about summary refs log tree commit diff stats
path: root/central
diff options
context:
space:
mode:
Diffstat (limited to 'central')
-rw-r--r--central/trunk/instadisc.php60
-rw-r--r--central/trunk/xmlrpc.php26
2 files changed, 43 insertions, 43 deletions
diff --git a/central/trunk/instadisc.php b/central/trunk/instadisc.php index de0a90e..0edbd82 100644 --- a/central/trunk/instadisc.php +++ b/central/trunk/instadisc.php
@@ -7,12 +7,12 @@ include_once('class.phpmailer.php');
7 7
8function instaDisc_checkVerification($username, $verification, $verificationID, $table, $nameField, $passField) 8function instaDisc_checkVerification($username, $verification, $verificationID, $table, $nameField, $passField)
9{ 9{
10 $getverid = "SELECT * FROM oldVerID WHERE name = \"" . mysql_escape_string($username) . "\" AND verID = " . $verificationID; 10 $getverid = "SELECT * FROM oldVerID WHERE name = \"" . mysql_real_escape_string($username) . "\" AND verID = " . $verificationID;
11 $getverid2 = mysql_query($getverid); 11 $getverid2 = mysql_query($getverid);
12 $getverid3 = mysql_fetch_array($getverid2); 12 $getverid3 = mysql_fetch_array($getverid2);
13 if ($getverid3['id'] != $verificationID) 13 if ($getverid3['id'] != $verificationID)
14 { 14 {
15 $getitem = "SELECT * FROM " . $table . " WHERE " . $nameField . " = \"" . mysql_escape_string($username) . "\""; 15 $getitem = "SELECT * FROM " . $table . " WHERE " . $nameField . " = \"" . mysql_real_escape_string($username) . "\"";
16 $getitem2 = mysql_query($getitem); 16 $getitem2 = mysql_query($getitem);
17 $getitem3 = mysql_fetch_array($getitem2); 17 $getitem3 = mysql_fetch_array($getitem2);
18 if ($getitem3[$nameField] == $username) 18 if ($getitem3[$nameField] == $username)
@@ -21,16 +21,16 @@ function instaDisc_checkVerification($username, $verification, $verificationID,
21 21
22 if (md5($test) == $verification) 22 if (md5($test) == $verification)
23 { 23 {
24 $cntverid = "SELECT COUNT(*) FROM oldVerID WHERE username = \"" . mysql_escape_string($username) . "\""; 24 $cntverid = "SELECT COUNT(*) FROM oldVerID WHERE username = \"" . mysql_real_escape_string($username) . "\"";
25 $cntverid2 = mysql_query($cntverid); 25 $cntverid2 = mysql_query($cntverid);
26 $cntverid3 = mysql_fetch_array($cntverid2); 26 $cntverid3 = mysql_fetch_array($cntverid2);
27 if ($cntverid3[0] >= intval(instaDisc_getConfig('verIDBufferSize'))) 27 if ($cntverid3[0] >= intval(instaDisc_getConfig('verIDBufferSize')))
28 { 28 {
29 $delverid = "DELETE FROM oldVerID WHERE username = \"" . mysql_escape_string($username) . "\""; 29 $delverid = "DELETE FROM oldVerID WHERE username = \"" . mysql_real_escape_string($username) . "\"";
30 $delverid2 = mysql_query($delverid); 30 $delverid2 = mysql_query($delverid);
31 } 31 }
32 32
33 $insverid = "INSERT INTO oldVerID (name, verID) VALUES (\"" . mysql_escape_string($username) . "\", " . $verificationID . ")"; 33 $insverid = "INSERT INTO oldVerID (name, verID) VALUES (\"" . mysql_real_escape_string($username) . "\", " . $verificationID . ")";
34 $insverid2 = mysql_query($insverid); 34 $insverid2 = mysql_query($insverid);
35 35
36 return true; 36 return true;
@@ -43,12 +43,12 @@ function instaDisc_checkVerification($username, $verification, $verificationID,
43 43
44function instaDisc_sendItem($username, $id) 44function instaDisc_sendItem($username, $id)
