From d5204752cadafd74ab51d05b74c77bd94a5e28f1 Mon Sep 17 00:00:00 2001
From: Maximilien Bersoult <mbersoult@centreon.com>
Date: Wed, 2 May 2018 09:28:51 +0200
Subject: [PATCH] fix(sec): Change query method

* Use prepared statements (bound parameters) for the host/service log-archive queries instead of string-built SQL
---
 .../reporting/dashboard/xmlInformations/GetXmlHost.php    | 8 +++-----
 .../reporting/dashboard/xmlInformations/GetXmlService.php | 8 +++-----
 2 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/www/include/reporting/dashboard/xmlInformations/GetXmlHost.php b/www/include/reporting/dashboard/xmlInformations/GetXmlHost.php
index 1bdc4218a4..495a6b337a 100644
--- a/www/include/reporting/dashboard/xmlInformations/GetXmlHost.php
+++ b/www/include/reporting/dashboard/xmlInformations/GetXmlHost.php
@@ -69,11 +69,9 @@ if (isset($_GET["id"]) && isset($_GET["color"])) {
     }
 
     if ($accessHost) {
-        $DBRESULT = $pearDBO->query(
-            "SELECT  * FROM `log_archive_host` WHERE host_id = '"
-            . $pearDBO->escape($_GET["id"])
-            . "' order by date_start desc"
-        );
+        $query = 'SELECT  * FROM `log_archive_host` WHERE host_id = ? ORDER BY date_start DESC';
+        $stmt = $pearDBO->prepare($query);
+        $DBRESULT = $pearDBO->execute($stmt, array($_GET['id']));
         while ($row = $DBRESULT->fetchRow()) {
             fillBuffer($statesTab, $row, $color);
         }
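Review bot: The value bound on the `execute` line is still the raw `$_GET['id']` string, even though `host_id` is presumably a numeric key, so the comparison relies on the database's string-to-number coercion; binding `array((int) $_GET['id'])` (or rejecting non-integers up front with `filter_var($_GET['id'], FILTER_VALIDATE_INT)`) makes the intended type explicit now that the injection path is closed. The `$accessHost` gate is computed outside the hunk and may already validate the id, so confirm rather than assume. Separately, the new query string keeps the original's stray double space in `SELECT  *`, which the service-side hunk of this same commit cleans up — `'SELECT * FROM `log_archive_host` WHERE host_id = ? ORDER BY date_start DESC'` for consistency. The enclosing `if ($accessHost)` body continues past the end of the hunk.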
diff --git a/www/include/reporting/dashboard/xmlInformations/GetXmlService.php b/www/include/reporting/dashboard/xmlInformations/GetXmlService.php
index 43c323bfe9..1f029de913 100644
--- a/www/include/reporting/dashboard/xmlInformations/GetXmlService.php
+++ b/www/include/reporting/dashboard/xmlInformations/GetXmlService.php
@@ -68,11 +68,9 @@ if (isset($_GET["host_id"]) && isset($_GET["id"]) && isset($_GET["color"])) {
     }
 
     if ($accessService) {
-        $DBRESULT = $pearDBO->query(
-            "SELECT  * FROM `log_archive_service` WHERE host_id = '".
-            $pearDBO->escape($_GET["host_id"])."' AND service_id = '".
-            $pearDBO->escape($_GET["id"])."' ORDER BY `date_start` DESC"
-        );
+        $query = 'SELECT * FROM `log_archive_service` WHERE host_id = ? AND service_id = ? ORDER BY date_start DESC';
+        $stmt = $pearDBO->prepare($query);
+        $DBRESULT = $pearDBO->execute($stmt, array($_GET['host_id'], $_GET['id']));
         while ($row = $DBRESULT->fetchRow()) {
             fillBuffer($statesTab, $row, $color);
         }
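Review bot: Neither the `prepare` nor the `execute` result is checked before `$DBRESULT->fetchRow()` on the following line; the original `query()` call had the same gap, but the new two-step form adds a second failure point, and if the wrapper returns `false` or an error object on a bad statement the loop will fatal on a non-object rather than reporting the error. A guard in whatever idiom `$pearDBO` uses (not visible here — e.g. `if (!$DBRESULT) { … }` or a `PEAR::isError($DBRESULT)` check) would let this script fail cleanly. As in the host file, `$_GET['host_id']` and `$_GET['id']` are bound as raw strings; `array((int) $_GET['host_id'], (int) $_GET['id'])` states the numeric intent explicitly instead of leaning on database coercion. The `$accessService` gate that guards this block is computed outside the hunk, so whether it already validates both ids cannot be confirmed from this view.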
-- 
GitLab