From c048bf1ef360c82c55f0b01d7c835a704e9a4302 Mon Sep 17 00:00:00 2001
From: YAHIAOUI Hamza
Date: Thu, 8 Sep 2022 00:09:32 +0100
Subject: [PATCH 1/2] sanitize and bind meta service config

---
 www/class/centreonMeta.class.php | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/www/class/centreonMeta.class.php b/www/class/centreonMeta.class.php
index ed279a68e88..6298d38968c 100644
--- a/www/class/centreonMeta.class.php
+++ b/www/class/centreonMeta.class.php
@@ -304,9 +304,12 @@ public function insertVirtualService($metaId, $metaName)
         if ($res->rowCount()) {
             $row = $res->fetchRow();
             $serviceId = $row['service_id'];
+            $query = 'UPDATE service SET display_name = :display_name WHERE service_id = :service_id';
+            $statement = $this->db->prepare($query);
             if ($row['display_name'] !== $metaName) {
-                $query = 'UPDATE service SET display_name = "' . $metaName . '" WHERE service_id = ' . $serviceId;
-                $this->db->query($query);
+                $statement->bindValue(':display_name', $metaName, \PDO::PARAM_STR);
+                $statement->bindValue(':service_id', (int) $serviceId, \PDO::PARAM_INT);
+                $statement->execute();
             }
         } else {
             $query = 'INSERT INTO service (service_description, display_name, service_register) '
@@ -314,11 +317,15 @@ public function insertVirtualService($metaId, $metaName)
                 . '("' . $composedName . '", "' . $metaName . '", "2")';
             $this->db->query($query);
             $query = 'INSERT INTO host_service_relation(host_host_id, service_service_id) '
-                . 'VALUES ('
-                . $hostId . ','
-                . '(SELECT service_id FROM service WHERE service_description = "' . $composedName . '" AND service_register = "2" LIMIT 1)'
+                . 'VALUES (:host_id,'
+                . '(SELECT service_id
+                    FROM service
+                    WHERE service_description = :service_description AND service_register = "2" LIMIT 1)'
                 . ')';
-            $this->db->query($query);
+            $statement = $this->db->prepare($query);
+            $statement->bindValue(':host_id', (int) $hostId, \PDO::PARAM_INT);
+            $statement->bindValue(':service_description', $composedName, \PDO::PARAM_STR);
+            $statement->execute();
             $res = $this->db->query($queryService);
             if ($res->rowCount()) {
                 $row = $res->fetchRow();

From 07c2d59405a5bfaafc7c4a4394c64ea603cd8ce6 Mon Sep 17 00:00:00 2001
From: YAHIAOUI Hamza
Date: Fri, 9 Sep 2022 11:11:57 +0100
Subject: [PATCH 2/2] applying suggested changes

---
 www/class/centreonMeta.class.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/class/centreonMeta.class.php b/www/class/centreonMeta.class.php
index 6298d38968c..3290127b337 100644
--- a/www/class/centreonMeta.class.php
+++ b/www/class/centreonMeta.class.php
@@ -304,9 +304,9 @@ public function insertVirtualService($metaId, $metaName)
         if ($res->rowCount()) {
             $row = $res->fetchRow();
             $serviceId = $row['service_id'];
-            $query = 'UPDATE service SET display_name = :display_name WHERE service_id = :service_id';
-            $statement = $this->db->prepare($query);
             if ($row['display_name'] !== $metaName) {
+                $query = 'UPDATE service SET display_name = :display_name WHERE service_id = :service_id';
+                $statement = $this->db->prepare($query);
                 $statement->bindValue(':display_name', $metaName, \PDO::PARAM_STR);
                 $statement->bindValue(':service_id', (int) $serviceId, \PDO::PARAM_INT);
                 $statement->execute();
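Review bot: The `INSERT INTO service` statement whose VALUES clause is the first context line of this hunk still concatenates `$composedName` and `$metaName` straight into the SQL (`'("' . $composedName . '", "' . $metaName . '", "2")'`), even though the relation insert just below it and the display_name update in the previous hunk were moved to bound parameters for the very same values. That leaves one unparameterised write on the same code path, so the series does not fully close what its subject line sets out to fix. The statement opens on the last context line of the previous hunk and one line between the two hunks is not shown, so the rewrite below reconstructs it from the visible parts; `$statement` can then be reused for the relation insert that follows. The enclosing method continues outside the hunk.
```php
$query = 'INSERT INTO service (service_description, display_name, service_register) '
    . 'VALUES (:service_description, :display_name, "2")';
$statement = $this->db->prepare($query);
$statement->bindValue(':service_description', $composedName, \PDO::PARAM_STR);
$statement->bindValue(':display_name', $metaName, \PDO::PARAM_STR);
$statement->execute();
// … unchanged: host_service_relation insert and $queryService lookup …
```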