ -222,9 +222,9 @@ class Handler_Public extends Handler {
}
function pubsub() {
$mode = db_escape_string($_REQUEST['hub_mode']);
$feed_id = (int) db_escape_string($_REQUEST['id']);
$feed_url = db_escape_string($_REQUEST['hub_topic']);
$mode = db_escape_string($this->link, $_REQUEST['hub_mode']);
$feed_id = (int) db_escape_string($this->link, $_REQUEST['id']);
$feed_url = db_escape_string($this->link, $_REQUEST['hub_topic']);
if (!PUBSUBHUBBUB_ENABLED) {
header('HTTP/1.0 404 Not Found');
@ -285,7 +285,7 @@ class Handler_Public extends Handler {
}
function share() {
$uuid = db_escape_string($_REQUEST["key"]);
$uuid = db_escape_string($this->link, $_REQUEST["key"]);
$result = db_query($this->link, "SELECT ref_id, owner_uid FROM ttrss_user_entries WHERE
uuid = '$uuid'");
@ -307,17 +307,17 @@ class Handler_Public extends Handler {
}
function rss() {
$feed = db_escape_string($_REQUEST["id"]);
$key = db_escape_string($_REQUEST["key"]);
$feed = db_escape_string($this->link, $_REQUEST["id"]);
$key = db_escape_string($this->link, $_REQUEST["key"]);
$is_cat = $_REQUEST["is_cat"] != false;
$limit = (int)db_escape_string($_REQUEST["limit"]);
$offset = (int)db_escape_string($_REQUEST["offset"]);
$limit = (int)db_escape_string($this->link, $_REQUEST["limit"]);
$offset = (int)db_escape_string($this->link, $_REQUEST["offset"]);
$search = db_escape_string($_REQUEST["q"]);
$search_mode = db_escape_string($_REQUEST["smode"]);
$view_mode = db_escape_string($_REQUEST["view-mode"]);
$search = db_escape_string($this->link, $_REQUEST["q"]);
$search_mode = db_escape_string($this->link, $_REQUEST["smode"]);
$view_mode = db_escape_string($this->link, $_REQUEST["view-mode"]);
$format = db_escape_string($_REQUEST['format']);
$format = db_escape_string($this->link, $_REQUEST['format']);
if (!$format) $format = 'atom';
@ -371,10 +371,10 @@ class Handler_Public extends Handler {
if ($action == 'share') {
$title = db_escape_string(strip_tags($_REQUEST["title"]));
$url = db_escape_string(strip_tags($_REQUEST["url"]));
$content = db_escape_string(strip_tags($_REQUEST["content"]));
$labels = db_escape_string(strip_tags($_REQUEST["labels"]));
$title = db_escape_string($this->link, strip_tags($_REQUEST["title"]));
$url = db_escape_string($this->link, strip_tags($_REQUEST["url"]));
$content = db_escape_string($this->link, strip_tags($_REQUEST["content"]));
$labels = db_escape_string($this->link, strip_tags($_REQUEST["labels"]));
Article::create_published_article($this->link, $title, $url, $content, $labels,
$_SESSION["uid"]);
@ -483,7 +483,7 @@ class Handler_Public extends Handler {
if (!SINGLE_USER_MODE) {
$login = db_escape_string($_POST["login"]);
$login = db_escape_string($this->link, $_POST["login"]);
$password = $_POST["password"];
$remember_me = $_POST["remember_me"];
@ -496,7 +496,7 @@ class Handler_Public extends Handler {
if ($_POST["profile"]) {
$profile = db_escape_string($_POST["profile"]);
$profile = db_escape_string($this->link, $_POST["profile"]);
$result = db_query($this->link, "SELECT id FROM ttrss_settings_profiles
WHERE id = '$profile' AND owner_uid = " . $_SESSION["uid"]);
@ -525,7 +525,7 @@ class Handler_Public extends Handler {
if ($_SESSION["uid"]) {
$feed_url = db_escape_string(trim($_REQUEST["feed_url"]));
$feed_url = db_escape_string($this->link, trim($_REQUEST["feed_url"]));
header('Content-Type: text/html; charset=utf-8');
print "<html>
@ -618,14 +618,14 @@ class Handler_Public extends Handler {
}
function subscribe2() {
$feed_url = db_escape_string(trim($_REQUEST["feed_url"]));
$cat_id = db_escape_string($_REQUEST["cat_id"]);
$from = db_escape_string($_REQUEST["from"]);
$feed_url = db_escape_string($this->link, trim($_REQUEST["feed_url"]));
$cat_id = db_escape_string($this->link, $_REQUEST["cat_id"]);
$from = db_escape_string($this->link, $_REQUEST["from"]);
/* only read authentication information from POST */
$auth_login = db_escape_string(trim($_POST["auth_login"]));
$auth_pass = db_escape_string(trim($_POST["auth_pass"]));
$auth_login = db_escape_string($this->link, trim($_POST["auth_login"]));
$auth_pass = db_escape_string($this->link, trim($_POST["auth_pass"]));
$rc = subscribe_to_feed($this->link, $feed_url, $cat_id, $auth_login, $auth_pass);

40
classes/opml.php
Unescape Escape View File

@ -253,13 +253,13 @@ class Opml extends Handler_Protected {
private function opml_import_feed($doc, $node, $cat_id, $owner_uid) {
$attrs = $node->attributes;
$feed_title = db_escape_string($attrs->getNamedItem('text')->nodeValue);
if (!$feed_title) $feed_title = db_escape_string($attrs->getNamedItem('title')->nodeValue);
$feed_title = db_escape_string($this->link, $attrs->getNamedItem('text')->nodeValue);
if (!$feed_title) $feed_title = db_escape_string($this->link, $attrs->getNamedItem('title')->nodeValue);
$feed_url = db_escape_string($attrs->getNamedItem('xmlUrl')->nodeValue);
if (!$feed_url) $feed_url = db_escape_string($attrs->getNamedItem('xmlURL')->nodeValue);
$feed_url = db_escape_string($this->link, $attrs->getNamedItem('xmlUrl')->nodeValue);
if (!$feed_url) $feed_url = db_escape_string($this->link, $attrs->getNamedItem('xmlURL')->nodeValue);
$site_url = db_escape_string($attrs->getNamedItem('htmlUrl')->nodeValue);
$site_url = db_escape_string($this->link, $attrs->getNamedItem('htmlUrl')->nodeValue);
if ($feed_url && $feed_title) {
$result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE
@ -285,11 +285,11 @@ class Opml extends Handler_Protected {
private function opml_import_label($doc, $node, $owner_uid) {
$attrs = $node->attributes;
$label_name = db_escape_string($attrs->getNamedItem('label-name')->nodeValue);
$label_name = db_escape_string($this->link, $attrs->getNamedItem('label-name')->nodeValue);
if ($label_name) {
$fg_color = db_escape_string($attrs->getNamedItem('label-fg-color')->nodeValue);
$bg_color = db_escape_string($attrs->getNamedItem('label-bg-color')->nodeValue);
$fg_color = db_escape_string($this->link, $attrs->getNamedItem('label-fg-color')->nodeValue);
$bg_color = db_escape_string($this->link, $attrs->getNamedItem('label-bg-color')->nodeValue);
if (!label_find_id($this->link, $label_name, $_SESSION['uid'])) {
$this->opml_notice(T_sprintf("Adding label %s", htmlspecialchars($label_name)));
@ -302,10 +302,10 @@ class Opml extends Handler_Protected {
private function opml_import_preference($doc, $node, $owner_uid) {
$attrs = $node->attributes;
$pref_name = db_escape_string($attrs->getNamedItem('pref-name')->nodeValue);
$pref_name = db_escape_string($this->link, $attrs->getNamedItem('pref-name')->nodeValue);
if ($pref_name) {
$pref_value = db_escape_string($attrs->getNamedItem('value')->nodeValue);
$pref_value = db_escape_string($this->link, $attrs->getNamedItem('value')->nodeValue);
$this->opml_notice(T_sprintf("Setting preference key %s to %s",
$pref_name, $pref_value));
@ -317,7 +317,7 @@ class Opml extends Handler_Protected {
private function opml_import_filter($doc, $node, $owner_uid) {
$attrs = $node->attributes;
$filter_type = db_escape_string($attrs->getNamedItem('filter-type')->nodeValue);
$filter_type = db_escape_string($this->link, $attrs->getNamedItem('filter-type')->nodeValue);
if ($filter_type == '2') {
$filter = json_decode($node->nodeValue, true);
@ -344,13 +344,13 @@ class Opml extends Handler_Protected {
if (!$rule["cat_filter"]) {
$tmp_result = db_query($this->link, "SELECT id FROM ttrss_feeds
WHERE title = '".db_escape_string($rule["feed"])."' AND owner_uid = ".$_SESSION["uid"]);
WHERE title = '".db_escape_string($this->link, $rule["feed"])."' AND owner_uid = ".$_SESSION["uid"]);
if (db_num_rows($tmp_result) > 0) {
$feed_id = db_fetch_result($tmp_result, 0, "id");
}
} else {
$tmp_result = db_query($this->link, "SELECT id FROM ttrss_feed_categories
WHERE title = '".db_escape_string($rule["feed"])."' AND owner_uid = ".$_SESSION["uid"]);
WHERE title = '".db_escape_string($this->link, $rule["feed"])."' AND owner_uid = ".$_SESSION["uid"]);
if (db_num_rows($tmp_result) > 0) {
$cat_id = db_fetch_result($tmp_result, 0, "id");
@ -358,7 +358,7 @@ class Opml extends Handler_Protected {
}
$cat_filter = bool_to_sql_bool($rule["cat_filter"]);
$reg_exp = db_escape_string($rule["reg_exp"]);
$reg_exp = db_escape_string($this->link, $rule["reg_exp"]);
$filter_type = (int)$rule["filter_type"];
db_query($this->link, "INSERT INTO ttrss_filters2_rules (feed_id,cat_id,filter_id,filter_type,reg_exp,cat_filter)
@ -368,7 +368,7 @@ class Opml extends Handler_Protected {
foreach ($filter["actions"] as $action) {
$action_id = (int)$action["action_id"];
$action_param = db_escape_string($action["action_param"]);
$action_param = db_escape_string($this->link, $action["action_param"]);
db_query($this->link, "INSERT INTO ttrss_filters2_actions (filter_id,action_id,action_param)
VALUES ($filter_id, $action_id, '$action_param')");
@ -386,10 +386,10 @@ class Opml extends Handler_Protected {
$default_cat_id = (int) get_feed_category($this->link, 'Imported feeds', false);
if ($root_node) {
$cat_title = db_escape_string($root_node->attributes->getNamedItem('text')->nodeValue);
$cat_title = db_escape_string($this->link, $root_node->attributes->getNamedItem('text')->nodeValue);
if (!$cat_title)
$cat_title = db_escape_string($root_node->attributes->getNamedItem('title')->nodeValue);
$cat_title = db_escape_string($this->link, $root_node->attributes->getNamedItem('title')->nodeValue);
if (!in_array($cat_title, array("tt-rss-filters", "tt-rss-labels", "tt-rss-prefs"))) {
$cat_id = get_feed_category($this->link, $cat_title, $parent_id);
@ -418,12 +418,12 @@ class Opml extends Handler_Protected {
foreach ($outlines as $node) {
if ($node->hasAttributes() && strtolower($node->tagName) == "outline") {
$attrs = $node->attributes;
$node_cat_title = db_escape_string($attrs->getNamedItem('text')->nodeValue);
$node_cat_title = db_escape_string($this->link, $attrs->getNamedItem('text')->nodeValue);
if (!$node_cat_title)
$node_cat_title = db_escape_string($attrs->getNamedItem('title')->nodeValue);
$node_cat_title = db_escape_string($this->link, $attrs->getNamedItem('title')->nodeValue);
$node_feed_url = db_escape_string($attrs->getNamedItem('xmlUrl')->nodeValue);
$node_feed_url = db_escape_string($this->link, $attrs->getNamedItem('xmlUrl')->nodeValue);
if ($node_cat_title && !$node_feed_url) {
$this->opml_import_category($doc, $node, $owner_uid, $cat_id);

