From ab9ae71ac70db6bd2bc93807030da36bcddc520a Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Sat, 19 Oct 2024 15:56:26 -0400
Subject: [PATCH] Do not resanitize subject after passed to the create/update ticket function as its sanitized before passing to the functon, this caused unessesary slashes in the subject line if sql escape chars were used
---
 cron_ticket_email_parser.php | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/cron_ticket_email_parser.php b/cron_ticket_email_parser.php
index 34bfdea8..566cd431 100644
--- a/cron_ticket_email_parser.php
+++ b/cron_ticket_email_parser.php
@@ -3,9 +3,6 @@
 * CRON - Email Parser
 * Based on Libraries php-mime-mail-parser and PHP Extensions PHP IMAP and PHP MAilparse
 * Process emails and create/update tickets
- * To Do:
- * -- Show Mail from header in HTML Emails currently only work in text based emails
- * -- When replying via email do not show original reply in Ticket Reply Body
 */
 // Set working directory to the directory this cron script lives at.
@@ -108,7 +105,6 @@ function addTicket($contact_id, $contact_name, $contact_email, $client_id, $date
 $message = "Email from: $contact_name <$contact_email> at $date:-

$message
";
 $ticket_prefix_esc = mysqli_real_escape_string($mysqli, $config_ticket_prefix);
- $subject_esc = mysqli_real_escape_string($mysqli, $subject);
 $message_esc = mysqli_real_escape_string($mysqli, $message);
 $contact_email_esc = mysqli_real_escape_string($mysqli, $contact_email);
 $client_id_esc = intval($client_id);
@@ -116,7 +112,7 @@ function addTicket($contact_id, $contact_name, $contact_email, $client_id, $date
 //Generate a unique URL key for clients to access
 $url_key = randomString(156);
- mysqli_query($mysqli, "INSERT INTO tickets SET ticket_prefix = '$ticket_prefix_esc', ticket_number = $ticket_number, ticket_subject = '$subject_esc', ticket_details = '$message_esc', ticket_priority = 'Low', ticket_status = 1, ticket_created_by = 0, ticket_contact_id = $contact_id, ticket_url_key = '$url_key', ticket_client_id = $client_id_esc");
+ mysqli_query($mysqli, "INSERT INTO tickets SET ticket_prefix = '$ticket_prefix_esc', ticket_number = $ticket_number, ticket_subject = '$subject', ticket_details = '$message_esc', ticket_priority = 'Low', ticket_status = 1, ticket_created_by = 0, ticket_contact_id = $contact_id, ticket_url_key = '$url_key', ticket_client_id = $client_id_esc");
 $id = mysqli_insert_id($mysqli);
 mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Ticket', log_action = 'Create', log_description = 'Email parser: Client contact $contact_email_esc created ticket $ticket_prefix_esc$ticket_number ($subject_esc) ($id)', log_client_id = $client_id_esc");
@@ -160,7 +156,7 @@ function addTicket($contact_id, $contact_name, $contact_email, $client_id, $date
 'from_name' => $config_ticket_from_name,
 'recipient' => $contact_email,
 'recipient_name' => $contact_name,
- 'subject' => mysqli_real_escape_string($mysqli, $subject_email),
+ 'subject' => $subject_email,
 'body' => mysqli_real_escape_string($mysqli, $body)
 ];
 }
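Review bot: Removing `$subject_esc = mysqli_real_escape_string($mysqli, $subject);` leaves the logs INSERT in the next hunk dangling, because its log_description string still interpolates `$subject_esc` and this hunk deletes the only assignment to that variable visible here. After this commit that query runs with an undefined variable, which is a PHP warning on every parsed email and an empty subject in the audit log entry. Either keep the assignment so the log line stays escaped, or change the log line to whichever form of the subject is now intended; leaving one query on the old name and one on the new one is the worst of both. addTicket's body begins and ends outside this hunk.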
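Review bot: The new INSERT interpolates `$subject` straight into a string-built query with no escaping in this function, so its safety now depends on every caller having run mysqli_real_escape_string on the subject first; the commit message says the caller does, but nothing in this hunk enforces it and a future caller that passes the raw header text would reopen SQL injection here. Escaping is context-specific, so the cleaner fix for the doubled slashes is the opposite direction: have the caller pass the raw subject and escape it once at the SQL boundary, keeping `ticket_subject = '$subject_esc'` in this query, or better, turn this INSERT into a prepared statement with bound parameters so the question of who escaped what goes away entirely. The enclosing addTicket continues outside the hunk.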
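Review bot: The `'body' => mysqli_real_escape_string($mysqli, $body)` entry on the line after the changed one still SQL-escapes the body while `'subject'` no longer is, so the two fields of the same mail entry are now escaped by different rules. If the receiving code inserts this array into a mail-queue table, the subject needs escaping (or a bound parameter) there; if it hands the array to a mailer, the body escaping is the stray one and puts backslashes into outgoing mail exactly as the subject did — which of the two applies cannot be told from this hunk. One rule for both fields, applied at the SQL boundary and nowhere else, is what removes the doubled-slash symptom for good.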
@@ -181,7 +177,7 @@ function addTicket($contact_id, $contact_name, $contact_email, $client_id, $date
 'from_name' => $config_ticket_from_name,
 'recipient' => $config_ticket_new_ticket_notification_email,
 'recipient_name' => $config_ticket_from_name,
- 'subject' => mysqli_real_escape_string($mysqli, $email_subject),
+ 'subject' => $email_subject,
 'body' => mysqli_real_escape_string($mysqli, $email_body)
 ];
 }
@@ -245,7 +241,7 @@ function addReply($from_email, $date, $subject, $ticket_number, $message, $attac
 'from_name' => $config_ticket_from_name,
 'recipient' => $from_email,
 'recipient_name' => $from_email,
- 'subject' => mysqli_real_escape_string($mysqli, $email_subject),
+ 'subject' => $email_subject,
 'body' => mysqli_real_escape_string($mysqli, $email_body)
 ]
 ];
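Review bot: If `$subject` reaches addReply already SQL-escaped, as the commit message states, then `$email_subject` (built outside this hunk, presumably from that parameter) still carries those backslashes into the outgoing reply subject; dropping the second mysqli_real_escape_string here removes one layer of escaping but not the one the caller added. A quick check is to reply to a ticket whose subject contains a single quote or a backslash and look at the Subject header of the acknowledgement mail. The `'body' => mysqli_real_escape_string($mysqli, $email_body)` line below has the same mismatch between a SQL escape and a mail context, so whatever rule is chosen for the subject should be applied to the body too. addReply's body lies mostly outside the hunk.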