Package: piwigo
Version: 2.1.2-2
Severity: important
Tags: patch

Hi,
I have made a small patch fixing this bug by just adding mysql_real_escape_string() variable encapsulation (see patch in attachment). I sent an email to upstream about this issue.

Regards,
Thomas PIERSON
--- a/piwigo/web/admin/include/functions_upload.inc.php 2010-10-07 02:40:51.886961921 +0200 +++ b/piwigo/web/admin/include/functions_upload.inc.php 2010-10-07 22:58:10.000000000 +0200 @@ -103,7 +103,7 @@ // database registration $insert = array( - 'file' => isset($original_filename) ? $original_filename : basename($file_path), + 'file' => mysql_real_escape_string(isset($original_filename) ? $original_filename : basename($file_path)), 'date_available' => $dbnow, 'tn_ext' => 'jpg', 'path' => preg_replace('#^'.preg_quote(PHPWG_ROOT_PATH).'#', '', $file_path), \ No newline at end of file
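Review bot: the changed `'file'` line escapes only one of the two user-derived values in this `$insert` array; the neighbouring `'path'` entry is built from the same `$file_path` and stays unescaped, so the hunk should apply the same treatment to `'path'` or, better, move the escaping into the routine that turns `$insert` into the INSERT statement so every column is handled consistently. Escaping at the point where the value array is built also couples the stored value to SQL syntax: if the consumer of `$insert` already escapes, the filename is double-escaped in the database. Finally, `mysql_real_escape_string()` needs an open connection at this point; without one it emits a warning and returns false, which would be stored as an empty `file` value.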