api/updateArticle: validate article_ids parameter (refs #375)

52ebaf93 · Andrew Dolgov · e894e97f · 52ebaf93
Commit 52ebaf93 authored 13 years ago by Andrew Dolgov
--- a/api/index.php
+++ b/api/index.php
@@ -207,7 +207,7 @@
 			break;
 		case "updateArticle":
-			$article_ids = split(",", db_escape_string($_REQUEST["article_ids"]));
+			$article_ids = array_filter(explode(",", db_escape_string($_REQUEST["article_ids"])), is_numeric);
 			$mode = (int) db_escape_string($_REQUEST["mode"]);
 			$field_raw = (int)db_escape_string($_REQUEST["field"]);