From 1d6fa83e4ead80098e5fa938cff11dd660e89763 Mon Sep 17 00:00:00 2001 From: RaphaelL Date: Mon, 9 Oct 2023 08:49:00 +0200 Subject: [PATCH] secure int list #2 Thanks to @jf-viguier --- classes/cartCleaner.php | 3 ++- classes/customerCleaner.php | 2 +- classes/orderCleaner.php | 21 ++++++++++--------- classes/productCleaner.php | 2 +- classes/resetCleaner.php | 10 +++++---- .../admin/AdminCleanCartController.php | 2 +- .../admin/AdminCleanCustomerController.php | 2 +- .../admin/AdminCleanOrderController.php | 4 ++-- .../admin/AdminCleanProductController.php | 4 ++-- 9 files changed, 27 insertions(+), 23 deletions(-) diff --git a/classes/cartCleaner.php b/classes/cartCleaner.php index b0d19c7..d23243e 100644 --- a/classes/cartCleaner.php +++ b/classes/cartCleaner.php @@ -120,9 +120,10 @@ public function processDelete($id_carts) { $tables = self::getCartsRelatedTables(); $res = true; + $carts_list = implode(',', array_map('intval', $id_carts)); foreach ($tables as $table) { - $res &= $this->db->delete(bqSQL($table), 'id_cart IN (' . pSQL(implode(',', $id_carts)) . ')'); + $res &= $this->db->delete(bqSQL($table), 'id_cart IN (' . pSQL($carts_list) . ')'); if ($affected_rows = $this->db->Affected_Rows()) { $this->db->execute('ANALYZE TABLE ' . _DB_PREFIX_ . bqSQL($table)); $this->output[$table] = (int) $affected_rows; diff --git a/classes/customerCleaner.php b/classes/customerCleaner.php index 30c711a..0b284f0 100644 --- a/classes/customerCleaner.php +++ b/classes/customerCleaner.php @@ -97,7 +97,7 @@ public function deleteCustomers($id_customers = null) $logs = ''; $this->context->controller->confirmations[] = $this->module->l('Success!', 'customerCleaner'); - $this->context->controller->confirmations[] = sprintf($this->module->l('%s customer(s) deleted.'), $nbDeleted); + $this->context->controller->confirmations[] = sprintf($this->module->l('%s customer(s) deleted.', 'customerCleaner'), $nbDeleted); return; } 
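Review bot: An empty `$id_carts` still yields `id_cart IN ()`, a SQL syntax error: the new `$carts_list` is `''` for an empty array, so the intval mapping makes the list safe but does not cover the empty case, and every delete in the loop then fails and folds into `$res`. Guard before the loop, e.g. `if ($carts_list === '') { return $res; }`, adjusted to whatever processDelete returns; its body continues outside the hunk. The same gap exists for `$orders_list` in orderCleaner.php's processDelete later in this patch. With every element passed through intval, the surrounding `pSQL()` is redundant but harmless.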
diff --git a/classes/orderCleaner.php b/classes/orderCleaner.php index ce0ccb5..ea42fbb 100644 --- a/classes/orderCleaner.php +++ b/classes/orderCleaner.php 
@@ -131,44 +131,45 @@ public function processDelete($id_orders) { $tables = self::getOrdersRelatedTables(); $res = true; + $orders_list = implode(',', array_map('intval', $id_orders)); foreach ($tables as $table) { if ($table == 'orders') { - $res &= $this->db->delete('order_payment', 'order_reference IN (SELECT reference FROM ' . _DB_PREFIX_ . bqSQL($table) . ' WHERE id_order IN (' . bqSQL(implode(',', $id_orders)) . '))'); + $res &= $this->db->delete('order_payment', 'order_reference IN (SELECT reference FROM ' . _DB_PREFIX_ . bqSQL($table) . ' WHERE id_order IN (' . pSQL($orders_list) . '))'); $this->output['order_payment'] = $this->db->numRows(); $this->db->execute('ANALYZE TABLE ' . _DB_PREFIX_ . 'order_payment'); - $res &= $this->db->delete('cart', 'id_cart IN (SELECT id_cart FROM ' . _DB_PREFIX_ . bqSQL($table) . ' WHERE id_order IN (' . bqSQL(implode(',', $id_orders)) . '))'); + $res &= $this->db->delete('cart', 'id_cart IN (SELECT id_cart FROM ' . _DB_PREFIX_ . bqSQL($table) . ' WHERE id_order IN (' . pSQL($orders_list) . '))'); $this->output['cart'] = $this->db->numRows(); $this->db->execute('ANALYZE TABLE ' . _DB_PREFIX_ . 'cart'); - $res &= $this->db->delete('cart_product', 'id_cart IN (SELECT id_cart FROM ' . _DB_PREFIX_ . bqSQL($table) . ' WHERE id_order IN (' . bqSQL(implode(',', $id_orders)) . '))'); + $res &= $this->db->delete('cart_product', 'id_cart IN (SELECT id_cart FROM ' . _DB_PREFIX_ . bqSQL($table) . ' WHERE id_order IN (' . pSQL($orders_list) . '))'); $this->output['cart_product'] = $this->db->numRows(); $this->db->execute('ANALYZE TABLE ' . _DB_PREFIX_ . 'cart_product'); } elseif ($table == 'order_detail') { - $res &= $this->db->delete('order_detail_tax', 'id_order_detail IN (SELECT id_order_detail FROM ' . _DB_PREFIX_ . bqSQL($table) . ' WHERE id_order IN (' . bqSQL(implode(',', $id_orders)) . '))'); + $res &= $this->db->delete('order_detail_tax', 'id_order_detail IN (SELECT id_order_detail FROM ' . _DB_PREFIX_ . bqSQL($table) . 
' WHERE id_order IN (' . pSQL($orders_list) . '))'); $this->output['order_detail_tax'] = $this->db->numRows(); $this->db->execute('ANALYZE TABLE ' . _DB_PREFIX_ . 'order_detail_tax'); } elseif ($table == 'order_invoice') { - $res &= $this->db->delete('order_invoice_payment', 'id_order_invoice IN (SELECT id_order_invoice FROM ' . _DB_PREFIX_ . bqSQL($table) . ' WHERE id_order IN (' . bqSQL(implode(',', $id_orders)) . '))'); + $res &= $this->db->delete('order_invoice_payment', 'id_order_invoice IN (SELECT id_order_invoice FROM ' . _DB_PREFIX_ . bqSQL($table) . ' WHERE id_order IN (' . pSQL($orders_list) . '))'); $this->output['order_invoice_payment'] = $this->db->numRows(); $this->db->execute('ANALYZE TABLE ' . _DB_PREFIX_ . 'order_invoice_payment'); - $res &= $this->db->delete('order_invoice_tax', 'id_order_invoice IN (SELECT id_order_invoice FROM ' . _DB_PREFIX_ . bqSQL($table) . ' WHERE id_order IN (' . bqSQL(implode(',', $id_orders)) . '))'); + $res &= $this->db->delete('order_invoice_tax', 'id_order_invoice IN (SELECT id_order_invoice FROM ' . _DB_PREFIX_ . bqSQL($table) . ' WHERE id_order IN (' . pSQL($orders_list) . '))'); $this->output['order_invoice_tax'] = $this->db->numRows(); $this->db->execute('ANALYZE TABLE ' . _DB_PREFIX_ . 'order_invoice_tax'); } elseif ($table == 'order_return') { - $res &= $this->db->delete('order_return_detail', 'id_order_return IN (SELECT id_order_return FROM ' . _DB_PREFIX_ . bqSQL($table) . ' WHERE id_order IN (' . bqSQL(implode(',', $id_orders)) . '))'); + $res &= $this->db->delete('order_return_detail', 'id_order_return IN (SELECT id_order_return FROM ' . _DB_PREFIX_ . bqSQL($table) . ' WHERE id_order IN (' . pSQL($orders_list) . '))'); $this->output['order_return_detail'] = $this->db->numRows(); $this->db->execute('ANALYZE TABLE ' . _DB_PREFIX_ . 'order_return_detail'); } elseif ($table == 'order_slip') { - $res &= $this->db->delete('order_slip_detail', 'id_order_slip IN (SELECT id_order_slip FROM ' . _DB_PREFIX_ . 
bqSQL($table) . ' WHERE id_order IN (' . bqSQL(implode(',', $id_orders)) . '))'); + $res &= $this->db->delete('order_slip_detail', 'id_order_slip IN (SELECT id_order_slip FROM ' . _DB_PREFIX_ . bqSQL($table) . ' WHERE id_order IN (' . pSQL($orders_list) . '))'); $this->output['order_slip_detail'] = $this->db->numRows(); $this->db->execute('ANALYZE TABLE ' . _DB_PREFIX_ . 'order_slip_detail'); } elseif ($table == 'message') { - $res &= $this->db->delete('message_readed', 'id_message IN (SELECT id_message FROM ' . _DB_PREFIX_ . bqSQL($table) . ' WHERE id_order IN (' . bqSQL(implode(',', $id_orders)) . '))'); + $res &= $this->db->delete('message_readed', 'id_message IN (SELECT id_message FROM ' . _DB_PREFIX_ . bqSQL($table) . ' WHERE id_order IN (' . pSQL($orders_list) . '))'); $this->output['message_readed'] = $this->db->numRows(); $this->db->execute('ANALYZE TABLE ' . _DB_PREFIX_ . 'message_readed'); } - $res &= $this->db->delete(bqSQL($table), 'id_order IN (' . bqSQL(implode(',', $id_orders)) . ')'); + $res &= $this->db->delete(bqSQL($table), 'id_order IN (' . pSQL($orders_list) . ')'); $this->db->execute('ANALYZE TABLE ' . _DB_PREFIX_ . bqSQL($table)); $this->output[$table] = $this->db->numRows(); diff --git a/classes/productCleaner.php b/classes/productCleaner.php index 65c0d2d..faa671e 100644 --- a/classes/productCleaner.php +++ b/classes/productCleaner.php @@ -103,7 +103,7 @@ public function deleteProducts($id_products = null) if ($productsDelete) { $logs = ''; $this->context->controller->confirmations[] = $this->module->l('Success!', 'productCleaner'); - $this->context->controller->confirmations[] = sprintf($this->module->l('%s product(s) deleted.'), $nbDeleted); + $this->context->controller->confirmations[] = sprintf($this->module->l('%s product(s) deleted.', 'productCleaner'), $nbDeleted); return; } diff --git a/classes/resetCleaner.php b/classes/resetCleaner.php index 39ed648..527012c 100644 --- a/classes/resetCleaner.php +++ b/classes/resetCleaner.php 
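Review bot: The per-table row counts in this hunk are read with `$this->db->numRows()` after each DELETE, while cartCleaner's processDelete in the same patch uses `$this->db->Affected_Rows()` for the same purpose; as far as I know numRows() reports the size of the last result set, and for a DELETE the affected-row count is the meaningful value, so these context lines are worth aligning, e.g. `$this->output['order_payment'] = (int) $this->db->Affected_Rows();`. The `(int)` cast also matches what cartCleaner stores. These lines are not touched by the commit, and processDelete continues outside the hunk.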
@@ -78,11 +78,13 @@ private function resetCatalog() $id_home = Configuration::getMultiShopValues('PS_HOME_CATEGORY'); $id_root = Configuration::getMultiShopValues('PS_ROOT_CATEGORY'); + $ids_home = implode(',', array_map('intval', $id_home)); + $ids_root = implode(',', array_map('intval', $id_root)); - $res &= $this->db->delete('category', 'id_category NOT IN (' . pSQL(implode(',', array_map('intval', $id_home))) . ', ' . pSQL(implode(',', array_map('intval', $id_root))) . ')'); - $res &= $this->db->delete('category_lang', 'id_category NOT IN (' . pSQL(implode(',', array_map('intval', $id_home))) . ', ' . pSQL(implode(',', array_map('intval', $id_root))) . ')'); - $res &= $this->db->delete('category_shop', 'id_category NOT IN (' . pSQL(implode(',', array_map('intval', $id_home))) . ', ' . pSQL(implode(',', array_map('intval', $id_root))) . ')'); - $res &= $this->db->delete('category_group', 'id_category NOT IN (' . pSQL(implode(',', array_map('intval', $id_home))) . ', ' . pSQL(implode(',', array_map('intval', $id_root))) . ')'); + $res &= $this->db->delete('category', 'id_category NOT IN (' . pSQL($ids_home) . ', ' . pSQL($ids_root) . ')'); + $res &= $this->db->delete('category_lang', 'id_category NOT IN (' . pSQL($ids_home) . ', ' . pSQL($ids_root) . ')'); + $res &= $this->db->delete('category_shop', 'id_category NOT IN (' . pSQL($ids_home) . ', ' . pSQL($ids_root) . ')'); + $res &= $this->db->delete('category_group', 'id_category NOT IN (' . pSQL($ids_home) . ', ' . pSQL($ids_root) . ')'); $this->db->execute('ANALYZE TABLE ' . _DB_PREFIX_ . 'category'); $this->db->execute('ANALYZE TABLE ' . _DB_PREFIX_ . 'category_lang'); diff --git a/controllers/admin/AdminCleanCartController.php b/controllers/admin/AdminCleanCartController.php index ba548c5..209fcdc 100644 --- a/controllers/admin/AdminCleanCartController.php +++ b/controllers/admin/AdminCleanCartController.php 
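Review bot: If either `$id_home` or `$id_root` is empty, the hand-joined `NOT IN (' . pSQL($ids_home) . ', ' . pSQL($ids_root) . ')` becomes `NOT IN (, 3)` or `NOT IN (1, )`, a syntax error that fails all four category deletes. Building one list removes the literal comma: `$ids_keep = implode(',', array_map('intval', array_merge($id_home, $id_root)));` and then `'id_category NOT IN (' . pSQL($ids_keep) . ')'` on each delete. A combined list that is itself empty would still need a guard, since `NOT IN ()` is equally invalid. resetCatalog continues outside the hunk.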
@@ -77,7 +77,7 @@ public function postProcess() $cartCleaner = new CartCleaner(); $cartCleaner->date_from = Tools::getValue($this->module->config_name . '_DATE_FROM', null); $cartCleaner->date_to = Tools::getValue($this->module->config_name . '_DATE_TO', null); - $cartCleaner->shops = implode(',', Tools::getValue($this->module->config_name . '_SHOP_CARTS', [])); + $cartCleaner->shops = implode(',', array_map('intval', Tools::getValue($this->module->config_name . '_SHOP_CARTS', []))); $cartCleaner->deleteCarts(); } diff --git a/controllers/admin/AdminCleanCustomerController.php b/controllers/admin/AdminCleanCustomerController.php index 6d882a4..ac99c58 100644 --- a/controllers/admin/AdminCleanCustomerController.php +++ b/controllers/admin/AdminCleanCustomerController.php @@ -77,7 +77,7 @@ public function postProcess() $customerCleaner = new CustomerCleaner(); $customerCleaner->date_from = Tools::getValue($this->module->config_name . '_CUSTOMER_DATE_FROM', null); $customerCleaner->date_to = Tools::getValue($this->module->config_name . '_CUSTOMER_DATE_TO', null); - $customerCleaner->shops = implode(',', Tools::getValue($this->module->config_name . '_CUSTOMER_SHOP', [])); + $customerCleaner->shops = implode(',', array_map('intval', Tools::getValue($this->module->config_name . '_CUSTOMER_SHOP', []))); $customerCleaner->guest = Tools::getValue($this->module->config_name . '_CUSTOMER_GUEST', null); $customerCleaner->never_ordered = Tools::getValue($this->module->config_name . '_CUSTOMER_NEVER_ORDERED', null); $customerCleaner->deleteCustomers(); diff --git a/controllers/admin/AdminCleanOrderController.php b/controllers/admin/AdminCleanOrderController.php index a9335a0..963798f 100644 --- a/controllers/admin/AdminCleanOrderController.php +++ b/controllers/admin/AdminCleanOrderController.php 
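Review bot: `array_map('intval', Tools::getValue(..., []))` assumes the request value is an array, but the `[]` default only applies when the parameter is missing; a scalar submitted for `_SHOP_CARTS` reaches array_map and raises a TypeError on PHP 8 (a warning and null, then a failing implode, on PHP 7). Casting first keeps the intval protection and tolerates both shapes: `$cartCleaner->shops = implode(',', array_map('intval', (array) Tools::getValue($this->module->config_name . '_SHOP_CARTS', [])));`. The same applies to the `shops` line in AdminCleanCustomerController, the `status` and `shops` lines in AdminCleanOrderController, and the `shops` and `categories` lines in AdminCleanProductController. `date_from` and `date_to` are passed through as raw request strings in all four controllers; whether the cleaner classes escape them before use is outside this diff. postProcess continues outside the hunk.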
@@ -77,8 +77,8 @@ public function postProcess() $orderCleaner = new OrderCleaner(); $orderCleaner->date_from = Tools::getValue($this->module->config_name . '_DATE_FROM', null); $orderCleaner->date_to = Tools::getValue($this->module->config_name . '_DATE_TO', null); - $orderCleaner->status = implode(',', Tools::getValue($this->module->config_name . '_STATUS', [])); - $orderCleaner->shops = implode(',', Tools::getValue($this->module->config_name . '_SHOP_ORDERS', [])); + $orderCleaner->status = implode(',', array_map('intval', Tools::getValue($this->module->config_name . '_STATUS', []))); + $orderCleaner->shops = implode(',', array_map('intval', Tools::getValue($this->module->config_name . '_SHOP_ORDERS', []))); $orderCleaner->deleteOrders(); } diff --git a/controllers/admin/AdminCleanProductController.php b/controllers/admin/AdminCleanProductController.php index eae26ac..ba5afe9 100644 --- a/controllers/admin/AdminCleanProductController.php +++ b/controllers/admin/AdminCleanProductController.php 
@@ -77,9 +77,9 @@ public function postProcess() $productCleaner = new ProductCleaner(); $productCleaner->date_from = Tools::getValue($this->module->config_name . '_PRODUCT_DATE_FROM', null); $productCleaner->date_to = Tools::getValue($this->module->config_name . '_PRODUCT_DATE_TO', null); - $productCleaner->shops = implode(',', Tools::getValue($this->module->config_name . '_PRODUCT_SHOP', [])); + $productCleaner->shops = implode(',', array_map('intval', Tools::getValue($this->module->config_name . '_PRODUCT_SHOP', []))); $productCleaner->types = Tools::getValue($this->module->config_name . '_PRODUCT_TYPE', []); - $productCleaner->categories = implode(',', Tools::getValue($this->module->config_name . '_PRODUCT_CATEGORIES', [])); + $productCleaner->categories = implode(',', array_map('intval', Tools::getValue($this->module->config_name . '_PRODUCT_CATEGORIES', []))); $productCleaner->active = Tools::getValue($this->module->config_name . '_PRODUCT_ACTIVE', null); $productCleaner->deleteProducts(); }
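Review bot: `$productCleaner->types` is still assigned the raw `_PRODUCT_TYPE` request value on a context line of this hunk; it is a list of strings rather than one of the integer lists this commit hardens, so it receives neither a cast nor per-element escaping here. If ProductCleaner interpolates it into SQL, the escaping has to happen there — that is not visible in this diff and worth confirming. The `active` value on the following line is in the same position. postProcess continues outside the hunk.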