Fix: Sanitize and bind CALPI Centreon service class (#11836)

* sanitize and bine clapi centreon service class * Update www/class/centreon-clapi/centreonService.class.php space added into query Co-authored-by: Kevin Duret <kduret@centreon.com> Co-authored-by: Kevin Duret <kduret@centreon.com> Co-authored-by: Kevin Duret <kduret@centreon.com>
centreon · Sep 22, 2022 · 627c093 · 627c093
1 parent 1aee7fe
commit 627c093
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/www/class/centreon-clapi/centreonService.class.php b/www/class/centreon-clapi/centreonService.class.php
@@ -1584,12 +1584,12 @@ public function getCustomMacroInDb($serviceId = null, $template = null)
         $arr = array();
         $i = 0;
         if ($serviceId) {
-            $res = $this->db->query("SELECT svc_macro_name, svc_macro_value, is_password, description
-                                FROM on_demand_macro_service
-                                WHERE svc_svc_id = " .
-                $serviceId . "
-                                ORDER BY macro_order ASC");
-            while ($row = $res->fetch()) {
+            $statement = $this->db->prepare("SELECT svc_macro_name, svc_macro_value, is_password, description " .
+                "FROM on_demand_macro_service " .
+                "WHERE svc_svc_id = :serviceId ORDER BY macro_order ASC");
+            $statement->bindValue(':serviceId', (int) $serviceId, \PDO::PARAM_INT);
+            $statement->execute();
+            while ($row = $statement->fetch()) {
                 if (preg_match('/\$_SERVICE(.*)\$$/', $row['svc_macro_name'], $matches)) {
                     $arr[$i]['svc_macro_name'] = $matches[1];
                     $arr[$i]['svc_macro_value'] = $row['svc_macro_value'];