fix(sec): Change query method

* Use prepare statement on queries

fix(sec): Change query method
d5204752 · Maximilien Bersoult · Stephane Chapron · 018ca65a · d5204752 · d5204752
Commit d5204752 authored May 2, 2018 by Maximilien Bersoult Committed by Stephane Chapron Jun 8, 2018
--- a/www/include/reporting/dashboard/xmlInformations/GetXmlHost.php
+++ b/www/include/reporting/dashboard/xmlInformations/GetXmlHost.php
@@ -69,11 +69,9 @@ if (isset($_GET["id"]) && isset($_GET["color"])) {
    }
    if ($accessHost) {
-        $DBRESULT = $pearDBO->query(
+        $query = 'SELECT  * FROM `log_archive_host` WHERE host_id = ? ORDER BY date_start DESC';
-            "SELECT  * FROM `log_archive_host` WHERE host_id = '"
+        $stmt = $pearDBO->prepare($query);
-            . $pearDBO->escape($_GET["id"])
+        $DBRESULT = $pearDBO->execute($stmt, array($_GET['id']));
-            . "' order by date_start desc"
-        );
        while ($row = $DBRESULT->fetchRow()) {
            fillBuffer($statesTab, $row, $color);
        }

--- a/www/include/reporting/dashboard/xmlInformations/GetXmlService.php
+++ b/www/include/reporting/dashboard/xmlInformations/GetXmlService.php
@@ -68,11 +68,9 @@ if (isset($_GET["host_id"]) && isset($_GET["id"]) && isset($_GET["color"])) {
    }
    if ($accessService) {
-        $DBRESULT = $pearDBO->query(
+        $query = 'SELECT * FROM `log_archive_service` WHERE host_id = ? AND service_id = ? ORDER BY date_start DESC';
-            "SELECT  * FROM `log_archive_service` WHERE host_id = '".
+        $stmt = $pearDBO->prepare($query);
-            $pearDBO->escape($_GET["host_id"])."' AND service_id = '".
+        $DBRESULT = $pearDBO->execute($stmt, array($_GET['host_id'], $_GET['id']));
-            $pearDBO->escape($_GET["id"])."' ORDER BY `date_start` DESC"
-        );
        while ($row = $DBRESULT->fetchRow()) {
            fillBuffer($statesTab, $row, $color);
        }