Comment: Add explanation about pSQL and update functions that require manual escaping.

...

Parameter   Description
$where      Takes the update's WHERE clause (without the WHERE keyword).
$limit      Limits the number of records that will be updated.

Note

update() does not protect your code from hacking attempts (SQL injection, XSS flaws and CSRF breaches). You still have to secure your data yourself: neither the values in the data array nor the WHERE clause are escaped for you.
The PrestaShop-specific escaping function is pSQL($value). It only addresses SQL injection; it does nothing for XSS or CSRF.

delete()

Method signature: delete($table, $where = '', $limit = 0, $use_cache = true, $add_prefix = true).

...

Code Block
DELETE FROM `prefix_target_table` WHERE myField < 15 LIMIT 3
Note

delete() does not protect your code from hacking attempts (SQL injection, XSS flaws and CSRF breaches). You still have to secure your data yourself: the WHERE clause is passed to MySQL exactly as you built it.
The PrestaShop-specific escaping function is pSQL($value). It only addresses SQL injection; it does nothing for XSS or CSRF.
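The two notes above say that update() and delete() do not escape anything. The following is an added example, not code from the PrestaShop documentation or core, showing a vulnerable call next to the hardened one. It assumes the PrestaShop 1.6 signatures update($table, $data, $where, $limit) and delete($table, $where, $limit), and a hypothetical module table `<prefix>mymodule_entry` with the columns id_entry, name and note; it has to run inside a bootstrapped PrestaShop (for example from a module), because Db and pSQL() come from the core.

```php
<?php
// Added example (not part of the original page). Assumes PrestaShop 1.6 and a
// hypothetical table `<prefix>mymodule_entry` (id_entry, name, note).

// VULNERABLE: $name, $note and $idEntry come straight from the request.
// update() wraps each value in single quotes but does not escape it, so a
// $note such as   ', note = 'x' WHERE 1 --   closes the quoted value and
// supplies its own WHERE clause: every row in the table gets rewritten.
// Likewise an unquoted, uncast $idEntry such as   1 OR 1=1   does the same.
function renameEntryVulnerable($idEntry, $name, $note)
{
    return Db::getInstance()->update(
        'mymodule_entry',
        array('name' => $name, 'note' => $note),
        'id_entry = '.$idEntry
    );
}

// HARDENED: every string value goes through pSQL(), every integer is cast,
// and LIMIT 1 bounds the blast radius even if something else goes wrong.
function renameEntry($idEntry, $name, $note)
{
    return Db::getInstance()->update(
        'mymodule_entry',
        array(
            'name' => pSQL($name),        // plain text: escaped, HTML tags stripped
            'note' => pSQL($note, true),  // HTML is legitimate here: escaped, tags kept
        ),
        'id_entry = '.(int)$idEntry,      // integer: cast, never quote
        1                                 // at most one row can be touched
    );
}

// HARDENED delete: pSQL() escapes the value but does NOT add the quotes,
// so the caller must still write the string literal around it.
function deleteEntriesByName($name, $max = 10)
{
    return Db::getInstance()->delete(
        'mymodule_entry',
        'name = \''.pSQL($name).'\'',
        (int)$max
    );
}

// After an UPDATE or DELETE, report what actually happened.
function lastWriteSummary()
{
    $db = Db::getInstance();
    return array(
        'affected' => $db->Affected_Rows(),
        'error'    => $db->getMsgError(),
    );
}
```

The important habit is the one that cannot be automated: decide for each fragment whether it is a string literal (pSQL() plus your own quotes), an integer (a cast, no quotes) or an identifier (bqSQL() inside backticks), and never let request data pick which of the three it is.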

execute()

Method signature: execute($sql, $use_cache = 1).

...

Tip

You should use insert(), update() and delete() as much as possible, and only use execute() if the query gets too complex.
Please note that this method returns a boolean value (true or false), not a database resource that can then be used.

Note

execute() does not protect your code from hacking attempts (SQL injection, XSS flaws and CSRF breaches). You still have to secure your data yourself: the SQL string is sent to MySQL exactly as you built it.
The PrestaShop-specific escaping function is pSQL($value). It only addresses SQL injection; it does nothing for XSS or CSRF.

query()

Method signature: query($sql).

...

Code Block
$sql = 'SELECT * FROM '._DB_PREFIX_.'shop';
if ($results = Db::getInstance()->executeS($sql)) {
	foreach ($results as $row) {
		echo $row['id_shop'].' :: '.$row['name'].'<br />';
	}
}
Note

executeS() does not protect your code from hacking attempts (SQL injection, XSS flaws and CSRF breaches). You still have to secure your data yourself: the SQL string is sent to MySQL exactly as you built it.
The PrestaShop-specific escaping function is pSQL($value). It only addresses SQL injection; it does nothing for XSS or CSRF.

getRow()

Method signature: getRow($sql, $use_cache = 1).

...

Code Block
$sql = 'SELECT * FROM '._DB_PREFIX_.'shop
	WHERE id_shop = 42';
if ($row = Db::getInstance()->getRow($sql)) {
	echo $row['id_shop'].' :: '.$row['name'];
}
Note

getRow() does not protect your code from hacking attempts (SQL injection, XSS flaws and CSRF breaches). You still have to secure your data yourself: the SQL string is sent to MySQL exactly as you built it.
The PrestaShop-specific escaping function is pSQL($value). It only addresses SQL injection; it does nothing for XSS or CSRF.

getValue()

Method signature: getValue($sql, $use_cache = 1).

...

  • Insert_ID(): returns the auto-increment ID created by the latest INSERT query.
  • Affected_Rows(): returns the number of rows affected by the latest UPDATE or DELETE query.
  • getMsgError(): returns the latest error message, if the query has failed.
  • getNumberError(): returns the latest error number, if the query has failed.

Security

Note that none of the above methods escape the query itself. You will have to do that using either pSQL() or bqSQL(), and you must also add the surrounding quotes yourself: both functions escape the characters inside a value, they do not produce a quoted SQL literal. Integers are best handled by an explicit (int) cast rather than by escaping.

pSQL() is an alias for Db::getInstance()->escape($string, $htmlOK);

It has the following PHPDoc comment:

Code Block
/**
 * Sanitize data which will be injected into SQL query
 *
 * @param string $string SQL data which will be injected into SQL query
 * @param bool $htmlOK Does data contain HTML code ? (optional)
 * @return string Sanitized data
 */

It accepts a string that will be sanitized by the function: quotes, backslashes and the other characters that could terminate a string literal are escaped. With the default $htmlOK = false, HTML tags are stripped from the value as well, so if your string legitimately contains HTML code, be sure to pass $htmlOK = true; the string is still escaped in that case, only the tag stripping is skipped.

bqSQL() can also be used. It is intended for identifiers (table and column names written between backticks) rather than for values: it passes the string through pSQL(), always without the option to keep HTML, and additionally escapes the ` character. Because an identifier is not quoted the way a string literal is, escaping alone is not enough: check user-chosen column names against a whitelist before placing them in a query.
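The three cases described in this section (string literal, integer, identifier) are easiest to see side by side in one read query. The following is an added example, not code from the PrestaShop documentation or core; it assumes PrestaShop 1.6, the hypothetical table `<prefix>mymodule_entry` (id_entry, name, note, date_add), and must run inside a bootstrapped PrestaShop because Db, pSQL() and bqSQL() come from the core. It also goes slightly beyond the page by handling LIKE wildcards, which pSQL() does not treat as special.

```php
<?php
// Added example (not part of the original page). Assumes PrestaShop 1.6 and a
// hypothetical table `<prefix>mymodule_entry` (id_entry, name, note, date_add).

// Search entries by name, letting the caller choose the sort column.
function searchEntries($needle, $orderBy = 'date_add', $limit = 20)
{
    // Identifier: bqSQL() escapes the backtick, but the name must also be
    // whitelisted, because an identifier is not protected by quotes.
    $allowed = array('id_entry', 'name', 'date_add');
    if (!in_array($orderBy, $allowed, true)) {
        $orderBy = 'date_add';
    }

    // String literal: pSQL() escapes quote and backslash characters, but
    // "%" and "_" are LIKE wildcards, not SQL metacharacters, so they are
    // neutralised here first. pSQL() then doubles the backslash, which MySQL
    // turns back into a single backslash inside the literal, so LIKE sees
    // "\%" and "\_" and matches them literally.
    $needle = str_replace(array('%', '_'), array('\%', '\_'), $needle);

    $sql = 'SELECT `id_entry`, `name`, `note`
            FROM `'._DB_PREFIX_.'mymodule_entry`
            WHERE `name` LIKE \'%'.pSQL($needle).'%\'
            ORDER BY `'.bqSQL($orderBy).'`
            LIMIT '.(int)$limit;   // integer: cast, never quote

    $rows = Db::getInstance()->executeS($sql);
    return $rows ? $rows : array();
}

// Fetch one entry by primary key: an integer needs a cast, not pSQL().
function getEntry($idEntry)
{
    $sql = 'SELECT * FROM `'._DB_PREFIX_.'mymodule_entry`
            WHERE `id_entry` = '.(int)$idEntry;

    $row = Db::getInstance()->getRow($sql);
    return $row ? $row : null;
}

// Count entries whose note contains a given fragment. The note column may
// hold HTML, so the value is escaped with $htmlOK = true: tags are kept but
// the quote characters inside them are still neutralised.
function countEntriesWithNote($fragment)
{
    $fragment = str_replace(array('%', '_'), array('\%', '\_'), $fragment);

    $sql = 'SELECT COUNT(*) FROM `'._DB_PREFIX_.'mymodule_entry`
            WHERE `note` LIKE \'%'.pSQL($fragment, true).'%\'';

    return (int)Db::getInstance()->getValue($sql);
}
```

If the sort column had been spliced in with pSQL() alone and no whitelist, a caller could pass an expression instead of a column name; bqSQL() only makes sure that the value stays inside the backticks, the whitelist makes sure it is a column you meant to expose.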