Merge remote-tracking branch 'mike/master' into dev

include/import.php

@@ -1326,20 +1326,23 @@ function sync_files($channel, $files) {
 					);
 
 					if($exists) {
-						if(! dbesc_array($p))
-							continue;
 
 						$str = '';
 						foreach($p as $k => $v) {
+							$matches = false;
+							if(preg_match('/([^a-zA-Z0-9\-\_\.])/',$k,$matches)) {
+								continue;
+							}
+
 							if($str)
 								$str .= ",";
 							
-							$str .= " " . TQUOT . $k . TQUOT . " = '" . $v . "' ";
+							$str .= " " . TQUOT . $k . TQUOT . " = '" . (($k === 'content') ? dbescbin($v) : dbesc($v)) . "' ";
 						}
 						$r = dbq("update photo set " . $str . " where id = " . intval($exists[0]['id']) );
 					}
 					else {
-						create_table_from_array('photo',$p);
+						create_table_from_array('photo',$p, [ 'content' ] );
 					}
 				}
 			}

include/text.php

@@ -3186,21 +3186,33 @@ function array2XML($obj, $array) {
  *
  * @param string $table
  * @param array $arr
+ * @param array $binary_fields - fields which will be cleansed with dbescbin rather than dbesc; this is critical for postgres
  * @return boolean|PDOStatement
  */
-function create_table_from_array($table, $arr) {
+function create_table_from_array($table, $arr, $binary_fields = []) {
 
 	if(! ($arr && $table))
 		return false;
 
-	if(dbesc_array($arr)) {
+	$clean = [];
-		$r = dbq("INSERT INTO " . TQUOT . $table . TQUOT . " (" . TQUOT
+	foreach($arr as $k => $v) {
-			. implode(TQUOT . ', ' . TQUOT, array_keys($arr))
+		$matches = false;
-			. TQUOT . ") VALUES ('"
+		if(preg_match('/([^a-zA-Z0-9\-\_\.])/',$k,$matches)) {
-			. implode("', '", array_values($arr))
+			return false;
-			. "')"
+		}
-		);
+		if(in_array($k,$binary_fields)) {
+			$clean[$k] = dbescbin($v);
+		}
+		else {
+			$clean[$k] = dbesc($v);
+		}
 	}
+	$r = dbq("INSERT INTO " . TQUOT . $table . TQUOT . " (" . TQUOT
+		. implode(TQUOT . ', ' . TQUOT, array_keys($clean))
+		. TQUOT . ") VALUES ('"
+		. implode("', '", array_values($clean))
+		. "')"
+	);
 
 	return $r;
 }