diff options
Diffstat (limited to 'classes/pref/feeds.php')
| -rw-r--r-- | classes/pref/feeds.php | 1063 |
1 files changed, 437 insertions, 626 deletions
diff --git a/classes/pref/feeds.php b/classes/pref/feeds.php index 2a9c57e79..846e814ee 100644 --- a/classes/pref/feeds.php +++ b/classes/pref/feeds.php @@ -17,35 +17,34 @@ class Pref_Feeds extends Handler_Protected { } function renamecat() { - $title = $this->dbh->escape_string($_REQUEST['title']); - $id = $this->dbh->escape_string($_REQUEST['id']); + $title = clean($_REQUEST['title']); + $id = clean($_REQUEST['id']); if ($title) { - $this->dbh->query("UPDATE ttrss_feed_categories SET - title = '$title' WHERE id = '$id' AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_feed_categories SET + title = ? WHERE id = ? AND owner_uid = ?"); + $sth->execute([$title, $id, $_SESSION['uid']]); } - return; } private function get_category_items($cat_id) { - if ($_REQUEST['mode'] != 2) + if (clean($_REQUEST['mode']) != 2) $search = $_SESSION["prefs_feed_search"]; else $search = ""; - if ($search) $search_qpart = " AND (LOWER(title) LIKE LOWER('%$search%') OR LOWER(feed_url) LIKE LOWER('%$search%'))"; - // first one is set by API - $show_empty_cats = $_REQUEST['force_show_empty'] || - ($_REQUEST['mode'] != 2 && !$search); + $show_empty_cats = clean($_REQUEST['force_show_empty']) || + (clean($_REQUEST['mode']) != 2 && !$search); $items = array(); - $result = $this->dbh->query("SELECT id, title FROM ttrss_feed_categories - WHERE owner_uid = " . $_SESSION["uid"] . " AND parent_cat = '$cat_id' ORDER BY order_id, title"); + $sth = $this->pdo->prepare("SELECT id, title FROM ttrss_feed_categories + WHERE owner_uid = ? AND parent_cat = ? ORDER BY order_id, title"); + $sth->execute([$_SESSION['uid'], $cat_id]); - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $sth->fetch()) { $cat = array(); $cat['id'] = 'CAT:' . $line['id']; @@ -69,13 +68,17 @@ class Pref_Feeds extends Handler_Protected { } - $feed_result = $this->dbh->query("SELECT id, title, last_error, + $fsth = $this->pdo->prepare("SELECT id, title, last_error, ".SUBSTRING_FOR_DATE."(last_updated,1,19) AS last_updated FROM ttrss_feeds - WHERE cat_id = '$cat_id' AND owner_uid = ".$_SESSION["uid"]. - "$search_qpart ORDER BY order_id, title"); + WHERE cat_id = :cat AND + owner_uid = :uid AND + (:search = '' OR (LOWER(title) LIKE :search OR LOWER(feed_url) LIKE :search)) + ORDER BY order_id, title"); - while ($feed_line = $this->dbh->fetch_assoc($feed_result)) { + $fsth->execute([":cat" => $cat_id, ":uid" => $_SESSION['uid'], ":search" => $search ? "%$search%" : ""]); + + while ($feed_line = $fsth->fetch()) { $feed = array(); $feed['id'] = 'FEED:' . $feed_line['id']; $feed['bare_id'] = (int)$feed_line['id']; @@ -100,13 +103,11 @@ class Pref_Feeds extends Handler_Protected { function makefeedtree() { - if ($_REQUEST['mode'] != 2) + if (clean($_REQUEST['mode']) != 2) $search = $_SESSION["prefs_feed_search"]; else $search = ""; - if ($search) $search_qpart = " AND LOWER(title) LIKE LOWER('%$search%')"; - $root = array(); $root['id'] = 'root'; $root['name'] = __('Feeds'); @@ -115,7 +116,7 @@ class Pref_Feeds extends Handler_Protected { $enable_cats = get_pref('ENABLE_FEED_CATS'); - if ($_REQUEST['mode'] == 2) { + if (clean($_REQUEST['mode']) == 2) { if ($enable_cats) { $cat = $this->feedlist_init_cat(-1); @@ -158,29 +159,31 @@ class Pref_Feeds extends Handler_Protected { $root['items'] = array_merge($root['items'], $cat['items']); } - $result = $this->dbh->query("SELECT * FROM - ttrss_labels2 WHERE owner_uid = ".$_SESSION['uid']." ORDER by caption"); + $sth = $this->pdo->prepare("SELECT * FROM + ttrss_labels2 WHERE owner_uid = ? ORDER by caption"); + $sth->execute([$_SESSION['uid']]); - if ($this->dbh->num_rows($result) > 0) { - - if (get_pref('ENABLE_FEED_CATS')) { - $cat = $this->feedlist_init_cat(-2); - } else { - $cat['items'] = array(); - } + if (get_pref('ENABLE_FEED_CATS')) { + $cat = $this->feedlist_init_cat(-2); + } else { + $cat['items'] = array(); + } - while ($line = $this->dbh->fetch_assoc($result)) { + $num_labels = 0; + while ($line = $sth->fetch()) { + ++$num_labels; - $label_id = Labels::label_to_feed_id($line['id']); + $label_id = Labels::label_to_feed_id($line['id']); - $feed = $this->feedlist_init_feed($label_id, false, 0); + $feed = $this->feedlist_init_feed($label_id, false, 0); - $feed['fg_color'] = $line['fg_color']; - $feed['bg_color'] = $line['bg_color']; + $feed['fg_color'] = $line['fg_color']; + $feed['bg_color'] = $line['bg_color']; - array_push($cat['items'], $feed); - } + array_push($cat['items'], $feed); + } + if ($num_labels) { if ($enable_cats) { array_push($root['items'], $cat); } else { @@ -190,13 +193,14 @@ class Pref_Feeds extends Handler_Protected { } if ($enable_cats) { - $show_empty_cats = $_REQUEST['force_show_empty'] || - ($_REQUEST['mode'] != 2 && !$search); + $show_empty_cats = clean($_REQUEST['force_show_empty']) || + (clean($_REQUEST['mode']) != 2 && !$search); - $result = $this->dbh->query("SELECT id, title FROM ttrss_feed_categories - WHERE owner_uid = " . $_SESSION["uid"] . " AND parent_cat IS NULL ORDER BY order_id, title"); + $sth = $this->pdo->prepare("SELECT id, title FROM ttrss_feed_categories + WHERE owner_uid = ? AND parent_cat IS NULL ORDER BY order_id, title"); + $sth->execute([$_SESSION['uid']]); - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $sth->fetch()) { $cat = array(); $cat['id'] = 'CAT:' . $line['id']; $cat['bare_id'] = (int)$line['id']; @@ -232,13 +236,16 @@ class Pref_Feeds extends Handler_Protected { $cat['unread'] = 0; $cat['child_unread'] = 0; - $feed_result = $this->dbh->query("SELECT id, title,last_error, + $fsth = $this->pdo->prepare("SELECT id, title,last_error, ".SUBSTRING_FOR_DATE."(last_updated,1,19) AS last_updated FROM ttrss_feeds - WHERE cat_id IS NULL AND owner_uid = ".$_SESSION["uid"]. - "$search_qpart ORDER BY order_id, title"); + WHERE cat_id IS NULL AND + owner_uid = :uid AND + (:search = '' OR (LOWER(title) LIKE :search OR LOWER(feed_url) LIKE :search)) + ORDER BY order_id, title"); + $fsth->execute([":uid" => $_SESSION['uid'], ":search" => $search ? "%$search%" : ""]); - while ($feed_line = $this->dbh->fetch_assoc($feed_result)) { + while ($feed_line = $fsth->fetch()) { $feed = array(); $feed['id'] = 'FEED:' . $feed_line['id']; $feed['bare_id'] = (int)$feed_line['id']; @@ -264,13 +271,15 @@ class Pref_Feeds extends Handler_Protected { $root['param'] = vsprintf(_ngettext('(%d feed)', '(%d feeds)', (int) $num_children), $num_children); } else { - $feed_result = $this->dbh->query("SELECT id, title, last_error, + $fsth = $this->pdo->prepare("SELECT id, title, last_error, ".SUBSTRING_FOR_DATE."