X-Git-Url: https://git.wh0rd.org/?a=blobdiff_plain;f=classes%2Fpref%2Ffeeds.php;h=8249f756a75726cb46d2b71a4389e1b9cd4adf23;hb=81fc862e370a1dfbd3941206fd00076e3cbf0551;hp=68a3eaa38456808bcac4fcd64455dcdac0714973;hpb=91d679667e58e0e7af7081e7aea7ac9518876295;p=tt-rss.git

diff --git a/classes/pref/feeds.php b/classes/pref/feeds.php
index 68a3eaa3..8249f756 100755
--- a/classes/pref/feeds.php
+++ b/classes/pref/feeds.php
@@ -17,8 +17,8 @@ class Pref_Feeds extends Handler_Protected {
 	}
 
 	function renamecat() {
-		$title = $_REQUEST['title'];
-		$id = $_REQUEST['id'];
+		$title = clean($_REQUEST['title']);
+		$id = clean($_REQUEST['id']);
 
 		if ($title) {
 			$sth = $this->pdo->prepare("UPDATE ttrss_feed_categories SET
@@ -29,14 +29,14 @@ class Pref_Feeds extends Handler_Protected {
 
 	private function get_category_items($cat_id) {
 
-		if ($_REQUEST['mode'] != 2)
+		if (clean($_REQUEST['mode']) != 2)
 			$search = $_SESSION["prefs_feed_search"];
 		else
 			$search = "";
 
 		// first one is set by API
-		$show_empty_cats = $_REQUEST['force_show_empty'] ||
-			($_REQUEST['mode'] != 2 && !$search);
+		$show_empty_cats = clean($_REQUEST['force_show_empty']) ||
+			(clean($_REQUEST['mode']) != 2 && !$search);
 
 		$items = array();
 
@@ -69,9 +69,9 @@ class Pref_Feeds extends Handler_Protected {
 		}
 
 		$fsth = $this->pdo->prepare("SELECT id, title, last_error,
-			".SUBSTRING_FOR_DATE."(last_updated,1,19) AS last_updated
+			".SUBSTRING_FOR_DATE."(last_updated,1,19) AS last_updated, update_interval
 			FROM ttrss_feeds
-			WHERE cat_id = :cat AND 
+			WHERE cat_id = :cat AND
 			owner_uid = :uid AND
 			(:search = '' OR (LOWER(title) LIKE :search OR LOWER(feed_url) LIKE :search))
 			ORDER BY order_id, title");
@@ -90,6 +90,7 @@ class Pref_Feeds extends Handler_Protected {
 			$feed['icon'] = Feeds::getFeedIcon($feed_line['id']);
 			$feed['param'] = make_local_datetime(
 				$feed_line['last_updated'], true);
+			$feed['updates_disabled'] = (int)($feed_line['update_interval'] < 0);
 
 			array_push($items, $feed);
 		}
@@ -103,7 +104,7 @@ class Pref_Feeds extends Handler_Protected {
 
 	function makefeedtree() {
 
-		if ($_REQUEST['mode'] != 2)
+		if (clean($_REQUEST['mode']) != 2)
 			$search = $_SESSION["prefs_feed_search"];
 		else
 			$search = "";
@@ -116,7 +117,7 @@ class Pref_Feeds extends Handler_Protected {
 
 		$enable_cats = get_pref('ENABLE_FEED_CATS');
 
-		if ($_REQUEST['mode'] == 2) {
+		if (clean($_REQUEST['mode']) == 2) {
 
 			if ($enable_cats) {
 				$cat = $this->feedlist_init_cat(-1);
@@ -193,8 +194,8 @@ class Pref_Feeds extends Handler_Protected {
 		}
 
 		if ($enable_cats) {
-			$show_empty_cats = $_REQUEST['force_show_empty'] ||
-				($_REQUEST['mode'] != 2 && !$search);
+			$show_empty_cats = clean($_REQUEST['force_show_empty']) ||
+				(clean($_REQUEST['mode']) != 2 && !$search);
 
 			$sth = $this->pdo->prepare("SELECT id, title FROM ttrss_feed_categories
 				WHERE owner_uid = ? AND parent_cat IS NULL ORDER BY order_id, title");
@@ -237,9 +238,9 @@ class Pref_Feeds extends Handler_Protected {
 			$cat['child_unread'] = 0;
 
 			$fsth = $this->pdo->prepare("SELECT id, title,last_error,
-				".SUBSTRING_FOR_DATE."(last_updated,1,19) AS last_updated
+				".SUBSTRING_FOR_DATE."(last_updated,1,19) AS last_updated, update_interval
 				FROM ttrss_feeds
-				WHERE cat_id IS NULL AND 
+				WHERE cat_id IS NULL AND
 				owner_uid = :uid AND
 				(:search = '' OR (LOWER(title) LIKE :search OR LOWER(feed_url) LIKE :search))
 				ORDER BY order_id, title");
@@ -258,6 +259,7 @@ class Pref_Feeds extends Handler_Protected {
 					$feed_line['last_updated'], true);
 				$feed['unread'] = 0;
 				$feed['type'] = 'feed';
+				$feed['updates_disabled'] = (int)($feed_line['update_interval'] < 0);
 
 				array_push($cat['items'], $feed);
 			}
@@ -272,7 +274,7 @@ class Pref_Feeds extends Handler_Protected {
 
 		} else {
 			$fsth = $this->pdo->prepare("SELECT id, title, last_error,
-				".SUBSTRING_FOR_DATE."(last_updated,1,19) AS last_updated
+				".SUBSTRING_FOR_DATE."(last_updated,1,19) AS last_updated, update_interval
 				FROM ttrss_feeds
 				WHERE owner_uid = :uid AND
 				(:search = '' OR (LOWER(title) LIKE :search OR LOWER(feed_url) LIKE :search))
@@ -292,6 +294,7 @@ class Pref_Feeds extends Handler_Protected {
 					$feed_line['last_updated'], true);
 				$feed['unread'] = 0;
 				$feed['type'] = 'feed';
+				$feed['updates_disabled'] = (int)($feed_line['update_interval'] < 0);
 
 				array_push($root['items'], $feed);
 			}
@@ -303,7 +306,7 @@ class Pref_Feeds extends Handler_Protected {
 		$fl['identifier'] = 'id';
 		$fl['label'] = 'name';
 
-		if ($_REQUEST['mode'] != 2) {
+		if (clean($_REQUEST['mode']) != 2) {
 			$fl['items'] = array($root);
 		} else {
 			$fl['items'] = $root['items'];
@@ -325,13 +328,12 @@ class Pref_Feeds extends Handler_Protected {
 	}
 
 	private function process_category_order(&$data_map, $item_id, $parent_id = false, $nest_level = 0) {
-		$debug = isset($_REQUEST["debug"]);
 
 		$prefix = "";
 		for ($i = 0; $i < $nest_level; $i++)
 			$prefix .= "   ";
 
-		if ($debug) _debug("$prefix C: $item_id P: $parent_id");
+		Debug::log("$prefix C: $item_id P: $parent_id");
 
 		$bare_item_id = substr($item_id, strpos($item_id, ':')+1);
 
@@ -358,7 +360,7 @@ class Pref_Feeds extends Handler_Protected {
 				$id = $item['_reference'];
 				$bare_id = substr($id, strpos($id, ':')+1);
 
