FIX: appagebuilder SQL Injections

2026-02-19 11:51:28 +01:00
parent 26dd9c7656
commit cb209fbd1e
2 changed files with 13 additions and 10 deletions
--- a/modules/appagebuilder/apajax.php
+++ b/modules/appagebuilder/apajax.php
@@ -98,7 +98,7 @@ if (Tools::getValue('leoajax') == 1) {

        $sql = 'SELECT COUNT(cp.`id_product`) AS total, cp.`id_category` FROM `'._DB_PREFIX_.'product` p '.Shop::addSqlAssociation('product', 'p').'
                LEFT JOIN `'._DB_PREFIX_.'category_product` cp ON p.`id_product` = cp.`id_product`
-                WHERE cp.`id_category` IN ('.pSQL($list_cat).')
+                WHERE cp.`id_category` IN ('.implode(', ', array_map('intval', explode(',', $list_cat))).')
                AND product_shop.`visibility` IN ("both", "catalog")
                AND product_shop.`active` = 1
                GROUP BY cp.`id_category`';
@@ -111,6 +111,7 @@ if (Tools::getValue('leoajax') == 1) {
    if ($leo_pro_cdown) {
        $leo_pro_cdown = explode(',', $leo_pro_cdown);
        $leo_pro_cdown = array_unique($leo_pro_cdown);
+        $leo_pro_cdown = array_map('intval', $leo_pro_cdown); // fix sql injection
        $leo_pro_cdown = implode(',', $leo_pro_cdown);
        $result['pro_cdown'] = $module->hookProductCdown($leo_pro_cdown);
    }
@@ -118,6 +119,7 @@ if (Tools::getValue('leoajax') == 1) {
    if ($leo_pro_color) {
        $leo_pro_color = explode(',', $leo_pro_color);
        $leo_pro_color = array_unique($leo_pro_color);
+        $leo_pro_color = array_map('intval', $leo_pro_color); // fix sql injection
        $leo_pro_color = implode(',', $leo_pro_color);
        $result['pro_color'] = $module->hookProductColor($leo_pro_color);
    }
@@ -125,6 +127,7 @@ if (Tools::getValue('leoajax') == 1) {
    if ($product_list_image) {
        $product_list_image = explode(',', $product_list_image);
        $product_list_image = array_unique($product_list_image);
+        $product_list_image = array_map('intval', $product_list_image); // fix sql injection
        $product_list_image = implode(',', $product_list_image);

        # $leocustomajax = new Leocustomajax();
@@ -135,6 +138,7 @@ if (Tools::getValue('leoajax') == 1) {
    if ($product_one_img) {
        $product_one_img = explode(',', $product_one_img);
        $product_one_img = array_unique($product_one_img);
+        $product_one_img = array_map('intval', $product_one_img); // fix sql injection
        $product_one_img = implode(',', $product_one_img);

        $result['product_one_img'] = $module->hookProductOneImg($product_one_img);
--- a/modules/appagebuilder/appagebuilder.php
+++ b/modules/appagebuilder/appagebuilder.php
@@ -1542,14 +1542,13 @@ class APPageBuilder extends Module implements WidgetInterface
            }

            $product_id = implode(',', array_map('intval', $temp));
-            $where .= ' AND p.id_product '.(strpos($product_id, ',') === false ? '= '.(int)$product_id : 'IN ('.pSQL($product_id).')');
+            $where .= ' AND p.id_product '.(strpos($product_id, ',') === false ? '= '.(int)$product_id : 'IN ('.implode(', ', array_map('intval', explode(',', $product_id))).')');
        }

