From 74f55d15042d04b530e22ed57bcb56520bca3e72 Mon Sep 17 00:00:00 2001
From: zotlabs
Date: Wed, 30 Aug 2017 21:45:54 -0700
Subject: check input is hex before sending it to hex2bin
---
 include/photos.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/photos.php b/include/photos.php
index f5d5fdb48..c7c8fc0a4 100644
--- a/include/photos.php
+++ b/include/photos.php
@@ -595,7 +595,7 @@ function photos_album_exists($channel_id, $observer_hash, $album) {
 // partial backward compatibility with Hubzilla < 2.4 when we used the filename only
 // (ambiguous which would get chosen if you had two albums of the same name in different directories)
- if(!$r) {
+ if(!$r && ctype_xdigit($album)) {
 $r = q("SELECT folder, hash, is_dir, filename, os_path, display_path FROM attach WHERE filename = '%s' AND is_dir = 1 AND uid = %d $sql_extra limit 1",
 dbesc(hex2bin($album)),
 intval($channel_id)
-- 
cgit v1.2.3
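Review bot: The new guard `ctype_xdigit($album)` still lets odd-length strings reach `hex2bin()`, which accepts only an even number of hex digits; for such input it raises an E_WARNING and returns false, so `dbesc()` is handed false instead of a decoded filename. Checking the length in the same condition closes the gap: `if(!$r && ctype_xdigit($album) && strlen($album) % 2 === 0) {`. `ctype_xdigit()` also expects a string argument, so if `$album` can arrive as a non-string value (not visible here) an `is_string()` check belongs alongside it. The body of photos_album_exists starts and ends outside this hunk, so how `$r` and `$sql_extra` are built cannot be judged from these lines.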