From 9bc452537eb28a00a3d89fce4d859cf12f4d58c6 Mon Sep 17 00:00:00 2001
From: plegall <plg@piwigo.org>
Date: Sun, 25 Dec 2005 22:37:07 +0000
Subject: bug 247 fixed : image_id GET parameter was not checked for sanity
 before usage in SQL queries. Now, image_id must be a numeric value.

git-svn-id: http://piwigo.org/svn/branches/branch-1_5@989 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 picture.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/picture.php b/picture.php
index a57ed9552..b59cb1a87 100644
--- a/picture.php
+++ b/picture.php
@@ -42,6 +42,12 @@ if ( isset( $page['cat'] ) and is_numeric( $page['cat'] ) )
 {
   check_restrictions( $page['cat'] );
 }
+
+if (!is_numeric($_GET['image_id']))
+{
+  die('Hacking attempt on "image_id" GET parameter');
+}
+
 //---------------------------------------- incrementation of the number of hits
 $query = '
 UPDATE '.IMAGES_TABLE.'
-- 
cgit v1.2.3