From d7e1b30b0e43b3ab37ab182dc94e4fc4731acc29 Mon Sep 17 00:00:00 2001
From: Benjamin Southall
Date: Thu, 8 Jun 2017 08:13:57 +0900
Subject: [PATCH] Partial merge of https://github.com/vichan-devel/vichan/commit/736e98294516955562495879210a38906750fe97 [SECURITY] Lessen security impact

---
 post.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/post.php b/post.php
index 65f54d11..875bc12a 100644
--- a/post.php
+++ b/post.php
@@ -222,7 +222,7 @@ if (isset($_POST['delete'])) {
 error($config['error']['nodelete']);
 
 foreach ($delete as &$id) {
- $query = prepare(sprintf("SELECT `thread`, `time`,`password` FROM ``posts_%s`` WHERE `id` = :id", $board['uri']));
+ $query = prepare(sprintf("SELECT `id`,`thread`, `time`,`password` FROM ``posts_%s`` WHERE `id` = :id", $board['uri']));
 $query->bindValue(':id', $id, PDO::PARAM_INT);
 $query->execute() or error(db_error($query));
 
@@ -330,6 +330,12 @@ if (isset($_POST['delete'])) {
 $thread = $query->fetch(PDO::FETCH_ASSOC);
 
+ $error = event('report', array('ip' => $_SERVER['REMOTE_ADDR'], 'board' => $board['uri'], 'post' => $post, 'reason' => $reason,'link' => link_for($post)));
+
+ if ($error) {
+ error($error);
+ }
+
 if ($config['syslog'])
 _syslog(LOG_INFO, 'Reported post: ' . '/' . $board['dir'] . $config['dir']['res'] . link_for($post) . ($thread['thread'] ? '#' . $id : '') .
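Review bot: The `id` column added to the SELECT on the changed line is not consumed anywhere visible in this hunk, so a later reader cannot tell why the query changed; a comment on that line such as `// also fetch the stored id so the rest of the loop can use the row's value instead of the request-supplied $id` would record the intent (inferred from the subject's security note, so confirm against the rest of the foreach body). The foreach body continues beyond the hunk. The query itself stays parameterised, since `$id` is bound with `PDO::PARAM_INT` on the following context line; note that the by-reference `&$id` in the foreach header leaves `$id` aliased to the last element once the loop ends, which is outside this hunk.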