(last_updated,1,19) AS last_updated FROM ttrss_feeds - WHERE owner_uid = ".$_SESSION["uid"]. - "$search_qpart ORDER BY order_id, title"); + WHERE owner_uid = :uid AND + (:search = '' OR (LOWER(title) LIKE :search OR LOWER(feed_url) LIKE :search)) + ORDER BY order_id, title"); + $fsth->execute([":uid" => $_SESSION['uid'], ":search" => $search ? "%$search%" : ""]); - while ($feed_line = $this->dbh->fetch_assoc($feed_result)) { + while ($feed_line = $fsth->fetch()) { $feed = array(); $feed['id'] = 'FEED:' . $feed_line['id']; $feed['bare_id'] = (int)$feed_line['id']; @@ -294,7 +303,7 @@ class Pref_Feeds extends Handler_Protected { $fl['identifier'] = 'id'; $fl['label'] = 'name'; - if ($_REQUEST['mode'] != 2) { + if (clean($_REQUEST['mode']) != 2) { $fl['items'] = array($root); } else { $fl['items'] = $root['items']; @@ -304,15 +313,15 @@ class Pref_Feeds extends Handler_Protected { } function catsortreset() { - $this->dbh->query("UPDATE ttrss_feed_categories - SET order_id = 0 WHERE owner_uid = " . $_SESSION["uid"]); - return; + $sth = $this->pdo->prepare("UPDATE ttrss_feed_categories + SET order_id = 0 WHERE owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); } function feedsortreset() { - $this->dbh->query("UPDATE ttrss_feeds - SET order_id = 0 WHERE owner_uid = " . $_SESSION["uid"]); - return; + $sth = $this->pdo->prepare("UPDATE ttrss_feeds + SET order_id = 0 WHERE owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); } private function process_category_order(&$data_map, $item_id, $parent_id = false, $nest_level = 0) { @@ -324,19 +333,20 @@ class Pref_Feeds extends Handler_Protected { if ($debug) _debug("$prefix C: $item_id P: $parent_id"); - $bare_item_id = $this->dbh->escape_string(substr($item_id, strpos($item_id, ':')+1)); + $bare_item_id = substr($item_id, strpos($item_id, ':')+1); if ($item_id != 'root') { if ($parent_id && $parent_id != 'root') { $parent_bare_id = substr($parent_id, strpos($parent_id, ':')+1); - $parent_qpart = $this->dbh->escape_string($parent_bare_id); + $parent_qpart = $parent_bare_id; } else { - $parent_qpart = 'NULL'; + $parent_qpart = null; } - $this->dbh->query("UPDATE ttrss_feed_categories - SET parent_cat = $parent_qpart WHERE id = '$bare_item_id' AND - owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_feed_categories + SET parent_cat = ? WHERE id = ? AND + owner_uid = ?"); + $sth->execute([$parent_qpart, $bare_item_id, $_SESSION['uid']]); } $order_id = 1; @@ -346,7 +356,7 @@ class Pref_Feeds extends Handler_Protected { if ($cat && is_array($cat)) { foreach ($cat as $item) { $id = $item['_reference']; - $bare_id = $this->dbh->escape_string(substr($id, strpos($id, ':')+1)); + $bare_id = substr($id, strpos($id, ':')+1); if ($debug) _debug("$prefix [$order_id] $id/$bare_id"); @@ -354,30 +364,22 @@ class Pref_Feeds extends Handler_Protected { if (strpos($id, "FEED") === 0) { - $cat_id = ($item_id != "root") ? - $this->dbh->escape_string($bare_item_id) : "NULL"; + $cat_id = ($item_id != "root") ? $bare_item_id : null; - $cat_qpart = ($cat_id != 0) ? "cat_id = '$cat_id'" : - "cat_id = NULL"; + $sth = $this->pdo->prepare("UPDATE ttrss_feeds + SET order_id = ?, cat_id = ? + WHERE id = ? AND owner_uid = ?"); - $this->dbh->query("UPDATE ttrss_feeds - SET order_id = $order_id, $cat_qpart - WHERE id = '$bare_id' AND - owner_uid = " . $_SESSION["uid"]); + $sth->execute([$order_id, $cat_id ? $cat_id : null, $bare_id, $_SESSION['uid']]); } else if (strpos($id, "CAT:") === 0) { $this->process_category_order($data_map, $item['_reference'], $item_id, $nest_level+1); - if ($item_id != 'root') { - $parent_qpart = $this->dbh->escape_string($bare_id); - } else { - $parent_qpart = 'NULL'; - } - - $this->dbh->query("UPDATE ttrss_feed_categories - SET order_id = '$order_id' WHERE id = '$bare_id' AND - owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_feed_categories + SET order_id = ? WHERE id = ? AND + owner_uid = ?"); + $sth->execute([$order_id, $bare_id, $_SESSION['uid']]); } } @@ -387,9 +389,9 @@ class Pref_Feeds extends Handler_Protected { } function savefeedorder() { - $data = json_decode($_POST['payload'], true); + $data = json_decode(clean($_POST['payload']), true); - #file_put_contents("/tmp/saveorder.json", $_POST['payload']); + #file_put_contents("/tmp/saveorder.json", clean($_POST['payload'])); #$data = json_decode(file_get_contents("/tmp/saveorder.json"), true); if (!is_array($data['items'])) @@ -419,67 +421,28 @@ class Pref_Feeds extends Handler_Protected { } $this->process_category_order($data_map, $root_item); - - /* foreach ($data['items'][0]['items'] as $item) { - $id = $item['_reference']; - $bare_id = substr($id, strpos($id, ':')+1); - - ++$cat_order_id; - - if ($bare_id > 0) { - $this->dbh->query("UPDATE ttrss_feed_categories - SET order_id = '$cat_order_id' WHERE id = '$bare_id' AND - owner_uid = " . $_SESSION["uid"]); - } - - $feed_order_id = 0; - - if (is_array($data_map[$id])) { - foreach ($data_map[$id] as $feed) { - $id = $feed['_reference']; - $feed_id = substr($id, strpos($id, ':')+1); - - if ($bare_id != 0) - $cat_query = "cat_id = '$bare_id'"; - else - $cat_query = "cat_id = NULL"; - - $this->dbh->query("UPDATE ttrss_feeds - SET order_id = '$feed_order_id', - $cat_query - WHERE id = '$feed_id' AND - owner_uid = " . $_SESSION["uid"]); - - ++$feed_order_id; - } - } - } */ } - - return; } function removeicon() { - $feed_id = $this->dbh->escape_string($_REQUEST["feed_id"]); + $feed_id = clean($_REQUEST["feed_id"]); - $result = $this->dbh->query("SELECT id FROM ttrss_feeds - WHERE id = '$feed_id' AND owner_uid = ". $_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds + WHERE id = ? AND owner_uid = ?"); + $sth->execute([$feed_id, $_SESSION['uid']]); - if ($this->dbh->num_rows($result) != 0) { + if ($row = $sth->fetch()) { @unlink(ICONS_DIR . "/$feed_id.ico"); - $this->dbh->query("UPDATE ttrss_feeds SET favicon_avg_color = NULL - where id = '$feed_id'"); + $sth = $this->pdo->prepare("UPDATE ttrss_feeds SET favicon_avg_color = NULL + where id = ?"); + $sth->execute([$feed_id]); } - - return; } function uploadicon() { header("Content-type: text/html"); - $tmp_file = false; - if (is_uploaded_file($_FILES['icon_file']['tmp_name'])) { $tmp_file = tempnam(CACHE_DIR . '/upload', 'icon'); @@ -494,20 +457,23 @@ class Pref_Feeds extends Handler_Protected { } $icon_file = $tmp_file; - $feed_id = $this->dbh->escape_string($_REQUEST["feed_id"]); + $feed_id = clean($_REQUEST["feed_id"]); if (is_file($icon_file) && $feed_id) { if (filesize($icon_file) < 65535) { - $result = $this->dbh->query("SELECT id FROM ttrss_feeds - WHERE id = '$feed_id' AND owner_uid = ". $_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds + WHERE id = ? AND owner_uid = ?"); + $sth->execute([$feed_id, $_SESSION['uid']]); - if ($this->dbh->num_rows($result) != 0) { + if ($row = $sth->fetch()) { @unlink(ICONS_DIR . "/$feed_id.ico"); if (rename($icon_file, ICONS_DIR . "/$feed_id.ico")) { - $this->dbh->query("UPDATE ttrss_feeds SET + + $sth = $this->pdo->prepare("UPDATE ttrss_feeds SET favicon_avg_color = '' - WHERE id = '$feed_id'"); + WHERE id = ?"); + $sth->execute([$feed_id]); $rc = 0; } @@ -533,283 +499,283 @@ class Pref_Feeds extends Handler_Protected { global $purge_intervals; global $update_intervals; - print '<div dojoType="dijit.layout.TabContainer" style="height : 450px"> - <div dojoType="dijit.layout.ContentPane" title="'.