Diffstat (limited to 'include')
-rw-r--r-- | include/controls.php | 170 | ||||
-rw-r--r-- | include/feedbrowser.php | 32 | ||||
-rw-r--r-- | include/functions.php | 405 | ||||
-rwxr-xr-x | include/sanity_check.php | 6 | ||||
-rw-r--r-- | include/sessions.php | 59 |
5 files changed, 293 insertions, 379 deletions
diff --git a/include/controls.php b/include/controls.php index c3dbbfe18..931ccdd52 100644 --- a/include/controls.php +++ b/include/controls.php @@ -72,7 +72,9 @@ function print_radio($id, $default, $true_is, $values, $attributes = "") { function print_feed_multi_select($id, $default_ids = [], $attributes = "", $include_all_feeds = true, - $root_id = false, $nest_level = 0) { + $root_id = null, $nest_level = 0) { + + $pdo = DB::pdo(); print_r(in_array("CAT:6",$default_ids)); @@ -86,18 +88,18 @@ function print_feed_multi_select($id, $default_ids = [], if (get_pref('ENABLE_FEED_CATS')) { - if ($root_id) - $parent_qpart = "parent_cat = '$root_id'"; - else - $parent_qpart = "parent_cat IS NULL"; + if (!$root_id) $root_id = null; - $result = db_query("SELECT id,title, + $sth = $pdo->prepare("SELECT id,title, (SELECT COUNT(id) FROM ttrss_feed_categories AS c2 WHERE c2.parent_cat = ttrss_feed_categories.id) AS num_children FROM ttrss_feed_categories - WHERE owner_uid = ".$_SESSION["uid"]." AND $parent_qpart ORDER BY title"); + WHERE owner_uid = :uid AND + (parent_cat = :root_id OR (:root_id IS NULL AND parent_cat IS NULL)) ORDER BY title"); + + $sth->execute([":uid" => $_SESSION['uid'], ":root_id" => $root_id]); - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { for ($i = 0; $i < $nest_level; $i++) $line["title"] = " - " . $line["title"]; 
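Review bot: The category query in print_feed_multi_select uses the named marker `:root_id` twice (`parent_cat = :root_id OR (:root_id IS NULL AND parent_cat IS NULL)`), and the PHP manual allows a repeated named marker only when prepare emulation is on. The attributes set inside `DB::pdo()` are not visible here, so this may work today, but it ties the query to emulated rather than server-side prepares. Binding the value under two names, e.g. `(parent_cat = :root_id OR (:root_id_null IS NULL AND parent_cat IS NULL))` with both keys in the `execute()` array, removes that dependency. The same pattern recurs in print_feed_cat_select (`:root_id`), the feedbrowser mode 2 query (`:uid`), initialize_user_prefs (`:profile`) and add_feed_category (`:parent`).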
@@ -111,10 +113,12 @@ function print_feed_multi_select($id, $default_ids = [], print_feed_multi_select($id, $default_ids, $attributes, $include_all_feeds, $line["id"], $nest_level+1); - $feed_result = db_query("SELECT id,title FROM ttrss_feeds - WHERE cat_id = '".$line["id"]."' AND owner_uid = ".$_SESSION["uid"] . " ORDER BY title"); + $f_sth = $pdo->prepare("SELECT id,title FROM ttrss_feeds + WHERE cat_id = ? AND owner_uid = ? ORDER BY title"); - while ($fline = db_fetch_assoc($feed_result)) { + $f_sth->execute([$line['id'], $_SESSION['uid']]); + + while ($fline = $f_sth->fetch()) { $is_selected = (in_array($fline["id"], $default_ids)) ? "selected=\"1\"" : ""; $fline["title"] = " + " . $fline["title"]; @@ -133,10 +137,11 @@ function print_feed_multi_select($id, $default_ids = [], printf("<option $is_selected value='CAT:0'>%s</option>", __("Uncategorized")); - $feed_result = db_query("SELECT id,title FROM ttrss_feeds - WHERE cat_id IS NULL AND owner_uid = ".$_SESSION["uid"] . " ORDER BY title"); + $f_sth = $pdo->prepare("SELECT id,title FROM ttrss_feeds + WHERE cat_id IS NULL AND owner_uid = ? ORDER BY title"); + $f_sth->execute([$_SESSION['uid']]); - while ($fline = db_fetch_assoc($feed_result)) { + while ($fline = $f_sth->fetch()) { $is_selected = in_array($fline["id"], $default_ids) ? "selected=\"1\"" : ""; $fline["title"] = " + " . $fline["title"]; @@ -150,10 +155,11 @@ function print_feed_multi_select($id, $default_ids = [], } } else { - $result = db_query("SELECT id,title FROM ttrss_feeds - WHERE owner_uid = ".$_SESSION["uid"]." ORDER BY title"); + $sth = $pdo->prepare("SELECT id,title FROM ttrss_feeds + WHERE owner_uid = ? ORDER BY title"); + $sth->execute([$_SESSION['uid']]); - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { $is_selected = (in_array($line["id"], $default_ids)) ? "selected=\"1\"" : ""; 
@@ -167,122 +173,30 @@ function print_feed_multi_select($id, $default_ids = [], } } - -/*function print_feed_select($id, $default_id = "", - $attributes = "", $include_all_feeds = true, - $root_id = false, $nest_level = 0) { +function print_feed_cat_select($id, $default_id, + $attributes, $include_all_cats = true, $root_id = null, $nest_level = 0) { if (!$root_id) { - print "<select id=\"$id\" name=\"$id\" $attributes>"; - if ($include_all_feeds) { - $is_selected = ("0" == $default_id) ? "selected=\"1\"" : ""; - print "<option $is_selected value=\"0\">".__('All feeds')."</option>"; - } + print "<select id=\"$id\" name=\"$id\" default=\"$default_id\" $attributes>"; } - if (get_pref('ENABLE_FEED_CATS')) { + $pdo = DB::pdo(); - if ($root_id) - $parent_qpart = "parent_cat = '$root_id'"; - else - $parent_qpart = "parent_cat IS NULL"; + if (!$root_id) $root_id = null; - $result = db_query("SELECT id,title, + $sth = $pdo->prepare("SELECT id,title, (SELECT COUNT(id) FROM ttrss_feed_categories AS c2 WHERE c2.parent_cat = ttrss_feed_categories.id) AS num_children FROM ttrss_feed_categories - WHERE owner_uid = ".$_SESSION["uid"]." AND $parent_qpart ORDER BY title"); - - while ($line = db_fetch_assoc($result)) { - - for ($i = 0; $i < $nest_level; $i++) - $line["title"] = " - " . $line["title"]; - - $is_selected = ("CAT:".$line["id"] == $default_id) ? "selected=\"1\"" : ""; - - printf("<option $is_selected value='CAT:%d'>%s</option>", - $line["id"], htmlspecialchars($line["title"])); - - if ($line["num_children"] > 0) - print_feed_select($id, $default_id, $attributes, - $include_all_feeds, $line["id"], $nest_level+1); - - $feed_result = db_query("SELECT id,title FROM ttrss_feeds - WHERE cat_id = '".$line["id"]."' AND owner_uid = ".$_SESSION["uid"] . " ORDER BY title"); - - while ($fline = db_fetch_assoc($feed_result)) { - $is_selected = ($fline["id"] == $default_id) ? "selected=\"1\"" : ""; - - $fline["title"] = " + " . 
$fline["title"]; - - for ($i = 0; $i < $nest_level; $i++) - $fline["title"] = " - " . $fline["title"]; - - printf("<option $is_selected value='%d'>%s</option>", - $fline["id"], htmlspecialchars($fline["title"])); - } - } - - if (!$root_id) { - $default_is_cat = ($default_id == "CAT:0"); - $is_selected = $default_is_cat ? "selected=\"1\"" : ""; - - printf("<option $is_selected value='CAT:0'>%s</option>", - __("Uncategorized")); - - $feed_result = db_query("SELECT id,title FROM ttrss_feeds - WHERE cat_id IS NULL AND owner_uid = ".$_SESSION["uid"] . " ORDER BY title"); - - while ($fline = db_fetch_assoc($feed_result)) { - $is_selected = ($fline["id"] == $default_id && !$default_is_cat) ? "selected=\"1\"" : ""; - - $fline["title"] = " + " . $fline["title"]; - - for ($i = 0; $i < $nest_level; $i++) - $fline["title"] = " - " . $fline["title"]; + WHERE owner_uid = :uid AND + (parent_cat = :root_id OR (:root_id IS NULL AND parent_cat IS NULL)) ORDER BY title"); + $sth->execute([":uid" => $_SESSION['uid'], ":root_id" => $root_id]); - printf("<option $is_selected value='%d'>%s</option>", - $fline["id"], htmlspecialchars($fline["title"])); - } - } - - } else { - $result = db_query("SELECT id,title FROM ttrss_feeds - WHERE owner_uid = ".$_SESSION["uid"]." ORDER BY title"); - - while ($line = db_fetch_assoc($result)) { - - $is_selected = ($line["id"] == $default_id) ? 
"selected=\"1\"" : ""; - - printf("<option $is_selected value='%d'>%s</option>", - $line["id"], htmlspecialchars($line["title"])); - } - } + $found = 0; - if (!$root_id) { - print "</select>"; - } -}*/ + while ($line = $sth->fetch()) { + ++$found; -function print_feed_cat_select($id, $default_id, - $attributes, $include_all_cats = true, $root_id = false, $nest_level = 0) { - - if (!$root_id) { - print "<select id=\"$id\" name=\"$id\" default=\"$default_id\" $attributes>"; - } - - if ($root_id) - $parent_qpart = "parent_cat = '$root_id'"; - else - $parent_qpart = "parent_cat IS NULL"; - - $result = db_query("SELECT id,title, - (SELECT COUNT(id) FROM ttrss_feed_categories AS c2 WHERE - c2.parent_cat = ttrss_feed_categories.id) AS num_children - FROM ttrss_feed_categories - WHERE owner_uid = ".$_SESSION["uid"]." AND $parent_qpart ORDER BY title"); - - while ($line = db_fetch_assoc($result)) { if ($line["id"] == $default_id) { $is_selected = "selected=\"1\""; } else { @@ -303,7 +217,7 @@ function print_feed_cat_select($id, $default_id, if (!$root_id) { if ($include_all_cats) { - if (db_num_rows($result) > 0) { + if ($found > 0) { print "<option disabled=\"1\">--------</option>"; } @@ -401,13 +315,16 @@ function format_inline_player($url, $ctype) { function print_label_select($name, $value, $attributes = "") { - $result = db_query("SELECT caption FROM ttrss_labels2 - WHERE owner_uid = '".$_SESSION["uid"]."' ORDER BY caption"); + $pdo = Db::pdo(); + + $sth = $pdo->prepare("SELECT caption FROM ttrss_labels2 + WHERE owner_uid = ? ORDER BY caption"); + $sth->execute([$_SESSION['uid']]); print "<select default=\"$value\" name=\"" . htmlspecialchars($name) . "\" $attributes>"; - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { $issel = ($line["caption"] == $value) ? "selected=\"1\"" : ""; @@ -421,5 +338,4 @@ function print_label_select($name, $value, $attributes = "") { print "</select>"; -} - +}
\ No newline at end of file diff --git a/include/feedbrowser.php b/include/feedbrowser.php index b70e47fdf..a5a9f3dca 100644 --- a/include/feedbrowser.php +++ b/include/feedbrowser.php @@ -3,34 +3,32 @@ if (defined('_DISABLE_FEED_BROWSER') && _DISABLE_FEED_BROWSER) return; - $owner_uid = $_SESSION["uid"]; $rv = ''; + $pdo = Db::pdo(); + if ($search) { - $search_qpart = "AND (UPPER(feed_url) LIKE UPPER('%$search%') OR + $search = $pdo->quote($search); + + $search_qpart = "AND (UPPER(feed_url) LIKE UPPER('%$search%') OR UPPER(title) LIKE UPPER('%$search%'))"; } else { $search_qpart = ""; } if ($mode == 1) { - /* $result = db_query("SELECT feed_url, subscribers FROM - ttrss_feedbrowser_cache WHERE (SELECT COUNT(id) = 0 FROM ttrss_feeds AS tf - WHERE tf.feed_url = ttrss_feedbrowser_cache.feed_url - AND owner_uid = '$owner_uid') $search_qpart - ORDER BY subscribers DESC LIMIT $limit"); */ - - $result = db_query("SELECT feed_url, site_url, title, SUM(subscribers) AS subscribers FROM + $sth = $pdo->prepare("SELECT feed_url, site_url, title, SUM(subscribers) AS subscribers FROM (SELECT feed_url, site_url, title, subscribers FROM ttrss_feedbrowser_cache UNION ALL SELECT feed_url, site_url, title, subscribers FROM ttrss_linked_feeds) AS qqq WHERE (SELECT COUNT(id) = 0 FROM ttrss_feeds AS tf WHERE tf.feed_url = qqq.feed_url - AND owner_uid = '$owner_uid') $search_qpart - GROUP BY feed_url, site_url, title ORDER BY subscribers DESC LIMIT $limit"); + AND owner_uid = ?) $search_qpart + GROUP BY feed_url, site_url, title ORDER BY subscribers DESC LIMIT ?"); + $sth->execute([$_SESSION['uid'], $limit]); } else if ($mode == 2) { - $result = db_query("SELECT *, + $sth = $pdo->prepare("SELECT *, (SELECT COUNT(*) FROM ttrss_user_entries WHERE orig_feed_id = ttrss_archived_feeds.id) AS articles_archived FROM 
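Review bot: In the feedbrowser search branch, `$pdo->quote($search)` returns the value already wrapped in quotes, but the result is still interpolated inside an existing literal as `'%$search%'`, so the added quotes close that literal early and the search text is no longer confined to one SQL string. Build the pattern first and quote it whole, as search_to_sql does elsewhere in this commit: `$pattern = $pdo->quote("%$search%");` and then `LIKE UPPER($pattern)` in both comparisons. Binding the pattern as a statement parameter next to the uid would be cleaner still. The enclosing function starts outside this hunk.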
@@ -38,14 +36,16 @@ WHERE (SELECT COUNT(*) FROM ttrss_feeds WHERE ttrss_feeds.feed_url = ttrss_archived_feeds.feed_url AND - owner_uid = '$owner_uid') = 0 AND - owner_uid = '$owner_uid' $search_qpart - ORDER BY id DESC LIMIT $limit"); + owner_uid = :uid) = 0 AND + owner_uid = :uid $search_qpart + ORDER BY id DESC LIMIT :limit"); + + $sth->execute([":uid" => $_SESSION['uid'], ":limit" => $limit]); } $feedctr = 0; - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { if ($mode == 1) { diff --git a/include/functions.php b/include/functions.php index 5667ac416..1d7033c89 100644 --- a/include/functions.php +++ b/include/functions.php @@ -226,15 +226,15 @@ if (!$purge_interval) $purge_interval = feed_purge_interval($feed_id); - $rows = -1; + $pdo = Db::pdo(); - $result = db_query( - "SELECT owner_uid FROM ttrss_feeds WHERE id = '$feed_id'"); + $sth = $pdo->prepare("SELECT owner_uid FROM ttrss_feeds WHERE id = ?"); + $sth->execute([$feed_id]); $owner_uid = false; - if (db_num_rows($result) == 1) { - $owner_uid = db_fetch_result($result, 0, "owner_uid"); + if ($row = $sth->fetch()) { + $owner_uid = $row["owner_uid"]; } if ($purge_interval == -1 || !$purge_interval) { 
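Review bot: `LIMIT :limit` in the mode 2 query is bound through the `execute()` array, which treats every value as a string; with emulated prepares on MySQL that renders as a quoted `LIMIT '…'`, which the server rejects. Whether emulation is on depends on how `Db::pdo()` configures the connection, which is not shown. Binding each value with `bindValue()` (the limit as `$sth->bindValue(':limit', (int) $limit, PDO::PARAM_INT);`) and calling `execute()` without an array avoids the question. The `LIMIT ?` in the mode 1 query of the previous hunk and the one in cleanup_tags have the same exposure.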
@@ -254,34 +254,36 @@ $purge_interval = FORCE_ARTICLE_PURGE; } - if (!$purge_unread) $query_limit = " unread = false AND "; + if (!$purge_unread) + $query_limit = " unread = false AND "; + else + $query_limit = ""; + + $purge_interval = (int) $purge_interval; if (DB_TYPE == "pgsql") { - $result = db_query("DELETE FROM ttrss_user_entries + $sth = $pdo->prepare("DELETE FROM ttrss_user_entries USING ttrss_entries WHERE ttrss_entries.id = ref_id AND marked = false AND - feed_id = '$feed_id' AND + feed_id = ? AND $query_limit ttrss_entries.date_updated < NOW() - INTERVAL '$purge_interval days'"); + $sth->execute([$feed_id]); } else { - -/* $result = db_query("DELETE FROM ttrss_user_entries WHERE - marked = false AND feed_id = '$feed_id' AND - (SELECT date_updated FROM ttrss_entries WHERE - id = ref_id) < DATE_SUB(NOW(), INTERVAL $purge_interval DAY)"); */ - - $result = db_query("DELETE FROM ttrss_user_entries + $sth = $pdo->prepare("DELETE FROM ttrss_user_entries USING ttrss_user_entries, ttrss_entries WHERE ttrss_entries.id = ref_id AND marked = false AND - feed_id = '$feed_id' AND + feed_id = ? AND $query_limit ttrss_entries.date_updated < DATE_SUB(NOW(), INTERVAL $purge_interval DAY)"); + $sth->execute([$feed_id]); + } - $rows = db_affected_rows($result); + $rows = $sth->rowCount(); CCache::update($feed_id, $owner_uid); @@ -294,12 +296,15 @@ function feed_purge_interval($feed_id) { - $result = db_query("SELECT purge_interval, owner_uid FROM ttrss_feeds - WHERE id = '$feed_id'"); + $pdo = DB::pdo(); - if (db_num_rows($result) == 1) { - $purge_interval = db_fetch_result($result, 0, "purge_interval"); - $owner_uid = db_fetch_result($result, 0, "owner_uid"); + $sth = $pdo->prepare("SELECT purge_interval, owner_uid FROM ttrss_feeds + WHERE id = ?"); + $sth->execute([$feed_id]); + + if ($row = $sth->fetch()) { + $purge_interval = $row["purge_interval"]; + $owner_uid = $row["owner_uid"]; if ($purge_interval == 0) $purge_interval = get_pref( 'PURGE_OLD_DAYS', $owner_uid); 
@@ -311,25 +316,6 @@ } } - /*function get_feed_update_interval($feed_id) { - $result = db_query("SELECT owner_uid, update_interval FROM - ttrss_feeds WHERE id = '$feed_id'"); - - if (db_num_rows($result) == 1) { - $update_interval = db_fetch_result($result, 0, "update_interval"); - $owner_uid = db_fetch_result($result, 0, "owner_uid"); - - if ($update_interval != 0) { - return $update_interval; - } else { - return get_pref('DEFAULT_UPDATE_INTERVAL', $owner_uid, false); - } - - } else { - return -1; - } - }*/ - // TODO: multiple-argument way is deprecated, first parameter is a hash now function fetch_file_contents($options /* previously: 0: $url , 1: $type = false, 2: $login = false, 3: $pass = false, 4: $post_query = false, 5: $timeout = false, 6: $timestamp = 0, 7: $useragent = false*/) { 
@@ -603,52 +589,53 @@ function initialize_user_prefs($uid, $profile = false) { - $uid = db_escape_string($uid); + if (get_schema_version() < 63) $profile_qpart = ""; - if (!$profile) { - $profile = "NULL"; - $profile_qpart = "AND profile IS NULL"; - } else { - $profile_qpart = "AND profile = '$profile'"; - } + $pdo = DB::pdo(); + $in_nested_tr = false; - if (get_schema_version() < 63) $profile_qpart = ""; + try { + $pdo->beginTransaction(); + } catch (Exception $e) { + $in_nested_tr = true; + } - db_query("BEGIN"); + $sth = $pdo->query("SELECT pref_name,def_value FROM ttrss_prefs"); - $result = db_query("SELECT pref_name,def_value FROM ttrss_prefs"); + $profile = $profile ? $profile : null; - $u_result = db_query("SELECT pref_name - FROM ttrss_user_prefs WHERE owner_uid = '$uid' $profile_qpart"); + $u_sth = $pdo->prepare("SELECT pref_name + FROM ttrss_user_prefs WHERE owner_uid = :uid AND + (profile = :profile OR (:profile IS NULL AND profile IS NULL))"); + $u_sth->execute([':uid' => $uid, ':profile' => $profile]); $active_prefs = array(); - while ($line = db_fetch_assoc($u_result)) { + while ($line = $u_sth->fetch()) { array_push($active_prefs, $line["pref_name"]); } - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { if (array_search($line["pref_name"], $active_prefs) === FALSE) { // print "adding " . $line["pref_name"] . 
"<br>"; - $line["def_value"] = db_escape_string($line["def_value"]); - $line["pref_name"] = db_escape_string($line["pref_name"]); - if (get_schema_version() < 63) { - db_query("INSERT INTO ttrss_user_prefs + $i_sth = $pdo->prepare("INSERT INTO ttrss_user_prefs (owner_uid,pref_name,value) VALUES - ('$uid', '".$line["pref_name"]."','".$line["def_value"]."')"); + (?, ?, ?)"); + $i_sth->execute([$uid, $line["pref_name"], $line["def_value"]]); } else { - db_query("INSERT INTO ttrss_user_prefs + $i_sth = $pdo->prepare("INSERT INTO ttrss_user_prefs (owner_uid,pref_name,value, profile) VALUES - ('$uid', '".$line["pref_name"]."','".$line["def_value"]."', $profile)"); + (?, ?, ?, ?)"); + $i_sth->execute([$uid, $line["pref_name"], $line["def_value"], $profile]); } } } - db_query("COMMIT"); + if (!$in_nested_tr) $pdo->commit(); } @@ -689,19 +676,22 @@ $_SESSION["uid"] = $user_id; $_SESSION["version"] = VERSION_STATIC; - $result = db_query("SELECT login,access_level,pwd_hash FROM ttrss_users - WHERE id = '$user_id'"); + $pdo = DB::pdo(); + $sth = $pdo->prepare("SELECT login,access_level,pwd_hash FROM ttrss_users + WHERE id = ?"); + $sth->execute([$user_id]); + $row = $sth->fetch(); - $_SESSION["name"] = db_fetch_result($result, 0, "login"); - $_SESSION["access_level"] = db_fetch_result($result, 0, "access_level"); + $_SESSION["name"] = $row["login"]; + $_SESSION["access_level"] = $row["access_level"]; $_SESSION["csrf_token"] = uniqid_short(); - db_query("UPDATE ttrss_users SET last_login = NOW() WHERE id = " . - $_SESSION["uid"]); + $usth = $pdo->prepare("UPDATE ttrss_users SET last_login = NOW() WHERE id = ?"); + $usth->execute([$user_id]); $_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"]; $_SESSION["user_agent"] = sha1($_SERVER['HTTP_USER_AGENT']); - $_SESSION["pwd_hash"] = db_fetch_result($result, 0, "pwd_hash"); + $_SESSION["pwd_hash"] = $row["pwd_hash"]; $_SESSION["last_version_check"] = time(); 
@@ -760,9 +750,12 @@ function initialize_user($uid) { - db_query("insert into ttrss_feeds (owner_uid,title,feed_url) - values ('$uid', 'Tiny Tiny RSS: Forum', + $pdo = DB::pdo(); + + $sth = $pdo->prepare("insert into ttrss_feeds (owner_uid,title,feed_url) + values (?, 'Tiny Tiny RSS: Forum', 'http://tt-rss.org/forum/rss.php')"); + $sth->execute([$uid]); } function logout_user() { @@ -792,6 +785,8 @@ } function login_sequence() { + $pdo = Db::pdo(); + if (SINGLE_USER_MODE) { @session_start(); authenticate_user("admin", null); @@ -818,8 +813,9 @@ } else { /* bump login timestamp */ - db_query("UPDATE ttrss_users SET last_login = NOW() WHERE id = " . - $_SESSION["uid"]); + $sth = $pdo->prepare("UPDATE ttrss_users SET last_login = NOW() WHERE id = ?"); + $sth->execute([$_SESSION['uid']]); + $_SESSION["last_login_update"] = time(); } @@ -829,16 +825,19 @@ /* cleanup ccache */ - db_query("DELETE FROM ttrss_counters_cache WHERE owner_uid = ". - $_SESSION["uid"] . " AND + $sth = $pdo->prepare("DELETE FROM ttrss_counters_cache WHERE owner_uid = ? + AND (SELECT COUNT(id) FROM ttrss_feeds WHERE ttrss_feeds.id = feed_id) = 0"); - db_query("DELETE FROM ttrss_cat_counters_cache WHERE owner_uid = ". - $_SESSION["uid"] . " AND + $sth->execute([$_SESSION['uid']]); + + $sth = $pdo->prepare("DELETE FROM ttrss_cat_counters_cache WHERE owner_uid = ? + AND (SELECT COUNT(id) FROM ttrss_feed_categories WHERE ttrss_feed_categories.id = feed_id) = 0"); + $sth->execute([$_SESSION['uid']]); } } @@ -942,19 +941,11 @@ } function sql_bool_to_bool($s) { - if ($s == "t" || $s == "1" || strtolower($s) == "true") { - return true; - } else { - return false; - } + return $s && ($s !== "f" && $s !== "false"); //no-op for PDO, backwards compat for legacy layer } function bool_to_sql_bool($s) { - if ($s) { - return "true"; - } else { - return "false"; - } + return (bool)$s; //no-op for PDO } // Session caching removed due to causing wrong redirects to upgrade 
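Review bot: `bool_to_sql_bool()` now returns a PHP boolean, and callers such as get_feed_access_key pass it through the `execute()` array, where PDO binds it as a string, so `false` is sent as an empty string. PostgreSQL does not accept an empty string as boolean input, so the `is_cat = ?` comparison there may fail for non-category feeds; this should be confirmed on both supported back ends. Returning an int (`return $s ? 1 : 0;`) or binding with `PDO::PARAM_BOOL` keeps the value well-typed. Separately, `sql_bool_to_bool()` no longer lower-cases its input, so a value like `"FALSE"` now evaluates to true where it was false before.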
@@ -963,9 +954,11 @@ function get_schema_version($nocache = false) { global $schema_version; + $pdo = DB::pdo(); + if (!$schema_version && !$nocache) { - $result = db_query("SELECT schema_version FROM ttrss_version"); - $version = db_fetch_result($result, 0, "schema_version"); + $row = $pdo->query("SELECT schema_version FROM ttrss_version")->fetch(); + $version = $row["schema_version"]; $schema_version = $version; return $version; } else { @@ -984,17 +977,6 @@ $error_code = 5; } - if (DB_TYPE == "mysql") { - $result = db_query("SELECT true", false); - if (db_num_rows($result) != 1) { - $error_code = 10; - } - } - - if (db_escape_string("testTEST") != "testTEST") { - $error_code = 12; - } - return array("code" => $error_code, "message" => $ERRORS[$error_code]); } @@ -1070,36 +1052,9 @@ return Feeds::getFeedArticles($feed, $is_cat, true, $_SESSION["uid"]); } - - /*function get_pgsql_version() { - $result = db_query("SELECT version() AS version"); - $version = explode(" ", db_fetch_result($result, 0, "version")); - return $version[1]; - }*/ - function checkbox_to_sql_bool($val) { - return ($val == "on") ? "true" : "false"; - } - - /*function getFeedCatTitle($id) { - if ($id == -1) { - return __("Special"); - } else if ($id < LABEL_BASE_INDEX) { - return __("Labels"); - } else if ($id > 0) { - $result = db_query("SELECT ttrss_feed_categories.title - FROM ttrss_feeds, ttrss_feed_categories WHERE ttrss_feeds.id = '$id' AND - cat_id = ttrss_feed_categories.id"); - if (db_num_rows($result) == 1) { - return db_fetch_result($result, 0, "title"); - } else { - return __("Uncategorized"); - } - } else { - return "getFeedCatTitle($id) failed"; - } - - }*/ + return ($val == "on") ? true : false; + } function uniqid_short() { return uniqid(base_convert(rand(), 10, 36)); 
@@ -1134,11 +1089,15 @@ $params["sanity_checksum"] = sha1(file_get_contents("include/sanity_check.php")); - $result = db_query("SELECT MAX(id) AS mid, COUNT(*) AS nf FROM - ttrss_feeds WHERE owner_uid = " . $_SESSION["uid"]); + $pdo = Db::pdo(); - $max_feed_id = db_fetch_result($result, 0, "mid"); - $num_feeds = db_fetch_result($result, 0, "nf"); + $sth = $pdo->prepare("SELECT MAX(id) AS mid, COUNT(*) AS nf FROM + ttrss_feeds WHERE owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); + $row = $sth->fetch(); + + $max_feed_id = $row["mid"]; + $num_feeds = $row["nf"]; $params["max_feed_id"] = (int) $max_feed_id; $params["num_feeds"] = (int) $num_feeds; @@ -1339,11 +1298,15 @@ function make_runtime_info($disable_update_check = false) { $data = array(); - $result = db_query("SELECT MAX(id) AS mid, COUNT(*) AS nf FROM - ttrss_feeds WHERE owner_uid = " . $_SESSION["uid"]); + $pdo = Db::pdo(); + + $sth = $pdo->prepare("SELECT MAX(id) AS mid, COUNT(*) AS nf FROM + ttrss_feeds WHERE owner_uid = ?"); + $sth->execute([$_SESSION['uid']]); + $row = $sth->fetch(); - $max_feed_id = db_fetch_result($result, 0, "mid"); - $num_feeds = db_fetch_result($result, 0, "nf"); + $max_feed_id = $row['mid']; + $num_feeds = $row['nf']; $data["max_feed_id"] = (int) $max_feed_id; $data["num_feeds"] = (int) $num_feeds; @@ -1401,8 +1364,10 @@ $search_words = array(); $search_query_leftover = array(); + $pdo = Db::pdo(); + if ($search_language) - $search_language = db_escape_string(mb_strtolower($search_language)); + $search_language = $pdo->quote(mb_strtolower($search_language)); else $search_language = "english"; 
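Review bot: In search_to_sql the caller-supplied `$search_language` now comes back from `$pdo->quote()` with its surrounding quotes, but the `else` branch still assigns the bare string `"english"`. A later hunk changes the consumer to `to_tsquery($search_language, $search_query_leftover)` without quotes, so the default case emits `to_tsquery(english, …)` and PostgreSQL will read `english` as an identifier rather than a configuration name. Quote the default as well: `$search_language = $pdo->quote("english");`.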
@@ -1419,21 +1384,21 @@ switch ($commandpair[0]) { case "title": if ($commandpair[1]) { - array_push($query_keywords, "($not (LOWER(ttrss_entries.title) LIKE '%". - db_escape_string(mb_strtolower($commandpair[1]))."%'))"); + array_push($query_keywords, "($not (LOWER(ttrss_entries.title) LIKE ". + $pdo->quote('%' . mb_strtolower($commandpair[1]) . '%') ."))"); } else { array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%') - OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))"); + OR UPPER(ttrss_entries.content) $not LIKE UPPER(".$pdo->quote("%$k%")."))"); array_push($search_words, $k); } break; case "author": if ($commandpair[1]) { - array_push($query_keywords, "($not (LOWER(author) LIKE '%". - db_escape_string(mb_strtolower($commandpair[1]))."%'))"); + array_push($query_keywords, "($not (LOWER(author) LIKE ". + $pdo->quote('%' . mb_strtolower($commandpair[1]) . '%')."))"); } else { array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%') - OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))"); + OR UPPER(ttrss_entries.content) $not LIKE UPPER(".$pdo->quote("%$k%")."))"); array_push($search_words, $k); } break; @@ -1444,11 +1409,11 @@ else if ($commandpair[1] == "false") array_push($query_keywords, "($not (note IS NULL OR note = ''))"); else - array_push($query_keywords, "($not (LOWER(note) LIKE '%". - db_escape_string(mb_strtolower($commandpair[1]))."%'))"); + array_push($query_keywords, "($not (LOWER(note) LIKE ". + $pdo->quote('%' . mb_strtolower($commandpair[1]) . '%')."))"); } else { - array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%') - OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))"); + array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER(".$pdo->quote("%$k%").") + OR UPPER(ttrss_entries.content) $not LIKE UPPER(".$pdo->quote("%$k%")."))"); if (!$not) array_push($search_words, $k); } break; 
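Review bot: The fallback branches for `title` and `author` quote only the content comparison; the title half is still built as `UPPER('%$k%')` with `$k` interpolated directly. `$k` is derived from the search string earlier in the function, outside this hunk, and nothing visible escapes it now that `db_escape_string()` is gone, so these branches may still build SQL from unescaped input. Use the same form as the other branches: `UPPER(ttrss_entries.title) $not LIKE UPPER(".$pdo->quote("%$k%").")`. The `@@ -1474,7 +1439,7 @@` hunk leaves the same half unquoted.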
@@ -1460,8 +1425,8 @@ else array_push($query_keywords, "($not (marked = false))"); } else { - array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%') - OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))"); + array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER(".$pdo->quote("%$k%").") + OR UPPER(ttrss_entries.content) $not LIKE UPPER(".$pdo->quote("%$k%")."))"); if (!$not) array_push($search_words, $k); } break; @@ -1474,7 +1439,7 @@ } else { array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%') - OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))"); + OR UPPER(ttrss_entries.content) $not LIKE UPPER(".$pdo->quote("%$k%")."))"); if (!$not) array_push($search_words, $k); } break; @@ -1486,8 +1451,8 @@ array_push($query_keywords, "($not (unread = false))"); } else { - array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%') - OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))"); + array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER(".$pdo->quote("%$k%").") + OR UPPER(ttrss_entries.content) $not LIKE UPPER(".$pdo->quote("%$k%")."))"); if (!$not) array_push($search_words, $k); } break; @@ -1507,8 +1472,8 @@ $k = mb_strtolower($k); array_push($search_query_leftover, $not ? "!$k" : $k); } else { - array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%') - OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))"); + array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER(".$pdo->quote("%$k%").") + OR UPPER(ttrss_entries.content) $not LIKE UPPER(".$pdo->quote("%$k%")."))"); } if (!$not) array_push($search_words, $k); 
@@ -1517,11 +1482,11 @@ } if (count($search_query_leftover) > 0) { - $search_query_leftover = db_escape_string(implode(" & ", $search_query_leftover)); + $search_query_leftover = $pdo->quote(implode(" & ", $search_query_leftover)); if (DB_TYPE == "pgsql") { array_push($query_keywords, - "(tsvector_combined @@ to_tsquery('$search_language', '$search_query_leftover'))"); + "(tsvector_combined @@ to_tsquery($search_language, $search_query_leftover))"); } } @@ -1846,6 +1811,7 @@ function load_filters($feed_id, $owner_uid) { $filters = array(); + $feed_id = (int) $feed_id; $cat_id = (int)Feeds::getFeedCategory($feed_id); if ($cat_id == 0) @@ -1853,8 +1819,11 @@ else $null_cat_qpart = ""; - $result = db_query("SELECT * FROM ttrss_filters2 WHERE - owner_uid = $owner_uid AND enabled = true ORDER BY order_id, title"); + $pdo = Db::pdo(); + + $sth = $pdo->prepare("SELECT * FROM ttrss_filters2 WHERE + owner_uid = ? AND enabled = true ORDER BY order_id, title"); + $sth->execute([$owner_uid]); $check_cats = array_merge( Feeds::getParentCategories($cat_id, $owner_uid), 
@@ -1863,25 +1832,26 @@ $check_cats_str = join(",", $check_cats); $check_cats_fullids = array_map(function($a) { return "CAT:$a"; }, $check_cats); - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { $filter_id = $line["id"]; $match_any_rule = sql_bool_to_bool($line["match_any_rule"]); - $result2 = db_query("SELECT + $sth2 = $pdo->prepare("SELECT r.reg_exp, r.inverse, r.feed_id, r.cat_id, r.cat_filter, r.match_on, t.name AS type_name FROM ttrss_filters2_rules AS r, ttrss_filter_types AS t WHERE (match_on IS NOT NULL OR (($null_cat_qpart (cat_id IS NULL AND cat_filter = false) OR cat_id IN ($check_cats_str)) AND - (feed_id IS NULL OR feed_id = '$feed_id'))) AND - filter_type = t.id AND filter_id = '$filter_id'"); + (feed_id IS NULL OR feed_id = ?))) AND + filter_type = t.id AND filter_id = ?"); + $sth2->execute([$feed_id, $filter_id]); $rules = array(); $actions = array(); - while ($rule_line = db_fetch_assoc($result2)) { + while ($rule_line = $sth2->fetch()) { # print_r($rule_line); if ($rule_line["match_on"]) { @@ -1915,13 +1885,14 @@ } if (count($rules) > 0) { - $result2 = db_query("SELECT a.action_param,t.name AS type_name + $sth2 = $pdo->prepare("SELECT a.action_param,t.name AS type_name FROM ttrss_filters2_actions AS a, ttrss_filter_actions AS t WHERE - action_id = t.id AND filter_id = '$filter_id'"); + action_id = t.id AND filter_id = ?"); + $sth2->execute([$filter_id]); - while ($action_line = db_fetch_assoc($result2)) { + while ($action_line = $sth2->fetch()) { # print_r($action_line); $action = array(); 
@@ -1974,33 +1945,36 @@ if (!$feed_cat) return false; - db_query("BEGIN"); + $feed_cat = mb_substr($feed_cat, 0, 250); + if (!$parent_cat_id) $parent_cat_id = null; - if ($parent_cat_id) { - $parent_qpart = "parent_cat = '$parent_cat_id'"; - $parent_insert = "'$parent_cat_id'"; - } else { - $parent_qpart = "parent_cat IS NULL"; - $parent_insert = "NULL"; - } + $pdo = Db::pdo(); + $tr_in_progress = false; - $feed_cat = mb_substr($feed_cat, 0, 250); + try { + $pdo->beginTransaction(); + } catch (Exception $e) { + $tr_in_progress = true; + } - $result = db_query( - "SELECT id FROM ttrss_feed_categories - WHERE $parent_qpart AND title = '$feed_cat' AND owner_uid = ".$_SESSION["uid"]); + $sth = $pdo->prepare("SELECT id FROM ttrss_feed_categories + WHERE (parent_cat = :parent OR (:parent IS NULL AND parent_cat IS NULL)) + AND title = :title AND owner_uid = :uid"); + $sth->execute([':parent' => $parent_cat_id, ':title' => $feed_cat, ':uid' => $_SESSION['uid']]); - if (db_num_rows($result) == 0) { + if (!$sth->fetch()) { - $result = db_query( - "INSERT INTO ttrss_feed_categories (owner_uid,title,parent_cat) - VALUES ('".$_SESSION["uid"]."', '$feed_cat', $parent_insert)"); + $sth = $pdo->prepare("INSERT INTO ttrss_feed_categories (owner_uid,title,parent_cat) + VALUES (?, ?, ?)"); + $sth->execute([$_SESSION['uid'], $feed_cat, $parent_cat_id]); - db_query("COMMIT"); + if (!$tr_in_progress) $pdo->commit(); return true; } + $pdo->commit(); + return false; } 
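Review bot: add_feed_category ends with an unconditional `$pdo->commit();` on the path where the category already exists, so when it runs inside a caller's transaction (`$tr_in_progress` true) it commits the caller's work early; the insert path guards this correctly. Make it `if (!$tr_in_progress) $pdo->commit();`. The nesting check itself catches every `Exception` from `beginTransaction()`, so an unrelated failure is also read as "already in a transaction"; `$tr_in_progress = $pdo->inTransaction();` followed by a conditional `beginTransaction()` states the intent directly. initialize_user_prefs uses the same try/catch detection.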
@@ -2070,24 +2044,28 @@ if (!$owner_uid) $owner_uid = $_SESSION["uid"]; - $sql_is_cat = bool_to_sql_bool($is_cat); + $is_cat = bool_to_sql_bool($is_cat); + + $pdo = Db::pdo(); - $result = db_query("SELECT access_key FROM ttrss_access_keys - WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat - AND owner_uid = " . $owner_uid); + $sth = $pdo->prepare("SELECT access_key FROM ttrss_access_keys + WHERE feed_id = ? AND is_cat = ? + AND owner_uid = ?"); + $sth->execute([$feed_id, $is_cat, $owner_uid]); - if (db_num_rows($result) == 1) { - return db_fetch_result($result, 0, "access_key"); + if ($row = $sth->fetch()) { + return $row["access_key"]; } else { - $key = db_escape_string(uniqid_short()); + $key = uniqid_short(); - $result = db_query("INSERT INTO ttrss_access_keys + $sth = $pdo->prepare("INSERT INTO ttrss_access_keys (access_key, feed_id, is_cat, owner_uid) - VALUES ('$key', '$feed_id', $sql_is_cat, '$owner_uid')"); + VALUES (?, ?, ?, ?)"); + + $sth->execute([$key, $feed_id, $is_cat, $owner_uid]); return $key; } - return false; } function get_feeds_from_html($url, $content) @@ -2180,6 +2158,8 @@ function cleanup_tags($days = 14, $limit = 1000) { + $days = (int) $days; + if (DB_TYPE == "pgsql") { $interval_query = "date_updated < NOW() - INTERVAL '$days days'"; } else if (DB_TYPE == "mysql") { 
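Review bot: The feed access key in get_feed_access_key is still produced by `uniqid_short()`, which an earlier hunk's context shows as `uniqid(base_convert(rand(), 10, 36))`; both inputs are clock- or PRNG-derived and not intended for secrets. The key is stored in `ttrss_access_keys` and returned to the caller, presumably as a bearer credential for feed access, so it should come from a CSPRNG, e.g. `$key = bin2hex(random_bytes(16));` where the minimum PHP version allows it. The same helper feeds `$_SESSION["csrf_token"]` in authenticate_user. The width of the `access_key` column is not visible here and needs checking before the key length changes.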
@@ -2188,27 +2168,28 @@ $tags_deleted = 0; - while ($limit > 0) { + $pdo = Db::pdo(); + + while ($limit > 0) { $limit_part = 500; - $query = "SELECT ttrss_tags.id AS id + $sth = $pdo->prepare("SELECT ttrss_tags.id AS id FROM ttrss_tags, ttrss_user_entries, ttrss_entries WHERE post_int_id = int_id AND $interval_query AND - ref_id = ttrss_entries.id AND tag_cache != '' LIMIT $limit_part"; - - $result = db_query($query); + ref_id = ttrss_entries.id AND tag_cache != '' LIMIT ?"); + $sth->execute([$limit]); $ids = array(); - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { array_push($ids, $line['id']); } if (count($ids) > 0) { $ids = join(",", $ids); - $tmp_result = db_query("DELETE FROM ttrss_tags WHERE id IN ($ids)"); - $tags_deleted += db_affected_rows($tmp_result); + $usth = $pdo->query("DELETE FROM ttrss_tags WHERE id IN ($ids)"); + $tags_deleted = $usth->rowCount(); } else { break; } @@ -2233,6 +2214,8 @@ function filter_to_sql($filter, $owner_uid) { $query = array(); + $pdo = Db::pdo(); + if (DB_TYPE == "pgsql") $reg_qpart = "~"; else @@ -2245,7 +2228,7 @@ if ($regexp_valid) { - $rule['reg_exp'] = db_escape_string($rule['reg_exp']); + $rule['reg_exp'] = $pdo->quote($rule['reg_exp']); switch ($rule["type"]) { case "title": @@ -2278,7 +2261,7 @@ if (isset($rule['inverse'])) $qpart = "NOT ($qpart)"; if (isset($rule["feed_id"]) && $rule["feed_id"] > 0) { - $qpart .= " AND feed_id = " . db_escape_string($rule["feed_id"]); + $qpart .= " AND feed_id = " . $pdo->quote($rule["feed_id"]); } if (isset($rule["cat_id"])) { 
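Review bot: `$tags_deleted = $usth->rowCount();` overwrites the counter on every pass where the old code accumulated with `+=`, so after the loop it reflects only the last batch; it should read `$tags_deleted += $usth->rowCount();`. The `LIMIT ?` placeholder is also bound to `$limit` rather than `$limit_part`, which leaves `$limit_part = 500` unused and changes the batch size. Values passed through `execute([...])` are bound as strings, which MySQL rejects in `LIMIT` when prepares are emulated, so `$sth->bindValue(1, $limit_part, PDO::PARAM_INT);` followed by a bare `execute()` is the safer form. The loop continues past the end of the hunk.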
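Review bot: `$pdo->quote()` is not a drop-in replacement for `db_escape_string()`, because it returns the value already wrapped in quotes. The `case` bodies that consume `$rule['reg_exp']` lie outside this hunk; if they still add their own `'...'` around it, the pattern ends up doubly quoted, the statement is malformed and the escaping no longer holds, so those quotes have to go. The same substitution in the later hunk at `" AND feed_id = "` produces a quoted string for a numeric column; `(int) $rule["feed_id"]` is the clearer guard there.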
@@ -2550,17 +2533,21 @@ } function check_mysql_tables() { - $schema = db_escape_string(DB_NAME); + $pdo = Db::pdo(); - $result = db_query("SELECT engine, table_name FROM information_schema.tables WHERE - table_schema = '$schema' AND table_name LIKE 'ttrss_%' AND engine != 'InnoDB'"); + $sth = $pdo->prepare("SELECT engine, table_name FROM information_schema.tables WHERE + table_schema = ? AND table_name LIKE 'ttrss_%' AND engine != 'InnoDB'"); + $sth->execute([DB_NAME]); $bad_tables = []; - while ($line = db_fetch_assoc($result)) { + while ($line = $sth->fetch()) { array_push($bad_tables, $line); } return $bad_tables; } + function arr_qmarks($arr) { + return str_repeat('?,', count($arr) - 1) . '?'; + } diff --git a/include/sanity_check.php b/include/sanity_check.php index a84959f8e..713777585 100755 --- a/include/sanity_check.php +++ b/include/sanity_check.php @@ -91,9 +91,11 @@ } if (SINGLE_USER_MODE) { - $result = db_query("SELECT id FROM ttrss_users WHERE id = 1"); + $pdo = DB::pdo(); - if (db_num_rows($result) != 1) { + $res = $pdo->query("SELECT id FROM ttrss_users WHERE id = 1"); + + if (!$res->fetch()) { array_push($errors, "SINGLE_USER_MODE is enabled in config.php but default admin account is not found."); } } diff --git a/include/sessions.php b/include/sessions.php index 7ea9052bc..c80c21de3 100644 --- a/include/sessions.php +++ b/include/sessions.php @@ -27,8 +27,10 @@ global $schema_version; if (!$schema_version) { - $result = Db::get()->query("SELECT schema_version FROM ttrss_version"); - $version = Db::get()->fetch_result($result, 0, "schema_version"); + $row = Db::pdo()->query("SELECT schema_version FROM ttrss_version")->fetch(); + + $version = $row["schema_version"]; + $schema_version = $version; return $version; } else { 
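Review bot: `arr_qmarks()` has no guard for an empty array: `count($arr) - 1` is then -1, which `str_repeat()` rejects, and the result would still carry one `?` with no value to bind. `return implode(',', array_fill(0, count($arr), '?'));` yields exactly one placeholder per element. A short docblock should state that callers must skip the query when the list is empty, since `IN ()` is not valid SQL.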
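Review bot: In the `include/sessions.php` hunk, `$row["schema_version"]` is read without checking that `fetch()` returned a row; with an empty `ttrss_version` table `$row` is `false` and `$version` silently becomes null. The chained `->query(...)->fetch()` also assumes `query()` never returns `false`, which depends on the error mode configured in `Db::pdo()` (not visible here). An explicit check such as `if (!$row) return false;` before the array access makes the failure visible to the session validation that relies on this value. The enclosing function starts outside the hunk.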
@@ -44,28 +46,30 @@ __("Session failed to validate (schema version changed)"); return false; } + $pdo = Db::pdo(); if ($_SESSION["uid"]) { - $result = Db::get()->query( - "SELECT pwd_hash FROM ttrss_users WHERE id = '".$_SESSION["uid"]."'"); + $sth = $pdo->prepare("SELECT pwd_hash FROM ttrss_users WHERE id = ?"); + $sth->execute([$_SESSION['uid']]); // user not found - if (Db::get()->num_rows($result) == 0) { + if ($row = $sth->fetch()) { + $pwd_hash = $row["pwd_hash"]; + + if ($pwd_hash != $_SESSION["pwd_hash"]) { - $_SESSION["login_error_msg"] = - __("Session failed to validate (user not found)"); + $_SESSION["login_error_msg"] = + __("Session failed to validate (password changed)"); - return false; + return false; + } } else { - $pwd_hash = Db::get()->fetch_result($result, 0, "pwd_hash"); - if ($pwd_hash != $_SESSION["pwd_hash"]) { + $_SESSION["login_error_msg"] = + __("Session failed to validate (user not found)"); - $_SESSION["login_error_msg"] = - __("Session failed to validate (password changed)"); + return false; - return false; - } } } @@ -82,18 +86,21 @@ function ttrss_read ($id){ global $session_expire; - $res = Db::get()->query("SELECT data FROM ttrss_sessions WHERE id='$id'"); + $sth = Db::pdo()->prepare("SELECT data FROM ttrss_sessions WHERE id=?"); + $sth->execute([$id]); - if (Db::get()->num_rows($res) != 1) { + if ($row = $sth->fetch()) { + return base64_decode($row["data"]); - $expire = time() + $session_expire; + } else { + $expire = time() + $session_expire; - Db::get()->query("INSERT INTO ttrss_sessions (id, data, expire) - VALUES ('$id', '', '$expire')"); + $sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire) + VALUES (?, '', ?)"); + $sth->execute([$id, $expire]); + + return ""; - return ""; - } else { - return base64_decode(Db::get()->fetch_result($res, 0, "data")); } } 
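Review bot: The session check still compares the stored hash with `!=`, which is PHP's loose comparison, so two different strings that both look numeric can compare as equal. This is the test that invalidates sessions after a password change, so it should be exact: `if (!hash_equals((string) $pwd_hash, (string) $_SESSION["pwd_hash"])) {`. The `// user not found` comment now sits above the branch where the user was found and belongs on the `else` branch. The enclosing function starts outside the hunk.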
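Review bot: None of the new `execute()` calls in the session handlers has its result checked. Unless `Db::pdo()` enables exceptions (not visible here), a failed SELECT in `ttrss_read` is indistinguishable from a missing session and falls into the INSERT branch, returning empty data. `ttrss_write` and `ttrss_destroy` in the following hunks likewise return `true` whatever the outcome. Checking the result, e.g. `if (!$sth->execute([$id])) return false;`, or a comment stating that the connection uses `PDO::ERRMODE_EXCEPTION`, would make the failure mode explicit.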
@@ -104,7 +111,8 @@ $data = base64_encode($data); $expire = time() + $session_expire; - Db::get()->query("UPDATE ttrss_sessions SET data='$data', expire='$expire' WHERE id='$id'"); + $sth = Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?"); + $sth->execute([$data, $expire, $id]); return true; } @@ -114,7 +122,8 @@ } function ttrss_destroy($id) { - Db::get()->query("DELETE FROM ttrss_sessions WHERE id = '$id'"); + $sth = Db::pdo()->prepare("DELETE FROM ttrss_sessions WHERE id = ?"); + $sth->execute([$id]); return true; } @@ -123,7 +132,7 @@ * @SuppressWarnings(PHPMD.UnusedFormalParameter) */ function ttrss_gc ($expire) { - Db::get()->query("DELETE FROM ttrss_sessions WHERE expire < " . time()); + Db::pdo()->query("DELETE FROM ttrss_sessions WHERE expire < " . time()); return true; } |