Changeset 4729

Timestamp:

11/30/07 01:19:43 (12 months ago)

Author:

inureyes

Message:

#711

• escape부분은 DB 종속적이므로 전부 분리함.
  

Location:

trunk

Files:

• blog/checkup/index.php (modified) (5 diffs)
• blog/owner/data/correct/index.php (modified) (2 diffs)
• blog/owner/plugin/tableSetting/delete/index.php (modified) (2 diffs)
• lib/auth.php (modified) (2 diffs)
• lib/model/blog.api.php (modified) (3 diffs)
• lib/model/blog.attachment.php (modified) (8 diffs)
• lib/model/blog.blogSetting.php (modified) (5 diffs)
• lib/model/blog.category.php (modified) (7 diffs)
• lib/model/blog.comment.php (modified) (6 diffs)
• lib/model/blog.entry.php (modified) (13 diffs)
• lib/model/blog.keyword.php (modified) (3 diffs)
• lib/model/blog.skin.php (modified) (2 diffs)
• lib/model/blog.statistics.php (modified) (1 diff)
• lib/model/blog.tag.php (modified) (5 diffs)
• lib/model/blog.trackback.php (modified) (3 diffs)
• lib/model/blog.trash.php (modified) (2 diffs)
• lib/model/common.plugin.php (modified) (8 diffs)
• lib/model/common.setting.php (modified) (8 diffs)
• lib/model/reader.common.php (modified) (6 diffs)
• lib/piece/owner/libForControl.php (modified) (1 diff)
• lib/session.php (modified) (1 diff)

trunk/blog/checkup/index.php

@@ -19 +19 @@
 function setBlogSettingForMigration($blogid, $name, $value, $mig = null) {
     global $database;
-    $name = tc_escape_string($name);
-    $value = tc_escape_string($value);
+    $name = DBQuery::escapeString($name);
+    $value = DBQuery::escapeString($value);
     if($mig == null) 
         return DBQuery::execute("REPLACE INTO {$database['prefix']}BlogSettingsMig VALUES('$blogid', '$name', '$value')");
@@ -32 +32 @@
         FROM {$database['prefix']}BlogSettingsMig 
         WHERE blogid = '$blogid'
-        AND name = '".tc_escape_string($name)."'");
+        AND name = '".DBQuery::escapeString($name)."'");
     return ($value === null) ? $default : $value;
 }
@@ -334 +334 @@
                 $query->setQualifier('draft', $entry['draft']);
                 $originalEntry = $query->getCell('content');
-                $newContent = tc_escape_string(nl2brWithHTML($originalEntry));
+                $newContent = DBQuery::escapeString(nl2brWithHTML($originalEntry));
                 DBQuery::execute("UPDATE {$database['prefix']}Entries SET content = '$newContent' WHERE owner = {$entry['owner']} AND id = {$entry['id']} AND draft = {$entry['draft']}");
                 $query->resetQualifiers();
@@ -500 +500 @@
     $result =
         DBQuery::execute("ALTER TABLE {$database['prefix']}Entries ADD contentEditor VARCHAR(32) DEFAULT '' NOT NULL AFTER content, ADD contentFormatter VARCHAR(32) DEFAULT '' NOT NULL AFTER content") &&
-        DBQuery::execute("UPDATE {$database['prefix']}Entries SET contentEditor = '".tc_escape_string($defaulteditor)."', contentFormatter = '".tc_escape_string($defaultformatter)."'");
+        DBQuery::execute("UPDATE {$database['prefix']}Entries SET contentEditor = '".DBQuery::escapeString($defaulteditor)."', contentFormatter = '".DBQuery::escapeString($defaultformatter)."'");
     if ($result)
         echo '<span style="color:#33CC33;">', _text('성공'), '</span></li>';
@@ -512 +512 @@
     $defaultformatter = 'ttml';
     $defaulteditor = 'modern';
-    $result = DBQuery::execute("UPDATE {$database['prefix']}Entries SET contentEditor = '".tc_escape_string($defaulteditor)."', contentFormatter = '".tc_escape_string($defaultformatter)."'");
+    $result = DBQuery::execute("UPDATE {$database['prefix']}Entries SET contentEditor = '".DBQuery::escapeString($defaulteditor)."', contentFormatter = '".DBQuery::escapeString($defaultformatter)."'");
     if ($result)
         echo '<span style="color:#33CC33;">', _text('성공'), '</span></li>';

