From 048794a3200dd0252f89ae5f1110688983407011 Mon Sep 17 00:00:00 2001
From: Stefan Brannfjell <braste10@nith.no>
Date: Sat, 6 Sep 2014 16:10:00 +0200
Subject: [PATCH] Improved the helpdesk code.

---
 admin_helpdesk.php | 193 ++++++++++-----------
 helpdesk.php       | 424 +++++++++++++++++++++------------------------
 2 files changed, 291 insertions(+), 326 deletions(-)
diff --git a/admin_helpdesk.php b/admin_helpdesk.php
index 9a4c27c..46f4304 100644
--- a/admin_helpdesk.php
+++ b/admin_helpdesk.php
@@ -3,122 +3,107 @@ protect_page();
 admin_only($user_data);
 
 // Declare as int
-$view = (int)$_GET['view'];
-if ($view){
-
+$view = (isset($_GET['view']) && (int)$_GET['view'] > 0) ? (int)$_GET['view'] : false;
+if ($view !== false){
 	if (!empty($_POST['reply_text'])) {
-	sanitize($_POST['reply_text']);
+		sanitize($_POST['reply_text']);
 
 		// Save ticket reply on database
 		$query = array(
-			'tid'   =>	$_GET['view'],
-			'username'=>	$_POST['username'],
-			'message' =>	$_POST['reply_text'],
+			'tid'   =>	$view,
+			'username'=>	getValue($_POST['username']),
+			'message' =>	getValue($_POST['reply_text']),
 			'created' =>	time(),
 		);
+		$fields = '`'. implode('`, `', array_keys($query)) .'`';
+		$data = '\''. implode('\', \'', $query) .'\'';
 
-		//Sanitize array
-		array_walk($query, 'array_sanitize');
-		
-	$fields = '`'. implode('`, `', array_keys($query)) .'`';
-	$data = '\''. implode('\', \'', $query) .'\'';
-	mysql_insert("INSERT INTO `znote_tickets_replies` ($fields) VALUES ($data)");
-	mysql_update("UPDATE `znote_tickets` SET `status`='Staff-Reply' WHERE `id`=". $_GET['view']);
-
-		}
-
-$ticketData = mysql_select_single("SELECT * FROM znote_tickets WHERE id=". addslashes((int)$_GET['view']));
+		mysql_insert("INSERT INTO `znote_tickets_replies` ($fields) VALUES ($data)");
+		mysql_update("UPDATE `znote_tickets` SET `status`='Staff-Reply' WHERE `id`='$view' LIMIT 1;");
+	}
 
+	$ticketData = mysql_select_single("SELECT * FROM znote_tickets WHERE id='$view' LIMIT 1;");
 	?>
-<h1>View Ticket #<?php echo $ticketData['id']; ?></h1>
-
-				<table class="znoteTable ThreadTable table table-striped">
-					<tr class="yellow">
-						<th>
-							<?php 
-								echo getClock($ticketData['creation'], true); 
-							?>
-							 - Created by: 
-							 <?php 
-							 	echo $ticketData['username'];
-							 ?>
-						</th>
-					</tr>
-					<tr>
-						<td>
-							<p><?php echo nl2br($ticketData['message']); ?></p>
-						</td>
-					</tr>
-				</table>
-
-				<?php
-				$replies = mysql_select_multi("SELECT * FROM znote_tickets_replies WHERE tid='". addslashes((int)$_GET['view']) ."' ORDER BY `created`;");
-				if ($replies !== false) {
-					foreach($replies as $reply) {
+	<h1>View Ticket #<?php echo $ticketData['id']; ?></h1>
+	<table class="znoteTable ThreadTable table table-striped">
+		<tr class="yellow">
+			<th>
+				<?php 
+					echo getClock($ticketData['creation'], true); 
+				?>
+				 - Created by: 
+				 <?php 
+				 	echo $ticketData['username'];
+				 ?>
+			</th>
+		</tr>
+		<tr>
+			<td>
+				<p><?php echo nl2br($ticketData['message']); ?></p>
