Avoid using default db prefix ps_ #14

Open
SebSept opened this issue Apr 29, 2021 · 6 comments
Comments

SebSept (Contributor) commented Apr 29, 2021

@PululuK pointed out that using ps_ as prefix is not recommended here: #13 (review)

Maybe we should change it?
I have no information on that subject.

Any official source for that recommendation, @PululuK?

PululuK changed the title from "avoid using prefix ps_" to "Avoid using default db prefix ps_" on Apr 29, 2021

PululuK (Contributor) commented Apr 29, 2021

@SebSept Changing it will help protect your shop against any attacks (some SQL injection for example) targeting the default table names

SebSept (Contributor, Author) commented Apr 29, 2021

Anybody with database access could also run a SHOW TABLES; query and find them.
If the attacker can only perform queries without retrieving results, they could also try some brute-force process to find the prefix.
With a big prefix, it will be a kind of protection. OK.
Maybe we could have a word on the subject in the readme and leave the scripts unchanged...

ghost commented Apr 29, 2021

Sorry FOP, but my level of English does not allow me to reply in English.

Having had the avis vérifiés, Geodis and other modules removed from Addons, the only flaw being a DROP TABLE (a variable in an array that blocked INSERTs) in those modules: if you don't know the prefix, there is no flaw...

I don't see why a PrestaShop DB with one user should have access to SHOW; it is not secure, just like having access to DROP.

The table names are product, order... and not ps_product and ps_order; not knowing the prefix protects the shops.

ghost commented Apr 29, 2021

Screenshot from 2021-04-29 21-13-39

SebSept (Contributor, Author) commented Apr 29, 2021

So in brief, with a module with a vulnerability, having a different prefix is a security measure.
✅ We should add a notice or, maybe better, a link to good practices to secure the database.

❔ The other point is: should we change the contents of the queries in this repository?

ghost commented Apr 30, 2021

I don't think we need to change all the queries.

But adding information like https://github.com/PrestaShop/docs/pull/966/files is a good way.
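The practical question left open in the thread, running scripts written for the default `ps_` prefix against a shop that uses a different one, can be handled outside the scripts themselves. The following is an added example written for this issue, not code from this repository or from PrestaShop: it rewrites the default prefix to the shop's real prefix wherever it begins a table name, leaves string literals such as `'ps_old'` untouched, validates the prefix value so the substitution cannot itself inject SQL, and runs the result against a constructed SQLite stand-in (the prefix `xk9_`, the two toy tables and the sample script are all made up for the demonstration). PrestaShop keeps the real prefix in its `_DB_PREFIX_` constant; here it is simply a function argument.

```python
"""Rewrite SQL written for PrestaShop's default `ps_` table prefix to a shop's
real prefix, without touching string literals and without letting the prefix
value itself inject SQL.

Added example for this issue thread; it is not code from the repository.
Assumptions: the scripts hard-code `ps_` (as discussed above), the real prefix
comes from a trusted source (PrestaShop stores it in _DB_PREFIX_; here it is a
function argument), and SQLite stands in for MySQL so the example runs
offline. The prefix `xk9_`, the schema and the script are constructed data.
"""
import re
import sqlite3

# PrestaShop table names use only [A-Za-z0-9_]; restricting the prefix to that
# alphabet means the substitution can never introduce quotes, comments or
# statement separators into the script.
PREFIX_RE = re.compile(r"[A-Za-z0-9_]{1,20}")

# Single-quoted SQL string literals ('' and backslash escapes included). The
# rewrite skips these so a value such as 'ps_old' stays a value, not a table.
STRING_LITERAL_RE = re.compile(r"'(?:[^'\\]|\\.|'')*'")


def validate_prefix(prefix: str) -> str:
    """Return the prefix if it is a plain identifier fragment, else raise."""
    if not PREFIX_RE.fullmatch(prefix):
        raise ValueError(f"refusing suspicious table prefix: {prefix!r}")
    return prefix


def rewrite_prefix(sql: str, prefix: str, default: str = "ps_") -> str:
    """Replace `default` with `prefix` wherever it starts an identifier.

    The negative lookbehind keeps a column such as id_ps_x intact, and the
    lookahead requires the prefix to be followed by the rest of a table name.
    A backtick before the prefix is allowed, so `ps_orders` (quoted) is
    rewritten too.
    """
    prefix = validate_prefix(prefix)
    table_re = re.compile(
        r"(?<![A-Za-z0-9_])" + re.escape(default) + r"(?=[A-Za-z0-9_])"
    )
    out, pos = [], 0
    for lit in STRING_LITERAL_RE.finditer(sql):
        out.append(table_re.sub(prefix, sql[pos:lit.start()]))  # code part
        out.append(lit.group(0))  # literal copied untouched
        pos = lit.end()
    out.append(table_re.sub(prefix, sql[pos:]))
    return "".join(out)


# Constructed stand-ins for a repository script and a tiny shop schema, both
# written against the default prefix exactly as the thread describes.
SAMPLE_SCRIPT = """
SELECT p.id_product, pl.name
FROM ps_product p
JOIN ps_product_lang pl ON pl.id_product = p.id_product
WHERE p.active = 1 AND pl.name <> 'ps_old'
"""

SAMPLE_SCHEMA = """
CREATE TABLE ps_product (id_product INTEGER PRIMARY KEY, active INTEGER);
CREATE TABLE ps_product_lang (id_product INTEGER, name TEXT);
INSERT INTO ps_product VALUES (1, 1), (2, 1);
INSERT INTO ps_product_lang VALUES (1, 'Hoodie'), (2, 'ps_old');
"""


def run_on_shop(prefix: str) -> list:
    """Build a throw-away shop whose tables use `prefix`, then run the script."""
    con = sqlite3.connect(":memory:")
    con.executescript(rewrite_prefix(SAMPLE_SCHEMA, prefix))
    return con.execute(rewrite_prefix(SAMPLE_SCRIPT, prefix)).fetchall()


if __name__ == "__main__":
    print(rewrite_prefix("SELECT * FROM `ps_orders` WHERE ref = 'ps_x'", "xk9_"))
    print(run_on_shop("xk9_"))  # the literal 'ps_old' still filters out row 2
```

The row with name `'ps_old'` is the check that matters: if the rewrite blindly replaced every `ps_`, the literal would become `'xk9_old'`, the filter would silently stop matching and the query would return both rows. Keeping the substitution out of string literals and restricting the prefix to identifier characters are the two things that make this kind of rewrite safe to apply to scripts you did not write.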
