From 17eed166a33dd575ff98806cb58517926344c33b Mon Sep 17 00:00:00 2001
From: ZeroPath
Date: Thu, 15 Jan 2026 21:29:05 +0000
Subject: [PATCH] Prevent SQL injection in get_user_by_id by casting user_id to integer
---
 include/functions.inc.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/include/functions.inc.php b/include/functions.inc.php
index 95b99eb247..d3334f4b1d 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -32,6 +32,8 @@
 */
 function get_user_by_id($user_id)
 {
+ // Ensure user_id is an integer to prevent SQL injection
+ $user_id = intval($user_id);
 $query = 'SELECT * FROM '.USERS_TABLE.' WHERE id = '.$user_id;
 $result = pwg_query($query);
 return pwg_db_fetch_assoc($result);
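Review bot: `intval()` on the added line coerces rather than validates, so a non-numeric or partly numeric `$user_id` (`'abc'`, `'12abc'`, an array) silently becomes `0` or `12` and the function returns whichever row that happens to match instead of signalling bad input; the injection path is closed, but a caller passing garbage now gets a wrong user rather than an error. Consider validating instead and bailing out on failure, e.g. `$user_id = filter_var($user_id, FILTER_VALIDATE_INT); if ($user_id === false) { return false; }` (or whatever value callers already treat as "no such user" when the query matches no row), and then building the query from the validated integer. Whether `pwg_query()` has a parameterised variant is not visible in this hunk; if it does, binding the id would be preferable to concatenating even a validated integer. The function's docblock starts outside the hunk, so its description of `$user_id` should be updated to say that non-integer values are rejected (or coerced to an integer, if `intval` is kept).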