From 3d9b00c1115aab758fbf6597bc8bdc34bf941768 Mon Sep 17 00:00:00 2001 From: elmahdiabbassi Date: Mon, 17 Oct 2022 13:47:32 +0100 Subject: [PATCH 1/3] sanitize queries in service groups and change acl->queryBuilder by bindValuee --- .../servicegroup/listServiceGroup.php | 43 ++++++++++++++----- 1 file changed, 32 insertions(+), 11 deletions(-) diff --git a/www/include/configuration/configObject/servicegroup/listServiceGroup.php b/www/include/configuration/configObject/servicegroup/listServiceGroup.php index e3d84573351..8ffb554878f 100644 --- a/www/include/configuration/configObject/servicegroup/listServiceGroup.php +++ b/www/include/configuration/configObject/servicegroup/listServiceGroup.php 
@@ -55,19 +55,40 @@ $search = $centreon->historySearch[$url]["search"] ?? null; } +$conditionStr = ""; +$sgStrParams = []; +if (!$acl->admin && $sgString) { + $sgStrList = explode(',', $sgString); + foreach ($sgStrList as $index => $sg_id) { + $sgStrParams[':sg_' . $index] = $sg_id; + } + $queryParams = implode(',', array_keys($sgStrParams)); + + if ($search) { + $conditionStr = "AND sg_id IN (" . $queryParams . ")"; + } else { + $conditionStr = "WHERE sg_id IN (" . $queryParams . ")"; + } +} + if ($search) { - $rq = "SELECT SQL_CALC_FOUND_ROWS sg_id, sg_name, sg_alias, sg_activate FROM servicegroup " . - "WHERE (sg_name LIKE '%" . $search . "%' " . - "OR sg_alias LIKE '%" . $search . "%') " . - $acl->queryBuilder('AND', 'sg_id', $sgString) . - " ORDER BY sg_name LIMIT " . $num * $limit . ", " . $limit; + $statement = $pearDB->prepare("SELECT SQL_CALC_FOUND_ROWS sg_id, sg_name, sg_alias, sg_activate FROM servicegroup " . + "WHERE (sg_name LIKE :search " . + "OR sg_alias LIKE :search) " . $conditionStr . + " ORDER BY sg_name LIMIT :offset, :limit"); + + $statement->bindValue(':search', '%' . $search . '%', \PDO::PARAM_STR); } else { - $rq = "SELECT SQL_CALC_FOUND_ROWS sg_id, sg_name, sg_alias, sg_activate FROM servicegroup " . - $acl->queryBuilder('WHERE', 'sg_id', $sgString) . - " ORDER BY sg_name LIMIT " . $num * $limit . ", " . $limit; + $statement = $pearDB->prepare("SELECT SQL_CALC_FOUND_ROWS sg_id, sg_name, sg_alias, sg_activate FROM servicegroup " + . $conditionStr . + " ORDER BY sg_name LIMIT :offset, :limit"); } - -$dbResult = $pearDB->query($rq); +foreach ($sgStrParams as $key => $sg_id) { + $statement->bindValue($key, str_replace("'", "", $sg_id), \PDO::PARAM_INT); +} +$statement->bindValue(':offset', $num * $limit, \PDO::PARAM_INT); +$statement->bindValue(':limit', $limit, \PDO::PARAM_INT); +$statement->execute(); $rows = $pearDB->query("SELECT FOUND_ROWS()")->fetchColumn(); include "./include/common/checkPagination.php"; 
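Review bot: The search branch binds a single named marker `:search` that appears twice in the statement (`sg_name LIKE :search OR sg_alias LIKE :search`); PDO only accepts a repeated named marker when `PDO::ATTR_EMULATE_PREPARES` is on, and with native prepares the statement fails with an invalid-parameter-number error. Whether emulation is enabled on `$pearDB` is not visible here, so the portable form is two markers bound to the same value: `"WHERE (sg_name LIKE :searchName OR sg_alias LIKE :searchAlias) "` followed by `$statement->bindValue(':searchName', '%' . $search . '%', \PDO::PARAM_STR);` and `$statement->bindValue(':searchAlias', '%' . $search . '%', \PDO::PARAM_STR);`. The user's `%` and `_` are still interpreted as LIKE wildcards inside the bound pattern, as before this change; that only widens the text match and cannot bypass the `sg_id IN (...)` ACL filter, but a one-line comment saying so would stop the next reader from treating it as an injection.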
@@ -101,7 +122,7 @@ $elemArr = array(); $centreonToken = createCSRFToken(); -for ($i = 0; $sg = $dbResult->fetch(); $i++) { +for ($i = 0; $sg = $statement->fetch(\PDO::FETCH_ASSOC); $i++) { $selectedElements = $form->addElement('checkbox', "select[" . $sg['sg_id'] . "]"); $moptions = ""; if ($sg["sg_activate"]) { From 3265d78247170de375a7fa8001c140cc7b3137ad Mon Sep 17 00:00:00 2001 From: elmahdiabbassi Date: Mon, 17 Oct 2022 17:30:22 +0100 Subject: [PATCH 2/3] refactoring querry and fis camel case variables --- .../servicegroup/listServiceGroup.php | 22 +++++++++---------- 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/www/include/configuration/configObject/servicegroup/listServiceGroup.php b/www/include/configuration/configObject/servicegroup/listServiceGroup.php index 8ffb554878f..def3c3097c2 100644 --- a/www/include/configuration/configObject/servicegroup/listServiceGroup.php +++ b/www/include/configuration/configObject/servicegroup/listServiceGroup.php @@ -59,8 +59,8 @@ $sgStrParams = []; if (!$acl->admin && $sgString) { $sgStrList = explode(',', $sgString); - foreach ($sgStrList as $index => $sg_id) { - $sgStrParams[':sg_' . $index] = $sg_id; + foreach ($sgStrList as $index => $sgId) { + $sgStrParams[':sg_' . $index] = (int) str_replace("'", "", $sgId); } $queryParams = implode(',', array_keys($sgStrParams)); 
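Review bot: The line `$sgStrParams[':sg_' . $index] = (int) str_replace("'", "", $sgId);` needs a comment, because a reader will otherwise drop the `str_replace` as redundant next to the cast: `(int) "'12'"` is `0` in PHP, so the quotes that the ACL string evidently carries must be stripped first or every id collapses to 0 and the `IN (...)` list silently matches nothing. Suggested: `// $sgString is the ACL id list in the form '1','2'; strip the quotes before the cast, otherwise (int) yields 0`. I am inferring the quoted format from the `str_replace` itself; confirm it against the helper that builds `$sgString`, which is outside this hunk. A non-numeric element also becomes 0 and narrows the list rather than failing, which is the safe direction for an access filter but worth stating in the same comment.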
@@ -71,22 +71,20 @@ } } -if ($search) { - $statement = $pearDB->prepare("SELECT SQL_CALC_FOUND_ROWS sg_id, sg_name, sg_alias, sg_activate FROM servicegroup " . - "WHERE (sg_name LIKE :search " . - "OR sg_alias LIKE :search) " . $conditionStr . +if ($search != "") { + $statement = $pearDB->prepare("SELECT SQL_CALC_FOUND_ROWS sg_id, sg_name, sg_alias, sg_activate" . + " FROM servicegroup WHERE (sg_name LIKE :search OR sg_alias LIKE :search) " . $conditionStr . " ORDER BY sg_name LIMIT :offset, :limit"); $statement->bindValue(':search', '%' . $search . '%', \PDO::PARAM_STR); } else { - $statement = $pearDB->prepare("SELECT SQL_CALC_FOUND_ROWS sg_id, sg_name, sg_alias, sg_activate FROM servicegroup " - . $conditionStr . - " ORDER BY sg_name LIMIT :offset, :limit"); + $statement = $pearDB->prepare("SELECT SQL_CALC_FOUND_ROWS sg_id, sg_name, sg_alias, sg_activate" . + " FROM servicegroup " . $conditionStr . " ORDER BY sg_name LIMIT :offset, :limit"); } -foreach ($sgStrParams as $key => $sg_id) { - $statement->bindValue($key, str_replace("'", "", $sg_id), \PDO::PARAM_INT); +foreach ($sgStrParams as $key => $sgId) { + $statement->bindValue($key, $sgId, \PDO::PARAM_INT); } -$statement->bindValue(':offset', $num * $limit, \PDO::PARAM_INT); +$statement->bindValue(':offset', (int) $num * (int) $limit, \PDO::PARAM_INT); $statement->bindValue(':limit', $limit, \PDO::PARAM_INT); $statement->execute(); $rows = $pearDB->query("SELECT FOUND_ROWS()")->fetchColumn(); From c865f5db821aeda593fc69424392a587358a91ae Mon Sep 17 00:00:00 2001 From: elmahdiabbassi Date: Mon, 24 Oct 2022 08:42:57 +0100 Subject: [PATCH 3/3] fix condition operator --- .../configObject/servicegroup/listServiceGroup.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/www/include/configuration/configObject/servicegroup/listServiceGroup.php b/www/include/configuration/configObject/servicegroup/listServiceGroup.php index def3c3097c2..7f87df0d262 100644 
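Review bot: `:offset` now gets an explicit `(int)` cast but `:limit` on the following line is still bound as `$limit` unchanged; if `$limit` arrives as a string (its origin is outside this hunk, so I cannot tell), binding it with `PDO::PARAM_INT` under emulated prepares quotes it as a string and MySQL rejects `LIMIT 0, '30'` — the same failure mode the offset cast is presumably there to avoid. Cast it the same way: `$statement->bindValue(':limit', (int) $limit, \PDO::PARAM_INT);`. The precedence in `(int) $num * (int) $limit` is cast-then-multiply, which is what is wanted here; `((int) $num) * ((int) $limit)` would make that explicit at no cost.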
--- a/www/include/configuration/configObject/servicegroup/listServiceGroup.php +++ b/www/include/configuration/configObject/servicegroup/listServiceGroup.php @@ -64,14 +64,14 @@ } $queryParams = implode(',', array_keys($sgStrParams)); - if ($search) { + if ($search !== '') { $conditionStr = "AND sg_id IN (" . $queryParams . ")"; } else { $conditionStr = "WHERE sg_id IN (" . $queryParams . ")"; } } -if ($search != "") { +if ($search !== '') { $statement = $pearDB->prepare("SELECT SQL_CALC_FOUND_ROWS sg_id, sg_name, sg_alias, sg_activate" . " FROM servicegroup WHERE (sg_name LIKE :search OR sg_alias LIKE :search) " . $conditionStr . " ORDER BY sg_name LIMIT :offset, :limit");
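Review bot: `$search !== ''` is true when `$search` is `null`, and the earlier context line `$search = $centreon->historySearch[$url]["search"] ?? null;` shows that is a possible value, so a request with no search term now takes the LIKE branch and binds `'%%'` instead of the plain listing the previous truthiness check produced. The rows returned are the same for non-NULL names, but the query is needlessly heavier, and the two identical conditions (inside the `$conditionStr` block and on the outer `if`) must stay in lock-step or the `WHERE`/`AND` prefix goes out of sync and the statement fails to prepare. Compute the predicate once and use it in both places: `$hasSearch = $search !== null && $search !== '';` then `if ($hasSearch) {` at both sites. The enclosing `if (!$acl->admin && $sgString)` block and the `explode` loop start above this hunk.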