Jump to content

Sql injection and casting variable in sql statement help.


Recommended Posts

I am facing error regarding sql injection and casting variable in sql statement.


How to cast variable to avoid sql injection.


Example 1


$some_varible = Tools::getValue('some_text');
if (!Db::getInstance()->Execute(' UPDATE `'._DB_PREFIX_.'table` SET column ="'.$some_varible.'"  '))


Example 2


$single = "'";
$double = '"';
$sql = 'UPDATE `'._DB_PREFIX_.'table` SET column1 = '.$single.$double.$column1.$double.$single.' ,
column2 = '.$single.$double.$column2.$double.$single.' WHERE id_table='.$row['id_table'].' ';



Any Idea?



Share this post

Link to post
Share on other sites

Nice question. Thanks for such good question to generate explicit problem with query. But Prestashop has very nice solution for this, use pSQL function to avoid any manual casting of string variable. For float you can use (float) and for Integer you can use (int). But, in your case pSQL is the best solution.
It is in /config/alias.php like this

    function pSQL($string, $htmlOK = false)
        // Avoid thousands of "Db::getInstance()"...
        static $db = false;
        if (!$db)
            $db = Db::getInstance();

        return $db->escape($string, $htmlOK);

Edited by Vipul Hadiya (see edit history)

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Create New...

Important Information

Cookies ensure the smooth running of our services. Using these, you accept the use of cookies. Learn More