fix issue 54 and 55 + missing index

- 54: fix weakness to sql injection
- 55: remove vies re-checks when on the admin cart list page

- missing index on the vatchecker table, vat_number used in all select queries on this table, this requires a new version number

config.xml

@@ -2,10 +2,10 @@
 <module>
     <name>vatchecker</name>
     <displayName><![CDATA[VAT Checker]]></displayName>
-    <version><![CDATA[2.1.2]]></version>
+    <version><![CDATA[2.1.3]]></version>
     <description><![CDATA[The module verifies whether a customer possesses a valid VAT EU number through the VIES VAT online service. Upon validation, it automatically applies a 0% tax rate to customers from the EU who are not from the same country as the shop.]]></description>
     <author><![CDATA[Inform-All & Keraweb]]></author>
     <tab><![CDATA[billing_invoicing]]></tab>
     <is_configurable>1</is_configurable>
     <need_instance>1</need_instance>
-</module>
+</module>

upgrade/upgrade-2.1.3.php

@@ -0,0 +1,16 @@
+<?php
+if ( ! defined( '_PS_VERSION_' ) ) {
+	exit;
+}
+
+/**
+ * This function updates your module from previous versions to the version 2.1.3,
+ * usefull when you modify your database, or register a new hook ...
+ * Don't forget to create one file per version.
+ */
+function upgrade_module_2_1_3( $module )
+{
+	return Db::getInstance()->Execute(
+		'ALTER TABLE `' . _DB_PREFIX_ . 'vatchecker` ADD INDEX(`vat_number`);'
+	);
+}

vatchecker.php

@@ -94,7 +94,7 @@ public function __construct()
 	{
 		$this->name          = 'vatchecker';
 		$this->tab           = 'billing_invoicing';
-		$this->version       = '3.0.0';
+		$this->version       = '2.1.3';
 		$this->author        = 'Inform-All & Keraweb';
 		$this->need_instance = 1;
 
@@ -561,10 +561,16 @@ public function isValidVat( $address, $error = false )
 			 */
 			$result = $this->getVatValidation( $address );
 
+			$checkIfTimedOut = true;
+			// the cart list on the admin page recalculates prices, this can be many outdated carts at once, just use the db data instead of spamming VIES
+			if(isset($this->context->controller) && (get_class($this->context->controller) == 'AdminCartsController')){
+				$checkIfTimedOut = false;
+			}
+
 			if ( $result ) {
 
-				// VIES API already ran successfully within 24 hours.
-				if ( strtotime( $result['date_modified'] ) > strtotime( '-1 day' ) ) {
+				// if we need to check, find if the VIES API already ran successfully within 24 hours.
+				if ( $checkIfTimedOut && (strtotime( $result['date_modified'] ) > strtotime( '-1 day' )) ) {
 					$checkVat = [
 						'valid' => (bool) $result['valid'],
 						'error' => '',
@@ -632,9 +638,9 @@ private function getVatValidation( $address )
 		$table = _DB_PREFIX_ . 'vatchecker';
 
 		$sql = "SELECT * FROM {$table}
-			WHERE id_address = {$address->id}
-				AND id_country = {$address->id_country}
-				AND vat_number = '{$address->vat_number}'
+			WHERE id_address = ".((int)$address->id)."
+				AND id_country = ".((int)$address->id_country)."
+				AND vat_number =  '".pSQL($address->vat_number)."'
 			";
 
 		$result = Db::getInstance()->executeS( $sql );
@@ -698,10 +704,10 @@ private function setVatValidation( $record )
 		$values = [];
 		foreach ( $record as $key => $value ) {
 			$keys[ $key ] = "`{$key}`";
-			if ( is_bool( $value ) ) {
+			if ( is_bool( $value ) || is_int($value) ) {
 				$values[ $key ] = (int) $value;
 			} else {
-				$values[ $key ] = "'{$value}'";
+				$values[ $key ] = "'".pSQL($value)."'";
 			}
 		}
 
@@ -895,9 +901,8 @@ private function getPreviousValidation( $params )
 		$countryId = Country::getByIso( $params['countryCode'] );
 
 		$sql = "SELECT * FROM {$table}
-			WHERE id_country = {$countryId}
-				AND vat_number = '{$params['vatNumber']}'
-			";
+			WHERE id_country = ".((int)$countryId)."
+				AND vat_number = '".pSQL($params['vatNumber'])."'";
 
 		$result = Db::getInstance()->executeS( $sql );
 		if ( ! $result ) {