Jump to content

SQL Injection error in php file


Recommended Posts

hello I have developed a module in with there is one php controller file in that file one sql query like I have written follows.

$sql = 'SELECT p.*, product_shop.*, stock.out_of_stock, IFNULL(stock.quantity, 0) as quantity, pl.`description`, pl.`description_short`, MAX(product_attribute_shop.id_product_attribute) id_product_attribute, pl.`link_rewrite`, pl.`meta_description`, pl.`meta_keywords`, pl.`meta_title`, pl.`name`, MAX(image_shop.`id_image`) id_image, il.`legend`, m.`name` AS manufacturer_name, DATEDIFF( p.`date_add`, DATE_SUB(NOW(), INTERVAL '.(Validate::isUnsignedInt(Configuration::get('PS_NB_DAYS_NEW_PRODUCT')) ? Configuration::get('PS_NB_DAYS_NEW_PRODUCT') : 20).' DAY)) > 0 AS new FROM `'._DB_PREFIX_.'product` p '.Shop::addSqlAssociation('product', 'p').' LEFT JOIN '._DB_PREFIX_.'product_attribute pa ON (pa.id_product = p.id_product) '.Shop::addSqlAssociation('product_attribute', 'pa', false, 'product_attribute_shop.default_on=1').''.Product::sqlStock('p', 0, false, $context->shop).'LEFT JOIN `'._DB_PREFIX_.'product_lang` pl ON (p.`id_product` = pl.`id_product` AND pl.`id_lang` = '.(int)$id_lang.Shop::addSqlRestrictionOnLang('pl').') LEFT JOIN `'._DB_PREFIX_.'image` i ON (i.`id_product` = p.`id_product`)'.Shop::addSqlAssociation('image', 'i', false, 'image_shop.cover=1').' LEFT JOIN `'._DB_PREFIX_.'image_lang` il ON (i.`id_image` = il.`id_image` AND il.`id_lang` = '.(int)$id_lang.') LEFT JOIN `'._DB_PREFIX_.'manufacturer` m ON (m.`id_manufacturer` = p.`id_manufacturer`) WHERE product_shop.`active` = 1 AND product_shop.`show_price` = 1';

if ($this->context->cookie->__isset('shortlist'))
	$sql = $sql.' AND p.`id_product` IN ('.pSQL(implode(', ', unserialize($this->context->cookie->__get('shortlist')))).')';

$sql = $sql.' GROUP BY product_shop.id_product ';

$result = Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS($sql);

prestashop reject my module by telling that sql injection error in line no 4. so how can I resolve this as well as how can I check either online or offline that in my file this kind of sql injection exist or not..?

Edited by NishantVadgama (see edit history)
Link to comment
Share on other sites

its because of $this->context->cookie->__get('shortlist')

someone can prepare cookie shortlist value to be with apostrophes and based on this it is possible to create sql injection attack

escape this variable 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...