__('General').'">'; - $feed_id = $this->dbh->escape_string($_REQUEST["id"]); + $feed_id = clean($_REQUEST["id"]); - $result = $this->dbh->query( - "SELECT * FROM ttrss_feeds WHERE id = '$feed_id' AND - owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT * FROM ttrss_feeds WHERE id = ? AND + owner_uid = ?"); + $sth->execute([$feed_id, $_SESSION['uid']]); - $auth_pass_encrypted = sql_bool_to_bool($this->dbh->fetch_result($result, 0, - "auth_pass_encrypted")); + if ($row = $sth->fetch()) { + print '<div dojoType="dijit.layout.TabContainer" style="height : 450px"> + <div dojoType="dijit.layout.ContentPane" title="'.__('General').'">'; - $title = htmlspecialchars($this->dbh->fetch_result($result, - 0, "title")); + $auth_pass_encrypted = $row["auth_pass_encrypted"]; - print_hidden("id", "$feed_id"); - print_hidden("op", "pref-feeds"); - print_hidden("method", "editSave"); + $title = htmlspecialchars($row["title"]); - print "<div class=\"dlgSec\">".__("Feed")."</div>"; - print "<div class=\"dlgSecCont\">"; + print_hidden("id", "$feed_id"); + print_hidden("op", "pref-feeds"); + print_hidden("method", "editSave"); + + print "<div class=\"dlgSec\">".__("Feed")."</div>"; + print "<div class=\"dlgSecCont\">"; - /* Title */ + /* Title */ - print "<input dojoType=\"dijit.form.ValidationTextBox\" required=\"1\" + print "<input dojoType=\"dijit.form.ValidationTextBox\" required=\"1\" placeHolder=\"".__("Feed Title")."\" style=\"font-size : 16px; width: 20em\" name=\"title\" value=\"$title\">"; - /* Feed URL */ + /* Feed URL */ - $feed_url = $this->dbh->fetch_result($result, 0, "feed_url"); - $feed_url = htmlspecialchars($this->dbh->fetch_result($result, - 0, "feed_url")); + $feed_url = htmlspecialchars($row["feed_url"]); - print "<hr/>"; + print "<hr/>"; - print __('URL:') . " "; - print "<input dojoType=\"dijit.form.ValidationTextBox\" required=\"1\" + print __('URL:') . " "; + print "<input dojoType=\"dijit.form.ValidationTextBox\" required=\"1\" placeHolder=\"".__("Feed URL")."\" regExp='^(http|https)://.*' style=\"width : 20em\" name=\"feed_url\" value=\"$feed_url\">"; - $last_error = $this->dbh->fetch_result($result, 0, "last_error"); + $last_error = $row["last_error"]; - if ($last_error) { - print " <img src=\"images/error.png\" alt=\"(error)\" + if ($last_error) { + print " <img src=\"images/error.png\" alt=\"(error)\" style=\"vertical-align : middle\" title=\"".htmlspecialchars($last_error)."\">"; - } + } - /* Category */ + /* Category */ - if (get_pref('ENABLE_FEED_CATS')) { + if (get_pref('ENABLE_FEED_CATS')) { - $cat_id = $this->dbh->fetch_result($result, 0, "cat_id"); + $cat_id = $row["cat_id"]; - print "<hr/>"; + print "<hr/>"; - print __('Place in category:') . " "; + print __('Place in category:') . " "; - print_feed_cat_select("cat_id", $cat_id, - 'dojoType="dijit.form.Select"'); - } + print_feed_cat_select("cat_id", $cat_id, + 'dojoType="dijit.form.Select"'); + } - /* FTS Stemming Language */ + /* FTS Stemming Language */ - if (DB_TYPE == "pgsql") { - $feed_language = $this->dbh->fetch_result($result, 0, "feed_language"); + if (DB_TYPE == "pgsql") { + $feed_language = $row["feed_language"]; - print "<hr/>"; + print "<hr/>"; - print __('Language:') . " "; - print_select("feed_language", $feed_language, $this::$feed_languages, - 'dojoType="dijit.form.Select"'); - } + print __('Language:') . " "; + print_select("feed_language", $feed_language, $this::$feed_languages, + 'dojoType="dijit.form.Select"'); + } - print "</div>"; + print "</div>"; - print "<div class=\"dlgSec\">".__("Update")."</div>"; - print "<div class=\"dlgSecCont\">"; + print "<div class=\"dlgSec\">".__("Update")."</div>"; + print "<div class=\"dlgSecCont\">"; - /* Update Interval */ + /* Update Interval */ - $update_interval = $this->dbh->fetch_result($result, 0, "update_interval"); + $update_interval = $row["update_interval"]; - print_select_hash("update_interval", $update_interval, $update_intervals, - 'dojoType="dijit.form.Select"'); + print_select_hash("update_interval", $update_interval, $update_intervals, + 'dojoType="dijit.form.Select"'); - /* Purge intl */ + /* Purge intl */ - $purge_interval = $this->dbh->fetch_result($result, 0, "purge_interval"); + $purge_interval = $row["purge_interval"]; - print "<hr/>"; - print __('Article purging:') . " "; + print "<hr/>"; + print __('Article purging:') . " "; - print_select_hash("purge_interval", $purge_interval, $purge_intervals, - 'dojoType="dijit.form.Select" ' . + print_select_hash("purge_interval", $purge_interval, $purge_intervals, + 'dojoType="dijit.form.Select" ' . ((FORCE_ARTICLE_PURGE == 0) ? "" : 'disabled="1"')); - print "</div>"; + print "</div>"; - $auth_login = htmlspecialchars($this->dbh->fetch_result($result, 0, "auth_login")); - $auth_pass = $this->dbh->fetch_result($result, 0, "auth_pass"); + $auth_login = htmlspecialchars($row["auth_login"]); + $auth_pass = $row["auth_pass"]; - if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) { - require_once "crypt.php"; - $auth_pass = decrypt_string($auth_pass); - } + if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) { + require_once "crypt.php"; + $auth_pass = decrypt_string($auth_pass); + } - $auth_pass = htmlspecialchars($auth_pass); - $auth_enabled = $auth_login !== '' || $auth_pass !== ''; + $auth_pass = htmlspecialchars($auth_pass); + $auth_enabled = $auth_login !== '' || $auth_pass !== ''; - $auth_style = $auth_enabled ? '' : 'display: none'; - print "<div id='feedEditDlg_loginContainer' style='$auth_style'>"; - print "<div class=\"dlgSec\">".__("Authentication")."</div>"; - print "<div class=\"dlgSecCont\">"; + $auth_style = $auth_enabled ? '' : 'display: none'; + print "<div id='feedEditDlg_loginContainer' style='$auth_style'>"; + print "<div class=\"dlgSec\">".__("Authentication")."</div>"; + print "<div class=\"dlgSecCont\">"; - print "<input dojoType=\"dijit.form.TextBox\" id=\"feedEditDlg_login\" + print "<input dojoType=\"dijit.form.TextBox\" id=\"feedEditDlg_login\" placeHolder=\"".__("Login")."