6
classes/pluginhost.php
Unescape Escape View File

@ -211,7 +211,7 @@ class PluginHost {
function load_data($force = false) {
if ($this->owner_uid && (!$_SESSION["plugin_storage"] || $force)) {
$plugin = db_escape_string($plugin);
$plugin = db_escape_string($this->link, $plugin);
$result = db_query($this->link, "SELECT name, content FROM ttrss_plugin_storage
WHERE owner_uid = '".$this->owner_uid."'");
@ -226,7 +226,7 @@ class PluginHost {
private function save_data($plugin) {
if ($this->owner_uid) {
$plugin = db_escape_string($plugin);
$plugin = db_escape_string($this->link, $plugin);
db_query($this->link, "BEGIN");
@ -236,7 +236,7 @@ class PluginHost {
if (!isset($this->storage[$plugin]))
$this->storage[$plugin] = array();
$content = db_escape_string(serialize($this->storage[$plugin]));
$content = db_escape_string($this->link, serialize($this->storage[$plugin]));
if (db_num_rows($result) != 0) {
db_query($this->link, "UPDATE ttrss_plugin_storage SET content = '$content'

66
classes/pref/feeds.php
Unescape Escape View File

@ -14,8 +14,8 @@ class Pref_Feeds extends Handler_Protected {
}
function renamecat() {
$title = db_escape_string($_REQUEST['title']);
$id = db_escape_string($_REQUEST['id']);
$title = db_escape_string($this->link, $_REQUEST['title']);
$id = db_escape_string($this->link, $_REQUEST['id']);
if ($title) {
db_query($this->link, "UPDATE ttrss_feed_categories SET
@ -293,7 +293,7 @@ class Pref_Feeds extends Handler_Protected {
if ($item_id != 'root') {
if ($parent_id && $parent_id != 'root') {
$parent_bare_id = substr($parent_id, strpos($parent_id, ':')+1);
$parent_qpart = db_escape_string($parent_bare_id);
$parent_qpart = db_escape_string($this->link, $parent_bare_id);
} else {
$parent_qpart = 'NULL';
}
@ -319,7 +319,7 @@ class Pref_Feeds extends Handler_Protected {
if (strpos($id, "FEED") === 0) {
$cat_id = ($item_id != "root") ?
db_escape_string($bare_item_id) : "NULL";
db_escape_string($this->link, $bare_item_id) : "NULL";
$cat_qpart = ($cat_id != 0) ? "cat_id = '$cat_id'" :
"cat_id = NULL";
@ -334,7 +334,7 @@ class Pref_Feeds extends Handler_Protected {
$nest_level+1);
if ($item_id != 'root') {
$parent_qpart = db_escape_string($bare_id);
$parent_qpart = db_escape_string($this->link, $bare_id);
} else {
$parent_qpart = 'NULL';
}
@ -424,7 +424,7 @@ class Pref_Feeds extends Handler_Protected {
}
function removeicon() {
$feed_id = db_escape_string($_REQUEST["feed_id"]);
$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
$result = db_query($this->link, "SELECT id FROM ttrss_feeds
WHERE id = '$feed_id' AND owner_uid = ". $_SESSION["uid"]);
@ -440,7 +440,7 @@ class Pref_Feeds extends Handler_Protected {
header("Content-type: text/html");
$icon_file = $_FILES['icon_file']['tmp_name'];
$feed_id = db_escape_string($_REQUEST["feed_id"]);
$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
if (is_file($icon_file) && $feed_id) {
if (filesize($icon_file) < 20000) {
@ -472,7 +472,7 @@ class Pref_Feeds extends Handler_Protected {
global $purge_intervals;
global $update_intervals;
$feed_id = db_escape_string($_REQUEST["id"]);
$feed_id = db_escape_string($this->link, $_REQUEST["id"]);
$result = db_query($this->link,
"SELECT * FROM ttrss_feeds WHERE id = '$feed_id' AND
@ -708,7 +708,7 @@ class Pref_Feeds extends Handler_Protected {
global $purge_intervals;
global $update_intervals;
$feed_ids = db_escape_string($_REQUEST["ids"]);
$feed_ids = db_escape_string($this->link, $_REQUEST["ids"]);
print "<div class=\"dialogNotice\">" . __("Enable the options you wish to apply using checkboxes on the right:") . "</div>";
@ -862,27 +862,27 @@ class Pref_Feeds extends Handler_Protected {
function editsaveops($batch) {
$feed_title = db_escape_string(trim($_POST["title"]));
$feed_link = db_escape_string(trim($_POST["feed_url"]));
$upd_intl = (int) db_escape_string($_POST["update_interval"]);
$purge_intl = (int) db_escape_string($_POST["purge_interval"]);
$feed_id = (int) db_escape_string($_POST["id"]); /* editSave */
$feed_ids = db_escape_string($_POST["ids"]); /* batchEditSave */
$cat_id = (int) db_escape_string($_POST["cat_id"]);
$auth_login = db_escape_string(trim($_POST["auth_login"]));
$auth_pass = db_escape_string(trim($_POST["auth_pass"]));
$private = checkbox_to_sql_bool(db_escape_string($_POST["private"]));
$feed_title = db_escape_string($this->link, trim($_POST["title"]));
$feed_link = db_escape_string($this->link, trim($_POST["feed_url"]));
$upd_intl = (int) db_escape_string($this->link, $_POST["update_interval"]);
$purge_intl = (int) db_escape_string($this->link, $_POST["purge_interval"]);
$feed_id = (int) db_escape_string($this->link, $_POST["id"]); /* editSave */
$feed_ids = db_escape_string($this->link, $_POST["ids"]); /* batchEditSave */
$cat_id = (int) db_escape_string($this->link, $_POST["cat_id"]);
$auth_login = db_escape_string($this->link, trim($_POST["auth_login"]));
$auth_pass = db_escape_string($this->link, trim($_POST["auth_pass"]));
$private = checkbox_to_sql_bool(db_escape_string($this->link, $_POST["private"]));
$include_in_digest = checkbox_to_sql_bool(
db_escape_string($_POST["include_in_digest"]));
db_escape_string($this->link, $_POST["include_in_digest"]));
$cache_images = checkbox_to_sql_bool(
db_escape_string($_POST["cache_images"]));
db_escape_string($this->link, $_POST["cache_images"]));
$hide_images = checkbox_to_sql_bool(
db_escape_string($_POST["hide_images"]));
db_escape_string($this->link, $_POST["hide_images"]));
$always_display_enclosures = checkbox_to_sql_bool(
db_escape_string($_POST["always_display_enclosures"]));
db_escape_string($this->link, $_POST["always_display_enclosures"]));
$mark_unread_on_update = checkbox_to_sql_bool(
db_escape_string($_POST["mark_unread_on_update"]));
db_escape_string($this->link, $_POST["mark_unread_on_update"]));
if (get_pref($this->link, 'ENABLE_FEED_CATS')) {
if ($cat_id && $cat_id != 0) {
@ -999,7 +999,7 @@ class Pref_Feeds extends Handler_Protected {
function resetPubSub() {
$ids = db_escape_string($_REQUEST["ids"]);
$ids = db_escape_string($this->link, $_REQUEST["ids"]);
db_query($this->link, "UPDATE ttrss_feeds SET pubsub_state = 0 WHERE id IN ($ids)
AND owner_uid = " . $_SESSION["uid"]);
@ -1009,7 +1009,7 @@ class Pref_Feeds extends Handler_Protected {
function remove() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
$this->remove_feed($this->link, $id, $_SESSION["uid"]);
@ -1019,14 +1019,14 @@ class Pref_Feeds extends Handler_Protected {
}
function clear() {
$id = db_escape_string($_REQUEST["id"]);
$id = db_escape_string($this->link, $_REQUEST["id"]);
$this->clear_feed_articles($this->link, $id);
}
function rescore() {
require_once "rssfuncs.php";
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
@ -1132,9 +1132,9 @@ class Pref_Feeds extends Handler_Protected {
}
function categorize() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
$cat_id = db_escape_string($_REQUEST["cat_id"]);
$cat_id = db_escape_string($this->link, $_REQUEST["cat_id"]);
if ($cat_id == 0) {
$cat_id_qpart = 'NULL';
@ -1156,14 +1156,14 @@ class Pref_Feeds extends Handler_Protected {
}
function removeCat() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
$this->remove_feed_category($this->link, $id, $_SESSION["uid"]);
}
}
function addCat() {
$feed_cat = db_escape_string(trim($_REQUEST["cat"]));
$feed_cat = db_escape_string($this->link, trim($_REQUEST["cat"]));
add_feed_category($this->link, $feed_cat);
}
@ -1205,7 +1205,7 @@ class Pref_Feeds extends Handler_Protected {
__("Inactive feeds") . "</button>";
}
$feed_search = db_escape_string($_REQUEST["search"]);
$feed_search = db_escape_string($this->link, $_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_feed_search"] = $feed_search;

