
Commit 4e4d8e6d authored by Maximilien Bersoult's avatar Maximilien Bersoult Committed by Stephane Chapron

fix(sec): Fix SQL injection on graphs

* Fix SQL injection when exporting metrics to CSV from graphs
parent 1b59cdb7
...@@ -66,10 +66,13 @@ if (isset($_GET['chartId'])) { ...@@ -66,10 +66,13 @@ if (isset($_GET['chartId'])) {
if (false === isset($hostId) || false === isset($serviceId)) { if (false === isset($hostId) || false === isset($serviceId)) {
die('Resource not found'); die('Resource not found');
} }
if (!is_numeric($hostId) || !is_numeric($serviceId)) {
die('Bad resource id format');
}
$res = $pearDBO->query('SELECT id $res = $pearDBO->query('SELECT id
FROM index_data FROM index_data
WHERE host_id = ' . $pearDBO->escape($hostId) . WHERE host_id = "' . $pearDBO->escape($hostId) .
' AND service_id = ' . $pearDBO->escape($serviceId)); '" AND service_id = "' . $pearDBO->escape($serviceId) . '"');
if ($res->numRows()) { if ($res->numRows()) {
$row = $res->fetchRow(); $row = $res->fetchRow();
$index = $row['id']; $index = $row['id'];
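Review bot: The added guard `is_numeric($hostId)` / `is_numeric($serviceId)` is looser than the integer IDs the query expects: is_numeric() also accepts floats, exponent notation, signs and leading whitespace, so values that are not valid index_data ids still reach the string-built query and only the escaping helper stands between them and the SQL. Since these are integer keys, validate them as integers and use the validated value, e.g. `$hostId = filter_var($hostId, FILTER_VALIDATE_INT);` `$serviceId = filter_var($serviceId, FILTER_VALIDATE_INT);` `if ($hostId === false || $serviceId === false) { die('Bad resource id format'); }` — after which the concatenation carries a known int rather than raw request input. If `$pearDBO` exposes a prepare/bind API (not visible here), binding the two ids as parameters would remove the dependence on `escape()` and manual quoting altogether. The enclosing `if (isset($_GET['chartId']))` block begins before this hunk and the origin of `$hostId`/`$serviceId` is outside it, so I cannot confirm they are strings from the request at this point.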