From 4a1ba0b2c2ae1b5c23ae298adf3e38804969f8b6 Mon Sep 17 00:00:00 2001
From: Rhuan Gonzaga
Date: Tue, 1 Jul 2014 10:39:16 -0300
Subject: [PATCH] Security vulnerability
---
 admin_helpdesk.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/admin_helpdesk.php b/admin_helpdesk.php
index 925a497..9a4c27c 100644
--- a/admin_helpdesk.php
+++ b/admin_helpdesk.php
@@ -2,9 +2,12 @@ protect_page();
 admin_only($user_data);
-if (isset($_GET['view'])) {
+// Declare as int
+$view = (int)$_GET['view'];
+if ($view){
 if (!empty($_POST['reply_text'])) {
+ sanitize($_POST['reply_text']);
 // Save ticket reply on database
 $query = array(
@@ -13,6 +16,9 @@ if (isset($_GET['view'])) {
 'message' => $_POST['reply_text'],
 'created' => time(),
 );
+
+ //Sanitize array
+ array_walk($query, 'array_sanitize');
 $fields = '`'. implode('`, `', array_keys($query)) .'`';
 $data = '\''. implode('\', \'', $query) .'\'';
@@ -21,7 +27,7 @@ if (isset($_GET['view'])) {
 }
-$ticketData = mysql_select_single("SELECT * FROM znote_tickets WHERE id=". addslashes($_GET['view']));
+$ticketData = mysql_select_single("SELECT * FROM znote_tickets WHERE id=". addslashes((int)$_GET['view']));
 ?>
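Review bot: The return value of `sanitize($_POST['reply_text']);` added inside the `if (!empty($_POST['reply_text']))` branch is discarded, so unless `sanitize()` takes its argument by reference the unescaped POST value is still what is placed in `$query['message']` in the next hunk; its definition is not in this diff, so confirm, or write `$_POST['reply_text'] = sanitize($_POST['reply_text']);` which is correct either way. The same question applies to `array_walk($query, 'array_sanitize');` in the second hunk, since array_walk only alters the array when the callback declares its first parameter as `&$value`. Separately, `$view = (int)$_GET['view'];` drops the old `isset()` guard, so a request without `view` now triggers an undefined-index notice before the cast; `$view = isset($_GET['view']) ? (int)$_GET['view'] : 0;` preserves the earlier behaviour. Escaping values into a string-built INSERT is still weaker than a parameterised query, so replacing the `mysql_*` helpers with prepared statements is the longer-term fix. The `if ($view)` block continues past the end of this hunk.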

View Ticket #

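Review bot: `addslashes((int)$_GET['view'])` in the `$ticketData` query is redundant once the value is cast to int — addslashes has nothing to escape in an integer — and it re-reads `$_GET['view']`, which repeats the undefined-index notice when the parameter is absent. The `$view` assigned at the top of the file already holds the cast value, so `$ticketData = mysql_select_single("SELECT * FROM znote_tickets WHERE id=" . $view);` is clearer and avoids the second raw read. The query still executes with `id=0` when no ticket was requested, as it did before this change; checking `$ticketData` before the `View Ticket #` heading would avoid rendering a missing ticket. The lines after `?>` appear to have lost their markup in this copy, so the remainder of the hunk cannot be reviewed.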
@@ -46,7 +52,7 @@ $ticketData = mysql_select_single("SELECT * FROM znote_tickets WHERE id=". addsl
@@ -115,4 +121,4 @@ $tickets = mysql_select_multi("SELECT id,subject,creation,status FROM znote_tick
\ No newline at end of file
+?>