Merge pull request #5439 from MrPetovan/task/5410-remove-dbesc

Move DBA to src/ part 4.1: Remove dbesc()
This commit is contained in:
Michael Vogel 2018-07-23 21:51:49 +02:00 committed by GitHub
commit 413424064c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
80 changed files with 674 additions and 687 deletions

View file

@ -525,7 +525,7 @@ function api_get_user(App $a, $contact_id = null)
// Searching for contact URL // Searching for contact URL
if (!is_null($contact_id) && (intval($contact_id) == 0)) { if (!is_null($contact_id) && (intval($contact_id) == 0)) {
$user = dbesc(normalise_link($contact_id)); $user = DBA::escape(normalise_link($contact_id));
$url = $user; $url = $user;
$extra_query = "AND `contact`.`nurl` = '%s' "; $extra_query = "AND `contact`.`nurl` = '%s' ";
if (api_user() !== false) { if (api_user() !== false) {
@ -535,7 +535,7 @@ function api_get_user(App $a, $contact_id = null)
// Searching for contact id with uid = 0 // Searching for contact id with uid = 0
if (!is_null($contact_id) && (intval($contact_id) != 0)) { if (!is_null($contact_id) && (intval($contact_id) != 0)) {
$user = dbesc(api_unique_id_to_nurl(intval($contact_id))); $user = DBA::escape(api_unique_id_to_nurl(intval($contact_id)));
if ($user == "") { if ($user == "") {
throw new BadRequestException("User ID ".$contact_id." not found."); throw new BadRequestException("User ID ".$contact_id." not found.");
@ -549,7 +549,7 @@ function api_get_user(App $a, $contact_id = null)
} }
if (is_null($user) && x($_GET, 'user_id')) { if (is_null($user) && x($_GET, 'user_id')) {
$user = dbesc(api_unique_id_to_nurl($_GET['user_id'])); $user = DBA::escape(api_unique_id_to_nurl($_GET['user_id']));
if ($user == "") { if ($user == "") {
throw new BadRequestException("User ID ".$_GET['user_id']." not found."); throw new BadRequestException("User ID ".$_GET['user_id']." not found.");
@ -562,7 +562,7 @@ function api_get_user(App $a, $contact_id = null)
} }
} }
if (is_null($user) && x($_GET, 'screen_name')) { if (is_null($user) && x($_GET, 'screen_name')) {
$user = dbesc($_GET['screen_name']); $user = DBA::escape($_GET['screen_name']);
$extra_query = "AND `contact`.`nick` = '%s' "; $extra_query = "AND `contact`.`nick` = '%s' ";
if (api_user() !== false) { if (api_user() !== false) {
$extra_query .= "AND `contact`.`uid`=".intval(api_user()); $extra_query .= "AND `contact`.`uid`=".intval(api_user());
@ -570,7 +570,7 @@ function api_get_user(App $a, $contact_id = null)
} }
if (is_null($user) && x($_GET, 'profileurl')) { if (is_null($user) && x($_GET, 'profileurl')) {
$user = dbesc(normalise_link($_GET['profileurl'])); $user = DBA::escape(normalise_link($_GET['profileurl']));
$extra_query = "AND `contact`.`nurl` = '%s' "; $extra_query = "AND `contact`.`nurl` = '%s' ";
if (api_user() !== false) { if (api_user() !== false) {
$extra_query .= "AND `contact`.`uid`=".intval(api_user()); $extra_query .= "AND `contact`.`uid`=".intval(api_user());
@ -584,7 +584,7 @@ function api_get_user(App $a, $contact_id = null)
list($user, $null) = explode(".", $a->argv[$argid]); list($user, $null) = explode(".", $a->argv[$argid]);
} }
if (is_numeric($user)) { if (is_numeric($user)) {
$user = dbesc(api_unique_id_to_nurl(intval($user))); $user = DBA::escape(api_unique_id_to_nurl(intval($user)));
if ($user != "") { if ($user != "") {
$url = $user; $url = $user;
@ -594,7 +594,7 @@ function api_get_user(App $a, $contact_id = null)
} }
} }
} else { } else {
$user = dbesc($user); $user = DBA::escape($user);
$extra_query = "AND `contact`.`nick` = '%s' "; $extra_query = "AND `contact`.`nick` = '%s' ";
if (api_user() !== false) { if (api_user() !== false) {
$extra_query .= "AND `contact`.`uid`=" . intval(api_user()); $extra_query .= "AND `contact`.`uid`=" . intval(api_user());
@ -634,7 +634,7 @@ function api_get_user(App $a, $contact_id = null)
$r = []; $r = [];
if ($url != "") { if ($url != "") {
$r = q("SELECT * FROM `contact` WHERE `uid` = 0 AND `nurl` = '%s' LIMIT 1", dbesc(normalise_link($url))); $r = q("SELECT * FROM `contact` WHERE `uid` = 0 AND `nurl` = '%s' LIMIT 1", DBA::escape(normalise_link($url)));
} }
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -1437,10 +1437,10 @@ function api_users_search($type)
$userlist = []; $userlist = [];
if (x($_GET, 'q')) { if (x($_GET, 'q')) {
$r = q("SELECT id FROM `contact` WHERE `uid` = 0 AND `name` = '%s'", dbesc($_GET["q"])); $r = q("SELECT id FROM `contact` WHERE `uid` = 0 AND `name` = '%s'", DBA::escape($_GET["q"]));
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
$r = q("SELECT `id` FROM `contact` WHERE `uid` = 0 AND `nick` = '%s'", dbesc($_GET["q"])); $r = q("SELECT `id` FROM `contact` WHERE `uid` = 0 AND `nick` = '%s'", DBA::escape($_GET["q"]));
} }
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -3482,7 +3482,7 @@ function api_direct_messages_new($type)
$r = q( $r = q(
"SELECT `id`, `nurl`, `network` FROM `contact` WHERE `uid`=%d AND `nick`='%s'", "SELECT `id`, `nurl`, `network` FROM `contact` WHERE `uid`=%d AND `nick`='%s'",
intval(api_user()), intval(api_user()),
dbesc($_POST['screen_name']) DBA::escape($_POST['screen_name'])
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -3579,7 +3579,7 @@ function api_direct_messages_destroy($type)
} }
// add parent-uri to sql command if specified by calling app // add parent-uri to sql command if specified by calling app
$sql_extra = ($parenturi != "" ? " AND `parent-uri` = '" . dbesc($parenturi) . "'" : ""); $sql_extra = ($parenturi != "" ? " AND `parent-uri` = '" . DBA::escape($parenturi) . "'" : "");
// get data of the specified message id // get data of the specified message id
$r = q( $r = q(
@ -3668,13 +3668,13 @@ function api_direct_messages_box($type, $box, $verbose)
// filters // filters
if ($box=="sentbox") { if ($box=="sentbox") {
$sql_extra = "`mail`.`from-url`='" . dbesc($profile_url) . "'"; $sql_extra = "`mail`.`from-url`='" . DBA::escape($profile_url) . "'";
} elseif ($box == "conversation") { } elseif ($box == "conversation") {
$sql_extra = "`mail`.`parent-uri`='" . dbesc(defaults($_GET, 'uri', '')) . "'"; $sql_extra = "`mail`.`parent-uri`='" . DBA::escape(defaults($_GET, 'uri', '')) . "'";
} elseif ($box == "all") { } elseif ($box == "all") {
$sql_extra = "true"; $sql_extra = "true";
} elseif ($box == "inbox") { } elseif ($box == "inbox") {
$sql_extra = "`mail`.`from-url`!='" . dbesc($profile_url) . "'"; $sql_extra = "`mail`.`from-url`!='" . DBA::escape($profile_url) . "'";
} }
if ($max_id > 0) { if ($max_id > 0) {
@ -3684,7 +3684,7 @@ function api_direct_messages_box($type, $box, $verbose)
if ($user_id != "") { if ($user_id != "") {
$sql_extra .= ' AND `mail`.`contact-id` = ' . intval($user_id); $sql_extra .= ' AND `mail`.`contact-id` = ' . intval($user_id);
} elseif ($screen_name !="") { } elseif ($screen_name !="") {
$sql_extra .= " AND `contact`.`nick` = '" . dbesc($screen_name). "'"; $sql_extra .= " AND `contact`.`nick` = '" . DBA::escape($screen_name). "'";
} }
$r = q( $r = q(
@ -3847,7 +3847,7 @@ function api_fr_photoalbum_delete($type)
$r = q( $r = q(
"SELECT DISTINCT `resource-id` FROM `photo` WHERE `uid` = %d AND `album` = '%s'", "SELECT DISTINCT `resource-id` FROM `photo` WHERE `uid` = %d AND `album` = '%s'",
intval(api_user()), intval(api_user()),
dbesc($album) DBA::escape($album)
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
throw new BadRequestException("album not available"); throw new BadRequestException("album not available");
@ -4008,8 +4008,8 @@ function api_fr_photo_create_update($type)
$r = q( $r = q(
"SELECT `id` FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s' AND `album` = '%s'", "SELECT `id` FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s' AND `album` = '%s'",
intval(api_user()), intval(api_user()),
dbesc($photo_id), DBA::escape($photo_id),
dbesc($album) DBA::escape($album)
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
throw new BadRequestException("photo not available"); throw new BadRequestException("photo not available");
@ -4078,8 +4078,8 @@ function api_fr_photo_create_update($type)
$sql_extra, $sql_extra,
DateTimeFormat::utcNow(), // update edited timestamp DateTimeFormat::utcNow(), // update edited timestamp
intval(api_user()), intval(api_user()),
dbesc($photo_id), DBA::escape($photo_id),
dbesc($album) DBA::escape($album)
); );
} else { } else {
$nothingtodo = true; $nothingtodo = true;
@ -4132,7 +4132,7 @@ function api_fr_photo_delete($type)
$r = q( $r = q(
"SELECT `id` FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s'", "SELECT `id` FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s'",
intval(api_user()), intval(api_user()),
dbesc($photo_id) DBA::escape($photo_id)
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
throw new BadRequestException("photo not available"); throw new BadRequestException("photo not available");
@ -4596,7 +4596,7 @@ function prepare_photo_data($type, $scale, $photo_id)
FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s' %s GROUP BY `resource-id`", FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s' %s GROUP BY `resource-id`",
$data_sql, $data_sql,
intval(local_user()), intval(local_user()),
dbesc($photo_id), DBA::escape($photo_id),
$scale_sql $scale_sql
); );
@ -4850,7 +4850,7 @@ function api_get_nick($profile)
$r = q( $r = q(
"SELECT `nick` FROM `contact` WHERE `uid` = 0 AND `nurl` = '%s'", "SELECT `nick` FROM `contact` WHERE `uid` = 0 AND `nurl` = '%s'",
dbesc(normalise_link($profile)) DBA::escape(normalise_link($profile))
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -4860,7 +4860,7 @@ function api_get_nick($profile)
if (!$nick == "") { if (!$nick == "") {
$r = q( $r = q(
"SELECT `nick` FROM `contact` WHERE `uid` = 0 AND `nurl` = '%s'", "SELECT `nick` FROM `contact` WHERE `uid` = 0 AND `nurl` = '%s'",
dbesc(normalise_link($profile)) DBA::escape(normalise_link($profile))
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -5205,7 +5205,7 @@ function api_friendica_group_delete($type)
"SELECT * FROM `group` WHERE `uid` = %d AND `id` = %d AND `name` = '%s'", "SELECT * FROM `group` WHERE `uid` = %d AND `id` = %d AND `name` = '%s'",
intval($uid), intval($uid),
intval($gid), intval($gid),
dbesc($name) DBA::escape($name)
); );
// error message if specified gid is not in database // error message if specified gid is not in database
if (!DBA::isResult($rname)) { if (!DBA::isResult($rname)) {
@ -5290,7 +5290,7 @@ function group_create($name, $uid, $users = [])
$rname = q( $rname = q(
"SELECT * FROM `group` WHERE `uid` = %d AND `name` = '%s' AND `deleted` = 0", "SELECT * FROM `group` WHERE `uid` = %d AND `name` = '%s' AND `deleted` = 0",
intval($uid), intval($uid),
dbesc($name) DBA::escape($name)
); );
// error message if specified group name already exists // error message if specified group name already exists
if (DBA::isResult($rname)) { if (DBA::isResult($rname)) {
@ -5301,7 +5301,7 @@ function group_create($name, $uid, $users = [])
$rname = q( $rname = q(
"SELECT * FROM `group` WHERE `uid` = %d AND `name` = '%s' AND `deleted` = 1", "SELECT * FROM `group` WHERE `uid` = %d AND `name` = '%s' AND `deleted` = 1",
intval($uid), intval($uid),
dbesc($name) DBA::escape($name)
); );
// error message if specified group name already exists // error message if specified group name already exists
if (DBA::isResult($rname)) { if (DBA::isResult($rname)) {
@ -5728,7 +5728,7 @@ function api_friendica_direct_messages_search($type, $box = "")
$r = q( $r = q(
"SELECT `mail`.*, `contact`.`nurl` AS `contact-url` FROM `mail`,`contact` WHERE `mail`.`contact-id` = `contact`.`id` AND `mail`.`uid`=%d AND `body` LIKE '%s' ORDER BY `mail`.`id` DESC", "SELECT `mail`.*, `contact`.`nurl` AS `contact-url` FROM `mail`,`contact` WHERE `mail`.`contact-id` = `contact`.`id` AND `mail`.`uid`=%d AND `body` LIKE '%s' ORDER BY `mail`.`id` DESC",
intval($uid), intval($uid),
dbesc('%'.$searchstring.'%') DBA::escape('%'.$searchstring.'%')
); );
$profile_url = $user_info["url"]; $profile_url = $user_info["url"];

View file

@ -2,14 +2,6 @@
use Friendica\Database\DBA; use Friendica\Database\DBA;
function dbesc($str) {
if (DBA::$connected) {
return(DBA::escape($str));
} else {
return(str_replace("'","\\'",$str));
}
}
/** /**
* @brief execute SQL query with printf style args - deprecated * @brief execute SQL query with printf style args - deprecated
* *
@ -49,7 +41,3 @@ function q($sql) {
return $data; return $data;
} }
function dba_timer() {
return microtime(true);
}

View file

@ -118,7 +118,7 @@ function notification($params)
intval(NOTIFY_TAGSELF), intval(NOTIFY_TAGSELF),
intval(NOTIFY_COMMENT), intval(NOTIFY_COMMENT),
intval(NOTIFY_SHARE), intval(NOTIFY_SHARE),
dbesc($params['link']), DBA::escape($params['link']),
intval($params['uid']) intval($params['uid'])
); );
if ($p && count($p)) { if ($p && count($p)) {
@ -436,7 +436,7 @@ function notification($params)
$dups = false; $dups = false;
$hash = random_string(); $hash = random_string();
$r = q("SELECT `id` FROM `notify` WHERE `hash` = '%s' LIMIT 1", $r = q("SELECT `id` FROM `notify` WHERE `hash` = '%s' LIMIT 1",
dbesc($hash)); DBA::escape($hash));
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
$dups = true; $dups = true;
} }
@ -469,23 +469,23 @@ function notification($params)
// create notification entry in DB // create notification entry in DB
q("INSERT INTO `notify` (`hash`, `name`, `url`, `photo`, `date`, `uid`, `link`, `iid`, `parent`, `type`, `verb`, `otype`, `name_cache`) q("INSERT INTO `notify` (`hash`, `name`, `url`, `photo`, `date`, `uid`, `link`, `iid`, `parent`, `type`, `verb`, `otype`, `name_cache`)
values('%s', '%s', '%s', '%s', '%s', %d, '%s', %d, %d, %d, '%s', '%s', '%s')", values('%s', '%s', '%s', '%s', '%s', %d, '%s', %d, %d, %d, '%s', '%s', '%s')",
dbesc($datarray['hash']), DBA::escape($datarray['hash']),
dbesc($datarray['name']), DBA::escape($datarray['name']),
dbesc($datarray['url']), DBA::escape($datarray['url']),
dbesc($datarray['photo']), DBA::escape($datarray['photo']),
dbesc($datarray['date']), DBA::escape($datarray['date']),
intval($datarray['uid']), intval($datarray['uid']),
dbesc($datarray['link']), DBA::escape($datarray['link']),
intval($datarray['iid']), intval($datarray['iid']),
intval($datarray['parent']), intval($datarray['parent']),
intval($datarray['type']), intval($datarray['type']),
dbesc($datarray['verb']), DBA::escape($datarray['verb']),
dbesc($datarray['otype']), DBA::escape($datarray['otype']),
dbesc($datarray["name_cache"]) DBA::escape($datarray["name_cache"])
); );
$r = q("SELECT `id` FROM `notify` WHERE `hash` = '%s' AND `uid` = %d LIMIT 1", $r = q("SELECT `id` FROM `notify` WHERE `hash` = '%s' AND `uid` = %d LIMIT 1",
dbesc($hash), DBA::escape($hash),
intval($params['uid']) intval($params['uid'])
); );
if ($r) { if ($r) {
@ -500,7 +500,7 @@ function notification($params)
$p = q("SELECT `id` FROM `notify` WHERE `type` IN (%d, %d) AND `link` = '%s' AND `uid` = %d ORDER BY `id`", $p = q("SELECT `id` FROM `notify` WHERE `type` IN (%d, %d) AND `link` = '%s' AND `uid` = %d ORDER BY `id`",
intval(NOTIFY_TAGSELF), intval(NOTIFY_TAGSELF),
intval(NOTIFY_COMMENT), intval(NOTIFY_COMMENT),
dbesc($params['link']), DBA::escape($params['link']),
intval($params['uid']) intval($params['uid'])
); );
if ($p && (count($p) > 1)) { if ($p && (count($p) > 1)) {
@ -519,8 +519,8 @@ function notification($params)
$msg = replace_macros($epreamble, ['$itemlink' => $itemlink]); $msg = replace_macros($epreamble, ['$itemlink' => $itemlink]);
$msg_cache = format_notification_message($datarray['name_cache'], strip_tags(BBCode::convert($msg))); $msg_cache = format_notification_message($datarray['name_cache'], strip_tags(BBCode::convert($msg)));
q("UPDATE `notify` SET `msg` = '%s', `msg_cache` = '%s' WHERE `id` = %d AND `uid` = %d", q("UPDATE `notify` SET `msg` = '%s', `msg_cache` = '%s' WHERE `id` = %d AND `uid` = %d",
dbesc($msg), DBA::escape($msg),
dbesc($msg_cache), DBA::escape($msg_cache),
intval($notify_id), intval($notify_id),
intval($params['uid']) intval($params['uid'])
); );

View file

@ -263,7 +263,7 @@ function consume_feed($xml, $importer, $contact, &$hub, $datedir = 0, $pass = 0)
FROM `contact` FROM `contact`
LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid` LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid`
WHERE `contact`.`id` = %d AND `user`.`uid` = %d", WHERE `contact`.`id` = %d AND `user`.`uid` = %d",
dbesc($contact["id"]), dbesc($importer["uid"]) DBA::escape($contact["id"]), DBA::escape($importer["uid"])
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
logger("Now import the DFRN feed"); logger("Now import the DFRN feed");

View file

@ -322,9 +322,9 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null)
) )
", ",
intval($remote_user), intval($remote_user),
dbesc($gs), DBA::escape($gs),
intval($remote_user), intval($remote_user),
dbesc($gs) DBA::escape($gs)
); );
} }
} }
@ -385,9 +385,9 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul
AND ( `item`.allow_cid REGEXP '<%d>' OR `item`.allow_gid REGEXP '%s' OR ( `item`.allow_cid = '' AND `item`.allow_gid = ''))))) AND ( `item`.allow_cid REGEXP '<%d>' OR `item`.allow_gid REGEXP '%s' OR ( `item`.allow_cid = '' AND `item`.allow_gid = '')))))
", ",
intval($remote_user), intval($remote_user),
dbesc($gs), DBA::escape($gs),
intval($remote_user), intval($remote_user),
dbesc($gs) DBA::escape($gs)
); );
} }
} }

View file

@ -755,9 +755,9 @@ function contact_block() {
AND NOT `pending` AND NOT `hidden` AND NOT `archive` AND NOT `pending` AND NOT `hidden` AND NOT `archive`
AND `network` IN ('%s', '%s', '%s')", AND `network` IN ('%s', '%s', '%s')",
intval($a->profile['uid']), intval($a->profile['uid']),
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
dbesc(NETWORK_OSTATUS), DBA::escape(NETWORK_OSTATUS),
dbesc(NETWORK_DIASPORA) DBA::escape(NETWORK_DIASPORA)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
$total = intval($r[0]['total']); $total = intval($r[0]['total']);
@ -773,9 +773,9 @@ function contact_block() {
AND `network` IN ('%s', '%s', '%s') AND `network` IN ('%s', '%s', '%s')
ORDER BY RAND() LIMIT %d", ORDER BY RAND() LIMIT %d",
intval($a->profile['uid']), intval($a->profile['uid']),
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
dbesc(NETWORK_OSTATUS), DBA::escape(NETWORK_OSTATUS),
dbesc(NETWORK_DIASPORA), DBA::escape(NETWORK_DIASPORA),
intval($shown) intval($shown)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -784,7 +784,7 @@ function contact_block() {
$contacts[] = $contact["id"]; $contacts[] = $contact["id"];
} }
$r = q("SELECT `id`, `uid`, `addr`, `url`, `name`, `thumb`, `network` FROM `contact` WHERE `id` IN (%s)", $r = q("SELECT `id`, `uid`, `addr`, `url`, `name`, `thumb`, `network` FROM `contact` WHERE `id` IN (%s)",
dbesc(implode(",", $contacts))); DBA::escape(implode(",", $contacts)));
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
$contacts = L10n::tt('%d Contact', '%d Contacts', $total); $contacts = L10n::tt('%d Contact', '%d Contacts', $total);
@ -1467,7 +1467,7 @@ function generate_user_guid() {
do { do {
$guid = System::createGUID(32); $guid = System::createGUID(32);
$x = q("SELECT `uid` FROM `user` WHERE `guid` = '%s' LIMIT 1", $x = q("SELECT `uid` FROM `user` WHERE `guid` = '%s' LIMIT 1",
dbesc($guid) DBA::escape($guid)
); );
if (!DBA::isResult($x)) { if (!DBA::isResult($x)) {
$found = false; $found = false;
@ -1659,7 +1659,7 @@ function file_tag_file_query($table,$s,$type = 'file') {
} else { } else {
$str = preg_quote('<' . str_replace('%', '%%', file_tag_encode($s)) . '>'); $str = preg_quote('<' . str_replace('%', '%%', file_tag_encode($s)) . '>');
} }
return " AND " . (($table) ? dbesc($table) . '.' : '') . "file regexp '" . dbesc($str) . "' "; return " AND " . (($table) ? DBA::escape($table) . '.' : '') . "file regexp '" . DBA::escape($str) . "' ";
} }
// ex. given music,video return <music><video> or [music][video] // ex. given music,video return <music><video> or [music][video]
@ -1753,7 +1753,7 @@ function file_tag_update_pconfig($uid, $file_old, $file_new, $type = 'file') {
foreach ($deleted_tags as $key => $tag) { foreach ($deleted_tags as $key => $tag) {
$r = q("SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d", $r = q("SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d",
dbesc($tag), DBA::escape($tag),
intval(TERM_OBJ_POST), intval(TERM_OBJ_POST),
intval($termtype), intval($termtype),
intval($uid)); intval($uid));
@ -1819,7 +1819,7 @@ function file_tag_unsave_file($uid, $item_id, $file, $cat = false)
Item::update($fields, ['id' => $item_id]); Item::update($fields, ['id' => $item_id]);
$r = q("SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d", $r = q("SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d",
dbesc($file), DBA::escape($file),
intval(TERM_OBJ_POST), intval(TERM_OBJ_POST),
intval($termtype), intval($termtype),
intval($uid) intval($uid)

View file

@ -36,8 +36,8 @@ function acl_content(App $a)
logger("Searching for ".$search." - type ".$type." conversation ".$conv_id, LOGGER_DEBUG); logger("Searching for ".$search." - type ".$type." conversation ".$conv_id, LOGGER_DEBUG);
if ($search != '') { if ($search != '') {
$sql_extra = "AND `name` LIKE '%%" . dbesc($search) . "%%'"; $sql_extra = "AND `name` LIKE '%%" . DBA::escape($search) . "%%'";
$sql_extra2 = "AND (`attag` LIKE '%%" . dbesc($search) . "%%' OR `name` LIKE '%%" . dbesc($search) . "%%' OR `nick` LIKE '%%" . dbesc($search) . "%%')"; $sql_extra2 = "AND (`attag` LIKE '%%" . DBA::escape($search) . "%%' OR `name` LIKE '%%" . DBA::escape($search) . "%%' OR `nick` LIKE '%%" . DBA::escape($search) . "%%')";
} else { } else {
/// @TODO Avoid these needless else blocks by putting variable-initialization atop of if() /// @TODO Avoid these needless else blocks by putting variable-initialization atop of if()
$sql_extra = $sql_extra2 = ''; $sql_extra = $sql_extra2 = '';
@ -84,8 +84,8 @@ function acl_content(App $a)
AND `success_update` >= `failure_update` AND `success_update` >= `failure_update`
AND `network` IN ('%s', '%s') $sql_extra2", AND `network` IN ('%s', '%s') $sql_extra2",
intval(local_user()), intval(local_user()),
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
dbesc(NETWORK_DIASPORA) DBA::escape(NETWORK_DIASPORA)
); );
$contact_count = (int) $r[0]['c']; $contact_count = (int) $r[0]['c'];
} elseif ($type == 'a') { } elseif ($type == 'a') {
@ -143,8 +143,8 @@ function acl_content(App $a)
$sql_extra2 $sql_extra2
ORDER BY `name` ASC ", ORDER BY `name` ASC ",
intval(local_user()), intval(local_user()),
dbesc(NETWORK_OSTATUS), DBA::escape(NETWORK_OSTATUS),
dbesc(NETWORK_STATUSNET) DBA::escape(NETWORK_STATUSNET)
); );
} elseif ($type == 'c') { } elseif ($type == 'c') {
$r = q("SELECT `id`, `name`, `nick`, `micro`, `network`, `url`, `attag`, `addr`, `forum`, `prv` FROM `contact` $r = q("SELECT `id`, `name`, `nick`, `micro`, `network`, `url`, `attag`, `addr`, `forum`, `prv` FROM `contact`
@ -153,7 +153,7 @@ function acl_content(App $a)
$sql_extra2 $sql_extra2
ORDER BY `name` ASC ", ORDER BY `name` ASC ",
intval(local_user()), intval(local_user()),
dbesc(NETWORK_STATUSNET) DBA::escape(NETWORK_STATUSNET)
); );
} elseif ($type == 'f') { } elseif ($type == 'f') {
$r = q("SELECT `id`, `name`, `nick`, `micro`, `network`, `url`, `attag`, `addr`, `forum`, `prv` FROM `contact` $r = q("SELECT `id`, `name`, `nick`, `micro`, `network`, `url`, `attag`, `addr`, `forum`, `prv` FROM `contact`
@ -163,7 +163,7 @@ function acl_content(App $a)
$sql_extra2 $sql_extra2
ORDER BY `name` ASC ", ORDER BY `name` ASC ",
intval(local_user()), intval(local_user()),
dbesc(NETWORK_STATUSNET) DBA::escape(NETWORK_STATUSNET)
); );
} elseif ($type == 'm') { } elseif ($type == 'm') {
$r = q("SELECT `id`, `name`, `nick`, `micro`, `network`, `url`, `attag`, `addr` FROM `contact` $r = q("SELECT `id`, `name`, `nick`, `micro`, `network`, `url`, `attag`, `addr` FROM `contact`
@ -172,8 +172,8 @@ function acl_content(App $a)
$sql_extra2 $sql_extra2
ORDER BY `name` ASC ", ORDER BY `name` ASC ",
intval(local_user()), intval(local_user()),
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
dbesc(NETWORK_DIASPORA) DBA::escape(NETWORK_DIASPORA)
); );
} elseif ($type == 'a') { } elseif ($type == 'a') {
$r = q("SELECT `id`, `name`, `nick`, `micro`, `network`, `url`, `attag`, `addr`, `forum`, `prv` FROM `contact` $r = q("SELECT `id`, `name`, `nick`, `micro`, `network`, `url`, `attag`, `addr`, `forum`, `prv` FROM `contact`

