Page History

...

Parameter	Description
$where	Takes the update's `WHERE` clause.
$limit	You can limit the number of records that you will update.

Note
`update()` does not protect your code from hacking attempts (SQL injections, XSS flaws and CRSF breaches). You still have to secure your data yourself. One PrestaShop-specific securization method is `pSQL($value)`: it helps protect your database against SQL injections.

delete()

Method signature: delete($table, $where = '', $limit = 0, $use_cache = true, $add_prefix = true).

...

Code Block
DELETE FROM `prefix_target_table` WHERE myField < 15 LIMIT 3

Note
`delete()` does not protect your code from hacking attempts (SQL injections, XSS flaws and CRSF breaches). You still have to secure your data yourself. One PrestaShop-specific securization method is `pSQL($value)`: it helps protect your database against SQL injections.

execute()

Method signature: execute($sql, $use_cache = 1).

...

Tip
You should use `insert()`, `update()` et and `delete()` as much as possible, and only use `execute()` if the query gets too complex. Please note that this method returns a boolean value (`true` or `false`), not a database resource that can then be used.

Note
`execute()` does not protect your code from hacking attempts (SQL injections, XSS flaws and CRSF breaches). You still have to secure your data yourself. One PrestaShop-specific securization method is `pSQL($value)`: it helps protect your database against SQL injections.

query()

Method signature: query($sql).

...

Code Block
$sql = 'SELECT * FROM '._DB_PREFIX_.'shop'; if ($results = Db::getInstance()->ExecuteS($sql)) foreach ($results as $row) echo $row['id_shop'].' :: '.$row['name'].'<br />';

Note
`executeS()` does not protect your code from hacking attempts (SQL injections, XSS flaws and CRSF breaches). You still have to secure your data yourself. One PrestaShop-specific securization method is `pSQL($value)`: it helps protect your database against SQL injections.

getRow()

Method signature: getRow($sql, $use_cache = 1).

...

Code Block
$sql = 'SELECT * FROM '._DB_PREFIX_.'shop WHERE id_shop = 42’; if ($row = Db::getInstance()->getRow($sql)) echo $row['id_shop'].' :: '.$row['name'];

Note
`getRow()` does not protect your code from hacking attempts (SQL injections, XSS flaws and CRSF breaches). You still have to secure your data yourself. One PrestaShop-specific securization method is `pSQL($value)`: it helps protect your database against SQL injections.

getValue()

Method signature: getValue($sql, $use_cache = 1).

...

Insert_ID(): returns the ID created during the latest INSERT query.
Affected_Rows(): returns the number of lines impacted by the latest UPDATE or DELETE query.
getMsgError(): returns the latest error message, if the query has failed.
getNumberError(): returns the latest error number, if the query has failed.

Security

Note that none of the above methods escape the query itself. You will have to do that using either pSQL() or bqSQL().

pSQL() is an alias for Db::getInstance()->escape($string, $htmlOK);

It has the following PHPDoc comment:

Code Block

/**
 * Sanitize data which will be injected into SQL query
 *
 * @param string $string SQL data which will be injected into SQL query
 * @param bool $htmlOK Does data contain HTML code ? (optional)
 * @return string Sanitized data
 */

It accepts a string that will be sanitized by the function. If your string contains HTML-code, be sure to pass the argument $htmlOK = true as well.

bqSQL() can also be used. Note that besides escaping the ` character, it also calls pSQL() afterwards, but without the option to sanitize HTML.

Child pages

Versions Compared

Old Version 1

New Version Current

Key