]> git.wh0rd.org Git - tt-rss.git/commitdiff
labels: PDO
authorAndrew Dolgov <noreply@fakecake.org>
Sat, 2 Dec 2017 09:45:33 +0000 (12:45 +0300)
committerAndrew Dolgov <noreply@fakecake.org>
Sat, 2 Dec 2017 09:45:33 +0000 (12:45 +0300)
classes/pref/labels.php

index 5720a1f4b8303ebfd5a9fec940303356e0e1f787..8f1f70be94ede47d0a48d570c112371d5923a77e 100644 (file)
@@ -8,80 +8,80 @@ class Pref_Labels extends Handler_Protected {
        }
 
        function edit() {
-               $label_id = $this->dbh->escape_string($_REQUEST['id']);
+               $label_id = $_REQUEST['id'];
 
-               $result = $this->dbh->query("SELECT * FROM ttrss_labels2 WHERE
-                       id = '$label_id' AND owner_uid = " . $_SESSION["uid"]);
+               $sth = $this->pdo->prepare("SELECT * FROM ttrss_labels2 WHERE
+                       id = ? AND owner_uid = ?");
+               $sth->execute([$label_id, $_SESSION['uid']]);
 
-               $line = $this->dbh->fetch_assoc($result);
+               if ($line = $sth->fetch()) {
 
-               print_hidden("id", "$label_id");
-               print_hidden("op", "pref-labels");
-               print_hidden("method", "save");
+                       print_hidden("id", "$label_id");
+                       print_hidden("op", "pref-labels");
+                       print_hidden("method", "save");
 
-               print "<div class=\"dlgSec\">".__("Caption")."</div>";
+                       print "<div class=\"dlgSec\">".__("Caption")."</div>";
 
-               print "<div class=\"dlgSecCont\">";
+                       print "<div class=\"dlgSecCont\">";
 
-               $fg_color = $line['fg_color'];
-               $bg_color = $line['bg_color'];
+                       $fg_color = $line['fg_color'];
+                       $bg_color = $line['bg_color'];
 
-               print "<span class=\"labelColorIndicator\" id=\"label-editor-indicator\" style='color : $fg_color; background-color : $bg_color; margin-bottom : 4px; margin-right : 4px'>&alpha;</span>";
+                       print "<span class=\"labelColorIndicator\" id=\"label-editor-indicator\" style='color : $fg_color; background-color : $bg_color; margin-bottom : 4px; margin-right : 4px'>&alpha;</span>";
 
-               print "<input style=\"font-size : 16px\" name=\"caption\"
+                       print "<input style=\"font-size : 16px\" name=\"caption\"
                        dojoType=\"dijit.form.ValidationTextBox\"
                        required=\"true\"
                        value=\"".htmlspecialchars($line['caption'])."\">";
 
-               print "</div>";
-               print "<div class=\"dlgSec\">" . __("Colors") . "</div>";
-               print "<div class=\"dlgSecCont\">";
+                       print "</div>";
+                       print "<div class=\"dlgSec\">" . __("Colors") . "</div>";
+                       print "<div class=\"dlgSecCont\">";
 
-               print "<table cellspacing=\"0\">";
+                       print "<table cellspacing=\"0\">";
 
-               print "<tr><td>".__("Foreground:")."</td><td>".__("Background:").
-                       "</td></tr>";
+                       print "<tr><td>".__("Foreground:")."</td><td>".__("Background:").
+                               "</td></tr>";
 
-               print "<tr><td style='padding-right : 10px'>";
+                       print "<tr><td style='padding-right : 10px'>";
 
-               print "<input dojoType=\"dijit.form.TextBox\"
+                       print "<input dojoType=\"dijit.form.TextBox\"
                        style=\"display : none\" id=\"labelEdit_fgColor\"
                        name=\"fg_color\" value=\"$fg_color\">";
-               print "<input dojoType=\"dijit.form.TextBox\"
+                       print "<input dojoType=\"dijit.form.TextBox\"
                        style=\"display : none\" id=\"labelEdit_bgColor\"
                        name=\"bg_color\" value=\"$bg_color\">";
 
-               print "<div dojoType=\"dijit.ColorPalette\">
+                       print "<div dojoType=\"dijit.ColorPalette\">
                        <script type=\"dojo/method\" event=\"onChange\" args=\"fg_color\">
                                dijit.byId(\"labelEdit_fgColor\").attr('value', fg_color);
                                $('label-editor-indicator').setStyle({color: fg_color});
                        </script>
-               </div>";
-               print "</div>";
+                       </div>";
+                       print "</div>";
 
-               print "</td><td>";
+                       print "</td><td>";
 
