From ea22828d371f08defb2959ab52d7b76c920c7946 Mon Sep 17 00:00:00 2001
From: Michael
Date: Sat, 28 Jan 2017 12:19:04 +0000
Subject: [PATCH] Alternate solution for pull request 3124
---
 include/dbm.php | 37 +++++++++++++++++++++++++++++++++++++
 include/dfrn.php | 4 ++--
 include/items.php | 8 ++++----
 mod/dfrn_request.php | 6 ++----
 mod/profiles.php | 8 ++++----
 5 files changed, 49 insertions(+), 14 deletions(-)
diff --git a/include/dbm.php b/include/dbm.php
index 6098dce73..00cb153fb 100644
--- a/include/dbm.php
+++ b/include/dbm.php
@@ -49,5 +49,42 @@ class dbm {
 }
 return (is_array($array) && count($array) > 0);
 }
+
+ /**
+ * @brief Callback function for "esc_array"
+ *
+ * @param mixed $value Array value
+ * @param string $key Array key
+ * @param boolean $add_quotation add quoatation marks for string values
+ */
+ private static function esc_array_callback(&$value, $key, $add_quotation) {
+
+ if (!$add_quotation) {
+ if (is_bool($value)) {
+ $value = ($value ? '1' : '0');
+ } else {
+ $value = dbesc($value);
+ }
+ return;
+ }
+
+ if (is_bool($value)) {
+ $value = ($value ? 'true' : 'false');
+ } elseif (is_numeric($value)) {
+ $value = (string)$value;
+ } else {
+ $value = "'".dbesc($value)."'";
+ }
+ }
+
+ /**
+ * @brief Escapes a whole array
+ *
+ * @param mixed $arr Array with values to be escaped
+ * @param boolean $add_quotation add quoatation marks for string values
+ */
+ public static function esc_array(&$arr, $add_quotation = false) {
+ array_walk($arr, 'self::esc_array_callback', $add_quotation);
+ }
 }
 ?>
diff --git a/include/dfrn.php b/include/dfrn.php
index e9bdaec66..702fbb15f 100644
--- a/include/dfrn.php
+++ b/include/dfrn.php
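Review bot: In the quoted branch of esc_array_callback, `is_numeric($value)` decides on the string's content rather than on its PHP type, so a string value that merely looks numeric — a nick or name such as "007", "1e3" or "1.10" — is emitted unquoted and MySQL stores it as a number, dropping leading zeros and normalising exponent forms even in VARCHAR columns. This is a data-integrity problem rather than an injection one, since is_numeric only admits digits, sign, decimal point, exponent and optional whitespace, but it silently rewrites strings that arrive from remote peers. Deciding by type keeps real ints and floats bare and quotes every string: `} elseif (is_int($value) || is_float($value)) {`. The docblock of esc_array also declares `$arr` as mixed while array_walk accepts only an array and otherwise just emits a warning; either document that callers must pass an array or check `is_array($arr)` before walking it. The class header is outside the hunk.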
@@ -1421,9 +1421,9 @@ class dfrn {
 $msg["seen"] = 0;
 $msg["replied"] = 0;
- dbesc_array($msg);
+ dbm::esc_array($msg, true);
- $r = dbq("INSERT INTO `mail` (`".implode("`, `", array_keys($msg))."`) VALUES ('".implode("', '", array_values($msg))."')");
+ $r = dbq("INSERT INTO `mail` (`".implode("`, `", array_keys($msg))."`) VALUES (".implode(", ", array_values($msg)).")");
 // send notifications.
diff --git a/include/items.php b/include/items.php
index fa4f3290b..2b6fb9a1f 100644
--- a/include/items.php
+++ b/include/items.php
@@ -820,7 +820,7 @@ function item_store($arr,$force_parent = false, $notify = false, $dontcache = fa
 // Store the unescaped version
 $unescaped = $arr;
- dbesc_array($arr);
+ dbm::esc_array($arr, true);
 logger('item_store: ' . print_r($arr,true), LOGGER_DATA);
@@ -829,9 +829,9 @@ function item_store($arr,$force_parent = false, $notify = false, $dontcache = fa
 $r = dbq("INSERT INTO `item` (`"
 . implode("`, `", array_keys($arr))
- . "`) VALUES ('"
- . implode("', '", array_values($arr))
- . "')");
+ . "`) VALUES ("
+ . implode(", ", array_values($arr))
+ . ")");
 // And restore it
 $arr = $unescaped;
diff --git a/mod/dfrn_request.php b/mod/dfrn_request.php
index 9e5f022d1..6480f2c75 100644
--- a/mod/dfrn_request.php
+++ b/mod/dfrn_request.php
@@ -145,9 +145,7 @@ function dfrn_request_post(App $a) {
 $photo = $parms["photo"];
 // Escape the entire array
-
- dbesc_array($parms);
-
+ dbm::esc_array($parms);
 /*
 * Create a contact record on our site for the other person
@@ -547,7 +545,7 @@ function dfrn_request_post(App $a) {
 $parms['issued-id'] = $issued_id;
 $photo = $parms["photo"];
- dbesc_array($parms);
+ dbm::esc_array($parms);
 $r = q("INSERT INTO `contact` ( `uid`, `created`, `url`, `nurl`, `addr`, `name`, `nick`, `issued-id`, `photo`, `site-pubkey`, `request`, `confirm`, `notify`, `poll`, `poco`, `network`, `blocked`, `pending` ) VALUES ( %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d )",
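Review bot: The rewritten `$r = dbq(...)` INSERT now interpolates `array_values($msg)` with no quoting of its own, so it is safe only while every element of `$msg` has gone through `dbm::esc_array($msg, true)` on the line above and nothing is assigned into `$msg` in between; that contract is stated nowhere in the hunk, and a future edit that adds a raw value after the escape call would interpolate it verbatim. A comment above the call, `// esc_array(..., true) quotes and escapes every value; the INSERT below relies on it, so do not add to $msg after this point`, makes the coupling explicit. The same note applies to the two item_store hunks in include/items.php and the profile INSERT in mod/profiles.php, which follow the identical pattern. The enclosing method continues outside the hunk.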
diff --git a/mod/profiles.php b/mod/profiles.php
index d8475eecc..4c6ff926b 100644
--- a/mod/profiles.php
+++ b/mod/profiles.php
@@ -103,13 +103,13 @@ function profiles_init(App $a) {
 $r1[0]['net-publish'] = 0;
 $r1[0]['profile-name'] = dbesc($name);
- dbesc_array($r1[0]);
+ dbm::esc_array($r1[0], true);
 $r2 = dbq("INSERT INTO `profile` (`"
 . implode("`, `", array_keys($r1[0]))
- . "`) VALUES ('"
- . implode("', '", array_values($r1[0]))
- . "')" );
+ . "`) VALUES ("
+ . implode(", ", array_values($r1[0]))
+ . ")" );
 $r3 = q("SELECT `id` FROM `profile` WHERE `uid` = %d AND `profile-name` = '%s' LIMIT 1",
 intval(local_user()),
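Review bot: The context line `$r1[0]['profile-name'] = dbesc($name);` is escaped a second time by the new `dbm::esc_array($r1[0], true)` call two lines below, so a profile name containing a quote or backslash is stored with the escape backslash doubled (the replaced dbesc_array call had the same effect, which this commit carries over rather than fixes; this assumes dbesc is the driver's escape wrapper, as its use elsewhere in the patch suggests). Assigning the raw value, `$r1[0]['profile-name'] = $name;`, lets esc_array escape and quote it once like every other column. The `$r3 = q(...)` statement continues outside the hunk, so whether its own `'%s'` argument escapes `$name` separately cannot be checked here.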