mblyman Posted February 7, 2008

I was looking through Supertracker logs and noticed some attempted hacking against my testimonials page, so I would love to see the results of your tests asap :)

I was able to get this fixed with the help of Navyhost. Here is what I did. On testimonials.php (or testimonials.tpl.php) there is a line of code on line 19 (in my testimonials.tpl.php page):

    WHERE testimonials_id = $testimonial_id");

I changed it to:

    WHERE testimonials_id = " . ((int)$testimonial_id) );

This allowed our site to pass the HackerSafe certification. My question, however, is: are we still vulnerable, or does this resolve the problem? I had assumed that since HackerSafe scanned this and no longer flagged it as a potential vulnerability, we were ok. Let me know what everyone thinks.
Guest Posted February 7, 2008

I have just run the commands against my site after your changes and they appear to resolve the attacks I was getting. Anyone else?
warrenerjm Posted February 7, 2008

Yes, it applies to all and is an injection that they can use to then set up a database user which requires no password to gain access.

Hi Mike

I have found your code in catalog/customer_testimonials.php from v3. Is it right that I make that change too?

Thanks
Julie
mblyman Posted February 7, 2008

> Hi Mike
> I have found your code in catalog/customer_testimonials.php from v3. Is it right that I make that change too?
> Thanks
> Julie

Julie, I am no programmer, nor am I familiar with version 3 testimonials... However, I believe that function addition in the code is universal throughout osCommerce.
warrenerjm Posted February 7, 2008

> Julie, I am no programmer, nor am I familiar with version 3 testimonials... However, I believe that function addition in the code is universal throughout osCommerce.

Hi Mike

Me too :blush:

As you said to change this piece of code and it appears to have fixed a security issue with the customer testimonial contribution (and one other has agreed it worked for them), I was wondering if I should make the change too, as I have found it in the new file that was added. :huh:

I'm sure version 3 can't be too different, as it was based on version 1, which has had a lot of additions.

I'm just hoping to learn what the fix is, as I am unable to understand the full implications of this myself. I can change it but I wouldn't know how to test it.

Thanks :thumbsup:
Julie
Guest Posted February 7, 2008

All the code you have does is validate the input and also prevent injections by limiting the use of the ' symbol, as far as I know :)
♥FWR Media Posted February 7, 2008

Not sure of the version, but I changed the line in my customer's site to ..

catalog/customer_testimonials.php

    $full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE testimonials_id = " . ((int)$testimonial_id) . " ORDER BY RAND()");

I believe it started as ..

    $full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE testimonials_id = $testimonial_id ORDER BY RAND()");

--
Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls
KissMT Dynamic SEO Meta & Canonical Header Tags
KissER Error Handling and Debugging
KissIT Image Thumbnailer
Security Pro - Querystring protection against hackers ( a KISS contribution )
If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
♥FWR Media Posted February 7, 2008 (edited)

Here, this will make you all feel better. :D

At the bottom of the customer_testimonials page add the following function:

    <?php
    function ct_sanitise($vartosanitise) {
      // strip every character that is not a digit 0-9
      $vartosanitise = preg_replace("/[^0-9]/i", "", $vartosanitise);
      return $vartosanitise;
    }
    ?>

In my version, just before the DB input there is a line like ..

    $testimonial_id = $HTTP_GET_VARS['testimonial_id'];

where (and this is the important bit) $testimonial_id is the variable that we are going to apply to the SELECT statement. Add below this line (or whatever similar one you have):

    $testimonial_id = ct_sanitise($testimonial_id);

This allows integers only .. hack that yer gits!!!

Edited February 7, 2008 by Babygurgles
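An added example, not code from the thread or from the Customer Testimonials contribution: it builds (but does not run) the SELECT discussed above three ways, so you can see what the raw interpolation, the (int) cast and ct_sanitise() each do to a bad querystring value, and adds a stricter filter_var() check that refuses non-integers instead of coercing them. The table name constant, the sample inputs and the client address are constructed; tep_db_query() is not called.

```php
<?php
// Added example, not code from the thread or the Customer Testimonials contribution.
// Builds (but does not run) the SELECT from the thread three ways, so the effect of
// each fix on a bad querystring value is visible. The table name is a plain constant
// instead of TABLE_CUSTOMER_TESTIMONIALS so the file runs outside osCommerce.

define('TESTIMONIALS_TABLE', 'customer_testimonials'); // assumption

// Original construction: the raw querystring value is pasted into the SQL.
function build_query_raw($testimonial_id) {
    return "select * FROM " . TESTIMONIALS_TABLE .
           " WHERE testimonials_id = $testimonial_id ORDER BY RAND()";
}

// The thread's fix: (int) cast, so only an integer literal can reach the SQL.
function build_query_int($testimonial_id) {
    return "select * FROM " . TESTIMONIALS_TABLE .
           " WHERE testimonials_id = " . ((int)$testimonial_id) . " ORDER BY RAND()";
}

// FWR Media's ct_sanitise(): strips every non-digit character.
function ct_sanitise($vartosanitise) {
    return preg_replace("/[^0-9]/", "", $vartosanitise);
}

// Caveat: ct_sanitise() on its own turns an all-letters value into "", which would
// leave "WHERE testimonials_id =  ORDER BY" (a SQL syntax error), so the (int) cast
// is kept as well, as in the version Julie posts further down the thread.
function build_query_sanitised($testimonial_id) {
    $testimonial_id = ct_sanitise($testimonial_id);
    return build_query_int($testimonial_id);
}

// Stricter alternative: refuse anything that is not a whole positive integer instead
// of silently coercing it. Returns null on refusal and records the event in the web
// server's error log rather than echoing details back to the client.
function validate_testimonial_id($value, $remote_addr) {
    $id = filter_var($value, FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 1)));
    if ($id === false) {
        error_log("customer_testimonials: rejected testimonial_id from " . $remote_addr);
        return null;
    }
    return $id;
}

// Constructed inputs: a normal id, an id with trailing junk, and pure junk.
foreach (array("7", "7 extra", "extra") as $sample) {
    echo "input: \"$sample\"\n";
    echo "  raw:        " . build_query_raw($sample) . "\n";
    echo "  int cast:   " . build_query_int($sample) . "\n";
    echo "  sanitised:  " . build_query_sanitised($sample) . "\n";
    echo "  validated:  " . var_export(validate_testimonial_id($sample, '203.0.113.9'), true) . "\n";
}
```

With the cast in place the SQL only ever contains an integer literal, which is why the scanner stopped flagging the page; the validated form additionally lets the page show "no testimonials" and log the attempt rather than silently querying id 0.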
warrenerjm Posted February 7, 2008

> Here, this will make you all feel better. :D
>
> At the bottom of the customer_testimonials page add the following function:
>
>     <?php
>     function ct_sanitise($vartosanitise) {
>       $vartosanitise = preg_replace("/[^0-9]/i", "", $vartosanitise);
>       return $vartosanitise;
>     }
>     ?>
>
> In my version, just before the DB input there is a line like ..
>
>     $testimonial_id = $HTTP_GET_VARS['testimonial_id'];
>
> where (and this is the important bit) $testimonial_id is the variable that we are going to apply to the SELECT statement. Add below this line (or whatever similar one you have):
>
>     $testimonial_id = ct_sanitise($testimonial_id);
>
> This allows integers only .. hack that yer gits!!!

Hi Robert

I now have:

    <?php
      if ($testimonial_id != '') {
        $full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE testimonials_id = " . ((int)$testimonial_id) . " ORDER BY RAND()");
      } else {
        $full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE status = '1' order by rand()");
      }
      while ($testimonials = tep_db_fetch_array($full_testimonial)) {
        $testimonial_array[] = array('id' => $testimonials['testimonials_id'],
                                     'author' => $testimonials['testimonials_name'],
                                     'title' => $testimonials['testimonials_title'],
                                     'testimonial' => $testimonials['testimonials_html_text'],
                                     'word_count' => tep_word_count($testimonials['testimonials_html_text'], ' '));
      }
      require(DIR_WS_MODULES . 'customer_testimonials.php');
    ?>

so do I put your line as below?

    <?php
      if ($testimonial_id != '') {
        $testimonial_id = ct_sanitise($testimonial_id);
        $full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE testimonials_id = " . ((int)$testimonial_id) . " ORDER BY RAND()");
      } else {
        $full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE status = '1' order by rand()");
      }
      while ($testimonials = tep_db_fetch_array($full_testimonial)) {
        $testimonial_array[] = array('id' => $testimonials['testimonials_id'],
                                     'author' => $testimonials['testimonials_name'],
                                     'title' => $testimonials['testimonials_title'],
                                     'testimonial' => $testimonials['testimonials_html_text'],
                                     'word_count' => tep_word_count($testimonials['testimonials_html_text'], ' '));
      }
      require(DIR_WS_MODULES . 'customer_testimonials.php');
    ?>

And does "the bottom" mean after the footer code or at the end of the body? I'm not blonde but you can tell I don't get the joke! :lol:

ps catalog/customer_testimonial.php is where I'm looking.

Thank you
Julie :blush:
♥FWR Media Posted February 7, 2008

> Hi Robert
>
> I now have:
>
>     <?php
>       if ($testimonial_id != '') {
>         $full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE testimonials_id = " . ((int)$testimonial_id) . " ORDER BY RAND()");
>       } else {
>         $full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE status = '1' order by rand()");
>       }
>       while ($testimonials = tep_db_fetch_array($full_testimonial)) {
>         $testimonial_array[] = array('id' => $testimonials['testimonials_id'],
>                                      'author' => $testimonials['testimonials_name'],
>                                      'title' => $testimonials['testimonials_title'],
>                                      'testimonial' => $testimonials['testimonials_html_text'],
>                                      'word_count' => tep_word_count($testimonials['testimonials_html_text'], ' '));
>       }
>       require(DIR_WS_MODULES . 'customer_testimonials.php');
>     ?>
>
> so do I put your line as below?
>
>     <?php
>       if ($testimonial_id != '') {
>         $testimonial_id = ct_sanitise($testimonial_id);
>         $full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE testimonials_id = " . ((int)$testimonial_id) . " ORDER BY RAND()");
>       } else {
>         $full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE status = '1' order by rand()");
>       }
>       while ($testimonials = tep_db_fetch_array($full_testimonial)) {
>         $testimonial_array[] = array('id' => $testimonials['testimonials_id'],
>                                      'author' => $testimonials['testimonials_name'],
>                                      'title' => $testimonials['testimonials_title'],
>                                      'testimonial' => $testimonials['testimonials_html_text'],
>                                      'word_count' => tep_word_count($testimonials['testimonials_html_text'], ' '));
>       }
>       require(DIR_WS_MODULES . 'customer_testimonials.php');
>     ?>
>
> And does "the bottom" mean after the footer code or at the end of the body? I'm not blonde but you can tell I don't get the joke! :lol:
>
> ps catalog/customer_testimonial.php is where I'm looking.
>
> Thank you
> Julie :blush:

Code looks perfect regarding the function ..

If at the bottom of your file (the very bottom) you have ..

    ?>

then replace that with ..

    <?php
    function ct_sanitise($vartosanitise) {
      $vartosanitise = preg_replace("/[^0-9]/i", "", $vartosanitise);
      return $vartosanitise;
    }
    ?>

If you don't have a ?> at the bottom, just plonk it at the bottom as is.
warrenerjm Posted February 7, 2008

> Code looks perfect regarding the function ..
>
> If at the bottom of your file (the very bottom) you have ..
>
>     ?>
>
> then replace that with ..
>
>     <?php
>     function ct_sanitise($vartosanitise) {
>       $vartosanitise = preg_replace("/[^0-9]/i", "", $vartosanitise);
>       return $vartosanitise;
>     }
>     ?>
>
> If you don't have a ?> at the bottom, just plonk it at the bottom as is.

Hi Robert

My bottom :blush: now looks like this!!

    <!-- footer_eof //-->
    <br>
    </body>
    </html>
    <?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>
    <?php
    function ct_sanitise($vartosanitise) {
      $vartosanitise = preg_replace("/[^0-9]/i", "", $vartosanitise);
      return $vartosanitise;
    }
    ?>

ie I added it complete. Hope that's ok? :)

thanks
Julie
♥FWR Media Posted February 7, 2008 (edited)

> My bottom :blush: now looks like this!!

Sighs .. your bottom doesn't look big at all in that, dear. Wait a minute! She's not my wife!!! :D

Back to reality ..

    <!-- footer_eof //-->
    <br>
    </body>
    </html>
    <?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>
    <?php
    function ct_sanitise($vartosanitise) {
      $vartosanitise = preg_replace("/[^0-9]/i", "", $vartosanitise);
      return $vartosanitise;
    }
    ?>

works, but

    <!-- footer_eof //-->
    <br>
    </body>
    </html>
    <?php
      require(DIR_WS_INCLUDES . 'application_bottom.php');

      // Get rid of the nasty people (how does my bottom look?)
      function ct_sanitise($vartosanitise) {
        $vartosanitise = preg_replace("/[^0-9]/i", "", $vartosanitise);
        return $vartosanitise;
      }
    ?>

is cleaner (or not). Remove at least a part of the // comment, ofc.

Edited February 7, 2008 by Babygurgles
AWWWW.WAHWAH Posted February 8, 2008 (edited)

Well, I was lucky enough to be running 1.3 and they popped me twice, but all they got were COUNTRY and 1234XXXXXXXX7890 (our cc info gets X'd out immediately) numbers, nothing more.

babygurgles, with all the changes you have made, it works now; they just get a message "no testimonials". Can you add a little extra something so that when they try it again, they get the same message along with us being able to add an image of our choice "like a FU finger" or a message just stating to 'FO' :D

No seriously, it would be nice to be able to add a message of warning of some sort.

FYI, both IPs ran from Russia.

Edited February 8, 2008 by Young Tae Byun
♥FWR Media Posted February 8, 2008 (edited)

> Well, I was lucky enough to be running 1.3 and they popped me twice, but all they got were COUNTRY and 1234XXXXXXXX7890 (our cc info gets X'd out immediately) numbers, nothing more.
>
> babygurgles, with all the changes you have made, it works now; they just get a message "no testimonials". Can you add a little extra something so that when they try it again, they get the same message along with us being able to add an image of our choice "like a FU finger" or a message just stating to 'FO' :D
>
> No seriously, it would be nice to be able to add a message of warning of some sort.
>
> FYI, both IPs ran from Russia.

Put something like this at the top of the customer_testimonials file (obviously don't use the php tags if already being parsed by php):

    <?php
    #### FWR Media Deal with hackers
    // if testimonial_id is present on the querystring but is not numeric, stop here
    ( (isset($HTTP_GET_VARS['testimonial_id']) && !is_numeric($HTTP_GET_VARS['testimonial_id']) === true) ? deal_with_hacker() : NULL );

    function deal_with_hacker() {
      $hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
      die('<div align="center" style="width: 80%; border: 1px solid red; color: red; background-color: #ffffcc; padding: 10px; font-size: 10pt;">
           <b>HACKING ATTEMPT ON QUERYSTRING!</b><p />Logging IP ... ' . $_SERVER['REMOTE_ADDR'] . '<br />Logging host ... ' . $hostname . '<br />
           </div>');
    }
    ### End deal with hackers
    ?>

This is actually a simpler method of what we did before.

Edited February 8, 2008 by Babygurgles
♥FWR Media Posted February 8, 2008 (edited)

Here's a one-liner ..

    ( (isset($HTTP_GET_VARS['testimonial_id']) && !is_numeric($HTTP_GET_VARS['testimonial_id']) === true) ? die('<h1 style="color: red;">HACKING ATTEMPT!!</h1>') : NULL );

Edited February 8, 2008 by Babygurgles
chrish123 Posted February 8, 2008 (edited)

Hi,

I'm using Customer Testimonials 3.1. I'd like to say thanks very much for the useful info. I have implemented the various fixes and your code and it works great!

Does anyone know how to get captcha to work with this contribution? I managed to get the captcha box and code working ok and placed correctly within catalog/customer_testimonials_write.php, which is easy. There's a simple tutorial here: http://www.white-hat-web-design.co.uk/arti...php-captcha.php

But the part I can't figure out is the code to submit the testimonial:

    <?php
    session_start();
    if (($_SESSION['security_code'] == $_POST['security_code']) && (!empty($_SESSION['security_code']))) {
      // Insert you code for processing the form here, e.g emailing the submission, entering it into a database.
      unset($_SESSION['security_code']);
    } else {
      // Insert your code for showing an error message here
    }
    ?>

If I try to paste the below button submit code into the above code it chucks out an unexpected < error. I am not a programmer of php, so this is most likely easy.

    <td class="main" align="right"><?php echo tep_image_submit('button_submit.gif', IMAGE_BUTTON_INSERT). ' <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS_WRITE, '', 'NONSSL'); ?></td>

Can anyone figure this out?

Kind Regards
Chris

Edited February 8, 2008 by chrish123
warrenerjm Posted February 8, 2008

> Sighs .. your bottom doesn't look big at all in that, dear. Wait a minute! She's not my wife!!! :D

:lol: I never ask and my husband's never brave enough to say :lol:

    <!-- footer_eof //-->
    <br>
    </body>
    </html>
    <?php
      require(DIR_WS_INCLUDES . 'application_bottom.php');

      // Get rid of the nasty people (how does my bottom look?)
      function ct_sanitise($vartosanitise) {
        $vartosanitise = preg_replace("/[^0-9]/i", "", $vartosanitise);
        return $vartosanitise;
      }
    ?>

Now I have a neater one, thanks :thumbsup:

Are the other pieces of code optional if you want the hackers to know what you think, or should I add these too?

Thanks
Julie
♥FWR Media Posted February 8, 2008

> :lol: I never ask and my husband's never brave enough to say :lol:
>
>     <!-- footer_eof //-->
>     <br>
>     </body>
>     </html>
>     <?php
>       require(DIR_WS_INCLUDES . 'application_bottom.php');
>
>       // Get rid of the nasty people (how does my bottom look?)
>       function ct_sanitise($vartosanitise) {
>         $vartosanitise = preg_replace("/[^0-9]/i", "", $vartosanitise);
>         return $vartosanitise;
>       }
>     ?>
>
> Now I have a neater one, thanks :thumbsup:
>
> Are the other pieces of code optional if you want the hackers to know what you think, or should I add these too?
>
> Thanks
> Julie

Pure choice.
chrish123 Posted February 8, 2008 (edited)

Hi,

I'm using Customer Testimonials 3.1. I'd like to say thanks very much for the useful info. I have implemented the various fixes and your code and it works great!

Does anyone know how to get captcha to work with this contribution? I managed to get the captcha box and code working ok and placed correctly within catalog/customer_testimonials_write.php, which is easy. There's a simple tutorial here: http://www.white-hat-web-design.co.uk/arti...php-captcha.php

But the part I can't figure out is the code to submit the testimonial:

    <?php
    session_start();
    if (($_SESSION['security_code'] == $_POST['security_code']) && (!empty($_SESSION['security_code']))) {
      // Insert you code for processing the form here, e.g emailing the submission, entering it into a database.
      unset($_SESSION['security_code']);
    } else {
      // Insert your code for showing an error message here
    }
    ?>

If I try to paste the below button submit code into the above code it chucks out an unexpected < error. I am not a programmer of php, so this is most likely easy.

    <td class="main" align="right"><?php echo tep_image_submit('button_submit.gif', IMAGE_BUTTON_INSERT). ' <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS_WRITE, '', 'NONSSL'); ?></td>

Can anyone figure this out?

Kind Regards
Chris

EDIT: I forgot to add, surely this contribution is an exploit within itself really, as without image validation this can effectively be a target of a Denial of Service attack. Imagine loads of threads submitting to the database, filling it up with crap; you don't even need to be registered or have to enter a valid email address, there's no checking at all to be able to submit! Is there any way round this, before this contribution gets removed?

Edited February 8, 2008 by chrish123
♥FWR Media Posted February 8, 2008

> EDIT: I forgot to add, surely this contribution is an exploit within itself really, as without image validation this can effectively be a target of a Denial of Service attack. Imagine loads of threads submitting to the database, filling it up with crap; you don't even need to be registered or have to enter a valid email address, there's no checking at all to be able to submit! Is there any way round this, before this contribution gets removed?

I don't use "customer added" testimonials so can't really comment. I add mine via admin.

If I were to have a customer-added form for this I would ..

1) Use a captcha
2) Record in the db each form attempt based on IP and if more than x occurred in 1 minute block the IP (from the form)
3) Validate the $_POST against "off site" posting by having a unique token in the $_POST and $_SESSION that are compared for validity before processing the form
241 Posted February 8, 2008

If you are just copying and pasting then you will get the error for < as that is the beginning of your HTML tagging, which you are pasting into the middle of PHP tagging, thus breaking the PHP. You would need to post more of the code to see whether or not the HTML tagging is required for positioning; if not, then you could use:

    <?php
    session_start();
    if (($_SESSION['security_code'] == $_POST['security_code']) && (!empty($_SESSION['security_code']))) {
      // Insert you code for processing the form here, e.g emailing the submission, entering it into a database.
      echo tep_image_submit('button_submit.gif', IMAGE_BUTTON_INSERT). ' <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS_WRITE, '', 'NONSSL');
      unset($_SESSION['security_code']);
    } else {
      // Insert your code for showing an error message here
    }
    ?>

--
No longer giving free advice. Please place deposit in meter slot provided. Individual: [=] SME: [==] Corporation: [===] If deposit does not fit one of the slots provided then you are asking too much! Is your Osc dated? Try Phoenix, raising oscommerce from the ashes.
warrenerjm Posted February 8, 2008

> I don't use "customer added" testimonials so can't really comment. I add mine via admin.
>
> If I were to have a customer-added form for this I would ..
>
> 1) Use a captcha
> 2) Record in the db each form attempt based on IP and if more than x occurred in 1 minute block the IP (from the form)
> 3) Validate the $_POST against "off site" posting by having a unique token in the $_POST and $_SESSION that are compared for validity before processing the form

Version 3 allows customers to add their own, but they have to be agreed by admin before they are made live. This doesn't stop someone overloading it. :angry:

Is the above possible for someone like me? :lol: :blush:

Thanks
Julie
chrish123 Posted February 8, 2008 (edited)

Hi,

I tried your method, but it does not show the button image, so you cannot submit.

I've added my customer_testimonials_write.php with only the captcha code, unmodified and with comments, in code tags below:

    <?php
    /*
      $Id: customer_testimonials.php,v 2 10/17/2007 Exp $

      Released under the GNU General Public License
      Contributed by http://www.nxlcart.com
    */

      require('includes/application_top.php');
      require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_CUSTOMER_TESTIMONIALS);

      $location = ' » <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS_WRITE, '', 'NONSSL') . '" class="headerNavigation">' . NAVBAR_TITLE . '</a>';
      $breadcrumb->add(NAVBAR_TITLE2, tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS_WRITE));
    ?>
    <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html <?php echo HTML_PARAMS; ?>>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
    <title><?php echo TITLE; ?></title>
    <base href="<?php echo (getenv('HTTPS') == 'on' ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">
    <link rel="stylesheet" type="text/css" href="stylesheet.css">
    </head>
    <body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0">
    <!-- header //-->
    <?php require(DIR_WS_INCLUDES . 'header.php'); ?>
    <!-- header_eof //-->

    <!-- body //-->
    <table border="0" width="100%" cellspacing="3" cellpadding="3">
      <tr>
        <td width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="0" cellpadding="2">
    <!-- left_navigation //-->
    <!-- < ?php require(DIR_WS_INCLUDES . 'column_left.php'); ?>
    <!-- left_navigation_eof //-->
        </table></td>
    <!-- body_text //-->
        <td width="100%" valign="top"><table border="0" width="100%" cellspacing="0" cellpadding="0">
          <tr>
            <td width="100%"><table border="0" width="100%" cellspacing="0" cellpadding="0">
              <tr>
                <td class="pageHeading" colspan="2"><?php echo TEXT_TESTIMONIALS_WRITE; ?></td>
              </tr>
            </table></td>
          </tr>
          <tr>
            <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
          </tr>
    <?php
      if ($HTTP_GET_VARS['action']) {
        switch ($HTTP_GET_VARS['action']) {
          case 'insert':
            $testimonials_id = tep_db_prepare_input($HTTP_POST_VARS['testimonials_id']);
            $testimonials_title = tep_db_prepare_input($HTTP_POST_VARS['testimonials_title']);
            $testimonials_name = tep_db_prepare_input($HTTP_POST_VARS['testimonials_name']);
            $testimonials_email = tep_db_prepare_input($HTTP_POST_VARS['testimonials_email']);
            $html_text = tep_db_prepare_input($HTTP_POST_VARS['html_text']);

            $testimonials_error = false;
            $messageStack = ERROR_HEADER;

            if (empty($testimonials_title)) {
              $messageStack .= '['.ERROR_TESTIMONIALS_TITLE_REQUIRED.']';
              $testimonials_error = true;
            }
            if (empty($testimonials_name)) {
              $messageStack .= '['.ERROR_TESTIMONIALS_NAME_REQUIRED.']';
              $testimonials_error = true;
            }
            if (empty($testimonials_email)) {
              $messageStack .= '['.ERROR_TESTIMONIALS_EMAIL_REQUIRED.']';
              $testimonials_error = true;
            }
            if (empty($html_text)) {
              $messageStack.= '['.ERROR_TESTIMONIALS_DESCRIPTION_REQUIRED.']';
              $testimonials_error = true;
            }

            if (!$testimonials_error) {
              $sql_data_array = array('testimonials_title' => $testimonials_title,
                                      'testimonials_name' => $testimonials_name,
                                      'testimonials_email' => $testimonials_email,
                                      'testimonials_html_text' => $html_text);

              if ($HTTP_GET_VARS['action'] == 'insert') {
                $insert_sql_data = array('date_added' => 'now()',
                                         'status' => '0');
                $sql_data_array = array_merge($sql_data_array, $insert_sql_data);
                tep_db_perform(TABLE_CUSTOMER_TESTIMONIALS, $sql_data_array);
                $testimonials_id = tep_db_insert_id();
              }

              echo '<tr><td colspan="2">' . tep_draw_separator('pixel_trans.gif', '1', '10') .' </td></tr>';
              echo '<tr><td class="main">'. TEXT_TESTIMONIALS_SUCCESSFUL .'</td><td class="main"><a href="' . tep_href_link(FILENAME_DEFAULT) . '">' . tep_image_button('button_continue.gif', IMAGE_BUTTON_CONTINUE) . '</a></td></tr>';

              $testimonials_id = '';
              $testimonials_title = '';
              $testimonials_name = '';
              $testimonials_email = '';
              $html_text = '';
            } else {
              echo '<tr><td colspan="2">' . tep_draw_separator('pixel_trans.gif', '1', '10') .' </td></tr>';
              echo '<tr><td class="main">'. $messageStack .'</td><td class="main"></td></tr>';

              $testimonials_id = tep_db_prepare_input($HTTP_POST_VARS['testimonials_id']);
              $testimonials_title = tep_db_prepare_input($HTTP_POST_VARS['testimonials_title']);
              $testimonials_name = tep_db_prepare_input($HTTP_POST_VARS['testimonials_name']);
              $testimonials_email = tep_db_prepare_input($HTTP_POST_VARS['testimonials_email']);
              $html_text = tep_db_prepare_input($HTTP_POST_VARS['html_text']);
            }
            break;
        }
      }
    ?>
    <?php
      if (tep_session_is_registered('customer_id')) {
        $account_query = tep_db_query("select customers_firstname, customers_lastname, customers_email_address from " . TABLE_CUSTOMERS . " where customers_id = '" . (int)$customer_id . "'");
        $account = tep_db_fetch_array($account_query);
        $testimonials_name = $account['customers_firstname'] . ' ' . $account['customers_lastname'];
        $testimonials_email = $account['customers_email_address'];
      }
    ?>
    <!-- BEFORE Captcha Validation function//-->
    <?php
    session_start();
    if (($_SESSION['security_code'] == $_POST['security_code']) && (!empty($_SESSION['security_code']))) {
      // Insert you code for processing the form here, e.g emailing the submission, entering it into a database.
      unset($_SESSION['security_code']);
    } else {
      // Insert your code for showing an error message here
    }
    ?>
    <!-- BEFORE Captcha Validation function//-->
          <tr><form name="customer_testimonial" method="post" action="<?php echo tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS_WRITE, 'action=insert', 'NONSSL'); ?>">
            <td><table align="center" width="100%" border="0" cellspacing="0" cellpadding="2">
              <tr>
                <td><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
              </tr>
              <tr>
                <td class="main"><?php echo TEXT_TESTIMONIALS_INTRO; ?></td>
              </tr>
              <tr>
                <td><table align="center" width="100%" border="0" cellspacing="0" cellpadding="0">
                  <tr>
                    <td class="main"><?php echo TEXT_TESTIMONIALS_TITLE; ?><br>
                    <?php echo tep_draw_input_field('testimonials_title', $testimonials_title, '', true); ?><span class="inputRequirement">*</span></td>
                  </tr>
                  <tr>
                    <td><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
                  </tr>
                  <tr>
                    <td class="main"><?php echo TEXT_TESTIMONIALS_NAME; ?><br>
                    <?php echo tep_draw_input_field('testimonials_name', $testimonials_name, '', true); ?><span class="inputRequirement">*</span></td>
                  <tr>
                    <td><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
                  </tr>
                  <tr>
                    <td class="main">
                    <?php echo TEXT_TESTIMONIALS_EMAIL; ?><br>
                    <?php echo tep_draw_input_field('testimonials_email'); ?> <span class="inputRequirement">*</span>
                    </td>
                  </tr>
                  <tr>
                    <td><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
                  </tr>
                  <tr>
                    <td valign="top" class="main"><?php echo TEXT_BANNERS_HTML_TEXT; ?></td>
                  <tr class="infoBoxContents">
                    <td><?php echo tep_draw_textarea_field('html_text', 'soft', '130', '5', $html_text); ?></td>
                  </tr>
                  <tr>
                    <td><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
                  </tr>
                  <tr>
                    <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
                      <tr class="infoBoxContents">
                        <td><table border="0" width="100%" cellspacing="0" cellpadding="2">
                          <tr>
                            <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
                            <td class="main"><?php echo '<a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS) . '">' . tep_image_button('button_back.gif', IMAGE_BUTTON_BACK) . '</a>'; ?></td>
                            <td class="main" align="right"><?php echo tep_image_submit('button_submit.gif', IMAGE_BUTTON_INSERT). ' <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS_WRITE, '', 'NONSSL'); ?></td> <!--This is the line to fix //-->
                            <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
                          </tr>
    <!--BEFORE -- Displays the Captcha Image box and entry box from captchasecurityimages.php-->
                          <img src="CaptchaSecurityImages.php" />
                          Security Code: <input id="security_code" name="security_code" type="text" />
    <!--End OF -- Displays the Captcha Image box and entry box from captchasecurityimages.php-->
                        </table></td>
    <!-- body_text_eof //-->
        <td width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="0" cellpadding="2">
    <!-- right_navigation //-->
    <?php require(DIR_WS_INCLUDES . 'column_right.php'); ?>
    <!-- right_navigation_eof //-->
        </table></td>
      </tr>
    </table>
    <!-- body_eof //-->

    <!-- footer //-->
    <?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
    <!-- footer_eof //-->
    <br>
    </body>
    </html>
    <?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

Edited February 8, 2008 by chrish123
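An added example, not code from the thread or from the Customer Testimonials contribution: it implements the three protections FWR Media lists (captcha, per-IP rate limit, anti-CSRF token) as one gate that the 'insert' case of customer_testimonials_write.php would call before tep_db_perform(), which is also where the captcha check from chrish123's question belongs. $session stands in for $_SESSION and $attempts for the attempts table FWR Media describes; both are plain arrays here so the file runs on its own, and it assumes PHP 7 or later for random_bytes().

```php
<?php
// Added example, not code from the thread or the Customer Testimonials contribution.
// One gate for the 'insert' action of customer_testimonials_write.php that applies
// the three protections discussed in the thread: anti-CSRF token, captcha, rate limit.
// $session stands for $_SESSION and $attempts for a small (ip, timestamp) table;
// both are plain arrays here so the file runs stand-alone. Assumes PHP 7 or later.

// 1) Anti-CSRF token: call when drawing the form and emit the value in a hidden
//    field named form_token; the same token must come back in the POST.
function testimonial_form_token(array &$session) {
    if (empty($session['testimonial_token'])) {
        $session['testimonial_token'] = bin2hex(random_bytes(16));
    }
    return $session['testimonial_token'];
}

function token_is_valid(array $session, $posted) {
    return isset($session['testimonial_token']) && is_string($posted)
        && hash_equals($session['testimonial_token'], $posted);
}

// 2) Captcha: the tutorial quoted in the thread keeps the expected code in
//    $_SESSION['security_code'] and the form posts it as security_code.
function captcha_is_valid(array $session, $posted) {
    return !empty($session['security_code']) && is_string($posted)
        && hash_equals($session['security_code'], $posted);
}

// 3) Per-IP rate limit: refuse once $max attempts from $ip fall inside $window seconds.
function ip_is_rate_limited(array &$attempts, $ip, $now, $max = 5, $window = 60) {
    $recent = array();
    if (isset($attempts[$ip])) {
        foreach ($attempts[$ip] as $t) {
            if ($t > $now - $window) {   // keep only attempts still inside the window
                $recent[] = $t;
            }
        }
    }
    if (count($recent) >= $max) {
        $attempts[$ip] = $recent;
        return true;
    }
    $recent[] = $now;
    $attempts[$ip] = $recent;
    return false;
}

// Runs all three checks. Returns an array of error strings; empty means the
// submission may go on to tep_db_perform().
function validate_testimonial_submission(array $post, $ip, $now, array &$session, array &$attempts) {
    if (ip_is_rate_limited($attempts, $ip, $now)) {
        return array('too many submissions from this address, try again later');
    }
    $errors = array();
    if (!token_is_valid($session, isset($post['form_token']) ? $post['form_token'] : null)) {
        $errors[] = 'form token missing or stale';
    }
    if (!captcha_is_valid($session, isset($post['security_code']) ? $post['security_code'] : null)) {
        $errors[] = 'security code incorrect';
    }
    if (!$errors) {
        // both secrets are single-use, so a replayed POST fails the next time round
        unset($session['security_code'], $session['testimonial_token']);
    }
    return $errors;
}

// --- constructed demonstration ---
$session  = array('security_code' => 'K7P2Q');   // what CaptchaSecurityImages.php would have set
$attempts = array();
$token    = testimonial_form_token($session);

// a legitimate submission passes (empty error array)
$good = array('form_token' => $token, 'security_code' => 'K7P2Q', 'html_text' => 'Great shop');
print_r(validate_testimonial_submission($good, '203.0.113.9', 1000, $session, $attempts));

// the same POST replayed fails: token and captcha were consumed
print_r(validate_testimonial_submission($good, '203.0.113.9', 1001, $session, $attempts));

// a burst from one address: attempts 1-5 are examined, the 6th is refused outright
$attempts = array();
for ($i = 0; $i < 6; $i++) {
    $result = validate_testimonial_submission(array(), '203.0.113.9', 1002 + $i, $session, $attempts);
}
print_r($result);
```

In the live page the rate-limit check would read and write the attempts table with tep_db_query(), and the form would carry the token via tep_draw_hidden_field('form_token', testimonial_form_token($_SESSION)).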
Rezolles_Net Posted February 8, 2008 (Author)

Hi everyone,

Can anyone make a new notepad ONLY for the security issue? I'm getting confused here over whether to make the change with the codes..

THX
241 Posted February 8, 2008

Uploaded full package with the code changes in place for SQL injection prevention and sanitisation of the string.