PrestaShop Validator: SQL security issues

Good evening, I am running the PrestaShop validator on my module. The error it reports:

Your module contains security issues. - Make sure that your data is always protected when doing an insertion. For instance, make sure that you do have an integer with an explicit (int) cast, and that text is protected against SQL injections thanks to the pSQL() method. - Be careful (string) is not a secured cast, you must pSQL.

The insert queries I use are as follows:

Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_list_filter (name, content) VALUES ("'.$t['filter_template_name'].'","'.  str_replace('"', '\"', serialize($t)).'")');

Db::getInstance()->execute('INSERT IGNORE INTO `'._DB_PREFIX_.'ff_people` (`field`,`list`) VALUES ("'.$c->email.'",'.$listId.')');

Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_custom_field (field, list) VALUES ("'.$field.'"," ","'.$list.'")');

Have you seen anything like this before?

The PrestaShop Addons validation process is very strict. This error means that you should cast or escape every external parameter used in an SQL statement. It should look like this:

Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_list_filter (name, content) VALUES ("'. pSQL($t['filter_template_name']).'","'.  pSQL(str_replace('"', '\"',  serialize($t))).'")');

If your parameter is not a string, you should cast it directly to the corresponding type:

Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_list_filter (name, content) VALUES ("'. (int) $t['id_int'].'","'.  pSQL(str_replace('"', '\"',  serialize($t))).'")');

An additional suggestion: you can make more use of PrestaShop's Db class for insert, update and delete statements. That avoids simple quoting mistakes and similar errors:

Db::getInstance()->insert('ff_list_filter', array('name' => pSQL($t['filter_template_name']), 'content' => pSQL(str_replace('"', '\"',  serialize($t)))));

Good luck.
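As an added example that is not part of the answer above or of PrestaShop's own code, here are the three inserts from the question rewritten the way the validator expects: text columns pass through pSQL(), integer columns get an explicit (int) cast, and the queries go through Db::insert() so the quoting is handled by the Db class. It assumes it runs inside a PrestaShop module where Db, pSQL(), Validate::isEmail() and the Db::INSERT_IGNORE constant are available; the class name FfListInserts and the column types of ff_custom_field are assumptions (the question's third query lists two columns but three values, so only `field` and `list` are used here).

```php
<?php
// Added example (not from the original post). Assumes a PrestaShop module
// context: Db, pSQL(), Validate and Db::INSERT_IGNORE are provided by the core.

class FfListInserts
{
    // Text column: pSQL() escapes quotes and backslashes for MySQL.
    // A (string) cast only changes the PHP type; it does not escape anything,
    // so it is not a substitute for pSQL().
    public static function saveFilter(array $t)
    {
        return Db::getInstance()->insert(
            'ff_list_filter',                 // _DB_PREFIX_ is added by Db::insert()
            array(
                'name'    => pSQL($t['filter_template_name']),
                // pSQL() already escapes the double quotes inside the serialized
                // string, so the extra str_replace('"', '\"', ...) from the question
                // is not needed and would double-escape the stored data.
                'content' => pSQL(serialize($t)),
            ),
            false,               // no NULL-value handling needed
            true,                // use query cache (default)
            Db::INSERT_IGNORE    // keeps the INSERT IGNORE semantics of the original
        );
    }

    // Integer column: explicit (int) cast, never a quoted string.
    public static function subscribe($email, $listId)
    {
        // Reject malformed addresses before they reach the database at all.
        if (!Validate::isEmail($email)) {
            return false;
        }

        return Db::getInstance()->insert(
            'ff_people',
            array(
                'field' => pSQL($email),
                'list'  => (int) $listId,
            ),
            false,
            true,
            Db::INSERT_IGNORE
        );
    }

    // Assumed column types: `field` text, `list` integer.
    public static function addCustomField($field, $list)
    {
        return Db::getInstance()->insert(
            'ff_custom_field',
            array(
                'field' => pSQL($field),
                'list'  => (int) $list,
            ),
            false,
            true,
            Db::INSERT_IGNORE
        );
    }
}

// Example call from a module controller (values would normally come from
// Tools::getValue(); the literals here are constructed sample data):
// FfListInserts::subscribe('user@example.com', '12');
```

Db::insert() quotes each value but does not escape it, which is why pSQL() and the (int) cast still appear on the values themselves; the benefit of the helper is that column names, value quoting and the table prefix are assembled for you, so a stray `"` in a hand-built string can no longer break the statement.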