+			</td>
+		</tr>
+	</table>
+	<?php
+	$replies = mysql_select_multi("SELECT * FROM znote_tickets_replies WHERE tid='$view' ORDER BY `created`;");
+	if ($replies !== false) {
+		foreach($replies as $reply) {
+			?>
+			<table class="znoteTable ThreadTable table table-striped">
+				<tr class="yellow">
+					<th>
+						<?php 
+							echo getClock($reply['created'], true); 
 						?>
-						<table class="znoteTable ThreadTable table table-striped">
-							<tr class="yellow">
-								<th>
-									<?php 
-										echo getClock($reply['created'], true); 
-									?>
-									 - Posted by: 
-									 <?php 
-									 	echo $reply['username'];
-									 ?>
-								</th>
-							</tr>
-							<tr>
-								<td>
-									<p><?php echo nl2br($reply['message']); ?></p>
-								</td>
-							</tr>
-						</table>
-						<hr class="bighr">
-<?php
-					}
-					}
-?>
-					
-											<form action="" method="post">
-							<input type="hidden" name="username" value="ADMIN"><br>
-
-							<textarea class="forumReply" name="reply_text" style="width: 610px; height: 150px"></textarea><br>
-
-							<input name="" type="submit" value="Post Reply" class="btn btn-primary">
-
-						</form>
-<?php
-}else{
-?> 
-
-<h1>Latest Tickets</h1>
-
+						 - Posted by: 
+						 <?php 
+						 	echo $reply['username'];
+						 ?>
+					</th>
+				</tr>
+				<tr>
+					<td>
+						<p><?php echo nl2br($reply['message']); ?></p>
+					</td>
+				</tr>
+			</table>
+			<hr class="bighr">
 		<?php
-
-$tickets = mysql_select_multi("SELECT id,subject,creation,status FROM znote_tickets ORDER BY creation DESC");
-		if ($tickets !== false) {
+		}
+	}
+	?>
+	<form action="" method="post">
+		<input type="hidden" name="username" value="ADMIN"><br>
+		<textarea class="forumReply" name="reply_text" style="width: 610px; height: 150px"></textarea><br>
+		<input name="" type="submit" value="Post Reply" class="btn btn-primary">
+	</form>
+	<?php
+} else {
+	?> 
+	<h1>Latest Tickets</h1>
+	<?php
+	$tickets = mysql_select_multi("SELECT id,subject,creation,status FROM znote_tickets ORDER BY creation DESC");
+	if ($tickets !== false) {
 		?>
-
-<table>
-	<tr class="yellow">
-		<td>ID:</td>
-		<td>Subject:</td>
-		<td>Creation:</td>
-		<td>Status:</td>
-	</tr>
+		<table>
+			<tr class="yellow">
+				<td>ID:</td>
+				<td>Subject:</td>
+				<td>Creation:</td>
+				<td>Status:</td>
+			</tr>
+				<?php
+				foreach ($tickets as $ticket) {
+					echo '<tr class="special">';
+						echo '<td>'. $ticket['id'] .'</td>';
+						echo '<td><a href="admin_helpdesk.php?view='. $ticket['id'] .'">'. $ticket['subject'] .'</a></td>';
+						echo '<td>'. getClock($ticket['creation'], true) .'</td>';
+						echo '<td>'. $ticket['status'] .'</td>';
+					echo '</tr>';
+				}
+				?>
+		</table>
 		<?php
-		foreach ($tickets as $ticket) {
-		echo '<tr class="special">';
-		echo '<td>'. $ticket['id'] .'</td>';
-		echo '<td><a href="admin_helpdesk.php?view='. $ticket['id'] .'">'. $ticket['subject'] .'</a></td>';
-		echo '<td>'. getClock($ticket['creation'], true) .'</td>';
-		echo '<td>'. $ticket['status'] .'</td>';
