
Sanitized and bound queries in service argumentsXml fil (#11653)
MON-14669
emabassi-ext authored Sep 5, 2022
1 parent d86b34b commit 391dd57
Showing 1 changed file with 12 additions and 10 deletions.
22 changes: 12 additions & 10 deletions www/include/configuration/configObject/service/xml/argumentsXml.php
Expand Up @@ -133,12 +133,13 @@
}
}

$query3 = "SELECT command_command_id_arg " .
$cmdStatement = $db->prepare("SELECT command_command_id_arg " .
"FROM service " .
"WHERE service_id = '" . $svcId . "' LIMIT 1";
$res3 = $db->query($query3);
if ($res3->rowCount()) {
$row3 = $res3->fetchRow();
"WHERE service_id = :svcId LIMIT 1");
$cmdStatement->bindValue(':svcId', (int) $svcId, PDO::PARAM_INT);
$cmdStatement->execute();
if ($cmdStatement->rowCount()) {
$row3 = $cmdStatement->fetchRow();
$valueTab = preg_split('/(?<!\\\)\!/', $row3['command_command_id_arg']);
if (is_array($valueTab)) {
foreach ($valueTab as $key => $value) {
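Review bot: The two new bindValue() calls spell the PDO constant differently — `PDO::PARAM_INT` on the svcId binding here and `\PDO::PARAM_INT` on the cmdId binding in the second hunk. Whether the bare form resolves depends on whether this file declares a namespace, which is outside the hunk; using one spelling in both places, `$cmdStatement->bindValue(':svcId', (int) $svcId, \PDO::PARAM_INT);`, removes that dependency. Unlike the macro statement in the second hunk, $cmdStatement is never released with closeCursor() after fetchRow(); adding `$cmdStatement->closeCursor();` once the row has been read keeps the two statements consistent, though the exact placement is in the part of the if-block that continues past the hunk. The enclosing block starts and ends outside this hunk.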
Expand All @@ -151,14 +152,15 @@
}
}

$query = "SELECT macro_name, macro_description " .
$macroStatement = $db->prepare("SELECT macro_name, macro_description " .
"FROM command_arg_description " .
"WHERE cmd_id = '" . $cmdId . "' ORDER BY macro_name";
$res = $db->query($query);
while ($row = $res->fetchRow()) {
"WHERE cmd_id = :cmdId ORDER BY macro_name");
$macroStatement->bindValue(':cmdId', (int) $cmdId, \PDO::PARAM_INT);
$macroStatement->execute();
while ($row = $macroStatement->fetchRow()) {
$argTab[$row['macro_name']] = $row['macro_description'];
}
$res->closeCursor();
$macroStatement->closeCursor();

/*
* Write XML
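Review bot: The return value of `$macroStatement->execute()` is discarded, so if the connection is not in exception error mode a failed query leaves $argTab empty and the XML below is written as if the command had no macros; the same applies to the execute() call in the first hunk. The hunk does not show how $db is configured, so this may already be covered by ERRMODE_EXCEPTION — if it is not, `if (!$macroStatement->execute()) { throw new \RuntimeException('command_arg_description lookup failed'); }` makes the failure visible instead of silent. Note also that `(int) $cmdId` maps an unset or non-numeric id to 0, which matches no command, so a missing $cmdId (assigned in the block cut off by the first hunk) degrades to an empty result rather than an error; a guard on $cmdId before the query would make that explicit.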