-				if ($debug) _debug("$prefix [$order_id] $id/$bare_id");
+				Debug::log("$prefix [$order_id] $id/$bare_id");
 
 				if ($item['_reference']) {
 
@@ -391,7 +393,7 @@ class Pref_Feeds extends Handler_Protected {
 	function savefeedorder() {
 		$data = json_decode($_POST['payload'], true);
 
-		#file_put_contents("/tmp/saveorder.json", $_POST['payload']);
+		#file_put_contents("/tmp/saveorder.json", clean($_POST['payload']));
 		#$data = json_decode(file_get_contents("/tmp/saveorder.json"), true);
 
 		if (!is_array($data['items']))
@@ -425,7 +427,7 @@ class Pref_Feeds extends Handler_Protected {
 	}
 
 	function removeicon() {
-		$feed_id = $_REQUEST["feed_id"];
+		$feed_id = clean($_REQUEST["feed_id"]);
 
 		$sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds
 			WHERE id = ? AND owner_uid = ?");
@@ -457,7 +459,7 @@ class Pref_Feeds extends Handler_Protected {
 		}
 
 		$icon_file = $tmp_file;
-		$feed_id = $_REQUEST["feed_id"];
+		$feed_id = clean($_REQUEST["feed_id"]);
 
 		if (is_file($icon_file) && $feed_id) {
 			if (filesize($icon_file) < 65535) {
@@ -499,283 +501,288 @@ class Pref_Feeds extends Handler_Protected {
 		global $purge_intervals;
 		global $update_intervals;
 
-		print '<div dojoType="dijit.layout.TabContainer" style="height : 450px">
-        		<div dojoType="dijit.layout.ContentPane" title="'.__('General').'">';
 
-		$feed_id = $_REQUEST["id"];
+		$feed_id = clean($_REQUEST["id"]);
 
-		$result = db_query(
-			"SELECT * FROM ttrss_feeds WHERE id = '$feed_id' AND
-				owner_uid = " . $_SESSION["uid"]);
+		$sth = $this->pdo->prepare("SELECT * FROM ttrss_feeds WHERE id = ? AND
+				owner_uid = ?");
+		$sth->execute([$feed_id, $_SESSION['uid']]);
 
-		$auth_pass_encrypted = sql_bool_to_bool(db_fetch_result($result, 0,
-			"auth_pass_encrypted"));
+		if ($row = $sth->fetch()) {
+			print '<div dojoType="dijit.layout.TabContainer" style="height : 450px">
+        		<div dojoType="dijit.layout.ContentPane" title="'.__('General').'">';
 
-		$title = htmlspecialchars(db_fetch_result($result,
-			0, "title"));
+			$title = htmlspecialchars($row["title"]);
 
-		print_hidden("id", "$feed_id");
-		print_hidden("op", "pref-feeds");
-		print_hidden("method", "editSave");
+			print_hidden("id", "$feed_id");
+			print_hidden("op", "pref-feeds");
+			print_hidden("method", "editSave");
 
-		print "<div class=\"dlgSec\">".__("Feed")."</div>";
-		print "<div class=\"dlgSecCont\">";
+			print "<div class=\"dlgSec\">".__("Feed")."</div>";
+			print "<div class=\"dlgSecCont\">";
 
-		/* Title */
+			/* Title */
 
-		print "<input dojoType=\"dijit.form.ValidationTextBox\" required=\"1\"
+			print "<input dojoType=\"dijit.form.ValidationTextBox\" required=\"1\"
 			placeHolder=\"".__("Feed Title")."\"
 			style=\"font-size : 16px; width: 20em\" name=\"title\" value=\"$title\">";
 
-		/* Feed URL */
+			/* Feed URL */
 
-		$feed_url = db_fetch_result($result, 0, "feed_url");
-		$feed_url = htmlspecialchars(db_fetch_result($result,
-			0, "feed_url"));
+			$feed_url = htmlspecialchars($row["feed_url"]);
 
-		print "<hr/>";
+			print "<hr/>";
 
-		print __('URL:') . " ";
-		print "<input dojoType=\"dijit.form.ValidationTextBox\" required=\"1\"
+			print __('URL:') . " ";
+			print "<input dojoType=\"dijit.form.ValidationTextBox\" required=\"1\"
 			placeHolder=\"".__("Feed URL")."\"
 			regExp='^(http|https)://.*' style=\"width : 20em\"
 			name=\"feed_url\" value=\"$feed_url\">";
 
-		$last_error = db_fetch_result($result, 0, "last_error");
+			$last_error = $row["last_error"];
 
-		if ($last_error) {
-			print "&nbsp;<img src=\"images/error.png\" alt=\"(error)\"
+			if ($last_error) {
+				print "&nbsp;<img src=\"images/error.png\" alt=\"(error)\"
 				style=\"vertical-align : middle\"
 				title=\"".htmlspecialchars($last_error)."\">";
 
-		}
+			}
 
-		/* Category */
+			/* Category */
 
-		if (get_pref('ENABLE_FEED_CATS')) {
+			if (get_pref('ENABLE_FEED_CATS')) {
 
-			$cat_id = db_fetch_result($result, 0, "cat_id");
+				$cat_id = $row["cat_id"];
 
-			print "<hr/>";
+				print "<hr/>";
 
-			print __('Place in category:') . " ";
+				print __('Place in category:') . " ";
 
-			print_feed_cat_select("cat_id", $cat_id,
-				'dojoType="dijit.form.Select"');
-		}
+				print_feed_cat_select("cat_id", $cat_id,
+					'dojoType="dijit.form.Select"');
+			}
 
-		/* FTS Stemming Language */
+			/* Site URL  */
 
-		if (DB_TYPE == "pgsql") {
-			$feed_language = db_fetch_result($result, 0, "feed_language");
+			$site_url = htmlspecialchars($row["site_url"]);
 
 			print "<hr/>";
 
-			print __('Language:') . " ";
-			print_select("feed_language", $feed_language, $this::$feed_languages,
-				'dojoType="dijit.form.Select"');
-		}
+			print __('Site URL:') . " ";
+			print "<input dojoType=\"dijit.form.ValidationTextBox\" required=\"1\"
+			placeHolder=\"".__("Site URL")."\"
+			regExp='^(http|https)://.*' style=\"width : 15em\"
+			name=\"site_url\" value=\"$site_url\">";
 
-		print "</div>";
+			/* FTS Stemming Language */
 
-		print "<div class=\"dlgSec\">".__("Update")."</div>";
-		print "<div class=\"dlgSecCont\">";
+			if (DB_TYPE == "pgsql") {
+				$feed_language = $row["feed_language"];
 
-		/* Update Interval */
+				print "<hr/>";
 
-		$update_interval = db_fetch_result($result, 0, "update_interval");
+				print __('Language:') . " ";
+				print_select("feed_language", $feed_language, $this::$feed_languages,
+					'dojoType="dijit.form.Select"');
+			}
 
-		print_select_hash("update_interval", $update_interval, $update_intervals,
-			'dojoType="dijit.form.Select"');
+			print "</div>";
 
-		/* Purge intl */
+			print "<div class=\"dlgSec\">".__("Update")."</div>";
+			print "<div class=\"dlgSecCont\">";
 
-		$purge_interval = db_fetch_result($result, 0, "purge_interval");
+			/* Update Interval */
 
-		print "<hr/>";
-		print __('Article purging:') . " ";
+			$update_interval = $row["update_interval"];
 
