[Media] Fix SQL injection vulnerability (#3349)

Fixed query in media module to use a prepared statement.
aces · Dec 20, 2017 · e7fcfb1 · e7fcfb1
1 parent 8ffba39
commit e7fcfb1
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/modules/media/php/NDB_Form_media.class.inc b/modules/media/php/NDB_Form_media.class.inc
@@ -52,8 +52,8 @@ class NDB_Form_Media extends NDB_Form
         // Check if media file exists, if not redirect to /media/ page
         if (isset($idMediaFile)) {
             $result = $db->pselectRow(
-                "SELECT id FROM media WHERE id = $idMediaFile",
-                []
+                "SELECT id FROM media WHERE id = :mid",
+                array('mid' => $idMediaFile)
             );
             if (count($result) < 1) {
                 header('Location: ' . $baseURL . '/media/');