From 4276708e1c7ddca09718bff7bf1a270b19fceadc Mon Sep 17 00:00:00 2001
From: Roman Pyrih
Date: Wed, 4 Feb 2026 14:18:37 +0100
Subject: [PATCH] FIX: appagebuilder SQL Injections

---
 modules/appagebuilder/apajax.php | 13 +++++++++----
 modules/appagebuilder/appagebuilder.php | 24 ++++++++++++------------
 2 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/modules/appagebuilder/apajax.php b/modules/appagebuilder/apajax.php
index 5d896f6a..e7c7358f 100644
--- a/modules/appagebuilder/apajax.php
+++ b/modules/appagebuilder/apajax.php
@@ -101,10 +101,11 @@ if (Tools::getValue('leoajax') == 1)
 $sql = 'SELECT COUNT(cp.`id_product`) AS total, cp.`id_category`
 FROM `' . _DB_PREFIX_ . 'product` p
 ' . Shop::addSqlAssociation('product', 'p') . '
 LEFT JOIN `' . _DB_PREFIX_ . 'category_product` cp ON p.`id_product` = cp.`id_product`
- WHERE cp.`id_category` IN (' . pSQL($list_cat) . ')
- AND product_shop.`visibility` IN ("both", "catalog")
- AND product_shop.`active` = 1
- GROUP BY cp.`id_category`';
+ WHERE cp.`id_category` IN ('.implode(', ', array_map('intval', explode(',', $list_cat))).')
+ AND product_shop.`visibility` IN ("both", "catalog")
+ AND product_shop.`active` = 1
+ GROUP BY cp.`id_category`';
+
 $cat = Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS($sql);
 if ($cat) {
@@ -116,6 +117,7 @@ if (Tools::getValue('leoajax') == 1)
 {
 $leo_pro_cdown = explode(',', $leo_pro_cdown);
 $leo_pro_cdown = array_unique($leo_pro_cdown);
+ $leo_pro_cdown = array_map('intval', $leo_pro_cdown); // fix sql injection
 $leo_pro_cdown = implode(',', $leo_pro_cdown);
 $result['pro_cdown'] = $module->hookProductCdown($leo_pro_cdown);
 }
@@ -124,6 +126,7 @@ if (Tools::getValue('leoajax') == 1)
 {
 $leo_pro_color = explode(',', $leo_pro_color);
 $leo_pro_color = array_unique($leo_pro_color);
+ $leo_pro_color = array_map('intval', $leo_pro_color); // fix sql injection
 $leo_pro_color = implode(',', $leo_pro_color);
 $result['pro_color'] = $module->hookProductColor($leo_pro_color);
 }
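Review bot: The `implode(', ', array_map('intval', explode(',', $list_cat)))` expression that replaces pSQL() in the first hunk is repeated verbatim at every fixed site in both files (this hunk and the @@ -1317, -1339, -2513, -2531, -2599 and -2707 hunks of appagebuilder.php), so the sanitisation lives in a dozen copies that can drift independently; one small helper such as `function apIntList($ids) { return implode(',', array_map('intval', explode(',', (string) $ids))); }` would make "integer list for an unquoted IN (...)" the only way to build these fragments, and its name documents why pSQL() was the wrong tool here (it escapes quote characters, which does nothing for a bare numeric list). The `(string)` cast in that helper is deliberate: if `$list_cat` can arrive from the request as an array, explode() raises a TypeError on PHP 8 — where `$list_cat` is assigned lies outside this hunk, so I cannot confirm whether that is reachable. In the @@ -116 and @@ -124 hunks (and the @@ -132 and @@ -141 hunks on the next line) the intval map runs after array_unique(), so inputs like `1` and `01` survive as duplicate ids in the list; moving the added `array_map('intval', …)` line above the `array_unique` call removes them. The `// fix sql injection` comments describe the commit rather than the code; a comment that states the invariant, e.g. `// ids must be plain integers: hookProductCdown() interpolates this list into SQL (verify against that method)`, will still be true after the next refactor.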
@@ -132,6 +135,7 @@ if (Tools::getValue('leoajax') == 1) { $product_list_image = explode(',', $product_list_image); $product_list_image = array_unique($product_list_image); + $product_list_image = array_map('intval', $product_list_image); // fix sql injection $product_list_image = implode(',', $product_list_image); # $leocustomajax = new Leocustomajax(); @@ -141,6 +145,7 @@ if (Tools::getValue('leoajax') == 1) { $product_one_img = explode(',', $product_one_img); $product_one_img = array_unique($product_one_img); + $product_one_img = array_map('intval', $product_one_img); // fix sql injection $product_one_img = implode(',', $product_one_img); $result['product_one_img'] = $module->hookProductOneImg($product_one_img); diff --git a/modules/appagebuilder/appagebuilder.php b/modules/appagebuilder/appagebuilder.php index 0d96e800..98d2d285 100644 --- a/modules/appagebuilder/appagebuilder.php +++ b/modules/appagebuilder/appagebuilder.php 
@@ -1317,18 +1317,18 @@ class APPageBuilder extends Module $id_categories = apPageHelper::addonValidInt( $id_categories ); # We validate id_categories in apPageHelper::addonValidInt function . This function is used at any where if (isset($params['category_type']) && $params['category_type'] == 'default') { - $where .= ' AND product_shop.`id_category_default` IN ('.pSQL($id_categories).')'; + $where .= ' AND product_shop.`id_category_default` IN ('.implode(', ', array_map('intval', explode(',', $id_categories))).')'; } else { $sql_join .= ' INNER JOIN '._DB_PREFIX_.'category_product cp ON (cp.id_product= p.`id_product` )'; - $where .= ' AND cp.`id_category` IN ('.pSQL($id_categories).')'; + $where .= ' AND cp.`id_category` IN ('.implode(', ', array_map('intval', explode(',', $id_categories))).')'; $sql_group = ' GROUP BY p.id_product'; } } $value_by_supplier = isset($params['value_by_supplier']) ? $params['value_by_supplier'] : 0; if ($value_by_supplier && isset($params['supplier'])) { - $id_suppliers = apPageHelper::addonValidInt( $params['supplier'] ); # We validate id_categories in apPageHelper::addonValidInt function. This function is used at any where - $where .= ' AND p.id_supplier IN ('.pSQL($id_suppliers).')'; + $id_suppliers = apPageHelper::addonValidInt( $params['supplier'] ); # We validate id_categories + $where .= ' AND p.id_supplier IN ('.implode(', ', array_map('intval', explode(',', $id_suppliers))).')'; } $value_by_product_id = isset($params['value_by_product_id']) ? $params['value_by_product_id'] : 0; if ($value_by_product_id && isset($params['product_id'])) { 
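Review bot: The rewritten comment on the `$id_suppliers` line (and on the `$id_manufactures` line in the @@ -1339 hunk on the next line) now reads `# We validate id_categories`, which names the wrong variable — the line handles the supplier list — so the trimmed comment is more misleading than the verbose one it replaces. Something like `# supplier ids; addonValidInt() is expected to keep only integers, and the intval map below is a second line of defence` states what the reader needs, hedged because addonValidInt() is not visible in this diff. Within this hunk `$id_categories` is sanitised by the same expression in both branches of the `if`; computing it once above the `if`, e.g. `$id_categories_sql = implode(', ', array_map('intval', explode(',', $id_categories)));`, and concatenating `$id_categories_sql` in both `$where` lines keeps the two branches from diverging. The enclosing method starts and ends outside the hunk.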
@@ -1339,13 +1339,13 @@ class APPageBuilder extends Module } $product_id = implode(',', array_map('intval', $temp)); - $where .= ' AND p.id_product '.(strpos($product_id, ',') === false ? '= '.(int)$product_id : 'IN ('.pSQL($product_id).')'); + $where .= ' AND p.id_product '.(strpos($product_id, ',') === false ? '= '.(int)$product_id : 'IN ('.implode(', ', array_map('intval', explode(',', $product_id))).')'); } $value_by_manufacture = isset($params['value_by_manufacture']) ? $params['value_by_manufacture'] : 0; if ($value_by_manufacture && isset($params['manufacture'])) { - $id_manufactures = apPageHelper::addonValidInt( $params['manufacture'] ); # We validate id_categories in apPageHelper::addonValidInt function. This function is used at any where - $where .= ' AND p.id_manufacturer IN ('.pSQL($id_manufactures).')'; + $id_manufactures = apPageHelper::addonValidInt( $params['manufacture'] ); # We validate id_categories + $where .= ' AND p.id_manufacturer IN ('.implode(', ', array_map('intval', explode(',', $id_manufactures))).')'; } $product_type = isset($params['product_type']) ? $params['product_type'] : ''; $value_by_product_type = isset($params['value_by_product_type']) ? $params['value_by_product_type'] : 0; @@ -2513,7 +2513,7 @@ class APPageBuilder extends Module LEFT JOIN `'._DB_PREFIX_.'product_comment_grade` pcg ON (pcg.`id_product_comment` = pc.`id_product_comment`) LEFT JOIN `'._DB_PREFIX_.'product_comment_criterion` pcc ON (pcc.`id_product_comment_criterion` = pcg.`id_product_comment_criterion`) LEFT JOIN `'._DB_PREFIX_.'product_comment_criterion_lang` pccl ON (pccl.`id_product_comment_criterion` = pcg.`id_product_comment_criterion`) - WHERE pc.`id_product` in ('.pSQL($list_product).') + WHERE pc.`id_product` in ('.implode(', ', array_map('intval', explode(',', $list_product))).') AND pccl.`id_lang` = '.(int)$id_lang. ($validate == '1' ? ' AND pc.`validate` = 1' : ''))); } 
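Review bot: In the @@ -1339 hunk the new `IN (...)` branch re-explodes and re-intvals `$product_id`, but the context line directly above already built it as `implode(',', array_map('intval', $temp))`, so the string can only contain integers and commas and the second pass is dead work that obscures which line is the real sanitiser. Keeping the original `'IN ('.$product_id.')'` on the new side is enough, or, cleaner, decide the operator on the array instead of the string: `$where .= ' AND p.id_product '.(count($temp) === 1 ? '= '.(int) reset($temp) : 'IN ('.$product_id.')');`. The @@ -2513 hunk is fine as an injection fix; its surrounding `$validate == '1'` loose comparison predates the commit and is left alone here. Both enclosing methods start and end outside their hunks.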
@@ -2531,7 +2531,7 @@ class APPageBuilder extends Module $result = Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS(' SELECT COUNT(pc.`id_product`) AS nbr, pc.`id_product` FROM `'._DB_PREFIX_.'product_comment` pc - WHERE `id_product` in ('.pSQL($list_product).')'.($validate == '1' ? ' AND `validate` = 1' : '').' + WHERE `id_product` in ('.implode(', ', array_map('intval', explode(',', $list_product))).')'.($validate == '1' ? ' AND `validate` = 1' : '').' AND `grade` > 0 GROUP BY pc.`id_product`'); return $result; } @@ -2599,7 +2599,7 @@ class APPageBuilder extends Module $link = new Link($protocol_link, $protocol_content); $id_lang = Context::getContext()->language->id; - $where = ' WHERE i.`id_product` IN ('.$list_pro.') AND (ish.`cover`=0 OR ish.`cover` IS NULL) AND ish.`id_shop` = '.Context::getContext()->shop->id; + $where = ' WHERE i.`id_product` IN ('.implode(', ', array_map('intval', explode(',', $list_pro))).') AND (ish.`cover`=0 OR ish.`cover` IS NULL) AND ish.`id_shop` = '.Context::getContext()->shop->id; $order = ' ORDER BY i.`id_product`,`position`'; $limit = ' LIMIT 0,1'; //get product info @@ -2707,13 +2707,13 @@ class APPageBuilder extends Module AND sp.`reduction` > 0 ) WHERE pl.`id_lang` = '.(int)$id_lang. - ' AND p.`id_product` in ('.pSQL($product_list).')'; + ' AND p.`id_product` in ('.implode(', ', array_map('intval', explode(',', $product_list))).')'; $result = Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS($sql); if ($product_list) { $tmp_img = array(); $cover_img = array(); - $where = ' WHERE i.`id_product` IN ('.pSQL($product_list).') AND ish.`id_shop` = '.Context::getContext()->shop->id; + $where = ' WHERE i.`id_product` IN ('.implode(', ', array_map('intval', explode(',', $product_list))).') AND ish.`id_shop` = '.Context::getContext()->shop->id; $order = ' ORDER BY i.`id_product`,`position`'; switch (Configuration::get('LEO_MINFO_SORT')) {
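Review bot: In the @@ -2707 hunk `$product_list` is sanitised twice inside the same method — once in the `$sql` string and again in the `$where` string five lines later — so a future edit can fix one copy and miss the other; computing `$product_list_sql = implode(', ', array_map('intval', explode(',', $product_list)));` once before the `$sql` assignment and reusing it in both places removes that hazard. The same `$where` line, like the new line in the @@ -2599 hunk, interpolates `Context::getContext()->shop->id` uncast next to an explicitly cast `(int)$id_lang`; the shop id comes from the context object rather than the request, so this is a consistency point, not a hole, but an `(int)` cast would make the intent uniform. The @@ -2531 hunk needs nothing beyond the shared-helper point raised on the first file. All three enclosing methods start and end outside their hunks.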