36
classes/pref/filters.php
Unescape Escape View File

@ -13,7 +13,7 @@ class Pref_Filters extends Handler_Protected {
$filter["enabled"] = true;
$filter["match_any_rule"] = sql_bool_to_bool(
checkbox_to_sql_bool(db_escape_string($_REQUEST["match_any_rule"])));
checkbox_to_sql_bool(db_escape_string($this->link, $_REQUEST["match_any_rule"])));
$filter["rules"] = array();
$result = db_query($this->link, "SELECT id,name FROM ttrss_filter_types");
@ -168,7 +168,7 @@ class Pref_Filters extends Handler_Protected {
if ($line['action_id'] == 7) {
$label_result = db_query($this->link, "SELECT fg_color, bg_color
FROM ttrss_labels2 WHERE caption = '".db_escape_string($line['action_param'])."' AND
FROM ttrss_labels2 WHERE caption = '".db_escape_string($this->link, $line['action_param'])."' AND
owner_uid = " . $_SESSION["uid"]);
if (db_num_rows($label_result) > 0) {
@ -207,7 +207,7 @@ class Pref_Filters extends Handler_Protected {
function edit() {
$filter_id = db_escape_string($_REQUEST["id"]);
$filter_id = db_escape_string($this->link, $_REQUEST["id"]);
$result = db_query($this->link,
"SELECT * FROM ttrss_filters2 WHERE id = '$filter_id' AND owner_uid = " . $_SESSION["uid"]);
@ -403,9 +403,9 @@ class Pref_Filters extends Handler_Protected {
# print_r($_REQUEST);
$filter_id = db_escape_string($_REQUEST["id"]);
$enabled = checkbox_to_sql_bool(db_escape_string($_REQUEST["enabled"]));
$match_any_rule = checkbox_to_sql_bool(db_escape_string($_REQUEST["match_any_rule"]));
$filter_id = db_escape_string($this->link, $_REQUEST["id"]);
$enabled = checkbox_to_sql_bool(db_escape_string($this->link, $_REQUEST["enabled"]));
$match_any_rule = checkbox_to_sql_bool(db_escape_string($this->link, $_REQUEST["match_any_rule"]));
$result = db_query($this->link, "UPDATE ttrss_filters2 SET enabled = $enabled,
match_any_rule = $match_any_rule
@ -418,7 +418,7 @@ class Pref_Filters extends Handler_Protected {
function remove() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
db_query($this->link, "DELETE FROM ttrss_filters2 WHERE id = '$id' AND owner_uid = ". $_SESSION["uid"]);
@ -457,9 +457,9 @@ class Pref_Filters extends Handler_Protected {
foreach ($rules as $rule) {
if ($rule) {
$reg_exp = strip_tags(db_escape_string(trim($rule["reg_exp"])));
$filter_type = (int) db_escape_string(trim($rule["filter_type"]));
$feed_id = db_escape_string(trim($rule["feed_id"]));
$reg_exp = strip_tags(db_escape_string($this->link, trim($rule["reg_exp"])));
$filter_type = (int) db_escape_string($this->link, trim($rule["filter_type"]));
$feed_id = db_escape_string($this->link, trim($rule["feed_id"]));
if (strpos($feed_id, "CAT:") === 0) {
@ -487,9 +487,9 @@ class Pref_Filters extends Handler_Protected {
foreach ($actions as $action) {
if ($action) {
$action_id = (int) db_escape_string($action["action_id"]);
$action_param = db_escape_string($action["action_param"]);
$action_param_label = db_escape_string($action["action_param_label"]);
$action_id = (int) db_escape_string($this->link, $action["action_id"]);
$action_param = db_escape_string($this->link, $action["action_param"]);
$action_param_label = db_escape_string($this->link, $action["action_param_label"]);
if ($action_id == 7) {
$action_param = $action_param_label;
@ -541,13 +541,13 @@ class Pref_Filters extends Handler_Protected {
function index() {
$sort = db_escape_string($_REQUEST["sort"]);
$sort = db_escape_string($this->link, $_REQUEST["sort"]);
if (!$sort || $sort == "undefined") {
$sort = "reg_exp";
}
$filter_search = db_escape_string($_REQUEST["search"]);
$filter_search = db_escape_string($this->link, $_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_filter_search"] = $filter_search;
@ -559,7 +559,7 @@ class Pref_Filters extends Handler_Protected {
print "<div id=\"pref-filter-header\" dojoType=\"dijit.layout.ContentPane\" region=\"top\">";
print "<div id=\"pref-filter-toolbar\" dojoType=\"dijit.Toolbar\">";
$filter_search = db_escape_string($_REQUEST["search"]);
$filter_search = db_escape_string($this->link, $_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_filter_search"] = $filter_search;
@ -806,7 +806,7 @@ class Pref_Filters extends Handler_Protected {
$action = json_decode($_REQUEST["action"], true);
if ($action) {
$action_param = db_escape_string($action["action_param"]);
$action_param = db_escape_string($this->link, $action["action_param"]);
$action_id = (int)$action["action_id"];
} else {
$action_param = "";
@ -914,7 +914,7 @@ class Pref_Filters extends Handler_Protected {
}
function join() {
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
if (count($ids) > 1) {
$base_id = array_shift($ids);

34
classes/pref/labels.php
Unescape Escape View File

@ -8,7 +8,7 @@ class Pref_Labels extends Handler_Protected {
}
function edit() {
$label_id = db_escape_string($_REQUEST['id']);
$label_id = db_escape_string($this->link, $_REQUEST['id']);
$result = db_query($this->link, "SELECT * FROM ttrss_labels2 WHERE
id = '$label_id' AND owner_uid = " . $_SESSION["uid"]);
@ -118,11 +118,11 @@ class Pref_Labels extends Handler_Protected {
}
function colorset() {
$kind = db_escape_string($_REQUEST["kind"]);
$ids = split(',', db_escape_string($_REQUEST["ids"]));
$color = db_escape_string($_REQUEST["color"]);
$fg = db_escape_string($_REQUEST["fg"]);
$bg = db_escape_string($_REQUEST["bg"]);
$kind = db_escape_string($this->link, $_REQUEST["kind"]);
$ids = split(',', db_escape_string($this->link, $_REQUEST["ids"]));
$color = db_escape_string($this->link, $_REQUEST["color"]);
$fg = db_escape_string($this->link, $_REQUEST["fg"]);
$bg = db_escape_string($this->link, $_REQUEST["bg"]);
foreach ($ids as $id) {
@ -136,7 +136,7 @@ class Pref_Labels extends Handler_Protected {
AND owner_uid = " . $_SESSION["uid"]);
}
$caption = db_escape_string(label_find_caption($this->link, $id, $_SESSION["uid"]));
$caption = db_escape_string($this->link, label_find_caption($this->link, $id, $_SESSION["uid"]));
/* Remove cached data */
@ -149,14 +149,14 @@ class Pref_Labels extends Handler_Protected {
}
function colorreset() {
$ids = split(',', db_escape_string($_REQUEST["ids"]));
$ids = split(',', db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
db_query($this->link, "UPDATE ttrss_labels2 SET
fg_color = '', bg_color = '' WHERE id = '$id'
AND owner_uid = " . $_SESSION["uid"]);
$caption = db_escape_string(label_find_caption($this->link, $id, $_SESSION["uid"]));
$caption = db_escape_string($this->link, label_find_caption($this->link, $id, $_SESSION["uid"]));
/* Remove cached data */
@ -168,8 +168,8 @@ class Pref_Labels extends Handler_Protected {
function save() {
$id = db_escape_string($_REQUEST["id"]);
$caption = db_escape_string(trim($_REQUEST["caption"]));
$id = db_escape_string($this->link, $_REQUEST["id"]);
$caption = db_escape_string($this->link, trim($_REQUEST["caption"]));
db_query($this->link, "BEGIN");
@ -190,7 +190,7 @@ class Pref_Labels extends Handler_Protected {
/* Update filters that reference label being renamed */
$old_caption = db_escape_string($old_caption);
$old_caption = db_escape_string($this->link, $old_caption);
db_query($this->link, "UPDATE ttrss_filters2_actions SET
action_param = '$caption' WHERE action_param = '$old_caption'
@ -213,7 +213,7 @@ class Pref_Labels extends Handler_Protected {
function remove() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
label_remove($this->link, $id, $_SESSION["uid"]);
@ -222,8 +222,8 @@ class Pref_Labels extends Handler_Protected {
}
function add() {
$caption = db_escape_string($_REQUEST["caption"]);
$output = db_escape_string($_REQUEST["output"]);
$caption = db_escape_string($this->link, $_REQUEST["caption"]);
$output = db_escape_string($this->link, $_REQUEST["output"]);
if ($caption) {
@ -250,13 +250,13 @@ class Pref_Labels extends Handler_Protected {
function index() {
$sort = db_escape_string($_REQUEST["sort"]);
$sort = db_escape_string($this->link, $_REQUEST["sort"]);
if (!$sort || $sort == "undefined") {
$sort = "caption";
}
$label_search = db_escape_string($_REQUEST["search"]);
$label_search = db_escape_string($this->link, $_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_label_search"] = $label_search;

