Browse Source

db_escape_string: specify link parameter for consistency; sessions: do not force-close db connection in _close()

Andrew Dolgov 7 years ago
parent
commit
3972bf5981

+ 31 - 31
classes/api.php

@@ -47,7 +47,7 @@ class API extends Handler {
 	}
 
 	function login() {
-		$login = db_escape_string($_REQUEST["user"]);
+		$login = db_escape_string($this->link, $_REQUEST["user"]);
 		$password = $_REQUEST["password"];
 		$password_base64 = base64_decode($_REQUEST["password"]);
 
@@ -92,8 +92,8 @@ class API extends Handler {
 	}
 
 	function getUnread() {
-		$feed_id = db_escape_string($_REQUEST["feed_id"]);
-		$is_cat = db_escape_string($_REQUEST["is_cat"]);
+		$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
+		$is_cat = db_escape_string($this->link, $_REQUEST["is_cat"]);
 
 		if ($feed_id) {
 			print $this->wrap(self::STATUS_OK, array("unread" => getFeedUnread($this->link, $feed_id, $is_cat)));
@@ -108,10 +108,10 @@ class API extends Handler {
 	}
 
 	function getFeeds() {
-		$cat_id = db_escape_string($_REQUEST["cat_id"]);
+		$cat_id = db_escape_string($this->link, $_REQUEST["cat_id"]);
 		$unread_only = sql_bool_to_bool($_REQUEST["unread_only"]);
-		$limit = (int) db_escape_string($_REQUEST["limit"]);
-		$offset = (int) db_escape_string($_REQUEST["offset"]);
+		$limit = (int) db_escape_string($this->link, $_REQUEST["limit"]);
+		$offset = (int) db_escape_string($this->link, $_REQUEST["offset"]);
 		$include_nested = sql_bool_to_bool($_REQUEST["include_nested"]);
 
 		$feeds = $this->api_get_feeds($this->link, $cat_id, $unread_only, $limit, $offset, $include_nested);
@@ -171,29 +171,29 @@ class API extends Handler {
 	}
 
 	function getHeadlines() {
-		$feed_id = db_escape_string($_REQUEST["feed_id"]);
+		$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
 		if ($feed_id != "") {
 
-			$limit = (int)db_escape_string($_REQUEST["limit"]);
+			$limit = (int)db_escape_string($this->link, $_REQUEST["limit"]);
 
 			if (!$limit || $limit >= 60) $limit = 60;
 
-			$offset = (int)db_escape_string($_REQUEST["skip"]);
-			$filter = db_escape_string($_REQUEST["filter"]);
+			$offset = (int)db_escape_string($this->link, $_REQUEST["skip"]);
+			$filter = db_escape_string($this->link, $_REQUEST["filter"]);
 			$is_cat = sql_bool_to_bool($_REQUEST["is_cat"]);
 			$show_excerpt = sql_bool_to_bool($_REQUEST["show_excerpt"]);
 			$show_content = sql_bool_to_bool($_REQUEST["show_content"]);
 			/* all_articles, unread, adaptive, marked, updated */
-			$view_mode = db_escape_string($_REQUEST["view_mode"]);
+			$view_mode = db_escape_string($this->link, $_REQUEST["view_mode"]);
 			$include_attachments = sql_bool_to_bool($_REQUEST["include_attachments"]);
-			$since_id = (int)db_escape_string($_REQUEST["since_id"]);
+			$since_id = (int)db_escape_string($this->link, $_REQUEST["since_id"]);
 			$include_nested = sql_bool_to_bool($_REQUEST["include_nested"]);
 			$sanitize_content = true;
 
 			/* do not rely on params below */
 
-			$search = db_escape_string($_REQUEST["search"]);
-			$search_mode = db_escape_string($_REQUEST["search_mode"]);
+			$search = db_escape_string($this->link, $_REQUEST["search"]);
+			$search_mode = db_escape_string($this->link, $_REQUEST["search_mode"]);
 
 			$headlines = $this->api_get_headlines($this->link, $feed_id, $limit, $offset,
 				$filter, $is_cat, $show_excerpt, $show_content, $view_mode, false,
@@ -207,10 +207,10 @@ class API extends Handler {
 	}
 
 	function updateArticle() {
-		$article_ids = array_filter(explode(",", db_escape_string($_REQUEST["article_ids"])), is_numeric);
-		$mode = (int) db_escape_string($_REQUEST["mode"]);
-		$data = db_escape_string($_REQUEST["data"]);
-		$field_raw = (int)db_escape_string($_REQUEST["field"]);
+		$article_ids = array_filter(explode(",", db_escape_string($this->link, $_REQUEST["article_ids"])), is_numeric);
+		$mode = (int) db_escape_string($this->link, $_REQUEST["mode"]);
+		$data = db_escape_string($this->link, $_REQUEST["data"]);
+		$field_raw = (int)db_escape_string($this->link, $_REQUEST["field"]);
 
 		$field = "";
 		$set_to = "";
@@ -285,7 +285,7 @@ class API extends Handler {
 
 	function getArticle() {
 
-		$article_id = join(",", array_filter(explode(",", db_escape_string($_REQUEST["article_id"])), is_numeric));
+		$article_id = join(",", array_filter(explode(",", db_escape_string($this->link, $_REQUEST["article_id"])), is_numeric));
 
 		$query = "SELECT id,title,link,content,cached_content,feed_id,comments,int_id,
 			marked,unread,published,
@@ -348,7 +348,7 @@ class API extends Handler {
 	}
 
 	function updateFeed() {
-		$feed_id = db_escape_string($_REQUEST["feed_id"]);
+		$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
 
 		update_rss_feed($this->link, $feed_id, true);
 
@@ -356,8 +356,8 @@ class API extends Handler {
 	}
 
 	function catchupFeed() {
-		$feed_id = db_escape_string($_REQUEST["feed_id"]);
-		$is_cat = db_escape_string($_REQUEST["is_cat"]);
+		$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
+		$is_cat = db_escape_string($this->link, $_REQUEST["is_cat"]);
 
 		catchup_feed($this->link, $feed_id, $is_cat);
 
@@ -365,13 +365,13 @@ class API extends Handler {
 	}
 
 	function getPref() {
-		$pref_name = db_escape_string($_REQUEST["pref_name"]);
+		$pref_name = db_escape_string($this->link, $_REQUEST["pref_name"]);
 
 		print $this->wrap(self::STATUS_OK, array("value" => get_pref($this->link, $pref_name)));
 	}
 
 	function getLabels() {
-		//$article_ids = array_filter(explode(",", db_escape_string($_REQUEST["article_ids"])), is_numeric);
+		//$article_ids = array_filter(explode(",", db_escape_string($this->link, $_REQUEST["article_ids"])), is_numeric);
 
 		$article_id = (int)$_REQUEST['article_id'];
 
@@ -409,11 +409,11 @@ class API extends Handler {
 
 	function setArticleLabel() {
 
-		$article_ids = array_filter(explode(",", db_escape_string($_REQUEST["article_ids"])), is_numeric);
-		$label_id = (int) db_escape_string($_REQUEST['label_id']);
-		$assign = (bool) db_escape_string($_REQUEST['assign']) == "true";
+		$article_ids = array_filter(explode(",", db_escape_string($this->link, $_REQUEST["article_ids"])), is_numeric);
+		$label_id = (int) db_escape_string($this->link, $_REQUEST['label_id']);
+		$assign = (bool) db_escape_string($this->link, $_REQUEST['assign']) == "true";
 
-		$label = db_escape_string(label_find_caption($this->link,
+		$label = db_escape_string($this->link, label_find_caption($this->link,
 			$label_id, $_SESSION["uid"]));
 
 		$num_updated = 0;
@@ -442,9 +442,9 @@ class API extends Handler {
 	}
 
 	function shareToPublished() {
-		$title = db_escape_string(strip_tags($_REQUEST["title"]));
-		$url = db_escape_string(strip_tags($_REQUEST["url"]));
-		$content = db_escape_string(strip_tags($_REQUEST["content"]));
+		$title = db_escape_string($this->link, strip_tags($_REQUEST["title"]));
+		$url = db_escape_string($this->link, strip_tags($_REQUEST["url"]));
+		$content = db_escape_string($this->link, strip_tags($_REQUEST["content"]));
 
 		if (Article::create_published_article($this->link, $title, $url, $content, "", $_SESSION["uid"])) {
 			print $this->wrap(self::STATUS_OK, array("status" => 'OK'));

+ 5 - 5
classes/article.php

@@ -8,7 +8,7 @@ class Article extends Handler_Protected {
 	}
 
 	function redirect() {
-		$id = db_escape_string($_REQUEST['id']);
+		$id = db_escape_string($this->link, $_REQUEST['id']);
 
 		$result = db_query($this->link, "SELECT link FROM ttrss_entries, ttrss_user_entries
 						WHERE id = '$id' AND id = ref_id AND owner_uid = '".$_SESSION['uid']."'
@@ -27,10 +27,10 @@ class Article extends Handler_Protected {
 	}
 
 	function view() {
-		$id = db_escape_string($_REQUEST["id"]);
-		$cids = explode(",", db_escape_string($_REQUEST["cids"]));
-		$mode = db_escape_string($_REQUEST["mode"]);
-		$omode = db_escape_string($_REQUEST["omode"]);
+		$id = db_escape_string($this->link, $_REQUEST["id"]);
+		$cids = explode(",", db_escape_string($this->link, $_REQUEST["cids"]));
+		$mode = db_escape_string($this->link, $_REQUEST["mode"]);
+		$omode = db_escape_string($this->link, $_REQUEST["omode"]);
 
 		// in prefetch mode we only output requested cids, main article
 		// just gets marked as read (it already exists in client cache)

+ 2 - 2
classes/auth/base.php

@@ -21,7 +21,7 @@ class Auth_Base {
 			$user_id = $this->find_user_by_login($login);
 
 			if (!$user_id) {
-				$login = db_escape_string($login);
+				$login = db_escape_string($this->link, $login);
 				$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
 				$pwd_hash = encrypt_password($password, $salt, true);
 
@@ -42,7 +42,7 @@ class Auth_Base {
 	}
 
 	function find_user_by_login($login) {
-		$login = db_escape_string($login);
+		$login = db_escape_string($this->link, $login);
 
 		$result = db_query($this->link, "SELECT id FROM ttrss_users WHERE
 			login = '$login'");

+ 4 - 4
classes/dlg.php

@@ -5,7 +5,7 @@ class Dlg extends Handler_Protected {
 	function before($method) {
 		if (parent::before($method)) {
 			header("Content-Type: text/xml; charset=utf-8");
-			$this->param = db_escape_string($_REQUEST["param"]);
+			$this->param = db_escape_string($this->link, $_REQUEST["param"]);
 			print "<dlg>";
 			return true;
 		}
@@ -302,7 +302,7 @@ class Dlg extends Handler_Protected {
 	function feedBrowser() {
 		if (defined('_DISABLE_FEED_BROWSER') && _DISABLE_FEED_BROWSER) return;
 
-		$browser_search = db_escape_string($_REQUEST["search"]);
+		$browser_search = db_escape_string($this->link, $_REQUEST["search"]);
 
 		print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"op\" value=\"rpc\">";
 		print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"method\" value=\"updateFeedBrowser\">";
@@ -350,7 +350,7 @@ class Dlg extends Handler_Protected {
 	}
 
 	function search() {
-		$this->params = explode(":", db_escape_string($_REQUEST["param"]), 2);
+		$this->params = explode(":", db_escape_string($this->link, $_REQUEST["param"]), 2);
 
 		$active_feed_id = sprintf("%d", $this->params[0]);
 		$is_cat = $this->params[1] != "false";
@@ -550,7 +550,7 @@ class Dlg extends Handler_Protected {
 		print "<content><![CDATA[";
 
 		$this->params = explode(":", $this->param, 3);
-		$feed_id = db_escape_string($this->params[0]);
+		$feed_id = db_escape_string($this->link, $this->params[0]);
 		$is_cat = (bool) $this->params[1];
 
 		$key = get_feed_access_key($this->link, $feed_id, $is_cat);

+ 10 - 10
classes/feeds.php

@@ -202,13 +202,13 @@ class Feeds extends Handler_Protected {
 			}
 		}
 
-		@$search = db_escape_string($_REQUEST["query"]);
+		@$search = db_escape_string($this->link, $_REQUEST["query"]);
 
 		if ($search) {
 			$disable_cache = true;
 		}
 
-		@$search_mode = db_escape_string($_REQUEST["search_mode"]);
+		@$search_mode = db_escape_string($this->link, $_REQUEST["search_mode"]);
 
 		if ($_REQUEST["debug"]) $timing_info = print_checkpoint("H0", $timing_info);
 
