PrestaShop Validator: SQL security issues


Problem description

Good evening, I'm validating PrestaShop on my form. The error shown is:

Your module contains security issues. - Make sure that your data is always protected when doing an insertion. For instance, make sure that you do have an integer with an explicit (int) cast, and that text is protected against SQL injections thanks to the pSQL() method. - Be careful: (string) is not a secured cast, you must use pSQL.

The insert queries I use are as follows:

Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_list_filter (name, content) VALUES ("'.$t['filter_template_name'].'","'.  str_replace('"', '\"', serialize($t)).'")');

Db::getInstance()->execute('INSERT IGNORE INTO `'._DB_PREFIX_.'ff_people` (`field`,`list`) VALUES ("'.$c->email.'",'.$listId.')');

Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_custom_field (field, list) VALUES ("'.$field.'"," ","'.$list.'")');

Have you ever seen something like this?

Recommended answer

Prestashop Addons' validation process is very exquisite. This error means that you should cast all the external parameters you use in your SQL statement. It should be like this:

Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_list_filter (name, content) VALUES ("'. pSQL($t['filter_template_name']).'","'.  pSQL(str_replace('"', '\"',  serialize($t))).'")');

If you have params whose type is other than string, you should cast directly to the corresponding type:

Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_list_filter (name, content) VALUES ("'. (int) $t['id_int'].'","'.  pSQL(str_replace('"', '\"',  serialize($t))).'")');

Additional suggestion: you could make more use of Prestashop's DB class in insert, update and delete statements. This way you avoid simple quote errors or similar:

Db::getInstance()->insert('ff_list_filter', array('name' => pSQL($t['filter_template_name']), 'content' => pSQL(str_replace('"', '\"',  serialize($t)))));

Good luck.
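As an added example (not code from the question or the answer), the three inserts from the question rewritten as a small module helper that uses Db::insert(), an explicit (int) cast for every numeric value and pSQL() for every string. The class and method names are illustrative, and it assumes a PrestaShop 1.6-style Db API (Db::insert() with a Db::INSERT_IGNORE type, pSQL() with its $htmlOK second argument, Validate::isEmail()).

```php
<?php
// Added example, not part of the original question or answer.
// Hypothetical helper for a PrestaShop module; requires the PrestaShop runtime
// (Db, pSQL(), Validate) to be loaded.

class FfListFilterInserter
{
    /** Builds the row arrays handed to Db::insert(), so they can be inspected. */
    public static function buildRows(array $t, $email, $listId, $field)
    {
        $listId = (int) $listId;          // numeric input: cast, never quote and trust
        $serialized = serialize($t);      // no manual str_replace('"', '\"'): pSQL() escapes

        return array(
            'ff_list_filter' => array(
                'name'    => pSQL($t['filter_template_name']),
                // serialized PHP may legitimately contain '<', which the default
                // pSQL() (htmlOK = false) strips; pass true so the value stays intact
                'content' => pSQL($serialized, true),
            ),
            'ff_people' => array(
                'field' => pSQL($email),
                'list'  => $listId,
            ),
            // columns as named in the question (field, list)
            'ff_custom_field' => array(
                'field' => pSQL($field),
                'list'  => $listId,
            ),
        );
    }

    /** Validates the input, then inserts each row with INSERT IGNORE semantics. */
    public static function insertAll(array $t, $email, $listId, $field)
    {
        if (!isset($t['filter_template_name']) || !Validate::isEmail($email)) {
            return false;                 // reject before touching the database
        }
        $db = Db::getInstance();
        foreach (self::buildRows($t, $email, $listId, $field) as $table => $row) {
            // Db::insert() adds _DB_PREFIX_ and quotes the values itself
            if (!$db->insert($table, $row, false, true, Db::INSERT_IGNORE)) {
                return false;
            }
        }
        return true;
    }
}
```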
