From 844717fe36c4b6489d4097a7792d0f800ca799c7 Mon Sep 17 00:00:00 2001
From: YAHIAOUI Hamza
Date: Mon, 17 Oct 2022 10:01:35 +0100
Subject: [PATCH 1/2] sanitize and bind list of commands queries

---
 .../configObject/command/listCommand.php | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/www/include/configuration/configObject/command/listCommand.php b/www/include/configuration/configObject/command/listCommand.php
index c8511cc18a9..3686a721de6 100755
--- a/www/include/configuration/configObject/command/listCommand.php
+++ b/www/include/configuration/configObject/command/listCommand.php
@@ -89,14 +89,21 @@
 $lockedFilter = $displayLocked ? "" : "AND command_locked = 0 ";
 // Type filter
-$typeFilter = $type ? "AND `command_type` = " . $type . " " : "";
+$typeFilter = $type ? "AND `command_type` = :command_type " : "";
 
 $search = tidySearchKey($search, $advanced_search);
 
 $rq = "SELECT SQL_CALC_FOUND_ROWS `command_id`, `command_name`, `command_line`, `command_type`, " .
-    "`command_activate` FROM `command` WHERE `command_name` LIKE '%" . $search . "%' " .
-    $typeFilter . $lockedFilter . " ORDER BY `command_name` LIMIT " . $num * $limit . ", " . $limit;
-
-$dbResult = $pearDB->query($rq);
+    "`command_activate` FROM `command` WHERE `command_name` LIKE :command_name " .
+    $typeFilter . $lockedFilter . " ORDER BY `command_name` LIMIT :offset, :limit";
+
+$statement = $pearDB->prepare($rq);
+$statement->bindValue(':command_name', '%' . $search . '%', \PDO::PARAM_STR);
+$statement->bindValue(':offset', (int) $num * (int) $limit, \PDO::PARAM_INT);
+$statement->bindValue(':limit', (int) $limit, \PDO::PARAM_INT);
+if ($type) {
+    $statement->bindValue(':command_type', $type, \PDO::PARAM_INT);
+}
+$statement->execute();
 $rows = $pearDB->query("SELECT FOUND_ROWS()")->fetchColumn();
 
 include_once "./include/common/checkPagination.php";
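Review bot: Binding `:command_name` closes the SQL injection, but `'%' . $search . '%'` still hands any `%`, `_` or `\` in the search key to MySQL as LIKE metacharacters, so a caller can widen the filter to a match-everything or single-character-wildcard pattern; whether `tidySearchKey()` already neutralises them is not visible in this hunk. If literal substring matching is the intent, escape before binding (assuming the default backslash ESCAPE character): `$statement->bindValue(':command_name', '%' . addcslashes($search, '%_\\') . '%', \PDO::PARAM_STR);`. Where `$search`, `$num` and `$limit` are read from lies outside the hunk, so upstream validation cannot be confirmed from here.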
@@ -143,7 +150,7 @@
 $elemArr = array();
 
 $centreonToken = createCSRFToken();
 
-for ($i = 0; $cmd = $dbResult->fetch(); $i++) {
+for ($i = 0; $cmd = $statement->fetch(\PDO::FETCH_ASSOC); $i++) {
     $selectedElements = $form->addElement('checkbox', "select[" . $cmd['command_id'] . "]");
     if ($cmd["command_activate"]) {

From 696dd9ac377322c871d9f67de55384493dc4f55e Mon Sep 17 00:00:00 2001
From: YAHIAOUI Hamza
Date: Tue, 18 Oct 2022 10:45:41 +0100
Subject: [PATCH 2/2] adding some changes

---
 .../configuration/configObject/command/listCommand.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/www/include/configuration/configObject/command/listCommand.php b/www/include/configuration/configObject/command/listCommand.php
index 3686a721de6..faf5b6f7da0 100755
--- a/www/include/configuration/configObject/command/listCommand.php
+++ b/www/include/configuration/configObject/command/listCommand.php
@@ -93,15 +93,15 @@
 $search = tidySearchKey($search, $advanced_search);
 
 $rq = "SELECT SQL_CALC_FOUND_ROWS `command_id`, `command_name`, `command_line`, `command_type`, " .
-    "`command_activate` FROM `command` WHERE `command_name` LIKE :command_name " .
+    "`command_activate` FROM `command` WHERE `command_name` LIKE :search " .
     $typeFilter . $lockedFilter . " ORDER BY `command_name` LIMIT :offset, :limit";
 
 $statement = $pearDB->prepare($rq);
-$statement->bindValue(':command_name', '%' . $search . '%', \PDO::PARAM_STR);
+$statement->bindValue(':search', '%' . $search . '%', \PDO::PARAM_STR);
 $statement->bindValue(':offset', (int) $num * (int) $limit, \PDO::PARAM_INT);
 $statement->bindValue(':limit', (int) $limit, \PDO::PARAM_INT);
 if ($type) {
-    $statement->bindValue(':command_type', $type, \PDO::PARAM_INT);
+    $statement->bindValue(':command_type', (int) $type, \PDO::PARAM_INT);
 }
 $statement->execute();
 $rows = $pearDB->query("SELECT FOUND_ROWS()")->fetchColumn();
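Review bot: The bound value is now `(int) $type`, but the decision to add the clause is still made on the raw truthiness of `$type`, both in `if ($type)` here and in `$typeFilter` (built just above this hunk, outside it), so a non-numeric value such as `abc` is truthy, enables the filter, then binds as `0` and the page silently lists only type-0 commands instead of rejecting the input; likewise `(int) $num` and `(int) $limit` accept negative values that MySQL rejects in `LIMIT`. Normalising once before the filter string is built keeps both sides consistent, e.g. `$type = (int) filter_var($type, FILTER_VALIDATE_INT);` ahead of `$typeFilter`, `if ($type !== 0)` here, and `max(0, …)` around the offset and limit casts. Where `$type`, `$num` and `$limit` originate is not visible in this chunk, so whether they are already validated upstream cannot be confirmed. The script continues past the end of the hunk.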