@@ -757,17 +757,17 @@ class Feeds extends Handler_Protected {
 
 		if ($_REQUEST["debug"]) $timing_info = print_checkpoint("0", $timing_info);
 
-		$omode = db_escape_string($_REQUEST["omode"]);
+		$omode = db_escape_string($this->link, $_REQUEST["omode"]);
 
-		$feed = db_escape_string($_REQUEST["feed"]);
-		$method = db_escape_string($_REQUEST["m"]);
-		$view_mode = db_escape_string($_REQUEST["view_mode"]);
+		$feed = db_escape_string($this->link, $_REQUEST["feed"]);
+		$method = db_escape_string($this->link, $_REQUEST["m"]);
+		$view_mode = db_escape_string($this->link, $_REQUEST["view_mode"]);
 		$limit = (int) get_pref($this->link, "DEFAULT_ARTICLE_LIMIT");
 		@$cat_view = $_REQUEST["cat"] == "true";
-		@$next_unread_feed = db_escape_string($_REQUEST["nuf"]);
-		@$offset = db_escape_string($_REQUEST["skip"]);
-		@$vgroup_last_feed = db_escape_string($_REQUEST["vgrlf"]);
-		$order_by = db_escape_string($_REQUEST["order_by"]);
+		@$next_unread_feed = db_escape_string($this->link, $_REQUEST["nuf"]);
+		@$offset = db_escape_string($this->link, $_REQUEST["skip"]);
+		@$vgroup_last_feed = db_escape_string($this->link, $_REQUEST["vgrlf"]);
+		$order_by = db_escape_string($this->link, $_REQUEST["order_by"]);
 
 		if (is_numeric($feed)) $feed = (int) $feed;
 

+ 26 - 26
classes/handler/public.php

@@ -180,7 +180,7 @@ class Handler_Public extends Handler {
 	}
 
 	function getUnread() {
-		$login = db_escape_string($_REQUEST["login"]);
+		$login = db_escape_string($this->link, $_REQUEST["login"]);
 		$fresh = $_REQUEST["fresh"] == "1";
 
 		$result = db_query($this->link, "SELECT id FROM ttrss_users WHERE login = '$login'");
@@ -202,7 +202,7 @@ class Handler_Public extends Handler {
 	}
 
 	function getProfiles() {
-		$login = db_escape_string($_REQUEST["login"]);
+		$login = db_escape_string($this->link, $_REQUEST["login"]);
 
 		$result = db_query($this->link, "SELECT * FROM ttrss_settings_profiles,ttrss_users
 			WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = '$login' ORDER BY title");
@@ -222,9 +222,9 @@ class Handler_Public extends Handler {
 	}
 
 	function pubsub() {
-		$mode = db_escape_string($_REQUEST['hub_mode']);
-		$feed_id = (int) db_escape_string($_REQUEST['id']);
-		$feed_url = db_escape_string($_REQUEST['hub_topic']);
+		$mode = db_escape_string($this->link, $_REQUEST['hub_mode']);
+		$feed_id = (int) db_escape_string($this->link, $_REQUEST['id']);
+		$feed_url = db_escape_string($this->link, $_REQUEST['hub_topic']);
 
 		if (!PUBSUBHUBBUB_ENABLED) {
 			header('HTTP/1.0 404 Not Found');
@@ -285,7 +285,7 @@ class Handler_Public extends Handler {
 	}
 
 	function share() {
-		$uuid = db_escape_string($_REQUEST["key"]);
+		$uuid = db_escape_string($this->link, $_REQUEST["key"]);
 
 		$result = db_query($this->link, "SELECT ref_id, owner_uid FROM ttrss_user_entries WHERE
 			uuid = '$uuid'");
@@ -307,17 +307,17 @@ class Handler_Public extends Handler {
 	}
 
 	function rss() {
-		$feed = db_escape_string($_REQUEST["id"]);
-		$key = db_escape_string($_REQUEST["key"]);
+		$feed = db_escape_string($this->link, $_REQUEST["id"]);
+		$key = db_escape_string($this->link, $_REQUEST["key"]);
 		$is_cat = $_REQUEST["is_cat"] != false;
-		$limit = (int)db_escape_string($_REQUEST["limit"]);
-		$offset = (int)db_escape_string($_REQUEST["offset"]);
+		$limit = (int)db_escape_string($this->link, $_REQUEST["limit"]);
+		$offset = (int)db_escape_string($this->link, $_REQUEST["offset"]);
 
-		$search = db_escape_string($_REQUEST["q"]);
-		$search_mode = db_escape_string($_REQUEST["smode"]);
-		$view_mode = db_escape_string($_REQUEST["view-mode"]);
+		$search = db_escape_string($this->link, $_REQUEST["q"]);
+		$search_mode = db_escape_string($this->link, $_REQUEST["smode"]);
+		$view_mode = db_escape_string($this->link, $_REQUEST["view-mode"]);
 
-		$format = db_escape_string($_REQUEST['format']);
+		$format = db_escape_string($this->link, $_REQUEST['format']);
 
 		if (!$format) $format = 'atom';
 
@@ -371,10 +371,10 @@ class Handler_Public extends Handler {
 
 			if ($action == 'share') {
 
-				$title = db_escape_string(strip_tags($_REQUEST["title"]));
-				$url = db_escape_string(strip_tags($_REQUEST["url"]));
-				$content = db_escape_string(strip_tags($_REQUEST["content"]));
-				$labels = db_escape_string(strip_tags($_REQUEST["labels"]));
+				$title = db_escape_string($this->link, strip_tags($_REQUEST["title"]));
+				$url = db_escape_string($this->link, strip_tags($_REQUEST["url"]));
+				$content = db_escape_string($this->link, strip_tags($_REQUEST["content"]));
+				$labels = db_escape_string($this->link, strip_tags($_REQUEST["labels"]));
 
 				Article::create_published_article($this->link, $title, $url, $content, $labels,
 					$_SESSION["uid"]);
@@ -483,7 +483,7 @@ class Handler_Public extends Handler {
 
 		if (!SINGLE_USER_MODE) {
 
-			$login = db_escape_string($_POST["login"]);
+			$login = db_escape_string($this->link, $_POST["login"]);
 			$password = $_POST["password"];
 			$remember_me = $_POST["remember_me"];
 
@@ -496,7 +496,7 @@ class Handler_Public extends Handler {
 
 				if ($_POST["profile"]) {
 
-					$profile = db_escape_string($_POST["profile"]);
+					$profile = db_escape_string($this->link, $_POST["profile"]);
 
 					$result = db_query($this->link, "SELECT id FROM ttrss_settings_profiles
 						WHERE id = '$profile' AND owner_uid = " . $_SESSION["uid"]);
@@ -525,7 +525,7 @@ class Handler_Public extends Handler {
 
 		if ($_SESSION["uid"]) {
 
-			$feed_url = db_escape_string(trim($_REQUEST["feed_url"]));
+			$feed_url = db_escape_string($this->link, trim($_REQUEST["feed_url"]));
 
 			header('Content-Type: text/html; charset=utf-8');
 			print "<html>
@@ -618,14 +618,14 @@ class Handler_Public extends Handler {
 	}
 
 	function subscribe2() {
-		$feed_url = db_escape_string(trim($_REQUEST["feed_url"]));
-		$cat_id = db_escape_string($_REQUEST["cat_id"]);
-		$from = db_escape_string($_REQUEST["from"]);
+		$feed_url = db_escape_string($this->link, trim($_REQUEST["feed_url"]));
+		$cat_id = db_escape_string($this->link, $_REQUEST["cat_id"]);
+		$from = db_escape_string($this->link, $_REQUEST["from"]);
 
 		/* only read authentication information from POST */
 
-		$auth_login = db_escape_string(trim($_POST["auth_login"]));
-		$auth_pass = db_escape_string(trim($_POST["auth_pass"]));
+		$auth_login = db_escape_string($this->link, trim($_POST["auth_login"]));
+		$auth_pass = db_escape_string($this->link, trim($_POST["auth_pass"]));
 
 		$rc = subscribe_to_feed($this->link, $feed_url, $cat_id, $auth_login, $auth_pass);
 

+ 20 - 20
classes/opml.php

@@ -253,13 +253,13 @@ class Opml extends Handler_Protected {
 	private function opml_import_feed($doc, $node, $cat_id, $owner_uid) {
 		$attrs = $node->attributes;
 
-		$feed_title = db_escape_string($attrs->getNamedItem('text')->nodeValue);
-		if (!$feed_title) $feed_title = db_escape_string($attrs->getNamedItem('title')->nodeValue);
+		$feed_title = db_escape_string($this->link, $attrs->getNamedItem('text')->nodeValue);
+		if (!$feed_title) $feed_title = db_escape_string($this->link, $attrs->getNamedItem('title')->nodeValue);
 
-		$feed_url = db_escape_string($attrs->getNamedItem('xmlUrl')->nodeValue);
-		if (!$feed_url) $feed_url = db_escape_string($attrs->getNamedItem('xmlURL')->nodeValue);
+		$feed_url = db_escape_string($this->link, $attrs->getNamedItem('xmlUrl')->nodeValue);
+		if (!$feed_url) $feed_url = db_escape_string($this->link, $attrs->getNamedItem('xmlURL')->nodeValue);
 
-		$site_url = db_escape_string($attrs->getNamedItem('htmlUrl')->nodeValue);
+		$site_url = db_escape_string($this->link, $attrs->getNamedItem('htmlUrl')->nodeValue);
 
 		if ($feed_url && $feed_title) {
 			$result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE
@@ -285,11 +285,11 @@ class Opml extends Handler_Protected {
 
 	private function opml_import_label($doc, $node, $owner_uid) {
 		$attrs = $node->attributes;
-		$label_name = db_escape_string($attrs->getNamedItem('label-name')->nodeValue);
+		$label_name = db_escape_string($this->link, $attrs->getNamedItem('label-name')->nodeValue);
 
 		if ($label_name) {
-			$fg_color = db_escape_string($attrs->getNamedItem('label-fg-color')->nodeValue);
-			$bg_color = db_escape_string($attrs->getNamedItem('label-bg-color')->nodeValue);
+			$fg_color = db_escape_string($this->link, $attrs->getNamedItem('label-fg-color')->nodeValue);
+			$bg_color = db_escape_string($this->link, $attrs->getNamedItem('label-bg-color')->nodeValue);
 
 			if (!label_find_id($this->link, $label_name, $_SESSION['uid'])) {
 				$this->opml_notice(T_sprintf("Adding label %s", htmlspecialchars($label_name)));
@@ -302,10 +302,10 @@ class Opml extends Handler_Protected {
 
 	private function opml_import_preference($doc, $node, $owner_uid) {
 		$attrs = $node->attributes;
-		$pref_name = db_escape_string($attrs->getNamedItem('pref-name')->nodeValue);
+		$pref_name = db_escape_string($this->link, $attrs->getNamedItem('pref-name')->nodeValue);
 
 		if ($pref_name) {
-			$pref_value = db_escape_string($attrs->getNamedItem('value')->nodeValue);
+			$pref_value = db_escape_string($this->link, $attrs->getNamedItem('value')->nodeValue);
 
 			$this->opml_notice(T_sprintf("Setting preference key %s to %s",
 				$pref_name, $pref_value));
@@ -317,7 +317,7 @@ class Opml extends Handler_Protected {
 	private function opml_import_filter($doc, $node, $owner_uid) {
 		$attrs = $node->attributes;
 
-		$filter_type = db_escape_string($attrs->getNamedItem('filter-type')->nodeValue);
+		$filter_type = db_escape_string($this->link, $attrs->getNamedItem('filter-type')->nodeValue);
 
 		if ($filter_type == '2') {
 			$filter = json_decode($node->nodeValue, true);
@@ -344,13 +344,13 @@ class Opml extends Handler_Protected {
 
 						if (!$rule["cat_filter"]) {
 							$tmp_result = db_query($this->link, "SELECT id FROM ttrss_feeds
-								WHERE title = '".db_escape_string($rule["feed"])."' AND owner_uid = ".$_SESSION["uid"]);
+								WHERE title = '".db_escape_string($this->link, $rule["feed"])."' AND owner_uid = ".$_SESSION["uid"]);
 							if (db_num_rows($tmp_result) > 0) {
 								$feed_id = db_fetch_result($tmp_result, 0, "id");
 							}
 						} else {
 							$tmp_result = db_query($this->link, "SELECT id FROM ttrss_feed_categories
-								WHERE title = '".db_escape_string($rule["feed"])."' AND owner_uid = ".$_SESSION["uid"]);
+								WHERE title = '".db_escape_string($this->link, $rule["feed"])."' AND owner_uid = ".$_SESSION["uid"]);
 
 							if (db_num_rows($tmp_result) > 0) {
 								$cat_id = db_fetch_result($tmp_result, 0, "id");
@@ -358,7 +358,7 @@ class Opml extends Handler_Protected {
 						}
 