-               print "<div dojoType=\"dijit.ColorPalette\">
+                       print "<div dojoType=\"dijit.ColorPalette\">
                        <script type=\"dojo/method\" event=\"onChange\" args=\"bg_color\">
                                dijit.byId(\"labelEdit_bgColor\").attr('value', bg_color);
                                $('label-editor-indicator').setStyle({backgroundColor: bg_color});
                        </script>
-               </div>";
-               print "</div>";
+                       </div>";
+                       print "</div>";
 
-               print "</td></tr></table>";
-               print "</div>";
+                       print "</td></tr></table>";
+                       print "</div>";
 
 #                      print "</form>";
 
-               print "<div class=\"dlgButtons\">";
-               print "<button dojoType=\"dijit.form.Button\" onclick=\"dijit.byId('labelEditDlg').execute()\">".
-                       __('Save')."</button>";
-               print "<button dojoType=\"dijit.form.Button\" onclick=\"dijit.byId('labelEditDlg').hide()\">".
-                       __('Cancel')."</button>";
-               print "</div>";
-
-               return;
+                       print "<div class=\"dlgButtons\">";
+                       print "<button dojoType=\"dijit.form.Button\" onclick=\"dijit.byId('labelEditDlg').execute()\">".
+                               __('Save')."</button>";
+                       print "<button dojoType=\"dijit.form.Button\" onclick=\"dijit.byId('labelEditDlg').hide()\">".
+                               __('Cancel')."</button>";
+                       print "</div>";
+               }
        }
 
        function getlabeltree() {
@@ -90,12 +90,13 @@ class Pref_Labels extends Handler_Protected {
                $root['name'] = __('Labels');
                $root['items'] = array();
 
-               $result = $this->dbh->query("SELECT *
+               $sth = $this->pdo->prepare("SELECT *
                        FROM ttrss_labels2
-                       WHERE owner_uid = ".$_SESSION["uid"]."
+                       WHERE owner_uid = ?
                        ORDER BY caption");
+               $sth->execute([$_SESSION['uid']]);
 
-               while ($line = $this->dbh->fetch_assoc($result)) {
+               while ($line = $sth->fetch()) {
                        $label = array();
                        $label['id'] = 'LABEL:' . $line['id'];
                        $label['bare_id'] = $line['id'];
@@ -118,84 +119,92 @@ class Pref_Labels extends Handler_Protected {
        }
 
        function colorset() {
-               $kind = $this->dbh->escape_string($_REQUEST["kind"]);
-               $ids = explode(',', $this->dbh->escape_string($_REQUEST["ids"]));
-               $color = $this->dbh->escape_string($_REQUEST["color"]);
-               $fg = $this->dbh->escape_string($_REQUEST["fg"]);
-               $bg = $this->dbh->escape_string($_REQUEST["bg"]);
+               $kind = $_REQUEST["kind"];
+               $ids = explode(',', $_REQUEST["ids"]);
+               $color = $_REQUEST["color"];
+               $fg = $_REQUEST["fg"];
+               $bg = $_REQUEST["bg"];
 
                foreach ($ids as $id) {
 
                        if ($kind == "fg" || $kind == "bg") {
-                               $this->dbh->query("UPDATE ttrss_labels2 SET
-                                       ${kind}_color = '$color' WHERE id = '$id'
-                                       AND owner_uid = " . $_SESSION["uid"]);
+                               $sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET
+                                       ${kind}_color = ? WHERE id = ?
+                                       AND owner_uid = ?");
+
+                               $sth->execute([$color, $id, $_SESSION['uid']]);
+
                        } else {
-                               $this->dbh->query("UPDATE ttrss_labels2 SET
-                                       fg_color = '$fg', bg_color = '$bg' WHERE id = '$id'
-                                       AND owner_uid = " . $_SESSION["uid"]);
+
+                               $sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET
+                                       fg_color = ?, bg_color = ? WHERE id = ?
+                                       AND owner_uid = ?");
+
+                               $sth->execute([$fg, $bg, $id, $_SESSION['uid']]);
                        }
 
-                       $caption = $this->dbh->escape_string(Labels::find_caption($id, $_SESSION["uid"]));
+                       $caption = Labels::find_caption($id, $_SESSION["uid"]);
 
                        /* Remove cached data */
 
-                       $this->dbh->query("UPDATE ttrss_user_entries SET label_cache = ''
-                               WHERE label_cache LIKE '%$caption%' AND owner_uid = " . $_SESSION["uid"]);
-
+                       $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET label_cache = ''
+                               WHERE label_cache LIKE ? AND owner_uid = ?");
+                       $sth->execute(["%$caption%", $_SESSION['uid']]);
                }
-
-               return;
        }
 
        function colorreset() {
-               $ids = explode(',', $this->dbh->escape_string($_REQUEST["ids"]));
+               $ids = explode(',', $_REQUEST["ids"]);
 
                foreach ($ids as $id) {
-                       $this->dbh->query("UPDATE ttrss_labels2 SET
-                               fg_color = '', bg_color = '' WHERE id = '$id'
-                               AND owner_uid = " . $_SESSION["uid"]);
+                       $sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET
+                               fg_color = '', bg_color = '' WHERE id = ?
+                               AND owner_uid = ?");
+                       $sth->execute([$id, $_SESSION['uid']]);
 
