Fix: Sanitize and bind CLAPI poller configuration 22.04.x (#11731)

* sanitize and bind CLAPI poller config * remove unecessary comment * revert deleted imports
centreon · Sep 13, 2022 · 9e28662 · 9e28662
1 parent 2aebf3e
commit 9e28662
Showing 1 changed file with 22 additions and 14 deletions.
diff --git a/www/class/centreon-clapi/centreon.Config.Poller.class.php b/www/class/centreon-clapi/centreon.Config.Poller.class.php
@@ -192,11 +192,13 @@ public function pollerReload($variables)
         $poller_id = $this->getPollerId($variables);
         $this->testPollerId($poller_id);
 
-        $result = $this->DB->query(
-            "SELECT * FROM `nagios_server` WHERE `id` = '" . $this->DB->escape($poller_id) . "'  LIMIT 1"
+        $statement = $this->DB->prepare(
+            "SELECT * FROM `nagios_server` WHERE `id` = :poller_id  LIMIT 1"
         );
-        $host = $result->fetch();
-        $result->closeCursor();
+        $statement->bindValue(':poller_id', (int) $poller_id, \PDO::PARAM_INT);
+        $statement->execute();
+        $host = $statement->fetch(\PDO::FETCH_ASSOC);
+        $statement->closeCursor();
 
         $this->commandGenerator = $this->container->get(EngineCommandGenerator::class);
         $reloadCommand = $this->commandGenerator->getEngineCommand('RELOAD');
@@ -208,10 +210,12 @@ public function pollerReload($variables)
         exec("echo 'RELOADBROKER:" . $host["id"] . "' >> " . $this->centcore_pipe, $stdout, $return_code);
         $msg_restart = _("OK: A reload signal has been sent to '" . $host["name"] . "'");
         print $msg_restart . "\n";
-        $this->DB->query(
-            "UPDATE `nagios_server` SET `last_restart` = '" . time()
-            . "' WHERE `id` = '" . $this->DB->escape($poller_id) . "' LIMIT 1"
+        $statement = $this->DB->prepare(
+            "UPDATE `nagios_server` SET `last_restart` = :last_restart WHERE `id` = :poller_id LIMIT 1"
         );
+        $statement->bindValue(':last_restart', time(), \PDO::PARAM_INT);
+        $statement->bindValue(':poller_id', (int) $poller_id, \PDO::PARAM_INT);
+        $statement->execute();
         return $return_code;
     }
 
@@ -266,11 +270,13 @@ public function pollerRestart($variables)
         $this->testPollerId($variables);
         $poller_id = $this->getPollerId($variables);
 
-        $result = $this->DB->query(
-            "SELECT * FROM `nagios_server` WHERE `id` = '" . $this->DB->escape($poller_id) . "'  LIMIT 1"
+        $statement = $this->DB->prepare(
+            "SELECT * FROM `nagios_server` WHERE `id` = :poller_id  LIMIT 1"
         );
-        $host = $result->fetch();
-        $result->closeCursor();
+        $statement->bindValue(':poller_id', (int) $poller_id, \PDO::PARAM_INT);
+        $statement->execute();
+        $host = $statement->fetch(\PDO::FETCH_ASSOC);
+        $statement->closeCursor();
 
         $this->commandGenerator = $this->container->get(EngineCommandGenerator::class);
         $restartCommand = $this->commandGenerator->getEngineCommand('RESTART');
@@ -282,10 +288,12 @@ public function pollerRestart($variables)
         exec("echo 'RELOADBROKER:" . $host["id"] . "' >> " . $this->centcore_pipe, $stdout, $return_code);
         $msg_restart = _("OK: A restart signal has been sent to '" . $host["name"] . "'");
         print $msg_restart . "\n";
-        $this->DB->query(
-            "UPDATE `nagios_server` SET `last_restart` = '" . time()
-            . "' WHERE `id` = '" . $this->DB->escape($poller_id) . "' LIMIT 1"
+        $statement = $this->DB->prepare(
+            "UPDATE `nagios_server` SET `last_restart` = :last_restart WHERE `id` = :poller_id LIMIT 1"
         );
+        $statement->bindValue(':last_restart', time(), \PDO::PARAM_INT);
+        $statement->bindValue(':poller_id', (int) $poller_id, \PDO::PARAM_INT);
+        $statement->execute();
         return $return_code;
     }