View file

@ -816,7 +816,7 @@ function admin_page_workerqueue(App $a)
function admin_page_summary(App $a) function admin_page_summary(App $a)
{ {
// are there MyISAM tables in the DB? If so, trigger a warning message // are there MyISAM tables in the DB? If so, trigger a warning message
$r = q("SELECT `engine` FROM `information_schema`.`tables` WHERE `engine` = 'myisam' AND `table_schema` = '%s' LIMIT 1", dbesc(DBA::databaseName())); $r = q("SELECT `engine` FROM `information_schema`.`tables` WHERE `engine` = 'myisam' AND `table_schema` = '%s' LIMIT 1", DBA::escape(DBA::databaseName()));
$showwarning = false; $showwarning = false;
$warningtext = []; $warningtext = [];
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -949,8 +949,8 @@ function admin_page_site_post(App $a)
function update_table($table_name, $fields, $old_url, $new_url) function update_table($table_name, $fields, $old_url, $new_url)
{ {
$dbold = dbesc($old_url); $dbold = DBA::escape($old_url);
$dbnew = dbesc($new_url); $dbnew = DBA::escape($new_url);
$upd = []; $upd = [];
foreach ($fields as $f) { foreach ($fields as $f) {

View file

@ -20,7 +20,7 @@ function oauth_get_client($request)
$r = q("SELECT `clients`.* $r = q("SELECT `clients`.*
FROM `clients`, `tokens` FROM `clients`, `tokens`
WHERE `clients`.`client_id`=`tokens`.`client_id` WHERE `clients`.`client_id`=`tokens`.`client_id`
AND `tokens`.`id`='%s' AND `tokens`.`scope`='request'", dbesc($token)); AND `tokens`.`id`='%s' AND `tokens`.`scope`='request'", DBA::escape($token));
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
return null; return null;

View file

@ -32,7 +32,7 @@ function attach_init(App $a)
// Now we'll see if we can access the attachment // Now we'll see if we can access the attachment
$r = q("SELECT * FROM `attach` WHERE `id` = '%d' $sql_extra LIMIT 1", $r = q("SELECT * FROM `attach` WHERE `id` = '%d' $sql_extra LIMIT 1",
dbesc($item_id) DBA::escape($item_id)
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {

View file

@ -216,11 +216,11 @@ function contacts_post(App $a)
`ffi_keyword_blacklist` = '%s' WHERE `id` = %d AND `uid` = %d", `ffi_keyword_blacklist` = '%s' WHERE `id` = %d AND `uid` = %d",
intval($profile_id), intval($profile_id),
intval($priority), intval($priority),
dbesc($info), DBA::escape($info),
intval($hidden), intval($hidden),
intval($notify), intval($notify),
intval($fetch_further_information), intval($fetch_further_information),
dbesc($ffi_keyword_blacklist), DBA::escape($ffi_keyword_blacklist),
intval($contact_id), intval($contact_id),
intval(local_user()) intval(local_user())
); );
@ -308,7 +308,7 @@ function _contact_update_profile($contact_id)
$query .= ", "; $query .= ", ";
} }
$query .= "`" . $key . "` = '" . dbesc($value) . "'"; $query .= "`" . $key . "` = '" . DBA::escape($value) . "'";
} }
if ($query == "") { if ($query == "") {
@ -773,12 +773,12 @@ function contacts_content(App $a)
if ($search) { if ($search) {
$searching = true; $searching = true;
$search_hdr = $search; $search_hdr = $search;
$search_txt = dbesc(protect_sprintf(preg_quote($search))); $search_txt = DBA::escape(protect_sprintf(preg_quote($search)));
$sql_extra .= " AND (name REGEXP '$search_txt' OR url REGEXP '$search_txt' OR nick REGEXP '$search_txt') "; $sql_extra .= " AND (name REGEXP '$search_txt' OR url REGEXP '$search_txt' OR nick REGEXP '$search_txt') ";
} }
if ($nets) { if ($nets) {
$sql_extra .= sprintf(" AND network = '%s' ", dbesc($nets)); $sql_extra .= sprintf(" AND network = '%s' ", DBA::escape($nets));
} }
$sql_extra2 = ((($sort_type > 0) && ($sort_type <= CONTACT_IS_FRIEND)) ? sprintf(" AND `rel` = %d ", intval($sort_type)) : ''); $sql_extra2 = ((($sort_type > 0) && ($sort_type <= CONTACT_IS_FRIEND)) ? sprintf(" AND `rel` = %d ", intval($sort_type)) : '');

View file

@ -64,15 +64,15 @@ function crepair_post(App $a)
$r = q("UPDATE `contact` SET `name` = '%s', `nick` = '%s', `url` = '%s', `nurl` = '%s', `request` = '%s', `confirm` = '%s', `notify` = '%s', `poll` = '%s', `attag` = '%s' , `remote_self` = %d $r = q("UPDATE `contact` SET `name` = '%s', `nick` = '%s', `url` = '%s', `nurl` = '%s', `request` = '%s', `confirm` = '%s', `notify` = '%s', `poll` = '%s', `attag` = '%s' , `remote_self` = %d
WHERE `id` = %d AND `uid` = %d", WHERE `id` = %d AND `uid` = %d",
dbesc($name), DBA::escape($name),
dbesc($nick), DBA::escape($nick),
dbesc($url), DBA::escape($url),
dbesc($nurl), DBA::escape($nurl),
dbesc($request), DBA::escape($request),
dbesc($confirm), DBA::escape($confirm),
dbesc($notify), DBA::escape($notify),
dbesc($poll), DBA::escape($poll),
dbesc($attag), DBA::escape($attag),
intval($remote_self), intval($remote_self),
intval($contact['id']), intval($contact['id']),
local_user() local_user()

View file

@ -110,14 +110,14 @@ function delegate_content(App $a)
AND SUBSTRING_INDEX(`nurl`, '/', 3) = '%s' AND SUBSTRING_INDEX(`nurl`, '/', 3) = '%s'
AND `uid` = %d AND `uid` = %d
AND `network` = '%s' ", AND `network` = '%s' ",
dbesc(normalise_link(System::baseUrl())), DBA::escape(normalise_link(System::baseUrl())),
intval(local_user()), intval(local_user()),
dbesc(NETWORK_DFRN) DBA::escape(NETWORK_DFRN)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
$nicknames = []; $nicknames = [];
foreach ($r as $rr) { foreach ($r as $rr) {
$nicknames[] = "'" . dbesc(basename($rr['nurl'])) . "'"; $nicknames[] = "'" . DBA::escape(basename($rr['nurl'])) . "'";
} }
$nicks = implode(',', $nicknames); $nicks = implode(',', $nicknames);

View file

@ -117,7 +117,7 @@ function dfrn_confirm_post(App $a, $handsfree = null)
AND `uid` = %d AND `uid` = %d
AND `duplex` = 0 AND `duplex` = 0
LIMIT 1", LIMIT 1",
dbesc($dfrn_id), DBA::escape($dfrn_id),
intval($cid), intval($cid),
intval($uid) intval($uid)
); );
@ -157,7 +157,7 @@ function dfrn_confirm_post(App $a, $handsfree = null)
// Save the private key. Send them the public key. // Save the private key. Send them the public key.
q("UPDATE `contact` SET `prvkey` = '%s' WHERE `id` = %d AND `uid` = %d", q("UPDATE `contact` SET `prvkey` = '%s' WHERE `id` = %d AND `uid` = %d",
dbesc($private_key), DBA::escape($private_key),
intval($contact_id), intval($contact_id),
intval($uid) intval($uid)
); );
@ -261,7 +261,7 @@ function dfrn_confirm_post(App $a, $handsfree = null)
// birthday paradox - generate new dfrn-id and fall through. // birthday paradox - generate new dfrn-id and fall through.
$new_dfrn_id = random_string(); $new_dfrn_id = random_string();
q("UPDATE contact SET `issued-id` = '%s' WHERE `id` = %d AND `uid` = %d", q("UPDATE contact SET `issued-id` = '%s' WHERE `id` = %d AND `uid` = %d",
dbesc($new_dfrn_id), DBA::escape($new_dfrn_id),
intval($contact_id), intval($contact_id),
intval($uid) intval($uid)
); );
@ -324,11 +324,11 @@ function dfrn_confirm_post(App $a, $handsfree = null)
`network` = '%s' WHERE `id` = %d `network` = '%s' WHERE `id` = %d
", ",
intval($new_relation), intval($new_relation),
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
intval($duplex), intval($duplex),
intval($hidden), intval($hidden),
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
intval($contact_id) intval($contact_id)
); );
} else { } else {
@ -372,12 +372,12 @@ function dfrn_confirm_post(App $a, $handsfree = null)
`rel` = %d `rel` = %d
WHERE `id` = %d WHERE `id` = %d
", ",
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
dbesc($addr), DBA::escape($addr),
dbesc($notify), DBA::escape($notify),
dbesc($poll), DBA::escape($poll),
dbesc($network), DBA::escape($network),
intval($writable), intval($writable),
intval($hidden), intval($hidden),
intval($new_relation), intval($new_relation),
@ -517,8 +517,8 @@ function dfrn_confirm_post(App $a, $handsfree = null)
} }
$r = q("UPDATE `contact` SET `dfrn-id` = '%s', `pubkey` = '%s' WHERE `id` = %d", $r = q("UPDATE `contact` SET `dfrn-id` = '%s', `pubkey` = '%s' WHERE `id` = %d",
dbesc($decrypted_dfrn_id), DBA::escape($decrypted_dfrn_id),
dbesc($dfrn_pubkey), DBA::escape($dfrn_pubkey),
intval($dfrn_record) intval($dfrn_record)
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
@ -568,12 +568,12 @@ function dfrn_confirm_post(App $a, $handsfree = null)
`network` = '%s' WHERE `id` = %d `network` = '%s' WHERE `id` = %d
", ",
intval($new_relation), intval($new_relation),
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
intval($duplex), intval($duplex),
intval($forum), intval($forum),
intval($prv), intval($prv),
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
intval($dfrn_record) intval($dfrn_record)
); );
if (!DBA::isResult($r)) { // indicates schema is messed up or total db failure if (!DBA::isResult($r)) { // indicates schema is messed up or total db failure

View file

@ -74,13 +74,13 @@ function dfrn_notify_post(App $a) {
$sql_extra = ''; $sql_extra = '';
switch ($direction) { switch ($direction) {
case (-1): case (-1):
$sql_extra = sprintf(" AND ( `issued-id` = '%s' OR `dfrn-id` = '%s' ) ", dbesc($dfrn_id), dbesc($dfrn_id)); $sql_extra = sprintf(" AND ( `issued-id` = '%s' OR `dfrn-id` = '%s' ) ", DBA::escape($dfrn_id), DBA::escape($dfrn_id));
break; break;
case 0: case 0:
$sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); $sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
break; break;
case 1: case 1:
$sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); $sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
break; break;
default: default:
System::xmlExit(3, 'Invalid direction'); System::xmlExit(3, 'Invalid direction');
@ -104,7 +104,7 @@ function dfrn_notify_post(App $a) {
LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid` LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid`
WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0 WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0
AND `user`.`nickname` = '%s' AND `user`.`account_expired` = 0 AND `user`.`account_removed` = 0 $sql_extra LIMIT 1", AND `user`.`nickname` = '%s' AND `user`.`account_expired` = 0 AND `user`.`account_removed` = 0 $sql_extra LIMIT 1",
dbesc($a->argv[1]) DBA::escape($a->argv[1])
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
@ -312,15 +312,15 @@ function dfrn_notify_content(App $a) {
$sql_extra = ''; $sql_extra = '';
switch($direction) { switch($direction) {
case (-1): case (-1):
$sql_extra = sprintf(" AND (`issued-id` = '%s' OR `dfrn-id` = '%s') ", dbesc($dfrn_id), dbesc($dfrn_id)); $sql_extra = sprintf(" AND (`issued-id` = '%s' OR `dfrn-id` = '%s') ", DBA::escape($dfrn_id), DBA::escape($dfrn_id));
$my_id = $dfrn_id; $my_id = $dfrn_id;
break; break;
case 0: case 0:
$sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); $sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '1:' . $dfrn_id; $my_id = '1:' . $dfrn_id;
break; break;
case 1: case 1:
$sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); $sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '0:' . $dfrn_id; $my_id = '0:' . $dfrn_id;
break; break;
default: default:
@ -331,7 +331,7 @@ function dfrn_notify_content(App $a) {
$r = q("SELECT `contact`.*, `user`.`nickname`, `user`.`page-flags` FROM `contact` LEFT JOIN `user` ON `user`.`uid` = `contact`.`uid` $r = q("SELECT `contact`.*, `user`.`nickname`, `user`.`page-flags` FROM `contact` LEFT JOIN `user` ON `user`.`uid` = `contact`.`uid`
WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0 AND `user`.`nickname` = '%s' WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0 AND `user`.`nickname` = '%s'
AND `user`.`account_expired` = 0 AND `user`.`account_removed` = 0 $sql_extra LIMIT 1", AND `user`.`account_expired` = 0 AND `user`.`account_removed` = 0 $sql_extra LIMIT 1",
dbesc($a->argv[1]) DBA::escape($a->argv[1])
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {

View file

@ -56,7 +56,7 @@ function dfrn_poll_init(App $a)
$user = ''; $user = '';
if ($a->argc > 1) { if ($a->argc > 1) {
$r = q("SELECT `hidewall`,`nickname` FROM `user` WHERE `user`.`nickname` = '%s' LIMIT 1", $r = q("SELECT `hidewall`,`nickname` FROM `user` WHERE `user`.`nickname` = '%s' LIMIT 1",
dbesc($a->argv[1]) DBA::escape($a->argv[1])
); );
if (!$r) { if (!$r) {
System::httpExit(404); System::httpExit(404);
@ -77,15 +77,15 @@ function dfrn_poll_init(App $a)
$sql_extra = ''; $sql_extra = '';
switch ($direction) { switch ($direction) {
case -1: case -1:
$sql_extra = sprintf(" AND ( `dfrn-id` = '%s' OR `issued-id` = '%s' ) ", dbesc($dfrn_id), dbesc($dfrn_id)); $sql_extra = sprintf(" AND ( `dfrn-id` = '%s' OR `issued-id` = '%s' ) ", DBA::escape($dfrn_id), DBA::escape($dfrn_id));
$my_id = $dfrn_id; $my_id = $dfrn_id;
break; break;
case 0: case 0:
$sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); $sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '1:' . $dfrn_id; $my_id = '1:' . $dfrn_id;
break; break;
case 1: case 1:
$sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); $sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '0:' . $dfrn_id; $my_id = '0:' . $dfrn_id;
break; break;
default: default:
@ -97,7 +97,7 @@ function dfrn_poll_init(App $a)
FROM `contact` LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid` FROM `contact` LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid`
WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0 WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0
AND `user`.`nickname` = '%s' $sql_extra LIMIT 1", AND `user`.`nickname` = '%s' $sql_extra LIMIT 1",
dbesc($a->argv[1]) DBA::escape($a->argv[1])
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -129,8 +129,8 @@ function dfrn_poll_init(App $a)
$session_id = session_id(); $session_id = session_id();
$expire = time() + 86400; $expire = time() + 86400;
q("UPDATE `session` SET `expire` = '%s' WHERE `sid` = '%s'", q("UPDATE `session` SET `expire` = '%s' WHERE `sid` = '%s'",
dbesc($expire), DBA::escape($expire),
dbesc($session_id) DBA::escape($session_id)
); );
} }
} }
@ -144,7 +144,7 @@ function dfrn_poll_init(App $a)
if ((strlen($challenge)) && (strlen($sec))) { if ((strlen($challenge)) && (strlen($sec))) {
DBA::delete('profile_check', ["`expire` < ?", time()]); DBA::delete('profile_check', ["`expire` < ?", time()]);
$r = q("SELECT * FROM `profile_check` WHERE `sec` = '%s' ORDER BY `expire` DESC LIMIT 1", $r = q("SELECT * FROM `profile_check` WHERE `sec` = '%s' ORDER BY `expire` DESC LIMIT 1",
dbesc($sec) DBA::escape($sec)
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
System::xmlExit(3, 'No ticket'); System::xmlExit(3, 'No ticket');
@ -209,7 +209,7 @@ function dfrn_poll_init(App $a)
DBA::delete('profile_check', ["`expire` < ?", time()]); DBA::delete('profile_check', ["`expire` < ?", time()]);
$r = q("SELECT * FROM `profile_check` WHERE `dfrn_id` = '%s' ORDER BY `expire` DESC", $r = q("SELECT * FROM `profile_check` WHERE `dfrn_id` = '%s' ORDER BY `expire` DESC",
dbesc($dfrn_id)); DBA::escape($dfrn_id));
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
System::xmlExit(1); System::xmlExit(1);
return; // NOTREACHED return; // NOTREACHED
@ -236,7 +236,7 @@ function dfrn_poll_post(App $a)
DBA::delete('profile_check', ["`expire` < ?", time()]); DBA::delete('profile_check', ["`expire` < ?", time()]);
$r = q("SELECT * FROM `profile_check` WHERE `sec` = '%s' ORDER BY `expire` DESC LIMIT 1", $r = q("SELECT * FROM `profile_check` WHERE `sec` = '%s' ORDER BY `expire` DESC LIMIT 1",
dbesc($sec) DBA::escape($sec)
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
System::xmlExit(3, 'No ticket'); System::xmlExit(3, 'No ticket');
@ -296,8 +296,8 @@ function dfrn_poll_post(App $a)
} }
$r = q("SELECT * FROM `challenge` WHERE `dfrn-id` = '%s' AND `challenge` = '%s' LIMIT 1", $r = q("SELECT * FROM `challenge` WHERE `dfrn-id` = '%s' AND `challenge` = '%s' LIMIT 1",
dbesc($dfrn_id), DBA::escape($dfrn_id),
dbesc($challenge) DBA::escape($challenge)
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
@ -312,15 +312,15 @@ function dfrn_poll_post(App $a)
$sql_extra = ''; $sql_extra = '';
switch ($direction) { switch ($direction) {
case -1: case -1:
$sql_extra = sprintf(" AND `issued-id` = '%s' ", dbesc($dfrn_id)); $sql_extra = sprintf(" AND `issued-id` = '%s' ", DBA::escape($dfrn_id));
$my_id = $dfrn_id; $my_id = $dfrn_id;
break; break;
case 0: case 0:
$sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); $sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '1:' . $dfrn_id; $my_id = '1:' . $dfrn_id;
break; break;
case 1: case 1:
$sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); $sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '0:' . $dfrn_id; $my_id = '0:' . $dfrn_id;
break; break;
default: default:
@ -339,7 +339,7 @@ function dfrn_poll_post(App $a)
if ($type === 'reputation' && strlen($url)) { if ($type === 'reputation' && strlen($url)) {
$r = q("SELECT * FROM `contact` WHERE `url` = '%s' AND `uid` = %d LIMIT 1", $r = q("SELECT * FROM `contact` WHERE `url` = '%s' AND `uid` = %d LIMIT 1",
dbesc($url), DBA::escape($url),
intval($owner_uid) intval($owner_uid)
); );
$reputation = 0; $reputation = 0;
@ -417,11 +417,11 @@ function dfrn_poll_content(App $a)
if ($type !== 'profile') { if ($type !== 'profile') {
$r = q("INSERT INTO `challenge` ( `challenge`, `dfrn-id`, `expire` , `type`, `last_update` ) $r = q("INSERT INTO `challenge` ( `challenge`, `dfrn-id`, `expire` , `type`, `last_update` )
VALUES( '%s', '%s', '%s', '%s', '%s' ) ", VALUES( '%s', '%s', '%s', '%s', '%s' ) ",
dbesc($hash), DBA::escape($hash),
dbesc($dfrn_id), DBA::escape($dfrn_id),
intval(time() + 60 ), intval(time() + 60 ),
dbesc($type), DBA::escape($type),
dbesc($last_update) DBA::escape($last_update)
); );
} }
@ -429,19 +429,19 @@ function dfrn_poll_content(App $a)
switch ($direction) { switch ($direction) {
case -1: case -1:
if ($type === 'profile') { if ($type === 'profile') {
$sql_extra = sprintf(" AND ( `dfrn-id` = '%s' OR `issued-id` = '%s' ) ", dbesc($dfrn_id), dbesc($dfrn_id)); $sql_extra = sprintf(" AND ( `dfrn-id` = '%s' OR `issued-id` = '%s' ) ", DBA::escape($dfrn_id), DBA::escape($dfrn_id));
} else { } else {
$sql_extra = sprintf(" AND `issued-id` = '%s' ", dbesc($dfrn_id)); $sql_extra = sprintf(" AND `issued-id` = '%s' ", DBA::escape($dfrn_id));
} }
$my_id = $dfrn_id; $my_id = $dfrn_id;
break; break;
case 0: case 0:
$sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); $sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '1:' . $dfrn_id; $my_id = '1:' . $dfrn_id;
break; break;
case 1: case 1:
$sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); $sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '0:' . $dfrn_id; $my_id = '0:' . $dfrn_id;
break; break;
default: default:
@ -455,7 +455,7 @@ function dfrn_poll_content(App $a)
FROM `contact` LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid` FROM `contact` LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid`
WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0 WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0
AND `user`.`nickname` = '%s' $sql_extra LIMIT 1", AND `user`.`nickname` = '%s' $sql_extra LIMIT 1",
dbesc($nickname) DBA::escape($nickname)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
$challenge = ''; $challenge = '';
@ -546,8 +546,8 @@ function dfrn_poll_content(App $a)
$session_id = session_id(); $session_id = session_id();
$expire = time() + 86400; $expire = time() + 86400;
q("UPDATE `session` SET `expire` = '%s' WHERE `sid` = '%s'", q("UPDATE `session` SET `expire` = '%s' WHERE `sid` = '%s'",
dbesc($expire), DBA::escape($expire),
dbesc($session_id) DBA::escape($session_id)
); );
} }

View file

@ -84,7 +84,7 @@ function dfrn_request_post(App $a)
// Lookup the contact based on their URL (which is the only unique thing we have at the moment) // Lookup the contact based on their URL (which is the only unique thing we have at the moment)
$r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `nurl` = '%s' AND NOT `self` LIMIT 1", $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `nurl` = '%s' AND NOT `self` LIMIT 1",
intval(local_user()), intval(local_user()),
dbesc(normalise_link($dfrn_url)) DBA::escape(normalise_link($dfrn_url))
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -137,8 +137,8 @@ function dfrn_request_post(App $a)
VALUES ( %d, '%s', '%s', '%s', '%s', '%s' , '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d, %d, %d)", VALUES ( %d, '%s', '%s', '%s', '%s', '%s' , '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d, %d, %d)",
intval(local_user()), intval(local_user()),
DateTimeFormat::utcNow(), DateTimeFormat::utcNow(),
dbesc($dfrn_url), DBA::escape($dfrn_url),
dbesc(normalise_link($dfrn_url)), DBA::escape(normalise_link($dfrn_url)),
$parms['addr'], $parms['addr'],
$parms['fn'], $parms['fn'],
$parms['nick'], $parms['nick'],
@ -149,7 +149,7 @@ function dfrn_request_post(App $a)
$parms['dfrn-notify'], $parms['dfrn-notify'],
$parms['dfrn-poll'], $parms['dfrn-poll'],
$parms['dfrn-poco'], $parms['dfrn-poco'],
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
intval($aes_allow), intval($aes_allow),
intval($hidden), intval($hidden),
intval($blocked), intval($blocked),
@ -163,7 +163,7 @@ function dfrn_request_post(App $a)
$r = q("SELECT `id`, `network` FROM `contact` WHERE `uid` = %d AND `url` = '%s' AND `site-pubkey` = '%s' LIMIT 1", $r = q("SELECT `id`, `network` FROM `contact` WHERE `uid` = %d AND `url` = '%s' AND `site-pubkey` = '%s' LIMIT 1",
intval(local_user()), intval(local_user()),
dbesc($dfrn_url), DBA::escape($dfrn_url),
$parms['key'] // this was already escaped $parms['key'] // this was already escaped
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -239,7 +239,7 @@ function dfrn_request_post(App $a)
// Block friend request spam // Block friend request spam
if ($maxreq) { if ($maxreq) {
$r = q("SELECT * FROM `intro` WHERE `datetime` > '%s' AND `uid` = %d", $r = q("SELECT * FROM `intro` WHERE `datetime` > '%s' AND `uid` = %d",
dbesc(DateTimeFormat::utc('now - 24 hours')), DBA::escape(DateTimeFormat::utc('now - 24 hours')),
intval($uid) intval($uid)
); );
if (DBA::isResult($r) && count($r) > $maxreq) { if (DBA::isResult($r) && count($r) > $maxreq) {
@ -302,7 +302,7 @@ function dfrn_request_post(App $a)
if ($network === NETWORK_DFRN) { if ($network === NETWORK_DFRN) {
$ret = q("SELECT * FROM `contact` WHERE `uid` = %d AND `url` = '%s' AND `self` = 0 LIMIT 1", $ret = q("SELECT * FROM `contact` WHERE `uid` = %d AND `url` = '%s' AND `self` = 0 LIMIT 1",
intval($uid), intval($uid),
dbesc($url) DBA::escape($url)
); );
if (DBA::isResult($ret)) { if (DBA::isResult($ret)) {
@ -324,7 +324,7 @@ function dfrn_request_post(App $a)
// There is a contact record but no issued-id, so this // There is a contact record but no issued-id, so this
// is a reciprocal introduction from a known contact // is a reciprocal introduction from a known contact
$r = q("UPDATE `contact` SET `issued-id` = '%s' WHERE `id` = %d", $r = q("UPDATE `contact` SET `issued-id` = '%s' WHERE `id` = %d",
dbesc($issued_id), DBA::escape($issued_id),
intval($contact_record['id']) intval($contact_record['id'])
); );
} else { } else {
@ -376,9 +376,9 @@ function dfrn_request_post(App $a)
`request`, `confirm`, `notify`, `poll`, `poco`, `network`, `blocked`, `pending` ) `request`, `confirm`, `notify`, `poll`, `poco`, `network`, `blocked`, `pending` )
VALUES ( %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d )", VALUES ( %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d )",
intval($uid), intval($uid),
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
$parms['url'], $parms['url'],
dbesc(normalise_link($url)), DBA::escape(normalise_link($url)),
$parms['addr'], $parms['addr'],
$parms['fn'], $parms['fn'],
$parms['nick'], $parms['nick'],
@ -390,7 +390,7 @@ function dfrn_request_post(App $a)
$parms['dfrn-notify'], $parms['dfrn-notify'],
$parms['dfrn-poll'], $parms['dfrn-poll'],
$parms['dfrn-poco'], $parms['dfrn-poco'],
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
intval($blocked), intval($blocked),
intval($pending) intval($pending)
); );
@ -422,9 +422,9 @@ function dfrn_request_post(App $a)
intval($uid), intval($uid),
intval($contact_record['id']), intval($contact_record['id']),
((x($_POST,'knowyou') && ($_POST['knowyou'] == 1)) ? 1 : 0), ((x($_POST,'knowyou') && ($_POST['knowyou'] == 1)) ? 1 : 0),
dbesc(notags(trim($_POST['dfrn-request-message']))), DBA::escape(notags(trim($_POST['dfrn-request-message']))),
dbesc($hash), DBA::escape($hash),
dbesc(DateTimeFormat::utcNow()) DBA::escape(DateTimeFormat::utcNow())
); );
} }
@ -534,7 +534,7 @@ function dfrn_request_content(App $a)
// We could just unblock it, but first we have to jump through a few hoops to // We could just unblock it, but first we have to jump through a few hoops to
// send an email, or even to find out if we need to send an email. // send an email, or even to find out if we need to send an email.
$intro = q("SELECT * FROM `intro` WHERE `hash` = '%s' LIMIT 1", $intro = q("SELECT * FROM `intro` WHERE `hash` = '%s' LIMIT 1",
dbesc($_GET['confirm_key']) DBA::escape($_GET['confirm_key'])
); );
if (DBA::isResult($intro)) { if (DBA::isResult($intro)) {
@ -586,7 +586,7 @@ function dfrn_request_content(App $a)
// in dfrn_confirm_post() // in dfrn_confirm_post()
$r = q("UPDATE `intro` SET `blocked` = 0 WHERE `hash` = '%s'", $r = q("UPDATE `intro` SET `blocked` = 0 WHERE `hash` = '%s'",
dbesc($_GET['confirm_key']) DBA::escape($_GET['confirm_key'])
); );
} }
} }

