From 259317de5b7a41dc45e79ec857183a4b31e0344d Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Thu, 3 Jan 2013 14:52:42 -0500
Subject: [PATCH] Sanitize user input.

---
 include/ajax.tickets.php | 12 ++++++------
 include/class.faq.php | 2 +-
 include/class.staff.php | 4 +++-
 include/class.team.php | 2 +-
 include/class.ticket.php | 4 ++--
 include/staff/directory.inc.php | 2 +-
 include/staff/tickets.inc.php | 8 ++++----
 scp/staff.php | 2 +-
 8 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/include/ajax.tickets.php b/include/ajax.tickets.php
index be878efbe..de6610dd6 100644
--- a/include/ajax.tickets.php
+++ b/include/ajax.tickets.php
@@ -37,10 +37,10 @@ class TicketsAjaxAPI extends AjaxController {
 $sql.=' AND ( staff_id='.db_input($thisstaff->getId());
 if(($teams=$thisstaff->getTeams()) && count(array_filter($teams)))
- $sql.=' OR team_id IN('.implode(',', array_filter($teams)).')';
+ $sql.=' OR team_id IN('.implode(',', db_input(array_filter($teams))).')';
 if(!$thisstaff->showAssignedOnly() && ($depts=$thisstaff->getDepts()))
- $sql.=' OR dept_id IN ('.implode(',', $depts).')';
+ $sql.=' OR dept_id IN ('.implode(',', db_input($depts)).')';
 $sql.=' ) ' .' ORDER BY created LIMIT '.$limit;
@@ -67,10 +67,10 @@ class TicketsAjaxAPI extends AjaxController {
 $sql.=' AND ( staff_id='.db_input($thisstaff->getId());
 if(($teams=$thisstaff->getTeams()) && count(array_filter($teams)))
- $sql.=' OR team_id IN('.implode(',', array_filter($teams)).')';
+ $sql.=' OR team_id IN('.implode(',', db_input(array_filter($teams))).')';
 if(!$thisstaff->showAssignedOnly() && ($depts=$thisstaff->getDepts()))
- $sql.=' OR dept_id IN ('.implode(',', $depts).')';
+ $sql.=' OR dept_id IN ('.implode(',', db_input($depts)).')';
 $sql.=' ) ' .' GROUP BY email '
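Review bot: The rewritten `implode(',', db_input(array_filter($teams)))` and `implode(',', db_input($depts))` lines only yield a usable `IN(...)` list if `db_input()` maps over an array and returns an array; that helper is not part of this patch, so it should be confirmed, because a scalar return would leave `implode()` with nothing to join and the query would end up with an empty `IN()`, which MySQL rejects. The same construct is used in the second and third hunks of this file and in class.faq.php, class.staff.php, class.team.php, class.ticket.php, tickets.inc.php and scp/staff.php, so one check of `db_input()` settles all of them. Since `$teams` and `$depts` are read from `$thisstaff` rather than the request, the quoting here is defence in depth; a comment such as `// internal ids, quoted anyway so the IN() list never depends on caller hygiene` would record that intent for the next reader. Both methods containing these hunks start and end outside the hunk.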
@@ -96,10 +96,10 @@ class TicketsAjaxAPI extends AjaxController {
 $where.=' AND ( ticket.staff_id='.db_input($thisstaff->getId());
 if(($teams=$thisstaff->getTeams()) && count(array_filter($teams)))
- $where.=' OR ticket.team_id IN('.implode(',', array_filter($teams)).')';
+ $where.=' OR ticket.team_id IN('.implode(',', db_input(array_filter($teams))).')';
 if(!$thisstaff->showAssignedOnly() && ($depts=$thisstaff->getDepts()))
- $where.=' OR ticket.dept_id IN ('.implode(',', $depts).')';
+ $where.=' OR ticket.dept_id IN ('.implode(',', db_input($depts)).')';
 $where.=' ) ';
diff --git a/include/class.faq.php b/include/class.faq.php
index 2197bbac1..61901f3e9 100644
--- a/include/class.faq.php
+++ b/include/class.faq.php
@@ -146,7 +146,7 @@ class FAQ {
 $sql='DELETE FROM '.FAQ_TOPIC_TABLE.' WHERE faq_id='.db_input($this->getId());
 if($ids)
- $sql.=' AND topic_id NOT IN('.implode(',',$ids).')';
+ $sql.=' AND topic_id NOT IN('.implode(',', db_input($ids)).')';
 db_query($sql);
diff --git a/include/class.staff.php b/include/class.staff.php
index 102e79ecd..edac10a08 100644
--- a/include/class.staff.php
+++ b/include/class.staff.php
@@ -484,9 +484,10 @@ class Staff {
 db_query($sql);
 }
 }
+
 $sql='DELETE FROM '.TEAM_MEMBER_TABLE.' WHERE staff_id='.db_input($this->getId());
 if($teams)
- $sql.=' AND team_id NOT IN('.implode(',', $teams).')';
+ $sql.=' AND team_id NOT IN('.implode(',', db_input($teams)).')';
 db_query($sql);
@@ -494,6 +495,7 @@ class Staff {
 }
 function update($vars, &$errors) {
+
 if(!$this->save($this->getId(), $vars, $errors)) return false;
diff --git a/include/class.team.php b/include/class.team.php
index 367815b96..72c3c4483 100644
--- a/include/class.team.php
+++ b/include/class.team.php
@@ -138,7 +138,7 @@ class Team {
 $sql='DELETE FROM '.TEAM_MEMBER_TABLE
 .' WHERE team_id='.db_input($this->getId())
 .' AND staff_id IN ('
- .implode(',', array_map('db_input', $_POST['remove']))
+ .implode(',', db_input($vars['remove']))
 .')';
 db_query($sql);
 }
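Review bot: In the class.team.php hunk, `$vars['remove']` is imploded into the `IN (...)` list with no visible check that it is a non-empty array, and the new line also switches the source of the ids from `$_POST` to `$vars`, so the caller must now pass the removal list in `$vars` for the delete to keep working; the method header that would show this is outside the hunk. Unless a guard above the hunk already does so, `implode()` on a string or null leaves the statement as `staff_id IN ()`, which MySQL rejects, so a check such as `if(!empty($vars['remove']) && is_array($vars['remove']))` ahead of the `$sql='DELETE FROM '.TEAM_MEMBER_TABLE` line would keep an empty or malformed selection from reaching the database. The method is cut at the hunk's start.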
diff --git a/include/class.ticket.php b/include/class.ticket.php
index 5a3fd83f3..a4fd602e1 100644
--- a/include/class.ticket.php
+++ b/include/class.ticket.php
@@ -1970,10 +1970,10 @@ class Ticket {
 .' WHERE (ticket.staff_id='.db_input($staff->getId());
 if(($teams=$staff->getTeams()))
- $sql.=' OR ticket.team_id IN('.implode(',', array_filter($teams)).')';
+ $sql.=' OR ticket.team_id IN('.implode(',', db_input(array_filter($teams))).')';
 if(!$staff->showAssignedOnly() && ($depts=$staff->getDepts())) //Staff with limited access just see Assigned tickets.
- $sql.=' OR ticket.dept_id IN('.implode(',', $depts).') ';
+ $sql.=' OR ticket.dept_id IN('.implode(',', db_input($depts)).') ';
 $sql.=')';
diff --git a/include/staff/directory.inc.php b/include/staff/directory.inc.php
index c9d11a3d4..22c19bdd9 100644
--- a/include/staff/directory.inc.php
+++ b/include/staff/directory.inc.php
@@ -63,7 +63,7 @@ $query="$select $from $where GROUP BY staff.staff_id ORDER BY $order_by LIMIT ".
 <h2>Staff Members</h2>
 <div style="width:700; float:left;">
 <form action="directory.php" method="GET" name="filter">
- <input type="text" name="q" value="<?php echo $_REQUEST['q']; ?>" >
+ <input type="text" name="q" value="<?php echo Format::htmlchars($_REQUEST['q']); ?>" >
 <select name="did" id="did">
 <option value="0">— All Department —</option>
 <?php
diff --git a/include/staff/tickets.inc.php b/include/staff/tickets.inc.php
index d6fab690c..a8db757b1 100644
--- a/include/staff/tickets.inc.php
+++ b/include/staff/tickets.inc.php
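Review bot: In the directory.inc.php hunk, `Format::htmlchars($_REQUEST['q'])` is emitted inside a double-quoted attribute value, so the escaping is only sufficient if that helper also encodes the double quote (the `ENT_QUOTES` behaviour of `htmlspecialchars`); the helper is not in this patch, so confirm it rather than assume, and the same applies to the `status` hidden field changed in tickets.inc.php. The expression also reads `$_REQUEST['q']` unconditionally, which raises an undefined-index notice whenever the directory page is opened without a search term; `isset($_REQUEST['q'])?$_REQUEST['q']:''` as the argument would avoid that. The `<form>` this input belongs to begins before the hunk.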
@@ -65,15 +65,15 @@ $qwhere =' WHERE ( '
 .' ticket.staff_id='.db_input($thisstaff->getId());
 if(!$thisstaff->showAssignedOnly())
- $qwhere.=' OR ticket.dept_id IN ('.($depts?implode(',',$depts):0).')';
+ $qwhere.=' OR ticket.dept_id IN ('.($depts?implode(',', db_input($depts)):0).')';
 if(($teams=$thisstaff->getTeams()) && count(array_filter($teams)))
- $qwhere.=' OR ticket.team_id IN('.implode(',',array_filter($teams)).') ';
+ $qwhere.=' OR ticket.team_id IN('.implode(',', db_input(array_filter($teams))).') ';
 $qwhere .= ' )'; //STATUS
-if($status){
+if($status) {
 $qwhere.=' AND status='.db_input(strtolower($status));
 }
@@ -307,7 +307,7 @@ $negorder=$order=='DESC'?'ASC':'DESC'; //Negate the sorting..
 <a class="refresh" href="<?php echo $_SERVER['REQUEST_URI']; ?>">Refresh</a>
 <input type="hidden" name="a" value="mass_process" >
 <input type="hidden" name="do" id="action" value="" >
- <input type="hidden" name="status" value="<?php echo $_REQUEST['status']; ?>" >
+ <input type="hidden" name="status" value="<?php echo Format::htmlchars($_REQUEST['status']); ?>" >
 <table class="list" border="0" cellspacing="1" cellpadding="2" width="940">
 <caption><?php echo $showing; ?> <?php echo $results_type; ?></caption>
 <thead>
diff --git a/scp/staff.php b/scp/staff.php
index 65f80dcc8..904708dea 100644
--- a/scp/staff.php
+++ b/scp/staff.php
@@ -60,7 +60,7 @@ if($_POST){
 break;
 case 'disable':
 $sql='UPDATE '.STAFF_TABLE.' SET isactive=0 '
- .' WHERE staff_id IN ('.implode(',',$_POST['ids']).') AND staff_id!='.db_input($thisstaff->getId());
+ .' WHERE staff_id IN ('.implode(',', db_input($_POST['ids'])).') AND staff_id!='.db_input($thisstaff->getId());
 if(db_query($sql) && ($num=db_affected_rows())) {
 if($num==$count)
-- 
GitLab
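Review bot: In the second tickets.inc.php hunk, the context line directly above the changed `status` input still emits `href="<?php echo $_SERVER['REQUEST_URI']; ?>"` without escaping; `REQUEST_URI` is the request line as the client sent it, so it is request-controlled in exactly the way `$_REQUEST['status']` is, and belongs in the same fix. The one-line change is `<a class="refresh" href="<?php echo Format::htmlchars($_SERVER['REQUEST_URI']); ?>">Refresh</a>`, assuming `Format::htmlchars` encodes quotes, which an attribute value needs. The `<form>` these inputs belong to starts before the hunk.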
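Review bot: In the scp/staff.php hunk, `db_input($_POST['ids'])` still hands the request value to `implode()` without any visible check that `ids` is a non-empty array; if a client submits it as a scalar or omits it, there is nothing to join and the statement becomes `staff_id IN ()`, which MySQL rejects, and the `if($num==$count)` comparison on the last context line is then meaningless. Unless the `if($_POST){` branch above the hunk already validates it (where `$count` presumably comes from), a guard such as `if(!isset($_POST['ids']) || !is_array($_POST['ids']))` before the `switch` cases would close that, and the neighbouring cases reachable from the visible `break;` would need the same `db_input()` treatment if they build an `IN()` list from `$_POST['ids']` too. The switch statement is cut at the hunk's start.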