Merge branch 'hotfix/escape-queries'

Nosto · Dec 21, 2016 · 5e25cda · 5e25cda
2 parents 4ac32c9 + f50038e
commit 5e25cda
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 40 deletions.
diff --git a/classes/helpers/config.php b/classes/helpers/config.php
@@ -111,8 +111,8 @@ public function exists($name, $lang_id = null, $id_shop_group = null, $id_shop =
      */
     public function purge()
     {
-        $config_table = _DB_PREFIX_ . 'configuration';
-        $config_lang_table = $config_table . '_lang';
+        $config_table = pSQL(_DB_PREFIX_ . 'configuration');
+        $config_lang_table = pSQL($config_table . '_lang');
 
         Db::getInstance()->execute(
             'DELETE `' . $config_lang_table . '` FROM `' . $config_lang_table . '`

diff --git a/classes/helpers/customer.php b/classes/helpers/customer.php
@@ -41,7 +41,7 @@ class NostoTaggingHelperCustomer
      */
     public static function getCustomerLinkTableName()
     {
-        return _DB_PREFIX_.self::TABLE_NAME_CUSTOMER_LINK;
+        return pSQL(_DB_PREFIX_.self::TABLE_NAME_CUSTOMER_LINK);
     }
 
     /**
@@ -171,9 +171,9 @@ public function getNostoId(Order $order)
     public function getCustomerReference(Customer $customer)
     {
         $sql = sprintf(
-            'SELECT `customer_reference` FROM `%s` WHERE `id_customer` = \'%s\'',
+            'SELECT `customer_reference` FROM `%s` WHERE `id_customer` = \'%d\'',
             self::getCustomerReferenceTableName(),
-            $customer->id
+            (int)$customer->id
         );
 
         return Db::getInstance()->getValue($sql);
@@ -191,15 +191,16 @@ public function saveCustomerReference(Customer $customer, $reference)
     {
         $table = self::getCustomerReferenceTableName();
         $customer_reference = pSQL($reference);
+        $customer_id = (int)$customer->id;
         $data = array(
-            'id_customer' => $customer->id,
+            'id_customer' => $customer_id,
             'customer_reference' => $customer_reference
         );
         $existing_id = Db::getInstance()->getRow(
             sprintf(
-                'SELECT id_customer FROM `%s` WHERE id_customer = \'%s\'',
+                'SELECT id_customer FROM `%s` WHERE id_customer = \'%d\'',
                 $table,
-                $customer->id
+                $customer_id
             )
         );
         if (empty($existing_id)) {
@@ -211,8 +212,8 @@ public function saveCustomerReference(Customer $customer, $reference)
         } else {
             unset($data['id_customer']);
             $where = sprintf(
-                'id_customer=\'%s\'',
-                $customer->id
+                'id_customer=\'%d\'',
+                $customer_id
             );
             if (_PS_VERSION_ >= '1.5') {
                 return Db::getInstance()->update($table, $data, $where, 0, false, true, false);

diff --git a/classes/helpers/url.php b/classes/helpers/url.php
@@ -85,7 +85,7 @@ public function getPreviewUrlCategory($id_category = null, $id_lang = null)
             // Find a category that is active, not the root category and has a parent category.
                 $sql = '
                     SELECT `id_category`
-                    FROM `'._DB_PREFIX_.'category`
+                    FROM `'.pSQL(_DB_PREFIX_).'category`
                     WHERE `active` = 1
                     AND `id_parent` > 0
 				';

diff --git a/classes/models/order.php b/classes/models/order.php
@@ -451,7 +451,7 @@ protected function getProductAttributeCombinationsById($product, $id_product_att
             return $product->getAttributeCombinationsById($id_product_attribute, $id_lang);
         }
 