View file

@ -60,7 +60,7 @@ function directory_content(App $a)
} }
if ($search) { if ($search) {
$search = dbesc($search); $search = DBA::escape($search);
$sql_extra = " AND ((`profile`.`name` LIKE '%$search%') OR $sql_extra = " AND ((`profile`.`name` LIKE '%$search%') OR
(`user`.`nickname` LIKE '%$search%') OR (`user`.`nickname` LIKE '%$search%') OR

View file

@ -118,9 +118,9 @@ function dirfind_content(App $a, $prefix = "") {
((`last_contact` >= `last_failure`) OR (`updated` >= `last_failure`)) AND ((`last_contact` >= `last_failure`) OR (`updated` >= `last_failure`)) AND
(`url` LIKE '%s' OR `name` LIKE '%s' OR `location` LIKE '%s' OR (`url` LIKE '%s' OR `name` LIKE '%s' OR `location` LIKE '%s' OR
`addr` LIKE '%s' OR `about` LIKE '%s' OR `keywords` LIKE '%s') $extra_sql", `addr` LIKE '%s' OR `about` LIKE '%s' OR `keywords` LIKE '%s') $extra_sql",
dbesc(NETWORK_DFRN), dbesc($ostatus), dbesc($diaspora), DBA::escape(NETWORK_DFRN), DBA::escape($ostatus), DBA::escape($diaspora),
dbesc(escape_tags($search2)), dbesc(escape_tags($search2)), dbesc(escape_tags($search2)), DBA::escape(escape_tags($search2)), DBA::escape(escape_tags($search2)), DBA::escape(escape_tags($search2)),
dbesc(escape_tags($search2)), dbesc(escape_tags($search2)), dbesc(escape_tags($search2))); DBA::escape(escape_tags($search2)), DBA::escape(escape_tags($search2)), DBA::escape(escape_tags($search2)));
$results = q("SELECT `nurl` $results = q("SELECT `nurl`
FROM `gcontact` FROM `gcontact`
@ -130,9 +130,9 @@ function dirfind_content(App $a, $prefix = "") {
`addr` LIKE '%s' OR `about` LIKE '%s' OR `keywords` LIKE '%s') $extra_sql `addr` LIKE '%s' OR `about` LIKE '%s' OR `keywords` LIKE '%s') $extra_sql
GROUP BY `nurl` GROUP BY `nurl`
ORDER BY `updated` DESC LIMIT %d, %d", ORDER BY `updated` DESC LIMIT %d, %d",
dbesc(NETWORK_DFRN), dbesc($ostatus), dbesc($diaspora), DBA::escape(NETWORK_DFRN), DBA::escape($ostatus), DBA::escape($diaspora),
dbesc(escape_tags($search2)), dbesc(escape_tags($search2)), dbesc(escape_tags($search2)), DBA::escape(escape_tags($search2)), DBA::escape(escape_tags($search2)), DBA::escape(escape_tags($search2)),
dbesc(escape_tags($search2)), dbesc(escape_tags($search2)), dbesc(escape_tags($search2)), DBA::escape(escape_tags($search2)), DBA::escape(escape_tags($search2)), DBA::escape(escape_tags($search2)),
intval($startrec), intval($perpage)); intval($startrec), intval($perpage));
$j = new stdClass(); $j = new stdClass();
$j->total = $count[0]["total"]; $j->total = $count[0]["total"];

View file

@ -39,8 +39,8 @@ function fbrowser_content(App $a)
if ($a->argc==2) { if ($a->argc==2) {
$albums = q("SELECT distinct(`album`) AS `album` FROM `photo` WHERE `uid` = %d AND `album` != '%s' AND `album` != '%s' ", $albums = q("SELECT distinct(`album`) AS `album` FROM `photo` WHERE `uid` = %d AND `album` != '%s' AND `album` != '%s' ",
intval(local_user()), intval(local_user()),
dbesc('Contact Photos'), DBA::escape('Contact Photos'),
dbesc(L10n::t('Contact Photos')) DBA::escape(L10n::t('Contact Photos'))
); );
function _map_folder1($el) function _map_folder1($el)
@ -54,7 +54,7 @@ function fbrowser_content(App $a)
$album = ""; $album = "";
if ($a->argc==3) { if ($a->argc==3) {
$album = hex2bin($a->argv[2]); $album = hex2bin($a->argv[2]);
$sql_extra = sprintf("AND `album` = '%s' ", dbesc($album)); $sql_extra = sprintf("AND `album` = '%s' ", DBA::escape($album));
$sql_extra2 = ""; $sql_extra2 = "";
$path[]=[$a->argv[2], $album]; $path[]=[$a->argv[2], $album];
} }
@ -64,8 +64,8 @@ function fbrowser_content(App $a)
FROM `photo` WHERE `uid` = %d $sql_extra AND `album` != '%s' AND `album` != '%s' FROM `photo` WHERE `uid` = %d $sql_extra AND `album` != '%s' AND `album` != '%s'
GROUP BY `resource-id` $sql_extra2", GROUP BY `resource-id` $sql_extra2",
intval(local_user()), intval(local_user()),
dbesc('Contact Photos'), DBA::escape('Contact Photos'),
dbesc(L10n::t('Contact Photos')) DBA::escape(L10n::t('Contact Photos'))
); );
function _map_files1($rr) function _map_files1($rr)
@ -77,7 +77,7 @@ function fbrowser_content(App $a)
// Take the largest picture that is smaller or equal 640 pixels // Take the largest picture that is smaller or equal 640 pixels
$p = q("SELECT `scale` FROM `photo` WHERE `resource-id` = '%s' AND `height` <= 640 AND `width` <= 640 ORDER BY `resource-id`, `scale` LIMIT 1", $p = q("SELECT `scale` FROM `photo` WHERE `resource-id` = '%s' AND `height` <= 640 AND `width` <= 640 ORDER BY `resource-id`, `scale` LIMIT 1",
dbesc($rr['resource-id'])); DBA::escape($rr['resource-id']));
if ($p) { if ($p) {
$scale = $p[0]["scale"]; $scale = $p[0]["scale"];
} else { } else {

View file

@ -65,8 +65,8 @@ function follow_content(App $a)
$r = q("SELECT `pending` FROM `contact` WHERE `uid` = %d AND ((`rel` != %d) OR (`network` = '%s')) AND $r = q("SELECT `pending` FROM `contact` WHERE `uid` = %d AND ((`rel` != %d) OR (`network` = '%s')) AND
(`nurl` = '%s' OR `alias` = '%s' OR `alias` = '%s') AND (`nurl` = '%s' OR `alias` = '%s' OR `alias` = '%s') AND
`network` != '%s' LIMIT 1", `network` != '%s' LIMIT 1",
intval(local_user()), dbesc(CONTACT_IS_FOLLOWER), dbesc(NETWORK_DFRN), dbesc(normalise_link($url)), intval(local_user()), DBA::escape(CONTACT_IS_FOLLOWER), DBA::escape(NETWORK_DFRN), DBA::escape(normalise_link($url)),
dbesc(normalise_link($url)), dbesc($url), dbesc(NETWORK_STATUSNET)); DBA::escape(normalise_link($url)), DBA::escape($url), DBA::escape(NETWORK_STATUSNET));
if ($r) { if ($r) {
if ($r[0]['pending']) { if ($r[0]['pending']) {

View file

@ -17,12 +17,12 @@ function friendica_init(App $a)
$sql_extra = ''; $sql_extra = '';
if (x($a->config, 'admin_nickname')) { if (x($a->config, 'admin_nickname')) {
$sql_extra = sprintf(" AND `nickname` = '%s' ", dbesc(Config::get('config', 'admin_nickname'))); $sql_extra = sprintf(" AND `nickname` = '%s' ", DBA::escape(Config::get('config', 'admin_nickname')));
} }
if (!empty(Config::get('config', 'admin_email'))) { if (!empty(Config::get('config', 'admin_email'))) {
$adminlist = explode(",", str_replace(" ", "", Config::get('config', 'admin_email'))); $adminlist = explode(",", str_replace(" ", "", Config::get('config', 'admin_email')));
$r = q("SELECT `username`, `nickname` FROM `user` WHERE `email` = '%s' $sql_extra", dbesc($adminlist[0])); $r = q("SELECT `username`, `nickname` FROM `user` WHERE `email` = '%s' $sql_extra", DBA::escape($adminlist[0]));
$admin = [ $admin = [
'name' => $r[0]['username'], 'name' => $r[0]['username'],
'profile'=> System::baseUrl() . '/profile/' . $r[0]['nickname'], 'profile'=> System::baseUrl() . '/profile/' . $r[0]['nickname'],

View file

@ -48,21 +48,21 @@ function fsuggest_post(App $a)
VALUES ( %d, %d, '%s','%s','%s','%s','%s','%s')", VALUES ( %d, %d, '%s','%s','%s','%s','%s','%s')",
intval(local_user()), intval(local_user()),
intval($contact_id), intval($contact_id),
dbesc($r[0]['name']), DBA::escape($r[0]['name']),
dbesc($r[0]['url']), DBA::escape($r[0]['url']),
dbesc($r[0]['request']), DBA::escape($r[0]['request']),
dbesc($r[0]['photo']), DBA::escape($r[0]['photo']),
dbesc($hash), DBA::escape($hash),
dbesc(DateTimeFormat::utcNow()) DBA::escape(DateTimeFormat::utcNow())
); );
$r = q("SELECT `id` FROM `fsuggest` WHERE `note` = '%s' AND `uid` = %d LIMIT 1", $r = q("SELECT `id` FROM `fsuggest` WHERE `note` = '%s' AND `uid` = %d LIMIT 1",
dbesc($hash), DBA::escape($hash),
intval(local_user()) intval(local_user())
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
$fsuggest_id = $r[0]['id']; $fsuggest_id = $r[0]['id'];
q("UPDATE `fsuggest` SET `note` = '%s' WHERE `id` = %d AND `uid` = %d", q("UPDATE `fsuggest` SET `note` = '%s' WHERE `id` = %d AND `uid` = %d",
dbesc($note), DBA::escape($note),
intval($fsuggest_id), intval($fsuggest_id),
intval(local_user()) intval(local_user())
); );

View file

@ -61,7 +61,7 @@ function group_post(App $a) {
$groupname = notags(trim($_POST['groupname'])); $groupname = notags(trim($_POST['groupname']));
if ((strlen($groupname)) && ($groupname != $group['name'])) { if ((strlen($groupname)) && ($groupname != $group['name'])) {
$r = q("UPDATE `group` SET `name` = '%s' WHERE `uid` = %d AND `id` = %d", $r = q("UPDATE `group` SET `name` = '%s' WHERE `uid` = %d AND `id` = %d",
dbesc($groupname), DBA::escape($groupname),
intval(local_user()), intval(local_user()),
intval($group['id']) intval($group['id'])
); );

View file

@ -61,8 +61,8 @@ function invite_post(App $a)
$nmessage = str_replace('$invite_code', $code, $message); $nmessage = str_replace('$invite_code', $code, $message);
$r = q("INSERT INTO `register` (`hash`,`created`) VALUES ('%s', '%s') ", $r = q("INSERT INTO `register` (`hash`,`created`) VALUES ('%s', '%s') ",
dbesc($code), DBA::escape($code),
dbesc(DateTimeFormat::utcNow()) DBA::escape(DateTimeFormat::utcNow())
); );
if (! is_site_admin()) { if (! is_site_admin()) {

View file

@ -24,7 +24,7 @@ function lockview_content(App $a) {
killme(); killme();
$r = q("SELECT * FROM `%s` WHERE `id` = %d LIMIT 1", $r = q("SELECT * FROM `%s` WHERE `id` = %d LIMIT 1",
dbesc($type), DBA::escape($type),
intval($item_id) intval($item_id)
); );
if (! DBA::isResult($r)) { if (! DBA::isResult($r)) {
@ -57,7 +57,7 @@ function lockview_content(App $a) {
if(count($allowed_groups)) { if(count($allowed_groups)) {
$r = q("SELECT `name` FROM `group` WHERE `id` IN ( %s )", $r = q("SELECT `name` FROM `group` WHERE `id` IN ( %s )",
dbesc(implode(', ', $allowed_groups)) DBA::escape(implode(', ', $allowed_groups))
); );
if (DBA::isResult($r)) if (DBA::isResult($r))
foreach($r as $rr) foreach($r as $rr)
@ -65,7 +65,7 @@ function lockview_content(App $a) {
} }
if(count($allowed_users)) { if(count($allowed_users)) {
$r = q("SELECT `name` FROM `contact` WHERE `id` IN ( %s )", $r = q("SELECT `name` FROM `contact` WHERE `id` IN ( %s )",
dbesc(implode(', ',$allowed_users)) DBA::escape(implode(', ',$allowed_users))
); );
if (DBA::isResult($r)) if (DBA::isResult($r))
foreach($r as $rr) foreach($r as $rr)
@ -75,7 +75,7 @@ function lockview_content(App $a) {
if(count($deny_groups)) { if(count($deny_groups)) {
$r = q("SELECT `name` FROM `group` WHERE `id` IN ( %s )", $r = q("SELECT `name` FROM `group` WHERE `id` IN ( %s )",
dbesc(implode(', ', $deny_groups)) DBA::escape(implode(', ', $deny_groups))
); );
if (DBA::isResult($r)) if (DBA::isResult($r))
foreach($r as $rr) foreach($r as $rr)
@ -83,7 +83,7 @@ function lockview_content(App $a) {
} }
if(count($deny_users)) { if(count($deny_users)) {
$r = q("SELECT `name` FROM `contact` WHERE `id` IN ( %s )", $r = q("SELECT `name` FROM `contact` WHERE `id` IN ( %s )",
dbesc(implode(', ',$deny_users)) DBA::escape(implode(', ',$deny_users))
); );
if (DBA::isResult($r)) if (DBA::isResult($r))
foreach($r as $rr) foreach($r as $rr)

View file

@ -60,14 +60,14 @@ function manage_post(App $a) {
// Check if the target user is one of our children // Check if the target user is one of our children
$r = q("SELECT * FROM `user` WHERE `uid` = %d AND `parent-uid` = %d LIMIT 1", $r = q("SELECT * FROM `user` WHERE `uid` = %d AND `parent-uid` = %d LIMIT 1",
intval($identity), intval($identity),
dbesc($orig_record['uid']) DBA::escape($orig_record['uid'])
); );
// Check if the target user is one of our siblings // Check if the target user is one of our siblings
if (!DBA::isResult($r) && ($orig_record['parent-uid'] != 0)) { if (!DBA::isResult($r) && ($orig_record['parent-uid'] != 0)) {
$r = q("SELECT * FROM `user` WHERE `uid` = %d AND `parent-uid` = %d LIMIT 1", $r = q("SELECT * FROM `user` WHERE `uid` = %d AND `parent-uid` = %d LIMIT 1",
intval($identity), intval($identity),
dbesc($orig_record['parent-uid']) DBA::escape($orig_record['parent-uid'])
); );
} }
@ -143,7 +143,7 @@ function manage_content(App $a) {
//getting additinal information for each identity //getting additinal information for each identity
foreach ($identities as $key=>$id) { foreach ($identities as $key=>$id) {
$thumb = q("SELECT `thumb` FROM `contact` WHERE `uid` = '%s' AND `self` = 1", $thumb = q("SELECT `thumb` FROM `contact` WHERE `uid` = '%s' AND `self` = 1",
dbesc($id['uid']) DBA::escape($id['uid'])
); );
$identities[$key]['thumb'] = $thumb[0]['thumb']; $identities[$key]['thumb'] = $thumb[0]['thumb'];

View file

@ -2,6 +2,7 @@
/** /**
* @file mod/match.php * @file mod/match.php
*/ */
use Friendica\App; use Friendica\App;
use Friendica\Content\Widget; use Friendica\Content\Widget;
use Friendica\Core\Config; use Friendica\Core\Config;
@ -9,7 +10,6 @@ use Friendica\Core\L10n;
use Friendica\Core\System; use Friendica\Core\System;
use Friendica\Database\DBA; use Friendica\Database\DBA;
use Friendica\Model\Contact; use Friendica\Model\Contact;
use Friendica\Model\Profile;
use Friendica\Util\Network; use Friendica\Util\Network;
require_once 'include/text.php'; require_once 'include/text.php';
@ -79,7 +79,7 @@ function match_content(App $a)
$match = q( $match = q(
"SELECT `nurl` FROM `contact` WHERE `uid` = '%d' AND nurl='%s' LIMIT 1", "SELECT `nurl` FROM `contact` WHERE `uid` = '%d' AND nurl='%s' LIMIT 1",
intval(local_user()), intval(local_user()),
dbesc($match_nurl) DBA::escape($match_nurl)
); );
if (!count($match)) { if (!count($match)) {

View file

@ -217,14 +217,14 @@ function message_content(App $a)
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
$r = q("SELECT `name`, `url`, `id` FROM `contact` WHERE `uid` = %d AND `nurl` = '%s' LIMIT 1", $r = q("SELECT `name`, `url`, `id` FROM `contact` WHERE `uid` = %d AND `nurl` = '%s' LIMIT 1",
intval(local_user()), intval(local_user()),
dbesc(normalise_link(base64_decode($a->argv[2]))) DBA::escape(normalise_link(base64_decode($a->argv[2])))
); );
} }
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
$r = q("SELECT `name`, `url`, `id` FROM `contact` WHERE `uid` = %d AND `addr` = '%s' LIMIT 1", $r = q("SELECT `name`, `url`, `id` FROM `contact` WHERE `uid` = %d AND `addr` = '%s' LIMIT 1",
intval(local_user()), intval(local_user()),
dbesc(base64_decode($a->argv[2])) DBA::escape(base64_decode($a->argv[2]))
); );
} }
@ -311,10 +311,10 @@ function message_content(App $a)
$contact_id = $r[0]['contact-id']; $contact_id = $r[0]['contact-id'];
$convid = $r[0]['convid']; $convid = $r[0]['convid'];
$sql_extra = sprintf(" and `mail`.`parent-uri` = '%s' ", dbesc($r[0]['parent-uri'])); $sql_extra = sprintf(" and `mail`.`parent-uri` = '%s' ", DBA::escape($r[0]['parent-uri']));
if ($convid) if ($convid)
$sql_extra = sprintf(" and ( `mail`.`parent-uri` = '%s' OR `mail`.`convid` = '%d' ) ", $sql_extra = sprintf(" and ( `mail`.`parent-uri` = '%s' OR `mail`.`convid` = '%d' ) ",
dbesc($r[0]['parent-uri']), DBA::escape($r[0]['parent-uri']),
intval($convid) intval($convid)
); );
@ -332,7 +332,7 @@ function message_content(App $a)
} }
$r = q("UPDATE `mail` SET `seen` = 1 WHERE `parent-uri` = '%s' AND `uid` = %d", $r = q("UPDATE `mail` SET `seen` = 1 WHERE `parent-uri` = '%s' AND `uid` = %d",
dbesc($r[0]['parent-uri']), DBA::escape($r[0]['parent-uri']),
intval(local_user()) intval(local_user())
); );

View file

@ -10,7 +10,7 @@ function modexp_init(App $a) {
$nick = $a->argv[1]; $nick = $a->argv[1];
$r = q("SELECT `spubkey` FROM `user` WHERE `nickname` = '%s' LIMIT 1", $r = q("SELECT `spubkey` FROM `user` WHERE `nickname` = '%s' LIMIT 1",
dbesc($nick) DBA::escape($nick)
); );
if (! DBA::isResult($r)) { if (! DBA::isResult($r)) {

View file

@ -15,7 +15,7 @@ function msearch_post(App $a) {
killme(); killme();
$r = q("SELECT COUNT(*) AS `total` FROM `profile` LEFT JOIN `user` ON `user`.`uid` = `profile`.`uid` WHERE `is-default` = 1 AND `user`.`hidewall` = 0 AND MATCH `pub_keywords` AGAINST ('%s') ", $r = q("SELECT COUNT(*) AS `total` FROM `profile` LEFT JOIN `user` ON `user`.`uid` = `profile`.`uid` WHERE `is-default` = 1 AND `user`.`hidewall` = 0 AND MATCH `pub_keywords` AGAINST ('%s') ",
dbesc($search) DBA::escape($search)
); );
if (DBA::isResult($r)) if (DBA::isResult($r))
@ -24,7 +24,7 @@ function msearch_post(App $a) {
$results = []; $results = [];
$r = q("SELECT `pub_keywords`, `username`, `nickname`, `user`.`uid` FROM `user` LEFT JOIN `profile` ON `user`.`uid` = `profile`.`uid` WHERE `is-default` = 1 AND `user`.`hidewall` = 0 AND MATCH `pub_keywords` AGAINST ('%s') LIMIT %d , %d ", $r = q("SELECT `pub_keywords`, `username`, `nickname`, `user`.`uid` FROM `user` LEFT JOIN `profile` ON `user`.`uid` = `profile`.`uid` WHERE `is-default` = 1 AND `user`.`hidewall` = 0 AND MATCH `pub_keywords` AGAINST ('%s') LIMIT %d , %d ",
dbesc($search), DBA::escape($search),
intval($startrec), intval($startrec),
intval($perpage) intval($perpage)
); );

View file

@ -604,8 +604,8 @@ function networkThreadedView(App $a, $update, $parent)
$sql_post_table = " INNER JOIN `thread` ON `thread`.`iid` = `item`.`parent`"; $sql_post_table = " INNER JOIN `thread` ON `thread`.`iid` = `item`.`parent`";
} }
$sql_nets = (($nets) ? sprintf(" AND $sql_table.`network` = '%s' ", dbesc($nets)) : ''); $sql_nets = (($nets) ? sprintf(" AND $sql_table.`network` = '%s' ", DBA::escape($nets)) : '');
$sql_tag_nets = (($nets) ? sprintf(" AND `item`.`network` = '%s' ", dbesc($nets)) : ''); $sql_tag_nets = (($nets) ? sprintf(" AND `item`.`network` = '%s' ", DBA::escape($nets)) : '');
if ($gid) { if ($gid) {
$group = DBA::selectFirst('group', ['name'], ['id' => $gid, 'uid' => local_user()]); $group = DBA::selectFirst('group', ['name'], ['id' => $gid, 'uid' => local_user()]);
@ -680,11 +680,11 @@ function networkThreadedView(App $a, $update, $parent)
if ($datequery) { if ($datequery) {
$sql_extra3 .= protect_sprintf(sprintf(" AND $sql_table.created <= '%s' ", $sql_extra3 .= protect_sprintf(sprintf(" AND $sql_table.created <= '%s' ",
dbesc(DateTimeFormat::convert($datequery, 'UTC', date_default_timezone_get())))); DBA::escape(DateTimeFormat::convert($datequery, 'UTC', date_default_timezone_get()))));
} }
if ($datequery2) { if ($datequery2) {
$sql_extra3 .= protect_sprintf(sprintf(" AND $sql_table.created >= '%s' ", $sql_extra3 .= protect_sprintf(sprintf(" AND $sql_table.created >= '%s' ",
dbesc(DateTimeFormat::convert($datequery2, 'UTC', date_default_timezone_get())))); DBA::escape(DateTimeFormat::convert($datequery2, 'UTC', date_default_timezone_get()))));
} }
if ($conv) { if ($conv) {
@ -703,7 +703,7 @@ function networkThreadedView(App $a, $update, $parent)
$sql_order = "$sql_table.$ordering"; $sql_order = "$sql_table.$ordering";
if (x($_GET, 'offset')) { if (x($_GET, 'offset')) {
$sql_range = sprintf(" AND $sql_order <= '%s'", dbesc($_GET['offset'])); $sql_range = sprintf(" AND $sql_order <= '%s'", DBA::escape($_GET['offset']));
} else { } else {
$sql_range = ''; $sql_range = '';
} }
@ -716,7 +716,7 @@ function networkThreadedView(App $a, $update, $parent)
case 'received': case 'received':
if ($last_received != '') { if ($last_received != '') {
$last_date = $last_received; $last_date = $last_received;
$sql_range .= sprintf(" AND $sql_table.`received` < '%s'", dbesc($last_received)); $sql_range .= sprintf(" AND $sql_table.`received` < '%s'", DBA::escape($last_received));
$a->set_pager_page(1); $a->set_pager_page(1);
$pager_sql = sprintf(" LIMIT %d, %d ", intval($a->pager['start']), intval($a->pager['itemspage'])); $pager_sql = sprintf(" LIMIT %d, %d ", intval($a->pager['start']), intval($a->pager['itemspage']));
} }
@ -724,7 +724,7 @@ function networkThreadedView(App $a, $update, $parent)
case 'commented': case 'commented':
if ($last_commented != '') { if ($last_commented != '') {
$last_date = $last_commented; $last_date = $last_commented;
$sql_range .= sprintf(" AND $sql_table.`commented` < '%s'", dbesc($last_commented)); $sql_range .= sprintf(" AND $sql_table.`commented` < '%s'", DBA::escape($last_commented));
$a->set_pager_page(1); $a->set_pager_page(1);
$pager_sql = sprintf(" LIMIT %d, %d ", intval($a->pager['start']), intval($a->pager['itemspage'])); $pager_sql = sprintf(" LIMIT %d, %d ", intval($a->pager['start']), intval($a->pager['itemspage']));
} }
@ -732,14 +732,14 @@ function networkThreadedView(App $a, $update, $parent)
case 'created': case 'created':
if ($last_created != '') { if ($last_created != '') {
$last_date = $last_created; $last_date = $last_created;
$sql_range .= sprintf(" AND $sql_table.`created` < '%s'", dbesc($last_created)); $sql_range .= sprintf(" AND $sql_table.`created` < '%s'", DBA::escape($last_created));
$a->set_pager_page(1); $a->set_pager_page(1);
$pager_sql = sprintf(" LIMIT %d, %d ", intval($a->pager['start']), intval($a->pager['itemspage'])); $pager_sql = sprintf(" LIMIT %d, %d ", intval($a->pager['start']), intval($a->pager['itemspage']));
} }
break; break;
case 'id': case 'id':
if (($last_id > 0) && ($sql_table == '`thread`')) { if (($last_id > 0) && ($sql_table == '`thread`')) {
$sql_range .= sprintf(" AND $sql_table.`iid` < '%s'", dbesc($last_id)); $sql_range .= sprintf(" AND $sql_table.`iid` < '%s'", DBA::escape($last_id));
$a->set_pager_page(1); $a->set_pager_page(1);
$pager_sql = sprintf(" LIMIT %d, %d ", intval($a->pager['start']), intval($a->pager['itemspage'])); $pager_sql = sprintf(" LIMIT %d, %d ", intval($a->pager['start']), intval($a->pager['itemspage']));
} }
@ -902,7 +902,7 @@ function networkThreadedView(App $a, $update, $parent)
$condition = ['unseen' => true, 'uid' => local_user()]; $condition = ['unseen' => true, 'uid' => local_user()];
networkSetSeen($condition); networkSetSeen($condition);
} elseif ($parents_str) { } elseif ($parents_str) {
$condition = ["`uid` = ? AND `unseen` AND `parent` IN (" . dbesc($parents_str) . ")", local_user()]; $condition = ["`uid` = ? AND `unseen` AND `parent` IN (" . DBA::escape($parents_str) . ")", local_user()];
networkSetSeen($condition); networkSetSeen($condition);
} }

