From 474390311fd646db88acfdbff7dcc7c57ac7249e Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@bah.spb.su>
Date: Sat, 19 May 2007 15:09:16 +0100
Subject: [PATCH] remove db_unescape_string() hack

---
 functions.php            | 18 ++++++------------
 modules/pref-feeds.php   | 20 ++++++++++----------
 modules/pref-filters.php |  6 +++---
 modules/pref-labels.php  | 14 +++++++-------
 4 files changed, 26 insertions(+), 32 deletions(-)

diff --git a/functions.php b/functions.php
index f6783ff9..ba4b0234 100644
--- a/functions.php
+++ b/functions.php
@@ -386,8 +386,8 @@
 		$result = db_query($link, "SELECT update_interval,auth_login,auth_pass	
 			FROM ttrss_feeds WHERE id = '$feed'");
 
-		$auth_login = db_unescape_string(db_fetch_result($result, 0, "auth_login"));
-		$auth_pass = db_unescape_string(db_fetch_result($result, 0, "auth_pass"));
+		$auth_login = db_fetch_result($result, 0, "auth_login");
+		$auth_pass = db_fetch_result($result, 0, "auth_pass");
 
 		$update_interval = db_fetch_result($result, 0, "update_interval");
 
@@ -2141,7 +2141,7 @@
 				$is_selected = "";
 			}
 			printf("<option $is_selected value='%d'>%s</option>", 
-				$line["id"], htmlspecialchars(db_unescape_string($line["title"])));
+				$line["id"], htmlspecialchars($line["title"]));
 		}
 	
 		print "</select>";
@@ -2170,7 +2170,7 @@
 				$is_selected = "";
 			}
 			printf("<option $is_selected value='%d'>%s</option>", 
-				$line["id"], htmlspecialchars(db_unescape_string($line["title"])));
+				$line["id"], htmlspecialchars($line["title"]));
 		}
 
 		print "</select>";
@@ -2525,8 +2525,6 @@
 				$feed_title = "?";
 			}
 
-			$feed_title = db_unescape_string($feed_title);
-
 			if ($feed < -10) error_reporting (0);
 
 			if (preg_match("/^-?[0-9][0-9]*$/", $feed) != false) {
@@ -2899,10 +2897,6 @@
 		}
 	}
 
-	function escape_for_form($s) {
-		return htmlspecialchars(db_unescape_string($s));
-	}
-
 	function make_guid_from_title($title) {
 		return preg_replace("/[ \"\',.:;]/", "-", 
 			mb_strtolower(strip_tags($title), 'utf-8'));
@@ -3121,7 +3115,7 @@
 					error_reporting (DEFAULT_ERROR_LEVEL);
 	
 					printFeedEntry($label_id, 
-						$class, db_unescape_string($line["description"]), 
+						$class, $line["description"], 
 						$count, "images/label.png", $link);
 		
 				}
@@ -3182,7 +3176,7 @@
 	
 			while ($line = db_fetch_assoc($result)) {
 			
-				$feed = trim(db_unescape_string($line["title"]));
+				$feed = trim($line["title"]);
 
 				if (!$feed) $feed = "[Untitled]";
 
diff --git a/modules/pref-feeds.php b/modules/pref-feeds.php
index ae5ab28e..9ef88e8f 100644
--- a/modules/pref-feeds.php
+++ b/modules/pref-feeds.php
@@ -101,7 +101,7 @@
 				$class = ($feedctr % 2) ? "even" : "odd";
 
 				print "<li class='$class' id=\"FBROW-".$details["id"]."\">$check_box".
-					"$feed_icon " . db_unescape_string($details["title"]) . 
+					"$feed_icon " . $details["title"] . 
 					"&nbsp;<span class='subscribers'>($subscribers)</span></li>";
 
 					++$feedctr;
@@ -130,8 +130,8 @@
 				"SELECT * FROM ttrss_feeds WHERE id = '$feed_id' AND
 					owner_uid = " . $_SESSION["uid"]);
 
-			$title = htmlspecialchars(db_unescape_string(db_fetch_result($result,
-				0, "title")));
+			$title = htmlspecialchars(db_fetch_result($result,
+				0, "title"));
 
 			$icon_file = ICONS_DIR . "/$feed_id.ico";
 	
@@ -159,8 +159,8 @@
 				name=\"title\" value=\"$title\"></td></tr>";
 
 			$feed_url = db_fetch_result($result, 0, "feed_url");
-			$feed_url = htmlspecialchars(db_unescape_string(db_fetch_result($result,
-				0, "feed_url")));
+			$feed_url = htmlspecialchars(db_fetch_result($result,
+				0, "feed_url"));
 				
 			print "<tr><td>".__('Feed URL:')."</td>";
 			print "<td><input class=\"iedit\" onkeypress=\"return filterCR(event, feedEditSave)\"
@@ -259,13 +259,13 @@
 			
 			print "</td>";
 
