create a generic bool_escape function, use that

core/util.inc.php

@@ -47,6 +47,25 @@ function sql_escape($input) {
 	return $database->db->Quote($input);
 }
 
+
+/**
+ * Turn all manner of HTML / INI / JS / DB booleans into a PHP one
+ *
+ * @retval boolean
+ */
+function bool_escape($input) {
+	$input = strtolower($input);
+	return (
+		$input == "y" ||
+		$input == "yes" ||
+		$input == "t" ||
+		$input == "true" ||
+		$input == "on" ||
+		$input == 1 ||
+		$input == true
+	);
+}
+
 /**
  * Some functions require a callback function for escaping,
  * but we might not want to alter the data

ext/upload/main.php

@@ -313,12 +313,7 @@ class Upload implements Extension {
 		
 		// Checks if user is admin > check if you want locked.
 		if($user->is_admin()){
-			// There must be a less messy way to do this..
+			$locked = bool_escape($_GET['locked']);
-			if($_GET['locked'] == "y" || $_GET['locked'] == "yes" || $_GET['locked'] == "true" || $_GET['locked'] == "on" || $_GET['locked'] == "n" || $_GET['locked'] == "no" || $_GET['locked'] == "false" || $_GET['locked'] == "off"){	
-				if($_GET['locked'] == "y" || $_GET['locked'] == "yes" || $_GET['locked'] == "true" || $_GET['locked'] == "on"){
-					$locked = "on";
-				}
-			}
 		}
 		
 		// Checks if url contains rating, also checks if the rating extension is enabled.
@@ -391,7 +386,7 @@ class Upload implements Extension {
 			
 			/* check for locked > adds to metadata if it has */
 			if(!empty($locked)){
-			$metadata['locked'] = $locked;
+				$metadata['locked'] = $locked ? "on" : "";
 			}
 						
 			/* check for rating > adds to metadata if it has */