trunk/blog/owner/data/correct/index.php

@@ -113 +113 @@
         $correction = '';
         if (!UTF8::validate($comment['name']))
-            $correction .= ' name = \'' . tc_escape_string(UTF8::correct($comment['name'], '?')) . '\'';
+            $correction .= ' name = \'' . DBQuery::escapeString(UTF8::correct($comment['name'], '?')) . '\'';
         if (!UTF8::validate($comment['homepage']))
-            $correction .= ' homepage = \'' . tc_escape_string(UTF8::correct($comment['homepage'], '?')) . '\'';
+            $correction .= ' homepage = \'' . DBQuery::escapeString(UTF8::correct($comment['homepage'], '?')) . '\'';
         if (!UTF8::validate($comment['comment']))
-            $correction .= ' comment = \'' . tc_escape_string(UTF8::correct($comment['comment'], '?')) . '\'';
+            $correction .= ' comment = \'' . DBQuery::escapeString(UTF8::correct($comment['comment'], '?')) . '\'';
         if (strlen($correction) > 0) {
             DBQuery::query("UPDATE {$database['prefix']}Comments SET $correction WHERE blogid = $blogid AND id = {$comment['id']}");
@@ -138 +138 @@
         $correction = '';
         if (!UTF8::validate($trackback['url']))
-            $correction .= ' url = \'' . tc_escape_string(UTF8::correct($trackback['url'], '?')) . '\'';
+            $correction .= ' url = \'' . DBQuery::escapeString(UTF8::correct($trackback['url'], '?')) . '\'';
         if (!UTF8::validate($trackback['site']))
-            $correction .= ' site = \'' . tc_escape_string(UTF8::correct($trackback['site'], '?')) . '\'';
+            $correction .= ' site = \'' . DBQuery::escapeString(UTF8::correct($trackback['site'], '?')) . '\'';
         if (!UTF8::validate($trackback['subject']))
-            $correction .= ' subject = \'' . tc_escape_string(UTF8::correct($trackback['subject'], '?')) . '\'';
+            $correction .= ' subject = \'' . DBQuery::escapeString(UTF8::correct($trackback['subject'], '?')) . '\'';
         if (!UTF8::validate($trackback['excerpt']))
-            $correction .= ' excerpt = \'' . tc_escape_string(UTF8::correct($trackback['excerpt'], '?')) . '\'';
+            $correction .= ' excerpt = \'' . DBQuery::escapeString(UTF8::correct($trackback['excerpt'], '?')) . '\'';
         if (strlen($correction) > 0) {
             DBQuery::query("UPDATE {$database['prefix']}Trackbacks SET $correction WHERE blogid = $blogid AND id = {$trackback['id']}");

trunk/blog/owner/plugin/tableSetting/delete/index.php

@@ -26 +26 @@
     $version = $values[1];
 
-    $query = "select name from {$database['prefix']}ServiceSettings WHERE value = '" . tc_escape_string($_REQUEST['name']) . "'";
+    $query = "select name from {$database['prefix']}ServiceSettings WHERE value = '" . DBQuery::escapeString($_REQUEST['name']) . "'";
     
