From 36677ccdcb6c960bbf9337e3885a8a144daa3dae Mon Sep 17 00:00:00 2001
From: Elmahdi ABBASSI <108519266+emabassi-ext@users.noreply.github.com>
Date: Fri, 29 Jul 2022 10:29:10 +0100
Subject: [PATCH] Sanitized and bound queries (#11413) (#11445)

lines : 130 -142
---
 .../hostgroup_dependency/DB-Func.php | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/www/include/configuration/configObject/hostgroup_dependency/DB-Func.php b/www/include/configuration/configObject/hostgroup_dependency/DB-Func.php
index ded4d3c58ff..1ddeac48d46 100644
--- a/www/include/configuration/configObject/hostgroup_dependency/DB-Func.php
+++ b/www/include/configuration/configObject/hostgroup_dependency/DB-Func.php
@@ -124,10 +124,12 @@ function multipleHostGroupDependencyInDB($dependencies = array(), $nbrDup = arra
 "WHERE dependency_dep_id = '" . $key . "'";
 $dbResult = $pearDB->query($query);
 $fields["dep_hgParents"] = "";
+ $query = "INSERT INTO dependency_hostgroupParent_relation VALUES (:max_id, :hg_id)";
+ $statement = $pearDB->prepare($query);
 while ($hg = $dbResult->fetch()) {
- $query = "INSERT INTO dependency_hostgroupParent_relation VALUES ('" . $maxId["MAX(dep_id)"] . "', '" . $hg["hostgroup_hg_id"] . "')";
- $pearDB->query($query);
+ $statement->bindValue(':max_id', (int) $maxId["MAX(dep_id)"], \PDO::PARAM_INT);
+ $statement->bindValue(':hg_id', (int) $hg["hostgroup_hg_id"], \PDO::PARAM_INT);
+ $statement->execute();
 $fields["dep_hgParents"] .= $hg["hostgroup_hg_id"] . ",";
 }
 $fields["dep_hgParents"] = trim($fields["dep_hgParents"], ",");
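Review bot: The SELECT that feeds each loop is still built by concatenation — the first context line of this hunk and of the hunk at -136 reads `"WHERE dependency_dep_id = '" . $key . "'"` — so only the INSERT half of each query pair is actually bound; `$key` appears to be an array key from the `$dependencies` argument of multipleHostGroupDependencyInDB and should be prepared the same way, e.g. `... WHERE dependency_dep_id = :dep_id` with `$stmt->bindValue(':dep_id', (int) $key, \PDO::PARAM_INT)` before `execute()`. The `:max_id` value does not change between iterations, so its `bindValue` call can be moved above the `while` and only `:hg_id` rebound inside the loop. The return value of `$statement->execute()` is ignored; unless `$pearDB` runs with `PDO::ERRMODE_EXCEPTION` (not visible here), a failed insert still appends the id to `dep_hgParents`, recording a relation that was never written. The same three points apply to the `dependency_hostgroupChild_relation` hunk that follows. The body of multipleHostGroupDependencyInDB begins before and continues after this hunk.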
@@ -136,10 +138,12 @@ function multipleHostGroupDependencyInDB($dependencies = array(), $nbrDup = arra
 "WHERE dependency_dep_id = '" . $key . "'";
 $dbResult = $pearDB->query($query);
 $fields["dep_hgChilds"] = "";
+ $query = "INSERT INTO dependency_hostgroupChild_relation VALUES (:max_id, :hg_id)";
+ $statement = $pearDB->prepare($query);
 while ($hg = $dbResult->fetch()) {
- $query = "INSERT INTO dependency_hostgroupChild_relation VALUES ('" . $maxId["MAX(dep_id)"] . "', '" . $hg["hostgroup_hg_id"] . "')";
- $pearDB->query($query);
+ $statement->bindValue(':max_id', (int) $maxId["MAX(dep_id)"], \PDO::PARAM_INT);
+ $statement->bindValue(':hg_id', (int) $hg["hostgroup_hg_id"], \PDO::PARAM_INT);
+ $statement->execute();
 $fields["dep_hgChilds"] .= $hg["hostgroup_hg_id"] . ",";
 }
 $fields["dep_hgChilds"] = trim($fields["dep_hgChilds"], ",");