From: Adam Magness
Date: Thu, 8 Nov 2018 15:30:45 +0000 (-0500)
Subject: protect_sprintf calls
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=0efcbe5d158ed7673c8a9a70936deb5eb707dc63;p=friendica.git

protect_sprintf calls

implement protectSprintf function
---

diff --git a/mod/network.php b/mod/network.php
index e1c077b6c5..ec87e4c87e 100644
--- a/mod/network.php
+++ b/mod/network.php
@@ -650,7 +650,7 @@ function networkThreadedView(App $a, $update, $parent)
 $sql_post_table .= " INNER JOIN `item` AS `temp1` ON `temp1`.`id` = " . $sql_table . "." . $sql_parent;
 $sql_extra3 .= " AND (`thread`.`contact-id` IN ($contact_str) ";
- $sql_extra3 .= " OR (`thread`.`contact-id` = '$contact_str_self' AND `temp1`.`allow_gid` LIKE '" . protect_sprintf('%<' . intval($gid) . '>%') . "' AND `temp1`.`private`))";
+ $sql_extra3 .= " OR (`thread`.`contact-id` = '$contact_str_self' AND `temp1`.`allow_gid` LIKE '" . Strings::protectSprintf('%<' . intval($gid) . '>%') . "' AND `temp1`.`private`))";
 } else {
 $sql_extra3 .= " AND false ";
 info(L10n::t('Group is empty'));
@@ -698,11 +698,11 @@ function networkThreadedView(App $a, $update, $parent)
 }
 if ($datequery) {
- $sql_extra3 .= protect_sprintf(sprintf(" AND $sql_table.created <= '%s' ",
+ $sql_extra3 .= Strings::protectSprintf(sprintf(" AND $sql_table.created <= '%s' ",
 DBA::escape(DateTimeFormat::convert($datequery, 'UTC', date_default_timezone_get()))));
 }
 if ($datequery2) {
- $sql_extra3 .= protect_sprintf(sprintf(" AND $sql_table.created >= '%s' ",
+ $sql_extra3 .= Strings::protectSprintf(sprintf(" AND $sql_table.created >= '%s' ",
 DBA::escape(DateTimeFormat::convert($datequery2, 'UTC', date_default_timezone_get()))));
 }
diff --git a/mod/profile.php b/mod/profile.php
index d07631dced..f520ef94b7 100644
--- a/mod/profile.php
+++ b/mod/profile.php
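Review bot: The new `Strings::protectSprintf` calls in both hunks of mod/network.php only resolve if the file imports the class (`use Friendica\Util\Strings;` near the top, assuming that is where the new helper lives); no such import appears in this diff, and a missing one is a fatal "class not found" on the first request that reaches this code path, so it should be confirmed or added. The same check applies to mod/profile.php, src/Module/Contact.php, src/Protocol/DFRN.php and view/theme/frio/theme.php, which get the identical replacement. For reviewers it is worth stating that this is a pure rename: the escaping order around each fragment (`protectSprintf` before `DBA::escape`, or wrapped around the already-formatted fragment) is unchanged, so the SQL assembled here is neither more nor less protected than before. networkThreadedView begins before and continues after these hunks.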
@@ -273,19 +273,19 @@ function profile_content(App $a, $update = 0)
 if (!empty($category)) {
 $sql_post_table = sprintf("INNER JOIN (SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d ORDER BY `tid` DESC) AS `term` ON `item`.`id` = `term`.`oid` ",
- DBA::escape(protect_sprintf($category)), intval(TERM_OBJ_POST), intval(TERM_CATEGORY), intval($a->profile['profile_uid']));
+ DBA::escape(Strings::protectSprintf($category)), intval(TERM_OBJ_POST), intval(TERM_CATEGORY), intval($a->profile['profile_uid']));
 }
 if (!empty($hashtags)) {
 $sql_post_table .= sprintf("INNER JOIN (SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d ORDER BY `tid` DESC) AS `term` ON `item`.`id` = `term`.`oid` ",
- DBA::escape(protect_sprintf($hashtags)), intval(TERM_OBJ_POST), intval(TERM_HASHTAG), intval($a->profile['profile_uid']));
+ DBA::escape(Strings::protectSprintf($hashtags)), intval(TERM_OBJ_POST), intval(TERM_HASHTAG), intval($a->profile['profile_uid']));
 }
 if (!empty($datequery)) {
- $sql_extra2 .= protect_sprintf(sprintf(" AND `thread`.`created` <= '%s' ", DBA::escape(DateTimeFormat::convert($datequery, 'UTC', date_default_timezone_get()))));
+ $sql_extra2 .= Strings::protectSprintf(sprintf(" AND `thread`.`created` <= '%s' ", DBA::escape(DateTimeFormat::convert($datequery, 'UTC', date_default_timezone_get()))));
 }
 if (!empty($datequery2)) {
- $sql_extra2 .= protect_sprintf(sprintf(" AND `thread`.`created` >= '%s' ", DBA::escape(DateTimeFormat::convert($datequery2, 'UTC', date_default_timezone_get()))));
+ $sql_extra2 .= Strings::protectSprintf(sprintf(" AND `thread`.`created` >= '%s' ", DBA::escape(DateTimeFormat::convert($datequery2, 'UTC', date_default_timezone_get()))));
 }
 // Does the profile page belong to a forum?
diff --git a/src/Module/Contact.php b/src/Module/Contact.php
index 8600b115d6..faf1ecad5f 100644
--- a/src/Module/Contact.php
+++ b/src/Module/Contact.php
@@ -766,7 +766,7 @@ class Contact extends BaseModule
 if ($search) {
 $searching = true;
 $search_hdr = $search;
- $search_txt = DBA::escape(protect_sprintf(preg_quote($search)));
+ $search_txt = DBA::escape(Strings::protectSprintf(preg_quote($search)));
 $sql_extra .= " AND (name REGEXP '$search_txt' OR url REGEXP '$search_txt' OR nick REGEXP '$search_txt') ";
 }
diff --git a/src/Protocol/DFRN.php b/src/Protocol/DFRN.php
index a6efeb76a2..96ed32010e 100644
--- a/src/Protocol/DFRN.php
+++ b/src/Protocol/DFRN.php
@@ -241,7 +241,7 @@ class DFRN
 if (isset($category)) {
 $sql_post_table = sprintf(
 "INNER JOIN (SELECT `oid` FROM `term` WHERE `term` = '%s' AND `otype` = %d AND `type` = %d AND `uid` = %d ORDER BY `tid` DESC) AS `term` ON `item`.`id` = `term`.`oid` ",
- DBA::escape(protect_sprintf($category)),
+ DBA::escape(Strings::protectSprintf($category)),
 intval(TERM_OBJ_POST),
 intval(TERM_CATEGORY),
 intval($owner_id)
diff --git a/view/theme/frio/theme.php b/view/theme/frio/theme.php
index 411e143611..6621fd5540 100644
--- a/view/theme/frio/theme.php
+++ b/view/theme/frio/theme.php
@@ -311,7 +311,7 @@ function frio_acl_lookup(App $a, &$results)
 $sql_extra = '';
 if ($results['search']) {
- $search_txt = DBA::escape(protect_sprintf(preg_quote($results['search'])));
+ $search_txt = DBA::escape(Strings::protectSprintf(preg_quote($results['search'])));
 $sql_extra .= " AND (`attag` LIKE '%%" . $search_txt . "%%' OR `name` LIKE '%%" . $search_txt . "%%' OR `nick` LIKE '%%" . $search_txt . "%%') ";
 }