16
classes/pref/prefs.php
Unescape Escape View File

@ -50,8 +50,8 @@ class Pref_Prefs extends Handler_Protected {
foreach (array_keys($_POST) as $pref_name) {
$pref_name = db_escape_string($pref_name);
$value = db_escape_string($_POST[$pref_name]);
$pref_name = db_escape_string($this->link, $pref_name);
$value = db_escape_string($this->link, $_POST[$pref_name]);
if ($pref_name == 'DIGEST_PREFERRED_TIME') {
if (get_pref($this->link, 'DIGEST_PREFERRED_TIME') != $value) {
@ -71,7 +71,7 @@ class Pref_Prefs extends Handler_Protected {
function getHelp() {
$pref_name = db_escape_string($_REQUEST["pn"]);
$pref_name = db_escape_string($this->link, $_REQUEST["pn"]);
$result = db_query($this->link, "SELECT help_text FROM ttrss_prefs
WHERE pref_name = '$pref_name'");
@ -86,8 +86,8 @@ class Pref_Prefs extends Handler_Protected {
function changeemail() {
$email = db_escape_string($_POST["email"]);
$full_name = db_escape_string($_POST["full_name"]);
$email = db_escape_string($this->link, $_POST["email"]);
$full_name = db_escape_string($this->link, $_POST["full_name"]);
$active_uid = $_SESSION["uid"];
@ -798,7 +798,7 @@ class Pref_Prefs extends Handler_Protected {
}
function otpenable() {
$password = db_escape_string($_REQUEST["password"]);
$password = db_escape_string($this->link, $_REQUEST["password"]);
$enable_otp = $_REQUEST["enable_otp"] == "on";
global $pluginhost;
@ -819,7 +819,7 @@ class Pref_Prefs extends Handler_Protected {
}
function otpdisable() {
$password = db_escape_string($_REQUEST["password"]);
$password = db_escape_string($this->link, $_REQUEST["password"]);
global $pluginhost;
$authenticator = $pluginhost->get_plugin($_SESSION["auth_module"]);
@ -846,7 +846,7 @@ class Pref_Prefs extends Handler_Protected {
}
function clearplugindata() {
$name = db_escape_string($_REQUEST["name"]);
$name = db_escape_string($this->link, $_REQUEST["name"]);
global $pluginhost;
$pluginhost->clear_data($pluginhost->get_plugin($name));

20
classes/pref/users.php
Unescape Escape View File

@ -116,7 +116,7 @@ class Pref_Users extends Handler_Protected {
header("Content-Type: text/xml");
$id = db_escape_string($_REQUEST["id"]);
$id = db_escape_string($this->link, $_REQUEST["id"]);
print "<dlg id=\"$method\">";
print "<title>".__('User Editor')."</title>";
@ -199,11 +199,11 @@ class Pref_Users extends Handler_Protected {
}
function editSave() {
$login = db_escape_string(trim($_REQUEST["login"]));
$uid = db_escape_string($_REQUEST["id"]);
$login = db_escape_string($this->link, trim($_REQUEST["login"]));
$uid = db_escape_string($this->link, $_REQUEST["id"]);
$access_level = (int) $_REQUEST["access_level"];
$email = db_escape_string(trim($_REQUEST["email"]));
$password = db_escape_string(trim($_REQUEST["password"]));
$email = db_escape_string($this->link, trim($_REQUEST["email"]));
$password = db_escape_string($this->link, trim($_REQUEST["password"]));
if ($password) {
$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
@ -220,7 +220,7 @@ class Pref_Users extends Handler_Protected {
}
function remove() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
if ($id != $_SESSION["uid"] && $id != 1) {
@ -233,7 +233,7 @@ class Pref_Users extends Handler_Protected {
function add() {
$login = db_escape_string(trim($_REQUEST["login"]));
$login = db_escape_string($this->link, trim($_REQUEST["login"]));
$tmp_user_pwd = make_password(8);
$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
$pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
@ -272,7 +272,7 @@ class Pref_Users extends Handler_Protected {
function resetPass() {
$uid = db_escape_string($_REQUEST["id"]);
$uid = db_escape_string($this->link, $_REQUEST["id"]);
$result = db_query($this->link, "SELECT login,email
FROM ttrss_users WHERE id = '$uid'");
@ -353,7 +353,7 @@ class Pref_Users extends Handler_Protected {
print "<div id=\"pref-user-toolbar\" dojoType=\"dijit.Toolbar\">";
$user_search = db_escape_string($_REQUEST["search"]);
$user_search = db_escape_string($this->link, $_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_user_search"] = $user_search;
@ -368,7 +368,7 @@ class Pref_Users extends Handler_Protected {
__('Search')."</button>
</div>";
$sort = db_escape_string($_REQUEST["sort"]);
$sort = db_escape_string($this->link, $_REQUEST["sort"]);
if (!$sort || $sort == "undefined") {
$sort = "login";

