From 38567ecb356b785729190134f2d259b52f0bdbbf Mon Sep 17 00:00:00 2001
From: Elmahdi ABBASSI <108519266+emabassi-ext@users.noreply.github.com>
Date: Thu, 11 Aug 2022 11:27:21 +0100
Subject: [PATCH] SNYK: Sanitize and bind Meta-Services dependency queries (#11554)

* sanityze 2 insert queries
* spaces removed in a query
---
 .../metaservice_dependency/DB-Func.php | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/www/include/configuration/configObject/metaservice_dependency/DB-Func.php b/www/include/configuration/configObject/metaservice_dependency/DB-Func.php
index 94fc2cde99b..65c42c120cc 100644
--- a/www/include/configuration/configObject/metaservice_dependency/DB-Func.php
+++ b/www/include/configuration/configObject/metaservice_dependency/DB-Func.php
@@ -114,19 +114,23 @@ function multipleMetaServiceDependencyInDB($dependencies = array(), $nbrDup = ar
 $query = "SELECT DISTINCT meta_service_meta_id FROM dependency_metaserviceParent_relation " .
 "WHERE dependency_dep_id = '" . $key . "'";
 $dbResult = $pearDB->query($query);
+ $statement = $pearDB->prepare("INSERT INTO dependency_metaserviceParent_relation " .
+ "VALUES (:maxId, :metaId)");
 while ($ms = $dbResult->fetch()) {
- $query = "INSERT INTO dependency_metaserviceParent_relation " .
- "VALUES ('" . $maxId["MAX(dep_id)"] . "', '" . $ms["meta_service_meta_id"] . "')";
- $pearDB->query($query);
+ $statement->bindValue(':maxId', (int) $maxId["MAX(dep_id)"], \PDO::PARAM_INT);
+ $statement->bindValue(':metaId', (int) $ms["meta_service_meta_id"], \PDO::PARAM_INT);
+ $statement->execute();
 }
 $dbResult->closeCursor();
 $query = "SELECT DISTINCT meta_service_meta_id FROM dependency_metaserviceChild_relation " .
 "WHERE dependency_dep_id = '" . $key . "'";
 $dbResult = $pearDB->query($query);
+ $childStatement = $pearDB->prepare("INSERT INTO dependency_metaserviceChild_relation " .
+ "VALUES (:maxId, :metaId)");
 while ($ms = $dbResult->fetch()) {
- $query = "INSERT INTO dependency_metaserviceChild_relation VALUES ('" .
- $maxId["MAX(dep_id)"] . "', '" . $ms["meta_service_meta_id"] . "')";
- $pearDB->query($query);
+ $childStatement->bindValue(':maxId', (int) $maxId["MAX(dep_id)"], \PDO::PARAM_INT);
+ $childStatement->bindValue(':metaId', (int) $ms["meta_service_meta_id"], \PDO::PARAM_INT);
+ $childStatement->execute();
 }
 $dbResult->closeCursor();
 }
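Review bot: The two SELECT statements that remain as context at the top of each half of the hunk still build their WHERE clause by string concatenation (`"WHERE dependency_dep_id = '" . $key . "'"`), so multipleMetaServiceDependencyInDB keeps two unparameterised queries even though the commit binds both INSERTs. `$key` is assigned before the hunk begins (the function body starts outside it), so whether it has already been validated as an integer cannot be confirmed here; binding it with `\PDO::PARAM_INT`, as the new `:maxId` parameter already is, settles that regardless of the caller. Because `$dbResult` is only used through `fetch()` and `closeCursor()`, a prepared statement can replace `$pearDB->query($query)` without touching the loops or the new INSERT code. The same rewrite applies to the child SELECT in the second half of the hunk.
```php
$dbResult = $pearDB->prepare(
    "SELECT DISTINCT meta_service_meta_id FROM dependency_metaserviceParent_relation " .
    "WHERE dependency_dep_id = :depId"
);
$dbResult->bindValue(':depId', (int) $key, \PDO::PARAM_INT);
$dbResult->execute();
// … unchanged: parent INSERT prepare, fetch loop and closeCursor …
$dbResult = $pearDB->prepare(
    "SELECT DISTINCT meta_service_meta_id FROM dependency_metaserviceChild_relation " .
    "WHERE dependency_dep_id = :depId"
);
$dbResult->bindValue(':depId', (int) $key, \PDO::PARAM_INT);
$dbResult->execute();
// … unchanged: child INSERT prepare, fetch loop and closeCursor …
```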