}
return (is_array($array) && count($array) > 0);
}
+
+ /**
+ * @brief Callback function for "esc_array"
+ *
+ * @param mixed $value Array value
+ * @param string $key Array key
+ * @param boolean $add_quotation add quoatation marks for string values
+ */
+ private static function esc_array_callback(&$value, $key, $add_quotation) {
+
+ if (!$add_quotation) {
+ if (is_bool($value)) {
+ $value = ($value ? '1' : '0');
+ } else {
+ $value = dbesc($value);
+ }
+ return;
+ }
+
+ if (is_bool($value)) {
+ $value = ($value ? 'true' : 'false');
+ } elseif (is_numeric($value)) {
+ $value = (string)$value;
+ } else {
+ $value = "'".dbesc($value)."'";
+ }
+ }
+
+ /**
+ * @brief Escapes a whole array
+ *
+ * @param mixed $arr Array with values to be escaped
+ * @param boolean $add_quotation add quoatation marks for string values
+ */
+ public static function esc_array(&$arr, $add_quotation = false) {
+ array_walk($arr, 'self::esc_array_callback', $add_quotation);
+ }
}
?>
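Review bot: The `is_numeric` branch in esc_array_callback emits numeric-looking *strings* unquoted, so a text column receiving "007", "1e3" or " 42" (is_numeric accepts leading whitespace and exponents) gets an integer/float literal and MySQL stores 7, 1000 or 42 instead of the original bytes; the all-quoted INSERTs this commit replaces preserved them, and a quoted literal is coerced into a numeric column anyway. Only PHP-native numbers need to go bare: `} elseif (is_int($value) || is_float($value)) {`. That keeps every string on the dbesc-plus-quotes path (the injection property is unchanged) while no longer rewriting user text silently. Separately, the string callable `'self::esc_array_callback'` on the array_walk line is deprecated from PHP 8.2; `[self::class, 'esc_array_callback']` is equivalent, and the unused `$key` parameter deserves a one-line comment saying it only exists to match array_walk's callback signature.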
$msg["seen"] = 0;
$msg["replied"] = 0;
- dbesc_array($msg);
+ dbm::esc_array($msg, true);
- $r = dbq("INSERT INTO `mail` (`".implode("`, `", array_keys($msg))."`) VALUES ('".implode("', '", array_values($msg))."')");
+ $r = dbq("INSERT INTO `mail` (`".implode("`, `", array_keys($msg))."`) VALUES (".implode(", ", array_values($msg)).")");
// send notifications.
// Store the unescaped version
$unescaped = $arr;
- dbesc_array($arr);
+ dbm::esc_array($arr, true);
logger('item_store: ' . print_r($arr,true), LOGGER_DATA);
$r = dbq("INSERT INTO `item` (`"
. implode("`, `", array_keys($arr))
- . "`) VALUES ('"
- . implode("', '", array_values($arr))
- . "')");
+ . "`) VALUES ("
+ . implode(", ", array_values($arr))
+ . ")");
// And restore it
$arr = $unescaped;
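Review bot: After `dbm::esc_array($arr, true)` any item field whose value is a numeric-looking string — a `body` or `title` consisting of just "007" or "1e3" — is emitted as a bare numeric literal in the `VALUES (…)` list, whereas the removed `VALUES ('…')` form always quoted it, so MySQL now stores 7 or 1000 in the text column. This is a silent change to user content rather than an injection issue, since non-numeric strings still go through dbesc and quotes; it should be fixed in the callback (unquote only `is_int`/`is_float` values) or, until then, guarded here with a comment such as `// NOTE: esc_array(..., true) leaves numeric-looking strings unquoted — body/title of "007" would be stored as 7`. A regression test that stores an item with `'body' => '007'` and reads it back would catch it. item_store continues on both sides of this hunk.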
$photo = $parms["photo"];
// Escape the entire array
-
- dbesc_array($parms);
-
+ dbm::esc_array($parms);
/*
* Create a contact record on our site for the other person
$parms['issued-id'] = $issued_id;
$photo = $parms["photo"];
- dbesc_array($parms);
+ dbm::esc_array($parms);
$r = q("INSERT INTO `contact` ( `uid`, `created`, `url`, `nurl`, `addr`, `name`, `nick`, `issued-id`, `photo`, `site-pubkey`,
`request`, `confirm`, `notify`, `poll`, `poco`, `network`, `blocked`, `pending` )
VALUES ( %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d )",
$r1[0]['net-publish'] = 0;
$r1[0]['profile-name'] = dbesc($name);
- dbesc_array($r1[0]);
+ dbm::esc_array($r1[0], true);
$r2 = dbq("INSERT INTO `profile` (`"
. implode("`, `", array_keys($r1[0]))
- . "`) VALUES ('"
- . implode("', '", array_values($r1[0]))
- . "')" );
+ . "`) VALUES ("
+ . implode(", ", array_values($r1[0]))
+ . ")" );
$r3 = q("SELECT `id` FROM `profile` WHERE `uid` = %d AND `profile-name` = '%s' LIMIT 1",
intval(local_user()),
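Review bot: `$r1[0]['profile-name']` is assigned `dbesc($name)` and then escaped a second time by `dbm::esc_array($r1[0], true)`, so a name containing a quote or backslash is stored with the escaping doubled (`O\\'Brien`), and the `SELECT … WHERE profile-name = '%s'` that follows — whose argument list continues outside the hunk, presumably with a single `dbesc($name)` — will not find the row just inserted. Drop the inner escape, `$r1[0]['profile-name'] = $name;`, and let esc_array do the one escaping pass it now owns. The removed `dbesc_array($r1[0])` line almost certainly had the same double-escape, but this migration is the natural place to fix it.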