From c62d667287f2d76c81e03a740a581eb3c51249b6 Mon Sep 17 00:00:00 2001
From: Garvin Hicking <blog@garv.in>
Date: Mon, 16 Jan 2017 11:29:15 +0100
Subject: [PATCH]   * [Security] Fix missing integer casting for inserting new
 categories     (thanks to cdxy)

---
 docs/NEWS                         | 3 +++
 include/functions_entries.inc.php | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/docs/NEWS b/docs/NEWS
index 1cba2d21..cd799fe0 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -20,6 +20,9 @@ Version 2.1 ()
       
     * [Security] Redirection of comment.php now checks the referrer
       and only allows the blog's host (thanks to Lee Sheldon Victor)
+      
+    * [Security] Fix missing integer casting for inserting new categories
+      (thanks to cdxy)
 
     * Disabled Selenium test files unless enabled
 
diff --git a/include/functions_entries.inc.php b/include/functions_entries.inc.php
index 45453c80..59bdf81a 100644
--- a/include/functions_entries.inc.php
+++ b/include/functions_entries.inc.php
@@ -1523,7 +1523,7 @@ function serendipity_updertEntry($entry) {
         if (is_array($categories)) {
             serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}entrycat WHERE entryid={$entry['id']}");
             foreach ($categories as $cat) {
-                serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}entrycat (entryid, categoryid) VALUES ({$entry['id']}, {$cat})");
+                serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}entrycat (entryid, categoryid) VALUES ({$entry['id']}, " . (int)$cat . ")");
             }
         } elseif ($had_categories) {
             // This case actually only happens if an existing entry is edited, and its category assignments are all removed.