-		}}
-		?>
-</table>
-
-<?php
+	} else echo 'No helpdesk tickets has been submitted.';
 }
 include 'layout/overall/footer.php'; 
-?>
+?>
\ No newline at end of file
diff --git a/helpdesk.php b/helpdesk.php
index df1f22e..5704c55 100644
--- a/helpdesk.php
+++ b/helpdesk.php
@@ -1,243 +1,223 @@
 <?php
 require_once 'engine/init.php';
-
 if (user_logged_in() === false) {
 	header('Location: register.php');
 }
-
 include 'layout/overall/header.php';
 
-$view = (int)$_GET['view'];
-if ($view) {
-
+$view = (isset($_GET['view']) && (int)$_GET['view'] > 0) ? (int)$_GET['view'] : false;
+if ($view !== false) {
 	if (!empty($_POST['reply_text'])) {
-	sanitize($_POST['reply_text']);
 
 		// Save ticket reply on database
 		$query = array(
-			'tid'   =>	$_GET['view'],
-			'username'=>	$_POST['username'],
-			'message' =>	$_POST['reply_text'],
+			'tid'   =>	$view,
+			'username'=>	getValue($_POST['username']),
+			'message' =>	getValue($_POST['reply_text']),
 			'created' =>	time(),
 		);
+		$fields = '`'. implode('`, `', array_keys($query)) .'`';
+		$data = '\''. implode('\', \'', $query) .'\'';
+		mysql_insert("INSERT INTO `znote_tickets_replies` ($fields) VALUES ($data)");
+		mysql_update("UPDATE `znote_tickets` SET `status`='Player-Reply' WHERE `id`='$view' LIMIT 1;");
+	}
+	$ticketData = mysql_select_single("SELECT * FROM znote_tickets WHERE id='$view' LIMIT 1;");
 
-		//Sanitize array
-		array_walk($query, 'array_sanitize');
-		
-	$fields = '`'. implode('`, `', array_keys($query)) .'`';
-	$data = '\''. implode('\', \'', $query) .'\'';
-	mysql_insert("INSERT INTO `znote_tickets_replies` ($fields) VALUES ($data)");
-	mysql_update("UPDATE `znote_tickets` SET `status`='Player-Reply' WHERE `id`=". $_GET['view']);
-
-		}
-
-$ticketData = mysql_select_single("SELECT * FROM znote_tickets WHERE id=". addslashes((int)$_GET['view']));
-
-if($ticketData['owner'] != $session_user_id){
-echo 'You can not view this ticket!';
-die;
-}
+	if($ticketData['owner'] != $session_user_id) {
+		echo 'You can not view this ticket!';
+		include 'layout/overall/footer.php';
+		die;
+	}
 	?>
-<h1>View Ticket #<?php echo $ticketData['id']; ?></h1>
-
-				<table class="znoteTable ThreadTable table table-striped">
-					<tr class="yellow">
-						<th>
-							<?php 
-								echo getClock($ticketData['creation'], true); 
-							?>
-							 - Created by: 
-							 <?php 
-							 	echo $ticketData['username'];
-							 ?>
-						</th>
-					</tr>
-					<tr>
-						<td>
-							<p><?php echo nl2br($ticketData['message']); ?></p>
-						</td>
-					</tr>
-				</table>
-
+	<h1>View Ticket #<?php echo $ticketData['id']; ?></h1>
+	<table class="znoteTable ThreadTable table table-striped">
+		<tr class="yellow">
+			<th>
 				<?php
-				$replies = mysql_select_multi("SELECT * FROM znote_tickets_replies WHERE tid='". (int)$_GET['view'] ."' ORDER BY `created`;");
-				if ($replies !== false) {
-					foreach($replies as $reply) {
-						?>
-						<table class="znoteTable ThreadTable table table-striped">
-							<tr class="yellow">
-								<th>
-									<?php 
