some minor PDO-related fixes
authorAndrew Dolgov <noreply@fakecake.org>
Fri, 1 Dec 2017 15:26:53 +0000 (18:26 +0300)
committerAndrew Dolgov <noreply@fakecake.org>
Fri, 1 Dec 2017 15:26:53 +0000 (18:26 +0300)
include/functions.php

index e7d74df04e23727b33c30c9e5d86f351ad38edec..be8cba41fa5e06d3e2d3771105e7bcad3e20e04b 100644 (file)
                else
                    $query_limit = "";
 
+               $purge_interval = (int) $purge_interval;
+
                if (DB_TYPE == "pgsql") {
                        $sth = $pdo->prepare("DELETE FROM ttrss_user_entries
                                USING ttrss_entries
                                marked = false AND
                                feed_id = ? AND
                                $query_limit
-                               ttrss_entries.date_updated < NOW() - INTERVAL ? days");
-                       $sth->execute([$feed_id, $purge_interval]);
+                               ttrss_entries.date_updated < NOW() - INTERVAL '$purge_interval days'");
+                       $sth->execute([$feed_id]);
 
                } else {
             $sth  = $pdo->prepare("DELETE FROM ttrss_user_entries
                                marked = false AND
                                feed_id = ? AND
                                $query_limit
-                               ttrss_entries.date_updated < DATE_SUB(NOW(), INTERVAL ? DAY)");
-            $sth->execute([$feed_id, $purge_interval]);
+                               ttrss_entries.date_updated < DATE_SUB(NOW(), INTERVAL $purge_interval DAY)");
+            $sth->execute([$feed_id]);
 
                }
 
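Review bot: The `(int)` cast on the added line is the only thing that keeps the interpolated `$purge_interval` in both DELETE statements safe, and nothing in the hunk says so; a comment such as `// (int) cast is required: $purge_interval is interpolated into the query strings below` would stop a later edit from dropping it. The placeholder could also be kept instead of removed: PostgreSQL accepts integer-times-interval arithmetic, so `ttrss_entries.date_updated < NOW() - ? * INTERVAL '1 day'` with `$sth->execute([$feed_id, $purge_interval]);` should bind cleanly, and MySQL's `DATE_SUB(NOW(), INTERVAL ? DAY)` generally works with a bound integer as well. Note that a non-numeric or empty value casts to 0, which turns the predicate into `date_updated < NOW()` and purges every unmarked entry of the feed; presumably the caller guards against a zero interval earlier, but the enclosing function starts before this hunk and that guard is not visible here.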
 
        function initialize_user_prefs($uid, $profile = false) {
 
-               $uid = db_escape_string($uid);
-
                if (get_schema_version() < 63) $profile_qpart = "";
 
         $pdo = DB::pdo();
                        if (array_search($line["pref_name"], $active_prefs) === FALSE) {
 //                             print "adding " . $line["pref_name"] . "<br>";
 
-                               $line["def_value"] = db_escape_string($line["def_value"]);
-                               $line["pref_name"] = db_escape_string($line["pref_name"]);
-
                                if (get_schema_version() < 63) {
                                        $i_sth = $pdo->prepare("INSERT INTO ttrss_user_prefs
                                                (owner_uid,pref_name,value) VALUES
                $search_words = array();
                $search_query_leftover = array();
 
+               $pdo = Db::pdo();
+               
                if ($search_language)
-                       $search_language = db_escape_string(mb_strtolower($search_language));
+                       $search_language = $pdo->quote(mb_strtolower($search_language));
                else
                        $search_language = "english";
 
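Review bot: `$pdo->quote()` is not a drop-in replacement for `db_escape_string()`: it returns the value already wrapped in single quotes, so after the added `$search_language` assignment the if-branch holds a quoted literal while the else-branch holds the bare word `english`, and however the later interpolation of `$search_language` (outside this hunk) is written, one of the two branches produces wrong SQL. The same mismatch breaks the LIKE patterns in the next three hunks (title, author, note), where the quote() output is spliced between the literal `'%` and `%'`, yielding `'%'foo'%'`, a syntax error at best. Quote the whole pattern instead, e.g. `"($not (LOWER(ttrss_entries.title) LIKE " . $pdo->quote('%' . mb_strtolower($commandpair[1]) . '%') . "))"`, and check how `$search_query_leftover` from the last hunk is consumed, since it gets the same treatment. Binding these fragments as `?` placeholders would be the cleaner long-term fix, but that requires carrying a parameter list alongside the assembled query string. The enclosing function starts before and ends after this hunk.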
                                case "title":
                                        if ($commandpair[1]) {
                                                array_push($query_keywords, "($not (LOWER(ttrss_entries.title) LIKE '%".
-                                                       db_escape_string(mb_strtolower($commandpair[1]))."%'))");
+                                                       $pdo->quote(mb_strtolower($commandpair[1]))."%'))");
                                        } else {
                                                array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%')
                                                                OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))");
                                case "author":
                                        if ($commandpair[1]) {
                                                array_push($query_keywords, "($not (LOWER(author) LIKE '%".
-                                                       db_escape_string(mb_strtolower($commandpair[1]))."%'))");
+                                                       $pdo->quote(mb_strtolower($commandpair[1]))."%'))");
                                        } else {
                                                array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%')
                                                                OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))");
                                                        array_push($query_keywords, "($not (note IS NULL OR note = ''))");
                                                else
                                                        array_push($query_keywords, "($not (LOWER(note) LIKE '%".
-                                                               db_escape_string(mb_strtolower($commandpair[1]))."%'))");
+                                                               $pdo->quote(mb_strtolower($commandpair[1]))."%'))");
                                        } else {
                                                array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%')
                                                                OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))");
                }
 
                if (count($search_query_leftover) > 0) {
-                       $search_query_leftover = db_escape_string(implode(" & ", $search_query_leftover));
+                       $search_query_leftover = $pdo->quote(implode(" & ", $search_query_leftover));
 
                        if (DB_TYPE == "pgsql") {
                                array_push($query_keywords,