diff --git a/api/assign_ticket.php b/api/assign_ticket.php
index 0b21348..7c34d04 100644
--- a/api/assign_ticket.php
+++ b/api/assign_ticket.php
@@ -14,14 +14,15 @@ if (!is_array($data)) {
     exit;
 }
 
-$ticketId = isset($data['ticket_id']) ? (int)$data['ticket_id'] : 0;
+$ticketIdRaw = isset($data['ticket_id']) ? trim((string)$data['ticket_id']) : '';
 $assignedTo = $data['assigned_to'] ?? null;
 
-if ($ticketId <= 0) {
+if (!ctype_digit($ticketIdRaw) || (int)$ticketIdRaw <= 0) {
     http_response_code(400);
     echo json_encode(['success' => false, 'error' => 'Ticket ID required']);
     exit;
 }
+$ticketId = $ticketIdRaw;
 
 $ticketModel = new TicketModel($conn);
 $auditLogModel = new AuditLogModel($conn);
diff --git a/api/delete_attachment.php b/api/delete_attachment.php
index 4345d71..9a111da 100644
--- a/api/delete_attachment.php
+++ b/api/delete_attachment.php
@@ -67,7 +67,7 @@ try {
 
     // Verify user can access the parent ticket
     $ticketModel = new TicketModel(Database::getConnection());
-    $ticket = $ticketModel->getTicketById((int)$attachment['ticket_id']);
+    $ticket = $ticketModel->getTicketById($attachment['ticket_id']);
     if (!$ticket || !$ticketModel->canUserAccessTicket($ticket, $_SESSION['user'])) {
         ResponseHelper::notFound('Attachment not found');
     }
@@ -80,7 +80,7 @@ try {
 
     // Delete the file — use realpath() to prevent path traversal
     $uploadDir = realpath($GLOBALS['config']['UPLOAD_DIR'] ?? dirname(__DIR__) . '/uploads');
-    $filePath  = $uploadDir . '/' . (int)$attachment['ticket_id'] . '/' . $attachment['filename'];
+    $filePath  = $uploadDir . '/' . $attachment['ticket_id'] . '/' . $attachment['filename'];
     $realPath  = realpath($filePath);
 
     if ($realPath !== false) {