From 4ba313f7526fd39e9b259256fc84685052f022d1 Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Mon, 28 Mar 2022 20:45:31 +0100
Subject: [PATCH] Fix potential sql injection in delete_file if param add_location was also specified - post.php
---
 post.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/post.php b/post.php
index 54ce0ba2..2fe355c7 100644
--- a/post.php
+++ b/post.php
@@ -6804,6 +6804,7 @@ if(isset($_GET['delete_file'])){
 $sql_file = mysqli_query($mysqli,"SELECT * FROM files WHERE file_id = $file_id AND company_id = $session_company_id");
 $row = mysqli_fetch_array($sql_file);
 $client_id = $row['file_client_id'];
+ $file_name = $row['file_name'];
 $file_reference_name = $row['file_reference_name'];
 unlink("uploads/clients/$session_company_id/$client_id/$file_reference_name");
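Review bot: The added `$file_name = $row['file_name'];` copies the stored name unescaped, so if it is later interpolated into a SQL string (the commit title suggests it is, but that statement is outside the hunk), a name containing a quote character would still alter the query. Escape it at assignment, `$file_name = mysqli_real_escape_string($mysqli, $row['file_name']);`, or preferably bind it as a parameter in a prepared statement where it is used. Separately, nothing visible checks that the SELECT returned a row before `unlink()` runs, so an id that does not belong to `$session_company_id` leaves `$client_id` and `$file_reference_name` empty; an early return on `if (!$row)` ahead of the assignments would make that case explicit. The `delete_file` block starts and ends outside this hunk, so how `$file_id` is sanitised and where `$file_name` is consumed could not be checked here.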