FIX: Sanitize and bind command configuration queries 21.10.x (#11755)

centreon · Sep 13, 2022 · 36c0f9a · 36c0f9a
1 parent 095dda9
commit 36c0f9a
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/www/include/common/javascript/commandGetArgs/cmdGetExample.php b/www/include/common/javascript/commandGetArgs/cmdGetExample.php
@@ -58,13 +58,14 @@ function myDecodeService($arg)
         exit();
     }
 
-    $DBRESULT = $pearDB->query(
-        "SELECT `command_example` FROM `command` WHERE `command_id` = '". $pearDB->escape($_POST["index"]) ."'"
+    $statement = $pearDB->prepare(
+        "SELECT `command_example` FROM `command` WHERE `command_id` = :command_id"
     );
-    while ($arg = $DBRESULT->fetchRow()) {
+    $statement->bindValue(':command_id', (int) $_POST["index"], \PDO::PARAM_INT);
+    $statement->execute();
+    while ($arg = $statement->fetch(\PDO::FETCH_ASSOC)) {
         echo myDecodeService($arg["command_example"]);
     }
-    unset($arg);
-    unset($DBRESULT);
+    unset($arg, $statement);
     $pearDB = null;
 }