From 69527766f66c1c4559a232e4b4f0a0f9514d3162 Mon Sep 17 00:00:00 2001
From: hyahiaoui-ext <97593234+hyahiaoui-ext@users.noreply.github.com>
Date: Thu, 22 Sep 2022 09:23:56 +0100
Subject: [PATCH] FIX: Sanitize and bind Knowledge Base host listing (#11847)
---
 www/class/centreon-knowledge/procedures.class.php | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/www/class/centreon-knowledge/procedures.class.php b/www/class/centreon-knowledge/procedures.class.php
index c20a0a99f7e..cc4feac9351 100644
--- a/www/class/centreon-knowledge/procedures.class.php
+++ b/www/class/centreon-knowledge/procedures.class.php
@@ -139,13 +139,15 @@ public function getMyHostMultipleTemplateModels($host_id = null)
 "WHERE host_host_id = '" . $host_id . "' " .
 "ORDER BY `order`"
 );
+ $statement = $this->centreon_DB->prepare(
+ "SELECT host_name " .
+ "FROM host " .
+ "WHERE host_id = :host_id LIMIT 1"
+ );
 while ($row = $dbResult->fetch()) {
- $dbResult2 = $this->centreon_DB->query(
- "SELECT host_name " .
- "FROM host " .
- "WHERE host_id = '" . $row['host_tpl_id'] . "' LIMIT 1"
- );
- $hTpl = $dbResult2->fetch();
+ $statement->bindValue(':host_id', $row['host_tpl_id'], \PDO::PARAM_INT);
+ $statement->execute();
+ $hTpl = $statement->fetch(\PDO::FETCH_ASSOC);
 $tplArr[$row['host_tpl_id']] = html_entity_decode($hTpl["host_name"], ENT_QUOTES);
 }
 unset($row);
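Review bot: The outer query whose tail is visible at the top of the hunk still builds its WHERE clause by concatenation, `"WHERE host_host_id = '" . $host_id . "' " .`, so only the inner host_name lookup is parameterised by this change; giving it the same treatment (`"WHERE host_host_id = :host_host_id " .` followed by `bindValue(':host_host_id', $host_id, \PDO::PARAM_INT)`) would close the remaining string-built query unless every caller already guarantees `$host_id` is numeric, which is not visible here. The `query(` call that issues that outer statement, and getMyHostMultipleTemplateModels itself, begin before the hunk. Separately, the new `$hTpl = $statement->fetch(\PDO::FETCH_ASSOC);` returns `false` when no host row matches the template id, and the following context line then indexes `false` and hands null to html_entity_decode(); a guard such as `if ($hTpl === false) { continue; }` before that line would avoid the resulting warnings. That second point is pre-existing behaviour rather than something this commit introduced.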