45{ 45{
46 $getitem = "SELECT * FROM inbox WHERE username = \"" . mysql_escape_string($username) . "\" AND itemID = " . $id; 46 $getitem = "SELECT * FROM inbox WHERE username = \"" . mysql_real_escape_string($username) . "\" AND itemID = " . $id;
47 $getitem2 = mysql_query($getitem); 47 $getitem2 = mysql_query($getitem);
48 $getitem3 = mysql_fetch_array($getitem2); 48 $getitem3 = mysql_fetch_array($getitem2);
49 if ($getitem3['username'] == $username) 49 if ($getitem3['username'] == $username)
50 { 50 {
51 $getuser = "SELECT * FROM users WHERE username = \"" . mysql_escape_string($username) . "\""; 51 $getuser = "SELECT * FROM users WHERE username = \"" . mysql_real_escape_string($username) . "\"";
52 $getuser2 = mysql_query($getuser); 52 $getuser2 = mysql_query($getuser);
53 $getuser3 = mysql_fetch_array($getuser2); 53 $getuser3 = mysql_fetch_array($getuser2);
54 54
@@ -97,7 +97,7 @@ function instaDisc_sendDatabase($cserver)
97 } 97 }
98 98
99 $cserver2 = $_SERVER['HTTP_HOST']; 99 $cserver2 = $_SERVER['HTTP_HOST'];
100 $getuk = "SELECT * FROM centralServers WHERE url = \"" . mysql_escape_string($cserver2) . "\""; 100 $getuk = "SELECT * FROM centralServers WHERE url = \"" . mysql_real_escape_string($cserver2) . "\"";
101 $getuk2 = mysql_query($getuk); 101 $getuk2 = mysql_query($getuk);
102 $getuk3 = mysql_fetch_array($getuk2); 102 $getuk3 = mysql_fetch_array($getuk2);
103 103
@@ -113,16 +113,16 @@ function instaDisc_sendDatabase($cserver)
113 113
114function instaDisc_addItem($username, $subscription, $title, $author, $url, $semantics) 114function instaDisc_addItem($username, $subscription, $title, $author, $url, $semantics)
115{ 115{
116 $getuser = "SELECT * FROM users WHERE username = \"" . mysql_escape_string($username) . "\""; 116 $getuser = "SELECT * FROM users WHERE username = \"" . mysql_real_escape_string($username) . "\"";
117 $getuser2 = mysql_query($getuser); 117 $getuser2 = mysql_query($getuser);
118 $getuser3 = mysql_fetch_array($getuser2); 118 $getuser3 = mysql_fetch_array($getuser2);
119 if ($getuser3['username'] == $username) 119 if ($getuser3['username'] == $username)
120 { 120 {
121 $itemID = $getuser3['nextItemID']; 121 $itemID = $getuser3['nextItemID'];
122 $setuser = "UPDATE users SET nextItemID = nextItemID+1 WHERE username = \"" . mysql_escape_string($username) . "\""; 122 $setuser = "UPDATE users SET nextItemID = nextItemID+1 WHERE username = \"" . mysql_real_escape_string($username) . "\"";
123 $setuser2 = mysql_query($setuser); 123 $setuser2 = mysql_query($setuser);
124 124
125 $insitem = "INSERT INTO inbox (username, itemID, subscription, title, author, url, semantics) VALUES (\"" . mysql_escape_string($username) . "\", " . $itemID . ", \"" . mysql_escape_string($subscription) . "\", \"" . mysql_escape_string($title) . "\", \"" . mysql_escape_string($author) . "\", \"" . mysql_escape_string($url) . "\", \"" . mysql_escape_string(serialize($semantics)) . "\")"; 125 $insitem = "INSERT INTO inbox (username, itemID, subscription, title, author, url, semantics) VALUES (\"" . mysql_real_escape_string($username) . "\", " . $itemID . ", \"" . mysql_real_escape_string($subscription) . "\", \"" . mysql_real_escape_string($title) . "\", \"" . mysql_real_escape_string($author) . "\", \"" . mysql_real_escape_string($url) . "\", \"" . mysql_real_escape_string(serialize($semantics)) . "\")";
