JoelWebsites Posted April 16, 2015
PHP errors: You have security issues, please review all your SQL requests and cast all the variables in it (pSQL, int...)
I have been given the above message when I gave my module for validation. I cannot understand the meaning of pSQL; can anyone explain it to me, and how do I cast variables, like a variable that has a string, e.g. $name? Is it necessary for me to use string? Can someone please elaborate... thank you.
ilmtech Posted May 1, 2015
Hi Joel, did you find the solution? I am facing the same problem too.
PascalVG Posted May 1, 2015
The casting is done so SQL injection becomes more difficult. So if the input should be an integer, make sure you cast it to an int before adding it to the SQL: "SELECT ....... WHERE age = ".(int)$age; Same with a string: (string)$MyInputStringVar, booleans (bool)$MyBooleanInputVar, etc. For more on type casting: http://php.net/manual/en/language.types.type-juggling.php Search the PrestaShop code for examples of pSQL. There should be loads of it. Same reason, done to reduce the chance of SQL injection.
pascal.
JoelWebsites Posted May 1, 2015 Author
Hi, you will need to use the below format in all SQL queries in your module that contain some variables; see my helpful example below.
$sql = 'UPDATE '._DB_PREFIX_."tablename SET `colum`='".pSQL($caption1)."',`active` =".(int)$view1." WHERE id_da =".(int)$id_awesometheme1.";";
if ($results = Db::getInstance()->Execute($sql)) { /* query succeeded */ }
Thanks
Edited May 1, 2015 by JoelWebsites
swadexi Posted October 17, 2015
Hi, you will need to use the below format in all SQL queries in your module that contain some variables; see my helpful example below.
$sql = 'UPDATE '._DB_PREFIX_."tablename SET `colum`='".pSQL($caption1)."',`active` =".(int)$view1." WHERE id_da =".(int)$id_awesometheme1.";";
if ($results = Db::getInstance()->Execute($sql)) { /* query succeeded */ }
Thanks
Hi, I have the same problem. I built a module that has the same function as blockcategories, so I copied some code from it, and after my module was reviewed I got the same message. pSQL only exists in the following script. This script can also be seen in the blockcategories module at lines 223 and 297:
WHERE `id_group` IN ('.pSQL(implode(', ', Customer::getGroupsStatic((int)$this->context->customer->id))).')
and
AND cg.`id_group` IN ('.pSQL($groups).')
I still have no idea what I have to do about this script... can anybody help me, what should I do? Thanks so much
JoelWebsites Posted December 3, 2015 Author
You will need to do it for all the SQL variables...
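The pattern the thread converges on (integers cast with (int), strings escaped with pSQL()) and the open question about the id_group IN (...) list, pulled together as one added example. This is not code from the thread or from PrestaShop itself; it assumes it runs inside a PrestaShop module where pSQL(), the Db class and _DB_PREFIX_ are already loaded, and the table and column names (my_module_table, caption, active, id_row, id_group) are made up for illustration.

```php
<?php
// Added example, not from the thread or from PrestaShop: every variable that
// reaches the SQL string is either cast to the type the column expects or
// escaped with pSQL(). Assumes a PrestaShop module context (pSQL(), Db and
// _DB_PREFIX_ defined). Table and column names are hypothetical.

/**
 * Update one row. The string goes through pSQL() (escaped, HTML stripped
 * because the second argument is left at its default false); the flag and
 * the id are cast to int, so whatever arrives in them can only become a number.
 */
function updateCaption($idRow, $caption, $active)
{
    $sql = 'UPDATE `'._DB_PREFIX_.'my_module_table` SET '
         .'`caption` = \''.pSQL($caption).'\', '   // string column: escape
         .'`active` = '.(int)$active.' '            // tinyint column: cast
         .'WHERE `id_row` = '.(int)$idRow;          // id column: cast
    return Db::getInstance()->execute($sql);
}

/**
 * Select rows whose id_group is in a list of ids. This is the case from the
 * blockcategories snippet: wrapping implode() in pSQL() only escapes quotes,
 * it does not make a non-numeric element numeric. Casting each element with
 * intval() before joining guarantees the IN (...) list contains only integers.
 */
function getByGroups(array $groupIds)
{
    $ids = array_map('intval', $groupIds);
    if (empty($ids)) {
        return array();   // IN () is a syntax error in MySQL; avoid it
    }
    $sql = 'SELECT * FROM `'._DB_PREFIX_.'my_module_table` '
         .'WHERE `id_group` IN ('.implode(', ', $ids).')';
    return Db::getInstance()->executeS($sql);
}

/**
 * Free-text search on a string column: the search term is escaped with pSQL()
 * and placed inside single quotes, the same way as the caption above.
 */
function searchCaption($term)
{
    $sql = 'SELECT `id_row`, `caption` FROM `'._DB_PREFIX_.'my_module_table` '
         .'WHERE `caption` LIKE \'%'.pSQL($term).'%\'';
    return Db::getInstance()->executeS($sql);
}

// Usage inside a module (the values would normally come from Tools::getValue()):
// updateCaption(Tools::getValue('id_row'), Tools::getValue('caption'), Tools::getValue('active'));
// getByGroups(Customer::getGroupsStatic((int)$this->context->customer->id));
```

The rule the validator applies is simple to check by hand: read each query string and, for every "." that joins a variable in, confirm the variable is wrapped in (int), (float) or (bool), or in pSQL() with matching quotes around it. A list built with implode() is the one place where pSQL() on the joined string is not enough, because a list of integers should be cast element by element.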