 						$cat_filter = bool_to_sql_bool($rule["cat_filter"]);
-						$reg_exp = db_escape_string($rule["reg_exp"]);
+						$reg_exp = db_escape_string($this->link, $rule["reg_exp"]);
 						$filter_type = (int)$rule["filter_type"];
 
 						db_query($this->link, "INSERT INTO ttrss_filters2_rules (feed_id,cat_id,filter_id,filter_type,reg_exp,cat_filter)
@@ -368,7 +368,7 @@ class Opml extends Handler_Protected {
 					foreach ($filter["actions"] as $action) {
 
 						$action_id = (int)$action["action_id"];
-						$action_param = db_escape_string($action["action_param"]);
+						$action_param = db_escape_string($this->link, $action["action_param"]);
 
 						db_query($this->link, "INSERT INTO ttrss_filters2_actions (filter_id,action_id,action_param)
 							VALUES ($filter_id, $action_id, '$action_param')");
@@ -386,10 +386,10 @@ class Opml extends Handler_Protected {
 		$default_cat_id = (int) get_feed_category($this->link, 'Imported feeds', false);
 
 		if ($root_node) {
-			$cat_title = db_escape_string($root_node->attributes->getNamedItem('text')->nodeValue);
+			$cat_title = db_escape_string($this->link, $root_node->attributes->getNamedItem('text')->nodeValue);
 
 			if (!$cat_title)
-				$cat_title = db_escape_string($root_node->attributes->getNamedItem('title')->nodeValue);
+				$cat_title = db_escape_string($this->link, $root_node->attributes->getNamedItem('title')->nodeValue);
 
 			if (!in_array($cat_title, array("tt-rss-filters", "tt-rss-labels", "tt-rss-prefs"))) {
 				$cat_id = get_feed_category($this->link, $cat_title, $parent_id);
@@ -418,12 +418,12 @@ class Opml extends Handler_Protected {
 		foreach ($outlines as $node) {
 			if ($node->hasAttributes() && strtolower($node->tagName) == "outline") {
 				$attrs = $node->attributes;
-				$node_cat_title = db_escape_string($attrs->getNamedItem('text')->nodeValue);
+				$node_cat_title = db_escape_string($this->link, $attrs->getNamedItem('text')->nodeValue);
 
 				if (!$node_cat_title)
-					$node_cat_title = db_escape_string($attrs->getNamedItem('title')->nodeValue);
+					$node_cat_title = db_escape_string($this->link, $attrs->getNamedItem('title')->nodeValue);
 
-				$node_feed_url = db_escape_string($attrs->getNamedItem('xmlUrl')->nodeValue);
+				$node_feed_url = db_escape_string($this->link, $attrs->getNamedItem('xmlUrl')->nodeValue);
 
 				if ($node_cat_title && !$node_feed_url) {
 					$this->opml_import_category($doc, $node, $owner_uid, $cat_id);

+ 3 - 3
classes/pluginhost.php

@@ -211,7 +211,7 @@ class PluginHost {
 
 	function load_data($force = false) {
 		if ($this->owner_uid && (!$_SESSION["plugin_storage"] || $force))  {
-			$plugin = db_escape_string($plugin);
+			$plugin = db_escape_string($this->link, $plugin);
 
 			$result = db_query($this->link, "SELECT name, content FROM ttrss_plugin_storage
 				WHERE owner_uid = '".$this->owner_uid."'");
@@ -226,7 +226,7 @@ class PluginHost {
 
 	private function save_data($plugin) {
 		if ($this->owner_uid) {
-			$plugin = db_escape_string($plugin);
+			$plugin = db_escape_string($this->link, $plugin);
 
 			db_query($this->link, "BEGIN");
 
@@ -236,7 +236,7 @@ class PluginHost {
 			if (!isset($this->storage[$plugin]))
 				$this->storage[$plugin] = array();
 
-			$content = db_escape_string(serialize($this->storage[$plugin]));
+			$content = db_escape_string($this->link, serialize($this->storage[$plugin]));
 
 			if (db_num_rows($result) != 0) {
 				db_query($this->link, "UPDATE ttrss_plugin_storage SET content = '$content'

+ 33 - 33
classes/pref/feeds.php

@@ -14,8 +14,8 @@ class Pref_Feeds extends Handler_Protected {
 	}
 
 	function renamecat() {
-		$title = db_escape_string($_REQUEST['title']);
-		$id = db_escape_string($_REQUEST['id']);
+		$title = db_escape_string($this->link, $_REQUEST['title']);
+		$id = db_escape_string($this->link, $_REQUEST['id']);
 
 		if ($title) {
 			db_query($this->link, "UPDATE ttrss_feed_categories SET
@@ -293,7 +293,7 @@ class Pref_Feeds extends Handler_Protected {
 		if ($item_id != 'root') {
 			if ($parent_id && $parent_id != 'root') {
 				$parent_bare_id = substr($parent_id, strpos($parent_id, ':')+1);
-				$parent_qpart = db_escape_string($parent_bare_id);
+				$parent_qpart = db_escape_string($this->link, $parent_bare_id);
 			} else {
 				$parent_qpart = 'NULL';
 			}
@@ -319,7 +319,7 @@ class Pref_Feeds extends Handler_Protected {
 					if (strpos($id, "FEED") === 0) {
 
 						$cat_id = ($item_id != "root") ?
-							db_escape_string($bare_item_id) : "NULL";
+							db_escape_string($this->link, $bare_item_id) : "NULL";
 
 						$cat_qpart = ($cat_id != 0) ? "cat_id = '$cat_id'" :
 							"cat_id = NULL";
@@ -334,7 +334,7 @@ class Pref_Feeds extends Handler_Protected {
 							$nest_level+1);
 
 						if ($item_id != 'root') {
-							$parent_qpart = db_escape_string($bare_id);
+							$parent_qpart = db_escape_string($this->link, $bare_id);
 						} else {
 							$parent_qpart = 'NULL';
 						}
@@ -424,7 +424,7 @@ class Pref_Feeds extends Handler_Protected {
 	}
 
 	function removeicon() {
-		$feed_id = db_escape_string($_REQUEST["feed_id"]);
+		$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
 
 		$result = db_query($this->link, "SELECT id FROM ttrss_feeds
 			WHERE id = '$feed_id' AND owner_uid = ". $_SESSION["uid"]);
@@ -440,7 +440,7 @@ class Pref_Feeds extends Handler_Protected {
 		header("Content-type: text/html");
 
 		$icon_file = $_FILES['icon_file']['tmp_name'];
-		$feed_id = db_escape_string($_REQUEST["feed_id"]);
+		$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
 
 		if (is_file($icon_file) && $feed_id) {
 			if (filesize($icon_file) < 20000) {
@@ -472,7 +472,7 @@ class Pref_Feeds extends Handler_Protected {
 		global $purge_intervals;
 		global $update_intervals;
 
-		$feed_id = db_escape_string($_REQUEST["id"]);
+		$feed_id = db_escape_string($this->link, $_REQUEST["id"]);
 
 		$result = db_query($this->link,
 			"SELECT * FROM ttrss_feeds WHERE id = '$feed_id' AND
@@ -708,7 +708,7 @@ class Pref_Feeds extends Handler_Protected {
 		global $purge_intervals;
 		global $update_intervals;
 
-		$feed_ids = db_escape_string($_REQUEST["ids"]);
+		$feed_ids = db_escape_string($this->link, $_REQUEST["ids"]);
 
 		print "<div class=\"dialogNotice\">" . __("Enable the options you wish to apply using checkboxes on the right:") . "</div>";
 
@@ -862,27 +862,27 @@ class Pref_Feeds extends Handler_Protected {
 
 	function editsaveops($batch) {
 
-		$feed_title = db_escape_string(trim($_POST["title"]));
-		$feed_link = db_escape_string(trim($_POST["feed_url"]));
-		$upd_intl = (int) db_escape_string($_POST["update_interval"]);
-		$purge_intl = (int) db_escape_string($_POST["purge_interval"]);
-		$feed_id = (int) db_escape_string($_POST["id"]); /* editSave */
-		$feed_ids = db_escape_string($_POST["ids"]); /* batchEditSave */
-		$cat_id = (int) db_escape_string($_POST["cat_id"]);
-		$auth_login = db_escape_string(trim($_POST["auth_login"]));
-		$auth_pass = db_escape_string(trim($_POST["auth_pass"]));
-		$private = checkbox_to_sql_bool(db_escape_string($_POST["private"]));
+		$feed_title = db_escape_string($this->link, trim($_POST["title"]));
+		$feed_link = db_escape_string($this->link, trim($_POST["feed_url"]));
+		$upd_intl = (int) db_escape_string($this->link, $_POST["update_interval"]);
+		$purge_intl = (int) db_escape_string($this->link, $_POST["purge_interval"]);
+		$feed_id = (int) db_escape_string($this->link, $_POST["id"]); /* editSave */
+		$feed_ids = db_escape_string($this->link, $_POST["ids"]); /* batchEditSave */
+		$cat_id = (int) db_escape_string($this->link, $_POST["cat_id"]);
+		$auth_login = db_escape_string($this->link, trim($_POST["auth_login"]));
+		$auth_pass = db_escape_string($this->link, trim($_POST["auth_pass"]));
+		$private = checkbox_to_sql_bool(db_escape_string($this->link, $_POST["private"]));
 		$include_in_digest = checkbox_to_sql_bool(
-			db_escape_string($_POST["include_in_digest"]));
+			db_escape_string($this->link, $_POST["include_in_digest"]));
 		$cache_images = checkbox_to_sql_bool(
-			db_escape_string($_POST["cache_images"]));
+			db_escape_string($this->link, $_POST["cache_images"]));
 		$hide_images = checkbox_to_sql_bool(
-			db_escape_string($_POST["hide_images"]));
+			db_escape_string($this->link, $_POST["hide_images"]));
 		$always_display_enclosures = checkbox_to_sql_bool(
-			db_escape_string($_POST["always_display_enclosures"]));
+			db_escape_string($this->link, $_POST["always_display_enclosures"]));
 
 		$mark_unread_on_update = checkbox_to_sql_bool(
-			db_escape_string($_POST["mark_unread_on_update"]));
+			db_escape_string($this->link, $_POST["mark_unread_on_update"]));
 
 		if (get_pref($this->link, 'ENABLE_FEED_CATS')) {
 			if ($cat_id && $cat_id != 0) {
@@ -999,7 +999,7 @@ class Pref_Feeds extends Handler_Protected {
 
 	function resetPubSub() {
 
-		$ids = db_escape_string($_REQUEST["ids"]);
+		$ids = db_escape_string($this->link, $_REQUEST["ids"]);
 
 		db_query($this->link, "UPDATE ttrss_feeds SET pubsub_state = 0 WHERE id IN ($ids)
 			AND owner_uid = " . $_SESSION["uid"]);
@@ -1009,7 +1009,7 @@ class Pref_Feeds extends Handler_Protected {
 
 	function remove() {
 
-		$ids = split(",", db_escape_string($_REQUEST["ids"]));
+		$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
 
 		foreach ($ids as $id) {
 			$this->remove_feed($this->link, $id, $_SESSION["uid"]);
@@ -1019,14 +1019,14 @@ class Pref_Feeds extends Handler_Protected {
 	}
 
 	function clear() {
-		$id = db_escape_string($_REQUEST["id"]);
+		$id = db_escape_string($this->link, $_REQUEST["id"]);
 		$this->clear_feed_articles($this->link, $id);
 	}
 
 	function rescore() {
 		require_once "rssfuncs.php";
 
-		$ids = split(",", db_escape_string($_REQUEST["ids"]));
+		$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
 
 		foreach ($ids as $id) {
 
@@ -1132,9 +1132,9 @@ class Pref_Feeds extends Handler_Protected {
 	}
 
 	function categorize() {
-		$ids = split(",", db_escape_string($_REQUEST["ids"]));
+		$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
 
-		$cat_id = db_escape_string($_REQUEST["cat_id"]);
+		$cat_id = db_escape_string($this->link, $_REQUEST["cat_id"]);
 
 		if ($cat_id == 0) {
 			$cat_id_qpart = 'NULL';
@@ -1156,14 +1156,14 @@ class Pref_Feeds extends Handler_Protected {
 	}
 
 	function removeCat() {
-		$ids = split(",", db_escape_string($_REQUEST["ids"]));
+		$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
 		foreach ($ids as $id) {
 			$this->remove_feed_category($this->link, $id, $_SESSION["uid"]);
 		}
 	}
 
 	function addCat() {
-		$feed_cat = db_escape_string(trim($_REQUEST["cat"]));
+		$feed_cat = db_escape_string($this->link, trim($_REQUEST["cat"]));
 
 		add_feed_category($this->link, $feed_cat);
 	}
@@ -1205,7 +1205,7 @@ class Pref_Feeds extends Handler_Protected {
 					__("Inactive feeds") . "</button>";
 		}
 
