
[TiM's] Safer Database Input Method


4 replies to this topic

#1 snights

  • Community Member
  • 24 posts
  • Real Name:fredrik
  • Gender:Male
  • Location:Stockholm, Sweden

Posted 28 February 2010, 11:18

After using this contribution my product descriptions went bananas, because I do use HTML. But I do want my site to be as secure as it can be. Please read on:


http://addons.oscommerce.com/info/6546

catalog/includes/functions/database.php
catalog/admin/includes/functions/database.php

Find
function tep_db_input($string, $link = 'db_link') {
    global $$link;
    if (function_exists('mysql_real_escape_string')) {
      return mysql_real_escape_string($string, $$link);
    } elseif (function_exists('mysql_escape_string')) {
      return mysql_escape_string($string);
    }
    return addslashes($string);
  }  

Change to

 // Added below for [TiM's osC Solutions] Safer Database Input Method: $allowable_tags = false
  // To allow tags, either pass (boolean)true for all tags or example (string)'<b><i>' for certain tags.
  function tep_db_input($string, $link = 'db_link', $allowable_tags = false) {
    global $$link;
 
  // BOF: [TiM's osC Solutions] Safer Database Input Method
    if ($allowable_tags === false || is_string($allowable_tags)) {
      $string = strip_tags($string, $allowable_tags);
    }
  // EOF: [TiM's osC Solutions] Safer Database Input Method
 
    if (function_exists('mysql_real_escape_string')) {
      return mysql_real_escape_string($string, $$link);
    } elseif (function_exists('mysql_escape_string')) {
      return mysql_escape_string($string);
    }
 
    return addslashes($string);
  }  

Then more info:

Quote

If you for any good reason need to store HTML code in the database, you need to
edit the tep_db_input() command like the following examples.
*** Original code (example): ***
$example_query = tep_db_query("update myTable set column='". tep_db_input($var) ."' where this='that' limit 1;");
*** To allow all tags, change to: ***
$example_query = tep_db_query("update myTable set column='". tep_db_input($var, 'db_link', true) ."' where this='that' limit 1;");
*** To allow only <b> and <i>, change to: ***
$example_query = tep_db_query("update myTable set column='". tep_db_input($var, 'db_link', '<b><i>') ."' where this='that' limit 1;");


And yes, I need to save the HTML in my database for the links to the product manuals, the size tables, etc. that I have in the product description.

But right now I feel like a dumb blonde. Where do I actually enter this example_query?

#2 menelrana

  • Community Member
  • 3 posts
  • Real Name:Joel Garcin
  • Gender:Male
  • Location:Avignon

Posted 09 March 2010, 14:52

There is a problem with the product description in categories.php, because it uses tep_db_perform instead of tep_db_query, so it's not possible to have an HTML-formatted description.

              tep_db_perform(TABLE_PRODUCTS_DESCRIPTION, $sql_data_array);
            } elseif ($action == 'update_product') {
              tep_db_perform(TABLE_PRODUCTS_DESCRIPTION, $sql_data_array, 'update', "products_id = '" . (int)$products_id . "' and language_id = '" . (int)$language_id . "'");
            }

Can you help me to solve this ?

Thanks
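The following is an added example illustrating both posts above; it is not code from the Safer Database Input Method add-on or from osCommerce. It assumes the osCommerce 2.2-style tep_db_input()/tep_db_perform() signatures quoted in the thread, and the function names tep_db_input_example() and tep_db_perform_example() together with the per-column $allowable_tags array are hypothetical. The tep_db_perform() variant is one way to let the products_description column keep its HTML while every other column still gets the default strip-everything treatment, which is the categories.php problem described in post #2. It returns the SQL string rather than executing it so the effect can be inspected offline, and the sample input is constructed.

```php
<?php
// Added example, not code from the Safer Database Input Method add-on or from
// osCommerce. Assumes the osCommerce 2.2-style tep_db_input()/tep_db_perform()
// signatures shown in the thread. On PHP 7+ the mysql_* functions no longer
// exist, so the original function's addslashes() fallback is what runs here;
// addslashes() is not a charset-aware SQL escape, so in a real store the escaping
// step should be mysqli_real_escape_string() or, better, a prepared statement.

// Stand-in for the add-on's modified tep_db_input(): strip tags first, then
// SQL-escape. false = strip everything, a string = keep only those tags,
// true = keep all HTML (the add-on's check only strips for false or a string).
function tep_db_input_example($string, $allowable_tags = false) {
    if ($allowable_tags === false) {
        $string = strip_tags($string);
    } elseif (is_string($allowable_tags)) {
        $string = strip_tags($string, $allowable_tags);
    }
    return addslashes($string);
}

// Hypothetical tep_db_perform() variant for the categories.php case: the extra
// $allowable_tags argument is an array keyed by column name, so
// products_description can keep its HTML while every other column still gets
// the default deny-all stripping. It returns the SQL string instead of running
// it, so the result can be inspected offline.
function tep_db_perform_example($table, $data, $action = 'insert', $parameters = '', $allowable_tags = array()) {
    $values = array();
    foreach ($data as $column => $value) {
        // Same special cases as the original tep_db_perform().
        if ((string)$value === 'now()' || (string)$value === 'null') {
            $values[$column] = (string)$value;
            continue;
        }
        $tags = isset($allowable_tags[$column]) ? $allowable_tags[$column] : false;
        $values[$column] = "'" . tep_db_input_example($value, $tags) . "'";
    }
    if ($action === 'insert') {
        return 'insert into ' . $table . ' (' . implode(', ', array_keys($values))
             . ') values (' . implode(', ', $values) . ')';
    }
    $set = array();
    foreach ($values as $column => $sql_value) {
        $set[] = $column . ' = ' . $sql_value;
    }
    return 'update ' . $table . ' set ' . implode(', ', $set) . ' where ' . $parameters;
}

// Constructed sample input: an admin-written description with a manual link and
// a size table, plus a tag carrying an event-handler attribute of the kind a
// visitor-facing form might receive.
$description = '<p>Download the <a href="manual.pdf">manual</a>.</p>'
             . '<table><tr><td>Size</td><td>Width</td></tr></table>'
             . '<b onmouseover="alert(1)">bold</b>';

$sql_data_array = array(
    'products_id'          => 42,
    'language_id'          => 1,
    'products_name'        => 'Widget <script>alert(1)</script>',
    'products_description' => $description,
);

echo tep_db_perform_example('products_description', $sql_data_array, 'update',
    "products_id = '42' and language_id = '1'",
    array('products_description' => '<p><a><table><tr><td><b>')), "\n";
```

Running this prints an update statement in which products_name has lost its script element entirely while products_description keeps the link and the table. It also keeps the onmouseover attribute on the allowed b element: the PHP manual is explicit that strip_tags() does not touch the attributes of tags you allow, so a tag allow-list on its own does not make stored HTML safe to render. Tag filtering belongs to the HTML output context and SQL escaping to the query context; bundling the two into tep_db_input() is convenient, but it is the reason every caller that legitimately stores HTML, including tep_db_perform(), has to be found and given a way to opt out.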

#3 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 09 March 2010, 15:45

It's perfectly safe to store HTML in the database when you have created it; the risk is if you allow your visitors to input the code within forms, and the best way to ensure that can't happen is through input sanitising. So remove any of the [TiM's] Safer Database Input Method that's causing you issues and add Security Pro http://addons.oscommerce.com/info/5752 and Sam's Anti-hacker Account Mods http://addons.oscommerce.com/info/7202
Sam

Remember, What you think I ment may not be what I thought I ment when I said it.


#4 TiM-SE

  • Community Member
  • 14 posts
  • Real Name:TiM-SE
  • Gender:Male

Posted 13 May 2011, 18:15

Safer Database Input Method was not purposely developed as an anti-XSS contribution. Of all the thousands of columns in MySQL, not many are purposely made for storing HTML content. I wouldn't say any is, but several people use products_description for this, which is convenient. Of course you can instead plug all vulnerabilities, e.g. the Who's Online vulnerability, or any other core functions or add-ons letting users post form data to the database.

But instead of the method "allow from all, deny from some", relying on the scripts to clean input, this reverses it to "deny from all, allow from some".

Website owners who have experience of spam links, hotlinked images or malicious code know the headache this causes if users post HTML code to a script.

So instead of spending days making sure all scripts passing data clean the input of undesired content, you can use this 5-minute add-on.

I am aware that some may find this useful and some may not, just like any other add-on.

Edited by TiM-SE, 13 May 2011, 18:17.


#5 roneada

  • Community Member
  • 25 posts
  • Real Name:Ronmorales
  • Gender:Male

Posted 17 May 2012, 10:25

snights, on 28 February 2010, 11:18, said: (quoting post #1 above in full)

After using this contributen my products descriptions gone bananas. Becuse i do use HTML. but i do want my site to be so secure as it can be.. Please read on,


http://addons.oscommerce.com/info/6546

catalog/includes/functions/database.php
catalog/admin/includes/functions/database.php

Find
function tep_db_input($string, $link = 'db_link') {
	global $$link;
	if (function_exists('mysql_real_escape_string')) {
	  return mysql_real_escape_string($string, $$link);
	} elseif (function_exists('mysql_escape_string')) {
	  return mysql_escape_string($string);
	}
	return addslashes($string);
  }  

Change to

 // Added below for [TiM's osC Solutions] Safer Database Input Method: $allowable_tags = false
  // To allow tags, either pass (boolean)true for all tags or example (string)'<b><i>' for certain tags.
  function tep_db_input($string, $link = 'db_link', $allowable_tags = false) {
	global $$link;

  // BOF: [TiM's osC Solutions] Safer Database Input Method
	if ($allowable_tags === false || is_string($allowable_tags)) {
	  $string = strip_tags($string, $allowable_tags);
	}
  // EOF: [TiM's osC Solutions] Safer Database Input Method

	if (function_exists('mysql_real_escape_string')) {
	  return mysql_real_escape_string($string, $$link);
	} elseif (function_exists('mysql_escape_string')) {
	  return mysql_escape_string($string);
	}

	return addslashes($string);
  }  

Then more info:




And yes, I need to save the HTML in my database for my links to the products manuals, the size of tables etc. that I have in the product description.

But right now I feel like a dumb blonde, Where do I actually enter this example_query
My problem is that in the order there is no text, price or shipping when I change these lines in includes/functions/database.php. What can I do? Thanks for the reply.