I have to write a custom module in the admin area which finds orders which have a certain order status. I have an array of the order statuses that should be returned. The issue I have is that the only SQL syntax I know to achieve this is...
Code: Select all
$sql = "SELECT o.order_id FROM `" . DB_PREFIX . "order` o WHERE o.order_status_id in (" . $auto_order_ids . ")";Now obviously this syntax is wide open to SQL injection. Even if this is run on the admin side it clearly needs to be cleansed or secured. $this->db->escape($auto_order_ids) does not work because it added slashes into the string which means that the SQL syntax fails.
My solution is to check each array element that stores the required order statuses to return and then builds $auto_order_ids with the cleansed values...
Code: Select all
$auto_order_ids = '';
$is_start = true;
foreach ($array_of_auto_order_ids as $auto_order_id) {
if (is_numeric($auto_order_id)) {
if ($is_start) {
$auto_order_ids = $auto_order_id;
$is_start = false;
} else {
$auto_order_ids = $auto_order_ids . ',' . $auto_order_id;
}
}
}Anyone have a view on this and whether it can be done better? I know about cleansing SQL but not building my own functions to do this. In testing the above did seem to only pass through values like 3, '4' and not 'evil SQL'.
