From 344c95febae7882affeaaa808e50080b3ac73087 Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Mon, 20 Jan 2014 11:48:58 -0600
Subject: [PATCH] Ensure staff lookups are based on valid inputs

If something unexpected, such as an array, is received by the password reset system
or any other part of the Staff management system, the lookup should be rejected.

References:
http://osticket.com/forum/discussion/76003/sql-attack
---
 include/class.staff.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/include/class.staff.php b/include/class.staff.php
index 93708bc0c..1f1de5ce6 100644
--- a/include/class.staff.php
+++ b/include/class.staff.php
@@ -52,8 +52,10 @@ class Staff {
             $sql .= 'staff_id='.db_input($var);
         elseif (Validator::is_email($var))
             $sql .= 'email='.db_input($var);
-        else
+        elseif (is_string($var))
             $sql .= 'username='.db_input($var);
+        else
+            return null;
 
         if(!($res=db_query($sql)) || !db_num_rows($res))
             return NULL;
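Review bot: The new `is_string($var)` guard sits after the `Validator::is_email($var)` test, so an array or other non-scalar still reaches the email validator (and the staff_id condition above the hunk) before it is rejected; only the username branch is actually protected by this change. Unless `Validator::is_email` is known to reject non-strings safely, the type check belongs ahead of the whole chain, e.g. `if (!is_string($var) && !is_int($var)) return null;` before the staff_id test, with the username branch then reverting to a plain `else`. The added `return null;` also differs in spelling from the `return NULL;` two lines below; match the file's existing convention. The enclosing method starts and ends outside the hunk.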
-- 
GitLab