Add Signature in ticket reply POST dont add a signature if Internal

johnnyq · johnnyq · commit e3e7c2e38bd4 · 2025-10-08T14:48:13.000-04:00
diff --git a/agent/post/ticket.php b/agent/post/ticket.php
@@ -1567,7 +1567,7 @@
     enforceUserPermission('module_support', 2);
 
     $ticket_id = intval($_POST['ticket_id']);
-    $ticket_reply = mysqli_real_escape_string($mysqli, $_POST['ticket_reply']);
+    $ticket_reply = $_POST['ticket_reply']; // Reply is SQL escaped below
     $ticket_status = intval($_POST['status']);
     $client_id = intval($_POST['client_id']);
 
@@ -1588,6 +1588,12 @@
     } else {
         $ticket_reply_type = 'Internal';
     }
+    // Add Signature to the end of the ticket reply if not Internal and if there is reply
+    if ($ticket_reply !== '' && $ticket_reply_type !== 'Internal') {
+        $ticket_reply .= getFieldById('user_settings',$session_user_id,'user_config_signature', 'raw');
+    }
+    
+    $ticket_reply = mysqli_escape_string($mysqli, $ticket_reply); // SQL Escape Ticket Reply
 
     // Update Ticket Status & updated at (in case status didn't change)
     mysqli_query($mysqli, "UPDATE tickets SET ticket_status = $ticket_status, ticket_updated_at = NOW() WHERE ticket_id = $ticket_id");
diff --git a/agent/ticket.php b/agent/ticket.php
@@ -620,7 +620,6 @@ class="ajax-modal"
                                 <textarea
                                     class="form-control tinymceTicket" name="ticket_reply"
                                     placeholder="Type a response">
-                                    <?php echo getFieldById('user_settings',$session_user_id,'user_config_signature','html'); ?>
                                 </textarea>
                             </div>
 
diff --git a/functions.php b/functions.php
@@ -1607,6 +1607,8 @@ function getFieldById($table, $id, $field, $escape_method = 'sql') {
 
         // Apply the desired escaping method or auto-detect integer type if using SQL escaping
         switch ($escape_method) {
+            case 'raw':
+                return $value; // Return as-is from the database
             case 'html':
                 return htmlspecialchars($value ?? '', ENT_QUOTES, 'UTF-8'); // Escape for HTML
             case 'json':
