authorzotlabs <mike@macgirvin.com>2017-08-30 21:45:54 -0700
committerzotlabs <mike@macgirvin.com>2017-08-30 21:45:54 -0700
commit74f55d15042d04b530e22ed57bcb56520bca3e72 (patch)
treef7e109f6721dbd92785fcc2a44e32cb1f9023334
parentf436ec6f2176c3b367cee2d40b78fae267ee779a (diff)
check input is hex before sending it to hex2bin
-rw-r--r--include/photos.php2
1 files changed, 1 insertions, 1 deletions
diff --git a/include/photos.php b/include/photos.php
index f5d5fdb48..c7c8fc0a4 100644
--- a/include/photos.php
+++ b/include/photos.php
@@ -595,7 +595,7 @@ function photos_album_exists($channel_id, $observer_hash, $album) {
// partial backward compatibility with Hubzilla < 2.4 when we used the filename only
// (ambiguous which would get chosen if you had two albums of the same name in different directories)
- if(!$r) {
+ if(!$r && ctype_xdigit($album)) {
$r = q("SELECT folder, hash, is_dir, filename, os_path, display_path FROM attach WHERE filename = '%s' AND is_dir = 1 AND uid = %d $sql_extra limit 1",
dbesc(hex2bin($album)),
intval($channel_id)