-		$feed_search = db_escape_string($_REQUEST["search"]);
+		$feed_search = db_escape_string($this->link, $_REQUEST["search"]);
 
 		if (array_key_exists("search", $_REQUEST)) {
 			$_SESSION["prefs_feed_search"] = $feed_search;

+ 18 - 18
classes/pref/filters.php

@@ -13,7 +13,7 @@ class Pref_Filters extends Handler_Protected {
 
 		$filter["enabled"] = true;
 		$filter["match_any_rule"] = sql_bool_to_bool(
-			checkbox_to_sql_bool(db_escape_string($_REQUEST["match_any_rule"])));
+			checkbox_to_sql_bool(db_escape_string($this->link, $_REQUEST["match_any_rule"])));
 		$filter["rules"] = array();
 
 		$result = db_query($this->link, "SELECT id,name FROM ttrss_filter_types");
@@ -168,7 +168,7 @@ class Pref_Filters extends Handler_Protected {
 
 			if ($line['action_id'] == 7) {
 				$label_result = db_query($this->link, "SELECT fg_color, bg_color
-					FROM ttrss_labels2 WHERE caption = '".db_escape_string($line['action_param'])."' AND
+					FROM ttrss_labels2 WHERE caption = '".db_escape_string($this->link, $line['action_param'])."' AND
 						owner_uid = " . $_SESSION["uid"]);
 
 				if (db_num_rows($label_result) > 0) {
@@ -207,7 +207,7 @@ class Pref_Filters extends Handler_Protected {
 
 	function edit() {
 
-		$filter_id = db_escape_string($_REQUEST["id"]);
+		$filter_id = db_escape_string($this->link, $_REQUEST["id"]);
 
 		$result = db_query($this->link,
 			"SELECT * FROM ttrss_filters2 WHERE id = '$filter_id' AND owner_uid = " . $_SESSION["uid"]);
@@ -403,9 +403,9 @@ class Pref_Filters extends Handler_Protected {
 
 #		print_r($_REQUEST);
 
-		$filter_id = db_escape_string($_REQUEST["id"]);
-		$enabled = checkbox_to_sql_bool(db_escape_string($_REQUEST["enabled"]));
-		$match_any_rule = checkbox_to_sql_bool(db_escape_string($_REQUEST["match_any_rule"]));
+		$filter_id = db_escape_string($this->link, $_REQUEST["id"]);
+		$enabled = checkbox_to_sql_bool(db_escape_string($this->link, $_REQUEST["enabled"]));
+		$match_any_rule = checkbox_to_sql_bool(db_escape_string($this->link, $_REQUEST["match_any_rule"]));
 
 		$result = db_query($this->link, "UPDATE ttrss_filters2 SET enabled = $enabled,
 		  	match_any_rule = $match_any_rule
@@ -418,7 +418,7 @@ class Pref_Filters extends Handler_Protected {
 
 	function remove() {
 
-		$ids = split(",", db_escape_string($_REQUEST["ids"]));
+		$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
 
 		foreach ($ids as $id) {
 			db_query($this->link, "DELETE FROM ttrss_filters2 WHERE id = '$id' AND owner_uid = ". $_SESSION["uid"]);
@@ -457,9 +457,9 @@ class Pref_Filters extends Handler_Protected {
 			foreach ($rules as $rule) {
 				if ($rule) {
 
-					$reg_exp = strip_tags(db_escape_string(trim($rule["reg_exp"])));
-					$filter_type = (int) db_escape_string(trim($rule["filter_type"]));
-					$feed_id = db_escape_string(trim($rule["feed_id"]));
+					$reg_exp = strip_tags(db_escape_string($this->link, trim($rule["reg_exp"])));
+					$filter_type = (int) db_escape_string($this->link, trim($rule["filter_type"]));
+					$feed_id = db_escape_string($this->link, trim($rule["feed_id"]));
 
 					if (strpos($feed_id, "CAT:") === 0) {
 
@@ -487,9 +487,9 @@ class Pref_Filters extends Handler_Protected {
 			foreach ($actions as $action) {
 				if ($action) {
 
-					$action_id = (int) db_escape_string($action["action_id"]);
-					$action_param = db_escape_string($action["action_param"]);
-					$action_param_label = db_escape_string($action["action_param_label"]);
+					$action_id = (int) db_escape_string($this->link, $action["action_id"]);
+					$action_param = db_escape_string($this->link, $action["action_param"]);
+					$action_param_label = db_escape_string($this->link, $action["action_param_label"]);
 
 					if ($action_id == 7) {
 						$action_param = $action_param_label;
@@ -541,13 +541,13 @@ class Pref_Filters extends Handler_Protected {
 
 	function index() {
 
-		$sort = db_escape_string($_REQUEST["sort"]);
+		$sort = db_escape_string($this->link, $_REQUEST["sort"]);
 
 		if (!$sort || $sort == "undefined") {
 			$sort = "reg_exp";
 		}
 
-		$filter_search = db_escape_string($_REQUEST["search"]);
+		$filter_search = db_escape_string($this->link, $_REQUEST["search"]);
 
 		if (array_key_exists("search", $_REQUEST)) {
 			$_SESSION["prefs_filter_search"] = $filter_search;
@@ -559,7 +559,7 @@ class Pref_Filters extends Handler_Protected {
 		print "<div id=\"pref-filter-header\" dojoType=\"dijit.layout.ContentPane\" region=\"top\">";
 		print "<div id=\"pref-filter-toolbar\" dojoType=\"dijit.Toolbar\">";
 
-		$filter_search = db_escape_string($_REQUEST["search"]);
+		$filter_search = db_escape_string($this->link, $_REQUEST["search"]);
 
 		if (array_key_exists("search", $_REQUEST)) {
 			$_SESSION["prefs_filter_search"] = $filter_search;
@@ -806,7 +806,7 @@ class Pref_Filters extends Handler_Protected {
 		$action = json_decode($_REQUEST["action"], true);
 
 		if ($action) {
-			$action_param = db_escape_string($action["action_param"]);
+			$action_param = db_escape_string($this->link, $action["action_param"]);
 			$action_id = (int)$action["action_id"];
 		} else {
 			$action_param = "";
@@ -914,7 +914,7 @@ class Pref_Filters extends Handler_Protected {
 	}
 
 	function join() {
-		$ids = explode(",", db_escape_string($_REQUEST["ids"]));
+		$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
 
 		if (count($ids) > 1) {
 			$base_id = array_shift($ids);

+ 17 - 17
classes/pref/labels.php

@@ -8,7 +8,7 @@ class Pref_Labels extends Handler_Protected {
 	}
 
 	function edit() {
-		$label_id = db_escape_string($_REQUEST['id']);
+		$label_id = db_escape_string($this->link, $_REQUEST['id']);
 
 		$result = db_query($this->link, "SELECT * FROM ttrss_labels2 WHERE
 			id = '$label_id' AND owner_uid = " . $_SESSION["uid"]);
@@ -118,11 +118,11 @@ class Pref_Labels extends Handler_Protected {
 	}
 
 	function colorset() {
-		$kind = db_escape_string($_REQUEST["kind"]);
-		$ids = split(',', db_escape_string($_REQUEST["ids"]));
-		$color = db_escape_string($_REQUEST["color"]);
-		$fg = db_escape_string($_REQUEST["fg"]);
-		$bg = db_escape_string($_REQUEST["bg"]);
+		$kind = db_escape_string($this->link, $_REQUEST["kind"]);
+		$ids = split(',', db_escape_string($this->link, $_REQUEST["ids"]));
+		$color = db_escape_string($this->link, $_REQUEST["color"]);
+		$fg = db_escape_string($this->link, $_REQUEST["fg"]);
+		$bg = db_escape_string($this->link, $_REQUEST["bg"]);
 
 		foreach ($ids as $id) {
 
@@ -136,7 +136,7 @@ class Pref_Labels extends Handler_Protected {
 					AND owner_uid = " . $_SESSION["uid"]);
 			}
 
-			$caption = db_escape_string(label_find_caption($this->link, $id, $_SESSION["uid"]));
+			$caption = db_escape_string($this->link, label_find_caption($this->link, $id, $_SESSION["uid"]));
 
 			/* Remove cached data */
 
@@ -149,14 +149,14 @@ class Pref_Labels extends Handler_Protected {
 	}
 
 	function colorreset() {
-		$ids = split(',', db_escape_string($_REQUEST["ids"]));
+		$ids = split(',', db_escape_string($this->link, $_REQUEST["ids"]));
 
 		foreach ($ids as $id) {
 			db_query($this->link, "UPDATE ttrss_labels2 SET
 				fg_color = '', bg_color = '' WHERE id = '$id'
 				AND owner_uid = " . $_SESSION["uid"]);
 
-			$caption = db_escape_string(label_find_caption($this->link, $id, $_SESSION["uid"]));
+			$caption = db_escape_string($this->link, label_find_caption($this->link, $id, $_SESSION["uid"]));
 
 			/* Remove cached data */
 
@@ -168,8 +168,8 @@ class Pref_Labels extends Handler_Protected {
 
 	function save() {
 
-		$id = db_escape_string($_REQUEST["id"]);
-		$caption = db_escape_string(trim($_REQUEST["caption"]));
+		$id = db_escape_string($this->link, $_REQUEST["id"]);
+		$caption = db_escape_string($this->link, trim($_REQUEST["caption"]));
 
 		db_query($this->link, "BEGIN");
 
@@ -190,7 +190,7 @@ class Pref_Labels extends Handler_Protected {
 
 					/* Update filters that reference label being renamed */
 
-					$old_caption = db_escape_string($old_caption);
+					$old_caption = db_escape_string($this->link, $old_caption);
 
 					db_query($this->link, "UPDATE ttrss_filters2_actions SET
 						action_param = '$caption' WHERE action_param = '$old_caption'
@@ -213,7 +213,7 @@ class Pref_Labels extends Handler_Protected {
 
 	function remove() {
 
-		$ids = split(",", db_escape_string($_REQUEST["ids"]));
+		$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
 
 		foreach ($ids as $id) {
 			label_remove($this->link, $id, $_SESSION["uid"]);
@@ -222,8 +222,8 @@ class Pref_Labels extends Handler_Protected {
 	}
 
 	function add() {
-		$caption = db_escape_string($_REQUEST["caption"]);
-		$output = db_escape_string($_REQUEST["output"]);
+		$caption = db_escape_string($this->link, $_REQUEST["caption"]);
+		$output = db_escape_string($this->link, $_REQUEST["output"]);
 
 		if ($caption) {
 
@@ -250,13 +250,13 @@ class Pref_Labels extends Handler_Protected {
 
 	function index() {
 
-		$sort = db_escape_string($_REQUEST["sort"]);
+		$sort = db_escape_string($this->link, $_REQUEST["sort"]);
 
 		if (!$sort || $sort == "undefined") {
 			$sort = "caption";
 		}
 
-		$label_search = db_escape_string($_REQUEST["search"]);
+		$label_search = db_escape_string($this->link, $_REQUEST["search"]);
 
 		if (array_key_exists("search", $_REQUEST)) {
 			$_SESSION["prefs_label_search"] = $label_search;

+ 8 - 8
classes/pref/prefs.php

@@ -50,8 +50,8 @@ class Pref_Prefs extends Handler_Protected {
 
 		foreach (array_keys($_POST) as $pref_name) {
 
-			$pref_name = db_escape_string($pref_name);
-			$value = db_escape_string($_POST[$pref_name]);
+			$pref_name = db_escape_string($this->link, $pref_name);
+			$value = db_escape_string($this->link, $_POST[$pref_name]);
 
 			if ($pref_name == 'DIGEST_PREFERRED_TIME') {
 				if (get_pref($this->link, 'DIGEST_PREFERRED_TIME') != $value) {
@@ -71,7 +71,7 @@ class Pref_Prefs extends Handler_Protected {
 
 	function getHelp() {
 
-		$pref_name = db_escape_string($_REQUEST["pn"]);
+		$pref_name = db_escape_string($this->link, $_REQUEST["pn"]);
 
