From 3b636a138ae354dbf0505f675bb5d8d94cbaf3bb Mon Sep 17 00:00:00 2001
From: Elmahdi ABBASSI <108519266+emabassi-ext@users.noreply.github.com>
Date: Mon, 25 Jul 2022 09:16:06 +0100
Subject: [PATCH] [SNYK] Sanitize and bind centreonGraph class queries (#11409) 1122 1153 1134
---
 www/class/centreonGraph.class.php | 32 ++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/www/class/centreonGraph.class.php b/www/class/centreonGraph.class.php
index de97a8bfce8..1137a9fd465 100644
--- a/www/class/centreonGraph.class.php
+++ b/www/class/centreonGraph.class.php
@@ -1063,16 +1063,18 @@ private function getDefaultGraphTemplate()
 return;
 } else {
 $command_id = getMyServiceField($this->indexData["service_id"], "command_command_id");
- $DBRESULT = $this->DB->query("SELECT graph_id FROM command WHERE `command_id` = '" . $command_id . "'");
- if ($DBRESULT->rowCount()) {
- $data = $DBRESULT->fetch();
+ $statement = $this->DB->prepare("SELECT graph_id FROM command WHERE `command_id` = :command_id");
+ $statement->bindValue(':command_id', (int) $command_id, \PDO::PARAM_INT);
+ $statement->execute();
+ if ($statement->rowCount()) {
+ $data = $statement->fetch();
 if ($data["graph_id"] != 0) {
 $this->templateId = $data["graph_id"];
 unset($data);
 return;
 }
 }
- $DBRESULT->closeCursor();
+ $statement->closeCursor();
 unset($command_id);
 }
 $DBRESULT = $this->DB->query("SELECT graph_id FROM giv_graphs_template WHERE default_tpl1 = '1' LIMIT 1");
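Review bot: The `if ($statement->rowCount())` guard on the new side relies on a SELECT's row count, which PDO does not guarantee for SELECT statements (it is driver-dependent), and the row is fetched on the very next line anyway; test the fetch result instead: `$data = $statement->fetch(); if ($data !== false && $data["graph_id"] != 0) {`. The `(int)` cast on `$command_id` silently maps a null or non-numeric return from getMyServiceField() to 0, which keeps the bound query harmless but deserves a one-line comment such as `// missing/non-numeric command id is bound as 0 and is expected to match no row`. getDefaultGraphTemplate() begins before this hunk and continues after it.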
@@ -1106,12 +1108,12 @@ public function setTemplate($template_id = null)
 /*
 * Graph is based on a module check point
 */
- $DBRESULT_meta = $this->DB->query(
- "SELECT graph_id
+ $statement = $this->DB->prepare("SELECT graph_id
 FROM meta_service
- WHERE `meta_name` = '" . $this->indexData["service_description"] . "'"
- );
- $meta = $DBRESULT_meta->fetch();
+ WHERE `meta_name` = :service_desc");
+ $statement->bindValue(':service_desc', $this->indexData["service_description"], PDO::PARAM_STR);
+ $statement->execute();
+ $meta = $statement->fetch();
 $this->templateId = $meta["graph_id"];
 unset($meta);
 }
@@ -1136,14 +1138,14 @@ private function getServiceGraphID()
 $service_id = $this->indexData["service_id"];
 $tab = array();
- while (1) {
- $DBRESULT = $this->DB->query(
- "SELECT esi.graph_id, service_template_model_stm_id
+ $statement = $this->DB->prepare("SELECT esi.graph_id, service_template_model_stm_id
 FROM service
 LEFT JOIN extended_service_information esi ON esi.service_service_id = service_id
- WHERE service_id = '" . $service_id . "' LIMIT 1"
- );
- $row = $DBRESULT->fetch();
+ WHERE service_id = :service_id LIMIT 1");
+ while (1) {
+ $statement->bindValue(':service_id', (int) $service_id, \PDO::PARAM_INT);
+ $statement->execute();
+ $row = $statement->fetch();
 if ($row["graph_id"]) {
 $this->graphID = $row["graph_id"];
 return $this->graphID;
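Review bot: `PDO::PARAM_STR` in the new bindValue() call is written without the leading backslash, whereas the other two hunks of this commit use `\PDO::PARAM_INT`; use `\PDO::PARAM_STR` so the constant resolves the same way in every hunk regardless of whether the file declares a namespace. The fetch result is still consumed unchecked on the following context line: when no meta_service row matches `service_description`, `$meta` is `false` and `$meta["graph_id"]` reads an array offset on a bool (a warning since PHP 7.4) before null lands in `$this->templateId`; `$this->templateId = $meta !== false ? $meta["graph_id"] : null;` keeps the same outcome without the warning. setTemplate() starts before this hunk and continues after it.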