From 3972bf598195efba3e73ae1fef3faceabeb50308 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Fri, 22 Mar 2013 09:14:55 +0400
Subject: [PATCH] db_escape_string: specify link parameter for consistency; sessions: do not force-close db connection in _close()
---
 classes/api.php | 62 +++++++++---------
 classes/article.php | 10 +--
 classes/auth/base.php | 4 +-
 classes/dlg.php | 8 +--
 classes/feeds.php | 20 +++---
 classes/handler/public.php | 52 +++++++--------
 classes/opml.php | 40 ++++++------
 classes/pluginhost.php | 6 +-
 classes/pref/feeds.php | 66 +++++++++----------
 classes/pref/filters.php | 36 +++++------
 classes/pref/labels.php | 34 +++++-----
 classes/pref/prefs.php | 16 ++---
 classes/pref/users.php | 20 +++---
 classes/rpc.php | 108 ++++++++++++++++----------
 include/db-prefs.php | 6 +-
 include/db.php | 14 +----
 include/functions.php | 18 +++---
 include/labels.php | 2 +-
 include/rssfuncs.php | 54 ++++++++--------
 include/sessions.php | 4 +-
 opml.php | 2 +-
 plugins/auth_internal/init.php | 8 +--
 plugins/auth_remote/init.php | 12 ++--
 plugins/digest/init.php | 8 +--
 plugins/embed_original/init.php | 2 +-
 plugins/example/init.php | 2 +-
 plugins/googleplus/init.php | 2 +-
 plugins/identica/init.php | 2 +-
 plugins/import_export/init.php | 8 +--
 plugins/instances/init.php | 28 ++++-----
 plugins/mail/init.php | 6 +-
 plugins/mailto/init.php | 2 +-
 plugins/note/init.php | 6 +-
 plugins/nsfw/init.php | 2 +-
 plugins/owncloud/init.php | 4 +-
 plugins/pinterest/init.php | 2 +-
 plugins/pocket/init.php | 2 +-
 plugins/share/init.php | 4 +-
 plugins/tweet/init.php | 2 +-
 register.php | 8 +--
 40 files changed, 342 insertions(+), 350 deletions(-)
diff --git a/classes/api.php b/classes/api.php
index b9168cf9..3ec21867 100644
--- a/classes/api.php
+++ b/classes/api.php
@@ -47,7 +47,7 @@ class API extends Handler {
 }
 function login() {
- $login = db_escape_string($_REQUEST["user"]);
+ $login = db_escape_string($this->link, $_REQUEST["user"]);
 $password = $_REQUEST["password"];
 $password_base64 = base64_decode($_REQUEST["password"]);
@@ -92,8 +92,8 @@ class API extends Handler {
 }
 function getUnread() {
- $feed_id = db_escape_string($_REQUEST["feed_id"]);
- $is_cat = db_escape_string($_REQUEST["is_cat"]);
+ $feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
+ $is_cat = db_escape_string($this->link, $_REQUEST["is_cat"]);
 if ($feed_id) {
 print $this->wrap(self::STATUS_OK, array("unread" => getFeedUnread($this->link, $feed_id, $is_cat)));
@@ -108,10 +108,10 @@ class API extends Handler {
 }
 function getFeeds() {
- $cat_id = db_escape_string($_REQUEST["cat_id"]);
+ $cat_id = db_escape_string($this->link, $_REQUEST["cat_id"]);
 $unread_only = sql_bool_to_bool($_REQUEST["unread_only"]);
- $limit = (int) db_escape_string($_REQUEST["limit"]);
- $offset = (int) db_escape_string($_REQUEST["offset"]);
+ $limit = (int) db_escape_string($this->link, $_REQUEST["limit"]);
+ $offset = (int) db_escape_string($this->link, $_REQUEST["offset"]);
 $include_nested = sql_bool_to_bool($_REQUEST["include_nested"]);
 $feeds = $this->api_get_feeds($this->link, $cat_id, $unread_only, $limit, $offset, $include_nested);
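Review bot: In the getUnread hunk `$is_cat` is handed to getFeedUnread() as an escaped request string, whereas getFeeds (and getHeadlines elsewhere in this commit) normalise the same kind of flag with sql_bool_to_bool(); if getFeedUnread() tests the argument for truthiness, a client sending `is_cat=false` is answered with the category count, because only "" and "0" are falsy in PHP. Use the same conversion here, `$is_cat = sql_bool_to_bool($_REQUEST["is_cat"]);`, so the API treats the flag consistently across methods. In the getFeeds hunk the `(int)` casts make the surrounding db_escape_string() calls dead weight — `$limit = (int) $_REQUEST["limit"];` says what is meant and keeps escaping for values that actually reach SQL as strings.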
@@ -171,29 +171,29 @@ class API extends Handler {
 }
 function getHeadlines() {
- $feed_id = db_escape_string($_REQUEST["feed_id"]);
+ $feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
 if ($feed_id != "") {
- $limit = (int)db_escape_string($_REQUEST["limit"]);
+ $limit = (int)db_escape_string($this->link, $_REQUEST["limit"]);
 if (!$limit || $limit >= 60) $limit = 60;
- $offset = (int)db_escape_string($_REQUEST["skip"]);
- $filter = db_escape_string($_REQUEST["filter"]);
+ $offset = (int)db_escape_string($this->link, $_REQUEST["skip"]);
+ $filter = db_escape_string($this->link, $_REQUEST["filter"]);
 $is_cat = sql_bool_to_bool($_REQUEST["is_cat"]);
 $show_excerpt = sql_bool_to_bool($_REQUEST["show_excerpt"]);
 $show_content = sql_bool_to_bool($_REQUEST["show_content"]);
 /* all_articles, unread, adaptive, marked, updated */
- $view_mode = db_escape_string($_REQUEST["view_mode"]);
+ $view_mode = db_escape_string($this->link, $_REQUEST["view_mode"]);
 $include_attachments = sql_bool_to_bool($_REQUEST["include_attachments"]);
- $since_id = (int)db_escape_string($_REQUEST["since_id"]);
+ $since_id = (int)db_escape_string($this->link, $_REQUEST["since_id"]);
 $include_nested = sql_bool_to_bool($_REQUEST["include_nested"]);
 $sanitize_content = true;
 /* do not rely on params below */
- $search = db_escape_string($_REQUEST["search"]);
- $search_mode = db_escape_string($_REQUEST["search_mode"]);
+ $search = db_escape_string($this->link, $_REQUEST["search"]);
+ $search_mode = db_escape_string($this->link, $_REQUEST["search_mode"]);
 $headlines = $this->api_get_headlines($this->link, $feed_id, $limit, $offset, $filter, $is_cat, $show_excerpt, $show_content, $view_mode, false,
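Review bot: The clamp following the new `$limit` line only catches zero and values of 60 or more, so a negative `limit` such as `-1` passes through unchanged into api_get_headlines(), and `$offset` (from `skip`) is never range-checked at all. If those reach a `LIMIT`/`OFFSET` clause the query errors out or, depending on the driver, behaves as unbounded, so tighten the guard to `if ($limit <= 0 || $limit >= 60) $limit = 60;` and add `if ($offset < 0) $offset = 0;`. The body of getHeadlines continues past the end of the hunk, so the consuming query could not be checked here.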
@@ -207,10 +207,10 @@ class API extends Handler {
 }
 function updateArticle() {
- $article_ids = array_filter(explode(",", db_escape_string($_REQUEST["article_ids"])), is_numeric);
- $mode = (int) db_escape_string($_REQUEST["mode"]);
- $data = db_escape_string($_REQUEST["data"]);
- $field_raw = (int)db_escape_string($_REQUEST["field"]);
+ $article_ids = array_filter(explode(",", db_escape_string($this->link, $_REQUEST["article_ids"])), is_numeric);
+ $mode = (int) db_escape_string($this->link, $_REQUEST["mode"]);
+ $data = db_escape_string($this->link, $_REQUEST["data"]);
+ $field_raw = (int)db_escape_string($this->link, $_REQUEST["field"]);
 $field = "";
 $set_to = "";
@@ -285,7 +285,7 @@ class API extends Handler {
 function getArticle() {
- $article_id = join(",", array_filter(explode(",", db_escape_string($_REQUEST["article_id"])), is_numeric));
+ $article_id = join(",", array_filter(explode(",", db_escape_string($this->link, $_REQUEST["article_id"])), is_numeric));
 $query = "SELECT id,title,link,content,cached_content,feed_id,comments,int_id, marked,unread,published,
@@ -348,7 +348,7 @@ class API extends Handler {
 }
 function updateFeed() {
- $feed_id = db_escape_string($_REQUEST["feed_id"]);
+ $feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
 update_rss_feed($this->link, $feed_id, true);
@@ -356,8 +356,8 @@ class API extends Handler {
 }
 function catchupFeed() {
- $feed_id = db_escape_string($_REQUEST["feed_id"]);
- $is_cat = db_escape_string($_REQUEST["is_cat"]);
+ $feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
+ $is_cat = db_escape_string($this->link, $_REQUEST["is_cat"]);
 catchup_feed($this->link, $feed_id, $is_cat);
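Review bot: `array_filter(..., is_numeric)` in updateArticle (and again in getArticle) passes the callback as a bare word, which PHP only accepts by treating the undefined constant as the string 'is_numeric' and emitting a notice on every call; quote it — `array_filter(explode(",", ...), 'is_numeric')` — so the intent is explicit and the notice disappears. Since is_numeric() also accepts floats, hex and exponent forms such as `1e3`, a stricter predicate like `'ctype_digit'` would better match the integer ids these lists are meant to carry; that is hedged, because the SQL that consumes `$article_ids` lies outside the hunk. getArticle's `$query` string continues past the hunk as well.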
@@ -365,13 +365,13 @@ class API extends Handler {
 }
 function getPref() {
- $pref_name = db_escape_string($_REQUEST["pref_name"]);
+ $pref_name = db_escape_string($this->link, $_REQUEST["pref_name"]);
 print $this->wrap(self::STATUS_OK, array("value" => get_pref($this->link, $pref_name)));
 }
 function getLabels() {
- //$article_ids = array_filter(explode(",", db_escape_string($_REQUEST["article_ids"])), is_numeric);
+ //$article_ids = array_filter(explode(",", db_escape_string($this->link, $_REQUEST["article_ids"])), is_numeric);
 $article_id = (int)$_REQUEST['article_id'];
@@ -409,11 +409,11 @@ class API extends Handler {
 function setArticleLabel() {
- $article_ids = array_filter(explode(",", db_escape_string($_REQUEST["article_ids"])), is_numeric);
- $label_id = (int) db_escape_string($_REQUEST['label_id']);
- $assign = (bool) db_escape_string($_REQUEST['assign']) == "true";
+ $article_ids = array_filter(explode(",", db_escape_string($this->link, $_REQUEST["article_ids"])), is_numeric);
+ $label_id = (int) db_escape_string($this->link, $_REQUEST['label_id']);
+ $assign = (bool) db_escape_string($this->link, $_REQUEST['assign']) == "true";
- $label = db_escape_string(label_find_caption($this->link,
+ $label = db_escape_string($this->link, label_find_caption($this->link,
 $label_id, $_SESSION["uid"]));
 $num_updated = 0;
@@ -442,9 +442,9 @@ class API extends Handler {
 }
 function shareToPublished() {
- $title = db_escape_string(strip_tags($_REQUEST["title"]));
- $url = db_escape_string(strip_tags($_REQUEST["url"]));
- $content = db_escape_string(strip_tags($_REQUEST["content"]));
+ $title = db_escape_string($this->link, strip_tags($_REQUEST["title"]));
+ $url = db_escape_string($this->link, strip_tags($_REQUEST["url"]));
+ $content = db_escape_string($this->link, strip_tags($_REQUEST["content"]));
 if (Article::create_published_article($this->link, $title, $url, $content, "", $_SESSION["uid"])) {
 print $this->wrap(self::STATUS_OK, array("status" => 'OK'));
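Review bot: In setArticleLabel the new line `$assign = (bool) db_escape_string($this->link, $_REQUEST['assign']) == "true";` does not do what it reads as: the cast binds tighter than `==`, so the expression evaluates as `((bool) "false") == "true"`, which is `true` for any non-empty string other than "0" — a client sending `assign=false` gets the label added instead of removed. Drop the cast so the string comparison decides: `$assign = db_escape_string($this->link, $_REQUEST['assign']) == "true";` (or use sql_bool_to_bool() as the other API methods do if clients send either `true` or `1`). The code that acts on `$assign` is outside the hunk.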
diff --git a/classes/article.php b/classes/article.php
index 2f49b182..595c6c43 100644
--- a/classes/article.php
+++ b/classes/article.php
@@ -8,7 +8,7 @@ class Article extends Handler_Protected {
 }
 function redirect() {
- $id = db_escape_string($_REQUEST['id']);
+ $id = db_escape_string($this->link, $_REQUEST['id']);
 $result = db_query($this->link, "SELECT link FROM ttrss_entries, ttrss_user_entries WHERE id = '$id' AND id = ref_id AND owner_uid = '".$_SESSION['uid']."'
@@ -27,10 +27,10 @@ class Article extends Handler_Protected {
 }
 function view() {
- $id = db_escape_string($_REQUEST["id"]);
- $cids = explode(",", db_escape_string($_REQUEST["cids"]));
- $mode = db_escape_string($_REQUEST["mode"]);
- $omode = db_escape_string($_REQUEST["omode"]);
+ $id = db_escape_string($this->link, $_REQUEST["id"]);
+ $cids = explode(",", db_escape_string($this->link, $_REQUEST["cids"]));
+ $mode = db_escape_string($this->link, $_REQUEST["mode"]);
+ $omode = db_escape_string($this->link, $_REQUEST["omode"]);
 // in prefetch mode we only output requested cids, main article
 // just gets marked as read (it already exists in client cache)
diff --git a/classes/auth/base.php b/classes/auth/base.php
index aa9d657a..ad7ff364 100644
--- a/classes/auth/base.php
+++ b/classes/auth/base.php
@@ -21,7 +21,7 @@ class Auth_Base {
 $user_id = $this->find_user_by_login($login);
 if (!$user_id) {
- $login = db_escape_string($login);
+ $login = db_escape_string($this->link, $login);
 $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
 $pwd_hash = encrypt_password($password, $salt, true);
@@ -42,7 +42,7 @@ class Auth_Base {
 }
 function find_user_by_login($login) {
- $login = db_escape_string($login);
+ $login = db_escape_string($this->link, $login);
 $result = db_query($this->link, "SELECT id FROM ttrss_users WHERE login = '$login'");
diff --git a/classes/dlg.php b/classes/dlg.php
index 3bb2caba..5789af68 100644
--- a/classes/dlg.php
+++ b/classes/dlg.php
@@ -5,7 +5,7 @@ class Dlg extends Handler_Protected {
 function before($method) {
 if (parent::before($method)) {
 header("Content-Type: text/xml; charset=utf-8");
- $this->param = db_escape_string($_REQUEST["param"]);
+ $this->param = db_escape_string($this->link, $_REQUEST["param"]);
 print "";
 return true;
 }
@@ -302,7 +302,7 @@ class Dlg extends Handler_Protected {
 function feedBrowser() {
 if (defined('_DISABLE_FEED_BROWSER') && _DISABLE_FEED_BROWSER) return;
- $browser_search = db_escape_string($_REQUEST["search"]);
+ $browser_search = db_escape_string($this->link, $_REQUEST["search"]);
 print "";
 print "";
@@ -350,7 +350,7 @@ class Dlg extends Handler_Protected {
 }
 function search() {
- $this->params = explode(":", db_escape_string($_REQUEST["param"]), 2);
+ $this->params = explode(":", db_escape_string($this->link, $_REQUEST["param"]), 2);
 $active_feed_id = sprintf("%d", $this->params[0]);
 $is_cat = $this->params[1] != "false";
@@ -550,7 +550,7 @@ class Dlg extends Handler_Protected {
 print "params = explode(":", $this->param, 3);
- $feed_id = db_escape_string($this->params[0]);
+ $feed_id = db_escape_string($this->link, $this->params[0]);
 $is_cat = (bool) $this->params[1];
 $key = get_feed_access_key($this->link, $feed_id, $is_cat);
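Review bot: In the last hunk `$is_cat = (bool) $this->params[1];` turns the literal string "false" into `true`, because only "" and "0" are falsy in PHP, while search() in the same file tests the equivalent parameter with `!= "false"`, which suggests clients do send that literal. Unless this dialog's caller is known to send 0/1, use the same test here — `$is_cat = $this->params[1] != "false";` — otherwise get_feed_access_key() is asked for a category key when a feed key of the same numeric id was wanted. The enclosing method begins before the hunk and the markup on its first context line has been stripped from this view.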
@@ -757,17 +757,17 @@ class Feeds extends Handler_Protected { if ($_REQUEST["debug"]) $timing_info = print_checkpoint("0", $timing_info); - $omode = db_escape_string($_REQUEST["omode"]); + $omode = db_escape_string($this->link, $_REQUEST["omode"]); - $feed = db_escape_string($_REQUEST["feed"]); - $method = db_escape_string($_REQUEST["m"]); - $view_mode = db_escape_string($_REQUEST["view_mode"]); + $feed = db_escape_string($this->link, $_REQUEST["feed"]); + $method = db_escape_string($this->link, $_REQUEST["m"]); + $view_mode = db_escape_string($this->link, $_REQUEST["view_mode"]); $limit = (int) get_pref($this->link, "DEFAULT_ARTICLE_LIMIT"); @$cat_view = $_REQUEST["cat"] == "true"; - @$next_unread_feed = db_escape_string($_REQUEST["nuf"]); - @$offset = db_escape_string($_REQUEST["skip"]); - @$vgroup_last_feed = db_escape_string($_REQUEST["vgrlf"]); - $order_by = db_escape_string($_REQUEST["order_by"]); + @$next_unread_feed = db_escape_string($this->link, $_REQUEST["nuf"]); + @$offset = db_escape_string($this->link, $_REQUEST["skip"]); + @$vgroup_last_feed = db_escape_string($this->link, $_REQUEST["vgrlf"]); + $order_by = db_escape_string($this->link, $_REQUEST["order_by"]); if (is_numeric($feed)) $feed = (int) $feed; diff --git a/classes/handler/public.php b/classes/handler/public.php index dc1e1004..afee58a5 100644 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -180,7 +180,7 @@ class Handler_Public extends Handler { } function getUnread() { - $login = db_escape_string($_REQUEST["login"]); + $login = db_escape_string($this->link, $_REQUEST["login"]); $fresh = $_REQUEST["fresh"] == "1"; $result = db_query($this->link, "SELECT id FROM ttrss_users WHERE login = '$login'"); 
@@ -202,7 +202,7 @@ class Handler_Public extends Handler {
 }
 function getProfiles() {
- $login = db_escape_string($_REQUEST["login"]);
+ $login = db_escape_string($this->link, $_REQUEST["login"]);
 $result = db_query($this->link, "SELECT * FROM ttrss_settings_profiles,ttrss_users WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = '$login' ORDER BY title");
@@ -222,9 +222,9 @@ class Handler_Public extends Handler {
 }
 function pubsub() {
- $mode = db_escape_string($_REQUEST['hub_mode']);
- $feed_id = (int) db_escape_string($_REQUEST['id']);
- $feed_url = db_escape_string($_REQUEST['hub_topic']);
+ $mode = db_escape_string($this->link, $_REQUEST['hub_mode']);
+ $feed_id = (int) db_escape_string($this->link, $_REQUEST['id']);
+ $feed_url = db_escape_string($this->link, $_REQUEST['hub_topic']);
 if (!PUBSUBHUBBUB_ENABLED) {
 header('HTTP/1.0 404 Not Found');
@@ -285,7 +285,7 @@ class Handler_Public extends Handler {
 }
 function share() {
- $uuid = db_escape_string($_REQUEST["key"]);
+ $uuid = db_escape_string($this->link, $_REQUEST["key"]);
 $result = db_query($this->link, "SELECT ref_id, owner_uid FROM ttrss_user_entries WHERE uuid = '$uuid'");
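Review bot: getProfiles (first hunk) and getUnread on the previous line look up an arbitrary `login` from the request with no session or key check visible, so as written any anonymous caller can learn whether a login exists and, for getProfiles, the names of that user's profiles; getUnread additionally reveals the unread count. If an access gate exists outside these hunks this is moot, but if not, either require the caller to already be authenticated as that user or return an identical response for unknown and known logins so the endpoints cannot be used for user enumeration. The pubsub hunk is fine in this respect: `$feed_id` is cast and the handler bails when PUBSUBHUBBUB_ENABLED is off.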
@@ -307,17 +307,17 @@ class Handler_Public extends Handler {
 }
 function rss() {
- $feed = db_escape_string($_REQUEST["id"]);
- $key = db_escape_string($_REQUEST["key"]);
+ $feed = db_escape_string($this->link, $_REQUEST["id"]);
+ $key = db_escape_string($this->link, $_REQUEST["key"]);
 $is_cat = $_REQUEST["is_cat"] != false;
- $limit = (int)db_escape_string($_REQUEST["limit"]);
- $offset = (int)db_escape_string($_REQUEST["offset"]);
+ $limit = (int)db_escape_string($this->link, $_REQUEST["limit"]);
+ $offset = (int)db_escape_string($this->link, $_REQUEST["offset"]);
- $search = db_escape_string($_REQUEST["q"]);
- $search_mode = db_escape_string($_REQUEST["smode"]);
- $view_mode = db_escape_string($_REQUEST["view-mode"]);
+ $search = db_escape_string($this->link, $_REQUEST["q"]);
+ $search_mode = db_escape_string($this->link, $_REQUEST["smode"]);
+ $view_mode = db_escape_string($this->link, $_REQUEST["view-mode"]);
- $format = db_escape_string($_REQUEST['format']);
+ $format = db_escape_string($this->link, $_REQUEST['format']);
 if (!$format) $format = 'atom';
@@ -371,10 +371,10 @@ class Handler_Public extends Handler {
 if ($action == 'share') {
- $title = db_escape_string(strip_tags($_REQUEST["title"]));
- $url = db_escape_string(strip_tags($_REQUEST["url"]));
- $content = db_escape_string(strip_tags($_REQUEST["content"]));
- $labels = db_escape_string(strip_tags($_REQUEST["labels"]));
+ $title = db_escape_string($this->link, strip_tags($_REQUEST["title"]));
+ $url = db_escape_string($this->link, strip_tags($_REQUEST["url"]));
+ $content = db_escape_string($this->link, strip_tags($_REQUEST["content"]));
+ $labels = db_escape_string($this->link, strip_tags($_REQUEST["labels"]));
 Article::create_published_article($this->link, $title, $url, $content, $labels, $_SESSION["uid"]);
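Review bot: `$is_cat = $_REQUEST["is_cat"] != false;` in rss() is a loose comparison, so the literal string "false" counts as true while "0" counts as false; a link carrying `is_cat=false` therefore selects the category with the same numeric id as the feed, which is not the object the supplied `$key` was issued for. Compare against the literal the link generator actually emits — `$is_cat = $_REQUEST["is_cat"] == "true";` or `sql_bool_to_bool($_REQUEST["is_cat"])` as the API code in this commit does — so the access-key check later in rss() (outside the hunk) is performed for the intended object. `$limit` and `$offset` are cast but not range-checked, the same gap noted for the API.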
@@ -483,7 +483,7 @@ class Handler_Public extends Handler {
 if (!SINGLE_USER_MODE) {
- $login = db_escape_string($_POST["login"]);
+ $login = db_escape_string($this->link, $_POST["login"]);
 $password = $_POST["password"];
 $remember_me = $_POST["remember_me"];
@@ -496,7 +496,7 @@ class Handler_Public extends Handler {
 if ($_POST["profile"]) {
- $profile = db_escape_string($_POST["profile"]);
+ $profile = db_escape_string($this->link, $_POST["profile"]);
 $result = db_query($this->link, "SELECT id FROM ttrss_settings_profiles WHERE id = '$profile' AND owner_uid = " . $_SESSION["uid"]);
@@ -525,7 +525,7 @@ class Handler_Public extends Handler {
 if ($_SESSION["uid"]) {
- $feed_url = db_escape_string(trim($_REQUEST["feed_url"]));
+ $feed_url = db_escape_string($this->link, trim($_REQUEST["feed_url"]));
 header('Content-Type: text/html; charset=utf-8');
 print "
@@ -618,14 +618,14 @@ class Handler_Public extends Handler {
 }
 function subscribe2() {
- $feed_url = db_escape_string(trim($_REQUEST["feed_url"]));
- $cat_id = db_escape_string($_REQUEST["cat_id"]);
- $from = db_escape_string($_REQUEST["from"]);
+ $feed_url = db_escape_string($this->link, trim($_REQUEST["feed_url"]));
+ $cat_id = db_escape_string($this->link, $_REQUEST["cat_id"]);
+ $from = db_escape_string($this->link, $_REQUEST["from"]);
 /* only read authentication information from POST */
- $auth_login = db_escape_string(trim($_POST["auth_login"]));
- $auth_pass = db_escape_string(trim($_POST["auth_pass"]));
+ $auth_login = db_escape_string($this->link, trim($_POST["auth_login"]));
+ $auth_pass = db_escape_string($this->link, trim($_POST["auth_pass"]));
 $rc = subscribe_to_feed($this->link, $feed_url, $cat_id, $auth_login, $auth_pass);
diff --git a/classes/opml.php b/classes/opml.php
index 34067e01..d4a0e987 100644
--- a/classes/opml.php
+++ b/classes/opml.php
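Review bot: In subscribe2 `$auth_login` and `$auth_pass` are SQL-escaped at the top of the method and the escaped values are what subscribe_to_feed() receives; if that helper also uses them as HTTP credentials when it fetches the feed, a password containing a quote or backslash is sent with extra backslashes and the subscription either fails or authenticates with the wrong secret. Keep the raw values for the fetch and escape only where the INSERT is built — `$auth_pass = trim($_POST["auth_pass"]);` here, `db_escape_string($this->link, $auth_pass)` at the query, which is outside this hunk. `$feed_url` has the same double use, being both fetched and stored, and in the third hunk it is also printed into a page whose markup has been stripped from this view, where it would need htmlspecialchars() rather than SQL escaping.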
@@ -253,13 +253,13 @@ class Opml extends Handler_Protected {
 private function opml_import_feed($doc, $node, $cat_id, $owner_uid) {
 $attrs = $node->attributes;
- $feed_title = db_escape_string($attrs->getNamedItem('text')->nodeValue);
- if (!$feed_title) $feed_title = db_escape_string($attrs->getNamedItem('title')->nodeValue);
+ $feed_title = db_escape_string($this->link, $attrs->getNamedItem('text')->nodeValue);
+ if (!$feed_title) $feed_title = db_escape_string($this->link, $attrs->getNamedItem('title')->nodeValue);
- $feed_url = db_escape_string($attrs->getNamedItem('xmlUrl')->nodeValue);
- if (!$feed_url) $feed_url = db_escape_string($attrs->getNamedItem('xmlURL')->nodeValue);
+ $feed_url = db_escape_string($this->link, $attrs->getNamedItem('xmlUrl')->nodeValue);
+ if (!$feed_url) $feed_url = db_escape_string($this->link, $attrs->getNamedItem('xmlURL')->nodeValue);
- $site_url = db_escape_string($attrs->getNamedItem('htmlUrl')->nodeValue);
+ $site_url = db_escape_string($this->link, $attrs->getNamedItem('htmlUrl')->nodeValue);
 if ($feed_url && $feed_title) {
 $result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE
@@ -285,11 +285,11 @@ class Opml extends Handler_Protected {
 private function opml_import_label($doc, $node, $owner_uid) {
 $attrs = $node->attributes;
- $label_name = db_escape_string($attrs->getNamedItem('label-name')->nodeValue);
+ $label_name = db_escape_string($this->link, $attrs->getNamedItem('label-name')->nodeValue);
 if ($label_name) {
- $fg_color = db_escape_string($attrs->getNamedItem('label-fg-color')->nodeValue);
- $bg_color = db_escape_string($attrs->getNamedItem('label-bg-color')->nodeValue);
+ $fg_color = db_escape_string($this->link, $attrs->getNamedItem('label-fg-color')->nodeValue);
+ $bg_color = db_escape_string($this->link, $attrs->getNamedItem('label-bg-color')->nodeValue);
 if (!label_find_id($this->link, $label_name, $_SESSION['uid'])) {
 $this->opml_notice(T_sprintf("Adding label %s", htmlspecialchars($label_name)));
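Review bot: opml_import_label receives `$owner_uid` but the `label_find_id()` call on the last context line uses `$_SESSION['uid']`, so the parameter is ignored for the duplicate check while presumably being used for the insert that follows; if the two ever differ, a label is de-duplicated against one user's set and created in another's. Pass the parameter consistently: `if (!label_find_id($this->link, $label_name, $owner_uid)) {`. `$fg_color` and `$bg_color` come straight from the uploaded file and are only SQL-escaped; if they are later emitted as CSS they need to be validated as colour values as well, which cannot be confirmed from this hunk. The feed lookup query in the first hunk is cut off, so its owner comparison could not be checked.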
@@ -302,10 +302,10 @@ class Opml extends Handler_Protected {
 private function opml_import_preference($doc, $node, $owner_uid) {
 $attrs = $node->attributes;
- $pref_name = db_escape_string($attrs->getNamedItem('pref-name')->nodeValue);
+ $pref_name = db_escape_string($this->link, $attrs->getNamedItem('pref-name')->nodeValue);
 if ($pref_name) {
- $pref_value = db_escape_string($attrs->getNamedItem('value')->nodeValue);
+ $pref_value = db_escape_string($this->link, $attrs->getNamedItem('value')->nodeValue);
 $this->opml_notice(T_sprintf("Setting preference key %s to %s", $pref_name, $pref_value));
@@ -317,7 +317,7 @@ class Opml extends Handler_Protected {
 private function opml_import_filter($doc, $node, $owner_uid) {
 $attrs = $node->attributes;
- $filter_type = db_escape_string($attrs->getNamedItem('filter-type')->nodeValue);
+ $filter_type = db_escape_string($this->link, $attrs->getNamedItem('filter-type')->nodeValue);
 if ($filter_type == '2') {
 $filter = json_decode($node->nodeValue, true);
@@ -344,13 +344,13 @@ class Opml extends Handler_Protected {
 if (!$rule["cat_filter"]) {
 $tmp_result = db_query($this->link, "SELECT id FROM ttrss_feeds
- WHERE title = '".db_escape_string($rule["feed"])."' AND owner_uid = ".$_SESSION["uid"]);
+ WHERE title = '".db_escape_string($this->link, $rule["feed"])."' AND owner_uid = ".$_SESSION["uid"]);
 if (db_num_rows($tmp_result) > 0) {
 $feed_id = db_fetch_result($tmp_result, 0, "id");
 }
 } else {
 $tmp_result = db_query($this->link, "SELECT id FROM ttrss_feed_categories
- WHERE title = '".db_escape_string($rule["feed"])."' AND owner_uid = ".$_SESSION["uid"]);
+ WHERE title = '".db_escape_string($this->link, $rule["feed"])."' AND owner_uid = ".$_SESSION["uid"]);
 if (db_num_rows($tmp_result) > 0) {
 $cat_id = db_fetch_result($tmp_result, 0, "id");
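Review bot: The rule-to-feed resolution in the last hunk selects `id FROM ttrss_feeds WHERE title = …` and takes row 0, but feed titles are not unique per user, so an imported rule silently binds to whichever same-titled feed the database returns first; the category lookup in the else branch has the same property. At minimum report the ambiguity so the user can check the result — `if (db_num_rows($tmp_result) > 1) $this->opml_notice(T_sprintf("Multiple feeds match %s", htmlspecialchars($rule["feed"])));` — or, if the export carries the feed URL as well, match on that. In the opml_import_preference hunk `$pref_name` and `$pref_value` are interpolated into a notice without htmlspecialchars(), unlike the label notice in the preceding hunk, which is worth aligning since both originate in the uploaded file.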
@@ -358,7 +358,7 @@ class Opml extends Handler_Protected {
 }
 $cat_filter = bool_to_sql_bool($rule["cat_filter"]);
- $reg_exp = db_escape_string($rule["reg_exp"]);
+ $reg_exp = db_escape_string($this->link, $rule["reg_exp"]);
 $filter_type = (int)$rule["filter_type"];
 db_query($this->link, "INSERT INTO ttrss_filters2_rules (feed_id,cat_id,filter_id,filter_type,reg_exp,cat_filter)
@@ -368,7 +368,7 @@ class Opml extends Handler_Protected {
 foreach ($filter["actions"] as $action) {
 $action_id = (int)$action["action_id"];
- $action_param = db_escape_string($action["action_param"]);
+ $action_param = db_escape_string($this->link, $action["action_param"]);
 db_query($this->link, "INSERT INTO ttrss_filters2_actions (filter_id,action_id,action_param) VALUES ($filter_id, $action_id, '$action_param')");
@@ -386,10 +386,10 @@ class Opml extends Handler_Protected {
 $default_cat_id = (int) get_feed_category($this->link, 'Imported feeds', false);
 if ($root_node) {
- $cat_title = db_escape_string($root_node->attributes->getNamedItem('text')->nodeValue);
+ $cat_title = db_escape_string($this->link, $root_node->attributes->getNamedItem('text')->nodeValue);
 if (!$cat_title)
- $cat_title = db_escape_string($root_node->attributes->getNamedItem('title')->nodeValue);
+ $cat_title = db_escape_string($this->link, $root_node->attributes->getNamedItem('title')->nodeValue);
 if (!in_array($cat_title, array("tt-rss-filters", "tt-rss-labels", "tt-rss-prefs"))) {
 $cat_id = get_feed_category($this->link, $cat_title, $parent_id);
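Review bot: `$reg_exp` in the first hunk is stored exactly as it appears in the uploaded file; nothing checks that it is a valid PCRE pattern, so a malformed rule imported now surfaces later as a warning and a silently non-matching filter every time articles are processed. Validate before the INSERT using the same delimiter and flags the filter engine applies, e.g. `if (@preg_match("/$reg_exp/i", "") === false) { $this->opml_notice(...); continue; }`, so a bad import is reported at import time. The INSERT itself continues past the hunk, so whether `$reg_exp` is quoted there cannot be confirmed from this view; the actions hunk below it does quote `$action_param` and casts `$action_id`, which is the pattern to keep.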
@@ -418,12 +418,12 @@ class Opml extends Handler_Protected {
 foreach ($outlines as $node) {
 if ($node->hasAttributes() && strtolower($node->tagName) == "outline") {
 $attrs = $node->attributes;
- $node_cat_title = db_escape_string($attrs->getNamedItem('text')->nodeValue);
+ $node_cat_title = db_escape_string($this->link, $attrs->getNamedItem('text')->nodeValue);
 if (!$node_cat_title)
- $node_cat_title = db_escape_string($attrs->getNamedItem('title')->nodeValue);
+ $node_cat_title = db_escape_string($this->link, $attrs->getNamedItem('title')->nodeValue);
- $node_feed_url = db_escape_string($attrs->getNamedItem('xmlUrl')->nodeValue);
+ $node_feed_url = db_escape_string($this->link, $attrs->getNamedItem('xmlUrl')->nodeValue);
 if ($node_cat_title && !$node_feed_url) {
 $this->opml_import_category($doc, $node, $owner_uid, $cat_id);
diff --git a/classes/pluginhost.php b/classes/pluginhost.php
index 7dabd42a..0ef17b77 100644
--- a/classes/pluginhost.php
+++ b/classes/pluginhost.php
@@ -211,7 +211,7 @@ class PluginHost {
 function load_data($force = false) {
 if ($this->owner_uid && (!$_SESSION["plugin_storage"] || $force)) {
- $plugin = db_escape_string($plugin);
+ $plugin = db_escape_string($this->link, $plugin);
 $result = db_query($this->link, "SELECT name, content FROM ttrss_plugin_storage WHERE owner_uid = '".$this->owner_uid."'");
@@ -226,7 +226,7 @@ class PluginHost {
 private function save_data($plugin) {
 if ($this->owner_uid) {
- $plugin = db_escape_string($plugin);
+ $plugin = db_escape_string($this->link, $plugin);
 db_query($this->link, "BEGIN");
@@ -236,7 +236,7 @@ class PluginHost {
 if (!isset($this->storage[$plugin])) $this->storage[$plugin] = array();
- $content = db_escape_string(serialize($this->storage[$plugin]));
+ $content = db_escape_string($this->link, serialize($this->storage[$plugin]));
 if (db_num_rows($result) != 0) {
 db_query($this->link, "UPDATE ttrss_plugin_storage SET content = '$content'
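Review bot: In load_data the new line `$plugin = db_escape_string($this->link, $plugin);` escapes a variable that is never defined in that method — its signature is `load_data($force = false)` — and is not used by the query that follows, which selects on `owner_uid` only; it raises an undefined-variable notice on every call and should simply be deleted. The identical line in save_data is legitimate, since `$plugin` is that method's parameter and is used as an array key below. Unrelated to this commit: `content` is written as a serialize() blob, so the load path (outside the hunk) presumably unserialize()s rows from the database; that is acceptable only as long as plugin storage is never writable through any user-supplied path.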
diff --git a/classes/pref/feeds.php b/classes/pref/feeds.php
index 285995df..ceda1337 100644
--- a/classes/pref/feeds.php
+++ b/classes/pref/feeds.php
@@ -14,8 +14,8 @@ class Pref_Feeds extends Handler_Protected {
 }
 function renamecat() {
- $title = db_escape_string($_REQUEST['title']);
- $id = db_escape_string($_REQUEST['id']);
+ $title = db_escape_string($this->link, $_REQUEST['title']);
+ $id = db_escape_string($this->link, $_REQUEST['id']);
 if ($title) {
 db_query($this->link, "UPDATE ttrss_feed_categories SET
@@ -293,7 +293,7 @@ class Pref_Feeds extends Handler_Protected {
 if ($item_id != 'root') {
 if ($parent_id && $parent_id != 'root') {
 $parent_bare_id = substr($parent_id, strpos($parent_id, ':')+1);
- $parent_qpart = db_escape_string($parent_bare_id);
+ $parent_qpart = db_escape_string($this->link, $parent_bare_id);
 } else {
 $parent_qpart = 'NULL';
 }
@@ -319,7 +319,7 @@ class Pref_Feeds extends Handler_Protected {
 if (strpos($id, "FEED") === 0) {
 $cat_id = ($item_id != "root") ?
- db_escape_string($bare_item_id) : "NULL";
+ db_escape_string($this->link, $bare_item_id) : "NULL";
 $cat_qpart = ($cat_id != 0) ? "cat_id = '$cat_id'" : "cat_id = NULL";
@@ -334,7 +334,7 @@ class Pref_Feeds extends Handler_Protected {
 $nest_level+1);
 if ($item_id != 'root') {
- $parent_qpart = db_escape_string($bare_id);
+ $parent_qpart = db_escape_string($this->link, $bare_id);
 } else {
 $parent_qpart = 'NULL';
 }
@@ -424,7 +424,7 @@ class Pref_Feeds extends Handler_Protected {
 }
 function removeicon() {
- $feed_id = db_escape_string($_REQUEST["feed_id"]);
+ $feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
 $result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE id = '$feed_id' AND owner_uid = ". $_SESSION["uid"]);
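Review bot: `$parent_qpart = db_escape_string($this->link, $parent_bare_id);` in the second hunk sits in an if/else whose other branch yields the literal `'NULL'`, which only makes sense if the value is interpolated into the SQL unquoted; escaping an unquoted value achieves nothing, because the characters it neutralises are quotes and backslashes. Cast instead — `$parent_qpart = (int) $parent_bare_id;` — and likewise for `$bare_id` in the fourth hunk and `$bare_item_id` in the ternary, which constrains the value to an integer whether or not the query quotes it. The UPDATE statements that consume these are outside the hunks; removeicon in the last hunk does quote `$feed_id` and checks `owner_uid`, which is the pattern the tree-editing code should match.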
@@ -440,7 +440,7 @@ class Pref_Feeds extends Handler_Protected {
 header("Content-type: text/html");
 $icon_file = $_FILES['icon_file']['tmp_name'];
- $feed_id = db_escape_string($_REQUEST["feed_id"]);
+ $feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
 if (is_file($icon_file) && $feed_id) {
 if (filesize($icon_file) < 20000) {
@@ -472,7 +472,7 @@ class Pref_Feeds extends Handler_Protected {
 global $purge_intervals;
 global $update_intervals;
- $feed_id = db_escape_string($_REQUEST["id"]);
+ $feed_id = db_escape_string($this->link, $_REQUEST["id"]);
 $result = db_query($this->link, "SELECT * FROM ttrss_feeds WHERE id = '$feed_id' AND
@@ -708,7 +708,7 @@ class Pref_Feeds extends Handler_Protected {
 global $purge_intervals;
 global $update_intervals;
- $feed_ids = db_escape_string($_REQUEST["ids"]);
+ $feed_ids = db_escape_string($this->link, $_REQUEST["ids"]);
 print "
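Review bot: The icon-upload hunk checks only that `$icon_file` exists and is under 20000 bytes before, presumably, moving it into the feed's icon location; no check that the content is actually an image is visible, and `$feed_id` is not confirmed to belong to `$_SESSION["uid"]` the way removeicon does it. If nothing outside the hunk validates the file, a user can store arbitrary bytes that are later served from the icons directory — reject the upload when `getimagesize($icon_file) === false` alongside the size test, and look the feed up with an owner_uid predicate before writing anything. The size test is the last visible line, so the remainder of the branch could not be reviewed.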
" . __("Enable the options you wish to apply using checkboxes on the right:") . "
"; 
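Review bot: In the batch-edit dialog hunk (which starts on the line with `@@ -708,7`) `$feed_ids` is SQL-escaped and then, from the `print "` that follows, appears to be emitted into the form markup, which has been stripped from this view. SQL escaping is the wrong transform for that context: if the value lands in an attribute it needs `htmlspecialchars($feed_ids)`, and the SQL escape should be applied only where the ids are later used in a query (editsaveops, outside this hunk). Validating the list as comma-separated integers here — `$feed_ids = join(",", array_map('intval', explode(",", $_REQUEST["ids"])));` — would make it safe in both contexts at once.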
@@ -862,27 +862,27 @@ class Pref_Feeds extends Handler_Protected {
 function editsaveops($batch) {
- $feed_title = db_escape_string(trim($_POST["title"]));
- $feed_link = db_escape_string(trim($_POST["feed_url"]));
- $upd_intl = (int) db_escape_string($_POST["update_interval"]);
- $purge_intl = (int) db_escape_string($_POST["purge_interval"]);
- $feed_id = (int) db_escape_string($_POST["id"]); /* editSave */
- $feed_ids = db_escape_string($_POST["ids"]); /* batchEditSave */
- $cat_id = (int) db_escape_string($_POST["cat_id"]);
- $auth_login = db_escape_string(trim($_POST["auth_login"]));
- $auth_pass = db_escape_string(trim($_POST["auth_pass"]));
- $private = checkbox_to_sql_bool(db_escape_string($_POST["private"]));
+ $feed_title = db_escape_string($this->link, trim($_POST["title"]));
+ $feed_link = db_escape_string($this->link, trim($_POST["feed_url"]));
+ $upd_intl = (int) db_escape_string($this->link, $_POST["update_interval"]);
+ $purge_intl = (int) db_escape_string($this->link, $_POST["purge_interval"]);
+ $feed_id = (int) db_escape_string($this->link, $_POST["id"]); /* editSave */
+ $feed_ids = db_escape_string($this->link, $_POST["ids"]); /* batchEditSave */
+ $cat_id = (int) db_escape_string($this->link, $_POST["cat_id"]);
+ $auth_login = db_escape_string($this->link, trim($_POST["auth_login"]));
+ $auth_pass = db_escape_string($this->link, trim($_POST["auth_pass"]));
+ $private = checkbox_to_sql_bool(db_escape_string($this->link, $_POST["private"]));
 $include_in_digest = checkbox_to_sql_bool(
- db_escape_string($_POST["include_in_digest"]));
+ db_escape_string($this->link, $_POST["include_in_digest"]));
 $cache_images = checkbox_to_sql_bool(
- db_escape_string($_POST["cache_images"]));
+ db_escape_string($this->link, $_POST["cache_images"]));
 $hide_images = checkbox_to_sql_bool(
- db_escape_string($_POST["hide_images"]));
+ db_escape_string($this->link, $_POST["hide_images"]));
 $always_display_enclosures = checkbox_to_sql_bool(
-
db_escape_string($_POST["always_display_enclosures"]));
+ db_escape_string($this->link, $_POST["always_display_enclosures"]));
 $mark_unread_on_update = checkbox_to_sql_bool(
- db_escape_string($_POST["mark_unread_on_update"]));
+ db_escape_string($this->link, $_POST["mark_unread_on_update"]));
 if (get_pref($this->link, 'ENABLE_FEED_CATS')) {
 if ($cat_id && $cat_id != 0) {
@@ -999,7 +999,7 @@ class Pref_Feeds extends Handler_Protected {
 function resetPubSub() {
- $ids = db_escape_string($_REQUEST["ids"]);
+ $ids = db_escape_string($this->link, $_REQUEST["ids"]);
 db_query($this->link, "UPDATE ttrss_feeds SET pubsub_state = 0 WHERE id IN ($ids) AND owner_uid = " . $_SESSION["uid"]);
@@ -1009,7 +1009,7 @@ class Pref_Feeds extends Handler_Protected {
 function remove() {
- $ids = split(",", db_escape_string($_REQUEST["ids"]));
+ $ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
 foreach ($ids as $id) {
 $this->remove_feed($this->link, $id, $_SESSION["uid"]);
@@ -1019,14 +1019,14 @@ class Pref_Feeds extends Handler_Protected {
 }
 function clear() {
- $id = db_escape_string($_REQUEST["id"]);
+ $id = db_escape_string($this->link, $_REQUEST["id"]);
 $this->clear_feed_articles($this->link, $id);
 }
 function rescore() {
 require_once "rssfuncs.php";
- $ids = split(",", db_escape_string($_REQUEST["ids"]));
+ $ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
 foreach ($ids as $id) {
@@ -1132,9 +1132,9 @@ class Pref_Feeds extends Handler_Protected {
 }
 function categorize() {
- $ids = split(",", db_escape_string($_REQUEST["ids"]));
+ $ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
- $cat_id = db_escape_string($_REQUEST["cat_id"]);
+ $cat_id = db_escape_string($this->link, $_REQUEST["cat_id"]);
 if ($cat_id == 0) {
 $cat_id_qpart = 'NULL';
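Review bot: In resetPubSub the escaped `$ids` is interpolated unquoted into `WHERE id IN ($ids)`, and db_escape_string() only neutralises quotes and backslashes, so a request such as `ids=1) OR (1=1` rewrites the predicate and the trailing `owner_uid` comparison no longer bounds the update to the caller's own feeds. Build the list from integers instead — `$ids = join(",", array_map('intval', explode(",", $_REQUEST["ids"])));` — at which point escaping is irrelevant because every element is an int. The `$feed_ids` taken for batchEditSave in the editsaveops hunk above looks like the same pattern, but the query that consumes it is outside the view, and the `editsaveops` body itself runs well past this hunk.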
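Review bot: remove(), rescore() and categorize() all call `split(",", …)`, the POSIX-regex function deprecated since PHP 5.3 that emits a notice on each use; `explode(",", …)` is the drop-in replacement for a literal comma and is what the api.php hunks of this same commit already use. While touching those lines, casting inside the loops — `foreach ($ids as $id) { $id = (int) $id; … }` — would make the integer intent explicit rather than relying on the per-row `WHERE id = '$id'` queries (partly outside the hunks) to quote correctly. The categorize hunk also leaves `$cat_id` as an escaped string although it is compared with `== 0` and, judging by the `'NULL'` alternative, interpolated unquoted into the query that follows; `(int) $_REQUEST["cat_id"]` fits both uses.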
@@ -1156,14 +1156,14 @@ class Pref_Feeds extends Handler_Protected { } function removeCat() { - $ids = split(",", db_escape_string($_REQUEST["ids"])); + $ids = split(",", db_escape_string($this->link, $_REQUEST["ids"])); foreach ($ids as $id) { $this->remove_feed_category($this->link, $id, $_SESSION["uid"]); } } function addCat() { - $feed_cat = db_escape_string(trim($_REQUEST["cat"])); + $feed_cat = db_escape_string($this->link, trim($_REQUEST["cat"])); add_feed_category($this->link, $feed_cat); } @@ -1205,7 +1205,7 @@ class Pref_Feeds extends Handler_Protected { __("Inactive feeds") . ""; } - $feed_search = db_escape_string($_REQUEST["search"]); + $feed_search = db_escape_string($this->link, $_REQUEST["search"]); if (array_key_exists("search", $_REQUEST)) { $_SESSION["prefs_feed_search"] = $feed_search; diff --git a/classes/pref/filters.php b/classes/pref/filters.php index 1921f2b9..c97628e5 100644 --- a/classes/pref/filters.php +++ b/classes/pref/filters.php @@ -13,7 +13,7 @@ class Pref_Filters extends Handler_Protected { $filter["enabled"] = true; $filter["match_any_rule"] = sql_bool_to_bool( - checkbox_to_sql_bool(db_escape_string($_REQUEST["match_any_rule"]))); + checkbox_to_sql_bool(db_escape_string($this->link, $_REQUEST["match_any_rule"]))); $filter["rules"] = array(); $result = db_query($this->link, "SELECT id,name FROM ttrss_filter_types"); @@ -168,7 +168,7 @@ class Pref_Filters extends Handler_Protected { if ($line['action_id'] == 7) { $label_result = db_query($this->link, "SELECT fg_color, bg_color - FROM ttrss_labels2 WHERE caption = '".db_escape_string($line['action_param'])."' AND + FROM ttrss_labels2 WHERE caption = '".db_escape_string($this->link, $line['action_param'])."' AND owner_uid = " . $_SESSION["uid"]); if (db_num_rows($label_result) > 0) { 
@@ -207,7 +207,7 @@ class Pref_Filters extends Handler_Protected { function edit() { - $filter_id = db_escape_string($_REQUEST["id"]); + $filter_id = db_escape_string($this->link, $_REQUEST["id"]); $result = db_query($this->link, "SELECT * FROM ttrss_filters2 WHERE id = '$filter_id' AND owner_uid = " . $_SESSION["uid"]); @@ -403,9 +403,9 @@ class Pref_Filters extends Handler_Protected { # print_r($_REQUEST); - $filter_id = db_escape_string($_REQUEST["id"]); - $enabled = checkbox_to_sql_bool(db_escape_string($_REQUEST["enabled"])); - $match_any_rule = checkbox_to_sql_bool(db_escape_string($_REQUEST["match_any_rule"])); + $filter_id = db_escape_string($this->link, $_REQUEST["id"]); + $enabled = checkbox_to_sql_bool(db_escape_string($this->link, $_REQUEST["enabled"])); + $match_any_rule = checkbox_to_sql_bool(db_escape_string($this->link, $_REQUEST["match_any_rule"])); $result = db_query($this->link, "UPDATE ttrss_filters2 SET enabled = $enabled, match_any_rule = $match_any_rule @@ -418,7 +418,7 @@ class Pref_Filters extends Handler_Protected { function remove() { - $ids = split(",", db_escape_string($_REQUEST["ids"])); + $ids = split(",", db_escape_string($this->link, $_REQUEST["ids"])); foreach ($ids as $id) { db_query($this->link, "DELETE FROM ttrss_filters2 WHERE id = '$id' AND owner_uid = ". $_SESSION["uid"]); @@ -457,9 +457,9 @@ class Pref_Filters extends Handler_Protected { foreach ($rules as $rule) { if ($rule) { - $reg_exp = strip_tags(db_escape_string(trim($rule["reg_exp"]))); - $filter_type = (int) db_escape_string(trim($rule["filter_type"])); - $feed_id = db_escape_string(trim($rule["feed_id"])); + $reg_exp = strip_tags(db_escape_string($this->link, trim($rule["reg_exp"]))); + $filter_type = (int) db_escape_string($this->link, trim($rule["filter_type"])); + $feed_id = db_escape_string($this->link, trim($rule["feed_id"])); if (strpos($feed_id, "CAT:") === 0) { 
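Review bot: `$reg_exp = strip_tags(db_escape_string($this->link, trim($rule["reg_exp"])));` applies strip_tags twice (the outer call and db_escape_string's default), and strip_tags on a regular expression is destructive: a pattern using lookbehind or a named group, such as `(?<=foo)bar`, loses everything from the `<` onward before it is saved. If the intent is to keep markup out of the filter editor, escape at output time with htmlspecialchars instead and store the pattern as typed: `$reg_exp = db_escape_string($this->link, trim($rule["reg_exp"]), false);`. The enclosing method starts and ends outside the hunk.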
@@ -487,9 +487,9 @@ class Pref_Filters extends Handler_Protected { foreach ($actions as $action) { if ($action) { - $action_id = (int) db_escape_string($action["action_id"]); - $action_param = db_escape_string($action["action_param"]); - $action_param_label = db_escape_string($action["action_param_label"]); + $action_id = (int) db_escape_string($this->link, $action["action_id"]); + $action_param = db_escape_string($this->link, $action["action_param"]); + $action_param_label = db_escape_string($this->link, $action["action_param_label"]); if ($action_id == 7) { $action_param = $action_param_label; @@ -541,13 +541,13 @@ class Pref_Filters extends Handler_Protected { function index() { - $sort = db_escape_string($_REQUEST["sort"]); + $sort = db_escape_string($this->link, $_REQUEST["sort"]); if (!$sort || $sort == "undefined") { $sort = "reg_exp"; } - $filter_search = db_escape_string($_REQUEST["search"]); + $filter_search = db_escape_string($this->link, $_REQUEST["search"]); if (array_key_exists("search", $_REQUEST)) { $_SESSION["prefs_filter_search"] = $filter_search; @@ -559,7 +559,7 @@ class Pref_Filters extends Handler_Protected { print "
"; print "
"; - $filter_search = db_escape_string($_REQUEST["search"]); + $filter_search = db_escape_string($this->link, $_REQUEST["search"]); if (array_key_exists("search", $_REQUEST)) { $_SESSION["prefs_filter_search"] = $filter_search; @@ -806,7 +806,7 @@ class Pref_Filters extends Handler_Protected { $action = json_decode($_REQUEST["action"], true); if ($action) { - $action_param = db_escape_string($action["action_param"]); + $action_param = db_escape_string($this->link, $action["action_param"]); $action_id = (int)$action["action_id"]; } else { $action_param = ""; @@ -914,7 +914,7 @@ class Pref_Filters extends Handler_Protected { } function join() { - $ids = explode(",", db_escape_string($_REQUEST["ids"])); + $ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"])); if (count($ids) > 1) { $base_id = array_shift($ids); diff --git a/classes/pref/labels.php b/classes/pref/labels.php index e63a0cfc..b45354c9 100644 --- a/classes/pref/labels.php +++ b/classes/pref/labels.php @@ -8,7 +8,7 @@ class Pref_Labels extends Handler_Protected { } function edit() { - $label_id = db_escape_string($_REQUEST['id']); + $label_id = db_escape_string($this->link, $_REQUEST['id']); $result = db_query($this->link, "SELECT * FROM ttrss_labels2 WHERE id = '$label_id' AND owner_uid = " . $_SESSION["uid"]); @@ -118,11 +118,11 @@ class Pref_Labels extends Handler_Protected { } function colorset() { - $kind = db_escape_string($_REQUEST["kind"]); - $ids = split(',', db_escape_string($_REQUEST["ids"])); - $color = db_escape_string($_REQUEST["color"]); - $fg = db_escape_string($_REQUEST["fg"]); - $bg = db_escape_string($_REQUEST["bg"]); + $kind = db_escape_string($this->link, $_REQUEST["kind"]); + $ids = split(',', db_escape_string($this->link, $_REQUEST["ids"])); + $color = db_escape_string($this->link, $_REQUEST["color"]); + $fg = db_escape_string($this->link, $_REQUEST["fg"]); + $bg = db_escape_string($this->link, $_REQUEST["bg"]); foreach ($ids as $id) { 
@@ -136,7 +136,7 @@ class Pref_Labels extends Handler_Protected { AND owner_uid = " . $_SESSION["uid"]); } - $caption = db_escape_string(label_find_caption($this->link, $id, $_SESSION["uid"])); + $caption = db_escape_string($this->link, label_find_caption($this->link, $id, $_SESSION["uid"])); /* Remove cached data */ @@ -149,14 +149,14 @@ class Pref_Labels extends Handler_Protected { } function colorreset() { - $ids = split(',', db_escape_string($_REQUEST["ids"])); + $ids = split(',', db_escape_string($this->link, $_REQUEST["ids"])); foreach ($ids as $id) { db_query($this->link, "UPDATE ttrss_labels2 SET fg_color = '', bg_color = '' WHERE id = '$id' AND owner_uid = " . $_SESSION["uid"]); - $caption = db_escape_string(label_find_caption($this->link, $id, $_SESSION["uid"])); + $caption = db_escape_string($this->link, label_find_caption($this->link, $id, $_SESSION["uid"])); /* Remove cached data */ @@ -168,8 +168,8 @@ class Pref_Labels extends Handler_Protected { function save() { - $id = db_escape_string($_REQUEST["id"]); - $caption = db_escape_string(trim($_REQUEST["caption"])); + $id = db_escape_string($this->link, $_REQUEST["id"]); + $caption = db_escape_string($this->link, trim($_REQUEST["caption"])); db_query($this->link, "BEGIN"); @@ -190,7 +190,7 @@ class Pref_Labels extends Handler_Protected { /* Update filters that reference label being renamed */ - $old_caption = db_escape_string($old_caption); + $old_caption = db_escape_string($this->link, $old_caption); db_query($this->link, "UPDATE ttrss_filters2_actions SET action_param = '$caption' WHERE action_param = '$old_caption' @@ -213,7 +213,7 @@ class Pref_Labels extends Handler_Protected { function remove() { - $ids = split(",", db_escape_string($_REQUEST["ids"])); + $ids = split(",", db_escape_string($this->link, $_REQUEST["ids"])); foreach ($ids as $id) { label_remove($this->link, $id, $_SESSION["uid"]); 
@@ -222,8 +222,8 @@ class Pref_Labels extends Handler_Protected { } function add() { - $caption = db_escape_string($_REQUEST["caption"]); - $output = db_escape_string($_REQUEST["output"]); + $caption = db_escape_string($this->link, $_REQUEST["caption"]); + $output = db_escape_string($this->link, $_REQUEST["output"]); if ($caption) { @@ -250,13 +250,13 @@ class Pref_Labels extends Handler_Protected { function index() { - $sort = db_escape_string($_REQUEST["sort"]); + $sort = db_escape_string($this->link, $_REQUEST["sort"]); if (!$sort || $sort == "undefined") { $sort = "caption"; } - $label_search = db_escape_string($_REQUEST["search"]); + $label_search = db_escape_string($this->link, $_REQUEST["search"]); if (array_key_exists("search", $_REQUEST)) { $_SESSION["prefs_label_search"] = $label_search; diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php index 8b8630c8..4fb8650a 100644 --- a/classes/pref/prefs.php +++ b/classes/pref/prefs.php @@ -50,8 +50,8 @@ class Pref_Prefs extends Handler_Protected { foreach (array_keys($_POST) as $pref_name) { - $pref_name = db_escape_string($pref_name); - $value = db_escape_string($_POST[$pref_name]); + $pref_name = db_escape_string($this->link, $pref_name); + $value = db_escape_string($this->link, $_POST[$pref_name]); if ($pref_name == 'DIGEST_PREFERRED_TIME') { if (get_pref($this->link, 'DIGEST_PREFERRED_TIME') != $value) { @@ -71,7 +71,7 @@ class Pref_Prefs extends Handler_Protected { function getHelp() { - $pref_name = db_escape_string($_REQUEST["pn"]); + $pref_name = db_escape_string($this->link, $_REQUEST["pn"]); $result = db_query($this->link, "SELECT help_text FROM ttrss_prefs WHERE pref_name = '$pref_name'"); 
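Review bot: `$value = db_escape_string($this->link, $_POST[$pref_name]);` in the prefs.php saveconfig hunk indexes `$_POST` with the already-escaped key, so any key that strip_tags or the driver escaper alters maps to a missing entry and `$value` becomes empty. Read the value before rewriting the key, i.e. swap the two lines so the lookup is `$_POST[$pref_name]` on the raw key and the escaped name is assigned afterwards. The foreach body continues outside the hunk.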
@@ -86,8 +86,8 @@ class Pref_Prefs extends Handler_Protected { function changeemail() { - $email = db_escape_string($_POST["email"]); - $full_name = db_escape_string($_POST["full_name"]); + $email = db_escape_string($this->link, $_POST["email"]); + $full_name = db_escape_string($this->link, $_POST["full_name"]); $active_uid = $_SESSION["uid"]; @@ -798,7 +798,7 @@ class Pref_Prefs extends Handler_Protected { } function otpenable() { - $password = db_escape_string($_REQUEST["password"]); + $password = db_escape_string($this->link, $_REQUEST["password"]); $enable_otp = $_REQUEST["enable_otp"] == "on"; global $pluginhost; @@ -819,7 +819,7 @@ class Pref_Prefs extends Handler_Protected { } function otpdisable() { - $password = db_escape_string($_REQUEST["password"]); + $password = db_escape_string($this->link, $_REQUEST["password"]); global $pluginhost; $authenticator = $pluginhost->get_plugin($_SESSION["auth_module"]); @@ -846,7 +846,7 @@ class Pref_Prefs extends Handler_Protected { } function clearplugindata() { - $name = db_escape_string($_REQUEST["name"]); + $name = db_escape_string($this->link, $_REQUEST["name"]); global $pluginhost; $pluginhost->clear_data($pluginhost->get_plugin($name)); diff --git a/classes/pref/users.php b/classes/pref/users.php index d36ed29f..fbba5e40 100644 --- a/classes/pref/users.php +++ b/classes/pref/users.php @@ -116,7 +116,7 @@ class Pref_Users extends Handler_Protected { header("Content-Type: text/xml"); - $id = db_escape_string($_REQUEST["id"]); + $id = db_escape_string($this->link, $_REQUEST["id"]); print ""; print "".__('User Editor').""; 
@@ -199,11 +199,11 @@ class Pref_Users extends Handler_Protected { } function editSave() { - $login = db_escape_string(trim($_REQUEST["login"])); - $uid = db_escape_string($_REQUEST["id"]); + $login = db_escape_string($this->link, trim($_REQUEST["login"])); + $uid = db_escape_string($this->link, $_REQUEST["id"]); $access_level = (int) $_REQUEST["access_level"]; - $email = db_escape_string(trim($_REQUEST["email"])); - $password = db_escape_string(trim($_REQUEST["password"])); + $email = db_escape_string($this->link, trim($_REQUEST["email"])); + $password = db_escape_string($this->link, trim($_REQUEST["password"])); if ($password) { $salt = substr(bin2hex(get_random_bytes(125)), 0, 250); @@ -220,7 +220,7 @@ class Pref_Users extends Handler_Protected { } function remove() { - $ids = split(",", db_escape_string($_REQUEST["ids"])); + $ids = split(",", db_escape_string($this->link, $_REQUEST["ids"])); foreach ($ids as $id) { if ($id != $_SESSION["uid"] && $id != 1) { @@ -233,7 +233,7 @@ class Pref_Users extends Handler_Protected { function add() { - $login = db_escape_string(trim($_REQUEST["login"])); + $login = db_escape_string($this->link, trim($_REQUEST["login"])); $tmp_user_pwd = make_password(8); $salt = substr(bin2hex(get_random_bytes(125)), 0, 250); $pwd_hash = encrypt_password($tmp_user_pwd, $salt, true); @@ -272,7 +272,7 @@ class Pref_Users extends Handler_Protected { function resetPass() { - $uid = db_escape_string($_REQUEST["id"]); + $uid = db_escape_string($this->link, $_REQUEST["id"]); $result = db_query($this->link, "SELECT login,email FROM ttrss_users WHERE id = '$uid'"); @@ -353,7 +353,7 @@ class Pref_Users extends Handler_Protected { print "
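Review bot: `$password = db_escape_string($this->link, trim($_REQUEST["password"]));` in editSave alters the plaintext before it is used: strip_tags (the default) drops everything after a bare `<` and the driver escaper adds backslashes, so if the lines following the salt generation hash `$password` (the hash call is outside the hunk), the stored hash is of a modified password. Keep the raw trimmed value for hashing, `$password = trim($_REQUEST["password"]);`, and escape only the values that are actually interpolated into SQL after hashing. editSave continues past the hunk.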
"; - $user_search = db_escape_string($_REQUEST["search"]); + $user_search = db_escape_string($this->link, $_REQUEST["search"]); if (array_key_exists("search", $_REQUEST)) { $_SESSION["prefs_user_search"] = $user_search; @@ -368,7 +368,7 @@ class Pref_Users extends Handler_Protected { __('Search')."
"; - $sort = db_escape_string($_REQUEST["sort"]); + $sort = db_escape_string($this->link, $_REQUEST["sort"]); if (!$sort || $sort == "undefined") { $sort = "login"; diff --git a/classes/rpc.php b/classes/rpc.php index 8144f6b9..6f906407 100644 --- a/classes/rpc.php +++ b/classes/rpc.php @@ -8,14 +8,14 @@ class RPC extends Handler_Protected { } function setprofile() { - $id = db_escape_string($_REQUEST["id"]); + $id = db_escape_string($this->link, $_REQUEST["id"]); $_SESSION["profile"] = $id; $_SESSION["prefs_cache"] = array(); } function remprofiles() { - $ids = explode(",", db_escape_string(trim($_REQUEST["ids"]))); + $ids = explode(",", db_escape_string($this->link, trim($_REQUEST["ids"]))); foreach ($ids as $id) { if ($_SESSION["profile"] != $id) { @@ -27,7 +27,7 @@ class RPC extends Handler_Protected { // Silent function addprofile() { - $title = db_escape_string(trim($_REQUEST["title"])); + $title = db_escape_string($this->link, trim($_REQUEST["title"])); if ($title) { db_query($this->link, "BEGIN"); @@ -57,8 +57,8 @@ class RPC extends Handler_Protected { // Silent function saveprofile() { - $id = db_escape_string($_REQUEST["id"]); - $title = db_escape_string(trim($_REQUEST["value"])); + $id = db_escape_string($this->link, $_REQUEST["id"]); + $title = db_escape_string($this->link, trim($_REQUEST["value"])); if ($id == 0) { print __("Default profile"); @@ -88,7 +88,7 @@ class RPC extends Handler_Protected { // Silent function remarchive() { - $ids = explode(",", db_escape_string($_REQUEST["ids"])); + $ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"])); foreach ($ids as $id) { $result = db_query($this->link, "DELETE FROM ttrss_archived_feeds WHERE 
@@ -101,11 +101,11 @@ class RPC extends Handler_Protected { } function addfeed() { - $feed = db_escape_string($_REQUEST['feed']); - $cat = db_escape_string($_REQUEST['cat']); - $login = db_escape_string($_REQUEST['login']); - $pass = db_escape_string($_REQUEST['pass']); - $need_auth = db_escape_string($_REQUEST['need_auth']) != ""; + $feed = db_escape_string($this->link, $_REQUEST['feed']); + $cat = db_escape_string($this->link, $_REQUEST['cat']); + $login = db_escape_string($this->link, $_REQUEST['login']); + $pass = db_escape_string($this->link, $_REQUEST['pass']); + $need_auth = db_escape_string($this->link, $_REQUEST['need_auth']) != ""; $rc = subscribe_to_feed($this->link, $feed, $cat, $login, $pass, $need_auth); @@ -113,7 +113,7 @@ class RPC extends Handler_Protected { } function togglepref() { - $key = db_escape_string($_REQUEST["key"]); + $key = db_escape_string($this->link, $_REQUEST["key"]); set_pref($this->link, $key, !get_pref($this->link, $key)); $value = get_pref($this->link, $key); @@ -132,7 +132,7 @@ class RPC extends Handler_Protected { function mark() { $mark = $_REQUEST["mark"]; - $id = db_escape_string($_REQUEST["id"]); + $id = db_escape_string($this->link, $_REQUEST["id"]); if ($mark == "1") { $mark = "true"; @@ -148,7 +148,7 @@ class RPC extends Handler_Protected { } function delete() { - $ids = db_escape_string($_REQUEST["ids"]); + $ids = db_escape_string($this->link, $_REQUEST["ids"]); $result = db_query($this->link, "DELETE FROM ttrss_user_entries WHERE ref_id IN ($ids) AND owner_uid = " . $_SESSION["uid"]); @@ -157,7 +157,7 @@ class RPC extends Handler_Protected { } function unarchive() { - $ids = db_escape_string($_REQUEST["ids"]); + $ids = db_escape_string($this->link, $_REQUEST["ids"]); $result = db_query($this->link, "UPDATE ttrss_user_entries SET feed_id = orig_feed_id, orig_feed_id = NULL 
@@ -167,7 +167,7 @@ class RPC extends Handler_Protected { } function archive() { - $ids = explode(",", db_escape_string($_REQUEST["ids"])); + $ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"])); foreach ($ids as $id) { $this->archive_article($this->link, $id, $_SESSION["uid"]); @@ -210,8 +210,8 @@ class RPC extends Handler_Protected { function publ() { $pub = $_REQUEST["pub"]; - $id = db_escape_string($_REQUEST["id"]); - $note = trim(strip_tags(db_escape_string($_REQUEST["note"]))); + $id = db_escape_string($this->link, $_REQUEST["id"]); + $note = trim(strip_tags(db_escape_string($this->link, $_REQUEST["note"]))); if ($pub == "1") { $pub = "true"; @@ -257,7 +257,7 @@ class RPC extends Handler_Protected { /* GET["cmode"] = 0 - mark as read, 1 - as unread, 2 - toggle */ function catchupSelected() { - $ids = explode(",", db_escape_string($_REQUEST["ids"])); + $ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"])); $cmode = sprintf("%d", $_REQUEST["cmode"]); catchupArticlesById($this->link, $ids, $cmode); @@ -266,7 +266,7 @@ class RPC extends Handler_Protected { } function markSelected() { - $ids = explode(",", db_escape_string($_REQUEST["ids"])); + $ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"])); $cmode = sprintf("%d", $_REQUEST["cmode"]); $this->markArticlesById($this->link, $ids, $cmode); @@ -275,7 +275,7 @@ class RPC extends Handler_Protected { } function publishSelected() { - $ids = explode(",", db_escape_string($_REQUEST["ids"])); + $ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"])); $cmode = sprintf("%d", $_REQUEST["cmode"]); $this->publishArticlesById($this->link, $ids, $cmode); 
@@ -301,9 +301,9 @@ class RPC extends Handler_Protected { function setArticleTags() { - $id = db_escape_string($_REQUEST["id"]); + $id = db_escape_string($this->link, $_REQUEST["id"]); - $tags_str = db_escape_string($_REQUEST["tags_str"]); + $tags_str = db_escape_string($this->link, $_REQUEST["tags_str"]); $tags = array_unique(trim_array(explode(",", $tags_str))); db_query($this->link, "BEGIN"); @@ -373,7 +373,7 @@ class RPC extends Handler_Protected { } function completeLabels() { - $search = db_escape_string($_REQUEST["search"]); + $search = db_escape_string($this->link, $_REQUEST["search"]); $result = db_query($this->link, "SELECT DISTINCT caption FROM ttrss_labels2 @@ -390,7 +390,7 @@ class RPC extends Handler_Protected { function completeTags() { - $search = db_escape_string($_REQUEST["search"]); + $search = db_escape_string($this->link, $_REQUEST["search"]); $result = db_query($this->link, "SELECT DISTINCT tag_name FROM ttrss_tags WHERE owner_uid = '".$_SESSION["uid"]."' AND @@ -405,7 +405,7 @@ class RPC extends Handler_Protected { } function purge() { - $ids = explode(",", db_escape_string($_REQUEST["ids"])); + $ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"])); $days = sprintf("%d", $_REQUEST["days"]); foreach ($ids as $id) { @@ -420,7 +420,7 @@ class RPC extends Handler_Protected { } function getArticles() { - $ids = explode(",", db_escape_string($_REQUEST["ids"])); + $ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"])); $articles = array(); foreach ($ids as $id) { @@ -433,7 +433,7 @@ class RPC extends Handler_Protected { } function checkDate() { - $date = db_escape_string($_REQUEST["date"]); + $date = db_escape_string($this->link, $_REQUEST["date"]); $date_parsed = strtotime($date); print json_encode(array("result" => (bool)$date_parsed, 
@@ -451,10 +451,10 @@ class RPC extends Handler_Protected { function labelops($assign) { $reply = array(); - $ids = explode(",", db_escape_string($_REQUEST["ids"])); - $label_id = db_escape_string($_REQUEST["lid"]); + $ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"])); + $label_id = db_escape_string($this->link, $_REQUEST["lid"]); - $label = db_escape_string(label_find_caption($this->link, $label_id, + $label = db_escape_string($this->link, label_find_caption($this->link, $label_id, $_SESSION["uid"])); $reply["info-for-headlines"] = array(); @@ -482,9 +482,9 @@ class RPC extends Handler_Protected { } function updateFeedBrowser() { - $search = db_escape_string($_REQUEST["search"]); - $limit = db_escape_string($_REQUEST["limit"]); - $mode = (int) db_escape_string($_REQUEST["mode"]); + $search = db_escape_string($this->link, $_REQUEST["search"]); + $limit = db_escape_string($this->link, $_REQUEST["limit"]); + $mode = (int) db_escape_string($this->link, $_REQUEST["mode"]); require_once "feedbrowser.php"; @@ -504,8 +504,8 @@ class RPC extends Handler_Protected { if ($mode == 1) { foreach ($payload as $feed) { - $title = db_escape_string($feed[0]); - $feed_url = db_escape_string($feed[1]); + $title = db_escape_string($this->link, $feed[0]); + $feed_url = db_escape_string($this->link, $feed[1]); $result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]); 
@@ -524,9 +524,9 @@ class RPC extends Handler_Protected { WHERE id = '$id' AND owner_uid = " . $_SESSION["uid"]); if (db_num_rows($result) != 0) { - $site_url = db_escape_string(db_fetch_result($result, 0, "site_url")); - $feed_url = db_escape_string(db_fetch_result($result, 0, "feed_url")); - $title = db_escape_string(db_fetch_result($result, 0, "title")); + $site_url = db_escape_string($this->link, db_fetch_result($result, 0, "site_url")); + $feed_url = db_escape_string($this->link, db_fetch_result($result, 0, "feed_url")); + $title = db_escape_string($this->link, db_fetch_result($result, 0, "title")); $result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]); @@ -543,9 +543,9 @@ class RPC extends Handler_Protected { } function catchupFeed() { - $feed_id = db_escape_string($_REQUEST['feed_id']); - $is_cat = db_escape_string($_REQUEST['is_cat']) == "true"; - $max_id = (int) db_escape_string($_REQUEST['max_id']); + $feed_id = db_escape_string($this->link, $_REQUEST['feed_id']); + $is_cat = db_escape_string($this->link, $_REQUEST['is_cat']) == "true"; + $max_id = (int) db_escape_string($this->link, $_REQUEST['max_id']); catchup_feed($this->link, $feed_id, $is_cat, false, $max_id); @@ -553,7 +553,7 @@ class RPC extends Handler_Protected { } function quickAddCat() { - $cat = db_escape_string($_REQUEST["cat"]); + $cat = db_escape_string($this->link, $_REQUEST["cat"]); add_feed_category($this->link, $cat); @@ -570,8 +570,8 @@ class RPC extends Handler_Protected { } function regenFeedKey() { - $feed_id = db_escape_string($_REQUEST['id']); - $is_cat = db_escape_string($_REQUEST['is_cat']) == "true"; + $feed_id = db_escape_string($this->link, $_REQUEST['id']); + $is_cat = db_escape_string($this->link, $_REQUEST['is_cat']) == "true"; $new_key = $this->update_feed_access_key($this->link, $feed_id, $is_cat); 
@@ -619,11 +619,11 @@ class RPC extends Handler_Protected { } function batchAddFeeds() { - $cat_id = db_escape_string($_REQUEST['cat']); - $feeds = explode("\n", db_escape_string($_REQUEST['feeds'])); - $login = db_escape_string($_REQUEST['login']); - $pass = db_escape_string($_REQUEST['pass']); - $need_auth = db_escape_string($_REQUEST['need_auth']) != ""; + $cat_id = db_escape_string($this->link, $_REQUEST['cat']); + $feeds = explode("\n", db_escape_string($this->link, $_REQUEST['feeds'])); + $login = db_escape_string($this->link, $_REQUEST['login']); + $pass = db_escape_string($this->link, $_REQUEST['pass']); + $need_auth = db_escape_string($this->link, $_REQUEST['need_auth']) != ""; foreach ($feeds as $feed) { $feed = trim($feed); @@ -656,8 +656,8 @@ class RPC extends Handler_Protected { } function setScore() { - $ids = db_escape_string($_REQUEST['id']); - $score = (int)db_escape_string($_REQUEST['score']); + $ids = db_escape_string($this->link, $_REQUEST['id']); + $score = (int)db_escape_string($this->link, $_REQUEST['score']); db_query($this->link, "UPDATE ttrss_user_entries SET score = '$score' WHERE ref_id IN ($ids) AND owner_uid = " . $_SESSION["uid"]); @@ -756,7 +756,7 @@ class RPC extends Handler_Protected { AND owner_uid = " . $owner_uid); if (db_num_rows($result) == 1) { - $key = db_escape_string(sha1(uniqid(rand(), true))); + $key = db_escape_string($this->link, sha1(uniqid(rand(), true))); db_query($link, "UPDATE ttrss_access_keys SET access_key = '$key' WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat @@ -830,7 +830,7 @@ class RPC extends Handler_Protected { } function getlinkbyid() { - $id = db_escape_string($_REQUEST['id']); + $id = db_escape_string($this->link, $_REQUEST['id']); $result = db_query($this->link, "SELECT link FROM ttrss_entries, ttrss_user_entries WHERE ref_id = '$id' AND ref_id = id AND owner_uid = ". $_SESSION["uid"]); diff --git a/include/db-prefs.php b/include/db-prefs.php index 641e9d1d..f6a78939 100644 
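Review bot: `$key = db_escape_string($this->link, sha1(uniqid(rand(), true)));` derives a feed access key from `uniqid`/`rand`, which are not cryptographically random, and the opml.php hunk shows such a key being looked up straight from the request to resolve an owner_uid, so it acts as a bearer credential. The users.php hunks in this same commit already use `get_random_bytes`, so `$key = db_escape_string($this->link, sha1(get_random_bytes(32)));` yields a key of the same shape from a proper source (the escape is a no-op on hex output and could be dropped). The same derivation appears in the get_feed_access_key hunk of include/functions.php. update_feed_access_key starts before the hunk.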
--- a/include/db-prefs.php +++ b/include/db-prefs.php @@ -44,7 +44,7 @@ function get_pref($link, $pref_name, $user_id = false, $die_on_error = false) { - $pref_name = db_escape_string($pref_name); + $pref_name = db_escape_string($link, $pref_name); $prefs_cache = true; $profile = false; @@ -115,8 +115,8 @@ } function set_pref($link, $pref_name, $value, $user_id = false, $strip_tags = true) { - $pref_name = db_escape_string($pref_name); - $value = db_escape_string($value, $strip_tags); + $pref_name = db_escape_string($link, $pref_name); + $value = db_escape_string($link, $value, $strip_tags); if (!$user_id) { $user_id = $_SESSION["uid"]; diff --git a/include/db.php b/include/db.php index 0f4bf370..0479df6a 100644 --- a/include/db.php +++ b/include/db.php @@ -41,21 +41,13 @@ function db_connect($host, $user, $pass, $db) { } } -function db_escape_string($s, $strip_tags = true, $link = NULL) { +function db_escape_string($link, $s, $strip_tags = true) { if ($strip_tags) $s = strip_tags($s); if (DB_TYPE == "pgsql") { - if ($link) { - return pg_escape_string($link, $s); - } else { - return pg_escape_string($s); - } + return pg_escape_string($link, $s); } else { - if ($link) { - return mysql_real_escape_string($s, $link); - } else { - return mysql_real_escape_string($s); - } + return mysql_real_escape_string($s, $link); } } diff --git a/include/functions.php b/include/functions.php index 5d555005..17fe1854 100644 --- a/include/functions.php +++ b/include/functions.php @@ -516,7 +516,7 @@ function initialize_user_prefs($link, $uid, $profile = false) { - $uid = db_escape_string($uid); + $uid = db_escape_string($link, $uid); if (!$profile) { $profile = "NULL"; @@ -911,7 +911,7 @@ } } - if (db_escape_string("testTEST") != "testTEST") { + if (db_escape_string($link, "testTEST") != "testTEST") { $error_code = 12; } 
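Review bot: The rewritten db_escape_string drops the no-link fallback, which is the intended change, but a caller this mass edit missed now passes its string as `$link` and nothing as `$s`; strip_tags on a missing value yields an empty string, so the escaper returns "" (plus a driver warning) and the query runs with a silently blanked value. A guard at the top turns a missed call site into a loud failure: `if (!is_resource($link)) trigger_error("db_escape_string: invalid database link", E_USER_ERROR);`. The `$strip_tags = true` default survives the reorder and deserves a one-line comment, since it is the reason call sites storing HTML or credentials must pass `false`.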
@@ -1086,7 +1086,7 @@ } else { // tag db_query($link, "BEGIN"); - $tag_name = db_escape_string($feed); + $tag_name = db_escape_string($link, $feed); $result = db_query($link, "SELECT post_int_id FROM ttrss_tags WHERE tag_name = '$tag_name' AND owner_uid = $owner_uid"); @@ -1283,7 +1283,7 @@ return 0; } else if ($feed != "0" && $n_feed == 0) { - $feed = db_escape_string($feed); + $feed = db_escape_string($link, $feed); $result = db_query($link, "SELECT SUM((SELECT COUNT(int_id) FROM ttrss_user_entries,ttrss_entries WHERE int_id = post_int_id @@ -2744,7 +2744,7 @@ function get_article_tags($link, $id, $owner_uid = 0, $tag_cache = false) { - $a_id = db_escape_string($id); + $a_id = db_escape_string($link, $id); if (!$owner_uid) $owner_uid = $_SESSION["uid"]; @@ -2779,7 +2779,7 @@ /* update the cache */ - $tags_str = db_escape_string(join(",", $tags)); + $tags_str = db_escape_string($link, join(",", $tags)); db_query($link, "UPDATE ttrss_user_entries SET tag_cache = '$tags_str' WHERE ref_id = '$id' @@ -3511,7 +3511,7 @@ if (db_num_rows($result) == 1) { return db_fetch_result($result, 0, "access_key"); } else { - $key = db_escape_string(sha1(uniqid(rand(), true))); + $key = db_escape_string($link, sha1(uniqid(rand(), true))); $result = db_query($link, "INSERT INTO ttrss_access_keys (access_key, feed_id, is_cat, owner_uid) @@ -3865,7 +3865,7 @@ if ($regexp_valid) { - $rule['reg_exp'] = db_escape_string($rule['reg_exp']); + $rule['reg_exp'] = db_escape_string($link, $rule['reg_exp']); switch ($rule["type"]) { case "title": @@ -3896,7 +3896,7 @@ } if (isset($rule["feed_id"]) && $rule["feed_id"] > 0) { - $qpart .= " AND feed_id = " . db_escape_string($rule["feed_id"]); + $qpart .= " AND feed_id = " . db_escape_string($link, $rule["feed_id"]); } if (isset($rule["cat_id"])) { diff --git a/include/labels.php b/include/labels.php index da7e3f97..e45a3862 100644 --- a/include/labels.php +++ b/include/labels.php 
@@ -88,7 +88,7 @@ if (!$labels) $labels = get_article_labels($link, $id); - $labels = db_escape_string(json_encode($labels)); + $labels = db_escape_string($link, json_encode($labels)); db_query($link, "UPDATE ttrss_user_entries SET label_cache = '$labels' WHERE ref_id = '$id' AND owner_uid = '$owner_uid'"); diff --git a/include/rssfuncs.php b/include/rssfuncs.php index df1d1698..55c0baa4 100644 --- a/include/rssfuncs.php +++ b/include/rssfuncs.php @@ -18,10 +18,10 @@ $count = 0; while ($line = db_fetch_assoc($result)) { - $subscribers = db_escape_string($line["subscribers"]); - $feed_url = db_escape_string($line["feed_url"]); - $title = db_escape_string($line["title"]); - $site_url = db_escape_string($line["site_url"]); + $subscribers = db_escape_string($link, $line["subscribers"]); + $feed_url = db_escape_string($link, $line["feed_url"]); + $title = db_escape_string($link, $line["title"]); + $site_url = db_escape_string($link, $line["site_url"]); $tmp_result = db_query($link, "SELECT subscribers FROM ttrss_feedbrowser_cache WHERE feed_url = '$feed_url'"); @@ -200,7 +200,7 @@ $cache_images = sql_bool_to_bool(db_fetch_result($result, 0, "cache_images")); $fetch_url = db_fetch_result($result, 0, "feed_url"); - $feed = db_escape_string($feed); + $feed = db_escape_string($link, $feed); /* if ($auth_login && $auth_pass ){ $url_parts = array(); @@ -238,7 +238,7 @@ _debug("update_rss_feed: unable to fetch: $fetch_last_error"); } - $error_escaped = db_escape_string($fetch_last_error); + $error_escaped = db_escape_string($link, $fetch_last_error); db_query($link, "UPDATE ttrss_feeds SET last_error = '$error_escaped', @@ -287,7 +287,7 @@ // print_r($rss); - $feed = db_escape_string($feed); + $feed = db_escape_string($link, $feed); if (!$rss->error()) { 
@@ -318,7 +318,7 @@ $owner_uid = db_fetch_result($result, 0, "owner_uid"); - $site_url = db_escape_string(mb_substr(rewrite_relative_url($fetch_url, $rss->get_link()), 0, 245)); + $site_url = db_escape_string($link, mb_substr(rewrite_relative_url($fetch_url, $rss->get_link()), 0, 245)); if ($debug_enabled) { _debug("update_rss_feed: checking favicon..."); @@ -333,7 +333,7 @@ if (!$registered_title || $registered_title == "[Unknown]") { - $feed_title = db_escape_string($rss->get_title()); + $feed_title = db_escape_string($link, $rss->get_title()); if ($debug_enabled) { _debug("update_rss_feed: registering title: $feed_title"); @@ -475,13 +475,13 @@ $entry_author = $entry_author_item->get_name(); if (!$entry_author) $entry_author = $entry_author_item->get_email(); - $entry_author = db_escape_string($entry_author); + $entry_author = db_escape_string($link, $entry_author); } - $entry_guid = db_escape_string(mb_substr($entry_guid, 0, 245)); + $entry_guid = db_escape_string($link, mb_substr($entry_guid, 0, 245)); - $entry_comments = db_escape_string(mb_substr($entry_comments, 0, 245)); - $entry_author = db_escape_string(mb_substr($entry_author, 0, 245)); + $entry_comments = db_escape_string($link, mb_substr($entry_comments, 0, 245)); + $entry_author = db_escape_string($link, mb_substr($entry_author, 0, 245)); $num_comments = $item->get_item_tags('http://purl.org/rss/1.0/modules/slash/', 'comments'); @@ -539,7 +539,7 @@ // FIXME not sure if owner_uid is a good idea here, we may have a base entry without user entry (?) $result = db_query($link, "SELECT plugin_data,title,content,link,tag_cache,author FROM ttrss_entries, ttrss_user_entries - WHERE ref_id = id AND guid = '".db_escape_string($entry_guid)."' AND owner_uid = $owner_uid"); + WHERE ref_id = id AND guid = '".db_escape_string($link, $entry_guid)."' AND owner_uid = $owner_uid"); if (db_num_rows($result) != 0) { $entry_plugin_data = db_fetch_result($result, 0, "plugin_data"); 
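Review bot: `guid = '".db_escape_string($link, $entry_guid)."'` in the `@@ -539` hunk escapes `$entry_guid` a second time — the `@@ -475` hunk already assigned `$entry_guid = db_escape_string($link, mb_substr($entry_guid, 0, 245))` — unless the variable is reassigned in the lines between the hunks, which are not visible. Double escaping doubles backslashes under MySQL, so a guid containing a quote or backslash never matches its stored row and is re-inserted on every fetch; use `guid = '$entry_guid'` here, or escape once at the point of use. The enclosing function starts before the hunk.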
@@ -568,11 +568,11 @@ } $entry_tags = $article["tags"]; - $entry_guid = db_escape_string($entry_guid); - $entry_title = db_escape_string($article["title"]); - $entry_author = db_escape_string($article["author"]); - $entry_link = db_escape_string($article["link"]); - $entry_plugin_data = db_escape_string($article["plugin_data"]); + $entry_guid = db_escape_string($link, $entry_guid); + $entry_title = db_escape_string($link, $article["title"]); + $entry_author = db_escape_string($link, $article["author"]); + $entry_link = db_escape_string($link, $article["link"]); + $entry_plugin_data = db_escape_string($link, $article["plugin_data"]); $entry_content = $article["content"]; // escaped below @@ -583,7 +583,7 @@ if ($cache_images && is_writable(CACHE_DIR . '/images')) cache_images($entry_content, $site_url, $debug_enabled); - $entry_content = db_escape_string($entry_content, false); + $entry_content = db_escape_string($link, $entry_content, false); $content_hash = "SHA1:" . sha1($entry_content); @@ -829,7 +829,7 @@ $update_insignificant = false; } - if (db_escape_string($orig_title) != $entry_title) { + if (db_escape_string($link, $orig_title) != $entry_title) { $post_needs_update = true; $update_insignificant = false; } @@ -896,9 +896,9 @@ db_query($link, "BEGIN"); foreach ($enclosures as $enc) { - $enc_url = db_escape_string($enc[0]); - $enc_type = db_escape_string($enc[1]); - $enc_dur = db_escape_string($enc[2]); + $enc_url = db_escape_string($link, $enc[0]); + $enc_type = db_escape_string($link, $enc[1]); + $enc_dur = db_escape_string($link, $enc[2]); $result = db_query($link, "SELECT id FROM ttrss_enclosures WHERE content_url = '$enc_url' AND post_id = '$entry_ref_id'"); @@ -959,7 +959,7 @@ foreach ($filtered_tags as $tag) { $tag = sanitize_tag($tag); - $tag = db_escape_string($tag); + $tag = db_escape_string($link, $tag); if (!tag_is_valid($tag)) continue; 
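Review bot: In the hunk at -583, `$content_hash = "SHA1:" . sha1($entry_content);` is computed after `$entry_content` has been escaped, so the stored hash depends on the database driver's escaping rules rather than on the article text alone, and a driver or escaping change would make every article with quotes or backslashes look modified. Move the `$content_hash` line above the `db_escape_string($link, $entry_content, false)` call so the hash is tied to the content. Be aware that this changes the hash for such articles once, so existing rows would be re-updated on the next fetch after deployment. The -829 hunk's `db_escape_string($link, $orig_title) != $entry_title` relies on the same escape-then-compare pattern, which only holds while both sides are escaped by the same connection settings.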
@@ -981,7 +981,7 @@ $tags_to_cache = array_unique($tags_to_cache); - $tags_str = db_escape_string(join(",", $tags_to_cache)); + $tags_str = db_escape_string($link, join(",", $tags_to_cache)); db_query($link, "UPDATE ttrss_user_entries SET tag_cache = '$tags_str' WHERE ref_id = '$entry_ref_id' @@ -1031,7 +1031,7 @@ } else { - $error_msg = db_escape_string(mb_substr($rss->error(), 0, 245)); + $error_msg = db_escape_string($link, mb_substr($rss->error(), 0, 245)); if ($debug_enabled) { _debug("update_rss_feed: error fetching feed: $error_msg"); diff --git a/include/sessions.php b/include/sessions.php index 92e346af..3355ec49 100644 --- a/include/sessions.php +++ b/include/sessions.php @@ -53,7 +53,7 @@ $expire = time() + $session_expire; - $data = db_escape_string(base64_encode($data), false, $session_connection); + $data = db_escape_string($session_connection, base64_encode($data), false); if ($session_read) { $query = "UPDATE ttrss_sessions SET data='$data', @@ -71,7 +71,7 @@ global $session_connection; - db_close($session_connection); + //db_close($session_connection); return true; } diff --git a/opml.php b/opml.php index 62391363..b8c9fb6c 100644 --- a/opml.php +++ b/opml.php @@ -16,7 +16,7 @@ $op = $_REQUEST['op']; if ($op == "publish"){ - $key = db_escape_string($_REQUEST["key"]); + $key = db_escape_string($link, $_REQUEST["key"]); $result = db_query($link, "SELECT owner_uid FROM ttrss_access_keys WHERE diff --git a/plugins/auth_internal/init.php b/plugins/auth_internal/init.php index cf6c1378..e910e52a 100644 --- a/plugins/auth_internal/init.php +++ b/plugins/auth_internal/init.php 
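Review bot: The sessions hunk at -71 leaves `//db_close($session_connection);` as commented-out code with no explanation in the file, so the next reader cannot tell whether the close is disabled on purpose. Delete the line and replace it with a why-comment, e.g. `// not closed here on purpose: the connection is still in use after the session handler runs (confirm against the commit message)`. `_close()` then reduces to `return true;`, which is acceptable for a custom session handler.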
@@ -22,8 +22,8 @@ class Auth_Internal extends Plugin implements IAuthModule { $pwd_hash1 = encrypt_password($password); $pwd_hash2 = encrypt_password($password, $login); - $login = db_escape_string($login); - $otp = db_escape_string($_REQUEST["otp"]); + $login = db_escape_string($this->link, $login); + $otp = db_escape_string($this->link, $_REQUEST["otp"]); if (get_schema_version($this->link) > 96) { if (!defined('AUTH_DISABLE_OTP') || !AUTH_DISABLE_OTP) { @@ -140,7 +140,7 @@ class Auth_Internal extends Plugin implements IAuthModule { } function check_password($owner_uid, $password) { - $owner_uid = db_escape_string($owner_uid); + $owner_uid = db_escape_string($this->link, $owner_uid); $result = db_query($this->link, "SELECT salt,login FROM ttrss_users WHERE id = '$owner_uid'"); @@ -169,7 +169,7 @@ class Auth_Internal extends Plugin implements IAuthModule { } function change_password($owner_uid, $old_password, $new_password) { - $owner_uid = db_escape_string($owner_uid); + $owner_uid = db_escape_string($this->link, $owner_uid); if ($this->check_password($owner_uid, $old_password)) { diff --git a/plugins/auth_remote/init.php b/plugins/auth_remote/init.php index 7c8d835f..7e4638fb 100644 --- a/plugins/auth_remote/init.php +++ b/plugins/auth_remote/init.php @@ -21,7 +21,7 @@ class Auth_Remote extends Plugin implements IAuthModule { } function get_login_by_ssl_certificate() { - $cert_serial = db_escape_string(get_ssl_certificate_id()); + $cert_serial = db_escape_string($this->link, get_ssl_certificate_id()); if ($cert_serial) { $result = db_query($this->link, "SELECT login FROM ttrss_user_prefs, ttrss_users @@ -29,7 +29,7 @@ class Auth_Remote extends Plugin implements IAuthModule { owner_uid = ttrss_users.id"); if (db_num_rows($result) != 0) { - return db_escape_string(db_fetch_result($result, 0, "login")); + return db_escape_string($this->link, db_fetch_result($result, 0, "login")); } } 
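Review bot: `check_password()` and `change_password()` (hunks at -140 and -169) escape `$owner_uid` as a string, and change_password then passes the already-escaped value into check_password, which escapes it a second time. The value is a user id, so `$owner_uid = (int) $owner_uid;` in both methods is clearer and makes the string quoting in `WHERE id = '$owner_uid'` unnecessary. Double escaping is harmless for a numeric id but corrupts any value containing quotes or backslashes, so it is worth fixing before the pattern is copied elsewhere.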
@@ -38,10 +38,10 @@ class Auth_Remote extends Plugin implements IAuthModule { function authenticate($login, $password) { - $try_login = db_escape_string($_SERVER["REMOTE_USER"]); + $try_login = db_escape_string($this->link, $_SERVER["REMOTE_USER"]); // php-cgi - if (!$try_login) $try_login = db_escape_string($_SERVER["REDIRECT_REMOTE_USER"]); + if (!$try_login) $try_login = db_escape_string($this->link, $_SERVER["REDIRECT_REMOTE_USER"]); if (!$try_login) $try_login = $this->get_login_by_ssl_certificate(); # if (!$try_login) $try_login = "test_qqq"; @@ -60,14 +60,14 @@ class Auth_Remote extends Plugin implements IAuthModule { // update user name $fullname = $_SERVER['HTTP_USER_NAME'] ? $_SERVER['HTTP_USER_NAME'] : $_SERVER['AUTHENTICATE_CN']; if ($fullname){ - $fullname = db_escape_string($fullname); + $fullname = db_escape_string($this->link, $fullname); db_query($this->link, "UPDATE ttrss_users SET full_name = '$fullname' WHERE id = " . $user_id); } // update user mail $email = $_SERVER['HTTP_USER_MAIL'] ? $_SERVER['HTTP_USER_MAIL'] : $_SERVER['AUTHENTICATE_MAIL']; if ($email){ - $email = db_escape_string($email); + $email = db_escape_string($this->link, $email); db_query($this->link, "UPDATE ttrss_users SET email = '$email' WHERE id = " . $user_id); } diff --git a/plugins/digest/init.php b/plugins/digest/init.php index 2feabe3b..2fc98b0e 100644 --- a/plugins/digest/init.php +++ b/plugins/digest/init.php @@ -47,7 +47,7 @@ class Digest extends Plugin implements IHandler { } function digestgetcontents() { - $article_id = db_escape_string($_REQUEST['article_id']); + $article_id = db_escape_string($this->link, $_REQUEST['article_id']); $result = db_query($this->link, "SELECT content,title,link,marked,published FROM ttrss_entries, ttrss_user_entries 
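Review bot: In the hunk at -60, `$fullname` and `$email` come from `$_SERVER['HTTP_USER_NAME']` and `$_SERVER['HTTP_USER_MAIL']`, i.e. from request headers any client can send, whereas `REMOTE_USER` in the -38 hunk is set by the web server's own authentication; escaping them protects the UPDATE statement but not the integrity of the profile fields they overwrite. This is only safe when the authenticating front end strips or sets these headers itself, which the code does not state anywhere. A comment at the top of the block, such as `// HTTP_USER_NAME / HTTP_USER_MAIL are plain request headers: only trust them if the auth proxy overwrites them`, plus `filter_var($email, FILTER_VALIDATE_EMAIL)` before the UPDATE, would make the assumption explicit and reject junk values.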
@@ -67,9 +67,9 @@ class Digest extends Plugin implements IHandler { } function digestupdate() { - $feed_id = db_escape_string($_REQUEST['feed_id']); - $offset = db_escape_string($_REQUEST['offset']); - $seq = db_escape_string($_REQUEST['seq']); + $feed_id = db_escape_string($this->link, $_REQUEST['feed_id']); + $offset = db_escape_string($this->link, $_REQUEST['offset']); + $seq = db_escape_string($this->link, $_REQUEST['seq']); if (!$feed_id) $feed_id = -4; if (!$offset) $offset = 0; diff --git a/plugins/embed_original/init.php b/plugins/embed_original/init.php index b28b2f8e..0e0eb960 100644 --- a/plugins/embed_original/init.php +++ b/plugins/embed_original/init.php @@ -36,7 +36,7 @@ class Embed_Original extends Plugin { } function getUrl() { - $id = db_escape_string($_REQUEST['id']); + $id = db_escape_string($this->link, $_REQUEST['id']); $result = db_query($this->link, "SELECT link FROM ttrss_entries, ttrss_user_entries diff --git a/plugins/example/init.php b/plugins/example/init.php index f3788ae8..926a57da 100644 --- a/plugins/example/init.php +++ b/plugins/example/init.php @@ -21,7 +21,7 @@ class Example extends Plugin { } function save() { - $example_value = db_escape_string($_POST["example_value"]); + $example_value = db_escape_string($this->link, $_POST["example_value"]); $this->host->set($this, "example", $example_value); diff --git a/plugins/googleplus/init.php b/plugins/googleplus/init.php index 7ae6d145..6045d2df 100644 --- a/plugins/googleplus/init.php +++ b/plugins/googleplus/init.php @@ -32,7 +32,7 @@ class GooglePlus extends Plugin { } function getInfo() { - $id = db_escape_string($_REQUEST['id']); + $id = db_escape_string($this->link, $_REQUEST['id']); $result = db_query($this->link, "SELECT title, link FROM ttrss_entries, ttrss_user_entries diff --git a/plugins/identica/init.php b/plugins/identica/init.php index c9aa4118..8e0ad4b9 100644 --- a/plugins/identica/init.php +++ b/plugins/identica/init.php 
@@ -32,7 +32,7 @@ class Identica extends Plugin { } function getInfo() { - $id = db_escape_string($_REQUEST['id']); + $id = db_escape_string($this->link, $_REQUEST['id']); $result = db_query($this->link, "SELECT title, link FROM ttrss_entries, ttrss_user_entries diff --git a/plugins/import_export/init.php b/plugins/import_export/init.php index de21dbf3..61b9a439 100644 --- a/plugins/import_export/init.php +++ b/plugins/import_export/init.php @@ -49,7 +49,7 @@ class Import_Export extends Plugin implements IHandler { } function save() { - $example_value = db_escape_string($_POST["example_value"]); + $example_value = db_escape_string($this->link, $_POST["example_value"]); echo "Value set to $example_value (not really)"; } @@ -122,7 +122,7 @@ class Import_Export extends Plugin implements IHandler { } function exportrun() { - $offset = (int) db_escape_string($_REQUEST['offset']); + $offset = (int) db_escape_string($this->link, $_REQUEST['offset']); $exported = 0; $limit = 250; @@ -238,7 +238,7 @@ class Import_Export extends Plugin implements IHandler { foreach ($article_node->childNodes as $child) { if ($child->nodeName != 'label_cache') - $article[$child->nodeName] = db_escape_string($child->nodeValue); + $article[$child->nodeName] = db_escape_string($this->link, $child->nodeValue); else $article[$child->nodeName] = $child->nodeValue; } @@ -346,7 +346,7 @@ class Import_Export extends Plugin implements IHandler { $score = (int) $article['score']; $tag_cache = $article['tag_cache']; - $label_cache = db_escape_string($article['label_cache']); + $label_cache = db_escape_string($this->link, $article['label_cache']); $note = $article['note']; //print "Importing " . $article['title'] . "
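Review bot: `save()` (import_export hunk at -49) echoes `$example_value` straight into the response with `echo "Value set to $example_value (not really)";` after escaping it for SQL only; SQL escaping is not HTML encoding, so a value containing markup is reflected as-is into the page. Escape for the output context at the point of output, `echo "Value set to " . htmlspecialchars($example_value, ENT_QUOTES, 'UTF-8') . " (not really)";`, and keep the SQL-escaped copy only for queries. The owncloud `save()` hunk at -20 in a later chunk has the identical pattern with `$owncloud_url`.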
"; diff --git a/plugins/instances/init.php b/plugins/instances/init.php index 6c0f89e1..6e8d43e9 100644 --- a/plugins/instances/init.php +++ b/plugins/instances/init.php @@ -92,10 +92,10 @@ class Instances extends Plugin implements IHandler { WHERE instance_id = '$id'"); foreach ($feeds['feeds'] as $feed) { - $feed_url = db_escape_string($feed['feed_url']); - $title = db_escape_string($feed['title']); - $subscribers = db_escape_string($feed['subscribers']); - $site_url = db_escape_string($feed['site_url']); + $feed_url = db_escape_string($this->link, $feed['feed_url']); + $title = db_escape_string($this->link, $feed['title']); + $subscribers = db_escape_string($this->link, $feed['subscribers']); + $site_url = db_escape_string($this->link, $feed['site_url']); db_query($link, "INSERT INTO ttrss_linked_feeds (feed_url, site_url, title, subscribers, instance_id, created, updated) @@ -167,16 +167,16 @@ class Instances extends Plugin implements IHandler { } function remove() { - $ids = db_escape_string($_REQUEST['ids']); + $ids = db_escape_string($this->link, $_REQUEST['ids']); db_query($this->link, "DELETE FROM ttrss_linked_instances WHERE id IN ($ids)"); } function add() { - $id = db_escape_string($_REQUEST["id"]); - $access_url = db_escape_string($_REQUEST["access_url"]); - $access_key = db_escape_string($_REQUEST["access_key"]); + $id = db_escape_string($this->link, $_REQUEST["id"]); + $access_url = db_escape_string($this->link, $_REQUEST["access_url"]); + $access_key = db_escape_string($this->link, $_REQUEST["access_key"]); db_query($this->link, "BEGIN"); @@ -195,7 +195,7 @@ class Instances extends Plugin implements IHandler { } function edit() { - $id = db_escape_string($_REQUEST["id"]); + $id = db_escape_string($this->link, $_REQUEST["id"]); $result = db_query($this->link, "SELECT * FROM ttrss_linked_instances WHERE id = '$id'"); 
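Review bot: In `remove()` (hunk at -167), `$ids` is escaped and then interpolated unquoted into `WHERE id IN ($ids)`; db_escape_string() only neutralises quote characters inside a quoted literal, so it gives no protection in an unquoted list. Build the list from integers instead: `$ids = join(",", array_map("intval", explode(",", $_REQUEST['ids'])));`. The same applies to `$sort` in the hunk at -277, which by its name and the `access_url` default is a column identifier, presumably used in an ORDER BY outside the hunk; an identifier cannot be escaped and needs an allowlist of permitted column names, falling back to `access_url` when the request value is not in it.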
@@ -253,9 +253,9 @@ class Instances extends Plugin implements IHandler { } function editSave() { - $id = db_escape_string($_REQUEST["id"]); - $access_url = db_escape_string($_REQUEST["access_url"]); - $access_key = db_escape_string($_REQUEST["access_key"]); + $id = db_escape_string($this->link, $_REQUEST["id"]); + $access_url = db_escape_string($this->link, $_REQUEST["access_url"]); + $access_key = db_escape_string($this->link, $_REQUEST["access_key"]); db_query($this->link, "UPDATE ttrss_linked_instances SET access_key = '$access_key', access_url = '$access_url', @@ -277,7 +277,7 @@ class Instances extends Plugin implements IHandler { print "
"; - $sort = db_escape_string($_REQUEST["sort"]); + $sort = db_escape_string($this->link, $_REQUEST["sort"]); if (!$sort || $sort == "undefined") { $sort = "access_url"; @@ -364,7 +364,7 @@ class Instances extends Plugin implements IHandler { function fbexport() { - $access_key = db_escape_string($_POST["key"]); + $access_key = db_escape_string($this->link, $_POST["key"]); // TODO: rate limit checking using last_connected $result = db_query($this->link, "SELECT id FROM ttrss_linked_instances diff --git a/plugins/mail/init.php b/plugins/mail/init.php index 30a417a1..a4817a15 100644 --- a/plugins/mail/init.php +++ b/plugins/mail/init.php @@ -30,7 +30,7 @@ class Mail extends Plugin { function emailArticle() { - $param = db_escape_string($_REQUEST['param']); + $param = db_escape_string($this->link, $_REQUEST['param']); $secretkey = sha1(uniqid(rand(), true)); @@ -181,7 +181,7 @@ class Mail extends Plugin { if (!$rc) { $reply['error'] = $mail->ErrorInfo; } else { - save_email_address($this->link, db_escape_string($destination)); + save_email_address($this->link, db_escape_string($this->link, $destination)); $reply['message'] = "UPDATE_COUNTERS"; } @@ -193,7 +193,7 @@ class Mail extends Plugin { } function completeEmails() { - $search = db_escape_string($_REQUEST["search"]); + $search = db_escape_string($this->link, $_REQUEST["search"]); print "
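Review bot: In the mail hunk at -181, `$destination` is escaped before being passed to `save_email_address($this->link, ...)`; a helper that receives the connection itself most likely escapes its own argument (it is outside this diff, so this is inferred), in which case addresses are stored double-escaped. Pass the raw value and let the helper escape it, or validate first with `filter_var($destination, FILTER_VALIDATE_EMAIL)` and pass the validated string. Either way the caller should not pre-escape a value it does not interpolate itself.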
    "; diff --git a/plugins/mailto/init.php b/plugins/mailto/init.php index 8d175ae1..e140bbea 100644 --- a/plugins/mailto/init.php +++ b/plugins/mailto/init.php @@ -30,7 +30,7 @@ class MailTo extends Plugin { function emailArticle() { - $param = db_escape_string($_REQUEST['param']); + $param = db_escape_string($this->link, $_REQUEST['param']); require_once "lib/MiniTemplator.class.php"; diff --git a/plugins/note/init.php b/plugins/note/init.php index 83db9424..7e8cfb57 100644 --- a/plugins/note/init.php +++ b/plugins/note/init.php @@ -29,7 +29,7 @@ class Note extends Plugin { } function edit() { - $param = db_escape_string($_REQUEST['param']); + $param = db_escape_string($this->link, $_REQUEST['param']); $result = db_query($this->link, "SELECT note FROM ttrss_user_entries WHERE ref_id = '$param' AND owner_uid = " . $_SESSION['uid']); @@ -58,8 +58,8 @@ class Note extends Plugin { } function setNote() { - $id = db_escape_string($_REQUEST["id"]); - $note = trim(strip_tags(db_escape_string($_REQUEST["note"]))); + $id = db_escape_string($this->link, $_REQUEST["id"]); + $note = trim(strip_tags(db_escape_string($this->link, $_REQUEST["note"]))); db_query($this->link, "UPDATE ttrss_user_entries SET note = '$note' WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]); diff --git a/plugins/nsfw/init.php b/plugins/nsfw/init.php index 9aadde4d..247d56a1 100644 --- a/plugins/nsfw/init.php +++ b/plugins/nsfw/init.php @@ -91,7 +91,7 @@ class NSFW extends Plugin { } function save() { - $tags = explode(",", db_escape_string($_POST["tags"])); + $tags = explode(",", db_escape_string($this->link, $_POST["tags"])); $tags = array_map("trim", $tags); $tags = array_map("mb_strtolower", $tags); $tags = join(", ", $tags); diff --git a/plugins/owncloud/init.php b/plugins/owncloud/init.php index 48377e9d..5d215b38 100644 --- a/plugins/owncloud/init.php +++ b/plugins/owncloud/init.php 
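Review bot: In `setNote()` (hunk at -58), `strip_tags()` and `trim()` run on the already-escaped value, so the string that reaches the query is no longer exactly what db_escape_string() produced; transformations belong before the escape, which should be the last step: `$note = db_escape_string($this->link, trim(strip_tags($_REQUEST["note"])));`. The nsfw `save()` hunk at -91 has the same ordering (`explode`/`trim` after escaping), and so does `trim(db_escape_string(...))` in the register.php hunk at -74 in the next chunk. If db_escape_string() strips tags by default — the third `false` argument passed in the rssfuncs and sessions hunks suggests such a flag — the explicit `strip_tags()` may be redundant, but the ordering point stands either way.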
@@ -20,7 +20,7 @@ class OwnCloud extends Plugin { } function save() { - $owncloud_url = db_escape_string($_POST["owncloud_url"]); + $owncloud_url = db_escape_string($this->link, $_POST["owncloud_url"]); $this->host->set($this, "owncloud", $owncloud_url); echo "Value set to $owncloud_url"; } @@ -75,7 +75,7 @@ class OwnCloud extends Plugin { } function getOwnCloud() { - $id = db_escape_string($_REQUEST['id']); + $id = db_escape_string($this->link, $_REQUEST['id']); $result = db_query($this->link, "SELECT title, link FROM ttrss_entries, ttrss_user_entries diff --git a/plugins/pinterest/init.php b/plugins/pinterest/init.php index 96c730e8..11fe64eb 100644 --- a/plugins/pinterest/init.php +++ b/plugins/pinterest/init.php @@ -32,7 +32,7 @@ class Pinterest extends Plugin { } function getInfo() { - $id = db_escape_string($_REQUEST['id']); + $id = db_escape_string($this->link, $_REQUEST['id']); $result = db_query($this->link, "SELECT title, link FROM ttrss_entries, ttrss_user_entries diff --git a/plugins/pocket/init.php b/plugins/pocket/init.php index 688a6258..e96d0800 100644 --- a/plugins/pocket/init.php +++ b/plugins/pocket/init.php @@ -33,7 +33,7 @@ class Pocket extends Plugin { } function getInfo() { - $id = db_escape_string($_REQUEST['id']); + $id = db_escape_string($this->link, $_REQUEST['id']); $result = db_query($this->link, "SELECT title, link FROM ttrss_entries, ttrss_user_entries diff --git a/plugins/share/init.php b/plugins/share/init.php index f52d2a4f..a3dc3522 100644 --- a/plugins/share/init.php +++ b/plugins/share/init.php @@ -28,7 +28,7 @@ class Share extends Plugin { } function shareArticle() { - $param = db_escape_string($_REQUEST['param']); + $param = db_escape_string($this->link, $_REQUEST['param']); $result = db_query($this->link, "SELECT uuid, ref_id FROM ttrss_user_entries WHERE int_id = '$param' AND owner_uid = " . $_SESSION['uid']); 
@@ -41,7 +41,7 @@ class Share extends Plugin { $ref_id = db_fetch_result($result, 0, "ref_id"); if (!$uuid) { - $uuid = db_escape_string(sha1(uniqid(rand(), true))); + $uuid = db_escape_string($this->link, sha1(uniqid(rand(), true))); db_query($this->link, "UPDATE ttrss_user_entries SET uuid = '$uuid' WHERE int_id = '$param' AND owner_uid = " . $_SESSION['uid']); } diff --git a/plugins/tweet/init.php b/plugins/tweet/init.php index 2d20c718..bbcf7836 100644 --- a/plugins/tweet/init.php +++ b/plugins/tweet/init.php @@ -32,7 +32,7 @@ class Tweet extends Plugin { } function getInfo() { - $id = db_escape_string($_REQUEST['id']); + $id = db_escape_string($this->link, $_REQUEST['id']); $result = db_query($this->link, "SELECT title, link FROM ttrss_entries, ttrss_user_entries diff --git a/register.php b/register.php index 678b3c31..0dc91e96 100644 --- a/register.php +++ b/register.php @@ -74,7 +74,7 @@ if ($action == "check") { header("Content-Type: application/xml"); - $login = trim(db_escape_string($_REQUEST['login'])); + $login = trim(db_escape_string($link, $_REQUEST['login'])); $result = db_query($link, "SELECT id FROM ttrss_users WHERE LOWER(login) = LOWER('$login')"); @@ -242,9 +242,9 @@
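Review bot: In `shareArticle()` (hunk at -41), the per-article share `$uuid` is generated with `sha1(uniqid(rand(), true))`; `rand()` and `uniqid()` are not cryptographically strong, and a value that presumably serves as the unguessable handle of a shared article should come from a CSPRNG, e.g. `bin2hex(openssl_random_pseudo_bytes(20))` (or `random_bytes()` on PHP 7+). The db_escape_string() wrapper around a hex digest is a no-op and can be dropped once the value is a known hex string. The same construct builds `$secretkey` in the mail plugin's emailArticle (a context line of its -30 hunk in the previous chunk).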