Diffstat (limited to 'p/api')
-rw-r--r--p/api/fever.php23
-rw-r--r--p/api/greader.php2
2 files changed, 14 insertions, 11 deletions
diff --git a/p/api/fever.php b/p/api/fever.php
index d1482e8a1..55baa6d16 100644
--- a/p/api/fever.php
+++ b/p/api/fever.php
@@ -69,14 +69,16 @@ class FeverDAO extends Minz_ModelPdo
if (!empty($entry_ids)) {
$bindEntryIds = $this->bindParamArray('id', $entry_ids, $values);
$sql .= " id IN($bindEntryIds)";
- } else if (!empty($max_id)) {
+ } elseif ($max_id != null) {
$sql .= ' id < :id';
$values[':id'] = $max_id;
$order = ' ORDER BY id DESC';
- } else {
+ } elseif ($since_id != null) {
$sql .= ' id > :id';
$values[':id'] = $since_id;
$order = ' ORDER BY id ASC';
+ } else {
+ $sql .= ' 1=1';
}
if (!empty($feed_ids)) {
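Review bot: The two new branches test `$max_id != null` and `$since_id != null` loosely, but after this commit both variables are either a ctype_digit-validated string or null, so the strict forms `} elseif ($max_id !== null) {` and `} elseif ($since_id !== null) {` state that contract directly and do not depend on PHP's null-to-string comparison rules. Note the behavioural shift versus the removed `!empty($max_id)`: a literal `'0'` is no longer dropped and now yields `id < 0` (or `id > 0` in the since_id branch); that looks harmless but deserves a one-line comment such as `// '0' is a valid validated id; only null means "not supplied"`. The enclosing method of FeverDAO starts before this hunk.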
@@ -204,14 +206,14 @@ class FeverAPI
$response_arr['saved_item_ids'] = $this->getSavedItemIds();
}
- if (isset($_REQUEST['mark'], $_REQUEST['as'], $_REQUEST['id']) && is_numeric($_REQUEST['id'])) {
+ $id = isset($_REQUEST['id']) ? '' . $_REQUEST['id'] : '';
+ if (isset($_REQUEST['mark'], $_REQUEST['as'], $_REQUEST['id']) && ctype_digit($id)) {
$method_name = 'set' . ucfirst($_REQUEST['mark']) . 'As' . ucfirst($_REQUEST['as']);
$allowedMethods = array(
'setFeedAsRead', 'setGroupAsRead', 'setItemAsRead',
'setItemAsSaved', 'setItemAsUnread', 'setItemAsUnsaved'
);
if (in_array($method_name, $allowedMethods)) {
- $id = intval($_REQUEST['id']);
switch (strtolower($_REQUEST['mark'])) {
case 'item':
$this->{$method_name}($id);
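Review bot: The new `$id = isset($_REQUEST['id']) ? '' . $_REQUEST['id'] : '';` assumes the parameter is scalar; a request carrying `id[]=1` makes the concatenation emit an "Array to string conversion" warning before ctype_digit() rejects the resulting 'Array', so add an `is_scalar($_REQUEST['id'])` test next to the isset(), e.g. `$id = isset($_REQUEST['id']) && is_scalar($_REQUEST['id']) ? '' . $_REQUEST['id'] : '';`. The reason for the `'' .` cast is not obvious and merits a comment, since ctype_digit() interprets an int argument as a character code rather than a number (deprecated in 8.1): `// force string: ctype_digit(int) tests an ASCII code, not a number`. Because the intval() line was removed, $id now reaches `$this->{$method_name}($id)` as a digit string rather than an int; the set*As* method signatures are not visible here, so confirm they accept a numeric string.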
@@ -471,17 +473,18 @@ class FeverAPI
if (isset($_REQUEST['max_id'])) {
// use the max_id argument to request the previous $item_limit items
- if (is_numeric($_REQUEST['max_id'])) {
- $max = $_REQUEST['max_id'] > 0 ? intval($_REQUEST['max_id']) : 0;
- if ($max) {
- $max_id = $max;
- }
+ $max_id = '' . $_REQUEST['max_id'];
+ if (!ctype_digit($max_id)) {
+ $max_id = null;
}
} else if (isset($_REQUEST['with_ids'])) {
$entry_ids = explode(',', $_REQUEST['with_ids']);
} else {
// use the since_id argument to request the next $item_limit items
- $since_id = isset($_REQUEST['since_id']) && is_numeric($_REQUEST['since_id']) ? intval($_REQUEST['since_id']) : 0;
+ $since_id = '' . $_REQUEST['since_id'];
+ if (!ctype_digit($since_id)) {
+ $since_id = null;
+ }
}
$items = array();
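Review bot: The else branch's `$since_id = '' . $_REQUEST['since_id'];` reads the key without the isset() that the removed line had, so a request supplying none of max_id, with_ids or since_id triggers an undefined-index notice (a warning on PHP 8) before ctype_digit('') turns the value into null; restore the guard with `$since_id = isset($_REQUEST['since_id']) ? '' . $_REQUEST['since_id'] : '';`. The max_id branch has the same array-parameter gap as the id handling earlier in this file: `max_id[]=1` makes `'' . $_REQUEST['max_id']` warn and produce 'Array', which is then rejected, so an `is_scalar()` check before the concatenation keeps the logs clean. A bare `max_id=0` is now kept as '0' where the old `$max > 0` test discarded it, and the DAO will query `id < 0`; harmless, but worth confirming it is intended. The enclosing method continues outside the hunk.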
diff --git a/p/api/greader.php b/p/api/greader.php
index 5ab6c8115..4affc2826 100644
--- a/p/api/greader.php
+++ b/p/api/greader.php
@@ -176,7 +176,7 @@ function authorizationToUser() {
}
function clientLogin($email, $pass) { //http://web.archive.org/web/20130604091042/http://undoc.in/clientLogin.html
- if (ctype_alnum($email)) {
+ if (FreshRSS_user_Controller::checkUsername($email)) {
if (!function_exists('password_verify')) {
include_once(LIB_PATH . '/password_compat.php');
}
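Review bot: The value checked on the new `FreshRSS_user_Controller::checkUsername($email)` line is still named $email and the only documentation is the archived ClientLogin link, so a reader cannot tell that the field carries a FreshRSS username whose accepted character set is now whatever checkUsername() enforces rather than the former ctype_alnum() rule. A docblock on clientLogin() would make that explicit, e.g. `@param string $email the ClientLogin 'Email' field, which holds the FreshRSS username and is validated by FreshRSS_user_Controller::checkUsername()` and `@param string $pass the plaintext password (presumably verified with password_verify(), given the compat include)`. If checkUsername() expects a string, the caller should also ensure the request value is not an array before it reaches this function; the caller is not visible here. The body of clientLogin() continues beyond the hunk.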