Since there is no topic on SQL Injection, I thought I would start one.
SQL Injection attacks occur when a user enters something malicious into an input field in a form to take control over a SQL statement. The field usually has special characters like single quote, slashes and SQL commands.
In OpenCart, I do not see any protection against SQL injection attacks in the database abstraction layer (/library/database/database.php). I think this is a very important issue to address - especially when it comes to e-commerce applications like OpenCart.
I did some internet searching and found that these attacks can be protected against by using a built-in PHP function like mysql_real_escape_string(), PDO's prepared statements, or a third-party database abstraction layer (DAL). Since OpenCart is PHP 5 (OOP), I recommend taking advantage of the open source DALs PEAR:MDB2 or ADOdb. Here are some links:
mysql_real_escape_string() - http://www.php.net/manual/en/function.m ... string.php
PDO's prepared statements - http://php.net/pdo-prepare
PEAR:MDB2 - http://pear.php.net/package/MDB2/
ADOdb (Fast and open source !) - http://adodb.sourceforge.net/
These solutions will give a performance decrease, but at least the system is protected.
Also, I have done some snooping inside the Drupal (http://api.drupal.org) code and found that they use preg_replace_callback(). Drupal uses their own DAL... maybe it would be a good idea to get ideas from their code. The two files in Drupal to look at are: /includes/database.inc and /includes/database.mysql.inc
I hope this is good discussion for everyone.
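To make the mechanism in the post above concrete, here is an added PHP example that is not code from this thread or from OpenCart. It writes one product lookup three ways: concatenated (vulnerable), as a PDO prepared statement, and with driver-side escaping via PDO::quote(). It uses PDO rather than mysql_real_escape_string() because the ext/mysql extension that function belonged to was removed in PHP 7. The table name `product`, the DSN and the credentials are placeholders, not values from the thread.

```php
<?php
// Added example, not OpenCart code: one product lookup written three ways.
// Assumptions (placeholders, not from the thread): a MySQL database with a
// `product` table holding `product_id` and `name`, and the DSN/credentials below.

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=opencart_placeholder;charset=utf8mb4',
        'db_user_placeholder',
        'db_password_placeholder',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]
    );
}

// VULNERABLE: the input is pasted into the SQL text, so a single quote in it
// ends the string literal and whatever follows is executed as SQL.
function findProductUnsafe(PDO $pdo, string $productId): array
{
    $sql = "SELECT product_id, name FROM product WHERE product_id = '" . $productId . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the value is sent to the server as a bound parameter. The server
// compiled the statement before it ever saw the value, so the value cannot
// change the statement's structure, whatever characters it contains.
function findProductSafe(PDO $pdo, string $productId): array
{
    $stmt = $pdo->prepare('SELECT product_id, name FROM product WHERE product_id = :id');
    $stmt->bindValue(':id', $productId, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ESCAPING: for code that must keep building SQL strings, let the driver quote
// the value. PDO::quote() knows the connection charset only because charset=
// is part of the DSN above; this is the PDO counterpart of the
// mysql_real_escape_string() approach named in the post.
function findProductEscaped(PDO $pdo, string $productId): array
{
    $sql = 'SELECT product_id, name FROM product WHERE product_id = ' . $pdo->quote($productId);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed test input of the kind the post describes: a quote followed by
// SQL. Through the unsafe function the WHERE clause becomes
//   WHERE product_id = '1' OR '1'='1'
// which is true for every row. The safe and escaped functions hand the whole
// string to the server as a single value, so the OR never becomes SQL.
$hostile = "1' OR '1'='1";
$pdo = connect();
var_dump(count(findProductUnsafe($pdo, $hostile)));
var_dump(count(findProductSafe($pdo, $hostile)));
var_dump(count(findProductEscaped($pdo, $hostile)));
```

The prepared-statement form is the one to standardise on: escaping is only as good as the charset the driver believes the connection uses, whereas a bound parameter is never interpreted as SQL at all. Reviewing a code base for this issue means looking for every place a query string is assembled with `.` concatenation or interpolation from request data.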
This is very important. The lack of injection protection can wipe out everything.
Also - adding transactions - at least to order processing. What if an error occurs while processing an order - which consists of several separate queries?
Last edited by gary on Thu Nov 08, 2007 5:22 am, edited 1 time in total.
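The transaction point raised in the post above, shown as an added PHP example that is neither gary's code nor OpenCart's: the header insert, the line-item inserts and the stock decrements of one order run inside a single PDO transaction, so a failure in any of them rolls back all of them. The table and column names (`order_hdr`, `order_item`, `product`) are placeholders; the function assumes an existing PDO connection opened with PDO::ERRMODE_EXCEPTION.

```php
<?php
// Added example, not OpenCart code: placing an order as one transaction so that
// an error in any of its statements leaves the database as it was before.
// Assumptions (placeholders, not from the thread): InnoDB tables
//   order_hdr(order_id AUTO_INCREMENT, customer_id, total)
//   order_item(order_id, product_id, quantity)
//   product(product_id, quantity)
// and a PDO connection $pdo opened with PDO::ERRMODE_EXCEPTION so that a
// failing statement throws instead of returning false. Needs PHP 7+ (Throwable).

function placeOrder(PDO $pdo, int $customerId, array $items): int
{
    $pdo->beginTransaction();
    try {
        $total = 0.0;
        foreach ($items as $item) {
            if ($item['quantity'] <= 0) {
                throw new InvalidArgumentException('Quantity must be positive');
            }
            $total += $item['price'] * $item['quantity'];
        }

        $header = $pdo->prepare(
            'INSERT INTO order_hdr (customer_id, total) VALUES (:customer, :total)'
        );
        $header->execute([':customer' => $customerId, ':total' => $total]);
        $orderId = (int) $pdo->lastInsertId();

        $line = $pdo->prepare(
            'INSERT INTO order_item (order_id, product_id, quantity) VALUES (:order, :product, :qty)'
        );
        // The WHERE clause makes the stock check and the decrement one atomic
        // statement, so two concurrent orders cannot both take the last unit.
        $stock = $pdo->prepare(
            'UPDATE product SET quantity = quantity - :qty WHERE product_id = :product AND quantity >= :needed'
        );

        foreach ($items as $item) {
            $line->execute([
                ':order'   => $orderId,
                ':product' => $item['product_id'],
                ':qty'     => $item['quantity'],
            ]);
            $stock->execute([
                ':qty'     => $item['quantity'],
                ':product' => $item['product_id'],
                ':needed'  => $item['quantity'],
            ]);
            if ($stock->rowCount() !== 1) {
                // Unwinds to the catch block, which rolls back the header row and
                // every line inserted so far.
                throw new RuntimeException('Insufficient stock for product ' . $item['product_id']);
            }
        }

        $pdo->commit();
        return $orderId;
    } catch (Throwable $e) {
        // Any failure (SQL error, lost connection, the stock check above) undoes
        // every statement of this order; nothing half-written remains.
        if ($pdo->inTransaction()) {
            $pdo->rollBack();
        }
        throw $e;
    }
}

// Constructed sample cart, not data from the thread.
$cart = [
    ['product_id' => 42, 'price' => 19.99, 'quantity' => 2],
    ['product_id' => 7,  'price' => 5.00,  'quantity' => 1],
];
// $orderId = placeOrder($pdo, 1001, $cart);
```

Two caveats a practitioner will want: the transaction only protects anything if the tables use a transactional engine such as InnoDB (MyISAM accepts BEGIN and COMMIT and silently does nothing), and the bound parameters in this example also close the injection hole discussed earlier in the thread, so the two fixes belong together rather than in sequence.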
There is plenty of protection against SQL injection attacks in OpenCart!
Check out the database::parse method. All SQL that needs protection goes through this method.
Cross site scripting and all the other hacks out there have been taken care of!
I have even had security companies contacting me and go over the code with me.
Last edited by Daniel on Thu Nov 08, 2007 9:50 pm, edited 1 time in total.
OpenCart®
Project Owner & Developer.
Daniel wrote:
There is plenty of protection against SQL injection attacks in OpenCart!
Check out the database::parse method. All SQL that needs protection goes through this method.
Cross site scripting and all the other hacks out there have been taken care of!
I have even had security companies contacting me and go over the code with me.
That sounds very good.