protect_sprintf calls
implement protectSprintf function
This commit is contained in:
parent
46d7767fd0
commit
0efcbe5d15
5 changed files with 10 additions and 10 deletions
@ -650,7 +650,7 @@ function networkThreadedView(App $a, $update, $parent)
$sql_post_table .= " INNER JOIN `item` AS `temp1` ON `temp1`.`id` = " . $sql_table . "." . $sql_parent;
$sql_post_table .= " INNER JOIN `item` AS `temp1` ON `temp1`.`id` = " . $sql_table . "." . $sql_parent;
$sql_extra3 .= " AND (`thread`.`contact-id` IN ($contact_str) ";
$sql_extra3 .= " AND (`thread`.`contact-id` IN ($contact_str) ";
$sql_extra3 .= " OR (`thread`.`contact-id` = '$contact_str_self' AND `temp1`.`allow_gid` LIKE '" . protect_sprintf('%<' . intval($gid) . '>%') . "' AND `temp1`.`private`))";
$sql_extra3 .= " OR (`thread`.`contact-id` = '$contact_str_self' AND `temp1`.`allow_gid` LIKE '" . Strings::protectSprintf('%<' . intval($gid) . '>%') . "' AND `temp1`.`private`))";
} else {
} else {
$sql_extra3 .= " AND false ";
$sql_extra3 .= " AND false ";
info(L10n::t('Group is empty'));
info(L10n::t('Group is empty'));
@ -698,11 +698,11 @@ function networkThreadedView(App $a, $update, $parent)
}
}
if ($datequery) {
if ($datequery) {
$sql_extra3 .= protect_sprintf(sprintf(" AND $sql_table.created <= '%s' ",
$sql_extra3 .= Strings::protectSprintf(sprintf(" AND $sql_table.created <= '%s' ",
DBA::escape(DateTimeFormat::convert($datequery, 'UTC', date_default_timezone_get()))));
DBA::escape(DateTimeFormat::convert($datequery, 'UTC', date_default_timezone_get()))));
}
}
if ($datequery2) {
if ($datequery2) {
$sql_extra3 .= protect_sprintf(sprintf(" AND $sql_table.created >= '%s' ",
$sql_extra3 .= Strings::protectSprintf(sprintf(" AND $sql_table.created >= '%s' ",
DBA::escape(DateTimeFormat::convert($datequery2, 'UTC', date_default_timezone_get()))));
DBA::escape(DateTimeFormat::convert($datequery2, 'UTC', date_default_timezone_get()))));
}
}
@ -273,19 +273,19 @@ function profile_content(App $a, $update = 0)
if (!empty($category)) {
if (!empty($category)) {
$sql_post_table = sprintf("INNER JOIN (SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d ORDER BY `tid` DESC) AS `term` ON `item`.`id` = `term`.`oid` ",
$sql_post_table = sprintf("INNER JOIN (SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d ORDER BY `tid` DESC) AS `term` ON `item`.`id` = `term`.`oid` ",
DBA::escape(protect_sprintf($category)), intval(TERM_OBJ_POST), intval(TERM_CATEGORY), intval($a->profile['profile_uid']));
DBA::escape(Strings::protectSprintf($category)), intval(TERM_OBJ_POST), intval(TERM_CATEGORY), intval($a->profile['profile_uid']));
}
}
if (!empty($hashtags)) {
if (!empty($hashtags)) {
$sql_post_table .= sprintf("INNER JOIN (SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d ORDER BY `tid` DESC) AS `term` ON `item`.`id` = `term`.`oid` ",
$sql_post_table .= sprintf("INNER JOIN (SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d ORDER BY `tid` DESC) AS `term` ON `item`.`id` = `term`.`oid` ",
DBA::escape(protect_sprintf($hashtags)), intval(TERM_OBJ_POST), intval(TERM_HASHTAG), intval($a->profile['profile_uid']));
DBA::escape(Strings::protectSprintf($hashtags)), intval(TERM_OBJ_POST), intval(TERM_HASHTAG), intval($a->profile['profile_uid']));
}
}
if (!empty($datequery)) {
if (!empty($datequery)) {
$sql_extra2 .= protect_sprintf(sprintf(" AND `thread`.`created` <= '%s' ", DBA::escape(DateTimeFormat::convert($datequery, 'UTC', date_default_timezone_get()))));
$sql_extra2 .= Strings::protectSprintf(sprintf(" AND `thread`.`created` <= '%s' ", DBA::escape(DateTimeFormat::convert($datequery, 'UTC', date_default_timezone_get()))));
}
}
if (!empty($datequery2)) {
if (!empty($datequery2)) {
$sql_extra2 .= protect_sprintf(sprintf(" AND `thread`.`created` >= '%s' ", DBA::escape(DateTimeFormat::convert($datequery2, 'UTC', date_default_timezone_get()))));
$sql_extra2 .= Strings::protectSprintf(sprintf(" AND `thread`.`created` >= '%s' ", DBA::escape(DateTimeFormat::convert($datequery2, 'UTC', date_default_timezone_get()))));
}
}
// Does the profile page belong to a forum?
// Does the profile page belong to a forum?
@ -766,7 +766,7 @@ class Contact extends BaseModule
if ($search) {
if ($search) {
$searching = true;
$searching = true;
$search_hdr = $search;
$search_hdr = $search;
$search_txt = DBA::escape(protect_sprintf(preg_quote($search)));
$search_txt = DBA::escape(Strings::protectSprintf(preg_quote($search)));
$sql_extra .= " AND (name REGEXP '$search_txt' OR url REGEXP '$search_txt' OR nick REGEXP '$search_txt') ";
$sql_extra .= " AND (name REGEXP '$search_txt' OR url REGEXP '$search_txt' OR nick REGEXP '$search_txt') ";
}
}
@ -241,7 +241,7 @@ class DFRN
if (isset($category)) {
if (isset($category)) {
$sql_post_table = sprintf(
$sql_post_table = sprintf(
"INNER JOIN (SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d ORDER BY `tid` DESC) AS `term` ON `item`.`id` = `term`.`oid` ",
"INNER JOIN (SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d ORDER BY `tid` DESC) AS `term` ON `item`.`id` = `term`.`oid` ",
DBA::escape(protect_sprintf($category)),
DBA::escape(Strings::protectSprintf($category)),
intval(TERM_OBJ_POST),
intval(TERM_OBJ_POST),
intval(TERM_CATEGORY),
intval(TERM_CATEGORY),
intval($owner_id)
intval($owner_id)
@ -311,7 +311,7 @@ function frio_acl_lookup(App $a, &$results)
$sql_extra = '';
$sql_extra = '';
if ($results['search']) {
if ($results['search']) {
$search_txt = DBA::escape(protect_sprintf(preg_quote($results['search'])));
$search_txt = DBA::escape(Strings::protectSprintf(preg_quote($results['search'])));
$sql_extra .= " AND (`attag` LIKE '%%" . $search_txt . "%%' OR `name` LIKE '%%" . $search_txt . "%%' OR `nick` LIKE '%%" . $search_txt . "%%') ";
$sql_extra .= " AND (`attag` LIKE '%%" . $search_txt . "%%' OR `name` LIKE '%%" . $search_txt . "%%' OR `nick` LIKE '%%" . $search_txt . "%%') ";
}
}
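Review bot: On the changed `$search_txt` line, preg_quote() escapes PCRE metacharacters only, so any `%` or `_` in the user-supplied search survives into the three LIKE patterns on the following line as a wildcard (a search of `%` matches every contact); neither DBA::escape nor protectSprintf covers those characters. The preg_quote() call looks like a leftover from the REGEXP-based predicate used in the Contact hunk above and does not fit a LIKE predicate. If the LIKE clause is the only consumer of `$search_txt`, escape the wildcards instead, e.g. `$search_txt = DBA::escape(Strings::protectSprintf(addcslashes($results['search'], '%_')));`, which relies on MySQL's default `\` LIKE escape character — confirm that against the driver configuration. The `%%` in the LIKE patterns implies `$sql_extra` is later passed through sprintf, which is presumably why protectSprintf is applied here; a one-line comment stating that would spare the next reader the same question. frio_acl_lookup begins and ends outside the hunk.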