From 716707414f1ef931ba33abb4f508bf53a5b3564c Mon Sep 17 00:00:00 2001
From: moehm
Date: Wed, 19 Mar 2014 14:42:47 +0100
Subject: Fixed possible SQL injection.
---
 www/functions/func_select.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'www')
diff --git a/www/functions/func_select.php b/www/functions/func_select.php
index 1599b9b..2acfb93 100755
--- a/www/functions/func_select.php
+++ b/www/functions/func_select.php
@@ -10,10 +10,10 @@ function select_file_id($db, $owner, $folder_path){
 $folder_array_unsafe = explode("/",$folder_path);
 $length = count($folder_array_unsafe);
- $root_db = $db->query("SELECT id FROM files WHERE parent=0 AND owner=" . $owner . " AND folder='DIRECTORY' " . $share . ";");
+ $root_db = $db->query("SELECT id FROM files WHERE parent=0 AND owner=" . SQLite3::escapeString($owner) . " AND folder='DIRECTORY' " . $share . ";");
 $root_ar = $root_db->fetchArray(SQLITE3_NUM);
 $root_id = $root_ar[0];
- if(empty($root_ar)){
+ if(empty($root_ar[0])){
 failure("Seems like the user doesn't want to show his tree: " . $root_id);
 }
 $parentdir = SQLite3::escapeString($root_id);
-- 
cgit v1.2.3
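Review bot: `SQLite3::escapeString($owner)` on the added `$root_db = $db->query(...)` line does not close the injection the subject claims to fix, because escapeString only doubles single quotes for use inside a quoted string literal, while `owner=` here is an unquoted comparison where spaces, operators and keywords pass through untouched. The robust form is a prepared statement with a typed bind: `$stmt = $db->prepare("SELECT id FROM files WHERE parent=0 AND owner=:owner AND folder='DIRECTORY' " . $share);` then `$stmt->bindValue(':owner', $owner, SQLITE3_INTEGER);` and `$root_db = $stmt->execute();`, which also makes the `;` suffix unnecessary. `$share` is still concatenated into the query and is neither a parameter of select_file_id nor defined in the hunk, so its provenance should be checked in the same pass. Separately, `$root_id = $root_ar[0];` still runs before the new `empty($root_ar[0])` guard, so when fetchArray() returns false the offset access on a bool emits a warning before failure() is reached; moving the guard above that assignment avoids it. The body of select_file_id starts before and continues after this hunk.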