From 3c70b55ae36de4c33de9c78fda7417d7c53245ee Mon Sep 17 00:00:00 2001
From: Mark Samman
Date: Wed, 29 Oct 2014 19:32:48 +0100
Subject: [PATCH] Fix SQL injection in admin_reports.php

---
 admin_reports.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/admin_reports.php b/admin_reports.php
index 1f735e7..2185b95 100644
--- a/admin_reports.php
+++ b/admin_reports.php
@@ -41,9 +41,9 @@ if (!empty($_POST)) {
 $customPoints = getValue($_POST['customPoints']);
 $reportId = getValue($_POST['id']);
- $changelogReportId = &$_POST['changelogReportId'];
+ $changelogReportId = (int)$_POST['changelogReportId'];
 $changelogValue = &$_POST['changelogValue'];
- $changelogText = &$_POST['changelogText'];
+ $changelogText = getValue($_POST['changelogText']);
 $changelogStatus = ($changelogReportId !== false && $changelogValue === '2' && $changelogText !== false) ? true : false;
 if ($customPoints !== false)
 $price = (int)($price + $customPoints);