From fbe7cb0a4802519c405c86394a8426791d48fe26 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Fri, 1 Dec 2017 23:49:14 +0300 Subject: [PATCH] rpc: switch to PDO --- classes/rpc.php | 448 ++++++++++++++++++++---------------------- include/functions.php | 9 +- js/functions.js | 53 ----- 3 files changed, 217 insertions(+), 293 deletions(-) diff --git a/classes/rpc.php b/classes/rpc.php index 7d39261b..d8ab5d37 100755 --- a/classes/rpc.php +++ b/classes/rpc.php @@ -2,47 +2,51 @@ class RPC extends Handler_Protected { function csrf_ignore($method) { - $csrf_ignored = array("sanitycheck", "completelabels"); + $csrf_ignored = array("sanitycheck", "completelabels", "saveprofile"); return array_search($method, $csrf_ignored) !== false; } function setprofile() { - $id = $this->dbh->escape_string($_REQUEST["id"]); - - $_SESSION["profile"] = $id; + $_SESSION["profile"] = $_REQUEST["id"]; } function remprofiles() { - $ids = explode(",", $this->dbh->escape_string(trim($_REQUEST["ids"]))); + $ids = explode(",", trim($_REQUEST["ids"])); foreach ($ids as $id) { if ($_SESSION["profile"] != $id) { - $this->dbh->query("DELETE FROM ttrss_settings_profiles WHERE id = '$id' AND - owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("DELETE FROM ttrss_settings_profiles WHERE id = ? AND + owner_uid = ?"); + $sth->execute([$id, $_SESSION['uid']]); } } } // Silent function addprofile() { - $title = $this->dbh->escape_string(trim($_REQUEST["title"])); + $title = trim($_REQUEST["title"]); + if ($title) { - $this->dbh->query("BEGIN"); + $this->pdo->beginTransaction(); - $result = $this->dbh->query("SELECT id FROM ttrss_settings_profiles - WHERE title = '$title' AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_settings_profiles + WHERE title = ? AND owner_uid = ?"); + $sth->execute([$title, $_SESSION['uid']]); - if ($this->dbh->num_rows($result) == 0) { + if (!$sth->fetch()) { - $this->dbh->query("INSERT INTO ttrss_settings_profiles (title, owner_uid) - VALUES ('$title', ".$_SESSION["uid"] .")"); + $sth = $this->pdo->prepare("INSERT INTO ttrss_settings_profiles (title, owner_uid) + VALUES (?, ?)"); - $result = $this->dbh->query("SELECT id FROM ttrss_settings_profiles WHERE - title = '$title'"); + $sth->execute([$title, $_SESSION['uid']]); - if ($this->dbh->num_rows($result) != 0) { - $profile_id = $this->dbh->fetch_result($result, 0, "id"); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_settings_profiles WHERE + title = ? AND owner_uid = ?"); + $sth->execute([$title, $_SESSION['uid']]); + + if ($row = $sth->fetch()) { + $profile_id = $row['id']; if ($profile_id) { initialize_user_prefs($_SESSION["uid"], $profile_id); @@ -50,14 +54,13 @@ class RPC extends Handler_Protected { } } - $this->dbh->query("COMMIT"); + $this->pdo->commit(); } } - // Silent function saveprofile() { - $id = $this->dbh->escape_string($_REQUEST["id"]); - $title = $this->dbh->escape_string(trim($_REQUEST["value"])); + $id = $_REQUEST["id"]; + $title = trim($_REQUEST["value"]); if ($id == 0) { print __("Default profile"); @@ -65,45 +68,34 @@ class RPC extends Handler_Protected { } if ($title) { - $this->dbh->query("BEGIN"); - - $result = $this->dbh->query("SELECT id FROM ttrss_settings_profiles - WHERE title = '$title' AND owner_uid =" . $_SESSION["uid"]); - - if ($this->dbh->num_rows($result) == 0) { - $this->dbh->query("UPDATE ttrss_settings_profiles - SET title = '$title' WHERE id = '$id' AND - owner_uid = " . $_SESSION["uid"]); - print $title; - } else { - $result = $this->dbh->query("SELECT title FROM ttrss_settings_profiles - WHERE id = '$id' AND owner_uid =" . $_SESSION["uid"]); - print $this->dbh->fetch_result($result, 