From: Andrew Dolgov
Date: Sat, 2 Dec 2017 20:13:49 +0000 (+0300)
Subject: Merge branch 'master' of git.fakecake.org:tt-rss into pdo-experimental
X-Git-Tag: 17.12~35
X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=4ee398a41e2176d4a5c997920db35cb6bed12f2e;hp=7c4d7bce3f15afbdab0487e101cd2f85afed8bd5;p=tt-rss.git
Merge branch 'master' of git.fakecake.org:tt-rss into pdo-experimental
---
diff --git a/classes/api.php b/classes/api.php
index bb4d3324..8ffa74d9 100644
--- a/classes/api.php
+++ b/classes/api.php
@@ -49,16 +49,17 @@ class API extends Handler { @session_destroy(); @session_start(); - $login = $this->dbh->escape_string($_REQUEST["user"]); + $login = $_REQUEST["user"]; $password = $_REQUEST["password"]; $password_base64 = base64_decode($_REQUEST["password"]); if (SINGLE_USER_MODE) $login = "admin"; - $result = $this->dbh->query("SELECT id FROM ttrss_users WHERE login = '$login'"); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE login = ?"); + $sth->execute([$login]); - if ($this->dbh->num_rows($result) != 0) { - $uid = $this->dbh->fetch_result($result, 0, "id"); + if ($row = $sth->fetch()) { + $uid = $row["id"]; } else { $uid = 0; }
@@ -95,8 +96,8 @@ class API extends Handler { } function getUnread() { - $feed_id = $this->dbh->escape_string($_REQUEST["feed_id"]); - $is_cat = $this->dbh->escape_string($_REQUEST["is_cat"]); + $feed_id = $_REQUEST["feed_id"]; + $is_cat = $_REQUEST["is_cat"]; if ($feed_id) { $this->wrap(self::STATUS_OK, array("unread" => getFeedUnread($feed_id, $is_cat))); 
@@ -111,10 +112,10 @@ class API extends Handler { } function getFeeds() { - $cat_id = $this->dbh->escape_string($_REQUEST["cat_id"]); + $cat_id = $_REQUEST["cat_id"]; $unread_only = sql_bool_to_bool($_REQUEST["unread_only"]); - $limit = (int) $this->dbh->escape_string($_REQUEST["limit"]); - $offset = (int) $this->dbh->escape_string($_REQUEST["offset"]); + $limit = (int) $_REQUEST["limit"]; + $offset = (int) $_REQUEST["offset"]; $include_nested = sql_bool_to_bool($_REQUEST["include_nested"]); $feeds = $this->api_get_feeds($cat_id, $unread_only, $limit, $offset, $include_nested); @@ -134,7 +135,7 @@ class API extends Handler { else $nested_qpart = "true"; - $result = $this->dbh->query("SELECT + $sth = $this->pdo->prepare("SELECT id, title, order_id, (SELECT COUNT(id) FROM ttrss_feeds WHERE ttrss_feed_categories.id IS NOT NULL AND cat_id = ttrss_feed_categories.id) AS num_feeds, @@ -142,12 +143,12 @@ class API extends Handler { ttrss_feed_categories AS c2 WHERE c2.parent_cat = ttrss_feed_categories.id) AS num_cats FROM ttrss_feed_categories - WHERE $nested_qpart AND owner_uid = " . - $_SESSION["uid"]); + WHERE $nested_qpart AND owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); $cats = array(); - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $sth->fetch()) { if ($include_empty || $line["num_feeds"] > 0 || $line["num_cats"] > 0) { $unread = getFeedUnread($line["id"], true); 
@@ -180,31 +181,31 @@ class API extends Handler { } function getHeadlines() { - $feed_id = $this->dbh->escape_string($_REQUEST["feed_id"]); + $feed_id = $_REQUEST["feed_id"]; if ($feed_id != "") { if (is_numeric($feed_id)) $feed_id = (int) $feed_id; - $limit = (int)$this->dbh->escape_string($_REQUEST["limit"]); + $limit = (int)$_REQUEST["limit"]; if (!$limit || $limit >= 200) $limit = 200; - $offset = (int)$this->dbh->escape_string($_REQUEST["skip"]); - $filter = $this->dbh->escape_string($_REQUEST["filter"]); + $offset = (int)$_REQUEST["skip"]; + $filter = $_REQUEST["filter"]; $is_cat = sql_bool_to_bool($_REQUEST["is_cat"]); $show_excerpt = sql_bool_to_bool($_REQUEST["show_excerpt"]); $show_content = sql_bool_to_bool($_REQUEST["show_content"]); /* all_articles, unread, adaptive, marked, updated */ - $view_mode = $this->dbh->escape_string($_REQUEST["view_mode"]); + $view_mode = $_REQUEST["view_mode"]; $include_attachments = sql_bool_to_bool($_REQUEST["include_attachments"]); - $since_id = (int)$this->dbh->escape_string($_REQUEST["since_id"]); + $since_id = (int)$_REQUEST["since_id"]; $include_nested = sql_bool_to_bool($_REQUEST["include_nested"]); $sanitize_content = !isset($_REQUEST["sanitize"]) || sql_bool_to_bool($_REQUEST["sanitize"]); $force_update = sql_bool_to_bool($_REQUEST["force_update"]); $has_sandbox = sql_bool_to_bool($_REQUEST["has_sandbox"]); - $excerpt_length = (int)$this->dbh->escape_string($_REQUEST["excerpt_length"]); - $check_first_id = (int)$this->dbh->escape_string($_REQUEST["check_first_id"]); + $excerpt_length = (int)$_REQUEST["excerpt_length"]; + $check_first_id = (int)$_REQUEST["check_first_id"]; $include_header = sql_bool_to_bool($_REQUEST["include_header"]); $_SESSION['hasSandbox'] = $has_sandbox; 
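Review bot: `$feed_id`, `$filter` and `$view_mode` now leave getHeadlines exactly as received, so the only thing between them and the headline query is whatever api_get_headlines and the query builder it calls do with them, and that code is not in this hunk. If any of the three is still concatenated into SQL there, this hunk removed the last escaping it had; it is worth checking that each is bound as a parameter or mapped through a fixed set of allowed values. A one-line comment at the top of the function would help the next reader, e.g. `// request values are passed through raw: api_get_headlines is responsible for binding them`. getHeadlines continues past the end of this hunk.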
@@ -227,7 +228,7 @@ class API extends Handler { /* do not rely on params below */ - $search = $this->dbh->escape_string($_REQUEST["search"]); + $search = $_REQUEST["search"]; list($headlines, $headlines_header) = $this->api_get_headlines($feed_id, $limit, $offset, $filter, $is_cat, $show_excerpt, $show_content, $view_mode, $override_order, @@ -245,10 +246,10 @@ class API extends Handler { } function updateArticle() { - $article_ids = array_filter(explode(",", $this->dbh->escape_string($_REQUEST["article_ids"])), is_numeric); - $mode = (int) $this->dbh->escape_string($_REQUEST["mode"]); - $data = $this->dbh->escape_string($_REQUEST["data"]); - $field_raw = (int)$this->dbh->escape_string($_REQUEST["field"]); + $article_ids = explode(",", $_REQUEST["article_ids"]); + $mode = (int) $_REQUEST["mode"]; + $data = $_REQUEST["data"]; + $field_raw = (int)$_REQUEST["field"]; $field = ""; $set_to = ""; 
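Review bot: updateArticle drops the `is_numeric` filter on `$article_ids`, so `explode(",", "")` now yields `[""]` and the `count($article_ids) > 0` guard in the next hunk no longer rejects an empty request, while non-numeric entries are bound as strings against an integer column instead of being discarded. Suggest `$article_ids = array_values(array_filter(explode(",", $_REQUEST["article_ids"]), 'is_numeric'));` — quoting the callable also fixes the bare `is_numeric` constant the removed line relied on. The same unfiltered explode appears in getArticle, setArticleLabel, Article::setScore and Article::labelops further down this diff. updateArticle continues past the end of this hunk.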
@@ -282,21 +283,25 @@ class API extends Handler { break; } - if ($field == "note") $set_to = "'$data'"; + if ($field == "note") $set_to = $this->pdo->quote($data); if ($field && $set_to && count($article_ids) > 0) { - $article_ids = join(", ", $article_ids); + $article_qmarks = arr_qmarks($article_ids); - $result = $this->dbh->query("UPDATE ttrss_user_entries SET $field = $set_to $additional_fields WHERE ref_id IN ($article_ids) AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET + $field = $set_to $additional_fields + WHERE ref_id IN ($article_qmarks) AND owner_uid = ?"); + $sth->execute(array_merge($article_ids, [$_SESSION['uid']])); - $num_updated = $this->dbh->affected_rows($result); + $num_updated = $sth->rowCount(); if ($num_updated > 0 && $field == "unread") { - $result = $this->dbh->query("SELECT DISTINCT feed_id FROM ttrss_user_entries - WHERE ref_id IN ($article_ids)"); + $sth = $this->pdo->prepare("SELECT DISTINCT feed_id FROM ttrss_user_entries + WHERE ref_id IN ($article_qmarks)"); + $sth->execute($article_ids); - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $sth->fetch()) { CCache::update($line["feed_id"], $_SESSION["uid"]); } } 
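Review bot: `$this->pdo->quote($data)` is spliced into the SQL text that is then prepared, so the free-text `note` value is the one input in this statement that still travels through string quoting rather than a bound parameter; `PDO::quote()` also returns false on drivers without quoting support, which would produce `SET note = ` and a syntax error. Binding it is a three-line change: `if ($field == "note") $set_to = "?";`, `$note_params = $field == "note" ? [$data] : [];` and `$sth->execute(array_merge($note_params, $article_ids, [$_SESSION['uid']]));`. `$field` and `$additional_fields` are assigned before this hunk, so whether they come only from fixed literals cannot be confirmed here.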
@@ -312,69 +317,66 @@ class API extends Handler { function getArticle() { - $article_id = join(",", array_filter(explode(",", $this->dbh->escape_string($_REQUEST["article_id"])), is_numeric)); + $article_ids = explode(",", $_REQUEST["article_id"]); $sanitize_content = !isset($_REQUEST["sanitize"]) || sql_bool_to_bool($_REQUEST["sanitize"]); - if ($article_id) { + if ($article_ids) { - $query = "SELECT id,guid,title,link,content,feed_id,comments,int_id, + $article_qmarks = arr_qmarks($article_ids); + + $sth = $this->pdo->prepare("SELECT id,guid,title,link,content,feed_id,comments,int_id, marked,unread,published,score,note,lang, ".SUBSTRING_FOR_DATE."(updated,1,16) as updated, author,(SELECT title FROM ttrss_feeds WHERE id = feed_id) AS feed_title, (SELECT site_url FROM ttrss_feeds WHERE id = feed_id) AS site_url, (SELECT hide_images FROM ttrss_feeds WHERE id = feed_id) AS hide_images FROM ttrss_entries,ttrss_user_entries - WHERE id IN ($article_id) AND ref_id = id AND owner_uid = " . - $_SESSION["uid"] ; + WHERE id IN ($article_qmarks) AND ref_id = id AND owner_uid = ?"); - $result = $this->dbh->query($query); + $sth->execute(array_merge($article_ids, [$_SESSION['uid']])); $articles = array(); - if ($this->dbh->num_rows($result) != 0) { - - while ($line = $this->dbh->fetch_assoc($result)) { - - $attachments = Article::get_article_enclosures($line['id']); - - $article = array( - "id" => $line["id"], - "guid" => $line["guid"], - "title" => $line["title"], - "link" => $line["link"], - "labels" => Article::get_article_labels($line['id']), - "unread" => sql_bool_to_bool($line["unread"]), - "marked" => sql_bool_to_bool($line["marked"]), - "published" => sql_bool_to_bool($line["published"]), - "comments" => $line["comments"], - "author" => $line["author"], - "updated" => (int) strtotime($line["updated"]), - "feed_id" => $line["feed_id"], - "attachments" => $attachments, - "score" => (int)$line["score"], - "feed_title" => $line["feed_title"], - "note" => $line["note"], - 
"lang" => $line["lang"] - ); - - if ($sanitize_content) { - $article["content"] = sanitize( - $line["content"], - sql_bool_to_bool($line['hide_images']), - false, $line["site_url"], false, $line["id"]); - } else { - $article["content"] = $line["content"]; - } - - foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_RENDER_ARTICLE_API) as $p) { - $article = $p->hook_render_article_api(array("article" => $article)); - } + while ($line = $sth->fetch()) { + + $attachments = Article::get_article_enclosures($line['id']); + + $article = array( + "id" => $line["id"], + "guid" => $line["guid"], + "title" => $line["title"], + "link" => $line["link"], + "labels" => Article::get_article_labels($line['id']), + "unread" => sql_bool_to_bool($line["unread"]), + "marked" => sql_bool_to_bool($line["marked"]), + "published" => sql_bool_to_bool($line["published"]), + "comments" => $line["comments"], + "author" => $line["author"], + "updated" => (int) strtotime($line["updated"]), + "feed_id" => $line["feed_id"], + "attachments" => $attachments, + "score" => (int)$line["score"], + "feed_title" => $line["feed_title"], + "note" => $line["note"], + "lang" => $line["lang"] + ); + + if ($sanitize_content) { + $article["content"] = sanitize( + $line["content"], + sql_bool_to_bool($line['hide_images']), + false, $line["site_url"], false, $line["id"]); + } else { + $article["content"] = $line["content"]; + } + foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_RENDER_ARTICLE_API) as $p) { + $article = $p->hook_render_article_api(array("article" => $article)); + } - array_push($articles, $article); + array_push($articles, $article); - } } $this->wrap(self::STATUS_OK, $articles); 
@@ -390,18 +392,18 @@ class API extends Handler { $config["daemon_is_running"] = file_is_locked("update_daemon.lock"); - $result = $this->dbh->query("SELECT COUNT(*) AS cf FROM - ttrss_feeds WHERE owner_uid = " . $_SESSION["uid"]); - - $num_feeds = $this->dbh->fetch_result($result, 0, "cf"); + $sth = $this->pdo->prepare("SELECT COUNT(*) AS cf FROM + ttrss_feeds WHERE owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); + $row = $sth->fetch(); - $config["num_feeds"] = (int)$num_feeds; + $config["num_feeds"] = $row["cf"]; $this->wrap(self::STATUS_OK, $config); } function updateFeed() { - $feed_id = (int) $this->dbh->escape_string($_REQUEST["feed_id"]); + $feed_id = (int) $_REQUEST["feed_id"]; if (!ini_get("open_basedir")) { RSSUtils::update_rss_feed($feed_id); @@ -411,8 +413,8 @@ class API extends Handler { } function catchupFeed() { - $feed_id = $this->dbh->escape_string($_REQUEST["feed_id"]); - $is_cat = $this->dbh->escape_string($_REQUEST["is_cat"]); + $feed_id = $_REQUEST["feed_id"]; + $is_cat = $_REQUEST["is_cat"]; Feeds::catchup_feed($feed_id, $is_cat); 
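Review bot: `$config["num_feeds"] = $row["cf"];` drops the `(int)` cast the removed line had, and PDO returns COUNT(*) as a string on common drivers, so API clients will now see `"num_feeds": "3"` instead of `"num_feeds": 3` in the JSON. Restore the cast: `$config["num_feeds"] = (int) $row["cf"];`.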
@@ -420,28 +422,27 @@ class API extends Handler { } function getPref() { - $pref_name = $this->dbh->escape_string($_REQUEST["pref_name"]); + $pref_name = $_REQUEST["pref_name"]; $this->wrap(self::STATUS_OK, array("value" => get_pref($pref_name))); } function getLabels() { - //$article_ids = array_filter(explode(",", $this->dbh->escape_string($_REQUEST["article_ids"])), is_numeric); - $article_id = (int)$_REQUEST['article_id']; $rv = array(); - $result = $this->dbh->query("SELECT id, caption, fg_color, bg_color + $sth = $this->pdo->prepare("SELECT id, caption, fg_color, bg_color FROM ttrss_labels2 - WHERE owner_uid = '".$_SESSION['uid']."' ORDER BY caption"); + WHERE owner_uid = ? ORDER BY caption"); + $sth->execute([$_SESSION['uid']]); if ($article_id) $article_labels = Article::get_article_labels($article_id); else $article_labels = array(); - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $sth->fetch()) { $checked = false; foreach ($article_labels as $al) { @@ -464,12 +465,11 @@ class API extends Handler { function setArticleLabel() { - $article_ids = array_filter(explode(",", $this->dbh->escape_string($_REQUEST["article_ids"])), is_numeric); - $label_id = (int) $this->dbh->escape_string($_REQUEST['label_id']); + $article_ids = explode(",", $_REQUEST["article_ids"]); + $label_id = (int) $_REQUEST['label_id']; $assign = sql_bool_to_bool($_REQUEST['assign']); - $label = $this->dbh->escape_string(Labels::find_caption( - Labels::feed_to_label_id($label_id), $_SESSION["uid"])); + $label = Labels::find_caption(Labels::feed_to_label_id($label_id), $_SESSION["uid"]); $num_updated = 0; 
@@ -506,9 +506,9 @@ class API extends Handler { } function shareToPublished() { - $title = $this->dbh->escape_string(strip_tags($_REQUEST["title"])); - $url = $this->dbh->escape_string(strip_tags($_REQUEST["url"])); - $content = $this->dbh->escape_string(strip_tags($_REQUEST["content"])); + $title = strip_tags($_REQUEST["title"]); + $url = strip_tags($_REQUEST["url"]); + $content = strip_tags($_REQUEST["content"]); if (Article::create_published_article($title, $url, $content, "", $_SESSION["uid"])) { $this->wrap(self::STATUS_OK, array("status" => 'OK')); @@ -521,6 +521,12 @@ class API extends Handler { $feeds = array(); + $pdo = Db::pdo(); + + $limit = (int) $limit; + $offset = (int) $offset; + $cat_id = (int) $cat_id; + /* Labels */ if ($cat_id == -4 || $cat_id == -2) { @@ -568,12 +574,13 @@ class API extends Handler { /* Child cats */ if ($include_nested && $cat_id) { - $result = db_query("SELECT + $sth = $pdo->prepare("SELECT id, title, order_id FROM ttrss_feed_categories - WHERE parent_cat = '$cat_id' AND owner_uid = " . $_SESSION["uid"] . - " ORDER BY id, title"); + WHERE parent_cat = ? AND owner_uid = ? ORDER BY id, title"); + + $sth->execute([$cat_id, $_SESSION['uid']]); - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { $unread = getFeedUnread($line["id"], true) + Feeds::getCategoryChildrenUnread($line["id"]); 
@@ -599,27 +606,26 @@ class API extends Handler { } if ($cat_id == -4 || $cat_id == -3) { - $result = db_query("SELECT + $sth = $pdo->prepare("SELECT id, feed_url, cat_id, title, order_id, ". SUBSTRING_FOR_DATE."(last_updated,1,19) AS last_updated - FROM ttrss_feeds WHERE owner_uid = " . $_SESSION["uid"] . - " ORDER BY cat_id, title " . $limit_qpart); - } else { + FROM ttrss_feeds WHERE owner_uid = ? + ORDER BY cat_id, title " . $limit_qpart); + $sth->execute([$_SESSION['uid']]); - if ($cat_id) - $cat_qpart = "cat_id = '$cat_id'"; - else - $cat_qpart = "cat_id IS NULL"; + } else { - $result = db_query("SELECT + $sth = $pdo->prepare("SELECT id, feed_url, cat_id, title, order_id, ". SUBSTRING_FOR_DATE."(last_updated,1,19) AS last_updated FROM ttrss_feeds WHERE - $cat_qpart AND owner_uid = " . $_SESSION["uid"] . - " ORDER BY cat_id, title " . $limit_qpart); + (cat_id = :cat OR (:cat = 0 AND cat_id IS NULL)) + AND owner_uid = :uid + ORDER BY cat_id, title " . $limit_qpart); + $sth->execute([":uid" => $_SESSION['uid'], ":cat" => $cat_id]); } - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { $unread = getFeedUnread($line["id"]); 
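Review bot: the `:cat` placeholder is used twice in `(cat_id = :cat OR (:cat = 0 AND cat_id IS NULL))`, and PDO only allows a named parameter to appear once per statement unless prepare emulation is on; with native prepares the execute fails with an invalid-parameter-number error. Since `$cat_id` is already int-cast in api_get_feeds, bind it under two names: `(cat_id = :cat OR (:cat_zero = 0 AND cat_id IS NULL))` and `$sth->execute([":uid" => $_SESSION['uid'], ":cat" => $cat_id, ":cat_zero" => $cat_id]);`. Whether Db::pdo() enables PDO::ATTR_EMULATE_PREPARES is not visible here, so this may only surface on one of the supported drivers.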
@@ -654,22 +660,26 @@ class API extends Handler { $search = "", $include_nested = false, $sanitize_content = true, $force_update = false, $excerpt_length = 100, $check_first_id = false, $skip_first_id_check = false) { + $pdo = Db::pdo(); + if ($force_update && $feed_id > 0 && is_numeric($feed_id)) { // Update the feed if required with some basic flood control - $result = db_query( + $sth = $pdo->prepare( "SELECT cache_images,".SUBSTRING_FOR_DATE."(last_updated,1,19) AS last_updated - FROM ttrss_feeds WHERE id = '$feed_id'"); + FROM ttrss_feeds WHERE id = ?"); + $sth->execute([$feed_id]); - if (db_num_rows($result) != 0) { - $last_updated = strtotime(db_fetch_result($result, 0, "last_updated")); - $cache_images = sql_bool_to_bool(db_fetch_result($result, 0, "cache_images")); + if ($row = $sth->fetch()) { + $last_updated = strtotime($row["last_updated"]); + $cache_images = sql_bool_to_bool($row["cache_images"]); if (!$cache_images && time() - $last_updated > 120) { RSSUtils::update_rss_feed($feed_id, true); } else { - db_query("UPDATE ttrss_feeds SET last_updated = '1970-01-01', last_update_started = '1970-01-01' - WHERE id = '$feed_id'"); + $sth = $pdo->prepare("UPDATE ttrss_feeds SET last_updated = '1970-01-01', last_update_started = '1970-01-01' + WHERE id = ?"); + $sth->execute([$feed_id]); } } } @@ -702,7 +712,7 @@ class API extends Handler { 'is_cat' => $is_cat); if (!is_numeric($result)) { - while ($line = db_fetch_assoc($result)) { + while ($line = $result->fetch()) { $line["content_preview"] = truncate_string(strip_tags($line["content"]), $excerpt_length); foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_QUERY_HEADLINES) as $p) { $line = $p->hook_query_headlines($line, $excerpt_length, true); 
@@ -795,12 +805,13 @@ class API extends Handler { } function unsubscribeFeed() { - $feed_id = (int) $this->dbh->escape_string($_REQUEST["feed_id"]); + $feed_id = (int) $_REQUEST["feed_id"]; - $result = $this->dbh->query("SELECT id FROM ttrss_feeds WHERE - id = '$feed_id' AND owner_uid = ".$_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE + id = ? AND owner_uid = ?"); + $sth->execute([$feed_id, $_SESSION['uid']]); - if ($this->dbh->num_rows($result) != 0) { + if ($row = $sth->fetch()) { Pref_Feeds::remove_feed($feed_id, $_SESSION["uid"]); $this->wrap(self::STATUS_OK, array("status" => "OK")); } else { @@ -809,10 +820,10 @@ class API extends Handler { } function subscribeToFeed() { - $feed_url = $this->dbh->escape_string($_REQUEST["feed_url"]); - $category_id = (int) $this->dbh->escape_string($_REQUEST["category_id"]); - $login = $this->dbh->escape_string($_REQUEST["login"]); - $password = $this->dbh->escape_string($_REQUEST["password"]); + $feed_url = $_REQUEST["feed_url"]; + $category_id = (int) $_REQUEST["category_id"]; + $login = $_REQUEST["login"]; + $password = $_REQUEST["password"]; if ($feed_url) { $rc = Feeds::subscribe_to_feed($feed_url, $category_id, $login, $password); 
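Review bot: in unsubscribeFeed the new `if ($row = $sth->fetch())` assigns `$row` but never reads it; the row is only used as an existence check, so `if ($sth->fetch()) {` says the same thing without an unused variable. The assign-in-condition form is fine where the row is read afterwards (as in the login hunk), so this is a style point only.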
@@ -845,16 +856,20 @@ class API extends Handler { private function isCategoryEmpty($id) { if ($id == -2) { - $result = $this->dbh->query("SELECT COUNT(*) AS count FROM ttrss_labels2 - WHERE owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT COUNT(id) AS count FROM ttrss_labels2 + WHERE owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); + $row = $sth->fetch(); - return $this->dbh->fetch_result($result, 0, "count") == 0; + return $row["count"] == 0; } else if ($id == 0) { - $result = $this->dbh->query("SELECT COUNT(*) AS count FROM ttrss_feeds - WHERE cat_id IS NULL AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT COUNT(id) AS count FROM ttrss_feeds + WHERE cat_id IS NULL AND owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); + $row = $sth->fetch(); - return $this->dbh->fetch_result($result, 0, "count") == 0; + return $row["count"] == 0; } diff --git a/classes/article.php b/classes/article.php index 1d5f06e7..869e746c 100644 --- a/classes/article.php +++ b/classes/article.php @@ -8,14 +8,13 @@ class Article extends Handler_Protected { } function redirect() { - $id = $this->dbh->escape_string($_REQUEST['id']); - - $result = $this->dbh->query("SELECT link FROM ttrss_entries, ttrss_user_entries - WHERE id = '$id' AND id = ref_id AND owner_uid = '".$_SESSION['uid']."' + $sth = $this->pdo->prepare("SELECT link FROM ttrss_entries, ttrss_user_entries + WHERE id = ? AND id = ref_id AND owner_uid = ? LIMIT 1"); + $sth->execute([$id, $_SESSION['uid']]); - if ($this->dbh->num_rows($result) == 1) { - $article_url = $this->dbh->fetch_result($result, 0, 'link'); + if ($row = $sth->fetch()) { + $article_url = $row['link']; $article_url = str_replace("\n", "", $article_url); header("Location: $article_url"); 
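Review bot: Article::redirect() no longer assigns `$id` anywhere: the removed `$id = $this->dbh->escape_string($_REQUEST['id']);` was not replaced, yet `$sth->execute([$id, $_SESSION['uid']]);` binds it, so the SELECT runs with a null id, `fetch()` returns false and every redirect falls through to the else branch (plus an undefined-variable notice). Add `$id = $_REQUEST['id'];` as the first line of redirect(), matching how view() and getScore() pick up their id elsewhere in this diff. redirect() continues past the end of this hunk.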
@@ -27,9 +26,9 @@ class Article extends Handler_Protected { } function view() { - $id = $this->dbh->escape_string($_REQUEST["id"]); - $cids = explode(",", $this->dbh->escape_string($_REQUEST["cids"])); - $mode = $this->dbh->escape_string($_REQUEST["mode"]); + $id = $_REQUEST["id"]; + $cids = explode(",", $_REQUEST["cids"]); + $mode = $_REQUEST["mode"]; // in prefetch mode we only output requested cids, main article // just gets marked as read (it already exists in client cache) @@ -67,19 +66,21 @@ class Article extends Handler_Protected { private function catchupArticleById($id, $cmode) { if ($cmode == 0) { - $this->dbh->query("UPDATE ttrss_user_entries SET + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET unread = false,last_read = NOW() - WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]); + WHERE ref_id = ? AND owner_uid = ?"); } else if ($cmode == 1) { - $this->dbh->query("UPDATE ttrss_user_entries SET + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET unread = true - WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]); + WHERE ref_id = ? AND owner_uid = ?"); } else { - $this->dbh->query("UPDATE ttrss_user_entries SET + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET unread = NOT unread,last_read = NOW() - WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]); + WHERE ref_id = ? AND owner_uid = ?"); } + $sth->execute([$id, $_SESSION['uid']]); + $feed_id = $this->getArticleFeed($id); CCache::update($feed_id, $_SESSION["uid"]); } @@ -102,7 +103,7 @@ class Article extends Handler_Protected { if ($enable_share_anything) { $extracted_content = $af_readability->extract_content($url); - if ($extracted_content) $content = db_escape_string($extracted_content); + if ($extracted_content) $content = $extracted_content; } } } 
@@ -122,34 +123,42 @@ class Article extends Handler_Protected { if (filter_var($url, FILTER_VALIDATE_URL) === FALSE) return false; - db_query("BEGIN"); + $pdo = Db::pdo(); + + $pdo->beginTransaction(); // only check for our user data here, others might have shared this with different content etc - $result = db_query("SELECT id FROM ttrss_entries, ttrss_user_entries WHERE - guid = '$guid' AND ref_id = id AND owner_uid = '$owner_uid' LIMIT 1"); + $sth = $pdo->prepare("SELECT id FROM ttrss_entries, ttrss_user_entries WHERE + guid = ? AND ref_id = id AND owner_uid = ? LIMIT 1"); + $sth->execute([$guid, $owner_uid]); - if (db_num_rows($result) != 0) { - $ref_id = db_fetch_result($result, 0, "id"); + if ($row = $sth->fetch()) { + $ref_id = $row['id']; - $result = db_query("SELECT int_id FROM ttrss_user_entries WHERE - ref_id = '$ref_id' AND owner_uid = '$owner_uid' LIMIT 1"); + $sth = $pdo->prepare("SELECT int_id FROM ttrss_user_entries WHERE + ref_id = ? AND owner_uid = ? LIMIT 1"); + $sth->execute([$ref_id, $owner_uid]); - if (db_num_rows($result) != 0) { - $int_id = db_fetch_result($result, 0, "int_id"); + if ($row = $sth->fetch()) { + $int_id = $row['int_id']; - db_query("UPDATE ttrss_entries SET - content = '$content', content_hash = '$content_hash' WHERE id = '$ref_id'"); + $sth = $pdo->prepare("UPDATE ttrss_entries SET + content = ?, content_hash = ? WHERE id = ?"); + $sth->execute([$content, $content_hash, $ref_id]); - db_query("UPDATE ttrss_user_entries SET published = true, + $sth = $pdo->prepare("UPDATE ttrss_user_entries SET published = true, last_published = NOW() WHERE - int_id = '$int_id' AND owner_uid = '$owner_uid'"); + int_id = ? 
AND owner_uid = ?"); + $sth->execute([$int_id, $owner_uid]); + } else { - db_query("INSERT INTO ttrss_user_entries + $sth = $pdo->prepare("INSERT INTO ttrss_user_entries (ref_id, uuid, feed_id, orig_feed_id, owner_uid, published, tag_cache, label_cache, last_read, note, unread, last_published) VALUES - ('$ref_id', '', NULL, NULL, $owner_uid, true, '', '', NOW(), '', false, NOW())"); + (?, '', NULL, NULL, ?, true, '', '', NOW(), '', false, NOW())"); + $sth->execute([$ref_id, $owner_uid]); } if (count($labels) != 0) { @@ -161,21 +170,24 @@ class Article extends Handler_Protected { $rc = true; } else { - $result = db_query("INSERT INTO ttrss_entries + $sth = $pdo->prepare("INSERT INTO ttrss_entries (title, guid, link, updated, content, content_hash, date_entered, date_updated) VALUES - ('$title', '$guid', '$url', NOW(), '$content', '$content_hash', NOW(), NOW())"); + (?, ?, ?, NOW(), ?, ?, NOW(), NOW())"); + $sth->execute([$title, $guid, $url, $content, $content_hash]); - $result = db_query("SELECT id FROM ttrss_entries WHERE guid = '$guid'"); + $sth = $pdo->prepare("SELECT id FROM ttrss_entries WHERE guid = ?"); + $sth->execute([$guid]); - if (db_num_rows($result) != 0) { - $ref_id = db_fetch_result($result, 0, "id"); + if ($row = $sth->fetch()) { + $ref_id = $row["id"]; - db_query("INSERT INTO ttrss_user_entries + $sth = $pdo->prepare("INSERT INTO ttrss_user_entries (ref_id, uuid, feed_id, orig_feed_id, owner_uid, published, tag_cache, label_cache, last_read, note, unread, last_published) VALUES - ('$ref_id', '', NULL, NULL, $owner_uid, true, '', '', NOW(), '', false, NOW())"); + (?, '', NULL, NULL, ?, true, '', '', NOW(), '', false, NOW())"); + $sth->execute([$ref_id, $owner_uid]); if (count($labels) != 0) { foreach ($labels as $label) { @@ -187,7 +199,7 @@ class Article extends Handler_Protected { } } - db_query("COMMIT"); + $pdo->commit(); return $rc; } 
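Review bot: create_published_article opens a transaction with `$pdo->beginTransaction()` at the top of the function and closes it with `$pdo->commit()` at the bottom, but nothing in between can roll back: if any `execute()` throws — which it will if Db::pdo() sets PDO::ERRMODE_EXCEPTION, as the absence of return-value checks suggests — the exception propagates with the transaction still open on the shared connection, and later statements on that connection run inside it. Wrap the statements from the first SELECT through `$pdo->commit()` in `try { … } catch (\PDOException $e) { $pdo->rollBack(); throw $e; }`. If the error mode is not exceptions, the execute return values need checking instead, with the same rollBack on failure. Article::setArticleTags later in this diff has the same begin-without-rollback shape. create_published_article starts before the first of these hunks.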
@@ -196,9 +208,9 @@ class Article extends Handler_Protected { print __("Tags for this article (separated by commas):")."
"; - $param = $this->dbh->escape_string($_REQUEST['param']); + $param = $_REQUEST['param']; - $tags = Article::get_article_tags($this->dbh->escape_string($param)); + $tags = Article::get_article_tags($param); $tags_str = join(", ", $tags); @@ -227,11 +239,15 @@ class Article extends Handler_Protected { } function setScore() { - $ids = $this->dbh->escape_string($_REQUEST['id']); - $score = (int)$this->dbh->escape_string($_REQUEST['score']); + $ids = explode(",", $_REQUEST['id']); + $score = (int)$_REQUEST['score']; - $this->dbh->query("UPDATE ttrss_user_entries SET - score = '$score' WHERE ref_id IN ($ids) AND owner_uid = " . $_SESSION["uid"]); + $ids_qmarks = arr_qmarks($ids); + + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET + score = ? WHERE ref_id IN ($ids_qmarks) AND owner_uid = ?"); + + $sth->execute(array_merge([$score], $ids, [$_SESSION['uid']])); print json_encode(array("id" => $ids, "score" => (int)$score, @@ -239,10 +255,13 @@ class Article extends Handler_Protected { } function getScore() { - $id = $this->dbh->escape_string($_REQUEST['id']); + $id = $_REQUEST['id']; + + $sth = $this->pdo->prepare("SELECT score FROM ttrss_user_entries WHERE ref_id = ? AND owner_uid = ?"); + $sth->execute([$id, $_SESSION['uid']]); + $row = $sth->fetch(); - $result = $this->dbh->query("SELECT score FROM ttrss_user_entries WHERE ref_id = $id AND owner_uid = " . $_SESSION["uid"]); - $score = $this->dbh->fetch_result($result, 0, "score"); + $score = $row['score']; print json_encode(array("id" => $id, "score" => (int)$score, 
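Review bot: setScore now stores the exploded array in `$ids` and then echoes it back with `print json_encode(array("id" => $ids, ...`, so the response changes from `"id":"1,2,3"` to `"id":["1","2","3"]`; any client that treats the field as a string will break. Keep the wire format by echoing the original value, `"id" => $_REQUEST['id'],` (or `join(",", $ids)`), while still binding the array in the UPDATE. Whether the JS side depends on the string form is not visible here.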
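Review bot: in getScore `$score = $row['score'];` is evaluated even when `fetch()` returned false (no entry for this user), which raises a notice and yields null; the `(int)` cast below turns that into 0, so the caller cannot tell "score 0" from "no such article". A guard such as `$score = $row ? (int) $row['score'] : 0;` makes the fallback explicit, or the handler could return an error status instead. getScore continues past the end of this hunk.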
@@ -252,24 +271,26 @@ class Article extends Handler_Protected { function setArticleTags() { - $id = $this->dbh->escape_string($_REQUEST["id"]); + $id = $_REQUEST["id"]; - $tags_str = $this->dbh->escape_string($_REQUEST["tags_str"]); + $tags_str = $_REQUEST["tags_str"]; $tags = array_unique(trim_array(explode(",", $tags_str))); - $this->dbh->query("BEGIN"); + $this->pdo->beginTransaction(); - $result = $this->dbh->query("SELECT int_id FROM ttrss_user_entries WHERE - ref_id = '$id' AND owner_uid = '".$_SESSION["uid"]."' LIMIT 1"); + $sth = $this->pdo->prepare("SELECT int_id FROM ttrss_user_entries WHERE + ref_id = ? AND owner_uid = ? LIMIT 1"); + $sth->execute([$id, $_SESSION['uid']]); - if ($this->dbh->num_rows($result) == 1) { + if ($row = $sth->fetch()) { $tags_to_cache = array(); - $int_id = $this->dbh->fetch_result($result, 0, "int_id"); + $int_id = $row['int_id']; - $this->dbh->query("DELETE FROM ttrss_tags WHERE - post_int_id = $int_id AND owner_uid = '".$_SESSION["uid"]."'"); + $sth = $this->pdo->prepare("DELETE FROM ttrss_tags WHERE + post_int_id = ? AND owner_uid = ?"); + $sth->execute([$int_id, $_SESSION['uid']]); foreach ($tags as $tag) { $tag = sanitize_tag($tag); @@ -285,8 +306,11 @@ class Article extends Handler_Protected { // print ""; if ($tag != '') { - $this->dbh->query("INSERT INTO ttrss_tags - (post_int_id, owner_uid, tag_name) VALUES ('$int_id', '".$_SESSION["uid"]."', '$tag')"); + $sth = $this->pdo->prepare("INSERT INTO ttrss_tags + (post_int_id, owner_uid, tag_name) + VALUES (?, ?, ?)"); + + $sth->execute([$int_id, $_SESSION['uid'], $tag]); } array_push($tags_to_cache, $tag); 
@@ -297,12 +321,12 @@ class Article extends Handler_Protected { sort($tags_to_cache); $tags_str = join(",", $tags_to_cache); - $this->dbh->query("UPDATE ttrss_user_entries - SET tag_cache = '$tags_str' WHERE ref_id = '$id' - AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries + SET tag_cache = ? WHERE ref_id = ? AND owner_uid = ?"); + $sth->execute([$tags_str, $id, $_SESSION['uid']]); } - $this->dbh->query("COMMIT"); + $this->pdo->commit(); $tags = Article::get_article_tags($id); $tags_str = $this->format_tags_string($tags, $id); @@ -316,15 +340,17 @@ class Article extends Handler_Protected { function completeTags() { - $search = $this->dbh->escape_string($_REQUEST["search"]); + $search = $_REQUEST["search"]; - $result = $this->dbh->query("SELECT DISTINCT tag_name FROM ttrss_tags - WHERE owner_uid = '".$_SESSION["uid"]."' AND - tag_name LIKE '$search%' ORDER BY tag_name + $sth = $this->pdo->prepare("SELECT DISTINCT tag_name FROM ttrss_tags + WHERE owner_uid = ? AND + tag_name LIKE ? ORDER BY tag_name LIMIT 10"); + $sth->execute([$_SESSION['uid'], "$search%"]); + print ""; @@ -341,10 +367,10 @@ class Article extends Handler_Protected { private function labelops($assign) { $reply = array(); - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); - $label_id = $this->dbh->escape_string($_REQUEST["lid"]); + $ids = explode(",", $_REQUEST["ids"]); + $label_id = $_REQUEST["lid"]; - $label = $this->dbh->escape_string(Labels::find_caption($label_id, + $label = db_escape_string(Labels::find_caption($label_id, $_SESSION["uid"])); $reply["info-for-headlines"] = array(); 
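Review bot: in completeTags the search prefix is bound as `"$search%"`, but `%` and `_` inside `$search` are still LIKE wildcards, so a request containing `_` or `%` matches far more than a prefix and a leading `%` turns the query into a scan of all of the user's tags. Escape the user part before appending the wildcard: `$sth->execute([$_SESSION['uid'], addcslashes($search, '%_\\') . "%"]);` (backslash is the default LIKE escape on both MySQL and PostgreSQL). The query is scoped to `owner_uid = ?`, so this is a correctness and cost issue rather than a data-exposure one.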
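Review bot: labelops still wraps the caption in `db_escape_string(...)`, the legacy escaping helper this diff removes everywhere else, and the result is assigned to `$label`, whose consumers lie outside the hunk. If `$label` only goes into `$reply` (the JSON returned to the client), the escaping corrupts captions containing quotes or backslashes and the line should read `$label = Labels::find_caption($label_id, $_SESSION["uid"]);`; if it is still interpolated into SQL further down, that statement is the remaining one to convert to a bound parameter, since `db_escape_string` gives no guarantee of matching the PDO handle's quoting rules. labelops continues past the end of this hunk.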
@@ -372,11 +398,12 @@ class Article extends Handler_Protected { } function getArticleFeed($id) { - $result = db_query("SELECT feed_id FROM ttrss_user_entries - WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT feed_id FROM ttrss_user_entries + WHERE ref_id = ? AND owner_uid = ?"); + $sth->execute([$id, $_SESSION['uid']]); - if (db_num_rows($result) != 0) { - return db_fetch_result($result, 0, "feed_id"); + if ($row = $sth->fetch()) { + return $row["feed_id"]; } else { return 0; } @@ -530,24 +557,29 @@ class Article extends Handler_Protected { /* we can figure out feed_id from article id anyway, why do we * pass feed_id here? let's ignore the argument :(*/ - $result = db_query("SELECT feed_id FROM ttrss_user_entries - WHERE ref_id = '$id'"); + $pdo = Db::pdo(); + + $sth = $pdo->prepare("SELECT feed_id FROM ttrss_user_entries + WHERE ref_id = ?"); + $sth->execute([$id]); + $row = $sth->fetch(); - $feed_id = (int) db_fetch_result($result, 0, "feed_id"); + $feed_id = (int) $row["feed_id"]; $rv['feed_id'] = $feed_id; //if (!$zoom_mode) { print "
prepare("UPDATE ttrss_user_entries SET unread = false,last_read = NOW() - WHERE ref_id = '$id' AND owner_uid = $owner_uid"); + WHERE ref_id = ? AND owner_uid = ?"); + $sth->execute([$id, $owner_uid]); CCache::update($feed_id, $owner_uid); } - $result = db_query("SELECT id,title,link,content,feed_id,comments,int_id,lang, + $sth = $pdo->prepare("SELECT id,title,link,content,feed_id,comments,int_id,lang, ".SUBSTRING_FOR_DATE."(updated,1,16) as updated, (SELECT site_url FROM ttrss_feeds WHERE id = feed_id) as site_url, (SELECT title FROM ttrss_feeds WHERE id = feed_id) as feed_title, @@ -560,11 +592,10 @@ class Article extends Handler_Protected { orig_feed_id, note FROM ttrss_entries,ttrss_user_entries - WHERE id = '$id' AND ref_id = id AND owner_uid = $owner_uid"); + WHERE id = ? AND ref_id = id AND owner_uid = ?"); + $sth->execute([$id, $owner_uid]); - if ($result) { - - $line = db_fetch_assoc($result); + if ($line = $sth->fetch()) { $line["tags"] = Article::get_article_tags($id, $owner_uid, $line["tag_cache"]); unset($line["tag_cache"]); @@ -683,18 +714,17 @@ class Article extends Handler_Protected { if ($line["orig_feed_id"]) { - $tmp_result = db_query("SELECT * FROM ttrss_archived_feeds - WHERE id = ".$line["orig_feed_id"] . " AND owner_uid = " . $_SESSION["uid"]); + $of_sth = $pdo->prepare("SELECT * FROM ttrss_archived_feeds + WHERE id = ? AND owner_uid = ?"); + $of_sth->execute([$line["orig_feed_id"], $owner_uid]); - if (db_num_rows($tmp_result) != 0) { + if ($tmp_line = $of_sth->fetch()) { $rv['content'] .= "
"; $rv['content'] .= __("Originally from:"); $rv['content'] .= " "; - $tmp_line = db_fetch_assoc($tmp_result); - $rv['content'] .= "" . $tmp_line['title'] . ""; @@ -753,25 +783,27 @@ class Article extends Handler_Protected { static function get_article_tags($id, $owner_uid = 0, $tag_cache = false) { - $a_id = db_escape_string($id); + $a_id = $id; if (!$owner_uid) $owner_uid = $_SESSION["uid"]; - $query = "SELECT DISTINCT tag_name, - owner_uid as owner FROM - ttrss_tags WHERE post_int_id = (SELECT int_id FROM ttrss_user_entries WHERE - ref_id = '$a_id' AND owner_uid = '$owner_uid' LIMIT 1) ORDER BY tag_name"; + $pdo = Db::pdo(); + + $sth = $pdo->prepare("SELECT DISTINCT tag_name, + owner_uid as owner FROM ttrss_tags + WHERE post_int_id = (SELECT int_id FROM ttrss_user_entries WHERE + ref_id = ? AND owner_uid = ? LIMIT 1) ORDER BY tag_name"); $tags = array(); /* check cache first */ if ($tag_cache === false) { - $result = db_query("SELECT tag_cache FROM ttrss_user_entries - WHERE ref_id = '$id' AND owner_uid = $owner_uid"); + $csth = $pdo->prepare("SELECT tag_cache FROM ttrss_user_entries + WHERE ref_id = ? AND owner_uid = ?"); + $csth->execute([$id, $owner_uid]); - if (db_num_rows($result) != 0) - $tag_cache = db_fetch_result($result, 0, "tag_cache"); + if ($row = $csth->fetch()) $tag_cache = $row["tag_cache"]; } if ($tag_cache) { 
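Review bot: get_article_tags now prepares the DISTINCT tag_name statement unconditionally, before the `/* check cache first */` branch, so every cache hit pays a prepare round-trip for a statement it never executes; the removed code only built a string there. Move the `$sth = $pdo->prepare(...)` next to its `$sth->execute([$a_id, $owner_uid])` in the `/* do it the hard way */` branch of the following hunk. `$a_id = $id;` is now a plain alias with no escaping and could be dropped in favour of `$id`. get_article_tags continues past the end of this hunk.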
@@ -780,19 +812,20 @@ class Article extends Handler_Protected { /* do it the hard way */ - $tmp_result = db_query($query); + $sth->execute([$a_id, $owner_uid]); - while ($tmp_line = db_fetch_assoc($tmp_result)) { + while ($tmp_line = $sth->fetch()) { array_push($tags, $tmp_line["tag_name"]); } /* update the cache */ - $tags_str = db_escape_string(join(",", $tags)); + $tags_str = join(",", $tags); - db_query("UPDATE ttrss_user_entries - SET tag_cache = '$tags_str' WHERE ref_id = '$id' - AND owner_uid = $owner_uid"); + $sth = $pdo->prepare("UPDATE ttrss_user_entries + SET tag_cache = ? WHERE ref_id = ? + AND owner_uid = ?"); + $sth->execute([$tags_str, $id, $owner_uid]); } return $tags; @@ -845,22 +878,21 @@ class Article extends Handler_Protected { static function get_article_enclosures($id) { - $query = "SELECT * FROM ttrss_enclosures - WHERE post_id = '$id' AND content_url != ''"; + $pdo = Db::pdo(); - $rv = array(); - - $result = db_query($query); + $sth = $pdo->prepare("SELECT * FROM ttrss_enclosures + WHERE post_id = ? AND content_url != ''"); + $sth->execute([$id]); - if (db_num_rows($result) > 0) { - while ($line = db_fetch_assoc($result)) { + $rv = array(); - if (file_exists(CACHE_DIR . '/images/' . sha1($line["content_url"]))) { - $line["content_url"] = get_self_url_prefix() . '/public.php?op=cached_url&hash=' . sha1($line["content_url"]); - } + while ($line = $sth->fetch()) { - array_push($rv, $line); + if (file_exists(CACHE_DIR . '/images/' . sha1($line["content_url"]))) { + $line["content_url"] = get_self_url_prefix() . '/public.php?op=cached_url&hash=' . sha1($line["content_url"]); } + + array_push($rv, $line); } return $rv; 
@@ -869,11 +901,13 @@ class Article extends Handler_Protected { static function purge_orphans($do_output = false) { // purge orphaned posts in main content table - $result = db_query("DELETE FROM ttrss_entries WHERE + + $pdo = Db::pdo(); + $res = $pdo->query("DELETE FROM ttrss_entries WHERE NOT EXISTS (SELECT ref_id FROM ttrss_user_entries WHERE ref_id = id)"); if ($do_output) { - $rows = db_affected_rows($result); + $rows = $res->rowCount(); _debug("Purged $rows orphaned posts."); } } 
@@ -881,46 +915,47 @@ class Article extends Handler_Protected { static function catchupArticlesById($ids, $cmode, $owner_uid = false) { if (!$owner_uid) $owner_uid = $_SESSION["uid"]; - if (count($ids) == 0) return; - $tmp_ids = array(); + $pdo = Db::pdo(); - foreach ($ids as $id) { - array_push($tmp_ids, "ref_id = '$id'"); - } - - $ids_qpart = join(" OR ", $tmp_ids); + $ids_qmarks = arr_qmarks($ids); if ($cmode == 0) { - db_query("UPDATE ttrss_user_entries SET + $sth = $pdo->prepare("UPDATE ttrss_user_entries SET unread = false,last_read = NOW() - WHERE ($ids_qpart) AND owner_uid = $owner_uid"); + WHERE ref_id IN ($ids_qmarks) AND owner_uid = ?"); } else if ($cmode == 1) { - db_query("UPDATE ttrss_user_entries SET + $sth = $pdo->prepare("UPDATE ttrss_user_entries SET unread = true - WHERE ($ids_qpart) AND owner_uid = $owner_uid"); + WHERE ref_id IN ($ids_qmarks) AND owner_uid = ?"); } else { - db_query("UPDATE ttrss_user_entries SET - unread = NOT unread,last_read = NOW() - WHERE ($ids_qpart) AND owner_uid = $owner_uid"); + $sth = $pdo->prepare("UPDATE ttrss_user_entries SET + unread = NOT unread,last_read = NOW() + WHERE ref_id IN ($ids_qmarks) AND owner_uid = ?"); } + $sth->execute(array_merge($ids, [$owner_uid])); + /* update ccache */ - $result = db_query("SELECT DISTINCT feed_id FROM ttrss_user_entries - WHERE ($ids_qpart) AND owner_uid = $owner_uid"); + $sth = $pdo->prepare("SELECT DISTINCT feed_id FROM ttrss_user_entries + WHERE ref_id IN ($ids_qmarks) AND owner_uid = ?"); + $sth->execute(array_merge($ids, [$owner_uid])); - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { CCache::update($line["feed_id"], $owner_uid); } } static function getLastArticleId() { - $result = db_query("SELECT ref_id AS id FROM ttrss_user_entries - WHERE owner_uid = " . $_SESSION["uid"] . " ORDER BY ref_id DESC LIMIT 1"); + $pdo = DB::pdo(); + + $sth = $pdo->prepare("SELECT ref_id AS id FROM ttrss_user_entries + WHERE owner_uid = ? 
ORDER BY ref_id DESC LIMIT 1"); + $sth->execute([$_SESSION['uid']]); - if (db_num_rows($result) == 1) { - return db_fetch_result($result, 0, "id"); + if ($row = $sth->fetch()) { + return $row['id']; } else { return -1; } @@ -931,32 +966,34 @@ class Article extends Handler_Protected { if (!$owner_uid) $owner_uid = $_SESSION["uid"]; - $result = db_query("SELECT label_cache FROM - ttrss_user_entries WHERE ref_id = '$id' AND owner_uid = " . - $owner_uid); + $pdo = Db::pdo(); + + $sth = $pdo->prepare("SELECT label_cache FROM + ttrss_user_entries WHERE ref_id = ? AND owner_uid = ?"); + $sth->execute([$id, $owner_uid]); - if (db_num_rows($result) > 0) { - $label_cache = db_fetch_result($result, 0, "label_cache"); + if ($row = $sth->fetch()) { + $label_cache = $row["label_cache"]; if ($label_cache) { - $label_cache = json_decode($label_cache, true); + $tmp = json_decode($label_cache, true); - if ($label_cache["no-labels"] == 1) + if (!$tmp || $tmp["no-labels"] == 1) return $rv; else - return $label_cache; + return $tmp; } } - $result = db_query( - "SELECT DISTINCT label_id,caption,fg_color,bg_color + $sth = $pdo->prepare("SELECT DISTINCT label_id,caption,fg_color,bg_color FROM ttrss_labels2, ttrss_user_labels2 WHERE id = label_id - AND article_id = '$id' - AND owner_uid = ". $owner_uid . " + AND article_id = ? + AND owner_uid = ? ORDER BY caption"); + $sth->execute([$id, $owner_uid]); - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { $rk = array(Labels::label_to_feed_id($line["label_id"]), $line["caption"], $line["fg_color"], $line["bg_color"]); diff --git a/classes/auth/base.php b/classes/auth/base.php index 30443121..652b66e6 100644 --- a/classes/auth/base.php +++ b/classes/auth/base.php @@ -1,9 +1,11 @@ dbh = Db::get(); + $this->pdo = Db::pdo(); } /** 
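Review bot: Dropping `if (count($ids) == 0) return;` from catchupArticlesById means an empty `$ids` now reaches the three UPDATEs and the ccache SELECT as `ref_id IN ()`, which neither supported database accepts — assuming `arr_qmarks()` (not visible here) yields an empty string for an empty array. Keep the guard ahead of the placeholder build: `if (count($ids) == 0) return;` followed by `$ids_qmarks = arr_qmarks($ids);`. Separately, getLastArticleId calls `DB::pdo()` while the rest of this file uses `Db::pdo()`; PHP resolves both, but one spelling is easier to grep. getLastArticleId's closing brace lies outside the hunk.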
@@ -29,15 +31,13 @@ class Auth_Base { if (!$password) $password = make_password(); if (!$user_id) { - $login = $this->dbh->escape_string($login); $salt = substr(bin2hex(get_random_bytes(125)), 0, 250); $pwd_hash = encrypt_password($password, $salt, true); - $query = "INSERT INTO ttrss_users + $sth = $this->pdo->prepare("INSERT INTO ttrss_users (login,access_level,last_login,created,pwd_hash,salt) - VALUES ('$login', 0, null, NOW(), '$pwd_hash','$salt')"; - - $this->dbh->query($query); + VALUES (?, 0, null, NOW(), ?,?)"); + $sth->execute([$login, $pwd_hash, $salt]); return $this->find_user_by_login($login); @@ -50,13 +50,12 @@ class Auth_Base { } function find_user_by_login($login) { - $login = $this->dbh->escape_string($login); - - $result = $this->dbh->query("SELECT id FROM ttrss_users WHERE - login = '$login'"); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE + login = ?"); + $sth->execute([$login]); - if ($this->dbh->num_rows($result) > 0) { - return $this->dbh->fetch_result($result, 0, "id"); + if ($row = $sth->fetch()) { + return $row["id"]; } else { return false; } diff --git a/classes/ccache.php b/classes/ccache.php index 4efb96d9..88e28e9e 100644 --- a/classes/ccache.php +++ b/classes/ccache.php @@ -1,17 +1,15 @@ prepare("UPDATE ttrss_counters_cache SET + value = 0 WHERE owner_uid = ?"); + $sth->execute([$owner_uid]); - db_query("UPDATE ttrss_cat_counters_cache SET - value = 0 WHERE owner_uid = '$owner_uid'"); + $sth = $pdo->prepare("UPDATE ttrss_cat_counters_cache SET + value = 0 WHERE owner_uid = ?"); + $sth->execute([$owner_uid]); } static function remove($feed_id, $owner_uid, $is_cat = false) { 
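Review bot: In auto_create_user the removed `escape_string()` call also applied `strip_tags()` by default (see the deleted Db_PDO::escape_string signature further down this diff; whether the mysqli adapter did the same is not visible here), so a login containing markup is now stored verbatim. Parameter binding makes the INSERT itself safe, but every place that echoes a login into HTML must escape it; if the tag-stripping was being relied on, keep it explicit the way Db_Prefs::write does in this same commit: `$login = strip_tags($login);` before the prepare. The function's signature is above the hunk.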
@@ -22,19 +20,25 @@ class CCache { $table = "ttrss_cat_counters_cache"; } - db_query("DELETE FROM $table WHERE - feed_id = '$feed_id' AND owner_uid = '$owner_uid'"); + $pdo = Db::pdo(); + + $sth = $pdo->prepare("DELETE FROM $table WHERE + feed_id = ? AND owner_uid = ?"); + $sth->execute([$feed_id, $owner_uid]); } static function update_all($owner_uid) { + $pdo = Db::pdo(); + if (get_pref('ENABLE_FEED_CATS', $owner_uid)) { - $result = db_query("SELECT feed_id FROM ttrss_cat_counters_cache - WHERE feed_id > 0 AND owner_uid = '$owner_uid'"); + $sth = $pdo->prepare("SELECT feed_id FROM ttrss_cat_counters_cache + WHERE feed_id > 0 AND owner_uid = ?"); + $sth->execute([$owner_uid]); - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { CCache::update($line["feed_id"], $owner_uid, true); } @@ -43,10 +47,11 @@ class CCache { CCache::update(0, $owner_uid, true); } else { - $result = db_query("SELECT feed_id FROM ttrss_counters_cache - WHERE feed_id > 0 AND owner_uid = '$owner_uid'"); + $sth = $pdo->prepare("SELECT feed_id FROM ttrss_counters_cache + WHERE feed_id > 0 AND owner_uid = ?"); + $sth->execute([$owner_uid]); - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { print CCache::update($line["feed_id"], $owner_uid); } 
@@ -61,27 +66,20 @@ class CCache { if (!$is_cat) { $table = "ttrss_counters_cache"; - /* if ($feed_id > 0) { - $tmp_result = db_query("SELECT owner_uid FROM ttrss_feeds - WHERE id = '$feed_id'"); - $owner_uid = db_fetch_result($tmp_result, 0, "owner_uid"); - } */ } else { $table = "ttrss_cat_counters_cache"; } - if (DB_TYPE == "pgsql") { - $date_qpart = "updated > NOW() - INTERVAL '15 minutes'"; - } else if (DB_TYPE == "mysql") { - $date_qpart = "updated > DATE_SUB(NOW(), INTERVAL 15 MINUTE)"; - } + $pdo = Db::pdo(); - $result = db_query("SELECT value FROM $table - WHERE owner_uid = '$owner_uid' AND feed_id = '$feed_id' + $sth = $pdo->prepare("SELECT value FROM $table + WHERE owner_uid = ? AND feed_id = ? LIMIT 1"); - if (db_num_rows($result) == 1) { - return db_fetch_result($result, 0, "value"); + $sth->execute([$owner_uid, $feed_id]); + + if ($row = $sth->fetch()) { + return $row["value"]; } else { if ($no_update) { return -1; @@ -97,12 +95,6 @@ class CCache { if (!is_numeric($feed_id)) return; - /* if (!$is_cat && $feed_id > 0) { - $tmp_result = db_query("SELECT owner_uid FROM ttrss_feeds - WHERE id = '$feed_id'"); - $owner_uid = db_fetch_result($tmp_result, 0, "owner_uid"); - } */ - $prev_unread = CCache::find($feed_id, $owner_uid, $is_cat, true); /* When updating a label, all we need to do is recalculate feed counters 
@@ -119,54 +111,66 @@ class CCache { $table = "ttrss_cat_counters_cache"; } - if ($is_cat && $feed_id >= 0) { - if ($feed_id != 0) { - $cat_qpart = "cat_id = '$feed_id'"; - } else { - $cat_qpart = "cat_id IS NULL"; - } + $pdo = Db::pdo(); + if ($is_cat && $feed_id >= 0) { /* Recalculate counters for child feeds */ if (!$pcat_fast) { - $result = db_query("SELECT id FROM ttrss_feeds - WHERE owner_uid = '$owner_uid' AND $cat_qpart"); + $sth = $pdo->prepare("SELECT id FROM ttrss_feeds + WHERE owner_uid = :uid AND + (cat_id = :cat OR (:cat = 0 AND cat_id IS NULL))"); + $sth->execute([":uid" => $owner_uid, ":cat" => $feed_id]); - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { CCache::update($line["id"], $owner_uid, false, false); } } - $result = db_query("SELECT SUM(value) AS sv + $sth = $pdo->prepare("SELECT SUM(value) AS sv FROM ttrss_counters_cache, ttrss_feeds - WHERE id = feed_id AND $cat_qpart AND - ttrss_counters_cache.owner_uid = $owner_uid AND - ttrss_feeds.owner_uid = '$owner_uid'"); + WHERE id = feed_id AND + (cat_id = :cat OR (:cat = 0 AND cat_id IS NULL)) AND + ttrss_counters_cache.owner_uid = :uid AND + ttrss_feeds.owner_uid = :uid"); + $sth->execute([":uid" => $owner_uid, ":cat" => $feed_id]); + $row = $sth->fetch(); - $unread = (int) db_fetch_result($result, 0, "sv"); + $unread = (int) $row["sv"]; } else { $unread = (int) Feeds::getFeedArticles($feed_id, $is_cat, true, $owner_uid); } - db_query("BEGIN"); + $tr_in_progress = false; + + try { + $pdo->beginTransaction(); + } catch (Exception $e) { + $tr_in_progress = true; + } + + $sth = $pdo->prepare("SELECT feed_id FROM $table + WHERE owner_uid = ? AND feed_id = ? LIMIT 1"); + $sth->execute([$owner_uid, $feed_id]); + + if ($sth->fetch()) { - $result = db_query("SELECT feed_id FROM $table - WHERE owner_uid = '$owner_uid' AND feed_id = '$feed_id' LIMIT 1"); + $sth = $pdo->prepare("UPDATE $table SET + value = ?, updated = NOW() WHERE + feed_id = ? 
AND owner_uid = ?"); - if (db_num_rows($result) == 1) { - db_query("UPDATE $table SET - value = '$unread', updated = NOW() WHERE - feed_id = '$feed_id' AND owner_uid = '$owner_uid'"); + $sth->execute([$unread, $feed_id, $owner_uid]); } else { - db_query("INSERT INTO $table + $sth = $pdo->prepare("INSERT INTO $table (feed_id, value, owner_uid, updated) VALUES - ($feed_id, $unread, $owner_uid, NOW())"); + (?, ?, ?, NOW())"); + $sth->execute([$feed_id, $unread, $owner_uid]); } - db_query("COMMIT"); + if (!$tr_in_progress) $pdo->commit(); if ($feed_id > 0 && $prev_unread != $unread) { @@ -176,13 +180,13 @@ class CCache { if ($update_pcat) { - $result = db_query("SELECT cat_id FROM ttrss_feeds - WHERE owner_uid = '$owner_uid' AND id = '$feed_id'"); - - $cat_id = (int) db_fetch_result($result, 0, "cat_id"); - - CCache::update($cat_id, $owner_uid, true, true, true); + $sth = $pdo->prepare("SELECT cat_id FROM ttrss_feeds + WHERE owner_uid = ? AND id = ?"); + $sth->execute([$owner_uid, $feed_id]); + if ($row = $sth->fetch()) { + CCache::update($row["cat_id"], $owner_uid, true, true, true); + } } } } else if ($feed_id < 0) { 
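Review bot: The transaction in CCache::update has no rollback path: if the prepare/execute between `$pdo->beginTransaction()` and `$pdo->commit()` fails (under the ERRMODE_WARNING the connection is configured with, `prepare()` returns false and the chained `execute()` is a fatal call on false), the transaction stays open on the shared PDO handle. Catching a bare `Exception` to detect an already-active transaction is also broader than needed; `PDO::inTransaction()` answers that directly — `$tr_in_progress = $pdo->inTransaction(); if (!$tr_in_progress) $pdo->beginTransaction();` — and the same `if (!$tr_in_progress)` guard should precede a `rollBack()` on the failure path. The two SELECTs reuse the named placeholders `:cat` and `:uid` within one statement; the PHP manual cautions that this is not portable when prepared-statement emulation is off, so it is worth confirming on the pgsql path, and the same pattern appears in the Counters labels hunk and the Db_Prefs hunks further down. The enclosing function starts and ends outside this hunk.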
@@ -192,37 +196,4 @@ class CCache { return $unread; } - /* function ccache_cleanup($owner_uid) { - - if (DB_TYPE == "pgsql") { - db_query("DELETE FROM ttrss_counters_cache AS c1 WHERE - (SELECT count(*) FROM ttrss_counters_cache AS c2 - WHERE c1.feed_id = c2.feed_id AND c2.owner_uid = c1.owner_uid) > 1 - AND owner_uid = '$owner_uid'"); - - db_query("DELETE FROM ttrss_cat_counters_cache AS c1 WHERE - (SELECT count(*) FROM ttrss_cat_counters_cache AS c2 - WHERE c1.feed_id = c2.feed_id AND c2.owner_uid = c1.owner_uid) > 1 - AND owner_uid = '$owner_uid'"); - } else { - db_query("DELETE c1 FROM - ttrss_counters_cache AS c1, - ttrss_counters_cache AS c2 - WHERE - c1.owner_uid = '$owner_uid' AND - c1.owner_uid = c2.owner_uid AND - c1.feed_id = c2.feed_id"); - - db_query("DELETE c1 FROM - ttrss_cat_counters_cache AS c1, - ttrss_cat_counters_cache AS c2 - WHERE - c1.owner_uid = '$owner_uid' AND - c1.owner_uid = c2.owner_uid AND - c1.feed_id = c2.feed_id"); - - } - } */ - - } \ No newline at end of file diff --git a/classes/counters.php b/classes/counters.php index c608acf7..54e4041f 100644 --- a/classes/counters.php +++ b/classes/counters.php @@ -22,15 +22,18 @@ class Counters { array_push($ret_arr, $cv); - $result = db_query("SELECT id AS cat_id, value AS unread, + $pdo = DB::pdo(); + + $sth = $pdo->prepare("SELECT id AS cat_id, value AS unread, (SELECT COUNT(id) FROM ttrss_feed_categories AS c2 WHERE c2.parent_cat = ttrss_feed_categories.id) AS num_children FROM ttrss_feed_categories, ttrss_cat_counters_cache WHERE ttrss_cat_counters_cache.feed_id = id AND ttrss_cat_counters_cache.owner_uid = ttrss_feed_categories.owner_uid AND - ttrss_feed_categories.owner_uid = " . $_SESSION["uid"]); + ttrss_feed_categories.owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { $line["cat_id"] = (int) $line["cat_id"]; if ($line["num_children"] > 0) { 
@@ -67,10 +70,14 @@ class Counters { array_push($ret_arr, $cv); - $result = db_query("SELECT COUNT(id) AS fn FROM - ttrss_feeds WHERE owner_uid = " . $_SESSION["uid"]); + $pdo = Db::pdo(); + + $sth = $pdo->prepare("SELECT COUNT(id) AS fn FROM + ttrss_feeds WHERE owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); + $row = $sth->fetch(); - $subscribed_feeds = db_fetch_result($result, 0, "fn"); + $subscribed_feeds = $row["fn"]; $cv = array("id" => "subscribed-feeds", "counter" => (int) $subscribed_feeds); @@ -124,17 +131,18 @@ class Counters { $ret_arr = array(); - $owner_uid = $_SESSION["uid"]; + $pdo = Db::pdo(); - $result = db_query("SELECT id,caption,SUM(CASE WHEN u1.unread = true THEN 1 ELSE 0 END) AS unread, COUNT(u1.unread) AS total + $sth = $pdo->prepare("SELECT id,caption,SUM(CASE WHEN u1.unread = true THEN 1 ELSE 0 END) AS unread, COUNT(u1.unread) AS total FROM ttrss_labels2 LEFT JOIN ttrss_user_labels2 ON (ttrss_labels2.id = label_id) LEFT JOIN ttrss_user_entries AS u1 ON u1.ref_id = article_id - WHERE ttrss_labels2.owner_uid = $owner_uid AND u1.owner_uid = $owner_uid + WHERE ttrss_labels2.owner_uid = :uid AND u1.owner_uid = :uid GROUP BY ttrss_labels2.id, ttrss_labels2.caption"); + $sth->execute([":uid" => $_SESSION['uid']]); - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { $id = Labels::label_to_feed_id($line["id"]); 
@@ -155,18 +163,19 @@ class Counters { $ret_arr = array(); - $query = "SELECT ttrss_feeds.id, + $pdo = Db::pdo(); + + $sth = $pdo->prepare("SELECT ttrss_feeds.id, ttrss_feeds.title, ".SUBSTRING_FOR_DATE."(ttrss_feeds.last_updated,1,19) AS last_updated, last_error, value AS count FROM ttrss_feeds, ttrss_counters_cache - WHERE ttrss_feeds.owner_uid = ".$_SESSION["uid"]." + WHERE ttrss_feeds.owner_uid = ? AND ttrss_counters_cache.owner_uid = ttrss_feeds.owner_uid - AND ttrss_counters_cache.feed_id = id"; - - $result = db_query($query); + AND ttrss_counters_cache.feed_id = id"); + $sth->execute([$_SESSION['uid']]); - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { $id = $line["id"]; $count = $line["count"]; diff --git a/classes/db.php b/classes/db.php index 3b71f3c8..aba249a5 100644 --- a/classes/db.php +++ b/classes/db.php @@ -3,15 +3,13 @@ class Db implements IDb { private static $instance; private $adapter; private $link; + private $pdo; private function __construct() { $er = error_reporting(E_ALL); - if (defined('_ENABLE_PDO') && _ENABLE_PDO && class_exists("PDO")) { - $this->adapter = new Db_PDO(); - } else { - switch (DB_TYPE) { + switch (DB_TYPE) { case "mysql": $this->adapter = new Db_Mysqli(); break; @@ -20,7 +18,6 @@ class Db implements IDb { break; default: die("Unknown DB_TYPE: " . DB_TYPE); - } } if (!$this->adapter) { 
@@ -28,6 +25,34 @@ class Db implements IDb { exit(100); } + $db_port = defined(DB_PORT) ? ';port='.DB_PORT : ''; + + $this->pdo = new PDO(DB_TYPE . ':dbname='.DB_NAME.';host='.DB_HOST.$db_port, + DB_USER, + DB_PASS); + + $this->pdo->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING ); + + if (!$this->pdo) { + print("Error connecting via PDO."); + exit(101); + } + + if (DB_TYPE == "pgsql") { + + $this->pdo->query("set client_encoding = 'UTF-8'"); + $this->pdo->query("set datestyle = 'ISO, european'"); + $this->pdo->query("set TIME ZONE 0"); + $this->pdo->query("set cpu_tuple_cost = 0.5"); + + } else if (DB_TYPE == "mysql") { + $this->pdo->query("SET time_zone = '+0:0'"); + + if (defined('MYSQL_CHARSET') && MYSQL_CHARSET) { + $this->pdo->query("SET NAMES " . MYSQL_CHARSET); + } + } + $this->link = $this->adapter->connect(DB_HOST, DB_USER, DB_PASS, DB_NAME, defined('DB_PORT') ? DB_PORT : ""); if (!$this->link) { @@ -49,6 +74,13 @@ class Db implements IDb { return self::$instance; } + public static function pdo() { + if (self::$instance == null) + self::$instance = new self(); + + return self::$instance->pdo; + } + static function quote($str){ return("'$str'"); } diff --git a/classes/db/pdo.php b/classes/db/pdo.php deleted file mode 100644 index d3070fac..00000000 --- a/classes/db/pdo.php +++ /dev/null 
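Review bot: `defined(DB_PORT)` passes the constant's value rather than its name and should read `defined('DB_PORT')`, as the `$this->link` line a few lines below already does; on PHP 8 an undefined DB_PORT turns this into an Error rather than a notice. The `if (!$this->pdo)` check after `new PDO(...)` is unreachable, because the constructor throws PDOException on failure, and an uncaught one terminates with a backtrace whose arguments can include the DSN, DB_USER and DB_PASS — so the connect should be wrapped as below and print only the generic message. `PDO::ERRMODE_WARNING` additionally makes `prepare()`/`query()` return false on error, which callers in this commit chain straight into `->fetch()`/`->execute()`; the deleted Db_PDO adapter used ERRMODE_EXCEPTION, and keeping that would make failures explicit instead of fatal on a false.
```php
		$db_port = defined('DB_PORT') ? ';port=' . DB_PORT : '';

		try {
			$this->pdo = new PDO(DB_TYPE . ':dbname=' . DB_NAME . ';host=' . DB_HOST . $db_port,
				DB_USER,
				DB_PASS);
		} catch (PDOException $e) {
			// do not print $e: its trace may carry the DSN and credentials
			print("Error connecting via PDO.");
			exit(101);
		}

		$this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING);
		// … unchanged: per-driver session setup (client_encoding, time zone, SET NAMES) …
```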
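Review bot: `pdo()` tests `self::$instance == null` with loose comparison; `=== null` states the intent and avoids surprises if the property is ever given a non-object default. Since this is the accessor the whole commit moves callers onto, a one-line docblock would help: `/** Lazily creates the Db singleton and returns its PDO handle. */`.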
@@ -1,100 +0,0 @@ -pdo = new PDO($connstr, $user, $pass); - $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); - $this->init(); - } catch (PDOException $e) { - die($e->getMessage()); - } - - return $this->pdo; - } - - function escape_string($s, $strip_tags = true) { - if ($strip_tags) $s = strip_tags($s); - - $qs = $this->pdo->quote($s); - - return mb_substr($qs, 1, mb_strlen($qs)-2); - } - - function query($query, $die_on_error = true) { - try { - return new Db_Stmt($this->pdo->query($query)); - } catch (PDOException $e) { - user_error($e->getMessage(), $die_on_error ? E_USER_ERROR : E_USER_WARNING); - } - } - - function fetch_assoc($result) { - try { - if ($result) { - return $result->fetch(); - } else { - return null; - } - } catch (PDOException $e) { - user_error($e->getMessage(), E_USER_WARNING); - } - } - - function num_rows($result) { - try { - if ($result) { - return $result->rowCount(); - } else { - return false; - } - } catch (PDOException $e) { - user_error($e->getMessage(), E_USER_WARNING); - } - } - - function fetch_result($result, $row, $param) { - return $result->fetch_result($row, $param); - } - - function close() { - $this->pdo = null; - } - - function affected_rows($result) { - try { - if ($result) { - return $result->rowCount(); - } else { - return null; - } - } catch (PDOException $e) { - user_error($e->getMessage(), E_USER_WARNING); - } - } - - function last_error() { - return join(" ", $this->pdo->errorInfo()); - } - - function init() { - switch (DB_TYPE) { - case "pgsql": - $this->query("set client_encoding = 'UTF-8'"); - $this->query("set datestyle = 'ISO, european'"); - $this->query("set TIME ZONE 0"); - return; - case "mysql": - $this->query("SET time_zone = '+0:0'"); - return; - } - - return true; - } - -} \ No newline at end of file diff --git a/classes/db/prefs.php b/classes/db/prefs.php index d61cc107..e704a135 100644 --- a/classes/db/prefs.php +++ b/classes/db/prefs.php 
@@ -1,11 +1,11 @@ dbh = Db::get(); + $this->pdo = Db::pdo(); $this->cache = array(); if ($_SESSION["uid"]) $this->cache(); @@ -26,26 +26,22 @@ class Db_Prefs { $user_id = $_SESSION["uid"]; @$profile = $_SESSION["profile"]; - if ($profile) { - $profile_qpart = "profile = '$profile' AND"; - } else { - $profile_qpart = "profile IS NULL AND"; - } + if (!$profile || get_schema_version() < 63) $profile = null; - if (get_schema_version() < 63) $profile_qpart = ""; - - $result = db_query("SELECT + $sth = $this->pdo->prepare("SELECT value,ttrss_prefs_types.type_name as type_name,ttrss_prefs.pref_name AS pref_name FROM ttrss_user_prefs,ttrss_prefs,ttrss_prefs_types WHERE - $profile_qpart + (profile = :profile OR (:profile IS NULL AND profile IS NULL)) AND ttrss_prefs.pref_name NOT LIKE '_MOBILE%' AND ttrss_prefs_types.id = type_id AND - owner_uid = '$user_id' AND + owner_uid = :uid AND ttrss_user_prefs.pref_name = ttrss_prefs.pref_name"); - while ($line = db_fetch_assoc($result)) { + $sth->execute([":profile" => $profile, ":uid" => $user_id]); + + while ($line = $sth->fetch()) { if ($user_id == $_SESSION["uid"]) { $pref_name = $line["pref_name"]; @@ -57,7 +53,6 @@ class Db_Prefs { function read($pref_name, $user_id = false, $die_on_error = false) { - $pref_name = db_escape_string($pref_name); $profile = false; if (!$user_id) { 
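Review bot: The rewritten cache() query in Db_Prefs always references the `profile` column, whereas the removed code dropped the profile predicate entirely when `get_schema_version() < 63` — presumably because that column did not exist before schema 63 (not visible here). Setting `$profile = null` keeps the predicate, so on a pre-63 schema (for instance while the updater has yet to run) the SELECT now errors instead of degrading. The same change is made in the read() hunk (`@@ -72,28 +67,23`) and the write() hunks (`@@ -135,7 +124,7`, `@@ -171,10 +162,12`); either restore a conditional query part for the old schema or state in a comment that schemas before 63 are no longer supported. cache()'s signature is above this hunk.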
@@ -72,28 +67,23 @@ class Db_Prefs { return $this->convert($tuple["value"], $tuple["type"]); } - if ($profile) { - $profile_qpart = "profile = '$profile' AND"; - } else { - $profile_qpart = "profile IS NULL AND"; - } - - if (get_schema_version() < 63) $profile_qpart = ""; + if (!$profile || get_schema_version() < 63) $profile = null; - $result = db_query("SELECT + $sth = $this->pdo->prepare("SELECT value,ttrss_prefs_types.type_name as type_name FROM ttrss_user_prefs,ttrss_prefs,ttrss_prefs_types WHERE - $profile_qpart - ttrss_user_prefs.pref_name = '$pref_name' AND + (profile = :profile OR (:profile IS NULL AND profile IS NULL)) AND + ttrss_user_prefs.pref_name = :pref_name AND ttrss_prefs_types.id = type_id AND - owner_uid = '$user_id' AND + owner_uid = :uid AND ttrss_user_prefs.pref_name = ttrss_prefs.pref_name"); + $sth->execute([":uid" => $user_id, ":profile" => $profile, ":pref_name" => $pref_name]); - if (db_num_rows($result) > 0) { - $value = db_fetch_result($result, 0, "value"); - $type_name = db_fetch_result($result, 0, "type_name"); + if ($row = $sth->fetch()) { + $value = $row["value"]; + $type_name = $row["type_name"]; if ($user_id == $_SESSION["uid"]) { $this->cache[$pref_name]["type"] = $type_name; @@ -119,8 +109,7 @@ class Db_Prefs { } function write($pref_name, $value, $user_id = false, $strip_tags = true) { - $pref_name = db_escape_string($pref_name); - $value = db_escape_string($value, $strip_tags); + if ($strip_tags) $value = strip_tags($value); if (!$user_id) { $user_id = $_SESSION["uid"]; @@ -135,7 +124,7 @@ class Db_Prefs { $profile_qpart = "AND profile IS NULL"; } - if (get_schema_version() < 63) $profile_qpart = ""; + if (!$profile || get_schema_version() < 63) $profile = null; $type_name = ""; $current_value = ""; 
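Review bot: In write(), `$profile_qpart` is still assigned in the context line just above the change (`$profile_qpart = "AND profile IS NULL";`) but nothing reads it anymore now that the UPDATE binds `:profile`; the leftover if/else should go along with the variable so that `if (!$profile || get_schema_version() < 63) $profile = null;` is the only profile handling left. write()'s body continues past the hunk.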
@@ -146,12 +135,14 @@ class Db_Prefs { } if (!$type_name) { - $result = db_query("SELECT type_name + $sth = $this->pdo->prepare("SELECT type_name FROM ttrss_prefs,ttrss_prefs_types - WHERE pref_name = '$pref_name' AND type_id = ttrss_prefs_types.id"); + WHERE pref_name = ? AND type_id = ttrss_prefs_types.id"); + $sth->execute([$pref_name]); + + if ($row = $sth->fetch()) + $type_name = $row["type_name"]; - if (db_num_rows($result) > 0) - $type_name = db_fetch_result($result, 0, "type_name"); } else if ($current_value == $value) { return; } @@ -171,10 +162,12 @@ class Db_Prefs { $value = 'UTC'; } - db_query("UPDATE ttrss_user_prefs SET - value = '$value' WHERE pref_name = '$pref_name' - $profile_qpart - AND owner_uid = " . $user_id); + $sth = $this->pdo->prepare("UPDATE ttrss_user_prefs SET + value = :value WHERE pref_name = :pref_name + AND (profile = :profile OR (:profile IS NULL AND profile IS NULL)) + AND owner_uid = :uid"); + + $sth->execute([":pref_name" => $pref_name, ":value" => $value, ":uid" => $user_id, ":profile" => $profile]); if ($user_id == $_SESSION["uid"]) { $this->cache[$pref_name]["type"] = $type_name; diff --git a/classes/db/stmt.php b/classes/db/stmt.php deleted file mode 100644 index 7d6bbb30..00000000 --- a/classes/db/stmt.php +++ /dev/null @@ -1,31 +0,0 @@ -stmt = $stmt; - $this->cache = false; - } - - function fetch_result($row, $param) { - if (!$this->cache) { - $this->cache = $this->stmt->fetchAll(); - } - - if (isset($this->cache[$row])) { - return $this->cache[$row][$param]; - } else { - user_error("Unable to jump to row $row", E_USER_WARNING); - return false; - } - } - - function rowCount() { - return $this->stmt->rowCount(); - } - - function fetch() { - return $this->stmt->fetch(); - } -} \ No newline at end of file diff --git a/classes/dbupdater.php b/classes/dbupdater.php index 2d131fde..1014fa5a 100644 --- a/classes/dbupdater.php +++ b/classes/dbupdater.php 
@@ -1,19 +1,19 @@ dbh = $dbh; + function __construct($pdo, $db_type, $need_version) { + $this->pdo = Db::pdo(); //$pdo; $this->db_type = $db_type; $this->need_version = (int) $need_version; } function getSchemaVersion() { - $result = db_query("SELECT schema_version FROM ttrss_version"); - return (int) db_fetch_result($result, 0, "schema_version"); + $row = $this->pdo->query("SELECT schema_version FROM ttrss_version")->fetch(); + return (int) $row['schema_version']; } function isUpdateRequired() { @@ -26,6 +26,7 @@ class DbUpdater { if (file_exists($filename)) { return explode(";", preg_replace("/[\r\n]/", "", file_get_contents($filename))); } else { + user_error("DB Updater: schema file for version $version is not found."); return false; } } @@ -37,17 +38,17 @@ class DbUpdater { if (is_array($lines)) { - db_query("BEGIN"); + $this->pdo->beginTransaction(); foreach ($lines as $line) { if (strpos($line, "--") !== 0 && $line) { - if (!db_query($line, false)) { + if (!$this->pdo->query($line)) { if ($html_output) { print_notice("Query: $line"); - print_error("Error: " . db_last_query_error()); + print_error("Error: " . implode(", ", $this->pdo->errorInfo())); } else { _debug("Query: $line"); - _debug("Error: " . db_last_query_error()); + _debug("Error: " . implode(", ", $this->pdo->errorInfo())); } return false; @@ -58,10 +59,10 @@ class DbUpdater { $db_version = $this->getSchemaVersion(); if ($db_version == $version) { - db_query("COMMIT"); + $this->pdo->commit(); return true; } else { - db_query("ROLLBACK"); + $this->pdo->rollBack(); return false; } } else { diff --git a/classes/digest.php b/classes/digest.php index 5a50eb07..83f39a86 100644 --- a/classes/digest.php +++ b/classes/digest.php 
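Review bot: DbUpdater::__construct now ignores its `$pdo` argument (`$this->pdo = Db::pdo(); //$pdo;`), which is misleading for callers that pass a handle; either use it (`$this->pdo = $pdo;`) or drop the parameter and its call sites. getSchemaVersion() chains `->fetch()` onto `$this->pdo->query(...)`, which returns false when the statement fails under the connection's ERRMODE_WARNING setting, so a missing ttrss_version table becomes a fatal call on false rather than a readable error; assign the result and check it before fetching.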
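Review bot: When a schema statement fails, update() returns false right after printing the error but never calls `$this->pdo->rollBack()`, so the transaction opened with `beginTransaction()` is left active on the shared handle from `Db::pdo()`; a later caller such as CCache::update then sees `beginTransaction()` throw and treats it as an outer transaction. Add `$this->pdo->rollBack();` immediately before that `return false;`. update()'s signature and the loop's closing lines are outside this hunk.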
@@ -19,15 +19,17 @@ class Digest if ($debug) _debug("Sending digests, batch of max $user_limit users, headline limit = $limit"); if (DB_TYPE == "pgsql") { - $interval_query = "last_digest_sent < NOW() - INTERVAL '1 days'"; + $interval_qpart = "last_digest_sent < NOW() - INTERVAL '1 days'"; } else if (DB_TYPE == "mysql") { - $interval_query = "last_digest_sent < DATE_SUB(NOW(), INTERVAL 1 DAY)"; + $interval_qpart = "last_digest_sent < DATE_SUB(NOW(), INTERVAL 1 DAY)"; } - $result = db_query("SELECT id,email FROM ttrss_users - WHERE email != '' AND (last_digest_sent IS NULL OR $interval_query)"); + $pdo = Db::pdo(); - while ($line = db_fetch_assoc($result)) { + $res = $pdo->query("SELECT id,email FROM ttrss_users + WHERE email != '' AND (last_digest_sent IS NULL OR $interval_qpart)"); + + while ($line = $res->fetch()) { if (@get_pref('DIGEST_ENABLE', $line['id'], false)) { $preferred_ts = strtotime(get_pref('DIGEST_PREFERRED_TIME', $line['id'], '00:00')); @@ -70,8 +72,9 @@ class Digest if ($debug) _debug("No headlines"); } - db_query("UPDATE ttrss_users SET last_digest_sent = NOW() - WHERE id = " . $line["id"]); + $sth = $pdo->prepare("UPDATE ttrss_users SET last_digest_sent = NOW() + WHERE id = ?"); + $sth->execute([$line["id"]]); } } @@ -102,13 +105,17 @@ class Digest $affected_ids = array(); + $days = (int) $days; + if (DB_TYPE == "pgsql") { - $interval_query = "ttrss_entries.date_updated > NOW() - INTERVAL '$days days'"; + $interval_qpart = "ttrss_entries.date_updated > NOW() - INTERVAL '$days days'"; } else if (DB_TYPE == "mysql") { - $interval_query = "ttrss_entries.date_updated > DATE_SUB(NOW(), INTERVAL $days DAY)"; + $interval_qpart = "ttrss_entries.date_updated > DATE_SUB(NOW(), INTERVAL $days DAY)"; } - $result = db_query("SELECT ttrss_entries.title, + $pdo = Db::pdo(); + + $sth = $pdo->prepare("SELECT ttrss_entries.title, ttrss_feeds.title AS feed_title, COALESCE(ttrss_feed_categories.title, '" . __('Uncategorized') . "') AS cat_title, date_updated, 
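Review bot: Now that this SELECT is a prepared statement, `__('Uncategorized')` is the only value still interpolated into the SQL text, and a translation containing an apostrophe would break the query. Use a placeholder, `COALESCE(ttrss_feed_categories.title, ?) AS cat_title,`, and prepend the string to the execute() arguments (the execute call is in the next hunk). The `(int) $days` cast above is the right way to keep the interval clause safe. The function starts before the hunk and continues after it.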
@@ -124,19 +131,20 @@ class Digest WHERE ref_id = ttrss_entries.id AND feed_id = ttrss_feeds.id AND include_in_digest = true - AND $interval_query - AND ttrss_user_entries.owner_uid = $user_id + AND $interval_qpart + AND ttrss_user_entries.owner_uid = ? AND unread = true AND score >= 0 ORDER BY ttrss_feed_categories.title, ttrss_feeds.title, score DESC, date_updated DESC - LIMIT $limit"); - - $headlines_count = db_num_rows($result); + LIMIT ?"); + $sth->execute([$user_id, $limit]); + $headlines_count = 0; $headlines = array(); - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { array_push($headlines, $line); + $headlines_count++; } for ($i = 0; $i < sizeof($headlines); $i++) { @@ -148,12 +156,6 @@ class Digest $updated = make_local_datetime($line['last_updated'], false, $user_id); - /* if ($line["score"] != 0) { - if ($line["score"] > 0) $line["score"] = '+' . $line["score"]; - - $line["title"] .= " (".$line['score'].")"; - } */ - if (get_pref('ENABLE_FEED_CATS', $user_id)) { $line['feed_title'] = $line['cat_title'] . " / " . $line['feed_title']; } diff --git a/classes/dlg.php b/classes/dlg.php index 53fa6028..6f22c81e 100644 --- a/classes/dlg.php +++ b/classes/dlg.php @@ -7,7 +7,7 @@ class Dlg extends Handler_Protected { if (parent::before($method)) { header("Content-Type: text/html"); # required for iframe - $this->param = $this->dbh->escape_string($_REQUEST["param"]); + $this->param = $_REQUEST["param"]; return true; } return false; @@ -18,16 +18,12 @@ class Dlg extends Handler_Protected { print "
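Review bot: `LIMIT ?` is bound through `execute([$user_id, $limit])`, which sends `$limit` as a string; with prepared-statement emulation (PDO's default on MySQL) that becomes `LIMIT '30'`, which MySQL rejects. Bind it explicitly as an integer, `$sth->bindValue(1, $user_id); $sth->bindValue(2, (int) $limit, PDO::PARAM_INT); $sth->execute();`, or cast and interpolate it the way `$days` is handled above. The enclosing function starts before the hunk.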
"; - $this->dbh->query("BEGIN"); - print "
    "; $opml = new Opml($_REQUEST); $opml->opml_import($_SESSION["uid"]); - $this->dbh->query("COMMIT"); - print "
"; print "
"; @@ -102,15 +98,14 @@ class Dlg extends Handler_Protected { // from here: http://www.roscripts.com/Create_tag_cloud-71.html - $query = "SELECT tag_name, COUNT(post_int_id) AS count - FROM ttrss_tags WHERE owner_uid = ".$_SESSION["uid"]." - GROUP BY tag_name ORDER BY count DESC LIMIT 50"; - - $result = $this->dbh->query($query); + $sth = $this->pdo->prepare("SELECT tag_name, COUNT(post_int_id) AS count + FROM ttrss_tags WHERE owner_uid = ? + GROUP BY tag_name ORDER BY count DESC LIMIT 50"); + $sth->execute([$_SESSION['uid']]); $tags = array(); - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $sth->fetch()) { $tags[$line["tag_name"]] = $line["count"]; } @@ -164,7 +159,7 @@ class Dlg extends Handler_Protected { function generatedFeed() { $this->params = explode(":", $this->param, 3); - $feed_id = $this->dbh->escape_string($this->params[0]); + $feed_id = $this->params[0]; $is_cat = (bool) $this->params[1]; $key = get_feed_access_key($feed_id, $is_cat); diff --git a/classes/feeds.php b/classes/feeds.php index 70271802..f2244ae8 100755 --- a/classes/feeds.php +++ b/classes/feeds.php @@ -39,7 +39,7 @@ class Feeds extends Handler_Protected { $search_q = ""; } - $reply .= ""; + $reply = ""; $rss_link = htmlspecialchars(get_self_url_prefix() . "/public.php?op=rss&id=$feed_id$cat_q$search_q"); 
@@ -193,24 +193,28 @@ class Feeds extends Handler_Protected { if (!$any_needs_curl) { - $result = $this->dbh->query( - "SELECT cache_images," . SUBSTRING_FOR_DATE . "(last_updated,1,19) AS last_updated - FROM ttrss_feeds WHERE id = '$feed'"); + $sth = $this->pdo->prepare("SELECT cache_images," . SUBSTRING_FOR_DATE . "(last_updated,1,19) AS last_updated + FROM ttrss_feeds WHERE id = ?"); + $sth->execute([$feed]); - if ($this->dbh->num_rows($result) != 0) { - $last_updated = strtotime($this->dbh->fetch_result($result, 0, "last_updated")); - $cache_images = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "cache_images")); + if ($row = $sth->fetch()) { + $last_updated = strtotime($row["last_updated"]); + $cache_images = sql_bool_to_bool($row["cache_images"]); if (!$cache_images && time() - $last_updated > 120) { RSSUtils::update_rss_feed($feed, true); } else { - $this->dbh->query("UPDATE ttrss_feeds SET last_updated = '1970-01-01', last_update_started = '1970-01-01' - WHERE id = '$feed'"); + $sth = $this->pdo->prepare("UPDATE ttrss_feeds + SET last_updated = '1970-01-01', last_update_started = '1970-01-01' + WHERE id = ?"); + $sth->execute([$feed]); } } } else { - $this->dbh->query("UPDATE ttrss_feeds SET last_updated = '1970-01-01', last_update_started = '1970-01-01' - WHERE id = '$feed'"); + $sth = $this->pdo->prepare("UPDATE ttrss_feeds + SET last_updated = '1970-01-01', last_update_started = '1970-01-01' + WHERE id = ?"); + $sth->execute([$feed]); } } @@ -221,16 +225,16 @@ class Feeds extends Handler_Protected { // FIXME: might break tag display? if (is_numeric($feed) && $feed > 0 && !$cat_view) { - $result = $this->dbh->query( - "SELECT id FROM ttrss_feeds WHERE id = '$feed' LIMIT 1"); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE id = ? LIMIT 1"); + $sth->execute([$feed]); - if ($this->dbh->num_rows($result) == 0) { + if (!$sth->fetch()) { $reply['content'] = "
".__('Feed not found.')."
"; } } - @$search = $this->dbh->escape_string($_REQUEST["query"]); - @$search_language = $this->dbh->escape_string($_REQUEST["search_language"]); // PGSQL only + @$search = $_REQUEST["query"]; + @$search_language = $_REQUEST["search_language"]; // PGSQL only if ($search) { $disable_cache = true; @@ -238,7 +242,6 @@ class Feeds extends Handler_Protected { if ($_REQUEST["debug"]) $timing_info = print_checkpoint("H0", $timing_info); - if (!$cat_view && is_numeric($feed) && $feed < PLUGIN_FEED_BASE_INDEX && $feed > LABEL_BASE_INDEX) { $handler = PluginHost::getInstance()->get_feed_handler( PluginHost::feed_to_pfeed_id($feed)); @@ -300,8 +303,6 @@ class Feeds extends Handler_Protected { $feed, $cat_view, $search, $last_error, $last_updated); - $headlines_count = is_numeric($result) ? 0 : $this->dbh->num_rows($result); - if ($offset == 0) { foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_HEADLINES_BEFORE) as $p) { $reply['content'] .= $p->hook_headlines_before($feed, $cat_view, $qfh_ret); 
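Review bot: `@$search = $_REQUEST["query"]` and `@$search_language = $_REQUEST["search_language"]` drop `escape_string`, but neither value is bound anywhere visible: `$search` is later turned into `$search_qpart` by `search_to_sql()` (hunk `@@ -1237,9 +1238,10 @@`), and that fragment is string-interpolated into every prepared UPDATE in the `@@ -1284,50 +1286,55 @@` and `@@ -1336,43 +1343,47 @@` hunks, where the `?` placeholders do not cover it. Unless `search_to_sql()` (outside this diff) now quotes through PDO or returns bindable parameters, the escaping that protected those fragments is gone. A comment on the new line, `// raw request input: search_to_sql() must quote/bind this before it reaches SQL`, would at least record the dependency. The enclosing method starts and ends outside the hunk.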
@@ -310,521 +311,505 @@ class Feeds extends Handler_Protected { $reply['content'] = ''; - if ($headlines_count > 0) { + $headlines_count = 0; + + $lnum = $offset; + $num_unread = 0; + if ($_REQUEST["debug"]) $timing_info = print_checkpoint("PS", $timing_info); + $expand_cdm = get_pref('CDM_EXPANDED'); + + while ($line = $result->fetch()) { + + ++$headlines_count; + + $line["content_preview"] = "— " . truncate_string(strip_tags($line["content"]), 250); - $lnum = $offset; + foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_QUERY_HEADLINES) as $p) { + $line = $p->hook_query_headlines($line, 250, false); + } - $num_unread = 0; - $cur_feed_title = ''; + if (get_pref('SHOW_CONTENT_PREVIEW')) { + $content_preview = $line["content_preview"]; + } - if ($_REQUEST["debug"]) $timing_info = print_checkpoint("PS", $timing_info); + $id = $line["id"]; + $feed_id = $line["feed_id"]; + $label_cache = $line["label_cache"]; + $labels = false; - $expand_cdm = get_pref('CDM_EXPANDED'); + if ($label_cache) { + $label_cache = json_decode($label_cache, true); - while ($line = $this->dbh->fetch_assoc($result)) { + if ($label_cache) { + if ($label_cache["no-labels"] == 1) + $labels = array(); + else + $labels = $label_cache; + } + } - $line["content_preview"] = "— " . 
truncate_string(strip_tags($line["content"]), 250); + if (!is_array($labels)) $labels = Article::get_article_labels($id); - foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_QUERY_HEADLINES) as $p) { - $line = $p->hook_query_headlines($line, 250, false); - } + $labels_str = ""; + $labels_str .= Article::format_article_labels($labels); + $labels_str .= ""; - if (get_pref('SHOW_CONTENT_PREVIEW')) { - $content_preview = $line["content_preview"]; - } + if (count($topmost_article_ids) < 3) { + array_push($topmost_article_ids, $id); + } - $id = $line["id"]; - $feed_id = $line["feed_id"]; - $label_cache = $line["label_cache"]; - $labels = false; + $class = ""; - if ($label_cache) { - $label_cache = json_decode($label_cache, true); + if (sql_bool_to_bool($line["unread"])) { + $class .= " Unread"; + ++$num_unread; + } - if ($label_cache) { - if ($label_cache["no-labels"] == 1) - $labels = array(); - else - $labels = $label_cache; - } - } + if (sql_bool_to_bool($line["marked"])) { + $marked_pic = "\"Unstar"; + $class .= " marked"; + } else { + $marked_pic = "\"Star"; + } - if (!is_array($labels)) $labels = Article::get_article_labels($id); + if (sql_bool_to_bool($line["published"])) { + $published_pic = "\"Unpublish"; + $class .= " published"; + } else { + $published_pic = "\"Publish"; + } - $labels_str = ""; - $labels_str .= Article::format_article_labels($labels); - $labels_str .= ""; + $updated_fmt = make_local_datetime($line["updated"], false, false, false, true); + $date_entered_fmt = T_sprintf("Imported at %s", + make_local_datetime($line["date_entered"], false)); - if (count($topmost_article_ids) < 3) { - array_push($topmost_article_ids, $id); - } + $score = $line["score"]; - $class = ""; + $score_pic = "images/" . 
get_score_pic($score); - if (sql_bool_to_bool($line["unread"])) { - $class .= " Unread"; - ++$num_unread; - } + $score_pic = ""; - if (sql_bool_to_bool($line["marked"])) { - $marked_pic = "\"Unstar"; - $class .= " marked"; - } else { - $marked_pic = "\"Star"; - } + if ($score > 500) { + $hlc_suffix = "high"; + } else if ($score < -100) { + $hlc_suffix = "low"; + } else { + $hlc_suffix = ""; + } - if (sql_bool_to_bool($line["published"])) { - $published_pic = "\"Unpublish"; - $class .= " published"; - } else { - $published_pic = "\"Publish"; - } + $entry_author = $line["author"]; -# $content_link = "" . -# $line["title"] . ""; + if ($entry_author) { + $entry_author = " — $entry_author"; + } -# $content_link = "" . -# $line["title"] . ""; + $has_feed_icon = feed_has_icon($feed_id); -# $content_link = "" . -# $line["title"] . ""; + if ($has_feed_icon) { + $feed_icon_img = "\"\""; + } else { + $feed_icon_img = "\"\""; + } - $updated_fmt = make_local_datetime($line["updated"], false, false, false, true); - $date_entered_fmt = T_sprintf("Imported at %s", - make_local_datetime($line["date_entered"], false)); + $entry_site_url = $line["site_url"]; - $score = $line["score"]; + //setting feed headline background color, needs to change text color based on dark/light + $fav_color = $line['favicon_avg_color']; - $score_pic = "images/" . 
get_score_pic($score); + require_once "colors.php"; -/* $score_title = __("(Click to change)"); - $score_pic = ""; */ + if ($fav_color && $fav_color != 'fail') { + if (!isset($rgba_cache[$feed_id])) { + $rgba_cache[$feed_id] = join(",", _color_unpack($fav_color)); + } + } - $score_pic = ""; + if (!get_pref('COMBINED_DISPLAY_MODE')) { - if ($score > 500) { - $hlc_suffix = "high"; - } else if ($score < -100) { - $hlc_suffix = "low"; - } else { - $hlc_suffix = ""; - } + if ($vfeed_group_enabled) { + if ($feed_id != $vgroup_last_feed && $line["feed_title"]) { - $entry_author = $line["author"]; + $cur_feed_title = $line["feed_title"]; + $vgroup_last_feed = $feed_id; - if ($entry_author) { - $entry_author = " — $entry_author"; - } + $cur_feed_title = htmlspecialchars($cur_feed_title); - $has_feed_icon = feed_has_icon($feed_id); + $vf_catchup_link = "".__('mark feed as read').""; - if ($has_feed_icon) { - $feed_icon_img = "\"\""; - } else { - $feed_icon_img = "\"\""; - } + $reply['content'] .= "
". + "
$feed_icon_img
". + "". + $line["feed_title"]." + $vf_catchup_link
"; - $entry_site_url = $line["site_url"]; - //setting feed headline background color, needs to change text color based on dark/light - $fav_color = $line['favicon_avg_color']; + } + } - require_once "colors.php"; + $mouseover_attrs = "onmouseover='postMouseIn(event, $id)' + onmouseout='postMouseOut($id)'"; - if ($fav_color && $fav_color != 'fail') { - if (!isset($rgba_cache[$feed_id])) { - $rgba_cache[$feed_id] = join(",", _color_unpack($fav_color)); - } - } + $reply['content'] .= "
"; - if (!get_pref('COMBINED_DISPLAY_MODE')) { + $reply['content'] .= "
"; - if ($vfeed_group_enabled) { - if ($feed_id != $vgroup_last_feed && $line["feed_title"]) { + $reply['content'] .= ""; - $cur_feed_title = $line["feed_title"]; - $vgroup_last_feed = $feed_id; + $reply['content'] .= "$marked_pic"; + $reply['content'] .= "$published_pic"; - $cur_feed_title = htmlspecialchars($cur_feed_title); + $reply['content'] .= "
"; - $vf_catchup_link = "".__('mark feed as read').""; + $reply['content'] .= "
"; + $reply['content'] .= "" . + truncate_string($line["title"], 200); - $reply['content'] .= ""; + if (get_pref('SHOW_CONTENT_PREVIEW')) { + $reply['content'] .= "" . $line["content_preview"] . ""; + } + $reply['content'] .= ""; - } - } + $reply['content'] .= $labels_str; - $mouseover_attrs = "onmouseover='postMouseIn(event, $id)' - onmouseout='postMouseOut($id)'"; + $reply['content'] .= "
"; - $reply['content'] .= "
"; + if (!$vfeed_group_enabled) { + if (@$line["feed_title"]) { + $rgba = @$rgba_cache[$feed_id]; - $reply['content'] .= "
"; + $reply['content'] .= "". + truncate_string($line["feed_title"],30).""; + } + } - $reply['content'] .= ""; - $reply['content'] .= "$marked_pic"; - $reply['content'] .= "$published_pic"; + $reply['content'] .= ""; - $reply['content'] .= "
"; + $reply['content'] .= "
$updated_fmt
+ "; - $reply['content'] .= "
"; - $reply['content'] .= "" . - truncate_string($line["title"], 200); + $reply['content'] .= "
"; - if (get_pref('SHOW_CONTENT_PREVIEW')) { - $reply['content'] .= "" . $line["content_preview"] . ""; - } + $reply['content'] .= $score_pic; - $reply['content'] .= ""; + if ($line["feed_title"] && !$vfeed_group_enabled) { - $reply['content'] .= $labels_str; + $reply['content'] .= " + $feed_icon_img"; + } - $reply['content'] .= "
"; + $reply['content'] .= "
"; + $reply['content'] .= "
"; - if (!$vfeed_group_enabled) { - if (@$line["feed_title"]) { - $rgba = @$rgba_cache[$feed_id]; + } else { - $reply['content'] .= "". - truncate_string($line["feed_title"],30).""; - } - } + if ($line["tag_cache"]) + $tags = explode(",", $line["tag_cache"]); + else + $tags = false; + $line["content"] = sanitize($line["content"], + sql_bool_to_bool($line['hide_images']), false, $entry_site_url, $highlight_words, $line["id"]); - $reply['content'] .= ""; + foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_RENDER_ARTICLE_CDM) as $p) { + $line = $p->hook_render_article_cdm($line); + } - $reply['content'] .= "
$updated_fmt
-
"; + if ($vfeed_group_enabled && $line["feed_title"]) { + if ($feed_id != $vgroup_last_feed) { - $reply['content'] .= "
"; + $cur_feed_title = $line["feed_title"]; + $vgroup_last_feed = $feed_id; - $reply['content'] .= $score_pic; + $cur_feed_title = htmlspecialchars($cur_feed_title); - if ($line["feed_title"] && !$vfeed_group_enabled) { + $vf_catchup_link = "".__('mark feed as read').""; - $reply['content'] .= " - $feed_icon_img"; - } + $has_feed_icon = feed_has_icon($feed_id); - $reply['content'] .= "
"; - $reply['content'] .= "
"; + if ($has_feed_icon) { + $feed_icon_img = "\"\""; + } else { + //$feed_icon_img = "\"\""; + } - } else { + $reply['content'] .= "
". + "
$feed_icon_img
". + "". + $line["feed_title"]." $vf_catchup_link
"; - if ($line["tag_cache"]) - $tags = explode(",", $line["tag_cache"]); - else - $tags = false; + } + } - $line["content"] = sanitize($line["content"], - sql_bool_to_bool($line['hide_images']), false, $entry_site_url, $highlight_words, $line["id"]); + $mouseover_attrs = "onmouseover='postMouseIn(event, $id)' + onmouseout='postMouseOut($id)'"; - foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_RENDER_ARTICLE_CDM) as $p) { - $line = $p->hook_render_article_cdm($line); - } + $expanded_class = $expand_cdm ? "expanded" : "expandable"; - if ($vfeed_group_enabled && $line["feed_title"]) { - if ($feed_id != $vgroup_last_feed) { + $tmp_content = "
"; - $cur_feed_title = $line["feed_title"]; - $vgroup_last_feed = $feed_id; + $tmp_content .= "
"; + $tmp_content .= "
"; - $cur_feed_title = htmlspecialchars($cur_feed_title); + $tmp_content .= ""; - $vf_catchup_link = "".__('mark feed as read').""; + $tmp_content .= "$marked_pic"; + $tmp_content .= "$published_pic"; - $has_feed_icon = feed_has_icon($feed_id); + $tmp_content .= "
"; - if ($has_feed_icon) { - $feed_icon_img = "\"\""; - } else { - //$feed_icon_img = "\"\""; - } + if ($highlight_words && count($highlight_words > 0)) { + foreach ($highlight_words as $word) { + $line["title"] = preg_replace("/(\Q$word\E)/i", + "$1", $line["title"]); + } + } - $reply['content'] .= "
". - "
$feed_icon_img
". - "". - $line["feed_title"]." $vf_catchup_link
"; + // data-article-id included for context menu + $tmp_content .= " + ". + $line["title"] . + " $entry_author"; - } - } + $tmp_content .= $labels_str; - $mouseover_attrs = "onmouseover='postMouseIn(event, $id)' - onmouseout='postMouseOut($id)'"; + $tmp_content .= ""; - $expanded_class = $expand_cdm ? "expanded" : "expandable"; - - $tmp_content = "
"; + if (!$expand_cdm) + $content_hidden = "style=\"display : none\""; + else + $excerpt_hidden = "style=\"display : none\""; - $tmp_content .= "
"; - $tmp_content .= "
"; + $tmp_content .= "" . $content_preview . ""; - $tmp_content .= ""; + $tmp_content .= ""; - $tmp_content .= "$marked_pic"; - $tmp_content .= "$published_pic"; + if (!$vfeed_group_enabled) { + if (@$line["feed_title"]) { + $rgba = @$rgba_cache[$feed_id]; - $tmp_content .= "
"; + $tmp_content .= ""; + } + } - if ($highlight_words && count($highlight_words > 0)) { - foreach ($highlight_words as $word) { - $line["title"] = preg_replace("/(\Q$word\E)/i", - "$1", $line["title"]); - } - } + $tmp_content .= "$updated_fmt"; - // data-article-id included for context menu - $tmp_content .= " - ". - $line["title"] . - " $entry_author"; - - $tmp_content .= $labels_str; - - $tmp_content .= ""; - - if (!$expand_cdm) - $content_hidden = "style=\"display : none\""; - else - $excerpt_hidden = "style=\"display : none\""; - - $tmp_content .= "" . $content_preview . ""; - - $tmp_content .= ""; - - if (!$vfeed_group_enabled) { - if (@$line["feed_title"]) { - $rgba = @$rgba_cache[$feed_id]; - - $tmp_content .= ""; - } - } + $tmp_content .= "
"; + $tmp_content .= "$score_pic"; - $tmp_content .= "$updated_fmt"; + if (!get_pref("VFEED_GROUP_BY_FEED") && $line["feed_title"]) { + $tmp_content .= "$feed_icon_img"; + } + $tmp_content .= "
"; //scoreWrap - $tmp_content .= "
"; - $tmp_content .= "$score_pic"; + $tmp_content .= "
"; //cdmHeader - if (!get_pref("VFEED_GROUP_BY_FEED") && $line["feed_title"]) { - $tmp_content .= "$feed_icon_img"; - } - $tmp_content .= "
"; //scoreWrap + $tmp_content .= "
"; - $tmp_content .= "
"; //cdmHeader + $tmp_content .= "
"; + if ($line['note']) { + $tmp_content .= Article::format_article_note($id, $line['note']); + } + $tmp_content .= "
"; //POSTNOTE - $tmp_content .= "
"; + if (!$line['lang']) $line['lang'] = 'en'; - $tmp_content .= "
"; - if ($line['note']) { - $tmp_content .= Article::format_article_note($id, $line['note']); - } - $tmp_content .= "
"; //POSTNOTE + $tmp_content .= "
"; - if (!$line['lang']) $line['lang'] = 'en'; + if ($line["orig_feed_id"]) { - $tmp_content .= "
"; + $ofgh = $this->pdo->prepare("SELECT * FROM ttrss_archived_feeds + WHERE id = ? AND owner_uid = ?"); + $ofgh->execute([$line["orig_feed_id"], $_SESSION['uid']]); - if ($line["orig_feed_id"]) { + if ($tmp_line = $ofgh->fetch()) { - $tmp_result = $this->dbh->query("SELECT * FROM ttrss_archived_feeds - WHERE id = ".$line["orig_feed_id"] . " AND owner_uid = " . $_SESSION["uid"]); + $tmp_content .= "
"; + $tmp_content .= __("Originally from:"); - if ($this->dbh->num_rows($tmp_result) != 0) { + $tmp_content .= " "; - $tmp_content .= "
"; - $tmp_content .= __("Originally from:"); + $tmp_content .= "" . + $tmp_line['title'] . ""; - $tmp_content .= " "; + $tmp_content .= " "; - $tmp_line = $this->dbh->fetch_assoc($tmp_result); + $tmp_content .= ""; + $tmp_content .= ""; - $tmp_content .= "" . - $tmp_line['title'] . ""; + $tmp_content .= "
"; + } + } - $tmp_content .= " "; + $tmp_content .= ""; + $tmp_content .= ""; + $tmp_content .= htmlspecialchars($line["content"]); + $tmp_content .= ""; + $tmp_content .= ""; - $tmp_content .= ""; - $tmp_content .= ""; + $tmp_content .= "
"; //cdmContentInner - $tmp_content .= "
"; - } - } + $tmp_content .= "
"; - $tmp_content .= ""; - $tmp_content .= ""; - $tmp_content .= htmlspecialchars($line["content"]); - $tmp_content .= ""; - $tmp_content .= ""; + $always_display_enclosures = sql_bool_to_bool($line["always_display_enclosures"]); + $tmp_content .= Article::format_article_enclosures($id, $always_display_enclosures, $line["content"], sql_bool_to_bool($line["hide_images"])); - $tmp_content .= "
"; //cdmContentInner + $tmp_content .= "
"; // cdmIntermediate - $tmp_content .= "
"; + $tmp_content .= "
"; - $always_display_enclosures = sql_bool_to_bool($line["always_display_enclosures"]); - $tmp_content .= Article::format_article_enclosures($id, $always_display_enclosures, $line["content"], sql_bool_to_bool($line["hide_images"])); + foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_ARTICLE_LEFT_BUTTON) as $p) { + $tmp_content .= $p->hook_article_left_button($line); + } - $tmp_content .= "
"; // cdmIntermediate + $tags_str = Article::format_tags_string($tags, $id); - $tmp_content .= "
"; + $tmp_content .= ""; - foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_ARTICLE_LEFT_BUTTON) as $p) { - $tmp_content .= $p->hook_article_left_button($line); - } + $tmp_content .= "Tags + $tags_str + (+)"; - $tags_str = Article::format_tags_string($tags, $id); + $num_comments = (int) $line["num_comments"]; + $entry_comments = ""; - $tmp_content .= ""; + if ($num_comments > 0) { + if ($line["comments"]) { + $comments_url = htmlspecialchars($line["comments"]); + } else { + $comments_url = htmlspecialchars($line["link"]); + } + $entry_comments = "$num_comments ". + _ngettext("comment", "comments", $num_comments).""; - $tmp_content .= "Tags - $tags_str - (+)"; + } else { + if ($line["comments"] && $line["link"] != $line["comments"]) { + $entry_comments = "".__("comments").""; + } + } - $num_comments = (int) $line["num_comments"]; - $entry_comments = ""; + if ($entry_comments) $tmp_content .= " ($entry_comments)"; - if ($num_comments > 0) { - if ($line["comments"]) { - $comments_url = htmlspecialchars($line["comments"]); - } else { - $comments_url = htmlspecialchars($line["link"]); - } - $entry_comments = "$num_comments ". - _ngettext("comment", "comments", $num_comments).""; + $tmp_content .= ""; + $tmp_content .= "
"; - } else { - if ($line["comments"] && $line["link"] != $line["comments"]) { - $entry_comments = "".__("comments").""; - } - } + foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_ARTICLE_BUTTON) as $p) { + $tmp_content .= $p->hook_article_button($line); + } - if ($entry_comments) $tmp_content .= " ($entry_comments)"; + $tmp_content .= "
"; // buttons - $tmp_content .= "
"; - $tmp_content .= "
"; + $tmp_content .= "
"; // cdmFooter + $tmp_content .= "
"; // cdmContent + $tmp_content .= "
"; // RROW.cdm -// $tmp_content .= "$marked_pic"; -// $tmp_content .= "$published_pic"; + foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_FORMAT_ARTICLE_CDM) as $p) { + $tmp_content = $p->hook_format_article_cdm($tmp_content, $line); + } - foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_ARTICLE_BUTTON) as $p) { - $tmp_content .= $p->hook_article_button($line); - } + $reply['content'] .= $tmp_content; + } - $tmp_content .= "
"; // buttons + ++$lnum; + } - $tmp_content .= "
"; // cdmFooter - $tmp_content .= "
"; // cdmContent - $tmp_content .= "
"; // RROW.cdm + if ($_REQUEST["debug"]) $timing_info = print_checkpoint("PE", $timing_info); - foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_FORMAT_ARTICLE_CDM) as $p) { - $tmp_content = $p->hook_format_article_cdm($tmp_content, $line); - } + if (!$headlines_count) { - $reply['content'] .= $tmp_content; - } + if (!is_numeric($result)) { - ++$lnum; - } + switch ($view_mode) { + case "unread": + $message = __("No unread articles found to display."); + break; + case "updated": + $message = __("No updated articles found to display."); + break; + case "marked": + $message = __("No starred articles found to display."); + break; + default: + if ($feed < LABEL_BASE_INDEX) { + $message = __("No articles found to display. You can assign articles to labels manually from article header context menu (applies to all selected articles) or use a filter."); + } else { + $message = __("No articles found to display."); + } + } - if ($_REQUEST["debug"]) $timing_info = print_checkpoint("PE", $timing_info); - - } else if (!is_numeric($result)) { - $message = ""; - - switch ($view_mode) { - case "unread": - $message = __("No unread articles found to display."); - break; - case "updated": - $message = __("No updated articles found to display."); - break; - case "marked": - $message = __("No starred articles found to display."); - break; - default: - if ($feed < LABEL_BASE_INDEX) { - $message = __("No articles found to display. You can assign articles to labels manually from article header context menu (applies to all selected articles) or use a filter."); - } else { - $message = __("No articles found to display."); - } - } + if (!$offset && $message) { + $reply['content'] = "
$message"; - if (!$offset && $message) { - $reply['content'] = "
$message"; + $reply['content'] .= "

"; - $reply['content'] .= "

"; + $sth = $this->pdo->prepare("SELECT " . SUBSTRING_FOR_DATE . "(MAX(last_updated), 1, 19) AS last_updated FROM ttrss_feeds + WHERE owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); + $row = $sth->fetch(); - $result = $this->dbh->query("SELECT ".SUBSTRING_FOR_DATE."(MAX(last_updated), 1, 19) AS last_updated FROM ttrss_feeds - WHERE owner_uid = " . $_SESSION['uid']); + $last_updated = make_local_datetime($row["last_updated"], false); - $last_updated = $this->dbh->fetch_result($result, 0, "last_updated"); - $last_updated = make_local_datetime($last_updated, false); + $reply['content'] .= sprintf(__("Feeds last updated at %s"), $last_updated); - $reply['content'] .= sprintf(__("Feeds last updated at %s"), $last_updated); + $sth = $this->pdo->prepare("SELECT COUNT(id) AS num_errors + FROM ttrss_feeds WHERE last_error != '' AND owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); + $row = $sth->fetch(); - $result = $this->dbh->query("SELECT COUNT(id) AS num_errors - FROM ttrss_feeds WHERE last_error != '' AND owner_uid = ".$_SESSION["uid"]); + $num_errors = $row["num_errors"]; - $num_errors = $this->dbh->fetch_result($result, 0, "num_errors"); + if ($num_errors > 0) { + $reply['content'] .= "
"; + $reply['content'] .= "" . + __('Some feeds have update errors (click for details)') . ""; + } + $reply['content'] .= "

"; - if ($num_errors > 0) { - $reply['content'] .= "
"; - $reply['content'] .= "". - __('Some feeds have update errors (click for details)').""; } - $reply['content'] .= "

"; - + } else if (is_numeric($result) && $result == -1) { + $reply['first_id_changed'] = true; } - } else if (is_numeric($result) && $result == -1) { - $reply['first_id_changed'] = true; } if ($_REQUEST["debug"]) $timing_info = print_checkpoint("H2", $timing_info); @@ -834,8 +819,10 @@ class Feeds extends Handler_Protected { } function catchupAll() { - $this->dbh->query("UPDATE ttrss_user_entries SET - last_read = NOW(), unread = false WHERE unread = true AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET + last_read = NOW(), unread = false WHERE unread = true AND owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); + CCache::zero_all($_SESSION["uid"]); } @@ -846,16 +833,16 @@ class Feeds extends Handler_Protected { if ($_REQUEST["debug"]) $timing_info = print_checkpoint("0", $timing_info); - $feed = $this->dbh->escape_string($_REQUEST["feed"]); - $method = $this->dbh->escape_string($_REQUEST["m"]); - $view_mode = $this->dbh->escape_string($_REQUEST["view_mode"]); + $feed = $_REQUEST["feed"]; + $method = $_REQUEST["m"]; + $view_mode = $_REQUEST["view_mode"]; $limit = 30; @$cat_view = $_REQUEST["cat"] == "true"; - @$next_unread_feed = $this->dbh->escape_string($_REQUEST["nuf"]); - @$offset = $this->dbh->escape_string($_REQUEST["skip"]); - @$vgroup_last_feed = $this->dbh->escape_string($_REQUEST["vgrlf"]); - $order_by = $this->dbh->escape_string($_REQUEST["order_by"]); - $check_first_id = $this->dbh->escape_string($_REQUEST["fid"]); + @$next_unread_feed = $_REQUEST["nuf"]; + @$offset = $_REQUEST["skip"]; + @$vgroup_last_feed = $_REQUEST["vgrlf"]; + $order_by = $_REQUEST["order_by"]; + $check_first_id = $_REQUEST["fid"]; if (is_numeric($feed)) $feed = (int) $feed; 
@@ -867,21 +854,30 @@ class Feeds extends Handler_Protected { return; } - $result = false; - + $sth = false; if ($feed < LABEL_BASE_INDEX) { + $label_feed = Labels::feed_to_label_id($feed); - $result = $this->dbh->query("SELECT id FROM ttrss_labels2 WHERE - id = '$label_feed' AND owner_uid = " . $_SESSION['uid']); + + $sth = $this->pdo->prepare("SELECT id FROM ttrss_labels2 WHERE + id = ? AND owner_uid = ?"); + $sth->execute([$label_feed, $_SESSION['uid']]); + } else if (!$cat_view && is_numeric($feed) && $feed > 0) { - $result = $this->dbh->query("SELECT id FROM ttrss_feeds WHERE - id = '$feed' AND owner_uid = " . $_SESSION['uid']); + + $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE + id = ? AND owner_uid = ?"); + $sth->execute([$feed, $_SESSION['uid']]); + } else if ($cat_view && is_numeric($feed) && $feed > 0) { - $result = $this->dbh->query("SELECT id FROM ttrss_feed_categories WHERE - id = '$feed' AND owner_uid = " . $_SESSION['uid']); + + $sth = $this->pdo->prepare("SELECT id FROM ttrss_feed_categories WHERE + id = ? AND owner_uid = ?"); + + $sth->execute([$feed, $_SESSION['uid']]); } - if ($result && $this->dbh->num_rows($result) == 0) { + if ($sth && !$sth->fetch()) { print json_encode($this->generate_error_feed(__("Feed not found."))); return; } 
@@ -898,14 +894,16 @@ class Feeds extends Handler_Protected { /* bump login timestamp if needed */ if (time() - $_SESSION["last_login_update"] > 3600) { - $this->dbh->query("UPDATE ttrss_users SET last_login = NOW() WHERE id = " . - $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_users SET last_login = NOW() WHERE id = ?"); + $sth->execute([$_SESSION['uid']]); + $_SESSION["last_login_update"] = time(); } if (!$cat_view && is_numeric($feed) && $feed > 0) { - $this->dbh->query("UPDATE ttrss_feeds SET last_viewed = NOW() - WHERE id = '$feed' AND owner_uid = ".$_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_feeds SET last_viewed = NOW() + WHERE id = ? AND owner_uid = ?"); + $sth->execute([$feed, $_SESSION['uid']]); } $reply['headlines'] = array(); @@ -976,18 +974,21 @@ class Feeds extends Handler_Protected { $reply['headlines']['content'] .= "

"; - $result = $this->dbh->query("SELECT ".SUBSTRING_FOR_DATE."(MAX(last_updated), 1, 19) AS last_updated FROM ttrss_feeds - WHERE owner_uid = " . $_SESSION['uid']); + $sth = $this->pdo->prepare("SELECT ".SUBSTRING_FOR_DATE."(MAX(last_updated), 1, 19) AS last_updated FROM ttrss_feeds + WHERE owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); + $row = $sth->fetch(); - $last_updated = $this->dbh->fetch_result($result, 0, "last_updated"); - $last_updated = make_local_datetime($last_updated, false); + $last_updated = make_local_datetime($row["last_updated"], false); $reply['headlines']['content'] .= sprintf(__("Feeds last updated at %s"), $last_updated); - $result = $this->dbh->query("SELECT COUNT(id) AS num_errors - FROM ttrss_feeds WHERE last_error != '' AND owner_uid = ".$_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT COUNT(id) AS num_errors + FROM ttrss_feeds WHERE last_error != '' AND owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); + $row = $sth->fetch(); - $num_errors = $this->dbh->fetch_result($result, 0, "num_errors"); + $num_errors = $row["num_errors"]; if ($num_errors > 0) { $reply['headlines']['content'] .= "
"; @@ -1104,7 +1105,7 @@ class Feeds extends Handler_Protected { function feedBrowser() { if (defined('_DISABLE_FEED_BROWSER') && _DISABLE_FEED_BROWSER) return; - $browser_search = $this->dbh->escape_string($_REQUEST["search"]); + $browser_search = $_REQUEST["search"]; print_hidden("op", "rpc"); print_hidden("method", "updateFeedBrowser"); @@ -1150,7 +1151,7 @@ class Feeds extends Handler_Protected { } function search() { - $this->params = explode(":", $this->dbh->escape_string($_REQUEST["param"]), 2); + $this->params = explode(":", $_REQUEST["param"], 2); $active_feed_id = sprintf("%d", $this->params[0]); $is_cat = $this->params[1] != "false"; @@ -1237,9 +1238,10 @@ class Feeds extends Handler_Protected { if (!$owner_uid) $owner_uid = $_SESSION['uid']; + $pdo = Db::pdo(); + // Todo: all this interval stuff needs some generic generator function - $date_qpart = "false"; $search_qpart = is_array($search) && $search[0] ? search_to_sql($search[0], $search[1])[0] : 'true'; switch ($mode) { 
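Review bot: The `$date_qpart = "false";` initialiser is removed while the `switch ($mode)` that assigns it starts right after and continues outside the hunk; if any `$mode` value leaves it unset, the interpolated `AND $date_qpart` in the UPDATE statements of the later hunks becomes `AND  AND` and the query fails with a syntax error instead of matching nothing. Keep the safe default, `$date_qpart = "false";`, unless every path of that switch provably assigns it.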
@@ -1284,50 +1286,55 @@ class Feeds extends Handler_Protected { $cat_qpart = "cat_id IS NULL"; } - db_query("UPDATE ttrss_user_entries + $sth = $pdo->prepare("UPDATE ttrss_user_entries SET unread = false, last_read = NOW() WHERE ref_id IN (SELECT id FROM (SELECT DISTINCT id FROM ttrss_entries, ttrss_user_entries WHERE ref_id = id - AND owner_uid = $owner_uid AND unread = true AND feed_id IN + AND owner_uid = ? AND unread = true AND feed_id IN (SELECT id FROM ttrss_feeds WHERE $cat_qpart) AND $date_qpart AND $search_qpart) as tmp)"); + $sth->execute([$owner_uid]); } else if ($feed == -2) { - db_query("UPDATE ttrss_user_entries + $sth = $pdo->prepare("UPDATE ttrss_user_entries SET unread = false,last_read = NOW() WHERE (SELECT COUNT(*) FROM ttrss_user_labels2, ttrss_entries WHERE article_id = ref_id AND id = ref_id AND $date_qpart AND $search_qpart) > 0 - AND unread = true AND owner_uid = $owner_uid"); + AND unread = true AND owner_uid = ?"); + $sth->execute([$owner_uid]); } } else if ($feed > 0) { - db_query("UPDATE ttrss_user_entries + $sth = $pdo->prepare("UPDATE ttrss_user_entries SET unread = false, last_read = NOW() WHERE ref_id IN (SELECT id FROM (SELECT DISTINCT id FROM ttrss_entries, ttrss_user_entries WHERE ref_id = id - AND owner_uid = $owner_uid AND unread = true AND feed_id = $feed AND $date_qpart AND $search_qpart) as tmp)"); + AND owner_uid = ? AND unread = true AND feed_id = ? AND $date_qpart AND $search_qpart) as tmp)"); + $sth->execute([$owner_uid, $feed]); } else if ($feed < 0 && $feed > LABEL_BASE_INDEX) { // special, like starred if ($feed == -1) { - db_query("UPDATE ttrss_user_entries + $sth = $pdo->prepare("UPDATE ttrss_user_entries SET unread = false, last_read = NOW() WHERE ref_id IN (SELECT id FROM (SELECT DISTINCT id FROM ttrss_entries, ttrss_user_entries WHERE ref_id = id - AND owner_uid = $owner_uid AND unread = true AND marked = true AND $date_qpart AND $search_qpart) as tmp)"); + AND owner_uid = ? 
AND unread = true AND marked = true AND $date_qpart AND $search_qpart) as tmp)"); + $sth->execute([$owner_uid]); } if ($feed == -2) { - db_query("UPDATE ttrss_user_entries + $sth = $pdo->prepare("UPDATE ttrss_user_entries SET unread = false, last_read = NOW() WHERE ref_id IN (SELECT id FROM (SELECT DISTINCT id FROM ttrss_entries, ttrss_user_entries WHERE ref_id = id - AND owner_uid = $owner_uid AND unread = true AND published = true AND $date_qpart AND $search_qpart) as tmp)"); + AND owner_uid = ? AND unread = true AND published = true AND $date_qpart AND $search_qpart) as tmp)"); + $sth->execute([$owner_uid]); } if ($feed == -3) { - $intl = get_pref("FRESH_ARTICLE_MAX_AGE"); + $intl = (int) get_pref("FRESH_ARTICLE_MAX_AGE"); if (DB_TYPE == "pgsql") { $match_part = "date_entered > NOW() - INTERVAL '$intl hour' "; 
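Review bot: The first UPDATE binds `owner_uid = ?` but still interpolates `(SELECT id FROM ttrss_feeds WHERE $cat_qpart)`; the alternative to `cat_id IS NULL` is built from `$feed` above the hunk, and nothing in this method's visible lines establishes that `$feed` is numeric here (the `(int) $feed` cast in the `@@ -846,16 +833,16 @@` hunk belongs to a different method, and this one takes an `$owner_uid`, suggesting other callers). Building that fragment only from integer-cast ids, or binding them as placeholders, would keep it in step with the placeholders added here. `$date_qpart`, `$search_qpart` and `$match_part` are likewise interpolated; `$match_part` is covered by the `(int)` cast on `$intl` in this hunk, the other two are not. The enclosing method starts and ends outside the hunk.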
@@ -1336,43 +1343,47 @@ class Feeds extends Handler_Protected { INTERVAL $intl HOUR) "; } - db_query("UPDATE ttrss_user_entries + $sth = $pdo->prepare("UPDATE ttrss_user_entries SET unread = false, last_read = NOW() WHERE ref_id IN (SELECT id FROM (SELECT DISTINCT id FROM ttrss_entries, ttrss_user_entries WHERE ref_id = id - AND owner_uid = $owner_uid AND score >= 0 AND unread = true AND $date_qpart AND $match_part AND $search_qpart) as tmp)"); + AND owner_uid = ? AND score >= 0 AND unread = true AND $date_qpart AND $match_part AND $search_qpart) as tmp)"); + $sth->execute([$owner_uid]); } if ($feed == -4) { - db_query("UPDATE ttrss_user_entries + $sth = $pdo->prepare("UPDATE ttrss_user_entries SET unread = false, last_read = NOW() WHERE ref_id IN (SELECT id FROM (SELECT DISTINCT id FROM ttrss_entries, ttrss_user_entries WHERE ref_id = id - AND owner_uid = $owner_uid AND unread = true AND $date_qpart AND $search_qpart) as tmp)"); + AND owner_uid = ? AND unread = true AND $date_qpart AND $search_qpart) as tmp)"); + $sth->execute([$owner_uid]); } } else if ($feed < LABEL_BASE_INDEX) { // label $label_id = Labels::feed_to_label_id($feed); - db_query("UPDATE ttrss_user_entries + $sth = $pdo->prepare("UPDATE ttrss_user_entries SET unread = false, last_read = NOW() WHERE ref_id IN (SELECT id FROM (SELECT DISTINCT ttrss_entries.id FROM ttrss_entries, ttrss_user_entries, ttrss_user_labels2 WHERE ref_id = id - AND label_id = '$label_id' AND ref_id = article_id - AND owner_uid = $owner_uid AND unread = true AND $date_qpart AND $search_qpart) as tmp)"); + AND label_id = ? AND ref_id = article_id + AND owner_uid = ? 
AND unread = true AND $date_qpart AND $search_qpart) as tmp)"); + $sth->execute([$label_id, $owner_uid]); } CCache::update($feed, $owner_uid, $cat_view); } else { // tag - db_query("UPDATE ttrss_user_entries + $sth = $pdo->prepare("UPDATE ttrss_user_entries SET unread = false, last_read = NOW() WHERE ref_id IN (SELECT id FROM (SELECT DISTINCT ttrss_entries.id FROM ttrss_entries, ttrss_user_entries, ttrss_tags WHERE ref_id = ttrss_entries.id - AND post_int_id = int_id AND tag_name = '$feed' - AND ttrss_user_entries.owner_uid = $owner_uid AND unread = true AND $date_qpart AND $search_qpart) as tmp)"); + AND post_int_id = int_id AND tag_name = ? + AND ttrss_user_entries.owner_uid = ? AND unread = true AND $date_qpart AND $search_qpart) as tmp)"); + $sth->execute([$feed, $owner_uid]); } } @@ -1383,6 +1394,8 @@ class Feeds extends Handler_Protected { $n_feed = (int) $feed; $need_entries = false; + $pdo = Db::pdo(); + if (!$owner_uid) $owner_uid = $_SESSION["uid"]; if ($unread_only) { @@ -1391,19 +1404,23 @@ class Feeds extends Handler_Protected { $unread_qpart = "true"; } + $match_part = ""; + if ($is_cat) { return Feeds::getCategoryUnread($n_feed, $owner_uid); } else if ($n_feed == -6) { return 0; } else if ($feed != "0" && $n_feed == 0) { - $feed = db_escape_string($feed); - - $result = db_query("SELECT SUM((SELECT COUNT(int_id) + $sth = $pdo->prepare("SELECT SUM((SELECT COUNT(int_id) FROM ttrss_user_entries,ttrss_entries WHERE int_id = post_int_id AND ref_id = id AND $unread_qpart)) AS count FROM ttrss_tags - WHERE owner_uid = $owner_uid AND tag_name = '$feed'"); - return db_fetch_result($result, 0, "count"); + WHERE owner_uid = ? AND tag_name = ?"); + + $sth->execute([$owner_uid, $feed]); + $row = $sth->fetch(); + + return $row["count"]; } else if ($n_feed == -1) { $match_part = "marked = true"; 
@@ -1412,7 +1429,7 @@ class Feeds extends Handler_Protected { } else if ($n_feed == -3) { $match_part = "unread = true AND score >= 0"; - $intl = get_pref("FRESH_ARTICLE_MAX_AGE", $owner_uid); + $intl = (int) get_pref("FRESH_ARTICLE_MAX_AGE", $owner_uid); if (DB_TYPE == "pgsql") { $match_part .= " AND date_entered > NOW() - INTERVAL '$intl hour' "; @@ -1437,7 +1454,6 @@ class Feeds extends Handler_Protected { $label_id = Labels::feed_to_label_id($feed); return Feeds::getLabelUnread($label_id, $owner_uid); - } if ($match_part) { @@ -1450,25 +1466,26 @@ class Feeds extends Handler_Protected { $from_where = ""; } - $query = "SELECT count(int_id) AS unread + $sth = $pdo->prepare("SELECT count(int_id) AS unread FROM $from_qpart WHERE - $unread_qpart AND $from_where ($match_part) AND ttrss_user_entries.owner_uid = $owner_uid"; - - //echo "[$feed/$query]\n"; + $unread_qpart AND $from_where ($match_part) AND ttrss_user_entries.owner_uid = ?"); + $sth->execute([$owner_uid]); + $row = $sth->fetch(); - $result = db_query($query); + return $row["unread"]; } else { - $result = db_query("SELECT COUNT(post_int_id) AS unread + $sth = $pdo->prepare("SELECT COUNT(post_int_id) AS unread FROM ttrss_tags,ttrss_user_entries,ttrss_entries - WHERE tag_name = '$feed' AND post_int_id = int_id AND ref_id = ttrss_entries.id - AND $unread_qpart AND ttrss_tags.owner_uid = " . $owner_uid); - } + WHERE tag_name = ? AND post_int_id = int_id AND ref_id = ttrss_entries.id + AND $unread_qpart AND ttrss_tags.owner_uid = ,"); - $unread = db_fetch_result($result, 0, "unread"); + $sth->execute([$feed, $owner_uid]); + $row = $sth->fetch(); - return $unread; + return $row["unread"]; + } } /** @@ -1490,6 +1507,8 @@ class Feeds extends Handler_Protected { global $fetch_last_error; global $fetch_last_error_content; + $pdo = Db::pdo(); + $url = fix_url($url); if (!$url || !validate_feed_url($url)) return array("code" => 2); 
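Review bot: In the tag branch of `@@ -1450`, the rewritten query ends with `AND $unread_qpart AND ttrss_tags.owner_uid = ,` — a comma where the `?` placeholder belongs — while `$sth->execute([$feed, $owner_uid])` supplies two values for a statement that now has a single marker, so this path fails (syntax error or parameter-count mismatch) and `$row["unread"]` is then read from `false`. The line should read `AND $unread_qpart AND ttrss_tags.owner_uid = ?");`. If this is a rendering artefact rather than the committed text, please disregard that part, but neither branch checks the `execute()` result, so a broken statement is indistinguishable from zero unread unless `Db::pdo()` enables `PDO::ERRMODE_EXCEPTION`.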
@@ -1526,32 +1545,35 @@ class Feeds extends Handler_Protected { $cat_qpart = "'$cat_id'"; } - $result = db_query( - "SELECT id FROM ttrss_feeds - WHERE feed_url = '$url' AND owner_uid = ".$_SESSION["uid"]); + if (!(int)$cat_id) $cat_id = null; - $auth_pass = db_escape_string($auth_pass); + $sth = $pdo->prepare("SELECT id FROM ttrss_feeds + WHERE feed_url = ? AND owner_uid = ?"); + $sth->execute([$url, $_SESSION['uid']]); - if (db_num_rows($result) == 0) { - $result = db_query( + if ($row = $sth->fetch()) { + return array("code" => 0, "feed_id" => (int) $row["id"]); + } else { + $sth = $pdo->prepare( "INSERT INTO ttrss_feeds (owner_uid,feed_url,title,cat_id, auth_login,auth_pass,update_method,auth_pass_encrypted) - VALUES ('".$_SESSION["uid"]."', '$url', - '[Unknown]', $cat_qpart, '$auth_login', '$auth_pass', 0, false)"); + VALUES (?, ?, ?, ?, ?, ?, 0, false)"); - $result = db_query( - "SELECT id FROM ttrss_feeds WHERE feed_url = '$url' - AND owner_uid = " . $_SESSION["uid"]); + $sth->execute([$_SESSION['uid'], $url, "[Unknown]", $cat_id, $auth_login, $auth_pass]); - $feed_id = db_fetch_result($result, 0, "id"); + $sth = $pdo->prepare("SELECT id FROM ttrss_feeds WHERE feed_url = ? + AND owner_uid = ?"); + $sth->execute([$url, $_SESSION['uid']]); + $row = $sth->fetch(); + + $feed_id = $row["id"]; if ($feed_id) { RSSUtils::set_basic_feed_info($feed_id); } return array("code" => 1, "feed_id" => (int) $feed_id); - } else { - return array("code" => 0, "feed_id" => (int) db_fetch_result($result, 0, "id")); + } } @@ -1589,6 +1611,8 @@ class Feeds extends Handler_Protected { } static function getFeedTitle($id, $cat = false) { + $pdo = Db::pdo(); + if ($cat) { return Feeds::getCategoryTitle($id); } else if ($id == -1) { 
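Review bot: In `@@ -1526`, the subscribe path reports success even when the INSERT did not happen: the INSERT's `$sth->execute([...])` result is unchecked, the follow-up SELECT then yields `$row === false`, `$feed_id` becomes null, `set_basic_feed_info` is skipped, and the function still returns `array("code" => 1, "feed_id" => 0)`. Unless `Db::pdo()` enables `PDO::ERRMODE_EXCEPTION`, test the `execute()` result or `$row` and return a distinct error code that this function's callers recognise rather than code 1 (the visible codes 0, 1 and 2 each already mean something else). Separately, the context line `$cat_qpart = "'$cat_id'";` above is now dead, since the INSERT binds `$cat_id` directly after the new `if (!(int)$cat_id) $cat_id = null;` normalisation, and that block can go.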
@@ -1604,21 +1628,29 @@ class Feeds extends Handler_Protected { } else if ($id == -6) { return __("Recently read"); } else if ($id < LABEL_BASE_INDEX) { + $label_id = Labels::feed_to_label_id($id); - $result = db_query("SELECT caption FROM ttrss_labels2 WHERE id = '$label_id'"); - if (db_num_rows($result) == 1) { - return db_fetch_result($result, 0, "caption"); + + $sth = $pdo->prepare("SELECT caption FROM ttrss_labels2 WHERE id = ?"); + $sth->execute([$label_id]); + + if ($row = $sth->fetch()) { + return $row["caption"]; } else { return "Unknown label ($label_id)"; } } else if (is_numeric($id) && $id > 0) { - $result = db_query("SELECT title FROM ttrss_feeds WHERE id = '$id'"); - if (db_num_rows($result) == 1) { - return db_fetch_result($result, 0, "title"); + + $sth = $pdo->prepare("SELECT title FROM ttrss_feeds WHERE id = ?"); + $sth->execute([$id]); + + if ($row = $sth->fetch()) { + return $row["title"]; } else { return "Unknown feed ($id)"; } + } else { return $id; } @@ -1628,19 +1660,20 @@ class Feeds extends Handler_Protected { if (!$owner_uid) $owner_uid = $_SESSION["uid"]; + $pdo = Db::pdo(); + if ($cat >= 0) { - if ($cat != 0) { - $cat_query = "cat_id = '$cat'"; - } else { - $cat_query = "cat_id IS NULL"; - } + if (!$cat) $cat = null; + + $sth = $pdo->prepare("SELECT id FROM ttrss_feeds + WHERE (cat_id = :cat OR (:cat IS NULL AND cat_id IS NULL)) + AND owner_uid = :uid"); - $result = db_query("SELECT id FROM ttrss_feeds WHERE $cat_query - AND owner_uid = " . $owner_uid); + $sth->execute([":cat" => $cat, ":uid" => $owner_uid]); $cat_feeds = array(); - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { array_push($cat_feeds, "feed_id = " . $line["id"]); } 
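Review bot: In `@@ -1628`, the named marker `:cat` appears twice in `(cat_id = :cat OR (:cat IS NULL AND cat_id IS NULL))` but is bound once; PDO only accepts a repeated named marker when prepare emulation is on, and with native prepares pgsql additionally cannot infer a type for a bare `:cat IS NULL`, so this query fails on a native-prepare connection. The safest form keeps the two statement shapes the removed code had and chooses between them in PHP, as below.
```php
if ($cat) {
    $sth = $pdo->prepare("SELECT id FROM ttrss_feeds
        WHERE cat_id = ? AND owner_uid = ?");
    $sth->execute([$cat, $owner_uid]);
} else {
    $sth = $pdo->prepare("SELECT id FROM ttrss_feeds
        WHERE cat_id IS NULL AND owner_uid = ?");
    $sth->execute([$owner_uid]);
}
// … unchanged: $cat_feeds collection loop …
```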
@@ -1648,15 +1681,16 @@ class Feeds extends Handler_Protected { $match_part = implode(" OR ", $cat_feeds); - $result = db_query("SELECT COUNT(int_id) AS unread + $sth = $pdo->prepare("SELECT COUNT(int_id) AS unread FROM ttrss_user_entries WHERE unread = true AND ($match_part) - AND owner_uid = " . $owner_uid); + AND owner_uid = ?"); + $sth->execute([$owner_uid]); $unread = 0; # this needs to be rewritten - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { $unread += $line["unread"]; } @@ -1665,16 +1699,14 @@ class Feeds extends Handler_Protected { return getFeedUnread(-1) + getFeedUnread(-2) + getFeedUnread(-3) + getFeedUnread(0); } else if ($cat == -2) { - $result = db_query(" - SELECT COUNT(unread) AS unread FROM + $sth = $pdo->prepare("SELECT COUNT(unread) AS unread FROM ttrss_user_entries, ttrss_user_labels2 WHERE article_id = ref_id AND unread = true - AND ttrss_user_entries.owner_uid = '$owner_uid'"); - - $unread = db_fetch_result($result, 0, "unread"); - - return $unread; + AND ttrss_user_entries.owner_uid = ?"); + $sth->execute([$owner_uid]); + $row = $sth->fetch(); + return $row["unread"]; } } @@ -1682,12 +1714,15 @@ class Feeds extends Handler_Protected { static function getCategoryChildrenUnread($cat, $owner_uid = false) { if (!$owner_uid) $owner_uid = $_SESSION["uid"]; - $result = db_query("SELECT id FROM ttrss_feed_categories WHERE parent_cat = '$cat' - AND owner_uid = $owner_uid"); + $pdo = Db::pdo(); + + $sth = $pdo->prepare("SELECT id FROM ttrss_feed_categories WHERE parent_cat = ? + AND owner_uid = ?"); + $sth->execute([$cat, $owner_uid]); $unread = 0; - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { $unread += Feeds::getCategoryUnread($line["id"], $owner_uid); $unread += Feeds::getCategoryChildrenUnread($line["id"], $owner_uid); } 
@@ -1697,16 +1732,16 @@ class Feeds extends Handler_Protected { static function getGlobalUnread($user_id = false) { - if (!$user_id) { - $user_id = $_SESSION["uid"]; - } + if (!$user_id) $user_id = $_SESSION["uid"]; - $result = db_query("SELECT SUM(value) AS c_id FROM ttrss_counters_cache - WHERE owner_uid = '$user_id' AND feed_id > 0"); + $pdo = Db::pdo(); - $c_id = db_fetch_result($result, 0, "c_id"); + $sth = $pdo->prepare("SELECT SUM(value) AS c_id FROM ttrss_counters_cache + WHERE owner_uid = ? AND feed_id > 0"); + $sth->execute([$user_id]); + $row = $sth->fetch(); - return $c_id; + return $row["c_id"]; } static function getCategoryTitle($cat_id) { @@ -1717,11 +1752,14 @@ class Feeds extends Handler_Protected { return __("Labels"); } else { - $result = db_query("SELECT title FROM ttrss_feed_categories WHERE - id = '$cat_id'"); + $pdo = Db::pdo(); - if (db_num_rows($result) == 1) { - return db_fetch_result($result, 0, "title"); + $sth = $pdo->prepare("SELECT title FROM ttrss_feed_categories WHERE + id = ?"); + $sth->execute([$cat_id]); + + if ($row = $sth->fetch()) { + return $row["title"]; } else { return __("Uncategorized"); } @@ -1731,11 +1769,15 @@ class Feeds extends Handler_Protected { static function getLabelUnread($label_id, $owner_uid = false) { if (!$owner_uid) $owner_uid = $_SESSION["uid"]; - $result = db_query("SELECT COUNT(ref_id) AS unread FROM ttrss_user_entries, ttrss_user_labels2 - WHERE owner_uid = '$owner_uid' AND unread = true AND label_id = '$label_id' AND article_id = ref_id"); + $pdo = Db::pdo(); + + $sth = $pdo->prepare("SELECT COUNT(ref_id) AS unread FROM ttrss_user_entries, ttrss_user_labels2 + WHERE owner_uid = ? AND unread = true AND label_id = ? AND article_id = ref_id"); - if (db_num_rows($result) != 0) { - return db_fetch_result($result, 0, "unread"); + $sth->execute([$owner_uid, $label_id]); + + if ($row = $sth->fetch()) { + return $row["unread"]; } else { return 0; } 
@@ -1743,6 +1785,11 @@ class Feeds extends Handler_Protected { static function queryFeedHeadlines($params) { + $pdo = Db::pdo(); + + // WARNING: due to highly dynamic nature of this query its going to quote parameters + // right before adding them to SQL part + $feed = $params["feed"]; $limit = isset($params["limit"]) ? $params["limit"] : 30; $view_mode = $params["view_mode"]; @@ -1762,7 +1809,7 @@ class Feeds extends Handler_Protected { $skip_first_id_check = isset($params["skip_first_id_check"]) ? $params["skip_first_id_check"] : false; $ext_tables_part = ""; - $query_strategy_part = ""; + $limit_query_part = ""; $search_words = array(); @@ -1782,7 +1829,7 @@ class Feeds extends Handler_Protected { } if ($since_id) { - $since_id_part = "ttrss_entries.id > $since_id AND "; + $since_id_part = "ttrss_entries.id > ".$pdo->quote($since_id)." AND "; } else { $since_id_part = ""; } @@ -1822,7 +1869,7 @@ class Feeds extends Handler_Protected { } if ($limit > 0) { - $limit_query_part = "LIMIT " . $limit; + $limit_query_part = "LIMIT " . (int)$limit; } $allow_archived = false; @@ -1848,7 +1895,7 @@ class Feeds extends Handler_Protected { implode(",", $subcats).")"; } else { - $query_strategy_part = "cat_id = '$feed'"; + $query_strategy_part = "cat_id = " . $pdo->quote($feed); } } else { @@ -1858,7 +1905,7 @@ class Feeds extends Handler_Protected { $vfeed_query_part = "ttrss_feeds.title AS feed_title,"; } else { - $query_strategy_part = "feed_id = '$feed'"; + $query_strategy_part = "feed_id = " . $pdo->quote($feed); } } else if ($feed == 0 && !$cat_view) { // archive virtual feed $query_strategy_part = "feed_id IS NULL"; 
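Review bot: In `@@ -1848` and `@@ -1858`, `$pdo->quote($feed)` turns an integer id into a string literal (`cat_id = '12'`), which relies on the driver's implicit cast and, should `$feed` ever be non-numeric on these branches, degrades to a type error at query time instead of being rejected up front; for integer columns `(int)$feed` is the tighter choice and matches what this change already does for `$limit` in `@@ -1822`. `$query_strategy_part = "cat_id = " . (int)$feed;` and `$query_strategy_part = "feed_id = " . (int)$feed;` would do, if these branches are only reached for numeric feed ids (the guard is outside the hunk). The warning comment added at the top of `queryFeedHeadlines` would be more useful if it stated the rule it implies: `// WARNING: this query is assembled as text; every value spliced in below must go through $pdo->quote() or an (int) cast, never raw`.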
@@ -1913,7 +1960,7 @@ class Feeds extends Handler_Protected { } else if ($feed == -3) { // fresh virtual feed $query_strategy_part = "unread = true AND score >= 0"; - $intl = get_pref("FRESH_ARTICLE_MAX_AGE", $owner_uid); + $intl = (int) get_pref("FRESH_ARTICLE_MAX_AGE", $owner_uid); if (DB_TYPE == "pgsql") { $query_strategy_part .= " AND date_entered > NOW() - INTERVAL '$intl hour' "; @@ -1929,7 +1976,7 @@ class Feeds extends Handler_Protected { } else if ($feed <= LABEL_BASE_INDEX) { // labels $label_id = Labels::feed_to_label_id($feed); - $query_strategy_part = "label_id = '$label_id' AND + $query_strategy_part = "label_id = ".$pdo->quote($label_id)." AND ttrss_labels2.id = ttrss_user_labels2.label_id AND ttrss_user_labels2.article_id = ref_id"; @@ -1955,8 +2002,6 @@ class Feeds extends Handler_Protected { $vfeed_query_part = $override_vfeed; } - $feed_title = ""; - if ($search) { $feed_title = T_sprintf("Search results: %s", $search); } else { 
@@ -1964,24 +2009,25 @@ class Feeds extends Handler_Protected { $feed_title = Feeds::getCategoryTitle($feed); } else { if (is_numeric($feed) && $feed > 0) { - $result = db_query("SELECT title,site_url,last_error,last_updated - FROM ttrss_feeds WHERE id = '$feed' AND owner_uid = $owner_uid"); - - $feed_title = db_fetch_result($result, 0, "title"); - $feed_site_url = db_fetch_result($result, 0, "site_url"); - $last_error = db_fetch_result($result, 0, "last_error"); - $last_updated = db_fetch_result($result, 0, "last_updated"); + $ssth = $pdo->prepare("SELECT title,site_url,last_error,last_updated + FROM ttrss_feeds WHERE id = ? AND owner_uid = ?"); + $ssth->execute([$feed, $owner_uid]); + $row = $ssth->fetch(); + + $feed_title = $row["title"]; + $feed_site_url = $row["site_url"]; + $last_error = $row["last_error"]; + $last_updated = $row["last_updated"]; } else { $feed_title = Feeds::getFeedTitle($feed); } } } - $content_query_part = "content, "; if ($limit_query_part) { - $offset_query_part = "OFFSET $offset"; + $offset_query_part = "OFFSET " . (int)$offset; } else { $offset_query_part = ""; } @@ -1990,9 +2036,9 @@ class Feeds extends Handler_Protected { // proper override_order applied above if ($vfeed_query_part && !$ignore_vfeed_group && get_pref('VFEED_GROUP_BY_FEED', $owner_uid)) { if (!$override_order) { - $order_by = "ttrss_feeds.title, $order_by"; + $order_by = "ttrss_feeds.title, ".$pdo->quote($order_by); } else { - $order_by = "ttrss_feeds.title, $override_order"; + $order_by = "ttrss_feeds.title, ".$pdo->quote($override_order); } } @@ -2045,7 +2091,7 @@ class Feeds extends Handler_Protected { $from_qpart WHERE $feed_check_qpart - ttrss_user_entries.owner_uid = '$owner_uid' AND + ttrss_user_entries.owner_uid = ".$pdo->quote($owner_uid)." AND $search_query_part $start_ts_query_part $since_id_part 
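Review bot: In `@@ -1990`, `$pdo->quote($order_by)` and `$pdo->quote($override_order)` wrap an ORDER BY expression in single quotes, so the statement becomes `ORDER BY ttrss_feeds.title, 'date_entered DESC'` — a constant string that MySQL and PostgreSQL both accept and ignore — and the secondary sort is silently lost. `quote()` is for values, not identifiers or expressions; these fragments appear to be fixed strings chosen by code (cf. `$date_sort_field = "updated DESC"` in public.php), so the original lines `$order_by = "ttrss_feeds.title, $order_by";` and `$order_by = "ttrss_feeds.title, $override_order";` should be restored with a comment `// $order_by/$override_order are SQL fragments chosen from fixed strings by code, never request text`. If any caller can pass request-controlled text into `override_order`, validate it against the allowed set before this point rather than quoting it.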
@@ -2056,9 +2102,10 @@ class Feeds extends Handler_Protected { print $query; } - $result = db_query($query); - if ($result && db_num_rows($result) > 0) { - $first_id = (int)db_fetch_result($result, 0, "id"); + $res = $pdo->query($query); + + if ($row = $res->fetch()) { + $first_id = (int)$row["id"]; if ($offset > 0 && $first_id && $check_first_id && $first_id != $check_first_id) { return array(-1, $feed_title, $feed_site_url, $last_error, $last_updated, $search_words, $first_id); @@ -2091,7 +2138,7 @@ class Feeds extends Handler_Protected { $from_qpart WHERE $feed_check_qpart - ttrss_user_entries.owner_uid = '$owner_uid' AND + ttrss_user_entries.owner_uid = ".$pdo->quote($owner_uid)." AND $search_query_part $start_ts_query_part $view_query_part @@ -2101,7 +2148,7 @@ class Feeds extends Handler_Protected { if ($_REQUEST["debug"]) print $query; - $result = db_query($query); + $res = $pdo->query($query); } else { // browsing by tag @@ -2135,9 +2182,9 @@ class Feeds extends Handler_Protected { FROM ttrss_entries, ttrss_user_entries, ttrss_tags WHERE ref_id = ttrss_entries.id AND - ttrss_user_entries.owner_uid = $owner_uid AND + ttrss_user_entries.owner_uid = ".$pdo->quote($owner_uid)." AND post_int_id = int_id AND - tag_name = '$feed' AND + tag_name = ".$pdo->quote($feed)." AND $view_query_part $search_query_part $query_strategy_part ORDER BY $order_by 
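Review bot: In `@@ -2056`, `$res = $pdo->query($query)` is followed directly by `$res->fetch()`, but `PDO::query()` returns `false` on failure unless the connection uses `PDO::ERRMODE_EXCEPTION`, so a malformed assembled query now produces a fatal method call on `false` where the old `if ($result && db_num_rows($result) > 0)` degraded gracefully. Keep the guard: `if ($res && ($row = $res->fetch())) {`. The same unchecked `$pdo->query($query)` result is returned to callers at `@@ -2101` and `@@ -2145` (next line), which call `->fetch()` on it immediately.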
@@ -2145,20 +2192,23 @@ class Feeds extends Handler_Protected { if ($_REQUEST["debug"]) print $query; - $result = db_query($query); + $res = $pdo->query($query); } - return array($result, $feed_title, $feed_site_url, $last_error, $last_updated, $search_words, $first_id); + return array($res, $feed_title, $feed_site_url, $last_error, $last_updated, $search_words, $first_id); } static function getParentCategories($cat, $owner_uid) { $rv = array(); - $result = db_query("SELECT parent_cat FROM ttrss_feed_categories - WHERE id = '$cat' AND parent_cat IS NOT NULL AND owner_uid = $owner_uid"); + $pdo = Db::pdo(); - while ($line = db_fetch_assoc($result)) { + $sth = $pdo->prepare("SELECT parent_cat FROM ttrss_feed_categories + WHERE id = ? AND parent_cat IS NOT NULL AND owner_uid = ?"); + $sth->execute([$cat, $owner_uid]); + + while ($line = $sth->fetch()) { array_push($rv, $line["parent_cat"]); $rv = array_merge($rv, Feeds::getParentCategories($line["parent_cat"], $owner_uid)); } @@ -2169,10 +2219,13 @@ class Feeds extends Handler_Protected { static function getChildCategories($cat, $owner_uid) { $rv = array(); - $result = db_query("SELECT id FROM ttrss_feed_categories - WHERE parent_cat = '$cat' AND owner_uid = $owner_uid"); + $pdo = Db::pdo(); + + $sth = $pdo->prepare("SELECT id FROM ttrss_feed_categories + WHERE parent_cat = ? AND owner_uid = ?"); + $sth->execute([$cat, $owner_uid]); - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { array_push($rv, $line["id"]); $rv = array_merge($rv, Feeds::getChildCategories($line["id"], $owner_uid)); } 
@@ -2181,11 +2234,14 @@ class Feeds extends Handler_Protected { } static function getFeedCategory($feed) { - $result = db_query("SELECT cat_id FROM ttrss_feeds - WHERE id = '$feed'"); + $pdo = Db::pdo(); + + $sth = $pdo->prepare("SELECT cat_id FROM ttrss_feeds + WHERE id = ?"); + $sth->execute([$feed]); - if (db_num_rows($result) > 0) { - return db_fetch_result($result, 0, "cat_id"); + if ($row = $sth->fetch()) { + return $row["cat_id"]; } else { return false; } diff --git a/classes/handler.php b/classes/handler.php index 16c20960..483b573e 100644 --- a/classes/handler.php +++ b/classes/handler.php @@ -1,10 +1,12 @@ dbh = Db::get(); + $this->pdo = Db::pdo(); $this->args = $args; } diff --git a/classes/handler/public.php b/classes/handler/public.php index a98ea019..f36ee8b1 100644 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -36,39 +36,6 @@ class Handler_Public extends Handler { $date_sort_field = "updated DESC"; break; } - - $params = array( - "owner_uid" => $owner_uid, - "feed" => $feed, - "limit" => 1, - "view_mode" => $view_mode, - "cat_view" => $is_cat, - "search" => $search, - "override_order" => $date_sort_field, - "include_children" => true, - "ignore_vfeed_group" => true, - "offset" => $offset, - "start_ts" => $start_ts - ); - - $qfh_ret = Feeds::queryFeedHeadlines($params); - - $result = $qfh_ret[0]; - - if ($this->dbh->num_rows($result) != 0) { - - $ts = strtotime($this->dbh->fetch_result($result, 0, $date_check_field)); - - if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) && - strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) >= $ts) { - header('HTTP/1.0 304 Not Modified'); - return; - } - - $last_modified = gmdate("D, d M Y H:i:s", $ts) . " GMT"; - header("Last-Modified: $last_modified", true); - } - $params = array( "owner_uid" => $owner_uid, "feed" => $feed, 
@@ -106,7 +73,7 @@ class Handler_Public extends Handler { $tpl->setVariable('FEED_URL', htmlspecialchars($feed_self_url), true); $tpl->setVariable('SELF_URL', htmlspecialchars(get_self_url_prefix()), true); - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $result->fetch()) { $line["content_preview"] = sanitize(truncate_string(strip_tags($line["content"]), 100, '...')); @@ -194,7 +161,7 @@ class Handler_Public extends Handler { $feed['articles'] = array(); - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $result->fetch()) { $line["content_preview"] = sanitize(truncate_string(strip_tags($line["content_preview"]), 100, '...')); @@ -255,13 +222,14 @@ class Handler_Public extends Handler { } function getUnread() { - $login = $this->dbh->escape_string($_REQUEST["login"]); + $login = $_REQUEST["login"]; $fresh = $_REQUEST["fresh"] == "1"; - $result = $this->dbh->query("SELECT id FROM ttrss_users WHERE login = '$login'"); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE login = ?"); + $sth->execute([$login]); - if ($this->dbh->num_rows($result) == 1) { - $uid = $this->dbh->fetch_result($result, 0, "id"); + if ($row = $sth->fetch()) { + $uid = $row["id"]; print Feeds::getGlobalUnread($uid); 
@@ -273,20 +241,20 @@ class Handler_Public extends Handler { } else { print "-1;User not found"; } - } function getProfiles() { - $login = $this->dbh->escape_string($_REQUEST["login"]); + $login = $_REQUEST["login"]; - $result = $this->dbh->query("SELECT ttrss_settings_profiles.* FROM ttrss_settings_profiles,ttrss_users - WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = '$login' ORDER BY title"); + $sth = $this->pdo->prepare("SELECT ttrss_settings_profiles.* FROM ttrss_settings_profiles,ttrss_users + WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = ? ORDER BY title"); + $sth->execute([$login]); print ""; - /* Feed URL */ + /* Feed URL */ - $feed_url = $this->dbh->fetch_result($result, 0, "feed_url"); - $feed_url = htmlspecialchars($this->dbh->fetch_result($result, - 0, "feed_url")); + $feed_url = htmlspecialchars($row["feed_url"]); - print "


"; + print "
"; - print __('URL:') . " "; - print ""; - $last_error = $this->dbh->fetch_result($result, 0, "last_error"); + $last_error = $row["last_error"]; - if ($last_error) { - print " \"(error)\""; - } + } - /* Category */ + /* Category */ - if (get_pref('ENABLE_FEED_CATS')) { + if (get_pref('ENABLE_FEED_CATS')) { - $cat_id = $this->dbh->fetch_result($result, 0, "cat_id"); + $cat_id = $row["cat_id"]; - print "
"; + print "
"; - print __('Place in category:') . " "; + print __('Place in category:') . " "; - print_feed_cat_select("cat_id", $cat_id, - 'dojoType="dijit.form.Select"'); - } + print_feed_cat_select("cat_id", $cat_id, + 'dojoType="dijit.form.Select"'); + } - /* FTS Stemming Language */ + /* FTS Stemming Language */ - if (DB_TYPE == "pgsql") { - $feed_language = $this->dbh->fetch_result($result, 0, "feed_language"); + if (DB_TYPE == "pgsql") { + $feed_language = $row["feed_language"]; - print "
"; + print "
"; - print __('Language:') . " "; - print_select("feed_language", $feed_language, $this::$feed_languages, - 'dojoType="dijit.form.Select"'); - } + print __('Language:') . " "; + print_select("feed_language", $feed_language, $this::$feed_languages, + 'dojoType="dijit.form.Select"'); + } - print "
"; + print ""; - print "
".__("Update")."
"; - print "
"; + print "
".__("Update")."
"; + print "
"; - /* Update Interval */ + /* Update Interval */ - $update_interval = $this->dbh->fetch_result($result, 0, "update_interval"); + $update_interval = $row["update_interval"]; - print_select_hash("update_interval", $update_interval, $update_intervals, - 'dojoType="dijit.form.Select"'); + print_select_hash("update_interval", $update_interval, $update_intervals, + 'dojoType="dijit.form.Select"'); - /* Purge intl */ + /* Purge intl */ - $purge_interval = $this->dbh->fetch_result($result, 0, "purge_interval"); + $purge_interval = $row["purge_interval"]; - print "
"; - print __('Article purging:') . " "; + print "
"; + print __('Article purging:') . " "; - print_select_hash("purge_interval", $purge_interval, $purge_intervals, - 'dojoType="dijit.form.Select" ' . + print_select_hash("purge_interval", $purge_interval, $purge_intervals, + 'dojoType="dijit.form.Select" ' . ((FORCE_ARTICLE_PURGE == 0) ? "" : 'disabled="1"')); - print "
"; + print "
"; - $auth_login = htmlspecialchars($this->dbh->fetch_result($result, 0, "auth_login")); - $auth_pass = $this->dbh->fetch_result($result, 0, "auth_pass"); + $auth_login = htmlspecialchars($row["auth_login"]); + $auth_pass = $row["auth_pass"]; - if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) { - require_once "crypt.php"; - $auth_pass = decrypt_string($auth_pass); - } + if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) { + require_once "crypt.php"; + $auth_pass = decrypt_string($auth_pass); + } - $auth_pass = htmlspecialchars($auth_pass); - $auth_enabled = $auth_login !== '' || $auth_pass !== ''; + $auth_pass = htmlspecialchars($auth_pass); + $auth_enabled = $auth_login !== '' || $auth_pass !== ''; - $auth_style = $auth_enabled ? '' : 'display: none'; - print "
"; - print "
".__("Authentication")."
"; - print "
"; + $auth_style = $auth_enabled ? '' : 'display: none'; + print "
"; + print "
".__("Authentication")."
"; + print "
"; - print "
"; - print ""; - print "
+ print "
".__('Hint: you need to fill in your login information if your feed requires authentication, except for Twitter feeds.')."
"; - print "
"; + print "
"; - $auth_checked = $auth_enabled ? 'checked' : ''; - print "
+ $auth_checked = $auth_enabled ? 'checked' : ''; + print "
"; + __('This feed requires authentication.')."
"; - print '
'; + print '
'; - //print "
".__("Options")."
"; - print "
"; + //print "
".__("Options")."
"; + print "
"; - $private = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "private")); + $private = sql_bool_to_bool($row["private"]); - if ($private) { - $checked = "checked=\"1\""; - } else { - $checked = ""; - } + if ($private) { + $checked = "checked=\"1\""; + } else { + $checked = ""; + } - print " "; - $include_in_digest = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "include_in_digest")); + $include_in_digest = sql_bool_to_bool($row["include_in_digest"]); - if ($include_in_digest) { - $checked = "checked=\"1\""; - } else { - $checked = ""; - } + if ($include_in_digest) { + $checked = "checked=\"1\""; + } else { + $checked = ""; + } - print "
 "; - $always_display_enclosures = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "always_display_enclosures")); + $always_display_enclosures = sql_bool_to_bool($row["always_display_enclosures"]); - if ($always_display_enclosures) { - $checked = "checked"; - } else { - $checked = ""; - } + if ($always_display_enclosures) { + $checked = "checked"; + } else { + $checked = ""; + } - print "
 "; - $hide_images = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "hide_images")); + $hide_images = sql_bool_to_bool($row["hide_images"]); - if ($hide_images) { - $checked = "checked=\"1\""; - } else { - $checked = ""; - } + if ($hide_images) { + $checked = "checked=\"1\""; + } else { + $checked = ""; + } - print "
 "; + __('Do not embed images').""; - $cache_images = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "cache_images")); + $cache_images = sql_bool_to_bool($row["cache_images"]); - if ($cache_images) { - $checked = "checked=\"1\""; - } else { - $checked = ""; - } + if ($cache_images) { + $checked = "checked=\"1\""; + } else { + $checked = ""; + } - print "
 "; + __('Cache media').""; - $mark_unread_on_update = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "mark_unread_on_update")); + $mark_unread_on_update = sql_bool_to_bool($row["mark_unread_on_update"]); - if ($mark_unread_on_update) { - $checked = "checked"; - } else { - $checked = ""; - } + if ($mark_unread_on_update) { + $checked = "checked"; + } else { + $checked = ""; + } - print "
 "; - print "
"; + print "
"; - print '
'; + print '
'; - /* Icon */ + /* Icon */ - print "
"; + print "
"; - print ""; - print "
@@ -778,38 +742,36 @@ class Pref_Feeds extends Handler_Protected { type=\"submit\">".__('Remove')."
"; - print "
"; + print "
"; - print '
'; + print '
'; - PluginHost::getInstance()->run_hooks(PluginHost::HOOK_PREFS_EDIT_FEED, - "hook_prefs_edit_feed", $feed_id); + PluginHost::getInstance()->run_hooks(PluginHost::HOOK_PREFS_EDIT_FEED, + "hook_prefs_edit_feed", $feed_id); - print "
"; + print ""; - $title = htmlspecialchars($title, ENT_QUOTES); + $title = htmlspecialchars($title, ENT_QUOTES); - print "
+ print "
"; - print "
"; - - print " - -
"; + print "
"; - - return; + print " + + "; + } } function editfeeds() { global $purge_intervals; global $update_intervals; - $feed_ids = $this->dbh->escape_string($_REQUEST["ids"]); + $feed_ids = $_REQUEST["ids"]; print_notice("Enable the options you wish to apply using checkboxes on the right:"); 
@@ -958,44 +920,29 @@ class Pref_Feeds extends Handler_Protected { function editsaveops($batch) { - $feed_title = $this->dbh->escape_string(trim($_POST["title"])); - $feed_link = $this->dbh->escape_string(trim($_POST["feed_url"])); - $upd_intl = (int) $this->dbh->escape_string($_POST["update_interval"]); - $purge_intl = (int) $this->dbh->escape_string($_POST["purge_interval"]); - $feed_id = (int) $this->dbh->escape_string($_POST["id"]); /* editSave */ - $feed_ids = $this->dbh->escape_string($_POST["ids"]); /* batchEditSave */ - $cat_id = (int) $this->dbh->escape_string($_POST["cat_id"]); - $auth_login = $this->dbh->escape_string(trim($_POST["auth_login"])); + $feed_title = trim($_POST["title"]); + $feed_url = trim($_POST["feed_url"]); + $upd_intl = (int) $_POST["update_interval"]; + $purge_intl = (int) $_POST["purge_interval"]; + $feed_id = (int) $_POST["id"]; /* editSave */ + $feed_ids = explode(",", $_POST["ids"]); /* batchEditSave */ + $cat_id = (int) $_POST["cat_id"]; + $auth_login = trim($_POST["auth_login"]); $auth_pass = trim($_POST["auth_pass"]); - $private = checkbox_to_sql_bool($this->dbh->escape_string($_POST["private"])); + $private = checkbox_to_sql_bool($_POST["private"]); $include_in_digest = checkbox_to_sql_bool( - $this->dbh->escape_string($_POST["include_in_digest"])); + $_POST["include_in_digest"]); $cache_images = checkbox_to_sql_bool( - $this->dbh->escape_string($_POST["cache_images"])); + $_POST["cache_images"]); $hide_images = checkbox_to_sql_bool( - $this->dbh->escape_string($_POST["hide_images"])); + $_POST["hide_images"]); $always_display_enclosures = checkbox_to_sql_bool( - $this->dbh->escape_string($_POST["always_display_enclosures"])); + $_POST["always_display_enclosures"]); $mark_unread_on_update = checkbox_to_sql_bool( - $this->dbh->escape_string($_POST["mark_unread_on_update"])); + $_POST["mark_unread_on_update"]); - $feed_language = $this->dbh->escape_string(trim($_POST["feed_language"])); - - $auth_pass = 
$this->dbh->escape_string($auth_pass); - - if (get_pref('ENABLE_FEED_CATS')) { - if ($cat_id && $cat_id != 0) { - $category_qpart = "cat_id = '$cat_id',"; - $category_qpart_nocomma = "cat_id = '$cat_id'"; - } else { - $category_qpart = 'cat_id = NULL,'; - $category_qpart_nocomma = 'cat_id = NULL'; - } - } else { - $category_qpart = ""; - $category_qpart_nocomma = ""; - } + $feed_language = trim($_POST["feed_language"]); if (!$batch) { if ($_POST["need_auth"] !== 'on') { 
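Review bot: `$feed_ids = explode(",", $_POST["ids"]);` leaves each element as a raw string while the neighbouring `$feed_id = (int) $_POST["id"];` is cast; the ids are later bound as parameters so this is not an injection issue, but `array_map('intval', explode(",", $_POST["ids"]))` keeps the batch path as strictly typed as the single path and turns malformed ids into 0 instead of a driver-dependent string comparison. editsaveops() continues outside this hunk.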
@@ -1003,27 +950,47 @@ class Pref_Feeds extends Handler_Protected { $auth_pass = ''; } - $result = db_query("SELECT feed_url FROM ttrss_feeds WHERE id = " . $feed_id); - $orig_feed_url = db_fetch_result($result, 0, "feed_url"); - - $reset_basic_info = $orig_feed_url != $feed_link; - - $this->dbh->query("UPDATE ttrss_feeds SET - $category_qpart - title = '$feed_title', feed_url = '$feed_link', - update_interval = '$upd_intl', - purge_interval = '$purge_intl', - auth_login = '$auth_login', - auth_pass = '$auth_pass', + $sth = $this->pdo->prepare("SELECT feed_url FROM ttrss_feeds WHERE id = ?"); + $sth->execute([$feed_id]); + $row = $sth->fetch(); + $orig_feed_url = $row["feed_url"]; + + $reset_basic_info = $orig_feed_url != $feed_url; + + $sth = $this->pdo->prepare("UPDATE ttrss_feeds SET + cat_id = :cat_id, + title = :title, + feed_url = :feed_url, + update_interval = :upd_intl, + purge_interval = :purge_intl, + auth_login = :auth_login, + auth_pass = :auth_pass, auth_pass_encrypted = false, - private = $private, - cache_images = $cache_images, - hide_images = $hide_images, - include_in_digest = $include_in_digest, - always_display_enclosures = $always_display_enclosures, - mark_unread_on_update = $mark_unread_on_update, - feed_language = '$feed_language' - WHERE id = '$feed_id' AND owner_uid = " . $_SESSION["uid"]); + private = :private, + cache_images = :cache_images, + hide_images = :hide_images, + include_in_digest = :include_in_digest, + always_display_enclosures = :always_display_enclosures, + mark_unread_on_update = :mark_unread_on_update, + feed_language = :feed_language + WHERE id = :id AND owner_uid = :uid"); + + $sth->execute([":title" => $feed_title, + ":cat_id" => $cat_id ? 
$cat_id : null, + ":feed_url" => $feed_url, + ":upd_intl" => $upd_intl, + ":purge_intl" => $purge_intl, + ":auth_login" => $auth_login, + ":auth_pass" => $auth_pass, + ":private" => (int)$private, + ":cache_images" => (int)$cache_images, + ":hide_images" => (int)$hide_images, + ":include_in_digest" => (int)$include_in_digest, + ":always_display_enclosures" => (int)$always_display_enclosures, + ":mark_unread_on_update" => (int)$mark_unread_on_update, + ":feed_language" => $feed_language, + ":id" => $feed_id, + ":uid" => $_SESSION['uid']]); if ($reset_basic_info) { RSSUtils::set_basic_feed_info($feed_id); @@ -1041,7 +1008,9 @@ class Pref_Feeds extends Handler_Protected { } } - $this->dbh->query("BEGIN"); + $this->pdo->beginTransaction(); + + $feed_ids_qmarks = arr_qmarks($feed_ids); foreach (array_keys($feed_data) as $k) { 
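Review bot: The new `SELECT feed_url FROM ttrss_feeds WHERE id = ?` still has no owner_uid condition, and `$row = $sth->fetch()` is indexed without checking for a missing row. The UPDATE below is scoped by `owner_uid = :uid`, but `$reset_basic_info` and the later `RSSUtils::set_basic_feed_info($feed_id)` are driven by this unscoped lookup, so a feed id owned by another user would still trigger that refresh (inferred from the visible control flow; the call sits after this hunk). Suggest `WHERE id = ? AND owner_uid = ?` with `$sth->execute([$feed_id, $_SESSION['uid']]);` and an early return when `fetch()` yields false. The function continues beyond this hunk.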
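Review bot: `$this->pdo->beginTransaction()` here has no matching `rollBack()`: the only exit is `$this->pdo->commit()` after the loop, so if an UPDATE throws (assuming the connection is in exception error mode, which is not visible here) the transaction stays open on the connection for the rest of the request. Wrapping the loop as `try { … $this->pdo->commit(); } catch (PDOException $e) { $this->pdo->rollBack(); throw $e; }` keeps the batch atomic and the connection clean. The same begin/commit-only pattern appears in the remove_feed() and batchAddFeeds() hunks further down; batchAddFeeds() opens a new transaction per iteration, so a failure in one iteration would also make the next `beginTransaction()` fail. editsaveops() continues outside this hunk.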
@@ -1049,79 +1018,87 @@ class Pref_Feeds extends Handler_Protected { switch ($k) { case "title": - $qpart = "title = '$feed_title'"; + $qpart = "title = " . $this->pdo->quote($feed_title); break; case "feed_url": - $qpart = "feed_url = '$feed_link'"; + $qpart = "feed_url = " . $this->pdo->quote($feed_url); break; case "update_interval": - $qpart = "update_interval = '$upd_intl'"; + $qpart = "update_interval = " . $this->pdo->quote($upd_intl); break; case "purge_interval": - $qpart = "purge_interval = '$purge_intl'"; + $qpart = "purge_interval =" . $this->pdo->quote($purge_intl); break; case "auth_login": - $qpart = "auth_login = '$auth_login'"; + $qpart = "auth_login = " . $this->pdo->quote($auth_login); break; case "auth_pass": - $qpart = "auth_pass = '$auth_pass', auth_pass_encrypted = false"; + $qpart = "auth_pass =" . $this->pdo->quote($auth_pass). ", auth_pass_encrypted = false"; break; case "private": - $qpart = "private = $private"; + $qpart = "private = " . $this->pdo->quote($private); break; case "include_in_digest": - $qpart = "include_in_digest = $include_in_digest"; + $qpart = "include_in_digest = " . $this->pdo->quote($include_in_digest); break; case "always_display_enclosures": - $qpart = "always_display_enclosures = $always_display_enclosures"; + $qpart = "always_display_enclosures = " . $this->pdo->quote($always_display_enclosures); break; case "mark_unread_on_update": - $qpart = "mark_unread_on_update = $mark_unread_on_update"; + $qpart = "mark_unread_on_update = " . $this->pdo->quote($mark_unread_on_update); break; case "cache_images": - $qpart = "cache_images = $cache_images"; + $qpart = "cache_images = " . $this->pdo->quote($cache_images); break; case "hide_images": - $qpart = "hide_images = $hide_images"; + $qpart = "hide_images = " . $this->pdo->quote($hide_images); break; case "cat_id": - $qpart = $category_qpart_nocomma; + if (get_pref('ENABLE_FEED_CATS')) { + if ($cat_id) { + $qpart = "cat_id = " . 
$this->pdo->quote($cat_id); + } else { + $qpart = 'cat_id = NULL'; + } + } else { + $qpart = ""; + } + break; case "feed_language": - $qpart = "feed_language = '$feed_language'"; + $qpart = "feed_language = " . $this->pdo->quote($feed_language); break; } if ($qpart) { - $this->dbh->query( - "UPDATE ttrss_feeds SET $qpart WHERE id IN ($feed_ids) - AND owner_uid = " . $_SESSION["uid"]); - print "
"; + $sth = $this->pdo->prepare("UPDATE ttrss_feeds SET $qpart WHERE id IN ($feed_ids_qmarks) + AND owner_uid = ?"); + $sth->execute(array_merge($feed_ids, [$_SESSION['uid']])); } } - $this->dbh->query("COMMIT"); + $this->pdo->commit(); } return; } function remove() { - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); + $ids = explode(",", $_REQUEST["ids"]); foreach ($ids as $id) { Pref_Feeds::remove_feed($id, $_SESSION["uid"]); 
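Review bot: The batch branch converts the boolean flags with `$this->pdo->quote($private)` (likewise cache_images, hide_images, include_in_digest, always_display_enclosures and mark_unread_on_update), while the single-feed branch above binds `(int)$private`; what lands in the column depends on what `checkbox_to_sql_bool()` returns on this branch, and the two paths should use the same conversion. Using `$this->pdo->quote((int)$private)`, or better a `?` placeholder whose value is appended to the execute() array next to `$feed_ids`, makes both paths identical and keeps user-derived values out of the SQL text entirely. Minor style: `"purge_interval ="` and `"auth_pass ="` lack the space the other fragments have. editsaveops() continues outside this hunk.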
@@ -1130,150 +1107,15 @@ class Pref_Feeds extends Handler_Protected { return; } - function clear() { - $id = $this->dbh->escape_string($_REQUEST["id"]); - $this->clear_feed_articles($id); - } - - function rescore() { - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); - - foreach ($ids as $id) { - - $filters = load_filters($id, $_SESSION["uid"], 6); - - $result = $this->dbh->query("SELECT - title, content, link, ref_id, author,". - SUBSTRING_FOR_DATE."(updated, 1, 19) AS updated - FROM - ttrss_user_entries, ttrss_entries - WHERE ref_id = id AND feed_id = '$id' AND - owner_uid = " .$_SESSION['uid']." - "); - - $scores = array(); - - while ($line = $this->dbh->fetch_assoc($result)) { - - $tags = Article::get_article_tags($line["ref_id"]); - - $article_filters = RSSUtils::get_article_filters($filters, $line['title'], - $line['content'], $line['link'], strtotime($line['updated']), - $line['author'], $tags); - - $new_score = RSSUtils::calculate_article_score($article_filters); - - if (!$scores[$new_score]) $scores[$new_score] = array(); - - array_push($scores[$new_score], $line['ref_id']); - } - - foreach (array_keys($scores) as $s) { - if ($s > 1000) { - $this->dbh->query("UPDATE ttrss_user_entries SET score = '$s', - marked = true WHERE - ref_id IN (" . join(',', $scores[$s]) . ")"); - } else if ($s < -500) { - $this->dbh->query("UPDATE ttrss_user_entries SET score = '$s', - unread = false WHERE - ref_id IN (" . join(',', $scores[$s]) . ")"); - } else { - $this->dbh->query("UPDATE ttrss_user_entries SET score = '$s' WHERE - ref_id IN (" . join(',', $scores[$s]) . ")"); - } - } - } - - print __("All done."); - - } - - function rescoreAll() { - - $result = $this->dbh->query( - "SELECT id FROM ttrss_feeds WHERE owner_uid = " . 
$_SESSION['uid']); - - while ($feed_line = $this->dbh->fetch_assoc($result)) { - - $id = $feed_line["id"]; - - $filters = load_filters($id, $_SESSION["uid"], 6); - - $tmp_result = $this->dbh->query("SELECT - title, content, link, ref_id, author,". - SUBSTRING_FOR_DATE."(updated, 1, 19) AS updated - FROM - ttrss_user_entries, ttrss_entries - WHERE ref_id = id AND feed_id = '$id' AND - owner_uid = " .$_SESSION['uid']." - "); - - $scores = array(); - - while ($line = $this->dbh->fetch_assoc($tmp_result)) { - - $tags = Article::get_article_tags($line["ref_id"]); - - $article_filters = RSSUtils::get_article_filters($filters, $line['title'], - $line['content'], $line['link'], strtotime($line['updated']), - $line['author'], $tags); - - $new_score = RSSUtils::calculate_article_score($article_filters); - - if (!$scores[$new_score]) $scores[$new_score] = array(); - - array_push($scores[$new_score], $line['ref_id']); - } - - foreach (array_keys($scores) as $s) { - if ($s > 1000) { - $this->dbh->query("UPDATE ttrss_user_entries SET score = '$s', - marked = true WHERE - ref_id IN (" . join(',', $scores[$s]) . ")"); - } else { - $this->dbh->query("UPDATE ttrss_user_entries SET score = '$s' WHERE - ref_id IN (" . join(',', $scores[$s]) . ")"); - } - } - } - - print __("All done."); - - } - - function categorize() { - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); - - $cat_id = $this->dbh->escape_string($_REQUEST["cat_id"]); - - if ($cat_id == 0) { - $cat_id_qpart = 'NULL'; - } else { - $cat_id_qpart = "'$cat_id'"; - } - - $this->dbh->query("BEGIN"); - - foreach ($ids as $id) { - - $this->dbh->query("UPDATE ttrss_feeds SET cat_id = $cat_id_qpart - WHERE id = '$id' - AND owner_uid = " . 
$_SESSION["uid"]); - - } - - $this->dbh->query("COMMIT"); - } - function removeCat() { - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); + $ids = explode(",", $_REQUEST["ids"]); foreach ($ids as $id) { $this->remove_feed_category($id, $_SESSION["uid"]); } } function addCat() { - $feed_cat = $this->dbh->escape_string(trim($_REQUEST["cat"])); + $feed_cat = trim($_REQUEST["cat"]); add_feed_category($feed_cat); } @@ -1283,10 +1125,15 @@ class Pref_Feeds extends Handler_Protected { print "
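Review bot: `add_feed_category($feed_cat)` now receives the raw, unescaped `$_REQUEST["cat"]`; that function is defined outside this file, so please confirm it has been moved to bound parameters the way `remove_feed_category()` has been below, otherwise dropping `escape_string()` here reintroduces interpolation of user input into SQL. The `$id` values passed to `$this->remove_feed_category($id, $_SESSION["uid"])` are covered by the conversion visible further down in this commit.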
"; print "
"; - $result = $this->dbh->query("SELECT COUNT(id) AS num_errors - FROM ttrss_feeds WHERE last_error != '' AND owner_uid = ".$_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT COUNT(id) AS num_errors + FROM ttrss_feeds WHERE last_error != '' AND owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); - $num_errors = $this->dbh->fetch_result($result, 0, "num_errors"); + if ($row = $sth->fetch()) { + $num_errors = $row["num_errors"]; + } else { + $num_errors = 0; + } if ($num_errors > 0) { @@ -1301,7 +1148,7 @@ class Pref_Feeds extends Handler_Protected { onclick=\"showInactiveFeeds()\">" . __("Inactive feeds") . ""; - $feed_search = $this->dbh->escape_string($_REQUEST["search"]); + $feed_search = $_REQUEST["search"]; if (array_key_exists("search", $_REQUEST)) { $_SESSION["prefs_feed_search"] = $feed_search; @@ -1568,17 +1415,18 @@ class Pref_Feeds extends Handler_Protected { $interval_qpart = "DATE_SUB(NOW(), INTERVAL 3 MONTH)"; } - $result = $this->dbh->query("SELECT ttrss_feeds.title, ttrss_feeds.site_url, + $sth = $this->pdo->prepare("SELECT ttrss_feeds.title, ttrss_feeds.site_url, ttrss_feeds.feed_url, ttrss_feeds.id, MAX(updated) AS last_article FROM ttrss_feeds, ttrss_entries, ttrss_user_entries WHERE (SELECT MAX(updated) FROM ttrss_entries, ttrss_user_entries WHERE ttrss_entries.id = ref_id AND ttrss_user_entries.feed_id = ttrss_feeds.id) < $interval_qpart - AND ttrss_feeds.owner_uid = ".$_SESSION["uid"]." AND + AND ttrss_feeds.owner_uid = ? AND ttrss_user_entries.feed_id = ttrss_feeds.id AND ttrss_entries.id = ref_id GROUP BY ttrss_feeds.title, ttrss_feeds.id, ttrss_feeds.site_url, ttrss_feeds.feed_url ORDER BY last_article"); + $sth->execute([$_SESSION['uid']]); print ""; @@ -1599,7 +1447,7 @@ class Pref_Feeds extends Handler_Protected { $lnum = 1; - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $sth->fetch()) { $feed_id = $line["id"]; $this_row_id = "id=\"FUPDD-$feed_id\""; 
@@ -1643,8 +1491,9 @@ class Pref_Feeds extends Handler_Protected { } function feedsWithErrors() { - $result = $this->dbh->query("SELECT id,title,feed_url,last_error,site_url - FROM ttrss_feeds WHERE last_error != '' AND owner_uid = ".$_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT id,title,feed_url,last_error,site_url + FROM ttrss_feeds WHERE last_error != '' AND owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); print "
"; print "
". @@ -1663,7 +1512,7 @@ class Pref_Feeds extends Handler_Protected { $lnum = 1; - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $sth->fetch()) { $feed_id = $line["id"]; $this_row_id = "id=\"FERDD-$feed_id\""; @@ -1707,84 +1556,74 @@ class Pref_Feeds extends Handler_Protected { print "
"; } - /** - * Purge a feed contents, marked articles excepted. - * - * @param mixed $link The database connection. - * @param integer $id The id of the feed to purge. - * @return void - */ - private function clear_feed_articles($id) { - - if ($id != 0) { - $result = $this->dbh->query("DELETE FROM ttrss_user_entries - WHERE feed_id = '$id' AND marked = false AND owner_uid = " . $_SESSION["uid"]); - } else { - $result = $this->dbh->query("DELETE FROM ttrss_user_entries - WHERE feed_id IS NULL AND marked = false AND owner_uid = " . $_SESSION["uid"]); - } - - $result = $this->dbh->query("DELETE FROM ttrss_entries WHERE - (SELECT COUNT(int_id) FROM ttrss_user_entries WHERE ref_id = id) = 0"); - - CCache::update($id, $_SESSION['uid']); - } // function clear_feed_articles - private function remove_feed_category($id, $owner_uid) { - $this->dbh->query("DELETE FROM ttrss_feed_categories - WHERE id = '$id' AND owner_uid = $owner_uid"); + $sth = $this->pdo->prepare("DELETE FROM ttrss_feed_categories + WHERE id = ? AND owner_uid = ?"); + $sth->execute([$id, $owner_uid]); CCache::remove($id, $owner_uid, true); } static function remove_feed($id, $owner_uid) { + $pdo = Db::pdo(); + if ($id > 0) { + $pdo->beginTransaction(); /* save starred articles in Archived feed */ - db_query("BEGIN"); - /* prepare feed if necessary */ - $result = db_query("SELECT feed_url FROM ttrss_feeds WHERE id = $id - AND owner_uid = $owner_uid"); + $sth = $pdo->prepare("SELECT feed_url FROM ttrss_feeds WHERE id = ? + AND owner_uid = ?"); + $sth->execute([$id, $owner_uid]); - $feed_url = db_escape_string(db_fetch_result($result, 0, "feed_url")); + if ($row = $sth->fetch()) { + $feed_url = $row["feed_url"]; - $result = db_query("SELECT id FROM ttrss_archived_feeds - WHERE feed_url = '$feed_url' AND owner_uid = $owner_uid"); + $sth = $pdo->prepare("SELECT id FROM ttrss_archived_feeds + WHERE feed_url = ? 
AND owner_uid = ?"); + $sth->execute([$feed_url, $owner_uid]); - if (db_num_rows($result) == 0) { - $result = db_query("SELECT MAX(id) AS id FROM ttrss_archived_feeds"); - $new_feed_id = (int)db_fetch_result($result, 0, "id") + 1; + if ($row = $sth->fetch()) { + $archive_id = $row["id"]; + } else { + $res = $pdo->query("SELECT MAX(id) AS id FROM ttrss_archived_feeds"); + $row = $res->fetch(); - db_query("INSERT INTO ttrss_archived_feeds - (id, owner_uid, title, feed_url, site_url) - SELECT $new_feed_id, owner_uid, title, feed_url, site_url from ttrss_feeds - WHERE id = '$id'"); + $new_feed_id = (int)$row['id'] + 1; - $archive_id = $new_feed_id; - } else { - $archive_id = db_fetch_result($result, 0, "id"); - } + $sth = $pdo->prepare("INSERT INTO ttrss_archived_feeds + (id, owner_uid, title, feed_url, site_url) + SELECT ?, owner_uid, title, feed_url, site_url from ttrss_feeds + WHERE id = ?"); + $sth->execute([$new_feed_id, $id]); + + $archive_id = $new_feed_id; + } + + $sth = $pdo->prepare("UPDATE ttrss_user_entries SET feed_id = NULL, + orig_feed_id = ? WHERE feed_id = ? AND + marked = true AND owner_uid = ?"); - db_query("UPDATE ttrss_user_entries SET feed_id = NULL, - orig_feed_id = '$archive_id' WHERE feed_id = '$id' AND - marked = true AND owner_uid = $owner_uid"); + $sth->execute([$archive_id, $id, $owner_uid]); - /* Remove access key for the feed */ + /* Remove access key for the feed */ - db_query("DELETE FROM ttrss_access_keys WHERE - feed_id = '$id' AND owner_uid = $owner_uid"); + $sth = $pdo->prepare("DELETE FROM ttrss_access_keys WHERE + feed_id = ? AND owner_uid = ?"); + $sth->execute([$id, $owner_uid]); - /* remove the feed */ + /* remove the feed */ - db_query("DELETE FROM ttrss_feeds - WHERE id = '$id' AND owner_uid = $owner_uid"); + $sth = $pdo->prepare("DELETE FROM ttrss_feeds + WHERE id = ? AND owner_uid = ?"); + $sth->execute([$id, $owner_uid]); + } - db_query("COMMIT"); + $pdo->commit(); if (file_exists(ICONS_DIR . 
"/$id.ico")) { unlink(ICONS_DIR . "/$id.ico"); @@ -1848,39 +1687,31 @@ class Pref_Feeds extends Handler_Protected { } function batchAddFeeds() { - $cat_id = $this->dbh->escape_string($_REQUEST['cat']); + $cat_id = $_REQUEST['cat']; $feeds = explode("\n", $_REQUEST['feeds']); - $login = $this->dbh->escape_string($_REQUEST['login']); + $login = $_REQUEST['login']; $pass = trim($_REQUEST['pass']); foreach ($feeds as $feed) { - $feed = $this->dbh->escape_string(trim($feed)); + $feed = trim($feed); if (validate_feed_url($feed)) { - $this->dbh->query("BEGIN"); - - if ($cat_id == "0" || !$cat_id) { - $cat_qpart = "NULL"; - } else { - $cat_qpart = "'$cat_id'"; - } + $this->pdo->beginTransaction(); - $result = $this->dbh->query( - "SELECT id FROM ttrss_feeds - WHERE feed_url = '$feed' AND owner_uid = ".$_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds + WHERE feed_url = ? AND owner_uid = ?"); + $sth->execute([$feed, $_SESSION['uid']]); - $pass = $this->dbh->escape_string($pass); - - if ($this->dbh->num_rows($result) == 0) { - $result = $this->dbh->query( - "INSERT INTO ttrss_feeds + if (!$sth->fetch()) { + $sth = $this->pdo->prepare("INSERT INTO ttrss_feeds (owner_uid,feed_url,title,cat_id,auth_login,auth_pass,update_method,auth_pass_encrypted) - VALUES ('".$_SESSION["uid"]."', '$feed', - '[Unknown]', $cat_qpart, '$login', '$pass', 0, false)"); + VALUES (?, ?, '[Unknown]', ?, ?, ?, 0, false)"); + + $sth->execute([$_SESSION['uid'], $feed, $cat_id ? $cat_id : null, $login, $pass]); } - $this->dbh->query("COMMIT"); + $this->pdo->commit(); } } } @@ -1895,8 +1726,8 @@ class Pref_Feeds extends Handler_Protected { } function regenFeedKey() { - $feed_id = $this->dbh->escape_string($_REQUEST['id']); - $is_cat = $this->dbh->escape_string($_REQUEST['is_cat']) == "true"; + $feed_id = $_REQUEST['id']; + $is_cat = $_REQUEST['is_cat'] == "true"; $new_key = $this->update_feed_access_key($feed_id, $is_cat); 
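Review bot: `unlink(ICONS_DIR . "/$id.ico")` still builds a filesystem path from `$id` without it ever being forced to an integer; `$id > 0` is a loose comparison that does not guarantee an integer, and the removed `escape_string()` never constrained it either. Since the DELETE statements now bind `$id` as a parameter, casting once at the top, `$id = (int) $id;`, gives the path the same guarantee and makes the `if ($id > 0)` test unambiguous. The ownership check `if ($row = $sth->fetch())` correctly gates the SQL work, but the icon removal sits outside it and runs for any id. remove_feed() continues past the hunk.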
@@ -1907,30 +1738,19 @@ class Pref_Feeds extends Handler_Protected { private function update_feed_access_key($feed_id, $is_cat, $owner_uid = false) { if (!$owner_uid) $owner_uid = $_SESSION["uid"]; - $sql_is_cat = bool_to_sql_bool($is_cat); - - $result = $this->dbh->query("SELECT access_key FROM ttrss_access_keys - WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat - AND owner_uid = " . $owner_uid); + // clear old value and generate new one + $sth = $this->pdo->prepare("DELETE FROM ttrss_access_keys + WHERE feed_id = ? AND is_cat = ? AND owner_uid = ?"); + $sth->execute([$feed_id, $is_cat, $owner_uid]); - if ($this->dbh->num_rows($result) == 1) { - $key = $this->dbh->escape_string(uniqid_short()); - - $this->dbh->query("UPDATE ttrss_access_keys SET access_key = '$key' - WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat - AND owner_uid = " . $owner_uid); - - return $key; - - } else { - return get_feed_access_key($feed_id, $is_cat, $owner_uid); - } + return get_feed_access_key($feed_id, $is_cat, $owner_uid); } // Silent function clearKeys() { - $this->dbh->query("DELETE FROM ttrss_access_keys WHERE - owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("DELETE FROM ttrss_access_keys WHERE + owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); } private function calculate_children_count($cat) { 
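Review bot: `$sth->execute([$feed_id, $is_cat, $owner_uid])` binds the PHP boolean `$is_cat` directly; with emulated prepares PDO sends `false` as an empty string, which Postgres rejects for a boolean column and MySQL may treat as 0, so the DELETE can fail or miss the old key. The removed code used `bool_to_sql_bool($is_cat)`; bind `(int)$is_cat` or use `bindValue(2, $is_cat, PDO::PARAM_BOOL)` instead. The regeneration now relies on `get_feed_access_key()` creating a fresh key when none exists and on it using a cryptographically secure generator (the old path used `uniqid_short()`); neither is visible here, so please confirm both.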
@@ -1954,13 +1774,16 @@ class Pref_Feeds extends Handler_Protected { $interval_qpart = "DATE_SUB(NOW(), INTERVAL 3 MONTH)"; } - $result = $this->dbh->query("SELECT COUNT(*) AS num_inactive FROM ttrss_feeds WHERE + $sth = $this->pdo->prepare("SELECT COUNT(id) AS num_inactive FROM ttrss_feeds WHERE (SELECT MAX(updated) FROM ttrss_entries, ttrss_user_entries WHERE ttrss_entries.id = ref_id AND ttrss_user_entries.feed_id = ttrss_feeds.id) < $interval_qpart AND - ttrss_feeds.owner_uid = ".$_SESSION["uid"]); + ttrss_feeds.owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); - print (int) $this->dbh->fetch_result($result, 0, "num_inactive"); + if ($row = $sth->fetch()) { + print (int)$row["num_inactive"]; + } } static function subscribe_to_feed_url() { diff --git a/classes/pref/filters.php b/classes/pref/filters.php index 6ea233cb..f24d0a01 100755 --- a/classes/pref/filters.php +++ b/classes/pref/filters.php @@ -9,8 +9,9 @@ class Pref_Filters extends Handler_Protected { } function filtersortreset() { - $this->dbh->query("UPDATE ttrss_filters2 - SET order_id = 0 WHERE owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_filters2 + SET order_id = 0 WHERE owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); return; } @@ -26,15 +27,16 @@ class Pref_Filters extends Handler_Protected { $index = 0; if (is_array($data) && is_array($data['items'])) { + + $sth = $this->pdo->prepare("UPDATE ttrss_filters2 SET + order_id = ? WHERE id = ? AND + owner_uid = ?"); + foreach ($data['items'][0]['items'] as $item) { $filter_id = (int) str_replace("FILTER:", "", $item['_reference']); if ($filter_id > 0) { - - $this->dbh->query("UPDATE ttrss_filters2 SET - order_id = $index WHERE id = '$filter_id' AND - owner_uid = " .$_SESSION["uid"]); - + $sth->execute([$index, $filter_id, $_SESSION['uid']]); ++$index; } } 
@@ -44,24 +46,24 @@ class Pref_Filters extends Handler_Protected { } function testFilterDo() { - $offset = (int) db_escape_string($_REQUEST["offset"]); - $limit = (int) db_escape_string($_REQUEST["limit"]); + $offset = (int) $_REQUEST["offset"]; + $limit = (int) $_REQUEST["limit"]; $filter = array(); $filter["enabled"] = true; $filter["match_any_rule"] = sql_bool_to_bool( - checkbox_to_sql_bool($this->dbh->escape_string($_REQUEST["match_any_rule"]))); + checkbox_to_sql_bool($_REQUEST["match_any_rule"])); $filter["inverse"] = sql_bool_to_bool( - checkbox_to_sql_bool($this->dbh->escape_string($_REQUEST["inverse"]))); + checkbox_to_sql_bool($_REQUEST["inverse"])); $filter["rules"] = array(); $filter["actions"] = array("dummy-action"); - $result = $this->dbh->query("SELECT id,name FROM ttrss_filter_types"); + $res = $this->pdo->query("SELECT id,name FROM ttrss_filter_types"); $filter_types = array(); - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $res->fetch()) { $filter_types[$line["id"]] = $line["name"]; } @@ -80,9 +82,9 @@ class Pref_Filters extends Handler_Protected { if (strpos($feed_id, "CAT:") === 0) { $cat_id = (int) substr($feed_id, 4); - array_push($scope_inner_qparts, "cat_id = " . $cat_id); + array_push($scope_inner_qparts, "cat_id = " . $this->pdo->quote($cat_id)); } else if ($feed_id > 0) { - array_push($scope_inner_qparts, "feed_id = " . $feed_id); + array_push($scope_inner_qparts, "feed_id = " . $this->pdo->quote($feed_id)); } } 
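Review bot: In testFilterDo(), `$cat_id` is cast to int before `quote()`, but `$feed_id` is quoted as-is after only a loose `$feed_id > 0` test, so a non-integer value can reach the `feed_id = '...'` fragment of `$scope_qpart` and cause a type error on Postgres. Cast it the same way: `array_push($scope_inner_qparts, "feed_id = " . $this->pdo->quote((int) $feed_id));`. Since both fragments are integers, a `?` placeholder with the value collected for the later `execute()` would avoid `quote()` here altogether. The function continues outside this hunk.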
@@ -109,74 +111,76 @@ class Pref_Filters extends Handler_Protected { //while ($found < $limit && $offset < $limit * 1000 && time() - $started < ini_get("max_execution_time") * 0.7) { - $result = db_query("SELECT ttrss_entries.id, - ttrss_entries.title, - ttrss_feeds.id AS feed_id, - ttrss_feeds.title AS feed_title, - ttrss_feed_categories.id AS cat_id, - content, - date_entered, - link, - author, - tag_cache - FROM - ttrss_entries, ttrss_user_entries - LEFT JOIN ttrss_feeds ON (feed_id = ttrss_feeds.id) - LEFT JOIN ttrss_feed_categories ON (ttrss_feeds.cat_id = ttrss_feed_categories.id) - WHERE - ref_id = ttrss_entries.id AND - ($scope_qpart) AND - ttrss_user_entries.owner_uid = " . $_SESSION["uid"] . " - ORDER BY date_entered DESC LIMIT $limit OFFSET $offset"); - - while ($line = db_fetch_assoc($result)) { - - $rc = RSSUtils::get_article_filters(array($filter), $line['title'], $line['content'], $line['link'], - $line['author'], explode(",", $line['tag_cache'])); - - if (count($rc) > 0) { - - $line["content_preview"] = truncate_string(strip_tags($line["content"]), 200, '…'); - - foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_QUERY_HEADLINES) as $p) { - $line = $p->hook_query_headlines($line, 100); - } + $sth = $this->pdo->prepare("SELECT ttrss_entries.id, + ttrss_entries.title, + ttrss_feeds.id AS feed_id, + ttrss_feeds.title AS feed_title, + ttrss_feed_categories.id AS cat_id, + content, + date_entered, + link, + author, + tag_cache + FROM + ttrss_entries, ttrss_user_entries + LEFT JOIN ttrss_feeds ON (feed_id = ttrss_feeds.id) + LEFT JOIN ttrss_feed_categories ON (ttrss_feeds.cat_id = ttrss_feed_categories.id) + WHERE + ref_id = ttrss_entries.id AND + ($scope_qpart) AND + ttrss_user_entries.owner_uid = ? 
+ ORDER BY date_entered DESC LIMIT $limit OFFSET $offset"); - $content_preview = $line["content_preview"]; + $sth->execute([$_SESSION['uid']]); - $tmp = ""; + while ($line = $sth->fetch()) { - #$tmp .= ""; + $rc = RSSUtils::get_article_filters(array($filter), $line['title'], $line['content'], $line['link'], + $line['author'], explode(",", $line['tag_cache'])); - $id = $line['id']; - $tmp .= ""; + if (count($rc) > 0) { - /*foreach ($filter['rules'] as $rule) { - $reg_exp = str_replace('/', '\/', $rule["reg_exp"]); + $line["content_preview"] = truncate_string(strip_tags($line["content"]), 200, '…'); - $line["title"] = preg_replace("/($reg_exp)/i", - "$1", $line["title"]); + foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_QUERY_HEADLINES) as $p) { + $line = $p->hook_query_headlines($line, 100); + } - $content_preview = preg_replace("/($reg_exp)/i", - "$1", $content_preview); - }*/ + $content_preview = $line["content_preview"]; - $tmp .= "" . $line["title"] . "
"; - $tmp .= $line['feed_title'] . ", " . mb_substr($line["date_entered"], 0, 16); - $tmp .= "
" . $content_preview . "
"; - $tmp .= ""; + $tmp = ""; - array_push($rv, $tmp); + #$tmp .= ""; - /*array_push($rv, array("title" => $line["title"], - "content" => $content_preview, - "date" => $line["date_entered"], - "feed" => $line["feed_title"])); */ + $id = $line['id']; + $tmp .= ""; + + /*foreach ($filter['rules'] as $rule) { + $reg_exp = str_replace('/', '\/', $rule["reg_exp"]); + + $line["title"] = preg_replace("/($reg_exp)/i", + "$1", $line["title"]); + + $content_preview = preg_replace("/($reg_exp)/i", + "$1", $content_preview); + }*/ + + $tmp .= "" . $line["title"] . "
"; + $tmp .= $line['feed_title'] . ", " . mb_substr($line["date_entered"], 0, 16); + $tmp .= "
" . $content_preview . "
"; + $tmp .= ""; + + array_push($rv, $tmp); + + /*array_push($rv, array("title" => $line["title"], + "content" => $content_preview, + "date" => $line["date_entered"], + "feed" => $line["feed_title"])); */ - } } + } //$offset += $limit; //} @@ -209,7 +213,7 @@ class Pref_Filters extends Handler_Protected { } private function getfilterrules_concise($filter_id) { - $result = $this->dbh->query("SELECT reg_exp, + $sth = $this->pdo->prepare("SELECT reg_exp, inverse, match_on, feed_id, @@ -219,12 +223,13 @@ class Pref_Filters extends Handler_Protected { FROM ttrss_filters2_rules, ttrss_filter_types WHERE - filter_id = '$filter_id' AND filter_type = ttrss_filter_types.id + filter_id = ? AND filter_type = ttrss_filter_types.id ORDER BY reg_exp"); + $sth->execute([$filter_id]); $rv = ""; - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $sth->fetch()) { if ($line["match_on"]) { $feeds = json_decode($line["match_on"], true); @@ -275,7 +280,7 @@ class Pref_Filters extends Handler_Protected { $filter_search = $_SESSION["prefs_filter_search"]; - $result = $this->dbh->query("SELECT *, + $sth = $this->pdo->prepare("SELECT *, (SELECT action_param FROM ttrss_filters2_actions WHERE filter_id = ttrss_filters2.id ORDER BY id LIMIT 1) AS action_param, (SELECT action_id FROM ttrss_filters2_actions 
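Review bot: `RSSUtils::get_article_filters(array($filter), $line['title'], $line['content'], $line['link'], $line['author'], explode(",", $line['tag_cache']))` passes author fifth and tags sixth, whereas the `rescore()` code removed from pref/feeds.php in this same commit passed `strtotime($line['updated'])` fifth, before author and tags; one of the two call sites is likely misaligned with the signature, which is not in view, so please verify. Separately, `$line["title"]` and `$line['feed_title']` are concatenated into the HTML of `$tmp` with no `htmlspecialchars()` in sight; unless a HOOK_QUERY_HEADLINES plugin escapes them, which nothing here guarantees, wrap them as `htmlspecialchars($line["title"])` and `htmlspecialchars($line['feed_title'])`. `$limit` and `$offset` remain interpolated into the SQL, which is acceptable only because of the `(int)` casts above; a comment such as `// $limit/$offset are (int)-cast above; keep them that way` next to the query would protect that invariant. The enclosing function continues outside this hunk.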
@@ -286,22 +291,23 @@ class Pref_Filters extends Handler_Protected { (SELECT reg_exp FROM ttrss_filters2_rules WHERE filter_id = ttrss_filters2.id ORDER BY id LIMIT 1) AS reg_exp FROM ttrss_filters2 WHERE - owner_uid = ".$_SESSION["uid"]." ORDER BY order_id, title"); - + owner_uid = ? ORDER BY order_id, title"); + $sth->execute([$_SESSION['uid']]); $folder = array(); $folder['items'] = array(); - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $sth->fetch()) { $name = $this->getFilterName($line["id"]); $match_ok = false; if ($filter_search) { - $rules_result = $this->dbh->query( - "SELECT reg_exp FROM ttrss_filters2_rules WHERE filter_id = ".$line["id"]); + $rules_sth = $this->pdo->prepare("SELECT reg_exp + FROM ttrss_filters2_rules WHERE filter_id = ?"); + $rules_sth->execute([$line['id']]); - while ($rule_line = $this->dbh->fetch_assoc($rules_result)) { + while ($rule_line = $rules_sth->fetch()) { if (mb_strpos($rule_line['reg_exp'], $filter_search) !== false) { $match_ok = true; break; @@ -310,13 +316,14 @@ class Pref_Filters extends Handler_Protected { } if ($line['action_id'] == 7) { - $label_result = $this->dbh->query("SELECT fg_color, bg_color - FROM ttrss_labels2 WHERE caption = '".$this->dbh->escape_string($line['action_param'])."' AND - owner_uid = " . $_SESSION["uid"]); + $label_sth = $this->pdo->prepare("SELECT fg_color, bg_color + FROM ttrss_labels2 WHERE caption = ? AND + owner_uid = ?"); + $label_sth->execute([$line['action_param'], $_SESSION['uid']]); - if ($this->dbh->num_rows($label_result) > 0) { - $fg_color = $this->dbh->fetch_result($label_result, 0, "fg_color"); - $bg_color = $this->dbh->fetch_result($label_result, 0, "bg_color"); + if ($label_row = $label_sth->fetch()) { + $fg_color = $label_row["fg_color"]; + $bg_color = $label_row["bg_color"]; $name[1] = "α" . $name[1]; } 
@@ -336,10 +343,6 @@ class Pref_Filters extends Handler_Protected { } } - /* if (count($folder['items']) > 0) { - array_push($root['items'], $folder); - } */ - $root['items'] = $folder['items']; $fl = array(); @@ -353,175 +356,182 @@ class Pref_Filters extends Handler_Protected { function edit() { - $filter_id = $this->dbh->escape_string($_REQUEST["id"]); + $filter_id = $_REQUEST["id"]; - $result = $this->dbh->query( - "SELECT * FROM ttrss_filters2 WHERE id = '$filter_id' AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT * FROM ttrss_filters2 + WHERE id = ? AND owner_uid = ?"); + $sth->execute([$filter_id, $_SESSION['uid']]); - $enabled = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "enabled")); - $match_any_rule = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "match_any_rule")); - $inverse = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "inverse")); - $title = htmlspecialchars($this->dbh->fetch_result($result, 0, "title")); + if ($row = $sth->fetch()) { - print "
"; + $enabled = sql_bool_to_bool($row["enabled"]); + $match_any_rule = sql_bool_to_bool($row["match_any_rule"]); + $inverse = sql_bool_to_bool($row["inverse"]); + $title = htmlspecialchars($row["title"]); - print_hidden("op", "pref-filters"); - print_hidden("id", "$filter_id"); - print_hidden("method", "editSave"); - print_hidden("csrf_token", $_SESSION['csrf_token']); + print ""; - print "
".__("Caption")."
"; + print_hidden("op", "pref-filters"); + print_hidden("id", "$filter_id"); + print_hidden("method", "editSave"); + print_hidden("csrf_token", $_SESSION['csrf_token']); - print ""; + print "
".__("Caption")."
"; - print "
"; + print ""; - print "
".__("Match")."
"; + print "
"; - print "
"; + print "
".__("Match")."
"; - print "
". + print "
"; + + print "
". "" . __('Select').""; - print "
"; - print "
"; + print "
".__('All')."
"; - print "
".__('None')."
"; - print "
"; + print "
"; - print " "; + print " "; - print " "; + print " "; - print "
"; + print "
"; - print "
    "; + print "
      "; - $rules_result = $this->dbh->query("SELECT * FROM ttrss_filters2_rules - WHERE filter_id = '$filter_id' ORDER BY reg_exp, id"); + $rules_sth = $this->pdo->prepare("SELECT * FROM ttrss_filters2_rules + WHERE filter_id = ? ORDER BY reg_exp, id"); + $rules_sth->execute([$filter_id]); - while ($line = $this->dbh->fetch_assoc($rules_result)) { - if ($line["match_on"]) { - $line["feed_id"] = json_decode($line["match_on"], true); - } else { - if (sql_bool_to_bool($line["cat_filter"])) { - $feed_id = "CAT:" . (int)$line["cat_id"]; - } else { - $feed_id = (int)$line["feed_id"]; - } + while ($line = $rules_sth->fetch()) { + if ($line["match_on"]) { + $line["feed_id"] = json_decode($line["match_on"], true); + } else { + if (sql_bool_to_bool($line["cat_filter"])) { + $feed_id = "CAT:" . (int)$line["cat_id"]; + } else { + $feed_id = (int)$line["feed_id"]; + } - $line["feed_id"] = ["" . $feed_id]; // set item type to string for in_array() - } + $line["feed_id"] = ["" . $feed_id]; // set item type to string for in_array() + } - unset($line["cat_filter"]); - unset($line["cat_id"]); - unset($line["filter_id"]); - unset($line["id"]); - if (!sql_bool_to_bool($line["inverse"])) unset($line["inverse"]); - unset($line["match_on"]); + unset($line["cat_filter"]); + unset($line["cat_id"]); + unset($line["filter_id"]); + unset($line["id"]); + if (!sql_bool_to_bool($line["inverse"])) unset($line["inverse"]); + unset($line["match_on"]); - $data = htmlspecialchars(json_encode($line)); + $data = htmlspecialchars(json_encode($line)); - print "
    • ". - "".$this->getRuleName($line)."". - "
    • "; - } + print "
    • ". + "".$this->getRuleName($line)."". + "
    • "; + } - print "
    "; + print "
"; - print "
"; + print ""; - print "
".__("Apply actions")."
"; + print "
".__("Apply actions")."
"; - print "
"; + print "
"; - print "
". + print "
". "" . __('Select').""; - print "
"; - print "
"; + print "
".__('All')."
"; - print "
".__('None')."
"; - print "
"; + print "
"; - print " "; + print " "; - print " "; + print " "; - print "
"; + print "
"; - print ""; - print ""; + print ""; - if ($enabled) { - $checked = "checked=\"1\""; - } else { - $checked = ""; - } + if ($enabled) { + $checked = "checked=\"1\""; + } else { + $checked = ""; + } - print " + print " "; - if ($match_any_rule) { - $checked = "checked=\"1\""; - } else { - $checked = ""; - } + if ($match_any_rule) { + $checked = "checked=\"1\""; + } else { + $checked = ""; + } - print "
+ print "
"; - if ($inverse) { - $checked = "checked=\"1\""; - } else { - $checked = ""; - } + if ($inverse) { + $checked = "checked=\"1\""; + } else { + $checked = ""; + } - print "
+ print "
"; - print "

"; + print "

"; - print "

"; + print "
"; - print "
"; - print ""; - print "
"; + print "
"; + print ""; + print "
"; - print " "; + print " "; - print " "; + print " "; - print ""; + print ""; - print "
"; + print "
"; + + } } private function getRuleName($rule) { @@ -547,9 +557,15 @@ class Pref_Filters extends Handler_Protected { $feed = implode(", ", $feeds_fmt); - $result = $this->dbh->query("SELECT description FROM ttrss_filter_types - WHERE id = ".(int)$rule["filter_type"]); - $filter_type = $this->dbh->fetch_result($result, 0, "description"); + $sth = $this->pdo->prepare("SELECT description FROM ttrss_filter_types + WHERE id = ?"); + $sth->execute([(int)$rule["filter_type"]]); + + if ($row = $sth->fetch()) { + $filter_type = $row["description"]; + } else { + $filter_type = "?UNKNOWN?"; + } $inverse = isset($rule["inverse"]) ? "inverse" : ""; 
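Review bot: `$filter_id` is taken straight from `$_REQUEST["id"]` and, now that escape_string() is gone, reaches both `print_hidden("id", "$filter_id")` and the rules query as a raw string. Whether print_hidden() HTML-escapes its value is not visible here; on MySQL a value like `5abc` typically still satisfies `id = ?` through numeric coercion, so a non-numeric suffix would be reflected into the form, while on PostgreSQL the same input makes the prepared statement fail. Casting once at the top, `$filter_id = (int) $_REQUEST["id"];`, closes both and matches the `(int)` handling used for ids elsewhere in this diff. Wrapping the whole form in `if ($row = $sth->fetch())` is a good fix for the old unconditional fetch_result calls; a one-line comment there saying a missing or foreign id intentionally renders nothing would help the next reader. edit() starts and ends inside this hunk.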
@@ -563,25 +579,31 @@ class Pref_Filters extends Handler_Protected { } private function getActionName($action) { - $result = $this->dbh->query("SELECT description FROM - ttrss_filter_actions WHERE id = " .(int)$action["action_id"]); + $sth = $this->pdo->prepare("SELECT description FROM + ttrss_filter_actions WHERE id = ?"); + $sth->execute([(int)$action["action_id"]]); + + $title = ""; - $title = __($this->dbh->fetch_result($result, 0, "description")); + if ($row = $sth->fetch()) { - if ($action["action_id"] == 4 || $action["action_id"] == 6 || - $action["action_id"] == 7) + $title = __($row["description"]); + + if ($action["action_id"] == 4 || $action["action_id"] == 6 || + $action["action_id"] == 7) $title .= ": " . $action["action_param"]; - if ($action["action_id"] == 9) { - list ($pfclass, $pfaction) = explode(":", $action["action_param"]); + if ($action["action_id"] == 9) { + list ($pfclass, $pfaction) = explode(":", $action["action_param"]); - $filter_actions = PluginHost::getInstance()->get_filter_actions(); + $filter_actions = PluginHost::getInstance()->get_filter_actions(); - foreach ($filter_actions as $fclass => $factions) { - foreach ($factions as $faction) { - if ($pfaction == $faction["action"] && $pfclass == $fclass) { - $title .= ": " . $fclass . ": " . $faction["description"]; - break; + foreach ($filter_actions as $fclass => $factions) { + foreach ($factions as $faction) { + if ($pfaction == $faction["action"] && $pfclass == $fclass) { + $title .= ": " . $fclass . ": " . $faction["description"]; + break; + } } } } 
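Review bot: The `$title` built here appends `$action["action_param"]` (and a plugin-supplied description) without HTML escaping; action_param is stored from request input by saveRulesAndActions, and edit() in the preceding hunk prints the sibling getRuleName() result straight into markup, so if getActionName()'s result is printed the same way by its callers — not visible here — a label caption or parameter containing markup lands in the page unescaped. Either escape at every print site or return an escaped string: `$title .= ": " . htmlspecialchars($action["action_param"]);` and likewise for the plugin `$fclass`/`$faction["description"]` branch. The `$title = ""` fallback for an unknown action id is a sensible addition; a short comment noting that an unknown id yields an empty name would make that intent explicit.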
@@ -599,39 +621,49 @@ class Pref_Filters extends Handler_Protected { return $this->testFilter(); } -# print_r($_REQUEST); + $filter_id = $_REQUEST["id"]; + $enabled = checkbox_to_sql_bool($_REQUEST["enabled"]); + $match_any_rule = checkbox_to_sql_bool($_REQUEST["match_any_rule"]); + $inverse = checkbox_to_sql_bool($_REQUEST["inverse"]); + $title = $_REQUEST["title"]; + + $this->pdo->beginTransaction(); - $filter_id = $this->dbh->escape_string($_REQUEST["id"]); - $enabled = checkbox_to_sql_bool($this->dbh->escape_string($_REQUEST["enabled"])); - $match_any_rule = checkbox_to_sql_bool($this->dbh->escape_string($_REQUEST["match_any_rule"])); - $inverse = checkbox_to_sql_bool($this->dbh->escape_string($_REQUEST["inverse"])); - $title = $this->dbh->escape_string($_REQUEST["title"]); + $sth = $this->pdo->prepare("UPDATE ttrss_filters2 SET enabled = ?, + match_any_rule = ?, + inverse = ?, + title = ? + WHERE id = ? AND owner_uid = ?"); - $this->dbh->query("UPDATE ttrss_filters2 SET enabled = $enabled, - match_any_rule = $match_any_rule, - inverse = $inverse, - title = '$title' - WHERE id = '$filter_id' - AND owner_uid = ". $_SESSION["uid"]); + $sth->execute([$enabled, $match_any_rule, $inverse, $title, $filter_id, $_SESSION['uid']]); $this->saveRulesAndActions($filter_id); + $this->pdo->commit(); } function remove() { - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); + $ids = explode(",", $_REQUEST["ids"]); + $ids_qmarks = arr_qmarks($ids); - foreach ($ids as $id) { - $this->dbh->query("DELETE FROM ttrss_filters2 WHERE id = '$id' AND owner_uid = ". 
$_SESSION["uid"]); - } + $sth = $this->pdo->prepare("DELETE FROM ttrss_filters2 WHERE id IN ($ids_qmarks) + AND owner_uid = ?"); + $sth->execute(array_merge($ids, [$_SESSION['uid']])); } - private function saveRulesAndActions($filter_id) { + private function saveRulesAndActions($filter_id) + { + + $sth = $this->pdo->prepare("DELETE FROM ttrss_filters2_rules WHERE filter_id = ?"); + $sth->execute([$filter_id]); - $this->dbh->query("DELETE FROM ttrss_filters2_rules WHERE filter_id = '$filter_id'"); - $this->dbh->query("DELETE FROM ttrss_filters2_actions WHERE filter_id = '$filter_id'"); + $sth = $this->pdo->prepare("DELETE FROM ttrss_filters2_actions WHERE filter_id = ?"); + $sth->execute([$filter_id]); + if (!is_array($_REQUEST["rule"])) $_REQUEST["rule"] = []; + if (!is_array($_REQUEST["action"])) $_REQUEST["action"] = []; + if ($filter_id) { /* create rules */ 
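Review bot: editSave() scopes its UPDATE by `owner_uid` but then calls `saveRulesAndActions($filter_id)` unconditionally, and that method deletes from `ttrss_filters2_rules` and `ttrss_filters2_actions` by `filter_id` alone before inserting the submitted rules, so a request carrying another user's filter id updates nothing yet still replaces that user's rules and actions (saveRulesAndActions's body continues past this hunk). This gap is inherited from the escape_string version and the commit does not close it. Checking ownership before touching anything is the simplest fix; `rowCount()` of the UPDATE is not a reliable substitute because MySQL reports changed rather than matched rows by default. remove() would also be more robust with `$ids = array_map('intval', explode(",", $_REQUEST["ids"]));`, since a non-numeric element makes the `IN (...)` statement fail on PostgreSQL. editSave() begins before this hunk.
```php
$filter_id = (int) $_REQUEST["id"];
// … unchanged: checkbox/title extraction …

// Refuse to touch the rules/actions of a filter the current user does not own.
$chk = $this->pdo->prepare("SELECT id FROM ttrss_filters2 WHERE id = ? AND owner_uid = ?");
$chk->execute([$filter_id, $_SESSION['uid']]);
if (!$chk->fetch()) return;

$this->pdo->beginTransaction();
// … unchanged: UPDATE ttrss_filters2 …, saveRulesAndActions(), commit …
```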
@@ -656,63 +688,46 @@ class Pref_Filters extends Handler_Protected { } } + $rsth = $this->pdo->prepare("INSERT INTO ttrss_filters2_rules + (filter_id, reg_exp,filter_type,feed_id,cat_id,match_on,inverse) VALUES + (?, ?, ?, NULL, NULL, ?, ?)"); + foreach ($rules as $rule) { if ($rule) { - $reg_exp = $this->dbh->escape_string(trim($rule["reg_exp"]), false); - $inverse = isset($rule["inverse"]) ? "true" : "false"; + $reg_exp = trim($rule["reg_exp"]); + $inverse = isset($rule["inverse"]) ? 1 : 0; - $filter_type = (int) $this->dbh->escape_string(trim($rule["filter_type"])); - $match_on = $this->dbh->escape_string(json_encode($rule["feed_id"])); + $filter_type = (int)trim($rule["filter_type"]); + $match_on = json_encode($rule["feed_id"]); - /*if (strpos($feed_id, "CAT:") === 0) { - - $cat_filter = bool_to_sql_bool(true); - $cat_id = (int) substr($feed_id, 4); - $feed_id = "NULL"; - - if (!$cat_id) $cat_id = "NULL"; // Uncategorized - } else { - $cat_filter = bool_to_sql_bool(false); - $feed_id = (int) $feed_id; - $cat_id = "NULL"; - - if (!$feed_id) $feed_id = "NULL"; // Uncategorized - }*/ - - $query = "INSERT INTO ttrss_filters2_rules - (filter_id, reg_exp,filter_type,feed_id,cat_id,match_on,inverse) VALUES - ('$filter_id', '$reg_exp', '$filter_type', NULL, NULL, '$match_on', $inverse)"; - - $this->dbh->query($query); + $rsth->execute([$filter_id, $reg_exp, $filter_type, $match_on, $inverse]); } } + $asth = $this->pdo->prepare("INSERT INTO ttrss_filters2_actions + (filter_id, action_id, action_param) VALUES + (?, ?, ?)"); + foreach ($actions as $action) { if ($action) { - $action_id = (int) $this->dbh->escape_string($action["action_id"]); - $action_param = $this->dbh->escape_string($action["action_param"]); - $action_param_label = $this->dbh->escape_string($action["action_param_label"]); + $action_id = (int)$action["action_id"]; + $action_param = $action["action_param"]; + $action_param_label = $action["action_param_label"]; if ($action_id == 7) { $action_param = 
$action_param_label; } if ($action_id == 6) { - $action_param = (int) str_replace("+", "", $action_param); + $action_param = (int)str_replace("+", "", $action_param); } - $query = "INSERT INTO ttrss_filters2_actions - (filter_id, action_id, action_param) VALUES - ('$filter_id', '$action_id', '$action_param')"; - - $this->dbh->query($query); + $asth->execute([$filter_id, $action_id, $action_param]); } } } - - } function add() { 
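Review bot: Each `$rule` and `$action` entry is used as an array (`$rule["reg_exp"]`, `$action["action_id"]`) after only a truthiness test; the earlier part of this method only guarantees that `$_REQUEST["rule"]`/`["action"]` themselves are arrays, not their elements, and how `$rules`/`$actions` are assembled lies outside this hunk, so a scalar element would produce warnings or, on PHP 8, a TypeError in `trim()`. Adding `if (!is_array($rule)) continue;` and the same for `$action` at the top of each loop is cheap. `$reg_exp` is stored as-is and is presumably compiled later by the filter matcher (not visible here); skipping a pattern for which `@preg_match("/$reg_exp/", "") === false` before the INSERT would keep an invalid pattern from breaking article processing — worth confirming against the matching code. Preparing `$rsth`/`$asth` once outside the loops is the right shape. The enclosing method starts before this hunk.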
@@ -720,40 +735,42 @@ class Pref_Filters extends Handler_Protected { return $this->testFilter(); } -# print_r($_REQUEST); - $enabled = checkbox_to_sql_bool($_REQUEST["enabled"]); $match_any_rule = checkbox_to_sql_bool($_REQUEST["match_any_rule"]); - $title = $this->dbh->escape_string($_REQUEST["title"]); + $title = $_REQUEST["title"]; $inverse = checkbox_to_sql_bool($_REQUEST["inverse"]); - $this->dbh->query("BEGIN"); + $this->pdo->beginTransaction(); /* create base filter */ - $result = $this->dbh->query("INSERT INTO ttrss_filters2 + $sth = $this->pdo->prepare("INSERT INTO ttrss_filters2 (owner_uid, match_any_rule, enabled, title, inverse) VALUES - (".$_SESSION["uid"].",$match_any_rule,$enabled, '$title', $inverse)"); + (?, ?, ?, ?, ?)"); - $result = $this->dbh->query("SELECT MAX(id) AS id FROM ttrss_filters2 - WHERE owner_uid = ".$_SESSION["uid"]); + $sth->execute([$_SESSION['uid'], $match_any_rule, $enabled, $title, $inverse]); - $filter_id = $this->dbh->fetch_result($result, 0, "id"); + $sth = $this->pdo->prepare("SELECT MAX(id) AS id FROM ttrss_filters2 + WHERE owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); - $this->saveRulesAndActions($filter_id); + if ($row = $sth->fetch()) { + $filter_id = $row['id']; + $this->saveRulesAndActions($filter_id); + } - $this->dbh->query("COMMIT"); + $this->pdo->commit(); } function index() { - $sort = $this->dbh->escape_string($_REQUEST["sort"]); + $sort = $_REQUEST["sort"]; if (!$sort || $sort == "undefined") { $sort = "reg_exp"; } - $filter_search = $this->dbh->escape_string($_REQUEST["search"]); + $filter_search = $_REQUEST["search"]; if (array_key_exists("search", $_REQUEST)) { $_SESSION["prefs_filter_search"] = $filter_search; @@ -765,7 +782,7 @@ class Pref_Filters extends Handler_Protected { print "
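Review bot: add() recovers the new filter's id with `SELECT MAX(id) … WHERE owner_uid = ?` after the INSERT, so two concurrent add() requests from the same user can attach this request's rules to the other request's filter, and on MySQL's default isolation a row committed between the two statements can be the one returned. `$filter_id = $this->pdo->lastInsertId();` (with the sequence name on PostgreSQL) returns the id of the row this connection just inserted and is the idiomatic PDO replacement, provided it is called right after the INSERT. When the fetch fails the code still commits a filter with no rules and no error; rolling back or reporting in that branch would be clearer. add() begins before this hunk and index() continues past it.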
"; print "
"; - $filter_search = $this->dbh->escape_string($_REQUEST["search"]); + $filter_search = $_REQUEST["search"]; if (array_key_exists("search", $_REQUEST)) { $_SESSION["prefs_filter_search"] = $filter_search; @@ -805,11 +822,6 @@ class Pref_Filters extends Handler_Protected { print " "; - if (defined('_ENABLE_FEED_DEBUGGING')) { - print " "; - } - print "
"; # toolbar print "
"; # toolbar-frame print "
"; @@ -960,21 +972,14 @@ class Pref_Filters extends Handler_Protected { $inverse_checked = ""; } - /*if (strpos($feed_id, "CAT:") === 0) { - $feed_id = substr($feed_id, 4); - $cat_filter = true; - } else { - $cat_filter = false; - }*/ - print ""; - $result = $this->dbh->query("SELECT id,description + $res = $this->pdo->query("SELECT id,description FROM ttrss_filter_types WHERE id != 5 ORDER BY description"); $filter_types = array(); - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $res->fetch()) { $filter_types[$line["id"]] = __($line["description"]); } @@ -1030,7 +1035,7 @@ class Pref_Filters extends Handler_Protected { $action = json_decode($_REQUEST["action"], true); if ($action) { - $action_param = $this->dbh->escape_string($action["action_param"]); + $action_param = $action["action_param"]; $action_id = (int)$action["action_id"]; } else { $action_param = ""; @@ -1046,10 +1051,10 @@ class Pref_Filters extends Handler_Protected { print ""; - print "
"; - print "
" . __("Colors") . "
"; - print "
"; + print "
"; + print "
" . __("Colors") . "
"; + print "
"; - print ""; + print "
"; - print ""; + print ""; - print "
".__("Foreground:")."".__("Background:"). - "
".__("Foreground:")."".__("Background:"). + "
"; + print "
"; - print ""; - print ""; - print "
+ print "
-
"; - print "
"; + "; + print ""; - print "
"; + print ""; - print "
+ print "
-
"; - print "
"; + "; + print ""; - print "
"; - print "
"; + print ""; + print ""; # print ""; - print "
"; - print ""; - print ""; - print "
"; - - return; + print "
"; + print ""; + print ""; + print "
"; + } } function getlabeltree() { @@ -90,12 +90,13 @@ class Pref_Labels extends Handler_Protected { $root['name'] = __('Labels'); $root['items'] = array(); - $result = $this->dbh->query("SELECT * + $sth = $this->pdo->prepare("SELECT * FROM ttrss_labels2 - WHERE owner_uid = ".$_SESSION["uid"]." + WHERE owner_uid = ? ORDER BY caption"); + $sth->execute([$_SESSION['uid']]); - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $sth->fetch()) { $label = array(); $label['id'] = 'LABEL:' . $line['id']; $label['bare_id'] = $line['id']; 
@@ -118,84 +119,92 @@ class Pref_Labels extends Handler_Protected { } function colorset() { - $kind = $this->dbh->escape_string($_REQUEST["kind"]); - $ids = explode(',', $this->dbh->escape_string($_REQUEST["ids"])); - $color = $this->dbh->escape_string($_REQUEST["color"]); - $fg = $this->dbh->escape_string($_REQUEST["fg"]); - $bg = $this->dbh->escape_string($_REQUEST["bg"]); + $kind = $_REQUEST["kind"]; + $ids = explode(',', $_REQUEST["ids"]); + $color = $_REQUEST["color"]; + $fg = $_REQUEST["fg"]; + $bg = $_REQUEST["bg"]; foreach ($ids as $id) { if ($kind == "fg" || $kind == "bg") { - $this->dbh->query("UPDATE ttrss_labels2 SET - ${kind}_color = '$color' WHERE id = '$id' - AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET + ${kind}_color = ? WHERE id = ? + AND owner_uid = ?"); + + $sth->execute([$color, $id, $_SESSION['uid']]); + } else { - $this->dbh->query("UPDATE ttrss_labels2 SET - fg_color = '$fg', bg_color = '$bg' WHERE id = '$id' - AND owner_uid = " . $_SESSION["uid"]); + + $sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET + fg_color = ?, bg_color = ? WHERE id = ? + AND owner_uid = ?"); + + $sth->execute([$fg, $bg, $id, $_SESSION['uid']]); } - $caption = $this->dbh->escape_string(Labels::find_caption($id, $_SESSION["uid"])); + $caption = Labels::find_caption($id, $_SESSION["uid"]); /* Remove cached data */ - $this->dbh->query("UPDATE ttrss_user_entries SET label_cache = '' - WHERE label_cache LIKE '%$caption%' AND owner_uid = " . $_SESSION["uid"]); - + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET label_cache = '' + WHERE label_cache LIKE ? AND owner_uid = ?"); + $sth->execute(["%$caption%", $_SESSION['uid']]); } - - return; } function colorreset() { - $ids = explode(',', $this->dbh->escape_string($_REQUEST["ids"])); + $ids = explode(',', $_REQUEST["ids"]); foreach ($ids as $id) { - $this->dbh->query("UPDATE ttrss_labels2 SET - fg_color = '', bg_color = '' WHERE id = '$id' - AND owner_uid = " . 
$_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET + fg_color = '', bg_color = '' WHERE id = ? + AND owner_uid = ?"); + $sth->execute([$id, $_SESSION['uid']]); - $caption = $this->dbh->escape_string(Labels::find_caption($id, $_SESSION["uid"])); + $caption = Labels::find_caption($id, $_SESSION["uid"]); /* Remove cached data */ - $this->dbh->query("UPDATE ttrss_user_entries SET label_cache = '' - WHERE label_cache LIKE '%$caption%' AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET label_cache = '' + WHERE label_cache LIKE ? AND owner_uid = ?"); + $sth->execute(["%$caption%", $_SESSION['uid']]); } - } function save() { - $id = $this->dbh->escape_string($_REQUEST["id"]); - $caption = $this->dbh->escape_string(trim($_REQUEST["caption"])); + $id = $_REQUEST["id"]; + $caption = trim($_REQUEST["caption"]); - $this->dbh->query("BEGIN"); + $this->pdo->beginTransaction(); - $result = $this->dbh->query("SELECT caption FROM ttrss_labels2 - WHERE id = '$id' AND owner_uid = ". $_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT caption FROM ttrss_labels2 + WHERE id = ? AND owner_uid = ?"); + $sth->execute([$id, $_SESSION['uid']]); - if ($this->dbh->num_rows($result) != 0) { - $old_caption = $this->dbh->fetch_result($result, 0, "caption"); + if ($row = $sth->fetch()) { + $old_caption = $row["caption"]; - $result = $this->dbh->query("SELECT id FROM ttrss_labels2 - WHERE caption = '$caption' AND owner_uid = ". $_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_labels2 + WHERE caption = ? AND owner_uid = ?"); + $sth->execute([$caption, $_SESSION['uid']]); - if ($this->dbh->num_rows($result) == 0) { + if (!$sth->fetch()) { if ($caption) { - $result = $this->dbh->query("UPDATE ttrss_labels2 SET - caption = '$caption' WHERE id = '$id' AND - owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET + caption = ? WHERE id = ? 
AND + owner_uid = ?"); + $sth->execute([$caption, $id, $_SESSION['uid']]); /* Update filters that reference label being renamed */ - $old_caption = $this->dbh->escape_string($old_caption); - - $this->dbh->query("UPDATE ttrss_filters2_actions SET - action_param = '$caption' WHERE action_param = '$old_caption' + $sth = $this->pdo->prepare("UPDATE ttrss_filters2_actions SET + action_param = ? WHERE action_param = ? AND action_id = 7 - AND filter_id IN (SELECT id FROM ttrss_filters2 WHERE owner_uid = ".$_SESSION["uid"].")"); + AND filter_id IN (SELECT id FROM ttrss_filters2 WHERE owner_uid = ?)"); + + $sth->execute([$caption, $old_caption, $_SESSION['uid']]); print $_REQUEST["value"]; } else { @@ -206,14 +215,13 @@ class Pref_Labels extends Handler_Protected { } } - $this->dbh->query("COMMIT"); + $this->pdo->commit(); - return; } function remove() { - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); + $ids = explode(",", $_REQUEST["ids"]); foreach ($ids as $id) { Labels::remove($id, $_SESSION["uid"]); @@ -222,8 +230,8 @@ class Pref_Labels extends Handler_Protected { } function add() { - $caption = $this->dbh->escape_string($_REQUEST["caption"]); - $output = $this->dbh->escape_string($_REQUEST["output"]); + $caption = $_REQUEST["caption"]; + $output = $_REQUEST["output"]; if ($caption) { diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php index cf27a72d..cf1322f4 100644 --- a/classes/pref/prefs.php +++ b/classes/pref/prefs.php 
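Review bot: save() ends with `print $_REQUEST["value"];`, echoing the raw request value — not the trimmed `$caption` that was actually written — with no escaping; if the client inserts that response into the DOM (the response's content type is not visible here), a caption containing markup is reflected unescaped, and `print htmlspecialchars($caption);` both fixes that and reports what was stored. In colorset() the `${kind}_color` interpolation is safe only because `$kind` is checked against `fg`/`bg` first; a one-line comment saying so would stop a future reader from "fixing" it, and validating `$color`/`$fg`/`$bg` as a color value (something like `preg_match('/^#?[0-9a-fA-F]{3,6}$/', …)`, allowing the empty string colorreset() stores) would keep arbitrary text out of wherever they are rendered. The `LIKE ?` with `"%$caption%"` still treats `%` and `_` in a caption as wildcards, which only over-invalidates the label cache and is harmless. `$id` from `explode(',', $_REQUEST["ids"])` would be safer cast with `(int)`, as the ids are compared to an integer column.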
@@ -99,14 +99,15 @@ class Pref_Prefs extends Handler_Protected { foreach (array_keys($_POST) as $pref_name) { - $pref_name = $this->dbh->escape_string($pref_name); - $value = $this->dbh->escape_string($_POST[$pref_name]); + $pref_name = $pref_name; + $value = $_POST[$pref_name]; if ($pref_name == 'DIGEST_PREFERRED_TIME') { if (get_pref('DIGEST_PREFERRED_TIME') != $value) { - $this->dbh->query("UPDATE ttrss_users SET - last_digest_sent = NULL WHERE id = " . $_SESSION['uid']); + $sth = $this->pdo->prepare("UPDATE ttrss_users SET + last_digest_sent = NULL WHERE id = ?"); + $sth->execute([$_SESSION['uid']]); } } @@ -129,13 +130,13 @@ class Pref_Prefs extends Handler_Protected { function changeemail() { - $email = $this->dbh->escape_string($_POST["email"]); - $full_name = $this->dbh->escape_string($_POST["full_name"]); - + $email = $_POST["email"]; + $full_name = $_POST["full_name"]; $active_uid = $_SESSION["uid"]; - $this->dbh->query("UPDATE ttrss_users SET email = '$email', - full_name = '$full_name' WHERE id = '$active_uid'"); + $sth = $this->pdo->prepare("UPDATE ttrss_users SET email = ?, + full_name = ? WHERE id = ?"); + $sth->execute([$email, $full_name, $active_uid]); print __("Your personal data has been saved."); @@ -146,14 +147,10 @@ class Pref_Prefs extends Handler_Protected { $_SESSION["prefs_op_result"] = "reset-to-defaults"; - if ($_SESSION["profile"]) { - $profile_qpart = "profile = '" . $_SESSION["profile"] . "'"; - } else { - $profile_qpart = "profile IS NULL"; - } - - $this->dbh->query("DELETE FROM ttrss_user_prefs - WHERE $profile_qpart AND owner_uid = ".$_SESSION["uid"]); + $sth = $this->pdo->query("DELETE FROM ttrss_user_prefs + WHERE (profile = :profile OR (:profile IS NULL AND profile IS NULL)) + AND owner_uid = :uid"); + $sth->execute([":profile" => $_SESSION['profile'], ":uid" => $_SESSION['uid']]); initialize_user_prefs($_SESSION["uid"], $_SESSION["profile"]); @@ -202,13 +199,15 @@ class Pref_Prefs extends Handler_Protected { print "
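Review bot: `$pref_name = $pref_name;` on the new side is a leftover from removing escape_string() and does nothing; drop the line. The loop iterates `array_keys($_POST)`, so every posted key is treated as a preference name, and whatever consumes `$pref_name`/`$value` after this hunk must validate the name against the known preference list rather than trust the client — that code is outside the hunk. The enclosing method begins before this hunk and continues after it.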
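Review bot: changeemail() writes `$_POST["email"]` and `$_POST["full_name"]` into ttrss_users without any validation; the parameterised UPDATE removes the SQL risk, but an address that is not an address still ends up where digest mail is presumably sent. A guard such as `if ($email && !filter_var($email, FILTER_VALIDATE_EMAIL)) { print __("Invalid e-mail address."); return; }` before the UPDATE is cheap (adjust to the project's message style). The method starts and ends within this hunk.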
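Review bot: The reset-to-defaults DELETE is issued with `$this->pdo->query(...)`, which executes immediately, so the `:profile`/`:uid` placeholders are never bound and the following `$sth->execute([...])` operates on a failed statement; this must be `$sth = $this->pdo->prepare(...)`. The same named placeholder `:profile` also appears twice, which PDO accepts only with emulated prepares and rejects (HY093) with native ones. Two positional parameters keep it portable: `WHERE (profile = ? OR (? IS NULL AND profile IS NULL)) AND owner_uid = ?` with `execute([$_SESSION['profile'], $_SESSION['profile'], $_SESSION['uid']])`; an untyped NULL parameter in `? IS NULL` may need a cast on PostgreSQL with native prepares, worth checking against how profiles are typed. The method begins before this hunk.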

" . __("Personal data") . "

"; - $result = $this->dbh->query("SELECT email,full_name,otp_enabled, + $sth = $this->pdo->prepare("SELECT email,full_name,otp_enabled, access_level FROM ttrss_users - WHERE id = ".$_SESSION["uid"]); + WHERE id = ?"); + $sth->execute([$_SESSION["uid"]]); + $row = $sth->fetch(); - $email = htmlspecialchars($this->dbh->fetch_result($result, 0, "email")); - $full_name = htmlspecialchars($this->dbh->fetch_result($result, 0, "full_name")); - $otp_enabled = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "otp_enabled")); + $email = htmlspecialchars($row["email"]); + $full_name = htmlspecialchars($row["full_name"]); + $otp_enabled = sql_bool_to_bool($row["otp_enabled"]); print "".__('Full name').""; print "dbh->fetch_result($result, 0, "access_level"); + $access_level = $row["access_level"]; print "".__('Access level').""; print "" . $access_level_names[$access_level] . ""; } @@ -246,14 +245,6 @@ class Pref_Prefs extends Handler_Protected { print ""; - $result = $this->dbh->query("SELECT id FROM ttrss_users - WHERE id = ".$_SESSION["uid"]." AND pwd_hash - = 'SHA1:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'"); - - if ($this->dbh->num_rows($result) != 0) { - print format_warning(__("Your password is at default value, please change it."), "default_pass_warning"); - } - print "
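Review bot: `$row = $sth->fetch();` is used without checking for `false`; for the logged-in user the row should exist, but if it does not (a session referencing a deleted account) `$row["email"]` and friends produce warnings and an empty form instead of a clear failure. A guard such as `if (!$row) return;` right after the fetch keeps the rest of the method honest. Passing `email` and `full_name` through htmlspecialchars() before printing is right; the method continues past this hunk.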
"; print "