From 372fd7ed55b0d595f8616f5b7f8d21db30dd9091 Mon Sep 17 00:00:00 2001 From: YAHIAOUI Hamza Date: Wed, 14 Sep 2022 10:52:16 +0100 Subject: [PATCH 1/2] sanitize and bind pollers broker config queries --- www/class/centreonConfigCentreonBroker.php | 8 +- .../configCentreonBroker/DB-Func.php | 83 ++++++++++++++----- 2 files changed, 67 insertions(+), 24 deletions(-) diff --git a/www/class/centreonConfigCentreonBroker.php b/www/class/centreonConfigCentreonBroker.php index 78619cc3062..e3fc4588d55 100644 --- a/www/class/centreonConfigCentreonBroker.php +++ b/www/class/centreonConfigCentreonBroker.php @@ -790,13 +790,15 @@ public function insertConfig(array $values): bool /* * Get the ID */ - $query = "SELECT config_id FROM cfg_centreonbroker WHERE config_name = '" . $values['name'] . "'"; + $query = "SELECT config_id FROM cfg_centreonbroker WHERE config_name = :config_name"; try { - $res = $this->db->query($query); + $statement = $this->db->prepare($query); + $statement->bindValue(':config_name', (string) $values['name'], \PDO::PARAM_STR); + $statement->execute(); } catch (\PDOException $e) { return false; } - $row = $res->fetch(); + $row = $statement->fetch(\PDO::FETCH_ASSOC); $id = $row['config_id']; /* diff --git a/www/include/configuration/configCentreonBroker/DB-Func.php b/www/include/configuration/configCentreonBroker/DB-Func.php index 5c8566ca17b..975c6ec2a59 100644 --- a/www/include/configuration/configCentreonBroker/DB-Func.php +++ b/www/include/configuration/configCentreonBroker/DB-Func.php @@ -74,8 +74,10 @@ function enableCentreonBrokerInDB($id) return; } - $query = "UPDATE cfg_centreonbroker SET config_activate = '1' WHERE config_id = " . $id; - $pearDB->query($query); + $query = "UPDATE cfg_centreonbroker SET config_activate = '1' WHERE config_id = :config_id"; + $statement = $pearDB->prepare($query); + $statement->bindValue(':config_id', (int) $id, \PDO::PARAM_INT); + $statement->execute(); } /** @@ -91,8 +93,10 @@ function disablCentreonBrokerInDB($id) return; } - $query = "UPDATE cfg_centreonbroker SET config_activate = '0' WHERE config_id = " . $id; - $pearDB->query($query); + $query = "UPDATE cfg_centreonbroker SET config_activate = '0' WHERE config_id = :config_id"; + $statement = $pearDB->prepare($query); + $statement->bindValue(':config_id', (int) $id, \PDO::PARAM_INT); + $statement->execute(); } /** @@ -104,8 +108,10 @@ function deleteCentreonBrokerInDB($ids = array()) { global $pearDB; + $statement = $pearDB->prepare("DELETE FROM cfg_centreonbroker WHERE config_id = :config_id"); foreach ($ids as $key => $value) { - $pearDB->query("DELETE FROM cfg_centreonbroker WHERE config_id = " . $key); + $statement->bindValue(':config_id', (int) $key, \PDO::PARAM_INT); + $statement->execute(); } } @@ -195,13 +201,7 @@ function multipleCentreonBrokerInDB($ids, $nbrDup) foreach ($ids as $id => $value) { $cbObj = new CentreonConfigCentreonBroker($pearDB); - $query = "SELECT config_name, config_filename, config_activate, ns_nagios_server, - event_queue_max_size, cache_directory, daemon " - . "FROM cfg_centreonbroker " - . "WHERE config_id = " . $id . " "; - $dbResult = $pearDB->query($query); - $row = $dbResult->fetch(); - $dbResult->closeCursor(); + $row = getCfgBrokerData((int) $id); # Prepare values $values = array(); @@ -211,13 +211,10 @@ function multipleCentreonBrokerInDB($ids, $nbrDup) $values['event_queue_max_size'] = $row['event_queue_max_size']; $values['cache_directory'] = $row['cache_directory']; $values['activate_watchdog']['activate_watchdog'] = $row['daemon']; - $query = "SELECT config_key, config_value, config_group, config_group_id " - . "FROM cfg_centreonbroker_info " - . "WHERE config_id = " . $id . " "; - $dbResult = $pearDB->query($query); $values['output'] = array(); $values['input'] = array(); - while ($rowOpt = $dbResult->fetch()) { + $brokerCfgInfoData = getCfgBrokerInfoData((int) $id); + foreach ($brokerCfgInfoData as $rowOpt) { if ($rowOpt['config_key'] == 'filters') { continue; } elseif ($rowOpt['config_key'] == 'category') { @@ -228,7 +225,6 @@ function multipleCentreonBrokerInDB($ids, $nbrDup) $rowOpt['config_value']; } } - $dbResult->closeCursor(); # Convert values radio button foreach ($values as $group => $groups) { @@ -254,6 +250,8 @@ function multipleCentreonBrokerInDB($ids, $nbrDup) # Copy the configuration $j = 1; + $query = "SELECT COUNT(*) as nb FROM cfg_centreonbroker WHERE config_name = :config_name"; + $statement = $pearDB->prepare($query); for ($i = 1; $i <= $nbrDup[$id]; $i++) { $nameNOk = true; @@ -261,9 +259,9 @@ function