diff --git a/include/ajax.tickets.php b/include/ajax.tickets.php
index f52a4341205f6c0e66e12ffff07ebff15d14767f..1b901041a9b983b2af497f70d82b2c70cb10a562 100644
--- a/include/ajax.tickets.php
+++ b/include/ajax.tickets.php
@@ -211,10 +211,11 @@ class TicketsAjaxAPI extends AjaxController {
 foreach (TicketForm::getInstance()->getFields() as $f) {
 if (isset($req[$f->getFormName()]) && ($val = $req[$f->getFormName()])) {
- $name = $f->get('name') ? $f->get('name') : 'field_'.$f->get('id');
- $cwhere = "cdata.`$name` LIKE '%".db_real_escape($val)."%'";
+ $name = $f->get('name') ? db_real_escape($f->get('name'))
+ : 'field_'.$f->get('id');
+ $cwhere = "cdata.\"$name\" LIKE '%".db_real_escape($val)."%'";
 if ($f->getImpl()->hasIdValue() && is_numeric($val))
- $cwhere .= " OR cdata.`{$name}_id` = ".db_input($val);
+ $cwhere .= " OR cdata.\"{$name}_id\" = ".db_input($val);
 $where .= ' AND ('.$cwhere.')';
 $cdata_search = true;
 }
diff --git a/include/class.dynamic_forms.php b/include/class.dynamic_forms.php
index f164138994cc1846eec67baccc16b99f1fe49c97..ca09066889eb2d6d6fae72b8ca916bdad2a929ea 100644
--- a/include/class.dynamic_forms.php
+++ b/include/class.dynamic_forms.php
@@ -244,9 +244,9 @@ class TicketForm extends DynamicForm {
 $fields = static::getDynamicDataViewFields();
 $sql = 'CREATE TABLE `'.TABLE_PREFIX.'ticket__cdata` (PRIMARY KEY (ticket_id)) AS SELECT entry.`object_id` AS ticket_id, '.implode(',', $fields)
- .' FROM ost_form_entry entry
- JOIN ost_form_entry_values ans ON ans.entry_id = entry.id
- JOIN ost_form_field field ON field.id=ans.field_id
+ .' FROM '.FORM_ENTRY_TABLE.' entry
+ JOIN '.FORM_ANSWER_TABLE.' ans ON ans.entry_id = entry.id
+ JOIN '.FORM_FIELD_TABLE.' field ON field.id=ans.field_id
 WHERE entry.object_type=\'T\' GROUP BY entry.object_id';
 db_query($sql);
 }
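Review bot: `db_real_escape()` on the new `$name` line escapes for a string-literal context, but `$name` is then spliced into `cdata.\"$name\"` as a column identifier, and MySQL only treats `"…"` as identifier quotes when the session has `ANSI_QUOTES` set; on a default session it is a string literal and the LIKE clause no longer references the column at all. Whether the connection sets that mode is not visible here, so this needs confirming, and the `'field_'.$f->get('id')` fallback stays unescaped on the assumption that `id` is numeric. A safer shape is to keep the backtick quoting the rest of this file uses and skip any name that does not fit the identifier rule scp/forms.php now enforces on save: `if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) continue;`. The enclosing method starts and ends outside the hunk.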
@@ -261,17 +261,17 @@ class TicketForm extends DynamicForm {
 if (!($e = $answer->getEntry()) || $e->get('object_type') != 'T')
 return;
- // If the `name` column is in the dirty list, we would be renaming a
- // column. Delete the view instead.
- if (isset($data['dirty']) && isset($data['dirty']['name']))
- return self::dropDynamicDataView();
- // $record = array();
 // $record[$f] = $answer->value'
 // TicketFormData::objects()->filter(array('ticket_id'=>$a))
 // ->merge($record);
+ $sql = 'SHOW TABLES LIKE \''.TABLE_PREFIX.'ticket__cdata\'';
+ if (!db_num_rows(db_query($sql)))
+ return;
+ $f = $answer->getField();
- $name = $f->get('name') ? $f->get('name') : 'field_'.$f->get('id');
+ $name = $f->get('name') ? $f->get('name')
+ : 'field_'.$f->get('id');
 $ids = $f->hasIdValue();
 $fields = sprintf('`%s`=', $name) . db_input($answer->get('value'));
 if ($f->hasIdValue())
@@ -279,7 +279,8 @@ class TicketForm extends DynamicForm {
 $sql = 'INSERT INTO `'.TABLE_PREFIX.'ticket__cdata` SET '.$fields
 .', `ticket_id`='.db_input($answer->getEntry()->get('object_id'))
 .' ON DUPLICATE KEY UPDATE '.$fields;
- db_query($sql);
+ if (!db_query($sql) || !db_affected_rows())
+ return self::dropDynamicDataView();
 }
 }
 // Add fields from the standard ticket form to the ticket filterable fields
@@ -309,6 +310,13 @@ Signal::connect('model.deleted',
 array('TicketForm', 'dropDynamicDataView'),
 'DynamicFormField',
 function($o) { return $o->getForm()->get('type') == 'T'; });
+// If the `name` column is in the dirty list, we would be renaming a
+// column. Delete the view instead.
+Signal::connect('model.updated',
+ array('TicketForm', 'dropDynamicDataView'),
+ 'DynamicFormField',
+ // TODO: Lookup the dynamic form to verify {type == 'T'}
+ function($o, $d) { return isset($d['dirty']) && isset($d['dirty']['name']); });
 require_once(INCLUDE_DIR . "class.json.php");
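Review bot: The rewritten `$name` line feeds `$f->get('name')` unescaped into the backtick-quoted identifier built by `sprintf('`%s`=', $name)` two lines below, while the same value is escaped in the ajax.tickets.php hunk; a name containing a backtick that was stored before the new scp/forms.php validation existed will break or alter this statement. Checking the name against the identifier rule and bailing out keeps the two sites consistent: `if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) return;`. On the new `SHOW TABLES` check, `db_num_rows(db_query($sql))` passes whatever `db_query()` returns on failure straight into `db_num_rows()`, and since `_` is a single-character LIKE wildcard the pattern also matches similarly named tables; `ticket\_\_cdata` would make it exact. The enclosing method starts outside the hunk.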
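Review bot: The new `|| !db_affected_rows()` condition drops the whole cdata table whenever the `INSERT ... ON DUPLICATE KEY UPDATE` finds the row already holding the same values, because MySQL reports 0 affected rows for an update that changes nothing; re-saving an unchanged answer thus forces a full rebuild on the next search. Only a failed query warrants the drop: `if (!db_query($sql)) return self::dropDynamicDataView();`. This assumes `db_query()` returns a falsy value on failure rather than logging and returning something truthy, which is not visible here and worth confirming.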
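Review bot: The new `model.updated` connection drops the ticket cdata view for a name change on any DynamicFormField regardless of its form type, which the TODO line acknowledges; the `model.deleted` connection directly above already guards with `$o->getForm()->get('type') == 'T'`, so unless `getForm()` is not usable from the update signal (cannot tell from here) the same guard resolves the TODO: `function($o, $d) { return isset($d['dirty']['name']) && $o->getForm()->get('type') == 'T'; }`. The nested `isset($d['dirty']) && isset($d['dirty']['name'])` is equivalent to the single `isset($d['dirty']['name'])`.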
diff --git a/include/class.forms.php b/include/class.forms.php
index 9d0bdc87e460396ee901a708b6e1ff31948fb767..daf67fa72cc50747aab1478f50df6adff075c688 100644
--- a/include/class.forms.php
+++ b/include/class.forms.php
@@ -290,7 +290,7 @@ class FormField {
 * $value - PHP value of the field's content
 */
 function toString($value) {
- return $value;
+ return (string) $value;
 }
 /**
diff --git a/include/class.ticket.php b/include/class.ticket.php
index 97d83f293029e7c916afafabe510b414431fe5c7..9d0b621af858d68c0390a67ce4fbcdcaa0640173 100644
--- a/include/class.ticket.php
+++ b/include/class.ticket.php
@@ -1925,7 +1925,7 @@ class Ticket {
 if(!$staff || (!is_object($staff) && !($staff=Staff::lookup($staff))) || !$staff->isStaff())
 return null;
- $where = array();
+ $where = array('ticket.staff_id='.db_input($staff->getId()));
 $where2 = '';
 if(($teams=$staff->getTeams()))
@@ -1935,7 +1935,7 @@ class Ticket {
 $where[] = 'ticket.dept_id IN('.implode(',', db_input($depts)).') ';
 if(!$cfg || !($cfg->showAssignedTickets() || $staff->showAssignedTickets()))
- $where2 =' AND (ticket.staff_id=0 OR ticket.staff_id='.db_input($staff->getId()).') ';
+ $where2 =' AND ticket.staff_id=0 ';
 $where = implode(' OR ', $where);
 if ($where)
 $where = 'AND ( '.$where.' ) ';
diff --git a/include/staff/dynamic-form.inc.php b/include/staff/dynamic-form.inc.php
index a5019a722707d7941a731033eccd48be1abde9fd..a565e1be5bf5e0b8e51523afaaf8be4d181460b7 100644
--- a/include/staff/dynamic-form.inc.php
+++ b/include/staff/dynamic-form.inc.php
@@ -123,7 +123,7 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
 <tr>
 <td><i class="icon-sort"></i></td>
 <td><input type="text" size="32" name="label-<?php echo $id; ?>"
- value="<?php echo $f->get('label'); ?>"/>
+ value="<?php echo Format::htmlchars($f->get('label')); ?>"/>
 <font class="error"><?php if ($ferrors['label']) echo '<br/>'; echo $ferrors['label']; ?>
 </td>
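Review bot: `return (string) $value;` turns an array into the literal string `Array` with a notice and is a fatal error for an object without `__toString`, so the base `toString()` now has a narrower input contract than the untyped `$value` suggests; field types that hold compound values presumably override it, but they are not visible here. The docblock above, which starts outside the hunk, should record that expectation, e.g. `* Base implementation expects a scalar (or null); compound field types override this.`.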
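Review bot: Seeding `$where` with `ticket.staff_id=<self>` on the new `$where = array(...)` line cannot combine with the new `$where2 = ' AND ticket.staff_id=0 '` in the @@ -1935 hunk: when showAssignedTickets is off the filter becomes `(staff_id=self OR team... OR dept...) AND staff_id=0`, so the viewer's own assignments, which the removed `(ticket.staff_id=0 OR ticket.staff_id=self)` clause kept visible, are now excluded and the seeded term is dead in that branch. If hiding the viewer's own assignments is not the intent, `$where2` needs to keep the `OR ticket.staff_id=` alternative; if it is the intent, a comment on the seed line saying it only applies when `$where2` is empty would stop the next reader from seeing a contradiction. This assumes `$where` and `$where2` are concatenated as before; that join and the rest of the method lie outside both hunks.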
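Review bot: `Format::htmlchars()` on the new `value=` line only closes the attribute-breakout in a double-quoted attribute if it encodes `"` (ENT_QUOTES or ENT_COMPAT); its flags are defined elsewhere, so this is worth confirming, and the @@ -161 hunk in the same file relies on the same property. The `$ferrors['label']` echo on the next context line stays unescaped, which is fine only as long as no validation message ever embeds the submitted value — the messages added in scp/forms.php do not, but that assumption should hold for every `addError()` call feeding this template.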
@@ -161,7 +161,8 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
 </td>
 <td>
 <input type="text" size="20" name="name-<?php echo $id; ?>"
- value="<?php echo $f->get('name'); ?>" <?php echo $force_name ?>/>
+ value="<?php echo Format::htmlchars($f->get('name'));
+ ?>" <?php echo $force_name ?>/>
 <font class="error"><?php if ($ferrors['name']) echo '<br/>'; echo $ferrors['name']; ?></font>
diff --git a/scp/forms.php b/scp/forms.php
index 6f14be6c1a2bec06aea87c6f1c4c97d9db177efd..077b3e0ff409c5b84b0fa6babd4751ad775efad1 100644
--- a/scp/forms.php
+++ b/scp/forms.php
@@ -43,6 +43,8 @@ if($_POST) {
 }
 if (in_array($field->get('name'), $names))
 $field->addError('Field variable name is not unique', 'name');
+ if (preg_match('/[.{}\'"`; ]/u', $field->get('name')))
+ $field->addError('Invalid character in variable name. Please use letters and numbers only.', 'name');
 if ($field->get('name'))
 $names[] = $field->get('name');
 if ($field->isValid())
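Review bot: The new `preg_match` check is a blacklist of seven characters while the message it emits promises "letters and numbers only", so a name containing, say, a hyphen, a backslash or a newline still passes and then reaches the SQL identifiers built in ajax.tickets.php and class.dynamic_forms.php. A whitelist matches the message and also fails closed when `preg_match()` returns `false` on malformed UTF-8 (the `u` modifier makes it do so, and with the blacklist that `false` currently means "valid"): `if ($field->get('name') && !preg_match('/^[A-Za-z0-9_]+$/', $field->get('name')))`. The leading `$field->get('name') &&` keeps empty names allowed, which the following `if ($field->get('name'))` context line shows is intended.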