force cast profile id to integer when assigning to session variable

classes/handler/public.php

@@ -509,7 +509,7 @@ class Handler_Public extends Handler {
 
 				if (clean($_POST["profile"])) {
 
-					$profile = clean($_POST["profile"]);
+					$profile = (int) clean($_POST["profile"]);
 
 					$sth = $this->pdo->prepare("SELECT id FROM ttrss_settings_profiles
 						WHERE id = ? AND owner_uid = ?");
@@ -517,6 +517,8 @@ class Handler_Public extends Handler {
 
 					if ($sth->fetch()) {
 						$_SESSION["profile"] = $profile;
+ 					} else {
+					    $_SESSION["profile"] = null;
                     }
 				}
 			} else {

classes/pref/prefs.php

@@ -454,13 +454,9 @@ class Pref_Prefs extends Handler_Protected {
 
 		$profile = $_SESSION["profile"];
 
-		if (!is_numeric($profile) || !$profile || get_schema_version() < 63) $profile = null;
-
 		if ($profile) {
 			print_notice(__("Some preferences are only available in default profile."));
-		}
 
-		if ($_SESSION["profile"]) {
 			initialize_user_prefs($_SESSION["uid"], $profile);
 		} else {
 			initialize_user_prefs($_SESSION["uid"]);

classes/rpc.php

@@ -8,7 +8,7 @@ class RPC extends Handler_Protected {
 	}
 
 	function setprofile() {
-		$_SESSION["profile"] = clean($_REQUEST["id"]);
+		$_SESSION["profile"] = (int) clean($_REQUEST["id"]);
 
 		// default value
 		if (!$_SESSION["profile"]) $_SESSION["profile"] = null;