authorSimon L'nu <simon.lnu@gmail.com>2012-05-31 23:22:19 -0400
committerSimon L'nu <simon.lnu@gmail.com>2012-05-31 23:22:19 -0400
commitb1dacd6d838ecf75fe828279e57c2e7a866be22f (patch)
tree46b41c1f463ab90588f109105c95e85dad8fd432 /mod
parent04119d31e51c749cfa81b9a8ac5f52005d71f8c4 (diff)
parent93bc29a711637c84a4ffc380078277de89af4e6d (diff)
Merge branch 'master', remote-tracking branch 'remotes/upstream/master'
* remotes/upstream/master: turn registration code into a standalone function for re-use query using both `id` and `parent` prevent email from leaking in feeds y didn't i think of this b4? some zero theming on settings page missing delimiter transition to beta for private forums rev update Friendicaland - you can't 'live' on a demo server. Create a "potential default group" called "Friends" on registration. fix private photos that also have a size specification private group tests, cont. hide private group if desired prvgroup should see intros private group fix possible sql injection in search bugfixes: private photo embeds and search for strings with % * master:
Diffstat (limited to 'mod')
-rw-r--r--mod/acl.php2
-rw-r--r--mod/dfrn_confirm.php9
-rw-r--r--mod/dfrn_notify.php10
-rw-r--r--mod/dfrn_request.php16
-rw-r--r--mod/item.php37
-rw-r--r--mod/network.php4
-rw-r--r--mod/register.php328
-rw-r--r--mod/search.php9
-rw-r--r--mod/settings.php18
9 files changed, 90 insertions, 343 deletions
diff --git a/mod/acl.php b/mod/acl.php
index 168b1f59f..1e8898ab6 100644
--- a/mod/acl.php
+++ b/mod/acl.php
@@ -135,7 +135,7 @@ function acl_init(&$a){
foreach($r as $g) {
$x['photos'][] = $g['micro'];
$x['links'][] = $g['url'];
- $x['suggestions'][] = $g['name']; // sprintf( t('%s [%s]'),$g['name'],$g['url']);
+ $x['suggestions'][] = $g['name'];
$x['data'][] = intval($g['id']);
}
}
diff --git a/mod/dfrn_confirm.php b/mod/dfrn_confirm.php
index 564ae5ca2..76b99cbca 100644
--- a/mod/dfrn_confirm.php
+++ b/mod/dfrn_confirm.php
@@ -202,6 +202,8 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
if($user[0]['page-flags'] == PAGE_COMMUNITY)
$params['page'] = 1;
+ if($user[0]['page-flags'] == PAGE_PRVGROUP)
+ $params['page'] = 2;
logger('dfrn_confirm: Confirm: posting data to ' . $dfrn_confirm . ': ' . print_r($params,true), LOGGER_DATA);
@@ -537,6 +539,9 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
$page = ((x($_POST,'page')) ? intval($_POST['page']) : 0 );
$version_id = ((x($_POST,'dfrn_version')) ? (float) $_POST['dfrn_version'] : 2.0);
+ $forum = (($page == 1) ? 1 : 0);
+ $prv = (($page == 2) ? 1 : 0);
+
logger('dfrn_confirm: requestee contacted: ' . $node);
logger('dfrn_confirm: request: POST=' . print_r($_POST,true), LOGGER_DATA);
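Review bot: The wire values 1 and 2 for `page` are bare literals in `$forum = (($page == 1) ? 1 : 0);` and `$prv = (($page == 2) ? 1 : 0);`, and the same two lines are repeated in dfrn_notify_post in mod/dfrn_notify.php, while the sending side earlier in this function derives them from PAGE_COMMUNITY and PAGE_PRVGROUP. A one-line comment above both copies, such as `// page: 1 = community forum, 2 = private forum (prv); any other value is a normal contact`, would keep the three places in step. Any other value posted by the remote site silently clears both flags, which looks intended but is worth stating. dfrn_confirm_post's body continues outside the hunk.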
@@ -691,6 +696,7 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
`pending` = 0,
`duplex` = %d,
`forum` = %d,
+ `prv` = %d,
`network` = '%s' WHERE `id` = %d LIMIT 1
",
dbesc($photos[0]),
@@ -701,7 +707,8 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
dbesc(datetime_convert()),
dbesc(datetime_convert()),
intval($duplex),
- intval($page),
+ intval($forum),
+ intval($prv),
dbesc(NETWORK_DFRN),
intval($dfrn_record)
);
diff --git a/mod/dfrn_notify.php b/mod/dfrn_notify.php
index 65d39d5fe..e55da5572 100644
--- a/mod/dfrn_notify.php
+++ b/mod/dfrn_notify.php
@@ -17,6 +17,9 @@ function dfrn_notify_post(&$a) {
$ssl_policy = ((x($_POST,'ssl_policy')) ? notags(trim($_POST['ssl_policy'])): 'none');
$page = ((x($_POST,'page')) ? intval($_POST['page']) : 0);
+ $forum = (($page == 1) ? 1 : 0);
+ $prv = (($page == 2) ? 1 : 0);
+
$writable = (-1);
if($dfrn_version >= 2.21) {
$writable = (($perm === 'rw') ? 1 : 0);
@@ -88,10 +91,11 @@ function dfrn_notify_post(&$a) {
$importer = $r[0];
- if((($writable != (-1)) && ($writable != $importer['writable'])) || ($importer['forum'] != $page)) {
- q("UPDATE `contact` SET `writable` = %d, forum = %d WHERE `id` = %d LIMIT 1",
+ if((($writable != (-1)) && ($writable != $importer['writable'])) || ($importer['forum'] != $forum) || ($importer['prv'] != $prv)) {
+ q("UPDATE `contact` SET `writable` = %d, forum = %d, prv = %d WHERE `id` = %d LIMIT 1",
intval(($writable == (-1)) ? $importer['writable'] : $writable),
- intval($page),
+ intval($forum),
+ intval($prv),
intval($importer['id'])
);
if($writable != (-1))
diff --git a/mod/dfrn_request.php b/mod/dfrn_request.php
index b809929d7..896fe1792 100644
--- a/mod/dfrn_request.php
+++ b/mod/dfrn_request.php
@@ -68,7 +68,7 @@ function dfrn_request_post(&$a) {
$dfrn_url = notags(trim($_POST['dfrn_url']));
$aes_allow = (((x($_POST,'aes_allow')) && ($_POST['aes_allow'] == 1)) ? 1 : 0);
$confirm_key = ((x($_POST,'confirm_key')) ? $_POST['confirm_key'] : "");
-
+ $hidden = ((x($_POST,'hidden-contact')) ? intval($_POST['hidden-contact']) : 0);
$contact_record = null;
if(x($dfrn_url)) {
@@ -98,8 +98,9 @@ function dfrn_request_post(&$a) {
}
if(is_array($contact_record)) {
- $r = q("UPDATE `contact` SET `ret-aes` = %d WHERE `id` = %d LIMIT 1",
+ $r = q("UPDATE `contact` SET `ret-aes` = %d, hidden = %d WHERE `id` = %d LIMIT 1",
intval($aes_allow),
+ intval($hidden),
intval($contact_record['id'])
);
}
@@ -144,8 +145,8 @@ function dfrn_request_post(&$a) {
*/
$r = q("INSERT INTO `contact` ( `uid`, `created`,`url`, `nurl`, `name`, `nick`, `photo`, `site-pubkey`,
- `request`, `confirm`, `notify`, `poll`, `poco`, `network`, `aes_allow`)
- VALUES ( %d, '%s', '%s', '%s', '%s' , '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d)",
+ `request`, `confirm`, `notify`, `poll`, `poco`, `network`, `aes_allow`, `hidden`)
+ VALUES ( %d, '%s', '%s', '%s', '%s' , '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d)",
intval(local_user()),
datetime_convert(),
dbesc($dfrn_url),
@@ -160,7 +161,8 @@ function dfrn_request_post(&$a) {
$parms['dfrn-poll'],
$parms['dfrn-poco'],
dbesc(NETWORK_DFRN),
- intval($aes_allow)
+ intval($aes_allow),
+ intval($hidden)
);
}
@@ -649,6 +651,8 @@ function dfrn_request_content(&$a) {
$o = replace_macros($tpl,array(
'$dfrn_url' => $dfrn_url,
'$aes_allow' => (($aes_allow) ? '<input type="hidden" name="aes_allow" value="1" />' : "" ),
+ '$hidethem' => t('Hide this contact'),
+ '$hidechecked' => '',
'$confirm_key' => $confirm_key,
'$welcome' => sprintf( t('Welcome home %s.'), $a->user['username']),
'$please' => sprintf( t('Please confirm your introduction/connection request to %s.'), $dfrn_url),
@@ -680,7 +684,7 @@ function dfrn_request_content(&$a) {
$auto_confirm = false;
if(count($r)) {
- if($r[0]['page-flags'] != PAGE_NORMAL)
+ if(($r[0]['page-flags'] != PAGE_NORMAL) && ($r[0]['page-flags'] != PAGE_PRVGROUP))
$auto_confirm = true;
if(! $auto_confirm) {
diff --git a/mod/item.php b/mod/item.php
index df242d6f7..497cf5daa 100644
--- a/mod/item.php
+++ b/mod/item.php
@@ -262,17 +262,17 @@ function item_post(&$a) {
}
}
- if(strlen($categories)) {
- // get the "fileas" tags for this post
- $filedas = file_tag_file_to_list($categories, 'file');
+ if(strlen($categories)) {
+ // get the "fileas" tags for this post
+ $filedas = file_tag_file_to_list($categories, 'file');
}
- // save old and new categories, so we can determine what needs to be deleted from pconfig
- $categories_old = $categories;
- $categories = file_tag_list_to_file(trim($_REQUEST['category']), 'category');
- $categories_new = $categories;
- if(strlen($filedas)) {
- // append the fileas stuff to the new categories list
- $categories .= file_tag_list_to_file($filedas, 'file');
+ // save old and new categories, so we can determine what needs to be deleted from pconfig
+ $categories_old = $categories;
+ $categories = file_tag_list_to_file(trim($_REQUEST['category']), 'category');
+ $categories_new = $categories;
+ if(strlen($filedas)) {
+ // append the fileas stuff to the new categories list
+ $categories .= file_tag_list_to_file($filedas, 'file');
}
// Work around doubled linefeeds in Tinymce 3.5b2
@@ -453,6 +453,7 @@ function item_post(&$a) {
$tagged = array();
+ $private_forum = false;
if(count($tags)) {
foreach($tags as $tag) {
@@ -471,11 +472,22 @@ function item_post(&$a) {
continue;
$success = handle_tag($a, $body, $inform, $str_tags, (local_user()) ? local_user() : $profile_uid , $tag);
- if($success)
+ if($success['replaced'])
$tagged[] = $tag;
+ if(is_array($success['contact']) && intval($success['contact']['prv'])) {
+ $private_forum = true;
+ $private_id = $success['contact']['id'];
+ }
}
}
+ if(($private_forum) && (! $parent) && (! $private)) {
+ // we tagged a private forum in a top level post and the message was public.
+ // Restrict it.
+ $private = 1;
+ $str_contact_allow = '<' . $private_id . '>';
+ }
+
$attachments = '';
$match = false;
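Review bot: When a post tags more than one private forum, only the last one survives, because `$private_id` is overwritten on every pass of the tag loop and `$str_contact_allow` is then assigned a single `<id>`. The restriction is also taken from `$success['contact']` whether or not `$success['replaced']` is set, so a tag that handle_tag did not rewrite can still make the post private to that contact. If last-wins is intended, say so next to the assignment, e.g. `// only one private forum per post is supported; the last one tagged wins`; otherwise collect the ids inside the loop and build the allow list from all of them. item_post's body continues outside the hunk.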
@@ -893,6 +905,7 @@ function item_content(&$a) {
function handle_tag($a, &$body, &$inform, &$str_tags, $profile_uid, $tag) {
$replaced = false;
+ $r = null;
//is it a hash tag?
if(strpos($tag,'#') === 0) {
@@ -1023,5 +1036,5 @@ function handle_tag($a, &$body, &$inform, &$str_tags, $profile_uid, $tag) {
}
}
- return $replaced;
+ return array('replaced' => $replaced, 'contact' => $r[0]);
}
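Review bot: `$r[0]` is read without checking that `$r` holds a row: for hash tags `$r` stays null, and a contact lookup that matched nothing would presumably leave an empty array and raise an undefined-offset notice. The value returned is also whichever query result was assigned to `$r` last inside the function, which is not visible in this hunk. Returning `'contact' => ((is_array($r) && count($r)) ? $r[0] : null)` makes the no-contact case explicit for the `is_array($success['contact'])` test in item_post. Since the return type changed from a boolean to an array, a short docblock on handle_tag describing the `replaced` and `contact` keys would help callers.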
diff --git a/mod/network.php b/mod/network.php
index a94272a42..7c4c1ac04 100644
--- a/mod/network.php
+++ b/mod/network.php
@@ -437,8 +437,8 @@ function network_content(&$a, $update = 0) {
else
$sql_extra .= sprintf(" AND `item`.`parent` IN (SELECT distinct(`parent`) from item where ( `author-link` like '%s' or `tag` like '%s' or tag like '%s' )) ",
dbesc(protect_sprintf('%' . $myurl)),
- dbesc(protect_sprintf('%' . $myurl . '\\]%')),
- dbesc(protect_sprintf('%' . $diasp_url . '\\]%'))
+ dbesc(protect_sprintf('%' . $myurl . ']%')),
+ dbesc(protect_sprintf('%' . $diasp_url . ']%'))
);
}
diff --git a/mod/register.php b/mod/register.php
index 58bba8533..b162f62be 100644
--- a/mod/register.php
+++ b/mod/register.php
@@ -43,326 +43,44 @@ function register_post(&$a) {
break;
}
- $using_invites = get_config('system','invitation_only');
- $num_invites = get_config('system','number_invites');
-
-
- $invite_id = ((x($_POST,'invite_id')) ? notags(trim($_POST['invite_id'])) : '');
- $username = ((x($_POST,'username')) ? notags(trim($_POST['username'])) : '');
- $nickname = ((x($_POST,'nickname')) ? notags(trim($_POST['nickname'])) : '');
- $email = ((x($_POST,'email')) ? notags(trim($_POST['email'])) : '');
- $openid_url = ((x($_POST,'openid_url')) ? notags(trim($_POST['openid_url'])) : '');
- $photo = ((x($_POST,'photo')) ? notags(trim($_POST['photo'])) : '');
- $publish = ((x($_POST,'profile_publish_reg') && intval($_POST['profile_publish_reg'])) ? 1 : 0);
-
- $netpublish = ((strlen(get_config('system','directory_submit_url'))) ? $publish : 0);
-
- $tmp_str = $openid_url;
-
- if($using_invites) {
- if(! $invite_id) {
- notice( t('An invitation is required.') . EOL);
- return;
- }
- $r = q("select * from register where `hash` = '%s' limit 1", dbesc($invite_id));
- if(! results($r)) {
- notice( t('Invitation could not be verified.') . EOL);
- return;
- }
- }
-
- if((! x($username)) || (! x($email)) || (! x($nickname))) {
- if($openid_url) {
- if(! validate_url($tmp_str)) {
- notice( t('Invalid OpenID url') . EOL);
- return;
- }
- $_SESSION['register'] = 1;
- $_SESSION['openid'] = $openid_url;
- require_once('library/openid.php');
- $openid = new LightOpenID;
- $openid->identity = $openid_url;
- $openid->returnUrl = $a->get_baseurl() . '/openid';
- $openid->required = array('namePerson/friendly', 'contact/email', 'namePerson');
- $openid->optional = array('namePerson/first','media/image/aspect11','media/image/default');
- goaway($openid->authUrl());
- // NOTREACHED
- }
-
- notice( t('Please enter the required information.') . EOL );
- return;
- }
-
- if(! validate_url($tmp_str))
- $openid_url = '';
-
-
- $err = '';
-
- // collapse multiple spaces in name
- $username = preg_replace('/ +/',' ',$username);
-
- if(mb_strlen($username) > 48)
- $err .= t('Please use a shorter name.') . EOL;
- if(mb_strlen($username) < 3)
- $err .= t('Name too short.') . EOL;
-
- // I don't really like having this rule, but it cuts down
- // on the number of auto-registrations by Russian spammers
-
- // Using preg_match was completely unreliable, due to mixed UTF-8 regex support
- // $no_utf = get_config('system','no_utf');
- // $pat = (($no_utf) ? '/^[a-zA-Z]* [a-zA-Z]*$/' : '/^\p{L}* \p{L}*$/u' );
+ require_once('include/user.php');
- // So now we are just looking for a space in the full name.
-
- $loose_reg = get_config('system','no_regfullname');
- if(! $loose_reg) {
- $username = mb_convert_case($username,MB_CASE_TITLE,'UTF-8');
- if(! strpos($username,' '))
- $err .= t("That doesn't appear to be your full \x28First Last\x29 name.") . EOL;
- }
-
-
- if(! allowed_email($email))
- $err .= t('Your email domain is not among those allowed on this site.') . EOL;
-
- if((! valid_email($email)) || (! validate_email($email)))
- $err .= t('Not a valid email address.') . EOL;
-
- // Disallow somebody creating an account using openid that uses the admin email address,
- // since openid bypasses email verification. We'll allow it if there is not yet an admin account.
-
- if((x($a->config,'admin_email')) && (strcasecmp($email,$a->config['admin_email']) == 0) && strlen($openid_url)) {
- $r = q("SELECT * FROM `user` WHERE `email` = '%s' LIMIT 1",
- dbesc($email)
- );
- if(count($r))
- $err .= t('Cannot use that email.') . EOL;
- }
+ $result = create_user($_POST);
- $nickname = $_POST['nickname'] = strtolower($nickname);
-
- if(! preg_match("/^[a-z][a-z0-9\-\_]*$/",$nickname))
- $err .= t('Your "nickname" can only contain "a-z", "0-9", "-", and "_", and must also begin with a letter.') . EOL;
- $r = q("SELECT `uid` FROM `user`
- WHERE `nickname` = '%s' LIMIT 1",
- dbesc($nickname)
- );
- if(count($r))
- $err .= t('Nickname is already registered. Please choose another.') . EOL;
-
- // Check deleted accounts that had this nickname. Doesn't matter to us,
- // but could be a security issue for federated platforms.
-
- $r = q("SELECT * FROM `userd`
- WHERE `username` = '%s' LIMIT 1",
- dbesc($nickname)
- );
- if(count($r))
- $err .= t('Nickname was once registered here and may not be re-used. Please choose another.') . EOL;
-
- if(strlen($err)) {
- notice( $err );
+ if(! $result['success']) {
+ notice($result['message']);
return;
}
-
- $new_password = autoname(6) . mt_rand(100,9999);
- $new_password_encoded = hash('whirlpool',$new_password);
-
- require_once('include/crypto.php');
-
- $result = new_keypair(1024);
-
- if($result === false) {
- notice( t('SERIOUS ERROR: Generation of security keys failed.') . EOL);
- return;
- }
-
- $prvkey = $result['prvkey'];
- $pubkey = $result['pubkey'];
-
- /**
- *
- * Create another keypair for signing/verifying
- * salmon protocol messages. We have to use a slightly
- * less robust key because this won't be using openssl
- * but the phpseclib. Since it is PHP interpreted code
- * it is not nearly as efficient, and the larger keys
- * will take several minutes each to process.
- *
- */
-
- $sres = new_keypair(512);
- $sprvkey = $sres['prvkey'];
- $spubkey = $sres['pubkey'];
-
- $r = q("INSERT INTO `user` ( `guid`, `username`, `password`, `email`, `openid`, `nickname`,
- `pubkey`, `prvkey`, `spubkey`, `sprvkey`, `register_date`, `verified`, `blocked`, `timezone` )
- VALUES ( '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d, 'UTC' )",
- dbesc(generate_user_guid()),
- dbesc($username),
- dbesc($new_password_encoded),
- dbesc($email),
- dbesc($openid_url),
- dbesc($nickname),
- dbesc($pubkey),
- dbesc($prvkey),
- dbesc($spubkey),
- dbesc($sprvkey),
- dbesc(datetime_convert()),
- intval($verified),
- intval($blocked)
- );
-
- if($r) {
- $r = q("SELECT `uid` FROM `user`
- WHERE `username` = '%s' AND `password` = '%s' LIMIT 1",
- dbesc($username),
- dbesc($new_password_encoded)
- );
- if($r !== false && count($r))
- $newuid = intval($r[0]['uid']);
- }
- else {
- notice( t('An error occurred during registration. Please try again.') . EOL );
- return;
- }
-
- /**
- * if somebody clicked submit twice very quickly, they could end up with two accounts
- * due to race condition. Remove this one.
- */
-
- $r = q("SELECT `uid` FROM `user`
- WHERE `nickname` = '%s' ",
- dbesc($nickname)
- );
- if((count($r) > 1) && $newuid) {
- $err .= t('Nickname is already registered. Please choose another.') . EOL;
- q("DELETE FROM `user` WHERE `uid` = %d LIMIT 1",
- intval($newuid)
- );
- notice ($err);
- return;
- }
-
- if(x($newuid) !== false) {
- $r = q("INSERT INTO `profile` ( `uid`, `profile-name`, `is-default`, `name`, `photo`, `thumb`, `publish`, `net-publish` )
- VALUES ( %d, '%s', %d, '%s', '%s', '%s', %d, %d ) ",
- intval($newuid),
- 'default',
- 1,
- dbesc($username),
- dbesc($a->get_baseurl() . "/photo/profile/{$newuid}.jpg"),
- dbesc($a->get_baseurl() . "/photo/avatar/{$newuid}.jpg"),
- intval($publish),
- intval($netpublish)
-
- );
- if($r === false) {
- notice( t('An error occurred creating your default profile. Please try again.') . EOL );
- // Start fresh next time.
- $r = q("DELETE FROM `user` WHERE `uid` = %d",
- intval($newuid));
- return;
- }
- $r = q("INSERT INTO `contact` ( `uid`, `created`, `self`, `name`, `nick`, `photo`, `thumb`, `micro`, `blocked`, `pending`, `url`, `nurl`,
- `request`, `notify`, `poll`, `confirm`, `poco`, `name-date`, `uri-date`, `avatar-date`, `closeness` )
- VALUES ( %d, '%s', 1, '%s', '%s', '%s', '%s', '%s', 0, 0, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', 0 ) ",
- intval($newuid),
- datetime_convert(),
- dbesc($username),
- dbesc($nickname),
- dbesc($a->get_baseurl() . "/photo/profile/{$newuid}.jpg"),
- dbesc($a->get_baseurl() . "/photo/avatar/{$newuid}.jpg"),
- dbesc($a->get_baseurl() . "/photo/micro/{$newuid}.jpg"),
- dbesc($a->get_baseurl() . "/profile/$nickname"),
- dbesc(normalise_link($a->get_baseurl() . "/profile/$nickname")),
- dbesc($a->get_baseurl() . "/dfrn_request/$nickname"),
- dbesc($a->get_baseurl() . "/dfrn_notify/$nickname"),
- dbesc($a->get_baseurl() . "/dfrn_poll/$nickname"),
- dbesc($a->get_baseurl() . "/dfrn_confirm/$nickname"),
- dbesc($a->get_baseurl() . "/poco/$nickname"),
- dbesc(datetime_convert()),
- dbesc(datetime_convert()),
- dbesc(datetime_convert())
- );
-
-
- }
-
- // if we have no OpenID photo try to look up an avatar
- if(! strlen($photo))
- $photo = avatar_img($email);
-
- // unless there is no avatar-plugin loaded
- if(strlen($photo)) {
- require_once('include/Photo.php');
- $photo_failure = false;
-
- $filename = basename($photo);
- $img_str = fetch_url($photo,true);
- $img = new Photo($img_str);
- if($img->is_valid()) {
-
- $img->scaleImageSquare(175);
-
- $hash = photo_new_resource();
-
- $r = $img->store($newuid, 0, $hash, $filename, t('Profile Photos'), 4 );
-
- if($r === false)
- $photo_failure = true;
-
- $img->scaleImage(80);
-
- $r = $img->store($newuid, 0, $hash, $filename, t('Profile Photos'), 5 );
-
- if($r === false)
- $photo_failure = true;
-
- $img->scaleImage(48);
-
- $r = $img->store($newuid, 0, $hash, $filename, t('Profile Photos'), 6 );
-
- if($r === false)
- $photo_failure = true;
-
- if(! $photo_failure) {
- q("UPDATE `photo` SET `profile` = 1 WHERE `resource-id` = '%s' ",
- dbesc($hash)
- );
- }
- }
- }
-
+ $user = $result['user'];
+
if($netpublish && $a->config['register_policy'] != REGISTER_APPROVE) {
- $url = $a->get_baseurl() . "/profile/$nickname";
+ $url = $a->get_baseurl() . '/profile/' . $user['nickname'];
proc_run('php',"include/directory.php","$url");
}
+ $using_invites = get_config('system','invitation_only');
+ $num_invites = get_config('system','number_invites');
+ $invite_id = ((x($_POST,'invite_id')) ? notags(trim($_POST['invite_id'])) : '');
- call_hooks('register_account', $newuid);
if( $a->config['register_policy'] == REGISTER_OPEN ) {
if($using_invites && $invite_id) {
q("delete * from register where hash = '%s' limit 1", dbesc($invite_id));
- set_pconfig($newuid,'system','invites_remaining',$num_invites);
+ set_pconfig($user['uid'],'system','invites_remaining',$num_invites);
}
$email_tpl = get_intltext_template("register_open_eml.tpl");
$email_tpl = replace_macros($email_tpl, array(
'$sitename' => $a->config['sitename'],
'$siteurl' => $a->get_baseurl(),
- '$username' => $username,
- '$email' => $email,
- '$password' => $new_password,
- '$uid' => $newuid ));
+ '$username' => $user['username'],
+ '$email' => $user['email'],
+ '$password' => $result['password'],
+ '$uid' => $user['uid'] ));
- $res = mail($email, sprintf(t('Registration details for %s'), $a->config['sitename']),
+ $res = mail($user['email'], sprintf(t('Registration details for %s'), $a->config['sitename']),
$email_tpl,
'From: ' . t('Administrator') . '@' . $_SERVER['SERVER_NAME'] . "\n"
. 'Content-type: text/plain; charset=UTF-8' . "\n"
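Review bot: `$netpublish` is still tested in `if($netpublish && $a->config['register_policy'] != REGISTER_APPROVE)`, but this hunk removes the only visible assignment to it (and to `$publish`), so unless it is set above the hunk the directory submission through proc_run never happens. Either restore `$publish = ((x($_POST,'profile_publish_reg') && intval($_POST['profile_publish_reg'])) ? 1 : 0);` and `$netpublish = ((strlen(get_config('system','directory_submit_url'))) ? $publish : 0);` before the test, or have create_user return the value. Separately, the unchanged `q("delete * from register where hash = '%s' limit 1", dbesc($invite_id));` here and in the later hunk of this file is not valid MySQL DELETE syntax, so a used invitation hash is probably never removed and can be presented again; it should read `delete from register where hash = '%s' limit 1`. register_post's body continues outside the hunk.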
@@ -387,8 +105,8 @@ function register_post(&$a) {
$r = q("INSERT INTO `register` ( `hash`, `created`, `uid`, `password`, `language` ) VALUES ( '%s', '%s', %d, '%s', '%s' ) ",
dbesc($hash),
dbesc(datetime_convert()),
- intval($newuid),
- dbesc($new_password),
+ intval($user['uid']),
+ dbesc($result['password']),
dbesc($lang)
);
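Review bot: The `register` row still receives the cleartext password: `dbesc($result['password'])` is the same value handed to the mail templates as `$password`, and the line it replaces used `$new_password` rather than the whirlpool hash. Anyone who can read the `register` table or a database backup sees a working credential for each account that has such a row. If the value is only needed to mail the user later (presumably on approval, which is outside this hunk), consider generating the password at that point instead of persisting it. At minimum add a comment on the insert, e.g. `// NOTE: cleartext password, kept only for the follow-up e-mail; the row must be deleted once handled`. The enclosing block starts and ends outside the hunk.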
@@ -402,17 +120,17 @@ function register_post(&$a) {
if($using_invites && $invite_id) {
q("delete * from register where hash = '%s' limit 1", dbesc($invite_id));
- set_pconfig($newuid,'system','invites_remaining',$num_invites);
+ set_pconfig($user['uid'],'system','invites_remaining',$num_invites);
}
$email_tpl = get_intltext_template("register_verify_eml.tpl");
$email_tpl = replace_macros($email_tpl, array(
'$sitename' => $a->config['sitename'],
'$siteurl' => $a->get_baseurl(),
- '$username' => $username,
- '$email' => $email,
- '$password' => $new_password,
- '$uid' => $newuid,
+ '$username' => $user['username'],
+ '$email' => $user['email'],
+ '$password' => $result['password'],
+ '$uid' => $user['uid'],
'$hash' => $hash
));
diff --git a/mod/search.php b/mod/search.php
index d4cd9d967..466ffc4c3 100644
--- a/mod/search.php
+++ b/mod/search.php
@@ -110,18 +110,19 @@ function search_content(&$a) {
if (get_config('system','use_fulltext_engine')) {
if($tag)
- $sql_extra = sprintf(" AND MATCH (`item`.`tag`) AGAINST ('".'"%s"'."' in boolean mode) ", '#'.preg_quote($search));
+ $sql_extra = sprintf(" AND MATCH (`item`.`tag`) AGAINST ('".'"%s"'."' in boolean mode) ", '#'.dbesc(protect_sprintf($search)));
else
- $sql_extra = sprintf(" AND MATCH (`item`.`body`) AGAINST ('".'"%s"'."' in boolean mode) ", dbesc(preg_quote($search)));
+ $sql_extra = sprintf(" AND MATCH (`item`.`body`) AGAINST ('".'"%s"'."' in boolean mode) ", dbesc(protect_sprintf($search)));
} else {
if($tag)
- $sql_extra = sprintf(" AND `item`.`tag` REGEXP '%s' ", dbesc('\\]' . preg_quote($search) . '\\['));
+ $sql_extra = sprintf(" AND `item`.`tag` REGEXP '%s' ", dbesc('\\]' . protect_sprintf(preg_quote($search)) . '\\['));
else
- $sql_extra = sprintf(" AND `item`.`body` REGEXP '%s' ", dbesc(preg_quote($search)));
+ $sql_extra = sprintf(" AND `item`.`body` REGEXP '%s' ", dbesc(protect_sprintf(preg_quote($search))));
}
+
// Here is the way permissions work in the search module...
// Only public posts can be shown
// OR your own posts if you are a logged in member
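Review bot: Nothing in the hunk says why each value now passes through both `protect_sprintf()` and `dbesc()`, and the four branches apply them in slightly different shapes (`'#'.dbesc(...)` in the first, `dbesc('\\]' . ... . '\\[')` in the third). Since this is the injection fix, a comment above the block would keep later edits from dropping a layer, e.g. `// $search is user input: dbesc() for the SQL literal, protect_sprintf() because $sql_extra is later passed through sprintf by q()`; the second half of that comment is an assumption about code outside the hunk and should be confirmed. In the two REGEXP branches `preg_quote()` escapes for PCRE rather than for MySQL's regex dialect, which deserves a word in the same comment. search_content's body continues outside the hunk.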
diff --git a/mod/settings.php b/mod/settings.php
index b5214e917..92593d7a8 100644
--- a/mod/settings.php
+++ b/mod/settings.php
@@ -445,7 +445,7 @@ function settings_post(&$a) {
if($page_flags == PAGE_PRVGROUP) {
$hidewall = 1;
- if((! str_contact_allow) && (! str_group_allow) && (! str_contact_deny) && (! $str_group_deny)) {
+ if((! $str_contact_allow) && (! $str_group_allow) && (! $str_contact_deny) && (! $str_group_deny)) {
if($def_gid) {
info( t('Private forum has no privacy permissions. Using default privacy group.'). EOL);
$str_group_allow = '<' . $def_gid . '>';
@@ -837,27 +837,26 @@ function settings_content(&$a) {
$pageset_tpl = get_markup_template('pagetypes.tpl');
$pagetype = replace_macros($pageset_tpl,array(
- '$page_normal' => array('page-flags', t('Normal Account'), PAGE_NORMAL,
+ '$page_normal' => array('page-flags', t('Normal Account Page'), PAGE_NORMAL,
t('This account is a normal personal profile'),
($a->user['page-flags'] == PAGE_NORMAL)),
- '$page_soapbox' => array('page-flags', t('Soapbox Account'), PAGE_SOAPBOX,
+ '$page_soapbox' => array('page-flags', t('Soapbox Page'), PAGE_SOAPBOX,
t('Automatically approve all connection/friend requests as read-only fans'),
($a->user['page-flags'] == PAGE_SOAPBOX)),
- '$page_community' => array('page-flags', t('Community/Celebrity Account'), PAGE_COMMUNITY,
+ '$page_community' => array('page-flags', t('Community Forum/Celebrity Account'), PAGE_COMMUNITY,
t('Automatically approve all connection/friend requests as read-write fans'),
($a->user['page-flags'] == PAGE_COMMUNITY)),
- '$page_freelove' => array('page-flags', t('Automatic Friend Account'), PAGE_FREELOVE,
+ '$page_freelove' => array('page-flags', t('Automatic Friend Page'), PAGE_FREELOVE,
t('Automatically approve all connection/friend requests as friends'),
($a->user['page-flags'] == PAGE_FREELOVE)),
- '$page_prvgroup' => array('page-flags', t('Private Forum'), PAGE_PRVGROUP,
- t('Private forum - approved members only [Experimental]'),
+ '$page_prvgroup' => array('page-flags', t('Private Forum [Experimental]'), PAGE_PRVGROUP,
+ t('Private forum - approved members only'),
($a->user['page-flags'] == PAGE_PRVGROUP)),
- '$experimental' => ( (intval(get_config('system','prvgroup_testing'))) ? 'true' : ''),
));
@@ -1026,7 +1025,8 @@ function settings_content(&$a) {
'$notify7' => array('notify7', t('You are tagged in a post'), ($notify & NOTIFY_TAGSELF), NOTIFY_TAGSELF, ''),
- '$h_advn' => t('Advanced Page Settings'),
+ '$h_advn' => t('Advanced Account/Page Type Settings'),
+ '$h_descadvn' => t('Change the behaviour of this account for special situations'),
'$pagetype' => $pagetype,