Post by HAO » Fri Aug 31, 2018 3:54 am

My website used to have a history of SQL injection attacks by hackers last year.

The reason is that the developer did not add the (int) string.

After repair, based on more than a year of observation, the problem has been solved.

But recently we have changed to the new style, and I am planning to make changes to all relevant code.

E.g:
$this->request->post['product_id']."'");
Changed to
(int)$this->request->post['product_id']."'");
Or
$this->request->post
Changed to
(int)$this->request->post
Replace with "post" and "get", add (int) or $this->db->escape() to achieve anti-SQL injection.

This is advice from a friend. Excuse me, with a change like this, can I avoid being attacked by SQL injection?

My current version is OpenCart 2.3.0.2. In the future, I might plan to upgrade to 3.1.x. Can I, or do I need to, perform such an operation?
Last edited by HAO on Fri Aug 31, 2018 10:14 pm, edited 1 time in total.


Post by thekrotek » Fri Aug 31, 2018 4:15 am

I don't really understand, how this can save you from SQL-injections. By (int) you basically convert the value from possible string to integer. But usually integer values are inserted in database table fields, which have INT or TINYINT type. If you pass something non-integer for such value, an SQL error will be returned. And, of course, you can't (int) the whole post array.

As for escape() function, it simply escapes special characters like quotes.

Professional OpenCart extensions, support and custom work.
Contact me via email or Skype by support@thekrotek.com




Post by HAO » Fri Aug 31, 2018 4:33 am

Frankly, I don’t understand why, but at the time the same module, the same file, just an action, I can avoid being hacked to perform SQL injection attacks.

Change step
$this->request->post['product_id']."'");
Changed to
(int)$this->request->post['product_id']."'");
For this I also purchased Acunetix's mock attack, and the same error message does not appear again.

Therefore, I just want to ask if I need to make such changes to all the code?

Because I don't want to have the problem of leakage of order information again.

If such an action is useful, I might consider it.

Thank you for your reply!


Post by straightlight » Fri Aug 31, 2018 5:10 am

The only problem with these sanitizing changes is with the use of APIs. There are a great number of engineers on the API server-end who developed their sanitizing technique stronger than others, as they even insist on setting the parameter variables as is in order to validate those variables themselves automatically before submitting back a valid response.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by thekrotek » Fri Aug 31, 2018 5:18 am

HAO wrote:
Fri Aug 31, 2018 4:33 am
Frankly, I don’t understand why, but at the time the same module, the same file, just an action, I can avoid being hacked to perform SQL injection attacks.
No, you can not. You simply sanitize the input, that's all.



Post by HAO » Fri Aug 31, 2018 6:56 am

This is the code I was attacked by the hacker.
What do you mean, can I solve the problem by simply adding the string (int)?
if (!$json){
    $result = $this->db->query("SELECT quantity,stock_status_id from ".DB_PREFIX."product where product_id = '".(int)$this->request->post['product_id']."'");
    $product_qty = $result->row['quantity'];
    $stock_status_id = $result->row['stock_status_id'];
    if ($stock_status == '0'){
        $stock_status_id = 0;
    }

    if (($product_qty < $product_qty) && ($stock_status_id == $stock_status)){
        $json['error'] = $this->request->post['product_id'];
    }
}
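
Added example (not part of the original post and not OpenCart code): the query above rebuilt against a constructed in-memory SQLite table through PDO, comparing raw concatenation, the (int) cast and a bound parameter for one constructed hostile product_id. The table contents, the rows() helper and the input value are assumptions made for the illustration.

```php
<?php
// Added example, not OpenCart code. The table, rows and input are constructed;
// PDO with in-memory SQLite stands in for the shop database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE oc_product (product_id INTEGER, quantity INTEGER)");
$pdo->exec("INSERT INTO oc_product VALUES (1, 5), (2, 0), (3, 9)");

// Hypothetical helper: count the rows a finished SQL string returns.
function rows(PDO $pdo, string $sql): int {
    return count($pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// Constructed hostile value standing in for $this->request->post['product_id'].
$input = "1' OR '1'='1";
$base  = "SELECT quantity FROM oc_product WHERE product_id = '";

// 1) Raw concatenation: the quote inside the input closes the string literal,
//    so the rest of the input is parsed as SQL and rewrites the WHERE clause.
$raw = $base . $input . "'";

// 2) (int) cast: PHP keeps the leading digits and drops everything after
//    them, so only an integer can ever reach the SQL text.
$cast = $base . (int)$input . "'";

// 3) Bound parameter: the value travels separately from the SQL text and is
//    only ever compared as data, whatever characters it contains.
$stmt = $pdo->prepare("SELECT quantity FROM oc_product WHERE product_id = ?");
$stmt->execute([$input]);

printf("raw   : %s -> %d row(s)\n", $raw, rows($pdo, $raw));
printf("cast  : %s -> %d row(s)\n", $cast, rows($pdo, $cast));
printf("bound : %d row(s)\n", count($stmt->fetchAll(PDO::FETCH_ASSOC)));

// The cast only suits numeric fields: applied to text it destroys the value.
printf("(int)'Blue shirt' = %d\n", (int)'Blue shirt');

// Text fields need the quote character neutralised instead. PDO::quote() does
// that here (and adds the surrounding quotes); the thread's
// $this->db->escape() plays the escaping role in OpenCart.
printf("quoted: %s\n", $pdo->quote("O'Brien"));
```

The cast or escaping has to be applied at every place a request value is concatenated into a query; casting the request array as a whole does not do this.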


Post by IP_CAM » Fri Aug 31, 2018 9:48 am

It would be interesting to know if something like this possibly has some positive
effect on global SQL security? (Regardless of seemingly only being valid for 1.5.6.x)
Ernie
---
https://dev.mysql.com/doc/refman/5.7/en ... tions.html
https://dev.mysql.com/doc/refman/8.0/en ... enssl.html
---
Mysqli w/ SSL Certs
MySQLi with SSL support. This will allow for secure database communication via SSL.
This is the best way to add a layer of protection to your cart. Please follow the steps
exactly for this to work. There is a README included in the zip and the steps can also
be found in documentation section.
https://www.opencart.com/index.php?rout ... n_id=18572

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.



Post by HAO » Fri Aug 31, 2018 10:04 am

I have compared the difference between the original 1.5.6.4 and this file. The question is, can I use this file directly as my DB_DRIVER?


Post by thekrotek » Fri Aug 31, 2018 2:25 pm

HAO wrote:
Fri Aug 31, 2018 6:56 am
This is the code I was attacked by the hacker.
What do you mean, can I solve the problem by simply adding the string (int)?
Do you even read my replies? I explained you TWO times already, what does (int) mean.



Post by straightlight » Fri Aug 31, 2018 7:01 pm

Unfortunately, it ain't about the amount of times OPs are being told on this forum. It's … rather about the amount of times a duplicated post, a duplicated topic and a repetitive reported case as if it was the first time reported that is being encountered … on a frequent basis on this forum.


Post by HAO » Fri Aug 31, 2018 10:13 pm

thekrotek wrote:
Fri Aug 31, 2018 2:25 pm
HAO wrote:
Fri Aug 31, 2018 6:56 am
This is the code I was attacked by the hacker.
What do you mean, can I solve the problem by simply adding the string (int)?
Do you even read my replies? I explained you TWO times already, what does (int) mean.
Sorry, I already understand. Thank you for your answer.
