| author | moehm | 2014-03-19 14:42:47 +0100 |
|---|---|---|
| committer | moehm | 2014-03-19 14:42:47 +0100 |
| commit | 716707414f1ef931ba33abb4f508bf53a5b3564c (patch) | |
| tree | e49469d9afe80f0c31b156f3f19322c7ce91d495 /www | |
| parent | 7313f1b72659777e0c08d089293433109940d788 (diff) | |
| download | files.iamfabulous.de-716707414f1ef931ba33abb4f508bf53a5b3564c.tar.gz | |
Fixed possible SQL injection.
Diffstat (limited to 'www')
| -rwxr-xr-x | www/functions/func_select.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/www/functions/func_select.php b/www/functions/func_select.php
index 1599b9b..2acfb93 100755
--- a/www/functions/func_select.php
+++ b/www/functions/func_select.php
@@ -10,10 +10,10 @@ function select_file_id($db, $owner, $folder_path){
 $folder_array_unsafe = explode("/",$folder_path);
 $length = count($folder_array_unsafe);
- $root_db = $db->query("SELECT id FROM files WHERE parent=0 AND owner=" . $owner . " AND folder='DIRECTORY' " . $share . ";");
+ $root_db = $db->query("SELECT id FROM files WHERE parent=0 AND owner=" . SQLite3::escapeString($owner) . " AND folder='DIRECTORY' " . $share . ";");
 $root_ar = $root_db->fetchArray(SQLITE3_NUM);
 $root_id = $root_ar[0];
- if(empty($root_ar)){
+ if(empty($root_ar[0])){
 failure("Seems like the user doesn't want to show his tree: " . $root_id);
 }
 $parentdir = SQLite3::escapeString($root_id); |
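Review bot: `SQLite3::escapeString($owner)` on the new query line does not close the injection it is meant to fix. The value is still concatenated unquoted into `owner=`, and escapeString only escapes quote characters for use inside a quoted string literal, so it does not constrain `$owner` to a number. Binding the value removes the dependence on escaping: `$stmt = $db->prepare("SELECT id FROM files WHERE parent=0 AND owner=:owner AND folder='DIRECTORY' " . $share . ";");`, `$stmt->bindValue(':owner', $owner, SQLITE3_INTEGER);`, `$root_db = $stmt->execute();` (assuming owner is an integer column, as the unquoted comparison suggests). `$share` is also concatenated into the statement and is built outside this hunk, so its origin should be checked in the same way. select_file_id starts above the hunk and continues past it, and the trailing `$parentdir = SQLite3::escapeString($root_id)` suggests the same pattern may recur further down.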
