Diffstat (limited to 'plugins')
-rw-r--r--plugins/af_psql_trgm/init.php105
-rwxr-xr-xplugins/af_readability/init.php10
-rwxr-xr-xplugins/af_redditimgur/init.php24
-rw-r--r--plugins/af_zz_imgproxy/init.php6
-rw-r--r--plugins/auth_internal/init.php166
-rw-r--r--plugins/auth_remote/init.php31
-rw-r--r--plugins/auto_assign_labels/init.php6
-rw-r--r--plugins/bookmarklets/init.php4
-rw-r--r--plugins/cache_starred_images/init.php17
-rw-r--r--plugins/embed_original/init.php18
-rw-r--r--plugins/mail/init.php28
-rw-r--r--plugins/mailto/init.php14
-rw-r--r--plugins/note/init.php44
-rw-r--r--plugins/share/init.php50
-rw-r--r--plugins/vf_shared/init.php21
15 files changed, 318 insertions, 226 deletions
diff --git a/plugins/af_psql_trgm/init.php b/plugins/af_psql_trgm/init.php
index 175176e0b..19653c0f3 100644
--- a/plugins/af_psql_trgm/init.php
+++ b/plugins/af_psql_trgm/init.php
@@ -1,6 +1,7 @@
<?php
class Af_Psql_Trgm extends Plugin {
+ /* @var PluginHost $host */
private $host;
function about() {
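Review bot: The annotation added above `private $host;` is a plain `/* ... */` comment, which most PHPDoc consumers (phpDocumentor, PHPStan, Psalm) do not parse; the docblock form `/** @var PluginHost $host */` is what types the property. The same single-asterisk form is used for the `$host` (and `$base`) annotations added in af_readability, af_redditimgur, af_zz_imgproxy, auth_remote, auto_assign_labels, cache_starred_images, embed_original, mail and note in this commit, so one sweep would fix them all.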
@@ -10,9 +11,9 @@ class Af_Psql_Trgm extends Plugin {
}
function save() {
- $similarity = (float) db_escape_string($_POST["similarity"]);
- $min_title_length = (int) db_escape_string($_POST["min_title_length"]);
- $enable_globally = checkbox_to_sql_bool($_POST["enable_globally"]) == "true";
+ $similarity = (float) $_POST["similarity"];
+ $min_title_length = (int) $_POST["min_title_length"];
+ $enable_globally = checkbox_to_sql_bool($_POST["enable_globally"]);
if ($similarity < 0) $similarity = 0;
if ($similarity > 1) $similarity = 1;
@@ -44,18 +45,20 @@ class Af_Psql_Trgm extends Plugin {
}
function showrelated() {
- $id = (int) db_escape_string($_REQUEST['param']);
+ $id = (int) $_REQUEST['param'];
$owner_uid = $_SESSION["uid"];
- $result = db_query("SELECT title FROM ttrss_entries, ttrss_user_entries
- WHERE ref_id = id AND id = $id AND owner_uid = $owner_uid");
+ $sth = $this->pdo->prepare("SELECT title FROM ttrss_entries, ttrss_user_entries
+ WHERE ref_id = id AND id = ? AND owner_uid = ?");
+ $sth->execute([$id, $owner_uid]);
- $title = db_fetch_result($result, 0, "title");
+ if ($row = $sth->fetch()) {
- print "<h2>$title</h2>";
+ $title = $row['title'];
- $title = db_escape_string($title);
- $result = db_query("SELECT ttrss_entries.id AS id,
+ print "<h2>$title</h2>";
+
+ $sth = $this->pdo->prepare("SELECT ttrss_entries.id AS id,
feed_id,
ttrss_entries.title AS title,
updated, link,
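Review bot: The title fetched for the heading is printed as `<h2>$title</h2>` without `htmlspecialchars()`, while `link` and `feed_title` in the following hunk's loop are escaped, so escaping is inconsistent for values that originate in feed content; `print "<h2>" . htmlspecialchars($title) . "</h2>";` here and `htmlspecialchars($line["title"])` in the anchor text of the next hunk would make it uniform. If titles are guaranteed tag-free at ingest this is defence in depth only, but the output code should not depend on what an earlier write path did. The prepared statement begun at the end of this hunk continues into the next one.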
@@ -65,38 +68,42 @@ class Af_Psql_Trgm extends Plugin {
ttrss_entries, ttrss_user_entries LEFT JOIN ttrss_feeds ON (ttrss_feeds.id = feed_id)
WHERE
ttrss_entries.id = ref_id AND
- ttrss_user_entries.owner_uid = $owner_uid AND
- ttrss_entries.id != $id AND
+ ttrss_user_entries.owner_uid = ? AND
+ ttrss_entries.id != ? AND
date_entered >= NOW() - INTERVAL '2 weeks'
ORDER BY
sm DESC, date_entered DESC
LIMIT 10");
- print "<ul class=\"browseFeedList\" style=\"border-width : 1px\">";
+ $sth->execute([$owner_uid, $id]);
+
+ print "<ul class=\"browseFeedList\" style=\"border-width : 1px\">";
- while ($line = db_fetch_assoc($result)) {
- print "<li>";
- print "<div class='insensitive small' style='margin-left : 20px; float : right'>" .
- smart_date_time(strtotime($line["updated"]))
- . "</div>";
+ while ($line = $sth->fetch()) {
+ print "<li>";
+ print "<div class='insensitive small' style='margin-left : 20px; float : right'>" .
+ smart_date_time(strtotime($line["updated"]))
+ . "</div>";
- $sm = sprintf("%.2f", $line['sm']);
- print "<img src='images/score_high.png' title='$sm'
+ $sm = sprintf("%.2f", $line['sm']);
+ print "<img src='images/score_high.png' title='$sm'
style='vertical-align : middle'>";
- $article_link = htmlspecialchars($line["link"]);
- print " <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"$article_link\">".
- $line["title"]."</a>";
+ $article_link = htmlspecialchars($line["link"]);
+ print " <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"$article_link\">".
+ $line["title"]."</a>";
- print " (<a href=\"#\" onclick=\"viewfeed({feed:".$line["feed_id"]."})\">".
- htmlspecialchars($line["feed_title"])."</a>)";
+ print " (<a href=\"#\" onclick=\"viewfeed({feed:".$line["feed_id"]."})\">".
+ htmlspecialchars($line["feed_title"])."</a>)";
- print " <span class='insensitive'>($sm)</span>";
+ print " <span class='insensitive'>($sm)</span>";
- print "</li>";
- }
+ print "</li>";
+ }
- print "</ul>";
+ print "</ul>";
+
+ }
print "<div style='text-align : center'>";
print "<button dojoType=\"dijit.form.Button\" onclick=\"dijit.byId('trgmRelatedDlg').hide()\">".__('Close this window')."</button>";
@@ -121,9 +128,9 @@ class Af_Psql_Trgm extends Plugin {
print_error("Database type not supported.");
} else {
- $result = db_query("select 'similarity'::regproc");
+ $res = $this->pdo->query("select 'similarity'::regproc");
- if (db_num_rows($result) == 0) {
+ if (!$res->fetch()) {
print_error("pg_trgm extension not found.");
}
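Review bot: `$this->pdo->query("select 'similarity'::regproc")` is followed directly by `$res->fetch()`, but if the cast fails — which is what PostgreSQL does when no `similarity` function exists — `query()` returns `false` under PDO's silent or warning error modes and the call on `false` is a fatal error instead of the intended `print_error("pg_trgm extension not found.")`. Guard the result, `if (!$res || !$res->fetch()) {`, or catch `PDOException` if the connection is configured with `ERRMODE_EXCEPTION`. The same pattern appears in the later hunk that begins `if (DB_TYPE != "pgsql") return $article;`, where `if (!$res->fetch()) return $article;` has the same exposure.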
@@ -226,7 +233,7 @@ class Af_Psql_Trgm extends Plugin {
$enabled_feeds = $this->host->get($this, "enabled_feeds");
if (!is_array($enabled_feeds)) $enabled_feeds = array();
- $enable = checkbox_to_sql_bool($_POST["trgm_similarity_enabled"]) == 'true';
+ $enable = checkbox_to_sql_bool($_POST["trgm_similarity_enabled"]);
$key = array_search($feed_id, $enabled_feeds);
if ($enable) {
@@ -246,8 +253,8 @@ class Af_Psql_Trgm extends Plugin {
if (DB_TYPE != "pgsql") return $article;
- $result = db_query("select 'similarity'::regproc");
- if (db_num_rows($result) == 0) return $article;
+ $res = $this->pdo->query("select 'similarity'::regproc");
+ if (!$res->fetch()) return $article;
$enable_globally = $this->host->get($this, "enable_globally");
@@ -265,18 +272,21 @@ class Af_Psql_Trgm extends Plugin {
$owner_uid = $article["owner_uid"];
$entry_guid = $article["guid_hashed"];
- $title_escaped = db_escape_string($article["title"]);
+ $title_escaped = $article["title"];
// trgm does not return similarity=1 for completely equal strings
- $result = db_query("SELECT COUNT(id) AS nequal
+ $sth = $this->pdo->prepare("SELECT COUNT(id) AS nequal
FROM ttrss_entries, ttrss_user_entries WHERE ref_id = id AND
date_entered >= NOW() - interval '3 days' AND
- title = '$title_escaped' AND
- guid != '$entry_guid' AND
- owner_uid = $owner_uid");
+ title = ? AND
+ guid != ? AND
+ owner_uid = ?");
+ $sth->execute([$title_escaped, $entry_guid, $owner_uid]);
+
+ $row = $sth->fetch();
+ $nequal = $row['nequal'];
- $nequal = db_fetch_result($result, 0, "nequal");
_debug("af_psql_trgm: num equals: $nequal");
if ($nequal != 0) {
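Review bot: `$title_escaped = $article["title"];` keeps a name that says the value is escaped when it no longer is, which invites a later maintainer to interpolate it into SQL; rename it to `$title`, since it is now only ever bound as a parameter. The variable is reused in the following hunk's `SIMILARITY(title, ?)` query, so the rename must cover both hunks. The enclosing function begins outside this hunk.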
@@ -284,13 +294,15 @@ class Af_Psql_Trgm extends Plugin {
return $article;
}
- $result = db_query("SELECT MAX(SIMILARITY(title, '$title_escaped')) AS ms
+ $sth = $this->pdo->prepare("SELECT MAX(SIMILARITY(title, ?)) AS ms
FROM ttrss_entries, ttrss_user_entries WHERE ref_id = id AND
date_entered >= NOW() - interval '1 day' AND
- guid != '$entry_guid' AND
- owner_uid = $owner_uid");
+ guid != ? AND
+ owner_uid = ?");
+ $sth->execute([$title_escaped, $entry_guid, $owner_uid]);
- $similarity_result = db_fetch_result($result, 0, "ms");
+ $row = $sth->fetch();
+ $similarity_result = $row['ms'];
_debug("af_psql_trgm: similarity result: $similarity_result");
@@ -311,9 +323,10 @@ class Af_Psql_Trgm extends Plugin {
foreach ($enabled_feeds as $feed) {
- $result = db_query("SELECT id FROM ttrss_feeds WHERE id = '$feed' AND owner_uid = " . $_SESSION["uid"]);
+ $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE id = ? AND owner_uid = ?");
+ $sth->execute([$feed, $_SESSION['uid']]);
- if (db_num_rows($result) != 0) {
+ if ($row = $sth->fetch()) {
array_push($tmp, $feed);
}
}
diff --git a/plugins/af_readability/init.php b/plugins/af_readability/init.php
index fbc8fe0ab..04673000a 100755
--- a/plugins/af_readability/init.php
+++ b/plugins/af_readability/init.php
@@ -1,6 +1,7 @@
<?php
class Af_Readability extends Plugin {
+ /* @var PluginHost $host */
private $host;
function about() {
@@ -14,7 +15,7 @@ class Af_Readability extends Plugin {
}
function save() {
- $enable_share_anything = checkbox_to_sql_bool($_POST["enable_share_anything"]) == "true";
+ $enable_share_anything = checkbox_to_sql_bool($_POST["enable_share_anything"]);
$this->host->set($this, "enable_share_anything", $enable_share_anything);
@@ -112,7 +113,7 @@ class Af_Readability extends Plugin {
$enabled_feeds = $this->host->get($this, "enabled_feeds");
if (!is_array($enabled_feeds)) $enabled_feeds = array();
- $enable = checkbox_to_sql_bool($_POST["af_readability_enabled"]) == 'true';
+ $enable = checkbox_to_sql_bool($_POST["af_readability_enabled"]);
$key = array_search($feed_id, $enabled_feeds);
if ($enable) {
@@ -240,9 +241,10 @@ class Af_Readability extends Plugin {
foreach ($enabled_feeds as $feed) {
- $result = db_query("SELECT id FROM ttrss_feeds WHERE id = '$feed' AND owner_uid = " . $_SESSION["uid"]);
+ $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE id = ? AND owner_uid = ?");
+ $sth->execute([$feed, $_SESSION['uid']]);
- if (db_num_rows($result) != 0) {
+ if ($row = $sth->fetch()) {
array_push($tmp, $feed);
}
}
diff --git a/plugins/af_redditimgur/init.php b/plugins/af_redditimgur/init.php
index 8074894fd..59e3a760c 100755
--- a/plugins/af_redditimgur/init.php
+++ b/plugins/af_redditimgur/init.php
@@ -1,5 +1,7 @@
<?php
class Af_RedditImgur extends Plugin {
+
+ /* @var PluginHost $host */
private $host;
function about() {
@@ -64,8 +66,8 @@ class Af_RedditImgur extends Plugin {
}
function save() {
- $enable_readability = checkbox_to_sql_bool($_POST["enable_readability"]) == "true";
- $enable_content_dupcheck = checkbox_to_sql_bool($_POST["enable_content_dupcheck"]) == "true";
+ $enable_readability = checkbox_to_sql_bool($_POST["enable_readability"]);
+ $enable_content_dupcheck = checkbox_to_sql_bool($_POST["enable_content_dupcheck"]);
$this->host->set($this, "enable_readability", $enable_readability, false);
$this->host->set($this, "enable_content_dupcheck", $enable_content_dupcheck);
@@ -379,8 +381,8 @@ class Af_RedditImgur extends Plugin {
if ($this->host->get($this, "enable_content_dupcheck")) {
if ($content_link) {
- $content_href = db_escape_string($content_link->getAttribute("href"));
- $entry_guid = db_escape_string($article["guid_hashed"]);
+ $content_href = $content_link->getAttribute("href");
+ $entry_guid = $article["guid_hashed"];
$owner_uid = $article["owner_uid"];
if (DB_TYPE == "pgsql") {
@@ -389,16 +391,18 @@ class Af_RedditImgur extends Plugin {
$interval_qpart = "date_entered < DATE_SUB(NOW(), INTERVAL 1 DAY)";
}
- $result = db_query("SELECT COUNT(id) AS cid
+ $sth = $this->pdo->prepare("SELECT COUNT(id) AS cid
FROM ttrss_entries, ttrss_user_entries WHERE
ref_id = id AND
$interval_qpart AND
- guid != '$entry_guid' AND
- owner_uid = '$owner_uid' AND
- content LIKE '%href=\"$content_href\">[link]%'");
+ guid != ? AND
+ owner_uid = ? AND
+ content LIKE ?");
+
+ $sth->execute([$entry_guid, $owner_uid, "%href=\"$content_href\">[link]%"]);
- if ($result) {
- $num_found = db_fetch_result($result, 0, "cid");
+ if ($row = $sth->fetch()) {
+ $num_found = $row['cid'];
if ($num_found > 0) $article["force_catchup"] = true;
}
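Review bot: `$content_href` comes from the article's link and is placed into the `LIKE ?` pattern unchanged, so any `%` or `_` in the href acts as a wildcard and can make the duplicate check match unrelated entries, which then get `force_catchup` set. Binding the value removes the injection risk but not the pattern semantics; escape the wildcards before building the pattern, e.g. `$like_href = addcslashes($content_href, '%_\\');` and bind `"%href=\"$like_href\">[link]%"`. Whether a backslash escape applies depends on the backend's default `LIKE` escape character, so confirm it against both supported databases. The enclosing function begins outside this hunk.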
diff --git a/plugins/af_zz_imgproxy/init.php b/plugins/af_zz_imgproxy/init.php
index 4cfca4180..935cbdbcf 100644
--- a/plugins/af_zz_imgproxy/init.php
+++ b/plugins/af_zz_imgproxy/init.php
@@ -1,5 +1,7 @@
<?php
class Af_Zz_ImgProxy extends Plugin {
+
+ /* @var PluginHost $host */
private $host;
function about() {
@@ -241,8 +243,8 @@ class Af_Zz_ImgProxy extends Plugin {
}
function save() {
- $proxy_all = checkbox_to_sql_bool($_POST["proxy_all"]) == "true";
- $disable_cache = checkbox_to_sql_bool($_POST["disable_cache"]) == "true";
+ $proxy_all = checkbox_to_sql_bool($_POST["proxy_all"]);
+ $disable_cache = checkbox_to_sql_bool($_POST["disable_cache"]);
$this->host->set($this, "proxy_all", $proxy_all, false);
$this->host->set($this, "disable_cache", $disable_cache);
diff --git a/plugins/auth_internal/init.php b/plugins/auth_internal/init.php
index dc49229f6..4cc473304 100644
--- a/plugins/auth_internal/init.php
+++ b/plugins/auth_internal/init.php
@@ -1,5 +1,6 @@
<?php
class Auth_Internal extends Plugin implements IAuthModule {
+
private $host;
function about() {
@@ -9,8 +10,10 @@ class Auth_Internal extends Plugin implements IAuthModule {
true);
}
- function init($host) {
+ /* @var PluginHost $host */
+ function init($host) {
$this->host = $host;
+ $this->pdo = Db::pdo();
$host->add_hook($host::HOOK_AUTH_USER, $this);
}
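Review bot: The `/* @var PluginHost $host */` comment is placed above `function init($host)`, where `@var` has no meaning; a method parameter is documented with `/** @param PluginHost $host */` in a two-asterisk docblock so analysers pick it up. The same misplaced tag appears in auth_remote's `init` hunk, which also leaves a stray space in `function init($host ) {`. `$this->pdo = Db::pdo();` is assigned here although `$pdo` is not declared on this class and the other plugins in this commit use `$this->pdo` without assigning it, which suggests the base `Plugin` already provides it — if so this line is redundant and should go.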
@@ -19,16 +22,16 @@ class Auth_Internal extends Plugin implements IAuthModule {
$pwd_hash1 = encrypt_password($password);
$pwd_hash2 = encrypt_password($password, $login);
- $login = db_escape_string($login);
- $otp = db_escape_string($_REQUEST["otp"]);
+ $otp = $_REQUEST["otp"];
if (get_schema_version() > 96) {
if (!defined('AUTH_DISABLE_OTP') || !AUTH_DISABLE_OTP) {
- $result = db_query("SELECT otp_enabled,salt FROM ttrss_users WHERE
- login = '$login'");
+ $sth = $this->pdo->prepare("SELECT otp_enabled,salt FROM ttrss_users WHERE
+ login = ?");
+ $sth->execute([$login]);
- if (db_num_rows($result) > 0) {
+ if ($row = $sth->fetch()) {
require_once "lib/otphp/vendor/base32.php";
require_once "lib/otphp/lib/otp.php";
@@ -36,8 +39,8 @@ class Auth_Internal extends Plugin implements IAuthModule {
$base32 = new Base32();
- $otp_enabled = sql_bool_to_bool(db_fetch_result($result, 0, "otp_enabled"));
- $secret = $base32->encode(sha1(db_fetch_result($result, 0, "salt")));
+ $otp_enabled = $row['otp_enabled'];
+ $secret = $base32->encode(sha1($row['salt']));
$topt = new \OTPHP\TOTP($secret);
$otp_check = $topt->now();
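Review bot: `$otp_enabled = $row['otp_enabled'];` drops the `sql_bool_to_bool()` normalisation, so the value is now whatever the PDO driver returns for a boolean column — a PHP bool on some drivers, a string such as `'0'`/`'1'` or `'t'`/`'f'` on others. A string `'f'` is truthy, so if any supported backend returns that form, the downstream truthiness test (outside this hunk) would demand an OTP from users who have not enabled it. Keeping a `sql_bool_to_bool`-style normalisation on the fetched value, or confirming that both configured drivers return PHP bools for this column, removes the doubt.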
@@ -50,9 +53,12 @@ class Auth_Internal extends Plugin implements IAuthModule {
} else {
$return = urlencode($_REQUEST["return"]);
?><html>
- <head><title>Tiny Tiny RSS</title></head>
- <?php echo stylesheet_tag("css/utility.css") ?>
- <body class="otp"><div class="content">
+ <head>
+ <title>Tiny Tiny RSS</title>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+ </head>
+ <?php echo stylesheet_tag("css/default.css") ?>
+ <body class="ttrss_utility otp"><div class="content">
<form action="public.php?return=<?php echo $return ?>"
method="POST" class="otpform">
<input type="hidden" name="op" value="login">
@@ -79,109 +85,127 @@ class Auth_Internal extends Plugin implements IAuthModule {
if (get_schema_version() > 87) {
- $result = db_query("SELECT salt FROM ttrss_users WHERE
- login = '$login'");
+ $sth = $this->pdo->prepare("SELECT salt FROM ttrss_users WHERE login = ?");
+ $sth->execute([$login]);
- if (db_num_rows($result) != 1) {
- return false;
- }
+ if ($row = $sth->fetch()) {
+ $salt = $row['salt'];
- $salt = db_fetch_result($result, 0, "salt");
+ if ($salt == "") {
- if ($salt == "") {
+ $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
+ login = ? AND (pwd_hash = ? OR pwd_hash = ?)");
- $query = "SELECT id
- FROM ttrss_users WHERE
- login = '$login' AND (pwd_hash = '$pwd_hash1' OR
- pwd_hash = '$pwd_hash2')";
+ $sth->execute([$login, $pwd_hash1, $pwd_hash2]);
- // verify and upgrade password to new salt base
+ // verify and upgrade password to new salt base
- $result = db_query($query);
+ if ($row = $sth->fetch()) {
+ // upgrade password to MODE2
- if (db_num_rows($result) == 1) {
- // upgrade password to MODE2
+ $user_id = $row['id'];
- $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
- $pwd_hash = encrypt_password($password, $salt, true);
+ $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
+ $pwd_hash = encrypt_password($password, $salt, true);
+
+ $sth = $this->pdo->prepare("UPDATE ttrss_users SET
+ pwd_hash = ?, salt = ? WHERE login = ?");
- db_query("UPDATE ttrss_users SET
- pwd_hash = '$pwd_hash', salt = '$salt' WHERE login = '$login'");
+ $sth->execute([$pwd_hash, $salt, $login]);
- $query = "SELECT id
- FROM ttrss_users WHERE
- login = '$login' AND pwd_hash = '$pwd_hash'";
+ return $user_id;
+
+ } else {
+ return false;
+ }
} else {
- return false;
+ $pwd_hash = encrypt_password($password, $salt, true);
+
+ $sth = $this->pdo->prepare("SELECT id
+ FROM ttrss_users WHERE
+ login = ? AND pwd_hash = ?");
+ $sth->execute([$login, $pwd_hash]);
+
+ if ($row = $sth->fetch()) {
+ return $row['id'];
+ }
}
} else {
+ $sth = $this->pdo->prepare("SELECT id
+ FROM ttrss_users WHERE
+ login = ? AND (pwd_hash = ? OR pwd_hash = ?)");
- $pwd_hash = encrypt_password($password, $salt, true);
-
- $query = "SELECT id
- FROM ttrss_users WHERE
- login = '$login' AND pwd_hash = '$pwd_hash'";
+ $sth->execute([$login, $pwd_hash1, $pwd_hash2]);
+ if ($row = $sth->fetch()) {
+ return $row['id'];
+ }
}
-
} else {
- $query = "SELECT id
- FROM ttrss_users WHERE
- login = '$login' AND (pwd_hash = '$pwd_hash1' OR
- pwd_hash = '$pwd_hash2')";
- }
+ $sth = $this->pdo->prepare("SELECT id
+ FROM ttrss_users WHERE
+ login = ? AND (pwd_hash = ? OR pwd_hash = ?)");
- $result = db_query($query);
+ $sth->execute([$login, $pwd_hash1, $pwd_hash2]);
- if (db_num_rows($result) == 1) {
- return db_fetch_result($result, 0, "id");
- }
+ if ($row = $sth->fetch()) {
+ return $row['id'];
+ }
+ }
return false;
}
function check_password($owner_uid, $password) {
- $owner_uid = db_escape_string($owner_uid);
- $result = db_query("SELECT salt,login FROM ttrss_users WHERE
- id = '$owner_uid'");
+ $sth = $this->pdo->prepare("SELECT salt,login FROM ttrss_users WHERE
+ id = ?");
+ $sth->execute([$owner_uid]);
- $salt = db_fetch_result($result, 0, "salt");
- $login = db_fetch_result($result, 0, "login");
+ if ($row = $sth->fetch()) {
- if (!$salt) {
- $password_hash1 = encrypt_password($password);
- $password_hash2 = encrypt_password($password, $login);
+ $salt = $row['salt'];
+ $login = $row['login'];
- $query = "SELECT id FROM ttrss_users WHERE
- id = '$owner_uid' AND (pwd_hash = '$password_hash1' OR
- pwd_hash = '$password_hash2')";
+ if (!$salt) {
+ $password_hash1 = encrypt_password($password);
+ $password_hash2 = encrypt_password($password, $login);
- } else {
- $password_hash = encrypt_password($password, $salt, true);
+ $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
+ id = ? AND (pwd_hash = ? OR pwd_hash = ?)");
- $query = "SELECT id FROM ttrss_users WHERE
- id = '$owner_uid' AND pwd_hash = '$password_hash'";
- }
+ $sth->execute([$owner_uid, $password_hash1, $password_hash2]);
+
+ return $sth->fetch();
- $result = db_query($query);
+ } else {
+ $password_hash = encrypt_password($password, $salt, true);
+
+ $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
+ id = ? AND pwd_hash = ?");
+
+ $sth->execute([$owner_uid, $password_hash]);
+
+ return $sth->fetch();
+ }
+ }
- return db_num_rows($result) != 0;
+ return false;
}
function change_password($owner_uid, $old_password, $new_password) {
- $owner_uid = db_escape_string($owner_uid);
if ($this->check_password($owner_uid, $old_password)) {
$new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
$new_password_hash = encrypt_password($new_password, $new_salt, true);
- db_query("UPDATE ttrss_users SET
- pwd_hash = '$new_password_hash', salt = '$new_salt', otp_enabled = false
- WHERE id = '$owner_uid'");
+ $sth = $this->pdo->prepare("UPDATE ttrss_users SET
+ pwd_hash = ?, salt = ?, otp_enabled = false
+ WHERE id = ?");
+ $sth->execute([$new_password_hash, $new_salt, $owner_uid]);
$_SESSION["pwd_hash"] = $new_password_hash;
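Review bot: `check_password()` now does `return $sth->fetch();` in both branches, so it returns a row array or `false` where the old code returned a bool; a caller comparing against `true`, or an `IAuthModule` contract that expects a bool, would break, and a predicate should not hand back a row. Return `$sth->fetch() !== false;` in both places (or cast with `(bool)`). In `authenticate()`, the `else` entered when the `SELECT salt FROM ttrss_users WHERE login = ?` lookup finds no row re-queries `login = ? AND (pwd_hash = ? OR pwd_hash = ?)` for the same login, which cannot match; the previous direct `return false;` was clearer. `authenticate()` begins and `change_password()` ends outside this hunk.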
diff --git a/plugins/auth_remote/init.php b/plugins/auth_remote/init.php
index dd04dcd10..bad1af65e 100644
--- a/plugins/auth_remote/init.php
+++ b/plugins/auth_remote/init.php
@@ -2,6 +2,7 @@
class Auth_Remote extends Plugin implements IAuthModule {
private $host;
+ /* @var Auth_Base $base */
private $base;
function about() {
@@ -11,7 +12,8 @@ class Auth_Remote extends Plugin implements IAuthModule {
true);
}
- function init($host) {
+ /* @var PluginHost $host */
+ function init($host ) {
$this->host = $host;
$this->base = new Auth_Base();
@@ -19,15 +21,16 @@ class Auth_Remote extends Plugin implements IAuthModule {
}
function get_login_by_ssl_certificate() {
- $cert_serial = db_escape_string(get_ssl_certificate_id());
+ $cert_serial = get_ssl_certificate_id();
if ($cert_serial) {
- $result = db_query("SELECT login FROM ttrss_user_prefs, ttrss_users
- WHERE pref_name = 'SSL_CERT_SERIAL' AND value = '$cert_serial' AND
+ $sth = $this->pdo->prepare("SELECT login FROM ttrss_user_prefs, ttrss_users
+ WHERE pref_name = 'SSL_CERT_SERIAL' AND value = ? AND
owner_uid = ttrss_users.id");
+ $sth->execute([$cert_serial]);
- if (db_num_rows($result) != 0) {
- return db_escape_string(db_fetch_result($result, 0, "login"));
+ if ($row = $sth->fetch()) {
+ return $row['login'];
}
}
@@ -38,11 +41,11 @@ class Auth_Remote extends Plugin implements IAuthModule {
* @SuppressWarnings(PHPMD.UnusedFormalParameter)
*/
function authenticate($login, $password) {
- $try_login = db_escape_string($_SERVER["REMOTE_USER"]);
+ $try_login = $_SERVER["REMOTE_USER"];
// php-cgi
- if (!$try_login) $try_login = db_escape_string($_SERVER["REDIRECT_REMOTE_USER"]);
- if (!$try_login) $try_login = db_escape_string($_SERVER["PHP_AUTH_USER"]);
+ if (!$try_login) $try_login = $_SERVER["REDIRECT_REMOTE_USER"];
+ if (!$try_login) $try_login = $_SERVER["PHP_AUTH_USER"];
if (!$try_login) $try_login = $this->get_login_by_ssl_certificate();
@@ -60,16 +63,14 @@ class Auth_Remote extends Plugin implements IAuthModule {
// update user name
$fullname = $_SERVER['HTTP_USER_NAME'] ? $_SERVER['HTTP_USER_NAME'] : $_SERVER['AUTHENTICATE_CN'];
if ($fullname){
- $fullname = db_escape_string($fullname);
- db_query("UPDATE ttrss_users SET full_name = '$fullname' WHERE id = " .
- $user_id);
+ $sth = $this->pdo->prepare("UPDATE ttrss_users SET full_name = ? WHERE id = ?");
+ $sth->execute([$fullname, $user_id]);
}
// update user mail
$email = $_SERVER['HTTP_USER_MAIL'] ? $_SERVER['HTTP_USER_MAIL'] : $_SERVER['AUTHENTICATE_MAIL'];
if ($email){
- $email = db_escape_string($email);
- db_query("UPDATE ttrss_users SET email = '$email' WHERE id = " .
- $user_id);
+ $sth = $this->pdo->prepare("UPDATE ttrss_users SET email = ? WHERE id = ?");
+ $sth->execute([$email, $user_id]);
}
}
diff --git a/plugins/auto_assign_labels/init.php b/plugins/auto_assign_labels/init.php
index 911adb6b8..cc70e2dff 100644
--- a/plugins/auto_assign_labels/init.php
+++ b/plugins/auto_assign_labels/init.php
@@ -1,6 +1,7 @@
<?php
class Auto_Assign_Labels extends Plugin {
+ /* @var PluginHost $host */
private $host;
function about() {
@@ -18,9 +19,10 @@ class Auto_Assign_Labels extends Plugin {
function get_all_labels_filter_format($owner_uid) {
$rv = array();
- $result = db_query("SELECT id, fg_color, bg_color, caption FROM ttrss_labels2 WHERE owner_uid = " . $owner_uid);
+ $sth = $this->pdo->prepare("SELECT id, fg_color, bg_color, caption FROM ttrss_labels2 WHERE owner_uid = ?");
+ $sth->execute([$owner_uid]);
- while ($line = db_fetch_assoc($result)) {
+ while ($line = $sth->fetch()) {
array_push($rv, array(Labels::label_to_feed_id($line["id"]),
$line["caption"], $line["fg_color"], $line["bg_color"]));
}
diff --git a/plugins/bookmarklets/init.php b/plugins/bookmarklets/init.php
index 43bc42870..0aa953a27 100644
--- a/plugins/bookmarklets/init.php
+++ b/plugins/bookmarklets/init.php
@@ -28,7 +28,7 @@ class Bookmarklets extends Plugin {
$bm_url = htmlspecialchars("javascript:{if(confirm('$confirm_str'.replace('%s',window.location.href)))window.location.href='$bm_subscribe_url'+window.location.href}");
print "<p>";
- print "<a href=\"$bm_url\" class='bookmarklet'>" . __('Subscribe in Tiny Tiny RSS'). "</a>";
+ print "<a href=\"$bm_url\" class='dijitButton'>" . __('Subscribe in Tiny Tiny RSS'). "</a>";
print "</p>";
print "<p>" . __("Use this bookmarklet to publish arbitrary pages using Tiny Tiny RSS") . "</p>";
@@ -37,7 +37,7 @@ class Bookmarklets extends Plugin {
$bm_url = htmlspecialchars("javascript:(function(){var d=document,w=window,e=w.getSelection,k=d.getSelection,x=d.selection,s=(e?e():(k)?k():(x?x.createRange().text:0)),f='".get_self_url_prefix()."/public.php?op=sharepopup',l=d.location,e=encodeURIComponent,g=f+'&title='+((e(s))?e(s):e(document.title))+'&url='+e(l.href);function a(){if(!w.open(g,'t','toolbar=0,resizable=0,scrollbars=1,status=1,width=500,height=250')){l.href=g;}}a();})()");
- print "<a href=\"$bm_url\" class='bookmarklet'>" . __('Share with Tiny Tiny RSS'). "</a>";
+ print "<a href=\"$bm_url\" class='dijitButton'>" . __('Share with Tiny Tiny RSS'). "</a>";
print "</p>";
diff --git a/plugins/cache_starred_images/init.php b/plugins/cache_starred_images/init.php
index 82e7d1fbd..6c32ff57f 100644
--- a/plugins/cache_starred_images/init.php
+++ b/plugins/cache_starred_images/init.php
@@ -1,6 +1,7 @@
<?php
class Cache_Starred_Images extends Plugin implements IHandler {
+ /* @var PluginHost $host */
private $host;
private $cache_dir;
@@ -92,11 +93,11 @@ class Cache_Starred_Images extends Plugin implements IHandler {
if ($article_id != $last_article_id) {
$last_article_id = $article_id;
- $article_id = db_escape_string($article_id);
- $result = db_query("SELECT id FROM ttrss_entries WHERE id = " . $article_id);
+ $sth = $this->pdo->prepare("SELECT id FROM ttrss_entries WHERE id = ?");
+ $sth->execute([$article_id]);
- $article_exists = db_num_rows($result) > 0;
+ $article_exists = $sth->fetch();
}
if (!$article_exists) {
@@ -135,7 +136,7 @@ class Cache_Starred_Images extends Plugin implements IHandler {
}
function hook_update_task() {
- $result = db_query("SELECT content, ttrss_user_entries.owner_uid, link, site_url, ttrss_entries.id, plugin_data
+ $res = $this->pdo->query("SELECT content, ttrss_user_entries.owner_uid, link, site_url, ttrss_entries.id, plugin_data
FROM ttrss_entries, ttrss_user_entries LEFT JOIN ttrss_feeds ON
(ttrss_user_entries.feed_id = ttrss_feeds.id)
WHERE ref_id = ttrss_entries.id AND
@@ -145,14 +146,16 @@ class Cache_Starred_Images extends Plugin implements IHandler {
plugin_data NOT LIKE '%starred_cache_images%'
ORDER BY ".sql_random_function()." LIMIT 100");
- while ($line = db_fetch_assoc($result)) {
+ $usth = $this->pdo->prepare("UPDATE ttrss_entries SET plugin_data = ? WHERE id = ?");
+
+ while ($line = $res->fetch()) {
if ($line["site_url"]) {
$success = $this->cache_article_images($line["content"], $line["site_url"], $line["owner_uid"], $line["id"]);
if ($success) {
- $plugin_data = db_escape_string("starred_cache_images,${line['owner_uid']}:" . $line["plugin_data"]);
+ $plugin_data = "starred_cache_images,${line['owner_uid']}:" . $line["plugin_data"];
- db_query("UPDATE ttrss_entries SET plugin_data = '$plugin_data' WHERE id = " . $line["id"]);
+ $usth->execute([$plugin_data, $line['id']]);
}
}
}
diff --git a/plugins/embed_original/init.php b/plugins/embed_original/init.php
index a74905f8f..1925d141d 100644
--- a/plugins/embed_original/init.php
+++ b/plugins/embed_original/init.php
@@ -1,5 +1,7 @@
<?php
class Embed_Original extends Plugin {
+
+ /* @var PluginHost $host */
private $host;
function init($host) {
@@ -34,17 +36,17 @@ class Embed_Original extends Plugin {
}
function getUrl() {
- $id = db_escape_string($_REQUEST['id']);
+ $id = $_REQUEST['id'];
- $result = db_query("SELECT link
+ $sth = $this->pdo->prepare("SELECT link
FROM ttrss_entries, ttrss_user_entries
- WHERE id = '$id' AND ref_id = id AND owner_uid = " .$_SESSION['uid']);
-
- $url = "";
-
- if (db_num_rows($result) != 0) {
- $url = db_fetch_result($result, 0, "link");
+ WHERE id = ? AND ref_id = id AND owner_uid = ?");
+ $sth->execute([$id, $_SESSION['uid']]);
+ if ($row = $sth->fetch()) {
+ $url = $row['link'];
+ } else {
+ $url = "";
}
print json_encode(array("url" => $url, "id" => $id));
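Review bot: `$id = $_REQUEST['id'];` is bound as an opaque string and then echoed back in the JSON, whereas the parallel change in af_psql_trgm casts its request id with `(int)`. `$id = (int) $_REQUEST['id'];` would keep the two consistent, reject non-numeric input before the query runs, and make the `id` in the response an integer instead of whatever the client sent.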
diff --git a/plugins/mail/init.php b/plugins/mail/init.php
index 5fa8c8e1c..045fd7986 100644
--- a/plugins/mail/init.php
+++ b/plugins/mail/init.php
@@ -1,6 +1,7 @@
<?php
class Mail extends Plugin {
+ /* @var PluginHost $host */
private $host;
function about() {
@@ -21,7 +22,7 @@ class Mail extends Plugin {
}
function save() {
- $addresslist = db_escape_string($_POST["addresslist"]);
+ $addresslist = $_POST["addresslist"];
$this->host->set($this, "addresslist", $addresslist);
@@ -77,17 +78,21 @@ class Mail extends Plugin {
function emailArticle() {
- $param = db_escape_string($_REQUEST['param']);
+ $ids = explode(",", $_REQUEST['param']);
+ $ids_qmarks = arr_qmarks($ids);
print_hidden("op", "pluginhandler");
print_hidden("plugin", "mail");
print_hidden("method", "sendEmail");
- $result = db_query("SELECT email, full_name FROM ttrss_users WHERE
+ $sth = $this->pdo->prepare("SELECT email, full_name FROM ttrss_users WHERE
id = " . $_SESSION["uid"]);
+ $sth->execute([$_SESSION['uid']]);
- $user_email = htmlspecialchars(db_fetch_result($result, 0, "email"));
- $user_name = htmlspecialchars(db_fetch_result($result, 0, "full_name"));
+ if ($row = $sth->fetch()) {
+ $user_email = htmlspecialchars($row['email']);
+ $user_name = htmlspecialchars($row['full_name']);
+ }
if (!$user_name) $user_name = $_SESSION['name'];
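Review bot: The `SELECT email, full_name` statement still interpolates `$_SESSION["uid"]` on its unchanged second line while the new `execute([$_SESSION['uid']])` supplies a bound value for a placeholder that does not exist, so the prepare/execute pair mismatches (PDO reports this as SQLSTATE HY093) and `fetch()` never yields the row; change that line to `id = ?");`. As written `$user_email` is never assigned, and the later `setVariable('USER_EMAIL', ...)` reads an undefined variable. `emailArticle()` continues past the end of this hunk.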
@@ -104,15 +109,16 @@ class Mail extends Plugin {
$tpl->setVariable('USER_EMAIL', $user_email, true);
$tpl->setVariable('TTRSS_HOST', $_SERVER["HTTP_HOST"], true);
- $result = db_query("SELECT DISTINCT link, content, title, note
+ $sth = $this->pdo->prepare("SELECT DISTINCT link, content, title, note
FROM ttrss_user_entries, ttrss_entries WHERE id = ref_id AND
- id IN ($param) AND owner_uid = " . $_SESSION["uid"]);
+ id IN ($ids_qmarks) AND owner_uid = ?");
+ $sth->execute(array_merge($ids, [$_SESSION['uid']]));
- if (db_num_rows($result) > 1) {
+ if (count($ids) > 1) {
$subject = __("[Forwarded]") . " " . __("Multiple articles");
}
- while ($line = db_fetch_assoc($result)) {
+ while ($line = $sth->fetch()) {
if (!$subject)
$subject = __("[Forwarded]") . " " . htmlspecialchars($line["title"]);
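Review bot: `if (count($ids) > 1)` has no `else`, so when a single id is requested `$subject` reaches the `if (!$subject)` test below without being assigned in this block unless it is initialised earlier in `emailArticle()` outside the hunk; the mailto hunk in this same commit adds `} else { $subject = ""; }` for exactly this case, and this one should match. The ids from `explode(",", $_REQUEST['param'])` are bound, so there is no injection, but `$ids = array_map('intval', $ids);` would still reject junk before it reaches the `IN (...)` list. Note also that the subject now depends on how many ids were asked for rather than how many rows the owner-scoped query returned, so one accessible article plus one foreign id now yields "Multiple articles".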
@@ -199,7 +205,7 @@ class Mail extends Plugin {
if (!$rc) {
$reply['error'] = $mail->ErrorInfo;
} else {
- //save_email_address(db_escape_string($destination));
+ //save_email_address($destination);
$reply['message'] = "UPDATE_COUNTERS";
}
@@ -207,7 +213,7 @@ class Mail extends Plugin {
}
/* function completeEmails() {
- $search = db_escape_string($_REQUEST["search"]);
+ $search = $_REQUEST["search"];
print "<ul>";
diff --git a/plugins/mailto/init.php b/plugins/mailto/init.php
index 83e643231..60c58b707 100644
--- a/plugins/mailto/init.php
+++ b/plugins/mailto/init.php
@@ -27,7 +27,8 @@ class MailTo extends Plugin {
function emailArticle() {
- $param = db_escape_string($_REQUEST['param']);
+ $ids = explode(",", $_REQUEST['param']);
+ $ids_qmarks = arr_qmarks($ids);
require_once "lib/MiniTemplator.class.php";
@@ -40,15 +41,18 @@ class MailTo extends Plugin {
$tpl->setVariable('TTRSS_HOST', $_SERVER["HTTP_HOST"], true);
- $result = db_query("SELECT DISTINCT link, content, title
+ $sth = $this->pdo->prepare("SELECT DISTINCT link, content, title
FROM ttrss_user_entries, ttrss_entries WHERE id = ref_id AND
- id IN ($param) AND owner_uid = " . $_SESSION["uid"]);
+ id IN ($ids_qmarks) AND owner_uid = ?");
+ $sth->execute(array_merge($ids, [$_SESSION['uid']]));
- if (db_num_rows($result) > 1) {
+ if (count($ids) > 1) {
$subject = __("[Forwarded]") . " " . __("Multiple articles");
+ } else {
+ $subject = "";
}
- while ($line = db_fetch_assoc($result)) {
+ while ($line = $sth->fetch()) {
if (!$subject)
$subject = __("[Forwarded]") . " " . htmlspecialchars($line["title"]);
diff --git a/plugins/note/init.php b/plugins/note/init.php
index 65cdf30e4..354591b75 100644
--- a/plugins/note/init.php
+++ b/plugins/note/init.php
@@ -1,5 +1,7 @@
<?php
class Note extends Plugin {
+
+ /* @var PluginHost $host */
private $host;
function about() {
@@ -27,24 +29,29 @@ class Note extends Plugin {
}
function edit() {
- $param = db_escape_string($_REQUEST['param']);
+ $param = $_REQUEST['param'];
+
+ $sth = $this->pdo->prepare("SELECT note FROM ttrss_user_entries WHERE
+ ref_id = ? AND owner_uid = ?");
+ $sth->execute([$param, $_SESSION['uid']]);
+
+ if ($row = $sth->fetch()) {
- $result = db_query("SELECT note FROM ttrss_user_entries WHERE
- ref_id = '$param' AND owner_uid = " . $_SESSION['uid']);
+ $note = $row['note'];
- $note = db_fetch_result($result, 0, "note");
+ print_hidden("id", "$param");
+ print_hidden("op", "pluginhandler");
+ print_hidden("method", "setNote");
+ print_hidden("plugin", "note");
- print_hidden("id", "$param");
- print_hidden("op", "pluginhandler");
- print_hidden("method", "setNote");
- print_hidden("plugin", "note");
+ print "<table width='100%'><tr><td>";
+ print "<textarea dojoType=\"dijit.form.SimpleTextarea\"
+ style='font-size : 12px; width : 98%; height: 100px;'
+ placeHolder='body#ttrssMain { font-size : 14px; };'
+ name='note'>$note</textarea>";
+ print "</td></tr></table>";
- print "<table width='100%'><tr><td>";
- print "<textarea dojoType=\"dijit.form.SimpleTextarea\"
- style='font-size : 12px; width : 98%; height: 100px;'
- placeHolder='body#ttrssMain { font-size : 14px; };'
- name='note'>$note</textarea>";
- print "</td></tr></table>";
+ }
print "<div class='dlgButtons'>";
print "<button dojoType=\"dijit.form.Button\"
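Review bot: `name='note'>$note</textarea>` prints the stored note unescaped; the only protection is the `strip_tags()` applied on the write path in setNote(), which is not output encoding and does not cover notes stored by any other path or before that filter existed. Escape at the sink, `name='note'>" . htmlspecialchars($note) . "</textarea>";`, and cast the request value once, `$param = (int) $_REQUEST['param'];`, so the value bound to `ref_id = ?` is an integer (PostgreSQL rejects a non-numeric string there) and the same value is safe in `print_hidden("id", "$param")` even if print_hidden() does not attribute-encode — its body is not visible here. edit() continues past the end of this hunk.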
@@ -56,11 +63,12 @@ class Note extends Plugin {
}
function setNote() {
- $id = db_escape_string($_REQUEST["id"]);
- $note = trim(strip_tags(db_escape_string($_REQUEST["note"])));
+ $id = $_REQUEST["id"];
+ $note = trim(strip_tags($_REQUEST["note"]));
- db_query("UPDATE ttrss_user_entries SET note = '$note'
- WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]);
+ $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET note = ?
+ WHERE ref_id = ? AND owner_uid = ?");
+ $sth->execute([$note, $id, $_SESSION['uid']]);
$formatted_note = Article::format_article_note($id, $note);
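Review bot: `$id = $_REQUEST["id"];` leaves the article id as an arbitrary string that is bound to `ref_id = ?` and then passed to `Article::format_article_note($id, $note)`; the prepared statement removes the injection risk, but a non-integer value makes the UPDATE fail on PostgreSQL and still reaches the formatter. `$id = (int) $_REQUEST["id"];` settles both. `strip_tags()` is a weak sanitiser (context-blind, does not decode entities), so `$note` should still be HTML-escaped wherever it is rendered rather than trusted because of this filter. setNote() continues past the end of this hunk.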
diff --git a/plugins/share/init.php b/plugins/share/init.php
index 133f09447..94571bb1b 100644
--- a/plugins/share/init.php
+++ b/plugins/share/init.php
@@ -8,6 +8,7 @@ class Share extends Plugin {
"fox");
}
+ /* @var PluginHost $host */
function init($host) {
$this->host = $host;
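Review bot: The added `/* @var PluginHost $host */` sits above `function init($host)` rather than above a property declaration, so it documents nothing — `@var` annotates a property, and no `private $host;` is visible in Share here, unlike the other plugins in this commit that put the comment on that line. A single-star `/* ... */` is also not a docblock, so IDEs and static analysers ignore it; use `/** @var PluginHost */` on a `private $host;` declaration, or `/** @param PluginHost $host */` on init().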
@@ -25,10 +26,11 @@ class Share extends Plugin {
function unshare() {
- $id = db_escape_string($_REQUEST['id']);
+ $id = $_REQUEST['id'];
- db_query("UPDATE ttrss_user_entries SET uuid = '' WHERE int_id = '$id'
- AND owner_uid = " . $_SESSION['uid']);
+ $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET uuid = '' WHERE int_id = ?
+ AND owner_uid = ?");
+ $sth->execute([$id, $_SESSION['uid']]);
print "OK";
}
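Review bot: `$id = $_REQUEST['id'];` is bound to `int_id = ?` untyped, and `print "OK"` is emitted whether or not the UPDATE matched a row. `$id = (int) $_REQUEST['id'];` avoids a type error on PostgreSQL for junk input, and checking `$sth->rowCount()` before printing OK would let the caller learn that the id did not exist or was not theirs — though the client-side handler may only look for the literal OK, which I cannot see from here.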
@@ -38,7 +40,7 @@ class Share extends Plugin {
print "<p>" . __("You can disable all articles shared by unique URLs here.") . "</p>";
- print "<button class=\"danger\" dojoType=\"dijit.form.Button\" onclick=\"return clearArticleAccessKeys()\">".
+ print "<button class=\"btn-danger\" dojoType=\"dijit.form.Button\" onclick=\"return clearArticleAccessKeys()\">".
__('Unshare all articles')."</button> ";
print "</p>";
@@ -48,20 +50,21 @@ class Share extends Plugin {
// Silent
function clearArticleKeys() {
- db_query("UPDATE ttrss_user_entries SET uuid = '' WHERE
- owner_uid = " . $_SESSION["uid"]);
+ $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET uuid = '' WHERE
+ owner_uid = ?");
+ $sth->execute([$_SESSION['uid']]);
return;
}
function newkey() {
- $id = db_escape_string($_REQUEST['id']);
+ $id = $_REQUEST['id'];
+ $uuid = uniqid_short();
- $uuid = db_escape_string(uniqid_short());
-
- db_query("UPDATE ttrss_user_entries SET uuid = '$uuid' WHERE int_id = '$id'
- AND owner_uid = " . $_SESSION['uid']);
+ $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET uuid = ? WHERE int_id = ?
+ AND owner_uid = ?");
+ $sth->execute([$uuid, $id, $_SESSION['uid']]);
print json_encode(array("link" => $uuid));
}
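Review bot: `$uuid = uniqid_short();` generates the key that becomes the public share URL for an article, i.e. a bearer capability, so it has to be unguessable; if uniqid_short() wraps PHP's uniqid()/rand(), as the name suggests (its definition is not visible here), the value is derived from the clock and a non-cryptographic PRNG and can be predicted or enumerated across a user's shared articles. Prefer a CSPRNG — `$uuid = bin2hex(random_bytes(16));` on PHP 7, or openssl_random_pseudo_bytes() with a failure check — and confirm the uuid column is wide enough for the longer value. The same call is used in shareArticle() below, and `$id` here should also be cast to int before it is bound to `int_id = ?`.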
@@ -76,21 +79,22 @@ class Share extends Plugin {
}
function shareArticle() {
- $param = db_escape_string($_REQUEST['param']);
+ $param = $_REQUEST['param'];
- $result = db_query("SELECT uuid FROM ttrss_user_entries WHERE int_id = '$param'
- AND owner_uid = " . $_SESSION['uid']);
+ $sth = $this->pdo->prepare("SELECT uuid FROM ttrss_user_entries WHERE int_id = ?
+ AND owner_uid = ?");
+ $sth->execute([$param, $_SESSION['uid']]);
- if (db_num_rows($result) == 0) {
- print "Article not found.";
- } else {
+ if ($row = $sth->fetch()) {
- $uuid = db_fetch_result($result, 0, "uuid");
+ $uuid = $row['uuid'];
if (!$uuid) {
- $uuid = db_escape_string(uniqid_short());
- db_query("UPDATE ttrss_user_entries SET uuid = '$uuid' WHERE int_id = '$param'
- AND owner_uid = " . $_SESSION['uid']);
+ $uuid = uniqid_short();
+
+ $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET uuid = ? WHERE int_id = ?
+ AND owner_uid = ?");
+ $sth->execute([$uuid, $param, $_SESSION['uid']]);
}
print __("You can share this article by the following unique URL:") . "<br/>";
@@ -106,6 +110,10 @@ class Share extends Plugin {
label_create(__('Shared'), $_SESSION["uid"]);
label_add_article($ref_id, __('Shared'), $_SESSION['uid']); */
+
+
+ } else {
+ print "Article not found.";
}
print "<div align='center'>";
diff --git a/plugins/vf_shared/init.php b/plugins/vf_shared/init.php
index ce18f92d5..a3b0daeb6 100644
--- a/plugins/vf_shared/init.php
+++ b/plugins/vf_shared/init.php
@@ -1,6 +1,7 @@
<?php
class VF_Shared extends Plugin {
+ /* @var PluginHost $host */
private $host;
function about() {
@@ -24,18 +25,30 @@ class VF_Shared extends Plugin {
* @SuppressWarnings(PHPMD.UnusedFormalParameter)
*/
function get_unread($feed_id) {
- $result = db_query("select count(int_id) AS count from ttrss_user_entries where owner_uid = ".$_SESSION["uid"]." and unread = true and uuid != ''");
+ $sth = $this->pdo->prepare("select count(int_id) AS count
+ from ttrss_user_entries where owner_uid = ? and unread = true and uuid != ''");
+ $sth->execute([$_SESSION['uid']]);
- return db_fetch_result($result, 0, "count");
+ if ($row = $sth->fetch()) {
+ return $row['count'];
+ }
+
+ return 0;
}
/**
* @SuppressWarnings(PHPMD.UnusedFormalParameter)
*/
function get_total($feed_id) {
- $result = db_query("select count(int_id) AS count from ttrss_user_entries where owner_uid = ".$_SESSION["uid"]." and uuid != ''");
+ $sth = $this->pdo->prepare("select count(int_id) AS count
+ from ttrss_user_entries where owner_uid = ? and uuid != ''");
+ $sth->execute([$_SESSION['uid']]);
+
+ if ($row = $sth->fetch()) {
+ return $row['count'];
+ }
- return db_fetch_result($result, 0, "count");
+ return 0;
}
/**
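Review bot: `return $row['count'];` hands back whatever PDO yields for `count(int_id)` — on PostgreSQL that is a string — while the new fallback path returns the integer `0`, so get_unread() and get_total() now have a mixed return type that a strict comparison or JSON consumer in the caller can trip on. Casting in both methods, `return (int) $row['count'];`, makes the two paths consistent and matches the `0` fallback.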