fix(mon)vunerability in customViews_MASTER

Update SQL query to prevent SQL injection in setRotate form Refs: MON-2129
centreon · Nov 27, 2017 · b76dc49 · b76dc49
1 parent c9cb217
commit b76dc49
Showing 1 changed file with 20 additions and 17 deletions.
diff --git a/www/class/centreonUser.class.php b/www/class/centreonUser.class.php
@@ -433,26 +433,29 @@ public function setContactParameters($db, $parameters = array())
         if (!count($parameters)) {
             return null;
         }
-
+        $queryValues = array();
         $keys = array_keys($parameters);
-
-        $deleteQuery = 'DELETE FROM contact_param '
-            . 'WHERE cp_contact_id = ' . $this->user_id . ' '
-            . 'AND  cp_key IN("'
-            . implode('","', $keys)
-            . '") ';
-        $db->query($deleteQuery);
-
-        $insertQuery = 'INSERT INTO contact_param (cp_key, cp_value, cp_contact_id) VALUES ';
-        $first = true;
+        $deleteQuery = 'DELETE FROM contact_param WHERE cp_contact_id = :cp_contact_id AND cp_key IN( ';
+        $queryValues[':cp_contact_id'] = $this->user_id;
+        $queryKey ='';
+        foreach ($keys as $key) {
+            $queryKey .=' :cp_key'.$key.',';
+            $queryValues[':cp_key'.$key] = $key;
+        }
+        $queryKey = rtrim($queryKey, ',');
+        $deleteQuery .= $queryKey .' )';
+        $stmt = $db->prepare($deleteQuery);
+        $stmt->execute($queryValues);
+
+        $insertQuery = 'INSERT INTO contact_param (cp_key, cp_value, cp_contact_id) VALUES '
+            . '(:cp_key, :cp_value, :cp_contact_id)';
+        $sth = $db->prepare($insertQuery);
         foreach ($parameters as $key => $value) {
-            if (!$first) {
-                $insertQuery .= ',';
-            }
-            $insertQuery .= '("' . $key . '","' . $value . '", ' . $this->user_id . ')';
-            $first = false;
+            $sth->bindParam(':cp_key', $key, PDO::PARAM_STR);
+            $sth->bindParam(':cp_value', $value, PDO::PARAM_STR);
+            $sth->bindParam(':cp_contact_id', $this->user_id, PDO::PARAM_INT);
+            $sth->execute();
         }
-        $db->query($insertQuery);
     }
 
     /**