     $plugintablesraw = DBQuery::queryColumn($query);
@@ -46 +46 @@
         }
         array_push($plugintables, $dbname);
-        $query = "delete from {$database['prefix']}ServiceSettings WHERE name = '$origname' AND value = '" . tc_escape_string($_REQUEST['name']) . "'";
+        $query = "delete from {$database['prefix']}ServiceSettings WHERE name = '$origname' AND value = '" . DBQuery::escapeString($_REQUEST['name']) . "'";
         DBQuery::execute($query);
     }

trunk/lib/auth.php

@@ -6 +6 @@
 function login($loginid, $password, $preKnownPassword = null) {
     global $service;
-    $loginid = tc_escape_string($loginid);
+    $loginid = DBQuery::escapeString($loginid);
     $blogid = getBlogId();
     $userid = Auth::authenticate($blogid , $loginid, $password );
@@ -110 +110 @@
 function isLoginId($blogid, $loginid) {
     global $database;
-    $loginid = tc_escape_string($loginid);
+    $loginid = DBQuery::escapeString($loginid);
     
     // 팀블로그 :: 팀원 확인

trunk/lib/model/blog.api.php

@@ -325 +325 @@
     $attachment['parent']=$parent?$parent:0;
     $attachment['label']=Path::getBaseName($file['name']);
-    $label=tc_escape_string(UTF8::lessenAsEncoding($attachment['label'],64));
+    $label=DBQuery::escapeString(UTF8::lessenAsEncoding($attachment['label'],64));
     $attachment['size']=$file['size'];
     $extension=Path::getExtension($attachment['label']);
@@ -414 +414 @@
         foreach( $attaches as $att )
         {
-            $att = tc_escape_string($att);
+            $att = DBQuery::escapeString($att);
             DBQuery::query( "update {$database['prefix']}Attachments set parent=$parent where owner=".getBlogId()." and parent=0 and name='" . $att . "'");
         }
@@ -427 +427 @@
     $newFiles = DBQuery::queryAll("SELECT name, label FROM {$database['prefix']}Attachments WHERE owner=".getBlogId()." AND parent=0");
     foreach($newFiles as $newfile) {
-        $newfile['label'] = tc_escape_string(UTF8::lessenAsEncoding($newfile['label'], 64));
+        $newfile['label'] = DBQuery::escapeString(UTF8::lessenAsEncoding($newfile['label'], 64));
         $oldFile = DBQuery::queryCell("SELECT name FROM {$database['prefix']}Attachments WHERE owner=".getBlogId()." AND parent=$entryId AND label='{$newfile['label']}'");
     

trunk/lib/model/blog.attachment.php

@@ -62 +62 @@
     } else {
         $newAttachment = DBQuery::queryRow("SELECT * FROM {$database['prefix']}Attachments 
-            WHERE blogid = $blogid AND name = '".tc_escape_string($name)."'");
+            WHERE blogid = $blogid AND name = '".DBQuery::escapeString($name)."'");
         array_push($__gCacheAttachment,$newAttachment);
         return $newAttachment;
@@ -72 +72 @@
     if ($parent === false)
         $parent = 0;
-    $label = tc_escape_string($label);
+    $label = DBQuery::escapeString($label);
     return DBQuery::queryRow("SELECT * FROM {$database['prefix']}Attachments WHERE blogid = $blogid AND parent = $parent AND label = '$label'");
 }
@@ -97 +97 @@
     if (empty($file['name']) || ($file['error'] != 0))
         return false;
-    $filename = tc_escape_string($file['name']);
+    $filename = DBQuery::escapeString($file['name']);
     if (DBQuery::queryCell("SELECT count(*) 
         FROM {$database['prefix']}Attachments 
@@ -141 +141 @@
         return false;
     @chmod($attachment['path'], 0666);
-    $name = tc_escape_string($attachment['name']);
-    $label = tc_escape_string(UTF8::lessenAsEncoding($attachment['label'], 64));
+    $name = DBQuery::escapeString($attachment['name']);
+    $label = DBQuery::escapeString(UTF8::lessenAsEncoding($attachment['label'], 64));
     $attachment['mime'] = UTF8::lessenAsEncoding($attachment['mime'], 32);
     
