]> git.wh0rd.org - tt-rss.git/commitdiff
git.wh0rd.org / tt-rss.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: afcb105)
rssutils: PDO
authorAndrew Dolgov <noreply@fakecake.org>
Sat, 2 Dec 2017 06:55:53 +0000 (09:55 +0300)
committerAndrew Dolgov <noreply@fakecake.org>
Sat, 2 Dec 2017 06:56:34 +0000 (09:56 +0300)
classes/ccache.php patch | blob | blame | history
classes/rssutils.php patch | blob | blame | history

diff --git a/classes/ccache.php b/classes/ccache.php
index 9a6f14f3d867fad5f65d94fef0a549a339d95a47..88e28e9e83e6ba23642fc90693f9b9fb720c2ad1 100644 (file)
--- a/classes/ccache.php
+++ b/classes/ccache.php
@@ -142,7 +142,13 @@ class CCache {
                        $unread = (int) Feeds::getFeedArticles($feed_id, $is_cat, true, $owner_uid);
                }
 
-               $pdo->beginTransaction();
+               $tr_in_progress = false;
+
+               try {
+                       $pdo->beginTransaction();
+               } catch (Exception $e) {
+                       $tr_in_progress = true;
+               }
 
                $sth = $pdo->prepare("SELECT feed_id FROM $table
                        WHERE owner_uid = ? AND feed_id = ? LIMIT 1");
@@ -164,7 +170,7 @@ class CCache {
                        $sth->execute([$feed_id, $unread, $owner_uid]);
                }
 
-               $pdo->commit();
+               if (!$tr_in_progress) $pdo->commit();
 
                if ($feed_id > 0 && $prev_unread != $unread) {
 
diff --git a/classes/rssutils.php b/classes/rssutils.php
index b8732c6666a0e889025c2faaa4ce17d8cad3a387..349f859961bf82c5ac7e4a6181da6357ae0aa539 100644 (file)
--- a/classes/rssutils.php
+++ b/classes/rssutils.php
@@ -33,10 +33,10 @@ class RSSUtils {
 
                while ($line = $sth->fetch()) {
 
-                       $subscribers = db_escape_string($line["subscribers"]);
-                       $feed_url = db_escape_string($line["feed_url"]);
-                       $title = db_escape_string($line["title"]);
-                       $site_url = db_escape_string($line["site_url"]);
+                       $subscribers = $line["subscribers"];
+                       $feed_url = $line["feed_url"];
+                       $title = $line["title"];
+                       $site_url = $line["site_url"];
 
                        $tmph = $pdo->prepare("SELECT subscribers FROM
                                ttrss_feedbrowser_cache WHERE feed_url = ?");
@@ -211,79 +211,90 @@ class RSSUtils {
        // this is used when subscribing
        static function set_basic_feed_info($feed) {
 
-               $feed = db_escape_string($feed);
+               $pdo = Db::pdo();
 
-               $result = db_query("SELECT owner_uid,feed_url,auth_pass,auth_login,auth_pass_encrypted
-                                       FROM ttrss_feeds WHERE id = '$feed'");
+               $sth = $pdo->prepare("SELECT owner_uid,feed_url,auth_pass,auth_login,auth_pass_encrypted
+                               FROM ttrss_feeds WHERE id = ?");
+               $sth->execute([$feed]);
 
-               $owner_uid = db_fetch_result($result, 0, "owner_uid");
+               if ($row = $sth->fetch()) {
 
-               $auth_pass_encrypted = sql_bool_to_bool(db_fetch_result($result,
-                       0, "auth_pass_encrypted"));
+                       $owner_uid = $row["owner_uid"];
 
-               $auth_login = db_fetch_result($result, 0, "auth_login");
-               $auth_pass = db_fetch_result($result, 0, "auth_pass");
+                       $auth_pass_encrypted = sql_bool_to_bool($row["auth_pass_encrypted"]);
 
-               if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) {
-                       require_once "crypt.php";
-                       $auth_pass = decrypt_string($auth_pass);
-               }
+                       $auth_login = $row["auth_login"];
+                       $auth_pass = $row["auth_pass"];
 
-               $fetch_url = db_fetch_result($result, 0, "feed_url");
+                       if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) {
+                               require_once "crypt.php";
+                               $auth_pass = decrypt_string($auth_pass);
+                       }
 
-               $pluginhost = new PluginHost();
-               $user_plugins = get_pref("_ENABLED_PLUGINS", $owner_uid);
+                       $fetch_url = $row["feed_url"];
 
-               $pluginhost->load(PLUGINS, PluginHost::KIND_ALL);
-               $pluginhost->load($user_plugins, PluginHost::KIND_USER, $owner_uid);
-               $pluginhost->load_data();
+                       $pluginhost = new PluginHost();
+                       $user_plugins = get_pref("_ENABLED_PLUGINS", $owner_uid);
 
-               $basic_info = array();
-               foreach ($pluginhost->get_hooks(PluginHost::HOOK_FEED_BASIC_INFO) as $plugin) {
-                       $basic_info = $plugin->hook_feed_basic_info($basic_info, $fetch_url, $owner_uid, $feed, $auth_login, $auth_pass);
-               }
+                       $pluginhost->load(PLUGINS, PluginHost::KIND_ALL);
+                       $pluginhost->load($user_plugins, PluginHost::KIND_USER, $owner_uid);
+                       $pluginhost->load_data();
+
+                       $basic_info = array();
+                       foreach ($pluginhost->get_hooks(PluginHost::HOOK_FEED_BASIC_INFO) as $plugin) {
+                               $basic_info = $plugin->hook_feed_basic_info($basic_info, $fetch_url, $owner_uid, $feed, $auth_login, $auth_pass);
+                       }
 