0, "title"); - } + $sth = $this->pdo->prepare("UPDATE ttrss_settings_profiles + SET title = ? WHERE id = ? AND + owner_uid = ?"); - $this->dbh->query("COMMIT"); + $sth->execute([$title, $id, $_SESSION['uid']]); + print $title; } } // Silent function remarchive() { - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); + $ids = explode(",", $_REQUEST["ids"]); - foreach ($ids as $id) { - $result = $this->dbh->query("DELETE FROM ttrss_archived_feeds WHERE - (SELECT COUNT(*) FROM ttrss_user_entries - WHERE orig_feed_id = '$id') = 0 AND - id = '$id' AND owner_uid = ".$_SESSION["uid"]); + $sth = $this->pdo->prepare("DELETE FROM ttrss_archived_feeds WHERE + (SELECT COUNT(*) FROM ttrss_user_entries + WHERE orig_feed_id = :id) = 0 AND + id = :id AND owner_uid = :uid"); - $this->dbh->affected_rows($result); + foreach ($ids as $id) { + $sth->execute([":id" => $id, ":uid" => $_SESSION['uid']]); } } function addfeed() { - $feed = $this->dbh->escape_string($_REQUEST['feed']); - $cat = $this->dbh->escape_string($_REQUEST['cat']); - $login = $this->dbh->escape_string($_REQUEST['login']); - $pass = trim($_REQUEST['pass']); // escaped later + $feed = $_REQUEST['feed']; + $cat = $_REQUEST['cat']; + $login = $_REQUEST['login']; + $pass = trim($_REQUEST['pass']); $rc = Feeds::subscribe_to_feed($feed, $cat, $login, $pass); @@ -111,7 +103,7 @@ class RPC extends Handler_Protected { } function togglepref() { - $key = $this->dbh->escape_string($_REQUEST["key"]); + $key = $_REQUEST["key"]; set_pref($key, !get_pref($key)); $value = get_pref($key); @@ -130,26 +122,24 @@ class RPC extends Handler_Protected { function mark() { $mark = $_REQUEST["mark"]; - $id = $this->dbh->escape_string($_REQUEST["id"]); - - if ($mark == "1") { - $mark = "true"; - } else { - $mark = "false"; - } + $id = $_REQUEST["id"]; - $this->dbh->query("UPDATE ttrss_user_entries SET marked = $mark, + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET marked = ?, last_marked = NOW() - WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]); + WHERE ref_id = ? AND owner_uid = ?"); + + $sth->execute([$mark, $id, $_SESSION['uid']]); print json_encode(array("message" => "UPDATE_COUNTERS")); } function delete() { - $ids = $this->dbh->escape_string($_REQUEST["ids"]); + $ids = explode(",", $_REQUEST["ids"]); + $ids_qmarks = arr_qmarks($ids); - $this->dbh->query("DELETE FROM ttrss_user_entries - WHERE ref_id IN ($ids) AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("DELETE FROM ttrss_user_entries + WHERE ref_id IN ($ids_qmarks) AND owner_uid = ?"); + $sth->execute(array_merge($ids, [$_SESSION['uid']])); Article::purge_orphans(); @@ -160,61 +150,57 @@ class RPC extends Handler_Protected { $ids = explode(",", $_REQUEST["ids"]); foreach ($ids as $id) { - $id = $this->dbh->escape_string(trim($id)); - $this->dbh->query("BEGIN"); + $this->pdo->beginTransaction(); - $result = $this->dbh->query("SELECT feed_url,site_url,title FROM ttrss_archived_feeds - WHERE id = (SELECT orig_feed_id FROM ttrss_user_entries WHERE ref_id = $id - AND owner_uid = ".$_SESSION["uid"].") AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT feed_url,site_url,title FROM ttrss_archived_feeds + WHERE id = (SELECT orig_feed_id FROM ttrss_user_entries WHERE ref_id = :id + AND owner_uid = :uid) AND owner_uid = :uid"); + $sth->execute([":uid" => $_SESSION['uid'], ":id" => $id]); - if ($this->dbh->num_rows($result) != 0) { - $feed_url = $this->dbh->escape_string(db_fetch_result($result, 0, "feed_url")); - $site_url = $this->dbh->escape_string(db_fetch_result($result, 0, "site_url")); - $title = $this->dbh->escape_string(db_fetch_result($result, 0, "title")); + if ($row = $sth->fetch()) { + $feed_url = $row['feed_url']; + $site_url = $row['site_url']; + $title = $row['title']; - $result = $this->dbh->query("SELECT id FROM ttrss_feeds WHERE feed_url = '$feed_url' - AND owner_uid = " .