if ($feed >= 0) {
if ($feed > 0) {
- $cat_qpart = "cat_id = '$feed'";
+ $children = getChildCategories($link, $feed, $owner_uid);
+ array_push($children, $feed);
+
+ $children = join(",", $children);
+
+ $cat_qpart = "cat_id IN ($children)";
} else {
$cat_qpart = "cat_id IS NULL";
}
- $tmp_result = db_query($link, "SELECT id
- FROM ttrss_feeds WHERE $cat_qpart AND owner_uid = $owner_uid");
-
- while ($tmp_line = db_fetch_assoc($tmp_result)) {
-
- $tmp_feed = $tmp_line["id"];
+ db_query($link, "UPDATE ttrss_user_entries
+ SET unread = false,last_read = NOW()
+ WHERE feed_id IN (SELECT id FROM ttrss_feeds WHERE $cat_qpart)
+ AND $ref_check_qpart
+ AND owner_uid = $owner_uid");
- db_query($link, "UPDATE ttrss_user_entries
- SET unread = false,last_read = NOW()
- WHERE feed_id = '$tmp_feed'
- AND $ref_check_qpart
- AND owner_uid = $owner_uid");
- }
} else if ($feed == -2) {
db_query($link, "UPDATE ttrss_user_entries
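Review bot: The category ids joined on the new `$cat_qpart = "cat_id IN ($children)";` line are interpolated into SQL without a cast, and `$feed` itself is pushed into the same list, so unless every element is already an integer by this point (not visible here) the list should be normalised before joining, e.g. `$children = join(",", array_map('intval', $children));`. The new subquery `SELECT id FROM ttrss_feeds WHERE $cat_qpart` also drops the `owner_uid = $owner_uid` filter the removed query had; the outer `owner_uid` condition on ttrss_user_entries still scopes the update, but for `cat_id IS NULL` the subquery now enumerates every uncategorized feed in the table, which is worth either a comment or the restored filter. The enclosing function starts outside the hunk.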
$override_order = "updated DESC";
- $filter_query_part = filter_to_sql($filter) . " AND";
+ $filter_query_part = filter_to_sql($filter);
+
+ // Try to check if SQL regexp implementation chokes on a valid regexp
+ $result = db_query($link, "SELECT true AS true FROM ttrss_entries
+ WHERE $filter_query_part LIMIT 1", false);
+
+ $test = db_fetch_result($result, 0, "true");
+
+ if (!$test) {
+ $filter_query_part = "false AND";
+ } else {
+ $filter_query_part .= " AND";
+ }
+
} else {
$filter_query_part = "";
}
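Review bot: The probe on the new `$test = db_fetch_result($result, 0, "true");` line conflates a failed query with a query that legitimately matched no rows: a valid filter with zero matching entries also yields an empty `$test` and is replaced by `false AND`. The outcome is the same for this call, but the comment above it says the goal is to detect a regexp the SQL engine rejects, so the check should look at the query's success rather than its row count — presumably `db_query()` returns false when its third argument disables the error abort, in which case `if (!$result) {` would be the intended test; as written, `db_fetch_result()` is also called on `$result` when it is false, which may emit a warning. `$filter_query_part` is still interpolated raw into both queries, as it was before the change.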
if ($num_comments > 0) {
if ($line["comments"]) {
- $comments_url = $line["comments"];
+ $comments_url = htmlspecialchars($line["comments"]);
} else {
- $comments_url = $line["link"];
+ $comments_url = htmlspecialchars($line["link"]);
}
$entry_comments = "<a target='_blank' href=\"$comments_url\">$num_comments comments</a>";
} else {
if ($line["comments"] && $line["link"] != $line["comments"]) {
- $entry_comments = "<a target='_blank' href=\"".$line["comments"]."\">comments</a>";
+ $entry_comments = "<a target='_blank' href=\"".htmlspecialchars($line["comments"])."\">comments</a>";
}
}
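Review bot: `htmlspecialchars()` on the new `$comments_url` assignments stops a feed-supplied value from breaking out of the double-quoted `href` attribute, but it does not constrain the URL scheme, so a non-http link still reaches the anchor unchanged. If links are not already validated at import time (not visible here), a scheme check before building `$entry_comments` — allowing only http and https and otherwise dropping the link — would close that gap; the same applies to the `htmlspecialchars($line["comments"])` call in the else branch. `$num_comments` is interpolated into the same markup unescaped; it is presumably numeric, but that is not visible in the hunk.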
</head><body>";
}
- $title_escaped = db_escape_string($line['title']);
+ $title_escaped = htmlspecialchars($line['title']);
$rv['content'] .= "<div id=\"PTITLE-$id\" style=\"display : none\">" .
truncate_string(strip_tags($line['title']), 15) . "</div>";
$rv['content'] .= "<div class='postTitle'><a target='_blank'
title=\"".htmlspecialchars($line['title'])."\"
href=\"" .
- $line["link"] . "\">" .
+ htmlspecialchars($line["link"]) . "\">" .
$line["title"] .
"<span class='author'>$entry_author</span></a></div>";
} else {
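Review bot: `$title_escaped` is now computed with `htmlspecialchars()` on the added line, but the visible markup never uses it: the anchor text on the `$line["title"] .` line is still the raw title, while the `title=` attribute two lines above it is escaped. If titles are not sanitized on import (not visible here), the link text should use the same escaped value, `$title_escaped .`, and `$entry_author` on the following line deserves the same treatment. If `$title_escaped` is consumed later in the function, that use is outside the hunk, as is the start of the enclosing function.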