View file

@ -61,9 +61,9 @@ function noscrape_init(App $a)
$r = q("SELECT COUNT(*) AS `total` FROM `contact` WHERE `uid` = %d AND `self` = 0 AND `blocked` = 0 and `pending` = 0 AND `hidden` = 0 AND `archive` = 0 $r = q("SELECT COUNT(*) AS `total` FROM `contact` WHERE `uid` = %d AND `self` = 0 AND `blocked` = 0 and `pending` = 0 AND `hidden` = 0 AND `archive` = 0
AND `network` IN ('%s', '%s', '%s', '')", AND `network` IN ('%s', '%s', '%s', '')",
intval($a->profile['uid']), intval($a->profile['uid']),
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
dbesc(NETWORK_DIASPORA), DBA::escape(NETWORK_DIASPORA),
dbesc(NETWORK_OSTATUS) DBA::escape(NETWORK_OSTATUS)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
$json_info["contacts"] = intval($r[0]['total']); $json_info["contacts"] = intval($r[0]['total']);

View file

@ -41,7 +41,7 @@ function openid_content(App $a) {
AND `blocked` = 0 AND `account_expired` = 0 AND `blocked` = 0 AND `account_expired` = 0
AND `account_removed` = 0 AND `verified` = 1 AND `account_removed` = 0 AND `verified` = 1
LIMIT 1", LIMIT 1",
dbesc($authid), dbesc(normalise_openid($authid)) DBA::escape($authid), DBA::escape(normalise_openid($authid))
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {

View file

@ -107,7 +107,7 @@ function photo_init(App $a)
// check if the photo exists and get the owner of the photo // check if the photo exists and get the owner of the photo
$r = q("SELECT `uid` FROM `photo` WHERE `resource-id` = '%s' LIMIT 1", $r = q("SELECT `uid` FROM `photo` WHERE `resource-id` = '%s' LIMIT 1",
dbesc($photo), DBA::escape($photo),
intval($resolution) intval($resolution)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -115,7 +115,7 @@ function photo_init(App $a)
// Now we'll see if we can access the photo // Now we'll see if we can access the photo
$r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `scale` <= %d $sql_extra ORDER BY scale DESC LIMIT 1", $r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `scale` <= %d $sql_extra ORDER BY scale DESC LIMIT 1",
dbesc($photo), DBA::escape($photo),
intval($resolution) intval($resolution)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {

View file

@ -45,7 +45,7 @@ function photos_init(App $a) {
if ($a->argc > 1) { if ($a->argc > 1) {
$nick = $a->argv[1]; $nick = $a->argv[1];
$user = q("SELECT * FROM `user` WHERE `nickname` = '%s' AND `blocked` = 0 LIMIT 1", $user = q("SELECT * FROM `user` WHERE `nickname` = '%s' AND `blocked` = 0 LIMIT 1",
dbesc($nick) DBA::escape($nick)
); );
if (!DBA::isResult($user)) { if (!DBA::isResult($user)) {
@ -198,7 +198,7 @@ function photos_post(App $a)
} }
$r = q("SELECT `album` FROM `photo` WHERE `album` = '%s' AND `uid` = %d", $r = q("SELECT `album` FROM `photo` WHERE `album` = '%s' AND `uid` = %d",
dbesc($album), DBA::escape($album),
intval($page_owner_uid) intval($page_owner_uid)
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
@ -216,8 +216,8 @@ function photos_post(App $a)
$newalbum = notags(trim($_POST['albumname'])); $newalbum = notags(trim($_POST['albumname']));
if ($newalbum != $album) { if ($newalbum != $album) {
q("UPDATE `photo` SET `album` = '%s' WHERE `album` = '%s' AND `uid` = %d", q("UPDATE `photo` SET `album` = '%s' WHERE `album` = '%s' AND `uid` = %d",
dbesc($newalbum), DBA::escape($newalbum),
dbesc($album), DBA::escape($album),
intval($page_owner_uid) intval($page_owner_uid)
); );
// Update the photo albums cache // Update the photo albums cache
@ -262,17 +262,17 @@ function photos_post(App $a)
$r = q("SELECT distinct(`resource-id`) as `rid` FROM `photo` WHERE `contact-id` = %d AND `uid` = %d AND `album` = '%s'", $r = q("SELECT distinct(`resource-id`) as `rid` FROM `photo` WHERE `contact-id` = %d AND `uid` = %d AND `album` = '%s'",
intval($visitor), intval($visitor),
intval($page_owner_uid), intval($page_owner_uid),
dbesc($album) DBA::escape($album)
); );
} else { } else {
$r = q("SELECT distinct(`resource-id`) as `rid` FROM `photo` WHERE `uid` = %d AND `album` = '%s'", $r = q("SELECT distinct(`resource-id`) as `rid` FROM `photo` WHERE `uid` = %d AND `album` = '%s'",
intval(local_user()), intval(local_user()),
dbesc($album) DBA::escape($album)
); );
} }
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
foreach ($r as $rr) { foreach ($r as $rr) {
$res[] = "'" . dbesc($rr['rid']) . "'" ; $res[] = "'" . DBA::escape($rr['rid']) . "'" ;
} }
} else { } else {
goaway($_SESSION['photo_return']); goaway($_SESSION['photo_return']);
@ -327,19 +327,19 @@ function photos_post(App $a)
$r = q("SELECT `id`, `resource-id` FROM `photo` WHERE `contact-id` = %d AND `uid` = %d AND `resource-id` = '%s' LIMIT 1", $r = q("SELECT `id`, `resource-id` FROM `photo` WHERE `contact-id` = %d AND `uid` = %d AND `resource-id` = '%s' LIMIT 1",
intval($visitor), intval($visitor),
intval($page_owner_uid), intval($page_owner_uid),
dbesc($a->argv[2]) DBA::escape($a->argv[2])
); );
} else { } else {
$r = q("SELECT `id`, `resource-id` FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s' LIMIT 1", $r = q("SELECT `id`, `resource-id` FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s' LIMIT 1",
intval(local_user()), intval(local_user()),
dbesc($a->argv[2]) DBA::escape($a->argv[2])
); );
} }
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
q("DELETE FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s'", q("DELETE FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s'",
intval($page_owner_uid), intval($page_owner_uid),
dbesc($r[0]['resource-id']) DBA::escape($r[0]['resource-id'])
); );
Item::deleteForUser(['resource-id' => $r[0]['resource-id'], 'uid' => $page_owner_uid], $page_owner_uid); Item::deleteForUser(['resource-id' => $r[0]['resource-id'], 'uid' => $page_owner_uid], $page_owner_uid);
@ -374,7 +374,7 @@ function photos_post(App $a)
logger('rotate'); logger('rotate');
$r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `uid` = %d AND `scale` = 0 LIMIT 1", $r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `uid` = %d AND `scale` = 0 LIMIT 1",
dbesc($resource_id), DBA::escape($resource_id),
intval($page_owner_uid) intval($page_owner_uid)
); );
@ -389,10 +389,10 @@ function photos_post(App $a)
$height = $image->getHeight(); $height = $image->getHeight();
$x = q("UPDATE `photo` SET `data` = '%s', `height` = %d, `width` = %d WHERE `resource-id` = '%s' AND `uid` = %d AND `scale` = 0", $x = q("UPDATE `photo` SET `data` = '%s', `height` = %d, `width` = %d WHERE `resource-id` = '%s' AND `uid` = %d AND `scale` = 0",
dbesc($image->asString()), DBA::escape($image->asString()),
intval($height), intval($height),
intval($width), intval($width),
dbesc($resource_id), DBA::escape($resource_id),
intval($page_owner_uid) intval($page_owner_uid)
); );
@ -402,10 +402,10 @@ function photos_post(App $a)
$height = $image->getHeight(); $height = $image->getHeight();
$x = q("UPDATE `photo` SET `data` = '%s', `height` = %d, `width` = %d WHERE `resource-id` = '%s' AND `uid` = %d AND `scale` = 1", $x = q("UPDATE `photo` SET `data` = '%s', `height` = %d, `width` = %d WHERE `resource-id` = '%s' AND `uid` = %d AND `scale` = 1",
dbesc($image->asString()), DBA::escape($image->asString()),
intval($height), intval($height),
intval($width), intval($width),
dbesc($resource_id), DBA::escape($resource_id),
intval($page_owner_uid) intval($page_owner_uid)
); );
} }
@ -416,10 +416,10 @@ function photos_post(App $a)
$height = $image->getHeight(); $height = $image->getHeight();
$x = q("UPDATE `photo` SET `data` = '%s', `height` = %d, `width` = %d WHERE `resource-id` = '%s' AND `uid` = %d AND `scale` = 2", $x = q("UPDATE `photo` SET `data` = '%s', `height` = %d, `width` = %d WHERE `resource-id` = '%s' AND `uid` = %d AND `scale` = 2",
dbesc($image->asString()), DBA::escape($image->asString()),
intval($height), intval($height),
intval($width), intval($width),
dbesc($resource_id), DBA::escape($resource_id),
intval($page_owner_uid) intval($page_owner_uid)
); );
} }
@ -428,19 +428,19 @@ function photos_post(App $a)
} }
$p = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `uid` = %d ORDER BY `scale` DESC", $p = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `uid` = %d ORDER BY `scale` DESC",
dbesc($resource_id), DBA::escape($resource_id),
intval($page_owner_uid) intval($page_owner_uid)
); );
if (DBA::isResult($p)) { if (DBA::isResult($p)) {
$ext = $phototypes[$p[0]['type']]; $ext = $phototypes[$p[0]['type']];
$r = q("UPDATE `photo` SET `desc` = '%s', `album` = '%s', `allow_cid` = '%s', `allow_gid` = '%s', `deny_cid` = '%s', `deny_gid` = '%s' WHERE `resource-id` = '%s' AND `uid` = %d", $r = q("UPDATE `photo` SET `desc` = '%s', `album` = '%s', `allow_cid` = '%s', `allow_gid` = '%s', `deny_cid` = '%s', `deny_gid` = '%s' WHERE `resource-id` = '%s' AND `uid` = %d",
dbesc($desc), DBA::escape($desc),
dbesc($albname), DBA::escape($albname),
dbesc($str_contact_allow), DBA::escape($str_contact_allow),
dbesc($str_group_allow), DBA::escape($str_group_allow),
dbesc($str_contact_deny), DBA::escape($str_contact_deny),
dbesc($str_group_deny), DBA::escape($str_group_deny),
dbesc($resource_id), DBA::escape($resource_id),
intval($page_owner_uid) intval($page_owner_uid)
); );
@ -554,15 +554,15 @@ function photos_post(App $a)
//select someone from this user's contacts by name //select someone from this user's contacts by name
$r = q("SELECT * FROM `contact` WHERE `name` = '%s' AND `uid` = %d LIMIT 1", $r = q("SELECT * FROM `contact` WHERE `name` = '%s' AND `uid` = %d LIMIT 1",
dbesc($newname), DBA::escape($newname),
intval($page_owner_uid) intval($page_owner_uid)
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
//select someone by attag or nick and the name passed in //select someone by attag or nick and the name passed in
$r = q("SELECT * FROM `contact` WHERE `attag` = '%s' OR `nick` = '%s' AND `uid` = %d ORDER BY `attag` DESC LIMIT 1", $r = q("SELECT * FROM `contact` WHERE `attag` = '%s' OR `nick` = '%s' AND `uid` = %d ORDER BY `attag` DESC LIMIT 1",
dbesc($name), DBA::escape($name),
dbesc($name), DBA::escape($name),
intval($page_owner_uid) intval($page_owner_uid)
); );
} }
@ -707,7 +707,7 @@ function photos_post(App $a)
*/ */
$r = q("SELECT * FROM `photo` WHERE `album` = '%s' AND `uid` = %d AND `created` > UTC_TIMESTAMP() - INTERVAL 3 HOUR ", $r = q("SELECT * FROM `photo` WHERE `album` = '%s' AND `uid` = %d AND `created` > UTC_TIMESTAMP() - INTERVAL 3 HOUR ",
dbesc($album), DBA::escape($album),
intval($page_owner_uid) intval($page_owner_uid)
); );
@ -1111,7 +1111,7 @@ function photos_content(App $a)
$r = q("SELECT `resource-id`, max(`scale`) AS `scale` FROM `photo` WHERE `uid` = %d AND `album` = '%s' $r = q("SELECT `resource-id`, max(`scale`) AS `scale` FROM `photo` WHERE `uid` = %d AND `album` = '%s'
AND `scale` <= 4 $sql_extra GROUP BY `resource-id`", AND `scale` <= 4 $sql_extra GROUP BY `resource-id`",
intval($owner_uid), intval($owner_uid),
dbesc($album) DBA::escape($album)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
$a->set_pager_total(count($r)); $a->set_pager_total(count($r));
@ -1132,7 +1132,7 @@ function photos_content(App $a)
FROM `photo` WHERE `uid` = %d AND `album` = '%s' FROM `photo` WHERE `uid` = %d AND `album` = '%s'
AND `scale` <= 4 $sql_extra GROUP BY `resource-id` ORDER BY `created` $order LIMIT %d , %d", AND `scale` <= 4 $sql_extra GROUP BY `resource-id` ORDER BY `created` $order LIMIT %d , %d",
intval($owner_uid), intval($owner_uid),
dbesc($album), DBA::escape($album),
intval($a->pager['start']), intval($a->pager['start']),
intval($a->pager['itemspage']) intval($a->pager['itemspage'])
); );
@ -1216,14 +1216,14 @@ function photos_content(App $a)
$ph = q("SELECT * FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s' $ph = q("SELECT * FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s'
$sql_extra ORDER BY `scale` ASC ", $sql_extra ORDER BY `scale` ASC ",
intval($owner_uid), intval($owner_uid),
dbesc($datum) DBA::escape($datum)
); );
if (!DBA::isResult($ph)) { if (!DBA::isResult($ph)) {
$ph = q("SELECT `id` FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s' $ph = q("SELECT `id` FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s'
LIMIT 1", LIMIT 1",
intval($owner_uid), intval($owner_uid),
dbesc($datum) DBA::escape($datum)
); );
if (DBA::isResult($ph)) { if (DBA::isResult($ph)) {
notice(L10n::t('Permission denied. Access to this item may be restricted.')); notice(L10n::t('Permission denied. Access to this item may be restricted.'));
@ -1252,7 +1252,7 @@ function photos_content(App $a)
$prvnxt = q("SELECT `resource-id` FROM `photo` WHERE `album` = '%s' AND `uid` = %d AND `scale` = 0 $prvnxt = q("SELECT `resource-id` FROM `photo` WHERE `album` = '%s' AND `uid` = %d AND `scale` = 0
$sql_extra ORDER BY `created` $order ", $sql_extra ORDER BY `created` $order ",
dbesc($ph[0]['album']), DBA::escape($ph[0]['album']),
intval($owner_uid) intval($owner_uid)
); );
@ -1347,7 +1347,7 @@ function photos_content(App $a)
/// @todo Rewrite this query. To do so, $sql_extra must be changed /// @todo Rewrite this query. To do so, $sql_extra must be changed
$linked_items = q("SELECT `id` FROM `item` WHERE `resource-id` = '%s' $sql_extra LIMIT 1", $linked_items = q("SELECT `id` FROM `item` WHERE `resource-id` = '%s' $sql_extra LIMIT 1",
dbesc($datum) DBA::escape($datum)
); );
$map = null; $map = null;
@ -1615,8 +1615,8 @@ function photos_content(App $a)
$r = q("SELECT `resource-id`, max(`scale`) AS `scale` FROM `photo` WHERE `uid` = %d AND `album` != '%s' AND `album` != '%s' $r = q("SELECT `resource-id`, max(`scale`) AS `scale` FROM `photo` WHERE `uid` = %d AND `album` != '%s' AND `album` != '%s'
$sql_extra GROUP BY `resource-id`", $sql_extra GROUP BY `resource-id`",
intval($a->data['user']['uid']), intval($a->data['user']['uid']),
dbesc('Contact Photos'), DBA::escape('Contact Photos'),
dbesc(L10n::t('Contact Photos')) DBA::escape(L10n::t('Contact Photos'))
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -1630,8 +1630,8 @@ function photos_content(App $a)
WHERE `uid` = %d AND `album` != '%s' AND `album` != '%s' WHERE `uid` = %d AND `album` != '%s' AND `album` != '%s'
$sql_extra GROUP BY `resource-id` ORDER BY `created` DESC LIMIT %d , %d", $sql_extra GROUP BY `resource-id` ORDER BY `created` DESC LIMIT %d , %d",
intval($a->data['user']['uid']), intval($a->data['user']['uid']),
dbesc('Contact Photos'), DBA::escape('Contact Photos'),
dbesc(L10n::t('Contact Photos')), DBA::escape(L10n::t('Contact Photos')),
intval($a->pager['start']), intval($a->pager['start']),
intval($a->pager['itemspage']) intval($a->pager['itemspage'])
); );

View file

@ -197,7 +197,7 @@ function ping_init(App $a)
"SELECT `id`, `from-name`, `from-url`, `from-photo`, `created` FROM `mail` "SELECT `id`, `from-name`, `from-url`, `from-photo`, `created` FROM `mail`
WHERE `uid` = %d AND `seen` = 0 AND `from-url` != '%s' ", WHERE `uid` = %d AND `seen` = 0 AND `from-url` != '%s' ",
intval(local_user()), intval(local_user()),
dbesc($myurl) DBA::escape($myurl)
); );
$mail_count = count($mails); $mail_count = count($mails);
@ -221,8 +221,8 @@ function ping_init(App $a)
WHERE `event`.`uid` = %d AND `start` < '%s' AND `finish` > '%s' and `ignore` = 0 WHERE `event`.`uid` = %d AND `start` < '%s' AND `finish` > '%s' and `ignore` = 0
ORDER BY `start` ASC ", ORDER BY `start` ASC ",
intval(local_user()), intval(local_user()),
dbesc(DateTimeFormat::utc('now + 7 days')), DBA::escape(DateTimeFormat::utc('now + 7 days')),
dbesc(DateTimeFormat::utcNow()) DBA::escape(DateTimeFormat::utcNow())
); );
if (DBA::isResult($ev)) { if (DBA::isResult($ev)) {
Cache::set($cachekey, $ev, CACHE_HOUR); Cache::set($cachekey, $ev, CACHE_HOUR);
@ -481,8 +481,8 @@ function ping_get_notifications($uid)
q( q(
"UPDATE `notify` SET `name_cache` = '%s', `msg_cache` = '%s' WHERE `id` = %d", "UPDATE `notify` SET `name_cache` = '%s', `msg_cache` = '%s' WHERE `id` = %d",
dbesc($notification["name"]), DBA::escape($notification["name"]),
dbesc($notification["message"]), DBA::escape($notification["message"]),
intval($notification["id"]) intval($notification["id"])
); );
} }

View file

@ -65,7 +65,7 @@ function poco_init(App $a) {
if (! $system_mode && ! $global) { if (! $system_mode && ! $global) {
$users = q("SELECT `user`.*,`profile`.`hide-friends` from user left join profile on `user`.`uid` = `profile`.`uid` $users = q("SELECT `user`.*,`profile`.`hide-friends` from user left join profile on `user`.`uid` = `profile`.`uid`
where `user`.`nickname` = '%s' and `profile`.`is-default` = 1 limit 1", where `user`.`nickname` = '%s' and `profile`.`is-default` = 1 limit 1",
dbesc($user) DBA::escape($user)
); );
if (! DBA::isResult($users) || $users[0]['hidewall'] || $users[0]['hide-friends']) { if (! DBA::isResult($users) || $users[0]['hidewall'] || $users[0]['hide-friends']) {
System::httpExit(404); System::httpExit(404);
@ -88,10 +88,10 @@ function poco_init(App $a) {
} }
if ($global) { if ($global) {
$contacts = q("SELECT count(*) AS `total` FROM `gcontact` WHERE `updated` >= '%s' AND `updated` >= `last_failure` AND NOT `hide` AND `network` IN ('%s', '%s', '%s')", $contacts = q("SELECT count(*) AS `total` FROM `gcontact` WHERE `updated` >= '%s' AND `updated` >= `last_failure` AND NOT `hide` AND `network` IN ('%s', '%s', '%s')",
dbesc($update_limit), DBA::escape($update_limit),
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
dbesc(NETWORK_DIASPORA), DBA::escape(NETWORK_DIASPORA),
dbesc(NETWORK_OSTATUS) DBA::escape(NETWORK_OSTATUS)
); );
} elseif ($system_mode) { } elseif ($system_mode) {
$contacts = q("SELECT count(*) AS `total` FROM `contact` WHERE `self` = 1 $contacts = q("SELECT count(*) AS `total` FROM `contact` WHERE `self` = 1
@ -101,10 +101,10 @@ function poco_init(App $a) {
AND (`success_update` >= `failure_update` OR `last-item` >= `failure_update`) AND (`success_update` >= `failure_update` OR `last-item` >= `failure_update`)
AND `network` IN ('%s', '%s', '%s', '%s') $sql_extra", AND `network` IN ('%s', '%s', '%s', '%s') $sql_extra",
intval($user['uid']), intval($user['uid']),
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
dbesc(NETWORK_DIASPORA), DBA::escape(NETWORK_DIASPORA),
dbesc(NETWORK_OSTATUS), DBA::escape(NETWORK_OSTATUS),
dbesc(NETWORK_STATUSNET) DBA::escape(NETWORK_STATUSNET)
); );
} }
if (DBA::isResult($contacts)) { if (DBA::isResult($contacts)) {
@ -123,10 +123,10 @@ function poco_init(App $a) {
logger("Start global query", LOGGER_DEBUG); logger("Start global query", LOGGER_DEBUG);
$contacts = q("SELECT * FROM `gcontact` WHERE `updated` > '%s' AND NOT `hide` AND `network` IN ('%s', '%s', '%s') AND `updated` > `last_failure` $contacts = q("SELECT * FROM `gcontact` WHERE `updated` > '%s' AND NOT `hide` AND `network` IN ('%s', '%s', '%s') AND `updated` > `last_failure`
ORDER BY `updated` DESC LIMIT %d, %d", ORDER BY `updated` DESC LIMIT %d, %d",
dbesc($update_limit), DBA::escape($update_limit),
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
dbesc(NETWORK_DIASPORA), DBA::escape(NETWORK_DIASPORA),
dbesc(NETWORK_OSTATUS), DBA::escape(NETWORK_OSTATUS),
intval($startIndex), intval($startIndex),
intval($itemsPerPage) intval($itemsPerPage)
); );
@ -148,10 +148,10 @@ function poco_init(App $a) {
AND (`success_update` >= `failure_update` OR `last-item` >= `failure_update`) AND (`success_update` >= `failure_update` OR `last-item` >= `failure_update`)
AND `network` IN ('%s', '%s', '%s', '%s') $sql_extra LIMIT %d, %d", AND `network` IN ('%s', '%s', '%s', '%s') $sql_extra LIMIT %d, %d",
intval($user['uid']), intval($user['uid']),
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
dbesc(NETWORK_DIASPORA), DBA::escape(NETWORK_DIASPORA),
dbesc(NETWORK_OSTATUS), DBA::escape(NETWORK_OSTATUS),
dbesc(NETWORK_STATUSNET), DBA::escape(NETWORK_STATUSNET),
intval($startIndex), intval($startIndex),
intval($itemsPerPage) intval($itemsPerPage)
); );

View file

@ -257,19 +257,19 @@ function profile_content(App $a, $update = 0)
if (x($category)) { if (x($category)) {
$sql_post_table = sprintf("INNER JOIN (SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d ORDER BY `tid` DESC) AS `term` ON `item`.`id` = `term`.`oid` ", $sql_post_table = sprintf("INNER JOIN (SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d ORDER BY `tid` DESC) AS `term` ON `item`.`id` = `term`.`oid` ",
dbesc(protect_sprintf($category)), intval(TERM_OBJ_POST), intval(TERM_CATEGORY), intval($a->profile['profile_uid'])); DBA::escape(protect_sprintf($category)), intval(TERM_OBJ_POST), intval(TERM_CATEGORY), intval($a->profile['profile_uid']));
} }
if (x($hashtags)) { if (x($hashtags)) {
$sql_post_table .= sprintf("INNER JOIN (SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d ORDER BY `tid` DESC) AS `term` ON `item`.`id` = `term`.`oid` ", $sql_post_table .= sprintf("INNER JOIN (SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d ORDER BY `tid` DESC) AS `term` ON `item`.`id` = `term`.`oid` ",
dbesc(protect_sprintf($hashtags)), intval(TERM_OBJ_POST), intval(TERM_HASHTAG), intval($a->profile['profile_uid'])); DBA::escape(protect_sprintf($hashtags)), intval(TERM_OBJ_POST), intval(TERM_HASHTAG), intval($a->profile['profile_uid']));
} }
if ($datequery) { if ($datequery) {
$sql_extra2 .= protect_sprintf(sprintf(" AND `thread`.`created` <= '%s' ", dbesc(DateTimeFormat::convert($datequery, 'UTC', date_default_timezone_get())))); $sql_extra2 .= protect_sprintf(sprintf(" AND `thread`.`created` <= '%s' ", DBA::escape(DateTimeFormat::convert($datequery, 'UTC', date_default_timezone_get()))));
} }
if ($datequery2) { if ($datequery2) {
$sql_extra2 .= protect_sprintf(sprintf(" AND `thread`.`created` >= '%s' ", dbesc(DateTimeFormat::convert($datequery2, 'UTC', date_default_timezone_get())))); $sql_extra2 .= protect_sprintf(sprintf(" AND `thread`.`created` >= '%s' ", DBA::escape(DateTimeFormat::convert($datequery2, 'UTC', date_default_timezone_get()))));
} }
// Belongs the profile page to a forum? // Belongs the profile page to a forum?

