Edge_jr Posted June 14, 2015 Share Posted June 14, 2015 I am facing error regarding sql injection and casting variable in sql statement. How to cast variable to avoid sql injection. Example 1 $some_varible = Tools::getValue('some_text'); if (!Db::getInstance()->Execute(' UPDATE `'._DB_PREFIX_.'table` SET column ="'.$some_varible.'" ')) Example 2 $single = "'"; $double = '"'; $sql = 'UPDATE `'._DB_PREFIX_.'table` SET column1 = '.$single.$double.$column1.$double.$single.' , column2 = '.$single.$double.$column2.$double.$single.' WHERE id_table='.$row['id_table'].' '; Any Idea? -Thanks Link to comment Share on other sites More sharing options...
Vipul Hadiya Posted June 14, 2015 Share Posted June 14, 2015 (edited) Nice question. Thanks for such good question to generate explicit problem with query. But Prestashop has very nice solution for this, use pSQL function to avoid any manual casting of string variable. For float you can use (float) and for Integer you can use (int). But, in your case pSQL is the best solution.It is in /config/alias.php like this function pSQL($string, $htmlOK = false) { // Avoid thousands of "Db::getInstance()"... static $db = false; if (!$db) $db = Db::getInstance(); return $db->escape($string, $htmlOK); } Edited June 14, 2015 by Vipul Hadiya (see edit history) Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now