search_to_sql: quoting fix
[tt-rss.git] / include / functions.php
index 0b301b82e0f3b34faed5320503c125a4b255d979..9e4ed34627262af14f6b35f68c31ab5423dbec93 100644 (file)
        }
 
        function sql_bool_to_bool($s) {
-               return $s; //no-op for PDO
+               return $s && ($s !== "f" && $s !== "false"); //no-op for PDO, backwards compat for legacy layer
        }
 
        function bool_to_sql_bool($s) {
                        $error_code = 5;
                }
 
-               if (db_escape_string("testTEST") != "testTEST") {
-                       $error_code = 12;
-               }
-
                return array("code" => $error_code, "message" => $ERRORS[$error_code]);
        }
 
        }
 
        function checkbox_to_sql_bool($val) {
-               return ($val == "on") ? "true" : "false";
+               return ($val == "on") ? true : false;
        }
 
        function uniqid_short() {
                        switch ($commandpair[0]) {
                                case "title":
                                        if ($commandpair[1]) {
-                                               array_push($query_keywords, "($not (LOWER(ttrss_entries.title) LIKE '%".
-                                                       $pdo->quote(mb_strtolower($commandpair[1]))."%'))");
+                                               array_push($query_keywords, "($not (LOWER(ttrss_entries.title) LIKE ".
+                                                       $pdo->quote('%' . mb_strtolower($commandpair[1]) . '%') ."))");
                                        } else {
                                                array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%')
                                                                OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))");
                                        break;
                                case "author":
                                        if ($commandpair[1]) {
-                                               array_push($query_keywords, "($not (LOWER(author) LIKE '%".
-                                                       $pdo->quote(mb_strtolower($commandpair[1]))."%'))");
+                                               array_push($query_keywords, "($not (LOWER(author) LIKE ".
+                                                       $pdo->quote('%' . mb_strtolower($commandpair[1]) . '%')."))");
                                        } else {
                                                array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%')
                                                                OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))");
                                                else if ($commandpair[1] == "false")
                                                        array_push($query_keywords, "($not (note IS NULL OR note = ''))");
                                                else
-                                                       array_push($query_keywords, "($not (LOWER(note) LIKE '%".
-                                                               $pdo->quote(mb_strtolower($commandpair[1]))."%'))");
+                                                       array_push($query_keywords, "($not (LOWER(note) LIKE ".
+                                                               $pdo->quote('%' . mb_strtolower($commandpair[1]) . '%')."))");
                                        } else {
                                                array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%')
                                                                OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))");
        function filter_to_sql($filter, $owner_uid) {
                $query = array();
 
+               $pdo = Db::pdo();
+
                if (DB_TYPE == "pgsql")
                        $reg_qpart = "~";
                else
 
                        if ($regexp_valid) {
 
-                               $rule['reg_exp'] = db_escape_string($rule['reg_exp']);
+                               $rule['reg_exp'] = $pdo->quote($rule['reg_exp']);
 
                                switch ($rule["type"]) {
                                        case "title":
                                if (isset($rule['inverse'])) $qpart = "NOT ($qpart)";
 
                                if (isset($rule["feed_id"]) && $rule["feed_id"] > 0) {
-                                       $qpart .= " AND feed_id = " . db_escape_string($rule["feed_id"]);
+                                       $qpart .= " AND feed_id = " . $pdo->quote($rule["feed_id"]);
                                }
 
                                if (isset($rule["cat_id"])) {
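Review bot: The `else` branches in the `search_to_sql` hunk (the lines directly after each fixed `$pdo->quote(...)` call for `title`, `author` and `note`) still interpolate `$k` straight into the SQL string as `UPPER('%$k%')`, while the commit quotes only the `command:value` form; unless `$k` is already passed through `$pdo->quote()` earlier in the loop (outside the hunk), those three branches keep exactly the quoting problem the commit title addresses, and the fact that they sit beside the fixed lines makes them easy to overlook. Changing each to the same pattern, e.g. `"(UPPER(ttrss_entries.title) $not LIKE UPPER(" . $pdo->quote('%' . $k . '%') . ")` and likewise for the `ttrss_entries.content` half, keeps the query well-formed for any search term. Note also that `$pdo->quote()` escapes quotes but not the LIKE metacharacters `%` and `_`, so a term containing them still matches as a pattern; that is not a quoting defect, but if it is intended a comment such as `// LIKE wildcards inside the term are deliberately left unescaped` on the quoted lines would save the next reader a check. The enclosing `search_to_sql` function starts and ends outside the hunk, as does the loop that sets `$k`. Separately, the `//no-op for PDO` comment on the new `sql_bool_to_bool` body no longer matches what it does; `// normalise legacy string booleans ("f", "false") to a real bool` would describe the new line.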