-               if (!$basic_info) {
-                       $feed_data = fetch_file_contents($fetch_url, false,
-                               $auth_login, $auth_pass, false,
-                               FEED_FETCH_TIMEOUT,
-                               0);
+                       if (!$basic_info) {
+                               $feed_data = fetch_file_contents($fetch_url, false,
+                                       $auth_login, $auth_pass, false,
+                                       FEED_FETCH_TIMEOUT,
+                                       0);
 
-                       global $fetch_curl_used;
+                               global $fetch_curl_used;
 
-                       if (!$fetch_curl_used) {
-                               $tmp = @gzdecode($feed_data);
+                               if (!$fetch_curl_used) {
+                                       $tmp = @gzdecode($feed_data);
 
-                               if ($tmp) $feed_data = $tmp;
-                       }
+                                       if ($tmp) $feed_data = $tmp;
+                               }
 
-                       $feed_data = trim($feed_data);
+                               $feed_data = trim($feed_data);
 
-                       $rss = new FeedParser($feed_data);
-                       $rss->init();
+                               $rss = new FeedParser($feed_data);
+                               $rss->init();
 
-                       if (!$rss->error()) {
-                               $basic_info = array(
-                                       'title' => db_escape_string(mb_substr($rss->get_title(), 0, 199)),
-                                       'site_url' => db_escape_string(mb_substr(rewrite_relative_url($fetch_url, $rss->get_link()), 0, 245))
-                               );
+                               if (!$rss->error()) {
+                                       $basic_info = array(
+                                               'title' => mb_substr($rss->get_title(), 0, 199),
+                                               'site_url' => mb_substr(rewrite_relative_url($fetch_url, $rss->get_link()), 0, 245)
+                                       );
+                               }
                        }
-               }
 
-               if ($basic_info && is_array($basic_info)) {
-                       $result = db_query("SELECT title, site_url FROM ttrss_feeds WHERE id = '$feed'");
+                       if ($basic_info && is_array($basic_info)) {
+                               $sth = $pdo->prepare("SELECT title, site_url FROM ttrss_feeds WHERE id = ?");
+                               $sth->execute([$feed]);
 
-                       $registered_title = db_fetch_result($result, 0, "title");
-                       $orig_site_url = db_fetch_result($result, 0, "site_url");
+                               if ($row = $sth->fetch()) {
 
-                       if ($basic_info['title'] && (!$registered_title || $registered_title == "[Unknown]")) {
-                               db_query("UPDATE ttrss_feeds SET
-                                       title = '${basic_info['title']}' WHERE id = '$feed'");
-                       }
+                                       $registered_title = $row["title"];
+                                       $orig_site_url = $row["site_url"];
+
+                                       if ($basic_info['title'] && (!$registered_title || $registered_title == "[Unknown]")) {
+
+                                               $sth = $pdo->prepare("UPDATE ttrss_feeds SET
+                                                       title = ? WHERE id = ?");
+                                               $sth->execute([$basic_info['title'], $feed]);
+                                       }
 
-                       if ($basic_info['site_url'] && $orig_site_url != $basic_info['site_url']) {
-                               db_query("UPDATE ttrss_feeds SET
-                                                       site_url = '${basic_info['site_url']}' WHERE id = '$feed'");
+                                       if ($basic_info['site_url'] && $orig_site_url != $basic_info['site_url']) {
+                                               $sth = $pdo->prepare("UPDATE ttrss_feeds SET
+                                                       site_url = ? WHERE id = ?");
+                                               $sth->execute([$basic_info['site_url'], $feed]);
+                                       }
+
+                               }
                        }
                }
        }
@@ -298,16 +309,18 @@ class RSSUtils {
                _debug_suppress(!$debug_enabled);
                _debug("start", $debug_enabled);
 
-               $result = db_query("SELECT title FROM ttrss_feeds
-                       WHERE id = '$feed'");
+               $pdo = Db::pdo();
+
+               $sth = $pdo->prepare("SELECT title FROM ttrss_feeds WHERE id = ?");
+               $sth->execute([$feed]);
 
-               if (db_num_rows($result) == 0) {
+               if (!$row = $sth->fetch()) {
                        _debug("feed $feed NOT FOUND/SKIPPED", $debug_enabled);
                        user_error("Attempt to update unknown/invalid feed $feed", E_USER_WARNING);
                        return false;
                }
 
-               $title = db_fetch_result($result, 0, "title");
+               $title = $row["title"];
 
                // feed was batch-subscribed or something, we need to get basic info
                // this is not optimal currently as it fetches stuff separately TODO: optimize
@@ -316,39 +329,43 @@ class RSSUtils {
                        RSSUtils::set_basic_feed_info($feed);
                }
 
-               $result = db_query("SELECT id,update_interval,auth_login,
+               $sth = $pdo->prepare("SELECT id,update_interval,auth_login,
                        feed_url,auth_pass,cache_images,
                        mark_unread_on_update, owner_uid,
                        auth_pass_encrypted, feed_language, 
                        last_modified, 
                        ".SUBSTRING_FOR_DATE."(last_unconditional, 1, 19) AS last_unconditional                 
-                       FROM ttrss_feeds WHERE id = '$feed'");
+                       FROM ttrss_feeds WHERE id = ?");
+               $sth->execute([$feed]);
+               
+               if ($row = $sth->fetch()) {
 
