02-24-2026, 12:52 PM
Update!
Version 4.0
----------
+ Added a drag/drop picture uploader via DropZone, which is more user friendly.
- Fixed SQL injection vulnerability in UpdateGallerySettings() — $variable and $value are now escaped with $db->escape_string()
- Added CSRF protection (verify_post_check) to 6 admin actions: UnApprovePicture, ApprovePicture, DeleteComment, DeleteReport, CatUp, CatDown
- Replaced all $_REQUEST/$_GET usage with $mybb->get_input() across all files for proper MyBB input handling
- Removed @ error suppression on input variables
- Fixed double HTML encoding on database writes — removed htmlspecialchars_uni() wrapping around $db->escape_string() for stored values (titles, descriptions, keywords, comments, category fields). This prevents & artifacts on display.
- Fixed leftover $context['character_set'] reference, replaced with $lang->settings['charset'] in the EditPicture, AddCategory, and EditCategory forms
- Fixed race condition in image uploads — replaced shared /img.tmp temp filename with unique per-user filenames (img_{uid}_{random}.tmp) in AddPicture2 and EditPicture2, with cleanup on failure
- Added explicit parentheses for operator precedence clarity in 8 permission check conditions across mainview, MyImages, Search2, and ViewPicture
- Removed MyISAM engine specification from gallery_settings CREATE TABLE — now uses server default (InnoDB on modern MySQL)
Like what I do? Support me at https://www.patreon.com/vbgamer45/
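As an added illustration, not the plugin's own code, here is a hypothetical reconstruction of the pattern behind the first three fixes in the changelog (SQL injection in UpdateGallerySettings(), missing CSRF check, raw $_REQUEST reads), written in MyBB 1.8 plugin style: the unsafe version interpolates request values straight into SQL, while the hardened version gates on verify_post_check(), reads input through $mybb->get_input() and escapes with $db->escape_string(). The function names, the table name and its columns are assumptions.

```php
<?php
// Added example, not the plugin's own code. Assumes a MyBB 1.8 plugin
// context where $mybb and $db are the usual globals and the settings
// table is gallery_settings with columns `variable` and `value`.

// BEFORE (the class of bug the changelog describes): raw $_REQUEST values
// go straight into the query, and nothing ties the request to a form key,
// so any GET/POST, including a cross-site one, can rewrite settings.
function UpdateGallerySettings_unsafe()
{
    global $db;
    foreach ($_REQUEST['setting'] as $variable => $value) {
        $db->write_query("UPDATE " . TABLE_PREFIX . "gallery_settings
            SET value='" . $value . "' WHERE variable='" . $variable . "'");
    }
}

// AFTER: the request must be a POST carrying the session's form key,
// input is read through MyBB's typed accessor, every value is escaped
// before it reaches SQL, and the stored value is NOT HTML-encoded here
// (encode once at output time, which avoids the & artifacts).
function UpdateGallerySettings_hardened()
{
    global $mybb, $db;

    if ($mybb->request_method != 'post') {
        error_no_permission();
    }
    // Shows an error page and stops unless my_post_key matches the session.
    verify_post_check($mybb->get_input('my_post_key'));

    $settings = $mybb->get_input('setting', MyBB::INPUT_ARRAY);
    foreach ($settings as $variable => $value) {
        // MyBB's update_query() quotes but does not escape, so escape first.
        $variable = $db->escape_string((string)$variable);
        $value    = $db->escape_string((string)$value);
        $db->update_query('gallery_settings',
            array('value' => $value),
            "variable='" . $variable . "'");
    }
}

// Display side: encode exactly once when rendering, e.g.
//   echo htmlspecialchars_uni($setting['value']);
// Encoding on write as well is what produced the double-encoded & output.
```

The form that posts to this action must include the standard `my_post_key` hidden field (`$mybb->post_code`), otherwise every legitimate submission is rejected by verify_post_check().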