-		print_select_hash("purge_interval", $purge_interval, $purge_intervals,
-			'dojoType="dijit.form.Select" ' .
-				((FORCE_ARTICLE_PURGE == 0) ? "" : 'disabled="1"'));
+			print_select_hash("update_interval", $update_interval, $update_intervals,
+				'dojoType="dijit.form.Select"');
 
-		print "</div>";
+			/* Purge intl */
 
-		$auth_login = htmlspecialchars(db_fetch_result($result, 0, "auth_login"));
-		$auth_pass = db_fetch_result($result, 0, "auth_pass");
+			$purge_interval = $row["purge_interval"];
 
-		if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) {
-			require_once "crypt.php";
-			$auth_pass = decrypt_string($auth_pass);
-		}
+			print "<hr/>";
+			print __('Article purging:') . " ";
 
-		$auth_pass = htmlspecialchars($auth_pass);
-		$auth_enabled = $auth_login !== '' || $auth_pass !== '';
+			print_select_hash("purge_interval", $purge_interval, $purge_intervals,
+				'dojoType="dijit.form.Select" ' .
+				((FORCE_ARTICLE_PURGE == 0) ? "" : 'disabled="1"'));
 
-		$auth_style = $auth_enabled ? '' : 'display: none';
-		print "<div id='feedEditDlg_loginContainer' style='$auth_style'>";
-		print "<div class=\"dlgSec\">".__("Authentication")."</div>";
-		print "<div class=\"dlgSecCont\">";
+			print "</div>";
 
-		print "<input dojoType=\"dijit.form.TextBox\" id=\"feedEditDlg_login\"
+			$auth_login = htmlspecialchars($row["auth_login"]);
+			$auth_pass = htmlspecialchars($row["auth_pass"]);
+
+			$auth_enabled = $auth_login !== '' || $auth_pass !== '';
+
+			$auth_style = $auth_enabled ? '' : 'display: none';
+			print "<div id='feedEditDlg_loginContainer' style='$auth_style'>";
+			print "<div class=\"dlgSec\">".__("Authentication")."</div>";
+			print "<div class=\"dlgSecCont\">";
+
+			print "<input dojoType=\"dijit.form.TextBox\" id=\"feedEditDlg_login\"
 			placeHolder=\"".__("Login")."\"
 			autocomplete=\"new-password\"
 			name=\"auth_login\" value=\"$auth_login\"><hr/>";
 
-
-		print "<input dojoType=\"dijit.form.TextBox\" type=\"password\" name=\"auth_pass\"
+			print "<input dojoType=\"dijit.form.TextBox\" type=\"password\" name=\"auth_pass\"
 			autocomplete=\"new-password\"
 			placeHolder=\"".__("Password")."\"
 			value=\"$auth_pass\">";
 
-		print "<div dojoType=\"dijit.Tooltip\" connectId=\"feedEditDlg_login\" position=\"below\">
+			print "<div dojoType=\"dijit.Tooltip\" connectId=\"feedEditDlg_login\" position=\"below\">
 			".__('<b>Hint:</b> you need to fill in your login information if your feed requires authentication, except for Twitter feeds.')."
 			</div>";
 
-		print "</div></div>";
+			print "</div></div>";
 
-		$auth_checked = $auth_enabled ? 'checked' : '';
-		print "<div style=\"clear : both\">
+			$auth_checked = $auth_enabled ? 'checked' : '';
+			print "<div style=\"clear : both\">
 				<input type=\"checkbox\" $auth_checked name=\"need_auth\" dojoType=\"dijit.form.CheckBox\" id=\"feedEditDlg_loginCheck\"
 						onclick='checkboxToggleElement(this, \"feedEditDlg_loginContainer\")'>
 					<label for=\"feedEditDlg_loginCheck\">".
-					__('This feed requires authentication.')."</div>";
+				__('This feed requires authentication.')."</div>";
 
-		print '</div><div dojoType="dijit.layout.ContentPane" title="'.__('Options').'">';
+			print '</div><div dojoType="dijit.layout.ContentPane" title="'.__('Options').'">';
 
-		//print "<div class=\"dlgSec\">".__("Options")."</div>";
-		print "<div class=\"dlgSecSimple\">";
+			//print "<div class=\"dlgSec\">".__("Options")."</div>";
+			print "<div class=\"dlgSecSimple\">";
 
-		$private = sql_bool_to_bool(db_fetch_result($result, 0, "private"));
+			$private = $row["private"];
 
-		if ($private) {
-			$checked = "checked=\"1\"";
-		} else {
-			$checked = "";
-		}
+			if ($private) {
+				$checked = "checked=\"1\"";
+			} else {
+				$checked = "";
+			}
 
-		print "<input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" name=\"private\" id=\"private\"
+			print "<input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" name=\"private\" id=\"private\"
 			$checked>&nbsp;<label for=\"private\">".__('Hide from Popular feeds')."</label>";
 
-		$include_in_digest = sql_bool_to_bool(db_fetch_result($result, 0, "include_in_digest"));
+		if (DIGEST_SUBJECT !== false) {
+			$include_in_digest = $row["include_in_digest"];
 
-		if ($include_in_digest) {
-			$checked = "checked=\"1\"";
-		} else {
-			$checked = "";
-		}
+			if ($include_in_digest) {
+				$checked = "checked=\"1\"";
+			} else {
+				$checked = "";
+			}
 
-		print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"include_in_digest\"
+			print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"include_in_digest\"
 			name=\"include_in_digest\"
 			$checked>&nbsp;<label for=\"include_in_digest\">".__('Include in e-mail digest')."</label>";
+		}
 
 
-		$always_display_enclosures = sql_bool_to_bool(db_fetch_result($result, 0, "always_display_enclosures"));
+			$always_display_enclosures = $row["always_display_enclosures"];
 
-		if ($always_display_enclosures) {
-			$checked = "checked";
-		} else {
-			$checked = "";
-		}
+			if ($always_display_enclosures) {
+				$checked = "checked";
+			} else {
+				$checked = "";
+			}
 
-		print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"always_display_enclosures\"
+			print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"always_display_enclosures\"
 			name=\"always_display_enclosures\"
 			$checked>&nbsp;<label for=\"always_display_enclosures\">".__('Always display image attachments')."</label>";
 
-		$hide_images = sql_bool_to_bool(db_fetch_result($result, 0, "hide_images"));
+			$hide_images = $row["hide_images"];
 
-		if ($hide_images) {
-			$checked = "checked=\"1\"";
-		} else {
-			$checked = "";
-		}
+			if ($hide_images) {
+				$checked = "checked=\"1\"";
+			} else {
+				$checked = "";
+			}
 
-		print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"hide_images\"
+			print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"hide_images\"
 		name=\"hide_images\"
 			$checked>&nbsp;<label for=\"hide_images\">".
-		__('Do not embed images')."</label>";
+				__('Do not embed media')."</label>";
 
-		$cache_images = sql_bool_to_bool(db_fetch_result($result, 0, "cache_images"));
+			$cache_images = $row["cache_images"];
 
-		if ($cache_images) {
-			$checked = "checked=\"1\"";
-		} else {
-			$checked = "";
-		}
+			if ($cache_images) {
+				$checked = "checked=\"1\"";
+			} else {
+				$checked = "";
+			}
 
-		print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"cache_images\"
+			print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"cache_images\"
 		name=\"cache_images\"
 			$checked>&nbsp;<label for=\"cache_images\">".
-		__('Cache media')."</label>";
+				__('Cache media')."</label>";
 
-		$mark_unread_on_update = sql_bool_to_bool(db_fetch_result($result, 0, "mark_unread_on_update"));
+			$mark_unread_on_update = $row["mark_unread_on_update"];
 
