Project-Pro/lulandia.pl
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FIX: appagebuilder SQL Injections

Browse Source
This commit is contained in:
Roman Pyrih
2026-02-04 14:37:46 +01:00
parent 5a6da716a7
commit f6c0277d07
2 changed files with 17 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
modules/appagebuilder/apajax.php
View File

@@ -101,7 +101,7 @@ if (Tools::getValue('leoajax') == 1)
$sql = 'SELECT COUNT(cp.`id_product`) AS total, cp.`id_category` FROM `' . _DB_PREFIX_ . 'product` p ' . Shop::addSqlAssociation('product', 'p') . '
LEFT JOIN `' . _DB_PREFIX_ . 'category_product` cp ON p.`id_product` = cp.`id_product`
WHERE cp.`id_category` IN (' . pSQL($list_cat) . ')
WHERE cp.`id_category` IN ('.implode(', ', array_map('intval', explode(',', $list_cat))).')
AND product_shop.`visibility` IN ("both", "catalog")
AND product_shop.`active` = 1
GROUP BY cp.`id_category`';
@@ -116,6 +116,7 @@ if (Tools::getValue('leoajax') == 1)
{
$leo_pro_cdown = explode(',', $leo_pro_cdown);
$leo_pro_cdown = array_unique($leo_pro_cdown);
$leo_pro_cdown = array_map('intval', $leo_pro_cdown); // fix sql injection
$leo_pro_cdown = implode(',', $leo_pro_cdown);
$result['pro_cdown'] = $module->hookProductCdown($leo_pro_cdown);
}
@@ -124,6 +125,7 @@ if (Tools::getValue('leoajax') == 1)
{
$leo_pro_color = explode(',', $leo_pro_color);
$leo_pro_color = array_unique($leo_pro_color);
$leo_pro_color = array_map('intval', $leo_pro_color); // fix sql injection
$leo_pro_color = implode(',', $leo_pro_color);
$result['pro_color'] = $module->hookProductColor($leo_pro_color);
}
@@ -132,6 +134,7 @@ if (Tools::getValue('leoajax') == 1)
{
$product_list_image = explode(',', $product_list_image);
$product_list_image = array_unique($product_list_image);
$product_list_image = array_map('intval', $product_list_image); // fix sql injection
$product_list_image = implode(',', $product_list_image);
# $leocustomajax = new Leocustomajax();
@@ -141,6 +144,7 @@ if (Tools::getValue('leoajax') == 1)
{
$product_one_img = explode(',', $product_one_img);
$product_one_img = array_unique($product_one_img);
$product_one_img = array_map('intval', $product_one_img); // fix sql injection
$product_one_img = implode(',', $product_one_img);
$result['product_one_img'] = $module->hookProductOneImg($product_one_img);