authorzotlabs <mike@macgirvin.com>2016-10-13 00:30:41 -0700
committerzotlabs <mike@macgirvin.com>2016-10-13 00:30:41 -0700
commit6532972e61a2aa5e8517ebcca3113adb3c8f336d (patch)
tree1bb8dba43eee1c57746987aee05814d135235a2f
parent48026efddfdf063fad7c7bd7a86dd7fc4ca4a0a7 (diff)
downloadvolse-hubzilla-6532972e61a2aa5e8517ebcca3113adb3c8f336d.tar.gz
volse-hubzilla-6532972e61a2aa5e8517ebcca3113adb3c8f336d.tar.bz2
volse-hubzilla-6532972e61a2aa5e8517ebcca3113adb3c8f336d.zip
additional array checking
-rw-r--r--Zotlabs/Module/Profiles.php8
-rwxr-xr-xinclude/dba/dba_driver.php13
-rw-r--r--include/import.php6
-rwxr-xr-xinclude/items.php5
-rw-r--r--include/text.php9
5 files changed, 27 insertions, 14 deletions
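--- a/Zotlabs/Module/Profiles.php
+++ b/Zotlabs/Module/Profiles.php
@@ -117,13 +117,7 @@ class Profiles extends \Zotlabs\Web\Controller {
 $r1[0]['profile_name'] = dbesc($name);
 $r1[0]['profile_guid'] = dbesc(random_string());
- dbesc_array($r1[0]);
-
- $r2 = dbq("INSERT INTO profile (" . TQUOT
- . implode(TQUOT . ", " . TQUOT, array_keys($r1[0]))
- . TQUOT . ") VALUES ('"
- . implode("', '", array_values($r1[0]))
- . "')" );
+ create_table_from_array('profile', $r1[0]);
 $r3 = q("SELECT id FROM profile WHERE uid = %d AND profile_name = '%s' LIMIT 1",
 intval(local_channel()),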
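Review bot: The result of `create_table_from_array('profile', $r1[0])` is discarded, so when dbesc_array rejects a malformed key the INSERT is silently skipped and the method proceeds to the SELECT for the new profile id as though the row existed. The call should be checked, e.g. `if(! create_table_from_array('profile', $r1[0])) { logger('profile create failed'); return; }`; the exact failure handling depends on the enclosing method, which starts outside the hunk. Note that `dbesc($name)` on the line above is applied before create_table_from_array escapes the whole array again, so profile_name appears to be escaped twice; this predates the change but is now easier to see and worth confirming.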
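--- a/include/dba/dba_driver.php
+++ b/include/dba/dba_driver.php
@@ -391,9 +391,22 @@ function dbesc_array_cb(&$item, $key) {
 function dbesc_array(&$arr) {
+ $bogus_key = false;
 if(is_array($arr) && count($arr)) {
+ $matches = false;
+ foreach($arr as $k => $v) {
+ if(preg_match('/([^a-zA-Z0-9\-\_\.])/',$k,$matches)) {
+ logger('bogus key: ' . $k);
+ $bogus_key = true;
+ }
+ }
 array_walk($arr,'dbesc_array_cb');
+ if($bogus_key) {
+ $arr['BOGUS.KEY'] = 1;
+ return false;
+ }
 }
+ return true;
 }
 function db_getfunc($f) {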
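Review bot: A rejected key is logged and flagged but left in `$arr`, and the array is still walked and handed back, so a caller that ignores the boolean (create_table_from_array's own result is discarded in Profiles.php in this same commit) builds its SQL with the unvalidated key anyway. Removing the entry at the point of detection, `unset($arr[$k]);` after the logger call, would make the rejection hold even for callers that never check the return value. Non-array input also falls through to `return true;`, so callers must keep their own is_array check before interpolating. `$matches` is assigned but never read and can be dropped from the preg_match call. A header comment should state the contract, e.g. `// Runs dbesc_array_cb over every value in place; returns false (and sets $arr['BOGUS.KEY']) when any key contains a character outside [a-zA-Z0-9._-], i.e. is unsafe to splice into SQL as a column name.`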
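--- a/include/import.php
+++ b/include/import.php
@@ -1026,7 +1026,8 @@ function sync_files($channel,$files) {
 if($attach_exists) {
 logger('sync_files attach exists: ' . print_r($att,true), LOGGER_DEBUG);
- dbesc_array($att);
+ if(! dbesc_array($att))
+ continue;
 $str = '';
 foreach($att as $k => $v) {
 if($str)
@@ -1140,7 +1141,8 @@ function sync_files($channel,$files) {
 if($exists) {
- dbesc_array($p);
+ if(! dbesc_array($p))
+ continue;
 $str = '';
 foreach($p as $k => $v) {
 if($str)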
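Review bot: When dbesc_array rejects a record, the added `continue` drops that attach entry from the sync without any message saying so; the only trace is dbesc_array's generic 'bogus key' line, which names the key but not the record. The second hunk (`if(! dbesc_array($p)) continue;`) has the same gap. A line at sync_files level before each `continue`, e.g. `logger('sync_files: skipping record with malformed keys', LOGGER_DEBUG);`, would let an operator correlate the skip with the 'bogus key' entry. Both `continue` statements depend on the enclosing loop, which starts outside the hunk.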
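--- a/include/items.php
+++ b/include/items.php
@@ -2161,7 +2161,10 @@ function item_store_update($arr,$allow_exec = false, $deliver = true) {
 }
- dbesc_array($arr);
+ if(! dbesc_array($arr)) {
+ $ret['message'] = 'DB array malformed';
+ return $ret;
+ }
 logger('item_store_update: ' . print_r($arr,true), LOGGER_DATA);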
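Review bot: The early return on a rejected array happens before the `logger('item_store_update: ' . print_r($arr,true), LOGGER_DATA)` line, so the payload that was refused is never recorded at LOGGER_DATA; only dbesc_array's 'bogus key' line, which carries the key but not the item, reaches the log. Adding `logger('item_store_update: rejected array ' . print_r($arr,true), LOGGER_DATA);` inside the new if before `return $ret;` keeps the diagnostic. `$ret` is initialised outside the hunk; presumably it already represents a failure state so that setting the message alone is enough, but that is worth confirming.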
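--- a/include/text.php
+++ b/include/text.php
@@ -3035,13 +3035,14 @@ function create_table_from_array($table,$arr) {
 if(! ($arr && $table))
 return false;
- dbesc_array($arr);
-
- $r = dbq("INSERT INTO " . TQUOT . $table . TQUOT . " (" . TQUOT
+ if(dbesc_array($arr)) {
+ $r = dbq("INSERT INTO " . TQUOT . $table . TQUOT . " (" . TQUOT
 . implode(TQUOT . ', ' . TQUOT, array_keys($arr))
 . TQUOT . ") VALUES ('"
 . implode("', '", array_values($arr))
- . "')" );
+ . "')"
+ );
+ }
 return $r;
 }
\ No newline at end of file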
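Review bot: When dbesc_array returns false, `$r` is never assigned, so `return $r;` yields null with an undefined-variable notice rather than a definite false; initialise it before the conditional, `$r = false;` directly above `if(dbesc_array($arr)) {`. The leading guard `if(! ($arr && $table))` still accepts a non-array `$arr`, which dbesc_array passes through as true and which the implode calls then choke on; `is_array($arr)` belongs in that guard. `$table` is still spliced into the statement inside TQUOT without the character check the keys now receive, so the identifier validation covers column names only; callers on this page pass a literal, but a comment such as `// $table must be a trusted literal; only $arr keys are validated` would make that contract explicit.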