diff --git a/file_upload_security.module b/file_upload_security.module
index 296bed8..ce3a9ba 100644
--- a/file_upload_security.module
+++ b/file_upload_security.module
@@ -302,7 +302,7 @@ function file_upload_security_fix_fields(&$files = array()) {
 function file_upload_security_fix_webforms(&$files = array()) {
   $query = db_select('webform_component', 'c')
     ->fields('c', array('cid'))
-    ->condition('extra', '%s:6:"scheme";s:6:"public"%', 'LIKE')
+    ->condition('extra', '%s:6:"scheme";s:7:"private"%', 'NOT LIKE')
     ->condition('type', 'file');
 
   $query->leftJoin('webform_submitted_data', 's', 's.cid = c.cid AND s.nid = c.nid');
@@ -315,13 +315,20 @@ function file_upload_security_fix_webforms(&$files = array()) {
     $files = $files + $fids;
   }
 
-  $update = db_update('webform_component')
-    ->expression('extra', 'REPLACE(extra, :public_scheme, :private_scheme)', array(
-      ':public_scheme' => 's:6:"scheme";s:6:"public"',
-      ':private_scheme' => 's:6:"scheme";s:7:"private"',
-    ))
-    ->condition('type', 'file')
-    ->execute();
+  $select = db_select('webform_component', 'c')
+    ->fields('c', array('cid', 'extra'))
+    ->condition('extra', '%s:6:"scheme";s:7:"private"%', 'NOT LIKE')
+    ->condition('type', 'file');
+
+  foreach ($select->execute() as $component) {
+    $extra = unserialize($component->extra);
+    $extra['scheme'] = 'private';
+    $component->extra = serialize($extra);
+    db_update('webform_component')
+      ->condition('cid', $component->cid)
+      ->fields(array('extra' => $component->extra))
+      ->execute();
+  }
 }
 
 /**