-               $owner_uid = db_fetch_result($result, 0, "owner_uid");
-               $mark_unread_on_update = sql_bool_to_bool(db_fetch_result($result,
-                       0, "mark_unread_on_update"));
-               $auth_pass_encrypted = sql_bool_to_bool(db_fetch_result($result,
-                       0, "auth_pass_encrypted"));
+                       $owner_uid = $row["owner_uid"];
+                       $mark_unread_on_update = sql_bool_to_bool($row["mark_unread_on_update"]);
+                       $auth_pass_encrypted = sql_bool_to_bool($row["auth_pass_encrypted"]);
 
-               db_query("UPDATE ttrss_feeds SET last_update_started = NOW()
-                       WHERE id = '$feed'");
+                       $sth = $pdo->prepare("UPDATE ttrss_feeds SET last_update_started = NOW()
+                               WHERE id = ?");
+                       $sth->execute([$feed]);
 
-               $auth_login = db_fetch_result($result, 0, "auth_login");
-               $auth_pass = db_fetch_result($result, 0, "auth_pass");
+                       $auth_login = $row["auth_login"];
+                       $auth_pass = $row["auth_pass"];
 
-               if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) {
-                       require_once "crypt.php";
-                       $auth_pass = decrypt_string($auth_pass);
-               }
+                       if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) {
+                               require_once "crypt.php";
+                               $auth_pass = decrypt_string($auth_pass);
+                       }
 
-               $stored_last_modified = db_fetch_result($result, 0, "last_modified");
-        $last_unconditional = db_fetch_result($result, 0, "last_unconditional");
-               $cache_images = sql_bool_to_bool(db_fetch_result($result, 0, "cache_images"));
-               $fetch_url = db_fetch_result($result, 0, "feed_url");
-               $feed_language = db_escape_string(mb_strtolower(db_fetch_result($result, 0, "feed_language")));
-               if (!$feed_language) $feed_language = 'english';
+                       $stored_last_modified = $row["last_modified"];
+                       $last_unconditional = $row["last_unconditional"];
+                       $cache_images = sql_bool_to_bool($row["cache_images"]);
+                       $fetch_url = $row["feed_url"];
+                       $feed_language = mb_strtolower($row["feed_language"]);
+                       if (!$feed_language) $feed_language = 'english';
 
-               $feed = db_escape_string($feed);
+               } else {
+                       return false;
+               }
 
                $date_feed_processed = date('Y-m-d H:i');
 
@@ -432,10 +449,8 @@ class RSSUtils {
                        _debug("source last modified: " . $fetch_last_modified, $debug_enabled);
 
                        if ($feed_data && $fetch_last_modified != $stored_last_modified) {
-                               $last_modified_escaped = db_escape_string(substr($fetch_last_modified, 0, 245));
-
-                               db_query("UPDATE ttrss_feeds SET last_modified = '$last_modified_escaped' WHERE id = '$feed'");
-
+                               $sth = $pdo->prepare("UPDATE ttrss_feeds SET last_modified = ? WHERE id = ?");
+                               $sth->execute([substr($fetch_last_modified, 0, 245), $feed]);
                        }
 
                        // cache vanilla feed data for re-use
@@ -455,18 +470,17 @@ class RSSUtils {
 
                        _debug("unable to fetch: $fetch_last_error [$fetch_last_error_code]", $debug_enabled);
 
-                       $error_escaped = '';
-
                        // If-Modified-Since
                        if ($fetch_last_error_code != 304) {
-                               $error_escaped = db_escape_string($fetch_last_error);
+                               $error_message = $fetch_last_error;
                        } else {
                                _debug("source claims data not modified, nothing to do.", $debug_enabled);
+                               $error_message = "";
                        }
 
-                       db_query(
-                               "UPDATE ttrss_feeds SET last_error = '$error_escaped',
-                                       last_updated = NOW() WHERE id = '$feed'");
+                       $sth = $pdo->prepare("UPDATE ttrss_feeds SET last_error = ?,
+                                       last_updated = NOW() WHERE id = ?");
+                       $sth->execute([$error_message, $feed]);
 
                        return;
                }
@@ -478,7 +492,7 @@ class RSSUtils {
                $rss = new FeedParser($feed_data);
                $rss->init();
 
-               $feed = db_escape_string($feed);
+               $feed = $feed;
 
                if (!$rss->error()) {
 
@@ -488,26 +502,27 @@ class RSSUtils {
                        _debug("language: $feed_language", $debug_enabled);
                        _debug("processing feed data...", $debug_enabled);
 
-//                     db_query("BEGIN");
-
                        if (DB_TYPE == "pgsql") {
                                $favicon_interval_qpart = "favicon_last_checked < NOW() - INTERVAL '12 hour'";
                        } else {
                                $favicon_interval_qpart = "favicon_last_checked < DATE_SUB(NOW(), INTERVAL 12 HOUR)";
                        }
 
-                       $result = db_query("SELECT owner_uid,favicon_avg_color,
+                       $sth = $pdo->prepare("SELECT owner_uid,favicon_avg_color,
                                (favicon_last_checked IS NULL OR $favicon_interval_qpart) AS
                                                favicon_needs_check
-                               FROM ttrss_feeds WHERE id = '$feed'");
+                               FROM ttrss_feeds WHERE id = ?");
+                       $sth->execute([$feed]);
 
-                       $favicon_needs_check = sql_bool_to_bool(db_fetch_result($result, 0,
-                               "favicon_needs_check"));
-                       $favicon_avg_color = db_fetch_result($result, 0, "favicon_avg_color");
-
-                       $owner_uid = db_fetch_result($result, 0, "owner_uid");
+                       if ($row = $sth->fetch()) {
+                               $favicon_needs_check = sql_bool_to_bool($row["favicon_needs_check"]);
+                               $favicon_avg_color = $row["favicon_avg_color"];
+                               $owner_uid = $row["owner_uid"];
+                       } else {
+                               return false;
+                       }
 
