Kerm Posted June 10, 2016
I am trying to place my module on Addons, and got a "Technical Validation Declined" message with this explanation:
You have security issues, please review all your SQL requests and cast all the variables in it (pSQL, int...) Eg: INET_ATON("'.(empty($ip)?'':$ip).'"),
And I did not understand what I should do. Must all the variables in SQL queries be like this: '.(empty($ip)?'':$ip).' ?
rocky Posted June 12, 2016
You need to sanitise the variables in your SQL queries. Cast each variable using (int) if it is an integer, (float) if it is a decimal number, or use the pSQL function if it is a string. For example:

    // execute() is for INSERT/UPDATE/DELETE; executeS() is for queries that return rows
    Db::getInstance()->execute('
        INSERT INTO `'._DB_PREFIX_.'cms_lang`
            (`id_cms`, `id_lang`, `id_shop`, `meta_title`, `meta_description`, `meta_keywords`, `content`, `link_rewrite`)
        VALUES (
            '.(int)$id_cms.',
            '.(int)$id_lang.',
            '.(int)$id_shop.',
            "'.pSQL($meta_title).'",
            "'.pSQL($meta_description).'",
            "'.pSQL($meta_keywords).'",
            "'.pSQL($content).'",
            "'.pSQL($link_rewrite).'"
        )');
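As an added example (not code from this thread or from PrestaShop core), here is a small module helper in the same style, built around the INET_ATON() line the validator quoted in the first post. The table `mymodule_visit`, its columns and the class name are assumptions made for the illustration; `Db::getInstance()`, `pSQL()` and `_DB_PREFIX_` are the PrestaShop APIs rocky's answer uses. It puts the unsafe query next to its cast-and-escaped form, and also covers the one case casting does not handle: a column name taken from user input for ORDER BY, which has to be checked against a fixed list because pSQL() only protects string literals, not identifiers.

```php
<?php
/**
 * Added example for this thread, not PrestaShop core code.
 * Assumed table: PREFIX_mymodule_visit
 *   (id_visit INT AUTO_INCREMENT, id_customer INT, id_shop INT,
 *    ip INT UNSIGNED, note VARCHAR(255), amount DECIMAL(20,6))
 */
class MyModuleVisit
{
    /**
     * What the Addons validator declines: every value is pasted into the
     * query as-is. A double quote inside $note (or $ip) closes the string
     * literal and whatever follows is parsed as SQL; $id_customer and
     * $amount are not even quoted, so they need no quote to break out.
     */
    public static function insertUnsafe($id_customer, $id_shop, $ip, $note, $amount)
    {
        return Db::getInstance()->execute('
            INSERT INTO `'._DB_PREFIX_.'mymodule_visit`
                (`id_customer`, `id_shop`, `ip`, `note`, `amount`)
            VALUES ('.$id_customer.', '.$id_shop.', INET_ATON("'.(empty($ip) ? '' : $ip).'"), "'.$note.'", '.$amount.')');
    }

    /**
     * The same insert with each variable cast or escaped according to its
     * type: (int) for ids, (float) for the decimal amount, pSQL() for the
     * two strings. The IP is additionally validated before it reaches
     * INET_ATON(), so a garbage value becomes 0.0.0.0 instead of NULL.
     */
    public static function insert($id_customer, $id_shop, $ip, $note, $amount)
    {
        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
            $ip = '0.0.0.0';
        }

        return Db::getInstance()->execute('
            INSERT INTO `'._DB_PREFIX_.'mymodule_visit`
                (`id_customer`, `id_shop`, `ip`, `note`, `amount`)
            VALUES (
                '.(int)$id_customer.',
                '.(int)$id_shop.',
                INET_ATON("'.pSQL($ip).'"),
                "'.pSQL($note).'",
                '.(float)$amount.'
            )');
    }

    /**
     * Read side: WHERE and LIMIT values are cast the same way. The sort
     * column cannot be escaped (pSQL() is for string literals only), so it
     * is accepted only if it matches a known column, else a default is used.
     */
    public static function getByCustomer($id_customer, $order_by = 'id_visit', $limit = 10)
    {
        $allowed_columns = array('id_visit', 'amount');
        if (!in_array($order_by, $allowed_columns, true)) {
            $order_by = 'id_visit';
        }

        return Db::getInstance()->executeS('
            SELECT `id_visit`, INET_NTOA(`ip`) AS `ip`, `note`, `amount`
            FROM `'._DB_PREFIX_.'mymodule_visit`
            WHERE `id_customer` = '.(int)$id_customer.'
            ORDER BY `'.$order_by.'` DESC
            LIMIT '.(int)$limit);
    }
}
```

Two points worth keeping in mind when applying this to a real module. First, the cast has to happen at the point of concatenation: validating `$id_customer` elsewhere and then pasting it raw is still flagged, because the validator looks at the query string itself. Second, in PrestaShop 1.6 `pSQL()` strips HTML by default; for a column that legitimately holds HTML (such as the `content` column in rocky's example) pass `true` as its second argument so the markup survives while quotes are still escaped.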
Kerm Posted June 14, 2016 Author
Thanks rocky. I've just never seen such solutions in the PrestaShop original code.
Kerm Posted June 14, 2016 Author
Is there no error in your code? '.pSQL($content).' Doesn't it need double quotes? "'.pSQL($content).'" ?
rocky Posted June 14, 2016
Oh, you're right. My mistake. I've updated my post.