use raw db queries wherever query items could contain '%'

include/dba.php

@@ -134,6 +134,16 @@ function q($sql) {
 	return $ret;
 }}
 
+// raw db query, no arguments
+
+if(! function_exists('dbq')) { 
+function dbq($sql) {
+
+	global $db;
+	$ret = $db->q($sql);
+	return $ret;
+}}
+
 
 // Caller is responsible for ensuring that any integer arguments to 
 // dbesc_array are actually integers and not malformed strings containing

include/items.php

@@ -550,7 +550,7 @@ function item_store($arr) {
 
 	logger('item_store: ' . print_r($arr,true), LOGGER_DATA);
 
-	$r = q("INSERT INTO `item` (`" 
+	$r = dbq("INSERT INTO `item` (`" 
 			. implode("`, `", array_keys($arr)) 
 			. "`) VALUES ('" 
 			. implode("', '", array_values($arr)) 

mod/dfrn_notify.php

@@ -106,7 +106,7 @@ function dfrn_notify_post(&$a) {
 		
 		dbesc_array($msg);
 
-		$r = q("INSERT INTO `mail` (`" . implode("`, `", array_keys($msg)) 
+		$r = dbq("INSERT INTO `mail` (`" . implode("`, `", array_keys($msg)) 
 			. "`) VALUES ('" . implode("', '", array_values($msg)) . "')" );
 
 		// send email notification if requested.

mod/profiles.php

@@ -249,7 +249,7 @@ function profiles_content(&$a) {
 
 		dbesc_array($r1[0]);
 
-		$r2 = q("INSERT INTO `profile` (`" 
+		$r2 = dbq("INSERT INTO `profile` (`" 
 			. implode("`, `", array_keys($r1[0])) 
 			. "`) VALUES ('" 
 			. implode("', '", array_values($r1[0]))