From c22ab199a4c75cf8a92d0189c9074dde7ee3d8bb Mon Sep 17 00:00:00 2001
From: Elmahdi ABBASSI <108519266+emabassi-ext@users.noreply.github.com>
Date: Thu, 22 Sep 2022 16:16:11 +0100
Subject: [PATCH] Fix: Sanitize and bind Media import (#11788)

---
 www/class/centreonMedia.class.php | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/www/class/centreonMedia.class.php b/www/class/centreonMedia.class.php
index 37e1a14319a..f9a3377f89c 100644
--- a/www/class/centreonMedia.class.php
+++ b/www/class/centreonMedia.class.php
@@ -410,14 +410,12 @@ public function addImage($parameters, $binary = null)
         $imageId = $row['img_id'];
 
         // Insert relation between directory and image
-        $query = 'INSERT INTO view_img_dir_relation '
-            . '(dir_dir_parent_id, img_img_id) '
-            . 'VALUES ('
-            . $directoryId . ', '
-            . $imageId . ' '
-            . ') ';
+        $statement = $this->db->prepare("INSERT INTO view_img_dir_relation (dir_dir_parent_id, img_img_id) " .
+            "VALUES (:dirId, :imgId) ");
+        $statement->bindValue(':dirId', (int) $directoryId, \PDO::PARAM_INT);
+        $statement->bindValue(':imgId', (int) $imageId, \PDO::PARAM_INT);
         try {
-            $this->db->query($query);
+            $statement->execute();
         } catch (\PDOException $e) {
             throw new \Exception('Error while inserting relation between' . $imageName . ' and ' . $directoryName);
         }
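Review bot: The new `prepare()` and `bindValue()` calls sit outside the `try`, so a `\PDOException` raised while preparing the statement (which happens when the connection runs with ERRMODE_EXCEPTION) escapes the handler the commit keeps around `execute()`. Moving the three added lines inside the `try` keeps a single failure path, and passing the caught exception as the `previous` argument preserves the driver error that the generic `\Exception` currently discards. The `(int)` casts also turn a non-numeric or empty `$directoryId`/`$imageId` into 0 rather than failing, so if those ids come from earlier lookups in addImage a guard such as `if ((int) $directoryId <= 0 || (int) $imageId <= 0) { throw new \Exception('Invalid directory or image id'); }` before the insert would surface a failed lookup instead of writing a relation to id 0 — worth confirming against the code above the hunk. The enclosing method addImage starts and continues outside this hunk, and `$imageName`/`$directoryName` are defined there.
```php
        try {
            $statement = $this->db->prepare(
                'INSERT INTO view_img_dir_relation (dir_dir_parent_id, img_img_id) VALUES (:dirId, :imgId)'
            );
            $statement->bindValue(':dirId', (int) $directoryId, \PDO::PARAM_INT);
            $statement->bindValue(':imgId', (int) $imageId, \PDO::PARAM_INT);
            $statement->execute();
        } catch (\PDOException $e) {
            // keep the driver error reachable via getPrevious() for logging/diagnosis
            throw new \Exception(
                'Error while inserting relation between ' . $imageName . ' and ' . $directoryName,
                0,
                $e
            );
        }
```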