$_SESSION["uid"]); - - if ($this->dbh->num_rows($result) == 0) { + $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE feed_url = ? + AND owner_uid = ?"); + $sth->execute([$feed_url, $_SESSION['uid']]); + if ($row = $sth->fetch()) { + $feed_id = $row["id"]; + } else { if (!$title) $title = '[Unknown]'; - $result = $this->dbh->query( - "INSERT INTO ttrss_feeds + $sth = $this->pdo->prepare("INSERT INTO ttrss_feeds (owner_uid,feed_url,site_url,title,cat_id,auth_login,auth_pass,update_method) - VALUES (".$_SESSION["uid"].", - '$feed_url', - '$site_url', - '$title', - NULL, '', '', 0)"); - - $result = $this->dbh->query( - "SELECT id FROM ttrss_feeds WHERE feed_url = '$feed_url' - AND owner_uid = ".$_SESSION["uid"]); - - if ($this->dbh->num_rows($result) != 0) { - $feed_id = $this->dbh->fetch_result($result, 0, "id"); - } + VALUES (?, ?, ?, ?, NULL, '', '', 0)"); + $sth->execute([$_SESSION['uid'], $feed_url, $site_url, $title]); - } else { - $feed_id = $this->dbh->fetch_result($result, 0, "id"); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE feed_url = ? + AND owner_uid = ?"); + $sth->execute([$feed_url, $_SESSION['uid']]); + + if ($row = $sth->fetch()) { + $feed_id = $row['id']; + } } if ($feed_id) { - $result = $this->dbh->query("UPDATE ttrss_user_entries - SET feed_id = '$feed_id', orig_feed_id = NULL - WHERE ref_id = $id AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries + SET feed_id = ?, orig_feed_id = NULL + WHERE ref_id = ? AND owner_uid = ?"); + $sth->execute([$feed_id, $id, $_SESSION['uid']]); } } - $this->dbh->query("COMMIT"); + $this->pdo->commit(); } print json_encode(array("message" => "UPDATE_COUNTERS")); } function archive() { - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); + $ids = explode(",", $_REQUEST["ids"]); foreach ($ids as $id) { $this->archive_article($id, $_SESSION["uid"]); @@ -224,55 +210,58 @@ class RPC extends Handler_Protected { } private function archive_article($id, $owner_uid) { - $this->dbh->query("BEGIN"); + $this->pdo->beginTransaction(); + + if (!$owner_uid) $owner_uid = $_SESSION['uid']; - $result = $this->dbh->query("SELECT feed_id FROM ttrss_user_entries - WHERE ref_id = '$id' AND owner_uid = $owner_uid"); + $sth = $this->pdo->prepare("SELECT feed_id FROM ttrss_user_entries + WHERE ref_id = ? AND owner_uid = ?"); + $sth->execute([$id, $owner_uid]); - if ($this->dbh->num_rows($result) != 0) { + if ($row = $sth->fetch()) { /* prepare the archived table */ - $feed_id = (int) $this->dbh->fetch_result($result, 0, "feed_id"); + $feed_id = (int) $row['feed_id']; if ($feed_id) { - $result = $this->dbh->query("SELECT id FROM ttrss_archived_feeds - WHERE id = '$feed_id' AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_archived_feeds + WHERE id = ? AND owner_uid = ?"); + $sth->execute([$feed_id, $owner_uid]); - if ($this->dbh->num_rows($result) == 0) { - $result = db_query("SELECT MAX(id) AS id FROM ttrss_archived_feeds"); - $new_feed_id = (int)db_fetch_result($result, 0, "id") + 1; + if ($row = $sth->fetch()) { + $new_feed_id = $row['id']; + } else { + $row = $this->pdo->query("SELECT MAX(id) AS id FROM ttrss_archived_feeds")->fetch(); + $new_feed_id = (int)$row['id'] + 1; - $this->dbh->query("INSERT INTO ttrss_archived_feeds + $sth = $this->pdo->prepare("INSERT INTO ttrss_archived_feeds (id, owner_uid, title, feed_url, site_url) - SELECT $new_feed_id, owner_uid, title, feed_url, site_url