@@ -159 +159 @@
         return false;
     $origname = $name;
-    $name = tc_escape_string($name);
+    $name = DBQuery::escapeString($name);
     if (DBQuery::execute("DELETE FROM {$database['prefix']}Attachments WHERE blogid = $blogid AND name = '$name'")) {
         @unlink(ROOT . "/attach/$blogid/$origname");
@@ -228 +228 @@
             continue;
         $origname = $name;
-        $name = tc_escape_string($name);
+        $name = DBQuery::escapeString($name);
         if (DBQuery::execute("DELETE FROM {$database['prefix']}Attachments WHERE blogid = $blogid AND parent = $parent AND name = '$name'")) {
             unlink(ROOT . "/attach/$blogid/$origname");
@@ -249 +249 @@
     requireModel('blog.rss');
     global $database;
-    $name = tc_escape_string($name);
+    $name = DBQuery::escapeString($name);
     DBQuery::query("UPDATE {$database['prefix']}Attachments SET downloads = downloads + 1 WHERE blogid = ".getBlogId()." AND name = '$name'");
 }
@@ -257 +257 @@
     requireModel('blog.rss');
     requireModel('blog.attachment');
-    $name = tc_escape_string($name);
+    $name = DBQuery::escapeString($name);
     if (($parent = DBQuery::queryCell("SELECT parent FROM {$database['prefix']}Attachments WHERE blogid = ".getBlogId()." AND name = '$name'")) !== null) {
         DBQuery::execute("UPDATE {$database['prefix']}Attachments SET enclosure = 0 WHERE parent = $parent AND blogid = ".getBlogId());

trunk/lib/model/blog.blogSetting.php

@@ -218 +218 @@
     global $database;
     if (strcmp($email, UTF8::lessenAsEncoding($email, 64)) != 0) return false;
-    $email = tc_escape_string(UTF8::lessenAsEncoding($email, 64));
-    $nickname = tc_escape_string(UTF8::lessenAsEncoding($nickname, 32));
+    $email = DBQuery::escapeString(UTF8::lessenAsEncoding($email, 64));
+    $nickname = DBQuery::escapeString(UTF8::lessenAsEncoding($nickname, 32));
     if ($email == '' || $nickname == '') {
         return false;
@@ -241 +241 @@
     if (strcmp($email, UTF8::lessenAsEncoding($email, 64)) != 0) return 11;
 
-    $loginid = tc_escape_string(UTF8::lessenAsEncoding($email, 64));    
-    $name = tc_escape_string(UTF8::lessenAsEncoding($name, 32));
+    $loginid = DBQuery::escapeString(UTF8::lessenAsEncoding($email, 64));   
+    $name = DBQuery::escapeString(UTF8::lessenAsEncoding($name, 32));
     $password = generatePassword();
     $authtoken = md5(generatePassword());
@@ -288 +288 @@
         if (!preg_match('/^[a-zA-Z0-9]+$/', $identify))
             return 4; // Wrong Blog name
-        $identify = tc_escape_string(UTF8::lessenAsEncoding($identify, 32));
+        $identify = DBQuery::escapeString(UTF8::lessenAsEncoding($identify, 32));
 
         $blogName = $identify;
@@ -306 +306 @@
         $blogid = DBQuery::queryCell("SELECT max(blogid)
             FROM `{$database['prefix']}BlogSettings`") + 1;
-        $baseTimezone = tc_escape_string($service['timezone']);
+        $baseTimezone = DBQuery::escapeString($service['timezone']);
         $basicInformation = array(
             'name'         => $identify,
@@ -404 +404 @@
     if (strcmp($email, UTF8::lessenAsEncoding($email, 64)) != 0) return 11;
 
-    $loginid = tc_escape_string(UTF8::lessenAsEncoding($email, 64));    
-    $name = tc_escape_string(UTF8::lessenAsEncoding($name, 32));
+    $loginid = DBQuery::escapeString(UTF8::lessenAsEncoding($email, 64));   
+    $name = DBQuery::escapeString(UTF8::lessenAsEncoding($name, 32));
 