multipleCentreonBrokerInDB($ids, $nbrDup) while ($nameNOk) { $newname = $row['config_name'] . '_' . $j; $newfilename = $j . '_' . $row['config_filename']; - $query = "SELECT COUNT(*) as nb FROM cfg_centreonbroker WHERE config_name = '" . $newname . "'"; - $res = $pearDB->query($query); - $rowNb = $res->fetch(); + $statement->bindValue(':config_name', $newname, \PDO::PARAM_STR); + $statement->execute(); + $rowNb = $statement->fetch(\PDO::FETCH_ASSOC); if ($rowNb['nb'] == 0) { $nameNOk = false; } @@ -293,3 +291,46 @@ function isPositiveNumeric($size): bool } return $isPositive; } + +/** + * Getting Centreon CFG broker data + * + * @param int $configId + * @return array + */ +function getCfgBrokerData(int $configId): array +{ + global $pearDB; + + $query = "SELECT config_name, config_filename, config_activate, ns_nagios_server, + event_queue_max_size, cache_directory, daemon " + . "FROM cfg_centreonbroker " + . "WHERE config_id = :config_id "; + $statement = $pearDB->prepare($query); + $statement->bindValue(':config_id', $configId, \PDO::PARAM_INT); + $statement->execute(); + $cfgBrokerData = $statement->fetch(\PDO::FETCH_ASSOC); + $statement->closeCursor(); + return $cfgBrokerData; +} + +/** + * Getting Centreon CFG broker Info data + * + * @param int $configId + * @return array + */ +function getCfgBrokerInfoData(int $configId): array +{ + global $pearDB; + + $query = "SELECT config_key, config_value, config_group, config_group_id " + . "FROM cfg_centreonbroker_info " + . "WHERE config_id = :config_id"; + $statement = $pearDB->prepare($query); + $statement->bindValue(':config_id', $configId, \PDO::PARAM_INT); + $statement->execute(); + $cfgBrokerInfoData = $statement->fetchAll(\PDO::FETCH_ASSOC); + $statement->closeCursor(); + return $cfgBrokerInfoData; +} From a1a8cd0a0fd94bab3b45abef93750a723778f6c6 Mon Sep 17 00:00:00 2001 From: YAHIAOUI Hamza Date: Wed, 14 Sep 2022 15:11:20 +0100 Subject: [PATCH 2/2] applying suggested changes --- www/class/centreonConfigCentreonBroker.php | 2 +- .../configCentreonBroker/DB-Func.php | 24 ++++++++++++------- 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/www/class/centreonConfigCentreonBroker.php b/www/class/centreonConfigCentreonBroker.php index e3fc4588d55..60ca6a87fae 100644 --- a/www/class/centreonConfigCentreonBroker.php +++ b/www/class/centreonConfigCentreonBroker.php @@ -793,7 +793,7 @@ public function insertConfig(array $values): bool $query = "SELECT config_id FROM cfg_centreonbroker WHERE config_name = :config_name"; try { $statement = $this->db->prepare($query); - $statement->bindValue(':config_name', (string) $values['name'], \PDO::PARAM_STR); + $statement->bindValue(':config_name', $values['name'], \PDO::PARAM_STR); $statement->execute(); } catch (\PDOException $e) { return false; diff --git a/www/include/configuration/configCentreonBroker/DB-Func.php b/www/include/configuration/configCentreonBroker/DB-Func.php index 975c6ec2a59..d522e6487e8 100644 --- a/www/include/configuration/configCentreonBroker/DB-Func.php +++ b/www/include/configuration/configCentreonBroker/DB-Func.php @@ -306,10 +306,14 @@ function getCfgBrokerData(int $configId): array event_queue_max_size, cache_directory, daemon " . "FROM cfg_centreonbroker " . "WHERE config_id = :config_id "; - $statement = $pearDB->prepare($query); - $statement->bindValue(':config_id', $configId, \PDO::PARAM_INT); - $statement->execute(); - $cfgBrokerData = $statement->fetch(\PDO::FETCH_ASSOC); + try { + $statement = $pearDB->prepare($query); + $statement->bindValue(':config_id', $configId, \PDO::PARAM_INT); + $statement->execute(); + $cfgBrokerData = $statement->fetch(\PDO::FETCH_ASSOC); + } catch (PDOException $exception) { + throw new \Exception("Cannot fetch Broker config data"); + } $statement->closeCursor(); return $cfgBrokerData; } @@ -327,10 +331,14 @@ function getCfgBrokerInfoData(int $configId): array $query = "SELECT config_key, config_value, config_group, config_group_id " . "FROM cfg_centreonbroker_info " . "WHERE config_id = :config_id"; - $statement = $pearDB->prepare($query); - $statement->bindValue(':config_id', $configId, \PDO::PARAM_INT); - $statement->execute(); - $cfgBrokerInfoData = $statement->fetchAll(\PDO::FETCH_ASSOC); + try { + $statement = $pearDB->prepare($query); + $statement->bindValue(':config_id', $configId, \PDO::PARAM_INT); + $statement->execute(); + $cfgBrokerInfoData = $statement->fetchAll(\PDO::FETCH_ASSOC); + } catch (\PDOException $exception) { + throw new \Exception("Cannot fetch Broker info config data"); + } $statement->closeCursor(); return $cfgBrokerInfoData; }