Post by robnardo » Fri Oct 12, 2007 2:22 am

Since there is no topic on SQL Injection, I thought I would start one.

SQL Injection attacks occur when a user enters something malicious into an input field in a form to take control over a SQL statement.  The field usually has special characters like single quote, slashes and SQL commands.

In OpenCart, I do not see any protection against SQL injection attacks in the database abstraction layer (/library /database /database.php).  I think this is a very important issue to address - especially when it comes to e-commerce applications like OpenCart.

I did some internet searching and found that these attacks can be protected against by using a built-in PHP function like mysql_real_escape_string() or PDO's prepared statement or a third party database abstraction layer (DAL).  Since OpenCart is PHP 5 (OOP), then I recommend taking advantage of the open source DAL's of PEAR:MDB2 or ADOdb.  Here are some links:

mysql_real_escape_string() - http://www.php.net/manual/en/function.m ... string.php
PDO's prepared statements - http://php.net/pdo-prepare
PEAR:MDB2 - http://pear.php.net/package/MDB2/
ADOdb (Fast and open source !) - http://adodb.sourceforge.net/

These solutions will give a performance decrease, but at least the system is protected. 

Also, I have done some snooping inside the Drupal (http://api.drupal.org) code and found that they use preg_replace_callback() .  Drupal uses their own DAL... maybe it would be a good idea to get ideas from their code.  The two files in Drupal to look at are: /includes/database.inc and /includes/database.mysql.inc

I hope this is good discussion for everyone. 

Newbie

Posts

Joined
Sat Sep 08, 2007 1:01 am

Post by rYno » Thu Oct 25, 2007 4:31 pm

I'm with ya on this one... this is pretty important

rangers lead the way


User avatar
Newbie

Posts

Joined
Thu Oct 25, 2007 4:15 pm
Location - Az

Post by gary » Thu Nov 08, 2007 12:33 am

this is very important. The lack of injection protection can wipe out everything.

Also - adding transactions - at least to order processing. What if error occurs while processing an order - which consists of several separate queries?
Last edited by gary on Thu Nov 08, 2007 5:22 am, edited 1 time in total.

New member

Posts

Joined
Sun Nov 04, 2007 11:55 pm

Post by Daniel » Thu Nov 08, 2007 6:44 am

There is plently of protection against SQL injection attacks in opencart!

Checkout the database::parse method. All SQL that needs protection go though this method.

Cross site scripting and all the other hacks out there have been taken care of!

I have even had security companies contacting me and go over the code with me.
Last edited by Daniel on Thu Nov 08, 2007 9:50 pm, edited 1 time in total.

OpenCart®
Project Owner & Developer.


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by gary » Thu Nov 08, 2007 7:51 am

Daniel wrote: The is plently of protection against SQL injection attacks in opencart!

Checkout the database::parse method. All SQL that needs protection go though this method.

Cross site scripting and all the other hacks out there have been taken care of!

I have even had security companies contacting me and go over the code with me.
that sounds very good.

New member

Posts

Joined
Sun Nov 04, 2007 11:55 pm
Who is online

Users browsing this forum: No registered users and 0 guests