     $headers = 'From: ' . encodeMail($senderName) . '<' . $senderEmail . ">\n" . 'X-Mailer: ' . TEXTCUBE_NAME . "\n" . "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n";

trunk/lib/model/blog.category.php

@@ -37 +37 @@
         return 0;
 
-    $label = tc_escape_string($label);
+    $label = DBQuery::escapeString($label);
     if(empty($__gCacheCategoryRaw)) getCategories($blogid, 'raw'); //To cache category information.
     if($result = MMCache::queryRow($__gCacheCategoryRaw,'label',$label))
@@ -220 +220 @@
     }
 
-    $label = tc_escape_string(UTF8::lessenAsEncoding($label, 255));
-    $name = tc_escape_string(UTF8::lessenAsEncoding($name, 127));
+    $label = DBQuery::escapeString(UTF8::lessenAsEncoding($label, 255));
+    $name = DBQuery::escapeString(UTF8::lessenAsEncoding($name, 127));
 
     if($parent == 'NULL') {
@@ -288 +288 @@
     } else
         $parentStr = 'AND parent is null';
-    $name = tc_escape_string(UTF8::lessenAsEncoding($name, 127));
+    $name = DBQuery::escapeString(UTF8::lessenAsEncoding($name, 127));
     if(DBQuery::queryExistence("SELECT name
         FROM {$database['prefix']}Categories
         WHERE blogid = $blogid AND name = '".$name."'"))
         return false;
-    $label = tc_escape_string(UTF8::lessenAsEncoding(empty($label) ? $name : "$label/$name", 255));
+    $label = DBQuery::escapeString(UTF8::lessenAsEncoding(empty($label) ? $name : "$label/$name", 255));
     $sql = "SELECT * 
         FROM {$database['prefix']}Categories 
@@ -301 +301 @@
     if(DBQuery::queryExistence($sql) == false)
         return false;
-    $bodyid = tc_escape_string(UTF8::lessenAsEncoding($bodyid, 20));
+    $bodyid = DBQuery::escapeString(UTF8::lessenAsEncoding($bodyid, 20));
     
     $result = DBQuery::query("UPDATE {$database['prefix']}Categories 
@@ -322 +322 @@
         $parent = $row['id'];
         $parentName = UTF8::lessenAsEncoding($row['name'], 127);
-        $row['name'] = tc_escape_string($parentName);
+        $row['name'] = DBQuery::escapeString($parentName);
         $countParent = DBQuery::queryCell("SELECT COUNT(id) FROM {$database['prefix']}Entries WHERE blogid = $blogid AND draft = 0 AND visibility > 0 AND category = $parent");
         $countInLoginParent = DBQuery::queryCell("SELECT COUNT(id) FROM {$database['prefix']}Entries WHERE blogid = $blogid AND draft = 0 AND category = $parent");
         $result2 = DBQuery::queryAll("SELECT * FROM {$database['prefix']}Categories WHERE blogid = $blogid AND parent = $parent");
         foreach ($result2 as $rowChild) {
-            $label = tc_escape_string(UTF8::lessenAsEncoding($parentName . '/' . $rowChild['name'], 255));
-            $rowChild['name'] = tc_escape_string(UTF8::lessenAsEncoding($rowChild['name'], 127));
+            $label = DBQuery::escapeString(UTF8::lessenAsEncoding($parentName . '/' . $rowChild['name'], 255));
+            $rowChild['name'] = DBQuery::escapeString(UTF8::lessenAsEncoding($rowChild['name'], 127));
             $countChild = DBQuery::queryCell("SELECT COUNT(id) FROM {$database['prefix']}Entries WHERE blogid = $blogid AND draft = 0 AND visibility > 0 AND category = {$rowChild['id']}");
             $countInLogInChild = DBQuery::queryCell("SELECT COUNT(id) FROM {$database['prefix']}Entries WHERE blogid = $blogid AND draft = 0 AND category = {$rowChild['id']}");
@@ -452 +452 @@
         // 위치를 바꿀 대상이 1 depth이면.
         if ($nextId == 'NULL') {
-            $myName = tc_escape_string(DBQuery::queryCell("SELECT `name` FROM `{$database['prefix']}Categories` WHERE `id` = $myId and `blogid` = $blogid"));
+            $myName = DBQuery::escapeString(DBQuery::queryCell("SELECT `name` FROM `{$database['prefix']}Categories` WHERE `id` = $myId and `blogid` = $blogid"));
             $overlapCount = DBQuery::queryCell("SELECT count(*) FROM `{$database['prefix']}Categories` WHERE `name` = '$myName' AND `parent` IS NULL AND `blogid` = $blogid");
             // 1 depth에 같은 이름이 있으면 2 depth로 직접 이동.
@@ -464 +464 @@
                     