from ttrss_feeds - WHERE id = '$feed_id'"); - } else { - $new_feed_id = $this->dbh->fetch_result($result, 0, "id"); + SELECT ?, owner_uid, title, feed_url, site_url from ttrss_feeds + WHERE id = ?"); + + $sth->execute([$new_feed_id, $feed_id]); } - $this->dbh->query("UPDATE ttrss_user_entries - SET orig_feed_id = $new_feed_id, feed_id = NULL - WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries + SET orig_feed_id = ?, feed_id = NULL + WHERE ref_id = ? AND owner_uid = ?"); + $sth->execute([$new_feed_id, $id, $owner_uid]); } } - $this->dbh->query("COMMIT"); + $this->pdo->commit(); } function publ() { $pub = $_REQUEST["pub"]; - $id = $this->dbh->escape_string($_REQUEST["id"]); + $id = $_REQUEST["id"]; - if ($pub == "1") { - $pub = "true"; - } else { - $pub = "false"; - } + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET + published = ?, last_published = NOW() + WHERE ref_id = ? AND owner_uid = ?"); - $this->dbh->query("UPDATE ttrss_user_entries SET - published = $pub, last_published = NOW() - WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]); + $sth->execute([$pub, $id, $_SESSION['uid']]); print json_encode(array("message" => "UPDATE_COUNTERS")); } @@ -295,7 +284,7 @@ class RPC extends Handler_Protected { /* GET["cmode"] = 0 - mark as read, 1 - as unread, 2 - toggle */ function catchupSelected() { - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); + $ids = explode(",", $_REQUEST["ids"]); $cmode = sprintf("%d", $_REQUEST["cmode"]); Article::catchupArticlesById($ids, $cmode); @@ -304,8 +293,8 @@ class RPC extends Handler_Protected { } function markSelected() { - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); - $cmode = sprintf("%d", $_REQUEST["cmode"]); + $ids = explode(",", $_REQUEST["ids"]); + $cmode = (int)$_REQUEST["cmode"]; $this->markArticlesById($ids, $cmode); @@ -313,8 +302,8 @@ class RPC extends Handler_Protected { } function publishSelected() { - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); - $cmode = sprintf("%d", $_REQUEST["cmode"]); + $ids = explode(",", $_REQUEST["ids"]); + $cmode = (int)$_REQUEST["cmode"]; $this->publishArticlesById($ids, $cmode); @@ -340,31 +329,33 @@ class RPC extends Handler_Protected { } function completeLabels() { - $search = $this->dbh->escape_string($_REQUEST["search"]); + $search = $_REQUEST["search"]; - $result = $this->dbh->query("SELECT DISTINCT caption FROM + $sth = $this->pdo->query("SELECT DISTINCT caption FROM ttrss_labels2 - WHERE owner_uid = '".$_SESSION["uid"]."' AND - LOWER(caption) LIKE LOWER('$search%') ORDER BY caption + WHERE owner_uid = ? AND + LOWER(caption) LIKE LOWER(?) ORDER BY caption LIMIT 5"); + $sth->execute([$_SESSION['uid'], "%$search%"]); print ""; } function purge() { - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); - $days = sprintf("%d", $_REQUEST["days"]); + $ids = explode(",", $_REQUEST["ids"]); + $days = (int) $_REQUEST["days"]; - foreach ($ids as $id) { + $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE + id = ? AND owner_uid = ?"); - $result = $this->dbh->query("SELECT id FROM ttrss_feeds WHERE - id = '$id' AND owner_uid = ".