
[Contribution] Filter ID



Using this script, you can avoid trivial verification of PHP scripts deployed on your store that do not check the data types when accessing the database, thus having potential security holes in your store's code.

 

This module filters parameters passed during page transitions through the HTTP_GET_VARS and HTTP_POST_VARS arrays. This reduces the risk of SQL string injection through parameters in scripts that do not explicitly check for an integer data type, thus allowing malicious code to run uncontrolled. The current implementation targets table identifiers but also provides a custom array for specific parameters that require integer data type verification. Such parameters can be used by other contributions for comparisons before setting/retrieving information to/from the database.

 

Contribution Link:

http://www.oscommerce.com/community/contributions,3656

Edited by enigma1

There is a problem when the _id parameter passed is an array. This may happen, for example, when removing items from the shopping cart. To get around it for the moment, extend the check in the first 2 statements to eliminate arrays.

 

There are 2 statements in the code processing the get/post variables.

Replace these lines:

	if( stristr($numeric_sec, '_id') !== false ) {

 

 

with this:

	if( stristr($numeric_sec, '_id') !== false && !is_array($string) ) {

 

 

Furthermore, to sanitize other parameters passed as strings, in application_top.php right after

// make a connection to the database... now
 tep_db_connect() or die('Unable to connect to database server!');

 

Add this code:

  $magic_quotes = get_magic_quotes_gpc() ? true : false;
  foreach ($HTTP_GET_VARS as $numeric_sec => $string) {
    // Undo magic quotes first so the value is escaped exactly once below
    if ($magic_quotes) {
      $string = stripslashes($string);
      $HTTP_GET_VARS[$numeric_sec] = $string;
    }
    // Quote if not integer
    if (!is_numeric($string) && !is_array($string)) {
      $HTTP_GET_VARS[$numeric_sec] = mysql_real_escape_string($string);
    }
  }
  reset($HTTP_GET_VARS);

  foreach ($HTTP_POST_VARS as $numeric_sec => $string) {
    if ($magic_quotes) {
      $string = stripslashes($string);
      $HTTP_POST_VARS[$numeric_sec] = $string;
    }
    // Quote if not integer
    if (!is_numeric($string) && !is_array($string)) {
      $HTTP_POST_VARS[$numeric_sec] = mysql_real_escape_string($string);
    }
  }
  reset($HTTP_POST_VARS);


Using the nimmit SEF contribution, I'm getting "product cannot be found" for everything. I did every step (except I do not understand what the code after

Here is also a version with a couple of debug strings showing the parameters passed. If an invalid parameter is passed the script simply exits displaying the parameters passed.

is for...)

but I did the fixes you mentioned in this topic.


Ok, if you get the time, here is the updated version (code for application_top.php):

 

  // Cast every *_id GET parameter to an integer (arrays are skipped)
  foreach ($HTTP_GET_VARS as $numeric_sec => $string) {
    if (stristr($numeric_sec, '_id') !== false && !is_array($string)) {
      settype($HTTP_GET_VARS[$numeric_sec], 'integer');
    }
  }
  reset($HTTP_GET_VARS);

  // Same for POST parameters
  foreach ($HTTP_POST_VARS as $numeric_sec => $string) {
    if (stristr($numeric_sec, '_id') !== false && !is_array($string)) {
      settype($HTTP_POST_VARS[$numeric_sec], 'integer');
    }
  }
  reset($HTTP_POST_VARS);

  // Custom list of parameter names that must also be integers
  $numeric_sec_array = array('page', 'edit', 'id', 'ID', 'pid');
  for ($i = 0, $j = count($numeric_sec_array); $i < $j; $i++) {
    if (isset($HTTP_GET_VARS[$numeric_sec_array[$i]])) {
      settype($HTTP_GET_VARS[$numeric_sec_array[$i]], 'integer');
    }
    if (isset($HTTP_POST_VARS[$numeric_sec_array[$i]])) {
      settype($HTTP_POST_VARS[$numeric_sec_array[$i]], 'integer');
    }
  }

 

The second part I posted previously was giving a similar problem with the shopping cart. Now if this code gives the "no product found" message with seo contributions, I would have to install one of the seo urls to see what exactly is going on. I guess they may use strings for ID parameters, in which case the filtering will force the names to integers.

 

The 2nd part of the code in the readme was for debugging purposes. When it fails the script stops and prints the parameter and value passed.

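The following is an added example, not the Filter ID contribution's own code and not part of any post in this thread. It shows the technique described in the opening post and in the updated application_top.php code above as a single function on a modern PHP version: every parameter whose name contains "_id", plus the names in the custom array, is coerced to an integer; nested arrays (the shopping-cart removal case) are walked instead of cast; and an allowlist keeps string-valued ids intact for contributions such as SEO URLs that would otherwise produce "product cannot be found". The allowlist key, the sample request values and the query text are assumptions made for the demonstration.

```php
<?php
// Added example: a self-contained version of the "Filter ID" idea.
// The key names in $request, the exempt key and the query string below are
// constructed for this demo and are not taken from osCommerce or the contribution.

declare(strict_types=1);

/** Extra parameter names that must be integers (the updated post's custom array). */
const NUMERIC_SEC_ARRAY = ['page', 'edit', 'id', 'ID', 'pid'];

/**
 * Return a copy of $params with id-like values coerced to int.
 * $extra  - additional parameter names treated as integer ids
 * $exempt - keys that must keep their string form (assumed example: an SEO
 *           contribution that passes a name instead of a number in products_id)
 */
function filter_id_params(array $params, array $extra = NUMERIC_SEC_ARRAY, array $exempt = []): array
{
    $out = [];
    foreach ($params as $key => $value) {
        if (is_array($value)) {
            // e.g. cart_delete[]=12 when removing items: recurse instead of casting
            $out[$key] = filter_id_params($value, $extra, $exempt);
            continue;
        }
        $isId = is_string($key)
            && (stripos($key, '_id') !== false || in_array($key, $extra, true))
            && !in_array($key, $exempt, true);
        // (int) behaves like settype(..., 'integer'): "5 or 1=1" -> 5, "" -> 0, "abc" -> 0
        $out[$key] = $isId ? (int) $value : $value;
    }
    return $out;
}

/**
 * A lookup built the way a script that trusts the request would build it.
 * Constructed query text for illustration only.
 */
function build_query(array $params): string
{
    return "select categories_name from categories_description where categories_id = "
        . $params['categories_id'];
}

// Constructed sample request: an injection attempt in manufacturers_id, the
// advanced-search case of an empty categories_id, an id array from a cart
// removal, free text that is not an id, and an SEO-style string id.
$request = [
    'manufacturers_id' => '5 or 1=1',
    'categories_id'    => '',
    'cart_delete'      => ['28', '31 union select 1'],
    'keywords'         => "Matrix' --",    // not an id: left for normal string escaping
    'products_id'      => 'matrix-dvd',    // exempt: kept as-is for the SEO contribution
];

$filtered = filter_id_params($request, NUMERIC_SEC_ARRAY, ['products_id']);

var_dump($filtered['manufacturers_id']);           // int(5)
var_dump($filtered['categories_id']);              // int(0): empty string no longer aborts the page
echo json_encode($filtered['cart_delete']), "\n";  // [28,31]
var_dump($filtered['products_id']);                // string(10) "matrix-dvd"
echo build_query($request), "\n";                  // ... where categories_id =    (broken SQL)
echo build_query($filtered), "\n";                 // ... where categories_id = 0
```

The free-text `keywords` value is deliberately left untouched: integer coercion only protects parameters that are supposed to be numbers, and string parameters still rely on the store's normal escaping (tep_db_input in osCommerce), which is why the later post in this thread drops the separate escape step once the core handles strings itself.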

Version 1.01 is available with updates/fixes

 

- Code added to check identifiers within arrays.

- Fix when removing items from the shopping cart.

- Fix adding items with product attributes (default custom array modified to exclude straight id strings).

- Escape string filtering added.

- Added instructions for those using SEO url contributions.


  • 2 months later...

This is a great contribution but there is a problem; I don't know if it was found or fixed yet.

 

Go to Advanced Search in your shop and type anything like "Matrix" and don't choose any category or manufacturer to search in.

It will return a plain page with only the text "categories_id=" in it.

 

If I remove the categories_id from the URL and refresh, it returns another blank page with "manufacturers_id=".

 

/advanced_search_result.php?keywords=Matrix&categories_id=&inc_subcat=1&manufacturers_id=&pfrom=&pto=&dfrom=&dto=&x=0&y=0

 

Just wondering if anyone have noticed or fixed this.

 

Thanks



I've noticed it, but have not figured out a fix for it yet.


Are you using the debugging code (the one at the end of the readme)? There is code to stop the script in that case.

 

Also the function tep_real_escape_array has a problem detecting the magic quotes because that can be controlled by other server parameters. With the introduction of the later osc upgrade the tep_real_escape_array should not be necessary as the strings are sanitized in all cases properly. So steps 1.2 and 2 should not be there.



Thanks Mark, removing steps 1.2 and 2 did the trick. The advanced search seems to be working fine now.

