PrestaShop Validator：SQL安全问题

Good evening, I'm validating PrestaShop on my form. The mistake is reflected:

Your module contains security issues. - Make sure that your data is always protected when doing an insertion. For instance, make sure that you do have an integer with an explicit (int) cast, and that text is protected against SQL injections thanks to the pSQL() method. - Be careful (string) is not a secured cast, you must pSQL.

The insert query I use are as follows:

Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_list_filter (name, content) VALUES ("'.$t['filter_template_name'].'","'.  str_replace('"', '\"', serialize($t)).'")');

Db::getInstance()->execute('INSERT IGNORE INTO `'._DB_PREFIX_.'ff_people` (`field`,`list`) VALUES ("'.$c->email.'",'.$listId.')');

Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_custom_field (field, list) VALUES ("'.$field.'"," ","'.$list.'")');

Have you ever seen anything like that?

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
duan5362 2016-12-01 16:17
关注
Prestashop Addons validation process is very exquisite. This error means that you should cast all the external parameters you use in your SQL statement. Should be like this:

Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_list_filter (name, content) VALUES ("'. pSQL($t['filter_template_name']).'","'. pSQL(str_replace('"', '\"', serialize($t))).'")');

If you have params with type is other than string you should cast directly to corresponding type:

Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_list_filter (name, content) VALUES ("'. (int) $t['id_int'].'","'. pSQL(str_replace('"', '\"', serialize($t))).'")');

Additional suggestion. You could use more Prestashop's DB class in insert, update and delete sentences. This way avoid simple quotes errors or similar:

Db::getInstance()->insert('ff_list_filter', array('name' => pSQL($t['filter_template_name']), 'content' => pSQL(str_replace('"', '\"', serialize($t)))));

Good luck.
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

PrestaShop Validator：SQL安全问题 mysql php
2016-12-01 15:49

回答 1 已采纳 Prestashop Addons validation process is very exquisite. This error means that you should cast all
Prestashop Tools :: getValue（）函数不能转义sql注入？ php sql
2016-08-07 19:24

回答 1 已采纳 Tools::getValue() only retrieves POST or GET value. To prevent SQL injection you can use pSQL()
Prestashop Webservice：多个购物车行 php
2017-11-02 03:08

回答 1 已采纳 Why id product are same? Same id product with different quantity will not be accepted in multiple
PrestaShop module : RAZ-开源
2021-06-30 05:23

PrestaShop (http://www.prestashop.com) 模块用于擦除您的数据库，有很多选项。 PrestaShop 论坛上有关此模块的主题：http://www.prestashop.com/forums/viewthread/15449/
无法在prestashop Context :: getContext（） - > cookie中找到cookie值但是它在$ _COOKIE中显示？ php
2019-03-28 05:47

回答 1 已采纳 This is because you are most likely writing to a cookie with different name or different domain/su
Prestashop模块：产品页面上的产品类别 php
2013-08-04 16:29

回答 2 已采纳 Ok. It was easier than i thought. I did it in .tpl. {foreach from=$products item=product} {if $pr
PrestaShop：从XLS导入？ php
2015-05-21 14:43

回答 2 已采纳 PrestaShop doesn't support excel files, only simple data tables like .csv. This is because excel f
PrestaShop module : products also bought-开源
2021-06-30 06:27

PrestaShop (http://www.prestashop.com) 模块，在产品详细信息页面上显示其他客户也购买的产品。 PrestaShop 论坛上有关此模块的主题：http://www.prestashop.com/forums/viewthread/19623/
Prestashop 1.6：无法在制造商页面中显示制造商徽标 php
2016-01-30 21:51

回答 1 已采纳 Issue solved: the problem was related to the logo image size. I had to set the height and width of
PrestaShop 1.6：在CMS页面上显示模块内容（中心列） php
2015-10-02 06:16

回答 1 已采纳 Why can't you, try to display it in a separate page instead of cms page and add a url link in bloc
安装prestashop模块的问题：mymodule（/中缺少类） php
2016-02-01 10:49

回答 2 已采纳 If your module as for Class name CookiesPresta you should name the directory /cookiespresta and yo
PrestaShop module : jQuery Gallery View-开源
2021-06-04 16:30

PrestaShop 模块，用于在您的主页上显示 jQuery 画廊视图 (http://spaceforaname.com/galleryview)，可在 BO 中进行广泛编辑。 PrestaShop 论坛上的相关主题：http://www.prestashop.com/forums/viewthread/49128/
Prestashop：如果产品库存缺货（允许订购），如何显示默认标签？ php
2018-06-08 18:47

回答 1 已采纳 Try this code :  <p id="availability_statut"{if !$P
PrestaShop module : send to my friend-开源
2021-05-15 10:35

PrestaShop（http://www.prestashop.com）模块：将文章发送给朋友。它是“发送给朋友”基本模块的高级版本。 PrestaShop论坛上的相关主题（法语）：http://www.prestashop.com/forums/viewthread/42609/
PrestaShop module : IE6 update-开源
2021-05-15 10:10

PrestaShop开源电子商务解决方案的模块，用于“帮助杀死” Internet Explorer6。该模块使用来自http://www.ie6update.com的代码，有关PrestaShop论坛上此模块的主题：...
prestashop：Prestashop模块添加PagaMasTarde
2021-02-25 05:08

Prestashop安装 :floppy_disk: 安装在您的Prestashop实例中安装Pagantis模块。常用步骤导航到模块仪表板点击“添加新” 使用市场进行安装搜索“ Pagantis” 点击“安装” 使用zip文件安装从下载压缩文件 ...
cart-prestashop：用于Prestashop的Mercado Pago插件
2021-03-02 01:51

下载Prestashop 您可以通过单击链接下载Prestashop： : 在Prestashop Addons上下载Mercado Pago 您可以通过单击以下链接在Prestashop附加组件（适用于Prestashop 1.6.x或1.7.x）上下载Mercado Pago插件： ://addons....
gulp-prestashop：Gulp prestashop构建系统
2021-02-03 19:14

但是，该问题之前没有人使用过，并且没有记录工作流程。我想提供一种简便的方法来立即构建您的SASS文件。您可以注意更改，并且gulp会自动重新编译您的文件。还支持lint的javascript文件。该项目尚处于初期阶段...
PrestaShop Template: Electronics (Blue):ModuleBazaar提供的免费PrestaShop模板。-开源
2021-05-12 15:41

您是否正在为电子商店寻找简单专业的模板？ ModuleBazaar为与所有浏览器兼容的prestashop商店提供外观丰富的模板。
prestashop：PrestaShop的免费PWA和SPA
2021-02-05 15:16

用于PrestaShop的CMS Connect应用程序显示你的 :red_heart: -给我们一个 :star: 帮助我们将这个项目发展到最好！ VueFront是CMS不可知的SPA和PWA前端，适用于您的老式Blog和电子商务网站。 PrestaShop是一种高效...
没有解决我的问题, 去提问

悬赏问题

¥100 嵌入式系统基于PIC16F882和热敏电阻的数字温度计
¥20 BAPI_PR_CHANGE how to add account assignment information for service line
¥500 火焰左右视图、视差（基于双目相机）
¥100 set_link_state
¥15 虚幻5 UE美术毛发渲染
¥15 CVRP 图论物流运输优化
¥15 Tableau online 嵌入ppt失败
¥100 支付宝网页转账系统不识别账号
¥15 基于单片机的靶位控制系统
¥15 真我手机蓝牙传输进度消息被关闭了，怎么打开？(关键词-消息通知)

PrestaShop Validator：SQL安全问题

1条回答 默认 最新

悬赏问题

1条回答默认最新