-										echo getClock($reply['created'], true); 
-									?>
-									 - Posted by: 
-									 <?php 
-									 	echo $reply['username'];
-									 ?>
-								</th>
-							</tr>
-							<tr>
-								<td>
-									<p><?php echo nl2br($reply['message']); ?></p>
-								</td>
-							</tr>
-						</table>
-						<hr class="bighr">
-<?php
-					}
-					}
-?>
-					
-											<form action="" method="post">
-							<input type="hidden" name="username" value="<?php echo $ticketData['username']; ?>"><br>
-
-							<textarea class="forumReply" name="reply_text" style="width: 610px; height: 150px"></textarea><br>
-
-							<input name="" type="submit" value="Post Reply" class="btn btn-primary">
-						</form>
-<?php
-
-}else{ 
-
-$account = mysql_select_single("SELECT name,email FROM accounts WHERE id = $session_user_id");
-
-if (empty($_POST) === false) {
-	// $_POST['']
-	$required_fields = array('username', 'email', 'subject', 'message');
-	foreach($_POST as $key=>$value) {
-		if (empty($value) && in_array($key, $required_fields) === true) {
-			$errors[] = 'You need to fill in all fields.';
-			break 1;
-		}
-	}
-	
-	// check errors (= user exist, pass long enough
-	if (empty($errors) === true) {
-		/* Token used for cross site scripting security */
-		if (!Token::isValid($_POST['token'])) {
-			$errors[] = 'Token is invalid.';
-		}
-		if ($config['use_captcha']) {
-			include_once 'captcha/securimage.php';
-			$securimage = new Securimage();
-			if ($securimage->check($_POST['captcha_code']) == false) {
-			  $errors[] = 'Captcha image verification was submitted wrong.';
-			}
-		}		
-		if (validate_ip(getIP()) === false && $config['validate_IP'] === true) {
-			$errors[] = 'Failed to recognize your IP address. (Not a valid IPv4 address).';
-		}
-	}
-}
-
-?>
-<h1>Latest Tickets</h1>
-
-		<?php
-
-$tickets = mysql_select_multi("SELECT id,subject,creation,status FROM znote_tickets WHERE owner=$session_user_id ORDER BY creation DESC");
-		if ($tickets !== false) {
-		?>
-
-<table>
-	<tr class="yellow">
-		<td>ID:</td>
-		<td>Subject:</td>
-		<td>Creation:</td>
-		<td>Status:</td>
-	</tr>
-		<?php
-		foreach ($tickets as $ticket) {
-		echo '<tr class="special">';
-		echo '<td>'. $ticket['id'] .'</td>';
-		echo '<td><a href="helpdesk.php?view='. $ticket['id'] .'">'. $ticket['subject'] .'</a></td>';
-		echo '<td>'. getClock($ticket['creation'], true) .'</td>';
-		echo '<td>'. $ticket['status'] .'</td>';
-		}}
-		?>
-</table>
-
-
-
-
-<h1>Helpdesk</h1>
-<?php
-if (isset($_GET['success']) && empty($_GET['success'])) {
-	echo 'Congratulations! Your ticket has been created. We will reply up to 24 hours.';
-} else {
-	if (empty($_POST) === false && empty($errors) === true) {
-		if ($config['log_ip']) {
-			znote_visitor_insert_detailed_data(1);
-		}
-		//Save ticket on database
-		$query = array(
-			'owner'   =>	$session_user_id,
-			'username'=>	$_POST['username'],
-			'subject' =>	$_POST['subject'],
-			'message' =>	$_POST['message'],
-			'ip'	  =>	ip2long(getIP()),
-			'creation' =>	time(),
-			'status'  =>	'Open'
-		);
-
-
-		//Sanitize array
-		array_walk($query, 'array_sanitize');