-		if ($mark_unread_on_update) {
-			$checked = "checked";
-		} else {
-			$checked = "";
-		}
+			if ($mark_unread_on_update) {
+				$checked = "checked";
+			} else {
+				$checked = "";
+			}
 
-		print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"mark_unread_on_update\"
+			print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"mark_unread_on_update\"
 			name=\"mark_unread_on_update\"
 			$checked>&nbsp;<label for=\"mark_unread_on_update\">".__('Mark updated articles as unread')."</label>";
 
-		print "</div>";
+			print "</div>";
 
-		print '</div><div dojoType="dijit.layout.ContentPane" title="'.__('Icon').'">';
+			print '</div><div dojoType="dijit.layout.ContentPane" title="'.__('Icon').'">';
 
-		/* Icon */
+			/* Icon */
 
-		print "<div class=\"dlgSecSimple\">";
+			print "<div class=\"dlgSecSimple\">";
 
-		print "<iframe name=\"icon_upload_iframe\"
-			style=\"width: 400px; height: 100px; display: none;\"></iframe>";
+			print "<img class=\"feedIcon\" src=\"".Feeds::getFeedIcon($feed_id)."\">";
+
+			print "<iframe name=\"icon_upload_iframe\"
+				style=\"width: 400px; height: 100px; display: none;\"></iframe>";
 
-		print "<form style='display : block' target=\"icon_upload_iframe\"
+			print "<form style='display : block' target=\"icon_upload_iframe\"
 			enctype=\"multipart/form-data\" method=\"POST\"
 			action=\"backend.php\">
-			<input id=\"icon_file\" size=\"10\" name=\"icon_file\" type=\"file\">
+			<label class=\"dijitButton\">".__("Choose file...")."
+				<input style=\"display: none\" id=\"icon_file\" size=\"10\" name=\"icon_file\" type=\"file\">
+			</label>
 			<input type=\"hidden\" name=\"op\" value=\"pref-feeds\">
 			<input type=\"hidden\" name=\"feed_id\" value=\"$feed_id\">
-			<input type=\"hidden\" name=\"method\" value=\"uploadicon\"><p>
+			<input type=\"hidden\" name=\"method\" value=\"uploadicon\">
 			<button class=\"\" dojoType=\"dijit.form.Button\" onclick=\"return uploadFeedIcon();\"
 				type=\"submit\">".__('Replace')."</button>
-			<button class=\"\" dojoType=\"dijit.form.Button\" onclick=\"return removeFeedIcon($feed_id);\"
+			<button class=\"btn-danger\" dojoType=\"dijit.form.Button\" onclick=\"return removeFeedIcon($feed_id);\"
 				type=\"submit\">".__('Remove')."</button>
 			</form>";
 
-		print "</div>";
+			print "</div>";
 
-		print '</div><div dojoType="dijit.layout.ContentPane" title="'.__('Plugins').'">';
+			print '</div><div dojoType="dijit.layout.ContentPane" title="'.__('Plugins').'">';
 
-		PluginHost::getInstance()->run_hooks(PluginHost::HOOK_PREFS_EDIT_FEED,
-			"hook_prefs_edit_feed", $feed_id);
+			PluginHost::getInstance()->run_hooks(PluginHost::HOOK_PREFS_EDIT_FEED,
+				"hook_prefs_edit_feed", $feed_id);
 
 
-		print "</div></div>";
+			print "</div></div>";
 
-		$title = htmlspecialchars($title, ENT_QUOTES);
+			$title = htmlspecialchars($title, ENT_QUOTES);
 
-		print "<div class='dlgButtons'>
+			print "<div class='dlgButtons'>
 			<div style=\"float : left\">
-			<button class=\"danger\" dojoType=\"dijit.form.Button\" onclick='return unsubscribeFeed($feed_id, \"$title\")'>".
+			<button class=\"btn-danger\" dojoType=\"dijit.form.Button\" onclick='return unsubscribeFeed($feed_id, \"$title\")'>".
 				__('Unsubscribe')."</button>";
 
-		print "</div>";
-
-		print "<button dojoType=\"dijit.form.Button\" onclick=\"return dijit.byId('feedEditDlg').execute()\">".__('Save')."</button>
-			<button dojoType=\"dijit.form.Button\" onclick=\"return dijit.byId('feedEditDlg').hide()\">".__('Cancel')."</button>
-		</div>";
+			print "</div>";
 
-
-		return;
+			print "<button dojoType=\"dijit.form.Button\" onclick=\"return dijit.byId('feedEditDlg').execute()\">".__('Save')."</button>
+				<button dojoType=\"dijit.form.Button\" onclick=\"return dijit.byId('feedEditDlg').hide()\">".__('Cancel')."</button>
+				</div>";
+		}
 	}
 
 	function editfeeds() {
 		global $purge_intervals;
 		global $update_intervals;
 
-		$feed_ids = $_REQUEST["ids"];
+		$feed_ids = clean($_REQUEST["ids"]);
 
 		print_notice("Enable the options you wish to apply using checkboxes on the right:");
 
@@ -882,7 +889,7 @@ class Pref_Feeds extends Handler_Protected {
 			name=\"hide_images\"
 			dojoType=\"dijit.form.CheckBox\">&nbsp;<label class='insensitive' id=\"hide_images_l\"
 			for=\"hide_images\">".
-		__('Do not embed images')."</label>";
+		__('Do not embed media')."</label>";
 
 		print "&nbsp;"; $this->batch_edit_cbox("hide_images", "hide_images_l");
 
@@ -924,47 +931,48 @@ class Pref_Feeds extends Handler_Protected {
 
 	function editsaveops($batch) {
 
-		$feed_title = trim($_POST["title"]);
-		$feed_url = trim($_POST["feed_url"]);
-		$upd_intl = (int) $_POST["update_interval"];
-		$purge_intl = (int) $_POST["purge_interval"];
-		$feed_id = (int) $_POST["id"]; /* editSave */
-		$feed_ids = explode(",", $_POST["ids"]); /* batchEditSave */
-		$cat_id = (int) $_POST["cat_id"];
-		$auth_login = trim($_POST["auth_login"]);
-		$auth_pass = trim($_POST["auth_pass"]);
-		$private = checkbox_to_sql_bool($_POST["private"]);
+		$feed_title = trim(clean($_POST["title"]));
+		$feed_url = trim(clean($_POST["feed_url"]));
+		$site_url = trim(clean($_POST["site_url"]));
+		$upd_intl = (int) clean($_POST["update_interval"]);
+		$purge_intl = (int) clean($_POST["purge_interval"]);
+		$feed_id = (int) clean($_POST["id"]); /* editSave */
+		$feed_ids = explode(",", clean($_POST["ids"])); /* batchEditSave */
+		$cat_id = (int) clean($_POST["cat_id"]);
+		$auth_login = trim(clean($_POST["auth_login"]));
+		$auth_pass = trim(clean($_POST["auth_pass"]));
+		$private = checkbox_to_sql_bool(clean($_POST["private"]));
 		$include_in_digest = checkbox_to_sql_bool(
-			$_POST["include_in_digest"]);
+			clean($_POST["include_in_digest"]));
 		$cache_images = checkbox_to_sql_bool(
-			$_POST["cache_images"]);
+			clean($_POST["cache_images"]));
 		$hide_images = checkbox_to_sql_bool(
-			$_POST["hide_images"]);
+			clean($_POST["hide_images"]));
 		$always_display_enclosures = checkbox_to_sql_bool(
-			$_POST["always_display_enclosures"]);
+			clean($_POST["always_display_enclosures"]));
 
