private $seq;
+ static function param_to_bool($p) {
+ return $p && ($p !== "f" && $p !== "false");
+ }
+
function before($method) {
if (parent::before($method)) {
header("Content-Type: text/json");
return false;
}
- $this->seq = (int) $_REQUEST['seq'];
+ $this->seq = (int) clean($_REQUEST['seq']);
return true;
}
@session_destroy();
@session_start();
- $login = $_REQUEST["user"];
- $password = $_REQUEST["password"];
- $password_base64 = base64_decode($_REQUEST["password"]);
+ $login = clean($_REQUEST["user"]);
+ $password = clean($_REQUEST["password"]);
+ $password_base64 = base64_decode(clean($_REQUEST["password"]));
if (SINGLE_USER_MODE) $login = "admin";
}
function getUnread() {
- $feed_id = $_REQUEST["feed_id"];
- $is_cat = $_REQUEST["is_cat"];
+ $feed_id = clean($_REQUEST["feed_id"]);
+ $is_cat = clean($_REQUEST["is_cat"]);
if ($feed_id) {
$this->wrap(self::STATUS_OK, array("unread" => getFeedUnread($feed_id, $is_cat)));
}
function getFeeds() {
- $cat_id = $_REQUEST["cat_id"];
- $unread_only = sql_bool_to_bool($_REQUEST["unread_only"]);
- $limit = (int) $_REQUEST["limit"];
- $offset = (int) $_REQUEST["offset"];
- $include_nested = sql_bool_to_bool($_REQUEST["include_nested"]);
+ $cat_id = clean($_REQUEST["cat_id"]);
+ $unread_only = API::param_to_bool(clean($_REQUEST["unread_only"]));
+ $limit = (int) clean($_REQUEST["limit"]);
+ $offset = (int) clean($_REQUEST["offset"]);
+ $include_nested = API::param_to_bool(clean($_REQUEST["include_nested"]));
$feeds = $this->api_get_feeds($cat_id, $unread_only, $limit, $offset, $include_nested);
}
function getCategories() {
- $unread_only = sql_bool_to_bool($_REQUEST["unread_only"]);
- $enable_nested = sql_bool_to_bool($_REQUEST["enable_nested"]);
- $include_empty = sql_bool_to_bool($_REQUEST['include_empty']);
+ $unread_only = API::param_to_bool(clean($_REQUEST["unread_only"]));
+ $enable_nested = API::param_to_bool(clean($_REQUEST["enable_nested"]));
+ $include_empty = API::param_to_bool(clean($_REQUEST['include_empty']));
// TODO do not return empty categories, return Uncategorized and standard virtual cats
}
function getHeadlines() {
- $feed_id = $_REQUEST["feed_id"];
+ $feed_id = clean($_REQUEST["feed_id"]);
if ($feed_id != "") {
if (is_numeric($feed_id)) $feed_id = (int) $feed_id;
- $limit = (int)$_REQUEST["limit"];
+ $limit = (int)clean($_REQUEST["limit"]);
if (!$limit || $limit >= 200) $limit = 200;
- $offset = (int)$_REQUEST["skip"];
- $filter = $_REQUEST["filter"];
- $is_cat = sql_bool_to_bool($_REQUEST["is_cat"]);
- $show_excerpt = sql_bool_to_bool($_REQUEST["show_excerpt"]);
- $show_content = sql_bool_to_bool($_REQUEST["show_content"]);
+ $offset = (int)clean($_REQUEST["skip"]);
+ $filter = clean($_REQUEST["filter"]);
+ $is_cat = API::param_to_bool(clean($_REQUEST["is_cat"]));
+ $show_excerpt = API::param_to_bool(clean($_REQUEST["show_excerpt"]));
+ $show_content = API::param_to_bool(clean($_REQUEST["show_content"]));
/* all_articles, unread, adaptive, marked, updated */
- $view_mode = $_REQUEST["view_mode"];
- $include_attachments = sql_bool_to_bool($_REQUEST["include_attachments"]);
- $since_id = (int)$_REQUEST["since_id"];
- $include_nested = sql_bool_to_bool($_REQUEST["include_nested"]);
+ $view_mode = clean($_REQUEST["view_mode"]);
+ $include_attachments = API::param_to_bool(clean($_REQUEST["include_attachments"]));
+ $since_id = (int)clean($_REQUEST["since_id"]);
+ $include_nested = API::param_to_bool(clean($_REQUEST["include_nested"]));
$sanitize_content = !isset($_REQUEST["sanitize"]) ||
- sql_bool_to_bool($_REQUEST["sanitize"]);
