FIX: Sanitize and bind default configuration queries (#11748)

centreon · Sep 19, 2022 · 1a241b8 · 1a241b8
1 parent 0180c02
commit 1a241b8
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/www/install/steps/process/insertBaseConf.php b/www/install/steps/process/insertBaseConf.php
@@ -124,18 +124,21 @@
 
 // Manage timezone
 $timezone = date_default_timezone_get();
-$resTimezone = $link->query("SELECT timezone_id FROM timezone WHERE timezone_name= '" . $timezone . "'");
-if (!$resTimezone) {
+$statement = $link->prepare("SELECT timezone_id FROM timezone WHERE timezone_name= :timezone_name");
+$statement->bindValue(':timezone_name', $timezone, \PDO::PARAM_STR);
+if (!$statement->execute()) {
     $return['msg'] = _('Cannot get timezone information');
     echo json_encode($return);
     exit;
 }
-if ($row = $resTimezone->fetch()) {
+if ($row = $statement->fetch(\PDO::FETCH_ASSOC)) {
     $timezoneId = $row['timezone_id'];
 } else {
     $timezoneId = '334'; # Europe/London timezone
 }
-$link->exec("INSERT INTO `options` (`key`, `value`) VALUES ('gmt','" . $timezoneId . "')");
+$statement = $link->prepare("INSERT INTO `options` (`key`, `value`) VALUES ('gmt', :value)");
+$statement->bindValue(':value', $timezoneId, \PDO::PARAM_STR);
+$statement->execute();
 
 # Generate random key for this instance and set it to be not central and not remote
 $informationsTableInsert = "INSERT INTO `informations` (`key`,`value`) VALUES