 		$mark_unread_on_update = checkbox_to_sql_bool(
-			$_POST["mark_unread_on_update"]);
+			clean($_POST["mark_unread_on_update"]));
 
-		$feed_language = trim($_POST["feed_language"]);
+		$feed_language = trim(clean($_POST["feed_language"]));
 
 		if (!$batch) {
-			if ($_POST["need_auth"] !== 'on') {
+			if (clean($_POST["need_auth"]) !== 'on') {
 				$auth_login = '';
 				$auth_pass = '';
 			}
 
-			$sth = $this->pdo->prepare("SELECT feed_url FROM ttrss_feeds WHERE id = ?");
+			/* $sth = $this->pdo->prepare("SELECT feed_url FROM ttrss_feeds WHERE id = ?");
 			$sth->execute([$feed_id]);
-			$row = $sth->fetch();
-			$orig_feed_url = $row["feed_url"];
+			$row = $sth->fetch();$orig_feed_url = $row["feed_url"];
 
-			$reset_basic_info = $orig_feed_url != $feed_url;
+			$reset_basic_info = $orig_feed_url != $feed_url; */
 
 			$sth = $this->pdo->prepare("UPDATE ttrss_feeds SET
 				cat_id = :cat_id,
-				title = :title, 
+				title = :title,
 				feed_url = :feed_url,
+				site_url = :site_url,
 				update_interval = :upd_intl,
 				purge_interval = :purge_intl,
 				auth_login = :auth_login,
@@ -982,6 +990,7 @@ class Pref_Feeds extends Handler_Protected {
 			$sth->execute([":title" => $feed_title,
 					":cat_id" => $cat_id ? $cat_id : null,
 					":feed_url" => $feed_url,
+					":site_url" => $site_url,
 					":upd_intl" => $upd_intl,
 					":purge_intl" => $purge_intl,
 					":auth_login" => $auth_login,
@@ -996,9 +1005,9 @@ class Pref_Feeds extends Handler_Protected {
 					":id" => $feed_id,
 					":uid" => $_SESSION['uid']]);
 
-			if ($reset_basic_info) {
+/*			if ($reset_basic_info) {
 				RSSUtils::set_basic_feed_info($feed_id);
-			}
+			} */
 
 			PluginHost::getInstance()->run_hooks(PluginHost::HOOK_PREFS_SAVE_FEED,
 				"hook_prefs_save_feed", $feed_id);
@@ -1008,7 +1017,7 @@ class Pref_Feeds extends Handler_Protected {
 
 			foreach (array_keys($_POST) as $k) {
 				if ($k != "op" && $k != "method" && $k != "ids") {
-					$feed_data[$k] = $_POST[$k];
+					$feed_data[$k] = clean($_POST[$k]);
 				}
 			}
 
@@ -1102,7 +1111,7 @@ class Pref_Feeds extends Handler_Protected {
 
 	function remove() {
 
-		$ids = explode(",", $_REQUEST["ids"]);
+		$ids = explode(",", clean($_REQUEST["ids"]));
 
 		foreach ($ids as $id) {
 			Pref_Feeds::remove_feed($id, $_SESSION["uid"]);
@@ -1111,150 +1120,15 @@ class Pref_Feeds extends Handler_Protected {
 		return;
 	}
 
-	function clear() {
-		$id = $_REQUEST["id"];
-		$this->clear_feed_articles($id);
-	}
-
-	function rescore() {
-		$ids = explode(",", $_REQUEST["ids"]);
-
-		foreach ($ids as $id) {
-
-			$filters = load_filters($id, $_SESSION["uid"], 6);
-
-			$result = db_query("SELECT
-				title, content, link, ref_id, author,".
-				SUBSTRING_FOR_DATE."(updated, 1, 19) AS updated
-			  	FROM
-					ttrss_user_entries, ttrss_entries
-					WHERE ref_id = id AND feed_id = '$id' AND
-						owner_uid = " .$_SESSION['uid']."
-					");
-
-			$scores = array();
-
-			while ($line = db_fetch_assoc($result)) {
-
-				$tags = Article::get_article_tags($line["ref_id"]);
-
-				$article_filters = RSSUtils::get_article_filters($filters, $line['title'],
-					$line['content'], $line['link'], strtotime($line['updated']),
-					$line['author'], $tags);
-
-				$new_score = RSSUtils::calculate_article_score($article_filters);
-
-				if (!$scores[$new_score]) $scores[$new_score] = array();
-
-				array_push($scores[$new_score], $line['ref_id']);
-			}
-
-			foreach (array_keys($scores) as $s) {
-				if ($s > 1000) {
-					db_query("UPDATE ttrss_user_entries SET score = '$s',
-						marked = true WHERE
-						ref_id IN (" . join(',', $scores[$s]) . ")");
-				} else if ($s < -500) {
-					db_query("UPDATE ttrss_user_entries SET score = '$s',
-						unread = false WHERE
-						ref_id IN (" . join(',', $scores[$s]) . ")");
-				} else {
-					db_query("UPDATE ttrss_user_entries SET score = '$s' WHERE
-						ref_id IN (" . join(',', $scores[$s]) . ")");
-				}
-			}
-		}
-
-		print __("All done.");
-
-	}
-
-	function rescoreAll() {
-
-		$result = db_query(
-			"SELECT id FROM ttrss_feeds WHERE owner_uid = " . $_SESSION['uid']);
-
-		while ($feed_line = db_fetch_assoc($result)) {
-
-			$id = $feed_line["id"];
-
-			$filters = load_filters($id, $_SESSION["uid"], 6);
-
-			$tmp_result = db_query("SELECT
-				title, content, link, ref_id, author,".
-				  	SUBSTRING_FOR_DATE."(updated, 1, 19) AS updated
-					FROM
-					ttrss_user_entries, ttrss_entries
-					WHERE ref_id = id AND feed_id = '$id' AND
-						owner_uid = " .$_SESSION['uid']."
-					");
-
-			$scores = array();
-
-			while ($line = db_fetch_assoc($tmp_result)) {
-
-				$tags = Article::get_article_tags($line["ref_id"]);
-
-				$article_filters = RSSUtils::get_article_filters($filters, $line['title'],
-					$line['content'], $line['link'], strtotime($line['updated']),
-					$line['author'], $tags);
-
-				$new_score = RSSUtils::calculate_article_score($article_filters);
-
-				if (!$scores[$new_score]) $scores[$new_score] = array();
-
-				array_push($scores[$new_score], $line['ref_id']);
-			}
-
-			foreach (array_keys($scores) as $s) {
-				if ($s > 1000) {
-					db_query("UPDATE ttrss_user_entries SET score = '$s',
-						marked = true WHERE
-						ref_id IN (" . join(',', $scores[$s]) . ")");
-				} else {
-					db_query("UPDATE ttrss_user_entries SET score = '$s' WHERE
-						ref_id IN (" . join(',', $scores[$s]) . ")");
-				}
-			}
-		}
-
-		print __("All done.");
-
-	}
-
-	function categorize() {
-		$ids = explode(",", $_REQUEST["ids"]);
-
-		$cat_id = $_REQUEST["cat_id"];
-
-		if ($cat_id == 0) {
-			$cat_id_qpart = 'NULL';
-		} else {
-			$cat_id_qpart = "'$cat_id'";
-		}
-
-		db_query("BEGIN");
-
-		foreach ($ids as $id) {
-
-			db_query("UPDATE ttrss_feeds SET cat_id = $cat_id_qpart
-				WHERE id = '$id'
-			  	AND owner_uid = " . $_SESSION["uid"]);
-
-		}
-
-		db_query("COMMIT");
-	}
-
 	function removeCat() {
-		$ids = explode(",", $_REQUEST["ids"]);
+		$ids = explode(",", clean($_REQUEST["ids"]));
 		foreach ($ids as $id) {
 			$this->remove_feed_category($id, $_SESSION["uid"]);
 		}
 	}
 
