In order to know how to prevent and fix vulnerabilities, we have to know the possible attacks your extension can undergo.
SQL injection is the most common attack, and probably the easiest to perform against an unprotected website. The attacker enters SQL statements in form fields so that the query your script builds from that input behaves differently than you intended.
Magento has worked hard on this point: its database layer is fully equipped to let you secure every form and every database request.
Here is an example from the Magento\Customer\Model\ResourceModel\Customer::_beforeSave() method. Notice that the email value is not written directly into the SQL text; it is passed as a named bind parameter (`:email`) and supplied separately to `fetchOne()`:
```php
// Bind the user-supplied email to a named placeholder instead of concatenating it.
$bind = ['email' => $customer->getEmail()];
$select = $connection->select()
    ->from(
        $this->getEntityTable(),
        [$this->getEntityIdField()]
    )
    ->where('email = :email');
// The value is sent with the query as data, never parsed as SQL.
$result = $connection->fetchOne($select, $bind);
```
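The same pattern applied to an extension's own resource model, as an added example that is not Magento core code: the module name `Vendor\Module`, the table `vendor_subscriber` and its columns are assumptions. The first method shows the string-concatenation mistake the article warns about; the other two show the bound-parameter forms Magento's `Select` and connection objects support.

```php
<?php
// Added example (hypothetical extension, not Magento core code):
// unsafe concatenation beside the bound-parameter pattern described above.
namespace Vendor\Module\Model\ResourceModel;

use Magento\Framework\Model\ResourceModel\Db\AbstractDb;

class Subscriber extends AbstractDb
{
    protected function _construct()
    {
        // Hypothetical table and primary key for this example.
        $this->_init('vendor_subscriber', 'subscriber_id');
    }

    // UNSAFE: user input is glued into the SQL text. Any quote character in
    // $email changes the structure of the query instead of being matched as data.
    public function findIdByEmailUnsafe(string $email)
    {
        $connection = $this->getConnection();
        $select = $connection->select()
            ->from($this->getMainTable(), ['subscriber_id'])
            ->where("email = '" . $email . "'");
        return $connection->fetchOne($select);
    }

    // SAFE: the value travels as a named bind parameter, separate from the SQL
    // text, so the database never interprets it as part of the statement.
    public function findIdByEmail(string $email)
    {
        $connection = $this->getConnection();
        $bind = ['email' => $email];
        $select = $connection->select()
            ->from($this->getMainTable(), ['subscriber_id'])
            ->where('email = :email');
        return $connection->fetchOne($select, $bind);
    }

    // Equivalent shorthand: Select::where() quotes a positional '?' value itself.
    public function findIdByEmailQuoted(string $email)
    {
        $connection = $this->getConnection();
        $select = $connection->select()
            ->from($this->getMainTable(), ['subscriber_id'])
            ->where('email = ?', $email);
        return $connection->fetchOne($select);
    }
}
```

When reviewing an extension, grep its resource models and collections for `where(` calls that build the condition with `.` concatenation or string interpolation; those are the places to convert to `:name` or `?` binding.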