From d251509bebc4d94d64fea8e0e8f929c4a8c334c9 Mon Sep 17 00:00:00 2001
From: "Michael Kaufmann (d00p)"
Date: Thu, 7 Nov 2013 10:26:54 +0100
Subject: [PATCH] fix two queries and corrected escaping of ticket-category, thx to vali

Signed-off-by: Michael Kaufmann (d00p)
---
 admin_customers.php | 4 ++--
 admin_tickets.php | 3 +++
 admin_traffic.php | 6 +++++-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/admin_customers.php b/admin_customers.php
index 39468b91..a93a9db9 100644
--- a/admin_customers.php
+++ b/admin_customers.php
@@ -933,7 +933,7 @@ if ($page == 'customers'
 `caneditdomain` = '0',
 `openbasedir` = '1',
 `speciallogfile` = '0',
- `specialsettings` = ''
+ `specialsettings` = '',
 `add_date` = :adddate"
 );
 Database::pexecute($ins_stmt, $ins_data);
@@ -1285,7 +1285,7 @@ if ($page == 'customers'
 `caneditdomain` = '0',
 `openbasedir` = '1',
 `speciallogfile` = '0',
- `specialsettings` = ''
+ `specialsettings` = '',
 `add_date` = :adddate"
 );
 Database::pexecute($ins_stmt, $ins_data);
diff --git a/admin_tickets.php b/admin_tickets.php
index 92d34424..54c7810d 100644
--- a/admin_tickets.php
+++ b/admin_tickets.php
@@ -372,6 +372,8 @@ if ($page == 'tickets'
 $subject = $subticket->Get('subject');
 $message = $subticket->Get('message');
+
+ $row2 = htmlentities_array($row2);
 eval("\$ticket_replies.=\"" . getTemplate("tickets/tickets_tickets_list") . "\";");
 }
@@ -574,6 +576,7 @@ if ($page == 'tickets'
 SELECT * FROM `' . TABLE_PANEL_TICKET_CATS . '` WHERE `id` = :id'
 );
 $row = Database::pexecute_first($row_stmt, array('id' => $id));
+ $row = htmlentities_array($row);
 $category_edit_data = include_once dirname(__FILE__).'/lib/formfields/admin/tickets/formfield.category_edit.php';
 $category_edit_form = htmlform::genHTMLForm($category_edit_data);
diff --git a/admin_traffic.php b/admin_traffic.php
index 99947220..9937a025 100644
--- a/admin_traffic.php
+++ b/admin_traffic.php
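Review bot: The added `$row2 = htmlentities_array($row2);` escapes the reply row, but `$subject` and `$message`, read from `$subticket->Get(...)` two lines earlier, are not passed through the same escaping before the `eval` that renders `tickets/tickets_tickets_list`. If that template interpolates `$subject` or `$message` (not visible here) and `Get()` does not already escape, those two values still reach the HTML unescaped, so the fix covers only part of what the template prints. Applying the same treatment to them, e.g. `$subject = htmlentities($subticket->Get('subject'));` and the matching line for `$message`, or confirming that `Get()` escapes, would make the escaping consistent across the loop body. The enclosing loop and the `if ($page == 'tickets'` block start and end outside the hunk.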
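Review bot: The new `$row = htmlentities_array($row);` runs without checking that `pexecute_first` actually found a category; when no row matches `$id` the helper receives `false` rather than an array, and whatever it returns for that is then handed to the category edit form. What `htmlentities_array` does with a non-array is not visible in this patch, so the safe form is to escape only a real result, `if (is_array($row)) { $row = htmlentities_array($row); }`, and to handle the not-found case the way the rest of this file handles a missing record before building the form. The enclosing `if ($page == 'tickets'` block continues outside the hunk.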
@@ -62,7 +62,11 @@ if ($page == 'overview' || $page == 'customers') {
 WHERE `customerid` = :id" . ($userinfo['customers_see_all'] ? '' : " AND `adminid` = :adminid")
 );
- Database::pexecute($result_stmt, array('id' => $id, 'adminid' => $userinfo['adminid']));
+ $params = array('id' => $id);
+ if ($userinfo['customers_see_all'] == '0') {
+ $params['adminid'] = $userinfo['adminid'];
+ }
+ Database::pexecute($result_stmt, params);
 $result = $result_stmt->fetch(PDO::FETCH_ASSOC);
 if ($result['loginname'] != '') {
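Review bot: `Database::pexecute($result_stmt, params);` on the last added line is missing the `$` sigil, so `params` is an undefined constant (evaluated as the string `'params'` with a notice on PHP 5) rather than the `$params` array built just above, and the statement is executed without its bound values; it should read `Database::pexecute($result_stmt, $params);`. The guard `if ($userinfo['customers_see_all'] == '0')` also does not mirror the truthiness test used two lines up when the SQL is assembled (`$userinfo['customers_see_all'] ? '' : " AND ..."`): for a value such as `null` or `''` the statement contains `:adminid` but `$params` omits it, and PDO rejects the placeholder/parameter mismatch. Writing the guard as `if (!$userinfo['customers_see_all']) {` keeps the two decisions in step. The enclosing `if ($page == 'overview' || $page == 'customers')` block continues outside the hunk.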