-                       $site_url = db_escape_string(mb_substr(rewrite_relative_url($fetch_url, $rss->get_link()), 0, 245));
+                       $site_url = mb_substr(rewrite_relative_url($fetch_url, $rss->get_link()), 0, 245);
 
                        _debug("site_url: $site_url", $debug_enabled);
                        _debug("feed_title: " . $rss->get_title(), $debug_enabled);
@@ -528,23 +543,25 @@ class RSSUtils {
                                if ($favicon_modified_new > $favicon_modified)
                                        $favicon_avg_color = '';
 
+                               $favicon_colorstring = "";
                                if (file_exists($favicon_file) && function_exists("imagecreatefromstring") && $favicon_avg_color == '') {
                                        require_once "colors.php";
 
-                                       db_query("UPDATE ttrss_feeds SET favicon_avg_color = 'fail' WHERE
-                                                       id = '$feed'");
+                                       $sth = $pdo->prepare("UPDATE ttrss_feeds SET favicon_avg_color = 'fail' WHERE
+                                                       id = ?");
+                                       $sth->execute([$feed]);
 
-                                       $favicon_color = db_escape_string(
-                                               calculate_avg_color($favicon_file));
+                                       $favicon_color = calculate_avg_color($favicon_file);
+
+                                       $favicon_colorstring = ",favicon_avg_color = " . $pdo->quote($favicon_color);
 
-                                       $favicon_colorstring = ",favicon_avg_color = '".$favicon_color."'";
                                } else if ($favicon_avg_color == 'fail') {
                                        _debug("floicon failed on this file, not trying to recalculate avg color", $debug_enabled);
                                }
 
-                               db_query("UPDATE ttrss_feeds SET favicon_last_checked = NOW()
-                                       $favicon_colorstring
-                                       WHERE id = '$feed'");
+                               $sth = $pdo->prepare("UPDATE ttrss_feeds SET favicon_last_checked = NOW()
+                                       $favicon_colorstring WHERE id = ?");
+                               $sth->execute([$feed]);
                        }
 
                        _debug("loading filters & labels...", $debug_enabled);
@@ -562,10 +579,11 @@ class RSSUtils {
                        if (!is_array($items)) {
                                _debug("no articles found.", $debug_enabled);
 
-                               db_query("UPDATE ttrss_feeds
-                                       SET last_updated = NOW(), last_unconditional = NOW(), last_error = '' WHERE id = '$feed'");
+                               $sth = $pdo->prepare("UPDATE ttrss_feeds
+                                       SET last_updated = NOW(), last_unconditional = NOW(), last_error = '' WHERE id = ?");
+                               $sth->execute([$feed]);
 
-                               return; // no articles
+                               return true; // no articles
                        }
 
                        _debug("processing articles...", $debug_enabled);
@@ -582,20 +600,18 @@ class RSSUtils {
                                        break;
                                }
 
-                               $entry_guid = $item->get_id();
-                               if (!$entry_guid) $entry_guid = $item->get_link();
+                               $entry_guid = strip_tags($item->get_id());
+                               if (!$entry_guid) $entry_guid = strip_tags($item->get_link());
                                if (!$entry_guid) $entry_guid = RSSUtils::make_guid_from_title($item->get_title());
                                if (!$entry_guid) continue;
 
                                $entry_guid = "$owner_uid,$entry_guid";
 
-                               $entry_guid_hashed = db_escape_string('SHA1:' . sha1($entry_guid));
+                               $entry_guid_hashed = 'SHA1:' . sha1($entry_guid);
 
                                _debug("guid $entry_guid / $entry_guid_hashed", $debug_enabled);
 
-                               $entry_timestamp = "";
-
-                               $entry_timestamp = $item->get_date();
+                               $entry_timestamp = strip_tags($item->get_date());
 
                                _debug("orig date: " . $item->get_date(), $debug_enabled);
 
@@ -607,9 +623,7 @@ class RSSUtils {
 
                                _debug("date $entry_timestamp [$entry_timestamp_fmt]", $debug_enabled);
 
-//                             $entry_title = html_entity_decode($item->get_title(), ENT_COMPAT, 'UTF-8');
-//                             $entry_title = decode_numeric_entities($entry_title);
-                               $entry_title = $item->get_title();
+                               $entry_title = strip_tags($item->get_title());
 
                                $entry_link = rewrite_relative_url($site_url, $item->get_link());
 
@@ -627,11 +641,11 @@ class RSSUtils {
                                        print "\n";
                                }
 
-                               $entry_comments = db_escape_string(mb_substr($item->get_comments_url(), 0, 245));
+                               $entry_comments = mb_substr(strip_tags($item->get_comments_url()), 0, 245);
                                $num_comments = (int) $item->get_comments_count();
 
-                               $entry_author = $item->get_author(); // escaped later
-                               $entry_guid = db_escape_string(mb_substr($entry_guid, 0, 245));
+                               $entry_author = strip_tags($item->get_author());
+                               $entry_guid = mb_substr($entry_guid, 0, 245);
 
                                _debug("author $entry_author", $debug_enabled);
                                _debug("num_comments: $num_comments", $debug_enabled);
@@ -658,18 +672,18 @@ class RSSUtils {
 
                                _debug("done collecting data.", $debug_enabled);
 
