Fixing Issue #4022

SQL Injection in data_debug.php

CHANGELOG

@@ -1,6 +1,8 @@
 Cacti CHANGELOG
 
 1.2.17
+-security#4019: In a recent audit of core Cacti code, there were a few stored XSS issues that can be exposed
+-security#4022: SQL Injection in data_debug.php
 -issue#3981: PHP ERROR: Call to undefined function api_data_source_cache_crc_update()
 -issue#3879: Graph/Data Source creation with custom fields not prompting during 1st creation
 -issue#3969: SNMPv3 Password Length Limit
@@ -15,7 +17,6 @@ Cacti CHANGELOG
 -issue#4005: Automation raises errors when default snmp options is set to none
 -issue#4008: Fix #3808 causes a massive decrease in poller performance
 -issue#4009: The function number_format_i18n() should consider null to align with standard number_format() function
--issue#4019: In a recent audit of core Cacti code, there were a few stored XSS issues that can be exposed
 -feature#3513: Add hooks for plugins to show customize graph source and customize template url
 -feature#4012: Provide CLI script to renew the CSRF security key for CSRF protection
 -feature#4013: Remote Poller - reset avg/max polling time

data_debug.php

@@ -35,6 +35,8 @@
 
 set_default_action();
 
+validate_request_vars();
+
 switch (get_request_var('action')) {
 	case 'actions':
 		form_actions();
@@ -123,8 +125,6 @@
 
 		break;
 	default:
-		validate_request_vars();
-
 		$refresh = array(
 			'seconds' => get_request_var('refresh'),
 			'page'    => 'data_debug.php?header=false',