View file

@ -69,8 +69,8 @@ function profile_photo_post(App $a)
$srcW = $_POST['xfinal'] - $srcX; $srcW = $_POST['xfinal'] - $srcX;
$srcH = $_POST['yfinal'] - $srcY; $srcH = $_POST['yfinal'] - $srcY;
$r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `uid` = %d AND `scale` = %d LIMIT 1", dbesc($image_id), $r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `uid` = %d AND `scale` = %d LIMIT 1", DBA::escape($image_id),
dbesc(local_user()), intval($scale)); DBA::escape(local_user()), intval($scale));
$url = System::baseUrl() . '/profile/' . $a->user['nickname']; $url = System::baseUrl() . '/profile/' . $a->user['nickname'];
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -109,12 +109,12 @@ function profile_photo_post(App $a)
if ($is_default_profile) { if ($is_default_profile) {
$r = q("UPDATE `photo` SET `profile` = 0 WHERE `profile` = 1 AND `resource-id` != '%s' AND `uid` = %d", $r = q("UPDATE `photo` SET `profile` = 0 WHERE `profile` = 1 AND `resource-id` != '%s' AND `uid` = %d",
dbesc($base_image['resource-id']), intval(local_user()) DBA::escape($base_image['resource-id']), intval(local_user())
); );
} else { } else {
$r = q("update profile set photo = '%s', thumb = '%s' where id = %d and uid = %d", $r = q("update profile set photo = '%s', thumb = '%s' where id = %d and uid = %d",
dbesc(System::baseUrl() . '/photo/' . $base_image['resource-id'] . '-4.' . $Image->getExt()), DBA::escape(System::baseUrl() . '/photo/' . $base_image['resource-id'] . '-4.' . $Image->getExt()),
dbesc(System::baseUrl() . '/photo/' . $base_image['resource-id'] . '-5.' . $Image->getExt()), DBA::escape(System::baseUrl() . '/photo/' . $base_image['resource-id'] . '-5.' . $Image->getExt()),
intval($_REQUEST['profile']), intval(local_user()) intval($_REQUEST['profile']), intval(local_user())
); );
} }
@ -191,7 +191,7 @@ function profile_photo_content(App $a)
$resource_id = $a->argv[2]; $resource_id = $a->argv[2];
//die(":".local_user()); //die(":".local_user());
$r = q("SELECT * FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s' ORDER BY `scale` ASC", intval(local_user()), $r = q("SELECT * FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s' ORDER BY `scale` ASC", intval(local_user()),
dbesc($resource_id) DBA::escape($resource_id)
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
@ -212,7 +212,7 @@ function profile_photo_content(App $a)
$r = q("UPDATE `photo` SET `profile`=0 WHERE `profile`=1 AND `uid`=%d", intval(local_user())); $r = q("UPDATE `photo` SET `profile`=0 WHERE `profile`=1 AND `uid`=%d", intval(local_user()));
$r = q("UPDATE `photo` SET `profile`=1 WHERE `uid` = %d AND `resource-id` = '%s'", intval(local_user()), $r = q("UPDATE `photo` SET `profile`=1 WHERE `uid` = %d AND `resource-id` = '%s'", intval(local_user()),
dbesc($resource_id) DBA::escape($resource_id)
); );
Contact::updateSelfFromUserID(local_user(), true); Contact::updateSelfFromUserID(local_user(), true);

View file

@ -78,15 +78,15 @@ function profiles_init(App $a) {
$r2 = q("INSERT INTO `profile` (`uid` , `profile-name` , `name`, `photo`, `thumb`) $r2 = q("INSERT INTO `profile` (`uid` , `profile-name` , `name`, `photo`, `thumb`)
VALUES ( %d, '%s', '%s', '%s', '%s' )", VALUES ( %d, '%s', '%s', '%s', '%s' )",
intval(local_user()), intval(local_user()),
dbesc($name), DBA::escape($name),
dbesc($r1[0]['name']), DBA::escape($r1[0]['name']),
dbesc($r1[0]['photo']), DBA::escape($r1[0]['photo']),
dbesc($r1[0]['thumb']) DBA::escape($r1[0]['thumb'])
); );
$r3 = q("SELECT `id` FROM `profile` WHERE `uid` = %d AND `profile-name` = '%s' LIMIT 1", $r3 = q("SELECT `id` FROM `profile` WHERE `uid` = %d AND `profile-name` = '%s' LIMIT 1",
intval(local_user()), intval(local_user()),
dbesc($name) DBA::escape($name)
); );
info(L10n::t('New profile created.') . EOL); info(L10n::t('New profile created.') . EOL);
@ -120,13 +120,13 @@ function profiles_init(App $a) {
$r1[0]['is-default'] = 0; $r1[0]['is-default'] = 0;
$r1[0]['publish'] = 0; $r1[0]['publish'] = 0;
$r1[0]['net-publish'] = 0; $r1[0]['net-publish'] = 0;
$r1[0]['profile-name'] = dbesc($name); $r1[0]['profile-name'] = DBA::escape($name);
DBA::insert('profile', $r1[0]); DBA::insert('profile', $r1[0]);
$r3 = q("SELECT `id` FROM `profile` WHERE `uid` = %d AND `profile-name` = '%s' LIMIT 1", $r3 = q("SELECT `id` FROM `profile` WHERE `uid` = %d AND `profile-name` = '%s' LIMIT 1",
intval(local_user()), intval(local_user()),
dbesc($name) DBA::escape($name)
); );
info(L10n::t('New profile created.') . EOL); info(L10n::t('New profile created.') . EOL);
if ((DBA::isResult($r3)) && (count($r3) == 1)) { if ((DBA::isResult($r3)) && (count($r3) == 1)) {
@ -283,12 +283,12 @@ function profiles_post(App $a) {
$newname = $lookup; $newname = $lookup;
$r = q("SELECT * FROM `contact` WHERE `name` = '%s' AND `uid` = %d LIMIT 1", $r = q("SELECT * FROM `contact` WHERE `name` = '%s' AND `uid` = %d LIMIT 1",
dbesc($newname), DBA::escape($newname),
intval(local_user()) intval(local_user())
); );
if (! DBA::isResult($r)) { if (! DBA::isResult($r)) {
$r = q("SELECT * FROM `contact` WHERE `nick` = '%s' AND `uid` = %d LIMIT 1", $r = q("SELECT * FROM `contact` WHERE `nick` = '%s' AND `uid` = %d LIMIT 1",
dbesc($lookup), DBA::escape($lookup),
intval(local_user()) intval(local_user())
); );
} }
@ -440,39 +440,39 @@ function profiles_post(App $a) {
`education` = '%s', `education` = '%s',
`hide-friends` = %d `hide-friends` = %d
WHERE `id` = %d AND `uid` = %d", WHERE `id` = %d AND `uid` = %d",
dbesc($profile_name), DBA::escape($profile_name),
dbesc($name), DBA::escape($name),
dbesc($pdesc), DBA::escape($pdesc),
dbesc($gender), DBA::escape($gender),
dbesc($dob), DBA::escape($dob),
dbesc($address), DBA::escape($address),
dbesc($locality), DBA::escape($locality),
dbesc($region), DBA::escape($region),
dbesc($postal_code), DBA::escape($postal_code),
dbesc($country_name), DBA::escape($country_name),
dbesc($marital), DBA::escape($marital),
dbesc($with), DBA::escape($with),
dbesc($howlong), DBA::escape($howlong),
dbesc($sexual), DBA::escape($sexual),
dbesc($xmpp), DBA::escape($xmpp),
dbesc($homepage), DBA::escape($homepage),
dbesc($hometown), DBA::escape($hometown),
dbesc($politic), DBA::escape($politic),
dbesc($religion), DBA::escape($religion),
dbesc($pub_keywords), DBA::escape($pub_keywords),
dbesc($prv_keywords), DBA::escape($prv_keywords),
dbesc($likes), DBA::escape($likes),
dbesc($dislikes), DBA::escape($dislikes),
dbesc($about), DBA::escape($about),
dbesc($interest), DBA::escape($interest),
dbesc($contact), DBA::escape($contact),
dbesc($music), DBA::escape($music),
dbesc($book), DBA::escape($book),
dbesc($tv), DBA::escape($tv),
dbesc($film), DBA::escape($film),
dbesc($romance), DBA::escape($romance),
dbesc($work), DBA::escape($work),
dbesc($education), DBA::escape($education),
intval($hide_friends), intval($hide_friends),
intval($a->argv[1]), intval($a->argv[1]),
intval(local_user()) intval(local_user())
@ -486,7 +486,7 @@ function profiles_post(App $a) {
if ($is_default) { if ($is_default) {
if ($namechanged) { if ($namechanged) {
$r = q("UPDATE `user` set `username` = '%s' where `uid` = %d", $r = q("UPDATE `user` set `username` = '%s' where `uid` = %d",
dbesc($name), DBA::escape($name),
intval(local_user()) intval(local_user())
); );
} }

View file

@ -47,7 +47,7 @@ function profperm_content(App $a) {
if(($a->argc > 2) && intval($a->argv[1]) && intval($a->argv[2])) { if(($a->argc > 2) && intval($a->argv[1]) && intval($a->argv[2])) {
$r = q("SELECT `id` FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 AND `self` = 0 $r = q("SELECT `id` FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 AND `self` = 0
AND `network` = '%s' AND `id` = %d AND `uid` = %d LIMIT 1", AND `network` = '%s' AND `id` = %d AND `uid` = %d LIMIT 1",
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
intval($a->argv[2]), intval($a->argv[2]),
intval(local_user()) intval(local_user())
); );
@ -144,7 +144,7 @@ function profperm_content(App $a) {
$r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `blocked` = 0 and `pending` = 0 and `self` = 0 $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `blocked` = 0 and `pending` = 0 and `self` = 0
AND `network` = '%s' ORDER BY `name` ASC", AND `network` = '%s' ORDER BY `name` ASC",
intval(local_user()), intval(local_user()),
dbesc(NETWORK_DFRN) DBA::escape(NETWORK_DFRN)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {

View file

@ -85,7 +85,7 @@ function register_post(App $a)
if (intval(Config::get('config', 'register_policy')) === REGISTER_OPEN) { if (intval(Config::get('config', 'register_policy')) === REGISTER_OPEN) {
if ($using_invites && $invite_id) { if ($using_invites && $invite_id) {
q("delete * from register where hash = '%s' limit 1", dbesc($invite_id)); q("delete * from register where hash = '%s' limit 1", DBA::escape($invite_id));
PConfig::set($user['uid'], 'system', 'invites_remaining', $num_invites); PConfig::set($user['uid'], 'system', 'invites_remaining', $num_invites);
} }
@ -117,22 +117,22 @@ function register_post(App $a)
$hash = random_string(); $hash = random_string();
$r = q("INSERT INTO `register` ( `hash`, `created`, `uid`, `password`, `language`, `note` ) VALUES ( '%s', '%s', %d, '%s', '%s', '%s' ) ", $r = q("INSERT INTO `register` ( `hash`, `created`, `uid`, `password`, `language`, `note` ) VALUES ( '%s', '%s', %d, '%s', '%s', '%s' ) ",
dbesc($hash), DBA::escape($hash),
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
intval($user['uid']), intval($user['uid']),
dbesc($result['password']), DBA::escape($result['password']),
dbesc(Config::get('system', 'language')), DBA::escape(Config::get('system', 'language')),
dbesc($_POST['permonlybox']) DBA::escape($_POST['permonlybox'])
); );
// invite system // invite system
if ($using_invites && $invite_id) { if ($using_invites && $invite_id) {
q("DELETE * FROM `register` WHERE `hash` = '%s' LIMIT 1", dbesc($invite_id)); q("DELETE * FROM `register` WHERE `hash` = '%s' LIMIT 1", DBA::escape($invite_id));
PConfig::set($user['uid'], 'system', 'invites_remaining', $num_invites); PConfig::set($user['uid'], 'system', 'invites_remaining', $num_invites);
} }
// send email to admins // send email to admins
$admin_mail_list = "'" . implode("','", array_map("dbesc", explode(",", str_replace(" ", "", Config::get('config', 'admin_email'))))) . "'"; $admin_mail_list = "'" . implode("','", array_map(['Friendica\Database\DBA', 'escape'], explode(",", str_replace(" ", "", Config::get('config', 'admin_email'))))) . "'";
$adminlist = q("SELECT uid, language, email FROM user WHERE email IN (%s)", $adminlist = q("SELECT uid, language, email FROM user WHERE email IN (%s)",
$admin_mail_list $admin_mail_list
); );

View file

@ -19,7 +19,7 @@ function user_allow($hash)
$a = get_app(); $a = get_app();
$register = q("SELECT * FROM `register` WHERE `hash` = '%s' LIMIT 1", $register = q("SELECT * FROM `register` WHERE `hash` = '%s' LIMIT 1",
dbesc($hash) DBA::escape($hash)
); );
@ -36,7 +36,7 @@ function user_allow($hash)
} }
$r = q("DELETE FROM `register` WHERE `hash` = '%s'", $r = q("DELETE FROM `register` WHERE `hash` = '%s'",
dbesc($register[0]['hash']) DBA::escape($register[0]['hash'])
); );
@ -77,7 +77,7 @@ function user_allow($hash)
function user_deny($hash) function user_deny($hash)
{ {
$register = q("SELECT * FROM `register` WHERE `hash` = '%s' LIMIT 1", $register = q("SELECT * FROM `register` WHERE `hash` = '%s' LIMIT 1",
dbesc($hash) DBA::escape($hash)
); );
if (!DBA::isResult($register)) { if (!DBA::isResult($register)) {

View file

@ -26,7 +26,7 @@ function repair_ostatus_content(App $a) {
$r = q("SELECT COUNT(*) AS `total` FROM `contact` WHERE $r = q("SELECT COUNT(*) AS `total` FROM `contact` WHERE
`uid` = %d AND `network` = '%s' AND `rel` IN (%d, %d)", `uid` = %d AND `network` = '%s' AND `rel` IN (%d, %d)",
intval($uid), intval($uid),
dbesc(NETWORK_OSTATUS), DBA::escape(NETWORK_OSTATUS),
intval(CONTACT_IS_FRIEND), intval(CONTACT_IS_FRIEND),
intval(CONTACT_IS_SHARING)); intval(CONTACT_IS_SHARING));
@ -40,7 +40,7 @@ function repair_ostatus_content(App $a) {
ORDER BY `url` ORDER BY `url`
LIMIT %d, 1", LIMIT %d, 1",
intval($uid), intval($uid),
dbesc(NETWORK_OSTATUS), DBA::escape(NETWORK_OSTATUS),
intval(CONTACT_IS_FRIEND), intval(CONTACT_IS_FRIEND),
intval(CONTACT_IS_SHARING), $counter++); intval(CONTACT_IS_SHARING), $counter++);

View file

@ -25,7 +25,7 @@ function salmon_post(App $a, $xml = '') {
$mentions = (($a->argc > 2 && $a->argv[2] === 'mention') ? true : false); $mentions = (($a->argc > 2 && $a->argv[2] === 'mention') ? true : false);
$r = q("SELECT * FROM `user` WHERE `nickname` = '%s' AND `account_expired` = 0 AND `account_removed` = 0 LIMIT 1", $r = q("SELECT * FROM `user` WHERE `nickname` = '%s' AND `account_expired` = 0 AND `account_removed` = 0 LIMIT 1",
dbesc($nick) DBA::escape($nick)
); );
if (! DBA::isResult($r)) { if (! DBA::isResult($r)) {
System::httpExit(500); System::httpExit(500);
@ -145,11 +145,11 @@ function salmon_post(App $a, $xml = '') {
$r = q("SELECT * FROM `contact` WHERE `network` IN ('%s', '%s') $r = q("SELECT * FROM `contact` WHERE `network` IN ('%s', '%s')
AND (`nurl` = '%s' OR `alias` = '%s' OR `alias` = '%s') AND (`nurl` = '%s' OR `alias` = '%s' OR `alias` = '%s')
AND `uid` = %d LIMIT 1", AND `uid` = %d LIMIT 1",
dbesc(NETWORK_OSTATUS), DBA::escape(NETWORK_OSTATUS),
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
dbesc(normalise_link($author_link)), DBA::escape(normalise_link($author_link)),
dbesc($author_link), DBA::escape($author_link),
dbesc(normalise_link($author_link)), DBA::escape(normalise_link($author_link)),
intval($importer['uid']) intval($importer['uid'])
); );
if (! DBA::isResult($r)) { if (! DBA::isResult($r)) {
@ -159,9 +159,9 @@ function salmon_post(App $a, $xml = '') {
if($result['success']) { if($result['success']) {
$r = q("SELECT * FROM `contact` WHERE `network` = '%s' AND ( `url` = '%s' OR `alias` = '%s') $r = q("SELECT * FROM `contact` WHERE `network` = '%s' AND ( `url` = '%s' OR `alias` = '%s')
AND `uid` = %d LIMIT 1", AND `uid` = %d LIMIT 1",
dbesc(NETWORK_OSTATUS), DBA::escape(NETWORK_OSTATUS),
dbesc($author_link), DBA::escape($author_link),
dbesc($author_link), DBA::escape($author_link),
intval($importer['uid']) intval($importer['uid'])
); );
} }

View file

@ -65,7 +65,7 @@ function search_init(App $a) {
if (x($_GET,'save') && $search) { if (x($_GET,'save') && $search) {
$r = q("SELECT * FROM `search` WHERE `uid` = %d AND `term` = '%s' LIMIT 1", $r = q("SELECT * FROM `search` WHERE `uid` = %d AND `term` = '%s' LIMIT 1",
intval(local_user()), intval(local_user()),
dbesc($search) DBA::escape($search)
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
DBA::insert('search', ['uid' => local_user(), 'term' => $search]); DBA::insert('search', ['uid' => local_user(), 'term' => $search]);

View file

@ -175,23 +175,23 @@ function settings_post(App $a)
icon='%s', icon='%s',
uid=%d uid=%d
WHERE client_id='%s'", WHERE client_id='%s'",
dbesc($key), DBA::escape($key),
dbesc($secret), DBA::escape($secret),
dbesc($name), DBA::escape($name),
dbesc($redirect), DBA::escape($redirect),
dbesc($icon), DBA::escape($icon),
local_user(), local_user(),
dbesc($key) DBA::escape($key)
); );
} else { } else {
q("INSERT INTO clients q("INSERT INTO clients
(client_id, pw, name, redirect_uri, icon, uid) (client_id, pw, name, redirect_uri, icon, uid)
VALUES ('%s', '%s', '%s', '%s', '%s',%d)", VALUES ('%s', '%s', '%s', '%s', '%s',%d)",
dbesc($key), DBA::escape($key),
dbesc($secret), DBA::escape($secret),
dbesc($name), DBA::escape($name),
dbesc($redirect), DBA::escape($redirect),
dbesc($icon), DBA::escape($icon),
local_user() local_user()
); );
} }
@ -250,13 +250,13 @@ function settings_post(App $a)
$r = q("UPDATE `mailacct` SET `server` = '%s', `port` = %d, `ssltype` = '%s', `user` = '%s', $r = q("UPDATE `mailacct` SET `server` = '%s', `port` = %d, `ssltype` = '%s', `user` = '%s',
`action` = %d, `movetofolder` = '%s', `action` = %d, `movetofolder` = '%s',
`mailbox` = 'INBOX', `reply_to` = '%s', `pubmail` = %d WHERE `uid` = %d", `mailbox` = 'INBOX', `reply_to` = '%s', `pubmail` = %d WHERE `uid` = %d",
dbesc($mail_server), DBA::escape($mail_server),
intval($mail_port), intval($mail_port),
dbesc($mail_ssl), DBA::escape($mail_ssl),
dbesc($mail_user), DBA::escape($mail_user),
intval($mail_action), intval($mail_action),
dbesc($mail_movetofolder), DBA::escape($mail_movetofolder),
dbesc($mail_replyto), DBA::escape($mail_replyto),
intval($mail_pubmail), intval($mail_pubmail),
intval(local_user()) intval(local_user())
); );
@ -356,7 +356,7 @@ function settings_post(App $a)
Theme::install($theme); Theme::install($theme);
$r = q("UPDATE `user` SET `theme` = '%s' WHERE `uid` = %d", $r = q("UPDATE `user` SET `theme` = '%s' WHERE `uid` = %d",
dbesc($theme), DBA::escape($theme),
intval(local_user()) intval(local_user())
); );
@ -579,29 +579,29 @@ function settings_post(App $a)
`def_gid` = %d, `blockwall` = %d, `hidewall` = %d, `blocktags` = %d, `def_gid` = %d, `blockwall` = %d, `hidewall` = %d, `blocktags` = %d,
`unkmail` = %d, `cntunkmail` = %d, `language` = '%s' `unkmail` = %d, `cntunkmail` = %d, `language` = '%s'
WHERE `uid` = %d", WHERE `uid` = %d",
dbesc($username), DBA::escape($username),
dbesc($email), DBA::escape($email),
dbesc($openid), DBA::escape($openid),
dbesc($timezone), DBA::escape($timezone),
dbesc($str_contact_allow), DBA::escape($str_contact_allow),
dbesc($str_group_allow), DBA::escape($str_group_allow),
dbesc($str_contact_deny), DBA::escape($str_contact_deny),
dbesc($str_group_deny), DBA::escape($str_group_deny),
intval($notify), intval($notify),
intval($page_flags), intval($page_flags),
intval($account_type), intval($account_type),
dbesc($defloc), DBA::escape($defloc),
intval($allow_location), intval($allow_location),
intval($maxreq), intval($maxreq),
intval($expire), intval($expire),
dbesc($openidserver), DBA::escape($openidserver),
intval($def_gid), intval($def_gid),
intval($blockwall), intval($blockwall),
intval($hidewall), intval($hidewall),
intval($blocktags), intval($blocktags),
intval($unkmail), intval($unkmail),
intval($cntunkmail), intval($cntunkmail),
dbesc($language), DBA::escape($language),
intval(local_user()) intval(local_user())
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -618,7 +618,7 @@ function settings_post(App $a)
`hide-friends` = %d `hide-friends` = %d
WHERE `is-default` = 1 AND `uid` = %d", WHERE `is-default` = 1 AND `uid` = %d",
intval($publish), intval($publish),
dbesc($username), DBA::escape($username),
intval($net_publish), intval($net_publish),
intval($hide_friends), intval($hide_friends),
intval(local_user()) intval(local_user())
@ -678,7 +678,7 @@ function settings_content(App $a)
if (($a->argc > 3) && ($a->argv[2] === 'edit')) { if (($a->argc > 3) && ($a->argv[2] === 'edit')) {
$r = q("SELECT * FROM clients WHERE client_id='%s' AND uid=%d", $r = q("SELECT * FROM clients WHERE client_id='%s' AND uid=%d",
dbesc($a->argv[3]), DBA::escape($a->argv[3]),
local_user()); local_user());
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {

View file

@ -159,7 +159,7 @@ EOT;
$t = q("SELECT count(tid) as tcount FROM term WHERE oid=%d AND term='%s'", $t = q("SELECT count(tid) as tcount FROM term WHERE oid=%d AND term='%s'",
intval($item['id']), intval($item['id']),
dbesc($term) DBA::escape($term)
); );
if (!$blocktags && $t[0]['tcount'] == 0) { if (!$blocktags && $t[0]['tcount'] == 0) {
@ -167,8 +167,8 @@ EOT;
intval($item['id']), intval($item['id']),
$term_objtype, $term_objtype,
TERM_HASHTAG, TERM_HASHTAG,
dbesc($term), DBA::escape($term),
dbesc(System::baseUrl() . '/search?tag=' . $term), DBA::escape(System::baseUrl() . '/search?tag=' . $term),
intval($owner_uid) intval($owner_uid)
); );
} }
@ -181,7 +181,7 @@ EOT;
); );
$t = q("SELECT COUNT(`tid`) AS `tcount` FROM `term` WHERE `oid`=%d AND `term`='%s'", $t = q("SELECT COUNT(`tid`) AS `tcount` FROM `term` WHERE `oid`=%d AND `term`='%s'",
intval($original_item['id']), intval($original_item['id']),
dbesc($term) DBA::escape($term)
); );
if (DBA::isResult($x) && !$x[0]['blocktags'] && $t[0]['tcount'] == 0){ if (DBA::isResult($x) && !$x[0]['blocktags'] && $t[0]['tcount'] == 0){
@ -189,8 +189,8 @@ EOT;
intval($original_item['id']), intval($original_item['id']),
$term_objtype, $term_objtype,
TERM_HASHTAG, TERM_HASHTAG,
dbesc($term), DBA::escape($term),
dbesc(System::baseUrl() . '/search?tag=' . $term), DBA::escape(System::baseUrl() . '/search?tag=' . $term),
intval($owner_uid) intval($owner_uid)
); );
} }

View file

@ -8,15 +8,12 @@ use Friendica\Content\Nav;
use Friendica\Core\Config; use Friendica\Core\Config;
use Friendica\Core\L10n; use Friendica\Core\L10n;
use Friendica\Core\System; use Friendica\Core\System;
use Friendica\Core\Worker;
use Friendica\Database\DBA; use Friendica\Database\DBA;
use Friendica\Model\Contact; use Friendica\Model\Contact;
use Friendica\Model\Group; use Friendica\Model\Group;
use Friendica\Model\Item; use Friendica\Model\Item;
use Friendica\Model\Profile; use Friendica\Model\Profile;
use Friendica\Model\Term;
use Friendica\Protocol\DFRN; use Friendica\Protocol\DFRN;
use Friendica\Util\DateTimeFormat;
require_once 'include/items.php'; require_once 'include/items.php';
require_once 'include/security.php'; require_once 'include/security.php';
@ -37,7 +34,7 @@ function videos_init(App $a) {
if($a->argc > 1) { if($a->argc > 1) {
$nick = $a->argv[1]; $nick = $a->argv[1];
$user = q("SELECT * FROM `user` WHERE `nickname` = '%s' AND `blocked` = 0 LIMIT 1", $user = q("SELECT * FROM `user` WHERE `nickname` = '%s' AND `blocked` = 0 LIMIT 1",
dbesc($nick) DBA::escape($nick)
); );
if(! count($user)) if(! count($user))
@ -155,16 +152,16 @@ function videos_post(App $a) {
$r = q("SELECT `id` FROM `attach` WHERE `uid` = %d AND `id` = '%s' LIMIT 1", $r = q("SELECT `id` FROM `attach` WHERE `uid` = %d AND `id` = '%s' LIMIT 1",
intval(local_user()), intval(local_user()),
dbesc($video_id) DBA::escape($video_id)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
q("DELETE FROM `attach` WHERE `uid` = %d AND `id` = '%s'", q("DELETE FROM `attach` WHERE `uid` = %d AND `id` = '%s'",
intval(local_user()), intval(local_user()),
dbesc($video_id) DBA::escape($video_id)
); );
$i = q("SELECT `id` FROM `item` WHERE `attach` like '%%attach/%s%%' AND `uid` = %d LIMIT 1", $i = q("SELECT `id` FROM `item` WHERE `attach` like '%%attach/%s%%' AND `uid` = %d LIMIT 1",
dbesc($video_id), DBA::escape($video_id),
intval(local_user()) intval(local_user())
); );

View file

@ -22,7 +22,7 @@ function viewcontacts_init(App $a)
if ($a->argc > 1) { if ($a->argc > 1) {
$nick = $a->argv[1]; $nick = $a->argv[1];
$r = q("SELECT * FROM `user` WHERE `nickname` = '%s' AND `blocked` = 0 LIMIT 1", $r = q("SELECT * FROM `user` WHERE `nickname` = '%s' AND `blocked` = 0 LIMIT 1",
dbesc($nick) DBA::escape($nick)
); );
if (! DBA::isResult($r)) { if (! DBA::isResult($r)) {
@ -63,9 +63,9 @@ function viewcontacts_content(App $a)
AND NOT `hidden` AND NOT `archive` AND NOT `hidden` AND NOT `archive`
AND `network` IN ('%s', '%s', '%s')", AND `network` IN ('%s', '%s', '%s')",
intval($a->profile['uid']), intval($a->profile['uid']),
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
dbesc(NETWORK_DIASPORA), DBA::escape(NETWORK_DIASPORA),
dbesc(NETWORK_OSTATUS) DBA::escape(NETWORK_OSTATUS)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
$a->set_pager_total($r[0]['total']); $a->set_pager_total($r[0]['total']);
@ -77,9 +77,9 @@ function viewcontacts_content(App $a)
AND `network` IN ('%s', '%s', '%s') AND `network` IN ('%s', '%s', '%s')
ORDER BY `name` ASC LIMIT %d, %d", ORDER BY `name` ASC LIMIT %d, %d",
intval($a->profile['uid']), intval($a->profile['uid']),
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
dbesc(NETWORK_DIASPORA), DBA::escape(NETWORK_DIASPORA),
dbesc(NETWORK_OSTATUS), DBA::escape(NETWORK_OSTATUS),
intval($a->pager['start']), intval($a->pager['start']),
intval($a->pager['itemspage']) intval($a->pager['itemspage'])
); );