126 $insitem2 = mysql_query($insitem); 126 $insitem2 = mysql_query($insitem);
127 127
128 instaDisc_sendItem($username, $itemID); 128 instaDisc_sendItem($username, $itemID);
@@ -152,7 +152,7 @@ function instaDisc_sendActivationEmail($username, $password, $email)
152{ 152{
153 $penKey = md5(rand(1,65536)); 153 $penKey = md5(rand(1,65536));
154 154
155 $inspending = "INSERT INTO pending (username, password, email, key) VALUES (\"" . mysql_escape_string($username) . "\", \"" . mysql_escape_string($password) . "\", \"" . mysql_escape_string($email) . "\", \"" . mysql_escape_string($penKey) . "\")"; 155 $inspending = "INSERT INTO pending (username, password, email, key) VALUES (\"" . mysql_real_escape_string($username) . "\", \"" . mysql_real_escape_string($password) . "\", \"" . mysql_real_escape_string($email) . "\", \"" . mysql_real_escape_string($penKey) . "\")";
156 $inspending2 = mysql_query($inspending); 156 $inspending2 = mysql_query($inspending);
157 157
158 $mail = instaDisc_phpMailer(); 158 $mail = instaDisc_phpMailer();
@@ -165,15 +165,15 @@ function instaDisc_sendActivationEmail($username, $password, $email)
165 165
166function instaDisc_activateAccount($username, $penKey) 166function instaDisc_activateAccount($username, $penKey)
167{ 167{
168 $getuser = "SELECT * FROM pending WHERE username = \"" . mysql_escape_string($username) . "\" AND key = \"" . mysql_escape_string($penKey) . "\""; 168 $getuser = "SELECT * FROM pending WHERE username = \"" . mysql_real_escape_string($username) . "\" AND key = \"" . mysql_real_escape_string($penKey) . "\"";
169 $getuser2 = mysql_query($getuser); 169 $getuser2 = mysql_query($getuser);
170 $getuser3 = mysql_fetch_array($getuser2); 170 $getuser3 = mysql_fetch_array($getuser2);
171 if ($getuser3['username'] == $username) 171 if ($getuser3['username'] == $username)
172 { 172 {
173 $insuser = "INSERT INTO users (username, password, email) VALUES (\"" . mysql_escape_string($username) . "\", \"" . mysql_escape_string($password) . "\", \"" . mysql_escape_string($email) . "\")"; 173 $insuser = "INSERT INTO users (username, password, email) VALUES (\"" . mysql_real_escape_string($username) . "\", \"" . mysql_real_escape_string($password) . "\", \"" . mysql_real_escape_string($email) . "\")";
174 $insuser2 = mysql_query($insuser); 174 $insuser2 = mysql_query($insuser);
175 175
176 $delpending = "DELETE FROM pending WHERE username = \"" . mysql_escape_string($username) . "\""; 176 $delpending = "DELETE FROM pending WHERE username = \"" . mysql_real_escape_string($username) . "\"";
177 $delpending2 = mysql_query($delpending); 177 $delpending2 = mysql_query($delpending);
178 178
179 $mail = instaDisc_phpMailer(); 179 $mail = instaDisc_phpMailer();
@@ -189,12 +189,12 @@ function instaDisc_activateAccount($username, $penKey)
189 189
190function instaDisc_deactivateAccount($username, $penKey) 190function instaDisc_deactivateAccount($username, $penKey)
191{ 191{
192 $getuser = "SELECT * FROM pending WHERE username = \"" . mysql_escape_string($username) . "\" AND key = \"" . mysql_escape_string($penKey) . "\""; 192 $getuser = "SELECT * FROM pending WHERE username = \"" . mysql_real_escape_string($username) . "\" AND key = \"" . mysql_real_escape_string($penKey) . "\"";
193 $getuser2 = mysql_query($getuser); 193 $getuser2 = mysql_query($getuser);
