diff options
Diffstat (limited to 'central/trunk/xmlrpc.php')
-rw-r--r-- | central/trunk/xmlrpc.php | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/central/trunk/xmlrpc.php b/central/trunk/xmlrpc.php index cd0bb06..5ac5868 100644 --- a/central/trunk/xmlrpc.php +++ b/central/trunk/xmlrpc.php | |||
@@ -21,12 +21,12 @@ function deleteItem($username, $verification, $verificationID, $id) | |||
21 | { | 21 | { |
22 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) | 22 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) |
23 | { | 23 | { |
24 | $getitem = "SELECT * FROM inbox WHERE username = \"" . mysql_escape_string($username) . "\" AND itemID = " . $id; | 24 | $getitem = "SELECT * FROM inbox WHERE username = \"" . mysql_real_escape_string($username) . "\" AND itemID = " . $id; |
25 | $getitem2 = mysql_query($getitem); | 25 | $getitem2 = mysql_query($getitem); |
26 | $getitem3 = mysql_fetch_array($getitem2); | 26 | $getitem3 = mysql_fetch_array($getitem2); |
27 | if ($getitem3['id'] == $id) | 27 | if ($getitem3['id'] == $id) |
28 | { | 28 | { |
29 | $delitem = "DELETE FROM inbox WHERE username = \"" . mysql_escape_string($username) . "\" AND itemID = " . $id; | 29 | $delitem = "DELETE FROM inbox WHERE username = \"" . mysql_real_escape_string($username) . "\" AND itemID = " . $id; |
30 | $delitem2 = mysql_query($delitem); | 30 | $delitem2 = mysql_query($delitem); |
31 | 31 | ||
32 | return new xmlrpcresp(new xmlrpcval(0, "int")); | 32 | return new xmlrpcresp(new xmlrpcval(0, "int")); |
@@ -40,7 +40,7 @@ function resendItem($username, $verification, $verificationID, $id) | |||
40 | { | 40 | { |
41 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) | 41 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) |
42 | { | 42 | { |
43 | $getitem = "SELECT * FROM inbox WHERE username = \"" . mysql_escape_string($username) . "\" AND itemID = " . $id; | 43 | $getitem = "SELECT * FROM inbox WHERE username = \"" . mysql_real_escape_string($username) . "\" AND itemID = " . $id; |
44 | $getitem2 = mysql_query($getitem); | 44 | $getitem2 = mysql_query($getitem); |
45 | $getitem3 = mysql_fetch_array($getitem2); | 45 | $getitem3 = mysql_fetch_array($getitem2); |
46 | if ($getitem3['id'] == $id) | 46 | if ($getitem3['id'] == $id) |
@@ -58,7 +58,7 @@ function requestRetained($username, $verification, $veriicationID) | |||
58 | { | 58 | { |
59 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) | 59 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) |
60 | { | 60 | { |
61 | $getitems = "SELECT * FROM inbox WHERE username = \"" . mysql_escape_string($username) . "\""; | 61 | $getitems = "SELECT * FROM inbox WHERE username = \"" . mysql_real_escape_string($username) . "\""; |
62 | $getitems2 = mysql_query($getitems); | 62 | $getitems2 = mysql_query($getitems); |
63 | $i=0; | 63 | $i=0; |
64 | while ($getitems3[$i] = mysql_fetch_array($getitems2)) | 64 | while ($getitems3[$i] = mysql_fetch_array($getitems2)) |
@@ -77,13 +77,13 @@ function sendFromUpdate($username, $verification, $verificationID, $subscription | |||
77 | { | 77 | { |
78 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) | 78 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) |
79 | { | 79 | { |
