Diffstat (limited to 'include')
-rwxr-xr-xinclude/dba/dba_driver.php13
-rw-r--r--include/import.php6
-rwxr-xr-xinclude/items.php5
-rw-r--r--include/text.php9
4 files changed, 26 insertions, 7 deletions
diff --git a/include/dba/dba_driver.php b/include/dba/dba_driver.php
index 36353354c..34597bec4 100755
--- a/include/dba/dba_driver.php
+++ b/include/dba/dba_driver.php
@@ -391,9 +391,22 @@ function dbesc_array_cb(&$item, $key) {
function dbesc_array(&$arr) {
+ $bogus_key = false;
if(is_array($arr) && count($arr)) {
+ $matches = false;
+ foreach($arr as $k => $v) {
+ if(preg_match('/([^a-zA-Z0-9\-\_\.])/',$k,$matches)) {
+ logger('bogus key: ' . $k);
+ $bogus_key = true;
+ }
+ }
array_walk($arr,'dbesc_array_cb');
+ if($bogus_key) {
+ $arr['BOGUS.KEY'] = 1;
+ return false;
+ }
}
+ return true;
}
function db_getfunc($f) {
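Review bot: When a bogus key is found, `dbesc_array` leaves the offending keys in `$arr` and only appends the `BOGUS.KEY` sentinel after them, so a caller that ignores the new return value still builds its statement from the unvalidated column names. Failing closed would be safer: replace `$arr['BOGUS.KEY'] = 1;` with `$arr = [];` so nothing from the rejected array can reach a query; any callers of `dbesc_array` outside this diff would need checking either way. The `logger('bogus key: ' . $k)` line also writes the raw key into the log, and `logger('bogus key: ' . rawurlencode((string) $k));` would keep control characters out of the log file. A non-array or empty `$arr` still returns true, which is worth stating in a docblock on the function.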
diff --git a/include/import.php b/include/import.php
index 4225fe493..d5f6e5c8a 100644
--- a/include/import.php
+++ b/include/import.php
@@ -1026,7 +1026,8 @@ function sync_files($channel,$files) {
if($attach_exists) {
logger('sync_files attach exists: ' . print_r($att,true), LOGGER_DEBUG);
- dbesc_array($att);
+ if(! dbesc_array($att))
+ continue;
$str = '';
foreach($att as $k => $v) {
if($str)
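Review bot: The `continue` after a failed `dbesc_array($att)` drops the synced attach record with no trace at this call site; the only log entry is the generic 'bogus key' line inside `dbesc_array`, which does not say which channel or record was rejected. Consider `if(! dbesc_array($att)) { logger('sync_files: attach record rejected, malformed column name'); continue; }`, and the same for the `dbesc_array($p)` check in the second hunk of this file. The enclosing loop and the statement built from `$k`/`$v` continue outside both hunks, so whether the keys are quoted there cannot be confirmed from this view.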
@@ -1140,7 +1141,8 @@ function sync_files($channel,$files) {
if($exists) {
- dbesc_array($p);
+ if(! dbesc_array($p))
+ continue;
$str = '';
foreach($p as $k => $v) {
if($str)
diff --git a/include/items.php b/include/items.php
index a682fafaa..aaa51fc8b 100755
--- a/include/items.php
+++ b/include/items.php
@@ -2161,7 +2161,10 @@ function item_store_update($arr,$allow_exec = false, $deliver = true) {
}
- dbesc_array($arr);
+ if(! dbesc_array($arr)) {
+ $ret['message'] = 'DB array malformed';
+ return $ret;
+ }
logger('item_store_update: ' . print_r($arr,true), LOGGER_DATA);
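Review bot: The early return relies on `$ret` having been initialised as a failure result earlier in `item_store_update`, which is outside this hunk; if that is not guaranteed on every path, the caller could read the rejected update as something other than an error. A short comment above the check would make the intent explicit, e.g. `// dbesc_array() returns false when a column name has characters outside [a-zA-Z0-9._-]; abort the update`.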
diff --git a/include/text.php b/include/text.php
index f23458db0..fcd5dbc0c 100644
--- a/include/text.php
+++ b/include/text.php
@@ -3035,13 +3035,14 @@ function create_table_from_array($table,$arr) {
if(! ($arr && $table))
return false;
- dbesc_array($arr);
-
- $r = dbq("INSERT INTO " . TQUOT . $table . TQUOT . " (" . TQUOT
+ if(dbesc_array($arr)) {
+ $r = dbq("INSERT INTO " . TQUOT . $table . TQUOT . " (" . TQUOT
. implode(TQUOT . ', ' . TQUOT, array_keys($arr))
. TQUOT . ") VALUES ('"
. implode("', '", array_values($arr))
- . "')" );
+ . "')"
+ );
+ }
return $r;
} \ No newline at end of file
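Review bot: `$r` is never assigned when `dbesc_array($arr)` returns false, so `return $r;` returns an undefined variable (null plus a warning) instead of the `false` the function uses for its other failure path. Initialise it before the check with `$r = false;`, or return early with `if(! dbesc_array($arr)) return false;`. The key check covers column names only; `$table` is still concatenated into the statement between `TQUOT`s, so it is worth confirming that every caller passes a fixed table name. The function starts outside this hunk.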