diff --git a/media.module b/media.module
index 6d3f5ec..03bebb6 100644
--- a/media.module
+++ b/media.module
@@ -1119,3 +1119,46 @@ function media_load_all_exports($module, $directory, $extension, $name = NULL) {
 return $return;
 }
+
+/**
+ * Implements hook_views_query_alter().
+ *
+ * Alter the media browser library view to exclude files based on the media
+ * browser parameters. Note that the parameters come from the HTTP query and
+ * should be treated as user input.
+ */
+function media_views_query_alter(&$view, &$query) {
+ if ($view->name == 'media_default') {
+ module_load_include('inc', 'media', 'includes/media.browser');
+ $params = media_get_browser_params();
+
+ // Restrict files by type.
+ if (!empty($params['types'])) {
+ $where_group = $query->set_where_group();
+ $field = $query->base_table . '.type';
+ $query->add_where($where_group, $field, $params['types'], 'IN');
+ }
+
+ // Restrict files by URI scheme.
+ if (!empty($params['schemes'])) {
+ $where_group = $query->set_where_group('OR');
+ $field = $query->base_table . '.uri';
+ foreach ($params['schemes'] as $scheme) {
+ $value = db_like($scheme) . '%';
+ $query->add_where($where_group, $field, $value, 'LIKE');
+ }
+ }
+
+ // Restrict files by extension.
+ if (!empty($params['file_extensions'])) {
+ $where_group = $query->set_where_group('OR');
+ $field = $query->base_table . '.uri';
+ foreach (explode(' ', $params['file_extensions']) as $extension) {
+ // @todo MySQL is generally case insensitve, but case may be a problem
+ // on other databases.
+ $value = '%.' . db_like(trim($extension, '.'));
+ $query->add_where($where_group, $field, $value, 'LIKE');
+ }
+ }
+ }
+}
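Review bot: `$params['types']` and each `$scheme` reach `add_where()` and `db_like()` exactly as `media_get_browser_params()` returned them, and the docblock itself says they come from the HTTP query, so a request can supply a nested array or string keys where a flat list of strings is expected. Unless that helper (not visible in this hunk) already normalizes them, reduce each list to re-indexed strings before the `!empty()` checks, e.g. `$types = array_values(array_filter((array) $params['types'], 'is_string'));`, do the same for `schemes`, and confirm `file_extensions` passes `is_string()` before it goes to `explode()`. Separately, `db_like($scheme) . '%'` is a bare prefix match, so a value such as `temp` would also match `temporary://` URIs; `db_like($scheme) . '://%'` anchors the pattern to the scheme. Because all three filters are request-driven they only narrow the listing, so file access still has to be enforced by the view itself, which is worth stating in a one-line comment above the first `if`.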