194 $getuser3 = mysql_fetch_array($getuser2); 194 $getuser3 = mysql_fetch_array($getuser2);
195 if ($getuser3['username'] == $username) 195 if ($getuser3['username'] == $username)
196 { 196 {
197 $delpending = "DELETE FROM pending WHERE username = \"" . mysql_escape_string($username) . "\""; 197 $delpending = "DELETE FROM pending WHERE username = \"" . mysql_real_escape_string($username) . "\"";
198 $delpending2 = mysql_query($delpending); 198 $delpending2 = mysql_query($delpending);
199 199
200 return true; 200 return true;
@@ -210,18 +210,18 @@ function instaDisc_verifyUser($username, $password)
210 210
211function instaDisc_deleteAccount($username) 211function instaDisc_deleteAccount($username)
212{ 212{
213 $getuser = "SELECT * FROM users WHERE username = \"" . mysql_escape_string($username) . "\""; 213 $getuser = "SELECT * FROM users WHERE username = \"" . mysql_real_escape_string($username) . "\"";
214 $getuser2 = mysql_query($getuser); 214 $getuser2 = mysql_query($getuser);
215 $getuser3 = mysql_fetch_array($getuser2); 215 $getuser3 = mysql_fetch_array($getuser2);
216 if ($getuser3['username'] == $username) 216 if ($getuser3['username'] == $username)
217 { 217 {
218 $deluser = "DELETE FROM users WHERE username = \"" . mysql_escape_string($username) . "\""; 218 $deluser = "DELETE FROM users WHERE username = \"" . mysql_real_escape_string($username) . "\"";
219 $deluser2 = mysql_query($deluser); 219 $deluser2 = mysql_query($deluser);
220 220
221 $delsubs = "DELETE FROM subscriptions WHERE username = \"" . mysql_escape_string($username) . "\""; 221 $delsubs = "DELETE FROM subscriptions WHERE username = \"" . mysql_real_escape_string($username) . "\"";
222 $delsubs2 = mysql_query($delsubs); 222 $delsubs2 = mysql_query($delsubs);
223 223
224 $delitems = "DELETE FROM inbox WHERE username = \"" . mysql_escape_string($username) . "\""; 224 $delitems = "DELETE FROM inbox WHERE username = \"" . mysql_real_escape_string($username) . "\"";
225 $delitems2 = mysql_query($delitems); 225 $delitems2 = mysql_query($delitems);
226 226
227 return true; 227 return true;
@@ -232,7 +232,7 @@ function instaDisc_deleteAccount($username)
232 232
233function instaDisc_getConfig($key) 233function instaDisc_getConfig($key)
234{ 234{
235 $getconfig = "SELECT * FROM config WHERE name = \"" . mysql_escape_string($key) . "\""; 235 $getconfig = "SELECT * FROM config WHERE name = \"" . mysql_real_escape_string($key) . "\"";
236 $getconfig2 = mysql_query($getconfig); 236 $getconfig2 = mysql_query($getconfig);
237 $getconfig3 = mysql_fetch_array($getconfig2); 237 $getconfig3 = mysql_fetch_array($getconfig2);
238 238
@@ -241,7 +241,7 @@ function instaDisc_getConfig($key)
241 241
242function instaDisc_listSubscriptions($username) 242function instaDisc_listSubscriptions($username)
243{ 243{
244 $getsubs = "SELECT * FROM subscriptions WHERE username = \"" . mysql_escape_string($username) . "\" AND owner = \"true\""; 244 $getsubs = "SELECT * FROM subscriptions WHERE username = \"" . mysql_real_escape_string($username) . "\" AND owner = \"true\"";
245 $getsubs2 = mysql_query($getsubs); 245 $getsubs2 = mysql_query($getsubs);
246 $i=0; 246 $i=0;
247 while ($getsubs3[$i] = mysql_fetch_array($getsubs2)) 247 while ($getsubs3[$i] = mysql_fetch_array($getsubs2))
@@ -257,12 +257,12 @@ function instaDisc_listSubscriptions($username)
257 257
