diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php
index cf27a72df..cf1322f45 100644
--- a/classes/pref/prefs.php
+++ b/classes/pref/prefs.php
@@ -99,14 +99,15 @@ class Pref_Prefs extends Handler_Protected {
foreach (array_keys($_POST) as $pref_name) {
- $pref_name = $this->dbh->escape_string($pref_name);
- $value = $this->dbh->escape_string($_POST[$pref_name]);
+ $pref_name = $pref_name;
+ $value = $_POST[$pref_name];
if ($pref_name == 'DIGEST_PREFERRED_TIME') {
if (get_pref('DIGEST_PREFERRED_TIME') != $value) {
- $this->dbh->query("UPDATE ttrss_users SET
- last_digest_sent = NULL WHERE id = " . $_SESSION['uid']);
+ $sth = $this->pdo->prepare("UPDATE ttrss_users SET
+ last_digest_sent = NULL WHERE id = ?");
+ $sth->execute([$_SESSION['uid']]);
}
}
@@ -129,13 +130,13 @@ class Pref_Prefs extends Handler_Protected {
function changeemail() {
- $email = $this->dbh->escape_string($_POST["email"]);
- $full_name = $this->dbh->escape_string($_POST["full_name"]);
-
+ $email = $_POST["email"];
+ $full_name = $_POST["full_name"];
$active_uid = $_SESSION["uid"];
- $this->dbh->query("UPDATE ttrss_users SET email = '$email',
- full_name = '$full_name' WHERE id = '$active_uid'");
+ $sth = $this->pdo->prepare("UPDATE ttrss_users SET email = ?,
+ full_name = ? WHERE id = ?");
+ $sth->execute([$email, $full_name, $active_uid]);
print __("Your personal data has been saved.");
@@ -146,14 +147,10 @@ class Pref_Prefs extends Handler_Protected {
$_SESSION["prefs_op_result"] = "reset-to-defaults";
- if ($_SESSION["profile"]) {
- $profile_qpart = "profile = '" . $_SESSION["profile"] . "'";
- } else {
- $profile_qpart = "profile IS NULL";
- }
-
- $this->dbh->query("DELETE FROM ttrss_user_prefs
- WHERE $profile_qpart AND owner_uid = ".$_SESSION["uid"]);
+ $sth = $this->pdo->query("DELETE FROM ttrss_user_prefs
+ WHERE (profile = :profile OR (:profile IS NULL AND profile IS NULL))
+ AND owner_uid = :uid");
+ $sth->execute([":profile" => $_SESSION['profile'], ":uid" => $_SESSION['uid']]);
initialize_user_prefs($_SESSION["uid"], $_SESSION["profile"]);
@@ -202,13 +199,15 @@ class Pref_Prefs extends Handler_Protected {
print "" . __("Personal data") . "
";
- $result = $this->dbh->query("SELECT email,full_name,otp_enabled,
+ $sth = $this->pdo->prepare("SELECT email,full_name,otp_enabled,
access_level FROM ttrss_users
- WHERE id = ".$_SESSION["uid"]);
+ WHERE id = ?");
+ $sth->execute([$_SESSION["uid"]]);
+ $row = $sth->fetch();
- $email = htmlspecialchars($this->dbh->fetch_result($result, 0, "email"));
- $full_name = htmlspecialchars($this->dbh->fetch_result($result, 0, "full_name"));
- $otp_enabled = sql_bool_to_bool($this->dbh->fetch_result($result, 0, "otp_enabled"));
+ $email = htmlspecialchars($row["email"]);
+ $full_name = htmlspecialchars($row["full_name"]);
+ $otp_enabled = sql_bool_to_bool($row["otp_enabled"]);
print "| ".__('Full name')." | ";
print "dbh->fetch_result($result, 0, "access_level");
+ $access_level = $row["access_level"];
print " |
| ".__('Access level')." | ";
print "" . $access_level_names[$access_level] . " |
";
}
@@ -246,14 +245,6 @@ class Pref_Prefs extends Handler_Protected {
print "";
- $result = $this->dbh->query("SELECT id FROM ttrss_users
- WHERE id = ".$_SESSION["uid"]." AND pwd_hash
- = 'SHA1:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'");
-
- if ($this->dbh->num_rows($result) != 0) {
- print format_warning(__("Your password is at default value, please change it."), "default_pass_warning");
- }
-
print "