What exactly does the $this->db->escape() line do?
I assume this executes htmlentities on the string?
-------------------------------------------------
Opencart v.1.5.4 (clean install)
Reference: http://ellislab.com/codeigniter/user-gu ... eries.htmlThis function determines the data type so that it can escape only string data. It also automatically adds single quotes around the data so you don't have to:
UPDATE:
It does the following exactly: (Found in system->database->mysql.php)
Code: Select all
public function escape($value) {
if ($this->link) {
return mysql_real_escape_string($value, $this->link);
}
}http://us.php.net/mysql%5Freal%5Fescape%5Fstring
*Disclaimer: I hope I have been as clear as possible and helpful. If you are unsure of anything please ask I will be happy to help - I do frequently watch the posts I have posted in previously.
How to change prices across a whole multi-store, with a baseline price for each product:
http://forum.opencart.com/viewtopic.php ... 24#p406793
Thanks for your answer.. I've got one more additional related question though.
I'm sure opencart is pretty safe, but what if I add some custom fields to the registration page.
Basicly the validation part of the controller register.php file only checks whether the variables ain't empty and then the variables are being written to the database, ofcourse escaped by the line.
Is this the only protection or am I overseeing something? And does this protection protect against sql injections, xss and so on?
sorry if this has been asked before, i'm kinda new to this forum.
I'm sure opencart is pretty safe, but what if I add some custom fields to the registration page.
Basicly the validation part of the controller register.php file only checks whether the variables ain't empty and then the variables are being written to the database, ofcourse escaped by the
Code: Select all
$this->db->escape($variable)Is this the only protection or am I overseeing something? And does this protection protect against sql injections, xss and so on?
sorry if this has been asked before, i'm kinda new to this forum.
Escaping a variable upon SQL insertion is for mySQL server libraries to avoid confusion between static and dynamic functions when initiated from query strings.
Without escaping:
Escaping:
which also avoids confusion when using spaces since multiple languages, not just for PHP, does NOT use spaces when static functions are implied. 
Note: The addslashes function can also be used with PHP when using other database libraries.
Without escaping:
Code: Select all
test123
Code: Select all
\test123\
Note: The addslashes function can also be used with PHP when using other database libraries.
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
The database escape method is only useful if you've enclosed the variable with single quotes. If you don't then you're still susceptible to SQL injection.Goliath wrote:Is this the only protection or am I overseeing something? And does this protection protect against sql injections, xss and so on?
http://johnroach.info/2011/02/17/why-my ... n-attacks/
-Ryan
I will go through what register.php doesGoliath wrote:Thanks for your answer.. I've got one more additional related question though.
I'm sure opencart is pretty safe, but what if I add some custom fields to the registration page.
Basicly the validation part of the controller register.php file only checks whether the variables ain't empty and then the variables are being written to the database, ofcourse escaped by theline.Code: Select all
$this->db->escape($variable)
Is this the only protection or am I overseeing something? And does this protection protect against sql injections, xss and so on?
Code: Select all
if (($this->request->server['REQUEST_METHOD'] == 'POST') && $this->validate()) {The function validate: (Example of first name)
Code: Select all
if ((utf8_strlen($this->request->post['firstname']) < 1) || (utf8_strlen($this->request->post['firstname']) > 32)) {And then the code is escaped in the db.
As for
Code: Select all
mysql_real_escape_string()-----
Security is a huge thing for an online shop and if you search the forums you will find this topic has been bought up several times. Reputation for having weak security (just google famous ones) is a killer for an application like this. Which is one of the reasons I believe Daniel will only allow certain people add/change code. It slows down development obviously with one or two people working on the code. But thats whilst a weakness is also its security strength.
*This is just opinion and I do not speak for Daniel or know of his intentions.
The last security update I could find with a quick search is:
http://forum.opencart.com/viewtopic.php?t=62257
*Disclaimer: I hope I have been as clear as possible and helpful. If you are unsure of anything please ask I will be happy to help - I do frequently watch the posts I have posted in previously.
How to change prices across a whole multi-store, with a baseline price for each product:
http://forum.opencart.com/viewtopic.php ... 24#p406793
Which can be seen in the 'model->account->customer.php' addCustomer() function.rph wrote:The database escape method is only useful if you've enclosed the variable with single quotes. If you don't then you're still susceptible to SQL injection.Goliath wrote:Is this the only protection or am I overseeing something? And does this protection protect against sql injections, xss and so on?
http://johnroach.info/2011/02/17/why-my ... n-attacks/
Code: Select all
$this->db->query("INSERT INTO " . DB_PREFIX . "customer SET store_id = '" . (int)$this->config->get('config_store_id') . "', firstname = '" . $this->db->escape($data['firstname']) . "', lastname = '" . $this->db->escape($data['lastname']) . "', email = '" . $this->db->escape($data['email']) . "', telephone = '" . $this->db->escape($data['telephone']) . "', fax = '" . $this->db->escape($data['fax']) . "', salt = '" . $this->db->escape($salt = substr(md5(uniqid(rand(), true)), 0, 9)) . "', password = '" . $this->db->escape(sha1($salt . sha1($salt . sha1($data['password'])))) . "', newsletter = '" . (isset($data['newsletter']) ? (int)$data['newsletter'] : 0) . "', customer_group_id = '" . (int)$customer_group_id . "', ip = '" . $this->db->escape($this->request->server['REMOTE_ADDR']) . "', status = '1', approved = '" . (int)!$customer_group_info['approval'] . "', date_added = NOW()");Code: Select all
...'" . $this->db->escape($data['firstname']) . "'...*Disclaimer: I hope I have been as clear as possible and helpful. If you are unsure of anything please ask I will be happy to help - I do frequently watch the posts I have posted in previously.
