FIX: SQLi in contact groups form (#11869)

centreon · Sep 28, 2022 · 98f9377 · 98f9377
1 parent 9122ac1
commit 98f9377
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/www/include/configuration/configObject/contactgroup/formContactGroup.php b/www/include/configuration/configObject/contactgroup/formContactGroup.php
@@ -64,12 +64,14 @@
     /*
      * Get host Group information
      */
-    $DBRESULT = $pearDB->query("SELECT * FROM `contactgroup` WHERE `cg_id` = '" . $cg_id . "' LIMIT 1");
+    $statement = $pearDB->prepare("SELECT * FROM `contactgroup` WHERE `cg_id` = :cg_id LIMIT 1");
+    $statement->bindValue(':cg_id', (int) $cg_id, \PDO::PARAM_INT);
+    $statement->execute();
 
     /*
      * Set base value
      */
-    $cg = array_map("myDecode", $DBRESULT->fetchRow());
+    $cg = array_map("myDecode", $statement->fetch(\PDO::FETCH_ASSOC));
 }
 
 $attrsText = array("size" => "30");