晚上好 我正在验证我的表单上的 PrestaShop。 错误反射(reflect):
Your module contains security issues. - Make sure that your data is always protected when doing an insertion. For instance, make sure that you do have an integer with an explicit (int) cast, and that text is protected against SQL injections thanks to the pSQL() method. - Be careful (string) is not a secured cast, you must pSQL.
我使用的插入查询如下:
Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_list_filter (name, content) VALUES ("'.$t['filter_template_name'].'","'. str_replace('"', '\"', serialize($t)).'")');
或
Db::getInstance()->execute('INSERT IGNORE INTO `'._DB_PREFIX_.'ff_people` (`field`,`list`) VALUES ("'.$c->email.'",'.$listId.')');
或
Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_custom_field (field, list) VALUES ("'.$field.'"," ","'.$list.'")');
你见过这样的事吗?
最佳答案
Prestashop Addons 验证过程非常精巧。此错误意味着您应该强制转换您在 SQL 语句中使用的所有外部参数。应该是这样的:
Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_list_filter (name, content) VALUES ("'. pSQL($t['filter_template_name']).'","'. pSQL(str_replace('"', '\"', serialize($t))).'")');
如果您的参数类型不是字符串,您应该直接转换为相应的类型:
Db::getInstance()->execute('INSERT IGNORE INTO '._DB_PREFIX_.'ff_list_filter (name, content) VALUES ("'. (int) $t['id_int'].'","'. pSQL(str_replace('"', '\"', serialize($t))).'")');
补充建议。您可以在插入、更新和删除语句中使用更多 Prestashop 的 DB 类。这样可以避免简单的引号错误或类似错误:
Db::getInstance()->insert('ff_list_filter', array('name' => pSQL($t['filter_template_name']), 'content' => pSQL(str_replace('"', '\"', serialize($t)))));
祝你好运。
关于php - PrestaShop 验证程序 : SQL security issues,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/40914957/