gostbuster
Posted January 21, 2015

Hi guys,

I know that PrestaShop is protected against SQL injections; I read that on forums and have no problem trusting that point.

But I was playing with the code, and there must be a basic thing I am missing, but I'm able to do an SQL injection, at least to get a hacked result from the database.

Imagine I have a customer table like:

    customer(id, username, email, firstname, lastname)

And on the other hand a form asking for username (field added and class overridden) and email (to get firstname and lastname).

The code for the SQL request should be:

    $query = new DbQuery();
    $query->select('firstname');
    $query->from('customer');
    $query->where('username = "'.(string)$username.'"');
    $query->where('email = "'.(string)$email.'"');
    return Db::getInstance(_PS_USE_SQL_SLAVE_)->getValue($query);

In the form I typed:

    login: testuser
    password: " OR '1' = '1' OR ""="

The SQL query passed to the server is:

    SELECT firstname,lastname FROM `vdh_customer` WHERE (username = "testuser") AND (email = "" OR '1' = '1' OR ""="")

And it gives me back a result....

Is that considered SQL INJECTION? Or am I doing something really bad like a newbie?

Thanks for your advice, I'm getting lost with that and troubling my mind.
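The behaviour described in the post, reproduced as an added example (not the poster's code and not PrestaShop's own): the concatenated query returns the customer's first name without a matching email, while the same lookup with bound parameters does not. It assumes an in-memory SQLite database through PDO in place of the shop's MySQL, a constructed `customer` row, and the hypothetical helper names `lookupConcatenated` and `lookupBound`.

```php
<?php
// In-memory SQLite stands in for the shop database (assumption of this example).
// Default SQLite builds, like MySQL in its default mode, accept "..." as a string literal.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customer (id INTEGER PRIMARY KEY, username TEXT,
           email TEXT, firstname TEXT, lastname TEXT)');
// Constructed sample row.
$db->exec("INSERT INTO customer (username, email, firstname, lastname)
           VALUES ('testuser', 'test@example.com', 'Test', 'User')");

// Same construction as in the post: form values are pasted into the WHERE clause,
// so quote characters in a value are parsed as SQL syntax.
function lookupConcatenated(PDO $db, string $username, string $email)
{
    $sql = 'SELECT firstname FROM customer'
         . ' WHERE (username = "' . $username . '")'
         . ' AND (email = "' . $email . '")';
    return $db->query($sql)->fetchColumn();
}

// Bound parameters: the values are sent separately and never become SQL text.
function lookupBound(PDO $db, string $username, string $email)
{
    $stmt = $db->prepare(
        'SELECT firstname FROM customer WHERE username = :u AND email = :e'
    );
    $stmt->execute([':u' => $username, ':e' => $email]);
    return $stmt->fetchColumn();
}

// The value typed into the form in the post.
$email = '" OR \'1\' = \'1\' OR ""="';

var_dump(lookupConcatenated($db, 'testuser', $email));       // email condition is rewritten by the input
var_dump(lookupBound($db, 'testuser', $email));              // input is compared as a plain string
var_dump(lookupBound($db, 'testuser', 'test@example.com'));  // legitimate lookup still works

// Inside PrestaShop, the DbQuery form of the fix is to escape each value with pSQL():
//   $query->where('username = "'.pSQL($username).'"');
//   $query->where('email = "'.pSQL($email).'"');
```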