Fix path traversal, closed-connection, and ticket ID validation bugs

- download_attachment.php: path traversal check used strpos() without
  trailing DIRECTORY_SEPARATOR, allowing /uploads_evil/* to pass when
  upload dir is /uploads — now checks realPath + DIRECTORY_SEPARATOR prefix
- bulk_operation.php: $conn->close() was called before StatsModel($conn)
  construction; moved close() inside each branch to after all DB use
- upload_attachment.php: ticket ID validated as /^\d{9}$/ (exactly 9
  digits) breaking all tickets below ID 1,000,000,000 — changed to
  /^\d+$/ for any positive integer

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/bulk_operation.php

@@ -101,9 +101,8 @@ if (!$operationId) {
 // Process the bulk operation
 $result = $bulkOpsModel->processBulkOperation($operationId);
 
-$conn->close();
-
 if (isset($result['error'])) {
+    $conn->close();
     echo json_encode([
         'success' => false,
         'error' => $result['error']
@@ -112,6 +111,7 @@ if (isset($result['error'])) {
     // Invalidate stats cache so dashboard tiles reflect changes immediately
     require_once dirname(__DIR__) . '/models/StatsModel.php';
     (new StatsModel($conn))->invalidateCache();
+    $conn->close();
 
     $message = "Bulk operation completed: {$result['processed']} succeeded, {$result['failed']} failed";
     if ($inaccessibleCount > 0) {