From 98f93779c7188fb47d33fc441f7282a3b5cc4bab Mon Sep 17 00:00:00 2001
From: hyahiaoui-ext <97593234+hyahiaoui-ext@users.noreply.github.com>
Date: Mon, 26 Sep 2022 16:20:55 +0100
Subject: [PATCH] FIX: SQLi in contact groups form (#11869)

---
 .../configObject/contactgroup/formContactGroup.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/www/include/configuration/configObject/contactgroup/formContactGroup.php b/www/include/configuration/configObject/contactgroup/formContactGroup.php
index 4112ceb27b7..fa2bfb9215a 100644
--- a/www/include/configuration/configObject/contactgroup/formContactGroup.php
+++ b/www/include/configuration/configObject/contactgroup/formContactGroup.php
@@ -64,12 +64,14 @@
     /*
      * Get host Group information
      */
-    $DBRESULT = $pearDB->query("SELECT * FROM `contactgroup` WHERE `cg_id` = '" . $cg_id . "' LIMIT 1");
+    $statement = $pearDB->prepare("SELECT * FROM `contactgroup` WHERE `cg_id` = :cg_id LIMIT 1");
+    $statement->bindValue(':cg_id', (int) $cg_id, \PDO::PARAM_INT);
+    $statement->execute();
 
     /*
      * Set base value
      */
-    $cg = array_map("myDecode", $DBRESULT->fetchRow());
+    $cg = array_map("myDecode", $statement->fetch(\PDO::FETCH_ASSOC));
 }
 
 $attrsText = array("size" => "30");
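Review bot: `$statement->fetch(\PDO::FETCH_ASSOC)` on the new `$cg = array_map(...)` line returns `false` when no row matches, and passing `false` to `array_map()` is a TypeError on PHP 8 (a warning yielding null on PHP 7); the `(int) $cg_id` cast makes that path easy to reach, since a non-numeric or unknown id becomes 0 and selects nothing. Guard the row before decoding: `$row = $statement->fetch(\PDO::FETCH_ASSOC);` then `$cg = $row !== false ? array_map("myDecode", $row) : [];`. The block these lines sit in opens before the hunk and closes at the `}` context line, so whatever the form code after it expects of an empty `$cg` needs a look too. Binding the id as `\PDO::PARAM_INT` through a prepared statement is the right replacement for the interpolated query.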