db_prefs: PDO

classes/db/prefs.php

@@ -1,11 +1,11 @@
 <?php
 class Db_Prefs {
-	private $dbh;
+	private $pdo;
 	private static $instance;
 	private $cache;
 
 	function __construct() {
-		$this->dbh = Db::get();
+		$this->pdo = Db::pdo();
 		$this->cache = array();
 
 		if ($_SESSION["uid"]) $this->cache();
@@ -26,26 +26,22 @@ class Db_Prefs {
 		$user_id = $_SESSION["uid"];
 		@$profile = $_SESSION["profile"];
 
-		if ($profile) {
-			$profile_qpart = "profile = '$profile' AND";
-		} else {
-			$profile_qpart = "profile IS NULL AND";
-		}
+		if (!$profile || get_schema_version() < 63) $profile = null;
 
-		if (get_schema_version() < 63) $profile_qpart = "";
-
-		$result = db_query("SELECT
+		$sth = $this->pdo->prepare("SELECT
 			value,ttrss_prefs_types.type_name as type_name,ttrss_prefs.pref_name AS pref_name
 			FROM
 				ttrss_user_prefs,ttrss_prefs,ttrss_prefs_types
 			WHERE
-				$profile_qpart
+				profile = :profile OR (:profile IS NULL AND profile IS NULL) AND
 				ttrss_prefs.pref_name NOT LIKE '_MOBILE%' AND
 				ttrss_prefs_types.id = type_id AND
-				owner_uid = '$user_id' AND
+				owner_uid = :uid AND
 				ttrss_user_prefs.pref_name = ttrss_prefs.pref_name");
 
-		while ($line = db_fetch_assoc($result)) {
+		$sth->execute([":profile" => $profile, ":uid" => $user_id]);
+
+		while ($line = $sth->fetch()) {
 			if ($user_id == $_SESSION["uid"]) {
 				$pref_name = $line["pref_name"];
 
@@ -57,7 +53,6 @@ class Db_Prefs {
 
 	function read($pref_name, $user_id = false, $die_on_error = false) {
 
-		$pref_name = db_escape_string($pref_name);
 		$profile = false;
 
 		if (!$user_id) {
@@ -72,28 +67,23 @@ class Db_Prefs {
 			return $this->convert($tuple["value"], $tuple["type"]);
 		}
 
-		if ($profile) {
-			$profile_qpart = "profile = '$profile' AND";
-		} else {
-			$profile_qpart = "profile IS NULL AND";
-		}
-
-		if (get_schema_version() < 63) $profile_qpart = "";
+		if (!$profile || get_schema_version() < 63) $profile = null;
 
-		$result = db_query("SELECT
+		$sth = $this->pdo->prepare("SELECT
 			value,ttrss_prefs_types.type_name as type_name
 			FROM
 				ttrss_user_prefs,ttrss_prefs,ttrss_prefs_types
 			WHERE
-				$profile_qpart
-				ttrss_user_prefs.pref_name = '$pref_name' AND
+				profile = :profile OR (:profile IS NULL AND profile IS NULL) AND
+				ttrss_user_prefs.pref_name = :pref_name AND
 				ttrss_prefs_types.id = type_id AND
-				owner_uid = '$user_id' AND
+				owner_uid = :uid AND
 				ttrss_user_prefs.pref_name = ttrss_prefs.pref_name");
+		$sth->execute([":uid" => $user_id, ":profile" => $profile, ":pref_name" => $pref_name]);
 
-		if (db_num_rows($result) > 0) {
-			$value = db_fetch_result($result, 0, "value");
-			$type_name = db_fetch_result($result, 0, "type_name");
+		if ($row = $sth->fetch()) {
+			$value = $row["value"];
+			$type_name = $row["type_name"];
 
 			if ($user_id == $_SESSION["uid"]) {
 				$this->cache[$pref_name]["type"] = $type_name;
@@ -119,8 +109,7 @@ class Db_Prefs {
 	}
 
 	function write($pref_name, $value, $user_id = false, $strip_tags = true) {
-		$pref_name = db_escape_string($pref_name);
-		$value = db_escape_string($value, $strip_tags);
+		if ($strip_tags) $value = strip_tags($value);
 
 		if (!$user_id) {
 			$user_id = $_SESSION["uid"];
@@ -135,7 +124,7 @@ class Db_Prefs {
 			$profile_qpart = "AND profile IS NULL";
 		}
 
-		if (get_schema_version() < 63) $profile_qpart = "";
+		if (!$profile || get_schema_version() < 63) $profile = null;
 
 		$type_name = "";
 		$current_value = "";
@@ -146,12 +135,14 @@ class Db_Prefs {
 		}
 
 		if (!$type_name) {
-			$result = db_query("SELECT type_name
+			$sth = $this->pdo->prepare("SELECT type_name
 				FROM ttrss_prefs,ttrss_prefs_types
-				WHERE pref_name = '$pref_name' AND type_id = ttrss_prefs_types.id");
+				WHERE pref_name = ? AND type_id = ttrss_prefs_types.id");
+			$sth->execute([$pref_name]);
+
+			if ($row = $sth->fetch())
+				$type_name = $row["type_name"];
 
-			if (db_num_rows($result) > 0)
-				$type_name = db_fetch_result($result, 0, "type_name");
 		} else if ($current_value == $value) {
 			return;
 		}
@@ -171,10 +162,12 @@ class Db_Prefs {
 				$value = 'UTC';
 			}
 
-			db_query("UPDATE ttrss_user_prefs SET
-				value = '$value' WHERE pref_name = '$pref_name'
-					$profile_qpart
-					AND owner_uid = " . $user_id);
+			$sth = $this->pdo->prepare("UPDATE ttrss_user_prefs SET
+				value = :value WHERE pref_name = :pref_name
+					AND (profile = :profile OR (:profile IS NULL AND profile IS NULL))
+					AND owner_uid = :uid");
+
+			$sth->execute([":pref_name" => $pref_name, ":value" => $value, ":uid" => $user_id, ":profile" => $profile]);
 
 			if ($user_id == $_SESSION["uid"]) {
 				$this->cache[$pref_name]["type"] = $type_name;