2020-12-14, 11:55 AM
In our file handling function script
. PID is actually provided in function through third parameter
In few functions, such as
functions_upload.php following issues are found:function upload_avatar() : $db is declared global but never used in function.function upload_file() : $mybb is declared global but never used in function.function upload_attachment() : $theme & $templates are declared global but never used in function. In the same function variable $allowed_mime_types = array(); is declared, but never used. Also, this function globalizes $pid but never checks the availability of it, resulting inserting 0 value in pid column of attachment table often. $pid should be required parameter, IMO.function add_attachments() : $editdraftpid is declared global but never used in function. In this same function, the first required parameter is $pid which is never used inside the function . PID is actually provided in function through third parameter $attachwhere.In few functions, such as
function remove_attachments() there is no fallback for unavailability of $pid not even triggering any error.function remove_attachments() has two parameters, $pid & $posthash whereas only one is required (either of the two) to remove all attachments from a post. If you go through the codebase you will see $posthash is never provided while calling this function.