View file

@ -18,7 +18,7 @@ function wall_attach_post(App $a) {
if($a->argc > 1) { if($a->argc > 1) {
$nick = $a->argv[1]; $nick = $a->argv[1];
$r = q("SELECT `user`.*, `contact`.`id` FROM `user` LEFT JOIN `contact` on `user`.`uid` = `contact`.`uid` WHERE `user`.`nickname` = '%s' AND `user`.`blocked` = 0 and `contact`.`self` = 1 LIMIT 1", $r = q("SELECT `user`.*, `contact`.`id` FROM `user` LEFT JOIN `contact` on `user`.`uid` = `contact`.`uid` WHERE `user`.`nickname` = '%s' AND `user`.`blocked` = 0 and `contact`.`self` = 1 LIMIT 1",
dbesc($nick) DBA::escape($nick)
); );
if (! DBA::isResult($r)) { if (! DBA::isResult($r)) {
if ($r_json) { if ($r_json) {
@ -145,8 +145,8 @@ function wall_attach_post(App $a) {
$r = q("SELECT `id` FROM `attach` WHERE `uid` = %d AND `created` = '%s' AND `hash` = '%s' LIMIT 1", $r = q("SELECT `id` FROM `attach` WHERE `uid` = %d AND `created` = '%s' AND `hash` = '%s' LIMIT 1",
intval($page_owner_uid), intval($page_owner_uid),
dbesc($created), DBA::escape($created),
dbesc($hash) DBA::escape($hash)
); );
if (! DBA::isResult($r)) { if (! DBA::isResult($r)) {

View file

@ -30,7 +30,7 @@ function wall_upload_post(App $a, $desktopmode = true)
INNER JOIN `contact` on `user`.`uid` = `contact`.`uid` INNER JOIN `contact` on `user`.`uid` = `contact`.`uid`
WHERE `user`.`nickname` = '%s' AND `user`.`blocked` = 0 WHERE `user`.`nickname` = '%s' AND `user`.`blocked` = 0
AND `contact`.`self` = 1 LIMIT 1", AND `contact`.`self` = 1 LIMIT 1",
dbesc($nick) DBA::escape($nick)
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
@ -46,7 +46,7 @@ function wall_upload_post(App $a, $desktopmode = true)
INNER JOIN `contact` on `user`.`uid` = `contact`.`uid` INNER JOIN `contact` on `user`.`uid` = `contact`.`uid`
WHERE `user`.`nickname` = '%s' AND `user`.`blocked` = 0 WHERE `user`.`nickname` = '%s' AND `user`.`blocked` = 0
AND `contact`.`self` = 1 LIMIT 1", AND `contact`.`self` = 1 LIMIT 1",
dbesc($user_info['screen_name']) DBA::escape($user_info['screen_name'])
); );
} }
} else { } else {

View file

@ -26,7 +26,7 @@ function wallmessage_post(App $a) {
} }
$r = q("select * from user where nickname = '%s' limit 1", $r = q("select * from user where nickname = '%s' limit 1",
dbesc($recipient) DBA::escape($recipient)
); );
if (! DBA::isResult($r)) { if (! DBA::isResult($r)) {
@ -88,7 +88,7 @@ function wallmessage_content(App $a) {
} }
$r = q("select * from user where nickname = '%s' limit 1", $r = q("select * from user where nickname = '%s' limit 1",
dbesc($recipient) DBA::escape($recipient)
); );
if (! DBA::isResult($r)) { if (! DBA::isResult($r)) {

View file

@ -85,7 +85,7 @@ class ACL extends BaseObject
if (!empty($x['networks'])) { if (!empty($x['networks'])) {
/// @TODO rewrite to foreach() /// @TODO rewrite to foreach()
array_walk($x['networks'], function (&$value) { array_walk($x['networks'], function (&$value) {
$value = "'" . dbesc($value) . "'"; $value = "'" . DBA::escape($value) . "'";
}); });
$str_nets = implode(',', $x['networks']); $str_nets = implode(',', $x['networks']);
$sql_extra .= " AND `network` IN ( $str_nets ) "; $sql_extra .= " AND `network` IN ( $str_nets ) ";

View file

@ -66,7 +66,7 @@ class NotificationsManager extends BaseObject
$filter_str = []; $filter_str = [];
$filter_sql = ""; $filter_sql = "";
foreach ($filter as $column => $value) { foreach ($filter as $column => $value) {
$filter_str[] = sprintf("`%s` = '%s'", $column, dbesc($value)); $filter_str[] = sprintf("`%s` = '%s'", $column, DBA::escape($value));
} }
if (count($filter_str) > 0) { if (count($filter_str) > 0) {
$filter_sql = "AND " . implode(" AND ", $filter_str); $filter_sql = "AND " . implode(" AND ", $filter_str);
@ -134,9 +134,9 @@ class NotificationsManager extends BaseObject
return q( return q(
"UPDATE `notify` SET `seen` = %d WHERE (`link` = '%s' OR (`parent` != 0 AND `parent` = %d AND `otype` = '%s')) AND `uid` = %d", "UPDATE `notify` SET `seen` = %d WHERE (`link` = '%s' OR (`parent` != 0 AND `parent` = %d AND `otype` = '%s')) AND `uid` = %d",
intval($seen), intval($seen),
dbesc($note['link']), DBA::escape($note['link']),
intval($note['parent']), intval($note['parent']),
dbesc($note['otype']), DBA::escape($note['otype']),
intval(local_user()) intval(local_user())
); );
} }

View file

@ -35,7 +35,7 @@ class UserImport
*/ */
private static function checkCols($table, &$arr) private static function checkCols($table, &$arr)
{ {
$query = sprintf("SHOW COLUMNS IN `%s`", dbesc($table)); $query = sprintf("SHOW COLUMNS IN `%s`", DBA::escape($table));
logger("uimport: $query", LOGGER_DEBUG); logger("uimport: $query", LOGGER_DEBUG);
$r = q($query); $r = q($query);
$tcols = []; $tcols = [];
@ -64,8 +64,8 @@ class UserImport
} }
self::checkCols($table, $arr); self::checkCols($table, $arr);
$cols = implode("`,`", array_map('dbesc', array_keys($arr))); $cols = implode("`,`", array_map(['Friendica\Database\DBA', 'escape'], array_keys($arr)));
$vals = implode("','", array_map('dbesc', array_values($arr))); $vals = implode("','", array_map(['Friendica\Database\DBA', 'escape'], array_values($arr)));
$query = "INSERT INTO `$table` (`$cols`) VALUES ('$vals')"; $query = "INSERT INTO `$table` (`$cols`) VALUES ('$vals')";
logger("uimport: $query", LOGGER_TRACE); logger("uimport: $query", LOGGER_TRACE);

View file

@ -251,11 +251,15 @@ class DBA
} }
public static function escape($str) { public static function escape($str) {
switch (self::$driver) { if (self::$connected) {
case 'pdo': switch (self::$driver) {
return substr(@self::$connection->quote($str, PDO::PARAM_STR), 1, -1); case 'pdo':
case 'mysqli': return substr(@self::$connection->quote($str, PDO::PARAM_STR), 1, -1);
return @self::$connection->real_escape_string($str); case 'mysqli':
return @self::$connection->real_escape_string($str);
}
} else {
return str_replace("'", "\\'", $str);
} }
} }
@ -1610,7 +1614,7 @@ class DBA
if (is_bool($value)) { if (is_bool($value)) {
$value = ($value ? '1' : '0'); $value = ($value ? '1' : '0');
} else { } else {
$value = dbesc($value); $value = self::escape($value);
} }
return; return;
} }
@ -1620,7 +1624,7 @@ class DBA
} elseif (is_float($value) || is_integer($value)) { } elseif (is_float($value) || is_integer($value)) {
$value = (string) $value; $value = (string) $value;
} else { } else {
$value = "'" . dbesc($value) . "'"; $value = "'" . self::escape($value) . "'";
} }
} }

View file

@ -27,7 +27,7 @@ class DBStructure
*/ */
public static function convertToInnoDB() { public static function convertToInnoDB() {
$r = q("SELECT `TABLE_NAME` FROM `information_schema`.`tables` WHERE `engine` = 'MyISAM' AND `table_schema` = '%s'", $r = q("SELECT `TABLE_NAME` FROM `information_schema`.`tables` WHERE `engine` = 'MyISAM' AND `table_schema` = '%s'",
dbesc(DBA::databaseName())); DBA::escape(DBA::databaseName()));
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
echo L10n::t('There are no tables on MyISAM.')."\n"; echo L10n::t('There are no tables on MyISAM.')."\n";
@ -35,7 +35,7 @@ class DBStructure
} }
foreach ($r AS $table) { foreach ($r AS $table) {
$sql = sprintf("ALTER TABLE `%s` engine=InnoDB;", dbesc($table['TABLE_NAME'])); $sql = sprintf("ALTER TABLE `%s` engine=InnoDB;", DBA::escape($table['TABLE_NAME']));
echo $sql."\n"; echo $sql."\n";
$result = DBA::e($sql); $result = DBA::e($sql);
@ -55,7 +55,7 @@ class DBStructure
$a = get_app(); $a = get_app();
//send the administrators an e-mail //send the administrators an e-mail
$admin_mail_list = "'".implode("','", array_map('dbesc', explode(",", str_replace(" ", "", Config::get('config', 'admin_email')))))."'"; $admin_mail_list = "'".implode("','", array_map(['Friendica\Database\DBA', 'escape'], explode(",", str_replace(" ", "", Config::get('config', 'admin_email')))))."'";
$adminlist = q("SELECT uid, language, email FROM user WHERE email IN (%s)", $adminlist = q("SELECT uid, language, email FROM user WHERE email IN (%s)",
$admin_mail_list $admin_mail_list
); );
@ -369,7 +369,7 @@ class DBStructure
if (isset($database[$name]["table_status"]["Comment"])) { if (isset($database[$name]["table_status"]["Comment"])) {
if ($database[$name]["table_status"]["Comment"] != $structure['comment']) { if ($database[$name]["table_status"]["Comment"] != $structure['comment']) {
$sql2 = "COMMENT = '".dbesc($structure['comment'])."'"; $sql2 = "COMMENT = '".DBA::escape($structure['comment'])."'";
if ($sql3 == "") { if ($sql3 == "") {
$sql3 = "ALTER" . $ignore . " TABLE `".$temp_name."` ".$sql2; $sql3 = "ALTER" . $ignore . " TABLE `".$temp_name."` ".$sql2;
@ -381,7 +381,7 @@ class DBStructure
if (isset($database[$name]["table_status"]["Engine"]) && isset($structure['engine'])) { if (isset($database[$name]["table_status"]["Engine"]) && isset($structure['engine'])) {
if ($database[$name]["table_status"]["Engine"] != $structure['engine']) { if ($database[$name]["table_status"]["Engine"] != $structure['engine']) {
$sql2 = "ENGINE = '".dbesc($structure['engine'])."'"; $sql2 = "ENGINE = '".DBA::escape($structure['engine'])."'";
if ($sql3 == "") { if ($sql3 == "") {
$sql3 = "ALTER" . $ignore . " TABLE `".$temp_name."` ".$sql2; $sql3 = "ALTER" . $ignore . " TABLE `".$temp_name."` ".$sql2;
@ -558,7 +558,7 @@ class DBStructure
} }
if (isset($parameters["comment"])) { if (isset($parameters["comment"])) {
$fieldstruct .= " COMMENT '".dbesc($parameters["comment"])."'"; $fieldstruct .= " COMMENT '".DBA::escape($parameters["comment"])."'";
} }
/*if (($parameters["primary"] != "") && $create) /*if (($parameters["primary"] != "") && $create)
@ -575,7 +575,7 @@ class DBStructure
$sql_rows = []; $sql_rows = [];
$primary_keys = []; $primary_keys = [];
foreach ($structure["fields"] AS $fieldname => $field) { foreach ($structure["fields"] AS $fieldname => $field) {
$sql_rows[] = "`".dbesc($fieldname)."` ".self::FieldCommand($field); $sql_rows[] = "`".DBA::escape($fieldname)."` ".self::FieldCommand($field);
if (x($field,'primary') && $field['primary']!='') { if (x($field,'primary') && $field['primary']!='') {
$primary_keys[] = $fieldname; $primary_keys[] = $fieldname;
} }
@ -595,12 +595,12 @@ class DBStructure
} }
if (isset($structure["comment"])) { if (isset($structure["comment"])) {
$comment = " COMMENT='" . dbesc($structure["comment"]) . "'"; $comment = " COMMENT='" . DBA::escape($structure["comment"]) . "'";
} }
$sql = implode(",\n\t", $sql_rows); $sql = implode(",\n\t", $sql_rows);
$sql = sprintf("CREATE TABLE IF NOT EXISTS `%s` (\n\t", dbesc($name)).$sql. $sql = sprintf("CREATE TABLE IF NOT EXISTS `%s` (\n\t", DBA::escape($name)).$sql.
"\n)" . $engine . " DEFAULT COLLATE utf8mb4_general_ci" . $comment; "\n)" . $engine . " DEFAULT COLLATE utf8mb4_general_ci" . $comment;
if ($verbose) { if ($verbose) {
echo $sql.";\n"; echo $sql.";\n";
@ -614,17 +614,17 @@ class DBStructure
} }
private static function addTableField($fieldname, $parameters) { private static function addTableField($fieldname, $parameters) {
$sql = sprintf("ADD `%s` %s", dbesc($fieldname), self::FieldCommand($parameters)); $sql = sprintf("ADD `%s` %s", DBA::escape($fieldname), self::FieldCommand($parameters));
return($sql); return($sql);
} }
private static function modifyTableField($fieldname, $parameters) { private static function modifyTableField($fieldname, $parameters) {
$sql = sprintf("MODIFY `%s` %s", dbesc($fieldname), self::FieldCommand($parameters, false)); $sql = sprintf("MODIFY `%s` %s", DBA::escape($fieldname), self::FieldCommand($parameters, false));
return($sql); return($sql);
} }
private static function dropIndex($indexname) { private static function dropIndex($indexname) {
$sql = sprintf("DROP INDEX `%s`", dbesc($indexname)); $sql = sprintf("DROP INDEX `%s`", DBA::escape($indexname));
return($sql); return($sql);
} }
@ -646,9 +646,9 @@ class DBStructure
} }
if (preg_match('|(.+)\((\d+)\)|', $fieldname, $matches)) { if (preg_match('|(.+)\((\d+)\)|', $fieldname, $matches)) {
$names .= "`".dbesc($matches[1])."`(".intval($matches[2]).")"; $names .= "`".DBA::escape($matches[1])."`(".intval($matches[2]).")";
} else { } else {
$names .= "`".dbesc($fieldname)."`"; $names .= "`".DBA::escape($fieldname)."`";
} }
} }
@ -657,7 +657,7 @@ class DBStructure
} }
$sql = sprintf("%s INDEX `%s` (%s)", $method, dbesc($indexname), $names); $sql = sprintf("%s INDEX `%s` (%s)", $method, DBA::escape($indexname), $names);
return($sql); return($sql);
} }
@ -675,9 +675,9 @@ class DBStructure
} }
if (preg_match('|(.+)\((\d+)\)|', $fieldname, $matches)) { if (preg_match('|(.+)\((\d+)\)|', $fieldname, $matches)) {
$names .= "`".dbesc($matches[1])."`"; $names .= "`".DBA::escape($matches[1])."`";
} else { } else {
$names .= "`".dbesc($fieldname)."`"; $names .= "`".DBA::escape($fieldname)."`";
} }
} }

View file

@ -76,7 +76,7 @@ class PostUpdate
$r = q($query1.$query2.$query3." ORDER BY `item`.`id` LIMIT 1", $r = q($query1.$query2.$query3." ORDER BY `item`.`id` LIMIT 1",
intval($start_id), intval($end_id), intval($start_id), intval($end_id),
dbesc(NETWORK_DFRN), dbesc(NETWORK_DIASPORA), dbesc(NETWORK_OSTATUS)); DBA::escape(NETWORK_DFRN), DBA::escape(NETWORK_DIASPORA), DBA::escape(NETWORK_OSTATUS));
if (!$r) { if (!$r) {
Config::set("system", "post_update_version", 1194); Config::set("system", "post_update_version", 1194);
logger("Update is done", LOGGER_DEBUG); logger("Update is done", LOGGER_DEBUG);
@ -90,7 +90,7 @@ class PostUpdate
$r = q($query1.$query2.$query3." ORDER BY `item`.`id` LIMIT 1000,1", $r = q($query1.$query2.$query3." ORDER BY `item`.`id` LIMIT 1000,1",
intval($start_id), intval($end_id), intval($start_id), intval($end_id),
dbesc(NETWORK_DFRN), dbesc(NETWORK_DIASPORA), dbesc(NETWORK_OSTATUS)); DBA::escape(NETWORK_DFRN), DBA::escape(NETWORK_DIASPORA), DBA::escape(NETWORK_OSTATUS));
if ($r) { if ($r) {
$pos_id = $r[0]["id"]; $pos_id = $r[0]["id"];
} else { } else {
@ -100,7 +100,7 @@ class PostUpdate
q("UPDATE `item` ".$query2." SET `item`.`global` = 1 ".$query3, q("UPDATE `item` ".$query2." SET `item`.`global` = 1 ".$query3,
intval($start_id), intval($pos_id), intval($start_id), intval($pos_id),
dbesc(NETWORK_DFRN), dbesc(NETWORK_DIASPORA), dbesc(NETWORK_OSTATUS)); DBA::escape(NETWORK_DFRN), DBA::escape(NETWORK_DIASPORA), DBA::escape(NETWORK_OSTATUS));
logger("Done", LOGGER_DEBUG); logger("Done", LOGGER_DEBUG);
} }

View file

@ -536,7 +536,7 @@ class Contact extends BaseObject
$r = q("SELECT `id`, `id` AS `cid`, 0 AS `gid`, 0 AS `zid`, `uid`, `url`, `nurl`, `alias`, `network`, `name`, `nick`, `addr`, `location`, `about`, `xmpp`, $r = q("SELECT `id`, `id` AS `cid`, 0 AS `gid`, 0 AS `zid`, `uid`, `url`, `nurl`, `alias`, `network`, `name`, `nick`, `addr`, `location`, `about`, `xmpp`,
`keywords`, `gender`, `photo`, `thumb`, `micro`, `forum`, `prv`, (`forum` | `prv`) AS `community`, `contact-type`, `bd` AS `birthday`, `self` `keywords`, `gender`, `photo`, `thumb`, `micro`, `forum`, `prv`, (`forum` | `prv`) AS `community`, `contact-type`, `bd` AS `birthday`, `self`
FROM `contact` WHERE `addr` = '%s' AND `uid` = %d", FROM `contact` WHERE `addr` = '%s' AND `uid` = %d",
dbesc($addr), DBA::escape($addr),
intval($uid) intval($uid)
); );
// Fetch the data from the contact table with "uid=0" (which is filled automatically) // Fetch the data from the contact table with "uid=0" (which is filled automatically)
@ -544,7 +544,7 @@ class Contact extends BaseObject
$r = q("SELECT `id`, 0 AS `cid`, `id` AS `zid`, 0 AS `gid`, `uid`, `url`, `nurl`, `alias`, `network`, `name`, `nick`, `addr`, `location`, `about`, `xmpp`, $r = q("SELECT `id`, 0 AS `cid`, `id` AS `zid`, 0 AS `gid`, `uid`, `url`, `nurl`, `alias`, `network`, `name`, `nick`, `addr`, `location`, `about`, `xmpp`,
`keywords`, `gender`, `photo`, `thumb`, `micro`, `forum`, `prv`, (`forum` | `prv`) AS `community`, `contact-type`, `bd` AS `birthday`, 0 AS `self` `keywords`, `gender`, `photo`, `thumb`, `micro`, `forum`, `prv`, (`forum` | `prv`) AS `community`, `contact-type`, `bd` AS `birthday`, 0 AS `self`
FROM `contact` WHERE `addr` = '%s' AND `uid` = 0", FROM `contact` WHERE `addr` = '%s' AND `uid` = 0",
dbesc($addr) DBA::escape($addr)
); );
} }
@ -553,7 +553,7 @@ class Contact extends BaseObject
$r = q("SELECT 0 AS `id`, 0 AS `cid`, `id` AS `gid`, 0 AS `zid`, 0 AS `uid`, `url`, `nurl`, `alias`, `network`, `name`, `nick`, `addr`, `location`, `about`, '' AS `xmpp`, $r = q("SELECT 0 AS `id`, 0 AS `cid`, `id` AS `gid`, 0 AS `zid`, 0 AS `uid`, `url`, `nurl`, `alias`, `network`, `name`, `nick`, `addr`, `location`, `about`, '' AS `xmpp`,
`keywords`, `gender`, `photo`, `photo` AS `thumb`, `photo` AS `micro`, `community` AS `forum`, 0 AS `prv`, `community`, `contact-type`, `birthday`, 0 AS `self` `keywords`, `gender`, `photo`, `photo` AS `thumb`, `photo` AS `micro`, `community` AS `forum`, 0 AS `prv`, `community`, `contact-type`, `birthday`, 0 AS `self`
FROM `gcontact` WHERE `addr` = '%s'", FROM `gcontact` WHERE `addr` = '%s'",
dbesc($addr) DBA::escape($addr)
); );
} }
@ -1014,7 +1014,7 @@ class Contact extends BaseObject
// This speeds up the query a lot // This speeds up the query a lot
$r = q("SELECT `network`, `id` AS `author-id`, `contact-type` FROM `contact` $r = q("SELECT `network`, `id` AS `author-id`, `contact-type` FROM `contact`
WHERE `contact`.`nurl` = '%s' AND `contact`.`uid` = 0", WHERE `contact`.`nurl` = '%s' AND `contact`.`uid` = 0",
dbesc(normalise_link($contact_url)) DBA::escape(normalise_link($contact_url))
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
@ -1297,16 +1297,16 @@ class Contact extends BaseObject
$r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `poll` IN ('%s', '%s') AND `network` = '%s' AND NOT `pending` LIMIT 1", $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `poll` IN ('%s', '%s') AND `network` = '%s' AND NOT `pending` LIMIT 1",
intval($uid), intval($uid),
dbesc($ret['poll']), DBA::escape($ret['poll']),
dbesc(normalise_link($ret['poll'])), DBA::escape(normalise_link($ret['poll'])),
dbesc($ret['network']) DBA::escape($ret['network'])
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
$r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `nurl` = '%s' AND `network` = '%s' AND NOT `pending` LIMIT 1", $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `nurl` = '%s' AND `network` = '%s' AND NOT `pending` LIMIT 1",
intval($uid), intval($uid),
dbesc(normalise_link($url)), DBA::escape(normalise_link($url)),
dbesc($ret['network']) DBA::escape($ret['network'])
); );
} }
@ -1517,13 +1517,13 @@ class Contact extends BaseObject
`blocked`, `readonly`, `pending`, `writable`) `blocked`, `readonly`, `pending`, `writable`)
VALUES (%d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, 0, 0, 1, 1)", VALUES (%d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, 0, 0, 1, 1)",
intval($importer['uid']), intval($importer['uid']),
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
dbesc($url), DBA::escape($url),
dbesc(normalise_link($url)), DBA::escape(normalise_link($url)),
dbesc($name), DBA::escape($name),
dbesc($nick), DBA::escape($nick),
dbesc($photo), DBA::escape($photo),
dbesc(NETWORK_OSTATUS), DBA::escape(NETWORK_OSTATUS),
intval(CONTACT_IS_FOLLOWER) intval(CONTACT_IS_FOLLOWER)
); );
@ -1574,7 +1574,7 @@ class Contact extends BaseObject
} elseif (DBA::isResult($user) && in_array($user['page-flags'], [PAGE_SOAPBOX, PAGE_FREELOVE, PAGE_COMMUNITY])) { } elseif (DBA::isResult($user) && in_array($user['page-flags'], [PAGE_SOAPBOX, PAGE_FREELOVE, PAGE_COMMUNITY])) {
q("UPDATE `contact` SET `pending` = 0 WHERE `uid` = %d AND `url` = '%s' AND `pending` LIMIT 1", q("UPDATE `contact` SET `pending` = 0 WHERE `uid` = %d AND `url` = '%s' AND `pending` LIMIT 1",
intval($importer['uid']), intval($importer['uid']),
dbesc($url) DBA::escape($url)
); );
} }
} }
@ -1625,7 +1625,7 @@ class Contact extends BaseObject
// Check for duplicates // Check for duplicates
$s = q("SELECT `id` FROM `event` WHERE `uid` = %d AND `cid` = %d AND `start` = '%s' AND `type` = '%s' LIMIT 1", $s = q("SELECT `id` FROM `event` WHERE `uid` = %d AND `cid` = %d AND `start` = '%s' AND `type` = '%s' LIMIT 1",
intval($rr['uid']), intval($rr['id']), dbesc(DateTimeFormat::utc($nextbd)), dbesc('birthday')); intval($rr['uid']), intval($rr['id']), DBA::escape(DateTimeFormat::utc($nextbd)), DBA::escape('birthday'));
if (DBA::isResult($s)) { if (DBA::isResult($s)) {
continue; continue;
@ -1636,15 +1636,15 @@ class Contact extends BaseObject
q("INSERT INTO `event` (`uid`,`cid`,`created`,`edited`,`start`,`finish`,`summary`,`desc`,`type`,`adjust`) q("INSERT INTO `event` (`uid`,`cid`,`created`,`edited`,`start`,`finish`,`summary`,`desc`,`type`,`adjust`)
VALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%d' ) ", intval($rr['uid']), intval($rr['id']), VALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%d' ) ", intval($rr['uid']), intval($rr['id']),
dbesc(DateTimeFormat::utcNow()), dbesc(DateTimeFormat::utcNow()), dbesc(DateTimeFormat::utc($nextbd)), DBA::escape(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utc($nextbd)),
dbesc(DateTimeFormat::utc($nextbd . ' + 1 day ')), dbesc($bdtext), dbesc($bdtext2), dbesc('birthday'), DBA::escape(DateTimeFormat::utc($nextbd . ' + 1 day ')), DBA::escape($bdtext), DBA::escape($bdtext2), DBA::escape('birthday'),
intval(0) intval(0)
); );
// update bdyear // update bdyear
q("UPDATE `contact` SET `bdyear` = '%s', `bd` = '%s' WHERE `uid` = %d AND `id` = %d", dbesc(substr($nextbd, 0, 4)), q("UPDATE `contact` SET `bdyear` = '%s', `bd` = '%s' WHERE `uid` = %d AND `id` = %d", DBA::escape(substr($nextbd, 0, 4)),
dbesc($nextbd), intval($rr['uid']), intval($rr['id']) DBA::escape($nextbd), intval($rr['uid']), intval($rr['id'])
); );
} }
} }
@ -1661,7 +1661,7 @@ class Contact extends BaseObject
return; return;
} }
$str = dbesc(implode(',', $contact_ids)); $str = DBA::escape(implode(',', $contact_ids));
$stmt = DBA::p("SELECT `id` FROM `contact` WHERE `id` IN ( " . $str . ") AND `blocked` = 0 AND `pending` = 0 AND `archive` = 0"); $stmt = DBA::p("SELECT `id` FROM `contact` WHERE `id` IN ( " . $str . ") AND `blocked` = 0 AND `pending` = 0 AND `archive` = 0");

View file

@ -510,12 +510,12 @@ class Event extends BaseObject
$sql_extra ", $sql_extra ",
intval($owner_uid), intval($owner_uid),
intval($event_params["ignore"]), intval($event_params["ignore"]),
dbesc($event_params["start"]), DBA::escape($event_params["start"]),
dbesc($event_params["start"]), DBA::escape($event_params["start"]),
dbesc($event_params["finish"]), DBA::escape($event_params["finish"]),
dbesc($event_params["adjust_start"]), DBA::escape($event_params["adjust_start"]),
dbesc($event_params["adjust_start"]), DBA::escape($event_params["adjust_start"]),
dbesc($event_params["adjust_finish"]) DBA::escape($event_params["adjust_finish"])
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {

View file

@ -112,12 +112,12 @@ class GContact
intval($uid), intval($uid),
intval($gcid), intval($gcid),
intval($zcid), intval($zcid),
dbesc(DateTimeFormat::utcNow()) DBA::escape(DateTimeFormat::utcNow())
); );
} else { } else {
q( q(
"UPDATE `glink` SET `updated` = '%s' WHERE `cid` = %d AND `uid` = %d AND `gcid` = %d AND `zcid` = %d", "UPDATE `glink` SET `updated` = '%s' WHERE `cid` = %d AND `uid` = %d AND `gcid` = %d AND `zcid` = %d",
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
intval($cid), intval($cid),
intval($uid), intval($uid),
intval($gcid), intval($gcid),
@ -176,8 +176,8 @@ class GContact
if (!isset($gcontact['network'])) { if (!isset($gcontact['network'])) {
$r = q( $r = q(
"SELECT `network` FROM `contact` WHERE `uid` = 0 AND `nurl` = '%s' AND `network` != '' AND `network` != '%s' LIMIT 1", "SELECT `network` FROM `contact` WHERE `uid` = 0 AND `nurl` = '%s' AND `network` != '' AND `network` != '%s' LIMIT 1",
dbesc(normalise_link($gcontact['url'])), DBA::escape(normalise_link($gcontact['url'])),
dbesc(NETWORK_STATUSNET) DBA::escape(NETWORK_STATUSNET)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
$gcontact['network'] = $r[0]["network"]; $gcontact['network'] = $r[0]["network"];
@ -186,9 +186,9 @@ class GContact
if (($gcontact['network'] == "") || ($gcontact['network'] == NETWORK_OSTATUS)) { if (($gcontact['network'] == "") || ($gcontact['network'] == NETWORK_OSTATUS)) {
$r = q( $r = q(
"SELECT `network`, `url` FROM `contact` WHERE `uid` = 0 AND `alias` IN ('%s', '%s') AND `network` != '' AND `network` != '%s' LIMIT 1", "SELECT `network`, `url` FROM `contact` WHERE `uid` = 0 AND `alias` IN ('%s', '%s') AND `network` != '' AND `network` != '%s' LIMIT 1",
dbesc($gcontact['url']), DBA::escape($gcontact['url']),
dbesc(normalise_link($gcontact['url'])), DBA::escape(normalise_link($gcontact['url'])),
dbesc(NETWORK_STATUSNET) DBA::escape(NETWORK_STATUSNET)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
$gcontact['network'] = $r[0]["network"]; $gcontact['network'] = $r[0]["network"];
@ -201,7 +201,7 @@ class GContact
$x = q( $x = q(
"SELECT * FROM `gcontact` WHERE `nurl` = '%s' LIMIT 1", "SELECT * FROM `gcontact` WHERE `nurl` = '%s' LIMIT 1",
dbesc(normalise_link($gcontact['url'])) DBA::escape(normalise_link($gcontact['url']))
); );
if (DBA::isResult($x)) { if (DBA::isResult($x)) {
@ -489,7 +489,7 @@ class GContact
intval($uid), intval($uid),
intval($uid), intval($uid),
intval($uid), intval($uid),
dbesc(NULL_DATE), DBA::escape(NULL_DATE),
$sql_network, $sql_network,
intval($start), intval($start),
intval($limit) intval($limit)
@ -518,7 +518,7 @@ class GContact
intval($uid), intval($uid),
intval($uid), intval($uid),
intval($uid), intval($uid),
dbesc(NULL_DATE), DBA::escape(NULL_DATE),
$sql_network, $sql_network,
intval($start), intval($start),
intval($limit) intval($limit)
@ -580,8 +580,8 @@ class GContact
// Query your contacts from Friendica and Redmatrix/Hubzilla for their contacts // Query your contacts from Friendica and Redmatrix/Hubzilla for their contacts
$r = q( $r = q(
"SELECT DISTINCT(`poco`) AS `poco` FROM `contact` WHERE `network` IN ('%s', '%s')", "SELECT DISTINCT(`poco`) AS `poco` FROM `contact` WHERE `network` IN ('%s', '%s')",
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
dbesc(NETWORK_DIASPORA) DBA::escape(NETWORK_DIASPORA)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -690,7 +690,7 @@ class GContact
DBA::lock('gcontact'); DBA::lock('gcontact');
$r = q( $r = q(
"SELECT `id`, `last_contact`, `last_failure`, `network` FROM `gcontact` WHERE `nurl` = '%s' LIMIT 1", "SELECT `id`, `last_contact`, `last_failure`, `network` FROM `gcontact` WHERE `nurl` = '%s' LIMIT 1",
dbesc(normalise_link($contact["url"])) DBA::escape(normalise_link($contact["url"]))
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -708,24 +708,24 @@ class GContact
q( q(
"INSERT INTO `gcontact` (`name`, `nick`, `addr` , `network`, `url`, `nurl`, `photo`, `created`, `updated`, `location`, `about`, `hide`, `generation`) "INSERT INTO `gcontact` (`name`, `nick`, `addr` , `network`, `url`, `nurl`, `photo`, `created`, `updated`, `location`, `about`, `hide`, `generation`)
VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d)", VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d)",
dbesc($contact["name"]), DBA::escape($contact["name"]),
dbesc($contact["nick"]), DBA::escape($contact["nick"]),
dbesc($contact["addr"]), DBA::escape($contact["addr"]),
dbesc($contact["network"]), DBA::escape($contact["network"]),
dbesc($contact["url"]), DBA::escape($contact["url"]),
dbesc(normalise_link($contact["url"])), DBA::escape(normalise_link($contact["url"])),
dbesc($contact["photo"]), DBA::escape($contact["photo"]),
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
dbesc($contact["location"]), DBA::escape($contact["location"]),
dbesc($contact["about"]), DBA::escape($contact["about"]),
intval($contact["hide"]), intval($contact["hide"]),
intval($contact["generation"]) intval($contact["generation"])
); );
$r = q( $r = q(
"SELECT `id`, `network` FROM `gcontact` WHERE `nurl` = '%s' ORDER BY `id` LIMIT 2", "SELECT `id`, `network` FROM `gcontact` WHERE `nurl` = '%s' ORDER BY `id` LIMIT 2",
dbesc(normalise_link($contact["url"])) DBA::escape(normalise_link($contact["url"]))
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -1048,8 +1048,8 @@ class GContact
$r = q( $r = q(
"SELECT `nurl`, `url` FROM `gserver` WHERE `last_contact` >= `last_failure` AND `network` = '%s' AND `last_poco_query` < '%s' ORDER BY RAND() LIMIT 5", "SELECT `nurl`, `url` FROM `gserver` WHERE `last_contact` >= `last_failure` AND `network` = '%s' AND `last_poco_query` < '%s' ORDER BY RAND() LIMIT 5",
dbesc(NETWORK_OSTATUS), DBA::escape(NETWORK_OSTATUS),
dbesc($last_update) DBA::escape($last_update)
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
@ -1058,7 +1058,7 @@ class GContact
foreach ($r as $server) { foreach ($r as $server) {
self::fetchGsUsers($server["url"]); self::fetchGsUsers($server["url"]);
q("UPDATE `gserver` SET `last_poco_query` = '%s' WHERE `nurl` = '%s'", dbesc(DateTimeFormat::utcNow()), dbesc($server["nurl"])); q("UPDATE `gserver` SET `last_poco_query` = '%s' WHERE `nurl` = '%s'", DBA::escape(DateTimeFormat::utcNow()), DBA::escape($server["nurl"]));
} }
} }
@ -1072,7 +1072,7 @@ class GContact
AND `last_contact` >= `last_failure` AND `last_contact` >= `last_failure`
AND `updated` > UTC_TIMESTAMP - INTERVAL 1 MONTH AND `updated` > UTC_TIMESTAMP - INTERVAL 1 MONTH
ORDER BY rand() LIMIT 1", ORDER BY rand() LIMIT 1",
dbesc(NETWORK_DFRN) DBA::escape(NETWORK_DFRN)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {

View file

@ -58,8 +58,8 @@ class Mail
$reply = true; $reply = true;
$r = q("SELECT `convid` FROM `mail` WHERE `uid` = %d AND (`uri` = '%s' OR `parent-uri` = '%s') LIMIT 1", $r = q("SELECT `convid` FROM `mail` WHERE `uid` = %d AND (`uri` = '%s' OR `parent-uri` = '%s') LIMIT 1",
intval(local_user()), intval(local_user()),
dbesc($replyto), DBA::escape($replyto),
dbesc($replyto) DBA::escape($replyto)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
$convid = $r[0]['convid']; $convid = $r[0]['convid'];

View file

@ -239,8 +239,8 @@ class Photo
WHERE `uid` = %d AND `album` != '%s' AND `album` != '%s' $sql_extra WHERE `uid` = %d AND `album` != '%s' AND `album` != '%s' $sql_extra
GROUP BY `album` ORDER BY `created` DESC", GROUP BY `album` ORDER BY `created` DESC",
intval($uid), intval($uid),
dbesc('Contact Photos'), DBA::escape('Contact Photos'),
dbesc(L10n::t('Contact Photos')) DBA::escape(L10n::t('Contact Photos'))
); );
} else { } else {
// This query doesn't do the count and is much faster // This query doesn't do the count and is much faster
@ -248,8 +248,8 @@ class Photo
FROM `photo` USE INDEX (`uid_album_scale_created`) FROM `photo` USE INDEX (`uid_album_scale_created`)
WHERE `uid` = %d AND `album` != '%s' AND `album` != '%s' $sql_extra", WHERE `uid` = %d AND `album` != '%s' AND `album` != '%s' $sql_extra",
intval($uid), intval($uid),
dbesc('Contact Photos'), DBA::escape('Contact Photos'),
dbesc(L10n::t('Contact Photos')) DBA::escape(L10n::t('Contact Photos'))
); );
} }
Cache::set($key, $albums, CACHE_DAY); Cache::set($key, $albums, CACHE_DAY);

View file

@ -346,7 +346,7 @@ class Profile
$r = q( $r = q(
"SELECT `url` FROM `contact` WHERE `uid` = %d AND `nurl` = '%s' AND `rel` = %d", "SELECT `url` FROM `contact` WHERE `uid` = %d AND `nurl` = '%s' AND `rel` = %d",
intval($profile['uid']), intval($profile['uid']),
dbesc(normalise_link(self::getMyURL())), DBA::escape(normalise_link(self::getMyURL())),
intval(CONTACT_IS_FRIEND) intval(CONTACT_IS_FRIEND)
); );
} }
@ -463,9 +463,9 @@ class Profile
AND NOT `hidden` AND NOT `archive` AND NOT `hidden` AND NOT `archive`
AND `network` IN ('%s', '%s', '%s', '')", AND `network` IN ('%s', '%s', '%s', '')",
intval($profile['uid']), intval($profile['uid']),
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
dbesc(NETWORK_DIASPORA), DBA::escape(NETWORK_DIASPORA),
dbesc(NETWORK_OSTATUS) DBA::escape(NETWORK_OSTATUS)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
$contacts = intval($r[0]['total']); $contacts = intval($r[0]['total']);

View file

@ -129,7 +129,7 @@ class DFRN
"SELECT `contact`.*, `user`.`nickname`, `user`.`timezone`, `user`.`page-flags`, `user`.`account-type` "SELECT `contact`.*, `user`.`nickname`, `user`.`timezone`, `user`.`page-flags`, `user`.`account-type`
FROM `contact` INNER JOIN `user` ON `user`.`uid` = `contact`.`uid` FROM `contact` INNER JOIN `user` ON `user`.`uid` = `contact`.`uid`
WHERE `contact`.`self` AND `user`.`nickname` = '%s' LIMIT 1", WHERE `contact`.`self` AND `user`.`nickname` = '%s' LIMIT 1",
dbesc($owner_nick) DBA::escape($owner_nick)
); );
if (! DBA::isResult($r)) { if (! DBA::isResult($r)) {
@ -147,15 +147,15 @@ class DFRN
$sql_extra = ''; $sql_extra = '';
switch ($direction) { switch ($direction) {
case (-1): case (-1):
$sql_extra = sprintf(" AND `issued-id` = '%s' ", dbesc($dfrn_id)); $sql_extra = sprintf(" AND `issued-id` = '%s' ", DBA::escape($dfrn_id));
$my_id = $dfrn_id; $my_id = $dfrn_id;
break; break;
case 0: case 0:
$sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); $sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '1:' . $dfrn_id; $my_id = '1:' . $dfrn_id;
break; break;
case 1: case 1:
$sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); $sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
$my_id = '0:' . $dfrn_id; $my_id = '0:' . $dfrn_id;
break; break;
default: default:
@ -196,8 +196,8 @@ class DFRN
", ",
intval($contact['id']), intval($contact['id']),
intval($contact['id']), intval($contact['id']),
dbesc($gs), DBA::escape($gs),
dbesc($gs) DBA::escape($gs)
); );
} }
@ -214,7 +214,7 @@ class DFRN
if (isset($category)) { if (isset($category)) {
$sql_post_table = sprintf( $sql_post_table = sprintf(
"INNER JOIN (SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d ORDER BY `tid` DESC) AS `term` ON `item`.`id` = `term`.`oid` ", "INNER JOIN (SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d ORDER BY `tid` DESC) AS `term` ON `item`.`id` = `term`.`oid` ",
dbesc(protect_sprintf($category)), DBA::escape(protect_sprintf($category)),
intval(TERM_OBJ_POST), intval(TERM_OBJ_POST),
intval(TERM_CATEGORY), intval(TERM_CATEGORY),
intval($owner_id) intval($owner_id)
@ -236,8 +236,8 @@ class DFRN
$sql_extra $sql_extra
ORDER BY `item`.`parent` ".$sort.", `item`.`created` ASC LIMIT 0, 300", ORDER BY `item`.`parent` ".$sort.", `item`.`created` ASC LIMIT 0, 300",
intval($owner_id), intval($owner_id),
dbesc($check_date), DBA::escape($check_date),
dbesc($sort) DBA::escape($sort)
); );
$ids = []; $ids = [];
@ -1073,7 +1073,7 @@ class DFRN
$r = q( $r = q(
"SELECT `forum`, `prv` FROM `contact` WHERE `uid` = %d AND `nurl` = '%s'", "SELECT `forum`, `prv` FROM `contact` WHERE `uid` = %d AND `nurl` = '%s'",
intval($owner["uid"]), intval($owner["uid"]),
dbesc(normalise_link($mention)) DBA::escape(normalise_link($mention))
); );
if (DBA::isResult($r) && ($r[0]["forum"] || $r[0]["prv"])) { if (DBA::isResult($r) && ($r[0]["forum"] || $r[0]["prv"])) {
@ -1498,8 +1498,8 @@ class DFRN
"SELECT `id` FROM `event` WHERE `uid` = %d AND `cid` = %d AND `start` = '%s' AND `type` = '%s' LIMIT 1", "SELECT `id` FROM `event` WHERE `uid` = %d AND `cid` = %d AND `start` = '%s' AND `type` = '%s' LIMIT 1",
intval($contact['uid']), intval($contact['uid']),
intval($contact['id']), intval($contact['id']),
dbesc(DateTimeFormat::utc($birthday)), DBA::escape(DateTimeFormat::utc($birthday)),
dbesc('birthday') DBA::escape('birthday')
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -1516,13 +1516,13 @@ class DFRN
VALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s') ", VALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s') ",
intval($contact['uid']), intval($contact['uid']),
intval($contact['id']), intval($contact['id']),
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
dbesc(DateTimeFormat::utc($birthday)), DBA::escape(DateTimeFormat::utc($birthday)),
dbesc(DateTimeFormat::utc($birthday . ' + 1 day ')), DBA::escape(DateTimeFormat::utc($birthday . ' + 1 day ')),
dbesc($bdtext), DBA::escape($bdtext),
dbesc($bdtext2), DBA::escape($bdtext2),
dbesc('birthday') DBA::escape('birthday')
); );
} }
@ -1744,11 +1744,11 @@ class DFRN
`addr` = '%s', `keywords` = '%s', `bdyear` = '%s', `bd` = '%s', `hidden` = %d, `addr` = '%s', `keywords` = '%s', `bdyear` = '%s', `bd` = '%s', `hidden` = %d,
`xmpp` = '%s', `name-date` = '%s', `uri-date` = '%s' `xmpp` = '%s', `name-date` = '%s', `uri-date` = '%s'
WHERE `id` = %d AND `network` = '%s'", WHERE `id` = %d AND `network` = '%s'",
dbesc($contact["name"]), dbesc($contact["nick"]), dbesc($contact["about"]), dbesc($contact["location"]), DBA::escape($contact["name"]), DBA::escape($contact["nick"]), DBA::escape($contact["about"]), DBA::escape($contact["location"]),
dbesc($contact["addr"]), dbesc($contact["keywords"]), dbesc($contact["bdyear"]), DBA::escape($contact["addr"]), DBA::escape($contact["keywords"]), DBA::escape($contact["bdyear"]),
dbesc($contact["bd"]), intval($contact["hidden"]), dbesc($contact["xmpp"]), DBA::escape($contact["bd"]), intval($contact["hidden"]), DBA::escape($contact["xmpp"]),
dbesc(DateTimeFormat::utc($contact["name-date"])), dbesc(DateTimeFormat::utc($contact["uri-date"])), DBA::escape(DateTimeFormat::utc($contact["name-date"])), DBA::escape(DateTimeFormat::utc($contact["uri-date"])),
intval($contact["id"]), dbesc($contact["network"]) intval($contact["id"]), DBA::escape($contact["network"])
); );
} }
@ -1914,8 +1914,8 @@ class DFRN
$r = q( $r = q(
"SELECT `id` FROM `contact` WHERE `name` = '%s' AND `nurl` = '%s' AND `uid` = %d LIMIT 1", "SELECT `id` FROM `contact` WHERE `name` = '%s' AND `nurl` = '%s' AND `uid` = %d LIMIT 1",
dbesc($suggest["name"]), DBA::escape($suggest["name"]),
dbesc(normalise_link($suggest["url"])), DBA::escape(normalise_link($suggest["url"])),
intval($suggest["uid"]) intval($suggest["uid"])
); );
@ -1935,9 +1935,9 @@ class DFRN
$fid = 0; $fid = 0;
$r = q( $r = q(
"SELECT `id` FROM `fcontact` WHERE `url` = '%s' AND `name` = '%s' AND `request` = '%s' LIMIT 1", "SELECT `id` FROM `fcontact` WHERE `url` = '%s' AND `name` = '%s' AND `request` = '%s' LIMIT 1",
dbesc($suggest["url"]), DBA::escape($suggest["url"]),
dbesc($suggest["name"]), DBA::escape($suggest["name"]),
dbesc($suggest["request"]) DBA::escape($suggest["request"])
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
$fid = $r[0]["id"]; $fid = $r[0]["id"];
@ -1963,17 +1963,17 @@ class DFRN
if (!$fid) { if (!$fid) {
$r = q( $r = q(
"INSERT INTO `fcontact` (`name`,`url`,`photo`,`request`) VALUES ('%s', '%s', '%s', '%s')", "INSERT INTO `fcontact` (`name`,`url`,`photo`,`request`) VALUES ('%s', '%s', '%s', '%s')",
dbesc($suggest["name"]), DBA::escape($suggest["name"]),
dbesc($suggest["url"]), DBA::escape($suggest["url"]),
dbesc($suggest["photo"]), DBA::escape($suggest["photo"]),
dbesc($suggest["request"]) DBA::escape($suggest["request"])
); );
} }
$r = q( $r = q(
"SELECT `id` FROM `fcontact` WHERE `url` = '%s' AND `name` = '%s' AND `request` = '%s' LIMIT 1", "SELECT `id` FROM `fcontact` WHERE `url` = '%s' AND `name` = '%s' AND `request` = '%s' LIMIT 1",
dbesc($suggest["url"]), DBA::escape($suggest["url"]),
dbesc($suggest["name"]), DBA::escape($suggest["name"]),
dbesc($suggest["request"]) DBA::escape($suggest["request"])
); );
/* /*
@ -1995,9 +1995,9 @@ class DFRN
intval($suggest["uid"]), intval($suggest["uid"]),
intval($fid), intval($fid),
intval($suggest["cid"]), intval($suggest["cid"]),
dbesc($suggest["body"]), DBA::escape($suggest["body"]),
dbesc($hash), DBA::escape($hash),
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
intval(0) intval(0)
); );
@ -2172,9 +2172,9 @@ class DFRN
AND `item`.`uid` = %d AND `item`.`uid` = %d
$sql_extra $sql_extra
LIMIT 1", LIMIT 1",
dbesc($parent["parent-uri"]), DBA::escape($parent["parent-uri"]),
dbesc($parent["parent-uri"]), DBA::escape($parent["parent-uri"]),
dbesc($parent["parent-uri"]), DBA::escape($parent["parent-uri"]),
intval($importer["importer_uid"]) intval($importer["importer_uid"])
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -2645,7 +2645,7 @@ class DFRN
$r = q( $r = q(
"SELECT `id` FROM `event` WHERE `uri` = '%s' AND `uid` = %d LIMIT 1", "SELECT `id` FROM `event` WHERE `uri` = '%s' AND `uid` = %d LIMIT 1",
dbesc($item["uri"]), DBA::escape($item["uri"]),
intval($importer["importer_uid"]) intval($importer["importer_uid"])
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -2952,10 +2952,10 @@ class DFRN
/// @todo Why is there a query for "url" *and* "nurl"? Especially this normalising is strange. /// @todo Why is there a query for "url" *and* "nurl"? Especially this normalising is strange.
$r = q("SELECT `id` FROM `contact` WHERE `uid` = (SELECT `uid` FROM `user` WHERE `nickname` = '%s' LIMIT 1) $r = q("SELECT `id` FROM `contact` WHERE `uid` = (SELECT `uid` FROM `user` WHERE `nickname` = '%s' LIMIT 1)
AND `nick` = '%s' AND NOT `self` AND (`url` LIKE '%%%s%%' OR `nurl` LIKE '%%%s%%') AND NOT `blocked` AND NOT `pending` LIMIT 1", AND `nick` = '%s' AND NOT `self` AND (`url` LIKE '%%%s%%' OR `nurl` LIKE '%%%s%%') AND NOT `blocked` AND NOT `pending` LIMIT 1",
dbesc($contact_nick), DBA::escape($contact_nick),
dbesc($a->user['nickname']), DBA::escape($a->user['nickname']),
dbesc($baseurl), DBA::escape($baseurl),
dbesc($nurl) DBA::escape($nurl)
); );
if ((! DBA::isResult($r)) || $r[0]['id'] == remote_user()) { if ((! DBA::isResult($r)) || $r[0]['id'] == remote_user()) {
return; return;
@ -2963,10 +2963,10 @@ class DFRN
$r = q("SELECT * FROM contact WHERE nick = '%s' $r = q("SELECT * FROM contact WHERE nick = '%s'
AND network = '%s' AND uid = %d AND url LIKE '%%%s%%' LIMIT 1", AND network = '%s' AND uid = %d AND url LIKE '%%%s%%' LIMIT 1",
dbesc($contact_nick), DBA::escape($contact_nick),
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
intval(local_user()), intval(local_user()),
dbesc($baseurl) DBA::escape($baseurl)
); );
if (! DBA::isResult($r)) { if (! DBA::isResult($r)) {
return; return;

