From ea22828d371f08defb2959ab52d7b76c920c7946 Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Sat, 28 Jan 2017 12:19:04 +0000
Subject: [PATCH] Alternate solution for pull request 3124

---
 include/dbm.php      | 37 +++++++++++++++++++++++++++++++++++++
 include/dfrn.php     |  4 ++--
 include/items.php    |  8 ++++----
 mod/dfrn_request.php |  6 ++----
 mod/profiles.php     |  8 ++++----
 5 files changed, 49 insertions(+), 14 deletions(-)

diff --git a/include/dbm.php b/include/dbm.php
index 6098dce739..00cb153fb1 100644
--- a/include/dbm.php
+++ b/include/dbm.php
@@ -49,5 +49,42 @@ class dbm {
 		}
 		return (is_array($array) && count($array) > 0);
 	}
+
+	/**
+	 * @brief Callback function for "esc_array"
+	 *
+	 * @param mixed $value Array value
+	 * @param string $key Array key
+	 * @param boolean $add_quotation add quoatation marks for string values
+	 */
+	private static function esc_array_callback(&$value, $key, $add_quotation) {
+
+		if (!$add_quotation) {
+			if (is_bool($value)) {
+				$value = ($value ? '1' : '0');
+			} else {
+				$value = dbesc($value);
+			}
+			return;
+		}
+
+		if (is_bool($value)) {
+			$value = ($value ? 'true' : 'false');
+		} elseif (is_numeric($value)) {
+			$value = (string)$value;
+		} else {
+			 $value = "'".dbesc($value)."'";
+		}
+	}
+
+	/**
+	 * @brief Escapes a whole array
+	 *
+	 * @param mixed $arr Array with values to be escaped
+	 * @param boolean $add_quotation add quoatation marks for string values
+	 */
+	public static function esc_array(&$arr, $add_quotation = false) {
+		array_walk($arr, 'self::esc_array_callback', $add_quotation);
+	}
 }
 ?>
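Review bot: In the `$add_quotation` path of esc_array_callback, the `is_numeric($value)` branch sends numeric-looking strings unquoted, so a text value such as `'0123'` or `'1e3'` reaches MySQL as a number literal and is stored as `123`/`1000` in a VARCHAR column, whereas the quote-everything form it replaces preserved the original string. Only genuine PHP numbers should skip quoting: `} elseif (is_int($value) || is_float($value)) {` keeps numeric strings on the quoted `dbesc` path. Note also that `(string)$value` on a float was locale-sensitive before PHP 8.0, so a locale with a comma decimal separator would turn one value into two in the VALUES list; `var_export($value, true)` is locale-independent (whether that applies depends on the deployment's locale settings). Both docblocks spell "quotation" as "quoatation", and `@param mixed $arr` should read `array $arr` since `array_walk` accepts nothing else.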
diff --git a/include/dfrn.php b/include/dfrn.php
index e9bdaec664..702fbb15fe 100644
--- a/include/dfrn.php
+++ b/include/dfrn.php
@@ -1421,9 +1421,9 @@ class dfrn {
 		$msg["seen"] = 0;
 		$msg["replied"] = 0;
 
-		dbesc_array($msg);
+		dbm::esc_array($msg, true);
 
-		$r = dbq("INSERT INTO `mail` (`".implode("`, `", array_keys($msg))."`) VALUES ('".implode("', '", array_values($msg))."')");
+		$r = dbq("INSERT INTO `mail` (`".implode("`, `", array_keys($msg))."`) VALUES (".implode(", ", array_values($msg)).")");
 
 		// send notifications.
 
diff --git a/include/items.php b/include/items.php
index fa4f3290b1..2b6fb9a1fe 100644
--- a/include/items.php
+++ b/include/items.php
@@ -820,7 +820,7 @@ function item_store($arr,$force_parent = false, $notify = false, $dontcache = fa
 	// Store the unescaped version
 	$unescaped = $arr;
 
-	dbesc_array($arr);
+	dbm::esc_array($arr, true);
 
 	logger('item_store: ' . print_r($arr,true), LOGGER_DATA);
 
@@ -829,9 +829,9 @@ function item_store($arr,$force_parent = false, $notify = false, $dontcache = fa
 
 	$r = dbq("INSERT INTO `item` (`"
 			. implode("`, `", array_keys($arr))
-			. "`) VALUES ('"
-			. implode("', '", array_values($arr))
-			. "')");
+			. "`) VALUES ("
+			. implode(", ", array_values($arr))
+			. ")");
 
 	// And restore it
 	$arr = $unescaped;
diff --git a/mod/dfrn_request.php b/mod/dfrn_request.php
index 9e5f022d1b..6480f2c756 100644
--- a/mod/dfrn_request.php
+++ b/mod/dfrn_request.php
@@ -145,9 +145,7 @@ function dfrn_request_post(App $a) {
 					$photo = $parms["photo"];
 
 					// Escape the entire array
-
-					dbesc_array($parms);
-
+					dbm::esc_array($parms);
 
 					/*
 					 * Create a contact record on our site for the other person
@@ -547,7 +545,7 @@ function dfrn_request_post(App $a) {
 				$parms['issued-id'] = $issued_id;
 				$photo = $parms["photo"];
 
-				dbesc_array($parms);
+				dbm::esc_array($parms);
 				$r = q("INSERT INTO `contact` ( `uid`, `created`, `url`, `nurl`, `addr`, `name`, `nick`, `issued-id`, `photo`, `site-pubkey`,
 					`request`, `confirm`, `notify`, `poll`, `poco`, `network`, `blocked`, `pending` )
 					VALUES ( %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d )",
diff --git a/mod/profiles.php b/mod/profiles.php
index d8475eeccb..4c6ff926b6 100644
--- a/mod/profiles.php
+++ b/mod/profiles.php
@@ -103,13 +103,13 @@ function profiles_init(App $a) {
 		$r1[0]['net-publish'] = 0;
 		$r1[0]['profile-name'] = dbesc($name);
 
-		dbesc_array($r1[0]);
+		dbm::esc_array($r1[0], true);
 
 		$r2 = dbq("INSERT INTO `profile` (`"
 			. implode("`, `", array_keys($r1[0]))
-			. "`) VALUES ('"
-			. implode("', '", array_values($r1[0]))
-			. "')" );
+			. "`) VALUES ("
+			. implode(", ", array_values($r1[0]))
+			. ")" );
 
 		$r3 = q("SELECT `id` FROM `profile` WHERE `uid` = %d AND `profile-name` = '%s' LIMIT 1",
 			intval(local_user()),
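Review bot: `$r1[0]['profile-name'] = dbesc($name);` on the context line just above `dbm::esc_array($r1[0], true)` appears to escape the profile name twice, because the `true` mode's callback (include/dbm.php in this patch) itself runs `dbesc()` on every non-numeric string; a name containing a quote or backslash would then be stored with a literal backslash. If nothing else depends on the pre-escaped form, assigning the raw value, `$r1[0]['profile-name'] = $name;`, lets esc_array perform the single escaping. This was presumably already the case under dbesc_array, but since the commit replaces the escaping mechanism it is the moment to settle it. profiles_init continues outside this hunk.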
-- 
2.39.5