Merge pull request #2206 from annando/1512-diaspora-sql

Diaspora: Fixed possible SQL injection

diff --combined include/diaspora.php
index f74e7ca178a3105548be2947682bc686e7dca36a,155e07b39faa656928f9a0ae24e3e5352218ff85..75e4a7106bd064622c59401b60acf43d0ae9d2e2
--- 1/include/diaspora.php
--- 2/include/diaspora.php
+++ b/include/diaspora.php
@@@ -1,10 -1,9 +1,10 @@@
  <?php
  
 -/*
 -To-Do:
 -- GET /people/9aed8882b9f64896/stream
 -*/
 +/**
 + * @file include/diaspora.php
 + * 
 + * @todo GET /people/9aed8882b9f64896/stream
 + */
  
  require_once('include/crypto.php');
  require_once('include/items.php');
@@@ -805,7 -804,7 +805,7 @@@ function diaspora_is_redmatrix($url) 
  }
  
  function diaspora_plink($addr, $guid) {
-       $r = q("SELECT `url`, `nick`, `network` FROM `fcontact` WHERE `addr`='%s' LIMIT 1", $addr);
+       $r = q("SELECT `url`, `nick`, `network` FROM `fcontact` WHERE `addr`='%s' LIMIT 1", dbesc($addr));
  
        // Fallback
        if (!$r)
@@@ -1018,8 -1017,8 +1018,8 @@@ function diaspora_store_by_guid($guid, 
        DiasporaFetchGuid($datarray);
        $message_id = item_store($datarray);
  
 -      // To-Do:
 -      // Looking if there is some subscribe mechanism in Diaspora to get all comments for this post
 +      /// @TODO
 +      /// Looking if there is some subscribe mechanism in Diaspora to get all comments for this post
  
        return $message_id;
  }
@@@ -1089,8 -1088,8 +1089,8 @@@ function diaspora_fetch_message($guid, 
                $body = scale_external_images($body);
  
                // Add OEmbed and other information to the body
 -              // To-Do: It could be a repeated redmatrix item
 -              // Then we shouldn't add further data to it
 +              /// @TODO It could be a repeated redmatrix item
 +              /// Then we shouldn't add further data to it
                if ($item["object-type"] == ACTIVITY_OBJ_NOTE)
                        $body = add_page_info_to_body($body, false, true);
  
@@@ -2362,9 -2361,9 +2362,9 @@@ function diaspora_signed_retraction($im
                                // The first item in the `item` table with the parent id is the parent. However, MySQL doesn't always
                                // return the items ordered by `item`.`id`, in which case the wrong item is chosen as the parent.
                                // The only item with `parent` and `id` as the parent id is the parent item.
-                               $p = q("select origin from item where parent = %d and id = %d limit 1",
-                                       $r[0]['parent'],
-                                       $r[0]['parent']
+                               $p = q("SELECT `origin` FROM `item` WHERE `parent` = %d AND `id` = %d LIMIT 1",
+                                       intval($r[0]['parent']),
+                                       intval($r[0]['parent'])
                                );
                                if(count($p)) {
                                        if(($p[0]['origin']) && (! $parent_author_signature)) {
@@@ -2463,8 -2462,8 +2463,8 @@@ function diaspora_profile($importer,$xm
        if(substr($birthday,5) === substr($contact['bd'],5))
                $birthday = $contact['bd'];
  
 -      // TODO: update name on item['author-name'] if the name changed. See consume_feed()
 -      // Not doing this currently because D* protocol is scheduled for revision soon.
 +      /// @TODO Update name on item['author-name'] if the name changed. See consume_feed()
 +      /// (Not doing this currently because D* protocol is scheduled for revision soon).
  
        $r = q("UPDATE `contact` SET `name` = '%s', `name-date` = '%s', `photo` = '%s', `thumb` = '%s', `micro` = '%s', `avatar-date` = '%s' , `bd` = '%s', `location` = '%s', `about` = '%s', `keywords` = '%s', `gender` = '%s' WHERE `id` = %d AND `uid` = %d",
                dbesc($name),