View file

@ -1016,8 +1016,8 @@ class Diaspora
$r = q( $r = q(
"SELECT `url` FROM `fcontact` WHERE `url` != '' AND `network` = '%s' AND `guid` = '%s'", "SELECT `url` FROM `fcontact` WHERE `url` != '' AND `network` = '%s' AND `guid` = '%s'",
dbesc(NETWORK_DIASPORA), DBA::escape(NETWORK_DIASPORA),
dbesc($fcontact_guid) DBA::escape($fcontact_guid)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -1787,7 +1787,7 @@ class Diaspora
$r = q( $r = q(
"SELECT `id` FROM `mail` WHERE `guid` = '%s' AND `uid` = %d LIMIT 1", "SELECT `id` FROM `mail` WHERE `guid` = '%s' AND `uid` = %d LIMIT 1",
dbesc($msg_guid), DBA::escape($msg_guid),
intval($importer["uid"]) intval($importer["uid"])
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -1799,19 +1799,19 @@ class Diaspora
"INSERT INTO `mail` (`uid`, `guid`, `convid`, `from-name`,`from-photo`,`from-url`,`contact-id`,`title`,`body`,`seen`,`reply`,`uri`,`parent-uri`,`created`) "INSERT INTO `mail` (`uid`, `guid`, `convid`, `from-name`,`from-photo`,`from-url`,`contact-id`,`title`,`body`,`seen`,`reply`,`uri`,`parent-uri`,`created`)
VALUES (%d, '%s', %d, '%s', '%s', '%s', %d, '%s', '%s', %d, %d, '%s','%s','%s')", VALUES (%d, '%s', %d, '%s', '%s', '%s', %d, '%s', '%s', %d, %d, '%s','%s','%s')",
intval($importer["uid"]), intval($importer["uid"]),
dbesc($msg_guid), DBA::escape($msg_guid),
intval($conversation["id"]), intval($conversation["id"]),
dbesc($person["name"]), DBA::escape($person["name"]),
dbesc($person["photo"]), DBA::escape($person["photo"]),
dbesc($person["url"]), DBA::escape($person["url"]),
intval($contact["id"]), intval($contact["id"]),
dbesc($subject), DBA::escape($subject),
dbesc($body), DBA::escape($body),
0, 0,
0, 0,
dbesc($message_uri), DBA::escape($message_uri),
dbesc($author.":".$guid), DBA::escape($author.":".$guid),
dbesc($msg_created_at) DBA::escape($msg_created_at)
); );
DBA::unlock(); DBA::unlock();
@ -1870,7 +1870,7 @@ class Diaspora
$c = q( $c = q(
"SELECT * FROM `conv` WHERE `uid` = %d AND `guid` = '%s' LIMIT 1", "SELECT * FROM `conv` WHERE `uid` = %d AND `guid` = '%s' LIMIT 1",
intval($importer["uid"]), intval($importer["uid"]),
dbesc($guid) DBA::escape($guid)
); );
if ($c) if ($c)
$conversation = $c[0]; $conversation = $c[0];
@ -1879,18 +1879,18 @@ class Diaspora
"INSERT INTO `conv` (`uid`, `guid`, `creator`, `created`, `updated`, `subject`, `recips`) "INSERT INTO `conv` (`uid`, `guid`, `creator`, `created`, `updated`, `subject`, `recips`)
VALUES (%d, '%s', '%s', '%s', '%s', '%s', '%s')", VALUES (%d, '%s', '%s', '%s', '%s', '%s', '%s')",
intval($importer["uid"]), intval($importer["uid"]),
dbesc($guid), DBA::escape($guid),
dbesc($author), DBA::escape($author),
dbesc($created_at), DBA::escape($created_at),
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
dbesc($subject), DBA::escape($subject),
dbesc($participants) DBA::escape($participants)
); );
if ($r) { if ($r) {
$c = q( $c = q(
"SELECT * FROM `conv` WHERE `uid` = %d AND `guid` = '%s' LIMIT 1", "SELECT * FROM `conv` WHERE `uid` = %d AND `guid` = '%s' LIMIT 1",
intval($importer["uid"]), intval($importer["uid"]),
dbesc($guid) DBA::escape($guid)
); );
} }
@ -2049,7 +2049,7 @@ class Diaspora
$c = q( $c = q(
"SELECT * FROM `conv` WHERE `uid` = %d AND `guid` = '%s' LIMIT 1", "SELECT * FROM `conv` WHERE `uid` = %d AND `guid` = '%s' LIMIT 1",
intval($importer["uid"]), intval($importer["uid"]),
dbesc($conversation_guid) DBA::escape($conversation_guid)
); );
if ($c) { if ($c) {
$conversation = $c[0]; $conversation = $c[0];
@ -2074,7 +2074,7 @@ class Diaspora
$r = q( $r = q(
"SELECT `id` FROM `mail` WHERE `guid` = '%s' AND `uid` = %d LIMIT 1", "SELECT `id` FROM `mail` WHERE `guid` = '%s' AND `uid` = %d LIMIT 1",
dbesc($guid), DBA::escape($guid),
intval($importer["uid"]) intval($importer["uid"])
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -2086,19 +2086,19 @@ class Diaspora
"INSERT INTO `mail` (`uid`, `guid`, `convid`, `from-name`,`from-photo`,`from-url`,`contact-id`,`title`,`body`,`seen`,`reply`,`uri`,`parent-uri`,`created`) "INSERT INTO `mail` (`uid`, `guid`, `convid`, `from-name`,`from-photo`,`from-url`,`contact-id`,`title`,`body`,`seen`,`reply`,`uri`,`parent-uri`,`created`)
VALUES ( %d, '%s', %d, '%s', '%s', '%s', %d, '%s', '%s', %d, %d, '%s','%s','%s')", VALUES ( %d, '%s', %d, '%s', '%s', '%s', %d, '%s', '%s', %d, %d, '%s','%s','%s')",
intval($importer["uid"]), intval($importer["uid"]),
dbesc($guid), DBA::escape($guid),
intval($conversation["id"]), intval($conversation["id"]),
dbesc($person["name"]), DBA::escape($person["name"]),
dbesc($person["photo"]), DBA::escape($person["photo"]),
dbesc($person["url"]), DBA::escape($person["url"]),
intval($contact["id"]), intval($contact["id"]),
dbesc($conversation["subject"]), DBA::escape($conversation["subject"]),
dbesc($body), DBA::escape($body),
0, 0,
1, 1,
dbesc($message_uri), DBA::escape($message_uri),
dbesc($author.":".$conversation["guid"]), DBA::escape($author.":".$conversation["guid"]),
dbesc($created_at) DBA::escape($created_at)
); );
DBA::unlock(); DBA::unlock();
@ -2401,18 +2401,18 @@ class Diaspora
"INSERT INTO `contact` (`uid`, `network`,`addr`,`created`,`url`,`nurl`,`batch`,`name`,`nick`,`photo`,`pubkey`,`notify`,`poll`,`blocked`,`priority`) "INSERT INTO `contact` (`uid`, `network`,`addr`,`created`,`url`,`nurl`,`batch`,`name`,`nick`,`photo`,`pubkey`,`notify`,`poll`,`blocked`,`priority`)
VALUES (%d, '%s', '%s', '%s', '%s','%s','%s','%s','%s','%s','%s','%s','%s',%d,%d)", VALUES (%d, '%s', '%s', '%s', '%s','%s','%s','%s','%s','%s','%s','%s','%s',%d,%d)",
intval($importer["uid"]), intval($importer["uid"]),
dbesc($ret["network"]), DBA::escape($ret["network"]),
dbesc($ret["addr"]), DBA::escape($ret["addr"]),
DateTimeFormat::utcNow(), DateTimeFormat::utcNow(),
dbesc($ret["url"]), DBA::escape($ret["url"]),
dbesc(normalise_link($ret["url"])), DBA::escape(normalise_link($ret["url"])),
dbesc($batch), DBA::escape($batch),
dbesc($ret["name"]), DBA::escape($ret["name"]),
dbesc($ret["nick"]), DBA::escape($ret["nick"]),
dbesc($ret["photo"]), DBA::escape($ret["photo"]),
dbesc($ret["pubkey"]), DBA::escape($ret["pubkey"]),
dbesc($ret["notify"]), DBA::escape($ret["notify"]),
dbesc($ret["poll"]), DBA::escape($ret["poll"]),
1, 1,
2 2
); );
@ -2444,9 +2444,9 @@ class Diaspora
intval($contact_record["id"]), intval($contact_record["id"]),
0, 0,
0, 0,
dbesc(L10n::t("Sharing notification from Diaspora network")), DBA::escape(L10n::t("Sharing notification from Diaspora network")),
dbesc($hash), DBA::escape($hash),
dbesc(DateTimeFormat::utcNow()) DBA::escape(DateTimeFormat::utcNow())
); );
} else { } else {
// automatic friend approval // automatic friend approval
@ -2477,8 +2477,8 @@ class Diaspora
WHERE `id` = %d WHERE `id` = %d
", ",
intval($new_relation), intval($new_relation),
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
dbesc(DateTimeFormat::utcNow()), DBA::escape(DateTimeFormat::utcNow()),
intval($contact_record["id"]) intval($contact_record["id"])
); );
@ -4129,7 +4129,7 @@ class Diaspora
$recips = q( $recips = q(
"SELECT `id`,`name`,`network`,`pubkey`,`notify` FROM `contact` WHERE `network` = '%s' "SELECT `id`,`name`,`network`,`pubkey`,`notify` FROM `contact` WHERE `network` = '%s'
AND `uid` = %d AND `rel` != %d", AND `uid` = %d AND `rel` != %d",
dbesc(NETWORK_DIASPORA), DBA::escape(NETWORK_DIASPORA),
intval($uid), intval($uid),
intval(CONTACT_IS_SHARING) intval(CONTACT_IS_SHARING)
); );

View file

@ -1573,7 +1573,7 @@ class OStatus
{ {
$r = q( $r = q(
"SELECT * FROM `contact` WHERE `nurl` = '%s' AND `uid` IN (0, %d) ORDER BY `uid` DESC LIMIT 1", "SELECT * FROM `contact` WHERE `nurl` = '%s' AND `uid` IN (0, %d) ORDER BY `uid` DESC LIMIT 1",
dbesc(normalise_link($url)), DBA::escape(normalise_link($url)),
intval($owner["uid"]) intval($owner["uid"])
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -1584,7 +1584,7 @@ class OStatus
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
$r = q( $r = q(
"SELECT * FROM `gcontact` WHERE `nurl` = '%s' LIMIT 1", "SELECT * FROM `gcontact` WHERE `nurl` = '%s' LIMIT 1",
dbesc(normalise_link($url)) DBA::escape(normalise_link($url))
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
$contact = $r[0]; $contact = $r[0];
@ -1790,7 +1790,7 @@ class OStatus
$r = q( $r = q(
"SELECT `id` FROM `contact` WHERE `uid` = %d AND `nurl` = '%s'", "SELECT `id` FROM `contact` WHERE `uid` = %d AND `nurl` = '%s'",
intval($owner['uid']), intval($owner['uid']),
dbesc(normalise_link($contact["url"])) DBA::escape(normalise_link($contact["url"]))
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {

View file

@ -281,7 +281,7 @@ class PortableContact
$r = q( $r = q(
"SELECT `id` FROM `gserver` WHERE `nurl` = '%s' AND `last_contact` > `last_failure`", "SELECT `id` FROM `gserver` WHERE `nurl` = '%s' AND `last_contact` > `last_failure`",
dbesc(normalise_link($server_url)) DBA::escape(normalise_link($server_url))
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
@ -306,7 +306,7 @@ class PortableContact
{ {
$gcontacts = q( $gcontacts = q(
"SELECT * FROM `gcontact` WHERE `nurl` = '%s'", "SELECT * FROM `gcontact` WHERE `nurl` = '%s'",
dbesc(normalise_link($profile)) DBA::escape(normalise_link($profile))
); );
if (!DBA::isResult($gcontacts)) { if (!DBA::isResult($gcontacts)) {
@ -353,7 +353,7 @@ class PortableContact
if (in_array($gcontacts[0]["network"], ["", NETWORK_FEED])) { if (in_array($gcontacts[0]["network"], ["", NETWORK_FEED])) {
$server = q( $server = q(
"SELECT `network` FROM `gserver` WHERE `nurl` = '%s' AND `network` != ''", "SELECT `network` FROM `gserver` WHERE `nurl` = '%s' AND `network` != ''",
dbesc(normalise_link($server_url)) DBA::escape(normalise_link($server_url))
); );
if ($server) { if ($server) {
@ -366,7 +366,7 @@ class PortableContact
// noscrape is really fast so we don't cache the call. // noscrape is really fast so we don't cache the call.
if (($server_url != "") && ($gcontacts[0]["nick"] != "")) { if (($server_url != "") && ($gcontacts[0]["nick"] != "")) {
// Use noscrape if possible // Use noscrape if possible
$server = q("SELECT `noscrape`, `network` FROM `gserver` WHERE `nurl` = '%s' AND `noscrape` != ''", dbesc(normalise_link($server_url))); $server = q("SELECT `noscrape`, `network` FROM `gserver` WHERE `nurl` = '%s' AND `noscrape` != ''", DBA::escape(normalise_link($server_url)));
if ($server) { if ($server) {
$noscraperet = Network::curl($server[0]["noscrape"]."/".$gcontacts[0]["nick"]); $noscraperet = Network::curl($server[0]["noscrape"]."/".$gcontacts[0]["nick"]);
@ -1477,9 +1477,9 @@ class PortableContact
WHERE `network` IN ('%s', '%s', '%s') AND `last_contact` > `last_failure` WHERE `network` IN ('%s', '%s', '%s') AND `last_contact` > `last_failure`
ORDER BY `last_contact` ORDER BY `last_contact`
LIMIT 1000", LIMIT 1000",
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
dbesc(NETWORK_DIASPORA), DBA::escape(NETWORK_DIASPORA),
dbesc(NETWORK_OSTATUS) DBA::escape(NETWORK_OSTATUS)
); );
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
@ -1509,7 +1509,7 @@ class PortableContact
foreach ($serverlist as $server) { foreach ($serverlist as $server) {
$server_url = str_replace("/index.php", "", $server->url); $server_url = str_replace("/index.php", "", $server->url);
$r = q("SELECT `nurl` FROM `gserver` WHERE `nurl` = '%s'", dbesc(normalise_link($server_url))); $r = q("SELECT `nurl` FROM `gserver` WHERE `nurl` = '%s'", DBA::escape(normalise_link($server_url)));
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
logger("Call server check for server ".$server_url, LOGGER_DEBUG); logger("Call server check for server ".$server_url, LOGGER_DEBUG);
Worker::add(PRIORITY_LOW, "DiscoverPoCo", "server", $server_url); Worker::add(PRIORITY_LOW, "DiscoverPoCo", "server", $server_url);
@ -1654,7 +1654,7 @@ class PortableContact
} }
$last_update = date("c", time() - (60 * 60 * 24 * $requery_days)); $last_update = date("c", time() - (60 * 60 * 24 * $requery_days));
$r = q("SELECT `id`, `url`, `nurl`, `network` FROM `gserver` WHERE `last_contact` >= `last_failure` AND `poco` != '' AND `last_poco_query` < '%s' ORDER BY RAND()", dbesc($last_update)); $r = q("SELECT `id`, `url`, `nurl`, `network` FROM `gserver` WHERE `last_contact` >= `last_failure` AND `poco` != '' AND `last_poco_query` < '%s' ORDER BY RAND()", DBA::escape($last_update));
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
foreach ($r as $server) { foreach ($r as $server) {
if (!self::checkServer($server["url"], $server["network"])) { if (!self::checkServer($server["url"], $server["network"])) {

View file

@ -38,7 +38,7 @@ class CheckVersion
logger("Checking VERSION from: ".$checked_url, LOGGER_DEBUG); logger("Checking VERSION from: ".$checked_url, LOGGER_DEBUG);
// fetch the VERSION file // fetch the VERSION file
$gitversion = dbesc(trim(Network::fetchUrl($checked_url))); $gitversion = DBA::escape(trim(Network::fetchUrl($checked_url)));
logger("Upstream VERSION is: ".$gitversion, LOGGER_DEBUG); logger("Upstream VERSION is: ".$gitversion, LOGGER_DEBUG);
Config::set('system', 'git_friendica_version', $gitversion); Config::set('system', 'git_friendica_version', $gitversion);

View file

@ -187,11 +187,11 @@ class Cron
AND `contact`.`network` IN ('%s', '%s', '%s', '%s', '%s') $sql_extra AND `contact`.`network` IN ('%s', '%s', '%s', '%s', '%s') $sql_extra
AND NOT `contact`.`self` AND NOT `contact`.`blocked` AND NOT `contact`.`self` AND NOT `contact`.`blocked`
WHERE NOT `user`.`account_expired` AND NOT `user`.`account_removed` $abandon_sql", WHERE NOT `user`.`account_expired` AND NOT `user`.`account_removed` $abandon_sql",
dbesc(NETWORK_DFRN), DBA::escape(NETWORK_DFRN),
dbesc(NETWORK_OSTATUS), DBA::escape(NETWORK_OSTATUS),
dbesc(NETWORK_DIASPORA), DBA::escape(NETWORK_DIASPORA),
dbesc(NETWORK_FEED), DBA::escape(NETWORK_FEED),
dbesc(NETWORK_MAIL) DBA::escape(NETWORK_MAIL)
); );
if (!DBA::isResult($contacts)) { if (!DBA::isResult($contacts)) {

View file

@ -9,7 +9,6 @@ use Friendica\BaseObject;
use Friendica\Core\Cache; use Friendica\Core\Cache;
use Friendica\Core\Config; use Friendica\Core\Config;
use Friendica\Database\DBA; use Friendica\Database\DBA;
use Friendica\Database\PostUpdate;
use Friendica\Model\Contact; use Friendica\Model\Contact;
use Friendica\Model\GContact; use Friendica\Model\GContact;
use Friendica\Model\Photo; use Friendica\Model\Photo;
@ -211,7 +210,7 @@ class CronJobs
// So optimize it // So optimize it
logger("Optimize Table " . $table["Name"], LOGGER_DEBUG); logger("Optimize Table " . $table["Name"], LOGGER_DEBUG);
q("OPTIMIZE TABLE `%s`", dbesc($table["Name"])); q("OPTIMIZE TABLE `%s`", DBA::escape($table["Name"]));
} }
} }
@ -229,7 +228,7 @@ class CronJobs
$r = q("SELECT `id`, `url` FROM `contact` $r = q("SELECT `id`, `url` FROM `contact`
WHERE `network` = '%s' AND (`batch` = '' OR `notify` = '' OR `poll` = '' OR pubkey = '') WHERE `network` = '%s' AND (`batch` = '' OR `notify` = '' OR `poll` = '' OR pubkey = '')
ORDER BY RAND() LIMIT 50", dbesc(NETWORK_DIASPORA)); ORDER BY RAND() LIMIT 50", DBA::escape(NETWORK_DIASPORA));
if (!DBA::isResult($r)) { if (!DBA::isResult($r)) {
return; return;
} }
@ -251,7 +250,7 @@ class CronJobs
logger("Repair contact " . $contact["id"] . " " . $contact["url"], LOGGER_DEBUG); logger("Repair contact " . $contact["id"] . " " . $contact["url"], LOGGER_DEBUG);
q("UPDATE `contact` SET `batch` = '%s', `notify` = '%s', `poll` = '%s', pubkey = '%s' WHERE `id` = %d", q("UPDATE `contact` SET `batch` = '%s', `notify` = '%s', `poll` = '%s', pubkey = '%s' WHERE `id` = %d",
dbesc($data["batch"]), dbesc($data["notify"]), dbesc($data["poll"]), dbesc($data["pubkey"]), DBA::escape($data["batch"]), DBA::escape($data["notify"]), DBA::escape($data["poll"]), DBA::escape($data["pubkey"]),
intval($contact["id"])); intval($contact["id"]));
} }
} }

View file

@ -147,8 +147,8 @@ class DiscoverPoCo
WHERE `last_contact` < UTC_TIMESTAMP - INTERVAL 1 MONTH AND WHERE `last_contact` < UTC_TIMESTAMP - INTERVAL 1 MONTH AND
`last_failure` < UTC_TIMESTAMP - INTERVAL 1 MONTH AND `last_failure` < UTC_TIMESTAMP - INTERVAL 1 MONTH AND
`network` IN ('%s', '%s', '%s', '%s', '') ORDER BY rand()", `network` IN ('%s', '%s', '%s', '%s', '') ORDER BY rand()",
dbesc(NETWORK_DFRN), dbesc(NETWORK_DIASPORA), DBA::escape(NETWORK_DFRN), DBA::escape(NETWORK_DIASPORA),
dbesc(NETWORK_OSTATUS), dbesc(NETWORK_FEED)); DBA::escape(NETWORK_OSTATUS), DBA::escape(NETWORK_FEED));
if (!$users) { if (!$users) {
return; return;

View file

@ -20,7 +20,7 @@ class GProbe {
$r = q( $r = q(
"SELECT `id`, `url`, `network` FROM `gcontact` WHERE `nurl` = '%s' ORDER BY `id` LIMIT 1", "SELECT `id`, `url`, `network` FROM `gcontact` WHERE `nurl` = '%s' ORDER BY `id` LIMIT 1",
dbesc(normalise_link($url)) DBA::escape(normalise_link($url))
); );
logger("gprobe start for ".normalise_link($url), LOGGER_DEBUG); logger("gprobe start for ".normalise_link($url), LOGGER_DEBUG);
@ -49,7 +49,7 @@ class GProbe {
$r = q( $r = q(
"SELECT `id`, `url`, `network` FROM `gcontact` WHERE `nurl` = '%s' ORDER BY `id` LIMIT 1", "SELECT `id`, `url`, `network` FROM `gcontact` WHERE `nurl` = '%s' ORDER BY `id` LIMIT 1",
dbesc(normalise_link($url)) DBA::escape(normalise_link($url))
); );
} }
if (DBA::isResult($r)) { if (DBA::isResult($r)) {

View file

@ -238,7 +238,7 @@ class Notifier
// local followup to remote post // local followup to remote post
$followup = true; $followup = true;
$public_message = false; // not public $public_message = false; // not public
$conversant_str = dbesc($parent['contact-id']); $conversant_str = DBA::escape($parent['contact-id']);
$recipients = [$parent['contact-id']]; $recipients = [$parent['contact-id']];
$recipients_followup = [$parent['contact-id']]; $recipients_followup = [$parent['contact-id']];
@ -258,7 +258,7 @@ class Notifier
// Currently it is work at progress // Currently it is work at progress
$r = q("SELECT `id` FROM `contact` WHERE `uid` = %d AND `network` = '%s' AND NOT `blocked` AND NOT `pending` AND NOT `archive`", $r = q("SELECT `id` FROM `contact` WHERE `uid` = %d AND `network` = '%s' AND NOT `blocked` AND NOT `pending` AND NOT `archive`",
intval($uid), intval($uid),
dbesc(NETWORK_DFRN) DBA::escape(NETWORK_DFRN)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
foreach ($r as $rr) { foreach ($r as $rr) {
@ -331,7 +331,7 @@ class Notifier
$deny = array_unique(array_merge($deny_people,$deny_groups)); $deny = array_unique(array_merge($deny_people,$deny_groups));
$recipients = array_diff($recipients,$deny); $recipients = array_diff($recipients,$deny);
$conversant_str = dbesc(implode(', ',$conversants)); $conversant_str = DBA::escape(implode(', ',$conversants));
} }
// If the thread parent is OStatus then do some magic to distribute the messages. // If the thread parent is OStatus then do some magic to distribute the messages.
@ -385,7 +385,7 @@ class Notifier
&& intval($target_item['pubmail'])) { && intval($target_item['pubmail'])) {
$r = q("SELECT `id` FROM `contact` WHERE `uid` = %d AND `network` = '%s'", $r = q("SELECT `id` FROM `contact` WHERE `uid` = %d AND `network` = '%s'",
intval($uid), intval($uid),
dbesc(NETWORK_MAIL) DBA::escape(NETWORK_MAIL)
); );
if (DBA::isResult($r)) { if (DBA::isResult($r)) {
foreach ($r as $rr) { foreach ($r as $rr) {
@ -440,7 +440,7 @@ class Notifier
$r1 = q("SELECT `batch`, ANY_VALUE(`id`) AS `id`, ANY_VALUE(`name`) AS `name`, ANY_VALUE(`network`) AS `network` $r1 = q("SELECT `batch`, ANY_VALUE(`id`) AS `id`, ANY_VALUE(`name`) AS `name`, ANY_VALUE(`network`) AS `network`
FROM `contact` WHERE `network` = '%s' AND `batch` != '' FROM `contact` WHERE `network` = '%s' AND `batch` != ''
AND `uid` = %d AND `rel` != %d AND NOT `blocked` AND NOT `pending` AND NOT `archive` GROUP BY `batch`", AND `uid` = %d AND `rel` != %d AND NOT `blocked` AND NOT `pending` AND NOT `archive` GROUP BY `batch`",
dbesc(NETWORK_DIASPORA), DBA::escape(NETWORK_DIASPORA),
intval($owner['uid']), intval($owner['uid']),
intval(CONTACT_IS_SHARING) intval(CONTACT_IS_SHARING)
); );

View file

@ -40,7 +40,7 @@ class UpdateGContact
} }
q("UPDATE `gcontact` SET `last_failure` = '%s' WHERE `id` = %d", q("UPDATE `gcontact` SET `last_failure` = '%s' WHERE `id` = %d",
dbesc(DateTimeFormat::utcNow()), intval($contact_id)); DBA::escape(DateTimeFormat::utcNow()), intval($contact_id));
return; return;
} }
@ -63,26 +63,26 @@ class UpdateGContact
q("UPDATE `gcontact` SET `name` = '%s', `nick` = '%s', `addr` = '%s', `photo` = '%s' q("UPDATE `gcontact` SET `name` = '%s', `nick` = '%s', `addr` = '%s', `photo` = '%s'
WHERE `id` = %d", WHERE `id` = %d",
dbesc($data["name"]), DBA::escape($data["name"]),
dbesc($data["nick"]), DBA::escape($data["nick"]),
dbesc($data["addr"]), DBA::escape($data["addr"]),
dbesc($data["photo"]), DBA::escape($data["photo"]),
intval($contact_id) intval($contact_id)
); );
q("UPDATE `contact` SET `name` = '%s', `nick` = '%s', `addr` = '%s', `photo` = '%s' q("UPDATE `contact` SET `name` = '%s', `nick` = '%s', `addr` = '%s', `photo` = '%s'
WHERE `uid` = 0 AND `addr` = '' AND `nurl` = '%s'", WHERE `uid` = 0 AND `addr` = '' AND `nurl` = '%s'",
dbesc($data["name"]), DBA::escape($data["name"]),
dbesc($data["nick"]), DBA::escape($data["nick"]),
dbesc($data["addr"]), DBA::escape($data["addr"]),
dbesc($data["photo"]), DBA::escape($data["photo"]),
dbesc(normalise_link($data["url"])) DBA::escape(normalise_link($data["url"]))
); );
q("UPDATE `contact` SET `addr` = '%s' q("UPDATE `contact` SET `addr` = '%s'
WHERE `uid` != 0 AND `addr` = '' AND `nurl` = '%s'", WHERE `uid` != 0 AND `addr` = '' AND `nurl` = '%s'",
dbesc($data["addr"]), DBA::escape($data["addr"]),
dbesc(normalise_link($data["url"])) DBA::escape(normalise_link($data["url"]))
); );
} }
} }

View file

@ -49,10 +49,10 @@ function update_1178() {
$profile["pub_keywords"] = profile_clean_keywords($profile["pub_keywords"]); $profile["pub_keywords"] = profile_clean_keywords($profile["pub_keywords"]);
$r = q("UPDATE `contact` SET `about` = '%s', `location` = '%s', `keywords` = '%s', `gender` = '%s' WHERE `self` AND `uid` = %d", $r = q("UPDATE `contact` SET `about` = '%s', `location` = '%s', `keywords` = '%s', `gender` = '%s' WHERE `self` AND `uid` = %d",
dbesc($profile["about"]), DBA::escape($profile["about"]),
dbesc($profile["locality"]), DBA::escape($profile["locality"]),
dbesc($profile["pub_keywords"]), DBA::escape($profile["pub_keywords"]),
dbesc($profile["gender"]), DBA::escape($profile["gender"]),
intval($profile["uid"]) intval($profile["uid"])
); );
} }
@ -112,7 +112,7 @@ function update_1191() {
// select old formlist addon entries // select old formlist addon entries
$r = q("SELECT `uid`, `cat`, `k`, `v` FROM `pconfig` WHERE `cat` = '%s' ", $r = q("SELECT `uid`, `cat`, `k`, `v` FROM `pconfig` WHERE `cat` = '%s' ",
dbesc('forumlist') DBA::escape('forumlist')
); );
// convert old forumlist addon entries in new config entries // convert old forumlist addon entries in new config entries
@ -149,7 +149,7 @@ function update_1191() {
function update_1203() { function update_1203() {
$r = q("UPDATE `user` SET `account-type` = %d WHERE `page-flags` IN (%d, %d)", $r = q("UPDATE `user` SET `account-type` = %d WHERE `page-flags` IN (%d, %d)",
dbesc(ACCOUNT_TYPE_COMMUNITY), dbesc(PAGE_COMMUNITY), dbesc(PAGE_PRVGROUP)); DBA::escape(ACCOUNT_TYPE_COMMUNITY), DBA::escape(PAGE_COMMUNITY), DBA::escape(PAGE_PRVGROUP));
} }
function update_1244() { function update_1244() {

View file

@ -239,7 +239,7 @@ function frio_remote_nav($a, &$nav)
} elseif (Profile::getMyURL()) { } elseif (Profile::getMyURL()) {
$r = q("SELECT `name`, `nick`, `photo` FROM `gcontact` $r = q("SELECT `name`, `nick`, `photo` FROM `gcontact`
WHERE `addr` = '%s' AND `network` = 'dfrn'", WHERE `addr` = '%s' AND `network` = 'dfrn'",
dbesc($webbie)); DBA::escape($webbie));
$nav['remote'] = L10n::t('Visitor'); $nav['remote'] = L10n::t('Visitor');
} else { } else {
$r = false; $r = false;
@ -299,12 +299,12 @@ function frio_acl_lookup(App $a, &$results)
$sql_extra = ''; $sql_extra = '';
if ($results['search']) { if ($results['search']) {
$search_txt = dbesc(protect_sprintf(preg_quote($results['search']))); $search_txt = DBA::escape(protect_sprintf(preg_quote($results['search'])));
$sql_extra .= " AND (`attag` LIKE '%%" . dbesc($search_txt) . "%%' OR `name` LIKE '%%" . dbesc($search_txt) . "%%' OR `nick` LIKE '%%" . dbesc($search_txt) . "%%') "; $sql_extra .= " AND (`attag` LIKE '%%" . $search_txt . "%%' OR `name` LIKE '%%" . $search_txt . "%%' OR `nick` LIKE '%%" . $search_txt . "%%') ";
} }
if ($nets) { if ($nets) {
$sql_extra .= sprintf(" AND network = '%s' ", dbesc($nets)); $sql_extra .= sprintf(" AND network = '%s' ", DBA::escape($nets));
} }
$total = 0; $total = 0;

View file

@ -12,14 +12,13 @@
use Friendica\App; use Friendica\App;
use Friendica\Content\ForumManager; use Friendica\Content\ForumManager;
use Friendica\Core\Addon; use Friendica\Core\Addon;
use Friendica\Core\L10n;
use Friendica\Core\Config; use Friendica\Core\Config;
use Friendica\Core\L10n;
use Friendica\Core\PConfig; use Friendica\Core\PConfig;
use Friendica\Core\System; use Friendica\Core\System;
use Friendica\Database\DBA; use Friendica\Database\DBA;
use Friendica\Model\Contact; use Friendica\Model\Contact;
use Friendica\Model\GContact; use Friendica\Model\GContact;
use Friendica\Model\Profile;
require_once "mod/proxy.php"; require_once "mod/proxy.php";
@ -278,7 +277,7 @@ function vier_community_info()
$query .= ","; $query .= ",";
} }
$query .= "'".dbesc(normalise_link(trim($helper)))."'"; $query .= "'".DBA::escape(normalise_link(trim($helper)))."'";
} }
$r = q("SELECT `url`, `name` FROM `gcontact` WHERE `nurl` IN (%s)", $query); $r = q("SELECT `url`, `name` FROM `gcontact` WHERE `nurl` IN (%s)", $query);