diff options
Diffstat (limited to 'central/trunk/xmlrpc.php')
-rw-r--r-- | central/trunk/xmlrpc.php | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/central/trunk/xmlrpc.php b/central/trunk/xmlrpc.php index 16a2c29..68ff92d 100644 --- a/central/trunk/xmlrpc.php +++ b/central/trunk/xmlrpc.php | |||
@@ -21,12 +21,12 @@ function deleteItem($username, $verification, $verificationID, $id) | |||
21 | { | 21 | { |
22 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) | 22 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) |
23 | { | 23 | { |
24 | $getitem = "SELECT * FROM inbox WHERE username = \"" . $username . "\" AND itemID = " . $id; | 24 | $getitem = "SELECT * FROM inbox WHERE username = \"" . mysql_escape_string($username) . "\" AND itemID = " . $id; |
25 | $getitem2 = mysql_query($getitem); | 25 | $getitem2 = mysql_query($getitem); |
26 | $getitem3 = mysql_fetch_array($getitem2); | 26 | $getitem3 = mysql_fetch_array($getitem2); |
27 | if ($getitem3['id'] == $id) | 27 | if ($getitem3['id'] == $id) |
28 | { | 28 | { |
29 | $delitem = "DELETE inbox WHERE username = \"" . $username . "\" AND itemID = " . $id; | 29 | $delitem = "DELETE inbox WHERE username = \"" . mysql_escape_string($username) . "\" AND itemID = " . $id; |
30 | $delitem2 = mysql_query($delitem); | 30 | $delitem2 = mysql_query($delitem); |
31 | 31 | ||
32 | return new xmlrpcresp(new xmlrpcval(0, "int")); | 32 | return new xmlrpcresp(new xmlrpcval(0, "int")); |
@@ -40,7 +40,7 @@ function resendItem($username, $verification, $verificationID, $id) | |||
40 | { | 40 | { |
41 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) | 41 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) |
42 | { | 42 | { |
43 | $getitem = "SELECT * FROM inbox WHERE username = \"" . $username . "\" AND itemID = " . $id; | 43 | $getitem = "SELECT * FROM inbox WHERE username = \"" . mysql_escape_string($username) . "\" AND itemID = " . $id; |
44 | $getitem2 = mysql_query($getitem); | 44 | $getitem2 = mysql_query($getitem); |
45 | $getitem3 = mysql_fetch_array($getitem2); | 45 | $getitem3 = mysql_fetch_array($getitem2); |
46 | if ($getitem3['id'] == $id) | 46 | if ($getitem3['id'] == $id) |
@@ -58,13 +58,13 @@ function sendFromUpdate($username, $verification, $verificationID, $subscription | |||
58 | { | 58 | { |
59 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) | 59 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) |
60 | { | 60 | { |
61 | $getusubs = "SELECT * FROM subscriptions WHERE username = \"" . $username . "\" AND uri = \"" . $subscription . "\" AND owner = \"true\""; | 61 | $getusubs = "SELECT * FROM subscriptions WHERE username = \"" . mysql_escape_string($username) . "\" AND uri = \"" . mysql_escape_string($subscription) . "\" AND owner = \"true\""; |
62 | $getusubs2 = mysql_query($getusubs); | 62 | $getusubs2 = mysql_query($getusubs); |
63 | $getusubs3 = mysql_fetch_array($getusubs2); | 63 | $getusubs3 = mysql_fetch_array($getusubs2); |
64 | if ($getusubs['username'] == $username) | 64 | if ($getusubs['username'] == $username) |
65 | { | 65 | { |
66 | $cserver = $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; | 66 | $cserver = $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; |
67 | $getuk = "SELECT * FROM centralServers WHERE url = \"" . $cserver . "\""; | 67 | $getuk = "SELECT * FROM centralServers WHERE url = \"" . mysql_escape_string($cserver) . "\""; |
68 | $getuk2 = mysql_query($getuk); | 68 | $getuk2 = mysql_query($getuk); |
69 | $getuk3 = mysql_fetch_array($getuk2); | 69 | $getuk3 = mysql_fetch_array($getuk2); |
70 | 70 | ||
@@ -107,7 +107,7 @@ function sendFromCentral($cserver, $verification, $verificationID, $subscription | |||
107 | } else if ($softwareVersion < getConfig('softwareVersion')) | 107 | } else if ($softwareVersion < getConfig('softwareVersion')) |
108 | { | 108 | { |
109 | $cserver2 = $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; | 109 | $cserver2 = $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; |