\" autocomplete=\"new-password\" name=\"auth_login\" value=\"$auth_login\"><hr/>"; - print "<input dojoType=\"dijit.form.TextBox\" type=\"password\" name=\"auth_pass\" + print "<input dojoType=\"dijit.form.TextBox\" type=\"password\" name=\"auth_pass\" autocomplete=\"new-password\" placeHolder=\"".__("Password")."\" value=\"$auth_pass\">"; - print "<div dojoType=\"dijit.Tooltip\" connectId=\"feedEditDlg_login\" position=\"below\"> + print "<div dojoType=\"dijit.Tooltip\" connectId=\"feedEditDlg_login\" position=\"below\"> ".__('<b>Hint:</b> you need to fill in your login information if your feed requires authentication, except for Twitter feeds.')." </div>"; - print "</div></div>"; + print "</div></div>"; - $auth_checked = $auth_enabled ? 'checked' : ''; - print "<div style=\"clear : both\"> + $auth_checked = $auth_enabled ? 'checked' : ''; + print "<div style=\"clear : both\"> <input type=\"checkbox\" $auth_checked name=\"need_auth\" dojoType=\"dijit.form.CheckBox\" id=\"feedEditDlg_loginCheck\" onclick='checkboxToggleElement(this, \"feedEditDlg_loginContainer\")'> <label for=\"feedEditDlg_loginCheck\">". - __('This feed requires authentication.')."</div>"; + __('This feed requires authentication.')."</div>"; - print '</div><div dojoType="dijit.layout.ContentPane" title="'.__('Options').'">'; + print '</div><div dojoType="dijit.layout.ContentPane" title="'.__('Options').'">'; - //print "<div class=\"dlgSec\">".__("Options")."</div>"; - print "<div class=\"dlgSecSimple\">"; + //print "<div class=\"dlgSec\">".__("Options")."</div>"; + print "<div class=\"dlgSecSimple\">"; - $private = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "private")); + $private = $row["private"]; - if ($private) { - $checked = "checked=\"1\""; - } else { - $checked = ""; - } + if ($private) { + $checked = "checked=\"1\""; + } else { + $checked = ""; + } - print "<input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" name=\"private\" id=\"private\" + print "<input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" name=\"private\" id=\"private\" $checked> <label for=\"private\">".__('Hide from Popular feeds')."</label>"; - $include_in_digest = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "include_in_digest")); + $include_in_digest = $row["include_in_digest"]; - if ($include_in_digest) { - $checked = "checked=\"1\""; - } else { - $checked = ""; - } + if ($include_in_digest) { + $checked = "checked=\"1\""; + } else { + $checked = ""; + } - print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"include_in_digest\" + print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"include_in_digest\" name=\"include_in_digest\" $checked> <label for=\"include_in_digest\">".__('Include in e-mail digest')."</label>"; - $always_display_enclosures = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "always_display_enclosures")); + $always_display_enclosures = $row["always_display_enclosures"]; - if ($always_display_enclosures) { - $checked = "checked"; - } else { - $checked = ""; - } + if ($always_display_enclosures) { + $checked = "checked"; + } else { + $checked = ""; + } - print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"always_display_enclosures\" + print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"always_display_enclosures\" name=\"always_display_enclosures\" $checked> <label for=\"always_display_enclosures\">".__('Always display image attachments')."</label>"; - $hide_images = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "hide_images")); + $hide_images = $row["hide_images"]; - if ($hide_images) { - $checked = "checked=\"1\""; - } else { - $checked = ""; - } + if ($hide_images) { + $checked = "checked=\"1\""; + } else { + $checked = ""; + } - print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"hide_images\" + print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"hide_images\" name=\"hide_images\" $checked> <label for=\"hide_images\">". - __('Do not embed images')."</label>"; + __('Do not embed images')."</label>"; - $cache_images = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "cache_images")); + $cache_images = $row["cache_images"]; - if ($cache_images) { - $checked = "checked=\"1\""; - } else { - $checked = ""; - } + if ($cache_images) { + $checked = "checked=\"1\""; + } else { + $checked = ""; + } - print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"cache_images\" + print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"cache_images\" name=\"cache_images\" $checked> <label for=\"cache_images\">". - __('Cache media')."</label>"; + __('Cache media')."</label>"; - $mark_unread_on_update = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "mark_unread_on_update")); + $mark_unread_on_update = $row["mark_unread_on_update"]; - if ($mark_unread_on_update) { - $checked = "checked"; - } else { - $checked = ""; - } + if ($mark_unread_on_update) { + $checked = "checked"; + } else { + $checked = ""; + } - print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"mark_unread_on_update\" + print "<hr/><input dojoType=\"dijit.form.CheckBox\" type=\"checkbox\" id=\"mark_unread_on_update\" name=\"mark_unread_on_update\" $checked> <label for=\"mark_unread_on_update\">".__('Mark updated articles as unread')."</label>"; - print "</div>"; + print "</div>"; - print '</div><div dojoType="dijit.layout.ContentPane" title="'.__('Icon').'">'; + print '</div><div dojoType="dijit.layout.ContentPane" title="'.__('Icon').'">'; - /* Icon */ + /* Icon */ - print "<div class=\"dlgSecSimple\">"; + print "<div class=\"dlgSecSimple\">"; - print "<iframe name=\"icon_upload_iframe\" - style=\"width: 400px; height: 100px; display: none;\"></iframe>"; + print "<img class=\"feedIcon\" src=\"".Feeds::getFeedIcon($feed_id)."\">"; - print "<form style='display : block' target=\"icon_upload_iframe\" + print "<iframe name=\"icon_upload_iframe\" + style=\"width: 400px; height: 100px; display: none;\"></iframe>"; + + print "<form style='display : block' target=\"icon_upload_iframe\" enctype=\"multipart/form-data\" method=\"POST\" action=\"backend.php\"> - <input id=\"icon_file\" size=\"10\" name=\"icon_file\" type=\"file\"> + <label class=\"dijitButton\">".__("Choose file...")." + <input style=\"display: none\" id=\"icon_file\" size=\"10\" name=\"icon_file\" type=\"file\"> + </label> <input type=\"hidden\" name=\"op\" value=\"pref-feeds\"> <input type=\"hidden\" name=\"feed_id\" value=\"$feed_id\"> - <input type=\"hidden\" name=\"method\" value=\"uploadicon\"><p> + <input type=\"hidden\" name=\"method\" value=\"uploadicon\"> <button class=\"\" dojoType=\"dijit.form.Button\" onclick=\"return uploadFeedIcon();\" type=\"submit\">".__('Replace')."