Jump to content


Corporate Sponsors


Latest News: (loading..)

- - - - -

Preventing XSS Attacks

Started by Terminum, Nov 20 2009, 18:50

  • You cannot reply to this topic
2 replies to this topic

#1 Terminum

  • Community Member
  • 77 posts
  • Real Name:Brien

Posted 20 November 2009, 18:50

I'm looking for an add-on that will prevent XSS attacks without diminishing functionality of the Administration Tool. I've read their are problems with Anti XSS, so I was considering [TiM's] Safer Database Input Method. But this says that it filters all html, and I would like to enter HTML in product descriptions through the administration tool.



[TiM's] Safer Database Input Method changes the following code from /catalog/includes/functions/database.php:

  function tep_db_input($string, $link = 'db_link') {
    global $$link;

    if (function_exists('mysql_real_escape_string')) {
      return mysql_real_escape_string($string, $$link);
    } elseif (function_exists('mysql_escape_string')) {
      return mysql_escape_string($string);
    }

    return addslashes($string);
  }:

Replaced with:

function tep_db_input($string, $link = 'db_link', $skip_stripping = false) {
    global $$link;
    
    // Strip HTML and PHP tags from string
    if (!$skip_stripping) $string = strip_tags($string);
    
    if (function_exists('mysql_real_escape_string')) {
      return mysql_real_escape_string($string, $$link);
    } elseif (function_exists('mysql_escape_string')) {
      return mysql_escape_string($string);
    }
    
    return addslashes($string);
  }



The README says:


If you for any reason want to store HTML in the database, make sure you
manipulate the tep_db_input() command with the third optional parameter
like the following.

This...

$example_query = tep_db_query("update myTable set column='". tep_db_input($var) ."' where this='that' limit 1;");

Becomes...

$example_query = tep_db_query("update myTable set column='". tep_db_input($var, 'db_link', true) ."' where this='that' limit 1;");

I'm not very familiar with sql and I don't know what this means. I just want to be able to use HTML in product descriptions in the admin tool. Any ideas for what I should do?

#2 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 20 November 2009, 19:08

View PostTerminum, on 20 November 2009, 18:50, said:


If you make code changes on the catalog side they do not apply to admin.


But I would use the htacess method detailed in the contrib linked in this thread. And make sure you add the other security changes too. [img]http://forums.oscommerce.com/public/style_emoticons/default/smile.gif[/img]
Sam

Remember, What you think I ment may not be what I thought I ment when I said it.

Contributions:

Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.

#3 Terminum

  • Community Member
  • 77 posts
  • Real Name:Brien

Posted 20 November 2009, 19:15

View Postspooks, on 20 November 2009, 19:08, said:

If you make code changes on the catalog side they do not apply to admin.



Ha, thanks that's great. I'm working my way through your other post right now! Thanks for the help.
Back to General Add-Ons Support · Next Unread Topic →


  1. osCommerce Support Forum
  2. osCommerce Online Merchant v2.x
  3. Add-Ons
  4. General Add-Ons Support
  5. Forum Rules