108
classes/rpc.php
Unescape Escape View File

@ -8,14 +8,14 @@ class RPC extends Handler_Protected {
}
function setprofile() {
$id = db_escape_string($_REQUEST["id"]);
$id = db_escape_string($this->link, $_REQUEST["id"]);
$_SESSION["profile"] = $id;
$_SESSION["prefs_cache"] = array();
}
function remprofiles() {
$ids = explode(",", db_escape_string(trim($_REQUEST["ids"])));
$ids = explode(",", db_escape_string($this->link, trim($_REQUEST["ids"])));
foreach ($ids as $id) {
if ($_SESSION["profile"] != $id) {
@ -27,7 +27,7 @@ class RPC extends Handler_Protected {
// Silent
function addprofile() {
$title = db_escape_string(trim($_REQUEST["title"]));
$title = db_escape_string($this->link, trim($_REQUEST["title"]));
if ($title) {
db_query($this->link, "BEGIN");
@ -57,8 +57,8 @@ class RPC extends Handler_Protected {
// Silent
function saveprofile() {
$id = db_escape_string($_REQUEST["id"]);
$title = db_escape_string(trim($_REQUEST["value"]));
$id = db_escape_string($this->link, $_REQUEST["id"]);
$title = db_escape_string($this->link, trim($_REQUEST["value"]));
if ($id == 0) {
print __("Default profile");
@ -88,7 +88,7 @@ class RPC extends Handler_Protected {
// Silent
function remarchive() {
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
$result = db_query($this->link, "DELETE FROM ttrss_archived_feeds WHERE
@ -101,11 +101,11 @@ class RPC extends Handler_Protected {
}
function addfeed() {
$feed = db_escape_string($_REQUEST['feed']);
$cat = db_escape_string($_REQUEST['cat']);
$login = db_escape_string($_REQUEST['login']);
$pass = db_escape_string($_REQUEST['pass']);
$need_auth = db_escape_string($_REQUEST['need_auth']) != "";
$feed = db_escape_string($this->link, $_REQUEST['feed']);
$cat = db_escape_string($this->link, $_REQUEST['cat']);
$login = db_escape_string($this->link, $_REQUEST['login']);
$pass = db_escape_string($this->link, $_REQUEST['pass']);
$need_auth = db_escape_string($this->link, $_REQUEST['need_auth']) != "";
$rc = subscribe_to_feed($this->link, $feed, $cat, $login, $pass, $need_auth);
@ -113,7 +113,7 @@ class RPC extends Handler_Protected {
}
function togglepref() {
$key = db_escape_string($_REQUEST["key"]);
$key = db_escape_string($this->link, $_REQUEST["key"]);
set_pref($this->link, $key, !get_pref($this->link, $key));
$value = get_pref($this->link, $key);
@ -132,7 +132,7 @@ class RPC extends Handler_Protected {
function mark() {
$mark = $_REQUEST["mark"];
$id = db_escape_string($_REQUEST["id"]);
$id = db_escape_string($this->link, $_REQUEST["id"]);
if ($mark == "1") {
$mark = "true";
@ -148,7 +148,7 @@ class RPC extends Handler_Protected {
}
function delete() {
$ids = db_escape_string($_REQUEST["ids"]);
$ids = db_escape_string($this->link, $_REQUEST["ids"]);
$result = db_query($this->link, "DELETE FROM ttrss_user_entries
WHERE ref_id IN ($ids) AND owner_uid = " . $_SESSION["uid"]);
@ -157,7 +157,7 @@ class RPC extends Handler_Protected {
}
function unarchive() {
$ids = db_escape_string($_REQUEST["ids"]);
$ids = db_escape_string($this->link, $_REQUEST["ids"]);
$result = db_query($this->link, "UPDATE ttrss_user_entries
SET feed_id = orig_feed_id, orig_feed_id = NULL
@ -167,7 +167,7 @@ class RPC extends Handler_Protected {
}
function archive() {
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
$this->archive_article($this->link, $id, $_SESSION["uid"]);
@ -210,8 +210,8 @@ class RPC extends Handler_Protected {
function publ() {
$pub = $_REQUEST["pub"];
$id = db_escape_string($_REQUEST["id"]);
$note = trim(strip_tags(db_escape_string($_REQUEST["note"])));
$id = db_escape_string($this->link, $_REQUEST["id"]);
$note = trim(strip_tags(db_escape_string($this->link, $_REQUEST["note"])));
if ($pub == "1") {
$pub = "true";
@ -257,7 +257,7 @@ class RPC extends Handler_Protected {
/* GET["cmode"] = 0 - mark as read, 1 - as unread, 2 - toggle */
function catchupSelected() {
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
$cmode = sprintf("%d", $_REQUEST["cmode"]);
catchupArticlesById($this->link, $ids, $cmode);
@ -266,7 +266,7 @@ class RPC extends Handler_Protected {
}
function markSelected() {
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
$cmode = sprintf("%d", $_REQUEST["cmode"]);
$this->markArticlesById($this->link, $ids, $cmode);
@ -275,7 +275,7 @@ class RPC extends Handler_Protected {
}
function publishSelected() {
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
$cmode = sprintf("%d", $_REQUEST["cmode"]);
$this->publishArticlesById($this->link, $ids, $cmode);
@ -301,9 +301,9 @@ class RPC extends Handler_Protected {
function setArticleTags() {
$id = db_escape_string($_REQUEST["id"]);
$id = db_escape_string($this->link, $_REQUEST["id"]);
$tags_str = db_escape_string($_REQUEST["tags_str"]);
$tags_str = db_escape_string($this->link, $_REQUEST["tags_str"]);
$tags = array_unique(trim_array(explode(",", $tags_str)));
db_query($this->link, "BEGIN");
@ -373,7 +373,7 @@ class RPC extends Handler_Protected {
}
function completeLabels() {
$search = db_escape_string($_REQUEST["search"]);
$search = db_escape_string($this->link, $_REQUEST["search"]);
$result = db_query($this->link, "SELECT DISTINCT caption FROM
ttrss_labels2
@ -390,7 +390,7 @@ class RPC extends Handler_Protected {
function completeTags() {
$search = db_escape_string($_REQUEST["search"]);
$search = db_escape_string($this->link, $_REQUEST["search"]);
$result = db_query($this->link, "SELECT DISTINCT tag_name FROM ttrss_tags
WHERE owner_uid = '".$_SESSION["uid"]."' AND
@ -405,7 +405,7 @@ class RPC extends Handler_Protected {
}
function purge() {
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
$days = sprintf("%d", $_REQUEST["days"]);
foreach ($ids as $id) {
@ -420,7 +420,7 @@ class RPC extends Handler_Protected {
}
function getArticles() {
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
$articles = array();
foreach ($ids as $id) {
@ -433,7 +433,7 @@ class RPC extends Handler_Protected {
}
function checkDate() {
$date = db_escape_string($_REQUEST["date"]);
$date = db_escape_string($this->link, $_REQUEST["date"]);
$date_parsed = strtotime($date);
print json_encode(array("result" => (bool)$date_parsed,
@ -451,10 +451,10 @@ class RPC extends Handler_Protected {
function labelops($assign) {
$reply = array();
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$label_id = db_escape_string($_REQUEST["lid"]);
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
$label_id = db_escape_string($this->link, $_REQUEST["lid"]);
$label = db_escape_string(label_find_caption($this->link, $label_id,
$label = db_escape_string($this->link, label_find_caption($this->link, $label_id,
$_SESSION["uid"]));
$reply["info-for-headlines"] = array();
@ -482,9 +482,9 @@ class RPC extends Handler_Protected {
}
function updateFeedBrowser() {
$search = db_escape_string($_REQUEST["search"]);
$limit = db_escape_string($_REQUEST["limit"]);
$mode = (int) db_escape_string($_REQUEST["mode"]);
$search = db_escape_string($this->link, $_REQUEST["search"]);
$limit = db_escape_string($this->link, $_REQUEST["limit"]);
$mode = (int) db_escape_string($this->link, $_REQUEST["mode"]);
require_once "feedbrowser.php";
@ -504,8 +504,8 @@ class RPC extends Handler_Protected {
if ($mode == 1) {
foreach ($payload as $feed) {
$title = db_escape_string($feed[0]);
$feed_url = db_escape_string($feed[1]);
$title = db_escape_string($this->link, $feed[0]);
$feed_url = db_escape_string($this->link, $feed[1]);
$result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE
feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]);
@ -524,9 +524,9 @@ class RPC extends Handler_Protected {
WHERE id = '$id' AND owner_uid = " . $_SESSION["uid"]);
if (db_num_rows($result) != 0) {
$site_url = db_escape_string(db_fetch_result($result, 0, "site_url"));
$feed_url = db_escape_string(db_fetch_result($result, 0, "feed_url"));
$title = db_escape_string(db_fetch_result($result, 0, "title"));
$site_url = db_escape_string($this->link, db_fetch_result($result, 0, "site_url"));
$feed_url = db_escape_string($this->link, db_fetch_result($result, 0, "feed_url"));
$title = db_escape_string($this->link, db_fetch_result($result, 0, "title"));
$result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE
feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]);
@ -543,9 +543,9 @@ class RPC extends Handler_Protected {
}
function catchupFeed() {
$feed_id = db_escape_string($_REQUEST['feed_id']);
$is_cat = db_escape_string($_REQUEST['is_cat']) == "true";
$max_id = (int) db_escape_string($_REQUEST['max_id']);
$feed_id = db_escape_string($this->link, $_REQUEST['feed_id']);
$is_cat = db_escape_string($this->link, $_REQUEST['is_cat']) == "true";
$max_id = (int) db_escape_string($this->link, $_REQUEST['max_id']);
catchup_feed($this->link, $feed_id, $is_cat, false, $max_id);
@ -553,7 +553,7 @@ class RPC extends Handler_Protected {
}
function quickAddCat() {
$cat = db_escape_string($_REQUEST["cat"]);
$cat = db_escape_string($this->link, $_REQUEST["cat"]);
add_feed_category($this->link, $cat);
@ -570,8 +570,8 @@ class RPC extends Handler_Protected {
}
function regenFeedKey() {
$feed_id = db_escape_string($_REQUEST['id']);
$is_cat = db_escape_string($_REQUEST['is_cat']) == "true";
$feed_id = db_escape_string($this->link, $_REQUEST['id']);
$is_cat = db_escape_string($this->link, $_REQUEST['is_cat']) == "true";
$new_key = $this->update_feed_access_key($this->link, $feed_id, $is_cat);
@ -619,11 +619,11 @@ class RPC extends Handler_Protected {
}
function batchAddFeeds() {
$cat_id = db_escape_string($_REQUEST['cat']);
$feeds = explode("\n", db_escape_string($_REQUEST['feeds']));
$login = db_escape_string($_REQUEST['login']);
$pass = db_escape_string($_REQUEST['pass']);
$need_auth = db_escape_string($_REQUEST['need_auth']) != "";
$cat_id = db_escape_string($this->link, $_REQUEST['cat']);
$feeds = explode("\n", db_escape_string($this->link, $_REQUEST['feeds']));
$login = db_escape_string($this->link, $_REQUEST['login']);
$pass = db_escape_string($this->link, $_REQUEST['pass']);
$need_auth = db_escape_string($this->link, $_REQUEST['need_auth']) != "";
foreach ($feeds as $feed) {
$feed = trim($feed);
@ -656,8 +656,8 @@ class RPC extends Handler_Protected {
}
function setScore() {
$ids = db_escape_string($_REQUEST['id']);
$score = (int)db_escape_string($_REQUEST['score']);
$ids = db_escape_string($this->link, $_REQUEST['id']);
$score = (int)db_escape_string($this->link, $_REQUEST['score']);
db_query($this->link, "UPDATE ttrss_user_entries SET
score = '$score' WHERE ref_id IN ($ids) AND owner_uid = " . $_SESSION["uid"]);
@ -756,7 +756,7 @@ class RPC extends Handler_Protected {
AND owner_uid = " . $owner_uid);
if (db_num_rows($result) == 1) {
$key = db_escape_string(sha1(uniqid(rand(), true)));
$key = db_escape_string($this->link, sha1(uniqid(rand(), true)));
db_query($link, "UPDATE ttrss_access_keys SET access_key = '$key'
WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat
@ -830,7 +830,7 @@ class RPC extends Handler_Protected {
}
function getlinkbyid() {
$id = db_escape_string($_REQUEST['id']);
$id = db_escape_string($this->link, $_REQUEST['id']);
$result = db_query($this->link, "SELECT link FROM ttrss_entries, ttrss_user_entries
WHERE ref_id = '$id' AND ref_id = id AND owner_uid = ". $_SESSION["uid"]);