How to change prices across a whole multi-store, with a baseline price for each product:
http://forum.opencart.com/viewtopic.php ... 24#p406793
Thanks for all the answers, I really appreciate it.
So let's say I want to build in a textarea within the registration form, so people can tell about themselves (for example).
And I write this in the validation:
And I write it to the database with:
Will that be safe ? If not what do I have to add to make it safe?
Ps: please note the 255 characters in the validation part
So let's say I want to build in a textarea within the registration form, so people can tell about themselves (for example).
And I write this in the validation:
Code: Select all
if ((utf8_strlen($this->request->post['exampletext']) < 1) || (utf8_strlen($this->request->post['exampletext']) > 255)) {
$this->error['exampletext'] = $this->language->get('error_exampletext');
}Code: Select all
$this->db->escape($this->request->post['exampletext'])Ps: please note the 255 characters in the validation part
Pretty much.
You will need to add this field/column to the database as well.
Where you want to display this information is something you may have not had a chance to think about yet. But this will involve changing some database query code.
You will need to add this field/column to the database as well.
Where you want to display this information is something you may have not had a chance to think about yet. But this will involve changing some database query code.
*Disclaimer: I hope I have been as clear as possible and helpful. If you are unsure of anything please ask I will be happy to help - I do frequently watch the posts I have posted in previously.
How to change prices across a whole multi-store, with a baseline price for each product:
http://forum.opencart.com/viewtopic.php ... 24#p406793
Text area fields in the database can be tricky sometimes when inserting data into the database. There can be many ways to insert data, in that case.Will that be safe ? If not what do I have to add to make it safe?
Adding images into the database is, of course, different in OC. It would be done like this:
Code: Select all
$this->db->escape(html_entity_decode($this->request->post['image'], ENT_QUOTES, 'UTF-8'))
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
Yeah I know, I think I'm gonna play it safe and add strip_tags to it.. like this:straightlight wrote:
Text area fields in the database can be tricky sometimes when inserting data into the database. There can be many ways to insert data, in that case.
Code: Select all
$this->db->escape(strip_tags(trim($this->request->post['exampletext'])))This would be the one you'd be looking for since OpenCart uses utf8_bin structure to insert data into the database:
Code: Select all
$this->db->escape(strip_tags(html_entity_decode(trim($this->request->post['exampletext']), ENT_QUOTES, 'UTF-8'))
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
Just make sure to enclose your data with single quotes.Goliath wrote:And I write it to the database with:
Will that be safe ? If not what do I have to add to make it safe?Code: Select all
$this->db->escape($this->request->post['exampletext'])
Ps: please note the 255 characters in the validation part
Code: Select all
$this->db->query("INSERT INTO `" . DB_PREFIX . "table` SET text = '" . $this->db->escape($this->request->post['exampletext']) . "'");Code: Select all
1; UPDATE user SET password = 123;Code: Select all
<?php
class Request {
public $get = array();
public $post = array();
public $cookie = array();
public $files = array();
public $server = array();
public function __construct() {
$_GET = $this->clean($_GET);
$_POST = $this->clean($_POST);
$_REQUEST = $this->clean($_REQUEST);
$_COOKIE = $this->clean($_COOKIE);
$_FILES = $this->clean($_FILES);
$_SERVER = $this->clean($_SERVER);
$this->get = $_GET;
$this->post = $_POST;
$this->request = $_REQUEST;
$this->cookie = $_COOKIE;
$this->files = $_FILES;
$this->server = $_SERVER;
}
public function clean($data) {
if (is_array($data)) {
foreach ($data as $key => $value) {
unset($data[$key]);
$data[$this->clean($key)] = $this->clean($value);
}
} else {
$data = htmlspecialchars($data, ENT_COMPAT, 'UTF-8');
}
return $data;
}
}
?>-Ryan
Okay, I'm gonna use this:
Thanks everybody!
Have a nice weekend!
Code: Select all
$this->db->query("INSERT INTO `" . DB_PREFIX . "table` SET text = '" . $this->db->escape(strip_tags(html_entity_decode(trim($this->request->post['exampletext']), ENT_QUOTES, 'UTF-8')) . "'");Have a nice weekend!
Code: Select all
$this->db->query("INSERT INTO `" . DB_PREFIX . "table` SET `text` = '" . $this->db->escape(strip_tags(html_entity_decode(trim($this->request->post['exampletext']), ENT_QUOTES, 'UTF-8')) . "'");
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
@straightlight
I'm getting an sql error with your example..
I've got this coding:
Where exampletext contains 60 (value submitted by the user) then I'm getting this error:
How can I solve this sql error?
I'm getting an sql error with your example..
I've got this coding:
Code: Select all
$this->db->query("INSERT INTO `" . DB_PREFIX . "table` SET `text` = '" . $this->db->escape(strip_tags(html_entity_decode(trim($this->request->post['exampletext']), ENT_QUOTES, 'UTF-8')) . "'"));
Code: Select all
Notice: Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''60\'' at line 1
Error No: 1064
INSERT INTO `table` SET `text` = '60\'I just tried with:
I don't get any errors. If you still get errors with this replacement, would it be possible to know your PHP version?
Code: Select all
$this->db->query("INSERT INTO `" . DB_PREFIX . "table` SET `text` = '" . $this->db->escape(html_entity_decode(trim(strip_tags($this->request->post['exampletext'])), ENT_QUOTES, 'UTF-8')) . "'");
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
Who is online
Users browsing this forum: Semrush [Bot] and 26 guests
