FIX: Sanitize and bind graph configuration queries (#11723)

centreon · Sep 9, 2022 · 70fecb8 · 70fecb8
1 parent 62198b1
commit 70fecb8
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/www/class/centreonGraph.class.php b/www/class/centreonGraph.class.php
@@ -1133,13 +1133,15 @@ public function setTemplate($template_id = null)
         } else {
             $this->templateId = htmlentities($_GET["template_id"], ENT_QUOTES, "UTF-8");
         }
-        $DBRESULT = $this->DB->query(
+        $statement = $this->DB->prepare(
             "SELECT *
                 FROM giv_graphs_template
-                WHERE graph_id = '" . $this->templateId . "' LIMIT 1"
+                WHERE graph_id = :graph_id LIMIT 1"
         );
-        $this->templateInformations = $DBRESULT->fetch();
-        $DBRESULT->closeCursor();
+        $statement->bindValue(':graph_id', (int) $this->templateId, \PDO::PARAM_INT);
+        $statement->execute();
+        $this->templateInformations = $statement->fetch(\PDO::FETCH_ASSOC);
+        $statement->closeCursor();
     }
 
     /**