admin_webs, Posted July 28, 2013
I was shocked when I looked into MySQL.php. There were no functions that validate entered values!!! How can you write it? And MySQL recommends using the mysqli extension, but you are still using mysql. Version 1.4.8.
vekia, Posted July 28, 2013
Have you checked other classes? There are many validation functions related to the variables used in the mysql.php.
admin_webs (Author), Posted July 28, 2013 (edited)
> Have you checked other classes? There are many validation functions related to the variables used in the mysql.php.
Yes I have. But it seems it must be realized in the db class, no?
Edited July 28, 2013 by admin_webs
vekia, Posted July 28, 2013
But the whole data is validated in other classes. In simple words, PrestaShop is based on "Objects" with their own definition of the fields, where the validation process cleans / removes dangerous data. This is how PrestaShop validates fields before ANY usage of the mysql class. I just wanted to say that PrestaShop is a safe script. Try to find some SQL injections, vulnerabilities etc. - you will see that this isn't possible in a default PrestaShop installation.
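To make the approach vekia describes concrete, here is an added example (not PrestaShop's own ObjectModel code): a record class that declares each field's SQL type and validator, so every value is checked and typed before any query is built from it. The field names, validator names and the request input are constructed for illustration.

```php
<?php
// Added example, not PrestaShop code: a field definition that validates
// and types every value before it can reach a query. Field names and
// validators are constructed for illustration.

class ProductRecord {
    // Each field declares its SQL type and a validator; anything not listed is dropped.
    public static array $definition = [
        'id_product' => ['type' => 'int',    'validate' => 'isUnsignedInt'],
        'name'       => ['type' => 'string', 'validate' => 'isGenericName', 'size' => 128],
        'price'      => ['type' => 'float',  'validate' => 'isPrice'],
    ];

    public static function isUnsignedInt($v): bool { return is_numeric($v) && (int)$v == $v && (int)$v >= 0; }
    public static function isGenericName($v): bool { return is_string($v) && preg_match('/^[^<>={}]*$/u', $v) === 1; }
    public static function isPrice($v): bool      { return is_numeric($v) && (float)$v >= 0; }

    /** Returns the cleaned, typed fields plus a list of errors; rejected values never reach SQL. */
    public static function validate(array $input): array {
        $clean = [];
        $errors = [];
        foreach (self::$definition as $field => $spec) {
            if (!array_key_exists($field, $input)) {
                continue;
            }
            $value = $input[$field];
            if (isset($spec['size']) && is_string($value) && mb_strlen($value) > $spec['size']) {
                $errors[] = "$field exceeds {$spec['size']} characters";
                continue;
            }
            if (!call_user_func([self::class, $spec['validate']], $value)) {
                $errors[] = "$field failed {$spec['validate']}";
                continue;
            }
            // Cast to the declared type, so an "int" field can only ever be an int in the query.
            $clean[$field] = match ($spec['type']) {
                'int'   => (int)$value,
                'float' => (float)$value,
                default => (string)$value,
            };
        }
        return ['fields' => $clean, 'errors' => $errors];
    }
}

// Constructed request input: a tampered id, a name with markup, one valid price
// and an unknown key that the definition silently drops.
$result = ProductRecord::validate([
    'id_product' => '7 OR 1=1',
    'name'       => 'Mug <script>',
    'price'      => '4.50',
    'extra'      => 'ignored',
]);
print_r($result);
```

The point of the pattern is that the query-building code only ever sees `$result['fields']`, whose values already carry the declared type; the caller decides what to do with `$result['errors']` (refuse the request, in a web controller).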
admin_webs (Author), Posted July 28, 2013 (edited)
> I just wanted to say that PrestaShop is a safe script.
I haven't checked all classes, but if some developer uses your class and creates a module where there is no vars validation - it isn't a safe script. As for me, the class responsible for the DB handler must be safe! There are many free libraries you can use.
Edited July 28, 2013 by admin_webs
GrzegorzZ, Posted July 28, 2013 (edited)
Dear admin_webs, first of all, there is the pSQL function used everywhere that returns an escaped string (and strips html if needed). Secondly, all numbers should be escaped with intval/floatval or cast to int/float. Sorry, but you sound like you just started programming and read a bit about SQL Injection and try to be smart. Remember one thing: IT'S YOUR responsibility to escape strings. Don't try to find a program that will correct all your errors. You got a brain, the computer doesn't - and none can predict all mistakes. + all those functions/classes that convert arrays to escaped SQL queries are for beginners who don't give a f**** about performance.
> As for me, the class responsible for the DB handler must be safe! There are many free libraries you can use.
As for me a programmer must know what he's doing.
Edited July 28, 2013 by GacekSSJ4
admin_webs (Author), Posted July 28, 2013 (edited)
> Dear admin_webs, sorry, but you sound like you just started programming and read a bit about SQL Injection and try to be smart. As for me a programmer must know what he's doing.
I have programmed for over six years. And I have looked at many Presta modules that are terrible, but users are installing them. And it would be nice to have some default protection realized in the class. But it is the Presta devs' priority.
Edited July 28, 2013 by admin_webs
GrzegorzZ, Posted July 28, 2013
Ok. Now I better understand your point. However, even if someone implements anything like that into the DB class (query builders you mean, I assume), that will not guarantee that anyone will use them. Programming is for people who know what they do. Not for beginners who have no idea what they do! Or more like it, if they're beginners and don't know what to do they shouldn't do things for others and give their services. For example PDO, you can build queries from arrays, but you can also execute your own query - and what will prevent people from using it?
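The three defences this thread circles around (casting numbers with intval/floatval, escaping strings the way pSQL does, and PDO prepared statements that bypass string building altogether) side by side, as an added example that is not PrestaShop code and not from either poster. It uses PDO with the sqlite driver and an in-memory database so it runs offline; the product table and the inputs are constructed. PDO::quote stands in for pSQL here (assumption: same role of returning an escaped string literal, different function), and the last function deliberately keeps the raw concatenation GrzegorzZ says nothing can stop a developer from writing, so the difference is visible.

```php
<?php
// Added example (not PrestaShop code): number casting, string escaping and
// prepared statements against an in-memory SQLite database.
// Assumptions: PDO with the sqlite driver; a constructed 'product' table.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE product (id_product INTEGER PRIMARY KEY, name TEXT, price REAL)');
$db->exec("INSERT INTO product VALUES (1, 'Mug', 4.50), (2, 'T-shirt', 12.00), (3, 'Poster', 7.25)");

// 1. Numbers: cast before interpolation. intval() reduces a tampered value
//    such as "1 OR 1=1" to the integer 1, so nothing else reaches the SQL text.
function findById(PDO $db, $rawId): ?array {
    $id = intval($rawId);
    $row = $db->query("SELECT id_product, name FROM product WHERE id_product = $id")
              ->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// 2. Strings: escape with the driver's quoting, used here as a stand-in for
//    pSQL() (assumption). PDO::quote returns the value already wrapped in
//    single quotes, with embedded quotes doubled, so the literal cannot be closed early.
function findByNameEscaped(PDO $db, string $rawName): array {
    $quoted = $db->quote($rawName);
    return $db->query("SELECT id_product, name FROM product WHERE name = $quoted")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statements: the value is bound separately and never becomes SQL text.
function findByNamePrepared(PDO $db, string $rawName): array {
    $stmt = $db->prepare('SELECT id_product, name FROM product WHERE name = :name');
    $stmt->execute([':name' => $rawName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 4. Raw concatenation, kept only for contrast: a quote inside the input ends
//    the string literal and the rest of the input becomes part of the WHERE clause.
function findByNameUnsafe(PDO $db, string $rawName): array {
    return $db->query("SELECT id_product, name FROM product WHERE name = '$rawName'")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a non-numeric id and a name containing a single quote.
$tamperedId   = "1 OR 1=1";
$tamperedName = "x' OR '1'='1";

var_dump(findById($db, $tamperedId));
var_dump(count(findByNameEscaped($db, $tamperedName)));
var_dump(count(findByNamePrepared($db, $tamperedName)));
var_dump(count(findByNameUnsafe($db, $tamperedName)));
```

Run it and compare the four counts: the cast, the escaped literal and the prepared statement each match no row for the tampered name, while the raw concatenation in the last function matches every row in the table. That last case is the one a DB class cannot prevent once it also exposes a plain query() method, which is exactly the point made about PDO above.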