</button> - <button class=\"\" dojoType=\"dijit.form.Button\" onclick=\"return removeFeedIcon($feed_id);\" + <button class=\"danger\" dojoType=\"dijit.form.Button\" onclick=\"return removeFeedIcon($feed_id);\" type=\"submit\">".__('Remove')."</button> </form>"; - print "</div>"; + print "</div>"; - print '</div><div dojoType="dijit.layout.ContentPane" title="'.__('Plugins').'">'; + print '</div><div dojoType="dijit.layout.ContentPane" title="'.__('Plugins').'">'; - PluginHost::getInstance()->run_hooks(PluginHost::HOOK_PREFS_EDIT_FEED, - "hook_prefs_edit_feed", $feed_id); + PluginHost::getInstance()->run_hooks(PluginHost::HOOK_PREFS_EDIT_FEED, + "hook_prefs_edit_feed", $feed_id); - print "</div></div>"; + print "</div></div>"; - $title = htmlspecialchars($title, ENT_QUOTES); + $title = htmlspecialchars($title, ENT_QUOTES); - print "<div class='dlgButtons'> + print "<div class='dlgButtons'> <div style=\"float : left\"> <button class=\"danger\" dojoType=\"dijit.form.Button\" onclick='return unsubscribeFeed($feed_id, \"$title\")'>". __('Unsubscribe')."</button>"; - print "</div>"; + print "</div>"; - print "<button dojoType=\"dijit.form.Button\" onclick=\"return dijit.byId('feedEditDlg').execute()\">".__('Save')."</button> - <button dojoType=\"dijit.form.Button\" onclick=\"return dijit.byId('feedEditDlg').hide()\">".__('Cancel')."</button> - </div>"; - - - return; + print "<button dojoType=\"dijit.form.Button\" onclick=\"return dijit.byId('feedEditDlg').execute()\">".__('Save')."</button> + <button dojoType=\"dijit.form.Button\" onclick=\"return dijit.byId('feedEditDlg').hide()\">".__('Cancel')."</button> + </div>"; + } } function editfeeds() { global $purge_intervals; global $update_intervals; - $feed_ids = $this->dbh->escape_string($_REQUEST["ids"]); + $feed_ids = clean($_REQUEST["ids"]); print_notice("Enable the options you wish to apply using checkboxes on the right:"); @@ -958,72 +924,77 @@ class Pref_Feeds extends Handler_Protected { function editsaveops($batch) { - $feed_title = $this->dbh->escape_string(trim($_POST["title"])); - $feed_link = $this->dbh->escape_string(trim($_POST["feed_url"])); - $upd_intl = (int) $this->dbh->escape_string($_POST["update_interval"]); - $purge_intl = (int) $this->dbh->escape_string($_POST["purge_interval"]); - $feed_id = (int) $this->dbh->escape_string($_POST["id"]); /* editSave */ - $feed_ids = $this->dbh->escape_string($_POST["ids"]); /* batchEditSave */ - $cat_id = (int) $this->dbh->escape_string($_POST["cat_id"]); - $auth_login = $this->dbh->escape_string(trim($_POST["auth_login"])); - $auth_pass = trim($_POST["auth_pass"]); - $private = checkbox_to_sql_bool($this->dbh->escape_string($_POST["private"])); + $feed_title = trim(clean($_POST["title"])); + $feed_url = trim(clean($_POST["feed_url"])); + $upd_intl = (int) clean($_POST["update_interval"]); + $purge_intl = (int) clean($_POST["purge_interval"]); + $feed_id = (int) clean($_POST["id"]); /* editSave */ + $feed_ids = explode(",", clean($_POST["ids"])); /* batchEditSave */ + $cat_id = (int) clean($_POST["cat_id"]); + $auth_login = trim(clean($_POST["auth_login"])); + $auth_pass = trim(clean($_POST["auth_pass"])); + $private = checkbox_to_sql_bool(clean($_POST["private"])); $include_in_digest = checkbox_to_sql_bool( - $this->dbh->escape_string($_POST["include_in_digest"])); + clean($_POST["include_in_digest"])); $cache_images = checkbox_to_sql_bool( - $this->dbh->escape_string($_POST["cache_images"])); + clean($_POST["cache_images"])); $hide_images = checkbox_to_sql_bool( - $this->dbh->escape_string($_POST["hide_images"])); + clean($_POST["hide_images"])); $always_display_enclosures = checkbox_to_sql_bool( - $this->dbh->escape_string($_POST["always_display_enclosures"])); + clean($_POST["always_display_enclosures"])); $mark_unread_on_update = checkbox_to_sql_bool( - $this->dbh->escape_string($_POST["mark_unread_on_update"])); + clean($_POST["mark_unread_on_update"])); - $feed_language = $this->dbh->escape_string(trim($_POST["feed_language"])); - - $auth_pass = $this->dbh->escape_string($auth_pass); - - if (get_pref('ENABLE_FEED_CATS')) { - if ($cat_id && $cat_id != 0) { - $category_qpart = "cat_id = '$cat_id',"; - $category_qpart_nocomma = "cat_id = '$cat_id'"; - } else { - $category_qpart = 'cat_id = NULL,'; - $category_qpart_nocomma = 'cat_id = NULL'; - } - } else { - $category_qpart = ""; - $category_qpart_nocomma = ""; - } + $feed_language = trim(clean($_POST["feed_language"])); if (!$batch) { - if ($_POST["need_auth"] !== 'on') { + if (clean($_POST["need_auth"]) !== 'on') { $auth_login = ''; $auth_pass = ''; } - $result = db_query("SELECT feed_url FROM ttrss_feeds WHERE id = " . $feed_id); - $orig_feed_url = db_fetch_result($result, 0, "feed_url"); - - $reset_basic_info = $orig_feed_url != $feed_link; - - $this->dbh->query("UPDATE ttrss_feeds SET - $category_qpart - title = '$feed_title', feed_url = '$feed_link', - update_interval = '$upd_intl', - purge_interval = '$purge_intl', - auth_login = '$auth_login', - auth_pass = '$auth_pass', + $sth = $this->pdo->prepare("SELECT feed_url FROM ttrss_feeds WHERE id = ?"); + $sth->execute([$feed_id]); + $row = $sth->fetch(); + $orig_feed_url = $row["feed_url"]; + + $reset_basic_info = $orig_feed_url != $feed_url; + + $sth = $this->pdo->prepare("UPDATE ttrss_feeds SET + cat_id = :cat_id, + title = :title, + feed_url = :feed_url, + update_interval = :upd_intl, + purge_interval = :purge_intl, + auth_login = :auth_login, + auth_pass = :auth_pass, auth_pass_encrypted = false, - private = $private, - cache_images = $cache_images, - hide_images = $hide_images, - include_in_digest = $include_in_digest, - always_display_enclosures = $always_display_enclosures, - mark_unread_on_update = $mark_unread_on_update, - feed_language = '$feed_language' - WHERE id = '$feed_id' AND owner_uid = " . $_SESSION["uid"]); + private = :private, + cache_images = :cache_images, + hide_images = :hide_images, + include_in_digest = :include_in_digest, + always_display_enclosures = :always_display_enclosures, + mark_unread_on_update = :mark_unread_on_update, + feed_language = :feed_language + WHERE id = :id AND owner_uid = :uid"); + + $sth->execute([":title" => $feed_title, + ":cat_id" => $cat_id ? $cat_id : null, + ":feed_url" => $feed_url, + ":upd_intl" => $upd_intl, + ":purge_intl" => $purge_intl, + ":auth_login" => $auth_login, + ":auth_pass" => $auth_pass, + ":private" => (int)$private, + ":cache_images" => (int)$cache_images, + ":hide_images" => (int)$hide_images, + ":include_in_digest" => (int)$include_in_digest, + ":always_display_enclosures" => (int)$always_display_enclosures, + ":mark_unread_on_update" => (int)$mark_unread_on_update, + ":feed_language" => $feed_language, + ":id" => $feed_id, + ":uid" => $_SESSION['uid']]); if ($reset_basic_info) { RSSUtils::set_basic_feed_info($feed_id); @@ -1037,11 +1008,13 @@ class Pref_Feeds extends Handler_Protected { foreach (array_keys($_POST) as $k) { if ($k != "op" && $k != "method" && $k != "ids") { - $feed_data[$k] = $_POST[$k]; + $feed_data[$k] = clean($_POST[$k]); } } - $this->dbh->query("BEGIN"); + $this->pdo->beginTransaction(); + + $feed_ids_qmarks = arr_qmarks($feed_ids); foreach (array_keys($feed_data) as $k) { @@ -1049,79 +1022,87 @@ class Pref_Feeds extends Handler_Protected { switch ($k) { case "title": - $qpart = "title = '$feed_title'"; + $qpart = "title = " . $this->pdo->quote($feed_title); break; case "feed_url": - $qpart = "feed_url = '$feed_link'"; + $qpart = "feed_url = " . $this->pdo->quote($feed_url); break; case "update_interval": - $qpart = "update_interval = '$upd_intl'"; + $qpart = "update_interval = " . $this->pdo->quote($upd_intl); break; case "purge_interval": - $qpart = "purge_interval = '$purge_intl'"; + $qpart = "purge_interval =" . $this->pdo->quote($purge_intl); break; case "auth_login": - $qpart = "auth_login = '$auth_login'"; + $qpart = "auth_login = " . $this->pdo->quote($auth_login); break; case "auth_pass": - $qpart = "auth_pass = '$auth_pass', auth_pass_encrypted = false"; + $qpart = "auth_pass =" . $this->pdo->quote($auth_pass). ", auth_pass_encrypted = false"; break; case "private": - $qpart = "private = $private"; + $qpart = "private = " . $this->pdo->quote($private); break; case "include_in_digest": - $qpart = "include_in_digest = $include_in_digest"; + $qpart = "include_in_digest = " . $this->pdo->quote($include_in_digest); break; case "always_display_enclosures": - $qpart = "always_display_enclosures = $always_display_enclosures"; + $qpart = "always_display_enclosures = " . $this->pdo->quote($always_display_enclosures); break; case "mark_unread_on_update": - $qpart = "mark_unread_on_update = $mark_unread_on_update"; + $qpart = "mark_unread_on_update = " . $this->pdo->quote($mark_unread_on_update); break; case "cache_images": - $qpart = "cache_images = $cache_images"; + $qpart = "cache_images = " . $this->pdo->quote($cache_images); break; case "hide_images": - $qpart = "hide_images = $hide_images"; + $qpart = "hide_images = " . $this->pdo->quote($hide_images); break; case "cat_id": - $qpart = $category_qpart_nocomma; + if (get_pref('ENABLE_FEED_CATS')) { + if ($cat_id) { + $qpart = "cat_id = " . $this->pdo->quote($cat_id); + } else { + $qpart = 'cat_id = NULL'; + } + } else { + $qpart = ""; + } + break; case "feed_language": - $qpart = "feed_language = '$feed_language'"; + $qpart = "feed_language = " . $this->pdo->quote($feed_language); break; } if ($qpart) { - $this->dbh->query( - "UPDATE ttrss_feeds SET $qpart WHERE id IN ($feed_ids) - AND owner_uid = " . $_SESSION["uid"]); - print "<br/>"; + $sth = $this->pdo->prepare("UPDATE ttrss_feeds SET $qpart WHERE id IN ($feed_ids_qmarks) + AND owner_uid = ?"); + $sth->execute(array_merge($feed_ids, [$_SESSION['uid']])); } } - $this->dbh->query("COMMIT"); + $this->pdo->commit(); } return; } function remove() { - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); + $ids = explode(",", clean($_REQUEST["ids"])); foreach ($ids as $id) { Pref_Feeds::remove_feed($id, $_SESSION["uid"]); @@ -1130,150 +1111,15 @@ class Pref_Feeds extends Handler_Protected { return; } - function clear() { - $id = $this->dbh->escape_string($_REQUEST["id"]); - $this->clear_feed_articles($id); - } - - function rescore() { - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); - - foreach ($ids as $id) { - - $filters = load_filters($id, $_SESSION["uid"], 6); - - $result = $this->dbh->query("SELECT - title, content, link, ref_id, author,". - SUBSTRING_FOR_DATE."(updated, 1, 19) AS updated - FROM - ttrss_user_entries, ttrss_entries - WHERE ref_id = id AND feed_id = '$id' AND - owner_uid = " .$_SESSION['uid']." - "); - - $scores = array(); - - while ($line = $this->dbh->fetch_assoc($result)) { - - $tags = Article::get_article_tags($line["ref_id"]); - - $article_filters = RSSUtils::get_article_filters($filters, $line['title'], - $line['content'], $line['link'], strtotime($line['updated']), - $line['author'], $tags); - - $new_score = RSSUtils::calculate_article_score($article_filters); - - if (!$scores[$new_score]) $scores[$new_score] = array(); - - array_push($scores[$new_score], $line['ref_id']); - } - - foreach (array_keys($scores) as $s) { - if ($s > 1000) { - $this->dbh->query("UPDATE ttrss_user_entries SET score = '$s', - marked = true WHERE - ref_id IN (" . join(',', $scores[$s]) . ")"); - } else if ($s < -500) { - $this->dbh->query("UPDATE ttrss_user_entries SET score = '$s', - unread = false WHERE - ref_id IN (" . join(',', $scores[$s]) . ")"); - } else { - $this->dbh->query("UPDATE ttrss_user_entries SET score = '$s' WHERE - ref_id IN (" . join(',', $scores[$s]) . ")"); - } - } - } - - print __("All done."); - - } - - function rescoreAll() { - - $result = $this->dbh->query( - "SELECT id FROM ttrss_feeds WHERE owner_uid = " . $_SESSION['uid']); - - while ($feed_line = $this->dbh->fetch_assoc($result)) { - - $id = $feed_line["id"]; - - $filters = load_filters($id, $_SESSION["uid"], 6); - - $tmp_result = $this->dbh->query("SELECT - title, content, link, ref_id, author,". - SUBSTRING_FOR_DATE."(updated, 1, 19) AS updated - FROM - ttrss_user_entries, ttrss_entries - WHERE ref_id = id AND feed_id = '$id' AND - owner_uid = " .$_SESSION['uid']." - "); - - $scores = array(); - - while ($line = $this->dbh->fetch_assoc($tmp_result)) { - - $tags = Article::get_article_tags($line["ref_id"]); - - $article_filters = RSSUtils::get_article_filters($filters, $line['title'], - $line['content'], $line['link'], strtotime($line['updated']), - $line['author'], $tags); - - $new_score = RSSUtils::calculate_article_score($article_filters); - - if (!$scores[$new_score]) $scores[$new_score] = array(); - - array_push($scores[$new_score], $line['ref_id']); - } - - foreach (array_keys($scores) as $s) { - if ($s > 1000) { - $this->dbh->query("UPDATE ttrss_user_entries SET score = '$s', - marked = true WHERE - ref_id IN (" . join(',', $scores[$s]) . ")"); - } else { - $this->dbh->query("UPDATE ttrss_user_entries SET score = '$s' WHERE - ref_id IN (" . join(',', $scores[$s]) . ")"); - } - } - } - - print __("All done."); - - } - - function categorize() { - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); - - $cat_id = $this->dbh->escape_string($_REQUEST["cat_id"]); - - if ($cat_id == 0) { - $cat_id_qpart = 'NULL'; - } else { - $cat_id_qpart = "'$cat_id'"; - } - - $this->dbh->query("BEGIN"); - - foreach ($ids as $id) { - - $this->dbh->query("UPDATE ttrss_feeds SET cat_id = $cat_id_qpart - WHERE id = '$id' - AND owner_uid = " . $_SESSION["uid"]); - - } - - $this->dbh->query("COMMIT"); - } - function removeCat() { - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); + $ids = explode(",", clean($_REQUEST["ids"])); foreach ($ids as $id) { $this->remove_feed_category($id, $_SESSION["uid"]); } } function addCat() { - $feed_cat = $this->dbh->escape_string(trim($_REQUEST["cat"])); + $feed_cat = trim(clean($_REQUEST["cat"])); add_feed_category($feed_cat); } @@ -1283,10 +1129,15 @@ class Pref_Feeds extends Handler_Protected { print "<div dojoType=\"dijit.layout.AccordionContainer\" region=\"center\">"; print "<div id=\"pref-feeds-feeds\" dojoType=\"dijit.layout.AccordionPane\" title=\"".