 	function addCat() {
-		$feed_cat = trim($_REQUEST["cat"]);
+		$feed_cat = trim(clean($_REQUEST["cat"]));
 
 		add_feed_category($feed_cat);
 	}
@@ -1264,10 +1138,15 @@ class Pref_Feeds extends Handler_Protected {
 		print "<div dojoType=\"dijit.layout.AccordionContainer\" region=\"center\">";
 		print "<div id=\"pref-feeds-feeds\" dojoType=\"dijit.layout.AccordionPane\" title=\"".__('Feeds')."\">";
 
-		$result = db_query("SELECT COUNT(id) AS num_errors
-			FROM ttrss_feeds WHERE last_error != '' AND owner_uid = ".$_SESSION["uid"]);
+		$sth = $this->pdo->prepare("SELECT COUNT(id) AS num_errors
+			FROM ttrss_feeds WHERE last_error != '' AND owner_uid = ?");
+		$sth->execute([$_SESSION['uid']]);
 
-		$num_errors = db_fetch_result($result, 0, "num_errors");
+		if ($row = $sth->fetch()) {
+			$num_errors = $row["num_errors"];
+		} else {
+			$num_errors = 0;
+		}
 
 		if ($num_errors > 0) {
 
@@ -1282,7 +1161,7 @@ class Pref_Feeds extends Handler_Protected {
 				onclick=\"showInactiveFeeds()\">" .
 				__("Inactive feeds") . "</button>";
 
-		$feed_search = $_REQUEST["search"];
+		$feed_search = clean($_REQUEST["search"]);
 
 		if (array_key_exists("search", $_REQUEST)) {
 			$_SESSION["prefs_feed_search"] = $feed_search;
@@ -1342,24 +1221,6 @@ class Pref_Feeds extends Handler_Protected {
 		print $error_button;
 		print $inactive_button;
 
-		if (defined('_ENABLE_FEED_DEBUGGING')) {
-
-			print "<select id=\"feedActionChooser\" onchange=\"feedActionChange()\">
-				<option value=\"facDefault\" selected>".__('More actions...')."</option>";
-
-			if (FORCE_ARTICLE_PURGE == 0) {
-				print
-					"<option value=\"facPurge\">".__('Manual purge')."</option>";
-			}
-
-			print "
-				<option value=\"facClear\">".__('Clear feed data')."</option>
-				<option value=\"facRescore\">".__('Rescore articles')."</option>";
-
-			print "</select>";
-
-		}
-
 		print "</div>"; # toolbar
 
 		//print '</div>';
@@ -1369,6 +1230,8 @@ class Pref_Feeds extends Handler_Protected {
 		<img src='images/indicator_tiny.gif'>".
 		 __("Loading, please wait...")."</div>";
 
+		$auto_expand = $feed_search != "" ? "true" : "false";
+
 		print "<div dojoType=\"fox.PrefFeedStore\" jsId=\"feedStore\"
 			url=\"backend.php?op=pref-feeds&method=getfeedtree\">
 		</div>
@@ -1379,7 +1242,7 @@ class Pref_Feeds extends Handler_Protected {
 		<div dojoType=\"fox.PrefFeedTree\" id=\"feedTree\"
 			dndController=\"dijit.tree.dndSource\"
 			betweenThreshold=\"5\"
-			autoExpand='true'
+			autoExpand='$auto_expand'
 			model=\"feedModel\" openOnClick=\"false\">
 		<script type=\"dojo/method\" event=\"onClick\" args=\"item\">
 			var id = String(item.id);
@@ -1419,7 +1282,9 @@ class Pref_Feeds extends Handler_Protected {
 		print "<form  name=\"opml_form\" style='display : block' target=\"upload_iframe\"
 			enctype=\"multipart/form-data\" method=\"POST\"
 			action=\"backend.php\">
-			<input id=\"opml_file\" name=\"opml_file\" type=\"file\">&nbsp;
+			<label class=\"dijitButton\">".__("Choose file...")."
+				<input style=\"display : none\" id=\"opml_file\" name=\"opml_file\" type=\"file\">&nbsp;
+			</label>
 			<input type=\"hidden\" name=\"op\" value=\"dlg\">
 			<input type=\"hidden\" name=\"method\" value=\"importOpml\">
 			<button dojoType=\"dijit.form.Button\" onclick=\"return opmlImport();\" type=\"submit\">" .
@@ -1430,7 +1295,7 @@ class Pref_Feeds extends Handler_Protected {
 		$opml_export_filename = "TinyTinyRSS_".date("Y-m-d").".opml";
 
 		print "<p>" . __('Filename:') .
-            " <input type=\"text\" id=\"filename\" value=\"$opml_export_filename\" />&nbsp;" .
+            " <input class=\"input input-text\" type=\"text\" id=\"filename\" value=\"$opml_export_filename\" />&nbsp;" .
 				__('Include settings') . "<input type=\"checkbox\" id=\"settings\" checked=\"1\"/>";
 
 		print "</p><button dojoType=\"dijit.form.Button\"
@@ -1451,25 +1316,6 @@ class Pref_Feeds extends Handler_Protected {
 
 		print "</div>"; # pane
 
-		if (strpos($_SERVER['HTTP_USER_AGENT'], "Firefox") !== false) {
-
-			print "<div dojoType=\"dijit.layout.AccordionPane\" title=\"".__('Firefox integration')."\">";
-
-			print_notice(__('This Tiny Tiny RSS site can be used as a Firefox Feed Reader by clicking the link below.'));
-
-			print "<p>";
-
-			print "<button onclick='window.navigator.registerContentHandler(" .
-                      "\"application/vnd.mozilla.maybe.feed\", " .
-                      "\"" . $this->subscribe_to_feed_url() . "\", " . " \"Tiny Tiny RSS\")'>" .
-							 __('Click here to register this site as a feed reader.') .
-				"</button>";
-
-			print "</p>";
-
-			print "</div>"; # pane
-		}
-
 		print "<div dojoType=\"dijit.layout.AccordionPane\" title=\"".__('Published & shared articles / Generated feeds')."\">";
 
 		print "<p>" . __('Published articles are exported as a public RSS feed and can be subscribed by anyone who knows the URL specified below.') . "</p>";
@@ -1549,17 +1395,18 @@ class Pref_Feeds extends Handler_Protected {
 			$interval_qpart = "DATE_SUB(NOW(), INTERVAL 3 MONTH)";
 		}
 
