
db_escape_string: specify link parameter for consistency; sessions: do not force-close db connection in _close()

Andrew Dolgov
2013-03-22 09:14:55 +04:00
parent 9d9432dab8
commit 3972bf5981
40 changed files with 342 additions and 350 deletions


@@ -14,8 +14,8 @@ class Pref_Feeds extends Handler_Protected {
}
function renamecat() {
$title = db_escape_string($_REQUEST['title']);
$id = db_escape_string($_REQUEST['id']);
$title = db_escape_string($this->link, $_REQUEST['title']);
$id = db_escape_string($this->link, $_REQUEST['id']);
if ($title) {
db_query($this->link, "UPDATE ttrss_feed_categories SET
@@ -293,7 +293,7 @@ class Pref_Feeds extends Handler_Protected {
if ($item_id != 'root') {
if ($parent_id && $parent_id != 'root') {
$parent_bare_id = substr($parent_id, strpos($parent_id, ':')+1);
$parent_qpart = db_escape_string($parent_bare_id);
$parent_qpart = db_escape_string($this->link, $parent_bare_id);
} else {
$parent_qpart = 'NULL';
}
@@ -319,7 +319,7 @@ class Pref_Feeds extends Handler_Protected {
if (strpos($id, "FEED") === 0) {
$cat_id = ($item_id != "root") ?
db_escape_string($bare_item_id) : "NULL";
db_escape_string($this->link, $bare_item_id) : "NULL";
$cat_qpart = ($cat_id != 0) ? "cat_id = '$cat_id'" :
"cat_id = NULL";
@@ -334,7 +334,7 @@ class Pref_Feeds extends Handler_Protected {
$nest_level+1);
if ($item_id != 'root') {
$parent_qpart = db_escape_string($bare_id);
$parent_qpart = db_escape_string($this->link, $bare_id);
} else {
$parent_qpart = 'NULL';
}
@@ -424,7 +424,7 @@ class Pref_Feeds extends Handler_Protected {
}
function removeicon() {
$feed_id = db_escape_string($_REQUEST["feed_id"]);
$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
$result = db_query($this->link, "SELECT id FROM ttrss_feeds
WHERE id = '$feed_id' AND owner_uid = ". $_SESSION["uid"]);
@@ -440,7 +440,7 @@ class Pref_Feeds extends Handler_Protected {
header("Content-type: text/html");
$icon_file = $_FILES['icon_file']['tmp_name'];
$feed_id = db_escape_string($_REQUEST["feed_id"]);
$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
if (is_file($icon_file) && $feed_id) {
if (filesize($icon_file) < 20000) {
@@ -472,7 +472,7 @@ class Pref_Feeds extends Handler_Protected {
global $purge_intervals;
global $update_intervals;
$feed_id = db_escape_string($_REQUEST["id"]);
$feed_id = db_escape_string($this->link, $_REQUEST["id"]);
$result = db_query($this->link,
"SELECT * FROM ttrss_feeds WHERE id = '$feed_id' AND
@@ -708,7 +708,7 @@ class Pref_Feeds extends Handler_Protected {
global $purge_intervals;
global $update_intervals;
$feed_ids = db_escape_string($_REQUEST["ids"]);
$feed_ids = db_escape_string($this->link, $_REQUEST["ids"]);
print "<div class=\"dialogNotice\">" . __("Enable the options you wish to apply using checkboxes on the right:") . "</div>";
@@ -862,27 +862,27 @@ class Pref_Feeds extends Handler_Protected {
function editsaveops($batch) {
$feed_title = db_escape_string(trim($_POST["title"]));
$feed_link = db_escape_string(trim($_POST["feed_url"]));
$upd_intl = (int) db_escape_string($_POST["update_interval"]);
$purge_intl = (int) db_escape_string($_POST["purge_interval"]);
$feed_id = (int) db_escape_string($_POST["id"]); /* editSave */
$feed_ids = db_escape_string($_POST["ids"]); /* batchEditSave */
$cat_id = (int) db_escape_string($_POST["cat_id"]);
$auth_login = db_escape_string(trim($_POST["auth_login"]));
$auth_pass = db_escape_string(trim($_POST["auth_pass"]));
$private = checkbox_to_sql_bool(db_escape_string($_POST["private"]));
$feed_title = db_escape_string($this->link, trim($_POST["title"]));
$feed_link = db_escape_string($this->link, trim($_POST["feed_url"]));
$upd_intl = (int) db_escape_string($this->link, $_POST["update_interval"]);
$purge_intl = (int) db_escape_string($this->link, $_POST["purge_interval"]);
$feed_id = (int) db_escape_string($this->link, $_POST["id"]); /* editSave */
$feed_ids = db_escape_string($this->link, $_POST["ids"]); /* batchEditSave */
$cat_id = (int) db_escape_string($this->link, $_POST["cat_id"]);
$auth_login = db_escape_string($this->link, trim($_POST["auth_login"]));
$auth_pass = db_escape_string($this->link, trim($_POST["auth_pass"]));
$private = checkbox_to_sql_bool(db_escape_string($this->link, $_POST["private"]));
$include_in_digest = checkbox_to_sql_bool(
db_escape_string($_POST["include_in_digest"]));
db_escape_string($this->link, $_POST["include_in_digest"]));
$cache_images = checkbox_to_sql_bool(
db_escape_string($_POST["cache_images"]));
db_escape_string($this->link, $_POST["cache_images"]));
$hide_images = checkbox_to_sql_bool(
db_escape_string($_POST["hide_images"]));
db_escape_string($this->link, $_POST["hide_images"]));
$always_display_enclosures = checkbox_to_sql_bool(
db_escape_string($_POST["always_display_enclosures"]));
db_escape_string($this->link, $_POST["always_display_enclosures"]));
$mark_unread_on_update = checkbox_to_sql_bool(
db_escape_string($_POST["mark_unread_on_update"]));
db_escape_string($this->link, $_POST["mark_unread_on_update"]));
if (get_pref($this->link, 'ENABLE_FEED_CATS')) {
if ($cat_id && $cat_id != 0) {
@@ -999,7 +999,7 @@ class Pref_Feeds extends Handler_Protected {
function resetPubSub() {
$ids = db_escape_string($_REQUEST["ids"]);
$ids = db_escape_string($this->link, $_REQUEST["ids"]);
db_query($this->link, "UPDATE ttrss_feeds SET pubsub_state = 0 WHERE id IN ($ids)
AND owner_uid = " . $_SESSION["uid"]);
@@ -1009,7 +1009,7 @@ class Pref_Feeds extends Handler_Protected {
function remove() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
$this->remove_feed($this->link, $id, $_SESSION["uid"]);
@@ -1019,14 +1019,14 @@ class Pref_Feeds extends Handler_Protected {
}
function clear() {
$id = db_escape_string($_REQUEST["id"]);
$id = db_escape_string($this->link, $_REQUEST["id"]);
$this->clear_feed_articles($this->link, $id);
}
function rescore() {
require_once "rssfuncs.php";
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
@@ -1132,9 +1132,9 @@ class Pref_Feeds extends Handler_Protected {
}
function categorize() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
$cat_id = db_escape_string($_REQUEST["cat_id"]);
$cat_id = db_escape_string($this->link, $_REQUEST["cat_id"]);
if ($cat_id == 0) {
$cat_id_qpart = 'NULL';
@@ -1156,14 +1156,14 @@ class Pref_Feeds extends Handler_Protected {
}
function removeCat() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
$this->remove_feed_category($this->link, $id, $_SESSION["uid"]);
}
}
function addCat() {
$feed_cat = db_escape_string(trim($_REQUEST["cat"]));
$feed_cat = db_escape_string($this->link, trim($_REQUEST["cat"]));
add_feed_category($this->link, $feed_cat);
}
@@ -1205,7 +1205,7 @@ class Pref_Feeds extends Handler_Protected {
__("Inactive feeds") . "</button>";
}
$feed_search = db_escape_string($_REQUEST["search"]);
$feed_search = db_escape_string($this->link, $_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_feed_search"] = $feed_search;
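Review bot: Adding the link argument does not change what db_escape_string can do for `$ids` in resetPubSub: on the line `db_query($this->link, "UPDATE ttrss_feeds SET pubsub_state = 0 WHERE id IN ($ids)` the value is interpolated unquoted, so escaping quote characters does not constrain it, and the ids in remove(), rescore() and categorize() are split and handed to helpers whose SQL is not visible here, so they are likely in the same position. Coercing each id to an integer before it reaches SQL closes that gap independently of escaping: `$ids = implode(",", array_map("intval", explode(",", $_REQUEST["ids"])));` in resetPubSub, and `$ids = array_map("intval", explode(",", $_REQUEST["ids"]));` in the split-based handlers. Those handlers also still call `split()`, which is deprecated since PHP 5.3, while join() in Pref_Filters in this same commit already uses `explode()`. The enclosing methods start and end outside the hunks.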


@@ -13,7 +13,7 @@ class Pref_Filters extends Handler_Protected {
$filter["enabled"] = true;
$filter["match_any_rule"] = sql_bool_to_bool(
checkbox_to_sql_bool(db_escape_string($_REQUEST["match_any_rule"])));
checkbox_to_sql_bool(db_escape_string($this->link, $_REQUEST["match_any_rule"])));
$filter["rules"] = array();
$result = db_query($this->link, "SELECT id,name FROM ttrss_filter_types");
@@ -168,7 +168,7 @@ class Pref_Filters extends Handler_Protected {
if ($line['action_id'] == 7) {
$label_result = db_query($this->link, "SELECT fg_color, bg_color
FROM ttrss_labels2 WHERE caption = '".db_escape_string($line['action_param'])."' AND
FROM ttrss_labels2 WHERE caption = '".db_escape_string($this->link, $line['action_param'])."' AND
owner_uid = " . $_SESSION["uid"]);
if (db_num_rows($label_result) > 0) {
@@ -207,7 +207,7 @@ class Pref_Filters extends Handler_Protected {
function edit() {
$filter_id = db_escape_string($_REQUEST["id"]);
$filter_id = db_escape_string($this->link, $_REQUEST["id"]);
$result = db_query($this->link,
"SELECT * FROM ttrss_filters2 WHERE id = '$filter_id' AND owner_uid = " . $_SESSION["uid"]);
@@ -403,9 +403,9 @@ class Pref_Filters extends Handler_Protected {
# print_r($_REQUEST);
$filter_id = db_escape_string($_REQUEST["id"]);
$enabled = checkbox_to_sql_bool(db_escape_string($_REQUEST["enabled"]));
$match_any_rule = checkbox_to_sql_bool(db_escape_string($_REQUEST["match_any_rule"]));
$filter_id = db_escape_string($this->link, $_REQUEST["id"]);
$enabled = checkbox_to_sql_bool(db_escape_string($this->link, $_REQUEST["enabled"]));
$match_any_rule = checkbox_to_sql_bool(db_escape_string($this->link, $_REQUEST["match_any_rule"]));
$result = db_query($this->link, "UPDATE ttrss_filters2 SET enabled = $enabled,
match_any_rule = $match_any_rule
@@ -418,7 +418,7 @@ class Pref_Filters extends Handler_Protected {
function remove() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
db_query($this->link, "DELETE FROM ttrss_filters2 WHERE id = '$id' AND owner_uid = ". $_SESSION["uid"]);
@@ -457,9 +457,9 @@ class Pref_Filters extends Handler_Protected {
foreach ($rules as $rule) {
if ($rule) {
$reg_exp = strip_tags(db_escape_string(trim($rule["reg_exp"])));
$filter_type = (int) db_escape_string(trim($rule["filter_type"]));
$feed_id = db_escape_string(trim($rule["feed_id"]));
$reg_exp = strip_tags(db_escape_string($this->link, trim($rule["reg_exp"])));
$filter_type = (int) db_escape_string($this->link, trim($rule["filter_type"]));
$feed_id = db_escape_string($this->link, trim($rule["feed_id"]));
if (strpos($feed_id, "CAT:") === 0) {
@@ -487,9 +487,9 @@ class Pref_Filters extends Handler_Protected {
foreach ($actions as $action) {
if ($action) {
$action_id = (int) db_escape_string($action["action_id"]);
$action_param = db_escape_string($action["action_param"]);
$action_param_label = db_escape_string($action["action_param_label"]);
$action_id = (int) db_escape_string($this->link, $action["action_id"]);
$action_param = db_escape_string($this->link, $action["action_param"]);
$action_param_label = db_escape_string($this->link, $action["action_param_label"]);
if ($action_id == 7) {
$action_param = $action_param_label;
@@ -541,13 +541,13 @@ class Pref_Filters extends Handler_Protected {
function index() {
$sort = db_escape_string($_REQUEST["sort"]);
$sort = db_escape_string($this->link, $_REQUEST["sort"]);
if (!$sort || $sort == "undefined") {
$sort = "reg_exp";
}
$filter_search = db_escape_string($_REQUEST["search"]);
$filter_search = db_escape_string($this->link, $_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_filter_search"] = $filter_search;
@@ -559,7 +559,7 @@ class Pref_Filters extends Handler_Protected {
print "<div id=\"pref-filter-header\" dojoType=\"dijit.layout.ContentPane\" region=\"top\">";
print "<div id=\"pref-filter-toolbar\" dojoType=\"dijit.Toolbar\">";
$filter_search = db_escape_string($_REQUEST["search"]);
$filter_search = db_escape_string($this->link, $_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_filter_search"] = $filter_search;
@@ -806,7 +806,7 @@ class Pref_Filters extends Handler_Protected {
$action = json_decode($_REQUEST["action"], true);
if ($action) {
$action_param = db_escape_string($action["action_param"]);
$action_param = db_escape_string($this->link, $action["action_param"]);
$action_id = (int)$action["action_id"];
} else {
$action_param = "";
@@ -914,7 +914,7 @@ class Pref_Filters extends Handler_Protected {
}
function join() {
$ids = explode(",", db_escape_string($_REQUEST["ids"]));
$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
if (count($ids) > 1) {
$base_id = array_shift($ids);
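Review bot: `$sort = db_escape_string($this->link, $_REQUEST["sort"]);` in index() only neutralises quote characters, and a sort key is normally spliced into ORDER BY unquoted, so escaping does not restrict it; the fallback to `"reg_exp"` on the following lines suggests the value is a column name. Replacing the escape with an allow-list of accepted column names, e.g. `$sort = in_array($_REQUEST["sort"], ["reg_exp", /* other accepted columns */], true) ? $_REQUEST["sort"] : "reg_exp";`, makes the accepted values explicit regardless of how the string is used later. The same pattern appears in index() of Pref_Labels and Pref_Users in this commit. Separately, in the rules loop `strip_tags()` is applied after db_escape_string; escaping should be the last transformation before the value reaches the query, so `$reg_exp = db_escape_string($this->link, strip_tags(trim($rule["reg_exp"])));` is the safer order. Where `$sort` is consumed is outside the hunk.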


@@ -8,7 +8,7 @@ class Pref_Labels extends Handler_Protected {
}
function edit() {
$label_id = db_escape_string($_REQUEST['id']);
$label_id = db_escape_string($this->link, $_REQUEST['id']);
$result = db_query($this->link, "SELECT * FROM ttrss_labels2 WHERE
id = '$label_id' AND owner_uid = " . $_SESSION["uid"]);
@@ -118,11 +118,11 @@ class Pref_Labels extends Handler_Protected {
}
function colorset() {
$kind = db_escape_string($_REQUEST["kind"]);
$ids = split(',', db_escape_string($_REQUEST["ids"]));
$color = db_escape_string($_REQUEST["color"]);
$fg = db_escape_string($_REQUEST["fg"]);
$bg = db_escape_string($_REQUEST["bg"]);
$kind = db_escape_string($this->link, $_REQUEST["kind"]);
$ids = split(',', db_escape_string($this->link, $_REQUEST["ids"]));
$color = db_escape_string($this->link, $_REQUEST["color"]);
$fg = db_escape_string($this->link, $_REQUEST["fg"]);
$bg = db_escape_string($this->link, $_REQUEST["bg"]);
foreach ($ids as $id) {
@@ -136,7 +136,7 @@ class Pref_Labels extends Handler_Protected {
AND owner_uid = " . $_SESSION["uid"]);
}
$caption = db_escape_string(label_find_caption($this->link, $id, $_SESSION["uid"]));
$caption = db_escape_string($this->link, label_find_caption($this->link, $id, $_SESSION["uid"]));
/* Remove cached data */
@@ -149,14 +149,14 @@ class Pref_Labels extends Handler_Protected {
}
function colorreset() {
$ids = split(',', db_escape_string($_REQUEST["ids"]));
$ids = split(',', db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
db_query($this->link, "UPDATE ttrss_labels2 SET
fg_color = '', bg_color = '' WHERE id = '$id'
AND owner_uid = " . $_SESSION["uid"]);
$caption = db_escape_string(label_find_caption($this->link, $id, $_SESSION["uid"]));
$caption = db_escape_string($this->link, label_find_caption($this->link, $id, $_SESSION["uid"]));
/* Remove cached data */
@@ -168,8 +168,8 @@ class Pref_Labels extends Handler_Protected {
function save() {
$id = db_escape_string($_REQUEST["id"]);
$caption = db_escape_string(trim($_REQUEST["caption"]));
$id = db_escape_string($this->link, $_REQUEST["id"]);
$caption = db_escape_string($this->link, trim($_REQUEST["caption"]));
db_query($this->link, "BEGIN");
@@ -190,7 +190,7 @@ class Pref_Labels extends Handler_Protected {
/* Update filters that reference label being renamed */
$old_caption = db_escape_string($old_caption);
$old_caption = db_escape_string($this->link, $old_caption);
db_query($this->link, "UPDATE ttrss_filters2_actions SET
action_param = '$caption' WHERE action_param = '$old_caption'
@@ -213,7 +213,7 @@ class Pref_Labels extends Handler_Protected {
function remove() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
label_remove($this->link, $id, $_SESSION["uid"]);
@@ -222,8 +222,8 @@ class Pref_Labels extends Handler_Protected {
}
function add() {
$caption = db_escape_string($_REQUEST["caption"]);
$output = db_escape_string($_REQUEST["output"]);
$caption = db_escape_string($this->link, $_REQUEST["caption"]);
$output = db_escape_string($this->link, $_REQUEST["output"]);
if ($caption) {
@@ -250,13 +250,13 @@ class Pref_Labels extends Handler_Protected {
function index() {
$sort = db_escape_string($_REQUEST["sort"]);
$sort = db_escape_string($this->link, $_REQUEST["sort"]);
if (!$sort || $sort == "undefined") {
$sort = "caption";
}
$label_search = db_escape_string($_REQUEST["search"]);
$label_search = db_escape_string($this->link, $_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_label_search"] = $label_search;
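Review bot: colorset() stores `$color`, `$fg` and `$bg` after SQL escaping only, so any string that is not SQL-significant is accepted as a colour value; the fg_color/bg_color columns are read back elsewhere (the Pref_Filters hunk in this commit selects them) and presumably end up in generated markup or style attributes, where SQL escaping offers no protection. Validating the value's shape before the UPDATE (for example a hex-colour pattern, or the empty string that colorreset() writes) keeps the stored data well-formed independently of the output side; a comment such as `// colour values are rendered into HTML/CSS elsewhere; validate the format here, escaping only covers SQL` would at least record the assumption. The colorset() body continues outside the hunk, so where the colours are written is not visible here.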


@@ -50,8 +50,8 @@ class Pref_Prefs extends Handler_Protected {
foreach (array_keys($_POST) as $pref_name) {
$pref_name = db_escape_string($pref_name);
$value = db_escape_string($_POST[$pref_name]);
$pref_name = db_escape_string($this->link, $pref_name);
$value = db_escape_string($this->link, $_POST[$pref_name]);
if ($pref_name == 'DIGEST_PREFERRED_TIME') {
if (get_pref($this->link, 'DIGEST_PREFERRED_TIME') != $value) {
@@ -71,7 +71,7 @@ class Pref_Prefs extends Handler_Protected {
function getHelp() {
$pref_name = db_escape_string($_REQUEST["pn"]);
$pref_name = db_escape_string($this->link, $_REQUEST["pn"]);
$result = db_query($this->link, "SELECT help_text FROM ttrss_prefs
WHERE pref_name = '$pref_name'");
@@ -86,8 +86,8 @@ class Pref_Prefs extends Handler_Protected {
function changeemail() {
$email = db_escape_string($_POST["email"]);
$full_name = db_escape_string($_POST["full_name"]);
$email = db_escape_string($this->link, $_POST["email"]);
$full_name = db_escape_string($this->link, $_POST["full_name"]);
$active_uid = $_SESSION["uid"];
@@ -798,7 +798,7 @@ class Pref_Prefs extends Handler_Protected {
}
function otpenable() {
$password = db_escape_string($_REQUEST["password"]);
$password = db_escape_string($this->link, $_REQUEST["password"]);
$enable_otp = $_REQUEST["enable_otp"] == "on";
global $pluginhost;
@@ -819,7 +819,7 @@ class Pref_Prefs extends Handler_Protected {
}
function otpdisable() {
$password = db_escape_string($_REQUEST["password"]);
$password = db_escape_string($this->link, $_REQUEST["password"]);
global $pluginhost;
$authenticator = $pluginhost->get_plugin($_SESSION["auth_module"]);
@@ -846,7 +846,7 @@ class Pref_Prefs extends Handler_Protected {
}
function clearplugindata() {
$name = db_escape_string($_REQUEST["name"]);
$name = db_escape_string($this->link, $_REQUEST["name"]);
global $pluginhost;
$pluginhost->clear_data($pluginhost->get_plugin($name));
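Review bot: In the preferences loop the escaped name is reused as the array key: `$pref_name = db_escape_string($this->link, $pref_name);` is followed by `$value = db_escape_string($this->link, $_POST[$pref_name]);`, so a key that escaping alters (one containing a quote or backslash) no longer matches and the lookup reads an undefined index. Iterating key and value together avoids the double use: `foreach ($_POST as $pref_name => $value) {`, then `$pref_name = db_escape_string($this->link, $pref_name);` and `$value = db_escape_string($this->link, $value);`. In otpenable()/otpdisable() the password is escaped before it reaches the authenticator; if that check hashes or compares the value rather than embedding it in SQL, escaping changes passwords containing quotes or backslashes, so a comment stating which it is would help, as the call is outside the hunk.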


@@ -116,7 +116,7 @@ class Pref_Users extends Handler_Protected {
header("Content-Type: text/xml");
$id = db_escape_string($_REQUEST["id"]);
$id = db_escape_string($this->link, $_REQUEST["id"]);
print "<dlg id=\"$method\">";
print "<title>".__('User Editor')."</title>";
@@ -199,11 +199,11 @@ class Pref_Users extends Handler_Protected {
}
function editSave() {
$login = db_escape_string(trim($_REQUEST["login"]));
$uid = db_escape_string($_REQUEST["id"]);
$login = db_escape_string($this->link, trim($_REQUEST["login"]));
$uid = db_escape_string($this->link, $_REQUEST["id"]);
$access_level = (int) $_REQUEST["access_level"];
$email = db_escape_string(trim($_REQUEST["email"]));
$password = db_escape_string(trim($_REQUEST["password"]));
$email = db_escape_string($this->link, trim($_REQUEST["email"]));
$password = db_escape_string($this->link, trim($_REQUEST["password"]));
if ($password) {
$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
@@ -220,7 +220,7 @@ class Pref_Users extends Handler_Protected {
}
function remove() {
$ids = split(",", db_escape_string($_REQUEST["ids"]));
$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
foreach ($ids as $id) {
if ($id != $_SESSION["uid"] && $id != 1) {
@@ -233,7 +233,7 @@ class Pref_Users extends Handler_Protected {
function add() {
$login = db_escape_string(trim($_REQUEST["login"]));
$login = db_escape_string($this->link, trim($_REQUEST["login"]));
$tmp_user_pwd = make_password(8);
$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
$pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
@@ -272,7 +272,7 @@ class Pref_Users extends Handler_Protected {
function resetPass() {
$uid = db_escape_string($_REQUEST["id"]);
$uid = db_escape_string($this->link, $_REQUEST["id"]);
$result = db_query($this->link, "SELECT login,email
FROM ttrss_users WHERE id = '$uid'");
@@ -353,7 +353,7 @@ class Pref_Users extends Handler_Protected {
print "<div id=\"pref-user-toolbar\" dojoType=\"dijit.Toolbar\">";
$user_search = db_escape_string($_REQUEST["search"]);
$user_search = db_escape_string($this->link, $_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_user_search"] = $user_search;
@@ -368,7 +368,7 @@ class Pref_Users extends Handler_Protected {
__('Search')."</button>
</div>";
$sort = db_escape_string($_REQUEST["sort"]);
$sort = db_escape_string($this->link, $_REQUEST["sort"]);
if (!$sort || $sort == "undefined") {
$sort = "login";