additional array checking

Zotlabs/Module/Profiles.php

@@ -117,13 +117,7 @@ class Profiles extends \Zotlabs\Web\Controller {
 			$r1[0]['profile_name'] = dbesc($name);
 			$r1[0]['profile_guid'] = dbesc(random_string());
 	
-			dbesc_array($r1[0]);
-	
-			$r2 = dbq("INSERT INTO profile (" . TQUOT 
-				. implode(TQUOT . ", " . TQUOT, array_keys($r1[0])) 
-				. TQUOT . ") VALUES ('" 
-				. implode("', '", array_values($r1[0])) 
-				. "')" );
+			create_table_from_array('profile', $r1[0]);
 	
 			$r3 = q("SELECT id FROM profile WHERE uid = %d AND profile_name = '%s' LIMIT 1",
 				intval(local_channel()),

include/dba/dba_driver.php

@@ -391,9 +391,22 @@ function dbesc_array_cb(&$item, $key) {
 
 
 function dbesc_array(&$arr) {
+	$bogus_key = false;
 	if(is_array($arr) && count($arr)) {
+		$matches = false;
+		foreach($arr as $k => $v) {
+			if(preg_match('/([^a-zA-Z0-9\-\_\.])/',$k,$matches)) {
+				logger('bogus key: ' . $k);
+				$bogus_key = true;
+			}
+		}
 		array_walk($arr,'dbesc_array_cb');
+		if($bogus_key) {
+			$arr['BOGUS.KEY'] = 1;
+			return false;
+		}
 	}
+	return true;
 }
 
 function db_getfunc($f) {

include/import.php

@@ -1026,7 +1026,8 @@ function sync_files($channel,$files) {
 
 					if($attach_exists) {
 						logger('sync_files attach exists: ' . print_r($att,true), LOGGER_DEBUG);
-						dbesc_array($att);
+						if(! dbesc_array($att))
+							continue;
 						$str = '';
     					foreach($att as $k => $v) {
 			        		if($str)
@@ -1140,7 +1141,8 @@ function sync_files($channel,$files) {
 
 
 					if($exists) {
-						dbesc_array($p);
+						if(! dbesc_array($p))
+							continue;
 					    $str = '';
     					foreach($p as $k => $v) {
 				        	if($str)

include/items.php

@@ -2161,7 +2161,10 @@ function item_store_update($arr,$allow_exec = false, $deliver = true) {
 	}
 
 
-	dbesc_array($arr);
+	if(! dbesc_array($arr)) {
+		$ret['message'] = 'DB array malformed';
+		return $ret;
+	}
 
 	logger('item_store_update: ' . print_r($arr,true), LOGGER_DATA);
 

include/text.php

@@ -3035,13 +3035,14 @@ function create_table_from_array($table,$arr) {
 	if(! ($arr && $table))
 		return false;
 
-	dbesc_array($arr);
-
-	$r = dbq("INSERT INTO " . TQUOT . $table . TQUOT . " (" . TQUOT
+	if(dbesc_array($arr)) {
+		$r = dbq("INSERT INTO " . TQUOT . $table . TQUOT . " (" . TQUOT
 			. implode(TQUOT . ', ' . TQUOT, array_keys($arr))
 			. TQUOT . ") VALUES ('"
 			. implode("', '", array_values($arr))
-			. "')" );
+			. "')" 
+		);
+	}
 	return $r;
 
 }