aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
Diffstat (limited to 'include')
-rw-r--r--include/import.php13
-rw-r--r--include/text.php28
2 files changed, 28 insertions, 13 deletions
diff --git a/include/import.php b/include/import.php
index ae6a0ab6a..91a26b23b 100644
--- a/include/import.php
+++ b/include/import.php
@@ -1326,20 +1326,23 @@ function sync_files($channel, $files) {
);
if($exists) {
- if(! dbesc_array($p))
- continue;
$str = '';
foreach($p as $k => $v) {
+ $matches = false;
+ if(preg_match('/([^a-zA-Z0-9\-\_\.])/',$k,$matches)) {
+ continue;
+ }
+
if($str)
$str .= ",";
-
- $str .= " " . TQUOT . $k . TQUOT . " = '" . $v . "' ";
+
+ $str .= " " . TQUOT . $k . TQUOT . " = '" . (($k === 'content') ? dbescbin($v) : dbesc($v)) . "' ";
}
$r = dbq("update photo set " . $str . " where id = " . intval($exists[0]['id']) );
}
else {
- create_table_from_array('photo',$p);
+ create_table_from_array('photo',$p, [ 'content' ] );
}
}
}
diff --git a/include/text.php b/include/text.php
index 4a84c09f8..a8c28d7bd 100644
--- a/include/text.php
+++ b/include/text.php
@@ -3186,21 +3186,33 @@ function array2XML($obj, $array) {
*
* @param string $table
* @param array $arr
+ * @param array $binary_fields - fields which will be cleansed with dbescbin rather than dbesc; this is critical for postgres
* @return boolean|PDOStatement
*/
-function create_table_from_array($table, $arr) {
+function create_table_from_array($table, $arr, $binary_fields = []) {
if(! ($arr && $table))
return false;
- if(dbesc_array($arr)) {
- $r = dbq("INSERT INTO " . TQUOT . $table . TQUOT . " (" . TQUOT
- . implode(TQUOT . ', ' . TQUOT, array_keys($arr))
- . TQUOT . ") VALUES ('"
- . implode("', '", array_values($arr))
- . "')"
- );
+ $clean = [];
+ foreach($arr as $k => $v) {
+ $matches = false;
+ if(preg_match('/([^a-zA-Z0-9\-\_\.])/',$k,$matches)) {
+ return false;
+ }
+ if(in_array($k,$binary_fields)) {
+ $clean[$k] = dbescbin($v);
+ }
+ else {
+ $clean[$k] = dbesc($v);
+ }
}
+ $r = dbq("INSERT INTO " . TQUOT . $table . TQUOT . " (" . TQUOT
+ . implode(TQUOT . ', ' . TQUOT, array_keys($clean))
+ . TQUOT . ") VALUES ('"
+ . implode("', '", array_values($clean))
+ . "')"
+ );
return $r;
}