Post by haosmark » Fri Dec 28, 2012 8:25 am

I'm adding a field where customers will be typing in a zip code to get a tax estimate. When I use $query = $this->db->query($sql);
$sql will have a variable passed by a customer, is the variable already safe to use or do I need to write in precautions to avoid getting hacked?


Post by JNeuhoff » Fri Dec 28, 2012 9:08 pm

haosmark wrote:I'm adding a field where customers will be typing in a zip code to get a tax estimate. When I use $query = $this->db->query($sql);
$sql will have a variable passed by a customer, is the variable already safe to use or do I need to write in precautions to avoid getting hacked?
You should add a zip code validation to your controller, you can't assume any variable is safe unless validated.

Post by ChetanCx » Fri Dec 28, 2012 11:48 pm

It is very important to validate input, especially when you are using your own queries.
Better safe than sorry, lol.


Post by haosmark » Sat Dec 29, 2012 1:44 am

I have some html restrictions, but they are easy to bypass of course. So will this be sufficient to make the variable safe:

Code: Select all

$zip = $this->db->escape($zip);
?


Post by rph » Sat Dec 29, 2012 3:12 am

It's worth noting here the subtle difference between validation and sanitation.

Controller-level validation is for ensuring the data is in the form you want it. Sanitation is running input data through $this->db->escape (mysql_real_escape_string) or casting. Regardless of whether you validate, you should always sanitize, as input that's validated is not necessarily safe.

Your example works, haosmark. From a style standpoint, OpenCart sanitizes input in the query itself, like this:

Code: Select all

$query = $this->db->query("SELECT * FROM `" . DB_PREFIX . "custom_table` WHERE zip = '" . $this->db->escape($zip) . "'");
It's easier to check for issues that way than by backtracking to wherever the variable may be.

-Ryan
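The following is an added example, not code from the thread or from OpenCart, showing the two steps the replies above describe: controller-style validation of the zip code, then passing it to SQL without letting the database parse it. It uses an in-memory SQLite database through PDO as a stand-in for OpenCart's `$this->db` object, so it runs offline; the `oc_tax_zip` table, its rows and the attack string are constructed for the example, and the US 5-digit zip rule is an assumption. `PDO::quote()` plays the role of the OpenCart idiom `"'" . $this->db->escape($zip) . "'"` (escape plus the surrounding single quotes), and a prepared statement is shown beside it. Note the caveat the thread only implies: `escape()` on its own is sufficient only when the result lands inside single quotes in the SQL; an escaped value dropped into an unquoted numeric position is still injectable, so cast those with `(int)` instead.

```php
<?php
// Added example, not OpenCart's own code: validate the zip in the controller,
// then query with escape-inside-quotes or a bound parameter. PDO + SQLite stands
// in for $this->db so the script runs stand-alone.
declare(strict_types=1);

// Validation (assumption: US-only shop). Returns null on anything that is not
// 5 digits with an optional -4 extension; the caller rejects, it does not "clean up".
function validateZip(string $input): ?string
{
    $zip = trim($input);
    return preg_match('/^\d{5}(-\d{4})?$/', $zip) === 1 ? $zip : null;
}

// Constructed fixture: a tiny tax table in memory.
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE oc_tax_zip (zip TEXT NOT NULL, rate REAL NOT NULL)');
    $db->exec("INSERT INTO oc_tax_zip VALUES ('68508', 7.25), ('68510', 7.0)");
    return $db;
}

// VULNERABLE: the pattern the question asks about, raw concatenation of the
// customer's value. The quotes in the input close the literal and add OR 1=1.
function rateUnsafe(PDO $db, string $zip): array
{
    $sql = "SELECT rate FROM oc_tax_zip WHERE zip = '" . $zip . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// ESCAPED IN QUOTES: the OpenCart style from rph's reply. PDO::quote() escapes
// AND wraps in single quotes, the same thing "'" . $this->db->escape($zip) . "'"
// does. Safe only because the value sits inside the quotes.
function rateEscaped(PDO $db, string $zip): array
{
    $sql = 'SELECT rate FROM oc_tax_zip WHERE zip = ' . $db->quote($zip);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// VALIDATE + BIND: reject malformed input first, then bind the value so the
// database never sees it as SQL text at all.
function rateSafe(PDO $db, string $input): ?float
{
    $zip = validateZip($input);
    if ($zip === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT rate FROM oc_tax_zip WHERE zip = :zip');
    $stmt->execute([':zip' => $zip]);
    $rate = $stmt->fetchColumn();
    return $rate === false ? null : (float) $rate;
}

$db = openDb();
$attack = "' OR '1'='1";          // constructed malicious input

var_dump(rateUnsafe($db, $attack));  // both rows: the WHERE clause was rewritten
var_dump(rateEscaped($db, $attack)); // empty array: compared as a literal string
var_dump(rateSafe($db, $attack));    // NULL: rejected before any SQL is built
var_dump(rateSafe($db, '68508'));    // float(7.25)
```

Run it with `php example.php` on a build that has pdo_sqlite. The practical rule for OpenCart code is the one rph gives: do the escape where the string is built (`'" . $this->db->escape($zip) . "'"`) so a reviewer can see the quotes and the escape on the same line, and use `(int)` for unquoted numeric values such as IDs.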