-		$result = db_query("SELECT ttrss_feeds.title, ttrss_feeds.site_url,
+		$sth = $this->pdo->prepare("SELECT ttrss_feeds.title, ttrss_feeds.site_url,
 		  		ttrss_feeds.feed_url, ttrss_feeds.id, MAX(updated) AS last_article
 			FROM ttrss_feeds, ttrss_entries, ttrss_user_entries WHERE
 				(SELECT MAX(updated) FROM ttrss_entries, ttrss_user_entries WHERE
 					ttrss_entries.id = ref_id AND
 						ttrss_user_entries.feed_id = ttrss_feeds.id) < $interval_qpart
-			AND ttrss_feeds.owner_uid = ".$_SESSION["uid"]." AND
+			AND ttrss_feeds.owner_uid = ? AND
 				ttrss_user_entries.feed_id = ttrss_feeds.id AND
 				ttrss_entries.id = ref_id
 			GROUP BY ttrss_feeds.title, ttrss_feeds.id, ttrss_feeds.site_url, ttrss_feeds.feed_url
 			ORDER BY last_article");
+		$sth->execute([$_SESSION['uid']]);
 
 		print "<p" .__("These feeds have not been updated with new content for 3 months (oldest first):") . "</p>";
 
@@ -1580,7 +1427,7 @@ class Pref_Feeds extends Handler_Protected {
 
 		$lnum = 1;
 
-		while ($line = db_fetch_assoc($result)) {
+		while ($line = $sth->fetch()) {
 
 			$feed_id = $line["id"];
 			$this_row_id = "id=\"FUPDD-$feed_id\"";
@@ -1612,7 +1459,7 @@ class Pref_Feeds extends Handler_Protected {
 
 		print "<div class='dlgButtons'>";
 		print "<div style='float : left'>";
-		print "<button class=\"danger\" dojoType=\"dijit.form.Button\" onclick=\"dijit.byId('inactiveFeedsDlg').removeSelected()\">"
+		print "<button class=\"btn-danger\" dojoType=\"dijit.form.Button\" onclick=\"dijit.byId('inactiveFeedsDlg').removeSelected()\">"
 			.__('Unsubscribe from selected feeds')."</button> ";
 		print "</div>";
 
@@ -1624,8 +1471,9 @@ class Pref_Feeds extends Handler_Protected {
 	}
 
 	function feedsWithErrors() {
-		$result = db_query("SELECT id,title,feed_url,last_error,site_url
-		FROM ttrss_feeds WHERE last_error != '' AND owner_uid = ".$_SESSION["uid"]);
+		$sth = $this->pdo->prepare("SELECT id,title,feed_url,last_error,site_url
+			FROM ttrss_feeds WHERE last_error != '' AND owner_uid = ?");
+		$sth->execute([$_SESSION['uid']]);
 
 		print "<div dojoType=\"dijit.Toolbar\">";
 		print "<div dojoType=\"dijit.form.DropDownButton\">".
@@ -1644,7 +1492,7 @@ class Pref_Feeds extends Handler_Protected {
 
 		$lnum = 1;
 
-		while ($line = db_fetch_assoc($result)) {
+		while ($line = $sth->fetch()) {
 
 			$feed_id = $line["id"];
 			$this_row_id = "id=\"FERDD-$feed_id\"";
@@ -1678,7 +1526,7 @@ class Pref_Feeds extends Handler_Protected {
 
 		print "<div class='dlgButtons'>";
 		print "<div style='float : left'>";
-		print "<button class=\"danger\" dojoType=\"dijit.form.Button\" onclick=\"dijit.byId('errorFeedsDlg').removeSelected()\">"
+		print "<button class=\"btn-danger\" dojoType=\"dijit.form.Button\" onclick=\"dijit.byId('errorFeedsDlg').removeSelected()\">"
 			.__('Unsubscribe from selected feeds')."</button> ";
 		print "</div>";
 
@@ -1688,84 +1536,80 @@ class Pref_Feeds extends Handler_Protected {
 		print "</div>";
 	}
 
-	/**
-	 * Purge a feed contents, marked articles excepted.
-	 *
-	 * @param mixed $link The database connection.
-	 * @param integer $id The id of the feed to purge.
-	 * @return void
-	 */
-	private function clear_feed_articles($id) {
-
-		if ($id != 0) {
-			$result = db_query("DELETE FROM ttrss_user_entries
-			WHERE feed_id = '$id' AND marked = false AND owner_uid = " . $_SESSION["uid"]);
-		} else {
-			$result = db_query("DELETE FROM ttrss_user_entries
-			WHERE feed_id IS NULL AND marked = false AND owner_uid = " . $_SESSION["uid"]);
-		}
-
-		$result = db_query("DELETE FROM ttrss_entries WHERE
-			(SELECT COUNT(int_id) FROM ttrss_user_entries WHERE ref_id = id) = 0");
-
-		CCache::update($id, $_SESSION['uid']);
-	} // function clear_feed_articles
-
 	private function remove_feed_category($id, $owner_uid) {
 
-		db_query("DELETE FROM ttrss_feed_categories
-			WHERE id = '$id' AND owner_uid = $owner_uid");
+		$sth = $this->pdo->prepare("DELETE FROM ttrss_feed_categories
+			WHERE id = ? AND owner_uid = ?");
+		$sth->execute([$id, $owner_uid]);
 
 		CCache::remove($id, $owner_uid, true);
 	}
 
 	static function remove_feed($id, $owner_uid) {
+		foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_UNSUBSCRIBE_FEED) as $p) {
+			if (! $p->hook_unsubscribe_feed($id, $owner_uid)) {
+                user_error("Feed $id (owner: $owner_uid) not removed due to plugin error (HOOK_UNSUBSCRIBE_FEED).", E_USER_WARNING);
+                return;
+			}
+		}
+
+		$pdo = Db::pdo();
 
 		if ($id > 0) {
+			$pdo->beginTransaction();
 
 			/* save starred articles in Archived feed */
 
-			db_query("BEGIN");
-
 			/* prepare feed if necessary */
 
-			$result = db_query("SELECT feed_url FROM ttrss_feeds WHERE id = $id
-				AND owner_uid = $owner_uid");
+			$sth = $pdo->prepare("SELECT feed_url FROM ttrss_feeds WHERE id = ?
+				AND owner_uid = ?");
+			$sth->execute([$id, $owner_uid]);
 
-			$feed_url = db_fetch_result($result, 0, "feed_url");
+			if ($row = $sth->fetch()) {
+				$feed_url = $row["feed_url"];
 
-			$result = db_query("SELECT id FROM ttrss_archived_feeds
-				WHERE feed_url = '$feed_url' AND owner_uid = $owner_uid");
+				$sth = $pdo->prepare("SELECT id FROM ttrss_archived_feeds
+					WHERE feed_url = ? AND owner_uid = ?");
+				$sth->execute([$feed_url, $owner_uid]);
 
-			if (db_num_rows($result) == 0) {
-				$result = db_query("SELECT MAX(id) AS id FROM ttrss_archived_feeds");
-				$new_feed_id = (int)db_fetch_result($result, 0, "id") + 1;
+				if ($row = $sth->fetch()) {
+					$archive_id = $row["id"];
+				} else {
+					$res = $pdo->query("SELECT MAX(id) AS id FROM ttrss_archived_feeds");
+					$row = $res->fetch();
 
-				db_query("INSERT INTO ttrss_archived_feeds
-					(id, owner_uid, title, feed_url, site_url)
-				SELECT $new_feed_id, owner_uid, title, feed_url, site_url from ttrss_feeds
-				WHERE id = '$id'");
+					$new_feed_id = (int)$row['id'] + 1;
 
