Is anyone aware of any particular reason WHY product data, specifically manufacturer names and descriptions, are encoded with htmlspecialchars, i.e. & becomes &amp;, et al, in the database?
This is called 'filtering' input content. Depending on where it's used, different filters are used to prevent hackers from entering malicious characters and to force users to enter 'correctly written' values into the form fields.
Ernie
My Github OC Site: https://github.com/IP-CAM
5'600 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
I understand the idea of sanitizing input, but wouldn't this be handled with basic sanitization / prepared statement / escaping? I still don't see why encoding the input adds any security at all.
lewismedia wrote: I understand the idea of sanitizing input, but wouldn't this be handled with basic sanitization / prepared statement / escaping? I still don't see why encoding the input adds any security at all.
Regardless of being 'liked' or not, it exists. I had my own problems with it when trying something, I forget what it was. So I just replaced the 'htmlspecialchars' with something else, found in a vqmod, and it worked well. If I only would remember...
I left some post about it here somewhere...
Good Luck
Ernie
ipc.li/shop/
Thanks, Ernie. This is what we ended up doing as well. Perhaps, as OpenCart is open source and thus can be modified by non-security-minded coders, this is just an override measure to prevent them from opening a security hole unknowingly.
Sure would be nice to get some feedback from the top dev as to why this is.
Cheers.
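As an added illustration (not from this thread and not OpenCart's own code), the PHP below separates the two things the thread runs together: prepared statements, which protect the SQL context, and htmlspecialchars, which protects the HTML context. It also shows the double-encoding you get when a value is encoded at input and again at output, which is the kind of trouble the replacement mentioned above works around. It assumes a SQLite in-memory table and a constructed manufacturer name.

```php
<?php
// Added example, not OpenCart code: one manufacturer name handled two ways,
// stored raw and encoded on output, versus stored already HTML-encoded.

// Constructed sample input, as a user might type it into the admin form.
$input = "Acme & Sons <b>Tools</b>";

// 1) A prepared statement protects the SQL context only; the stored value
//    is exactly what was typed, including the markup.
function store_raw(PDO $db, string $name): void {
    $stmt = $db->prepare("INSERT INTO manufacturer (name) VALUES (:name)");
    $stmt->execute([':name' => $name]);
}

// 2) OpenCart-style: encode for HTML at input time, then store the result.
function store_encoded(PDO $db, string $name): void {
    $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $stmt = $db->prepare("INSERT INTO manufacturer (name) VALUES (:name)");
    $stmt->execute([':name' => $safe]);
}

// The usual place for output encoding is the template, right before echo.
function render(string $name): string {
    return '<h1>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</h1>';
}

$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE manufacturer (name TEXT)");

store_raw($db, $input);
store_encoded($db, $input);
[$raw, $encoded] = $db->query("SELECT name FROM manufacturer ORDER BY rowid")
                      ->fetchAll(PDO::FETCH_COLUMN);

// Raw value echoed as-is: the <b> tag becomes live markup (an XSS risk
// if the name came from an untrusted user).
echo '<h1>' . $raw . '</h1>', PHP_EOL;
// Raw value through the helper: markup is shown as text. Correct.
echo render($raw), PHP_EOL;
// Pre-encoded value echoed as-is: also safe, but only because every
// template author remembers it was encoded at input.
echo '<h1>' . $encoded . '</h1>', PHP_EOL;
// Pre-encoded value through the helper: double-encoded, so the visitor
// literally sees "&amp;" and "&lt;b&gt;" on the page.
echo render($encoded), PHP_EOL;
// Pre-encoded value used outside HTML (a plain-text e-mail, a search index)
// must be decoded first, or the "&amp;" leaks through into that context.
echo html_entity_decode($encoded, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

Run with `php example.php` to see the four rendered variants side by side.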