diff options
| author | rvelices <rv-github@modusoptimus.com> | 2008-10-18 00:45:45 +0000 |
|---|---|---|
| committer | rvelices <rv-github@modusoptimus.com> | 2008-10-18 00:45:45 +0000 |
| commit | 90be9fbb84623095a360cfa6e9c1955a891eeba5 (patch) | |
| tree | 0b61f9e6a0372b6662866a3bd0dd9b746b0f430a /include/ws_functions.inc.php | |
| parent | faa543851ba9fc25ffb0d25a7876d4486757f21a (diff) | |
- merge rev 2765,2769 from branch 2.0
* 2765 mysql potential injection paranoia + code compaction in common.inc.php
* 2769 added an image sort order by privacy level (admins only)
* 2769 fix an IE6 display issue with quick search on index page
git-svn-id: http://piwigo.org/svn/trunk@2770 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include/ws_functions.inc.php')
| -rw-r--r-- | include/ws_functions.inc.php | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/include/ws_functions.inc.php b/include/ws_functions.inc.php index a41212f5f..e61a4b2d6 100644 --- a/include/ws_functions.inc.php +++ b/include/ws_functions.inc.php @@ -187,6 +187,7 @@ function ws_caddie_add($params, &$service) { return new PwgError(401, 'Access denied'); } + $params['image_id'] = array_map( 'intval',$params['image_id'] ); if ( empty($params['image_id']) ) { return new PwgError(WS_ERR_INVALID_PARAM, "Invalid image_id"); @@ -291,7 +292,7 @@ SELECT i.*, GROUP_CONCAT(category_id) cat_ids AND ', $where_clauses).' GROUP BY i.id '.$order_by.' -LIMIT '.$params['per_page']*$params['page'].','.$params['per_page']; +LIMIT '.(int)($params['per_page']*$params['page']).','.(int)$params['per_page']; $result = pwg_query($query); while ($row = mysql_fetch_assoc($result)) @@ -683,8 +684,8 @@ SELECT id, date, author, content FROM '.COMMENTS_TABLE.' WHERE '.$where_comments.' ORDER BY date - LIMIT '.$params['comments_per_page']*(int)$params['comments_page']. - ','.$params['comments_per_page']; + LIMIT '.(int)($params['comments_per_page']*$params['comments_page']). + ','.(int)$params['comments_per_page']; $result = pwg_query($query); while ($row = mysql_fetch_assoc($result)) @@ -857,6 +858,7 @@ function ws_images_setPrivacyLevel($params, &$service) { return new PwgError(401, 'Access denied'); } + $params['image_id'] = array_map( 'intval',$params['image_id'] ); if ( empty($params['image_id']) ) { return new PwgError(WS_ERR_INVALID_PARAM, "Invalid image_id"); @@ -1342,7 +1344,7 @@ SELECT DISTINCT i.* FROM '.IMAGES_TABLE.' i WHERE '. implode(' AND ', $where_clauses).' '.$order_by.' -LIMIT '.$params['per_page']*$params['page'].','.$params['per_page']; +LIMIT '.(int)($params['per_page']*$params['page']).','.(int)$params['per_page']; $result = pwg_query($query); while ($row = mysql_fetch_assoc($result)) |