-        return Db::getInstance()->ExecuteS(
+        return Db::getInstance()->executeS(
             'SELECT
                 pa.*,
                 ag.`id_attribute_group`,
@@ -460,32 +460,32 @@ protected function getProductAttributeCombinationsById($product, $id_product_att
                 al.`name` attribute_name,
                 a.`id_attribute`,
                 pa.`unit_price_impact`
-			FROM
-			  `'._DB_PREFIX_.'product_attribute` pa
-			LEFT JOIN
-			    `'._DB_PREFIX_.'product_attribute_combination` pac
-			    ON pac.`id_product_attribute` = pa.`id_product_attribute`
-			LEFT JOIN
-			    `'._DB_PREFIX_.'attribute` a ON a.`id_attribute` = pac.`id_attribute`
-			LEFT JOIN
-			    `'._DB_PREFIX_.'attribute_group` ag
-			    ON ag.`id_attribute_group` = a.`id_attribute_group`
-			LEFT JOIN
-			    `'._DB_PREFIX_.'attribute_lang` al
-			    ON (a.`id_attribute` = al.`id_attribute` AND al.`id_lang` = '.(int)($id_lang).')
-			LEFT JOIN
-			    `'._DB_PREFIX_.'attribute_group_lang` agl
-			    ON (
-			        ag.`id_attribute_group` = agl.`id_attribute_group`
-			        AND agl.`id_lang` = '.(int)($id_lang).'
-			    )
-			WHERE
-			    pa.`id_product` = '.(int)($product->id).'
-			AND
-			    pa.`id_product_attribute` = '.(int)$id_product_attribute.'
-			GROUP BY
-			    pa.`id_product_attribute`, ag.`id_attribute_group`
-			ORDER BY pa.`id_product_attribute`'
+            FROM
+              `'._DB_PREFIX_.'product_attribute` pa
+            LEFT JOIN
+                `'._DB_PREFIX_.'product_attribute_combination` pac
+                ON pac.`id_product_attribute` = pa.`id_product_attribute`
+            LEFT JOIN
+                `'._DB_PREFIX_.'attribute` a ON a.`id_attribute` = pac.`id_attribute`
+            LEFT JOIN
+                `'._DB_PREFIX_.'attribute_group` ag
+                ON ag.`id_attribute_group` = a.`id_attribute_group`
+            LEFT JOIN
+                `'._DB_PREFIX_.'attribute_lang` al
+                ON (a.`id_attribute` = al.`id_attribute` AND al.`id_lang` = '.(int)($id_lang).')
+            LEFT JOIN
+                `'._DB_PREFIX_.'attribute_group_lang` agl
+                ON (
+                    ag.`id_attribute_group` = agl.`id_attribute_group`
+                    AND agl.`id_lang` = '.(int)($id_lang).'
+                )
+            WHERE
+                pa.`id_product` = '.(int)($product->id).'
+            AND
+                pa.`id_product_attribute` = '.(int)$id_product_attribute.'
+            GROUP BY
+                pa.`id_product_attribute`, ag.`id_attribute_group`
+            ORDER BY pa.`id_product_attribute`'
         );
     }
 }
diff --git a/controllers/front/order.php b/controllers/front/order.php
@@ -98,7 +98,7 @@ protected function getOrderIds()
                 LIMIT %d
                 OFFSET %d
             ',
-            _DB_PREFIX_,
+            pSQL(_DB_PREFIX_),
             $where,
             $this->limit,
             $this->offset
@@ -109,6 +109,7 @@ protected function getOrderIds()
         foreach ($rows as $row) {
             $order_ids[] = (int)$row['id_order'];
         }
+
         return $order_ids;
     }
 }
diff --git a/controllers/front/product.php b/controllers/front/product.php
@@ -81,7 +81,7 @@ protected function getProductIds()
                 LIMIT %d
                 OFFSET %d
             ',
-            _DB_PREFIX_,
+            pSQL(_DB_PREFIX_),
             $this->limit,
             $this->offset
         );
@@ -90,6 +90,7 @@ protected function getProductIds()
         foreach ($rows as $row) {
             $product_ids[] = (int)$row['id_product'];
         }
+
         return $product_ids;
     }
 }