diff --git a/admin/admin_reply_ticket.php b/admin/admin_reply_ticket.php
index 81e485f1..96ab9f9f 100644
--- a/admin/admin_reply_ticket.php
+++ b/admin/admin_reply_ticket.php
@@ -234,7 +234,7 @@ if ($ticket['locked']) {
if ($ticket['status'] != $new_status) {
// Does this status close the ticket?
- $newStatusRs = hesk_dbQuery('SELECT `IsClosed`, `Key` FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'statuses` WHERE `ID` = ' . hesk_dbEscape($new_status));
+ $newStatusRs = hesk_dbQuery('SELECT `IsClosed`, `Key` FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'statuses` WHERE `ID` = ' . intval($new_status));
$newStatus = hesk_dbFetchAssoc($newStatusRs);
if ($newStatus['IsClosed'] && hesk_checkPermission('can_resolve', 0)) {
diff --git a/admin/admin_ticket.php b/admin/admin_ticket.php
index 58014f08..b7fcfcb2 100644
--- a/admin/admin_ticket.php
+++ b/admin/admin_ticket.php
@@ -470,12 +470,12 @@ if (($can_reply || $can_edit) && isset($_POST['childTrackingId'])) {
}
//-- Check if the ticket is already a child.
- $childRs = hesk_dbQuery('SELECT * FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'tickets` WHERE `parent` = ' . $ticket['id'] . ' AND `trackid` = \'' . $_POST['childTrackingId'] . '\'');
+ $childRs = hesk_dbQuery('SELECT * FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'tickets` WHERE `parent` = ' . intval($ticket['id']) . ' AND `trackid` = \'' . hesk_dbEscape(hesk_POST(['childTrackingId'])) . '\'');
if (hesk_dbNumRows($childRs) > 0) {
hesk_process_messages(sprintf($hesklang['is_already_linked'], $_POST['childTrackingId']), 'admin_ticket.php?track=' . $trackingID . '&Refresh=' . mt_rand(10000, 99999), 'NOTICE');
}
- hesk_dbQuery('UPDATE `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'tickets` SET `parent` = ' . $ticket['id'] . ' WHERE `trackid` = \'' . $_POST['childTrackingId'] . '\'');
+ hesk_dbQuery('UPDATE `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'tickets` SET `parent` = ' . intval($ticket['id']) . ' WHERE `trackid` = \'' . hesk_dbEscape(hesk_POST['childTrackingId']) . '\'');
hesk_process_messages(sprintf($hesklang['link_added'], $_POST['childTrackingId']), 'admin_ticket.php?track=' . $trackingID . '&Refresh=' . mt_rand(10000, 99999), 'SUCCESS');
}
@@ -746,7 +746,7 @@ require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
if ($ticket['parent'] != null) {
//-- Get the tracking ID of the parent
$parentRs = hesk_dbQuery('SELECT `trackid` FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'tickets`
- WHERE `ID` = ' . hesk_dbEscape($ticket['parent']));
+ WHERE `ID` = ' . intval($ticket['parent']));
$parent = hesk_dbFetchAssoc($parentRs);
echo '
';
@@ -755,7 +755,7 @@ require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
//-- Check if any tickets have a parent set to this tracking ID
$hasRows = false;
$childrenRS = hesk_dbQuery('SELECT * FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'tickets`
- WHERE `parent` = ' . hesk_dbEscape($ticket['id']));
+ WHERE `parent` = ' . intval($ticket['id']));
while ($row = hesk_dbFetchAssoc($childrenRS)) {
$hasRows = true;
echo '
@@ -916,7 +916,24 @@ require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
?>
';
echo isset($admins[$ticket['owner']]) ? $admins[$ticket['owner']] :
($can_assign_self ? $hesklang['unas'] . ' [' . $hesklang['asss'] . ']' : $hesklang['unas']);
echo ' ' . $hesklang['category'] . '
' . $hesklang['operating_system'] . ' + | ++ + |
' . $hesklang['browser'] . ' | ++ + |
' . $hesklang['screen_resolution'] . ' + | ++ + |