
Rename dbesc to DBA::escape

pull/5439/head
Hypolite Petovan 2 years ago
committed by Hypolite Petovan
parent
commit
a6fb3568f9
79 changed files with 665 additions and 670 deletions
  1. +29
    -29
      include/api.php
  2. +15
    -15
      include/enotify.php
  3. +1
    -1
      include/items.php
  4. +4
    -4
      include/security.php
  5. +11
    -11
      include/text.php
  6. +10
    -10
      mod/acl.php
  7. +3
    -3
      mod/admin.php
  8. +1
    -1
      mod/api.php
  9. +1
    -1
      mod/attach.php
  10. +5
    -5
      mod/contacts.php
  11. +9
    -9
      mod/crepair.php
  12. +3
    -3
      mod/delegate.php
  13. +17
    -17
      mod/dfrn_confirm.php
  14. +8
    -8
      mod/dfrn_notify.php
  15. +27
    -27
      mod/dfrn_poll.php
  16. +16
    -16
      mod/dfrn_request.php
  17. +1
    -1
      mod/directory.php
  18. +6
    -6
      mod/dirfind.php
  19. +6
    -6
      mod/fbrowser.php
  20. +2
    -2
      mod/follow.php
  21. +2
    -2
      mod/friendica.php
  22. +8
    -8
      mod/fsuggest.php
  23. +1
    -1
      mod/group.php
  24. +2
    -2
      mod/invite.php
  25. +5
    -5
      mod/lockview.php
  26. +3
    -3
      mod/manage.php
  27. +2
    -2
      mod/match.php
  28. +5
    -5
      mod/message.php
  29. +1
    -1
      mod/modexp.php
  30. +2
    -2
      mod/msearch.php
  31. +10
    -10
      mod/network.php
  32. +3
    -3
      mod/noscrape.php
  33. +1
    -1
      mod/openid.php
  34. +2
    -2
      mod/photo.php
  35. +39
    -39
      mod/photos.php
  36. +5
    -5
      mod/ping.php
  37. +17
    -17
      mod/poco.php
  38. +4
    -4
      mod/profile.php
  39. +7
    -7
      mod/profile_photo.php
  40. +43
    -43
      mod/profiles.php
  41. +2
    -2
      mod/profperm.php
  42. +8
    -8
      mod/register.php
  43. +3
    -3
      mod/regmod.php
  44. +2
    -2
      mod/repair_ostatus.php
  45. +9
    -9
      mod/salmon.php
  46. +1
    -1
      mod/search.php
  47. +30
    -30
      mod/settings.php
  48. +6
    -6
      mod/tagger.php
  49. +4
    -7
      mod/videos.php
  50. +7
    -7
      mod/viewcontacts.php
  51. +3
    -3
      mod/wall_attach.php
  52. +2
    -2
      mod/wall_upload.php
  53. +2
    -2
      mod/wallmessage.php
  54. +1
    -1
      src/Core/ACL.php
  55. +3
    -3
      src/Core/NotificationsManager.php
  56. +3
    -3
      src/Core/UserImport.php
  57. +2
    -2
      src/Database/DBA.php
  58. +17
    -17
      src/Database/DBStructure.php
  59. +3
    -3
      src/Database/PostUpdate.php
  60. +23
    -23
      src/Model/Contact.php
  61. +6
    -6
      src/Model/Event.php
  62. +29
    -29
      src/Model/GContact.php
  63. +2
    -2
      src/Model/Mail.php
  64. +4
    -4
      src/Model/Photo.php
  65. +4
    -4
      src/Model/Profile.php
  66. +50
    -50
      src/Protocol/DFRN.php
  67. +48
    -48
      src/Protocol/Diaspora.php
  68. +3
    -3
      src/Protocol/OStatus.php
  69. +9
    -9
      src/Protocol/PortableContact.php
  70. +1
    -1
      src/Worker/CheckVersion.php
  71. +5
    -5
      src/Worker/Cron.php
  72. +3
    -4
      src/Worker/CronJobs.php
  73. +2
    -2
      src/Worker/DiscoverPoCo.php
  74. +2
    -2
      src/Worker/GProbe.php
  75. +5
    -5
      src/Worker/Notifier.php
  76. +12
    -12
      src/Worker/UpdateGContact.php
  77. +6
    -6
      update.php
  78. +4
    -4
      view/theme/frio/theme.php
  79. +2
    -3
      view/theme/vier/theme.php

+ 29
- 29
include/api.php View File

@ -525,7 +525,7 @@ function api_get_user(App $a, $contact_id = null)
// Searching for contact URL
if (!is_null($contact_id) && (intval($contact_id) == 0)) {
$user = dbesc(normalise_link($contact_id));
$user = DBA::escape(normalise_link($contact_id));
$url = $user;
$extra_query = "AND `contact`.`nurl` = '%s' ";
if (api_user() !== false) {
@ -535,7 +535,7 @@ function api_get_user(App $a, $contact_id = null)
// Searching for contact id with uid = 0
if (!is_null($contact_id) && (intval($contact_id) != 0)) {
$user = dbesc(api_unique_id_to_nurl(intval($contact_id)));
$user = DBA::escape(api_unique_id_to_nurl(intval($contact_id)));
if ($user == "") {
throw new BadRequestException("User ID ".$contact_id." not found.");
@ -549,7 +549,7 @@ function api_get_user(App $a, $contact_id = null)
}
if (is_null($user) && x($_GET, 'user_id')) {
$user = dbesc(api_unique_id_to_nurl($_GET['user_id']));
$user = DBA::escape(api_unique_id_to_nurl($_GET['user_id']));
if ($user == "") {
throw new BadRequestException("User ID ".$_GET['user_id']." not found.");
@ -562,7 +562,7 @@ function api_get_user(App $a, $contact_id = null)
}
}
if (is_null($user) && x($_GET, 'screen_name')) {
$user = dbesc($_GET['screen_name']);
$user = DBA::escape($_GET['screen_name']);
$extra_query = "AND `contact`.`nick` = '%s' ";
if (api_user() !== false) {
$extra_query .= "AND `contact`.`uid`=".intval(api_user());
@ -570,7 +570,7 @@ function api_get_user(App $a, $contact_id = null)
}
if (is_null($user) && x($_GET, 'profileurl')) {
$user = dbesc(normalise_link($_GET['profileurl']));
$user = DBA::escape(normalise_link($_GET['profileurl']));
$extra_query = "AND `contact`.`nurl` = '%s' ";
if (api_user() !== false) {
$extra_query .= "AND `contact`.`uid`=".intval(api_user());
@ -584,7 +584,7 @@ function api_get_user(App $a, $contact_id = null)
list($user, $null) = explode(".", $a->argv[$argid]);
}
if (is_numeric($user)) {
$user = dbesc(api_unique_id_to_nurl(intval($user)));
$user = DBA::escape(api_unique_id_to_nurl(intval($user)));
if ($user != "") {
$url = $user;
@ -594,7 +594,7 @@ function api_get_user(App $a, $contact_id = null)
}
}
} else {
$user = dbesc($user);
$user = DBA::escape($user);
$extra_query = "AND `contact`.`nick` = '%s' ";
if (api_user() !== false) {
$extra_query .= "AND `contact`.`uid`=" . intval(api_user());
@ -634,7 +634,7 @@ function api_get_user(App $a, $contact_id = null)
$r = [];
if ($url != "") {
$r = q("SELECT * FROM `contact` WHERE `uid` = 0 AND `nurl` = '%s' LIMIT 1", dbesc(normalise_link($url)));
$r = q("SELECT * FROM `contact` WHERE `uid` = 0 AND `nurl` = '%s' LIMIT 1", DBA::escape(normalise_link($url)));
}
if (DBA::isResult($r)) {
@ -1437,10 +1437,10 @@ function api_users_search($type)
$userlist = [];
if (x($_GET, 'q')) {
$r = q("SELECT id FROM `contact` WHERE `uid` = 0 AND `name` = '%s'", dbesc($_GET["q"]));
$r = q("SELECT id FROM `contact` WHERE `uid` = 0 AND `name` = '%s'", DBA::escape($_GET["q"]));
if (!DBA::isResult($r)) {
$r = q("SELECT `id` FROM `contact` WHERE `uid` = 0 AND `nick` = '%s'", dbesc($_GET["q"]));
$r = q("SELECT `id` FROM `contact` WHERE `uid` = 0 AND `nick` = '%s'", DBA::escape($_GET["q"]));
}
if (DBA::isResult($r)) {
@ -3482,7 +3482,7 @@ function api_direct_messages_new($type)
$r = q(
"SELECT `id`, `nurl`, `network` FROM `contact` WHERE `uid`=%d AND `nick`='%s'",
intval(api_user()),
dbesc($_POST['screen_name'])
DBA::escape($_POST['screen_name'])
);
if (DBA::isResult($r)) {
@ -3579,7 +3579,7 @@ function api_direct_messages_destroy($type)
}
// add parent-uri to sql command if specified by calling app
$sql_extra = ($parenturi != "" ? " AND `parent-uri` = '" . dbesc($parenturi) . "'" : "");
$sql_extra = ($parenturi != "" ? " AND `parent-uri` = '" . DBA::escape($parenturi) . "'" : "");
// get data of the specified message id
$r = q(
@ -3668,13 +3668,13 @@ function api_direct_messages_box($type, $box, $verbose)
// filters
if ($box=="sentbox") {
$sql_extra = "`mail`.`from-url`='" . dbesc($profile_url) . "'";
$sql_extra = "`mail`.`from-url`='" . DBA::escape($profile_url) . "'";
} elseif ($box == "conversation") {
$sql_extra = "`mail`.`parent-uri`='" . dbesc(defaults($_GET, 'uri', '')) . "'";
$sql_extra = "`mail`.`parent-uri`='" . DBA::escape(defaults($_GET, 'uri', '')) . "'";
} elseif ($box == "all") {
$sql_extra = "true";
} elseif ($box == "inbox") {
$sql_extra = "`mail`.`from-url`!='" . dbesc($profile_url) . "'";
$sql_extra = "`mail`.`from-url`!='" . DBA::escape($profile_url) . "'";
}
if ($max_id > 0) {
@ -3684,7 +3684,7 @@ function api_direct_messages_box($type, $box, $verbose)
if ($user_id != "") {
$sql_extra .= ' AND `mail`.`contact-id` = ' . intval($user_id);
} elseif ($screen_name !="") {
$sql_extra .= " AND `contact`.`nick` = '" . dbesc($screen_name). "'";
$sql_extra .= " AND `contact`.`nick` = '" . DBA::escape($screen_name). "'";
}
$r = q(
@ -3847,7 +3847,7 @@ function api_fr_photoalbum_delete($type)
$r = q(
"SELECT DISTINCT `resource-id` FROM `photo` WHERE `uid` = %d AND `album` = '%s'",
intval(api_user()),
dbesc($album)
DBA::escape($album)
);
if (!DBA::isResult($r)) {
throw new BadRequestException("album not available");
@ -4008,8 +4008,8 @@ function api_fr_photo_create_update($type)
$r = q(
"SELECT `id` FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s' AND `album` = '%s'",
intval(api_user()),
dbesc($photo_id),
dbesc($album)
DBA::escape($photo_id),
DBA::escape($album)
);
if (!DBA::isResult($r)) {
throw new BadRequestException("photo not available");
@ -4078,8 +4078,8 @@ function api_fr_photo_create_update($type)
$sql_extra,
DateTimeFormat::utcNow(), // update edited timestamp
intval(api_user()),
dbesc($photo_id),
dbesc($album)
DBA::escape($photo_id),
DBA::escape($album)
);
} else {
$nothingtodo = true;
@ -4132,7 +4132,7 @@ function api_fr_photo_delete($type)
$r = q(
"SELECT `id` FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s'",
intval(api_user()),
dbesc($photo_id)
DBA::escape($photo_id)
);
if (!DBA::isResult($r)) {
throw new BadRequestException("photo not available");
@ -4596,7 +4596,7 @@ function prepare_photo_data($type, $scale, $photo_id)
FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s' %s GROUP BY `resource-id`",
$data_sql,
intval(local_user()),
dbesc($photo_id),
DBA::escape($photo_id),
$scale_sql
);
@ -4850,7 +4850,7 @@ function api_get_nick($profile)
$r = q(
"SELECT `nick` FROM `contact` WHERE `uid` = 0 AND `nurl` = '%s'",
dbesc(normalise_link($profile))
DBA::escape(normalise_link($profile))
);
if (DBA::isResult($r)) {
@ -4860,7 +4860,7 @@ function api_get_nick($profile)
if (!$nick == "") {
$r = q(
"SELECT `nick` FROM `contact` WHERE `uid` = 0 AND `nurl` = '%s'",
dbesc(normalise_link($profile))
DBA::escape(normalise_link($profile))
);
if (DBA::isResult($r)) {
@ -5205,7 +5205,7 @@ function api_friendica_group_delete($type)
"SELECT * FROM `group` WHERE `uid` = %d AND `id` = %d AND `name` = '%s'",
intval($uid),
intval($gid),
dbesc($name)
DBA::escape($name)
);
// error message if specified gid is not in database
if (!DBA::isResult($rname)) {
@ -5290,7 +5290,7 @@ function group_create($name, $uid, $users = [])
$rname = q(
"SELECT * FROM `group` WHERE `uid` = %d AND `name` = '%s' AND `deleted` = 0",
intval($uid),
dbesc($name)
DBA::escape($name)
);
// error message if specified group name already exists
if (DBA::isResult($rname)) {
@ -5301,7 +5301,7 @@ function group_create($name, $uid, $users = [])
$rname = q(
"SELECT * FROM `group` WHERE `uid` = %d AND `name` = '%s' AND `deleted` = 1",
intval($uid),
dbesc($name)
DBA::escape($name)
);
// error message if specified group name already exists
if (DBA::isResult($rname)) {
@ -5728,7 +5728,7 @@ function api_friendica_direct_messages_search($type, $box = "")
$r = q(
"SELECT `mail`.*, `contact`.`nurl` AS `contact-url` FROM `mail`,`contact` WHERE `mail`.`contact-id` = `contact`.`id` AND `mail`.`uid`=%d AND `body` LIKE '%s' ORDER BY `mail`.`id` DESC",
intval($uid),
dbesc('%'.$searchstring.'%')
DBA::escape('%'.$searchstring.'%')
);
$profile_url = $user_info["url"];

+ 15
- 15
include/enotify.php View File

@ -118,7 +118,7 @@ function notification($params)
intval(NOTIFY_TAGSELF),
intval(NOTIFY_COMMENT),
intval(NOTIFY_SHARE),
dbesc($params['link']),
DBA::escape($params['link']),
intval($params['uid'])
);
if ($p && count($p)) {
@ -436,7 +436,7 @@ function notification($params)
$dups = false;
$hash = random_string();
$r = q("SELECT `id` FROM `notify` WHERE `hash` = '%s' LIMIT 1",
dbesc($hash));
DBA::escape($hash));
if (DBA::isResult($r)) {
$dups = true;
}
@ -469,23 +469,23 @@ function notification($params)
// create notification entry in DB
q("INSERT INTO `notify` (`hash`, `name`, `url`, `photo`, `date`, `uid`, `link`, `iid`, `parent`, `type`, `verb`, `otype`, `name_cache`)
values('%s', '%s', '%s', '%s', '%s', %d, '%s', %d, %d, %d, '%s', '%s', '%s')",
dbesc($datarray['hash']),
dbesc($datarray['name']),
dbesc($datarray['url']),
dbesc($datarray['photo']),
dbesc($datarray['date']),
DBA::escape($datarray['hash']),
DBA::escape($datarray['name']),
DBA::escape($datarray['url']),
DBA::escape($datarray['photo']),
DBA::escape($datarray['date']),
intval($datarray['uid']),
dbesc($datarray['link']),
DBA::escape($datarray['link']),
intval($datarray['iid']),
intval($datarray['parent']),
intval($datarray['type']),
dbesc($datarray['verb']),
dbesc($datarray['otype']),
dbesc($datarray["name_cache"])
DBA::escape($datarray['verb']),
DBA::escape($datarray['otype']),
DBA::escape($datarray["name_cache"])
);
$r = q("SELECT `id` FROM `notify` WHERE `hash` = '%s' AND `uid` = %d LIMIT 1",
dbesc($hash),
DBA::escape($hash),
intval($params['uid'])
);
if ($r) {
@ -500,7 +500,7 @@ function notification($params)
$p = q("SELECT `id` FROM `notify` WHERE `type` IN (%d, %d) AND `link` = '%s' AND `uid` = %d ORDER BY `id`",
intval(NOTIFY_TAGSELF),
intval(NOTIFY_COMMENT),
dbesc($params['link']),
DBA::escape($params['link']),
intval($params['uid'])
);
if ($p && (count($p) > 1)) {
@ -519,8 +519,8 @@ function notification($params)
$msg = replace_macros($epreamble, ['$itemlink' => $itemlink]);
$msg_cache = format_notification_message($datarray['name_cache'], strip_tags(BBCode::convert($msg)));
q("UPDATE `notify` SET `msg` = '%s', `msg_cache` = '%s' WHERE `id` = %d AND `uid` = %d",
dbesc($msg),
dbesc($msg_cache),
DBA::escape($msg),
DBA::escape($msg_cache),
intval($notify_id),
intval($params['uid'])
);

+ 1
- 1
include/items.php View File

@ -263,7 +263,7 @@ function consume_feed($xml, $importer, $contact, &$hub, $datedir = 0, $pass = 0)
FROM `contact`
LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid`
WHERE `contact`.`id` = %d AND `user`.`uid` = %d",
dbesc($contact["id"]), dbesc($importer["uid"])
DBA::escape($contact["id"]), DBA::escape($importer["uid"])
);
if (DBA::isResult($r)) {
logger("Now import the DFRN feed");
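Review bot: The new line applies `DBA::escape()` to `$contact["id"]` and `$importer["uid"]`, but both are bound to `%d` placeholders in the query above, so string-escaping does nothing useful and hides the type mismatch. The convention used for integer placeholders elsewhere in this commit is `intval()` (for example `intval($params['uid'])` in include/enotify.php), so the line should read `intval($contact["id"]), intval($importer["uid"])`. The enclosing `consume_feed()` query starts before the hunk.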

+ 4
- 4
include/security.php View File

@ -322,9 +322,9 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null)
)
",
intval($remote_user),
dbesc($gs),
DBA::escape($gs),
intval($remote_user),
dbesc($gs)
DBA::escape($gs)
);
}
}
@ -385,9 +385,9 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul
AND ( `item`.allow_cid REGEXP '<%d>' OR `item`.allow_gid REGEXP '%s' OR ( `item`.allow_cid = '' AND `item`.allow_gid = '')))))
",
intval($remote_user),
dbesc($gs),
DBA::escape($gs),
intval($remote_user),
dbesc($gs)
DBA::escape($gs)
);
}
}

+ 11
- 11
include/text.php View File

@ -755,9 +755,9 @@ function contact_block() {
AND NOT `pending` AND NOT `hidden` AND NOT `archive`
AND `network` IN ('%s', '%s', '%s')",
intval($a->profile['uid']),
dbesc(NETWORK_DFRN),
dbesc(NETWORK_OSTATUS),
dbesc(NETWORK_DIASPORA)
DBA::escape(NETWORK_DFRN),
DBA::escape(NETWORK_OSTATUS),
DBA::escape(NETWORK_DIASPORA)
);
if (DBA::isResult($r)) {
$total = intval($r[0]['total']);
@ -773,9 +773,9 @@ function contact_block() {
AND `network` IN ('%s', '%s', '%s')
ORDER BY RAND() LIMIT %d",
intval($a->profile['uid']),
dbesc(NETWORK_DFRN),
dbesc(NETWORK_OSTATUS),
dbesc(NETWORK_DIASPORA),
DBA::escape(NETWORK_DFRN),
DBA::escape(NETWORK_OSTATUS),
DBA::escape(NETWORK_DIASPORA),
intval($shown)
);
if (DBA::isResult($r)) {
@ -784,7 +784,7 @@ function contact_block() {
$contacts[] = $contact["id"];
}
$r = q("SELECT `id`, `uid`, `addr`, `url`, `name`, `thumb`, `network` FROM `contact` WHERE `id` IN (%s)",
dbesc(implode(",", $contacts)));
DBA::escape(implode(",", $contacts)));
if (DBA::isResult($r)) {
$contacts = L10n::tt('%d Contact', '%d Contacts', $total);
@ -1467,7 +1467,7 @@ function generate_user_guid() {
do {
$guid = System::createGUID(32);
$x = q("SELECT `uid` FROM `user` WHERE `guid` = '%s' LIMIT 1",
dbesc($guid)
DBA::escape($guid)
);
if (!DBA::isResult($x)) {
$found = false;
@ -1659,7 +1659,7 @@ function file_tag_file_query($table,$s,$type = 'file') {
} else {
$str = preg_quote('<' . str_replace('%', '%%', file_tag_encode($s)) . '>');
}
return " AND " . (($table) ? dbesc($table) . '.' : '') . "file regexp '" . dbesc($str) . "' ";
return " AND " . (($table) ? DBA::escape($table) . '.' : '') . "file regexp '" . DBA::escape($str) . "' ";
}
// ex. given music,video return <music><video> or [music][video]
@ -1753,7 +1753,7 @@ function file_tag_update_pconfig($uid, $file_old, $file_new, $type = 'file') {
foreach ($deleted_tags as $key => $tag) {
$r = q("SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d",
dbesc($tag),
DBA::escape($tag),
intval(TERM_OBJ_POST),
intval($termtype),
intval($uid));
@ -1819,7 +1819,7 @@ function file_tag_unsave_file($uid, $item_id, $file, $cat = false)
Item::update($fields, ['id' => $item_id]);
$r = q("SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d",
dbesc($file),
DBA::escape($file),
intval(TERM_OBJ_POST),
intval($termtype),
intval($uid)
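Review bot: In the third hunk, `DBA::escape(implode(",", $contacts))` feeds a comma-joined id list into an unquoted `IN (%s)`; escaping is the wrong tool for a numeric list because it neither quotes nor validates the elements. The ids are collected from the preceding result set, so this is a consistency rather than an injection concern, but `implode(",", array_map('intval', $contacts))` states the intent and matches the `intval()` convention used for the `%d` arguments in the same function. `contact_block()` begins before the hunk.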

+ 10
- 10
mod/acl.php View File

@ -36,8 +36,8 @@ function acl_content(App $a)
logger("Searching for ".$search." - type ".$type." conversation ".$conv_id, LOGGER_DEBUG);
if ($search != '') {
$sql_extra = "AND `name` LIKE '%%" . dbesc($search) . "%%'";
$sql_extra2 = "AND (`attag` LIKE '%%" . dbesc($search) . "%%' OR `name` LIKE '%%" . dbesc($search) . "%%' OR `nick` LIKE '%%" . dbesc($search) . "%%')";
$sql_extra = "AND `name` LIKE '%%" . DBA::escape($search) . "%%'";
$sql_extra2 = "AND (`attag` LIKE '%%" . DBA::escape($search) . "%%' OR `name` LIKE '%%" . DBA::escape($search) . "%%' OR `nick` LIKE '%%" . DBA::escape($search) . "%%')";
} else {
/// @TODO Avoid these needless else blocks by putting variable-initialization atop of if()
$sql_extra = $sql_extra2 = '';
@ -84,8 +84,8 @@ function acl_content(App $a)
AND `success_update` >= `failure_update`
AND `network` IN ('%s', '%s') $sql_extra2",
intval(local_user()),
dbesc(NETWORK_DFRN),
dbesc(NETWORK_DIASPORA)
DBA::escape(NETWORK_DFRN),
DBA::escape(NETWORK_DIASPORA)
);
$contact_count = (int) $r[0]['c'];
} elseif ($type == 'a') {
@ -143,8 +143,8 @@ function acl_content(App $a)
$sql_extra2
ORDER BY `name` ASC ",
intval(local_user()),
dbesc(NETWORK_OSTATUS),
dbesc(NETWORK_STATUSNET)
DBA::escape(NETWORK_OSTATUS),
DBA::escape(NETWORK_STATUSNET)
);
} elseif ($type == 'c') {
$r = q("SELECT `id`, `name`, `nick`, `micro`, `network`, `url`, `attag`, `addr`, `forum`, `prv` FROM `contact`
@ -153,7 +153,7 @@ function acl_content(App $a)
$sql_extra2
ORDER BY `name` ASC ",
intval(local_user()),
dbesc(NETWORK_STATUSNET)
DBA::escape(NETWORK_STATUSNET)
);
} elseif ($type == 'f') {
$r = q("SELECT `id`, `name`, `nick`, `micro`, `network`, `url`, `attag`, `addr`, `forum`, `prv` FROM `contact`
@ -163,7 +163,7 @@ function acl_content(App $a)
$sql_extra2
ORDER BY `name` ASC ",
intval(local_user()),
dbesc(NETWORK_STATUSNET)
DBA::escape(NETWORK_STATUSNET)
);
} elseif ($type == 'm') {
$r = q("SELECT `id`, `name`, `nick`, `micro`, `network`, `url`, `attag`, `addr` FROM `contact`
@ -172,8 +172,8 @@ function acl_content(App $a)
$sql_extra2
ORDER BY `name` ASC ",
intval(local_user()),
dbesc(NETWORK_DFRN),
dbesc(NETWORK_DIASPORA)
DBA::escape(NETWORK_DFRN),
DBA::escape(NETWORK_DIASPORA)
);
} elseif ($type == 'a') {
$r = q("SELECT `id`, `name`, `nick`, `micro`, `network`, `url`, `attag`, `addr`, `forum`, `prv` FROM `contact`
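Review bot: In the first hunk, `$search` is escaped but never passed through `protect_sprintf()`, while `$sql_extra`/`$sql_extra2` are interpolated into the format string that `q()` hands to its sprintf-style formatter (the `%%` written into those fragments exists precisely to survive that step, and `$sql_extra2` appears inside the query text at the `IN ('%s', '%s') $sql_extra2` line). A `%` in the search term is therefore read as a format directive and can shift or break the bound arguments instead of being matched literally. mod/contacts.php in this same commit handles the identical pattern with `DBA::escape(protect_sprintf(preg_quote($search)))`; the LIKE fragments here should at least use `DBA::escape(protect_sprintf($search))`. Whether `$search` is request-controlled is not visible in the hunk, though the `logger()` line suggests it is.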

+ 3
- 3
mod/admin.php View File

@ -815,7 +815,7 @@ function admin_page_workerqueue(App $a)
function admin_page_summary(App $a)
{
// are there MyISAM tables in the DB? If so, trigger a warning message
$r = q("SELECT `engine` FROM `information_schema`.`tables` WHERE `engine` = 'myisam' AND `table_schema` = '%s' LIMIT 1", dbesc(DBA::databaseName()));
$r = q("SELECT `engine` FROM `information_schema`.`tables` WHERE `engine` = 'myisam' AND `table_schema` = '%s' LIMIT 1", DBA::escape(DBA::databaseName()));
$showwarning = false;
$warningtext = [];
if (DBA::isResult($r)) {
@ -948,8 +948,8 @@ function admin_page_site_post(App $a)
function update_table($table_name, $fields, $old_url, $new_url)
{
$dbold = dbesc($old_url);
$dbnew = dbesc($new_url);
$dbold = DBA::escape($old_url);
$dbnew = DBA::escape($new_url);
$upd = [];
foreach ($fields as $f) {

+ 1
- 1
mod/api.php View File

@ -20,7 +20,7 @@ function oauth_get_client($request)
$r = q("SELECT `clients`.*
FROM `clients`, `tokens`
WHERE `clients`.`client_id`=`tokens`.`client_id`
AND `tokens`.`id`='%s' AND `tokens`.`scope`='request'", dbesc($token));
AND `tokens`.`id`='%s' AND `tokens`.`scope`='request'", DBA::escape($token));
if (!DBA::isResult($r)) {
return null;

+ 1
- 1
mod/attach.php View File

@ -32,7 +32,7 @@ function attach_init(App $a)
// Now we'll see if we can access the attachment
$r = q("SELECT * FROM `attach` WHERE `id` = '%d' $sql_extra LIMIT 1",
dbesc($item_id)
DBA::escape($item_id)
);
if (!DBA::isResult($r)) {
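Review bot: The new line escapes `$item_id` as a string while the query binds it with a quoted `'%d'`; the format specifier already coerces the value to an integer, so the escape is a no-op, and the quotes turn an integer comparison into a string one. Use the integer wrapper and drop the quotes: `"SELECT * FROM \`attach\` WHERE \`id\` = %d $sql_extra LIMIT 1", intval($item_id)`. `attach_init()` starts outside the hunk.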

+ 5
- 5
mod/contacts.php View File

@ -216,11 +216,11 @@ function contacts_post(App $a)
`ffi_keyword_blacklist` = '%s' WHERE `id` = %d AND `uid` = %d",
intval($profile_id),
intval($priority),
dbesc($info),
DBA::escape($info),
intval($hidden),
intval($notify),
intval($fetch_further_information),
dbesc($ffi_keyword_blacklist),
DBA::escape($ffi_keyword_blacklist),
intval($contact_id),
intval(local_user())
);
@ -308,7 +308,7 @@ function _contact_update_profile($contact_id)
$query .= ", ";
}
$query .= "`" . $key . "` = '" . dbesc($value) . "'";
$query .= "`" . $key . "` = '" . DBA::escape($value) . "'";
}
if ($query == "") {
@ -773,12 +773,12 @@ function contacts_content(App $a)
if ($search) {
$searching = true;
$search_hdr = $search;
$search_txt = dbesc(protect_sprintf(preg_quote($search)));
$search_txt = DBA::escape(protect_sprintf(preg_quote($search)));
$sql_extra .= " AND (name REGEXP '$search_txt' OR url REGEXP '$search_txt' OR nick REGEXP '$search_txt') ";
}
if ($nets) {
$sql_extra .= sprintf(" AND network = '%s' ", dbesc($nets));
$sql_extra .= sprintf(" AND network = '%s' ", DBA::escape($nets));
}
$sql_extra2 = ((($sort_type > 0) && ($sort_type <= CONTACT_IS_FRIEND)) ? sprintf(" AND `rel` = %d ", intval($sort_type)) : '');

+ 9
- 9
mod/crepair.php View File

@ -64,15 +64,15 @@ function crepair_post(App $a)
$r = q("UPDATE `contact` SET `name` = '%s', `nick` = '%s', `url` = '%s', `nurl` = '%s', `request` = '%s', `confirm` = '%s', `notify` = '%s', `poll` = '%s', `attag` = '%s' , `remote_self` = %d
WHERE `id` = %d AND `uid` = %d",
dbesc($name),
dbesc($nick),
dbesc($url),
dbesc($nurl),
dbesc($request),
dbesc($confirm),
dbesc($notify),
dbesc($poll),
dbesc($attag),
DBA::escape($name),
DBA::escape($nick),
DBA::escape($url),
DBA::escape($nurl),
DBA::escape($request),
DBA::escape($confirm),
DBA::escape($notify),
DBA::escape($poll),
DBA::escape($attag),
intval($remote_self),
intval($contact['id']),
local_user()
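Review bot: `local_user()` is passed bare as the final `%d` argument while every other integer argument in this UPDATE is wrapped in `intval()`, and the rest of the commit consistently writes `intval(local_user())` (for example the contacts_post UPDATE in mod/contacts.php). Changing the last argument to `intval(local_user())` keeps the argument list uniformly typed and makes the uid binding explicit. `crepair_post()` starts before the hunk.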

+ 3
- 3
mod/delegate.php View File

@ -110,14 +110,14 @@ function delegate_content(App $a)
AND SUBSTRING_INDEX(`nurl`, '/', 3) = '%s'
AND `uid` = %d
AND `network` = '%s' ",
dbesc(normalise_link(System::baseUrl())),
DBA::escape(normalise_link(System::baseUrl())),
intval(local_user()),
dbesc(NETWORK_DFRN)
DBA::escape(NETWORK_DFRN)
);
if (DBA::isResult($r)) {
$nicknames = [];
foreach ($r as $rr) {
$nicknames[] = "'" . dbesc(basename($rr['nurl'])) . "'";
$nicknames[] = "'" . DBA::escape(basename($rr['nurl'])) . "'";
}
$nicks = implode(',', $nicknames);

+ 17
- 17
mod/dfrn_confirm.php View File

@ -117,7 +117,7 @@ function dfrn_confirm_post(App $a, $handsfree = null)
AND `uid` = %d
AND `duplex` = 0
LIMIT 1",
dbesc($dfrn_id),
DBA::escape($dfrn_id),
intval($cid),
intval($uid)
);
@ -157,7 +157,7 @@ function dfrn_confirm_post(App $a, $handsfree = null)
// Save the private key. Send them the public key.
q("UPDATE `contact` SET `prvkey` = '%s' WHERE `id` = %d AND `uid` = %d",
dbesc($private_key),
DBA::escape($private_key),
intval($contact_id),
intval($uid)
);
@ -261,7 +261,7 @@ function dfrn_confirm_post(App $a, $handsfree = null)
// birthday paradox - generate new dfrn-id and fall through.
$new_dfrn_id = random_string();
q("UPDATE contact SET `issued-id` = '%s' WHERE `id` = %d AND `uid` = %d",
dbesc($new_dfrn_id),
DBA::escape($new_dfrn_id),
intval($contact_id),
intval($uid)
);
@ -324,11 +324,11 @@ function dfrn_confirm_post(App $a, $handsfree = null)
`network` = '%s' WHERE `id` = %d
",
intval($new_relation),
dbesc(DateTimeFormat::utcNow()),
dbesc(DateTimeFormat::utcNow()),
DBA::escape(DateTimeFormat::utcNow()),
DBA::escape(DateTimeFormat::utcNow()),
intval($duplex),
intval($hidden),
dbesc(NETWORK_DFRN),
DBA::escape(NETWORK_DFRN),
intval($contact_id)
);
} else {
@ -372,12 +372,12 @@ function dfrn_confirm_post(App $a, $handsfree = null)
`rel` = %d
WHERE `id` = %d
",
dbesc(DateTimeFormat::utcNow()),
dbesc(DateTimeFormat::utcNow()),
dbesc($addr),
dbesc($notify),
dbesc($poll),
dbesc($network),
DBA::escape(DateTimeFormat::utcNow()),
DBA::escape(DateTimeFormat::utcNow()),
DBA::escape($addr),
DBA::escape($notify),
DBA::escape($poll),
DBA::escape($network),
intval($writable),
intval($hidden),
intval($new_relation),
@ -517,8 +517,8 @@ function dfrn_confirm_post(App $a, $handsfree = null)
}
$r = q("UPDATE `contact` SET `dfrn-id` = '%s', `pubkey` = '%s' WHERE `id` = %d",
dbesc($decrypted_dfrn_id),
dbesc($dfrn_pubkey),
DBA::escape($decrypted_dfrn_id),
DBA::escape($dfrn_pubkey),
intval($dfrn_record)
);
if (!DBA::isResult($r)) {
@ -568,12 +568,12 @@ function dfrn_confirm_post(App $a, $handsfree = null)
`network` = '%s' WHERE `id` = %d
",
intval($new_relation),
dbesc(DateTimeFormat::utcNow()),
dbesc(DateTimeFormat::utcNow()),
DBA::escape(DateTimeFormat::utcNow()),
DBA::escape(DateTimeFormat::utcNow()),
intval($duplex),
intval($forum),
intval($prv),
dbesc(NETWORK_DFRN),
DBA::escape(NETWORK_DFRN),
intval($dfrn_record)
);
if (!DBA::isResult($r)) { // indicates schema is messed up or total db failure

+ 8
- 8
mod/dfrn_notify.php View File

@ -74,13 +74,13 @@ function dfrn_notify_post(App $a) {
$sql_extra = '';
switch ($direction) {
case (-1):
$sql_extra = sprintf(" AND ( `issued-id` = '%s' OR `dfrn-id` = '%s' ) ", dbesc($dfrn_id), dbesc($dfrn_id));
$sql_extra = sprintf(" AND ( `issued-id` = '%s' OR `dfrn-id` = '%s' ) ", DBA::escape($dfrn_id), DBA::escape($dfrn_id));
break;
case 0:
$sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id));
$sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
break;
case 1:
$sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id));
$sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
break;
default:
System::xmlExit(3, 'Invalid direction');
@ -104,7 +104,7 @@ function dfrn_notify_post(App $a) {
LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid`
WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0
AND `user`.`nickname` = '%s' AND `user`.`account_expired` = 0 AND `user`.`account_removed` = 0 $sql_extra LIMIT 1",
dbesc($a->argv[1])
DBA::escape($a->argv[1])
);
if (!DBA::isResult($r)) {
@ -312,15 +312,15 @@ function dfrn_notify_content(App $a) {
$sql_extra = '';
switch($direction) {
case (-1):
$sql_extra = sprintf(" AND (`issued-id` = '%s' OR `dfrn-id` = '%s') ", dbesc($dfrn_id), dbesc($dfrn_id));
$sql_extra = sprintf(" AND (`issued-id` = '%s' OR `dfrn-id` = '%s') ", DBA::escape($dfrn_id), DBA::escape($dfrn_id));
$my_id = $dfrn_id;
break;
case 0:
$sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id));
$sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '1:' . $dfrn_id;
break;
case 1:
$sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id));
$sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '0:' . $dfrn_id;
break;
default:
@ -331,7 +331,7 @@ function dfrn_notify_content(App $a) {
$r = q("SELECT `contact`.*, `user`.`nickname`, `user`.`page-flags` FROM `contact` LEFT JOIN `user` ON `user`.`uid` = `contact`.`uid`
WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0 AND `user`.`nickname` = '%s'
AND `user`.`account_expired` = 0 AND `user`.`account_removed` = 0 $sql_extra LIMIT 1",
dbesc($a->argv[1])
DBA::escape($a->argv[1])
);
if (!DBA::isResult($r)) {

+ 27
- 27
mod/dfrn_poll.php View File

@ -56,7 +56,7 @@ function dfrn_poll_init(App $a)
$user = '';
if ($a->argc > 1) {
$r = q("SELECT `hidewall`,`nickname` FROM `user` WHERE `user`.`nickname` = '%s' LIMIT 1",
dbesc($a->argv[1])
DBA::escape($a->argv[1])
);
if (!$r) {
System::httpExit(404);
@ -77,15 +77,15 @@ function dfrn_poll_init(App $a)
$sql_extra = '';
switch ($direction) {
case -1:
$sql_extra = sprintf(" AND ( `dfrn-id` = '%s' OR `issued-id` = '%s' ) ", dbesc($dfrn_id), dbesc($dfrn_id));
$sql_extra = sprintf(" AND ( `dfrn-id` = '%s' OR `issued-id` = '%s' ) ", DBA::escape($dfrn_id), DBA::escape($dfrn_id));
$my_id = $dfrn_id;
break;
case 0:
$sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id));
$sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '1:' . $dfrn_id;
break;
case 1:
$sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id));
$sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '0:' . $dfrn_id;
break;
default:
@ -97,7 +97,7 @@ function dfrn_poll_init(App $a)
FROM `contact` LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid`
WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0
AND `user`.`nickname` = '%s' $sql_extra LIMIT 1",
dbesc($a->argv[1])
DBA::escape($a->argv[1])
);
if (DBA::isResult($r)) {
@ -129,8 +129,8 @@ function dfrn_poll_init(App $a)
$session_id = session_id();
$expire = time() + 86400;
q("UPDATE `session` SET `expire` = '%s' WHERE `sid` = '%s'",
dbesc($expire),
dbesc($session_id)
DBA::escape($expire),
DBA::escape($session_id)
);
}
}
@ -144,7 +144,7 @@ function dfrn_poll_init(App $a)
if ((strlen($challenge)) && (strlen($sec))) {
DBA::delete('profile_check', ["`expire` < ?", time()]);
$r = q("SELECT * FROM `profile_check` WHERE `sec` = '%s' ORDER BY `expire` DESC LIMIT 1",
dbesc($sec)
DBA::escape($sec)
);
if (!DBA::isResult($r)) {
System::xmlExit(3, 'No ticket');
@ -209,7 +209,7 @@ function dfrn_poll_init(App $a)
DBA::delete('profile_check', ["`expire` < ?", time()]);
$r = q("SELECT * FROM `profile_check` WHERE `dfrn_id` = '%s' ORDER BY `expire` DESC",
dbesc($dfrn_id));
DBA::escape($dfrn_id));
if (DBA::isResult($r)) {
System::xmlExit(1);
return; // NOTREACHED
@ -236,7 +236,7 @@ function dfrn_poll_post(App $a)
DBA::delete('profile_check', ["`expire` < ?", time()]);
$r = q("SELECT * FROM `profile_check` WHERE `sec` = '%s' ORDER BY `expire` DESC LIMIT 1",
dbesc($sec)
DBA::escape($sec)
);
if (!DBA::isResult($r)) {
System::xmlExit(3, 'No ticket');
@ -296,8 +296,8 @@ function dfrn_poll_post(App $a)
}
$r = q("SELECT * FROM `challenge` WHERE `dfrn-id` = '%s' AND `challenge` = '%s' LIMIT 1",
dbesc($dfrn_id),
dbesc($challenge)
DBA::escape($dfrn_id),
DBA::escape($challenge)
);
if (!DBA::isResult($r)) {
@ -312,15 +312,15 @@ function dfrn_poll_post(App $a)
$sql_extra = '';
switch ($direction) {
case -1:
$sql_extra = sprintf(" AND `issued-id` = '%s' ", dbesc($dfrn_id));
$sql_extra = sprintf(" AND `issued-id` = '%s' ", DBA::escape($dfrn_id));
$my_id = $dfrn_id;
break;
case 0:
$sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id));
$sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '1:' . $dfrn_id;
break;
case 1:
$sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id));
$sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '0:' . $dfrn_id;
break;
default:
@ -339,7 +339,7 @@ function dfrn_poll_post(App $a)
if ($type === 'reputation' && strlen($url)) {
$r = q("SELECT * FROM `contact` WHERE `url` = '%s' AND `uid` = %d LIMIT 1",
dbesc($url),
DBA::escape($url),
intval($owner_uid)
);
$reputation = 0;
@ -417,11 +417,11 @@ function dfrn_poll_content(App $a)
if ($type !== 'profile') {
$r = q("INSERT INTO `challenge` ( `challenge`, `dfrn-id`, `expire` , `type`, `last_update` )
VALUES( '%s', '%s', '%s', '%s', '%s' ) ",
dbesc($hash),
dbesc($dfrn_id),
DBA::escape($hash),
DBA::escape($dfrn_id),
intval(time() + 60 ),
dbesc($type),
dbesc($last_update)
DBA::escape($type),
DBA::escape($last_update)
);
}
@ -429,19 +429,19 @@ function dfrn_poll_content(App $a)
switch ($direction) {
case -1:
if ($type === 'profile') {
$sql_extra = sprintf(" AND ( `dfrn-id` = '%s' OR `issued-id` = '%s' ) ", dbesc($dfrn_id), dbesc($dfrn_id));
$sql_extra = sprintf(" AND ( `dfrn-id` = '%s' OR `issued-id` = '%s' ) ", DBA::escape($dfrn_id), DBA::escape($dfrn_id));
} else {
$sql_extra = sprintf(" AND `issued-id` = '%s' ", dbesc($dfrn_id));
$sql_extra = sprintf(" AND `issued-id` = '%s' ", DBA::escape($dfrn_id));
}
$my_id = $dfrn_id;
break;
case 0:
$sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id));
$sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '1:' . $dfrn_id;
break;
case 1:
$sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id));
$sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '0:' . $dfrn_id;
break;
default:
@ -455,7 +455,7 @@ function dfrn_poll_content(App $a)
FROM `contact` LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid`
WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0
AND `user`.`nickname` = '%s' $sql_extra LIMIT 1",
dbesc($nickname)
DBA::escape($nickname)
);
if (DBA::isResult($r)) {
$challenge = '';
@ -546,8 +546,8 @@ function dfrn_poll_content(App $a)
$session_id = session_id();
$expire = time() + 86400;
q("UPDATE `session` SET `expire` = '%s' WHERE `sid` = '%s'",
dbesc($expire),
dbesc($session_id)
DBA::escape($expire),
DBA::escape($session_id)
);
}

+ 16
- 16
mod/dfrn_request.php View File

@ -84,7 +84,7 @@ function dfrn_request_post(App $a)
// Lookup the contact based on their URL (which is the only unique thing we have at the moment)
$r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `nurl` = '%s' AND NOT `self` LIMIT 1",
intval(local_user()),
dbesc(normalise_link($dfrn_url))
DBA::escape(normalise_link($dfrn_url))
);
if (DBA::isResult($r)) {
@ -137,8 +137,8 @@ function dfrn_request_post(App $a)
VALUES ( %d, '%s', '%s', '%s', '%s', '%s' , '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d, %d, %d)",
intval(local_user()),
DateTimeFormat::utcNow(),
dbesc($dfrn_url),
dbesc(normalise_link($dfrn_url)),
DBA::escape($dfrn_url),
DBA::escape(normalise_link($dfrn_url)),
$parms['addr'],
$parms['fn'],
$parms['nick'],
@ -149,7 +149,7 @@ function dfrn_request_post(App $a)
$parms['dfrn-notify'],
$parms['dfrn-poll'],
$parms['dfrn-poco'],
dbesc(NETWORK_DFRN),
DBA::escape(NETWORK_DFRN),
intval($aes_allow),
intval($hidden),
intval($blocked),
@ -163,7 +163,7 @@ function dfrn_request_post(App $a)
$r = q("SELECT `id`, `network` FROM `contact` WHERE `uid` = %d AND `url` = '%s' AND `site-pubkey` = '%s' LIMIT 1",
intval(local_user()),
dbesc($dfrn_url),
DBA::escape($dfrn_url),
$parms['key'] // this was already escaped
);
if (DBA::isResult($r)) {
@ -239,7 +239,7 @@ function dfrn_request_post(App $a)
// Block friend request spam
if ($maxreq) {
$r = q("SELECT * FROM `intro` WHERE `datetime` > '%s' AND `uid` = %d",
dbesc(DateTimeFormat::utc('now - 24 hours')),
DBA::escape(DateTimeFormat::utc('now - 24 hours')),
intval($uid)
);
if (DBA::isResult($r) && count($r) > $maxreq) {
@ -302,7 +302,7 @@ function dfrn_request_post(App $a)
if ($network === NETWORK_DFRN) {
$ret = q("SELECT * FROM `contact` WHERE `uid` = %d AND `url` = '%s' AND `self` = 0 LIMIT 1",
intval($uid),
dbesc($url)
DBA::escape($url)
);
if (DBA::isResult($ret)) {
@ -324,7 +324,7 @@ function dfrn_request_post(App $a)
// There is a contact record but no issued-id, so this
// is a reciprocal introduction from a known contact
$r = q("UPDATE `contact` SET `issued-id` = '%s' WHERE `id` = %d",
dbesc($issued_id),
DBA::escape($issued_id),
intval($contact_record['id'])
);
} else {
@ -376,9 +376,9 @@ function dfrn_request_post(App $a)
`request`, `confirm`, `notify`, `poll`, `poco`, `network`, `blocked`, `pending` )
VALUES ( %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d )",
intval($uid),
dbesc(DateTimeFormat::utcNow()),
DBA::escape(DateTimeFormat::utcNow()),
$parms['url'],
dbesc(normalise_link($url)),
DBA::escape(normalise_link($url)),
$parms['addr'],
$parms['fn'],
$parms['nick'],
@ -390,7 +390,7 @@ function dfrn_request_post(App $a)
$parms['dfrn-notify'],
$parms['dfrn-poll'],
$parms['dfrn-poco'],
dbesc(NETWORK_DFRN),
DBA::escape(NETWORK_DFRN),
intval($blocked),
intval($pending)
);
@ -422,9 +422,9 @@ function dfrn_request_post(App $a)
intval($uid),
intval($contact_record['id']),
((x($_POST,'knowyou') && ($_POST['knowyou'] == 1)) ? 1 : 0),
dbesc(notags(trim($_POST['dfrn-request-message']))),
dbesc($hash),
dbesc(DateTimeFormat::utcNow())
DBA::escape(notags(trim($_POST['dfrn-request-message']))),
DBA::escape($hash),
DBA::escape(DateTimeFormat::utcNow())
);
}
@ -534,7 +534,7 @@ function dfrn_request_content(App $a)
// We could just unblock it, but first we have to jump through a few hoops to
// send an email, or even to find out if we need to send an email.
$intro = q("SELECT * FROM `intro` WHERE `hash` = '%s' LIMIT 1",
dbesc($_GET['confirm_key'])
DBA::escape($_GET['confirm_key'])
);
if (DBA::isResult($intro)) {
@ -586,7 +586,7 @@ function dfrn_request_content(App $a)
// in dfrn_confirm_post()
$r = q("UPDATE `intro` SET `blocked` = 0 WHERE `hash` = '%s'",
dbesc($_GET['confirm_key'])
DBA::escape($_GET['confirm_key'])
);
}
}
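Review bot: In the two contact INSERTs around `DBA::escape(normalise_link($dfrn_url))` and `DBA::escape(normalise_link($url))`, only some arguments are escaped at the call site while `$parms['addr']`, `$parms['fn']`, `$parms['nick']`, `$parms['dfrn-notify']` and the rest are passed through raw, and only `$parms['key']` carries the comment `// this was already escaped`. If `$parms` is escaped earlier in dfrn_request_post (that part is outside these hunks), a comment at the first raw use such as `// $parms values were escaped when the probe result was normalised` would let a reader confirm that every value reaching q() is escaped without searching the whole function; if it is not, these remote-supplied profile fields need the same `DBA::escape()` as the other arguments. The same pattern recurs in the second INSERT (`$parms['url']` and following), so one comment covering both would do.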

+ 1
- 1
mod/directory.php View File

@ -60,7 +60,7 @@ function directory_content(App $a)
}
if ($search) {
$search = dbesc($search);
$search = DBA::escape($search);
$sql_extra = " AND ((`profile`.`name` LIKE '%$search%') OR
(`user`.`nickname` LIKE '%$search%') OR
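Review bot: `$search = DBA::escape($search);` makes the value safe inside the quoted string, but the next line interpolates it into `LIKE '%$search%'`, and neither the old nor the new escape function neutralises the LIKE metacharacters `%` and `_`, so a search term can still reshape the pattern (e.g. force a full-table match or widen the filter). A second step after escaping, along the lines of `$search = str_replace(['%', '_'], ['\\%', '\\_'], DBA::escape($search));`, keeps the term literal under MySQL's default backslash escape character. The same applies to the `LIKE '%s'` arguments in mod/dirfind.php, where `DBA::escape(escape_tags($search2))` is repeated nine times per query, and to any other LIKE built this way in the commit. The enclosing directory_content() continues outside this hunk.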

+ 6
- 6
mod/dirfind.php View File

@ -118,9 +118,9 @@ function dirfind_content(App $a, $prefix = "") {
((`last_contact` >= `last_failure`) OR (`updated` >= `last_failure`)) AND
(`url` LIKE '%s' OR `name` LIKE '%s' OR `location` LIKE '%s' OR
`addr` LIKE '%s' OR `about` LIKE '%s' OR `keywords` LIKE '%s') $extra_sql",
dbesc(NETWORK_DFRN), dbesc($ostatus), dbesc($diaspora),
dbesc(escape_tags($search2)), dbesc(escape_tags($search2)), dbesc(escape_tags($search2)),
dbesc(escape_tags($search2)), dbesc(escape_tags($search2)), dbesc(escape_tags($search2)));
DBA::escape(NETWORK_DFRN), DBA::escape($ostatus), DBA::escape($diaspora),
DBA::escape(escape_tags($search2)), DBA::escape(escape_tags($search2)), DBA::escape(escape_tags($search2)),
DBA::escape(escape_tags($search2)), DBA::escape(escape_tags($search2)), DBA::escape(escape_tags($search2)));
$results = q("SELECT `nurl`
FROM `gcontact`
@ -130,9 +130,9 @@ function dirfind_content(App $a, $prefix = "") {
`addr` LIKE '%s' OR `about` LIKE '%s' OR `keywords` LIKE '%s') $extra_sql
GROUP BY `nurl`
ORDER BY `updated` DESC LIMIT %d, %d",
dbesc(NETWORK_DFRN), dbesc($ostatus), dbesc($diaspora),
dbesc(escape_tags($search2)), dbesc(escape_tags($search2)), dbesc(escape_tags($search2)),
dbesc(escape_tags($search2)), dbesc(escape_tags($search2)), dbesc(escape_tags($search2)),
DBA::escape(NETWORK_DFRN), DBA::escape($ostatus), DBA::escape($diaspora),
DBA::escape(escape_tags($search2)), DBA::escape(escape_tags($search2)), DBA::escape(escape_tags($search2)),
DBA::escape(escape_tags($search2)), DBA::escape(escape_tags($search2)), DBA::escape(escape_tags($search2)),
intval($startrec), intval($perpage));
$j = new stdClass();
$j->total = $count[0]["total"];

+ 6
- 6
mod/fbrowser.php View File

@ -39,8 +39,8 @@ function fbrowser_content(App $a)
if ($a->argc==2) {
$albums = q("SELECT distinct(`album`) AS `album` FROM `photo` WHERE `uid` = %d AND `album` != '%s' AND `album` != '%s' ",
intval(local_user()),
dbesc('Contact Photos'),
dbesc(L10n::t('Contact Photos'))
DBA::escape('Contact Photos'),
DBA::escape(L10n::t('Contact Photos'))
);
function _map_folder1($el)
@ -54,7 +54,7 @@ function fbrowser_content(App $a)
$album = "";
if ($a->argc==3) {
$album = hex2bin($a->argv[2]);
$sql_extra = sprintf("AND `album` = '%s' ", dbesc($album));
$sql_extra = sprintf("AND `album` = '%s' ", DBA::escape($album));
$sql_extra2 = "";
$path[]=[$a->argv[2], $album];
}
@ -64,8 +64,8 @@ function fbrowser_content(App $a)
FROM `photo` WHERE `uid` = %d $sql_extra AND `album` != '%s' AND `album` != '%s'
GROUP BY `resource-id` $sql_extra2",
intval(local_user()),
dbesc('Contact Photos'),
dbesc(L10n::t('Contact Photos'))
DBA::escape('Contact Photos'),
DBA::escape(L10n::t('Contact Photos'))
);
function _map_files1($rr)
@ -77,7 +77,7 @@ function fbrowser_content(App $a)
// Take the largest picture that is smaller or equal 640 pixels
$p = q("SELECT `scale` FROM `photo` WHERE `resource-id` = '%s' AND `height` <= 640 AND `width` <= 640 ORDER BY `resource-id`, `scale` LIMIT 1",
dbesc($rr['resource-id']));
DBA::escape($rr['resource-id']));
if ($p) {
$scale = $p[0]["scale"];
} else {

+ 2
- 2
mod/follow.php View File

@ -65,8 +65,8 @@ function follow_content(App $a)
$r = q("SELECT `pending` FROM `contact` WHERE `uid` = %d AND ((`rel` != %d) OR (`network` = '%s')) AND
(`nurl` = '%s' OR `alias` = '%s' OR `alias` = '%s') AND
`network` != '%s' LIMIT 1",
intval(local_user()), dbesc(CONTACT_IS_FOLLOWER), dbesc(NETWORK_DFRN), dbesc(normalise_link($url)),
dbesc(normalise_link($url)), dbesc($url), dbesc(NETWORK_STATUSNET));
intval(local_user()), DBA::escape(CONTACT_IS_FOLLOWER), DBA::escape(NETWORK_DFRN), DBA::escape(normalise_link($url)),
DBA::escape(normalise_link($url)), DBA::escape($url), DBA::escape(NETWORK_STATUSNET));
if ($r) {
if ($r[0]['pending']) {
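Review bot: `DBA::escape(CONTACT_IS_FOLLOWER)` is bound to the `%d` placeholder in `(`rel` != %d)`, so a string-escaping call is used where the query treats the value as an integer; if CONTACT_IS_FOLLOWER is the integer relation constant (not visible here), `intval(CONTACT_IS_FOLLOWER)` is the conversion that matches the placeholder and the `intval(local_user())` beside it. The result is the same today because sprintf coerces the escaped string, but mixing the two conventions on one argument list makes the next rename harder to review. The enclosing follow_content() continues outside this hunk.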

+ 2
- 2
mod/friendica.php View File

@ -17,12 +17,12 @@ function friendica_init(App $a)
$sql_extra = '';
if (x($a->config, 'admin_nickname')) {
$sql_extra = sprintf(" AND `nickname` = '%s' ", dbesc(Config::get('config', 'admin_nickname')));
$sql_extra = sprintf(" AND `nickname` = '%s' ", DBA::escape(Config::get('config', 'admin_nickname')));
}
if (!empty(Config::get('config', 'admin_email'))) {
$adminlist = explode(",", str_replace(" ", "", Config::get('config', 'admin_email')));
$r = q("SELECT `username`, `nickname` FROM `user` WHERE `email` = '%s' $sql_extra", dbesc($adminlist[0]));
$r = q("SELECT `username`, `nickname` FROM `user` WHERE `email` = '%s' $sql_extra", DBA::escape($adminlist[0]));
$admin = [
'name' => $r[0]['username'],
'profile'=> System::baseUrl() . '/profile/' . $r[0]['nickname'],

+ 8
- 8
mod/fsuggest.php View File

@ -48,21 +48,21 @@ function fsuggest_post(App $a)
VALUES ( %d, %d, '%s','%s','%s','%s','%s','%s')",
intval(local_user()),
intval($contact_id),
dbesc($r[0]['name']),
dbesc($r[0]['url']),
dbesc($r[0]['request']),
dbesc($r[0]['photo']),
dbesc($hash),
dbesc(DateTimeFormat::utcNow())
DBA::escape($r[0]['name']),
DBA::escape($r[0]['url']),
DBA::escape($r[0]['request']),
DBA::escape($r[0]['photo']),
DBA::escape($hash),
DBA::escape(DateTimeFormat::utcNow())
);
$r = q("SELECT `id` FROM `fsuggest` WHERE `note` = '%s' AND `uid` = %d LIMIT 1",
dbesc($hash),
DBA::escape($hash),
intval(local_user())
);
if (DBA::isResult($r)) {
$fsuggest_id = $r[0]['id'];
q("UPDATE `fsuggest` SET `note` = '%s' WHERE `id` = %d AND `uid` = %d",
dbesc($note),
DBA::escape($note),
intval($fsuggest_id),
intval(local_user())
);

+ 1
- 1
mod/group.php View File

@ -61,7 +61,7 @@ function group_post(App $a) {
$groupname = notags(trim($_POST['groupname']));
if ((strlen($groupname)) && ($groupname != $group['name'])) {
$r = q("UPDATE `group` SET `name` = '%s' WHERE `uid` = %d AND `id` = %d",
dbesc($groupname),
DBA::escape($groupname),
intval(local_user()),
intval($group['id'])
);

+ 2
- 2
mod/invite.php View File

@ -61,8 +61,8 @@ function invite_post(App $a)
$nmessage = str_replace('$invite_code', $code, $message);
$r = q("INSERT INTO `register` (`hash`,`created`) VALUES ('%s', '%s') ",
dbesc($code),
dbesc(DateTimeFormat::utcNow())
DBA::escape($code),