From 19e24b4fe2905656ea1c8576e00389396ec3a14e Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Thu, 6 Dec 2018 07:08:54 +0300
Subject: force cast profile id to integer when assigning to session variable
---
 classes/handler/public.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'classes/handler/public.php')
diff --git a/classes/handler/public.php b/classes/handler/public.php
index e216d7a36..2ad18fa1f 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -509,7 +509,7 @@ class Handler_Public extends Handler {
 if (clean($_POST["profile"])) {
- $profile = clean($_POST["profile"]);
+ $profile = (int) clean($_POST["profile"]);
 $sth = $this->pdo->prepare("SELECT id FROM ttrss_settings_profiles WHERE id = ? AND owner_uid = ?");
@@ -517,7 +517,9 @@ class Handler_Public extends Handler {
 if ($sth->fetch()) {
 $_SESSION["profile"] = $profile;
- }
+ } else {
+ $_SESSION["profile"] = null;
+ }
 }
 } else {
-- cgit v1.2.3-54-g00ecf
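Review bot: The `(int)` cast on the added line in the first hunk coerces instead of validating, so a value such as `"12abc"` becomes 12 and a non-numeric string becomes 0, while the guard `if (clean($_POST["profile"]))` still tests the uncast value. The `owner_uid = ?` condition in the prepared statement keeps the lookup scoped to the user's own profiles, so this is a strictness point rather than a bypass. Consider `$profile = filter_var(clean($_POST["profile"]), FILTER_VALIDATE_INT);` and skipping the lookup when it returns `false`; how `clean()` treats array input is not visible here. The enclosing method starts and ends outside the hunk.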
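Review bot: The new `else` branch in the second hunk clears `$_SESSION["profile"]` only when the ownership lookup fails; when the outer `if (clean($_POST["profile"]))` is false (field absent, empty or `"0"`), neither branch runs and whatever the session already held is kept. Whether a previous value can exist at this point depends on session handling outside the hunk, so this is worth confirming rather than a known defect. Assigning `$_SESSION["profile"] = null;` once before the outer `if` would make a successful ownership check the only path to a non-null profile and would make the `else` unnecessary. A failed lookup for a submitted profile id is also a reasonable event to log, since it means the request named a profile the user does not own.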