80 | $getusubs = "SELECT * FROM subscriptions WHERE username = \"" . mysql_escape_string($username) . "\" AND uri = \"" . mysql_escape_string($subscription) . "\" AND owner = \"true\""; | 80 | $getusubs = "SELECT * FROM subscriptions WHERE username = \"" . mysql_real_escape_string($username) . "\" AND uri = \"" . mysql_real_escape_string($subscription) . "\" AND owner = \"true\""; |
81 | $getusubs2 = mysql_query($getusubs); | 81 | $getusubs2 = mysql_query($getusubs); |
82 | $getusubs3 = mysql_fetch_array($getusubs2); | 82 | $getusubs3 = mysql_fetch_array($getusubs2); |
83 | if ($getusubs['username'] == $username) | 83 | if ($getusubs['username'] == $username) |
84 | { | 84 | { |
85 | $cserver = $_SERVER['HTTP_HOST']; | 85 | $cserver = $_SERVER['HTTP_HOST']; |
86 | $getuk = "SELECT * FROM centralServers WHERE url = \"" . mysql_escape_string($cserver) . "\""; | 86 | $getuk = "SELECT * FROM centralServers WHERE url = \"" . mysql_real_escape_string($cserver) . "\""; |
87 | $getuk2 = mysql_query($getuk); | 87 | $getuk2 = mysql_query($getuk); |
88 | $getuk3 = mysql_fetch_array($getuk2); | 88 | $getuk3 = mysql_fetch_array($getuk2); |
89 | 89 | ||
@@ -126,7 +126,7 @@ function sendFromCentral($cserver, $verification, $verificationID, $subscription | |||
126 | } else if ($softwareVersion < instaDisc_getConfig('softwareVersion')) | 126 | } else if ($softwareVersion < instaDisc_getConfig('softwareVersion')) |
127 | { | 127 | { |
128 | $cserver2 = $_SERVER['HTTP_HOST']; | 128 | $cserver2 = $_SERVER['HTTP_HOST']; |
129 | $getuk = "SELECT * FROM centralServers WHERE url = \"" . mysql_escape_string($cserver2) . "\""; | 129 | $getuk = "SELECT * FROM centralServers WHERE url = \"" . mysql_real_escape_string($cserver2) . "\""; |
130 | $getuk2 = mysql_query($getuk); | 130 | $getuk2 = mysql_query($getuk); |
131 | $getuk3 = mysql_fetch_array($getuk2); | 131 | $getuk3 = mysql_fetch_array($getuk2); |
132 | 132 | ||
@@ -143,7 +143,7 @@ function sendFromCentral($cserver, $verification, $verificationID, $subscription | |||
143 | if ($databaseVersion > instaDisc_getConfig('databaseVersion')) | 143 | if ($databaseVersion > instaDisc_getConfig('databaseVersion')) |
144 | { | 144 | { |
145 | $cserver2 = $_SERVER['HTTP_HOST']; | 145 | $cserver2 = $_SERVER['HTTP_HOST']; |
146 | $getuk = "SELECT * FROM centralServers WHERE url = \"" . mysql_escape_string($cserver2) . "\""; | 146 | $getuk = "SELECT * FROM centralServers WHERE url = \"" . mysql_real_escape_string($cserver2) . "\""; |
147 | $getuk2 = mysql_query($getuk); | 147 | $getuk2 = mysql_query($getuk); |
148 | $getuk3 = mysql_fetch_array($getuk2); | 148 | $getuk3 = mysql_fetch_array($getuk2); |
149 | 149 | ||
@@ -160,7 +160,7 @@ function sendFromCentral($cserver, $verification, $verificationID, $subscription | |||
160 | instaDisc_sendDatabase($cserver); | 160 | instaDisc_sendDatabase($cserver); |
161 | } | 161 | } |
162 | 162 | ||
163 | $getsed = "SELECT * FROM subscriptions WHERE uri = \"" . mysql_escape_string($subscription) . "\""; | 163 | $getsed = "SELECT * FROM subscriptions WHERE uri = \"" . mysql_real_escape_string($subscription) . "\""; |
164 | $getsed2 = mysql_query($getsed); | 164 | $getsed2 = mysql_query($getsed); |
165 | $i=0; | 165 | $i=0; |