 		$result = db_query($this->link, "SELECT help_text FROM ttrss_prefs
 			WHERE pref_name = '$pref_name'");
@@ -86,8 +86,8 @@ class Pref_Prefs extends Handler_Protected {
 
 	function changeemail() {
 
-		$email = db_escape_string($_POST["email"]);
-		$full_name = db_escape_string($_POST["full_name"]);
+		$email = db_escape_string($this->link, $_POST["email"]);
+		$full_name = db_escape_string($this->link, $_POST["full_name"]);
 
 		$active_uid = $_SESSION["uid"];
 
@@ -798,7 +798,7 @@ class Pref_Prefs extends Handler_Protected {
 	}
 
 	function otpenable() {
-		$password = db_escape_string($_REQUEST["password"]);
+		$password = db_escape_string($this->link, $_REQUEST["password"]);
 		$enable_otp = $_REQUEST["enable_otp"] == "on";
 
 		global $pluginhost;
@@ -819,7 +819,7 @@ class Pref_Prefs extends Handler_Protected {
 	}
 
 	function otpdisable() {
-		$password = db_escape_string($_REQUEST["password"]);
+		$password = db_escape_string($this->link, $_REQUEST["password"]);
 
 		global $pluginhost;
 		$authenticator = $pluginhost->get_plugin($_SESSION["auth_module"]);
@@ -846,7 +846,7 @@ class Pref_Prefs extends Handler_Protected {
 	}
 
 	function clearplugindata() {
-		$name = db_escape_string($_REQUEST["name"]);
+		$name = db_escape_string($this->link, $_REQUEST["name"]);
 
 		global $pluginhost;
 		$pluginhost->clear_data($pluginhost->get_plugin($name));

+ 10 - 10
classes/pref/users.php

@@ -116,7 +116,7 @@ class Pref_Users extends Handler_Protected {
 
 			header("Content-Type: text/xml");
 
-			$id = db_escape_string($_REQUEST["id"]);
+			$id = db_escape_string($this->link, $_REQUEST["id"]);
 
 			print "<dlg id=\"$method\">";
 			print "<title>".__('User Editor')."</title>";
@@ -199,11 +199,11 @@ class Pref_Users extends Handler_Protected {
 		}
 
 		function editSave() {
-			$login = db_escape_string(trim($_REQUEST["login"]));
-			$uid = db_escape_string($_REQUEST["id"]);
+			$login = db_escape_string($this->link, trim($_REQUEST["login"]));
+			$uid = db_escape_string($this->link, $_REQUEST["id"]);
 			$access_level = (int) $_REQUEST["access_level"];
-			$email = db_escape_string(trim($_REQUEST["email"]));
-			$password = db_escape_string(trim($_REQUEST["password"]));
+			$email = db_escape_string($this->link, trim($_REQUEST["email"]));
+			$password = db_escape_string($this->link, trim($_REQUEST["password"]));
 
 			if ($password) {
 				$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
@@ -220,7 +220,7 @@ class Pref_Users extends Handler_Protected {
 		}
 
 		function remove() {
-			$ids = split(",", db_escape_string($_REQUEST["ids"]));
+			$ids = split(",", db_escape_string($this->link, $_REQUEST["ids"]));
 
 			foreach ($ids as $id) {
 				if ($id != $_SESSION["uid"] && $id != 1) {
@@ -233,7 +233,7 @@ class Pref_Users extends Handler_Protected {
 
 		function add() {
 
-			$login = db_escape_string(trim($_REQUEST["login"]));
+			$login = db_escape_string($this->link, trim($_REQUEST["login"]));
 			$tmp_user_pwd = make_password(8);
 			$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
 			$pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
@@ -272,7 +272,7 @@ class Pref_Users extends Handler_Protected {
 
 		function resetPass() {
 
-			$uid = db_escape_string($_REQUEST["id"]);
+			$uid = db_escape_string($this->link, $_REQUEST["id"]);
 
 			$result = db_query($this->link, "SELECT login,email
 				FROM ttrss_users WHERE id = '$uid'");
@@ -353,7 +353,7 @@ class Pref_Users extends Handler_Protected {
 
 			print "<div id=\"pref-user-toolbar\" dojoType=\"dijit.Toolbar\">";
 
-			$user_search = db_escape_string($_REQUEST["search"]);
+			$user_search = db_escape_string($this->link, $_REQUEST["search"]);
 
 			if (array_key_exists("search", $_REQUEST)) {
 				$_SESSION["prefs_user_search"] = $user_search;
@@ -368,7 +368,7 @@ class Pref_Users extends Handler_Protected {
 					__('Search')."</button>
 				</div>";
 
-			$sort = db_escape_string($_REQUEST["sort"]);
+			$sort = db_escape_string($this->link, $_REQUEST["sort"]);
 
 			if (!$sort || $sort == "undefined") {
 				$sort = "login";

+ 54 - 54
classes/rpc.php

@@ -8,14 +8,14 @@ class RPC extends Handler_Protected {
 	}
 
 	function setprofile() {
-		$id = db_escape_string($_REQUEST["id"]);
+		$id = db_escape_string($this->link, $_REQUEST["id"]);
 
 		$_SESSION["profile"] = $id;
 		$_SESSION["prefs_cache"] = array();
 	}
 
 	function remprofiles() {
-		$ids = explode(",", db_escape_string(trim($_REQUEST["ids"])));
+		$ids = explode(",", db_escape_string($this->link, trim($_REQUEST["ids"])));
 
 		foreach ($ids as $id) {
 			if ($_SESSION["profile"] != $id) {
@@ -27,7 +27,7 @@ class RPC extends Handler_Protected {
 
 	// Silent
 	function addprofile() {
-		$title = db_escape_string(trim($_REQUEST["title"]));
+		$title = db_escape_string($this->link, trim($_REQUEST["title"]));
 		if ($title) {
 			db_query($this->link, "BEGIN");
 
@@ -57,8 +57,8 @@ class RPC extends Handler_Protected {
 
 	// Silent
 	function saveprofile() {
-		$id = db_escape_string($_REQUEST["id"]);
-		$title = db_escape_string(trim($_REQUEST["value"]));
+		$id = db_escape_string($this->link, $_REQUEST["id"]);
+		$title = db_escape_string($this->link, trim($_REQUEST["value"]));
 
 		if ($id == 0) {
 			print __("Default profile");
@@ -88,7 +88,7 @@ class RPC extends Handler_Protected {
 
 	// Silent
 	function remarchive() {
-		$ids = explode(",", db_escape_string($_REQUEST["ids"]));
+		$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
 
 		foreach ($ids as $id) {
 			$result = db_query($this->link, "DELETE FROM ttrss_archived_feeds WHERE
@@ -101,11 +101,11 @@ class RPC extends Handler_Protected {
 	}
 
 	function addfeed() {
-		$feed = db_escape_string($_REQUEST['feed']);
-		$cat = db_escape_string($_REQUEST['cat']);
-		$login = db_escape_string($_REQUEST['login']);
-		$pass = db_escape_string($_REQUEST['pass']);
-		$need_auth = db_escape_string($_REQUEST['need_auth']) != "";
+		$feed = db_escape_string($this->link, $_REQUEST['feed']);
+		$cat = db_escape_string($this->link, $_REQUEST['cat']);
+		$login = db_escape_string($this->link, $_REQUEST['login']);
+		$pass = db_escape_string($this->link, $_REQUEST['pass']);
+		$need_auth = db_escape_string($this->link, $_REQUEST['need_auth']) != "";
 
 		$rc = subscribe_to_feed($this->link, $feed, $cat, $login, $pass, $need_auth);
 
@@ -113,7 +113,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function togglepref() {
-		$key = db_escape_string($_REQUEST["key"]);
+		$key = db_escape_string($this->link, $_REQUEST["key"]);
 		set_pref($this->link, $key, !get_pref($this->link, $key));
 		$value = get_pref($this->link, $key);
 
@@ -132,7 +132,7 @@ class RPC extends Handler_Protected {
 
 	function mark() {
 		$mark = $_REQUEST["mark"];
-		$id = db_escape_string($_REQUEST["id"]);
+		$id = db_escape_string($this->link, $_REQUEST["id"]);
 
 		if ($mark == "1") {
 			$mark = "true";
@@ -148,7 +148,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function delete() {
-		$ids = db_escape_string($_REQUEST["ids"]);
+		$ids = db_escape_string($this->link, $_REQUEST["ids"]);
 
 		$result = db_query($this->link, "DELETE FROM ttrss_user_entries
 		WHERE ref_id IN ($ids) AND owner_uid = " . $_SESSION["uid"]);
@@ -157,7 +157,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function unarchive() {
-		$ids = db_escape_string($_REQUEST["ids"]);
+		$ids = db_escape_string($this->link, $_REQUEST["ids"]);
 
 		$result = db_query($this->link, "UPDATE ttrss_user_entries
 					SET feed_id = orig_feed_id, orig_feed_id = NULL
@@ -167,7 +167,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function archive() {
-		$ids = explode(",", db_escape_string($_REQUEST["ids"]));
+		$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
 
 		foreach ($ids as $id) {
 			$this->archive_article($this->link, $id, $_SESSION["uid"]);
@@ -210,8 +210,8 @@ class RPC extends Handler_Protected {
 
 	function publ() {
 		$pub = $_REQUEST["pub"];
-		$id = db_escape_string($_REQUEST["id"]);
-		$note = trim(strip_tags(db_escape_string($_REQUEST["note"])));
+		$id = db_escape_string($this->link, $_REQUEST["id"]);
+		$note = trim(strip_tags(db_escape_string($this->link, $_REQUEST["note"])));
 
 		if ($pub == "1") {
 			$pub = "true";
@@ -257,7 +257,7 @@ class RPC extends Handler_Protected {
 
 	/* GET["cmode"] = 0 - mark as read, 1 - as unread, 2 - toggle */
 	function catchupSelected() {
-		$ids = explode(",", db_escape_string($_REQUEST["ids"]));
+		$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
 		$cmode = sprintf("%d", $_REQUEST["cmode"]);
 
 		catchupArticlesById($this->link, $ids, $cmode);
@@ -266,7 +266,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function markSelected() {
-		$ids = explode(",", db_escape_string($_REQUEST["ids"]));
+		$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
 		$cmode = sprintf("%d", $_REQUEST["cmode"]);
 
 		$this->markArticlesById($this->link, $ids, $cmode);
@@ -275,7 +275,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function publishSelected() {
-		$ids = explode(",", db_escape_string($_REQUEST["ids"]));
+		$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
 		$cmode = sprintf("%d", $_REQUEST["cmode"]);
 
 		$this->publishArticlesById($this->link, $ids, $cmode);
@@ -301,9 +301,9 @@ class RPC extends Handler_Protected {
 
 	function setArticleTags() {
 
-		$id = db_escape_string($_REQUEST["id"]);
+		$id = db_escape_string($this->link, $_REQUEST["id"]);
 
-		$tags_str = db_escape_string($_REQUEST["tags_str"]);
+		$tags_str = db_escape_string($this->link, $_REQUEST["tags_str"]);
 		$tags = array_unique(trim_array(explode(",", $tags_str)));
 
 		db_query($this->link, "BEGIN");
@@ -373,7 +373,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function completeLabels() {
-		$search = db_escape_string($_REQUEST["search"]);
+		$search = db_escape_string($this->link, $_REQUEST["search"]);
 
 		$result = db_query($this->link, "SELECT DISTINCT caption FROM
 				ttrss_labels2
@@ -390,7 +390,7 @@ class RPC extends Handler_Protected {
 
 
 	function completeTags() {
-		$search = db_escape_string($_REQUEST["search"]);
+		$search = db_escape_string($this->link, $_REQUEST["search"]);
 
 		$result = db_query($this->link, "SELECT DISTINCT tag_name FROM ttrss_tags
 				WHERE owner_uid = '".$_SESSION["uid"]."' AND
@@ -405,7 +405,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function purge() {
-		$ids = explode(",", db_escape_string($_REQUEST["ids"]));
+		$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
 		$days = sprintf("%d", $_REQUEST["days"]);
 
 		foreach ($ids as $id) {
@@ -420,7 +420,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function getArticles() {
-		$ids = explode(",", db_escape_string($_REQUEST["ids"]));
+		$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
 		$articles = array();
 
 		foreach ($ids as $id) {
@@ -433,7 +433,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function checkDate() {
-		$date = db_escape_string($_REQUEST["date"]);
+		$date = db_escape_string($this->link, $_REQUEST["date"]);
 		$date_parsed = strtotime($date);
 
 		print json_encode(array("result" => (bool)$date_parsed,
@@ -451,10 +451,10 @@ class RPC extends Handler_Protected {
 	function labelops($assign) {
 		$reply = array();
 
-		$ids = explode(",", db_escape_string($_REQUEST["ids"]));
-		$label_id = db_escape_string($_REQUEST["lid"]);
+		$ids = explode(",", db_escape_string($this->link, $_REQUEST["ids"]));
+		$label_id = db_escape_string($this->link, $_REQUEST["lid"]);
 