-				$archive_id = $new_feed_id;
-			} else {
-				$archive_id = db_fetch_result($result, 0, "id");
-			}
+					$sth = $pdo->prepare("INSERT INTO ttrss_archived_feeds
+						(id, owner_uid, title, feed_url, site_url)
+							SELECT ?, owner_uid, title, feed_url, site_url from ttrss_feeds
+							WHERE id = ?");
+					$sth->execute([$new_feed_id, $id]);
 
-			db_query("UPDATE ttrss_user_entries SET feed_id = NULL,
-				orig_feed_id = '$archive_id' WHERE feed_id = '$id' AND
-					marked = true AND owner_uid = $owner_uid");
+					$archive_id = $new_feed_id;
+				}
 
-			/* Remove access key for the feed */
+				$sth = $pdo->prepare("UPDATE ttrss_user_entries SET feed_id = NULL,
+					orig_feed_id = ? WHERE feed_id = ? AND
+						marked = true AND owner_uid = ?");
 
-			db_query("DELETE FROM ttrss_access_keys WHERE
-				feed_id = '$id' AND owner_uid = $owner_uid");
+				$sth->execute([$archive_id, $id, $owner_uid]);
 
-			/* remove the feed */
+				/* Remove access key for the feed */
 
-			db_query("DELETE FROM ttrss_feeds
-					WHERE id = '$id' AND owner_uid = $owner_uid");
+				$sth = $pdo->prepare("DELETE FROM ttrss_access_keys WHERE
+					feed_id = ? AND owner_uid = ?");
+				$sth->execute([$id, $owner_uid]);
 
-			db_query("COMMIT");
+				/* remove the feed */
+
+				$sth = $pdo->prepare("DELETE FROM ttrss_feeds
+					WHERE id = ? AND owner_uid = ?");
+				$sth->execute([$id, $owner_uid]);
+			}
+
+			$pdo->commit();
 
 			if (file_exists(ICONS_DIR . "/$id.ico")) {
 				unlink(ICONS_DIR . "/$id.ico");
@@ -1829,39 +1673,31 @@ class Pref_Feeds extends Handler_Protected {
 	}
 
 	function batchAddFeeds() {
-		$cat_id = $_REQUEST['cat'];
-		$feeds = explode("\n", $_REQUEST['feeds']);
-		$login = $_REQUEST['login'];
-		$pass = trim($_REQUEST['pass']);
+		$cat_id = clean($_REQUEST['cat']);
+		$feeds = explode("\n", clean($_REQUEST['feeds']));
+		$login = clean($_REQUEST['login']);
+		$pass = trim(clean($_REQUEST['pass']));
 
 		foreach ($feeds as $feed) {
 			$feed = trim($feed);
 
 			if (validate_feed_url($feed)) {
 
-				db_query("BEGIN");
-
-				if ($cat_id == "0" || !$cat_id) {
-					$cat_qpart = "NULL";
-				} else {
-					$cat_qpart = "'$cat_id'";
-				}
-
-				$result = db_query(
-					"SELECT id FROM ttrss_feeds
-					WHERE feed_url = '$feed' AND owner_uid = ".$_SESSION["uid"]);
+				$this->pdo->beginTransaction();
 
-				$pass = $pass;
+				$sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds
+						WHERE feed_url = ? AND owner_uid = ?");
+				$sth->execute([$feed, $_SESSION['uid']]);
 
-				if (db_num_rows($result) == 0) {
-					$result = db_query(
-						"INSERT INTO ttrss_feeds
+				if (!$sth->fetch()) {
+					$sth = $this->pdo->prepare("INSERT INTO ttrss_feeds
 							(owner_uid,feed_url,title,cat_id,auth_login,auth_pass,update_method,auth_pass_encrypted)
-						VALUES ('".$_SESSION["uid"]."', '$feed',
-							'[Unknown]', $cat_qpart, '$login', '$pass', 0, false)");
+						VALUES (?, ?, '[Unknown]', ?, ?, ?, 0, false)");
+
+					$sth->execute([$_SESSION['uid'], $feed, $cat_id ? $cat_id : null, $login, $pass]);
 				}
 
-				db_query("COMMIT");
+				$this->pdo->commit();
 			}
 		}
 	}
@@ -1876,42 +1712,31 @@ class Pref_Feeds extends Handler_Protected {
 	}
 
 	function regenFeedKey() {
-		$feed_id = $_REQUEST['id'];
-		$is_cat = $_REQUEST['is_cat'] == "true";
+		$feed_id = clean($_REQUEST['id']);
+		$is_cat = clean($_REQUEST['is_cat']);
 
 		$new_key = $this->update_feed_access_key($feed_id, $is_cat);
 
-		print json_encode(array("link" => $new_key));
+		print json_encode(["link" => $new_key]);
 	}
 
 
 	private function update_feed_access_key($feed_id, $is_cat, $owner_uid = false) {
 		if (!$owner_uid) $owner_uid = $_SESSION["uid"];
 
-		$sql_is_cat = bool_to_sql_bool($is_cat);
-
-		$result = db_query("SELECT access_key FROM ttrss_access_keys
-			WHERE feed_id = '$feed_id'	AND is_cat = $sql_is_cat
-			AND owner_uid = " . $owner_uid);
-
-		if (db_num_rows($result) == 1) {
-			$key = uniqid_short();
-
-			db_query("UPDATE ttrss_access_keys SET access_key = '$key'
-				WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat
-				AND owner_uid = " . $owner_uid);
-
-			return $key;
+		// clear old value and generate new one
+		$sth = $this->pdo->prepare("DELETE FROM ttrss_access_keys
+			WHERE feed_id = ? AND is_cat = ? AND owner_uid = ?");
+		$sth->execute([$feed_id, bool_to_sql_bool($is_cat), $owner_uid]);
 
-		} else {
-			return get_feed_access_key($feed_id, $is_cat, $owner_uid);
-		}
+		return get_feed_access_key($feed_id, $is_cat, $owner_uid);
 	}
 
 	// Silent
 	function clearKeys() {
-		db_query("DELETE FROM ttrss_access_keys WHERE
-			owner_uid = " . $_SESSION["uid"]);
+		$sth = $this->pdo->prepare("DELETE FROM ttrss_access_keys WHERE
+			owner_uid = ?");
+		$sth->execute([$_SESSION['uid']]);
 	}
 
 	private function calculate_children_count($cat) {
@@ -1935,13 +1760,16 @@ class Pref_Feeds extends Handler_Protected {
 			$interval_qpart = "DATE_SUB(NOW(), INTERVAL 3 MONTH)";
 		}
 
-		$result = db_query("SELECT COUNT(*) AS num_inactive FROM ttrss_feeds WHERE
+		$sth = $this->pdo->prepare("SELECT COUNT(id) AS num_inactive FROM ttrss_feeds WHERE
 				(SELECT MAX(updated) FROM ttrss_entries, ttrss_user_entries WHERE
 					ttrss_entries.id = ref_id AND
 						ttrss_user_entries.feed_id = ttrss_feeds.id) < $interval_qpart AND
-			  ttrss_feeds.owner_uid = ".$_SESSION["uid"]);
+			  ttrss_feeds.owner_uid = ?");
+		$sth->execute([$_SESSION['uid']]);
 
-		print (int) db_fetch_result($result, 0, "num_inactive");
+		if ($row = $sth->fetch()) {
+			print (int)$row["num_inactive"];
+		}
 	}
 
 	static function subscribe_to_feed_url() {
@@ -1950,4 +1778,4 @@ class Pref_Feeds extends Handler_Protected {
 		return $url_path;
 	}
 
-}
\ No newline at end of file
+}