Fixing SQL-incjection found by tomreyn and general ticket-search, fixes #674

Signed-off-by: Florian Aders (EleRas) <eleras@froxlor.org>
2011-03-19 12:22:34 +01:00
parent 6258b53a04
commit 0f4695a43f
3 changed files with 24 additions and 17 deletions
--- a/admin_tickets.php
+++ b/admin_tickets.php
@@ -597,8 +597,7 @@ elseif($page == 'archive'
 			{
 				$categories[$x] = isset($_POST['category' . $x]) ? $_POST['category' . $x] : '';
 			}
-
+			$query = ticket::getArchiveSearchStatement($db, $subject, $priority, $fromdate, $todate, $message, $customer, $userinfo['adminid'], $categories);
 			$query = ticket::getArchiveSearchStatement($subject, $priority, $fromdate, $todate, $message, $customer, $userinfo['adminid'], $categories);
 			$fields = array(
 				'lastchange' => $lng['ticket']['lastchange'],
 				'ticket_answers' => $lng['ticket']['ticket_answers'],
--- a/lib/classes/ticket/class.ticket.php
+++ b/lib/classes/ticket/class.ticket.php
@@ -508,18 +508,18 @@ class ticket
 	 * Returns a sql-statement to search the archive
 	 */
-	static public function getArchiveSearchStatement($subject = NULL, $priority = NULL, $fromdate = NULL, $todate = NULL, $message = NULL, $customer = - 1, $admin = 1, $categories = NULL)
+	static public function getArchiveSearchStatement($db, $subject = NULL, $priority = NULL, $fromdate = NULL, $todate = NULL, $message = NULL, $customer = - 1, $admin = 1, $categories = NULL)
 	{
 		$query = 'SELECT `main`.*,
                (SELECT COUNT(`sub`.`id`) FROM `' . TABLE_PANEL_TICKETS . '` `sub` 
                 WHERE `sub`.`answerto` = `main`.`id`) as `ticket_answers` 
              FROM `' . TABLE_PANEL_TICKETS . '` `main` 
-              WHERE `main`.`archived` = "1" AND `main`.`answerto` = "0" AND `main`.`adminid` = "' . (int)$admin . '"';
+              WHERE `main`.`archived` = "1" AND `main`.`adminid` = "' . (int)$admin . '" ';
 		if($subject != NULL
 		&& $subject != '')
 		{
-			$query.= 'AND `main`.`subject` LIKE "%' . $subject . '%" ';
+			$query.= 'AND `main`.`subject` LIKE "' . $db->escape("%$subject%") . '" ';
 		}
 		if($priority != NULL
@@ -560,8 +560,7 @@ class ticket
 			if(isset($priority[2])
 			&& $priority[2] != '')
 			{
-				$query.= 'AND (`main`.`priority` = "2"
+				$query.= 'AND (`main`.`priority` = "2" OR `main`.`priority` = "3") ';
                     OR `main`.`priority` = "3") ';
 			}
 			else
 			{
@@ -580,43 +579,52 @@ class ticket
 		if($fromdate != NULL
 		&& $fromdate > 0)
 		{
-			$query.= 'AND `main`.`lastchange` > "' . $fromdate . '" ';
+			$query.= 'AND `main`.`lastchange` > "' . $db->escape(strtotime($fromdate)) . '" ';
 		}
 		if($todate != NULL
 		&& $todate > 0)
 		{
-			$query.= 'AND `main`.`lastchange` < "' . $todate . '" ';
+			$query.= 'AND `main`.`lastchange` < "' . $db->escape(strtotime($todate)) . '" ';
 		}
 		if($message != NULL
 		&& $message != '')
 		{
-			$query.= 'AND `main`.`message` LIKE "%' . $message . '%" ';
+			$query.= 'AND `main`.`message` LIKE "' . $db->escape("%$message%") . '" ';
 		}
 		if($customer != - 1)
 		{
-			$query.= 'AND `main`.`customerid` = "' . $customer . '" ';
+			$query.= 'AND `main`.`customerid` = "' . (int)$customer . '" ';
 		}
 		if($categories != NULL)
 		{
-			if($categories[0] != '')
+			$cats = array();
 			foreach($categories as $index => $catid)
 			{
 				if ($catid != "")
 				{
 					$cats[] = $catid;
 				}
 			}
 			if (count($cats) > 0)
 			{
 				$query.= 'AND (';
 			}
-			foreach($categories as $catid)
+			foreach($cats as $catid)
 			{
 				if(isset($catid)
 				&& $catid > 0)
 				{
-					$query.= '`main`.`category` = "' . $catid . '" OR ';
+					$query.= '`main`.`category` = "' . (int)$catid . '" OR ';
 				}
 			}
-			if($categories[0] != '')
+			if (count($cats) > 0)
 			{
 				$query = substr($query, 0, strlen($query) - 3);
 				$query.= ') ';
--- a/templates/Froxlor/admin/ticket/archivesearch.tpl
+++ b/templates/Froxlor/admin/ticket/archivesearch.tpl
@@ -5,7 +5,7 @@ $header
 		<input type="hidden" name="send" value="send" />
 		<table cellpadding="5" cellspacing="0" border="0" align="center" class="maintable">
 			<tr>
-				<td class="maintitle_search_left" colspan="5"><b><img src="images/title.gif" alt="" />&nbsp;{$lng['ticket']['archivesearch']}</b></td>
+				<td class="maintitle_search_left" colspan="5"><b><img src="images/Froxlor/icons/ticket_archive.png" alt="" />&nbsp;{$lng['ticket']['archivesearch']}</b></td>
 				<td class="maintitle_search_right">&nbsp;</td>
 			</tr>
      		<if 0 < $tickets_count >