-		$label = db_escape_string(label_find_caption($this->link, $label_id,
+		$label = db_escape_string($this->link, label_find_caption($this->link, $label_id,
 		$_SESSION["uid"]));
 
 		$reply["info-for-headlines"] = array();
@@ -482,9 +482,9 @@ class RPC extends Handler_Protected {
 	}
 
 	function updateFeedBrowser() {
-		$search = db_escape_string($_REQUEST["search"]);
-		$limit = db_escape_string($_REQUEST["limit"]);
-		$mode = (int) db_escape_string($_REQUEST["mode"]);
+		$search = db_escape_string($this->link, $_REQUEST["search"]);
+		$limit = db_escape_string($this->link, $_REQUEST["limit"]);
+		$mode = (int) db_escape_string($this->link, $_REQUEST["mode"]);
 
 		require_once "feedbrowser.php";
 
@@ -504,8 +504,8 @@ class RPC extends Handler_Protected {
 		if ($mode == 1) {
 			foreach ($payload as $feed) {
 
-				$title = db_escape_string($feed[0]);
-				$feed_url = db_escape_string($feed[1]);
+				$title = db_escape_string($this->link, $feed[0]);
+				$feed_url = db_escape_string($this->link, $feed[1]);
 
 				$result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE
 					feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]);
@@ -524,9 +524,9 @@ class RPC extends Handler_Protected {
 					WHERE id = '$id' AND owner_uid = " . $_SESSION["uid"]);
 
 				if (db_num_rows($result) != 0) {
-					$site_url = db_escape_string(db_fetch_result($result, 0, "site_url"));
-					$feed_url = db_escape_string(db_fetch_result($result, 0, "feed_url"));
-					$title = db_escape_string(db_fetch_result($result, 0, "title"));
+					$site_url = db_escape_string($this->link, db_fetch_result($result, 0, "site_url"));
+					$feed_url = db_escape_string($this->link, db_fetch_result($result, 0, "feed_url"));
+					$title = db_escape_string($this->link, db_fetch_result($result, 0, "title"));
 
 					$result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE
 						feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]);
@@ -543,9 +543,9 @@ class RPC extends Handler_Protected {
 	}
 
 	function catchupFeed() {
-		$feed_id = db_escape_string($_REQUEST['feed_id']);
-		$is_cat = db_escape_string($_REQUEST['is_cat']) == "true";
-		$max_id = (int) db_escape_string($_REQUEST['max_id']);
+		$feed_id = db_escape_string($this->link, $_REQUEST['feed_id']);
+		$is_cat = db_escape_string($this->link, $_REQUEST['is_cat']) == "true";
+		$max_id = (int) db_escape_string($this->link, $_REQUEST['max_id']);
 
 		catchup_feed($this->link, $feed_id, $is_cat, false, $max_id);
 
@@ -553,7 +553,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function quickAddCat() {
-		$cat = db_escape_string($_REQUEST["cat"]);
+		$cat = db_escape_string($this->link, $_REQUEST["cat"]);
 
 		add_feed_category($this->link, $cat);
 
@@ -570,8 +570,8 @@ class RPC extends Handler_Protected {
 	}
 
 	function regenFeedKey() {
-		$feed_id = db_escape_string($_REQUEST['id']);
-		$is_cat = db_escape_string($_REQUEST['is_cat']) == "true";
+		$feed_id = db_escape_string($this->link, $_REQUEST['id']);
+		$is_cat = db_escape_string($this->link, $_REQUEST['is_cat']) == "true";
 
 		$new_key = $this->update_feed_access_key($this->link, $feed_id, $is_cat);
 
@@ -619,11 +619,11 @@ class RPC extends Handler_Protected {
 	}
 
 	function batchAddFeeds() {
-		$cat_id = db_escape_string($_REQUEST['cat']);
-		$feeds = explode("\n", db_escape_string($_REQUEST['feeds']));
-		$login = db_escape_string($_REQUEST['login']);
-		$pass = db_escape_string($_REQUEST['pass']);
-		$need_auth = db_escape_string($_REQUEST['need_auth']) != "";
+		$cat_id = db_escape_string($this->link, $_REQUEST['cat']);
+		$feeds = explode("\n", db_escape_string($this->link, $_REQUEST['feeds']));
+		$login = db_escape_string($this->link, $_REQUEST['login']);
+		$pass = db_escape_string($this->link, $_REQUEST['pass']);
+		$need_auth = db_escape_string($this->link, $_REQUEST['need_auth']) != "";
 
 		foreach ($feeds as $feed) {
 			$feed = trim($feed);
@@ -656,8 +656,8 @@ class RPC extends Handler_Protected {
 	}
 
 	function setScore() {
-		$ids = db_escape_string($_REQUEST['id']);
-		$score = (int)db_escape_string($_REQUEST['score']);
+		$ids = db_escape_string($this->link, $_REQUEST['id']);
+		$score = (int)db_escape_string($this->link, $_REQUEST['score']);
 
 		db_query($this->link, "UPDATE ttrss_user_entries SET
 			score = '$score' WHERE ref_id IN ($ids) AND owner_uid = " . $_SESSION["uid"]);
@@ -756,7 +756,7 @@ class RPC extends Handler_Protected {
 			AND owner_uid = " . $owner_uid);
 
 		if (db_num_rows($result) == 1) {
-			$key = db_escape_string(sha1(uniqid(rand(), true)));
+			$key = db_escape_string($this->link, sha1(uniqid(rand(), true)));
 
 			db_query($link, "UPDATE ttrss_access_keys SET access_key = '$key'
 				WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat
@@ -830,7 +830,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function getlinkbyid() {
-		$id = db_escape_string($_REQUEST['id']);
+		$id = db_escape_string($this->link, $_REQUEST['id']);
 
 		$result = db_query($this->link, "SELECT link FROM ttrss_entries, ttrss_user_entries
 			WHERE ref_id = '$id' AND ref_id = id AND owner_uid = ". $_SESSION["uid"]);

+ 3 - 3
include/db-prefs.php

@@ -44,7 +44,7 @@
 
 	function get_pref($link, $pref_name, $user_id = false, $die_on_error = false) {
 
-		$pref_name = db_escape_string($pref_name);
+		$pref_name = db_escape_string($link, $pref_name);
 		$prefs_cache = true;
 		$profile = false;
 
@@ -115,8 +115,8 @@
 	}
 
 	function set_pref($link, $pref_name, $value, $user_id = false, $strip_tags = true) {
-		$pref_name = db_escape_string($pref_name);
-		$value = db_escape_string($value, $strip_tags);
+		$pref_name = db_escape_string($link, $pref_name);
+		$value = db_escape_string($link, $value, $strip_tags);
 
 		if (!$user_id) {
 			$user_id = $_SESSION["uid"];

+ 3 - 11
include/db.php

@@ -41,21 +41,13 @@ function db_connect($host, $user, $pass, $db) {
 	}
 }
 
-function db_escape_string($s, $strip_tags = true, $link = NULL) {
+function db_escape_string($link, $s, $strip_tags = true) {
 	if ($strip_tags) $s = strip_tags($s);
 
 	if (DB_TYPE == "pgsql") {
-		if ($link) {
-			return pg_escape_string($link, $s);
-		} else {
-			return pg_escape_string($s);
-		}
+		return pg_escape_string($link, $s);
 	} else {
-		if ($link) {
-			return mysql_real_escape_string($s, $link);
-		} else {
-			return mysql_real_escape_string($s);
-		}
+		return mysql_real_escape_string($s, $link);
 	}
 }
 

+ 9 - 9
include/functions.php

@@ -516,7 +516,7 @@
 
 	function initialize_user_prefs($link, $uid, $profile = false) {
 
-		$uid = db_escape_string($uid);
+		$uid = db_escape_string($link, $uid);
 
 		if (!$profile) {
 			$profile = "NULL";
@@ -911,7 +911,7 @@
 			}
 		}
 
-		if (db_escape_string("testTEST") != "testTEST") {
+		if (db_escape_string($link, "testTEST") != "testTEST") {
 			$error_code = 12;
 		}
 
@@ -1086,7 +1086,7 @@
 			} else { // tag
 				db_query($link, "BEGIN");
 
-				$tag_name = db_escape_string($feed);
+				$tag_name = db_escape_string($link, $feed);
 
 				$result = db_query($link, "SELECT post_int_id FROM ttrss_tags
 					WHERE tag_name = '$tag_name' AND owner_uid = $owner_uid");
@@ -1283,7 +1283,7 @@
 			return 0;
 		} else if ($feed != "0" && $n_feed == 0) {
 
-			$feed = db_escape_string($feed);
+			$feed = db_escape_string($link, $feed);
 
 			$result = db_query($link, "SELECT SUM((SELECT COUNT(int_id)
 				FROM ttrss_user_entries,ttrss_entries WHERE int_id = post_int_id
@@ -2744,7 +2744,7 @@
 
 	function get_article_tags($link, $id, $owner_uid = 0, $tag_cache = false) {
 
-		$a_id = db_escape_string($id);
+		$a_id = db_escape_string($link, $id);
 
 		if (!$owner_uid) $owner_uid = $_SESSION["uid"];
 
@@ -2779,7 +2779,7 @@
 
 			/* update the cache */
 
-			$tags_str = db_escape_string(join(",", $tags));
+			$tags_str = db_escape_string($link, join(",", $tags));
 
 			db_query($link, "UPDATE ttrss_user_entries
 				SET tag_cache = '$tags_str' WHERE ref_id = '$id'
@@ -3511,7 +3511,7 @@
 		if (db_num_rows($result) == 1) {
 			return db_fetch_result($result, 0, "access_key");
 		} else {
-			$key = db_escape_string(sha1(uniqid(rand(), true)));
+			$key = db_escape_string($link, sha1(uniqid(rand(), true)));
 
 			$result = db_query($link, "INSERT INTO ttrss_access_keys
 				(access_key, feed_id, is_cat, owner_uid)
@@ -3865,7 +3865,7 @@
 
 			if ($regexp_valid) {
 
-				$rule['reg_exp'] = db_escape_string($rule['reg_exp']);
+				$rule['reg_exp'] = db_escape_string($link, $rule['reg_exp']);
 
 				switch ($rule["type"]) {
 					case "title":
@@ -3896,7 +3896,7 @@
 				}
 
 				if (isset($rule["feed_id"]) && $rule["feed_id"] > 0) {
-					$qpart .= " AND feed_id = " . db_escape_string($rule["feed_id"]);
+					$qpart .= " AND feed_id = " . db_escape_string($link, $rule["feed_id"]);
 				}
 
 				if (isset($rule["cat_id"])) {

+ 1 - 1
include/labels.php

@@ -88,7 +88,7 @@
 		if (!$labels)
 			$labels = get_article_labels($link, $id);
 
-		$labels = db_escape_string(json_encode($labels));
+		$labels = db_escape_string($link, json_encode($labels));
 
 		db_query($link, "UPDATE ttrss_user_entries SET
 			label_cache = '$labels' WHERE ref_id = '$id' AND  owner_uid = '$owner_uid'");

+ 27 - 27
include/rssfuncs.php

@@ -18,10 +18,10 @@
 		$count = 0;
 
 		while ($line = db_fetch_assoc($result)) {
-			$subscribers = db_escape_string($line["subscribers"]);
-			$feed_url = db_escape_string($line["feed_url"]);
-			$title = db_escape_string($line["title"]);
-			$site_url = db_escape_string($line["site_url"]);
+			$subscribers = db_escape_string($link, $line["subscribers"]);
+			$feed_url = db_escape_string($link, $line["feed_url"]);
+			$title = db_escape_string($link, $line["title"]);
+			$site_url = db_escape_string($link, $line["site_url"]);
 
 			$tmp_result = db_query($link, "SELECT subscribers FROM
 				ttrss_feedbrowser_cache WHERE feed_url = '$feed_url'");
@@ -200,7 +200,7 @@
 		$cache_images = sql_bool_to_bool(db_fetch_result($result, 0, "cache_images"));
 		$fetch_url = db_fetch_result($result, 0, "feed_url");
 
-		$feed = db_escape_string($feed);
+		$feed = db_escape_string($link, $feed);
 
 		/* if ($auth_login && $auth_pass ){
 			$url_parts = array();
@@ -238,7 +238,7 @@
 				_debug("update_rss_feed: unable to fetch: $fetch_last_error");
 			}
 
-			$error_escaped = db_escape_string($fetch_last_error);
+			$error_escaped = db_escape_string($link, $fetch_last_error);
 
 			db_query($link,
 				"UPDATE ttrss_feeds SET last_error = '$error_escaped',
@@ -287,7 +287,7 @@
 