- $force_update = sql_bool_to_bool($_REQUEST["force_update"]);
- $has_sandbox = sql_bool_to_bool($_REQUEST["has_sandbox"]);
- $excerpt_length = (int)$_REQUEST["excerpt_length"];
- $check_first_id = (int)$_REQUEST["check_first_id"];
- $include_header = sql_bool_to_bool($_REQUEST["include_header"]);
+ API::param_to_bool($_REQUEST["sanitize"]);
+ $force_update = API::param_to_bool(clean($_REQUEST["force_update"]));
+ $has_sandbox = API::param_to_bool(clean($_REQUEST["has_sandbox"]));
+ $excerpt_length = (int)clean($_REQUEST["excerpt_length"]);
+ $check_first_id = (int)clean($_REQUEST["check_first_id"]);
+ $include_header = API::param_to_bool(clean($_REQUEST["include_header"]));
$_SESSION['hasSandbox'] = $has_sandbox;
$skip_first_id_check = false;
$override_order = false;
- switch ($_REQUEST["order_by"]) {
+ switch (clean($_REQUEST["order_by"])) {
case "title":
$override_order = "ttrss_entries.title, date_entered, updated";
break;
/* do not rely on params below */
- $search = $_REQUEST["search"];
+ $search = clean($_REQUEST["search"]);
list($headlines, $headlines_header) = $this->api_get_headlines($feed_id, $limit, $offset,
$filter, $is_cat, $show_excerpt, $show_content, $view_mode, $override_order,
}
function updateArticle() {
- $article_ids = explode(",", $_REQUEST["article_ids"]);
- $mode = (int) $_REQUEST["mode"];
- $data = $_REQUEST["data"];
- $field_raw = (int)$_REQUEST["field"];
+ $article_ids = explode(",", clean($_REQUEST["article_ids"]));
+ $mode = (int) clean($_REQUEST["mode"]);
+ $data = clean($_REQUEST["data"]);
+ $field_raw = (int)clean($_REQUEST["field"]);
$field = "";
$set_to = "";
$num_updated = $sth->rowCount();
if ($num_updated > 0 && $field == "unread") {
- $sth = $this->pdo->query("SELECT DISTINCT feed_id FROM ttrss_user_entries
- WHERE ref_id IN ($article_ids)");
+ $sth = $this->pdo->prepare("SELECT DISTINCT feed_id FROM ttrss_user_entries
+ WHERE ref_id IN ($article_qmarks)");
+ $sth->execute($article_ids);
while ($line = $sth->fetch()) {
CCache::update($line["feed_id"], $_SESSION["uid"]);
function getArticle() {
- $article_ids = explode(",", $_REQUEST["article_id"]);
+ $article_ids = explode(",", clean($_REQUEST["article_id"]));
$sanitize_content = !isset($_REQUEST["sanitize"]) ||
- sql_bool_to_bool($_REQUEST["sanitize"]);
+ API::param_to_bool($_REQUEST["sanitize"]);
if ($article_ids) {
"title" => $line["title"],
"link" => $line["link"],
"labels" => Article::get_article_labels($line['id']),
- "unread" => sql_bool_to_bool($line["unread"]),
- "marked" => sql_bool_to_bool($line["marked"]),
- "published" => sql_bool_to_bool($line["published"]),
+ "unread" => API::param_to_bool($line["unread"]),
+ "marked" => API::param_to_bool($line["marked"]),
+ "published" => API::param_to_bool($line["published"]),
"comments" => $line["comments"],
"author" => $line["author"],
"updated" => (int) strtotime($line["updated"]),
if ($sanitize_content) {
$article["content"] = sanitize(
$line["content"],
- sql_bool_to_bool($line['hide_images']),
+ API::param_to_bool($line['hide_images']),
false, $line["site_url"], false, $line["id"]);
} else {
$article["content"] = $line["content"];
}
function updateFeed() {
- $feed_id = (int) $_REQUEST["feed_id"];
+ $feed_id = (int) clean($_REQUEST["feed_id"]);
if (!ini_get("open_basedir")) {
RSSUtils::update_rss_feed($feed_id);
}
function catchupFeed() {
- $feed_id = $_REQUEST["feed_id"];
- $is_cat = $_REQUEST["is_cat"];
+ $feed_id = clean($_REQUEST["feed_id"]);
+ $is_cat = clean($_REQUEST["is_cat"]);
Feeds::catchup_feed($feed_id, $is_cat);
}
function getPref() {
- $pref_name = $_REQUEST["pref_name"];
