NishantVadgama Posted July 16, 2015

Hello, I have developed a module in which there is one PHP controller file; in that file I have written one SQL query as follows.

$sql = 'SELECT p.*, product_shop.*, stock.out_of_stock, IFNULL(stock.quantity, 0) as quantity,
        pl.`description`, pl.`description_short`,
        MAX(product_attribute_shop.id_product_attribute) id_product_attribute,
        pl.`link_rewrite`, pl.`meta_description`, pl.`meta_keywords`, pl.`meta_title`, pl.`name`,
        MAX(image_shop.`id_image`) id_image, il.`legend`, m.`name` AS manufacturer_name,
        DATEDIFF(p.`date_add`, DATE_SUB(NOW(), INTERVAL '.(Validate::isUnsignedInt(Configuration::get('PS_NB_DAYS_NEW_PRODUCT')) ? Configuration::get('PS_NB_DAYS_NEW_PRODUCT') : 20).' DAY)) > 0 AS new
    FROM `'._DB_PREFIX_.'product` p
    '.Shop::addSqlAssociation('product', 'p').'
    LEFT JOIN '._DB_PREFIX_.'product_attribute pa ON (pa.id_product = p.id_product)
    '.Shop::addSqlAssociation('product_attribute', 'pa', false, 'product_attribute_shop.default_on=1').'
    '.Product::sqlStock('p', 0, false, $context->shop).'
    LEFT JOIN `'._DB_PREFIX_.'product_lang` pl ON (p.`id_product` = pl.`id_product` AND pl.`id_lang` = '.(int)$id_lang.Shop::addSqlRestrictionOnLang('pl').')
    LEFT JOIN `'._DB_PREFIX_.'image` i ON (i.`id_product` = p.`id_product`)
    '.Shop::addSqlAssociation('image', 'i', false, 'image_shop.cover=1').'
    LEFT JOIN `'._DB_PREFIX_.'image_lang` il ON (i.`id_image` = il.`id_image` AND il.`id_lang` = '.(int)$id_lang.')
    LEFT JOIN `'._DB_PREFIX_.'manufacturer` m ON (m.`id_manufacturer` = p.`id_manufacturer`)
    WHERE product_shop.`active` = 1 AND product_shop.`show_price` = 1';

if ($this->context->cookie->__isset('shortlist'))
    $sql = $sql.' AND p.`id_product` IN ('.pSQL(implode(', ', unserialize($this->context->cookie->__get('shortlist')))).')';

$sql = $sql.' GROUP BY product_shop.id_product ';
$result = Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS($sql);

PrestaShop rejected my module, saying there is an SQL injection error at line no. 4. So how can I resolve this, and how can I check, either online or offline, whether this kind of SQL injection exists in my file or not?
vekia Posted July 16, 2015

It's because of $this->context->cookie->__get('shortlist'). Someone can prepare the 'shortlist' cookie value to contain apostrophes, and based on this it is possible to create an SQL injection attack. Escape this variable.
NishantVadgama Posted July 16, 2015 (Author)

So how can I resolve this? This variable contains only an array of product IDs that I want to store temporarily. Or can I use it in a function call, if I write the above code in one function and pass that cookie as an array?
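One way to build the `shortlist` filter so that the cookie contents can never reach the query as anything but integers, as an added example that is not code from the original posts or from PrestaShop core. It assumes the cookie stores a JSON array (json_decode replaces the original unserialize call); the function names and the sample cookie values are constructed for the illustration.

```php
<?php
// Added example (not from the original post or PrestaShop core).
// The cookie is attacker-controlled, so every element is reduced to a positive
// integer before it is concatenated into SQL. pSQL() escapes quotes inside a
// string literal; it does not protect a bare numeric IN (...) list, which is
// why a value with apostrophes in the cookie was flagged as injectable.

/** Reduce an untrusted list to unique positive integers; everything else is dropped. */
function sanitizeProductIds(array $rawIds): array
{
    $ids = array();
    foreach ($rawIds as $raw) {
        // Only ints or pure digit strings pass; anything with quotes, spaces,
        // letters or a sign is rejected rather than escaped.
        if (is_int($raw) || (is_string($raw) && ctype_digit($raw))) {
            $id = (int)$raw;
            if ($id > 0) {
                $ids[$id] = $id; // keyed by value, so duplicates collapse
            }
        }
    }
    return array_values($ids);
}

/** Return the SQL fragment to append, or '' when no valid id remains. */
function shortlistSqlCondition(array $rawIds): string
{
    $ids = sanitizeProductIds($rawIds);
    if (empty($ids)) {
        return '';
    }
    // Safe to concatenate: the list now holds nothing but integers.
    return ' AND p.`id_product` IN (' . implode(',', $ids) . ')';
}

/** Assumption: the cookie holds a JSON array (json_decode instead of unserialize). */
function shortlistFromCookie(?string $cookieValue): string
{
    $decoded = json_decode((string)$cookieValue, true);
    return is_array($decoded) ? shortlistSqlCondition($decoded) : '';
}

// Constructed inputs: a normal shortlist and one carrying an apostrophe payload.
$normal  = json_encode(array(12, '7', 12));
$hostile = json_encode(array("5' OR '1'='1", -3, 'abc', '8'));
echo shortlistFromCookie($normal), "\n";
echo shortlistFromCookie($hostile), "\n";
```

In the module, $this->context->cookie->__get('shortlist') would be passed to shortlistFromCookie() in place of the pSQL(implode(...)) line from the original code.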