$_SESSION["uid"]); + foreach ($ids as $id) { + $sth->execute([$id, $_SESSION['uid']]); - if ($this->dbh->num_rows($result) == 1) { + if ($sth->fetch()) { purge_feed($id, $days); } } @@ -373,9 +364,9 @@ class RPC extends Handler_Protected { function updateFeedBrowser() { if (defined('_DISABLE_FEED_BROWSER') && _DISABLE_FEED_BROWSER) return; - $search = $this->dbh->escape_string($_REQUEST["search"]); - $limit = $this->dbh->escape_string($_REQUEST["limit"]); - $mode = (int) $this->dbh->escape_string($_REQUEST["mode"]); + $search = $_REQUEST["search"]; + $limit = $_REQUEST["limit"]; + $mode = (int) $_REQUEST["mode"]; require_once "feedbrowser.php"; @@ -395,38 +386,43 @@ class RPC extends Handler_Protected { if ($mode == 1) { foreach ($payload as $feed) { - $title = $this->dbh->escape_string($feed[0]); - $feed_url = $this->dbh->escape_string($feed[1]); + $title = $feed[0]; + $feed_url = $feed[1]; - $result = $this->dbh->query("SELECT id FROM ttrss_feeds WHERE - feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE + feed_url = ? AND owner_uid = ?"); + $sth->execute([$feed_url, $_SESSION['uid']]); - if ($this->dbh->num_rows($result) == 0) { - $result = $this->dbh->query("INSERT INTO ttrss_feeds + if (!$sth->fetch()) { + $sth = $this->pdo->prepare("INSERT INTO ttrss_feeds (owner_uid,feed_url,title,cat_id,site_url) - VALUES ('".$_SESSION["uid"]."', - '$feed_url', '$title', NULL, '')"); + VALUES (?, ?, ?, NULL, '')"); + + $sth->execute([$_SESSION['uid'], $feed_url, $title]); } } } else if ($mode == 2) { // feed archive foreach ($payload as $id) { - $result = $this->dbh->query("SELECT * FROM ttrss_archived_feeds - WHERE id = '$id' AND owner_uid = " . $_SESSION["uid"]); - - if ($this->dbh->num_rows($result) != 0) { - $site_url = $this->dbh->escape_string(db_fetch_result($result, 0, "site_url")); - $feed_url = $this->dbh->escape_string(db_fetch_result($result, 0, "feed_url")); - $title = $this->dbh->escape_string(db_fetch_result($result, 0, "title")); - - $result = $this->dbh->query("SELECT id FROM ttrss_feeds WHERE - feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]); - - if ($this->dbh->num_rows($result) == 0) { - $result = $this->dbh->query("INSERT INTO ttrss_feeds - (owner_uid,feed_url,title,cat_id,site_url) - VALUES ('".$_SESSION["uid"]."', - '$feed_url', '$title', NULL, '$site_url')"); + $sth = $this->pdo->prepare("SELECT * FROM ttrss_archived_feeds + WHERE id = ? AND owner_uid = ?"); + $sth->execute([$id, $_SESSION['uid']]); + + if ($row = $sth->fetch()) { + $site_url = $row['site_url']; + $feed_url = $row['feed_url']; + $title = $row['title']; + + $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE + feed_url = ? AND owner_uid = ?"); + $sth->execute([$feed_url, $_SESSION['uid']]); + + if (!$sth->fetch()) { + $sth = $this->pdo->prepare("INSERT INTO ttrss_feeds + (owner_uid,feed_url,title,cat_id,site_url) + VALUES (?, ?, ?, NULL, ?)"); + + $sth->execute([$_SESSION['uid'], $feed_url, $title, $site_url]); } } } @@ -434,34 +430,17 @@ class RPC extends Handler_Protected { } function catchupFeed() { - $feed_id = $this->dbh->escape_string($_REQUEST['feed_id']); - $is_cat = $this->dbh->escape_string($_REQUEST['is_cat']) == "true"; - $mode = $this->dbh->escape_string($_REQUEST['mode']); - $search_query = $this->dbh->escape_string($_REQUEST['search_query']); - $search_lang = $this->dbh->escape_string($_REQUEST['search_lang']); + $feed_id = $_REQUEST['feed_id']; + $is_cat = $_REQUEST['is_cat'] == "true"; + $mode = $_REQUEST['mode']; + $search_query = $_REQUEST['search_query']; + $search_lang = $_REQUEST['search_lang']; Feeds::catchup_feed($feed_id, $is_cat, false, $mode, [$search_query, $search_lang]); print json_encode(array("message" => "UPDATE_COUNTERS")); } - function quickAddCat() { - $cat = $this->dbh->escape_string($_REQUEST["cat"]); - - add_feed_category($cat); - - $result = $this->dbh->query("SELECT id FROM ttrss_feed_categories WHERE - title = '$cat' AND owner_uid = " . $_SESSION["uid"]); - - if ($this->dbh->num_rows($result) == 1) { - $id = $this->dbh->fetch_result($result, 0, "id"); - } else { - $id = 0; - } - - print_feed_cat_select("cat_id", $id, ''); - } - function