__('Feeds')."\">"; - $result = $this->dbh->query("SELECT COUNT(id) AS num_errors - FROM ttrss_feeds WHERE last_error != '' AND owner_uid = ".$_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT COUNT(id) AS num_errors + FROM ttrss_feeds WHERE last_error != '' AND owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); - $num_errors = $this->dbh->fetch_result($result, 0, "num_errors"); + if ($row = $sth->fetch()) { + $num_errors = $row["num_errors"]; + } else { + $num_errors = 0; + } if ($num_errors > 0) { @@ -1301,7 +1152,7 @@ class Pref_Feeds extends Handler_Protected { onclick=\"showInactiveFeeds()\">" . __("Inactive feeds") . "</button>"; - $feed_search = $this->dbh->escape_string($_REQUEST["search"]); + $feed_search = clean($_REQUEST["search"]); if (array_key_exists("search", $_REQUEST)) { $_SESSION["prefs_feed_search"] = $feed_search; @@ -1361,24 +1212,6 @@ class Pref_Feeds extends Handler_Protected { print $error_button; print $inactive_button; - if (defined('_ENABLE_FEED_DEBUGGING')) { - - print "<select id=\"feedActionChooser\" onchange=\"feedActionChange()\"> - <option value=\"facDefault\" selected>".__('More actions...')."</option>"; - - if (FORCE_ARTICLE_PURGE == 0) { - print - "<option value=\"facPurge\">".__('Manual purge')."</option>"; - } - - print " - <option value=\"facClear\">".__('Clear feed data')."</option> - <option value=\"facRescore\">".__('Rescore articles')."</option>"; - - print "</select>"; - - } - print "</div>"; # toolbar //print '</div>'; @@ -1438,7 +1271,9 @@ class Pref_Feeds extends Handler_Protected { print "<form name=\"opml_form\" style='display : block' target=\"upload_iframe\" enctype=\"multipart/form-data\" method=\"POST\" action=\"backend.php\"> - <input id=\"opml_file\" name=\"opml_file\" type=\"file\"> + <label class=\"dijitButton\">".__("Choose file...")." + <input style=\"display : none\" id=\"opml_file\" name=\"opml_file\" type=\"file\"> + </label> <input type=\"hidden\" name=\"op\" value=\"dlg\"> <input type=\"hidden\" name=\"method\" value=\"importOpml\"> <button dojoType=\"dijit.form.Button\" onclick=\"return opmlImport();\" type=\"submit\">" . @@ -1449,7 +1284,7 @@ class Pref_Feeds extends Handler_Protected { $opml_export_filename = "TinyTinyRSS_".date("Y-m-d").".opml"; print "<p>" . __('Filename:') . - " <input type=\"text\" id=\"filename\" value=\"$opml_export_filename\" /> " . + " <input class=\"input input-text\" type=\"text\" id=\"filename\" value=\"$opml_export_filename\" /> " . __('Include settings') . "<input type=\"checkbox\" id=\"settings\" checked=\"1\"/>"; print "</p><button dojoType=\"dijit.form.Button\" @@ -1568,17 +1403,18 @@ class Pref_Feeds extends Handler_Protected { $interval_qpart = "DATE_SUB(NOW(), INTERVAL 3 MONTH)"; } - $result = $this->dbh->query("SELECT ttrss_feeds.title, ttrss_feeds.site_url, + $sth = $this->pdo->prepare("SELECT ttrss_feeds.title, ttrss_feeds.site_url, ttrss_feeds.feed_url, ttrss_feeds.id, MAX(updated) AS last_article FROM ttrss_feeds, ttrss_entries, ttrss_user_entries WHERE (SELECT MAX(updated) FROM ttrss_entries, ttrss_user_entries WHERE ttrss_entries.id = ref_id AND ttrss_user_entries.feed_id = ttrss_feeds.id) < $interval_qpart - AND ttrss_feeds.owner_uid = ".$_SESSION["uid"]." AND + AND ttrss_feeds.owner_uid = ? AND ttrss_user_entries.feed_id = ttrss_feeds.id AND ttrss_entries.id = ref_id GROUP BY ttrss_feeds.title, ttrss_feeds.id, ttrss_feeds.site_url, ttrss_feeds.feed_url ORDER BY last_article"); + $sth->execute([$_SESSION['uid']]); print "<p" .__("These feeds have not been updated with new content for 3 months (oldest first):") . "</p>"; @@ -1599,7 +1435,7 @@ class Pref_Feeds extends Handler_Protected { $lnum = 1; - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $sth->fetch()) { $feed_id = $line["id"]; $this_row_id = "id=\"FUPDD-$feed_id\""; @@ -1643,8 +1479,9 @@ class Pref_Feeds extends Handler_Protected { } function feedsWithErrors() { - $result = $this->dbh->query("SELECT id,title,feed_url,last_error,site_url - FROM ttrss_feeds WHERE last_error != '' AND owner_uid = ".$_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT id,title,feed_url,last_error,site_url + FROM ttrss_feeds WHERE last_error != '' AND owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); print "<div dojoType=\"dijit.Toolbar\">"; print "<div dojoType=\"dijit.form.DropDownButton\">". @@ -1663,7 +1500,7 @@ class Pref_Feeds extends Handler_Protected { $lnum = 1; - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $sth->fetch()) { $feed_id = $line["id"]; $this_row_id = "id=\"FERDD-$feed_id\""; @@ -1707,33 +1544,11 @@ class Pref_Feeds extends Handler_Protected { print "</div>"; } - /** - * Purge a feed contents, marked articles excepted. - * - * @param mixed $link The database connection. - * @param integer $id The id of the feed to purge. - * @return void - */ - private function clear_feed_articles($id) { - - if ($id != 0) { - $result = $this->dbh->query("DELETE FROM ttrss_user_entries - WHERE feed_id = '$id' AND marked = false AND owner_uid = " . $_SESSION["uid"]); - } else { - $result = $this->dbh->query("DELETE FROM ttrss_user_entries - WHERE feed_id IS NULL AND marked = false AND owner_uid = " . $_SESSION["uid"]); - } - - $result = $this->dbh->query("DELETE FROM ttrss_entries WHERE - (SELECT COUNT(int_id) FROM ttrss_user_entries WHERE ref_id = id) = 0"); - - CCache::update($id, $_SESSION['uid']); - } // function clear_feed_articles - private function remove_feed_category($id, $owner_uid) { - $this->dbh->query("DELETE FROM ttrss_feed_categories - WHERE id = '$id' AND owner_uid = $owner_uid"); + $sth = $this->pdo->prepare("DELETE FROM ttrss_feed_categories + WHERE id = ? AND owner_uid = ?"); + $sth->execute([$id, $owner_uid]); CCache::remove($id, $owner_uid, true); } @@ -1748,51 +1563,63 @@ class Pref_Feeds extends Handler_Protected { } } + $pdo = Db::pdo(); + if ($id > 0) { + $pdo->beginTransaction(); /* save starred articles in Archived feed */ - db_query("BEGIN"); - /* prepare feed