authorMike Macgirvin <mike@macgirvin.com>2010-07-19 06:58:03 -0700
committerMike Macgirvin <mike@macgirvin.com>2010-07-19 06:58:03 -0700
commit6695b4a203ab03941c8b3305a3e55cc02b85a5ac (patch)
tree47af4ee89d71b4c0584ae30da1883d5ae9e933a2
parentbbe53699f26bfa4e4d17da097fd8f2fc14da47dd (diff)
more bugs
-rw-r--r--boot.php6
-rw-r--r--include/items.php4
-rw-r--r--include/notifier.php2
-rw-r--r--include/security.php2
-rw-r--r--mod/contacts.php6
-rw-r--r--mod/dfrn_confirm.php4
-rw-r--r--mod/dfrn_notify.php4
-rw-r--r--mod/dfrn_poll.php2
-rw-r--r--mod/item.php4
-rw-r--r--mod/network.php4
-rw-r--r--mod/profile.php4
-rw-r--r--mod/register.php4
-rw-r--r--view/acl_selectors.php4
13 files changed, 25 insertions, 25 deletions
diff --git a/boot.php b/boot.php
index 1a60ee173..56d85f638 100644
--- a/boot.php
+++ b/boot.php
@@ -205,12 +205,10 @@ function notags($string) {
return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string));
}}
-// The PHP built-in tag escape function has traditionally been buggy
if(! function_exists('escape_tags')) {
function escape_tags($string) {
- return(str_replace(
- array('&', '"', "'", '<', '>'),
- array('&amp;', '&quot;', '&#39;', '&lt;', '&gt;'), $string));
+
+ return(htmlspecialchars($string));
}}
if(! function_exists('login')) {
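Review bot: The replacement `return(htmlspecialchars($string));` no longer escapes single quotes, which the removed str_replace table did (`'` became `&#39;`); with no flags argument the call runs in ENT_COMPAT mode, so a value placed in a single-quoted attribute is left unescaped, and the default charset on the PHP versions of this era is not UTF-8. Pass both explicitly so escape_tags keeps its previous contract: `return(htmlspecialchars($string, ENT_QUOTES, 'UTF-8'));`. The removed comment about the built-in being buggy could be replaced by one stating the flags chosen and why.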
diff --git a/include/items.php b/include/items.php
index d583ffecc..937fc39fd 100644
--- a/include/items.php
+++ b/include/items.php
@@ -63,7 +63,7 @@ function get_feed_for(&$a,$dfrn_id,$owner_id,$last_update) {
`contact`.`id` AS `contact-id`, `contact`.`uid` AS `contact-uid`
FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id`
WHERE `item`.`uid` = %d AND `item`.`visible` = 1 AND `item`.`deleted` = 0
- AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0
+ AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
AND `item`.`edited` > '%s'
$sql_extra
ORDER BY `parent` ASC, `created` ASC LIMIT 0, 300",
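Review bot: The added `AND contact.pending = 0` (together with the existing `contact.blocked = 0`) is a WHERE condition on the right-hand table of a LEFT JOIN, so every item whose contact row is missing is dropped and the join behaves as an inner join. If that is the intent, writing `JOIN` instead of `LEFT JOIN` states it directly; if items without a contact row are meant to survive, the two conditions belong in the ON clause. The same pattern appears in both hunks of network.php and both hunks of profile.php. get_feed_for starts before this hunk.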
@@ -114,7 +114,7 @@ function get_feed_for(&$a,$dfrn_id,$owner_id,$last_update) {
'$published' => xmlify(datetime_convert('UTC', 'UTC', $item['created'] . '+00:00' , 'Y-m-d\TH:i:s\Z')),
'$updated' => xmlify(datetime_convert('UTC', 'UTC', $item['edited'] . '+00:00' , 'Y-m-d\TH:i:s\Z')),
'$content' =>xmlify($item['body']),
- '$comment_allow' => (($item['last-child'] && strlen($contact['dfrn-id'] && (! $contact['blocked']))) ? 1 : 0)
+ '$comment_allow' => (($item['last-child'] && strlen($contact['dfrn-id'])) ? 1 : 0)
));
}
else {
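Review bot: The corrected parenthesisation also drops the `(! $contact['blocked'])` term that the old expression, however mis-nested, included, so `$comment_allow` now depends only on last-child and a non-empty dfrn-id. If the blocked check was meant to survive the fix, the line should read `'$comment_allow' => (($item['last-child'] && strlen($contact['dfrn-id']) && (! $contact['blocked'])) ? 1 : 0)`; if it is intentionally covered by the query filter earlier in the function, a one-line comment saying so would save the next reader the question. Whether `$contact` here is the feed owner's row or the item's contact row is not visible in the hunk.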
diff --git a/include/notifier.php b/include/notifier.php
index b8eef3971..bd787dbfb 100644
--- a/include/notifier.php
+++ b/include/notifier.php
@@ -96,7 +96,7 @@ dbg(3);
$conversant_str = dbesc(implode(', ',$conversants));
}
- $r = q("SELECT * FROM `contact` WHERE `id` IN ( $conversant_str ) AND `blocked` = 0 ");
+ $r = q("SELECT * FROM `contact` WHERE `id` IN ( $conversant_str ) AND `blocked` = 0 AND `pending` = 0");
if( ! count($r))
killme();
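Review bot: The new query still interpolates `$conversant_str` straight into `IN ( ... )`; `dbesc()` escapes quote characters but does not ensure the list is numeric, so the safety of this line depends on how `$conversants` is built above the hunk, which is not visible here. Building the list as `$conversant_str = implode(', ', array_map('intval', $conversants));` makes the query independent of that, and an empty list should be rejected before the query runs, since `IN ( )` is a SQL syntax error rather than an empty result. The enclosing function starts before the hunk.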
diff --git a/include/security.php b/include/security.php
index 8b3452534..a71391dba 100644
--- a/include/security.php
+++ b/include/security.php
@@ -6,7 +6,7 @@ function can_write_wall(&$a,$owner) {
if((local_user()) && ($_SESSION['uid'] == $owner))
return true;
- $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `id` = %d AND `blocked` = 0",
+ $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `id` = %d AND `blocked` = 0 AND `pending` = 0 LIMIT 1",
intval($owner),
intval($_SESSION['visitor_id'])
);
diff --git a/mod/contacts.php b/mod/contacts.php
index 585ac1423..4f48c1c3d 100644
--- a/mod/contacts.php
+++ b/mod/contacts.php
@@ -119,7 +119,7 @@ function contacts_content(&$a) {
$p['id']);
}
}
- if($intval($contact_id))
+ if(intval($contact_id))
q("DELETE FROM `item` WHERE `contact-id` = %d LIMIT 1",
intval($contact_id)
);
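Review bot: The typo fix makes the guarded delete reachable, but that statement, `DELETE FROM item WHERE contact-id = %d LIMIT 1` (identifier quoting omitted), removes a single item row; if this branch is meant to purge the contact's items, the remaining rows are left behind with a dangling contact-id. Dropping the `LIMIT 1` from the query string would delete them all; if a single-row delete is really intended, a comment stating why would help. contacts_content continues outside the hunk.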
@@ -184,7 +184,7 @@ function contacts_content(&$a) {
return $o;
}
-dbg(2);
+
if(($a->argc == 2) && ($a->argv[1] == 'all'))
$sql_extra = '';
else
@@ -212,7 +212,7 @@ dbg(2);
break;
}
- $r = q("SELECT * FROM `contact` WHERE `uid` = %d $sql_extra $sql_extra2 ",
+ $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `pending` = 0 $sql_extra $sql_extra2 ",
intval($_SESSION['uid']));
if(count($r)) {
diff --git a/mod/dfrn_confirm.php b/mod/dfrn_confirm.php
index e02fbf3d0..1a3947d97 100644
--- a/mod/dfrn_confirm.php
+++ b/mod/dfrn_confirm.php
@@ -136,7 +136,7 @@ function dfrn_confirm_post(&$a) {
$thumb = $a->get_baseurl() . '/images/default-profile-sm.jpg';
}
- $r = q("UPDATE `contact` SET `photo` = '%s', `thumb` = '%s', `blocked` = 0 WHERE `id` = %d LIMIT 1",
+ $r = q("UPDATE `contact` SET `photo` = '%s', `thumb` = '%s', `blocked` = 0, `pending` = 0 WHERE `id` = %d LIMIT 1",
dbesc($photo),
dbesc($thumb),
intval($dfrn_record)
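Review bot: The UPDATE on the new side is repeated verbatim in the second hunk of this file (line 361), differing only in the id variable; now that both carry `blocked = 0, pending = 0`, the two activation paths can drift apart unnoticed. A small helper taking the photo, thumb and contact id would keep the "contact becomes active" semantics in one place. dfrn_confirm_post starts before and continues after both hunks.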
@@ -361,7 +361,7 @@ function dfrn_confirm_post(&$a) {
$thumb = $a->get_baseurl() . '/images/default-profile-sm.jpg';
}
- $r = q("UPDATE `contact` SET `photo` = '%s', `thumb` = '%s', `blocked` = 0 WHERE `id` = %d LIMIT 1",
+ $r = q("UPDATE `contact` SET `photo` = '%s', `thumb` = '%s', `blocked` = 0, `pending` = 0 WHERE `id` = %d LIMIT 1",
dbesc($photo),
dbesc($thumb),
intval($contact_id)
diff --git a/mod/dfrn_notify.php b/mod/dfrn_notify.php
index 1d7ca3a50..ead49982b 100644
--- a/mod/dfrn_notify.php
+++ b/mod/dfrn_notify.php
@@ -143,7 +143,7 @@ dbg(3);
$datarray = get_atom_elements($item);
- $datarray['parent-uri'] = $item['uri']
+ $datarray['parent-uri'] = $item_id;
$datarray['uid'] = $importer['uid'];
$datarray['contact-id'] = $importer['id'];
$r = post_remote($a,$datarray);
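Review bot: `$datarray['parent-uri'] = $item_id;` fixes the missing semicolon but also changes the value from the entry's own uri to `$item_id`; whether `$item_id` holds the parent entry's URI (what the `parent-uri` key suggests) or a numeric row id is not visible in this hunk, so the assignment is worth confirming against where `$item_id` is set. A comment at this line naming what `$item_id` contains, e.g. `// $item_id: uri of the parent entry this comment replies to`, would make the intent checkable. The enclosing function starts before the hunk, and the `$r` returned by post_remote() is not checked within it.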
@@ -176,7 +176,7 @@ function dfrn_notify_content(&$a) {
intval(time() + 60 )
);
- $r = q("SELECT * FROM `contact` WHERE `issued-id` = '%s' AND `blocked` = 0 LIMIT 1",
+ $r = q("SELECT * FROM `contact` WHERE `issued-id` = '%s' AND `blocked` = 0 AND `pending` = 0 LIMIT 1",
dbesc($_GET['dfrn_id']));
if((! count($r)) || (! strlen($r[0]['prvkey'])))
$status = 1;
diff --git a/mod/dfrn_poll.php b/mod/dfrn_poll.php
index 6b4c50ad2..e3da6c952 100644
--- a/mod/dfrn_poll.php
+++ b/mod/dfrn_poll.php
@@ -165,7 +165,7 @@ function dfrn_poll_content(&$a) {
dbesc($last_update)
);
- $r = q("SELECT * FROM `contact` WHERE `issued-id` = '%s' AND `blocked` = 0 LIMIT 1",
+ $r = q("SELECT * FROM `contact` WHERE `issued-id` = '%s' AND `blocked` = 0 AND `pending` = 0 LIMIT 1",
dbesc($_GET['dfrn_id']));
if((! count($r)) || (! strlen($r[0]['prvkey'])))
$status = 1;
diff --git a/mod/item.php b/mod/item.php
index 4de9dc59f..e0497af7a 100644
--- a/mod/item.php
+++ b/mod/item.php
@@ -5,7 +5,7 @@ function sanitise_acl(&$item) {
}
function item_post(&$a) {
-dbg(3);
+
if((! local_user()) && (! remote_user()))
return;
@@ -170,6 +170,6 @@ dbg(3);
array(),$foo));
}
-// goaway($a->get_baseurl() . "/" . $_POST['return'] );
+ goaway($a->get_baseurl() . "/" . $_POST['return'] );
return; // NOTREACHED
} \ No newline at end of file
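Review bot: Re-enabling `goaway($a->get_baseurl() . "/" . $_POST['return'] );` redirects to a path taken verbatim from the request with no validation, and raises a notice when `return` is absent. Normalise it to a relative in-site path first, e.g. `$return = (isset($_POST['return']) ? ltrim($_POST['return'], '/') : '');` followed by `goaway($a->get_baseurl() . '/' . $return);`, and reject values containing `:` or `..` so the target cannot be steered away from the intended location. item_post starts before the hunk.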
diff --git a/mod/network.php b/mod/network.php
index 3ccd8be48..51b528832 100644
--- a/mod/network.php
+++ b/mod/network.php
@@ -40,7 +40,7 @@ function network_content(&$a) {
$r = q("SELECT COUNT(*) AS `total`
FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id`
WHERE `item`.`uid` = %d AND `item`.`visible` = 1 AND `item`.`deleted` = 0
- AND `contact`.`blocked` = 0
+ AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
$sql_extra ",
intval($_SESSION['uid'])
);
@@ -54,7 +54,7 @@ function network_content(&$a) {
`contact`.`id` AS `cid`, `contact`.`uid` AS `contact-uid`
FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id`
WHERE `item`.`uid` = %d AND `item`.`visible` = 1 AND `item`.`deleted` = 0
- AND `contact`.`blocked` = 0
+ AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
$sql_extra
ORDER BY `parent` DESC, `created` ASC LIMIT %d ,%d ",
intval($_SESSION['uid']),
diff --git a/mod/profile.php b/mod/profile.php
index 7a3858ba2..5cd13d596 100644
--- a/mod/profile.php
+++ b/mod/profile.php
@@ -155,7 +155,7 @@ function profile_content(&$a) {
$r = q("SELECT COUNT(*) AS `total`
FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id`
WHERE `item`.`uid` = %d AND `item`.`visible` = 1 AND `item`.`deleted` = 0
- AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0
+ AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
$sql_extra ",
intval($a->profile['uid'])
@@ -171,7 +171,7 @@ function profile_content(&$a) {
`contact`.`id` AS `cid`, `contact`.`uid` AS `contact-uid`
FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id`
WHERE `item`.`uid` = %d AND `item`.`visible` = 1 AND `item`.`deleted` = 0
- AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0
+ AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
$sql_extra
ORDER BY `parent` DESC, `id` ASC LIMIT %d ,%d ",
intval($a->profile['uid']),
diff --git a/mod/register.php b/mod/register.php
index 2e5d02273..53ead682f 100644
--- a/mod/register.php
+++ b/mod/register.php
@@ -123,9 +123,9 @@ function register_post(&$a) {
intval($newuid));
return;
}
- $r = q("INSERT INTO `contact` ( `uid`, `created`, `self`, `name`, `photo`, `thumb`, `blocked`, `url`,
+ $r = q("INSERT INTO `contact` ( `uid`, `created`, `self`, `name`, `photo`, `thumb`, `blocked`, `pending`, `url`,
`request`, `notify`, `poll`, `confirm` )
- VALUES ( %d, '%s', 1, '%s', '%s', '%s', 0, '%s', '%s', '%s', '%s', '%s' ) ",
+ VALUES ( %d, '%s', 1, '%s', '%s', '%s', 0, 0, '%s', '%s', '%s', '%s', '%s' ) ",
intval($newuid),
datetime_convert(),
dbesc($username),
diff --git a/view/acl_selectors.php b/view/acl_selectors.php
index e3ee8c879..09ce24d0e 100644
--- a/view/acl_selectors.php
+++ b/view/acl_selectors.php
@@ -36,7 +36,9 @@ function contact_select($selname,$selclass,$preselected = false,$size = 4) {
$o .= "<select name=\"{$selname}[]\" class=\"$selclass\" multiple=\"multiple\" size=\"$size\" />\r\n";
- $r = q("SELECT `id`, `name` FROM `contact` WHERE `uid` = %d AND `self` = 0 AND `blocked` = 0 ORDER BY `name` ASC ",
+ $r = q("SELECT `id`, `name` FROM `contact`
+ WHERE `uid` = %d AND `self` = 0 AND `blocked` = 0 AND `pending` = 0
+ ORDER BY `name` ASC ",
$_SESSION['uid']
);
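Review bot: The rewritten query passes `$_SESSION['uid']` to `q()` without `intval()`, unlike the equivalent call sites in security.php, contacts.php and network.php in this same commit; `%d` coerces the value, but normalising at the call site keeps the convention uniform: `intval($_SESSION['uid'])`. On the context line above, `<select ... />` is written as a self-closing tag, which is not valid markup for an element that is presumably closed later in the function. contact_select continues past the hunk.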