Fixing SQL-incjection found by tomreyn and general ticket-search, fixes #674
Signed-off-by: Florian Aders (EleRas) <eleras@froxlor.org>
This commit is contained in:
Florian Aders (EleRas)
@@ -597,8 +597,7 @@ elseif($page == 'archive'
|
||||
{
|
||||
$categories[$x] = isset($_POST['category' . $x]) ? $_POST['category' . $x] : '';
|
||||
}
|
||||
|
||||
$query = ticket::getArchiveSearchStatement($subject, $priority, $fromdate, $todate, $message, $customer, $userinfo['adminid'], $categories);
|
||||
$query = ticket::getArchiveSearchStatement($db, $subject, $priority, $fromdate, $todate, $message, $customer, $userinfo['adminid'], $categories);
|
||||
$fields = array(
|
||||
'lastchange' => $lng['ticket']['lastchange'],
|
||||
'ticket_answers' => $lng['ticket']['ticket_answers'],
|
||||
|
||||
@@ -508,18 +508,18 @@ class ticket
|
||||
* Returns a sql-statement to search the archive
|
||||
*/
|
||||
|
||||
static public function getArchiveSearchStatement($subject = NULL, $priority = NULL, $fromdate = NULL, $todate = NULL, $message = NULL, $customer = - 1, $admin = 1, $categories = NULL)
|
||||
static public function getArchiveSearchStatement($db, $subject = NULL, $priority = NULL, $fromdate = NULL, $todate = NULL, $message = NULL, $customer = - 1, $admin = 1, $categories = NULL)
|
||||
{
|
||||
$query = 'SELECT `main`.*,
|
||||
(SELECT COUNT(`sub`.`id`) FROM `' . TABLE_PANEL_TICKETS . '` `sub`
|
||||
WHERE `sub`.`answerto` = `main`.`id`) as `ticket_answers`
|
||||
FROM `' . TABLE_PANEL_TICKETS . '` `main`
|
||||
WHERE `main`.`archived` = "1" AND `main`.`answerto` = "0" AND `main`.`adminid` = "' . (int)$admin . '"';
|
||||
WHERE `main`.`archived` = "1" AND `main`.`adminid` = "' . (int)$admin . '" ';
|
||||
|
||||
if($subject != NULL
|
||||
&& $subject != '')
|
||||
{
|
||||
$query.= 'AND `main`.`subject` LIKE "%' . $subject . '%" ';
|
||||
$query.= 'AND `main`.`subject` LIKE "' . $db->escape("%$subject%") . '" ';
|
||||
}
|
||||
|
||||
if($priority != NULL
|
||||
@@ -560,8 +560,7 @@ class ticket
|
||||
if(isset($priority[2])
|
||||
&& $priority[2] != '')
|
||||
{
|
||||
$query.= 'AND (`main`.`priority` = "2"
|
||||
OR `main`.`priority` = "3") ';
|
||||
$query.= 'AND (`main`.`priority` = "2" OR `main`.`priority` = "3") ';
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -580,43 +579,52 @@ class ticket
|
||||
if($fromdate != NULL
|
||||
&& $fromdate > 0)
|
||||
{
|
||||
$query.= 'AND `main`.`lastchange` > "' . $fromdate . '" ';
|
||||
$query.= 'AND `main`.`lastchange` > "' . $db->escape(strtotime($fromdate)) . '" ';
|
||||
}
|
||||
|
||||
if($todate != NULL
|
||||
&& $todate > 0)
|
||||
{
|
||||
$query.= 'AND `main`.`lastchange` < "' . $todate . '" ';
|
||||
$query.= 'AND `main`.`lastchange` < "' . $db->escape(strtotime($todate)) . '" ';
|
||||
}
|
||||
|
||||
if($message != NULL
|
||||
&& $message != '')
|
||||
{
|
||||
$query.= 'AND `main`.`message` LIKE "%' . $message . '%" ';
|
||||
$query.= 'AND `main`.`message` LIKE "' . $db->escape("%$message%") . '" ';
|
||||
}
|
||||
|
||||
if($customer != - 1)
|
||||
{
|
||||
$query.= 'AND `main`.`customerid` = "' . $customer . '" ';
|
||||
$query.= 'AND `main`.`customerid` = "' . (int)$customer . '" ';
|
||||
}
|
||||
|
||||
if($categories != NULL)
|
||||
{
|
||||
if($categories[0] != '')
|
||||
$cats = array();
|
||||
foreach($categories as $index => $catid)
|
||||
{
|
||||
if ($catid != "")
|
||||
{
|
||||
$cats[] = $catid;
|
||||
}
|
||||
}
|
||||
|
||||
if (count($cats) > 0)
|
||||
{
|
||||
$query.= 'AND (';
|
||||
}
|
||||
|
||||
foreach($categories as $catid)
|
||||
foreach($cats as $catid)
|
||||
{
|
||||
if(isset($catid)
|
||||
&& $catid > 0)
|
||||
{
|
||||
$query.= '`main`.`category` = "' . $catid . '" OR ';
|
||||
$query.= '`main`.`category` = "' . (int)$catid . '" OR ';
|
||||
}
|
||||
}
|
||||
|
||||
if($categories[0] != '')
|
||||
if (count($cats) > 0)
|
||||
{
|
||||
$query = substr($query, 0, strlen($query) - 3);
|
||||
$query.= ') ';
|
||||
|
||||
@@ -5,7 +5,7 @@ $header
|
||||
<input type="hidden" name="send" value="send" />
|
||||
<table cellpadding="5" cellspacing="0" border="0" align="center" class="maintable">
|
||||
<tr>
|
||||
<td class="maintitle_search_left" colspan="5"><b><img src="images/title.gif" alt="" /> {$lng['ticket']['archivesearch']}</b></td>
|
||||
<td class="maintitle_search_left" colspan="5"><b><img src="images/Froxlor/icons/ticket_archive.png" alt="" /> {$lng['ticket']['archivesearch']}</b></td>
|
||||
<td class="maintitle_search_right"> </td>
|
||||
</tr>
|
||||
<if 0 < $tickets_count >
|
||||
@@ -28,4 +28,4 @@ $header
|
||||
</form>
|
||||
<br />
|
||||
<br />
|
||||
$footer
|
||||
$footer
|
||||
|
||||
Reference in New Issue
Block a user