if necessary */ - $result = db_query("SELECT feed_url FROM ttrss_feeds WHERE id = $id - AND owner_uid = $owner_uid"); + $sth = $pdo->prepare("SELECT feed_url FROM ttrss_feeds WHERE id = ? + AND owner_uid = ?"); + $sth->execute([$id, $owner_uid]); - $feed_url = db_escape_string(db_fetch_result($result, 0, "feed_url")); + if ($row = $sth->fetch()) { + $feed_url = $row["feed_url"]; - $result = db_query("SELECT id FROM ttrss_archived_feeds - WHERE feed_url = '$feed_url' AND owner_uid = $owner_uid"); + $sth = $pdo->prepare("SELECT id FROM ttrss_archived_feeds + WHERE feed_url = ? AND owner_uid = ?"); + $sth->execute([$feed_url, $owner_uid]); - if (db_num_rows($result) == 0) { - $result = db_query("SELECT MAX(id) AS id FROM ttrss_archived_feeds"); - $new_feed_id = (int)db_fetch_result($result, 0, "id") + 1; + if ($row = $sth->fetch()) { + $archive_id = $row["id"]; + } else { + $res = $pdo->query("SELECT MAX(id) AS id FROM ttrss_archived_feeds"); + $row = $res->fetch(); - db_query("INSERT INTO ttrss_archived_feeds - (id, owner_uid, title, feed_url, site_url) - SELECT $new_feed_id, owner_uid, title, feed_url, site_url from ttrss_feeds - WHERE id = '$id'"); + $new_feed_id = (int)$row['id'] + 1; - $archive_id = $new_feed_id; - } else { - $archive_id = db_fetch_result($result, 0, "id"); - } + $sth = $pdo->prepare("INSERT INTO ttrss_archived_feeds + (id, owner_uid, title, feed_url, site_url) + SELECT ?, owner_uid, title, feed_url, site_url from ttrss_feeds + WHERE id = ?"); + $sth->execute([$new_feed_id, $id]); - db_query("UPDATE ttrss_user_entries SET feed_id = NULL, - orig_feed_id = '$archive_id' WHERE feed_id = '$id' AND - marked = true AND owner_uid = $owner_uid"); + $archive_id = $new_feed_id; + } + + $sth = $pdo->prepare("UPDATE ttrss_user_entries SET feed_id = NULL, + orig_feed_id = ? WHERE feed_id = ? AND + marked = true AND owner_uid = ?"); - /* Remove access key for the feed */ + $sth->execute([$archive_id, $id, $owner_uid]); - db_query("DELETE FROM ttrss_access_keys WHERE - feed_id = '$id' AND owner_uid = $owner_uid"); + /* Remove access key for the feed */ - /* remove the feed */ + $sth = $pdo->prepare("DELETE FROM ttrss_access_keys WHERE + feed_id = ? AND owner_uid = ?"); + $sth->execute([$id, $owner_uid]); - db_query("DELETE FROM ttrss_feeds - WHERE id = '$id' AND owner_uid = $owner_uid"); + /* remove the feed */ - db_query("COMMIT"); + $sth = $pdo->prepare("DELETE FROM ttrss_feeds + WHERE id = ? AND owner_uid = ?"); + $sth->execute([$id, $owner_uid]); + } + + $pdo->commit(); if (file_exists(ICONS_DIR . "/$id.ico")) { unlink(ICONS_DIR . "/$id.ico"); @@ -1856,39 +1683,31 @@ class Pref_Feeds extends Handler_Protected { } function batchAddFeeds() { - $cat_id = $this->dbh->escape_string($_REQUEST['cat']); - $feeds = explode("\n", $_REQUEST['feeds']); - $login = $this->dbh->escape_string($_REQUEST['login']); - $pass = trim($_REQUEST['pass']); + $cat_id = clean($_REQUEST['cat']); + $feeds = explode("\n", clean($_REQUEST['feeds'])); + $login = clean($_REQUEST['login']); + $pass = trim(clean($_REQUEST['pass'])); foreach ($feeds as $feed) { - $feed = $this->dbh->escape_string(trim($feed)); + $feed = trim($feed); if (validate_feed_url($feed)) { - $this->dbh->query("BEGIN"); - - if ($cat_id == "0" || !$cat_id) { - $cat_qpart = "NULL"; - } else { - $cat_qpart = "'$cat_id'"; - } + $this->pdo->beginTransaction(); - $result = $this->dbh->query( - "SELECT id FROM ttrss_feeds - WHERE feed_url = '$feed' AND owner_uid = ".$_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds + WHERE feed_url = ? AND owner_uid = ?"); + $sth->execute([$feed, $_SESSION['uid']]); - $pass = $this->dbh->escape_string($pass); - - if ($this->dbh->num_rows($result) == 0) { - $result = $this->dbh->query( - "INSERT INTO ttrss_feeds + if (!$sth->fetch()) { + $sth = $this->pdo->prepare("INSERT INTO ttrss_feeds (owner_uid,feed_url,title,cat_id,auth_login,auth_pass,update_method,auth_pass_encrypted) - VALUES ('".$_SESSION["uid"]."', '$feed', - '[Unknown]', $cat_qpart, '$login', '$pass', 0, false)"); + VALUES (?, ?, '[Unknown]', ?, ?, ?, 0, false)"); + + $sth->execute([$_SESSION['uid'], $feed, $cat_id ? $cat_id : null, $login, $pass]); } - $this->dbh->query("COMMIT"); + $this->pdo->commit(); } } } @@ -1903,8 +1722,8 @@ class Pref_Feeds extends Handler_Protected { } function regenFeedKey() { - $feed_id = $this->dbh->escape_string($_REQUEST['id']); - $is_cat = $this->dbh->escape_string($_REQUEST['is_cat']) == "true"; + $feed_id = clean($_REQUEST['id']); + $is_cat = clean($_REQUEST['is_cat']) == "true"; $new_key = $this->update_feed_access_key($feed_id, $is_cat); @@ -1915,30 +1734,19 @@ class Pref_Feeds extends Handler_Protected { private function update_feed_access_key($feed_id, $is_cat, $owner_uid = false) { if (!$owner_uid) $owner_uid = $_SESSION["uid"]; - $sql_is_cat = bool_to_sql_bool($is_cat); - - $result = $this->dbh->query("SELECT access_key FROM ttrss_access_keys - WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat - AND owner_uid = " . $owner_uid); + // clear old value and generate new one + $sth = $this->pdo->prepare("DELETE FROM ttrss_access_keys + WHERE feed_id = ? AND is_cat = ? AND owner_uid = ?"); + $sth->execute([$feed_id, $is_cat, $owner_uid]); - if ($this->dbh->num_rows($result) == 1) { - $key = $this->dbh->escape_string(uniqid_short()); - - $this->dbh->query("UPDATE ttrss_access_keys SET access_key = '$key' - WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat - AND owner_uid = " . $owner_uid); - - return $key; - - } else { - return get_feed_access_key($feed_id, $is_cat, $owner_uid); - } + return get_feed_access_key($feed_id, $is_cat, $owner_uid); } // Silent function clearKeys() { - $this->dbh->query("DELETE FROM ttrss_access_keys WHERE - owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("DELETE FROM ttrss_access_keys WHERE + owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); } private function calculate_children_count($cat) { @@ -1962,13 +1770,16 @@ class Pref_Feeds extends Handler_Protected { $interval_qpart = "DATE_SUB(NOW(), INTERVAL 3 MONTH)"; } - $result = $this->dbh->query("SELECT COUNT(*) AS num_inactive FROM ttrss_feeds WHERE + $sth = $this->pdo->prepare("SELECT COUNT(id) AS num_inactive FROM ttrss_feeds WHERE (SELECT MAX(updated) FROM ttrss_entries, ttrss_user_entries WHERE ttrss_entries.id = ref_id AND ttrss_user_entries.feed_id = ttrss_feeds.id) < $interval_qpart AND - ttrss_feeds.owner_uid = ".$_SESSION["uid"]); + ttrss_feeds.owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); - print (int) $this->dbh->fetch_result($result, 0, "num_inactive"); + if ($row = $sth->fetch()) { + print (int)$row["num_inactive"]; + } } static function subscribe_to_feed_url() { |