Even though PrestaShop has been using the PDO library since version 1.5, it still does not call some important methods, such as bindParam() or bindValue(), which are designed to bind query parameters safely. Queries therefore have to be protected manually.


  • Cast all your integers with (int), for example:

$result = Db::getInstance(_PS_USE_SQL_SLAVE_)->getRow('
    SELECT `id_country`, `id_state`, `vat_number`, `postcode` FROM `' . _DB_PREFIX_ . 'address`
    WHERE `id_address` = ' . (int) $id_address);

  • Cast your non-integer numeric values with (float), for the same reason as for integers.

  • Protect your character strings with the pSQL function.

This will protect your queries against SQL injections containing the ' character (single quotes), which would otherwise terminate the string literal early.
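The three rules above combined in one query, as an added example that is not PrestaShop's own code: every integer is cast with (int), every price bound with (float), and the search string goes through pSQL(). It assumes a PrestaShop 1.5/1.6 installation bootstrapped through config/config.inc.php (so Db, Tools, Context, _DB_PREFIX_ and pSQL() are available) and the standard `product` / `product_lang` tables; the function name searchProducts and the request parameter names q, min and max are assumptions, and multishop columns are left out to keep the query short.

```php
<?php
// Added example (not part of PrestaShop): applying (int), (float) and pSQL()
// to every dynamic value before it is concatenated into the SQL string.
// Assumes the script lives in the shop root so the bootstrap path resolves.
require_once dirname(__FILE__) . '/config/config.inc.php';

/**
 * Returns active products of one language whose name contains $search and
 * whose price lies between $minPrice and $maxPrice, with simple pagination.
 * Nothing reaches the SQL string without being cast or escaped.
 */
function searchProducts($search, $minPrice, $maxPrice, $idLang, $limit = 20, $offset = 0)
{
    // pSQL() neutralises quotes; it does not touch the LIKE wildcards % and _,
    // so they are escaped separately (after pSQL, so the backslashes survive).
    $pattern = str_replace(array('%', '_'), array('\\%', '\\_'), pSQL($search));

    $sql = 'SELECT p.`id_product`, pl.`name`, p.`price`
            FROM `' . _DB_PREFIX_ . 'product` p
            INNER JOIN `' . _DB_PREFIX_ . 'product_lang` pl
                ON (pl.`id_product` = p.`id_product`
                    AND pl.`id_lang` = ' . (int) $idLang . ')
            WHERE p.`active` = 1
              AND p.`price` BETWEEN ' . (float) $minPrice . ' AND ' . (float) $maxPrice . '
              AND pl.`name` LIKE \'%' . $pattern . '%\'
            ORDER BY p.`price` ASC
            LIMIT ' . (int) $offset . ', ' . (int) $limit;

    // Read-only query, so the slave connection may be used if one is configured.
    return Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS($sql);
}

// Request values come from Tools::getValue(), i.e. untrusted strings; the
// casts inside searchProducts() make them harmless whatever they contain.
$rows = searchProducts(
    Tools::getValue('q', ''),
    Tools::getValue('min', 0),
    Tools::getValue('max', 999999),
    (int) Context::getContext()->language->id,
    (int) Tools::getValue('limit', 20),
    (int) Tools::getValue('offset', 0)
);

foreach ($rows as $row) {
    // Output is escaped for HTML as well: SQL escaping only protects the query.
    echo (int) $row['id_product'] . ' '
        . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . ' '
        . (float) $row['price'] . "\n";
}
```

The cast happens at the point where the value enters the SQL string, not when it is read from the request, so every call site of the function is safe regardless of what the caller passes in. Note that pSQL() only guards the quote characters: a value used in a LIKE pattern still needs its % and _ wildcards escaped, and a value used as a number is better cast than escaped.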

For example, authentication, in the Employee.php class, is done as follows:

$result = Db::getInstance()->getRow('
SELECT * FROM `'._DB_PREFIX_.'employee`
WHERE `active` = 1
AND `email` = \''.pSQL($email).'\'
AND `passwd` = \''.Tools::encrypt($passwd).'\'');

Here is an example of a possible flaw:

The $email variable comes from the POST request and is therefore user-controlled. If it were not escaped with pSQL, it would be possible to submit the following value in the POST field:

contact@medalibouk.com' OR `email` != 'contact@medalibouk.com' OR `passwd` ='test

The query would then become:

SELECT * FROM `ps_employee`
WHERE `active` = 1
AND `email` ='contact@medalibouk.com' OR `email` != 'contact@medalibouk.com' OR `passwd` = 'test'
AND `passwd` = 'ddcdaee0a606202f4641ae3e8d5d7be7'
  • Protect your field strings with the bqSQL function.

This will protect your queries against SQL injections containing the ` character (called backquotes) when you use a character string to define a field name: bqSQL() calls pSQL() and additionally escapes the backquotes, so the value cannot break out of the backquoted identifier.
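A typical place where a field name comes from the request is a sortable list, shown here as an added example that is not PrestaShop's own code. A column name cannot be wrapped in single quotes, so bqSQL() is the right escape for it; on top of that the example restricts the column to a fixed allowlist and the direction to ASC/DESC, because escaping alone only guarantees that the identifier stays inside its backquotes, not that the caller may sort by that column. It assumes the same config/config.inc.php bootstrap and the standard `customer` table; the function name getCustomersSorted and the request parameter names orderby and orderway are assumptions.

```php
<?php
// Added example (not part of PrestaShop): a user-selectable ORDER BY column
// protected with an allowlist plus bqSQL(). Assumes the shop root bootstrap.
require_once dirname(__FILE__) . '/config/config.inc.php';

/**
 * Returns non-deleted customers sorted by a column chosen by the caller.
 * $orderBy and $orderWay may be untrusted request values.
 */
function getCustomersSorted($orderBy, $orderWay, $limit = 50)
{
    // Only these columns may be used for sorting; anything else falls back
    // to the primary key instead of being passed to the query.
    $allowedColumns = array('id_customer', 'lastname', 'firstname', 'email', 'date_add');
    if (!in_array($orderBy, $allowedColumns, true)) {
        $orderBy = 'id_customer';
    }

    // The direction is a keyword, not a string literal, so it is reduced to
    // the two values MySQL accepts rather than escaped.
    $orderWay = (strtoupper((string) $orderWay) === 'DESC') ? 'DESC' : 'ASC';

    // bqSQL() escapes backquotes (and quotes, via pSQL) so the identifier
    // stays inside its own `...`; the allowlist above already guarantees
    // it contains none, which makes the escape a second line of defence.
    $sql = 'SELECT `id_customer`, `firstname`, `lastname`, `email`, `date_add`
            FROM `' . _DB_PREFIX_ . 'customer`
            WHERE `deleted` = 0
            ORDER BY `' . bqSQL($orderBy) . '` ' . $orderWay . '
            LIMIT ' . (int) $limit;

    return Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS($sql);
}

// The sort column and direction are read straight from the request; the
// function normalises them before they get anywhere near the SQL string.
$customers = getCustomersSorted(
    Tools::getValue('orderby', 'id_customer'),
    Tools::getValue('orderway', 'ASC'),
    (int) Tools::getValue('limit', 50)
);

foreach ($customers as $customer) {
    echo (int) $customer['id_customer'] . ' '
        . htmlspecialchars($customer['lastname'] . ' ' . $customer['firstname'], ENT_QUOTES, 'UTF-8')
        . "\n";
}
```

The same pattern applies wherever a table or column name is built from a variable (generic "get by field" helpers, export filters, admin list sorting): wrap the identifier in backquotes, pass it through bqSQL(), and keep the set of accepted identifiers explicit in code rather than trusting the escape to do all the work.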