Skip to content
This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

[SNYK] Sanitize and bind service arguments xml queries #11654

Merged
merged 1 commit into from
Aug 30, 2022
Merged

[SNYK] Sanitize and bind service arguments xml queries #11654

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 12 additions & 10 deletions www/include/configuration/configObject/service/xml/argumentsXml.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,12 +133,13 @@
}
}

$query3 = "SELECT command_command_id_arg " .
$cmdStatement = $db->prepare("SELECT command_command_id_arg " .
"FROM service " .
"WHERE service_id = '" . $svcId . "' LIMIT 1";
$res3 = $db->query($query3);
if ($res3->rowCount()) {
$row3 = $res3->fetchRow();
"WHERE service_id = :svcId LIMIT 1");
$cmdStatement->bindValue(':svcId', (int) $svcId, PDO::PARAM_INT);
$cmdStatement->execute();
if ($cmdStatement->rowCount()) {
$row3 = $cmdStatement->fetchRow();
$valueTab = preg_split('/(?<!\\\)\!/', $row3['command_command_id_arg']);
if (is_array($valueTab)) {
foreach ($valueTab as $key => $value) {
Expand All @@ -151,14 +152,15 @@
}
}

$query = "SELECT macro_name, macro_description " .
$macroStatement = $db->prepare("SELECT macro_name, macro_description " .
"FROM command_arg_description " .
"WHERE cmd_id = '" . $cmdId . "' ORDER BY macro_name";
$res = $db->query($query);
while ($row = $res->fetchRow()) {
"WHERE cmd_id = :cmdId ORDER BY macro_name");
$macroStatement->bindValue(':cmdId', (int) $cmdId, \PDO::PARAM_INT);
$macroStatement->execute();
while ($row = $macroStatement->fetchRow()) {
$argTab[$row['macro_name']] = $row['macro_description'];
}
$res->closeCursor();
$macroStatement->closeCursor();

/*
* Write XML
Expand Down