6
include/db-prefs.php
Unescape Escape View File

@ -44,7 +44,7 @@
function get_pref($link, $pref_name, $user_id = false, $die_on_error = false) {
$pref_name = db_escape_string($pref_name);
$pref_name = db_escape_string($link, $pref_name);
$prefs_cache = true;
$profile = false;
@ -115,8 +115,8 @@
}
function set_pref($link, $pref_name, $value, $user_id = false, $strip_tags = true) {
$pref_name = db_escape_string($pref_name);
$value = db_escape_string($value, $strip_tags);
$pref_name = db_escape_string($link, $pref_name);
$value = db_escape_string($link, $value, $strip_tags);
if (!$user_id) {
$user_id = $_SESSION["uid"];

14
include/db.php
Unescape Escape View File

@ -41,21 +41,13 @@ function db_connect($host, $user, $pass, $db) {
}
}
function db_escape_string($s, $strip_tags = true, $link = NULL) {
function db_escape_string($link, $s, $strip_tags = true) {
if ($strip_tags) $s = strip_tags($s);
if (DB_TYPE == "pgsql") {
if ($link) {
return pg_escape_string($link, $s);
} else {
return pg_escape_string($s);
}
return pg_escape_string($link, $s);
} else {
if ($link) {
return mysql_real_escape_string($s, $link);
} else {
return mysql_real_escape_string($s);
}
return mysql_real_escape_string($s, $link);
}
}

18
include/functions.php
Unescape Escape View File

@ -516,7 +516,7 @@
function initialize_user_prefs($link, $uid, $profile = false) {
$uid = db_escape_string($uid);
$uid = db_escape_string($link, $uid);
if (!$profile) {
$profile = "NULL";
@ -911,7 +911,7 @@
}
}
if (db_escape_string("testTEST") != "testTEST") {
if (db_escape_string($link, "testTEST") != "testTEST") {
$error_code = 12;
}
@ -1086,7 +1086,7 @@
} else { // tag
db_query($link, "BEGIN");
$tag_name = db_escape_string($feed);
$tag_name = db_escape_string($link, $feed);
$result = db_query($link, "SELECT post_int_id FROM ttrss_tags
WHERE tag_name = '$tag_name' AND owner_uid = $owner_uid");
@ -1283,7 +1283,7 @@
return 0;
} else if ($feed != "0" && $n_feed == 0) {
$feed = db_escape_string($feed);
$feed = db_escape_string($link, $feed);
$result = db_query($link, "SELECT SUM((SELECT COUNT(int_id)
FROM ttrss_user_entries,ttrss_entries WHERE int_id = post_int_id
@ -2744,7 +2744,7 @@
function get_article_tags($link, $id, $owner_uid = 0, $tag_cache = false) {
$a_id = db_escape_string($id);
$a_id = db_escape_string($link, $id);
if (!$owner_uid) $owner_uid = $_SESSION["uid"];
@ -2779,7 +2779,7 @@
/* update the cache */
$tags_str = db_escape_string(join(",", $tags));
$tags_str = db_escape_string($link, join(",", $tags));
db_query($link, "UPDATE ttrss_user_entries
SET tag_cache = '$tags_str' WHERE ref_id = '$id'
@ -3511,7 +3511,7 @@
if (db_num_rows($result) == 1) {
return db_fetch_result($result, 0, "access_key");
} else {
$key = db_escape_string(sha1(uniqid(rand(), true)));
$key = db_escape_string($link, sha1(uniqid(rand(), true)));
$result = db_query($link, "INSERT INTO ttrss_access_keys
(access_key, feed_id, is_cat, owner_uid)
@ -3865,7 +3865,7 @@
if ($regexp_valid) {
$rule['reg_exp'] = db_escape_string($rule['reg_exp']);
$rule['reg_exp'] = db_escape_string($link, $rule['reg_exp']);
switch ($rule["type"]) {
case "title":
@ -3896,7 +3896,7 @@
}
if (isset($rule["feed_id"]) && $rule["feed_id"] > 0) {
$qpart .= " AND feed_id = " . db_escape_string($rule["feed_id"]);
$qpart .= " AND feed_id = " . db_escape_string($link, $rule["feed_id"]);
}
if (isset($rule["cat_id"])) {

2
include/labels.php
Unescape Escape View File

@ -88,7 +88,7 @@
if (!$labels)
$labels = get_article_labels($link, $id);
$labels = db_escape_string(json_encode($labels));
$labels = db_escape_string($link, json_encode($labels));
db_query($link, "UPDATE ttrss_user_entries SET
label_cache = '$labels' WHERE ref_id = '$id' AND owner_uid = '$owner_uid'");

54
include/rssfuncs.php
Unescape Escape View File

@ -18,10 +18,10 @@
$count = 0;
while ($line = db_fetch_assoc($result)) {
$subscribers = db_escape_string($line["subscribers"]);
$feed_url = db_escape_string($line["feed_url"]);
$title = db_escape_string($line["title"]);
$site_url = db_escape_string($line["site_url"]);
$subscribers = db_escape_string($link, $line["subscribers"]);
$feed_url = db_escape_string($link, $line["feed_url"]);
$title = db_escape_string($link, $line["title"]);
$site_url = db_escape_string($link, $line["site_url"]);
$tmp_result = db_query($link, "SELECT subscribers FROM
ttrss_feedbrowser_cache WHERE feed_url = '$feed_url'");
@ -200,7 +200,7 @@
$cache_images = sql_bool_to_bool(db_fetch_result($result, 0, "cache_images"));
$fetch_url = db_fetch_result($result, 0, "feed_url");
$feed = db_escape_string($feed);
$feed = db_escape_string($link, $feed);
/* if ($auth_login && $auth_pass ){
$url_parts = array();
@ -238,7 +238,7 @@
_debug("update_rss_feed: unable to fetch: $fetch_last_error");
}
$error_escaped = db_escape_string($fetch_last_error);
$error_escaped = db_escape_string($link, $fetch_last_error);
db_query($link,
"UPDATE ttrss_feeds SET last_error = '$error_escaped',
@ -287,7 +287,7 @@
// print_r($rss);
$feed = db_escape_string($feed);
$feed = db_escape_string($link, $feed);
if (!$rss->error()) {
@ -318,7 +318,7 @@
$owner_uid = db_fetch_result($result, 0, "owner_uid");
$site_url = db_escape_string(mb_substr(rewrite_relative_url($fetch_url, $rss->get_link()), 0, 245));
$site_url = db_escape_string($link, mb_substr(rewrite_relative_url($fetch_url, $rss->get_link()), 0, 245));
if ($debug_enabled) {
_debug("update_rss_feed: checking favicon...");
@ -333,7 +333,7 @@
if (!$registered_title || $registered_title == "[Unknown]") {
$feed_title = db_escape_string($rss->get_title());
$feed_title = db_escape_string($link, $rss->get_title());
if ($debug_enabled) {
_debug("update_rss_feed: registering title: $feed_title");
@ -475,13 +475,13 @@
$entry_author = $entry_author_item->get_name();
if (!$entry_author) $entry_author = $entry_author_item->get_email();
$entry_author = db_escape_string($entry_author);
$entry_author = db_escape_string($link, $entry_author);
}
$entry_guid = db_escape_string(mb_substr($entry_guid, 0, 245));
$entry_guid = db_escape_string($link, mb_substr($entry_guid, 0, 245));
$entry_comments = db_escape_string(mb_substr($entry_comments, 0, 245));
$entry_author = db_escape_string(mb_substr($entry_author, 0, 245));
$entry_comments = db_escape_string($link, mb_substr($entry_comments, 0, 245));
$entry_author = db_escape_string($link, mb_substr($entry_author, 0, 245));
$num_comments = $item->get_item_tags('http://purl.org/rss/1.0/modules/slash/', 'comments');
@ -539,7 +539,7 @@
// FIXME not sure if owner_uid is a good idea here, we may have a base entry without user entry (?)
$result = db_query($link, "SELECT plugin_data,title,content,link,tag_cache,author FROM ttrss_entries, ttrss_user_entries
WHERE ref_id = id AND guid = '".db_escape_string($entry_guid)."' AND owner_uid = $owner_uid");
WHERE ref_id = id AND guid = '".db_escape_string($link, $entry_guid)."' AND owner_uid = $owner_uid");
if (db_num_rows($result) != 0) {
$entry_plugin_data = db_fetch_result($result, 0, "plugin_data");
@ -568,11 +568,11 @@
}
$entry_tags = $article["tags"];
$entry_guid = db_escape_string($entry_guid);
$entry_title = db_escape_string($article["title"]);
$entry_author = db_escape_string($article["author"]);
$entry_link = db_escape_string($article["link"]);
$entry_plugin_data = db_escape_string($article["plugin_data"]);
$entry_guid = db_escape_string($link, $entry_guid);
$entry_title = db_escape_string($link, $article["title"]);
$entry_author = db_escape_string($link, $article["author"]);
$entry_link = db_escape_string($link, $article["link"]);
$entry_plugin_data = db_escape_string($link, $article["plugin_data"]);
$entry_content = $article["content"]; // escaped below
@ -583,7 +583,7 @@
if ($cache_images && is_writable(CACHE_DIR . '/images'))
cache_images($entry_content, $site_url, $debug_enabled);
$entry_content = db_escape_string($entry_content, false);
$entry_content = db_escape_string($link, $entry_content, false);
$content_hash = "SHA1:" . sha1($entry_content);
@ -829,7 +829,7 @@
$update_insignificant = false;
}
if (db_escape_string($orig_title) != $entry_title) {
if (db_escape_string($link, $orig_title) != $entry_title) {
$post_needs_update = true;
$update_insignificant = false;
}
@ -896,9 +896,9 @@
db_query($link, "BEGIN");
foreach ($enclosures as $enc) {
$enc_url = db_escape_string($enc[0]);
$enc_type = db_escape_string($enc[1]);
$enc_dur = db_escape_string($enc[2]);
$enc_url = db_escape_string($link, $enc[0]);
$enc_type = db_escape_string($link, $enc[1]);
$enc_dur = db_escape_string($link, $enc[2]);
$result = db_query($link, "SELECT id FROM ttrss_enclosures
WHERE content_url = '$enc_url' AND post_id = '$entry_ref_id'");
@ -959,7 +959,7 @@
foreach ($filtered_tags as $tag) {
$tag = sanitize_tag($tag);
$tag = db_escape_string($tag);
$tag = db_escape_string($link, $tag);
if (!tag_is_valid($tag)) continue;
@ -981,7 +981,7 @@
$tags_to_cache = array_unique($tags_to_cache);
$tags_str = db_escape_string(join(",", $tags_to_cache));
$tags_str = db_escape_string($link, join(",", $tags_to_cache));
db_query($link, "UPDATE ttrss_user_entries
SET tag_cache = '$tags_str' WHERE ref_id = '$entry_ref_id'
@ -1031,7 +1031,7 @@
} else {
$error_msg = db_escape_string(mb_substr($rss->error(), 0, 245));
$error_msg = db_escape_string($link, mb_substr($rss->error(), 0, 245));
if ($debug_enabled) {
_debug("update_rss_feed: error fetching feed: $error_msg");

