diff --git a/classes/db/prefs.php b/classes/db/prefs.php index d61cc107b..9683202f3 100644 --- a/classes/db/prefs.php +++ b/classes/db/prefs.php @@ -1,11 +1,11 @@ dbh = Db::get(); + $this->pdo = Db::pdo(); $this->cache = array(); if ($_SESSION["uid"]) $this->cache(); @@ -26,26 +26,22 @@ class Db_Prefs { $user_id = $_SESSION["uid"]; @$profile = $_SESSION["profile"]; - if ($profile) { - $profile_qpart = "profile = '$profile' AND"; - } else { - $profile_qpart = "profile IS NULL AND"; - } + if (!$profile || get_schema_version() < 63) $profile = null; - if (get_schema_version() < 63) $profile_qpart = ""; - - $result = db_query("SELECT + $sth = $this->pdo->prepare("SELECT value,ttrss_prefs_types.type_name as type_name,ttrss_prefs.pref_name AS pref_name FROM ttrss_user_prefs,ttrss_prefs,ttrss_prefs_types WHERE - $profile_qpart + profile = :profile OR (:profile IS NULL AND profile IS NULL) AND ttrss_prefs.pref_name NOT LIKE '_MOBILE%' AND ttrss_prefs_types.id = type_id AND - owner_uid = '$user_id' AND + owner_uid = :uid AND ttrss_user_prefs.pref_name = ttrss_prefs.pref_name"); - while ($line = db_fetch_assoc($result)) { + $sth->execute([":profile" => $profile, ":uid" => $user_id]); + + while ($line = $sth->fetch()) { if ($user_id == $_SESSION["uid"]) { $pref_name = $line["pref_name"]; @@ -57,7 +53,6 @@ class Db_Prefs { function read($pref_name, $user_id = false, $die_on_error = false) { - $pref_name = db_escape_string($pref_name); $profile = false; if (!$user_id) { @@ -72,28 +67,23 @@ class Db_Prefs { return $this->convert($tuple["value"], $tuple["type"]); } - if ($profile) { - $profile_qpart = "profile = '$profile' AND"; - } else { - $profile_qpart = "profile IS NULL AND"; - } - - if (get_schema_version() < 63) $profile_qpart = ""; + if (!$profile || get_schema_version() < 63) $profile = null; - $result = db_query("SELECT + $sth = $this->pdo->prepare("SELECT value,ttrss_prefs_types.type_name as type_name FROM ttrss_user_prefs,ttrss_prefs,ttrss_prefs_types WHERE - $profile_qpart - ttrss_user_prefs.pref_name = '$pref_name' AND + profile = :profile OR (:profile IS NULL AND profile IS NULL) AND + ttrss_user_prefs.pref_name = :pref_name AND ttrss_prefs_types.id = type_id AND - owner_uid = '$user_id' AND + owner_uid = :uid AND ttrss_user_prefs.pref_name = ttrss_prefs.pref_name"); + $sth->execute([":uid" => $user_id, ":profile" => $profile, ":pref_name" => $pref_name]); - if (db_num_rows($result) > 0) { - $value = db_fetch_result($result, 0, "value"); - $type_name = db_fetch_result($result, 0, "type_name"); + if ($row = $sth->fetch()) { + $value = $row["value"]; + $type_name = $row["type_name"]; if ($user_id == $_SESSION["uid"]) { $this->cache[$pref_name]["type"] = $type_name; @@ -119,8 +109,7 @@ class Db_Prefs { } function write($pref_name, $value, $user_id = false, $strip_tags = true) { - $pref_name = db_escape_string($pref_name); - $value = db_escape_string($value, $strip_tags); + if ($strip_tags) $value = strip_tags($value); if (!$user_id) { $user_id = $_SESSION["uid"]; @@ -135,7 +124,7 @@ class Db_Prefs { $profile_qpart = "AND profile IS NULL"; } - if (get_schema_version() < 63) $profile_qpart = ""; + if (!$profile || get_schema_version() < 63) $profile = null; $type_name = ""; $current_value = ""; @@ -146,12 +135,14 @@ class Db_Prefs { } if (!$type_name) { - $result = db_query("SELECT type_name + $sth = $this->pdo->prepare("SELECT type_name FROM ttrss_prefs,ttrss_prefs_types - WHERE pref_name = '$pref_name' AND type_id = ttrss_prefs_types.id"); + WHERE pref_name = ? AND type_id = ttrss_prefs_types.id"); + $sth->execute([$pref_name]); + + if ($row = $sth->fetch()) + $type_name = $row["type_name"]; - if (db_num_rows($result) > 0) - $type_name = db_fetch_result($result, 0, "type_name"); } else if ($current_value == $value) { return; } @@ -171,10 +162,12 @@ class Db_Prefs { $value = 'UTC'; } - db_query("UPDATE ttrss_user_prefs SET - value = '$value' WHERE pref_name = '$pref_name' - $profile_qpart - AND owner_uid = " . $user_id); + $sth = $this->pdo->prepare("UPDATE ttrss_user_prefs SET + value = :value WHERE pref_name = :pref_name + AND (profile = :profile OR (:profile IS NULL AND profile IS NULL)) + AND owner_uid = :uid"); + + $sth->execute([":pref_name" => $pref_name, ":value" => $value, ":uid" => $user_id, ":profile" => $profile]); if ($user_id == $_SESSION["uid"]) { $this->cache[$pref_name]["type"] = $type_name;