-			$auth_login = escape_for_form(db_fetch_result($result, 0, "auth_login"));
+			$auth_login = htmlspecialchars(db_fetch_result($result, 0, "auth_login"));
 
 			print "<tr><td>".__('Login:')."</td>";
 			print "<td><input class=\"iedit\" onkeypress=\"return filterCR(event, feedEditSave)\"
 				name=\"auth_login\" value=\"$auth_login\"></td></tr>";
 
-			$auth_pass = escape_for_form(db_fetch_result($result, 0, "auth_pass"));
+			$auth_pass = htmlspecialchars(db_fetch_result($result, 0, "auth_pass"));
 
 			print "<tr><td>".__('Password:')."</td>";
 			print "<td><input class=\"iedit\" type=\"password\" name=\"auth_pass\" 
@@ -652,7 +652,7 @@
 		
 					print "<tr class=\"$class\" $this_row_id>";
 		
-					$edit_title = htmlspecialchars(db_unescape_string($line["title"]));
+					$edit_title = htmlspecialchars($line["title"]);
 		
 					if (!$edit_cat_id || $action != "edit") {
 		
@@ -880,8 +880,8 @@
 				$feed_id = $line["id"];
 				$cat_id = $line["cat_id"];
 
-				$edit_title = htmlspecialchars(db_unescape_string($line["title"]));
-				$edit_cat = htmlspecialchars(db_unescape_string($line["category"]));
+				$edit_title = htmlspecialchars($line["title"]);
+				$edit_cat = htmlspecialchars($line["category"]);
 
 				$hidden = sql_bool_to_bool($line["hidden"]);
 
diff --git a/modules/pref-filters.php b/modules/pref-filters.php
index 7445c0e0..3c0f6129 100644
--- a/modules/pref-filters.php
+++ b/modules/pref-filters.php
@@ -10,7 +10,7 @@
 			$result = db_query($link, 
 				"SELECT * FROM ttrss_filters WHERE id = '$filter_id' AND owner_uid = " . $_SESSION["uid"]);
 
-			$reg_exp = htmlspecialchars(db_unescape_string(db_fetch_result($result, 0, "reg_exp")));
+			$reg_exp = htmlspecialchars(db_fetch_result($result, 0, "reg_exp"));
 			$filter_type = db_fetch_result($result, 0, "filter_type");
 			$feed_id = db_fetch_result($result, 0, "feed_id");
 			$action_id = db_fetch_result($result, 0, "action_id");
@@ -285,11 +285,11 @@
 	
 				print "<tr class=\"$class\" $this_row_id>";
 	
-				$line["reg_exp"] = htmlspecialchars(db_unescape_string($line["reg_exp"]));
+				$line["reg_exp"] = htmlspecialchars($line["reg_exp"]);
 	
 				if (!$line["feed_title"]) $line["feed_title"] = __("All feeds");
 
-				$line["feed_title"] = htmlspecialchars(db_unescape_string($line["feed_title"]));
+				$line["feed_title"] = htmlspecialchars($line["feed_title"]);
 
 				print "<td align='center'><input onclick='toggleSelectPrefRow(this, \"filter\");' 
 					type=\"checkbox\" id=\"FICHK-".$line["id"]."\"></td>";
diff --git a/modules/pref-labels.php b/modules/pref-labels.php
index 3f7b7f80..8d19d028 100644
--- a/modules/pref-labels.php
+++ b/modules/pref-labels.php
@@ -21,8 +21,8 @@
 
 			$line = db_fetch_assoc($result);
 
-			$sql_exp = htmlspecialchars(db_unescape_string($line["sql_exp"]));
-			$description = htmlspecialchars(db_unescape_string($line["description"]));
+			$sql_exp = htmlspecialchars($line["sql_exp"]);
+			$description = htmlspecialchars($line["description"]);
 
 			print "<div id=\"infoBoxTitle\">Label editor</div>";
 			print "<div class=\"infoBoxContents\">";
@@ -78,8 +78,9 @@
 
 		if ($subop == "test") {
 
-			$expr = db_unescape_string(trim($_GET["expr"]));
-			$descr = db_unescape_string(trim($_GET["descr"]));
+			// no escaping here on purpose
+			$expr = trim($_GET["expr"]);
+			$descr = db_escape_string(trim($_GET["descr"]));
 
 			if (!$expr) {
 				print "<div>Error: SQL expression is blank.</div>";
@@ -260,9 +261,8 @@
 	
 				print "<tr class=\"$class\" $this_row_id>";
 	
-				$line["sql_exp"] = htmlspecialchars(db_unescape_string($line["sql_exp"]));
-				$line["description"] = htmlspecialchars(
-						db_unescape_string($line["description"]));
+				$line["sql_exp"] = htmlspecialchars($line["sql_exp"]);
+				$line["description"] = htmlspecialchars($line["description"]);
 	
 				if (!$line["description"]) $line["description"] = "[No caption]";
 	
-- 
2.39.2