diff --git a/classes/pref/labels.php b/classes/pref/labels.php index 5720a1f4b..8f1f70be9 100644 --- a/classes/pref/labels.php +++ b/classes/pref/labels.php @@ -8,80 +8,80 @@ class Pref_Labels extends Handler_Protected { } function edit() { - $label_id = $this->dbh->escape_string($_REQUEST['id']); + $label_id = $_REQUEST['id']; - $result = $this->dbh->query("SELECT * FROM ttrss_labels2 WHERE - id = '$label_id' AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT * FROM ttrss_labels2 WHERE + id = ? AND owner_uid = ?"); + $sth->execute([$label_id, $_SESSION['uid']]); - $line = $this->dbh->fetch_assoc($result); + if ($line = $sth->fetch()) { - print_hidden("id", "$label_id"); - print_hidden("op", "pref-labels"); - print_hidden("method", "save"); + print_hidden("id", "$label_id"); + print_hidden("op", "pref-labels"); + print_hidden("method", "save"); - print "
".__("Caption")."
"; + print "
".__("Caption")."
"; - print "
"; + print "
"; - $fg_color = $line['fg_color']; - $bg_color = $line['bg_color']; + $fg_color = $line['fg_color']; + $bg_color = $line['bg_color']; - print "α"; + print "α"; - print ""; - print "
"; - print "
" . __("Colors") . "
"; - print "
"; + print "
"; + print "
" . __("Colors") . "
"; + print "
"; - print ""; + print "
"; - print ""; + print ""; - print "
".__("Foreground:")."".__("Background:"). - "
".__("Foreground:")."".__("Background:"). + "
"; + print "
"; - print ""; - print ""; - print "
+ print "
-
"; - print "
"; + "; + print ""; - print "		"; + print ""; - print "
+ print "
-
"; - print "
"; + "; + print ""; - print "
"; - print "
"; + print ""; + print "
"; # print ""; - print "
"; - print ""; - print ""; - print "
"; - - return; + print "
"; + print ""; + print ""; + print "
"; + } } function getlabeltree() { @@ -90,12 +90,13 @@ class Pref_Labels extends Handler_Protected { $root['name'] = __('Labels'); $root['items'] = array(); - $result = $this->dbh->query("SELECT * + $sth = $this->pdo->prepare("SELECT * FROM ttrss_labels2 - WHERE owner_uid = ".$_SESSION["uid"]." + WHERE owner_uid = ? ORDER BY caption"); + $sth->execute([$_SESSION['uid']]); - while ($line = $this->dbh->fetch_assoc($result)) { + while ($line = $sth->fetch()) { $label = array(); $label['id'] = 'LABEL:' . $line['id']; $label['bare_id'] = $line['id']; @@ -118,84 +119,92 @@ class Pref_Labels extends Handler_Protected { } function colorset() { - $kind = $this->dbh->escape_string($_REQUEST["kind"]); - $ids = explode(',', $this->dbh->escape_string($_REQUEST["ids"])); - $color = $this->dbh->escape_string($_REQUEST["color"]); - $fg = $this->dbh->escape_string($_REQUEST["fg"]); - $bg = $this->dbh->escape_string($_REQUEST["bg"]); + $kind = $_REQUEST["kind"]; + $ids = explode(',', $_REQUEST["ids"]); + $color = $_REQUEST["color"]; + $fg = $_REQUEST["fg"]; + $bg = $_REQUEST["bg"]; foreach ($ids as $id) { if ($kind == "fg" || $kind == "bg") { - $this->dbh->query("UPDATE ttrss_labels2 SET - ${kind}_color = '$color' WHERE id = '$id' - AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET + ${kind}_color = ? WHERE id = ? + AND owner_uid = ?"); + + $sth->execute([$color, $id, $_SESSION['uid']]); + } else { - $this->dbh->query("UPDATE ttrss_labels2 SET - fg_color = '$fg', bg_color = '$bg' WHERE id = '$id' - AND owner_uid = " . $_SESSION["uid"]); + + $sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET + fg_color = ?, bg_color = ? WHERE id = ? + AND owner_uid = ?"); + + $sth->execute([$fg, $bg, $id, $_SESSION['uid']]); } - $caption = $this->dbh->escape_string(Labels::find_caption($id, $_SESSION["uid"])); + $caption = Labels::find_caption($id, $_SESSION["uid"]); /* Remove cached data */ - $this->dbh->query("UPDATE ttrss_user_entries SET label_cache = '' - WHERE label_cache