258function instaDisc_addSubscription($username, $url) 258function instaDisc_addSubscription($username, $url)
259{ 259{
260 $getcode = "SELECT * FROM pending2 WHERE username = \"" . mysql_escape_string($username) . "\" AND url = \"" . mysql_escape_string($url) . "\""; 260 $getcode = "SELECT * FROM pending2 WHERE username = \"" . mysql_real_escape_string($username) . "\" AND url = \"" . mysql_real_escape_string($url) . "\"";
261 $getcode2 = mysql_query($getcode); 261 $getcode2 = mysql_query($getcode);
262 $getcode3 = mysql_fetch_array($getcode2); 262 $getcode3 = mysql_fetch_array($getcode2);
263 if ($getcode3['username'] == $username) 263 if ($getcode3['username'] == $username)
264 { 264 {
265 $delcode = "DELETE FROM pending2 WHERE username = \"" . mysql_escape_string($username) . "\" AND url = \"" . mysql_escape_string($url) . "\""; 265 $delcode = "DELETE FROM pending2 WHERE username = \"" . mysql_real_escape_string($username) . "\" AND url = \"" . mysql_real_escape_string($url) . "\"";
266 $delcode2 = mysql_query($delcode); 266 $delcode2 = mysql_query($delcode);
267 267
268 $c = curl_init(); 268 $c = curl_init();
@@ -289,7 +289,7 @@ function instaDisc_addSubscription($username, $url)
289 { 289 {
290 if ($header['Key'] == $getcode3['code']) 290 if ($header['Key'] == $getcode3['code'])
291 { 291 {
292 $inssub = "INSERT INTO subscriptions (username,url,owner) VALUES (\"" . mysql_escape_string($username) . "\", \"" . mysql_escape_string($header['Subscription']) . "\", \"true\")"; 292 $inssub = "INSERT INTO subscriptions (username,url,owner) VALUES (\"" . mysql_real_escape_string($username) . "\", \"" . mysql_real_escape_string($header['Subscription']) . "\", \"true\")";
293 $inssub2 = mysql_query($inssub); 293 $inssub2 = mysql_query($inssub);
294 294
295 return true; 295 return true;
@@ -305,7 +305,7 @@ function instaDisc_addSubscription($username, $url)
305 305
306function instaDisc_listPendingSubscriptions($username) 306function instaDisc_listPendingSubscriptions($username)
307{ 307{
308 $getsubs = "SELECT * FROM pending2 WHERE username = \"" . mysql_escape_string($username) . "\""; 308 $getsubs = "SELECT * FROM pending2 WHERE username = \"" . mysql_real_escape_string($username) . "\"";
309 $getsubs2 = mysql_query($getsubs); 309 $getsubs2 = mysql_query($getsubs);
310 $i=0; 310 $i=0;
311 while ($getsubs3[$i] = mysql_fetch_array($getsubs2)) 311 while ($getsubs3[$i] = mysql_fetch_array($getsubs2))
@@ -323,7 +323,7 @@ function instaDisc_generateSubscriptionActivation($username, $url)
323{ 323{
324 $key = md5(rand(1,65536)); 324 $key = md5(rand(1,65536));
325 325
326 $inspending = "INSERT INTO pending2 (username, url, key) VALUES (\"" . mysql_escape_string($username) . "\", \"" . mysql_escape_string($url) . "\", \"" . mysql_escape_string($key) . "\")"; 326 $inspending = "INSERT INTO pending2 (username, url, key) VALUES (\"" . mysql_real_escape_string($username) . "\", \"" . mysql_real_escape_string($url) . "\", \"" . mysql_real_escape_string($key) . "\")";
327 $inspending2 = mysql_query($inspending); 327 $inspending2 = mysql_query($inspending);
328 328
329 return $key; 329 return $key;
@@ -331,7 +331,7 @@ function instaDisc_generateSubscriptionActivation($username, $url)
331 331
332function instaDisc_deleteSubscription($username, $url) 332function instaDisc_deleteSubscription($username, $url)
