bug 247 fixed : image_id GET parameter was not checked for sanity before

usage in SQL queries. Now, image_id must be a numeric value. git-svn-id: http://piwigo.org/svn/branches/branch-1_5@989 68402e56-0260-453c-a942-63ccdbb3a9ee
2026-03-28 17:42:57 +01:00 · 2005-12-25 22:37:07 +00:00
parent 7bdb132ffc
commit 9bc452537e
1 changed files with 6 additions and 0 deletions
--- a/picture.php
+++ b/picture.php
@@ -42,6 +42,12 @@ if ( isset( $page['cat'] ) and is_numeric( $page['cat'] ) )
 {
  check_restrictions( $page['cat'] );
 }
+
+if (!is_numeric($_GET['image_id']))
+{
+  die('Hacking attempt on "image_id" GET parameter');
+}
+
 //---------------------------------------- incrementation of the number of hits
 $query = '
 UPDATE '.IMAGES_TABLE.'