
XSS and SQL Injection prevention for new developers





I would like to start developing for PrestaShop and have a few questions to make sure any mods I make will be secure from SQL injection and XSS attacks.


Here are my questions:


1. Directly echoing user input

Does Smarty deal with cleaning up user input in $_GET and $_POST?

So I can safely echo the user input using:


Do I need to do anything else with the data to safely echo it onto the page?


2. Storing user input into a cookie and echoing or adding to database

To safely store data into a cookie should I use:

$cookie->my_field = Tools::getValue('my_field');


What do I need to do to the data to echo it back onto a page? Is this method secure?


$smarty->assign('my_field', $cookie->my_field);

Should I use Tools::safeOutput() here?



If I want to add the data in the cookie into the database is this fine?





3. To store the user input into a database is it safe to use this?

$my_field = Tools::getValue('my_field');
$my_field = pSQL($my_field);
$sql = "INSERT INTO "._DB_PREFIX_."table (my_field_col) VALUES ('$my_field')";



Or should I be cleaning up the input in another way?



Sorry if this is covered elsewhere. I know it seems a little basic, but I would like to make sure security is covered before I start thinking about any real development.


Many thanks; any other advice or help about this would be appreciated, or feel free to add anything I have not covered.

Edited by martynj1980 (see edit history)
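The input-to-cookie-to-database-to-page path the three questions describe, written out as an added example (not code from the post or from PrestaShop itself). It assumes PrestaShop 1.5 or later, where Tools::getValue(), pSQL(), Tools::safeOutput(), Validate::isGenericName() and Db::getInstance()->insert() exist; the table name `my_table`, the column `my_field_col` and the helper function names are placeholders.

```php
<?php
// Added example: each step escapes for the context it writes into, not "once up front".

// 1. Read and validate. Tools::getValue() only fetches the parameter (and handles
//    magic quotes); it does not make the value safe for HTML or SQL. Whitelisting
//    the expected shape is the first line of defence.
function readMyField()
{
    $value = Tools::getValue('my_field', '');   // '' when the parameter is absent
    if (!Validate::isGenericName($value)) {     // reject unexpected characters
        return '';
    }
    return $value;
}

// 2. Cookie. Store the validated raw value; HTML escaping belongs to the output
//    step, because a value encoded for HTML is wrong for SQL and vice versa.
function storeInCookie(Context $context, $value)
{
    $context->cookie->my_field = $value;
    $context->cookie->write();
}

// 3. Database. pSQL() escapes SQL quotes and, with its default second argument,
//    strips HTML tags. Db::insert() does NOT escape values for you, so pSQL()
//    still has to be applied to every value it receives.
function storeInDatabase($value)
{
    return Db::getInstance()->insert('my_table', array(
        'my_field_col' => pSQL($value),
    ));
}

// 4. Output. Tools::safeOutput() strips tags and HTML-encodes the rest (quotes
//    included), so the value can be printed in a template as {$my_field}.
//    The equivalent in the .tpl file would be {$my_field|escape:'htmlall':'UTF-8'}
//    applied to the raw value; do one or the other, not both, or entities double-encode.
function assignForTemplate(Context $context, $value)
{
    $context->smarty->assign('my_field', Tools::safeOutput($value));
}

// Typical flow inside a module or front controller method:
function handleMyField()
{
    $context = Context::getContext();
    $value = readMyField();
    storeInCookie($context, $value);
    storeInDatabase($value);
    assignForTemplate($context, $value);
}
```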