-                               $result = db_query("SELECT id, content_hash, lang FROM ttrss_entries
-                                       WHERE guid = '".db_escape_string($entry_guid)."' OR guid = '$entry_guid_hashed'");
+                               $sth = $pdo->prepare("SELECT id, content_hash, lang FROM ttrss_entries
+                                       WHERE guid = ? OR guid = ?");
+                               $sth->execute([$entry_guid, $entry_guid_hashed]);
 
-                               if (db_num_rows($result) != 0) {
-                                       $base_entry_id = db_fetch_result($result, 0, "id");
-                                       $entry_stored_hash = db_fetch_result($result, 0, "content_hash");
+                               if ($row = $sth->fetch()) {
+                                       $base_entry_id = $row["id"];
+                                       $entry_stored_hash = $row["content_hash"];
                                        $article_labels = Article::get_article_labels($base_entry_id, $owner_uid);
-                                       $entry_language = db_fetch_result($result, 0, "lang");
+                                       $entry_language = $row["lang"];
 
                                        $existing_tags = Article::get_article_tags($base_entry_id, $owner_uid);
                                        $entry_tags = array_unique(array_merge($entry_tags, $existing_tags));
-
                                } else {
                                        $base_entry_id = false;
                                        $entry_stored_hash = "";
@@ -709,10 +723,9 @@ class RSSUtils {
                                        // dupes when the entry gets purged and reinserted again e.g.
                                        // in the case of SLOW SLOW OMG SLOW updating feeds
 
-                                       $base_entry_id = db_fetch_result($result, 0, "id");
-
-                                       db_query("UPDATE ttrss_entries SET date_updated = NOW()
-                                               WHERE id = '$base_entry_id'");
+                                       $sth = $pdo->prepare("UPDATE ttrss_entries SET date_updated = NOW()
+                                               WHERE id = ?");
+                                       $sth->execute([$base_entry_id]);
 
                                        continue;
                                }
@@ -736,8 +749,6 @@ class RSSUtils {
                                        print "\n";
                                }
 
-                               $entry_plugin_data = db_escape_string($entry_plugin_data);
-
                                _debug("plugin data: $entry_plugin_data", $debug_enabled);
 
                                // Workaround: 4-byte unicode requires utf8mb4 in MySQL. See https://tt-rss.org/forum/viewtopic.php?f=1&t=3377&p=20077#p20077
@@ -802,15 +813,14 @@ class RSSUtils {
                                }
 
                                $entry_tags = $article["tags"];
-                               $entry_guid = db_escape_string($entry_guid);
-                               $entry_title = db_escape_string($article["title"]);
-                               $entry_author = db_escape_string(mb_substr($article["author"], 0, 245));
-                               $entry_link = db_escape_string($article["link"]);
+                               $entry_title = strip_tags($article["title"]);
+                               $entry_author = mb_substr(strip_tags($article["author"]), 0, 245);
+                               $entry_link = strip_tags($article["link"]);
                                $entry_content = $article["content"]; // escaped below
                                $entry_force_catchup = $article["force_catchup"];
                                $article_labels = $article["labels"];
                                $entry_score_modifier = (int) $article["score_modifier"];
-                               $entry_language = db_escape_string($article["language"]);
+                               $entry_language = $article["language"];
 
                                if ($debug_enabled) {
                                        _debug("article labels:", $debug_enabled);
@@ -825,22 +835,19 @@ class RSSUtils {
                                if ($cache_images && is_writable(CACHE_DIR . '/images'))
                                        RSSUtils::cache_media($entry_content, $site_url, $debug_enabled);
 
-                               $entry_content = db_escape_string($entry_content, false);
-
-                               //db_query("BEGIN");
-
-                               $result = db_query("SELECT id FROM      ttrss_entries
-                                       WHERE (guid = '$entry_guid' OR guid = '$entry_guid_hashed')");
+                               $csth = $pdo->prepare("SELECT id FROM ttrss_entries
+                                       WHERE guid = ? OR guid = ?");
+                               $csth->execute([$entry_guid, $entry_guid_hashed]);
 
-                               if (db_num_rows($result) == 0) {
+                               if (!$row = $csth->fetch()) {
 
                                        _debug("base guid [$entry_guid or $entry_guid_hashed] not found, creating...", $debug_enabled);
 
                                        // base post entry does not exist, create it
 
-                                       db_query(
+                                       $usth = $pdo->prepare(
                                                "INSERT INTO ttrss_entries
-                                                       (title,
+                                                       (title, 
                                                        guid,
                                                        link,
                                                        updated,
@@ -855,48 +862,39 @@ class RSSUtils {
                                                        lang,
                                                        author)
                                                VALUES
-                                                       ('$entry_title',
-                                                       '$entry_guid_hashed',
-                                                       '$entry_link',
-                                                       '$entry_timestamp_fmt',
-                                                       '$entry_content',
-                                                       '$entry_current_hash',
+                                                       (?, ?, ?, ?, ?, ?,
                                                        false,
                                                        NOW(),
-                                                       '$date_feed_processed',
-                                                       '$entry_comments',
-                                                       '$num_comments',
-                                                       '$entry_plugin_data',
-                                                       '$entry_language',
-                                                       '$entry_author')");
+                                                       ?, ?, ?, ?,     ?, ?)");
+
+                                               $usth->execute([$entry_title,
+                                                       $entry_guid_hashed,
+                                                       $entry_link,
+                                                       $entry_timestamp_fmt,
+                                                       $entry_content,
+                                                       $entry_current_hash,
+                                                       $date_feed_processed,
+                                                       $entry_comments,
+                                                       $num_comments,
+                                                       $entry_plugin_data,
+                                                       $entry_language,
+                                                       $entry_author]);
 
