gostbuster Posted January 21, 2015

Hi guys,

I know that prestashop is protected against SQL injections, I read that on forums and have no problem trusting that point. But I was playing with code and there is a basic thing I must be missing, because I'm able to do a SQL injection, at least to get a hacked result from the database.

Imagine I have a customer table like:

    customer(id, username, email, firstname, lastname)

And on the other hand a form asking for username (field added and class overridden) and email (to get firstname and lastname).

The code for the SQL request should be:

    $query = new DbQuery();
    $query->select('firstname');
    $query->from('customer');
    $query->where('username = "'.(string)$username.'"');
    $query->where('email = "'.(string)$email.'"');
    return Db::getInstance(_PS_USE_SQL_SLAVE_)->getValue($query);

In the form I typed:

    login: testuser
    password: " OR '1' = '1' OR ""="

The SQL query passed to the server is:

    SELECT firstname,lastname FROM `vdh_customer` WHERE (username = "testuser") AND (email = "" OR '1' = '1' OR ""="")

And gives me back a result....

Is that considered as SQL INJECTION? Or am I doing something really bad like a newbie?

Thanks for your advice, I'm getting lost with that and troubling my mind.
Simone Salerno Posted January 21, 2015

You MUSTN'T use (string)$username, you MUST use pSQL($username), which escapes raw input for you.
vekia Posted January 21, 2015

prestashop by default escapes strings
gostbuster Posted January 21, 2015 (Author)

Hi guys,

    You MUSTN'T use (string)$username, you MUST use pSQL($username), which escapes raw input for you.

This is what I was actually missing! Using this function secures against SQL injection. Thanks so much for your help.
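As an added example, not code from this thread or from PrestaShop itself: the lookup from the first post rewritten with pSQL() as Simone Salerno recommends, with a format check on the address before it reaches the query. It assumes PrestaShop 1.5/1.6 class names (DbQuery, Db, Validate, Tools) and the poster's custom username column on the customer table.

```php
<?php
// Added example, not the thread's or PrestaShop's own code.
// Assumes the PrestaShop 1.5/1.6 API (DbQuery, Db, Validate, Tools, pSQL)
// and a custom "username" column on the customer table.

function getCustomerNames($username, $email)
{
    // Whitelist first: an address that fails the format check never reaches SQL.
    if (!Validate::isEmail($email)) {
        return false;
    }

    $query = new DbQuery();
    $query->select('firstname, lastname');
    $query->from('customer');

    // Vulnerable form from the thread, kept here only for contrast:
    //   $query->where('email = "'.(string)$email.'"');
    // (string) only casts; the quote characters in  " OR '1' = '1' OR ""="
    // pass straight through and rewrite the WHERE clause.
    //
    // pSQL() escapes quotes and backslashes for MySQL (and strips HTML tags
    // unless its second argument is true), so the same input becomes a single
    // string literal that matches no row.
    $query->where('username = "'.pSQL($username).'"');
    $query->where('email = "'.pSQL($email).'"');

    // getRow() returns the first matching row as an array, or false.
    return Db::getInstance(_PS_USE_SQL_SLAVE_)->getRow($query);
}

// Typical call: both values come straight from the form and are never trusted as-is.
$row = getCustomerNames(Tools::getValue('username'), Tools::getValue('email'));
```

The PrestaShop convention is pSQL() for every string and an (int) cast for every integer that is concatenated into a query; a cast alone, as the first post shows, does nothing to the quote characters.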