From 226fb89c96b9282e31a507175f04478102dc25b6 Mon Sep 17 00:00:00 2001
From: Elmahdi ABBASSI <108519266+emabassi-ext@users.noreply.github.com>
Date: Thu, 11 Aug 2022 11:25:35 +0100
Subject: [PATCH] MON-14501 - sanitize query in centreonXmlbgRequest class (#11559)

* sanitize query in centreonXmlbgRequest class

* add closeCursor func to resolve conv
---
 www/class/centreonXMLBGRequest.class.php | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/www/class/centreonXMLBGRequest.class.php b/www/class/centreonXMLBGRequest.class.php
index d47d22a08ad..49e25bbf15a 100644
--- a/www/class/centreonXMLBGRequest.class.php
+++ b/www/class/centreonXMLBGRequest.class.php
@@ -221,12 +221,13 @@ public function __construct(
 private function isUserAdmin()
 {
- $query = "SELECT contact_admin, contact_id FROM contact " .
- "WHERE contact.contact_id = '" . CentreonDB::escape($this->user_id) . "' LIMIT 1";
- $dbResult = $this->DB->query($query);
- $admin = $dbResult->fetchRow();
- $dbResult->closeCursor();
- if ($admin["contact_admin"]) {
+ $statement = $this->DB->prepare("SELECT contact_admin, contact_id FROM contact " .
+ "WHERE contact.contact_id = :userId LIMIT 1");
+ $statement->bindValue(":userId", (int) $this->user_id, \PDO::PARAM_INT);
+ $statement->execute();
+ $admin = $statement->fetchRow();
+ $statement->closeCursor();
+ if ($admin !== false && $admin["contact_admin"]) {
 $this->is_admin = 1;
 } else {
 $this->is_admin = 0;
@@ -330,7 +331,7 @@ public function setHostGroupsHistory($hg)
 public function setServiceGroupsHistory($sg)
 {
- $_SESSION['monitoring_default_servicegroups'] = sg;
+ $_SESSION['monitoring_default_servicegroups'] = $sg;
 }

 public function setCriticality($criticality)
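Review bot: `$statement->execute()` in the new isUserAdmin() body is called without checking its return value, so if `$this->DB` is not in PDO exception mode a failed query produces `$admin === false` and the contact is treated as a non-admin — fail-closed, but indistinguishable from a genuine non-admin and silently hiding the database error. Whether exceptions are enabled depends on how `$this->DB` is configured, which is outside this hunk, so either confirm that mode or handle a `false` return explicitly. A docblock would also help, since the `(int)` cast means a missing or non-numeric `user_id` now resolves to contact 0 rather than failing: `/** Sets $this->is_admin to 1 when the current contact has contact_admin set, 0 otherwise (including unknown contacts or a failed lookup). */`. The body of isUserAdmin() continues past the end of the hunk.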