                                }
 
-                               // now it should exist, if not - bad luck then
-
-                               $result = db_query("SELECT id FROM ttrss_entries
-                                       WHERE guid = '$entry_guid' OR guid = '$entry_guid_hashed'");
+                               $csth->execute([$entry_guid, $entry_guid_hashed]);
 
                                $entry_ref_id = 0;
                                $entry_int_id = 0;
 
-                               if (db_num_rows($result) == 1) {
+                               if ($row = $csth->fetch()) {
 
                                        _debug("base guid found, checking for user record", $debug_enabled);
 
-                                       $ref_id = db_fetch_result($result, 0, "id");
+                                       $ref_id = $row['id'];
                                        $entry_ref_id = $ref_id;
 
-                                       /* $stored_guid = db_fetch_result($result, 0, "guid");
-                                       if ($stored_guid != $entry_guid_hashed) {
-                                               if ($debug_enabled) _debug("upgrading compat guid to hashed one", $debug_enabled);
-
-                                               db_query("UPDATE ttrss_entries SET guid = '$entry_guid_hashed' WHERE
-                                                       id = '$ref_id'");
-                                       } */
-
                                        if (RSSUtils::find_article_filter($article_filters, "filter")) {
-                                               //db_query("COMMIT"); // close transaction in progress
                                                continue;
                                        }
 
@@ -906,103 +904,104 @@ class RSSUtils {
 
                                        // check for user post link to main table
 
-                                       $query = "SELECT ref_id, int_id FROM ttrss_user_entries WHERE
-                                                       ref_id = '$ref_id' AND owner_uid = '$owner_uid'";
-
-//                                     if ($_REQUEST["xdebug"]) print "$query\n";
-
-                                       $result = db_query($query);
+                                       $sth = $pdo->prepare("SELECT ref_id, int_id FROM ttrss_user_entries WHERE
+                                                       ref_id = ? AND owner_uid = ?");
+                                       $sth->execute([$ref_id, $owner_uid]);
 
                                        // okay it doesn't exist - create user entry
-                                       if (db_num_rows($result) == 0) {
+                                       if ($row = $sth->fetch()) {
+                                               $entry_ref_id = $row["ref_id"];
+                                               $entry_int_id = $row["int_id"];
 
+                                               _debug("user record FOUND: RID: $entry_ref_id, IID: $entry_int_id", $debug_enabled);
+                                       } else {
+                                               
                                                _debug("user record not found, creating...", $debug_enabled);
 
                                                if ($score >= -500 && !RSSUtils::find_article_filter($article_filters, 'catchup') && !$entry_force_catchup) {
-                                                       $unread = 'true';
-                                                       $last_read_qpart = 'NULL';
+                                                       $unread = 1;
+                                                       $last_read_qpart = null;
                                                } else {
-                                                       $unread = 'false';
+                                                       $unread = 0;
                                                        $last_read_qpart = 'NOW()';
                                                }
 
                                                if (RSSUtils::find_article_filter($article_filters, 'mark') || $score > 1000) {
-                                                       $marked = 'true';
+                                                       $marked = 1;
                                                } else {
-                                                       $marked = 'false';
+                                                       $marked = 0;
                                                }
 
                                                if (RSSUtils::find_article_filter($article_filters, 'publish')) {
-                                                       $published = 'true';
+                                                       $published = 1;
                                                } else {
-                                                       $published = 'false';
+                                                       $published = 0;
                                                }
 
-                                               $last_marked = ($marked == 'true') ? 'NOW()' : 'NULL';
-                                               $last_published = ($published == 'true') ? 'NOW()' : 'NULL';
+                                               $last_marked = ($marked == 'true') ? 'NOW()' : null;
+                                               $last_published = ($published == 'true') ? 'NOW()' : null;
 
-                                               $result = db_query(
+                                               $sth = $pdo->prepare(
                                                        "INSERT INTO ttrss_user_entries
                                                                (ref_id, owner_uid, feed_id, unread, last_read, marked,
                                                                published, score, tag_cache, label_cache, uuid,
                                                                last_marked, last_published)
-                                                       VALUES ('$ref_id', '$owner_uid', '$feed', $unread,
-                                                               $last_read_qpart, $marked, $published, '$score', '', '',
-                                                               '', $last_marked, $last_published)");
+                                                       VALUES (?, ?, ?, ?, ?, ?, ?, ?, '', '', '', ?, ?)");
 
-                                               $result = db_query(
-                                                       "SELECT int_id FROM ttrss_user_entries WHERE
-                                                               ref_id = '$ref_id' AND owner_uid = '$owner_uid' AND
-                                                               feed_id = '$feed' LIMIT 1");
+                                               $sth->execute([$ref_id, $owner_uid, $feed, $unread, $last_read_qpart, $marked,
+                                                       $published, $score, $last_marked, $last_published]);
 
-                                               if (db_num_rows($result) == 1) {
-                                                       $entry_int_id = db_fetch_result($result, 0, "int_id");
-                                               }
-                                       } else {
-                                               _debug("user record FOUND", $debug_enabled);
+                                               $sth = $pdo->prepare("SELECT int_id FROM ttrss_user_entries WHERE
+                                                               ref_id = ? AND owner_uid = ? AND
+                                                               feed_id = ? LIMIT 1");
 
-                                               $entry_ref_id = db_fetch_result($result, 0, "ref_id");
-                                               $entry_int_id = db_fetch_result($result, 0, "int_id");
+                                               $sth->execute([$ref_id, $owner_uid, $feed]);
+
+                                               if ($row = $sth->fetch())
+                                                       $entry_int_id = $row['int_id'];
                                        }
 
