osCommerce

[TiM's] Safer Database Input Method


snights


After using this contribution my product descriptions have gone bananas, because I do use HTML, but I do want my site to be as secure as it can be. Please read on:

http://addons.oscommerce.com/info/6546

catalog/includes/functions/database.php
catalog/admin/includes/functions/database.php

Find

function tep_db_input($string, $link = 'db_link') {
  global $$link;
  if (function_exists('mysql_real_escape_string')) {
    return mysql_real_escape_string($string, $$link);
  } elseif (function_exists('mysql_escape_string')) {
    return mysql_escape_string($string);
  }
  return addslashes($string);
}

Change to

// Added below for [TiM's osC Solutions] Safer Database Input Method: $allowable_tags = false
// To allow tags, either pass (boolean)true for all tags or example (string)'<b><i>' for certain tags.
function tep_db_input($string, $link = 'db_link', $allowable_tags = false) {
  global $$link;

  // BOF: [TiM's osC Solutions] Safer Database Input Method
  if ($allowable_tags === false || is_string($allowable_tags)) {
    $string = strip_tags($string, $allowable_tags);
  }
  // EOF: [TiM's osC Solutions] Safer Database Input Method

  if (function_exists('mysql_real_escape_string')) {
    return mysql_real_escape_string($string, $$link);
  } elseif (function_exists('mysql_escape_string')) {
    return mysql_escape_string($string);
  }

  return addslashes($string);
}

Then more info:

If you for any good reason need to store HTML code in the database, you need to edit the tep_db_input() command like the following examples.

*** Original code (example): ***

$example_query = tep_db_query("update myTable set column='". tep_db_input($var) ."' where this='that' limit 1;");

*** To allow all tags, change to: ***

$example_query = tep_db_query("update myTable set column='". tep_db_input($var, 'db_link', true) ."' where this='that' limit 1;");

*** To allow only <b> and <i>, change to: ***

$example_query = tep_db_query("update myTable set column='". tep_db_input($var, 'db_link', '<b><i>') ."' where this='that' limit 1;");

 

 

And yes, I need to save the HTML in my database for my links to the product manuals, the sizes of tables etc. that I have in the product description.

But right now I feel like a dumb blonde. Where do I actually enter this example_query?


  • 2 weeks later...

There is a problem with product descriptions in categories.php, because it uses tep_db_perform instead of tep_db_query, so it's not possible to have an HTML-formatted description.

 

    tep_db_perform(TABLE_PRODUCTS_DESCRIPTION, $sql_data_array);
  } elseif ($action == 'update_product') {
    tep_db_perform(TABLE_PRODUCTS_DESCRIPTION, $sql_data_array, 'update', "products_id = '" . (int)$products_id . "' and language_id = '" . (int)$language_id . "'");
  }

 

Can you help me solve this?

Thanks

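As an added example (not code from the add-on, from osCommerce, or from anyone in this thread), the stand-alone PHP script below re-implements the contract of the patched tep_db_input() shown in the first post and adds a tep_db_perform()-style builder with a per-column HTML policy, which is the situation described in the post above: the real tep_db_perform() calls tep_db_input() with no tag argument, so every column gets the stripping default. The mysql_* functions no longer exist in modern PHP, so the $link parameter is dropped and escaping is done by a stand-in escape_for_sql(); escape_for_sql, build_insert, the table name and the sample row are all assumptions made for this example.

```php
<?php
// Added example, not code from the add-on, osCommerce, or anyone in this thread.
// It re-implements the patched tep_db_input() contract and adds a
// tep_db_perform()-style builder with a per-column HTML policy.

// Stand-in for mysql_real_escape_string(), which no longer exists in modern PHP.
// Assumption for this example only: no live connection is available, so the
// characters MySQL treats specially inside a quoted literal are escaped here.
// In a real shop use mysqli_real_escape_string() or, better, prepared statements.
function escape_for_sql(string $value): string {
    return strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Same contract as the patched function from the add-on:
//   false  -> strip every tag (safe default, "deny from all")
//   true   -> keep all tags
//   string -> keep only the listed tags, e.g. '<b><i>'
// Stripping happens before escaping, and the two steps address different risks:
// strip_tags() limits what the browser will later render, escaping keeps the
// value inside its SQL string literal. Neither replaces the other.
function tep_db_input(string $string, $allowable_tags = false): string {
    if ($allowable_tags === false || is_string($allowable_tags)) {
        $string = strip_tags($string, $allowable_tags === false ? null : $allowable_tags);
    }
    return escape_for_sql($string);
}

// tep_db_perform()-style builder (the name build_insert is an assumption).
// osCommerce's real tep_db_perform() runs every value through tep_db_input()
// with no tag argument, which is why the patched function strips HTML from
// products_description on save. Here $html_columns maps column name =>
// allowable tags for that column; every other column gets the stripping
// default. It returns the SQL instead of executing it, so the result can be
// inspected.
function build_insert(string $table, array $data, array $html_columns = []): string {
    $columns = [];
    $values  = [];
    foreach ($data as $column => $value) {
        $allow = array_key_exists($column, $html_columns) ? $html_columns[$column] : false;
        $columns[] = $column;
        $values[]  = "'" . tep_db_input((string) $value, $allow) . "'";
    }
    return 'insert into ' . $table . ' (' . implode(', ', $columns)
         . ') values (' . implode(', ', $values) . ')';
}

// Constructed sample input resembling a product description typed by the shop
// owner: a link to a manual, bold text carrying an attribute, and an apostrophe.
$description = 'Download the <a href="manual.pdf">manual</a>. '
             . 'Fits <b class="warn">most</b> models, O\'Brien\'s choice.';

// 1. Default call: all tags removed, the apostrophes escaped.
echo tep_db_input($description), "\n";

// 2. Allow only <b> and <i>: the link is removed, <b> stays, and so does its
//    class attribute, because strip_tags() filters tags, not attributes.
echo tep_db_input($description, '<b><i>'), "\n";

// 3. Per-column policy for a constructed products_description row:
//    products_name is stripped, products_description keeps its markup.
echo build_insert('products_description', [
    'products_id'          => 42,
    'language_id'          => 1,
    'products_name'        => 'Widget <i>Pro</i>',
    'products_description' => $description,
], ['products_description' => '<a><b><i>']), "\n";
```

Run it with `php example.php`. Two points worth keeping in mind when applying the add-on: an allowlist of tags is not an allowlist of attributes, since strip_tags() keeps whatever attributes sit on a tag it lets through, so allowing `<a>` also allows any href value; that is acceptable when, as Sam notes later in the thread, only the shop owner types the description, but content posted by visitors needs a real HTML sanitiser rather than strip_tags(). And the escaping step only protects the SQL literal; it does nothing about what the stored HTML does in a browser, which is exactly why the add-on strips tags before escaping.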

It's perfectly safe to store HTML in the database when you have created it; the risk is should you allow your visitors to input the code within forms, and the best way to ensure that can't happen is through input sanitising. So remove any of the [TiM's] Safer Database Input Method that's causing you issues & add Security Pro http://addons.oscommerce.com/info/5752 and Sam's Anti-hacker Account Mods http://addons.oscommerce.com/info/7202

Sam

 


  • 1 year later...

Safer Database Input Method was not purposely developed to be an anti-XSS contribution. Of all the thousands of columns in MySQL, not many are purposely made for storing HTML content. I wouldn't say anyone is, but several people use products_description for this, which is convenient. Of course you can instead plug all vulnerabilities, i.e. the Who's Online vulnerability, or any other core functions or add-ons letting users post form data to the database.

But instead of the method "allow from all, deny from some" and relying on the scripts to clean input, this reverses the method to "deny from all, allow from some".

Website owners who have experience of spam links, hotlinked images or malicious code know the headache this causes if users post HTML code to a script.

So instead of spending days making sure all scripts passing data clean input of undesired content, you can use this 5-minute add-on.

I am aware that some may find this useful and some may not, just like any other add-on.


  • 1 year later...

My problem is, in the order there is no text, price or shipping when I change these lines in includes/functions/database.php. What can I do? Thanks for the reply.

Archived

This topic is now archived and is closed to further replies.