333{ 333{
334 $delsub = "DELETE FROM subscriptions WHERE username = \"" . mysql_escape_string($username) . "\" AND url = \"" . mysql_escape_string($url) . "\")"; 334 $delsub = "DELETE FROM subscriptions WHERE username = \"" . mysql_real_escape_string($username) . "\" AND url = \"" . mysql_real_escape_string($url) . "\")";
335 $delsub2 = mysql_query($delsub); 335 $delsub2 = mysql_query($delsub);
336 336
337 return true; 337 return true;
@@ -339,7 +339,7 @@ function instaDisc_deleteSubscription($username, $url)
339 339
340function instaDisc_cancelSubscription($username, $url) 340function instaDisc_cancelSubscription($username, $url)
341{ 341{
342 $delsub = "DELETE FROM pending2 WHERE username = \"" . mysql_escape_string($username) . "\" AND url = \"" . mysql_escape_string($url) . "\")"; 342 $delsub = "DELETE FROM pending2 WHERE username = \"" . mysql_real_escape_string($username) . "\" AND url = \"" . mysql_real_escape_string($url) . "\")";
343 $delsub2 = mysql_query($delsub); 343 $delsub2 = mysql_query($delsub);
344 344
345 return true; 345 return true;
diff --git a/central/trunk/xmlrpc.php b/central/trunk/xmlrpc.php index cd0bb06..5ac5868 100644 --- a/central/trunk/xmlrpc.php +++ b/central/trunk/xmlrpc.php
@@ -21,12 +21,12 @@ function deleteItem($username, $verification, $verificationID, $id)
21{ 21{
22 if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) 22 if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password'))
23 { 23 {
24 $getitem = "SELECT * FROM inbox WHERE username = \"" . mysql_escape_string($username) . "\" AND itemID = " . $id; 24 $getitem = "SELECT * FROM inbox WHERE username = \"" . mysql_real_escape_string($username) . "\" AND itemID = " . $id;
25 $getitem2 = mysql_query($getitem); 25 $getitem2 = mysql_query($getitem);
26 $getitem3 = mysql_fetch_array($getitem2); 26 $getitem3 = mysql_fetch_array($getitem2);
27 if ($getitem3['id'] == $id) 27 if ($getitem3['id'] == $id)
28 { 28 {
29 $delitem = "DELETE FROM inbox WHERE username = \"" . mysql_escape_string($username) . "\" AND itemID = " . $id; 29 $delitem = "DELETE FROM inbox WHERE username = \"" . mysql_real_escape_string($username) . "\" AND itemID = " . $id;
30 $delitem2 = mysql_query($delitem); 30 $delitem2 = mysql_query($delitem);
31 31
32 return new xmlrpcresp(new xmlrpcval(0, "int")); 32 return new xmlrpcresp(new xmlrpcval(0, "int"));
@@ -40,7 +40,7 @@ function resendItem($username, $verification, $verificationID, $id)
40{ 40{
41 if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) 41 if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password'))
42 { 42 {
43 $getitem = "SELECT * FROM inbox WHERE username = \"" . mysql_escape_string($username) . "\" AND itemID = " . $id; 43 $getitem = "SELECT * FROM inbox WHERE username = \"" . mysql_real_escape_string($username) . "\" AND itemID = " . $id;
44 $getitem2 = mysql_query($getitem); 44 $getitem2 = mysql_query($getitem);
45 $getitem3 = mysql_fetch_array($getitem2); 45 $getitem3 = mysql_fetch_array($getitem2);
46 if ($getitem3['id'] == $id) 46 if ($getitem3['id'] == $id)
@@ -58,7 +58,7 @@ function requestRetained($username, $verification, $veriicationID)
58{ 58{
59 if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) 59 if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password'))
60 { 60 {
