From afe87b044dc20ceb104b31213543c14b562facd7 Mon Sep 17 00:00:00 2001
From: Dominik <info@profi-webdesign.com>
Date: Sat, 25 Apr 2015 08:26:02 -0400
Subject: [PATCH] Merge branch 'reject_sender_login_mismatch' into mdbox-format

---
 interface/web/help/support_message_edit.php |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/interface/web/help/support_message_edit.php b/interface/web/help/support_message_edit.php
index 2d47bbf..4fcf5da 100644
--- a/interface/web/help/support_message_edit.php
+++ b/interface/web/help/support_message_edit.php
@@ -33,8 +33,8 @@
 
 		//* Get recipient email address
 		if($this->dataRecord['recipient_id'] > 1){
-			$sql = "SELECT client.email FROM sys_user, client WHERE sys_user.userid = ".$app->functions->intval($this->dataRecord['recipient_id'])." AND sys_user.client_id = client.client_id";
-			$client = $app->db->queryOneRecord($sql);
+			$sql = "SELECT client.email FROM sys_user, client WHERE sys_user.userid = ? AND sys_user.client_id = client.client_id";
+			$client = $app->db->queryOneRecord($sql, $this->dataRecord['recipient_id']);
 			$recipient_email = $client['email'];
 		} else {
 			$app->uses('ini_parser,getconf');
@@ -44,8 +44,8 @@
 
 		//* Get sender email address
 		if($this->dataRecord['sender_id'] > 1){
-			$sql = "SELECT client.email FROM sys_user, client WHERE sys_user.userid = ".$app->functions->intval($this->dataRecord['sender_id'])." AND sys_user.client_id = client.client_id";
-			$client = $app->db->queryOneRecord($sql);
+			$sql = "SELECT client.email FROM sys_user, client WHERE sys_user.userid = ? AND sys_user.client_id = client.client_id";
+			$client = $app->db->queryOneRecord($sql, $this->dataRecord['sender_id']);
 			$sender_email = $client['email'];
 		} else {
 			$app->uses('ini_parser,getconf');
@@ -91,7 +91,7 @@
 		//*  read only template  if a existing message is loaded
 		if($this->id > 0) {
 			$app->tform->formDef['tabs']['message']['template'] = 'templates/support_message_view.htm';
-			$record = $app->db->queryOneRecord("SELECT * FROM support_message WHERE support_message_id = ".$this->id);
+			$record = $app->db->queryOneRecord("SELECT * FROM support_message WHERE support_message_id = ?", $this->id);
 			if ($record['tstamp'] > 0) {
 				// is value int?
 				if (preg_match("/^[0-9]+[\.]?[0-9]*$/", $record['tstamp'], $p)) {
@@ -113,7 +113,7 @@
 		global $app, $conf;
 
 		if($_SESSION['s']['user']['typ'] == 'admin') {
-			$app->db->query("UPDATE support_message SET sys_userid = ".$app->functions->intval($this->dataRecord['recipient_id'])." WHERE support_message_id = ".$this->id);
+			$app->db->query("UPDATE support_message SET sys_userid = ? WHERE support_message_id = ?", $this->dataRecord['recipient_id'], $this->id);
 		}
 
 	}

--
Gitblit v1.9.1