
XSS and SQL Injection prevention for new developers


martynj1980


Hi,

I would like to start developing for PrestaShop and have a few questions to make sure any mods I make will be secure from SQL injection and XSS attacks.

Here are my questions:

1. Directly echoing user input

Does Smarty deal with cleaning up user input in $_GET and $_POST?

So I can safely echo the user input using:

{$smarty.post.my_field|escape:'htmlall':'UTF-8'}

Do I need to do anything else with the data to safely echo it onto the page?

2. Storing user input into a cookie and echoing or adding to database

To safely store data into a cookie, should I use:

$cookie->my_field = Tools::getValue('my_field');

What do I need to do to the data to echo it back onto a page? Is this method secure?

$smarty->assign('my_field', $cookie->my_field);

Should I use Tools::safeOutput() here?

{$my_field|escape:'htmlall':'UTF-8'}

If I want to add the data in the cookie into the database, is this fine?

pSQL($cookie->my_field)

3. To store the user input into a database, is it safe to use this?

$my_field = Tools::getValue('my_field');
$my_field = pSQL($my_field);
$sql = "insert into "._DB_PREFIX_."table (my_field_col) values ('$my_field')";

Or should I be cleaning up the input in another way?

Sorry if this is covered elsewhere. I know it seems a little basic, but I would like to make sure security is covered before I start thinking about any real development.

Many thanks. Any other advice or help about this would be appreciated, or if you would like to add anything I have not covered.

Edited by martynj1980
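Since the question is about where each escaping step belongs, here is an added example (not code from the original post or from PrestaShop itself) that puts the three sinks it mentions side by side: SQL, cookie and HTML output. It assumes a loaded PrestaShop runtime (Tools, Validate, pSQL(), Db, Context, Smarty); the table `my_table`, its columns, the `id_customer` parameter and the function name are hypothetical.

```php
<?php
// Added example, not code from the original post. It assumes the PrestaShop
// runtime is loaded (module or front controller), so Tools, Validate, pSQL(),
// Db, Context and Smarty are available. The table `my_table` and its columns
// are hypothetical; replace them with your module's own schema.

function saveAndDisplayMyField(Context $context)
{
    // Tools::getValue() only fetches the request value (POST before GET).
    // It does NOT escape for SQL or HTML, so every sink below escapes itself.
    $my_field    = Tools::getValue('my_field', '');
    $id_customer = (int) Tools::getValue('id_customer', 0); // cast, never pSQL, for ints

    // Validate before storing: this PrestaShop validator rejects < > = { } characters.
    if (!Validate::isGenericName($my_field)) {
        return false;
    }

    // SQL sink. pSQL() escapes a string for use INSIDE single quotes only;
    // an unquoted value gets no protection from it, hence the (int) cast above.
    //   unsafe: "... WHERE id_customer = ".Tools::getValue('id_customer')
    //   safe:   "... WHERE id_customer = ".(int) Tools::getValue('id_customer')
    $sql = 'INSERT INTO `'._DB_PREFIX_.'my_table` (`id_customer`, `my_field_col`)
            VALUES ('.$id_customer.', \''.pSQL($my_field).'\')';
    if (!Db::getInstance()->execute($sql)) {
        return false;
    }
    // Same insert through Db::insert(): the prefix is added for you, but the
    // values still have to be escaped by the caller exactly as above.
    // Db::getInstance()->insert('my_table', array(
    //     'id_customer' => $id_customer, 'my_field_col' => pSQL($my_field)));

    // Cookie sink. Store the raw value; escaping is done at each output, not at
    // storage time, otherwise the value ends up escaped twice.
    $context->cookie->my_field = $my_field;

    // HTML sink. Escape once, at display time. Either leave the value raw and
    // use {$my_field|escape:'htmlall':'UTF-8'} in the .tpl, or pre-escape in
    // PHP with Tools::safeOutput() and print that variable unescaped. Never both.
    $context->smarty->assign(array(
        'my_field'      => $context->cookie->my_field,                    // escape in template
        'my_field_safe' => Tools::safeOutput($context->cookie->my_field), // already escaped
    ));
    return true;
}
```

The rule that ties the three cases together: escape for the sink you are writing to, at the moment you write to it, and never for a sink you have not reached yet.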