snights Posted February 28, 2010

After using this contribution my product descriptions have gone bananas, because I do use HTML. But I do want my site to be as secure as it can be. Please read on:

http://addons.oscommerce.com/info/6546

catalog/includes/functions/database.php
catalog/admin/includes/functions/database.php

Find

    function tep_db_input($string, $link = 'db_link') {
      global $$link;

      if (function_exists('mysql_real_escape_string')) {
        return mysql_real_escape_string($string, $$link);
      } elseif (function_exists('mysql_escape_string')) {
        return mysql_escape_string($string);
      }

      return addslashes($string);
    }

Change to

    // Added below for [TiM's osC Solutions] Safer Database Input Method: $allowable_tags = false
    // To allow tags, either pass (boolean)true for all tags or example (string)'<b><i>' for certain tags.
    function tep_db_input($string, $link = 'db_link', $allowable_tags = false) {
      global $$link;

      // BOF: [TiM's osC Solutions] Safer Database Input Method
      if ($allowable_tags === false || is_string($allowable_tags)) {
        $string = strip_tags($string, $allowable_tags);
      }
      // EOF: [TiM's osC Solutions] Safer Database Input Method

      if (function_exists('mysql_real_escape_string')) {
        return mysql_real_escape_string($string, $$link);
      } elseif (function_exists('mysql_escape_string')) {
        return mysql_escape_string($string);
      }

      return addslashes($string);
    }

Then more info:

If you for any good reason need to store HTML code in the database, you need to edit the tep_db_input() command like the following examples.

*** Original code (example): ***

    $example_query = tep_db_query("update myTable set column='". tep_db_input($var) ."' where this='that' limit 1;");

*** To allow all tags, change to: ***

    $example_query = tep_db_query("update myTable set column='". tep_db_input($var, 'db_link', true) ."' where this='that' limit 1;");

*** To allow only <b> and <i>, change to: ***

    $example_query = tep_db_query("update myTable set column='". tep_db_input($var, 'db_link', '<b><i>') ."' where this='that' limit 1;");

And yes, I need to save the HTML in my database for my links to the product manuals, the size of tables etc. that I have in the product description. But right now I feel like a dumb blonde. Where do I actually enter this example_query?
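Added example (not part of snights's post or of the add-on): the stand-alone PHP script below models what the patched tep_db_input() does to a product description under each of its three modes. Because a stand-alone script has no database link, addslashes() stands in for the mysql_real_escape_string() call, and the description text is constructed. The last case shows a caveat worth knowing before treating the tag allowlist as a filter: strip_tags() leaves the attributes of an allowed tag untouched, so an onmouseover handler on an allowed <i> element survives.

```php
<?php
// Added example: stand-alone model of the patched tep_db_input().
// The real function escapes with mysql_real_escape_string($string, $$link);
// addslashes() stands in here because there is no database connection.
function model_tep_db_input($string, $allowable_tags = false)
{
    if ($allowable_tags === false || is_string($allowable_tags)) {
        // false  -> strip every tag
        // string -> keep only the listed tags (their attributes are left as-is)
        // true   -> never reaches strip_tags(), so all markup is kept
        $string = strip_tags($string, $allowable_tags === false ? '' : $allowable_tags);
    }
    return addslashes($string);
}

// Constructed product description of the kind the thread describes:
// bold/italic text, a link to the product manual and a size table.
$description = '<p>The <b>XL</b> model, <i>now in stock</i>.</p>'
             . '<a href="/manuals/xl.pdf">Download manual</a>'
             . '<table><tr><td>Width</td><td>120 cm</td></tr></table>';

$modes = array(
    'default, $allowable_tags = false' => false,
    'all tags, $allowable_tags = true' => true,
    'only <b><i>'                      => '<b><i>',
);

foreach ($modes as $label => $mode) {
    echo $label, ":\n  ", model_tep_db_input($description, $mode), "\n\n";
}

// Caveat: strip_tags() does not touch the attributes of an allowed tag,
// so an event handler on an allowed <i> element passes straight through.
$hostile = '<i onmouseover="alert(1)">hover me</i>';
echo "allowed tag keeps its attributes:\n  ", model_tep_db_input($hostile, '<b><i>'), "\n";
```

Run it with the php command-line binary. The first mode is the one the patch installs by default, which is why a description built from links and tables comes out as bare text; the third keeps the <b> and <i> elements but drops the href and the whole table. Since attributes on allowed tags are preserved, the allowlist shapes markup but does not stop script injection through attributes, which is consistent with timint's later remark that the add-on was not designed as an anti-XSS contribution.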
Joel Garcin Posted March 9, 2010

There is a problem with the products description in categories.php, because it uses tep_db_perform instead of tep_db_query, so it's not possible to have an HTML-formatted description:

      tep_db_perform(TABLE_PRODUCTS_DESCRIPTION, $sql_data_array);
    } elseif ($action == 'update_product') {
      tep_db_perform(TABLE_PRODUCTS_DESCRIPTION, $sql_data_array, 'update', "products_id = '" . (int)$products_id . "' and language_id = '" . (int)$language_id . "'");
    }

Can you help me to solve this? Thanks
spooks Posted March 9, 2010

It's perfectly safe to store HTML in the database when you have created it; the risk is should you allow your visitors to input the code within forms, and the best way to ensure that can't happen is through input sanitising. So remove any of the [TiM's] Safer Database Input Method that's causing you issues and add Security Pro http://addons.oscommerce.com/info/5752 and Sam's Anti-hacker Account Mods http://addons.oscommerce.com/info/7202

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:
Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.
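Joel's problem above is that tep_db_perform() calls tep_db_input() internally with no way to pass $allowable_tags, so every column in $sql_data_array is stripped, products_description included. One way to address that, and to keep spooks's distinction between HTML the shop owner wrote and HTML a visitor might submit, is a per-column policy: the builder consults an allowlist keyed by column name and strips everything else. The code below is an added example, not osCommerce's tep_db_perform(); it returns the SQL string instead of executing it, uses addslashes() in place of mysql_real_escape_string() because there is no database link, and the $html_columns policy, the sample row and the id values are assumptions for illustration (TABLE_PRODUCTS_DESCRIPTION is assumed to resolve to 'products_description').

```php
<?php
// Added example: a tep_db_perform()-style query builder with a per-column tag
// policy. Columns not listed in $html_columns have every tag stripped; listed
// columns keep only the tags named for them (or all tags when mapped to true).
// Not osCommerce's own code; it returns the SQL string instead of running it.

// Assumed policy table: which columns may carry HTML written by the shop owner.
$html_columns = array(
    'products_description' => '<p><br><b><i><a><table><tr><td><th><ul><ol><li>',
);

function model_tep_db_input($string, $allowable_tags = false)
{
    if ($allowable_tags === false || is_string($allowable_tags)) {
        $string = strip_tags($string, $allowable_tags === false ? '' : $allowable_tags);
    }
    return addslashes($string); // stands in for mysql_real_escape_string()
}

function build_perform_sql($table, array $data, $action = 'insert', $parameters = '', array $html_columns = array())
{
    // Column names come from code (the $sql_data_array keys), never from the
    // request, so they are used as-is, exactly as tep_db_perform() does.
    $value_sql = function ($column, $value) use ($html_columns) {
        if ((string)$value === 'now()') {
            return 'now()';
        }
        if ((string)$value === 'null') {
            return 'null';
        }
        $tags = isset($html_columns[$column]) ? $html_columns[$column] : false;
        return "'" . model_tep_db_input($value, $tags) . "'";
    };

    if ($action === 'insert') {
        $values = array();
        foreach ($data as $column => $value) {
            $values[] = $value_sql($column, $value);
        }
        return 'insert into ' . $table . ' (' . implode(', ', array_keys($data))
             . ') values (' . implode(', ', $values) . ')';
    }
    if ($action === 'update') {
        $sets = array();
        foreach ($data as $column => $value) {
            $sets[] = $column . ' = ' . $value_sql($column, $value);
        }
        return 'update ' . $table . ' set ' . implode(', ', $sets) . ' where ' . $parameters;
    }
    throw new InvalidArgumentException('unknown action: ' . $action);
}

// Constructed input resembling what categories.php collects from the admin form.
$sql_data_array = array(
    'products_name'        => "Widget XL <script>alert('name')</script>",
    'products_description' => '<p>See the <a href="/manuals/xl.pdf">manual</a>.</p>'
                            . '<img src="x" onerror="alert(1)">',
    'last_modified'        => 'now()',
);
$products_id = 42; // assumed
$language_id = 1;  // assumed

// 'products_description' is the assumed value of TABLE_PRODUCTS_DESCRIPTION.
echo build_perform_sql('products_description', $sql_data_array, 'update',
        "products_id = '" . (int)$products_id . "' and language_id = '" . (int)$language_id . "'",
        $html_columns), "\n";
```

In the generated statement products_name loses its <script> element (the text between the tags remains, with its quotes backslashed), products_description keeps the <p> and the <a href> but drops the <img> with its onerror handler, and last_modified stays now(). The same caveat from the earlier example applies: attributes on allowed tags such as <a> are not inspected, so the allowlist is about which columns may hold the owner's own markup, not a substitute for sanitising visitor-supplied form data.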
timint Posted May 13, 2011

Safer Database Input Method is not purposely developed for being an anti-XSS contribution. Of all the thousands of columns in MySQL, not many are purposely made for storing HTML content. I wouldn't say any one is, but several people use products_description for this, which is convenient. Of course you can instead plug all vulnerabilities, i.e. the Who's Online vulnerability, or any other core functions or add-ons letting users post form data to the database. But instead of the method "allow from all, deny from some", relying on the scripts to clean input, this reverses the method to "deny from all, allow from some". Website owners who have experience of spam links, hotlinked images, or malicious code know the headache from this if users post HTML code to a script. So instead of spending days making sure all scripts passing data clean the input of undesired content, you can use this 5-minute add-on. I am aware that some may find this useful and some may not, just like any other add-on.
roneada Posted May 17, 2012

(quoting snights's post above)

My problem is that in the order there is no text, price or shipping when I change these lines in includes/functions/database.php. What can I do? Thanks for the reply
Archived
This topic is now archived and is closed to further replies.