From 42a61b5cb839fbb86a5a91faa8f3d0419e045554 Mon Sep 17 00:00:00 2001 From: plegall Date: Fri, 29 Oct 2010 22:53:26 +0000 Subject: merge r7489 from branch 2.1 to trunk bug 1908 fixed: protect the uploaded photo filename against SQL injection. git-svn-id: http://piwigo.org/svn/trunk@7490 68402e56-0260-453c-a942-63ccdbb3a9ee --- admin/include/functions_upload.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admin/include/functions_upload.inc.php b/admin/include/functions_upload.inc.php index 8fcfac4f0..94116a3b4 100644 --- a/admin/include/functions_upload.inc.php +++ b/admin/include/functions_upload.inc.php @@ -103,7 +103,7 @@ function add_uploaded_file($source_filepath, $original_filename=null, $categorie // database registration $insert = array( - 'file' => isset($original_filename) ? $original_filename : basename($file_path), + 'file' => pwg_db_real_escape_string(isset($original_filename) ? $original_filename : basename($file_path)), 'date_available' => $dbnow, 'tn_ext' => 'jpg', 'path' => preg_replace('#^'.preg_quote(PHPWG_ROOT_PATH).'#', '', $file_path), -- cgit v1.2.3