From 27972906be22af08b9cc6a1c598cf75146bd67e8 Mon Sep 17 00:00:00 2001
From: plegall <plg@piwigo.org>
Date: Thu, 12 Jun 2014 09:33:20 +0000
Subject: bug 3089: prevent SQL injection on photo edition

git-svn-id: http://piwigo.org/svn/trunk@28678 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 admin/picture_modify.php | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'admin/picture_modify.php')

diff --git a/admin/picture_modify.php b/admin/picture_modify.php
index 3e88bf61a..57d98276a 100644
--- a/admin/picture_modify.php
+++ b/admin/picture_modify.php
@@ -155,6 +155,7 @@ if (isset($_POST['submit']))
   {
     $_POST['associate'] = array();
   }
+  check_input_parameter('associate', $_POST, true, PATTERN_ID);
   move_images_to_categories(array($_GET['image_id']), $_POST['associate']);
 
   invalidate_user_cache();
@@ -164,6 +165,7 @@ if (isset($_POST['submit']))
   {
     $_POST['represent'] = array();
   }
+  check_input_parameter('represent', $_POST, true, PATTERN_ID);
 
   $no_longer_thumbnail_for = array_diff($represented_albums, $_POST['represent']);
   if (count($no_longer_thumbnail_for) > 0)
-- 
cgit v1.2.3