From d3a598f589a44c62817664f20d0d548697e631c5 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Sat, 21 Jul 2018 09:07:20 -0400
Subject: [PATCH 1/3] Update DBA::escape to match dbesc()
---
src/Database/DBA.php | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/Database/DBA.php b/src/Database/DBA.php
index 8e5a621b3..87b2476d4 100644
--- a/src/Database/DBA.php
+++ b/src/Database/DBA.php
@@ -251,11 +251,15 @@ class DBA } public static function escape($str) {
- switch (self::$driver) {
- case 'pdo':
- return substr(@self::$connection->quote($str, PDO::PARAM_STR), 1, -1);
- case 'mysqli':
- return @self::$connection->real_escape_string($str);
+ if (self::$connected) {
+ switch (self::$driver) {
+ case 'pdo':
+ return substr(@self::$connection->quote($str, PDO::PARAM_STR), 1, -1);
+ case 'mysqli':
+ return @self::$connection->real_escape_string($str);
+ }
+ } else {
+ return str_replace("'", "\\'", $str); } }
From a6fb3568f989f72164b435baafc63a174397b542 Mon Sep 17 00:00:00 2001 
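Review bot: The disconnected fallback on the new `else` branch, `return str_replace("'", "\\'", $str);`, escapes only single quotes, so backslashes (and NUL, newline and double-quote bytes) in `$str` pass through unchanged and the result is not equivalent to what the `quote()`/`real_escape_string()` paths produce. If this is meant only to keep legacy `dbesc()` callers working before a connection exists, say so at the branch, e.g. `// Not connected yet: legacy dbesc() fallback, not a complete driver escape`; otherwise a stricter fallback such as `return str_replace(['\\', "'"], ['\\\\', "\\'"], $str);`, or throwing, would stop a caller from building SQL from a partially escaped value. Both driver calls are also `@`-suppressed, so a `quote()` failure (it can return `false`) is folded by `substr()` into an empty string rather than surfacing. When connected with a driver matching neither `case`, the method still falls off the end and returns `null`, which is pre-existing but worth a `// no escaping possible for unknown driver` note or an explicit throw.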
From: Hypolite Petovan
Date: Sat, 21 Jul 2018 09:10:13 -0400
Subject: [PATCH 2/3] Rename dbesc to DBA::escape
---
include/api.php | 58 ++++++++---------
include/enotify.php | 30 ++++-----
include/items.php | 2 +-
include/security.php | 8 +--
include/text.php | 22 +++----
mod/acl.php | 20 +++---
mod/admin.php | 6 +-
mod/api.php | 2 +-
mod/attach.php | 2 +-
mod/contacts.php | 10 +--
mod/crepair.php | 18 +++---
mod/delegate.php | 6 +-
mod/dfrn_confirm.php | 34 +++++-----
mod/dfrn_notify.php | 16 ++---
mod/dfrn_poll.php | 54 ++++++++--------
mod/dfrn_request.php | 32 +++++-----
mod/directory.php | 2 +-
mod/dirfind.php | 12 ++--
mod/fbrowser.php | 12 ++--
mod/follow.php | 4 +-
mod/friendica.php | 4 +-
mod/fsuggest.php | 16 ++---
mod/group.php | 2 +-
mod/invite.php | 4 +-
mod/lockview.php | 10 +--
mod/manage.php | 6 +-
mod/match.php | 4 +-
mod/message.php | 10 +--
mod/modexp.php | 2 +-
mod/msearch.php | 4 +-
mod/network.php | 20 +++---
mod/noscrape.php | 6 +-
mod/openid.php | 2 +-
mod/photo.php | 4 +-
mod/photos.php | 78 +++++++++++------------
mod/ping.php | 10 +--
mod/poco.php | 34 +++++-----
mod/profile.php | 8 +--
mod/profile_photo.php | 14 ++---
mod/profiles.php | 86 ++++++++++++-------------
mod/profperm.php | 4 +-
mod/register.php | 16 ++---
mod/regmod.php | 6 +-
mod/repair_ostatus.php | 4 +-
mod/salmon.php | 18 +++---
mod/search.php | 2 +-
mod/settings.php | 60 +++++++++---------
mod/tagger.php | 12 ++--
mod/videos.php | 11 ++--
mod/viewcontacts.php | 14 ++---
mod/wall_attach.php | 6 +-
mod/wall_upload.php | 4 +-
mod/wallmessage.php | 4 +-
src/Core/ACL.php | 2 +-
src/Core/NotificationsManager.php | 6 +-
src/Core/UserImport.php | 6 +-
src/Database/DBA.php | 4 +-
src/Database/DBStructure.php | 34 +++++-----
src/Database/PostUpdate.php | 6 +-
src/Model/Contact.php | 46 +++++++-------
src/Model/Event.php | 12 ++--
src/Model/GContact.php | 58 ++++++++---------
src/Model/Mail.php | 4 +-
src/Model/Photo.php | 8 +--
src/Model/Profile.php | 8 +--
src/Protocol/DFRN.php | 
100 +++++++++++++++---------
src/Protocol/Diaspora.php | 96 ++++++++++++++--------------
src/Protocol/OStatus.php | 6 +-
src/Protocol/PortableContact.php | 18 +++---
src/Worker/CheckVersion.php | 2 +-
src/Worker/Cron.php | 10 +--
src/Worker/CronJobs.php | 7 +--
src/Worker/DiscoverPoCo.php | 4 +-
src/Worker/GProbe.php | 4 +-
src/Worker/Notifier.php | 10 +--
src/Worker/UpdateGContact.php | 24 +++----
update.php | 12 ++--
view/theme/frio/theme.php | 8 +--
view/theme/vier/theme.php | 5 +-
79 files changed, 665 insertions(+), 670 deletions(-)
diff --git a/include/api.php b/include/api.php
index 486805f97..35e2c480c 100644
--- a/include/api.php
+++ b/include/api.php
@@ -525,7 +525,7 @@ function api_get_user(App $a, $contact_id = null) // Searching for contact URL if (!is_null($contact_id) && (intval($contact_id) == 0)) {
- $user = dbesc(normalise_link($contact_id));
+ $user = DBA::escape(normalise_link($contact_id)); $url = $user; $extra_query = "AND `contact`.`nurl` = '%s' "; if (api_user() !== false) {
@@ -535,7 +535,7 @@ function api_get_user(App $a, $contact_id = null) // Searching for contact id with uid = 0 if (!is_null($contact_id) && (intval($contact_id) != 0)) {
- $user = dbesc(api_unique_id_to_nurl(intval($contact_id)));
+ $user = DBA::escape(api_unique_id_to_nurl(intval($contact_id))); if ($user == "") { throw new BadRequestException("User ID ".$contact_id." not found.");
@@ -549,7 +549,7 @@ function api_get_user(App $a, $contact_id = null) } if (is_null($user) && x($_GET, 'user_id')) {
- $user = dbesc(api_unique_id_to_nurl($_GET['user_id']));
+ $user = DBA::escape(api_unique_id_to_nurl($_GET['user_id'])); if ($user == "") { throw new BadRequestException("User ID ".$_GET['user_id']." not found."); 
@@ -562,7 +562,7 @@ function api_get_user(App $a, $contact_id = null) } } if (is_null($user) && x($_GET, 'screen_name')) {
- $user = dbesc($_GET['screen_name']);
+ $user = DBA::escape($_GET['screen_name']); $extra_query = "AND `contact`.`nick` = '%s' "; if (api_user() !== false) { $extra_query .= "AND `contact`.`uid`=".intval(api_user());
@@ -570,7 +570,7 @@ function api_get_user(App $a, $contact_id = null) } if (is_null($user) && x($_GET, 'profileurl')) {
- $user = dbesc(normalise_link($_GET['profileurl']));
+ $user = DBA::escape(normalise_link($_GET['profileurl'])); $extra_query = "AND `contact`.`nurl` = '%s' "; if (api_user() !== false) { $extra_query .= "AND `contact`.`uid`=".intval(api_user());
@@ -584,7 +584,7 @@ function api_get_user(App $a, $contact_id = null) list($user, $null) = explode(".", $a->argv[$argid]); } if (is_numeric($user)) {
- $user = dbesc(api_unique_id_to_nurl(intval($user)));
+ $user = DBA::escape(api_unique_id_to_nurl(intval($user))); if ($user != "") { $url = $user;
@@ -594,7 +594,7 @@ function api_get_user(App $a, $contact_id = null) } } } else {
- $user = dbesc($user);
+ $user = DBA::escape($user); $extra_query = "AND `contact`.`nick` = '%s' "; if (api_user() !== false) { $extra_query .= "AND `contact`.`uid`=" . intval(api_user());
@@ -634,7 +634,7 @@ function api_get_user(App $a, $contact_id = null) $r = []; if ($url != "") {
- $r = q("SELECT * FROM `contact` WHERE `uid` = 0 AND `nurl` = '%s' LIMIT 1", dbesc(normalise_link($url)));
+ $r = q("SELECT * FROM `contact` WHERE `uid` = 0 AND `nurl` = '%s' LIMIT 1", DBA::escape(normalise_link($url))); } if (DBA::isResult($r)) { 
@@ -1437,10 +1437,10 @@ function api_users_search($type) $userlist = []; if (x($_GET, 'q')) {
- $r = q("SELECT id FROM `contact` WHERE `uid` = 0 AND `name` = '%s'", dbesc($_GET["q"]));
+ $r = q("SELECT id FROM `contact` WHERE `uid` = 0 AND `name` = '%s'", DBA::escape($_GET["q"])); if (!DBA::isResult($r)) {
- $r = q("SELECT `id` FROM `contact` WHERE `uid` = 0 AND `nick` = '%s'", dbesc($_GET["q"]));
+ $r = q("SELECT `id` FROM `contact` WHERE `uid` = 0 AND `nick` = '%s'", DBA::escape($_GET["q"])); } if (DBA::isResult($r)) {
@@ -3482,7 +3482,7 @@ function api_direct_messages_new($type) $r = q( "SELECT `id`, `nurl`, `network` FROM `contact` WHERE `uid`=%d AND `nick`='%s'", intval(api_user()),
- dbesc($_POST['screen_name'])
+ DBA::escape($_POST['screen_name']) ); if (DBA::isResult($r)) {
@@ -3579,7 +3579,7 @@ function api_direct_messages_destroy($type) } // add parent-uri to sql command if specified by calling app
- $sql_extra = ($parenturi != "" ? " AND `parent-uri` = '" . dbesc($parenturi) . "'" : "");
+ $sql_extra = ($parenturi != "" ? " AND `parent-uri` = '" . DBA::escape($parenturi) . "'" : ""); // get data of the specified message id $r = q(
@@ -3668,13 +3668,13 @@ function api_direct_messages_box($type, $box, $verbose) // filters if ($box=="sentbox") {
- $sql_extra = "`mail`.`from-url`='" . dbesc($profile_url) . "'";
+ $sql_extra = "`mail`.`from-url`='" . DBA::escape($profile_url) . "'"; } elseif ($box == "conversation") {
- $sql_extra = "`mail`.`parent-uri`='" . dbesc(defaults($_GET, 'uri', '')) . "'";
+ $sql_extra = "`mail`.`parent-uri`='" . DBA::escape(defaults($_GET, 'uri', '')) . "'"; } elseif ($box == "all") { $sql_extra = "true"; } elseif ($box == "inbox") {
- $sql_extra = "`mail`.`from-url`!='" . dbesc($profile_url) . "'";
+ $sql_extra = "`mail`.`from-url`!='" . DBA::escape($profile_url) . "'"; } if ($max_id > 0) { 
@@ -3684,7 +3684,7 @@ function api_direct_messages_box($type, $box, $verbose) if ($user_id != "") { $sql_extra .= ' AND `mail`.`contact-id` = ' . intval($user_id); } elseif ($screen_name !="") {
- $sql_extra .= " AND `contact`.`nick` = '" . dbesc($screen_name). "'";
+ $sql_extra .= " AND `contact`.`nick` = '" . DBA::escape($screen_name). "'"; } $r = q(
@@ -3847,7 +3847,7 @@ function api_fr_photoalbum_delete($type) $r = q( "SELECT DISTINCT `resource-id` FROM `photo` WHERE `uid` = %d AND `album` = '%s'", intval(api_user()),
- dbesc($album)
+ DBA::escape($album) ); if (!DBA::isResult($r)) { throw new BadRequestException("album not available");
@@ -4008,8 +4008,8 @@ function api_fr_photo_create_update($type) $r = q( "SELECT `id` FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s' AND `album` = '%s'", intval(api_user()),
- dbesc($photo_id),
- dbesc($album)
+ DBA::escape($photo_id),
+ DBA::escape($album) ); if (!DBA::isResult($r)) { throw new BadRequestException("photo not available");
@@ -4078,8 +4078,8 @@ function api_fr_photo_create_update($type) $sql_extra, DateTimeFormat::utcNow(), // update edited timestamp intval(api_user()),
- dbesc($photo_id),
- dbesc($album)
+ DBA::escape($photo_id),
+ DBA::escape($album) ); } else { $nothingtodo = true;
@@ -4132,7 +4132,7 @@ function api_fr_photo_delete($type) $r = q( "SELECT `id` FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s'", intval(api_user()),
- dbesc($photo_id)
+ DBA::escape($photo_id) ); if (!DBA::isResult($r)) { throw new BadRequestException("photo not available");
@@ -4596,7 +4596,7 @@ function prepare_photo_data($type, $scale, $photo_id) FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s' %s GROUP BY `resource-id`", $data_sql, intval(local_user()),
- dbesc($photo_id),
+ DBA::escape($photo_id), $scale_sql ); 
@@ -4850,7 +4850,7 @@ function api_get_nick($profile) $r = q( "SELECT `nick` FROM `contact` WHERE `uid` = 0 AND `nurl` = '%s'",
- dbesc(normalise_link($profile))
+ DBA::escape(normalise_link($profile)) ); if (DBA::isResult($r)) {
@@ -4860,7 +4860,7 @@ function api_get_nick($profile) if (!$nick == "") { $r = q( "SELECT `nick` FROM `contact` WHERE `uid` = 0 AND `nurl` = '%s'",
- dbesc(normalise_link($profile))
+ DBA::escape(normalise_link($profile)) ); if (DBA::isResult($r)) {
@@ -5205,7 +5205,7 @@ function api_friendica_group_delete($type) "SELECT * FROM `group` WHERE `uid` = %d AND `id` = %d AND `name` = '%s'", intval($uid), intval($gid),
- dbesc($name)
+ DBA::escape($name) ); // error message if specified gid is not in database if (!DBA::isResult($rname)) {
@@ -5290,7 +5290,7 @@ function group_create($name, $uid, $users = []) $rname = q( "SELECT * FROM `group` WHERE `uid` = %d AND `name` = '%s' AND `deleted` = 0", intval($uid),
- dbesc($name)
+ DBA::escape($name) ); // error message if specified group name already exists if (DBA::isResult($rname)) {
@@ -5301,7 +5301,7 @@ function group_create($name, $uid, $users = []) $rname = q( "SELECT * FROM `group` WHERE `uid` = %d AND `name` = '%s' AND `deleted` = 1", intval($uid),
- dbesc($name)
+ DBA::escape($name) ); // error message if specified group name already exists if (DBA::isResult($rname)) {
@@ -5728,7 +5728,7 @@ function api_friendica_direct_messages_search($type, $box = "") $r = q( "SELECT `mail`.*, `contact`.`nurl` AS `contact-url` FROM `mail`,`contact` WHERE `mail`.`contact-id` = `contact`.`id` AND `mail`.`uid`=%d AND `body` LIKE '%s' ORDER BY `mail`.`id` DESC", intval($uid),
- dbesc('%'.$searchstring.'%')
+ DBA::escape('%'.$searchstring.'%') ); $profile_url = $user_info["url"];
diff --git a/include/enotify.php b/include/enotify.php
index 4dfb53f8c..f678fa01f 100644
--- a/include/enotify.php
+++ b/include/enotify.php 
@@ -118,7 +118,7 @@ function notification($params) intval(NOTIFY_TAGSELF), intval(NOTIFY_COMMENT), intval(NOTIFY_SHARE),
- dbesc($params['link']),
+ DBA::escape($params['link']), intval($params['uid']) ); if ($p && count($p)) {
@@ -436,7 +436,7 @@ function notification($params) $dups = false; $hash = random_string(); $r = q("SELECT `id` FROM `notify` WHERE `hash` = '%s' LIMIT 1",
- dbesc($hash));
+ DBA::escape($hash)); if (DBA::isResult($r)) { $dups = true; }
@@ -469,23 +469,23 @@ function notification($params) // create notification entry in DB q("INSERT INTO `notify` (`hash`, `name`, `url`, `photo`, `date`, `uid`, `link`, `iid`, `parent`, `type`, `verb`, `otype`, `name_cache`) values('%s', '%s', '%s', '%s', '%s', %d, '%s', %d, %d, %d, '%s', '%s', '%s')",
- dbesc($datarray['hash']),
- dbesc($datarray['name']),
- dbesc($datarray['url']),
- dbesc($datarray['photo']),
- dbesc($datarray['date']),
+ DBA::escape($datarray['hash']),
+ DBA::escape($datarray['name']),
+ DBA::escape($datarray['url']),
+ DBA::escape($datarray['photo']),
+ DBA::escape($datarray['date']), intval($datarray['uid']),
- dbesc($datarray['link']),
+ DBA::escape($datarray['link']), intval($datarray['iid']), intval($datarray['parent']), intval($datarray['type']),
- dbesc($datarray['verb']),
- dbesc($datarray['otype']),
- dbesc($datarray["name_cache"])
+ DBA::escape($datarray['verb']),
+ DBA::escape($datarray['otype']),
+ DBA::escape($datarray["name_cache"]) ); $r = q("SELECT `id` FROM `notify` WHERE `hash` = '%s' AND `uid` = %d LIMIT 1",
- dbesc($hash),
+ DBA::escape($hash), intval($params['uid']) ); if ($r) {
@@ -500,7 +500,7 @@ function notification($params) $p = q("SELECT `id` FROM `notify` WHERE `type` IN (%d, %d) AND `link` = '%s' AND `uid` = %d ORDER BY `id`", intval(NOTIFY_TAGSELF), intval(NOTIFY_COMMENT),
- dbesc($params['link']),
+ DBA::escape($params['link']), intval($params['uid']) ); if ($p && (count($p) > 1)) { 
@@ -519,8 +519,8 @@ function notification($params) $msg = replace_macros($epreamble, ['$itemlink' => $itemlink]); $msg_cache = format_notification_message($datarray['name_cache'], strip_tags(BBCode::convert($msg))); q("UPDATE `notify` SET `msg` = '%s', `msg_cache` = '%s' WHERE `id` = %d AND `uid` = %d",
- dbesc($msg),
- dbesc($msg_cache),
+ DBA::escape($msg),
+ DBA::escape($msg_cache), intval($notify_id), intval($params['uid']) );
diff --git a/include/items.php b/include/items.php
index 55c69a041..5e250284c 100644
--- a/include/items.php
+++ b/include/items.php
@@ -263,7 +263,7 @@ function consume_feed($xml, $importer, $contact, &$hub, $datedir = 0, $pass = 0) FROM `contact` LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid` WHERE `contact`.`id` = %d AND `user`.`uid` = %d",
- dbesc($contact["id"]), dbesc($importer["uid"])
+ DBA::escape($contact["id"]), DBA::escape($importer["uid"]) ); if (DBA::isResult($r)) { logger("Now import the DFRN feed");
diff --git a/include/security.php b/include/security.php
index ad76509fd..cd2427911 100644
--- a/include/security.php
+++ b/include/security.php
@@ -322,9 +322,9 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) ) ", intval($remote_user),
- dbesc($gs),
+ DBA::escape($gs), intval($remote_user),
- dbesc($gs)
+ DBA::escape($gs) ); } }
@@ -385,9 +385,9 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul AND ( `item`.allow_cid REGEXP '<%d>' OR `item`.allow_gid REGEXP '%s' OR ( `item`.allow_cid = '' AND `item`.allow_gid = ''))))) ", intval($remote_user),
- dbesc($gs),
+ DBA::escape($gs), intval($remote_user),
- dbesc($gs)
+ DBA::escape($gs) ); } }
diff --git a/include/text.php b/include/text.php
index b791480d8..aee0a7034 100644
--- a/include/text.php
+++ b/include/text.php 
@@ -755,9 +755,9 @@ function contact_block() { AND NOT `pending` AND NOT `hidden` AND NOT `archive` AND `network` IN ('%s', '%s', '%s')", intval($a->profile['uid']),
- dbesc(NETWORK_DFRN),
- dbesc(NETWORK_OSTATUS),
- dbesc(NETWORK_DIASPORA)
+ DBA::escape(NETWORK_DFRN),
+ DBA::escape(NETWORK_OSTATUS),
+ DBA::escape(NETWORK_DIASPORA) ); if (DBA::isResult($r)) { $total = intval($r[0]['total']);
@@ -773,9 +773,9 @@ function contact_block() { AND `network` IN ('%s', '%s', '%s') ORDER BY RAND() LIMIT %d", intval($a->profile['uid']),
- dbesc(NETWORK_DFRN),
- dbesc(NETWORK_OSTATUS),
- dbesc(NETWORK_DIASPORA),
+ DBA::escape(NETWORK_DFRN),
+ DBA::escape(NETWORK_OSTATUS),
+ DBA::escape(NETWORK_DIASPORA), intval($shown) ); if (DBA::isResult($r)) {
@@ -784,7 +784,7 @@ function contact_block() { $contacts[] = $contact["id"]; } $r = q("SELECT `id`, `uid`, `addr`, `url`, `name`, `thumb`, `network` FROM `contact` WHERE `id` IN (%s)",
- dbesc(implode(",", $contacts)));
+ DBA::escape(implode(",", $contacts))); if (DBA::isResult($r)) { $contacts = L10n::tt('%d Contact', '%d Contacts', $total);
@@ -1467,7 +1467,7 @@ function generate_user_guid() { do { $guid = System::createGUID(32); $x = q("SELECT `uid` FROM `user` WHERE `guid` = '%s' LIMIT 1",
- dbesc($guid)
+ DBA::escape($guid) ); if (!DBA::isResult($x)) { $found = false;
@@ -1659,7 +1659,7 @@ function file_tag_file_query($table,$s,$type = 'file') { } else { $str = preg_quote('<' . str_replace('%', '%%', file_tag_encode($s)) . '>'); }
- return " AND " . (($table) ? dbesc($table) . '.' : '') . "file regexp '" . dbesc($str) . "' ";
+ return " AND " . (($table) ? DBA::escape($table) . '.' : '') . "file regexp '" . DBA::escape($str) . "' "; } // ex. given music,video return