61 $getitems = "SELECT * FROM inbox WHERE username = \"" . mysql_escape_string($username) . "\""; 61 $getitems = "SELECT * FROM inbox WHERE username = \"" . mysql_real_escape_string($username) . "\"";
62 $getitems2 = mysql_query($getitems); 62 $getitems2 = mysql_query($getitems);
63 $i=0; 63 $i=0;
64 while ($getitems3[$i] = mysql_fetch_array($getitems2)) 64 while ($getitems3[$i] = mysql_fetch_array($getitems2))
@@ -77,13 +77,13 @@ function sendFromUpdate($username, $verification, $verificationID, $subscription
77{ 77{
78 if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) 78 if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password'))
79 { 79 {
80 $getusubs = "SELECT * FROM subscriptions WHERE username = \"" . mysql_escape_string($username) . "\" AND uri = \"" . mysql_escape_string($subscription) . "\" AND owner = \"true\""; 80 $getusubs = "SELECT * FROM subscriptions WHERE username = \"" . mysql_real_escape_string($username) . "\" AND uri = \"" . mysql_real_escape_string($subscription) . "\" AND owner = \"true\"";
81 $getusubs2 = mysql_query($getusubs); 81 $getusubs2 = mysql_query($getusubs);
82 $getusubs3 = mysql_fetch_array($getusubs2); 82 $getusubs3 = mysql_fetch_array($getusubs2);
83 if ($getusubs['username'] == $username) 83 if ($getusubs['username'] == $username)
84 { 84 {
85 $cserver = $_SERVER['HTTP_HOST']; 85 $cserver = $_SERVER['HTTP_HOST'];
86 $getuk = "SELECT * FROM centralServers WHERE url = \"" . mysql_escape_string($cserver) . "\""; 86 $getuk = "SELECT * FROM centralServers WHERE url = \"" . mysql_real_escape_string($cserver) . "\"";
87 $getuk2 = mysql_query($getuk); 87 $getuk2 = mysql_query($getuk);
88 $getuk3 = mysql_fetch_array($getuk2); 88 $getuk3 = mysql_fetch_array($getuk2);
89 89
@@ -126,7 +126,7 @@ function sendFromCentral($cserver, $verification, $verificationID, $subscription
126 } else if ($softwareVersion < instaDisc_getConfig('softwareVersion')) 126 } else if ($softwareVersion < instaDisc_getConfig('softwareVersion'))
127 { 127 {
128 $cserver2 = $_SERVER['HTTP_HOST']; 128 $cserver2 = $_SERVER['HTTP_HOST'];
129 $getuk = "SELECT * FROM centralServers WHERE url = \"" . mysql_escape_string($cserver2) . "\""; 129 $getuk = "SELECT * FROM centralServers WHERE url = \"" . mysql_real_escape_string($cserver2) . "\"";
130 $getuk2 = mysql_query($getuk); 130 $getuk2 = mysql_query($getuk);
131 $getuk3 = mysql_fetch_array($getuk2); 131 $getuk3 = mysql_fetch_array($getuk2);
132 132
@@ -143,7 +143,7 @@ function sendFromCentral($cserver, $verification, $verificationID, $subscription
143 if ($databaseVersion > instaDisc_getConfig('databaseVersion')) 143 if ($databaseVersion > instaDisc_getConfig('databaseVersion'))
144 { 144 {
145 $cserver2 = $_SERVER['HTTP_HOST']; 145 $cserver2 = $_SERVER['HTTP_HOST'];
146 $getuk = "SELECT * FROM centralServers WHERE url = \"" . mysql_escape_string($cserver2) . "\""; 146 $getuk = "SELECT * FROM centralServers WHERE url = \"" . mysql_real_escape_string($cserver2) . "\"";
147 $getuk2 = mysql_query($getuk); 147 $getuk2 = mysql_query($getuk);
148 $getuk3 = mysql_fetch_array($getuk2); 148 $getuk3 = mysql_fetch_array($getuk2);
149 149
@@ -160,7 +160,7 @@ function sendFromCentral($cserver, $verification, $verificationID, $subscription
160 instaDisc_sendDatabase($cserver); 160 instaDisc_sendDatabase($cserver);
161 } 161 }
162 162