 //		print_r($rss);
 
-		$feed = db_escape_string($feed);
+		$feed = db_escape_string($link, $feed);
 
 		if (!$rss->error()) {
 
@@ -318,7 +318,7 @@
 
 			$owner_uid = db_fetch_result($result, 0, "owner_uid");
 
-			$site_url = db_escape_string(mb_substr(rewrite_relative_url($fetch_url, $rss->get_link()), 0, 245));
+			$site_url = db_escape_string($link, mb_substr(rewrite_relative_url($fetch_url, $rss->get_link()), 0, 245));
 
 			if ($debug_enabled) {
 				_debug("update_rss_feed: checking favicon...");
@@ -333,7 +333,7 @@
 
 			if (!$registered_title || $registered_title == "[Unknown]") {
 
-				$feed_title = db_escape_string($rss->get_title());
+				$feed_title = db_escape_string($link, $rss->get_title());
 
 				if ($debug_enabled) {
 					_debug("update_rss_feed: registering title: $feed_title");
@@ -475,13 +475,13 @@
 					$entry_author = $entry_author_item->get_name();
 					if (!$entry_author) $entry_author = $entry_author_item->get_email();
 
-					$entry_author = db_escape_string($entry_author);
+					$entry_author = db_escape_string($link, $entry_author);
 				}
 
-				$entry_guid = db_escape_string(mb_substr($entry_guid, 0, 245));
+				$entry_guid = db_escape_string($link, mb_substr($entry_guid, 0, 245));
 
-				$entry_comments = db_escape_string(mb_substr($entry_comments, 0, 245));
-				$entry_author = db_escape_string(mb_substr($entry_author, 0, 245));
+				$entry_comments = db_escape_string($link, mb_substr($entry_comments, 0, 245));
+				$entry_author = db_escape_string($link, mb_substr($entry_author, 0, 245));
 
 				$num_comments = $item->get_item_tags('http://purl.org/rss/1.0/modules/slash/', 'comments');
 
@@ -539,7 +539,7 @@
 
 				// FIXME not sure if owner_uid is a good idea here, we may have a base entry without user entry (?)
 				$result = db_query($link, "SELECT plugin_data,title,content,link,tag_cache,author FROM ttrss_entries, ttrss_user_entries
-					WHERE ref_id = id AND guid = '".db_escape_string($entry_guid)."' AND owner_uid = $owner_uid");
+					WHERE ref_id = id AND guid = '".db_escape_string($link, $entry_guid)."' AND owner_uid = $owner_uid");
 
 				if (db_num_rows($result) != 0) {
 					$entry_plugin_data = db_fetch_result($result, 0, "plugin_data");
@@ -568,11 +568,11 @@
 				}
 
 				$entry_tags = $article["tags"];
-				$entry_guid = db_escape_string($entry_guid);
-				$entry_title = db_escape_string($article["title"]);
-				$entry_author = db_escape_string($article["author"]);
-				$entry_link = db_escape_string($article["link"]);
-				$entry_plugin_data = db_escape_string($article["plugin_data"]);
+				$entry_guid = db_escape_string($link, $entry_guid);
+				$entry_title = db_escape_string($link, $article["title"]);
+				$entry_author = db_escape_string($link, $article["author"]);
+				$entry_link = db_escape_string($link, $article["link"]);
+				$entry_plugin_data = db_escape_string($link, $article["plugin_data"]);
 				$entry_content = $article["content"]; // escaped below
 
 
@@ -583,7 +583,7 @@
 				if ($cache_images && is_writable(CACHE_DIR . '/images'))
 					cache_images($entry_content, $site_url, $debug_enabled);
 
-				$entry_content = db_escape_string($entry_content, false);
+				$entry_content = db_escape_string($link, $entry_content, false);
 
 				$content_hash = "SHA1:" . sha1($entry_content);
 
@@ -829,7 +829,7 @@
 						$update_insignificant = false;
 					}
 
-					if (db_escape_string($orig_title) != $entry_title) {
+					if (db_escape_string($link, $orig_title) != $entry_title) {
 						$post_needs_update = true;
 						$update_insignificant = false;
 					}
@@ -896,9 +896,9 @@
 				db_query($link, "BEGIN");
 
 				foreach ($enclosures as $enc) {
-					$enc_url = db_escape_string($enc[0]);
-					$enc_type = db_escape_string($enc[1]);
-					$enc_dur = db_escape_string($enc[2]);
+					$enc_url = db_escape_string($link, $enc[0]);
+					$enc_type = db_escape_string($link, $enc[1]);
+					$enc_dur = db_escape_string($link, $enc[2]);
 
 					$result = db_query($link, "SELECT id FROM ttrss_enclosures
 						WHERE content_url = '$enc_url' AND post_id = '$entry_ref_id'");
@@ -959,7 +959,7 @@
 					foreach ($filtered_tags as $tag) {
 
 						$tag = sanitize_tag($tag);
-						$tag = db_escape_string($tag);
+						$tag = db_escape_string($link, $tag);
 
 						if (!tag_is_valid($tag)) continue;
 
@@ -981,7 +981,7 @@
 
 					$tags_to_cache = array_unique($tags_to_cache);
 
-					$tags_str = db_escape_string(join(",", $tags_to_cache));
+					$tags_str = db_escape_string($link, join(",", $tags_to_cache));
 
 					db_query($link, "UPDATE ttrss_user_entries
 						SET tag_cache = '$tags_str' WHERE ref_id = '$entry_ref_id'
@@ -1031,7 +1031,7 @@
 
 		} else {
 
-			$error_msg = db_escape_string(mb_substr($rss->error(), 0, 245));
+			$error_msg = db_escape_string($link, mb_substr($rss->error(), 0, 245));
 
 			if ($debug_enabled) {
 				_debug("update_rss_feed: error fetching feed: $error_msg");

+ 2 - 2
include/sessions.php

@@ -53,7 +53,7 @@
 
 		$expire = time() + $session_expire;
 
-		$data = db_escape_string(base64_encode($data), false, $session_connection);
+		$data = db_escape_string($session_connection, base64_encode($data), false);
 
 		if ($session_read) {
 		 	$query = "UPDATE ttrss_sessions SET data='$data',
@@ -71,7 +71,7 @@
 
 		global $session_connection;
 
-		db_close($session_connection);
+		//db_close($session_connection);
 
 		return true;
 	}

+ 1 - 1
opml.php

@@ -16,7 +16,7 @@
 	$op = $_REQUEST['op'];
 
 	if ($op == "publish"){
-		$key = db_escape_string($_REQUEST["key"]);
+		$key = db_escape_string($link, $_REQUEST["key"]);
 
 		$result = db_query($link, "SELECT owner_uid
 				FROM ttrss_access_keys WHERE

+ 4 - 4
plugins/auth_internal/init.php

@@ -22,8 +22,8 @@ class Auth_Internal extends Plugin implements IAuthModule {
 
 		$pwd_hash1 = encrypt_password($password);
 		$pwd_hash2 = encrypt_password($password, $login);
-		$login = db_escape_string($login);
-		$otp = db_escape_string($_REQUEST["otp"]);
+		$login = db_escape_string($this->link, $login);
+		$otp = db_escape_string($this->link, $_REQUEST["otp"]);
 
 		if (get_schema_version($this->link) > 96) {
 			if (!defined('AUTH_DISABLE_OTP') || !AUTH_DISABLE_OTP) {
@@ -140,7 +140,7 @@ class Auth_Internal extends Plugin implements IAuthModule {
 	}
 
 	function check_password($owner_uid, $password) {
-		$owner_uid = db_escape_string($owner_uid);
+		$owner_uid = db_escape_string($this->link, $owner_uid);
 
 		$result = db_query($this->link, "SELECT salt,login FROM ttrss_users WHERE
 			id = '$owner_uid'");
@@ -169,7 +169,7 @@ class Auth_Internal extends Plugin implements IAuthModule {
 	}
 
 	function change_password($owner_uid, $old_password, $new_password) {
-		$owner_uid = db_escape_string($owner_uid);
+		$owner_uid = db_escape_string($this->link, $owner_uid);
 
 		if ($this->check_password($owner_uid, $old_password)) {
 

+ 6 - 6
plugins/auth_remote/init.php

@@ -21,7 +21,7 @@ class Auth_Remote extends Plugin implements IAuthModule {
 	}
 
 	function get_login_by_ssl_certificate() {
-		$cert_serial = db_escape_string(get_ssl_certificate_id());
+		$cert_serial = db_escape_string($this->link, get_ssl_certificate_id());
 
 		if ($cert_serial) {
 			$result = db_query($this->link, "SELECT login FROM ttrss_user_prefs, ttrss_users
@@ -29,7 +29,7 @@ class Auth_Remote extends Plugin implements IAuthModule {
 				owner_uid = ttrss_users.id");
 
 			if (db_num_rows($result) != 0) {
-				return db_escape_string(db_fetch_result($result, 0, "login"));
+				return db_escape_string($this->link, db_fetch_result($result, 0, "login"));
 			}
 		}
 
@@ -38,10 +38,10 @@ class Auth_Remote extends Plugin implements IAuthModule {
 
 
 	function authenticate($login, $password) {
-		$try_login = db_escape_string($_SERVER["REMOTE_USER"]);
+		$try_login = db_escape_string($this->link, $_SERVER["REMOTE_USER"]);
 
 		// php-cgi
-		if (!$try_login) $try_login = db_escape_string($_SERVER["REDIRECT_REMOTE_USER"]);
+		if (!$try_login) $try_login = db_escape_string($this->link, $_SERVER["REDIRECT_REMOTE_USER"]);
 
 		if (!$try_login) $try_login = $this->get_login_by_ssl_certificate();
 #	  	if (!$try_login) $try_login = "test_qqq";
@@ -60,14 +60,14 @@ class Auth_Remote extends Plugin implements IAuthModule {
 					// update user name
 					$fullname = $_SERVER['HTTP_USER_NAME'] ? $_SERVER['HTTP_USER_NAME'] : $_SERVER['AUTHENTICATE_CN'];
 					if ($fullname){
-						$fullname = db_escape_string($fullname);
+						$fullname = db_escape_string($this->link, $fullname);
 						db_query($this->link, "UPDATE ttrss_users SET full_name = '$fullname' WHERE id = " .
 							$user_id);
 					}
 					// update user mail
 					$email = $_SERVER['HTTP_USER_MAIL'] ? $_SERVER['HTTP_USER_MAIL'] : $_SERVER['AUTHENTICATE_MAIL'];
 					if ($email){
-						$email = db_escape_string($email);
+						$email = db_escape_string($this->link, $email);
 						db_query($this->link, "UPDATE ttrss_users SET email = '$email' WHERE id = " .
 							$user_id);
 					}

+ 4 - 4
plugins/digest/init.php

@@ -47,7 +47,7 @@ class Digest extends Plugin implements IHandler {
 	}
 
 	function digestgetcontents() {
-		$article_id = db_escape_string($_REQUEST['article_id']);
+		$article_id = db_escape_string($this->link, $_REQUEST['article_id']);
 
 		$result = db_query($this->link, "SELECT content,title,link,marked,published
 			FROM ttrss_entries, ttrss_user_entries
@@ -67,9 +67,9 @@ class Digest extends Plugin implements IHandler {
 	}
 
 	function digestupdate() {
-		$feed_id = db_escape_string($_REQUEST['feed_id']);
-		$offset = db_escape_string($_REQUEST['offset']);
-		$seq = db_escape_string($_REQUEST['seq']);
+		$feed_id = db_escape_string($this->link, $_REQUEST['feed_id']);
+		$offset = db_escape_string($this->link, $_REQUEST['offset']);
+		$seq = db_escape_string($this->link, $_REQUEST['seq']);
 
 		if (!$feed_id) $feed_id = -4;
 		if (!$offset) $offset = 0;

+ 1 - 1
plugins/embed_original/init.php

@@ -36,7 +36,7 @@ class Embed_Original extends Plugin {
 	}
 
 	function getUrl() {
-		$id = db_escape_string($_REQUEST['id']);
+		$id = db_escape_string($this->link, $_REQUEST['id']);
 
 		$result = db_query($this->link, "SELECT link
 				FROM ttrss_entries, ttrss_user_entries

+ 1 - 1
plugins/example/init.php

@@ -21,7 +21,7 @@ class Example extends Plugin {
 	}
 
 	function save() {
-		$example_value = db_escape_string($_POST["example_value"]);
+		$example_value = db_escape_string($this->link, $_POST["example_value"]);
 
 		$this->host->set($this, "example", $example_value);
 