-                                       _debug("RID: $entry_ref_id, IID: $entry_int_id", $debug_enabled);
+                                       _debug("resulting RID: $entry_ref_id, IID: $entry_int_id", $debug_enabled);
 
                                        if (DB_TYPE == "pgsql") {
-                                               $tsvector_combined = db_escape_string(mb_substr($entry_title . ' ' . strip_tags(str_replace('<', ' <', $entry_content)),
-                                                       0, 1000000));
+                                               $tsvector_combined = mb_substr($entry_title . ' ' . strip_tags(str_replace('<', ' <', $entry_content)),
+                                                       0, 1000000);
 
-                                               $tsvector_qpart = "tsvector_combined = to_tsvector('$feed_language', '$tsvector_combined'),";
+                                               $tsvector_qpart = "tsvector_combined = to_tsvector('$feed_language', ".$pdo->quote($tsvector_combined)."),";
 
                                        } else {
                                                $tsvector_qpart = "";
                                        }
 
-                                       db_query("UPDATE ttrss_entries
-                                               SET title = '$entry_title',
-                                                       content = '$entry_content',
-                                                       content_hash = '$entry_current_hash',
-                                                       updated = '$entry_timestamp_fmt',
+                                       $sth = $pdo->prepare("UPDATE ttrss_entries
+                                               SET title = ?,
+                                                       content = ?,
+                                                       content_hash = ?,
+                                                       updated = ?,
                                                        $tsvector_qpart
-                                                       num_comments = '$num_comments',
-                                                       plugin_data = '$entry_plugin_data',
-                                                       author = '$entry_author',
-                                                       lang = '$entry_language'
-                                               WHERE id = '$ref_id'");
+                                                       num_comments = ?,
+                                                       plugin_data = ?,
+                                                       author = ?,
+                                                       lang = ?
+                                               WHERE id = ?");
+
+                                       $sth->execute([$entry_title, $entry_content, $entry_current_hash, $entry_timestamp_fmt,
+                                               $num_comments, $entry_plugin_data, $entry_author, $entry_language, $ref_id]);
 
                                        // update aux data
-                                       db_query("UPDATE ttrss_user_entries
-                                                       SET score = '$score' WHERE ref_id = '$ref_id'");
+                                       $sth = $pdo->prepare("UPDATE ttrss_user_entries
+                                                       SET score = ? WHERE ref_id = ?");
+                                       $sth->execute([$score, $ref_id]);
 
                                        if ($mark_unread_on_update) {
                                                _debug("article updated, marking unread as requested.", $debug_enabled);
 
-                                               db_query("UPDATE ttrss_user_entries
-                                                       SET last_read = null, unread = true WHERE ref_id = '$ref_id'");
+                                               $sth = $pdo->prepare("UPDATE ttrss_user_entries
+                                                       SET last_read = null, unread = true WHERE ref_id = ?");
+                                               $sth->execute([$ref_id]);
                                        }
                                }
 
-                               //db_query("COMMIT");
-
                                _debug("assigning labels [other]...", $debug_enabled);
 
                                foreach ($article_labels as $label) {
@@ -1039,31 +1038,28 @@ class RSSUtils {
                                        print_r($enclosures);
                                }
 
-                               //db_query("BEGIN");
+                               $esth = $pdo->prepare("SELECT id FROM ttrss_enclosures
+                                               WHERE content_url = ? AND post_id = ?");
 
-//                             debugging
-//                             db_query("DELETE FROM ttrss_enclosures WHERE post_id = '$entry_ref_id'");
+                               $usth = $pdo->prepare("INSERT INTO ttrss_enclosures
+                                                       (content_url, content_type, title, duration, post_id, width, height) VALUES
+                                                       (?, ?, ?, ?, ?, ?, ?)");
 
                                foreach ($enclosures as $enc) {
-                                       $enc_url = db_escape_string($enc[0]);
-                                       $enc_type = db_escape_string($enc[1]);
-                                       $enc_dur = db_escape_string($enc[2]);
-                                       $enc_title = db_escape_string($enc[3]);
+                                       $enc_url = $enc[0];
+                                       $enc_type = $enc[1];
+                                       $enc_dur = $enc[2];
+                                       $enc_title = $enc[3];
                                        $enc_width = intval($enc[4]);
                                        $enc_height = intval($enc[5]);
 
-                                       $result = db_query("SELECT id FROM ttrss_enclosures
-                                               WHERE content_url = '$enc_url' AND post_id = '$entry_ref_id'");
+                                       $esth->execute([$enc_url, $entry_ref_id]);
 
-                                       if (db_num_rows($result) == 0) {
-                                               db_query("INSERT INTO ttrss_enclosures
-                                                       (content_url, content_type, title, duration, post_id, width, height) VALUES
-                                                       ('$enc_url', '$enc_type', '$enc_title', '$enc_dur', '$entry_ref_id', $enc_width, $enc_height)");
+                                       if (!$esth->fetch()) {
+                                               $usth->execute([$enc_url, $enc_type, (string)$enc_title, $enc_dur, $entry_ref_id, $enc_width, $enc_height]);
                                        }
                                }
 
-                               //db_query("COMMIT");
-
                                // check for manual tags (we have to do it here since they're loaded from filters)
 
                                foreach ($article_filters as $f) {
@@ -1106,24 +1102,24 @@ class RSSUtils {
 
                                if (count($filtered_tags) > 0) {
 
-                                       //db_query("BEGIN");
+                                       $tsth = $pdo->prepare("SELECT id FROM ttrss_tags
+                                                       WHERE tag_name = ? AND post_int_id = ? AND
+                                                       owner_uid = ? LIMIT 1");
+
+                                       $usth = $pdo->prepare("INSERT INTO ttrss_tags
+                                                                       (owner_uid,tag_name,post_int_id)
+                                                                       VALUES (?, ?, ?)");
 
