diff --git a/www/include/Administration/configChangelog/viewLogs.ihtml b/www/include/Administration/configChangelog/viewLogs.ihtml
index 70deff5242e0a1d27822c8c2d2151ee1a5292bde..0d76a131fefed1a0a13000b4ae8d2984d539868d 100644
--- a/www/include/Administration/configChangelog/viewLogs.ihtml
+++ b/www/include/Administration/configChangelog/viewLogs.ihtml
@@ -11,8 +11,8 @@
 <td></td>
 </tr>
 <tr>
- <td><input type='text' name='searchO' value='{$searchO}' /></td>
- <td><input type='text' name='searchU' value='{$searchU}' /></td>
+ <td><input type='text' name='searchO' value="{$searchO}" /></td>
+ <td><input type='text' name='searchU' value="{$searchU}" /></td>
 <td><select name='otype'>{$obj_type}</select></td>
 <td><input type='submit' class="btc bt_success" name='SearchB' value='{$Search}' /></td>
 </tr>
@@ -29,7 +29,7 @@
 <table class="ListTable">
 <tr class="ListHeader">
 <td class="ListColHeaderCenter" style='width:120px'>{t}Date{/t}</td>
- <td class="ListColHeaderCenter" style="white-space:nowrap;">{t}Modificaton type{/t}</td>
+ <td class="ListColHeaderCenter" style="white-space:nowrap;">{t}Modificaton type{/t}</td>
 <td class="ListColHeaderCenter" style="white-space:nowrap;">{t}Objects{/t}</td>
 <td class="ListColHeaderCenter" style="white-space:nowrap;">{t}Object Name{/t}</td>
 <td class="ListColHeaderCenter" style="white-space:nowrap;">{t}Authors{/t}</td>
diff --git a/www/include/Administration/configChangelog/viewLogs.php b/www/include/Administration/configChangelog/viewLogs.php
index 83312fa182a2e848b5a00c42dc5eabb03e351d41..5df5fec59b3b6c4b306e1b8b9423d974d032459e 100644
--- a/www/include/Administration/configChangelog/viewLogs.php
+++ b/www/include/Administration/configChangelog/viewLogs.php
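Review bot: The switch from `value='{$searchO}'` to `value="{$searchO}"` is load-bearing rather than cosmetic: the matching PHP change (viewLogs.php, hunk @@ -313) encodes the value with a flag-less `htmlentities()`, and before PHP 8.1 that call's defaults encode `"` but not `'`, so a single-quoted attribute would still be breakable by the search value. That coupling is invisible from the template, and a later "consistency" edit that restores the file's prevailing single quotes would silently reopen it. Either escape in the template with Smarty's `|escape` modifier (`value="{$searchO|escape}"`) and drop the PHP-side encoding to avoid double encoding, or keep the PHP-side call but pass explicit `ENT_QUOTES` flags there; in both cases a short template comment such as `{* searchO/searchU are HTML-encoded before assignment *}` next to these inputs would document the dependency.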
@@ -43,8 +43,11 @@ function searchUserName($user_name) {
 global $pearDB;
 $str = "";
-
- $DBRES = $pearDB->query("SELECT contact_id FROM contact WHERE contact_name LIKE '%".$user_name."%' OR contact_alias LIKE '%".$user_name."%'");
+
+ $DBRES = $pearDB->query("SELECT contact_id
+ FROM contact
+ WHERE contact_name LIKE '%" . $pearDB->escape($user_name) . "%'
+ OR contact_alias LIKE '%" . $pearDB->escape($user_name) . "%'");
 while ($row = $DBRES->fetchRow()) {
 if ($str != "") {
 $str .= ", ";
@@ -166,7 +169,7 @@ if ($searchO) {
 } else {
 $query .= " AND ";
 }
- $query .= " object_name LIKE '%".$searchO."%' ";
+ $query .= " object_name LIKE '%" . $pearDB->escape($searchO) . "%' ";
 }
 if ($searchU) {
 if ($where_flag) {
@@ -313,8 +316,8 @@ $tpl->assign('form', $renderer->toArray());
 $tpl->assign('search_object_str', _("Object"));
 $tpl->assign('search_user_str', _("User"));
 $tpl->assign('Search', _('Search'));
-$tpl->assign('searchO', $searchO);
-$tpl->assign('searchU', $searchU);
+$tpl->assign('searchO', htmlentities($searchO));
+$tpl->assign('searchU', htmlentities($searchU));
 $tpl->assign('obj_str', _("Object Type"));
 $tpl->assign('type_id', $otype);
@@ -322,8 +325,8 @@ $tpl->assign('event_type', _("Event Type"));
 $tpl->assign('time', _("Time"));
 $tpl->assign('contact', _("Contact"));
-/*
- * Pagination
+/*
+ * Pagination
 */
 $tpl->assign('limit', $limit);
 $tpl->assign('rows', $rows);
@@ -339,13 +342,13 @@ if (isset($_POST['searchO']) || isset($_POST['searchU']) || isset($_POST['otype'
 $listAction = $centreon->CentreonLogAction->listAction($_GET['object_id'], $_GET['object_type']);
 $listModification = array();
 $listModification = $centreon->CentreonLogAction->listModification($_GET['object_id'], $_GET['object_type']);
-
+
 if (isset($listAction)) {
 $tpl->assign("action", $listAction);
 }
 if (isset($listModification)) {
 $tpl->assign("modification", $listModification);
 }
-
+
 $tpl->display("viewLogsDetails.ihtml");
 }
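Review bot: `$pearDB->escape()` in the new `searchUserName` query (and the same pattern for `$searchO` in the hunk at @@ -166) stops the search value from closing the string literal, but it presumably leaves the LIKE metacharacters `%` and `_` untouched, so a value of `%` or `_` still matches every contact or every object name — a gap the old code had as well, and one that turns a "contains" search into a full-table match. If a literal substring match is intended, neutralise the wildcards before the driver-level escaping and compute the value once, e.g. `$needle = $pearDB->escape(addcslashes($user_name, '%_'));`, then use `$needle` in both LIKE clauses; with MySQL's default `\` escape character a backslash-escaped wildcard matches literally, but confirm that against the `escape()` implementation, which is not visible here. If `$pearDB` exposes prepared statements, binding `'%' . $user_name . '%'` as a parameter would be the cleaner fix and would not depend on the connection charset that string escaping relies on. `searchUserName` begins at the hunk header and its body continues past the last hunk line.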
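Review bot: `htmlentities($searchO)` with no flags, in the hunk at @@ -313, makes what gets encoded depend on the PHP version: before 8.1 the default flags leave `'` unencoded (which is why the paired change in viewLogs.ihtml had to switch the attributes to double quotes), and from 8.1 passing `null` is deprecated, which matters if `$searchO` is unset on a plain page load — its initialisation is outside the hunk, so this is inferred. Make both explicit: `$tpl->assign('searchO', htmlentities((string) $searchO, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));` and the same for `searchU`; `htmlspecialchars` with the same flags is sufficient for an attribute value. Keeping the encoded form only in the template assignment, while the SQL side (hunks at @@ -43 and @@ -166) uses the raw value with its own escaping, is the right separation and worth a one-line comment above these two assigns so the two escaping layers are not conflated later.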