-		
-	$fields = '`'. implode('`, `', array_keys($query)) .'`';
-	$data = '\''. implode('\', \'', $query) .'\'';
-	mysql_insert("INSERT INTO `znote_tickets` ($fields) VALUES ($data)");
-
-		header('Location: helpdesk.php?success');
-		exit();
-		
-	} else if (empty($errors) === false){
-		echo '<font color="red"><b>';
-		echo output_errors($errors);
-		echo '</b></font>';
-	}
-?>
-	<form action="" method="post">
-		<ul>
-			<li>
-				Account Name:<br>
-				<input type="text" name="username" size="40" value="<?php echo $account['name']; ?>" disabled>
-			</li>
-			<li>
-				Email:<br>
-				<input type="text" name="email" size="40" value="<?php echo $account['email']; ?>" disabled>
-			</li>
-			<li>
-				Subject:<br>
-				<input type="text" name="subject" size="40">
-			</li>
-			<li>
-				Message:<br>
-				<textarea name="message" rows="7" cols="30"></textarea>
-			</li>
-			<?php
-			if ($config['use_captcha']) {
+					echo getClock($ticketData['creation'], true); 
 				?>
+				 - Created by: 
+				 <?php 
+				 	echo $ticketData['username'];
+				 ?>
+			</th>
+		</tr>
+		<tr>
+			<td>
+				<p><?php echo nl2br($ticketData['message']); ?></p>
+			</td>
+		</tr>
+	</table>
+	<?php
+	$replies = mysql_select_multi("SELECT * FROM znote_tickets_replies WHERE tid='$view' ORDER BY `created`;");
+	if ($replies !== false) {
+		foreach($replies as $reply) {
+			?>
+			<table class="znoteTable ThreadTable table table-striped">
+				<tr class="yellow">
+					<th>
+						<?php 
+							echo getClock($reply['created'], true); 
+						?>
+						 - Posted by: 
+						 <?php 
+						 	echo $reply['username'];
+						 ?>
+					</th>
+				</tr>
+				<tr>
+					<td>
+						<p><?php echo nl2br($reply['message']); ?></p>
+					</td>
+				</tr>
+			</table>
+			<hr class="bighr">
+		<?php
+		}
+	}
+	?>
+	<form action="" method="post">
+		<input type="hidden" name="username" value="<?php echo $ticketData['username']; ?>"><br>
+		<textarea class="forumReply" name="reply_text" style="width: 610px; height: 150px"></textarea><br>
+		<input name="" type="submit" value="Post Reply" class="btn btn-primary">
+	</form>
+	<?php
+} else {
+
+	$account = mysql_select_single("SELECT name,email FROM accounts WHERE id = $session_user_id");
+	if (!empty($_POST)) {
+		$required_fields = array('username', 'email', 'subject', 'message');
+		foreach($_POST as $key=>$value) {
+			if (empty($value) && in_array($key, $required_fields) === true) {
+				$errors[] = 'You need to fill in all fields.';
+				break 1;
+			}
+		}
+		
+		// check errors (= user exist, pass long enough
+		if (empty($errors) === true) {
+			/* Token used for cross site scripting security */
+			if (!Token::isValid($_POST['token'])) {
+				$errors[] = 'Token is invalid.';
+			}
+			if ($config['use_captcha']) {
+				include_once 'captcha/securimage.php';
+				$securimage = new Securimage();
+				if ($securimage->check($_POST['captcha_code']) == false) {
+				  $errors[] = 'Captcha image verification was submitted wrong.';
+				}
+			}
+			// Reversed this if, so: first check if you need to validate, then validate. 