LIKE '%$caption%' AND owner_uid = " . $_SESSION["uid"]); - + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET label_cache = '' + WHERE label_cache LIKE ? AND owner_uid = ?"); + $sth->execute(["%$caption%", $_SESSION['uid']]); } - - return; } function colorreset() { - $ids = explode(',', $this->dbh->escape_string($_REQUEST["ids"])); + $ids = explode(',', $_REQUEST["ids"]); foreach ($ids as $id) { - $this->dbh->query("UPDATE ttrss_labels2 SET - fg_color = '', bg_color = '' WHERE id = '$id' - AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET + fg_color = '', bg_color = '' WHERE id = ? + AND owner_uid = ?"); + $sth->execute([$id, $_SESSION['uid']]); - $caption = $this->dbh->escape_string(Labels::find_caption($id, $_SESSION["uid"])); + $caption = Labels::find_caption($id, $_SESSION["uid"]); /* Remove cached data */ - $this->dbh->query("UPDATE ttrss_user_entries SET label_cache = '' - WHERE label_cache LIKE '%$caption%' AND owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET label_cache = '' + WHERE label_cache LIKE ? AND owner_uid = ?"); + $sth->execute(["%$caption%", $_SESSION['uid']]); } - } function save() { - $id = $this->dbh->escape_string($_REQUEST["id"]); - $caption = $this->dbh->escape_string(trim($_REQUEST["caption"])); + $id = $_REQUEST["id"]; + $caption = trim($_REQUEST["caption"]); - $this->dbh->query("BEGIN"); + $this->pdo->beginTransaction(); - $result = $this->dbh->query("SELECT caption FROM ttrss_labels2 - WHERE id = '$id' AND owner_uid = ". $_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT caption FROM ttrss_labels2 + WHERE id = ? AND owner_uid = ?"); + $sth->execute([$id, $_SESSION['uid']]); - if ($this->dbh->num_rows($result) != 0) { - $old_caption = $this->dbh->fetch_result($result, 0, "caption"); + if ($row = $sth->fetch()) { + $old_caption = $row["caption"]; - $result = $this->dbh->query("SELECT id FROM ttrss_labels2 - WHERE caption = '$caption' AND owner_uid = ". $_SESSION["uid"]); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_labels2 + WHERE caption = ? AND owner_uid = ?"); + $sth->execute([$caption, $_SESSION['uid']]); - if ($this->dbh->num_rows($result) == 0) { + if (!$sth->fetch()) { if ($caption) { - $result = $this->dbh->query("UPDATE ttrss_labels2 SET - caption = '$caption' WHERE id = '$id' AND - owner_uid = " . $_SESSION["uid"]); + $sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET + caption = ? WHERE id = ? AND + owner_uid = ?"); + $sth->execute([$caption, $id, $_SESSION['uid']]); /* Update filters that reference label being renamed */ - $old_caption = $this->dbh->escape_string($old_caption); - - $this->dbh->query("UPDATE ttrss_filters2_actions SET - action_param = '$caption' WHERE action_param = '$old_caption' + $sth = $this->pdo->prepare("UPDATE ttrss_filters2_actions SET + action_param = ? WHERE action_param = ? AND action_id = 7 - AND filter_id IN (SELECT id FROM ttrss_filters2 WHERE owner_uid = ".$_SESSION["uid"].")"); + AND filter_id IN (SELECT id FROM ttrss_filters2 WHERE owner_uid = ?)"); + + $sth->execute([$caption, $old_caption, $_SESSION['uid']]); print $_REQUEST["value"]; } else { @@ -206,14 +215,13 @@ class Pref_Labels extends Handler_Protected { } } - $this->dbh->query("COMMIT"); + $this->pdo->commit(); - return; } function remove() { - $ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"])); + $ids = explode(",", $_REQUEST["ids"]); foreach ($ids as $id) { Labels::remove($id, $_SESSION["uid"]); @@ -222,8 +230,8 @@ class Pref_Labels extends Handler_Protected { } function add() { - $caption = $this->dbh->escape_string($_REQUEST["caption"]); - $output = $this->dbh->escape_string($_REQUEST["output"]); + $caption = $_REQUEST["caption"]; + $output = $_REQUEST["output"]; if ($caption) {