setpanelmode() { $wide = (int) $_REQUEST["wide"]; @@ -471,7 +450,7 @@ class RPC extends Handler_Protected { print json_encode(array("wide" => $wide)); } - static function updaterandomfeed_real($dbh) { + static function updaterandomfeed_real() { // Test if the feed need a update (update interval exceded). if (DB_TYPE == "pgsql") { @@ -503,15 +482,17 @@ class RPC extends Handler_Protected { $random_qpart = sql_random_function(); + $pdo = Db::pdo(); + // we could be invoked from public.php with no active session if ($_SESSION["uid"]) { - $owner_check_qpart = "AND ttrss_feeds.owner_uid = '".$_SESSION["uid"]."'"; + $owner_check_qpart = "AND ttrss_feeds.owner_uid = ".$pdo->quote($_SESSION["uid"]); } else { $owner_check_qpart = ""; } // We search for feed needing update. - $result = $dbh->query("SELECT ttrss_feeds.feed_url,ttrss_feeds.id + $res = $pdo->query("SELECT ttrss_feeds.feed_url,ttrss_feeds.id FROM ttrss_feeds, ttrss_users, ttrss_user_prefs WHERE @@ -523,13 +504,11 @@ class RPC extends Handler_Protected { $updstart_thresh_qpart ORDER BY $random_qpart LIMIT 30"); - $feed_id = -1; - $num_updated = 0; $tstart = time(); - while ($line = $dbh->fetch_assoc($result)) { + while ($line = $res->fetch()) { $feed_id = $line["id"]; if (time() - $tstart < ini_get("max_execution_time") * 0.7) { @@ -554,68 +533,61 @@ class RPC extends Handler_Protected { } function updaterandomfeed() { - RPC::updaterandomfeed_real($this->dbh); + RPC::updaterandomfeed_real(); } private function markArticlesById($ids, $cmode) { - $tmp_ids = array(); - - foreach ($ids as $id) { - array_push($tmp_ids, "ref_id = '$id'"); - } - - $ids_qpart = join(" OR ", $tmp_ids); + $ids_qmarks = arr_qmarks($ids); if ($cmode == 0) { - $this->dbh->query("UPDATE ttrss_user_entries SET - marked = false, last_marked = NOW() - WHERE ($ids_qpart) AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET + marked = false, last_marked = NOW() + WHERE ref_id IN ($ids_qmarks) AND owner_uid = ?"); } else if ($cmode == 1) { - $this->dbh->query("UPDATE ttrss_user_entries SET - marked = true, last_marked = NOW() - WHERE ($ids_qpart) AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET + marked = true, last_marked = NOW() + WHERE ref_id IN ($ids_qmarks) AND owner_uid = ?"); } else { - $this->dbh->query("UPDATE ttrss_user_entries SET - marked = NOT marked,last_marked = NOW() - WHERE ($ids_qpart) AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET + marked = NOT marked,last_marked = NOW() + WHERE ref_id IN ($ids_qmarks) AND owner_uid = ?"); } + + $sth->execute(array_merge($ids, [$_SESSION['uid']])); } private function publishArticlesById($ids, $cmode) { - $tmp_ids = array(); - - foreach ($ids as $id) { - array_push($tmp_ids, "ref_id = '$id'"); - } - - $ids_qpart = join(" OR ", $tmp_ids); + $ids_qmarks = arr_qmarks($ids); if ($cmode == 0) { - $this->dbh->query("UPDATE ttrss_user_entries SET - published = false,last_published = NOW() - WHERE ($ids_qpart) AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET + published = false, last_published = NOW() + WHERE ref_id IN ($ids_qmarks) AND owner_uid = ?"); } else if ($cmode == 1) { - $this->dbh->query("UPDATE ttrss_user_entries SET - published = true,last_published = NOW() - WHERE ($ids_qpart) AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET + published = true, last_published = NOW() + WHERE ref_id IN ($ids_qmarks) AND owner_uid = ?"); } else { - $this->dbh->query("UPDATE ttrss_user_entries SET - published = NOT published,last_published = NOW() - WHERE ($ids_qpart) AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET + published = NOT published,last_published = NOW() + WHERE ref_id IN ($ids_qmarks) AND owner_uid = ?"); } + + $sth->execute(array_merge($ids, [$_SESSION['uid']])); } function getlinktitlebyid() { - $id = $this->dbh->escape_string($_REQUEST['id']); + $id = $_REQUEST['id']; - $result = $this->dbh->query("SELECT link, title FROM ttrss_entries, ttrss_user_entries - WHERE ref_id = '$id' AND ref_id = id AND owner_uid = ". $_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT link, title FROM ttrss_entries, ttrss_user_entries + WHERE ref_id = ? AND ref_id = id AND owner_uid = ?"); + $sth->execute([$id, $_SESSION['uid']]); - if ($this->dbh->num_rows($result) != 0) { - $link = $this->dbh->fetch_result($result, 0, "link"); - $title = $this->dbh->fetch_result($result, 0, "title"); + if ($row = $sth->fetch()) { + $link = $row['link']; + $title = $row['title']; echo json_encode(array("link" => $link, "title" => $title)); } else { @@ -624,10 +596,10 @@ class RPC extends Handler_Protected { } function log() { - $msg = $this->dbh->escape_string($_REQUEST['msg']); - $file = $this->dbh->escape_string(basename($_REQUEST['file'])); + $msg = $_REQUEST['msg']; + $file = basename($_REQUEST['file']); $line = (int) $_REQUEST['line']; - $context = $this->dbh->escape_string($_REQUEST['context']); + $context = $_REQUEST['context']; if ($msg) { Logger::get()->log_error(E_USER_WARNING, diff --git a/include/functions.php b/include/functions.php index 4154d8d5..f09d72cd 100644 --- a/include/functions.php +++ b/include/functions.php @@ -592,8 +592,13 @@ if (get_schema_version() < 63) $profile_qpart = ""; $pdo = DB::pdo(); + $in_nested_tr = false; - $pdo->beginTransaction(); + try { + $pdo->beginTransaction(); + } catch (Exception $e) { + $in_nested_tr = true; + } $sth = $pdo->query("SELECT pref_name,def_value FROM ttrss_prefs"); @@ -630,7 +635,7 @@ } } - $pdo->commit(); + if (!$in_nested_tr) $pdo->commit(); } diff --git a/js/functions.js b/js/functions.js index aff20a33..d52fee89 100755 --- a/js/functions.js +++ b/js/functions.js @@ -1200,31 +1200,6 @@ function backend_sanity_check_callback(transport) { } -function quickAddCat(elem) { - var cat = prompt(__("Please enter category title:")); - - if (cat) { - - var query = "?op=rpc&method=quickAddCat&cat=" + param_escape(cat); - - notify_progress("Loading, please wait...", true); - - new Ajax.Request("backend.php", { - parameters: query, - onComplete: function (transport) { - var response = transport.responseXML; - var select = response.getElementsByTagName("select")[0]; - var options = select.getElementsByTagName("option"); - - dropbox_replace_options(elem, options); - - notify(''); - - } }); - - } -} - function genUrlChangeKey(feed, is_cat) { var ok = confirm(__("Generate new syndication address for this feed?")); @@ -1263,34 +1238,6 @@ function genUrlChangeKey(feed, is_cat) { return false; } -function dropbox_replace_options(elem, options) { - while (elem.hasChildNodes()) - elem.removeChild(elem.firstChild); - - var sel_idx = -1; - - for (var i = 0; i < options.length; i++) { - var text = options[i].firstChild.nodeValue; - var value = options[i].getAttribute("value"); - - if (value == undefined) value = text; - - var issel = options[i].getAttribute("selected") == "1"; - - var option = new Option(text, value, issel); - - if (options[i].getAttribute("disabled")) - option.setAttribute("disabled", true); - - elem.insert(option); - - if (issel) sel_idx = i; - } - - // Chrome doesn't seem to just select stuff when you pass new Option(x, y, true) - if (sel_idx >= 0) elem.selectedIndex = sel_idx; -} - // mode = all, none, invert function selectTableRows(id, mode) { var rows = $(id).rows; -- 2.39.5