Digitalstack/ZnoteAAC
2
0
Fork 0
mirror of https://github.com/Znote/ZnoteAAC.git synced 2025-04-29 18:59:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

Security vulnerability

Browse Source
This commit is contained in:
Rhuan Gonzaga 2014-07-01 10:39:16 -03:00
parent 93c42dfe04
commit 4a1ba0b2c2
1 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
admin_helpdesk.php
View File

@ -2,9 +2,12 @@
protect_page();
admin_only($user_data);
if (isset($_GET['view'])) {
// Declare as int
$view = (int)$_GET['view'];
if ($view){
if (!empty($_POST['reply_text'])) {
sanitize($_POST['reply_text']);
// Save ticket reply on database
$query = array(
@ -13,6 +16,9 @@ if (isset($_GET['view'])) {
'message' => $_POST['reply_text'],
'created' => time(),
);
//Sanitize array
array_walk($query, 'array_sanitize');
$fields = '`'. implode('`, `', array_keys($query)) .'`';
$data = '\''. implode('\', \'', $query) .'\'';
@ -21,7 +27,7 @@ if (isset($_GET['view'])) {
}
$ticketData = mysql_select_single("SELECT * FROM znote_tickets WHERE id=". addslashes($_GET['view']));
$ticketData = mysql_select_single("SELECT * FROM znote_tickets WHERE id=". addslashes((int)$_GET['view']));
?>
<h1>View Ticket #<?php echo $ticketData['id']; ?></h1>
@ -46,7 +52,7 @@ $ticketData = mysql_select_single("SELECT * FROM znote_tickets WHERE id=". addsl
</table>
<?php
$replies = mysql_select_multi("SELECT * FROM znote_tickets_replies WHERE tid='". $_GET['view'] ."' ORDER BY `created`;");
$replies = mysql_select_multi("SELECT * FROM znote_tickets_replies WHERE tid='". addslashes((int)$_GET['view']) ."' ORDER BY `created`;");
if ($replies !== false) {
foreach($replies as $reply) {
?>
@ -115,4 +121,4 @@ $tickets = mysql_select_multi("SELECT id,subject,creation,status FROM znote_tick
<?php
}
include 'layout/overall/footer.php';
?>
?>