Ensure staff lookups are based on valid inputs

If something fishy, like an Array is received into the password reset system or any part of the Staff management system, it should be rejected. References: http://osticket.com/forum/discussion/76003/sql-attack

Ensure staff lookups are based on valid inputs
If something fishy, like an Array is received into the password reset system or any part of the Staff management system, it should be rejected. References: http://osticket.com/forum/discussion/76003/sql-attack
344c95fe · Jared Hancock · fd5e1d8d · 344c95fe
Commit 344c95fe authored 11 years ago by Jared Hancock
--- a/include/class.staff.php
+++ b/include/class.staff.php
@@ -52,8 +52,10 @@ class Staff {
            $sql .= 'staff_id='.db_input($var);
        elseif (Validator::is_email($var))
            $sql .= 'email='.db_input($var);
-        else
+        elseif (is_string($var))
            $sql .= 'username='.db_input($var);
+        else
+            return null;

        if(!($res=db_query($sql)) || !db_num_rows($res))
            return NULL;