
[Fix]:Sanitize and bind queries in template of service listing #11746

Expand Up @@ -77,22 +77,22 @@

//Service Template Model list
if ($search) {
$query = "SELECT SQL_CALC_FOUND_ROWS sv.service_id, sv.service_description, sv.service_alias, " .
"sv.service_activate, sv.service_template_model_stm_id " .
"FROM service sv " .
"WHERE (sv.service_description LIKE '%" . $search . "%' OR sv.service_alias LIKE '%" . $search . "%') " .
$statement = $pearDB->prepare("SELECT SQL_CALC_FOUND_ROWS sv.service_id, sv.service_description," .
" sv.service_alias, sv.service_activate, sv.service_template_model_stm_id FROM service sv " .
"WHERE (sv.service_description LIKE :search OR sv.service_alias LIKE :search) " .
"AND sv.service_register = '0' " .
$lockedFilter .
"ORDER BY service_description LIMIT " . $num * $limit . ", " . $limit;
"ORDER BY service_description LIMIT :scope, :limit");
$statement->bindValue(':search', '%' . $search . '%', \PDO::PARAM_STR);
} else {
$query = "SELECT SQL_CALC_FOUND_ROWS sv.service_id, sv.service_description, sv.service_alias, " .
"sv.service_activate, sv.service_template_model_stm_id " .
"FROM service sv " .
"WHERE sv.service_register = '0' " .
$lockedFilter .
"ORDER BY service_description LIMIT " . $num * $limit . ", " . $limit;
$statement = $pearDB->prepare("SELECT SQL_CALC_FOUND_ROWS sv.service_id, sv.service_description," .
" sv.service_alias, sv.service_activate, sv.service_template_model_stm_id FROM service sv " .
"WHERE sv.service_register = '0' " . $lockedFilter .
"ORDER BY service_description LIMIT :scope, :limit");
}
$dbResult = $pearDB->query($query);
$statement->bindValue(':limit', (int) $limit, \PDO::PARAM_INT);
$statement->bindValue(':scope', (int) $num * (int) $limit, \PDO::PARAM_INT);
$statement->execute();
$rows = $pearDB->query("SELECT FOUND_ROWS()")->fetchColumn();

include "./include/common/checkPagination.php";
Expand Down Expand Up @@ -137,7 +137,7 @@

$centreonToken = createCSRFToken();

for ($i = 0; $service = $dbResult->fetch(); $i++) {
for ($i = 0; $service = $statement->fetch(); $i++) {
$moptions = "";
$selectedElements = $form->addElement('checkbox', "select[" . $service['service_id'] . "]");
if (isset($lockedElements[$service['service_id']])) {
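Review bot: The named placeholder `:search` is bound once but appears twice in the prepared statement of the first hunk, which PDO only accepts when `PDO::ATTR_EMULATE_PREPARES` is on; the setting `$pearDB` runs with is not visible here, and under native prepares the statement fails with SQLSTATE HY093 ("Invalid parameter number"). Binding each occurrence separately removes the dependency on that driver setting: `"WHERE (sv.service_description LIKE :searchDescription OR sv.service_alias LIKE :searchAlias) "` together with `$statement->bindValue(':searchDescription', '%' . $search . '%', \PDO::PARAM_STR);` and `$statement->bindValue(':searchAlias', '%' . $search . '%', \PDO::PARAM_STR);`. Two caveats a maintainer should confirm: `%` and `_` inside `$search` remain live LIKE wildcards even though the value is now bound, and if `$search` was escaped earlier in the file for the old concatenated query, that escaping should be dropped now, or searches containing quotes will carry literal backslashes. The script continues beyond both hunks, so the origin of `$search`, `$num`, `$limit` and `$lockedFilter` cannot be checked from here.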