Prestashop Tools::getValue() function do not escape sql injection?
Question
I read in prestashop forum that the function Tools::getValue() do not escape sql injection. Now I wonder how I can prevent this function from sql injection when I want to get string or int value?
Can somebody show me example?
1 answers
solution1
9 ACCPTED 2016-08-07 20:15:36
Tools::getValue() only retrieves POST or GET value.
To prevent SQL injection you can use pSQL() function or for int values you can do typecasting.
$int_val = (int)Tools::getValue('someValue');
$string_val = pSQL(Tools::getValue('someValue'));
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Post Prestashop Form with Ajax - Tools::getValue()
Make a Legacy Escape Function SQL injection Safe in PHP?
How to escape sql injection from HANA placeholder
Do I need mysqli_string_escape statement to avoid sql injection
Do I need to escape data to protect against SQL injection when using bind_param() on MySQLi?
Prevent SQL Injection: Do I need to escape input before binding values into a PDO query
Sql injection mysql_real_escape_string
Is this function vulnerable to SQL injection?
SQL Injection function of ' — +'
Do i have to escape input using mysqli_real_escape_string even though i check it using is_numeric to prevent sql injection
Related Tags