@krisives
Last active January 4, 2016 10:19
Things I don't like about PrestaShop

A list of things I don't like about PrestaShop

This is a list of things I don't like about PrestaShop that I have collected while working with it. I keep it around in the hope that over time it will help me improve the software, or other software projects. It's not meant to be "mean" or a dig at any developers, because no project is perfect.

I may have some of this wrong. Most of what I know comes from the official documentation:

Note: At the time of writing the documentation wiki has some linking issues and cannot link to chapters within the documentation.

Framework

Static methods

PrestaShop makes extensive use of static methods to get instances of classes in a global-like context:

```php
Configuration::getInstance();
Database::getInstance();
Manufacturer::getManufacturers();
```

These reduce the testability of any method that calls them (there is no way to substitute the instance in a test) and create unneeded coupling between classes.
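To show the difference this makes, here is an added example (it is not PrestaShop code). A minimal static registry stands in for `Configuration::get()`; the class and interface names are hypothetical. The first class calls the registry directly and can only be tested by mutating global state, while the second receives the lookup through an interface and can be tested with a plain array.

```php
<?php
declare(strict_types=1);

// Added example, not PrestaShop code. A stand-in for a static registry such as
// PrestaShop's Configuration::get(), kept minimal so the file runs on its own.
final class Configuration
{
    private static array $values = [];

    public static function set(string $key, string $value): void
    {
        self::$values[$key] = $value;
    }

    public static function get(string $key): ?string
    {
        return self::$values[$key] ?? null;
    }
}

// 1) Coupled to the static registry: every test must write global state, and
//    two tests that touch the same key can interfere with each other.
final class TaxRuleStatic
{
    public function rateFor(string $country): float
    {
        $raw = Configuration::get('TAX_RATE_' . $country);
        return $raw === null ? 0.0 : (float) $raw;
    }
}

// 2) Dependency injected through a small interface (hypothetical name).
interface ConfigReader
{
    public function get(string $key): ?string;
}

// Production adapter: the static call happens once, at the edge of the system.
final class StaticConfigReader implements ConfigReader
{
    public function get(string $key): ?string
    {
        return Configuration::get($key);
    }
}

// Test double: a plain array, no global state, isolated per test.
final class ArrayConfigReader implements ConfigReader
{
    public function __construct(private array $values) {}

    public function get(string $key): ?string
    {
        return $this->values[$key] ?? null;
    }
}

final class TaxRuleInjected
{
    public function __construct(private ConfigReader $config) {}

    public function rateFor(string $country): float
    {
        $raw = $this->config->get('TAX_RATE_' . $country);
        return $raw === null ? 0.0 : (float) $raw;
    }
}

// The injected version is exercised with a fake and no global setup at all.
$rule = new TaxRuleInjected(new ArrayConfigReader(['TAX_RATE_DE' => '0.19']));
assert($rule->rateFor('DE') === 0.19);
assert($rule->rateFor('FR') === 0.0);

// The static version needs a global write before it can be tested.
Configuration::set('TAX_RATE_DE', '0.19');
assert((new TaxRuleStatic())->rateFor('DE') === 0.19);
echo "ok\n";
```

The production wiring (`new TaxRuleInjected(new StaticConfigReader())`) still ends up at the same static call, but only in one adapter class rather than in every consumer.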

Security

E-mails customer password by default

When a customer signs up, their password is sent in plain text to their e-mail address. This has been reported as #PSXXX and is a bad idea because:

  • Someone might accidentally expose their password by signing up with the wrong e-mail address.

  • A compromised e-mail account reveals a plain-text password that is likely reused on other websites.

  • Anyone in the delivery path can gain access to accounts they should not have access to. Without the plain-text password in the message, such an attack would be limited to a window of time.
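As an added example (not PrestaShop code), here is what a sign-up mail can carry instead of the password: a random one-time activation token with an expiry, of which the server stores only a hash. The storage is an in-memory array and the activation URL, the one-hour lifetime and the function names are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example, not PrestaShop code. The mail carries a single-use link; the
// server keeps only sha256(token) plus an expiry, so neither a leaked mailbox
// nor a stored copy of the table yields a reusable credential.

const TOKEN_TTL_SECONDS = 3600;                 // assumption: one-hour validity
const ACTIVATE_URL      = 'https://shop.example/activate?token='; // hypothetical

/** @var array<string, array{email:string, expires:int}> keyed by sha256(token) */
$pendingTokens = [];

function issueActivationLink(array &$store, string $email, int $now): string
{
    $token = bin2hex(random_bytes(32));         // 256 bits from the CSPRNG
    $store[hash('sha256', $token)] = [           // only the hash is persisted
        'email'   => $email,
        'expires' => $now + TOKEN_TTL_SECONDS,
    ];
    return ACTIVATE_URL . $token;                // raw token exists only in the mail
}

function redeemActivationToken(array &$store, string $token, int $now): ?string
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                             // unknown or already used
    }
    $entry = $store[$key];
    unset($store[$key]);                         // single use, even if it fails below
    if ($entry['expires'] < $now) {
        return null;                             // expired
    }
    return $entry['email'];
}

function renderSignupMail(string $link): string
{
    // Note what is absent: the password never appears in the message body.
    return "Welcome! Activate your account within one hour:\n" . $link . "\n";
}

$now  = time();
$link = issueActivationLink($pendingTokens, 'customer@example.com', $now);
echo renderSignupMail($link);

$token = substr($link, strlen(ACTIVATE_URL));
assert(redeemActivationToken($pendingTokens, $token, $now + 60) === 'customer@example.com');
assert(redeemActivationToken($pendingTokens, $token, $now + 60) === null);   // replay fails
assert(redeemActivationToken($pendingTokens, 'not-a-token', $now) === null); // unknown fails

$late      = issueActivationLink($pendingTokens, 'other@example.com', $now);
$lateToken = substr($late, strlen(ACTIVATE_URL));
assert(redeemActivationToken($pendingTokens, $lateToken, $now + TOKEN_TTL_SECONDS + 1) === null);
echo "ok\n";
```

Because the token is deleted on first use and expires on its own, an intercepted mail is only useful until the customer clicks the link, which is exactly the "window of time" the last bullet describes.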

Uses constant salt for each user

Entries in the ps_customer table by default store a salted MD5 hash, but the salt is a single constant created at install time by PrestaShop. This has been reported as #PSXXX and is a bad idea because:

  • Two customers with the same password will have the same hash.

  • With a large enough dataset the original salt can be derived much more easily (pre-image attack).
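The following added example (not PrestaShop code) puts the constant-salt scheme next to `password_hash()`, which generates a fresh random salt per call and stores it inside the digest. The install salt, the customer rows and the function names are constructed for the example; it also shows how legacy rows can be upgraded transparently at login, since that is the only moment the plaintext is available.

```php
<?php
declare(strict_types=1);

// Added example, not PrestaShop code. weakHash() mirrors the scheme described
// above (one installation-wide salt plus MD5); strongHash() uses password_hash(),
// which salts every digest individually. All values below are constructed.

const INSTALL_SALT = 'constructed-install-time-secret';

function weakHash(string $password): string
{
    return md5(INSTALL_SALT . $password);
}

function strongHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT);
}

// Count digests that occur on more than one row. With a constant salt this
// immediately reveals which customers share a password.
function duplicateDigests(array $digests): int
{
    $counts = array_count_values($digests);
    return count(array_filter($counts, fn(int $n): bool => $n > 1));
}

// Transparent migration: a legacy row is checked against the old scheme, then
// replaced with a per-user hash while the plaintext is in hand (at login).
function loginAndUpgrade(array &$row, string $password): bool
{
    if (password_get_info($row['passwd'])['algo'] === null) {   // not a password_hash() digest
        if (!hash_equals($row['passwd'], weakHash($password))) {
            return false;
        }
        $row['passwd'] = strongHash($password);
        return true;
    }
    if (!password_verify($password, $row['passwd'])) {
        return false;
    }
    if (password_needs_rehash($row['passwd'], PASSWORD_BCRYPT)) {
        $row['passwd'] = strongHash($password);             // cost parameters changed
    }
    return true;
}

// Three constructed customers, two of whom chose the same password.
$passwords = ['alice' => 'correct horse', 'bob' => 'correct horse', 'carol' => 'battery staple'];

$weakRows   = array_map('weakHash', $passwords);
$strongRows = array_map('strongHash', $passwords);

assert($weakRows['alice'] === $weakRows['bob']);        // identical digests
assert($strongRows['alice'] !== $strongRows['bob']);    // different salts, different digests
assert(duplicateDigests(array_values($weakRows)) === 1);
assert(duplicateDigests(array_values($strongRows)) === 0);
assert(password_verify('correct horse', $strongRows['bob']));

$row = ['email' => 'bob@example.com', 'passwd' => $weakRows['bob']];
assert(loginAndUpgrade($row, 'wrong password') === false);
assert(loginAndUpgrade($row, 'correct horse') === true);
assert(password_get_info($row['passwd'])['algo'] === PASSWORD_BCRYPT);   // now per-user salted
assert(loginAndUpgrade($row, 'correct horse') === true);
echo "ok\n";
```

`duplicateDigests()` is also a cheap audit to run over an existing table: any duplicate in a constant-salt column means several accounts share a password, and a single cracked digest unlocks all of them.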

Database

Unsafe SQL

Many things in PrestaShop use unsafe SQL by default. For example, delete:

```php
$db->delete('target_table', 'myField < 15', 3); // From the DB best practices example
```

The delete method signature offers no safe way to pass values into the query, so a programmer ends up writing:

```php
$db->delete('target_table', "myField = $someID");
```

The programmer is expected to cast or escape the value correctly themselves, which should be one of the main jobs of the database abstraction.
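As an added example (not PrestaShop code), the interpolated DELETE above is run against an in-memory SQLite table with a hostile id, and compared with a call-site cast and with a wrapper whose signature forces bound parameters. The `deleteWhere()` helper, table contents and input are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not PrestaShop code. Same DELETE three ways: interpolated as in
// the snippet above, cast at the call site, and through a helper that only
// accepts bound parameters. SQLite in memory, so the file runs stand-alone.

function freshDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE target_table (id INTEGER PRIMARY KEY, myField INTEGER)');
    $pdo->exec('INSERT INTO target_table (myField) VALUES (1), (2), (3)');
    return $pdo;
}

function rowCount(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM target_table')->fetchColumn();
}

// 1) The pattern from the snippet: the id is pasted into the WHERE clause.
function deleteInterpolated(PDO $pdo, string $someID): int
{
    return $pdo->exec("DELETE FROM target_table WHERE myField = $someID");
}

// 2) Hypothetical helper whose signature forces parameters: a caller cannot
//    supply a value without it being bound. Identifiers cannot be bound, so the
//    table name is checked against a strict pattern instead.
function deleteWhere(PDO $pdo, string $table, string $where, array $params): int
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $table)) {
        throw new InvalidArgumentException('bad table name');
    }
    $stmt = $pdo->prepare("DELETE FROM $table WHERE $where");
    $stmt->execute($params);
    return $stmt->rowCount();
}

$hostile = '2 OR 1=1';   // constructed input, e.g. from a tampered query string

// Interpolation: the condition becomes "myField = 2 OR 1=1" and the table is emptied.
$pdo = freshDb();
deleteInterpolated($pdo, $hostile);
assert(rowCount($pdo) === 0);

// Casting at the call site works, but only if every caller remembers to do it.
$pdo = freshDb();
deleteInterpolated($pdo, (string) (int) $hostile);   // (int) '2 OR 1=1' === 2
assert(rowCount($pdo) === 2);

// Bound parameter: the input is compared as a value, never parsed as SQL.
$pdo = freshDb();
$n = deleteWhere($pdo, 'target_table', 'myField = :id', [':id' => $hostile]);
assert($n === 0 && rowCount($pdo) === 3);
$n = deleteWhere($pdo, 'target_table', 'myField = :id', [':id' => 2]);
assert($n === 1 && rowCount($pdo) === 2);
echo "ok\n";
```

The point of `deleteWhere()` is not that it is clever but that its signature has no slot for an unbound value: the safe path is the only path, which is what a database abstraction should provide.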