                     // 위치를 바꿀 대상 카테고리에 같은 이름이 존재하는지 판별.
-                    $myName = tc_escape_string(DBQuery::queryCell("SELECT `name` FROM `{$database['prefix']}Categories` WHERE `id` = $myId AND `blogid` = $blogid"));
+                    $myName = DBQuery::escapeString(DBQuery::queryCell("SELECT `name` FROM `{$database['prefix']}Categories` WHERE `id` = $myId AND `blogid` = $blogid"));
                     $overlapCount = DBQuery::queryCell("SELECT count(*) FROM `{$database['prefix']}Categories` WHERE `name` = '$myName' AND `parent` = $nextId AND `blogid` = $blogid");
                     // 같은 이름이 없으면 이동 시작.

trunk/lib/model/blog.comment.php

@@ -56 +56 @@
         $sql .= ' AND e.category >= 0';
     if (!empty($name)) {
-        $sql .= ' AND c.name = \'' . tc_escape_string($name) . '\'';
+        $sql .= ' AND c.name = \'' . DBQuery::escapeString($name) . '\'';
         $postfix .= '&name=' . rawurlencode($name);
     }
     if (!empty($ip)) {
-        $sql .= ' AND c.ip = \'' . tc_escape_string($ip) . '\'';
+        $sql .= ' AND c.ip = \'' . DBQuery::escapeString($ip) . '\'';
         $postfix .= '&ip=' . rawurlencode($ip);
     }
@@ -102 +102 @@
         $preQuery = "SELECT parent FROM {$database['prefix']}CommentsNotified WHERE blogid = $blogid AND parent is NOT NULL";
         if (!empty($name))
-            $preQuery .= ' AND name = \''. tc_escape_string($name) . '\' ';
+            $preQuery .= ' AND name = \''. DBQuery::escapeString($name) . '\' ';
         if (!empty($ip))
-            $preQuery .= ' AND ip = \''. tc_escape_string($ip) . '\' ';
+            $preQuery .= ' AND ip = \''. DBQuery::escapeString($ip) . '\' ';
         if (!empty($search)) {
             $preQuery .= " AND ((name LIKE '%$search%') OR (homepage LIKE '%$search%') OR (comment LIKE '%$search%'))";
@@ -127 +127 @@
             WHERE c.blogid = $blogid AND (c.parent is null) ";
         if (!empty($name))
-            $sql .= ' AND ( c.name = \'' . tc_escape_string($name) . '\') ' ;
+            $sql .= ' AND ( c.name = \'' . DBQuery::escapeString($name) . '\') ' ;
         if (!empty($ip))
-            $sql .= ' AND ( c.ip = \'' . tc_escape_string($ip) . '\') ';
+            $sql .= ' AND ( c.ip = \'' . DBQuery::escapeString($ip) . '\') ';
         if (!empty($search)) {
             $sql .= " AND ((c.name LIKE '%$search%') OR (c.homepage LIKE '%$search%') OR (c.comment LIKE '%$search%')) ";
@@ -371 +371 @@
     if ($user !== null) {
         $comment['replier'] = getUserId();
-        $name = tc_escape_string($user['name']);
+        $name = DBQuery::escapeString($user['name']);
         $password = '';
-        $homepage = tc_escape_string($user['homepage']);
+        $homepage = DBQuery::escapeString($user['homepage']);
     } else {
         $comment['replier'] = 'null';
-        $name = tc_escape_string($comment['name']);
+        $name = DBQuery::escapeString($comment['name']);
         $password = empty($comment['password']) ? '' : md5($comment['password']);
-        $homepage = tc_escape_string($comment['homepage']);
-    }
-    $comment0 = tc_escape_string($comment['comment']);
+        $homepage = DBQuery::escapeString($comment['homepage']);
+    }
+    $comment0 = DBQuery::escapeString($comment['comment']);
     $filteredAux = ($filtered == 1 ? "UNIX_TIMESTAMP()" : 0);
     $insertId = getCommentsMaxId() + 1;
@@ -445 +445 @@
     if ($user !== null) {
         $comment['replier'] = getUserId();
-        $name = tc_escape_string($user['name']);
+        $name = DBQuery::escapeString($user['name']);
         $setPassword = 'password = \'\',';
-        $homepage = tc_escape_string($user['homepage']);
+        $homepage = DBQuery::escapeString($user['homepage']);
     } else {
-        $name = tc_escape_string($comment['name']);
+        $name = DBQuery::escapeString($comment['name']);
         if ($comment['password'] !== true)
             $setPassword = 'password = \'' . (empty($comment['password']) ? '' : md5($comment['password'])) . '\', ';
-        $homepage = tc_escape_string($comment['homepage']);
-    }
-    $comment0 = tc_escape_string($comment['comment']);
+        $homepage = DBQuery::escapeString($comment['homepage']);
+    }
+    $comment0 = DBQuery::escapeString($comment['comment']);
     
