Fix potential sql injection in delete_file if param add_location was also specified - post.php

2026-03-11 00:04:50 +00:00 · 2022-03-28 20:45:31 +01:00
parent d83906508d
commit 4ba313f752
1 changed files with 1 additions and 0 deletions
--- a/post.php
+++ b/post.php
@@ -6804,6 +6804,7 @@ if(isset($_GET['delete_file'])){
    $sql_file = mysqli_query($mysqli,"SELECT * FROM files WHERE file_id = $file_id AND company_id = $session_company_id");
    $row = mysqli_fetch_array($sql_file);
    $client_id = $row['file_client_id'];
    $file_name = $row['file_name'];
    $file_reference_name = $row['file_reference_name'];
    unlink("uploads/clients/$session_company_id/$client_id/$file_reference_name");