                                        foreach ($filtered_tags as $tag) {
 
                                                $tag = sanitize_tag($tag);
-                                               $tag = db_escape_string($tag);
 
                                                if (!tag_is_valid($tag)) continue;
 
-                                               $result = db_query("SELECT id FROM ttrss_tags
-                                                       WHERE tag_name = '$tag' AND post_int_id = '$entry_int_id' AND
-                                                       owner_uid = '$owner_uid' LIMIT 1");
-
-                                               if ($result && db_num_rows($result) == 0) {
+                                               $tsth->execute([$tag, $entry_int_id, $owner_uid]);
 
-                                                       db_query("INSERT INTO ttrss_tags
-                                                                       (owner_uid,tag_name,post_int_id)
-                                                                       VALUES ('$owner_uid','$tag', '$entry_int_id')");
+                                               if (!$tsth->fetch()) {
+                                                       $usth->execute([$owner_uid, $tag, $entry_int_id]);
                                                }
 
                                                array_push($tags_to_cache, $tag);
@@ -1133,13 +1129,12 @@ class RSSUtils {
 
                                        $tags_to_cache = array_unique($tags_to_cache);
 
-                                       $tags_str = db_escape_string(join(",", $tags_to_cache));
+                                       $tags_str = join(",", $tags_to_cache);
 
-                                       db_query("UPDATE ttrss_user_entries
-                                               SET tag_cache = '$tags_str' WHERE ref_id = '$entry_ref_id'
-                                               AND owner_uid = $owner_uid");
-
-                                       //db_query("COMMIT");
+                                       $tsth = $pdo->prepare("UPDATE ttrss_user_entries
+                                               SET tag_cache = ? WHERE ref_id = ?
+                                               AND owner_uid = ?");
+                                       $tsth->execute([$tags_str, $entry_ref_id, $owner_uid]);
                                }
 
                                _debug("article processed", $debug_enabled);
@@ -1149,14 +1144,13 @@ class RSSUtils {
 
                        purge_feed($feed, 0, $debug_enabled);
 
-                       db_query("UPDATE ttrss_feeds
-                               SET last_updated = NOW(), last_unconditional = NOW(), last_error = '' WHERE id = '$feed'");
-
-//                     db_query("COMMIT");
+                       $sth = $pdo->prepare("UPDATE ttrss_feeds
+                               SET last_updated = NOW(), last_unconditional = NOW(), last_error = '' WHERE id = ?");
+                       $sth->execute([$feed]);
 
                } else {
 
-                       $error_msg = db_escape_string(mb_substr($rss->error(), 0, 245));
+                       $error_msg = mb_substr($rss->error(), 0, 245);
 
                        _debug("fetch error: $error_msg", $debug_enabled);
 
@@ -1166,12 +1160,12 @@ class RSSUtils {
                                }
                        }
 
-                       db_query(
-                               "UPDATE ttrss_feeds SET last_error = '$error_msg',
-                               last_updated = NOW(), last_unconditional = NOW()   WHERE id = '$feed'");
+                       $sth = $pdo->prepare("UPDATE ttrss_feeds SET last_error = ?,
+                               last_updated = NOW(), last_unconditional = NOW() WHERE id = ?");
+                       $sth->execute([$error_msg, $feed]);
 
                        unset($rss);
-                       return;
+                       return false;
                }
 
                _debug("done", $debug_enabled);
@@ -1240,14 +1234,15 @@ class RSSUtils {
        static function expire_error_log($debug) {
                if ($debug) _debug("Removing old error log entries...");
 
+               $pdo = Db::pdo();
+
                if (DB_TYPE == "pgsql") {
-                       db_query("DELETE FROM ttrss_error_log
+                       $pdo->query("DELETE FROM ttrss_error_log
                                WHERE created_at < NOW() - INTERVAL '7 days'");
                } else {
-                       db_query("DELETE FROM ttrss_error_log
+                       $pdo->query("DELETE FROM ttrss_error_log
                                WHERE created_at < DATE_SUB(NOW(), INTERVAL 7 DAY)");
                }
-
        }
 
        static function expire_lock_files($debug) {
@@ -1454,19 +1449,23 @@ class RSSUtils {
        }
 
        static function cleanup_counters_cache($debug) {
-               $result = db_query("DELETE FROM ttrss_counters_cache
+               $pdo = Db::pdo();
+
+               $res = $pdo->query("DELETE FROM ttrss_counters_cache
                        WHERE feed_id > 0 AND
                        (SELECT COUNT(id) FROM ttrss_feeds WHERE
                                id = feed_id AND
                                ttrss_counters_cache.owner_uid = ttrss_feeds.owner_uid) = 0");
-               $frows = db_affected_rows($result);
 
-               $result = db_query("DELETE FROM ttrss_cat_counters_cache
+               $frows = $res->rowCount();
+
+               $res = $pdo->query("DELETE FROM ttrss_cat_counters_cache
                        WHERE feed_id > 0 AND
                        (SELECT COUNT(id) FROM ttrss_feed_categories WHERE
                                id = feed_id AND
                                ttrss_cat_counters_cache.owner_uid = ttrss_feed_categories.owner_uid) = 0");
-               $crows = db_affected_rows($result);
+
+               $crows = $res->rowCount();
 
                if ($debug) _debug("Removed $frows (feeds) $crows (cats) orphaned counter cache entries.");
        }
web-based news feed (RSS/Atom) reader and aggregator; see https://tt-rss.org/