From 64c2e182989745b337bee104a5e6ee9707520604 Mon Sep 17 00:00:00 2001
From: Elmahdi ABBASSI <108519266+emabassi-ext@users.noreply.github.com>
Date: Wed, 21 Sep 2022 14:34:14 +0100
Subject: [PATCH] Fix: Sanitize and bind host category listing (#11805)

---
 .../host_categories/listHostCategories.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/www/include/configuration/configObject/host_categories/listHostCategories.php b/www/include/configuration/configObject/host_categories/listHostCategories.php
index bc454267abe..81a3ae8c25a 100644
--- a/www/include/configuration/configObject/host_categories/listHostCategories.php
+++ b/www/include/configuration/configObject/host_categories/listHostCategories.php
@@ -141,16 +141,16 @@
 $aclFrom = ", $aclDbName.centreon_acl acl ";
 $aclCond = " AND h.host_id = acl.host_id AND acl.group_id IN (" . $acl->getAccessGroupsString() . ") ";
 }
- $DBRESULT2 = $pearDB->query(
- "SELECT h.host_id, h.host_activate " .
+ $hcStatement = $pearDB->prepare("SELECT h.host_id, h.host_activate " .
 "FROM hostcategories_relation hcr, host h " . $aclFrom .
- " WHERE hostcategories_hc_id = '" . $hc['hc_id'] . "'" .
+ " WHERE hostcategories_hc_id = :hcId" .
 " AND h.host_id = hcr.host_host_id " . $aclCond .
- " AND h.host_register = '1' "
- );
+ " AND h.host_register = '1' ");
+ $hcStatement->bindValue(':hcId', (int) $hc['hc_id'], \PDO::PARAM_INT);
+ $hcStatement->execute();
 $nbrhostActArr = array();
 $nbrhostDeactArr = array();
- while ($row = $DBRESULT2->fetch()) {
+ while ($row = $hcStatement->fetch()) {
 if ($row['host_activate']) {
 $nbrhostActArr[$row['host_id']] = true;
 } else {
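Review bot: The `:hcId` binding covers only one of the fragments spliced into this statement; `$aclCond` is still concatenated in from `$acl->getAccessGroupsString()` (context line just above the change), so the prepared statement is only as injection-resistant as that string. If the group list is guaranteed to be built server-side from integer ACL group ids, a comment on the `prepare(` line should say so, e.g. `// $aclCond comes from ACL group ids resolved server-side, never from request input`; otherwise the ids should be bound as a generated list of placeholders. Separately, `(int) $hc['hc_id']` silently turns a non-numeric id into 0, which matches no category instead of failing loudly; if `$hc` can originate anywhere other than the category query, prefer `filter_var($hc['hc_id'], FILTER_VALIDATE_INT)` with an explicit check. The loop that yields `$hc` starts outside the hunk, so where it comes from cannot be confirmed here.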