Fixing SQL-injection found by tomreyn and general ticket-search, fixes #674

Signed-off-by: Florian Aders (EleRas) <eleras@froxlor.org>
Florian Aders (EleRas)
2011-03-19 12:22:34 +01:00
parent 6258b53a04
commit 0f4695a43f
3 changed files with 24 additions and 17 deletions


@@ -597,8 +597,7 @@ elseif($page == 'archive'
{
$categories[$x] = isset($_POST['category' . $x]) ? $_POST['category' . $x] : '';
}
$query = ticket::getArchiveSearchStatement($subject, $priority, $fromdate, $todate, $message, $customer, $userinfo['adminid'], $categories);
$query = ticket::getArchiveSearchStatement($db, $subject, $priority, $fromdate, $todate, $message, $customer, $userinfo['adminid'], $categories);
$fields = array(
'lastchange' => $lng['ticket']['lastchange'],
'ticket_answers' => $lng['ticket']['ticket_answers'],