author | zotlabs <mike@macgirvin.com> | 2017-08-30 21:45:54 -0700 |
---|---|---|
committer | zotlabs <mike@macgirvin.com> | 2017-08-30 21:45:54 -0700 |
commit | 74f55d15042d04b530e22ed57bcb56520bca3e72 (patch) | |
tree | f7e109f6721dbd92785fcc2a44e32cb1f9023334 | |
parent | f436ec6f2176c3b367cee2d40b78fae267ee779a (diff) | |
check input is hex before sending it to hex2bin
-rw-r--r-- | include/photos.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/include/photos.php b/include/photos.php
index f5d5fdb48..c7c8fc0a4 100644
--- a/include/photos.php
+++ b/include/photos.php
@@ -595,7 +595,7 @@ function photos_album_exists($channel_id, $observer_hash, $album) {
 // partial backward compatibility with Hubzilla < 2.4 when we used the filename only
 // (ambiguous which would get chosen if you had two albums of the same name in different directories)
- if(!$r) {
+ if(!$r && ctype_xdigit($album)) {
 $r = q("SELECT folder, hash, is_dir, filename, os_path, display_path FROM attach WHERE filename = '%s' AND is_dir = 1 AND uid = %d $sql_extra limit 1",
 dbesc(hex2bin($album)),
 intval($channel_id) |
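Review bot: The new guard `ctype_xdigit($album)` still lets an odd-length hex string through to `hex2bin()`, which raises a warning and returns false for odd-length input, so the fallback query then runs with whatever `dbesc(false)` yields as the filename. Tightening the condition to `if(!$r && ctype_xdigit($album) && (strlen($album) % 2) === 0) {` closes that gap. `ctype_xdigit()` also behaves differently for non-string arguments, so if `$album` can arrive as anything other than a string (its origin is not visible here) an `is_string($album)` check belongs in the same condition. The body of photos_album_exists starts and ends outside this hunk.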