+			if ($config['validate_IP'] === true && validate_ip(getIP()) === false) {
+				$errors[] = 'Failed to recognize your IP address. (Not a valid IPv4 address).';
+			}
+		}
+	}
+	?>
+	<h1>Latest Tickets</h1>
+	<?php
+	$tickets = mysql_select_multi("SELECT id,subject,creation,status FROM znote_tickets WHERE owner=$session_user_id ORDER BY creation DESC");
+	if ($tickets !== false) {
+		?>
+		<table>
+			<tr class="yellow">
+				<td>ID:</td>
+				<td>Subject:</td>
+				<td>Creation:</td>
+				<td>Status:</td>
+			</tr>
+				<?php
+				foreach ($tickets as $ticket) {
+					echo '<tr class="special">';
+						echo '<td>'. $ticket['id'] .'</td>';
+						echo '<td><a href="helpdesk.php?view='. $ticket['id'] .'">'. $ticket['subject'] .'</a></td>';
+						echo '<td>'. getClock($ticket['creation'], true) .'</td>';
+						echo '<td>'. $ticket['status'] .'</td>';
+					echo '</tr>';
+				}
+				?>
+		</table>
+		<?php
+	}
+	?>
+
+	<h1>Helpdesk</h1>
+	<?php
+	if (isset($_GET['success']) && empty($_GET['success'])) {
+		echo 'Congratulations! Your ticket has been created. We will reply up to 24 hours.';
+	} else {
+
+		if (empty($_POST) === false && empty($errors) === true) {
+			if ($config['log_ip']) {
+				znote_visitor_insert_detailed_data(1);
+			}
+
+			//Save ticket on database
+			$query = array(
+				'owner'   =>	$session_user_id,
+				'username'=>	getValue($_POST['username']),
+				'subject' =>	getValue($_POST['subject']),
+				'message' =>	getValue($_POST['message']),
+				'ip'	  =>	ip2long(getIP()),
+				'creation' =>	time(),
+				'status'  =>	'Open'
+			);
+		
+			$fields = '`'. implode('`, `', array_keys($query)) .'`';
+			$data = '\''. implode('\', \'', $query) .'\'';
+			mysql_insert("INSERT INTO `znote_tickets` ($fields) VALUES ($data)");
+
+			header('Location: helpdesk.php?success');
+			exit();
+		
+		} else if (empty($errors) === false) {
+			echo '<font color="red"><b>';
+			echo output_errors($errors);
+			echo '</b></font>';
+		}
+		?>
+		<form action="" method="post">
+			<ul>
 				<li>
-					<b>Write the image symbols in the text field to verify that you are a human:</b>
-					<img id="captcha" src="captcha/securimage_show.php" alt="CAPTCHA Image" /><br>
-					<input type="text" name="captcha_code" size="10" maxlength="6" />
-					<a href="#" onclick="document.getElementById('captcha').src = 'captcha/securimage_show.php?' + Math.random(); return false">[ Different Image ]</a><br><br>
+					Account Name:<br>
+					<input type="text" name="username" size="40" value="<?php echo $account['name']; ?>" disabled>
+				</li>
+				<li>
+					Email:<br>
+					<input type="text" name="email" size="40" value="<?php echo $account['email']; ?>" disabled>
+				</li>
+				<li>
+					Subject:<br>
+					<input type="text" name="subject" size="40">
+				</li>
+				<li>
+					Message:<br>
+					<textarea name="message" rows="7" cols="30"></textarea>
 				</li>
 				<?php
-			}
-			?>
-			<?php
-				/* Form file */
-				Token::create();
-			?>
-			<li>
-				<input type="hidden" name="username" value="<?php echo $account['name']; ?>">
-				<input type="submit" value="Submit ticket">
-			</li>
-		</ul>
-	</form>
-<?php 
-}}
+				if ($config['use_captcha']) {
+					?>
+					<li>
+						<b>Write the image symbols in the text field to verify that you are a human:</b>
+						<img id="captcha" src="captcha/securimage_show.php" alt="CAPTCHA Image" /><br>
+						<input type="text" name="captcha_code" size="10" maxlength="6" />
+						<a href="#" onclick="document.getElementById('captcha').src = 'captcha/securimage_show.php?' + Math.random(); return false">[ Different Image ]</a><br><br>
+					</li>
+					<?php
+				}
+				?>
+				<?php
+					/* Form file */
+					Token::create();
+				?>
+				<li>
+					<input type="hidden" name="username" value="<?php echo $account['name']; ?>">
+					<input type="submit" value="Submit ticket">
+				</li>
+			</ul>
+		</form>
+		<?php 
+	}
+}
 include 'layout/overall/footer.php';
-?>
+?>
\ No newline at end of file

ID:	Subject:	Creation:	Status:
'. $ticket['id'] .'	'. $ticket['subject'] .'	'. getClock($ticket['creation'], true) .'	'. $ticket['status'] .'