author | nikrou <nikrou@piwigo.org> | 2006-08-14 20:56:10 +0000 |
---|---|---|
committer | nikrou <nikrou@piwigo.org> | 2006-08-14 20:56:10 +0000 |
commit | 8c9741dd5684e51d5b09d73e7b74df4843a11747 (patch) | |
tree | 5a047e4b400b048e95f655d9a639e7160c3d9eea /comments.php | |
parent | f784cae8158b41f8cfe2bb1615e285b55828777b (diff) |
fix bug 518: anyone can delete or validate a comment
comment_id must be an integer: intval is applied to it before it is used in the query.
git-svn-id: http://piwigo.org/svn/branches/branch-1_6@1535 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to '')
-rw-r--r-- | comments.php | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/comments.php b/comments.php
index bd332b46e..829a7055e 100644
--- a/comments.php
+++ b/comments.php
@@ -148,8 +148,9 @@ if (isset($_GET['keyword']) and !empty($_GET['keyword']))
 // | comments management |
 // +-----------------------------------------------------------------------+
 // comments deletion
-if (isset($_POST['delete']) and count($_POST['comment_id']) > 0)
+if (isset($_POST['delete']) and count($_POST['comment_id']) > 0 and is_admin())
 {
+  $_POST['comment_id'] = array_map('intval', $_POST['comment_id']);
   $query = '
 DELETE FROM '.COMMENTS_TABLE.'
   WHERE id IN ('.implode(',', $_POST['comment_id']).')
@@ -157,8 +158,10 @@ DELETE FROM '.COMMENTS_TABLE.'
   pwg_query($query);
 }
 // comments validation
-if (isset($_POST['validate']) and count($_POST['comment_id']) > 0)
+if (isset($_POST['validate']) and count($_POST['comment_id']) > 0
+  and is_admin())
 {
+  $_POST['comment_id'] = array_map('intval', $_POST['comment_id']);
   $query = '
 UPDATE '.COMMENTS_TABLE.'
   SET validated = \'true\' |
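Review bot: The new condition still calls `count($_POST['comment_id'])` before it has checked that the field exists and is an array, so a request that sends `comment_id` as a plain string (or omits it) reaches `array_map('intval', ...)` with a non-array, which yields null and turns the `implode` into an empty `IN ()` clause; the same applies to the validation block in the second hunk. The authorization check should also come first so that non-admin requests short-circuit before any input is inspected: `if (isset($_POST['delete']) and is_admin() and isset($_POST['comment_id']) and is_array($_POST['comment_id']) and count($_POST['comment_id']) > 0)`. As a point of style, assigning the cast list to a local such as `$comment_ids` rather than writing back into `$_POST` would make it clearer which value the query is built from, and filtering out ids that `intval` reduced to 0 would avoid sending a meaningless `0` to the database. Nothing visible in either hunk ties these state-changing POSTs to a per-session token, so `is_admin()` alone does not distinguish an admin's own action from a request another site caused the admin's browser to send — worth confirming elsewhere in the file.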