SQL: Better sanity checking and SQL generation for image display

This commit is contained in:
Solomon Peachy 2015-02-21 10:12:46 -05:00
parent 0f34f2340a
commit 396ea6c6b9
1 changed files with 19 additions and 13 deletions


@ -30,21 +30,29 @@ $download = isset($_REQUEST['down']);
$photo_sel = "";
if (!$photo_id) {
if (!$version) {
/* Sanity check Photo ID -- REQUIRED argument */
if (!$photo_id || !is_numeric($photo_id)) {
header("HTTP/1.1 404 Not found");
exit();
}
} else {
if (is_numeric($photo_id))
$photo_sel = "and photo.identifier = '$photo_id'";
else
$photo_sel = "and false is true";
}
}
/* Sanity check Photo Version -- OPTIONAL argument */
if ($version && !is_numeric($version)) {
header("HTTP/1.1 404 Not found");
exit();
}
/* Sanity check Image Size -- OPTIONAL argument */
if ($image_size && !is_numeric($image_size)) {
header("HTTP/1.1 404 Not found");
exit();
}
/* Figure out SQL based on image */
$photo_sel = " photo.identifier = '$photo_id' ";
$photo_sel .= $version ? " and photo_version.identifier='$version' " : " and photo_version.master='t' ";
/* Translate image sizes */
switch ($image_size) {
case '':
case FALSE:
$image_size = 1;
break;
case 3:
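Review bot: is_numeric() is a weaker check than the string interpolation on the `$photo_sel` lines needs — it accepts leading whitespace, a sign, a decimal point and exponent notation (e.g. `1e3`), and on the PHP 5 releases current at the time of this commit also hex strings such as `0x1A`, so a value that passes the new sanity checks can still reach the query as something other than an integer literal. None of those forms can escape the single quotes, so I do not see an injection path here, but such values will presumably fail to cast to whatever type `photo.identifier` / `photo_version.identifier` have and surface as a database error instead of the intended 404. An integer-only test closes the gap: `if (!$photo_id || !ctype_digit((string)$photo_id)) {` and `if ($version && !ctype_digit((string)$version)) {`, and the same for `$image_size`, which the second hunk interpolates unquoted into `get_image_path(...)` unless the switch that follows normalises every value it can take. Longer term these values should be passed as bound parameters through pg_query_params() rather than interpolated. The surrounding script continues outside the hunk.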
@ -60,15 +68,13 @@ ini_set('zlib.output_compression', 'Off');
$database = site_prolog();
$cache_ctrl = FALSE;
$version_selector = $version ? "photo_version.identifier=$version" : "photo_version.master='t'";
$photo_data = pg_fetch_assoc(pg_query($database, "
select users, access_rights, hide_original, original_image_name,
get_image_path(photo_version.identifier, $image_size) as path,
can_access_photo(photo.identifier, $po_user[id], '{".$passwords."}') as ok
from photo left join photo_version on photo.identifier = photo_version.photo
where $version_selector
$photo_sel"));
where $photo_sel"));
if (!$photo_data) {
header("HTTP/1.1 404 Not found");
site_epilog($database);