     $guestcomment = false;
@@ -809 +809 @@
     
     $blogid = getBlogId();
-    $title = tc_escape_string(UTF8::lessenAsEncoding($post['s_home_title'], 255));
-    $name = tc_escape_string(UTF8::lessenAsEncoding($post['s_name'], 255));
-    $entryId = tc_escape_string($post['s_no']);
-    $homepage = tc_escape_string(UTF8::lessenAsEncoding($post['url'], 255));
-    $entryUrl = tc_escape_string($post['s_url']);
-    $entryTitle = tc_escape_string($post['s_post_title']);
+    $title = DBQuery::escapeString(UTF8::lessenAsEncoding($post['s_home_title'], 255));
+    $name = DBQuery::escapeString(UTF8::lessenAsEncoding($post['s_name'], 255));
+    $entryId = DBQuery::escapeString($post['s_no']);
+    $homepage = DBQuery::escapeString(UTF8::lessenAsEncoding($post['url'], 255));
+    $entryUrl = DBQuery::escapeString($post['s_url']);
+    $entryTitle = DBQuery::escapeString($post['s_post_title']);
     $parent_id = $post['r1_no'];
-    $parent_name = tc_escape_string(UTF8::lessenAsEncoding($post['r1_name'], 80));
+    $parent_name = DBQuery::escapeString(UTF8::lessenAsEncoding($post['r1_name'], 80));
     $parent_parent = $post['r1_rno'];
-    $parent_homepage = tc_escape_string(UTF8::lessenAsEncoding($post['r1_homepage'], 80));
+    $parent_homepage = DBQuery::escapeString(UTF8::lessenAsEncoding($post['r1_homepage'], 80));
     $parent_written = $post['r1_regdate'];
-    $parent_comment = tc_escape_string(UTF8::lessenAsEncoding($post['r1_body'], 255));
-    $parent_url = tc_escape_string(UTF8::lessenAsEncoding($post['r1_url'], 255));
+    $parent_comment = DBQuery::escapeString(UTF8::lessenAsEncoding($post['r1_body'], 255));
+    $parent_url = DBQuery::escapeString(UTF8::lessenAsEncoding($post['r1_url'], 255));
     $child_id = $post['r2_no'];
-    $child_name = tc_escape_string(UTF8::lessenAsEncoding($post['r2_name'], 80));
+    $child_name = DBQuery::escapeString(UTF8::lessenAsEncoding($post['r2_name'], 80));
     $child_parent = $post['r2_rno'];
-    $child_homepage = tc_escape_string(UTF8::lessenAsEncoding($post['r2_homepage'], 80));
+    $child_homepage = DBQuery::escapeString(UTF8::lessenAsEncoding($post['r2_homepage'], 80));
     $child_written = $post['r2_regdate'];
-    $child_comment = tc_escape_string(UTF8::lessenAsEncoding($post['r2_body'], 255));
-    $child_url = tc_escape_string(UTF8::lessenAsEncoding($post['r2_url'], 255));
+    $child_comment = DBQuery::escapeString(UTF8::lessenAsEncoding($post['r2_body'], 255));
+    $child_url = DBQuery::escapeString(UTF8::lessenAsEncoding($post['r2_url'], 255));
     $siteId = DBQuery::queryCell("SELECT id FROM {$database['prefix']}CommentsNotifiedSiteInfo WHERE url = '$homepage'");
     $insertId = getCommentsNotifiedSiteInfoMaxId() + 1;