        $value_by_manufacture = isset($params['value_by_manufacture']) ? $params['value_by_manufacture'] : 0;
        if ($value_by_manufacture && isset($params['manufacture'])) {
-            # We validate id_categories in apPageHelper::addonValidInt function. This function is used at any where
-            $id_manufactures = apPageHelper::addonValidInt($params['manufacture']);
-            $where .= ' AND p.id_manufacturer IN ('.pSQL($id_manufactures).')';
+            $id_manufactures = apPageHelper::addonValidInt( $params['manufacture'] );          # We validate id_categories 
+            $where .= ' AND p.id_manufacturer IN ('.implode(', ', array_map('intval', explode(',', $id_manufactures))).')';
        }
        $product_type = isset($params['product_type']) ? $params['product_type'] : '';
        $value_by_product_type = isset($params['value_by_product_type']) ? $params['value_by_product_type'] : 0;
@@ -2901,7 +2900,7 @@ class APPageBuilder extends Module implements WidgetInterface
        LEFT JOIN `'._DB_PREFIX_.'product_comment_grade` pcg ON (pcg.`id_product_comment` = pc.`id_product_comment`)
        LEFT JOIN `'._DB_PREFIX_.'product_comment_criterion` pcc ON (pcc.`id_product_comment_criterion` = pcg.`id_product_comment_criterion`)
        LEFT JOIN `'._DB_PREFIX_.'product_comment_criterion_lang` pccl ON (pccl.`id_product_comment_criterion` = pcg.`id_product_comment_criterion`)
-        WHERE pc.`id_product` in ('.pSQL($list_product).')
+        WHERE pc.`id_product` in ('.implode(', ', array_map('intval', explode(',', $list_product))).')
        AND pccl.`id_lang` = '.(int)$id_lang.
                        ($validate == '1' ? ' AND pc.`validate` = 1' : '')));
    }
@@ -2920,7 +2919,7 @@ class APPageBuilder extends Module implements WidgetInterface
        $result = Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS('
        SELECT COUNT(pc.`id_product`) AS nbr, pc.`id_product`
        FROM `'._DB_PREFIX_.'product_comment` pc
-        WHERE `id_product` in ('.pSQL($list_product).')'.($validate == '1' ? ' AND `validate` = 1' : '').'
+        WHERE `id_product` in ('.implode(', ', array_map('intval', explode(',', $list_product))).')'.($validate == '1' ? ' AND `validate` = 1' : '').'
        AND `grade` > 0 GROUP BY pc.`id_product`');
        return $result;
    }
@@ -3064,7 +3063,7 @@ class APPageBuilder extends Module implements WidgetInterface
        $link = new Link($protocol_link, $protocol_content);

        $id_lang = Context::getContext()->language->id;
-        $where = ' WHERE i.`id_product` IN ('.pSQL($list_pro).') AND (ish.`cover`=0 OR ish.`cover` IS NULL) AND ish.`id_shop` = '.Context::getContext()->shop->id;
+        $where = ' WHERE i.`id_product` IN ('.implode(', ', array_map('intval', explode(',', $list_pro))).') AND (ish.`cover`=0 OR ish.`cover` IS NULL) AND ish.`id_shop` = '.Context::getContext()->shop->id;
        $order = ' ORDER BY i.`id_product`,`position`';
        $limit = ' LIMIT 0,1';
        //get product info
@@ -3366,13 +3365,13 @@ class APPageBuilder extends Module implements WidgetInterface
                                                AND sp.`reduction` > 0
                                        )
                                WHERE pl.`id_lang` = '.(int)$id_lang.
-                ' AND p.`id_product` in ('.pSQL($product_list).')';
+                ' AND p.`id_product` in ('.implode(', ', array_map('intval', explode(',', $product_list))).')';' AND p.`id_product` in ('.pSQL($product_list).')';
        $result = Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS($sql);

        if ($product_list) {
            $tmp_img = array();
            $cover_img = array();
-            $where = ' WHERE i.`id_product` IN ('.pSQL($product_list).') AND ish.`id_shop` = '.Context::getContext()->shop->id;
+            $where = ' WHERE i.`id_product` IN ('.implode(', ', array_map('intval', explode(',', $product_list))).') AND ish.`id_shop` = '.Context::getContext()->shop->id;
            $order = ' ORDER BY i.`id_product`,`position`';

            switch (Configuration::get('LEO_MINFO_SORT')) {