Matteo Enna Matteo Enna - 7 days ago 4
MySQL Question

PrestaShop Validator: SQL security issues

Good evening,
I'm validating PrestaShop on my form.
The mistake is reflected:


Your module contains security issues.
- Make sure that your data is always protected when doing an insertion. For instance, make sure that you do have an integer with an
explicit (int) cast, and that text is protected against SQL injections
thanks to the pSQL() method.
- Be careful (string) is not a secured cast, you must pSQL.


The insert query I use are as follows:

Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_list_filter (name, content) VALUES ("'.$t['filter_template_name'].'","'. str_replace('"', '\"', serialize($t)).'")');


or

Db::getInstance()->execute('INSERT IGNORE INTO `'._DB_PREFIX_.'ff_people` (`field`,`list`) VALUES ("'.$c->email.'",'.$listId.')');


or

Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_custom_field (field, list) VALUES ("'.$field.'"," ","'.$list.'")');


Have you ever seen anything like that?

Answer

Prestashop Addons validation process is very exquisite. This error means that you should cast all the external parameters you use in your SQL statement. Should be like this:

Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_list_filter (name, content) VALUES ("'. pSQL($t['filter_template_name']).'","'.  pSQL(str_replace('"', '\"',  serialize($t))).'")');

If you have params with type is other than string you should cast directly to corresponding type:

Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_list_filter (name, content) VALUES ("'. (int) $t['id_int'].'","'.  pSQL(str_replace('"', '\"',  serialize($t))).'")');

Additional suggestion. You could use more Prestashop's DB class in insert, update and delete sentences. This way avoid simple quotes errors or similar:

Db::getInstance()->insert('ff_list_filter', array('name' => pSQL($t['filter_template_name']), 'content' => pSQL(str_replace('"', '\"',  serialize($t)))));

Good luck.