The much better solution to fix this would be keeping the
include block over the input_validate_* calls in graph.php
(which without more modifications would reopen the SQL injection vuln)
and then fixing this in

  /usr/share/cacti/site/include/top_graph_header.php

where you just have to add the line

  input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$");

in the input validation block.
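
Added example, not part of the original message or of Cacti's code: how the allow-list pattern proposed above treats a set of constructed rra_id values. validate_rra_id() is a hypothetical stand-in that assumes a PCRE engine (preg_match); the \z variant is included because PCRE's $ also matches just before a trailing newline.

```php
<?php
declare(strict_types=1);

// Added illustration, not Cacti source code.
// Pattern from the message, wrapped in PCRE delimiters (assumption: PCRE engine).
const RRA_ID_PATTERN = '/^([0-9]+|all)$/';
// Same allow-list, anchored at the absolute end of the string.
const RRA_ID_STRICT = '/^([0-9]+|all)\z/';

// Hypothetical stand-in for the proposed check: true only when the whole
// value is either a run of digits or the literal word "all".
function validate_rra_id(string $value, string $pattern): bool
{
    return preg_match($pattern, $value) === 1;
}

// Constructed sample values for the rra_id request variable.
$samples = ['5', 'all', '007', '', '-1', 'ALL', '5 OR 1=1', "5'", "5\n"];

printf("%-12s %-8s %s\n", 'rra_id', 'pattern', 'strict');
foreach ($samples as $value) {
    printf(
        "%-12s %-8s %s\n",
        json_encode($value), // makes the trailing newline visible
        validate_rra_id($value, RRA_ID_PATTERN) ? 'accept' : 'reject',
        validate_rra_id($value, RRA_ID_STRICT) ? 'accept' : 'reject'
    );
}
```

Only the last sample differs between the two columns; everything that is not purely digits or the exact lowercase word "all" is rejected before it can reach a query.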