4
include/sessions.php
Unescape Escape View File

@ -53,7 +53,7 @@
$expire = time() + $session_expire;
$data = db_escape_string(base64_encode($data), false, $session_connection);
$data = db_escape_string($session_connection, base64_encode($data), false);
if ($session_read) {
$query = "UPDATE ttrss_sessions SET data='$data',
@ -71,7 +71,7 @@
global $session_connection;
db_close($session_connection);
//db_close($session_connection);
return true;
}

2
opml.php
Unescape Escape View File

@ -16,7 +16,7 @@
$op = $_REQUEST['op'];
if ($op == "publish"){
$key = db_escape_string($_REQUEST["key"]);
$key = db_escape_string($link, $_REQUEST["key"]);
$result = db_query($link, "SELECT owner_uid
FROM ttrss_access_keys WHERE

8
plugins/auth_internal/init.php
Unescape Escape View File

@ -22,8 +22,8 @@ class Auth_Internal extends Plugin implements IAuthModule {
$pwd_hash1 = encrypt_password($password);
$pwd_hash2 = encrypt_password($password, $login);
$login = db_escape_string($login);
$otp = db_escape_string($_REQUEST["otp"]);
$login = db_escape_string($this->link, $login);
$otp = db_escape_string($this->link, $_REQUEST["otp"]);
if (get_schema_version($this->link) > 96) {
if (!defined('AUTH_DISABLE_OTP') || !AUTH_DISABLE_OTP) {
@ -140,7 +140,7 @@ class Auth_Internal extends Plugin implements IAuthModule {
}
function check_password($owner_uid, $password) {
$owner_uid = db_escape_string($owner_uid);
$owner_uid = db_escape_string($this->link, $owner_uid);
$result = db_query($this->link, "SELECT salt,login FROM ttrss_users WHERE
id = '$owner_uid'");
@ -169,7 +169,7 @@ class Auth_Internal extends Plugin implements IAuthModule {
}
function change_password($owner_uid, $old_password, $new_password) {
$owner_uid = db_escape_string($owner_uid);
$owner_uid = db_escape_string($this->link, $owner_uid);
if ($this->check_password($owner_uid, $old_password)) {

12
plugins/auth_remote/init.php
Unescape Escape View File

@ -21,7 +21,7 @@ class Auth_Remote extends Plugin implements IAuthModule {
}
function get_login_by_ssl_certificate() {
$cert_serial = db_escape_string(get_ssl_certificate_id());
$cert_serial = db_escape_string($this->link, get_ssl_certificate_id());
if ($cert_serial) {
$result = db_query($this->link, "SELECT login FROM ttrss_user_prefs, ttrss_users
@ -29,7 +29,7 @@ class Auth_Remote extends Plugin implements IAuthModule {
owner_uid = ttrss_users.id");
if (db_num_rows($result) != 0) {
return db_escape_string(db_fetch_result($result, 0, "login"));
return db_escape_string($this->link, db_fetch_result($result, 0, "login"));
}
}
@ -38,10 +38,10 @@ class Auth_Remote extends Plugin implements IAuthModule {
function authenticate($login, $password) {
$try_login = db_escape_string($_SERVER["REMOTE_USER"]);
$try_login = db_escape_string($this->link, $_SERVER["REMOTE_USER"]);
// php-cgi
if (!$try_login) $try_login = db_escape_string($_SERVER["REDIRECT_REMOTE_USER"]);
if (!$try_login) $try_login = db_escape_string($this->link, $_SERVER["REDIRECT_REMOTE_USER"]);
if (!$try_login) $try_login = $this->get_login_by_ssl_certificate();
# if (!$try_login) $try_login = "test_qqq";
@ -60,14 +60,14 @@ class Auth_Remote extends Plugin implements IAuthModule {
// update user name
$fullname = $_SERVER['HTTP_USER_NAME'] ? $_SERVER['HTTP_USER_NAME'] : $_SERVER['AUTHENTICATE_CN'];
if ($fullname){
$fullname = db_escape_string($fullname);
$fullname = db_escape_string($this->link, $fullname);
db_query($this->link, "UPDATE ttrss_users SET full_name = '$fullname' WHERE id = " .
$user_id);
}
// update user mail
$email = $_SERVER['HTTP_USER_MAIL'] ? $_SERVER['HTTP_USER_MAIL'] : $_SERVER['AUTHENTICATE_MAIL'];
if ($email){
$email = db_escape_string($email);
$email = db_escape_string($this->link, $email);
db_query($this->link, "UPDATE ttrss_users SET email = '$email' WHERE id = " .
$user_id);
}

8
plugins/digest/init.php
Unescape Escape View File

@ -47,7 +47,7 @@ class Digest extends Plugin implements IHandler {
}
function digestgetcontents() {
$article_id = db_escape_string($_REQUEST['article_id']);
$article_id = db_escape_string($this->link, $_REQUEST['article_id']);
$result = db_query($this->link, "SELECT content,title,link,marked,published
FROM ttrss_entries, ttrss_user_entries
@ -67,9 +67,9 @@ class Digest extends Plugin implements IHandler {
}
function digestupdate() {
$feed_id = db_escape_string($_REQUEST['feed_id']);
$offset = db_escape_string($_REQUEST['offset']);
$seq = db_escape_string($_REQUEST['seq']);
$feed_id = db_escape_string($this->link, $_REQUEST['feed_id']);
$offset = db_escape_string($this->link, $_REQUEST['offset']);
$seq = db_escape_string($this->link, $_REQUEST['seq']);
if (!$feed_id) $feed_id = -4;
if (!$offset) $offset = 0;

2
plugins/embed_original/init.php
Unescape Escape View File

@ -36,7 +36,7 @@ class Embed_Original extends Plugin {
}
function getUrl() {
$id = db_escape_string($_REQUEST['id']);
$id = db_escape_string($this->link, $_REQUEST['id']);
$result = db_query($this->link, "SELECT link
FROM ttrss_entries, ttrss_user_entries

2
plugins/example/init.php
Unescape Escape View File

@ -21,7 +21,7 @@ class Example extends Plugin {
}
function save() {
$example_value = db_escape_string($_POST["example_value"]);
$example_value = db_escape_string($this->link, $_POST["example_value"]);
$this->host->set($this, "example", $example_value);

2
plugins/googleplus/init.php
Unescape Escape View File

@ -32,7 +32,7 @@ class GooglePlus extends Plugin {
}
function getInfo() {
$id = db_escape_string($_REQUEST['id']);
$id = db_escape_string($this->link, $_REQUEST['id']);
$result = db_query($this->link, "SELECT title, link
FROM ttrss_entries, ttrss_user_entries

2
plugins/identica/init.php
Unescape Escape View File

@ -32,7 +32,7 @@ class Identica extends Plugin {
}
function getInfo() {
$id = db_escape_string($_REQUEST['id']);
$id = db_escape_string($this->link, $_REQUEST['id']);
$result = db_query($this->link, "SELECT title, link
FROM ttrss_entries, ttrss_user_entries

8
plugins/import_export/init.php
Unescape Escape View File

@ -49,7 +49,7 @@ class Import_Export extends Plugin implements IHandler {
}
function save() {
$example_value = db_escape_string($_POST["example_value"]);
$example_value = db_escape_string($this->link, $_POST["example_value"]);
echo "Value set to $example_value (not really)";
}
@ -122,7 +122,7 @@ class Import_Export extends Plugin implements IHandler {
}
function exportrun() {
$offset = (int) db_escape_string($_REQUEST['offset']);
$offset = (int) db_escape_string($this->link, $_REQUEST['offset']);
$exported = 0;
$limit = 250;
@ -238,7 +238,7 @@ class Import_Export extends Plugin implements IHandler {
foreach ($article_node->childNodes as $child) {
if ($child->nodeName != 'label_cache')
$article[$child->nodeName] = db_escape_string($child->nodeValue);
$article[$child->nodeName] = db_escape_string($this->link, $child->nodeValue);
else
$article[$child->nodeName] = $child->nodeValue;
}
@ -346,7 +346,7 @@ class Import_Export extends Plugin implements IHandler {
$score = (int) $article['score'];
$tag_cache = $article['tag_cache'];
$label_cache = db_escape_string($article['label_cache']);
$label_cache = db_escape_string($this->link, $article['label_cache']);
$note = $article['note'];
//print "Importing " . $article['title'] . "<br/>";