-                       $caption = $this->dbh->escape_string(Labels::find_caption($id, $_SESSION["uid"]));
+                       $caption = Labels::find_caption($id, $_SESSION["uid"]);
 
                        /* Remove cached data */
 
-                       $this->dbh->query("UPDATE ttrss_user_entries SET label_cache = ''
-                               WHERE label_cache LIKE '%$caption%' AND owner_uid = " . $_SESSION["uid"]);
+                       $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET label_cache = ''
+                               WHERE label_cache LIKE ? AND owner_uid = ?");
+                       $sth->execute(["%$caption%", $_SESSION['uid']]);
                }
-
        }
 
        function save() {
 
-               $id = $this->dbh->escape_string($_REQUEST["id"]);
-               $caption = $this->dbh->escape_string(trim($_REQUEST["caption"]));
+               $id = $_REQUEST["id"];
+               $caption = trim($_REQUEST["caption"]);
 
-               $this->dbh->query("BEGIN");
+               $this->pdo->beginTransaction();
 
-               $result = $this->dbh->query("SELECT caption FROM ttrss_labels2
-                       WHERE id = '$id' AND owner_uid = ". $_SESSION["uid"]);
+               $sth = $this->pdo->prepare("SELECT caption FROM ttrss_labels2
+                       WHERE id = ? AND owner_uid = ?");
+               $sth->execute([$id, $_SESSION['uid']]);
 
-               if ($this->dbh->num_rows($result) != 0) {
-                       $old_caption = $this->dbh->fetch_result($result, 0, "caption");
+               if ($row = $sth->fetch()) {
+                       $old_caption = $row["caption"];
 
-                       $result = $this->dbh->query("SELECT id FROM ttrss_labels2
-                               WHERE caption = '$caption' AND owner_uid = ". $_SESSION["uid"]);
+                       $sth = $this->pdo->prepare("SELECT id FROM ttrss_labels2
+                               WHERE caption = ? AND owner_uid = ?");
+                       $sth->execute([$caption, $_SESSION['uid']]);
 
-                       if ($this->dbh->num_rows($result) == 0) {
+                       if (!$sth->fetch()) {
                                if ($caption) {
-                                       $result = $this->dbh->query("UPDATE ttrss_labels2 SET
-                                               caption = '$caption' WHERE id = '$id' AND
-                                               owner_uid = " . $_SESSION["uid"]);
+                                       $sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET
+                                               caption = ? WHERE id = ? AND
+                                               owner_uid = ?");
+                                       $sth->execute([$caption, $id, $_SESSION['uid']]);
 
                                        /* Update filters that reference label being renamed */
 
-                                       $old_caption = $this->dbh->escape_string($old_caption);
-
-                                       $this->dbh->query("UPDATE ttrss_filters2_actions SET
-                                               action_param = '$caption' WHERE action_param = '$old_caption'
+                                       $sth = $this->pdo->prepare("UPDATE ttrss_filters2_actions SET
+                                               action_param = ? WHERE action_param = ?
                                                AND action_id = 7
-                                               AND filter_id IN (SELECT id FROM ttrss_filters2 WHERE owner_uid = ".$_SESSION["uid"].")");
+                                               AND filter_id IN (SELECT id FROM ttrss_filters2 WHERE owner_uid = ?)");
+
+                                       $sth->execute([$caption, $old_caption, $_SESSION['uid']]);
 
                                        print $_REQUEST["value"];
                                } else {
@@ -206,14 +215,13 @@ class Pref_Labels extends Handler_Protected {
                        }
                }
 
-               $this->dbh->query("COMMIT");
+               $this->pdo->commit();
 
-               return;
        }
 
        function remove() {
 
-               $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"]));
+               $ids = explode(",", $_REQUEST["ids"]);
 
                foreach ($ids as $id) {
                        Labels::remove($id, $_SESSION["uid"]);
@@ -222,8 +230,8 @@ class Pref_Labels extends Handler_Protected {
        }
 
        function add() {
-               $caption = $this->dbh->escape_string($_REQUEST["caption"]);
-               $output = $this->dbh->escape_string($_REQUEST["output"]);
+               $caption = $_REQUEST["caption"];
+               $output = $_REQUEST["output"];
 
                if ($caption) {