From 9028c75c1f03c43a0c96fe80e5742f6c040fe905 Mon Sep 17 00:00:00 2001
From: plegall
Date: Mon, 18 Dec 2017 16:44:42 +0100
Subject: [PATCH] fixes #825, check user input on Batch Manager, unit mode, to prevent SQL injection
---
 admin/batch_manager_unit.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/admin/batch_manager_unit.php b/admin/batch_manager_unit.php
index 2e4475262..d417c62f7 100644
--- a/admin/batch_manager_unit.php
+++ b/admin/batch_manager_unit.php
@@ -47,6 +47,7 @@ trigger_notify('loc_begin_element_set_unit');
 if (isset($_POST['submit']))
 {
+ check_input_parameter('element_ids', $_POST, false, '/^\d+(,\d+)*$/');
 $collection = explode(',', $_POST['element_ids']);
 $datas = array();
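Review bot: The pattern passed to `check_input_parameter` ends in `$`, which in PCRE also matches just before a final newline, so a value such as `1,2` followed by a line feed would still pass and `explode` would hand on a last element that is not purely digits. Adding the `D` modifier closes that gap: `check_input_parameter('element_ids', $_POST, false, '/^\d+(,\d+)*$/D');`. The helper's definition is outside this hunk, so it cannot be confirmed here whether a missing or empty `element_ids` is rejected; if it is not, `explode` returns a single empty string and the code below has to cope with that. The queries that consume `$collection` are also outside the hunk, so casting after the split (`$collection = array_map('intval', $collection);`) would keep the ids numeric independently of the regex. The `if` block continues past the end of the hunk.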