author | plegall <plg@piwigo.org> | 2005-12-25 22:37:07 +0000 |
committer | plegall <plg@piwigo.org> | 2005-12-25 22:37:07 +0000 |
commit | 9bc452537eb28a00a3d89fce4d859cf12f4d58c6 (patch) | |
tree | 29c0ea193dc89e58081f9075fedbb4fae629650b | |
parent | 7bdb132ffc9b143b177725c479090a7563ed3218 (diff) |
bug 247 fixed : image_id GET parameter was not checked for sanity before
usage in SQL queries. Now, image_id must be a numeric value.
git-svn-id: http://piwigo.org/svn/branches/branch-1_5@989 68402e56-0260-453c-a942-63ccdbb3a9ee
-rw-r--r-- | picture.php | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/picture.php b/picture.php
index a57ed9552..b59cb1a87 100644
--- a/picture.php
+++ b/picture.php
@@ -42,6 +42,12 @@ if ( isset( $page['cat'] ) and is_numeric( $page['cat'] ) )
 {
 check_restrictions( $page['cat'] );
 }
+
+if (!is_numeric($_GET['image_id']))
+{
+ die('Hacking attempt on "image_id" GET parameter');
+}
+
 //---------------------------------------- incrementation of the number of hits
 $query = '
 UPDATE '.IMAGES_TABLE.'
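Review bot: The new check reads `$_GET['image_id']` without first testing `isset()`, so a request that omits the parameter raises an undefined-index notice before `is_numeric` rejects the missing value. `is_numeric` is also broader than an integer id needs: it accepts signed values, decimals, exponent notation and leading whitespace, so a stricter test such as `if (!isset($_GET['image_id']) || !ctype_digit((string)$_GET['image_id']))` pins the value to plain digits. Wherever the value is later interpolated into SQL (that usage is outside this hunk), casting it once with `(int)$_GET['image_id']` would keep the query safe even if this validation block is moved or changed. The surrounding code of picture.php continues outside the hunk.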