feeds: handle escaping

This commit is contained in:
Andrew Dolgov 2017-12-01 20:52:30 +03:00
parent c9b6ca8b70
commit 3623ebb1a1
1 changed files with 13 additions and 13 deletions

View File

@ -1829,7 +1829,7 @@ class Feeds extends Handler_Protected {
} }
if ($since_id) { if ($since_id) {
$since_id_part = "ttrss_entries.id > $since_id AND "; $since_id_part = "ttrss_entries.id > ".$pdo->quote($since_id)." AND ";
} else { } else {
$since_id_part = ""; $since_id_part = "";
} }
@ -1869,7 +1869,7 @@ class Feeds extends Handler_Protected {
} }
if ($limit > 0) { if ($limit > 0) {
$limit_query_part = "LIMIT " . $limit; $limit_query_part = "LIMIT " . $pdo->quote($limit);
} }
$allow_archived = false; $allow_archived = false;
@ -1895,7 +1895,7 @@ class Feeds extends Handler_Protected {
implode(",", $subcats).")"; implode(",", $subcats).")";
} else { } else {
$query_strategy_part = "cat_id = '$feed'"; $query_strategy_part = "cat_id = " . $pdo->quote($feed);
} }
} else { } else {
@ -1905,7 +1905,7 @@ class Feeds extends Handler_Protected {
$vfeed_query_part = "ttrss_feeds.title AS feed_title,"; $vfeed_query_part = "ttrss_feeds.title AS feed_title,";
} else { } else {
$query_strategy_part = "feed_id = '$feed'"; $query_strategy_part = "feed_id = " . $pdo->quote($feed);
} }
} else if ($feed == 0 && !$cat_view) { // archive virtual feed } else if ($feed == 0 && !$cat_view) { // archive virtual feed
$query_strategy_part = "feed_id IS NULL"; $query_strategy_part = "feed_id IS NULL";
@ -1960,7 +1960,7 @@ class Feeds extends Handler_Protected {
} else if ($feed == -3) { // fresh virtual feed } else if ($feed == -3) { // fresh virtual feed
$query_strategy_part = "unread = true AND score >= 0"; $query_strategy_part = "unread = true AND score >= 0";
$intl = get_pref("FRESH_ARTICLE_MAX_AGE", $owner_uid); $intl = (int) get_pref("FRESH_ARTICLE_MAX_AGE", $owner_uid);
if (DB_TYPE == "pgsql") { if (DB_TYPE == "pgsql") {
$query_strategy_part .= " AND date_entered > NOW() - INTERVAL '$intl hour' "; $query_strategy_part .= " AND date_entered > NOW() - INTERVAL '$intl hour' ";
@ -1976,7 +1976,7 @@ class Feeds extends Handler_Protected {
} else if ($feed <= LABEL_BASE_INDEX) { // labels } else if ($feed <= LABEL_BASE_INDEX) { // labels
$label_id = Labels::feed_to_label_id($feed); $label_id = Labels::feed_to_label_id($feed);
$query_strategy_part = "label_id = '$label_id' AND $query_strategy_part = "label_id = ".$pdo->quote($label_id)." AND
ttrss_labels2.id = ttrss_user_labels2.label_id AND ttrss_labels2.id = ttrss_user_labels2.label_id AND
ttrss_user_labels2.article_id = ref_id"; ttrss_user_labels2.article_id = ref_id";
@ -2027,7 +2027,7 @@ class Feeds extends Handler_Protected {
$content_query_part = "content, "; $content_query_part = "content, ";
if ($limit_query_part) { if ($limit_query_part) {
$offset_query_part = "OFFSET $offset"; $offset_query_part = "OFFSET " . $pdo->quote($offset);
} else { } else {
$offset_query_part = ""; $offset_query_part = "";
} }
@ -2036,9 +2036,9 @@ class Feeds extends Handler_Protected {
// proper override_order applied above // proper override_order applied above
if ($vfeed_query_part && !$ignore_vfeed_group && get_pref('VFEED_GROUP_BY_FEED', $owner_uid)) { if ($vfeed_query_part && !$ignore_vfeed_group && get_pref('VFEED_GROUP_BY_FEED', $owner_uid)) {
if (!$override_order) { if (!$override_order) {
$order_by = "ttrss_feeds.title, $order_by"; $order_by = "ttrss_feeds.title, ".$pdo->quote($order_by);
} else { } else {
$order_by = "ttrss_feeds.title, $override_order"; $order_by = "ttrss_feeds.title, ".$pdo->quote($override_order);
} }
} }
@ -2091,7 +2091,7 @@ class Feeds extends Handler_Protected {
$from_qpart $from_qpart
WHERE WHERE
$feed_check_qpart $feed_check_qpart
ttrss_user_entries.owner_uid = '$owner_uid' AND ttrss_user_entries.owner_uid = ".$pdo->quote($owner_uid)." AND
$search_query_part $search_query_part
$start_ts_query_part $start_ts_query_part
$since_id_part $since_id_part
@ -2138,7 +2138,7 @@ class Feeds extends Handler_Protected {
$from_qpart $from_qpart
WHERE WHERE
$feed_check_qpart $feed_check_qpart
ttrss_user_entries.owner_uid = '$owner_uid' AND ttrss_user_entries.owner_uid = ".$pdo->quote($owner_uid)." AND
$search_query_part $search_query_part
$start_ts_query_part $start_ts_query_part
$view_query_part $view_query_part
@ -2182,9 +2182,9 @@ class Feeds extends Handler_Protected {
FROM ttrss_entries, ttrss_user_entries, ttrss_tags FROM ttrss_entries, ttrss_user_entries, ttrss_tags
WHERE WHERE
ref_id = ttrss_entries.id AND ref_id = ttrss_entries.id AND
ttrss_user_entries.owner_uid = $owner_uid AND ttrss_user_entries.owner_uid = ".$pdo->quote($owner_uid)." AND
post_int_id = int_id AND post_int_id = int_id AND
tag_name = '$feed' AND tag_name = ".$pdo->quote($feed)." AND
$view_query_part $view_query_part
$search_query_part $search_query_part
$query_strategy_part ORDER BY $order_by $query_strategy_part ORDER BY $order_by