authorAndrew Dolgov <[email protected]>2018-12-06 07:08:54 +0300
committerAndrew Dolgov <[email protected]>2018-12-06 07:08:54 +0300
commit19e24b4fe2905656ea1c8576e00389396ec3a14e (patch)
tree7898a89f7396eb89378b89354636b9c44f9edbcc
parentf33cd597be3f56b67eb23b42ae756b3c1397bf8a (diff)
force cast profile id to integer when assigning to session variable
-rwxr-xr-xclasses/handler/public.php6
-rw-r--r--classes/pref/prefs.php4
-rwxr-xr-xclasses/rpc.php2
3 files changed, 5 insertions, 7 deletions
diff --git a/classes/handler/public.php b/classes/handler/public.php
index e216d7a36..2ad18fa1f 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -509,7 +509,7 @@ class Handler_Public extends Handler {
if (clean($_POST["profile"])) {
- $profile = clean($_POST["profile"]);
+ $profile = (int) clean($_POST["profile"]);
$sth = $this->pdo->prepare("SELECT id FROM ttrss_settings_profiles
WHERE id = ? AND owner_uid = ?");
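Review bot: The guard on the first line of this hunk, `if (clean($_POST["profile"]))`, still tests the uncast string, so a non-numeric value passes it and reaches the lookup as 0 after the new cast. The prepared statement keeps that harmless, but it costs a pointless query and leaves the guard and the stored value disagreeing about what counts as "a profile was supplied". Casting once before the test fixes both: `$profile = (int) clean($_POST["profile"]);` followed by `if ($profile) {`. If `clean()` can return an array for array-shaped input (it is not visible here), `(int)` would turn a non-empty array into 1, so it may be worth rejecting non-scalar values before the cast.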
@@ -517,7 +517,9 @@ class Handler_Public extends Handler {
if ($sth->fetch()) {
$_SESSION["profile"] = $profile;
- }
+ } else {
+ $_SESSION["profile"] = null;
+ }
}
} else {
diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php
index af827af58..92a5f0818 100644
--- a/classes/pref/prefs.php
+++ b/classes/pref/prefs.php
@@ -454,13 +454,9 @@ class Pref_Prefs extends Handler_Protected {
$profile = $_SESSION["profile"];
- if (!is_numeric($profile) || !$profile || get_schema_version() < 63) $profile = null;
-
if ($profile) {
print_notice(__("Some preferences are only available in default profile."));
- }
- if ($_SESSION["profile"]) {
initialize_user_prefs($_SESSION["uid"], $profile);
} else {
initialize_user_prefs($_SESSION["uid"]);
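Review bot: Removing the `is_numeric` check makes this read of `$_SESSION["profile"]` depend on every writer having stored an integer or null. The two writers touched by this commit now do, but sessions created before the change may still hold an uncast string, and any other assignment site outside this diff would go unchecked. A cheap guard at the point of use keeps the invariant local: `$profile = (int) $_SESSION["profile"] ?: null;`. The if/else shown here continues past the end of the hunk.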
diff --git a/classes/rpc.php b/classes/rpc.php
index bd4337fbe..41325d62a 100755
--- a/classes/rpc.php
+++ b/classes/rpc.php
@@ -8,7 +8,7 @@ class RPC extends Handler_Protected {
}
function setprofile() {
- $_SESSION["profile"] = clean($_REQUEST["id"]);
+ $_SESSION["profile"] = (int) clean($_REQUEST["id"]);
// default value
if (!$_SESSION["profile"]) $_SESSION["profile"] = null;
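Review bot: `setprofile()` stores the cast id in the session without checking that the profile belongs to the logged-in user, whereas the login path in classes/handler/public.php only accepts an id after `SELECT id FROM ttrss_settings_profiles WHERE id = ? AND owner_uid = ?` succeeds. The integer cast removes the type problem but not the authorization gap: any authenticated caller can select an arbitrary numeric profile id. The impact depends on whether every later query that uses the session profile also filters by owner, which is not visible here. Running the same ownership lookup before assigning would make both entry points agree, and a failed lookup (including id 0) falls back to null, which also covers the existing default-value line. This assumes `$this->pdo` is available in RPC as it is in Handler_Public; the function body continues outside the hunk.

```php
function setprofile() {
	$id = (int) clean($_REQUEST["id"]);

	// accept only a profile owned by the logged-in user, as the login handler does
	$sth = $this->pdo->prepare("SELECT id FROM ttrss_settings_profiles
		WHERE id = ? AND owner_uid = ?");
	$sth->execute([$id, $_SESSION["uid"]]);

	$_SESSION["profile"] = $sth->fetch() ? $id : null;
	// … unchanged: rest of setprofile() …
```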