+ $pref_name = clean($_REQUEST["pref_name"]);
$this->wrap(self::STATUS_OK, array("value" => get_pref($pref_name)));
}
function getLabels() {
- $article_id = (int)$_REQUEST['article_id'];
+ $article_id = (int)clean($_REQUEST['article_id']);
$rv = array();
function setArticleLabel() {
- $article_ids = explode(",", $_REQUEST["article_ids"]);
- $label_id = (int) $_REQUEST['label_id'];
- $assign = sql_bool_to_bool($_REQUEST['assign']);
+ $article_ids = explode(",", clean($_REQUEST["article_ids"]));
+ $label_id = (int) clean($_REQUEST['label_id']);
+ $assign = API::param_to_bool(clean($_REQUEST['assign']));
$label = Labels::find_caption(Labels::feed_to_label_id($label_id), $_SESSION["uid"]);
}
function shareToPublished() {
- $title = strip_tags($_REQUEST["title"]);
- $url = strip_tags($_REQUEST["url"]);
- $content = strip_tags($_REQUEST["content"]);
+ $title = strip_tags(clean($_REQUEST["title"]));
+ $url = strip_tags(clean($_REQUEST["url"]));
+ $content = strip_tags(clean($_REQUEST["content"]));
if (Article::create_published_article($title, $url, $content, "", $_SESSION["uid"])) {
$this->wrap(self::STATUS_OK, array("status" => 'OK'));
$unread = getFeedUnread($line["id"]);
- $has_icon = feed_has_icon($line['id']);
+ $has_icon = Feeds::feedHasIcon($line['id']);
if ($unread || !$unread_only) {
if ($row = $sth->fetch()) {
$last_updated = strtotime($row["last_updated"]);
- $cache_images = sql_bool_to_bool($row["cache_images"]);
+ $cache_images = API::param_to_bool($row["cache_images"]);
if (!$cache_images && time() - $last_updated > 120) {
RSSUtils::update_rss_feed($feed_id, true);
$headline_row = array(
"id" => (int)$line["id"],
"guid" => $line["guid"],
- "unread" => sql_bool_to_bool($line["unread"]),
- "marked" => sql_bool_to_bool($line["marked"]),
- "published" => sql_bool_to_bool($line["published"]),
+ "unread" => API::param_to_bool($line["unread"]),
+ "marked" => API::param_to_bool($line["marked"]),
+ "published" => API::param_to_bool($line["published"]),
"updated" => (int)strtotime($line["updated"]),
"is_updated" => $is_updated,
"title" => $line["title"],
if ($sanitize_content) {
$headline_row["content"] = sanitize(
$line["content"],
- sql_bool_to_bool($line['hide_images']),
+ API::param_to_bool($line['hide_images']),
false, $line["site_url"], false, $line["id"]);
} else {
$headline_row["content"] = $line["content"];
$headline_row["comments_count"] = (int)$line["num_comments"];
$headline_row["comments_link"] = $line["comments"];
- $headline_row["always_display_attachments"] = sql_bool_to_bool($line["always_display_enclosures"]);
+ $headline_row["always_display_attachments"] = API::param_to_bool($line["always_display_enclosures"]);
$headline_row["author"] = $line["author"];
}
function unsubscribeFeed() {
- $feed_id = (int) $_REQUEST["feed_id"];
+ $feed_id = (int) clean($_REQUEST["feed_id"]);
$sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE
id = ? AND owner_uid = ?");
}
function subscribeToFeed() {
- $feed_url = $_REQUEST["feed_url"];
- $category_id = (int) $_REQUEST["category_id"];
- $login = $_REQUEST["login"];
- $password = $_REQUEST["password"];
+ $feed_url = clean($_REQUEST["feed_url"]);
+ $category_id = (int) clean($_REQUEST["category_id"]);
+ $login = clean($_REQUEST["login"]);
+ $password = clean($_REQUEST["password"]);
if ($feed_url) {
$rc = Feeds::subscribe_to_feed($feed_url, $category_id, $login, $password);
}
function getFeedTree() {
- $include_empty = sql_bool_to_bool($_REQUEST['include_empty']);
+ $include_empty = API::param_to_bool(clean($_REQUEST['include_empty']));
$pf = new Pref_Feeds($_REQUEST);