+ 1 - 1
plugins/googleplus/init.php

@@ -32,7 +32,7 @@ class GooglePlus extends Plugin {
 	}
 
 	function getInfo() {
-		$id = db_escape_string($_REQUEST['id']);
+		$id = db_escape_string($this->link, $_REQUEST['id']);
 
 		$result = db_query($this->link, "SELECT title, link
 				FROM ttrss_entries, ttrss_user_entries

+ 1 - 1
plugins/identica/init.php

@@ -32,7 +32,7 @@ class Identica extends Plugin {
 	}
 
 	function getInfo() {
-		$id = db_escape_string($_REQUEST['id']);
+		$id = db_escape_string($this->link, $_REQUEST['id']);
 
 		$result = db_query($this->link, "SELECT title, link
 				FROM ttrss_entries, ttrss_user_entries

+ 4 - 4
plugins/import_export/init.php

@@ -49,7 +49,7 @@ class Import_Export extends Plugin implements IHandler {
 	}
 
 	function save() {
-		$example_value = db_escape_string($_POST["example_value"]);
+		$example_value = db_escape_string($this->link, $_POST["example_value"]);
 
 		echo "Value set to $example_value (not really)";
 	}
@@ -122,7 +122,7 @@ class Import_Export extends Plugin implements IHandler {
 	}
 
 	function exportrun() {
-		$offset = (int) db_escape_string($_REQUEST['offset']);
+		$offset = (int) db_escape_string($this->link, $_REQUEST['offset']);
 		$exported = 0;
 		$limit = 250;
 
@@ -238,7 +238,7 @@ class Import_Export extends Plugin implements IHandler {
 
 					foreach ($article_node->childNodes as $child) {
 						if ($child->nodeName != 'label_cache')
-							$article[$child->nodeName] = db_escape_string($child->nodeValue);
+							$article[$child->nodeName] = db_escape_string($this->link, $child->nodeValue);
 						else
 							$article[$child->nodeName] = $child->nodeValue;
 					}
@@ -346,7 +346,7 @@ class Import_Export extends Plugin implements IHandler {
 								$score = (int) $article['score'];
 
 								$tag_cache = $article['tag_cache'];
-								$label_cache = db_escape_string($article['label_cache']);
+								$label_cache = db_escape_string($this->link, $article['label_cache']);
 								$note = $article['note'];
 
 								//print "Importing " . $article['title'] . "<br/>";

+ 14 - 14
plugins/instances/init.php

@@ -92,10 +92,10 @@ class Instances extends Plugin implements IHandler {
 								WHERE instance_id = '$id'");
 
 							foreach ($feeds['feeds'] as $feed) {
-								$feed_url = db_escape_string($feed['feed_url']);
-								$title = db_escape_string($feed['title']);
-								$subscribers = db_escape_string($feed['subscribers']);
-								$site_url = db_escape_string($feed['site_url']);
+								$feed_url = db_escape_string($this->link, $feed['feed_url']);
+								$title = db_escape_string($this->link, $feed['title']);
+								$subscribers = db_escape_string($this->link, $feed['subscribers']);
+								$site_url = db_escape_string($this->link, $feed['site_url']);
 
 								db_query($link, "INSERT INTO ttrss_linked_feeds
 									(feed_url, site_url, title, subscribers, instance_id, created, updated)
@@ -167,16 +167,16 @@ class Instances extends Plugin implements IHandler {
 	}
 
 	function remove() {
-		$ids = db_escape_string($_REQUEST['ids']);
+		$ids = db_escape_string($this->link, $_REQUEST['ids']);
 
 		db_query($this->link, "DELETE FROM ttrss_linked_instances WHERE
 			id IN ($ids)");
 	}
 
 	function add() {
-		$id = db_escape_string($_REQUEST["id"]);
-		$access_url = db_escape_string($_REQUEST["access_url"]);
-		$access_key = db_escape_string($_REQUEST["access_key"]);
+		$id = db_escape_string($this->link, $_REQUEST["id"]);
+		$access_url = db_escape_string($this->link, $_REQUEST["access_url"]);
+		$access_key = db_escape_string($this->link, $_REQUEST["access_key"]);
 
 		db_query($this->link, "BEGIN");
 
@@ -195,7 +195,7 @@ class Instances extends Plugin implements IHandler {
 	}
 
 	function edit() {
-		$id = db_escape_string($_REQUEST["id"]);
+		$id = db_escape_string($this->link, $_REQUEST["id"]);
 
 		$result = db_query($this->link, "SELECT * FROM ttrss_linked_instances WHERE
 			id = '$id'");
@@ -253,9 +253,9 @@ class Instances extends Plugin implements IHandler {
 	}
 
 	function editSave() {
-		$id = db_escape_string($_REQUEST["id"]);
-		$access_url = db_escape_string($_REQUEST["access_url"]);
-		$access_key = db_escape_string($_REQUEST["access_key"]);
+		$id = db_escape_string($this->link, $_REQUEST["id"]);
+		$access_url = db_escape_string($this->link, $_REQUEST["access_url"]);
+		$access_key = db_escape_string($this->link, $_REQUEST["access_key"]);
 
 		db_query($this->link, "UPDATE ttrss_linked_instances SET
 			access_key = '$access_key', access_url = '$access_url',
@@ -277,7 +277,7 @@ class Instances extends Plugin implements IHandler {
 
 		print "<div id=\"pref-instance-toolbar\" dojoType=\"dijit.Toolbar\">";
 
-		$sort = db_escape_string($_REQUEST["sort"]);
+		$sort = db_escape_string($this->link, $_REQUEST["sort"]);
 
 		if (!$sort || $sort == "undefined") {
 			$sort = "access_url";
@@ -364,7 +364,7 @@ class Instances extends Plugin implements IHandler {
 
 	function fbexport() {
 
-		$access_key = db_escape_string($_POST["key"]);
+		$access_key = db_escape_string($this->link, $_POST["key"]);
 
 		// TODO: rate limit checking using last_connected
 		$result = db_query($this->link, "SELECT id FROM ttrss_linked_instances

+ 3 - 3
plugins/mail/init.php

@@ -30,7 +30,7 @@ class Mail extends Plugin {
 
 	function emailArticle() {
 
-		$param = db_escape_string($_REQUEST['param']);
+		$param = db_escape_string($this->link, $_REQUEST['param']);
 
 		$secretkey = sha1(uniqid(rand(), true));
 
@@ -181,7 +181,7 @@ class Mail extends Plugin {
 			if (!$rc) {
 				$reply['error'] =  $mail->ErrorInfo;
 			} else {
-				save_email_address($this->link, db_escape_string($destination));
+				save_email_address($this->link, db_escape_string($this->link, $destination));
 				$reply['message'] = "UPDATE_COUNTERS";
 			}
 
@@ -193,7 +193,7 @@ class Mail extends Plugin {
 	}
 
 	function completeEmails() {
-		$search = db_escape_string($_REQUEST["search"]);
+		$search = db_escape_string($this->link, $_REQUEST["search"]);
 
 		print "<ul>";
 

+ 1 - 1
plugins/mailto/init.php

@@ -30,7 +30,7 @@ class MailTo extends Plugin {
 
 	function emailArticle() {
 
-		$param = db_escape_string($_REQUEST['param']);
+		$param = db_escape_string($this->link, $_REQUEST['param']);
 
 		require_once "lib/MiniTemplator.class.php";
 

+ 3 - 3
plugins/note/init.php

@@ -29,7 +29,7 @@ class Note extends Plugin {
 	}
 
 	function edit() {
-		$param = db_escape_string($_REQUEST['param']);
+		$param = db_escape_string($this->link, $_REQUEST['param']);
 
 		$result = db_query($this->link, "SELECT note FROM ttrss_user_entries WHERE
 			ref_id = '$param' AND owner_uid = " . $_SESSION['uid']);
@@ -58,8 +58,8 @@ class Note extends Plugin {
 	}
 
 	function setNote() {
-		$id = db_escape_string($_REQUEST["id"]);
-		$note = trim(strip_tags(db_escape_string($_REQUEST["note"])));
+		$id = db_escape_string($this->link, $_REQUEST["id"]);
+		$note = trim(strip_tags(db_escape_string($this->link, $_REQUEST["note"])));
 
 		db_query($this->link, "UPDATE ttrss_user_entries SET note = '$note'
 			WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]);

+ 1 - 1
plugins/nsfw/init.php

@@ -91,7 +91,7 @@ class NSFW extends Plugin {
 	}
 
 	function save() {
-		$tags = explode(",", db_escape_string($_POST["tags"]));
+		$tags = explode(",", db_escape_string($this->link, $_POST["tags"]));
 		$tags = array_map("trim", $tags);
 		$tags = array_map("mb_strtolower", $tags);
 		$tags = join(", ", $tags);

+ 2 - 2
plugins/owncloud/init.php

@@ -20,7 +20,7 @@ class OwnCloud extends Plugin {
   }
 
   function save() {
-    $owncloud_url = db_escape_string($_POST["owncloud_url"]);
+    $owncloud_url = db_escape_string($this->link, $_POST["owncloud_url"]);
     $this->host->set($this, "owncloud", $owncloud_url);
     echo "Value set to $owncloud_url";
   }
@@ -75,7 +75,7 @@ class OwnCloud extends Plugin {
   }
 
   function getOwnCloud() {
-    $id = db_escape_string($_REQUEST['id']);
+    $id = db_escape_string($this->link, $_REQUEST['id']);
 
     $result = db_query($this->link, "SELECT title, link
 		      FROM ttrss_entries, ttrss_user_entries

+ 1 - 1
plugins/pinterest/init.php

@@ -32,7 +32,7 @@ class Pinterest extends Plugin {
 	}
 
 	function getInfo() {
-		$id = db_escape_string($_REQUEST['id']);
+		$id = db_escape_string($this->link, $_REQUEST['id']);
 
 		$result = db_query($this->link, "SELECT title, link
 				FROM ttrss_entries, ttrss_user_entries

+ 1 - 1
plugins/pocket/init.php

@@ -33,7 +33,7 @@ class Pocket extends Plugin {
 	}
 
 	function getInfo() {
-		$id = db_escape_string($_REQUEST['id']);
+		$id = db_escape_string($this->link, $_REQUEST['id']);
 
 		$result = db_query($this->link, "SELECT title, link
 				FROM ttrss_entries, ttrss_user_entries

+ 2 - 2
plugins/share/init.php

@@ -28,7 +28,7 @@ class Share extends Plugin {
 	}
 
 	function shareArticle() {
-		$param = db_escape_string($_REQUEST['param']);
+		$param = db_escape_string($this->link, $_REQUEST['param']);
 
 		$result = db_query($this->link, "SELECT uuid, ref_id FROM ttrss_user_entries WHERE int_id = '$param'
 			AND owner_uid = " . $_SESSION['uid']);
@@ -41,7 +41,7 @@ class Share extends Plugin {
 			$ref_id = db_fetch_result($result, 0, "ref_id");
 
 			if (!$uuid) {
-				$uuid = db_escape_string(sha1(uniqid(rand(), true)));
+				$uuid = db_escape_string($this->link, sha1(uniqid(rand(), true)));
 				db_query($this->link, "UPDATE ttrss_user_entries SET uuid = '$uuid' WHERE int_id = '$param'
 					AND owner_uid = " . $_SESSION['uid']);
 			}

+ 1 - 1
plugins/tweet/init.php

@@ -32,7 +32,7 @@ class Tweet extends Plugin {
 	}
 
 	function getInfo() {
-		$id = db_escape_string($_REQUEST['id']);
+		$id = db_escape_string($this->link, $_REQUEST['id']);
 
 		$result = db_query($this->link, "SELECT title, link
 				FROM ttrss_entries, ttrss_user_entries

+ 4 - 4
register.php

@@ -74,7 +74,7 @@
 	if ($action == "check") {
 		header("Content-Type: application/xml");
 
-		$login = trim(db_escape_string($_REQUEST['login']));
+		$login = trim(db_escape_string($link, $_REQUEST['login']));
 
 		$result = db_query($link, "SELECT id FROM ttrss_users WHERE
 			LOWER(login) = LOWER('$login')");
@@ -242,9 +242,9 @@
 	<?php } else if ($action == "do_register") { ?>
 
 	<?php
-		$login = mb_strtolower(trim(db_escape_string($_REQUEST["login"])));
-		$email = trim(db_escape_string($_REQUEST["email"]));
-		$test = trim(db_escape_string($_REQUEST["turing_test"]));
+		$login = mb_strtolower(trim(db_escape_string($link, $_REQUEST["login"])));
+		$email = trim(db_escape_string($link, $_REQUEST["email"]));
+		$test = trim(db_escape_string($link, $_REQUEST["turing_test"]));
 
 		if (!$login || !$email || !$test) {
 			print_error(__("Your registration information is incomplete."));