trunk/lib/model/blog.entry.php

@@ -154 +154 @@
     if ($tag === null)
         return array(array(), array('url'=>'','prefix'=>'','postfix'=>'')); 
-    $tag = tc_escape_string($tag);
+    $tag = DBQuery::escapeString($tag);
     $visibility = doesHaveOwnership() ? '' : 'AND e.visibility > 0'.getPrivateCategoryExclusionQuery($blogid);
     $sql = "SELECT e.blogid, e.userid, e.id, e.title, e.comments, e.slogan, e.published
@@ -224 +224 @@
     if ($tag === null)
         return fetchWithPaging(null, $page, $count, "$folderURL/{$suri['value']}");
-    $tag = tc_escape_string($tag);
+    $tag = DBQuery::escapeString($tag);
     $visibility = doesHaveOwnership() ? '' : 'AND e.visibility > 0'.getPrivateCategoryExclusionQuery($blogid);
     $sql = "SELECT e.*, c.label categoryLabel 
@@ -390 +390 @@
         LEFT JOIN {$database['prefix']}Categories c ON e.blogid = c.blogid AND e.category = c.id 
         WHERE e.blogid = $blogid 
-            AND e.slogan = '".tc_escape_string($slogan)."' 
+            AND e.slogan = '".DBQuery::escapeString($slogan)."' 
             AND e.draft = 0 $visibility AND $category");
 
@@ -470 +470 @@
     }
 
-    $slogan = tc_escape_string(UTF8::lessenAsEncoding($slogan, 255));
-    $title = tc_escape_string($entry['title']);
+    $slogan = DBQuery::escapeString(UTF8::lessenAsEncoding($slogan, 255));
+    $title = DBQuery::escapeString($entry['title']);
 
     if($entry['category'] == -1) {
@@ -492 +492 @@
         if ($i > 1000)
             return false;
-        $slogan = tc_escape_string(UTF8::lessenAsEncoding($slogan0, 245) . '-' . $i);
+        $slogan = DBQuery::escapeString(UTF8::lessenAsEncoding($slogan0, 245) . '-' . $i);
         $result = DBQuery::queryCount("SELECT slogan FROM {$database['prefix']}Entries WHERE blogid = $blogid AND slogan = '$slogan' AND draft = 0 LIMIT 1");
     }
     $userid = $entry['userid'];
-    $content = tc_escape_string($entry['content']);
-    $contentFormatter = tc_escape_string($entry['contentFormatter']);
-    $contentEditor = tc_escape_string($entry['contentEditor']);
-    $password = tc_escape_string(generatePassword());
-    $location = tc_escape_string($entry['location']);
+    $content = DBQuery::escapeString($entry['content']);
+    $contentFormatter = DBQuery::escapeString($entry['contentFormatter']);