From e25808dbe40fe31f04dfdb109eeefc97dfd04976 Mon Sep 17 00:00:00 2001
From: Elmahdi ABBASSI <108519266+emabassi-ext@users.noreply.github.com>
Date: Wed, 17 Aug 2022 14:45:43 +0100
Subject: [PATCH] =?UTF-8?q?sanitize=20and=20bind=20host=20categories=20que?=
 =?UTF-8?q?ry=C3=83=20(#11591)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../configuration/configObject/host_categories/DB-Func.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/www/include/configuration/configObject/host_categories/DB-Func.php b/www/include/configuration/configObject/host_categories/DB-Func.php
index 63473a17c6c..a544e74d90c 100644
--- a/www/include/configuration/configObject/host_categories/DB-Func.php
+++ b/www/include/configuration/configObject/host_categories/DB-Func.php
@@ -249,10 +249,11 @@ function multipleHostCategoriesInDB($hostCategories = [], $nbrDup = [])
         $statement3->bindValue(':hc_id', $hcId, \PDO::PARAM_INT);
         $statement3->execute();
         $fields["hc_hosts"] = "";
+        $hrstatement = $pearDB->prepare("INSERT INTO hostcategories_relation VALUES (:maxId, :hostId)");
         while ($host = $statement3->fetch()) {
-            $query = "INSERT INTO hostcategories_relation VALUES ('" . $maxId["MAX(hc_id)"] .
-                "', '" . $host["host_host_id"] . "')";
-            $pearDB->query($query);
+            $hrstatement->bindValue(':maxId', (int) $maxId["MAX(hc_id)"], \PDO::PARAM_INT);
+            $hrstatement->bindValue(':hostId', (int) $host["host_host_id"], \PDO::PARAM_INT);
+            $hrstatement->execute();
             $fields["hc_hosts"] .= $host["host_host_id"] . ",";
         }
         $fields["hc_hosts"] = trim($fields["hc_hosts"], ",");
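Review bot: The return value of `$hrstatement->execute()` inside the `while` is never checked, so unless `$pearDB` runs PDO with `ERRMODE_EXCEPTION` (not visible in this hunk) a failed relation insert is silently dropped while `$fields["hc_hosts"]` still records that host as linked; either assert the mode or test the result, e.g. `if (!$hrstatement->execute()) { throw new \RuntimeException('failed to insert host category relation'); }`. The `:maxId` binding is loop-invariant and can be hoisted to just before the `while`, leaving only `:hostId` bound per row. Note also that the new `(int)` cast turns a null `MAX(hc_id)` (empty table) into `0`, so a relation to a non-existent category would be inserted without error; a guard that the max id is non-null before the loop would make that failure explicit. multipleHostCategoriesInDB begins and ends outside the hunk.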