166 | while ($getsed3[$i] = mysql_fetch_array($getsed2)) | 166 | while ($getsed3[$i] = mysql_fetch_array($getsed2)) |
@@ -209,12 +209,12 @@ function deleteSubscription($username, $verification, $verificationID, $subscrip | |||
209 | { | 209 | { |
210 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) | 210 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) |
211 | { | 211 | { |
212 | $getsub = "SELECT * FROM subscriptions WHERE url = \"" . mysql_escape_string($subscription) . "\" AND username = \"" . mysql_escape_string($username) . "\" AND owner = \"false\""; | 212 | $getsub = "SELECT * FROM subscriptions WHERE url = \"" . mysql_real_escape_string($subscription) . "\" AND username = \"" . mysql_real_escape_string($username) . "\" AND owner = \"false\""; |
213 | $getsub2 = mysql_query($getsub); | 213 | $getsub2 = mysql_query($getsub); |
214 | $getsub3 = mysql_fetch_array($getsub2); | 214 | $getsub3 = mysql_fetch_array($getsub2); |
215 | if ($getsub3['url'] == $subscription) | 215 | if ($getsub3['url'] == $subscription) |
216 | { | 216 | { |
217 | $delsub = "DELETE FROM subscriptions WHERE url = \"" . mysql_escape_string($subscription) . "\" AND username = \"" . mysql_escape_string($username) . "\" AND owner = \"false\""; | 217 | $delsub = "DELETE FROM subscriptions WHERE url = \"" . mysql_real_escape_string($subscription) . "\" AND username = \"" . mysql_real_escape_string($username) . "\" AND owner = \"false\""; |
218 | $delsub2 = mysql_query($delsub); | 218 | $delsub2 = mysql_query($delsub); |
219 | 219 | ||
220 | return new xmlrpcresp(new xmlrpcval(0, "int")); | 220 | return new xmlrpcresp(new xmlrpcval(0, "int")); |
@@ -228,7 +228,7 @@ function addSubscription($username, $verification, $verificationID, $subscriptio | |||
228 | { | 228 | { |
229 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) | 229 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) |
230 | { | 230 | { |
231 | $inssub = "INSERT INTO subscriptions (url, username, owner) VALUES (\"" . mysql_escape_string($subscription) . "\", \"" . mysql_escape_string($username) . "\", \"false\")"; | 231 | $inssub = "INSERT INTO subscriptions (url, username, owner) VALUES (\"" . mysql_real_escape_string($subscription) . "\", \"" . mysql_real_escape_string($username) . "\", \"false\")"; |
232 | $inssub2 = mysql_query($inssub); | 232 | $inssub2 = mysql_query($inssub); |
233 | 233 | ||
234 | return new xmlrpcresp(new xmlrpcval(0, "int")); | 234 | return new xmlrpcresp(new xmlrpcval(0, "int")); |
@@ -254,7 +254,7 @@ function sendDatabase($cserver, $verification, $verificationID, $db) | |||
254 | 254 | ||
255 | foreach($db as $name => $value) | 255 | foreach($db as $name => $value) |
256 | { | 256 | { |
257 | $insdb = "INSERT INTO centralServers (url, key, xmlrpc) VALUES (\"" . mysql_escape_string($name) . "\", \"" . mysql_escape_string($value['key']) . "\", \"" . mysql_escape_string($value['xmlrpc']) . "\")"; | 257 | $insdb = "INSERT INTO centralServers (url, key, xmlrpc) VALUES (\"" . mysql_real_escape_string($name) . "\", \"" . mysql_real_escape_string($value['key']) . "\", \"" . mysql_real_escape_string($value['xmlrpc']) . "\")"; |
258 | $insdb2 = mysql_query($insdb); | 258 | $insdb2 = mysql_query($insdb); |
259 | } | 259 | } |
260 | 260 | ||