Explicitly cast id to int & escape in header

cluebotng · Aug 23, 2021 · 5d7cd9e · 5d7cd9e
1 parent 397a2fc
commit 5d7cd9e
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/pages/View.page.php b/pages/View.page.php
@@ -11,7 +11,7 @@ class ViewPage extends Page
     public function __construct()
     {
         global $mysql;
-        $this->id = $_REQUEST['id'];
+        $this->id = (int)$_REQUEST['id'];
         $result = mysqli_query($mysql, 'SELECT * FROM `vandalism` WHERE `id` = \'' . mysqli_real_escape_string($mysql, $this->id) . '\'');
         $this->row = mysqli_fetch_assoc($result);
         $this->data = getReport($this->id);
@@ -52,7 +52,7 @@ public function __construct()
 
     public function writeHeader()
     {
-        echo 'Viewing ' . $this->id;
+        echo 'Viewing ' . htmlspecialchars($this->id);
     }
 
     public function writeContent()