From cfbef029cbb6611065532fa36ef66af09e53208d Mon Sep 17 00:00:00 2001
From: Jared Vititoe
Date: Sat, 28 Mar 2026 22:33:48 -0400
Subject: [PATCH] Fix bind_param type mismatches and integer validation
- TemplateModel.php: fix bind_param "ssssiii" -> "sssssii" (5 strings not 4)
- manage_workflows.php: fix bind_param 'ssiiii' -> 'ssiiiii' (4 int columns)
- download_attachment.php, delete_attachment.php, get_template.php: replace is_numeric() with strict int cast+equality check to reject floats and scientific notation
- manage_recurring.php: validate JSON input before accessing schedule_type key
Co-Authored-By: Claude Sonnet 4.6
---
 api/delete_attachment.php | 6 ++----
 api/download_attachment.php | 6 ++----
 api/get_template.php | 7 ++-----
 api/manage_recurring.php | 8 ++++++++
 api/manage_workflows.php | 2 +-
 models/TemplateModel.php | 2 +-
 6 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/api/delete_attachment.php b/api/delete_attachment.php
index 5e7f8fc..4345d71 100644
--- a/api/delete_attachment.php
+++ b/api/delete_attachment.php
@@ -51,13 +51,11 @@ if (!CsrfMiddleware::validateToken($csrfToken)) {
 }
 // Get attachment ID
-$attachmentId = $input['attachment_id'] ?? null;
-if (!$attachmentId || !is_numeric($attachmentId)) {
+$attachmentId = isset($input['attachment_id']) ? (int)$input['attachment_id'] : 0;
+if ($attachmentId <= 0 || (string)$attachmentId !== (string)($input['attachment_id'] ?? '')) {
 ResponseHelper::error('Valid attachment ID is required');
 }
-$attachmentId = (int)$attachmentId;
-
 try {
 $attachmentModel = new AttachmentModel(Database::getConnection());
diff --git a/api/download_attachment.php b/api/download_attachment.php
index fecdc5c..27b9496 100644
--- a/api/download_attachment.php
+++ b/api/download_attachment.php
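Review bot: The new guard on the `if` line still accepts a JSON boolean as a valid ID: for a body of `{"attachment_id": true}` `json_decode` yields `true`, `(int)true` is `1` and `(string)true` is `"1"`, so the round-trip comparison passes and attachment 1 is the one deleted; a float such as `12.0` is likewise accepted as `12`, even though the commit message says floats are rejected. An array value does get rejected, but only after the `(string)` cast raises an 'Array to string conversion' warning. Pin the accepted types before casting, e.g. `$raw = $input['attachment_id'] ?? null;` followed by `if (!is_int($raw) && !is_string($raw)) { ResponseHelper::error('Valid attachment ID is required'); }`, and run the existing cast-and-compare on `$raw`. Where `$input` is decoded is outside the hunk, so this assumes an associative `json_decode`; the `try` block opened at the end of the hunk also continues outside it.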
@@ -22,16 +22,14 @@ if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
 }
 // Get attachment ID
-$attachmentId = $_GET['id'] ?? null;
-if (!$attachmentId || !is_numeric($attachmentId)) {
+$attachmentId = isset($_GET['id']) ? (int)$_GET['id'] : 0;
+if ($attachmentId <= 0 || (string)$attachmentId !== (string)($_GET['id'] ?? '')) {
 http_response_code(400);
 header('Content-Type: application/json');
 echo json_encode(['success' => false, 'error' => 'Valid attachment ID is required']);
 exit;
 }
-$attachmentId = (int)$attachmentId;
-
 try {
 $attachmentModel = new AttachmentModel(Database::getConnection());
diff --git a/api/get_template.php b/api/get_template.php
index 8c1cab8..50fc3b3 100644
--- a/api/get_template.php
+++ b/api/get_template.php
@@ -24,18 +24,15 @@ try {
 }
 // Get template ID from query parameter
- $templateId = $_GET['template_id'] ?? null;
+ $templateId = isset($_GET['template_id']) ? (int)$_GET['template_id'] : 0;
- if (!$templateId || !is_numeric($templateId)) {
+ if ($templateId <= 0 || (string)$templateId !== (string)($_GET['template_id'] ?? '')) {
 ErrorHandler::sendValidationError(
 ['template_id' => 'Valid template ID required'],
 'Invalid request'
 );
 }
- // Cast to integer for safety
- $templateId = (int)$templateId;
-
 // Get template
 $conn = Database::getConnection();
 $templateModel = new TemplateModel($conn);
diff --git a/api/manage_recurring.php b/api/manage_recurring.php
index c77c9a7..5321a4c 100644
--- a/api/manage_recurring.php
+++ b/api/manage_recurring.php
@@ -70,6 +70,10 @@ try {
 echo json_encode($result);
 } else {
 $data = json_decode(file_get_contents('php://input'), true);
+ if (!is_array($data) || empty($data['schedule_type']) || empty($data['title_template'])) { echo json_encode(['success' => false, 'error' => 'schedule_type and title_template are required']); exit; }
 // Calculate next run time
 $nextRun = calculateNextRun(
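Review bot: `$_GET['id']` can arrive as an array (`?id[]=1`), and on the new `if` line `(int)` of a non-empty array is `1` while `(string)` of an array emits an 'Array to string conversion' warning before the comparison fails — so the request is rejected, but with a PHP warning that, where `display_errors` is on, is written ahead of the JSON error body. Check the type before casting: `$raw = $_GET['id'] ?? null;` then `if (!is_string($raw) || (int)$raw <= 0 || (string)(int)$raw !== $raw) {` in place of the two new lines. The `try` block opened at the end of the hunk continues outside it.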
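Review bot: The removed `// Cast to integer for safety` comment was the only explanation this block had, and the replacement `(string)$templateId !== (string)($_GET['template_id'] ?? '')` is not self-evident; add above the `if`: `// Cast-and-compare: only a canonical positive decimal string survives the int round-trip (rejects floats, exponents, leading zeros, signs and trailing garbage).` This is now the third copy of the identical three-line rule in this patch (delete_attachment.php and download_attachment.php carry the other two); a small shared helper returning `?int` would keep the three from drifting when the next edge case is found. The `try` block enclosing this code starts and ends outside the hunk.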
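Review bot: The added early exit answers a missing or malformed body with HTTP 200 and a JSON failure object, whereas download_attachment.php in this same patch sets `http_response_code(400)` before echoing; unless a status is set further up (not visible here), anything keyed on status codes will record these rejections as successes. Add `http_response_code(400);` before the `echo` on the new line. Note also that `empty()` rejects the string `"0"`, which is harmless for `schedule_type` but would matter if `title_template` may legitimately be `"0"`. The enclosing `else` branch and the `calculateNextRun(` call continue outside the hunk.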
@@ -94,6 +98,10 @@ try {
 }
 $data = json_decode(file_get_contents('php://input'), true);
+ if (!is_array($data) || empty($data['schedule_type'])) { echo json_encode(['success' => false, 'error' => 'Invalid request data']); exit; }
 // Recalculate next run time if schedule changed
 $nextRun = calculateNextRun(
diff --git a/api/manage_workflows.php b/api/manage_workflows.php
index 812cc81..8244a54 100644
--- a/api/manage_workflows.php
+++ b/api/manage_workflows.php
@@ -120,7 +120,7 @@ try {
 $stmt = $conn->prepare("UPDATE status_transitions SET from_status = ?, to_status = ?, requires_comment = ?, requires_admin = ?, is_active = ? WHERE transition_id = ?");
- $stmt->bind_param('ssiiii',
+ $stmt->bind_param('ssiiiii',
 $data['from_status'],
 $data['to_status'],
 $data['requires_comment'] ?? 0,
diff --git a/models/TemplateModel.php b/models/TemplateModel.php
index 3ecb567..c82d832 100644
--- a/models/TemplateModel.php
+++ b/models/TemplateModel.php
@@ -87,7 +87,7 @@ class TemplateModel {
 default_priority = ? WHERE template_id = ?";
 $stmt = $this->conn->prepare($sql);
- $stmt->bind_param("ssssiii",
+ $stmt->bind_param("sssssii",
 $data['template_name'],
 $data['title_template'],
 $data['description_template'],
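Review bot: The message on the new `echo` line, `'Invalid request data'`, tells the caller nothing about what was wrong, while the create path added in this same file names the missing field; `'schedule_type is required'` would be consistent and actionable. As in the create path, this exit returns HTTP 200 with a failure body — add `http_response_code(400);` before the `echo`. The surrounding `try` and the `calculateNextRun(` call continue outside the hunk.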
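Review bot: The new type string `'ssiiiii'` has seven characters, but the `UPDATE` on the preceding context line has six placeholders (`from_status`, `to_status`, `requires_comment`, `requires_admin`, `is_active`, `transition_id`) — exactly what the old `'ssiiii'` described. mysqli requires the type-string length to equal the number of bound variables and that number to equal the placeholders, so unless a seventh variable is passed in the argument list (which continues outside the hunk), this `bind_param` now fails at runtime with an ArgumentCountError or a 'Number of variables doesn't match number of parameters' error, breaking every transition update. Either a column is missing from the SQL or the line should read `$stmt->bind_param('ssiiii',` again; the commit message's own '(4 int columns)' describes six parameters, not seven. This is worth a test that actually executes the prepared statement rather than counting characters.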