Fix path traversal, closed-connection, and ticket ID validation bugs

- download_attachment.php: path traversal check used strpos() without
  trailing DIRECTORY_SEPARATOR, allowing /uploads_evil/* to pass when
  upload dir is /uploads — now checks realPath + DIRECTORY_SEPARATOR prefix
- bulk_operation.php: $conn->close() was called before StatsModel($conn)
  construction; moved close() inside each branch to after all DB use
- upload_attachment.php: ticket ID validated as /^\d{9}$/ (exactly 9
  digits) breaking all tickets below ID 1,000,000,000 — changed to
  /^\d+$/ for any positive integer

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/upload_attachment.php

@@ -41,8 +41,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         ResponseHelper::error('Ticket ID is required');
     }
 
-    // Validate ticket ID format (9-digit number)
-    if (!preg_match('/^\d{9}$/', $ticketId)) {
+    // Validate ticket ID format (positive integer)
+    if (!preg_match('/^\d+$/', $ticketId)) {
         ResponseHelper::error('Invalid ticket ID format');
     }
 
@@ -86,8 +86,8 @@ if (empty($ticketId)) {
     ResponseHelper::error('Ticket ID is required');
 }
 
-// Validate ticket ID format (9-digit number)
-if (!preg_match('/^\d{9}$/', $ticketId)) {
+// Validate ticket ID format (positive integer)
+if (!preg_match('/^\d+$/', $ticketId)) {
     ResponseHelper::error('Invalid ticket ID format');
 }