28
plugins/instances/init.php
Unescape Escape View File

@ -92,10 +92,10 @@ class Instances extends Plugin implements IHandler {
WHERE instance_id = '$id'");
foreach ($feeds['feeds'] as $feed) {
$feed_url = db_escape_string($feed['feed_url']);
$title = db_escape_string($feed['title']);
$subscribers = db_escape_string($feed['subscribers']);
$site_url = db_escape_string($feed['site_url']);
$feed_url = db_escape_string($this->link, $feed['feed_url']);
$title = db_escape_string($this->link, $feed['title']);
$subscribers = db_escape_string($this->link, $feed['subscribers']);
$site_url = db_escape_string($this->link, $feed['site_url']);
db_query($link, "INSERT INTO ttrss_linked_feeds
(feed_url, site_url, title, subscribers, instance_id, created, updated)
@ -167,16 +167,16 @@ class Instances extends Plugin implements IHandler {
}
function remove() {
$ids = db_escape_string($_REQUEST['ids']);
$ids = db_escape_string($this->link, $_REQUEST['ids']);
db_query($this->link, "DELETE FROM ttrss_linked_instances WHERE
id IN ($ids)");
}
function add() {
$id = db_escape_string($_REQUEST["id"]);
$access_url = db_escape_string($_REQUEST["access_url"]);
$access_key = db_escape_string($_REQUEST["access_key"]);
$id = db_escape_string($this->link, $_REQUEST["id"]);
$access_url = db_escape_string($this->link, $_REQUEST["access_url"]);
$access_key = db_escape_string($this->link, $_REQUEST["access_key"]);
db_query($this->link, "BEGIN");
@ -195,7 +195,7 @@ class Instances extends Plugin implements IHandler {
}
function edit() {
$id = db_escape_string($_REQUEST["id"]);
$id = db_escape_string($this->link, $_REQUEST["id"]);
$result = db_query($this->link, "SELECT * FROM ttrss_linked_instances WHERE
id = '$id'");
@ -253,9 +253,9 @@ class Instances extends Plugin implements IHandler {
}
function editSave() {
$id = db_escape_string($_REQUEST["id"]);
$access_url = db_escape_string($_REQUEST["access_url"]);
$access_key = db_escape_string($_REQUEST["access_key"]);
$id = db_escape_string($this->link, $_REQUEST["id"]);
$access_url = db_escape_string($this->link, $_REQUEST["access_url"]);
$access_key = db_escape_string($this->link, $_REQUEST["access_key"]);
db_query($this->link, "UPDATE ttrss_linked_instances SET
access_key = '$access_key', access_url = '$access_url',
@ -277,7 +277,7 @@ class Instances extends Plugin implements IHandler {
print "<div id=\"pref-instance-toolbar\" dojoType=\"dijit.Toolbar\">";
$sort = db_escape_string($_REQUEST["sort"]);
$sort = db_escape_string($this->link, $_REQUEST["sort"]);
if (!$sort || $sort == "undefined") {
$sort = "access_url";
@ -364,7 +364,7 @@ class Instances extends Plugin implements IHandler {
function fbexport() {
$access_key = db_escape_string($_POST["key"]);
$access_key = db_escape_string($this->link, $_POST["key"]);
// TODO: rate limit checking using last_connected
$result = db_query($this->link, "SELECT id FROM ttrss_linked_instances

6
plugins/mail/init.php
Unescape Escape View File

@ -30,7 +30,7 @@ class Mail extends Plugin {
function emailArticle() {
$param = db_escape_string($_REQUEST['param']);
$param = db_escape_string($this->link, $_REQUEST['param']);
$secretkey = sha1(uniqid(rand(), true));
@ -181,7 +181,7 @@ class Mail extends Plugin {
if (!$rc) {
$reply['error'] = $mail->ErrorInfo;
} else {
save_email_address($this->link, db_escape_string($destination));
save_email_address($this->link, db_escape_string($this->link, $destination));
$reply['message'] = "UPDATE_COUNTERS";
}
@ -193,7 +193,7 @@ class Mail extends Plugin {
}
function completeEmails() {
$search = db_escape_string($_REQUEST["search"]);
$search = db_escape_string($this->link, $_REQUEST["search"]);
print "<ul>";

2
plugins/mailto/init.php
Unescape Escape View File

@ -30,7 +30,7 @@ class MailTo extends Plugin {
function emailArticle() {
$param = db_escape_string($_REQUEST['param']);
$param = db_escape_string($this->link, $_REQUEST['param']);
require_once "lib/MiniTemplator.class.php";

6
plugins/note/init.php
Unescape Escape View File

@ -29,7 +29,7 @@ class Note extends Plugin {
}
function edit() {
$param = db_escape_string($_REQUEST['param']);
$param = db_escape_string($this->link, $_REQUEST['param']);
$result = db_query($this->link, "SELECT note FROM ttrss_user_entries WHERE
ref_id = '$param' AND owner_uid = " . $_SESSION['uid']);
@ -58,8 +58,8 @@ class Note extends Plugin {
}
function setNote() {
$id = db_escape_string($_REQUEST["id"]);
$note = trim(strip_tags(db_escape_string($_REQUEST["note"])));
$id = db_escape_string($this->link, $_REQUEST["id"]);
$note = trim(strip_tags(db_escape_string($this->link, $_REQUEST["note"])));
db_query($this->link, "UPDATE ttrss_user_entries SET note = '$note'
WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]);

2
plugins/nsfw/init.php
Unescape Escape View File

@ -91,7 +91,7 @@ class NSFW extends Plugin {
}
function save() {
$tags = explode(",", db_escape_string($_POST["tags"]));
$tags = explode(",", db_escape_string($this->link, $_POST["tags"]));
$tags = array_map("trim", $tags);
$tags = array_map("mb_strtolower", $tags);
$tags = join(", ", $tags);

4
plugins/owncloud/init.php
Unescape Escape View File

@ -20,7 +20,7 @@ class OwnCloud extends Plugin {
}
function save() {
$owncloud_url = db_escape_string($_POST["owncloud_url"]);
$owncloud_url = db_escape_string($this->link, $_POST["owncloud_url"]);
$this->host->set($this, "owncloud", $owncloud_url);
echo "Value set to $owncloud_url";
}
@ -75,7 +75,7 @@ class OwnCloud extends Plugin {
}
function getOwnCloud() {
$id = db_escape_string($_REQUEST['id']);
$id = db_escape_string($this->link, $_REQUEST['id']);
$result = db_query($this->link, "SELECT title, link
FROM ttrss_entries, ttrss_user_entries

2
plugins/pinterest/init.php
Unescape Escape View File

@ -32,7 +32,7 @@ class Pinterest extends Plugin {
}
function getInfo() {
$id = db_escape_string($_REQUEST['id']);
$id = db_escape_string($this->link, $_REQUEST['id']);
$result = db_query($this->link, "SELECT title, link
FROM ttrss_entries, ttrss_user_entries

2
plugins/pocket/init.php
Unescape Escape View File

@ -33,7 +33,7 @@ class Pocket extends Plugin {
}
function getInfo() {
$id = db_escape_string($_REQUEST['id']);
$id = db_escape_string($this->link, $_REQUEST['id']);
$result = db_query($this->link, "SELECT title, link
FROM ttrss_entries, ttrss_user_entries

4
plugins/share/init.php
Unescape Escape View File

@ -28,7 +28,7 @@ class Share extends Plugin {
}
function shareArticle() {
$param = db_escape_string($_REQUEST['param']);
$param = db_escape_string($this->link, $_REQUEST['param']);
$result = db_query($this->link, "SELECT uuid, ref_id FROM ttrss_user_entries WHERE int_id = '$param'
AND owner_uid = " . $_SESSION['uid']);
@ -41,7 +41,7 @@ class Share extends Plugin {
$ref_id = db_fetch_result($result, 0, "ref_id");
if (!$uuid) {
$uuid = db_escape_string(sha1(uniqid(rand(), true)));
$uuid = db_escape_string($this->link, sha1(uniqid(rand(), true)));
db_query($this->link, "UPDATE ttrss_user_entries SET uuid = '$uuid' WHERE int_id = '$param'
AND owner_uid = " . $_SESSION['uid']);
}

2
plugins/tweet/init.php
Unescape Escape View File

@ -32,7 +32,7 @@ class Tweet extends Plugin {
}
function getInfo() {
$id = db_escape_string($_REQUEST['id']);
$id = db_escape_string($this->link, $_REQUEST['id']);
$result = db_query($this->link, "SELECT title, link
FROM ttrss_entries, ttrss_user_entries

8
register.php
Unescape Escape View File

@ -74,7 +74,7 @@
if ($action == "check") {
header("Content-Type: application/xml");
$login = trim(db_escape_string($_REQUEST['login']));
$login = trim(db_escape_string($link, $_REQUEST['login']));
$result = db_query($link, "SELECT id FROM ttrss_users WHERE
LOWER(login) = LOWER('$login')");
@ -242,9 +242,9 @@
<?php } else if ($action == "do_register") { ?>
<?php
$login = mb_strtolower(trim(db_escape_string($_REQUEST["login"])));
$email = trim(db_escape_string($_REQUEST["email"]));
$test = trim(db_escape_string($_REQUEST["turing_test"]));
$login = mb_strtolower(trim(db_escape_string($link, $_REQUEST["login"])));
$email = trim(db_escape_string($link, $_REQUEST["email"]));
$test = trim(db_escape_string($link, $_REQUEST["turing_test"]));
if (!$login || !$email || !$test) {
print_error(__("Your registration information is incomplete."));

Write Preview
Loading…
Cancel
Save