163 $getsed = "SELECT * FROM subscriptions WHERE uri = \"" . mysql_escape_string($subscription) . "\""; 163 $getsed = "SELECT * FROM subscriptions WHERE uri = \"" . mysql_real_escape_string($subscription) . "\"";
164 $getsed2 = mysql_query($getsed); 164 $getsed2 = mysql_query($getsed);
165 $i=0; 165 $i=0;
166 while ($getsed3[$i] = mysql_fetch_array($getsed2)) 166 while ($getsed3[$i] = mysql_fetch_array($getsed2))
@@ -209,12 +209,12 @@ function deleteSubscription($username, $verification, $verificationID, $subscrip
209{ 209{
210 if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) 210 if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password'))
211 { 211 {
212 $getsub = "SELECT * FROM subscriptions WHERE url = \"" . mysql_escape_string($subscription) . "\" AND username = \"" . mysql_escape_string($username) . "\" AND owner = \"false\""; 212 $getsub = "SELECT * FROM subscriptions WHERE url = \"" . mysql_real_escape_string($subscription) . "\" AND username = \"" . mysql_real_escape_string($username) . "\" AND owner = \"false\"";
213 $getsub2 = mysql_query($getsub); 213 $getsub2 = mysql_query($getsub);
214 $getsub3 = mysql_fetch_array($getsub2); 214 $getsub3 = mysql_fetch_array($getsub2);
215 if ($getsub3['url'] == $subscription) 215 if ($getsub3['url'] == $subscription)
216 { 216 {
217 $delsub = "DELETE FROM subscriptions WHERE url = \"" . mysql_escape_string($subscription) . "\" AND username = \"" . mysql_escape_string($username) . "\" AND owner = \"false\""; 217 $delsub = "DELETE FROM subscriptions WHERE url = \"" . mysql_real_escape_string($subscription) . "\" AND username = \"" . mysql_real_escape_string($username) . "\" AND owner = \"false\"";
218 $delsub2 = mysql_query($delsub); 218 $delsub2 = mysql_query($delsub);
219 219
220 return new xmlrpcresp(new xmlrpcval(0, "int")); 220 return new xmlrpcresp(new xmlrpcval(0, "int"));
@@ -228,7 +228,7 @@ function addSubscription($username, $verification, $verificationID, $subscriptio
228{ 228{
229 if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password')) 229 if (instaDisc_checkVerification($username, $verification, $verificationID, 'users', 'username', 'password'))
230 { 230 {
231 $inssub = "INSERT INTO subscriptions (url, username, owner) VALUES (\"" . mysql_escape_string($subscription) . "\", \"" . mysql_escape_string($username) . "\", \"false\")"; 231 $inssub = "INSERT INTO subscriptions (url, username, owner) VALUES (\"" . mysql_real_escape_string($subscription) . "\", \"" . mysql_real_escape_string($username) . "\", \"false\")";
232 $inssub2 = mysql_query($inssub); 232 $inssub2 = mysql_query($inssub);
233 233
234 return new xmlrpcresp(new xmlrpcval(0, "int")); 234 return new xmlrpcresp(new xmlrpcval(0, "int"));
@@ -254,7 +254,7 @@ function sendDatabase($cserver, $verification, $verificationID, $db)
254 254
255 foreach($db as $name => $value) 255 foreach($db as $name => $value)
256 { 256 {
257 $insdb = "INSERT INTO centralServers (url, key, xmlrpc) VALUES (\"" . mysql_escape_string($name) . "\", \"" . mysql_escape_string($value['key']) . "\", \"" . mysql_escape_string($value['xmlrpc']) . "\")"; 257 $insdb = "INSERT INTO centralServers (url, key, xmlrpc) VALUES (\"" . mysql_real_escape_string($name) . "\", \"" . mysql_real_escape_string($value['key']) . "\", \"" . mysql_real_escape_string($value['xmlrpc']) . "\")";
258 $insdb2 = mysql_query($insdb); 258 $insdb2 = mysql_query($insdb);
259 } 259 }
260 260