Avoid using default db prefix ps_
#14
Comments
@SebSept Changing it will help protect your shop against any attacks (some SQL injection for example) targeting the default table names
anybody with database access, it could also process a
Sorry FOP, but my level of English does not allow me to reply in English. Having had the Avis Vérifiés, Geodis and other modules removed from Addons, the only flaw being a drop table (a variable in an array that blocked the INSERTs) in these modules, if the prefix is not known there is no flaw ... I don't see why a PrestaShop DB with a user should have access to SHOW; it is not secure, just like having access to DROP. The table names are product, order ... and not ps_product and ps_order; not knowing the prefix protects shops.
So in brief, with a module that has a vulnerability, having a different prefix is a security measure. ❔ The other point is "should we change the contents of queries in this repository"?
I don't think we need to change all the queries. But adding information like https://github.com/PrestaShop/docs/pull/966/files is a good way.
@PululuK pointed out the fact that using `ps_` as prefix is not recommended here: #13 (review)
Maybe we should change it?
I have no information on that subject.
Any official source for that recommendation, @PululuK?