
BP-3353 Refactor SQL query for enhanced security #121

Merged
merged 1 commit into from
Jan 15, 2024

Conversation

vegimcarkaxhija
Contributor

  • Replaced direct string concatenation with DbQuery class in the query.
  • Added input sanitization using pSQL to prevent SQL injection vulnerabilities.

The update ensures that the query handling adheres to PrestaShop's best practices, enhancing both code maintainability and security.

Also fixed iDIN; after testing the new changes, I saw that iDIN was not appearing at all in checkout.


```php
$sql->select('buckaroo_idin');
$sql->from('bk_product_idin');
$sql->where('product_id = ' . pSQL($productId));
```
Contributor


Why aren't you using prepared statements?

Contributor


You can use `$sql->where('product_id = :product_id')->setParameter('product_id', pSQL($productId));`

Contributor Author


Method `setParameter` not found in `\DbQuery`


Contributor


Sorry, I saw this code https://github.com/buckaroo-it/PrestaShop/blob/develop/src/Repository/PaymentMethodRepository.php#L43-L44, but from what I see it uses the entity manager query builder, not the `\DbQuery` class.
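The thread ends with the two APIs being conflated: PrestaShop's legacy `DbQuery` has no `setParameter()`, and bound parameters are a feature of the Doctrine query builder used elsewhere in the module. The example below is added here and is not code from this PR or from the Buckaroo module; it shows the same lookup written both ways. The function names `getProductIdinFlag`, `findProductIdsByReference` and `getProductIdinFlagDoctrine`, and the injected `$connection`, are assumptions for illustration; the table and column names are taken from the reviewed snippet. One caveat a reviewer would want on the merged line itself: `pSQL()` escapes a value that will sit inside quotes in the generated SQL, so for an unquoted integer comparison such as `product_id = ...` the PrestaShop idiom is an `(int)` cast, which leaves no characters for an injection to work with.

```php
<?php
// Added example (not the PR's or the Buckaroo module's own code).
// Assumes PrestaShop's Db, DbQuery and pSQL() are loaded, e.g. inside a module,
// and that $connection is a Doctrine\DBAL\Connection obtained from the container.

/**
 * Integer condition with the legacy DbQuery builder.
 * (int) is the right guard for an unquoted numeric comparison; pSQL() is meant
 * for string literals that are wrapped in quotes in the generated SQL.
 */
function getProductIdinFlag(int $productId): bool
{
    $sql = new DbQuery();
    $sql->select('buckaroo_idin');
    $sql->from('bk_product_idin');          // DbQuery prepends _DB_PREFIX_ itself
    $sql->where('product_id = ' . (int) $productId);

    return (bool) Db::getInstance()->getValue($sql);
}

/**
 * String condition with DbQuery: pSQL() escapes the value and the value is
 * placed inside single quotes, so the two must always be used together.
 */
function findProductIdsByReference(string $reference): array
{
    $sql = new DbQuery();
    $sql->select('id_product');
    $sql->from('product');
    $sql->where("reference = '" . pSQL($reference) . "'");

    $rows = Db::getInstance()->executeS($sql);
    if (!is_array($rows)) {
        return [];
    }

    return array_map(static fn (array $row): int => (int) $row['id_product'], $rows);
}

/**
 * The same lookup with the Doctrine DBAL query builder, which is where the
 * setParameter() suggested in the review actually lives. The value is sent as a
 * bound parameter and never concatenated into the SQL text.
 * Assumes Doctrine DBAL 2.13+; on DBAL 3 replace execute() with executeQuery().
 */
function getProductIdinFlagDoctrine(\Doctrine\DBAL\Connection $connection, int $productId): bool
{
    $qb = $connection->createQueryBuilder();
    $qb->select('buckaroo_idin')
        ->from(_DB_PREFIX_ . 'bk_product_idin')   // no automatic prefix here
        ->where('product_id = :product_id')
        ->setParameter('product_id', $productId, \PDO::PARAM_INT);

    return (bool) $qb->execute()->fetchOne();
}
```

The DbQuery variants still build SQL text, so the escaping discipline (cast integers, `pSQL()` plus quotes for strings) has to be applied at every `where()`; the Doctrine variant moves that responsibility to the driver, which is the reason the reviewer asked for prepared statements in the first place.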

@vegimcarkaxhija vegimcarkaxhija merged commit b6527ba into develop Jan 15, 2024
1 check passed
@vegimcarkaxhija vegimcarkaxhija deleted the BP-3351-Prestashop-SQL-fix branch January 15, 2024 12:12
@Buckaroo-Rene Buckaroo-Rene changed the title Refactor SQL query for enhanced security BP-3353 Refactor SQL query for enhanced security Jan 15, 2024