110 | $getuk = "SELECT * FROM centralServers WHERE url = \"" . $cserver2 . "\""; | 110 | $getuk = "SELECT * FROM centralServers WHERE url = \"" . mysql_escape_string($cserver2) . "\""; |
111 | $getuk2 = mysql_query($getuk); | 111 | $getuk2 = mysql_query($getuk); |
112 | $getuk3 = mysql_fetch_array($getuk2); | 112 | $getuk3 = mysql_fetch_array($getuk2); |
113 | 113 | ||
@@ -124,7 +124,7 @@ function sendFromCentral($cserver, $verification, $verificationID, $subscription | |||
124 | if ($databaseVersion > getConfig('databaseVersion')) | 124 | if ($databaseVersion > getConfig('databaseVersion')) |
125 | { | 125 | { |
126 | $cserver2 = $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; | 126 | $cserver2 = $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; |
127 | $getuk = "SELECT * FROM centralServers WHERE url = \"" . $cserver2 . "\""; | 127 | $getuk = "SELECT * FROM centralServers WHERE url = \"" . mysql_escape_string($cserver2) . "\""; |
128 | $getuk2 = mysql_query($getuk); | 128 | $getuk2 = mysql_query($getuk); |
129 | $getuk3 = mysql_fetch_array($getuk2); | 129 | $getuk3 = mysql_fetch_array($getuk2); |
130 | 130 | ||
@@ -141,7 +141,7 @@ function sendFromCentral($cserver, $verification, $verificationID, $subscription | |||
141 | instaDisc_sendDatabase($cserver); | 141 | instaDisc_sendDatabase($cserver); |
142 | } | 142 | } |
143 | 143 | ||
144 | $getsed = "SELECT * FROM subscriptions WHERE uri = \"" . $subscription . "\""; | 144 | $getsed = "SELECT * FROM subscriptions WHERE uri = \"" . mysql_escape_string($subscription) . "\""; |
145 | $getsed2 = mysql_query($getsed); | 145 | $getsed2 = mysql_query($getsed); |
146 | $i=0; | 146 | $i=0; |
147 | while ($getsed3[$i] = mysql_fetch_array($getsed2)) | 147 | while ($getsed3[$i] = mysql_fetch_array($getsed2)) |
@@ -190,12 +190,12 @@ function deleteSubscription($username, $verification, $verificationID, $subscrip | |||
190 | { | 190 | { |
191 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) | 191 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) |
192 | { | 192 | { |
193 | $getsub = "SELECT * FROM subscriptions WHERE url = \"" . $subscription . "\" AND username = \"" . $username . "\" AND owner = \"false\""; | 193 | $getsub = "SELECT * FROM subscriptions WHERE url = \"" . mysql_escape_string($subscription) . "\" AND username = \"" . mysql_escape_string($username) . "\" AND owner = \"false\""; |
194 | $getsub2 = mysql_query($getsub); | 194 | $getsub2 = mysql_query($getsub); |
195 | $getsub3 = mysql_fetch_array($getsub2); | 195 | $getsub3 = mysql_fetch_array($getsub2); |
196 | if ($getsub3['url'] == $subscription) | 196 | if ($getsub3['url'] == $subscription) |
197 | { | 197 | { |
198 | $delsub = "DELETE subscriptions WHERE url = \"" . $subscription . "\" AND username = \"" . $username . "\" AND owner = \"false\""; | 198 | $delsub = "DELETE subscriptions WHERE url = \"" . mysql_escape_string($subscription) . "\" AND username = \"" . mysql_escape_string($username . "\" AND owner = \"false\""; |
199 | $delsub2 = mysql_query($delsub); | 199 | $delsub2 = mysql_query($delsub); |
200 | 200 | ||
201 | return new xmlrpcresp(new xmlrpcval(0, "int")); | 201 | return new xmlrpcresp(new xmlrpcval(0, "int")); |
@@ -209,7 +209,7 @@ function addSubscription($username, $verification, $verificationID, $subscriptio | |||
209 | { | 209 | { |
210 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) | 210 | if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) |
211 | { | 211 | { |
212 | $inssub = "INSERT INTO subscriptions (url, username, owner) VALUES (\"" . $subscription . "\", \"" . $username . "\", \"false\")"; | 212 | $inssub = "INSERT INTO subscriptions (url, username, owner) VALUES (\"" . mysql_escape_string($subscription) . "\", \"" . mysql_escape_string($username) . "\", \"false\")"; |
213 | $inssub2 = mysql_query($inssub); | 213 | $inssub2 = mysql_query($inssub); |
214 | 214 | ||
215 | return new xmlrpcresp(new xmlrpcval(0, "int")); | 215 | return new xmlrpcresp(new xmlrpcval(0, "int")); |