Guest, posted October 13, 2005 (edited October 13, 2005 by enigma1)

Using this script, you can avoid trivial verification of PHP scripts deployed on your store, those not checking the data types when accessing the database and thus having potential security holes in your store's code. This module filters parameters passed during page transitions through the HTTP_GET_VARS and HTTP_POST_VARS arrays. This reduces the risk of SQL string injection into the parameters with scripts that do not explicitly check for an integer data type, thus allowing malicious code to run uncontrolled. The current implementation targets table identifiers but also provides a custom array for specific parameters that require integer data type verification. Such parameters can be used by other contributions for comparisons before setting/retrieving information to/from the dbase.

Contribution Link: http://www.oscommerce.com/community/contributions,3656
Guest, posted October 13, 2005

There is a problem when the _id parameter passed is an array. This may happen, for example, when removing items from the shopping cart. To get around it for the moment, extend the check in the first 2 statements to eliminate arrays. There are 2 statements in the code processing the get/post variables. Replace these lines:

    if( stristr($numeric_sec, '_id') !== false ) {

with this:

    if( stristr($numeric_sec, '_id') !== false && !is_array($string) ) {

Furthermore, to sanitize other parameters passed as strings, in application_top.php right after

    // make a connection to the database... now
    tep_db_connect() or die('Unable to connect to database server!');

add this code:

    // magic_quotes_gpc already backslash-escaped the request; undo it first so
    // nothing is escaped twice by mysql_real_escape_string() below
    $magic_quotes = get_magic_quotes_gpc() ? true : false;
    foreach($HTTP_GET_VARS as $numeric_sec => $string) {
      if ($magic_quotes) {
        $string = stripslashes($string);
        $HTTP_GET_VARS[$numeric_sec] = $string;
      }
      // Quote if not integer (arrays are left alone here)
      if (!is_numeric($string) && !is_array($string) ) {
        // needs the connection opened by tep_db_connect() above
        $HTTP_GET_VARS[$numeric_sec] = mysql_real_escape_string($string);
      }
    }
    reset($HTTP_GET_VARS);
    foreach($HTTP_POST_VARS as $numeric_sec => $string) {
      if ($magic_quotes) {
        $string = stripslashes($string);
        $HTTP_POST_VARS[$numeric_sec] = $string;
      }
      // Quote if not integer (arrays are left alone here)
      if (!is_numeric($string) && !is_array($string) ) {
        $HTTP_POST_VARS[$numeric_sec] = mysql_real_escape_string($string);
      }
    }
    reset($HTTP_POST_VARS);
Guest, posted October 14, 2005

Using the Nimmit SEF contribution, I'm getting "product cannot be found" for everything. I did every step (except I do not understand what the code after "Here is also a version with a couple of debug strings showing the parameters passed. If an invalid parameter is passed the script simply exits displaying the parameters passed." is for), but I did the fixes you mentioned in this topic.
Guest, posted October 14, 2005

OK, if you get the time, here is the updated version (code for application_top.php):

    // Force every *_id parameter to an integer, skipping arrays
    // (e.g. products_id[] sent when removing items from the cart)
    foreach($HTTP_GET_VARS as $numeric_sec => $string) {
      if( stristr($numeric_sec, '_id') !== false && !is_array($string) ) {
        settype($HTTP_GET_VARS[$numeric_sec], 'integer');
      }
    }
    reset($HTTP_GET_VARS);
    foreach($HTTP_POST_VARS as $numeric_sec => $string) {
      if( stristr($numeric_sec, '_id') !== false && !is_array($string) ) {
        settype($HTTP_POST_VARS[$numeric_sec], 'integer');
      }
    }
    reset($HTTP_POST_VARS);
    // Extra parameter names that must be integers although they do not contain _id
    $numeric_sec_array = array('page','edit','id','ID','pid');
    for($i=0,$j=count($numeric_sec_array); $i<$j; $i++ ) {
      if( isset($HTTP_GET_VARS[$numeric_sec_array[$i]]) ) {
        settype($HTTP_GET_VARS[$numeric_sec_array[$i]], 'integer');
      }
      if( isset($HTTP_POST_VARS[$numeric_sec_array[$i]]) ) {
        settype($HTTP_POST_VARS[$numeric_sec_array[$i]], 'integer');
      }
    }

The second part I posted previously was giving a similar problem with the shopping cart. Now, if this code gives the "no product found" message with SEO contributions, I would have to install one of the SEO URLs to see what exactly is going on. I guess they may use strings for ID parameters, in which case the filtering will force the names to integers. The 2nd part of the code in the readme was for debugging purposes. When it fails, the script stops and prints the parameter and value passed.
Guest, posted October 15, 2005

Version 1.01 is available with updates/fixes:
- Code added to check identifiers within arrays.
- Fix when removing items from the shopping cart.
- Fix adding items with product attributes (default custom array modified to exclude straight id strings).
- Escape string filtering added.
- Added instructions for those using SEO URL contributions.
Guest, posted December 19, 2005

This is a great contribution, but there is a problem; I don't know if it was found or fixed yet. Go to Advanced Search in your shop, type anything like "Matrix" and don't choose any category or manufacturer to search in. It will return a plain page with only the text "categories_id=" in it. If I remove the categories_id from the URL and refresh, it returns another blank page with "manufacturers_id=".

/advanced_search_result.php?keywords=Matrix&categories_id=&inc_subcat=1&manufacturers_id=&pfrom=&pto=&dfrom=&dto=&x=0&y=0

Just wondering if anyone has noticed or fixed this. Thanks
lrparr, posted December 23, 2005

> This is a great contribution, but there is a problem; I don't know if it was found or fixed yet. Go to Advanced Search in your shop, type anything like "Matrix" and don't choose any category or manufacturer to search in. It will return a plain page with only the text "categories_id=" in it. If I remove the categories_id from the URL and refresh, it returns another blank page with "manufacturers_id=".
>
> /advanced_search_result.php?keywords=Matrix&categories_id=&inc_subcat=1&manufacturers_id=&pfrom=&pto=&dfrom=&dto=&x=0&y=0
>
> Just wondering if anyone has noticed or fixed this. Thanks

I've noticed it, but have not figured out a fix for it yet.
Guest, posted December 23, 2005

Are you using the debugging code (the one at the end of the readme)? There is code to stop the script in that case. Also, the function tep_real_escape_array has a problem detecting the magic quotes, because that can be controlled by other server parameters. With the introduction of the later osc upgrade, the tep_real_escape_array should not be necessary, as the strings are sanitized properly in all cases. So steps 1.2 and 2 should not be there.
lrparr, posted December 26, 2005

> Are you using the debugging code (the one at the end of the readme)? There is code to stop the script in that case. Also, the function tep_real_escape_array has a problem detecting the magic quotes, because that can be controlled by other server parameters. With the introduction of the later osc upgrade, the tep_real_escape_array should not be necessary, as the strings are sanitized properly in all cases. So steps 1.2 and 2 should not be there.

Thanks Mark, removing steps 1.2 and 2 did the trick. The advanced search seems to be working fine now.
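As an added example (not the contribution's code nor anything posted in this thread), here is one filter in the spirit of the application_top.php snippets above that also covers the two cases raised later: identifier arrays from the cart (it recurses into arrays) and the empty categories_id= from advanced search (it records coerced values for logging instead of exiting). The function name, the $numeric_sec_array list and the sample request are assumed or constructed.

```php
<?php
// Added example, not the contribution's own code. Works on any request array
// ($_GET, $HTTP_GET_VARS, ...): every *_id key, every key in the extra list and
// every element below such a key is cast to integer. Nothing calls exit().

// Names that must be integers although they do not contain "_id" (assumed list).
$numeric_sec_array = array('page', 'edit', 'id', 'ID', 'pid');

// Returns the filtered copy of $params. Values that were not numeric are
// appended to $coerced as "name=value" so the caller can log them.
function numeric_sec_filter($params, $extra, &$coerced, $force = false, $prefix = '')
{
    foreach ($params as $key => $value) {
        $name = ($prefix === '') ? (string)$key : $prefix . '[' . $key . ']';
        $wants_int = $force
            || stristr((string)$key, '_id') !== false
            || in_array((string)$key, $extra, true);
        if (is_array($value)) {
            // Below an identifier name every leaf must be an integer ($force).
            $params[$key] = numeric_sec_filter($value, $extra, $coerced, $wants_int, $name);
        } elseif ($wants_int) {
            if (!is_numeric($value)) {
                // '' (advanced search with no category chosen) lands here and becomes 0.
                $coerced[] = $name . '=' . $value;
            }
            // Caveat: osCommerce's products_id with attributes ("28{4}5") would be
            // truncated to 28; exclude such names before relying on this cast.
            $params[$key] = (int)$value;
        }
    }
    return $params;
}

// Constructed sample request standing in for $_GET (not captured traffic).
$sample = array(
    'keywords'         => 'Matrix',
    'categories_id'    => '',               // advanced search, no category chosen
    'manufacturers_id' => '7abc',           // not numeric: cast to 7 and reported
    'products_id'      => array('12', '9'), // array form used when removing cart items
    'page'             => '2',              // covered by $numeric_sec_array
    'cPath'            => '1_5',            // not an identifier, left untouched
);
$coerced = array();
$clean = numeric_sec_filter($sample, $numeric_sec_array, $coerced);
var_export($clean);
if (count($coerced) > 0) {
    error_log('numeric_sec coerced: ' . implode(', ', $coerced));
}
```

Wire it in where the thread puts its snippet, right after tep_db_connect() in application_top.php, and review the error log for the coerced entries rather than letting a debug exit() blank the page.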