Rezolles_Net

Customer Testimonials v1.0


I was looking through Supertracker logs and noticed some attempted hacking against my testimonials page, so I would love to see the results of your tests ASAP :)

 

I was able to get this fixed with help from Navyhost. Here is what I did:

 

 

On testimonials.php (or testimonials.tpl.php) there is a line of code on line 19 (in my testimonials.tpl.php page):

 

WHERE testimonials_id = $testimonial_id");

 

 

I changed it to:

 

WHERE testimonials_id = ". ((int)$testimonial_id) );

 

 

This allowed our site to pass the HackerSafe certification.

 

My question, however, is: are we still vulnerable, or does this resolve the problem? I had assumed that since HackerSafe scanned this and no longer flagged it as a potential vulnerability, we were OK.

 

Let me know what everyone thinks.


I have just done the commands against my site after your changes and they appear to resolve the attacks I was getting. Anyone else?

Yes, it applies to all, and it is an injection that they can use to set up a database user which requires no password to gain access.

Hi Mike

 

I have found your code in catalog/customer_testimonials.php from v3

 

Is it right that I make that change too?

 

Thanks

Julie

Julie,

 

I am no programmer, nor am I familiar with version 3 testimonials...

However, I believe that function addition in the code is universal throughout osCommerce.

Hi Mike

 

Me too :blush:

 

As you said to change this piece of code, and it appears to have fixed a security issue with the Customer Testimonials contribution (and one other person has agreed it worked for them), I was wondering if I should make the change too, as I have found it in the new file that was added. :huh:

I'm sure version 3 can't be too different, as it was based on version 1, which has had a lot of additions.

I'm just hoping to learn what the fix is, as I am unable to understand the full implications of this myself. I can change it, but I wouldn't know how to test it.

 

Thanks :thumbsup:

Julie


All the code you have does is validate the input and also prevent injections by limiting the use of the ' symbol, as far as I know :)


Not sure of the version, but I changed the line in my customer's site to ..

 

catalog/customer_testimonials.php

 

$full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE testimonials_id = " . ((int)$testimonial_id) . " ORDER BY RAND()");

 

I believe it started as ..

 

$full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE testimonials_id = $testimonial_id ORDER BY RAND()");


Here this will make you all feel better. :D

 

At the bottom of the customer_testimonials page, add the following function:

 

<?php
// Delete every character except the digits 0-9, so that only an integer
// can reach the SELECT statement that uses $testimonial_id.
function ct_sanitise($vartosanitise) {
  $vartosanitise = preg_replace("/[^0-9]/i", "", $vartosanitise);
  return $vartosanitise;
}
?>

 

In my version, just before the DB input there is a line like ..

 

$testimonial_id = $HTTP_GET_VARS['testimonial_id'];

 

Where (and this is the important bit) $testimonial_id is the variable that we are going to apply to the SELECT statement.

 

Add below this line (or whatever similar one you have)

 

$testimonial_id = ct_sanitise($testimonial_id);

 

This allows integers only .. hack that yer gits!!!

Edited by Babygurgles

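What do the (int) cast in the before/after query lines a few posts up and the ct_sanitise() function in the post just above actually change? The following is an added example, not code from this thread or from the Customer Testimonials contribution: it rebuilds the query in Python against an in-memory SQLite table with constructed rows (ORDER BY RAND() becomes SQLite's RANDOM()), feeds it two payloads of the kind the Supertracker logs would have recorded, and runs each of the thread's defences over them. The customers table, its columns, the masked card value, the payload strings and the function names are all assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample data. customer_testimonials mirrors the columns the
# thread's query reads; the customers table, its column names and the masked
# card value are assumptions standing in for whatever a UNION would really
# have pulled out of the shop's database.
SCHEMA = """
CREATE TABLE customer_testimonials (
    testimonials_id        INTEGER PRIMARY KEY,
    testimonials_name      TEXT,
    testimonials_html_text TEXT,
    status                 INTEGER
);
CREATE TABLE customers (
    customers_id        INTEGER PRIMARY KEY,
    customers_country   TEXT,
    customers_cc_masked TEXT
);
INSERT INTO customer_testimonials VALUES (1, 'Alice', 'Great shop', 1);
INSERT INTO customer_testimonials VALUES (2, 'Bob', 'Awaiting approval', 0);
INSERT INTO customers VALUES (1, 'GB', '1234XXXXXXXX7890');
"""

SELECT = ("SELECT testimonials_id, testimonials_name, testimonials_html_text "
          "FROM customer_testimonials WHERE testimonials_id = ")

# Two payloads an attacker would put in ?testimonial_id=... (constructed).
PAYLOAD_OR = "1 OR 1=1"
PAYLOAD_UNION = ("1 UNION SELECT customers_id, customers_country, "
                 "customers_cc_masked FROM customers -- ")


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def query_vulnerable(conn, testimonial_id):
    """The 'before' line: the raw parameter is pasted into the SQL."""
    sql = SELECT + testimonial_id + " ORDER BY RANDOM()"
    return conn.execute(sql).fetchall()


def to_int_like_php(value):
    """Approximation of PHP's (int) cast on a string: the leading integer,
    or 0 if there is none (exponent forms such as '1e3' are not modelled)."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def query_int_cast(conn, testimonial_id):
    """The 'after' line: ((int)$testimonial_id) before concatenation."""
    sql = SELECT + str(to_int_like_php(testimonial_id)) + " ORDER BY RANDOM()"
    return conn.execute(sql).fetchall()


def ct_sanitise(value):
    """Port of the thread's ct_sanitise(): delete every non-digit character."""
    return re.sub(r"[^0-9]", "", value)


def query_sanitised(conn, testimonial_id):
    """Julie's final form: ct_sanitise() and then the (int) cast. The cast
    matters: ct_sanitise('abc') is '', which on its own would leave
    'WHERE testimonials_id =  ORDER BY' and a syntax error."""
    return query_int_cast(conn, ct_sanitise(testimonial_id))


def query_strict(conn, testimonial_id):
    """Reject-and-bind: refuse anything but digits (what the is_numeric()
    check later in the thread aims at, minus its acceptance of signed,
    decimal and exponent forms such as '-5', '1.5', '1e3'), then pass the
    value as a bound parameter instead of concatenating it."""
    if not re.fullmatch(r"\d+", testimonial_id):
        raise ValueError("testimonial_id must be a plain positive integer")
    sql = SELECT + "? ORDER BY RANDOM()"
    return conn.execute(sql, (int(testimonial_id),)).fetchall()


if __name__ == "__main__":
    db = connect()
    print("vulnerable, OR payload   :", query_vulnerable(db, PAYLOAD_OR))
    print("vulnerable, UNION payload:", query_vulnerable(db, PAYLOAD_UNION))
    print("(int) cast, OR payload   :", query_int_cast(db, PAYLOAD_OR))
    print("sanitised,  OR payload   :", query_sanitised(db, PAYLOAD_OR))
```

Two things worth noticing when running it. First, the vulnerable line returns the unapproved row for "1 OR 1=1" and the customers row for the UNION payload, which is the shape of the data loss reported later in the thread. Second, the (int) cast silently turns "1 OR 1=1" into testimonial 1 and ct_sanitise() turns it into testimonial 111, so both stop the injection but neither reports that an attack was attempted; that is the gap the later die()-on-non-numeric check fills. Keep the (int) cast after ct_sanitise(), as in Julie's version, because the sanitiser on its own can return an empty string.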
Hi Robert

 

I now have:

 

			<?php
		if ($testimonial_id != '') {
			$full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE testimonials_id = " . ((int)$testimonial_id) . " ORDER BY RAND()");
		}
		else {
			$full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE status = '1' order by rand()");
		}
		while ($testimonials = tep_db_fetch_array($full_testimonial)) {
			$testimonial_array[] = array('id' => $testimonials['testimonials_id'],
										 'author' => $testimonials['testimonials_name'],
										 'title' => $testimonials['testimonials_title'],
										 'testimonial' => $testimonials['testimonials_html_text'],
										 'word_count' => tep_word_count($testimonials['testimonials_html_text'], ' '));

			}
		require(DIR_WS_MODULES  . 'customer_testimonials.php');
		?>

 

So do I put your line as below?

 

			<?php
		if ($testimonial_id != '') {
			$testimonial_id = ct_sanitise($testimonial_id);
			$full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE testimonials_id = " . ((int)$testimonial_id) . " ORDER BY RAND()");
		}
		else {
			$full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE status = '1' order by rand()");
		}
		while ($testimonials = tep_db_fetch_array($full_testimonial)) {
			$testimonial_array[] = array('id' => $testimonials['testimonials_id'],
										 'author' => $testimonials['testimonials_name'],
										 'title' => $testimonials['testimonials_title'],
										 'testimonial' => $testimonials['testimonials_html_text'],
										 'word_count' => tep_word_count($testimonials['testimonials_html_text'], ' '));

			}
		require(DIR_WS_MODULES  . 'customer_testimonials.php');
		?>

 

And does "the bottom" mean after the footer code or at the end of the body?

I'm not blonde, but you can tell I don't get the joke! :lol:

PS: catalog/customer_testimonial.php is where I'm looking.

 

Thank you

Julie :blush:

Code looks perfect.

Regarding the function ..

 

If at the bottom of your file (The very bottom) you have ..

 

?>

 

Then replace that with ..

 

<?php
function ct_sanitise($vartosanitise) {
$vartosanitise = preg_replace("/[^0-9]/i", "", $vartosanitise);
return $vartosanitise;
}
?>

 

If you don't have a ?> at the bottom, just plonk it at the bottom as is.

Hi Robert

 

My bottom :blush: now looks like this!!

 

<!-- footer_eof //-->
<br>
</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

<?php
function ct_sanitise($vartosanitise) {
$vartosanitise = preg_replace("/[^0-9]/i", "", $vartosanitise);
return $vartosanitise;
}
?>

 

i.e. I added it complete.

Hope that's OK? :)

 

thanks

Julie


Sighs .. your bottom doesn't look big at all in that dear.

 

Wait a minute! she's not my wife!!! :D

 

Back to reality ..

 

<!-- footer_eof //-->
<br>
</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

<?php
function ct_sanitise($vartosanitise) {
$vartosanitise = preg_replace("/[^0-9]/i", "", $vartosanitise);
return $vartosanitise;
}
?>

 

works, but

 

<!-- footer_eof //-->
<br>
</body>
</html>
<?php
require(DIR_WS_INCLUDES . 'application_bottom.php');
// Get rid of the nasty people (how does my bottom look?)
function ct_sanitise($vartosanitise) {
$vartosanitise = preg_replace("/[^0-9]/i", "", $vartosanitise);
return $vartosanitise;
}
?>

 

is cleaner (or not). Remove at least part of the // comment, of course.

Edited by Babygurgles


Well, I was lucky enough to be running 1.3 and they popped me twice, but all they got were COUNTRY and 1234XXXXXXXX7890 (our CC info gets X'd out immediately) numbers, nothing more.

Babygurgles, with all the changes you have made, it works now; they just get the message "no testimonials".

Can you add a little extra something so that when they try it again, they get the same message along with us being able to add an image of our choice, "like a FU finger", or a message just stating 'FO'?

:D No seriously, it would be nice to be able to add a warning message of some sort.

FYI, both IPs ran from Russia.

Edited by Young Tae Byun


Put something like this at the top of the customer_testimonials file (obviously don't use the PHP tags if it is already being parsed as PHP):

 

<?php
#### FWR Media Deal with hackers
( (isset($HTTP_GET_VARS['testimonial_id']) && !is_numeric($HTTP_GET_VARS['testimonial_id']) === true)  ? deal_with_hacker() : NULL );
function deal_with_hacker() {
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
die('<div align="center" style="width: 80%; border: 1px solid red; color: red; background-color: #ffffcc; padding: 10px; font-size: 10pt;">
	<b>HACKING ATTEMPT ON QUERYSTRING!</b><p />Logging IP ... ' . $_SERVER['REMOTE_ADDR'] . '<br />Logging host ... ' . $hostname . '<br />
	</div>');
}
### End deal with hackers
?>

 

This is actually a simpler method than what we did before.

Edited by Babygurgles


Here's a one-liner ..

 

( (isset($HTTP_GET_VARS['testimonial_id']) && !is_numeric($HTTP_GET_VARS['testimonial_id']) === true)  ? die('<h1 style="color: red;">HACKING ATTEMPT!!</h1>') : NULL );

Edited by Babygurgles


Hi,

I'm using Customer Testimonials 3.1. I'd like to say thanks very much for the useful info; I have implemented the various fixes and your code, and it works great!

Does anyone know how to get captcha to work with this contribution?

I managed to get the captcha box and code working OK and placed correctly within catalog/customer_testimonials_write.php, which is easy.

There's a simple tutorial here:

http://www.white-hat-web-design.co.uk/arti...php-captcha.php

But the part I can't figure out is the code to submit the testimonial:

 

<?php 
  session_start();
  if(($_SESSION['security_code'] == $_POST['security_code']) && (!empty($_SESSION['security_code'])) ) {
  // Insert you code for processing the form here, e.g emailing the submission, entering it into a database. 
  unset($_SESSION['security_code']);
  } else {
  // Insert your code for showing an error message here
  }
?>

 

If I try to paste the submit button code below into the above code, it chucks out an unexpected < error. I am not a PHP programmer, so this is most likely easy.

 

						<td class="main" align="right"><?php echo tep_image_submit('button_submit.gif', IMAGE_BUTTON_INSERT). '  <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS_WRITE, '', 'NONSSL'); ?></td>

 

 

Can anyone figure this out?

 

Kind Regards

Chris

Edited by chrish123

:lol: I never ask, and my husband's never brave enough to say :lol:

Now I have a neater one, thanks :thumbsup:

Are the other pieces of code optional, if you want the hackers to know what you think, or should I add these too?

 

Thanks

Julie

Pure choice.

EDIT:

 

I forgot to add: surely this contribution is an exploit in itself really, as without image validation it can effectively be the target of a denial of service attack. Imagine loads of threads submitting to the database, filling it up with crap; you don't even need to be registered or have to enter a valid email address. There's no checking at all to be able to submit!

 

 

Is there any way round this, before this contribution gets removed?

Edited by chrish123

I don't use "customer added" testimonials so can't really comment. I add mine via admin.

 

If I were to have a customer added form for this I would ..

 

1) Use a captcha

2) Record in the DB each form attempt based on IP, and if more than x occurred in 1 minute, block the IP (from the form)

3) Validate the $_POST against "off-site" posting by having a unique token in the $_POST and $_SESSION that are compared for validity before processing the form

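Put together, the three items in the post above look like the following. This is an added example written for this page, not the contribution's code and not something its author posted: a Python sketch of the request-handling logic with the session as a plain dict, so it runs without osCommerce or a web server. The names issue_form_tokens, SubmissionGuard and form_token are assumptions; security_code matches the session and POST field names in the captcha tutorial quoted earlier in the thread, and the sample IP address and POST data are constructed.

```python
import hmac
import secrets
import string
import time
from collections import defaultdict, deque

# Rate-limit defaults: "more than x attempts in 1 minute" from the post above.
DEFAULT_LIMIT = 3
DEFAULT_WINDOW = 60.0

CAPTCHA_ALPHABET = string.ascii_uppercase + string.digits


def issue_form_tokens(session, captcha_length=6):
    """Call this when rendering the form. Stores a one-time CSRF token and the
    captcha answer in the (dict-like) session and returns both: the token goes
    into a hidden field, the answer is what the captcha image would draw."""
    token = secrets.token_hex(16)
    code = "".join(secrets.choice(CAPTCHA_ALPHABET) for _ in range(captcha_length))
    session["form_token"] = token
    session["security_code"] = code
    return token, code


def _same(expected, supplied):
    """Constant-time comparison, so a wrong token or captcha answer does not
    leak how many leading characters matched."""
    return hmac.compare_digest(str(expected).encode(), str(supplied).encode())


class SubmissionGuard:
    """Gate in front of a public form: per-IP rate limit, CSRF token, captcha.
    check() returns (accepted, reason); on rejection the caller shows an error
    and re-renders the form with fresh tokens."""

    def __init__(self, limit=DEFAULT_LIMIT, window=DEFAULT_WINDOW):
        self.limit = limit
        self.window = window
        self._attempts = defaultdict(deque)   # ip -> timestamps of attempts

    def _rate_limited(self, ip, now):
        seen = self._attempts[ip]
        while seen and now - seen[0] >= self.window:
            seen.popleft()                    # forget attempts outside the window
        seen.append(now)                      # rejected attempts count too
        return len(seen) > self.limit

    def check(self, session, post, ip, now=None):
        now = time.monotonic() if now is None else now
        if self._rate_limited(ip, now):
            return False, "rate-limited"
        # Both secrets are single-use: pop them before comparing, so a replayed
        # POST fails and a wrong captcha answer cannot be retried against the
        # same image.
        expected_token = session.pop("form_token", None)
        expected_code = session.pop("security_code", None)
        if not expected_token or not _same(expected_token, post.get("form_token", "")):
            return False, "csrf"
        if not expected_code or not _same(expected_code, post.get("security_code", "")):
            return False, "captcha"
        return True, "ok"


if __name__ == "__main__":
    guard = SubmissionGuard()
    session = {}
    token, code = issue_form_tokens(session)
    post = {"form_token": token, "security_code": code, "testimonials_title": "Great shop"}
    print(guard.check(session, post, "198.51.100.7"))   # accepted
    print(guard.check(session, post, "198.51.100.7"))   # replay: tokens consumed
```

The order of the checks matters: the rate limit runs first and counts rejected attempts too, so a flood of bad POSTs stays blocked rather than being scored only on successes; the token and captcha answer are popped from the session before comparison, so a replayed POST fails the token check and a wrong answer forces a new image; and hmac.compare_digest keeps the comparison constant-time. Blocking by IP is coarse (shared NAT, proxies), so keep the limit generous and treat it as a brake rather than a ban, and still require admin approval before anything goes live, as version 3 already does.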

 

If you are just copying and pasting then you will get the error for <, as that is the beginning of your HTML tagging, which you are pasting into the middle of PHP tagging, thus breaking the PHP.

You would need to post more of the code to see whether or not the HTML tagging is required for positioning; if not, then you could use:

<?php 
  session_start();
  if(($_SESSION['security_code'] == $_POST['security_code']) && (!empty($_SESSION['security_code'])) ) {
  // Insert you code for processing the form here, e.g emailing the submission, entering it into a database. 
echo tep_image_submit('button_submit.gif', IMAGE_BUTTON_INSERT). '  <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS_WRITE, '', 'NONSSL');
  unset($_SESSION['security_code']);
  } else {
  // Insert your code for showing an error message here
  }
?>



Version 3 allows customers to add their own, but they have to be agreed by admin before they are made live. This doesn't stop someone overloading it. :angry: Is the above possible for someone like me? :lol: :blush:

 

Thanks

Julie


Hi, I tried your method, but it does not show the button image, so you cannot submit.

I've added my customer_testimonials_write.php with only the captcha code, unmodified and with comments, in code tags below:

 

<?php
/*
 $Id: customer_testimonials.php,v 2 10/17/2007 Exp $
 Released under the GNU General Public License
 Contributed by http://www.nxlcart.com
*/


 require('includes/application_top.php');

 require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_CUSTOMER_TESTIMONIALS);

 $location = ' » <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS_WRITE, '', 'NONSSL') . '" class="headerNavigation">' . NAVBAR_TITLE . '</a>';
$breadcrumb->add(NAVBAR_TITLE2, tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS_WRITE));
?>
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
<title><?php echo TITLE; ?></title>
<base href="<?php echo (getenv('HTTPS') == 'on' ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">
<link rel="stylesheet" type="text/css" href="stylesheet.css">
</head>
<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0">
<!-- header //-->
<?php require(DIR_WS_INCLUDES . 'header.php'); ?>
<!-- header_eof //-->
<!-- body //-->
<table border="0" width="100%" cellspacing="3" cellpadding="3">
 <tr>
<td width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="0" cellpadding="2">
<!-- left_navigation //-->
<!-- < ?php require(DIR_WS_INCLUDES . 'column_left.php'); ?>
<!-- left_navigation_eof //-->
</table></td>
<!-- body_text //-->
<td width="100%" valign="top"><table border="0" width="100%" cellspacing="0" cellpadding="0">
  <tr>
	<td width="100%"><table border="0" width="100%" cellspacing="0" cellpadding="0">
	  <tr>
		<td class="pageHeading" colspan="2"><?php echo TEXT_TESTIMONIALS_WRITE; ?></td>
	  </tr>
	</table></td>
  </tr>
  <tr>
	<td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
  </tr>

<?php

if ($HTTP_GET_VARS['action']) {
switch ($HTTP_GET_VARS['action']) {
  case 'insert':
	$testimonials_id = tep_db_prepare_input($HTTP_POST_VARS['testimonials_id']);
	$testimonials_title = tep_db_prepare_input($HTTP_POST_VARS['testimonials_title']);
	$testimonials_name = tep_db_prepare_input($HTTP_POST_VARS['testimonials_name']);
	$testimonials_email = tep_db_prepare_input($HTTP_POST_VARS['testimonials_email']);
	$html_text = tep_db_prepare_input($HTTP_POST_VARS['html_text']);

	$testimonials_error = false;
	$messageStack = ERROR_HEADER;
	if (empty($testimonials_title)) {
	  $messageStack .= '['.ERROR_TESTIMONIALS_TITLE_REQUIRED.']';
	  $testimonials_error = true;
	}
	if (empty($testimonials_name)) {
	  $messageStack .= '['.ERROR_TESTIMONIALS_NAME_REQUIRED.']';
	  $testimonials_error = true;
	}
	 if (empty($testimonials_email)) {
	  $messageStack .= '['.ERROR_TESTIMONIALS_EMAIL_REQUIRED.']';
	  $testimonials_error = true;
	}
	if (empty($html_text)) {
	  $messageStack.= '['.ERROR_TESTIMONIALS_DESCRIPTION_REQUIRED.']';
	  $testimonials_error = true;
	}

	if (!$testimonials_error) {
	  $sql_data_array = array('testimonials_title' => $testimonials_title,						 
							  'testimonials_name' => $testimonials_name,
							  'testimonials_email' => $testimonials_email,
							  'testimonials_html_text' => $html_text);
	 if ($HTTP_GET_VARS['action'] == 'insert') {
	   $insert_sql_data = array('date_added' => 'now()',
								 'status' => '0');
		$sql_data_array = array_merge($sql_data_array, $insert_sql_data);
		tep_db_perform(TABLE_CUSTOMER_TESTIMONIALS, $sql_data_array);
		$testimonials_id = tep_db_insert_id();
	  }
	  echo '<tr><td colspan="2">' . tep_draw_separator('pixel_trans.gif', '1', '10') .' </td></tr>';
	  echo '<tr><td class="main">'. TEXT_TESTIMONIALS_SUCCESSFUL .'</td><td class="main"><a href="' . tep_href_link(FILENAME_DEFAULT) . '">' . tep_image_button('button_continue.gif', IMAGE_BUTTON_CONTINUE) . '</a></td></tr>';
	  $testimonials_id = '';
	   $testimonials_title = '';
	   $testimonials_name = '';
	   $testimonials_email = '';
	   $html_text = '';
	} else {
	   echo '<tr><td colspan="2">' . tep_draw_separator('pixel_trans.gif', '1', '10') .' </td></tr>';
	   echo '<tr><td class="main">'. $messageStack .'</td><td class="main"></td></tr>';

	   $testimonials_id = tep_db_prepare_input($HTTP_POST_VARS['testimonials_id']);
	   $testimonials_title = tep_db_prepare_input($HTTP_POST_VARS['testimonials_title']);		  
	   $testimonials_name = tep_db_prepare_input($HTTP_POST_VARS['testimonials_name']);
	   $testimonials_email = tep_db_prepare_input($HTTP_POST_VARS['testimonials_email']);
	   $html_text = tep_db_prepare_input($HTTP_POST_VARS['html_text']);
	}
	break;
}
 }

?>
<?php
if (tep_session_is_registered('customer_id')) {
$account_query = tep_db_query("select customers_firstname, customers_lastname, customers_email_address from " . TABLE_CUSTOMERS . " where customers_id = '" . (int)$customer_id . "'");
$account = tep_db_fetch_array($account_query);

$testimonials_name = $account['customers_firstname'] . ' ' . $account['customers_lastname'];
$testimonials_email = $account['customers_email_address'];
 }
?>  



<!-- BEFORE Captcha Validation function//-->
<?php 
  session_start();
  if(($_SESSION['security_code'] == $_POST['security_code']) && (!empty($_SESSION['security_code'])) ) {
  // Insert you code for processing the form here, e.g emailing the submission, entering it into a database. 
  unset($_SESSION['security_code']);
  } else {
  // Insert your code for showing an error message here
  }
?>
<!-- BEFORE Captcha Validation function//-->


<tr><form name="customer_testimonial" method="post" action="<?php echo tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS_WRITE, 'action=insert', 'NONSSL'); ?>"  >
	<td><table align="center" width="100%" border="0" cellspacing="0" cellpadding="2">
	  <tr>
		<td><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
	  </tr>
	  <tr>
		<td class="main"><?php echo TEXT_TESTIMONIALS_INTRO; ?></td>
	   </tr>

	   <tr>
		<td><table align="center" width="100%" border="0" cellspacing="0" cellpadding="0"><tr>
		<td class="main"><?php echo TEXT_TESTIMONIALS_TITLE; ?><br>
		<?php echo tep_draw_input_field('testimonials_title',  $testimonials_title, '', true); ?><span class="inputRequirement">*</span></td>
	  </tr>
	  <tr>
		<td><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
	  </tr>
	  <tr>
		<td class="main"><?php echo TEXT_TESTIMONIALS_NAME; ?><br>
		<?php echo tep_draw_input_field('testimonials_name', $testimonials_name, '', true); ?><span class="inputRequirement">*</span></td>
	  <tr>
		<td><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
	  </tr>
	  <tr> 
		<td class="main">
			<?php echo TEXT_TESTIMONIALS_EMAIL; ?><br>
		<?php echo tep_draw_input_field('testimonials_email'); ?> <span class="inputRequirement">*</span>
		</td> 
	</tr>
	<tr>
		<td><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
	  </tr>
	  <tr>
		<td valign="top" class="main"><?php echo TEXT_BANNERS_HTML_TEXT; ?></td>
		<tr class="infoBoxContents">
			<td><?php echo tep_draw_textarea_field('html_text', 'soft', '130', '5', $html_text); ?></td>
		  </tr>

  <tr>
	<td><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
  </tr>
  <tr>
			<td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
			  <tr class="infoBoxContents">
				<td><table border="0" width="100%" cellspacing="0" cellpadding="2">
				  <tr>
					<td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
		   <td class="main"><?php echo '<a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS) . '">' . tep_image_button('button_back.gif', IMAGE_BUTTON_BACK) . '</a>'; ?></td>
				   <td class="main" align="right"><?php echo tep_image_submit('button_submit.gif', IMAGE_BUTTON_INSERT). '  <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS_WRITE, '', 'NONSSL'); ?></td> <!--This is the line to fix //-->
	   <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
				  </tr>
				  <!--BEFORE -- Displays the Captcha Image box and entry box from captchasecurityimages.php-->
				  <img src="CaptchaSecurityImages.php" />
Security Code: 
<input id="security_code" name="security_code" type="text" />
<!--End OF -- Displays the Captcha Image box and entry box from captchasecurityimages.php-->
				</table></td>

<!-- body_text_eof //-->
<td width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="0" cellpadding="2">
<!-- right_navigation //-->
<?php require(DIR_WS_INCLUDES . 'column_right.php'); ?>
<!-- right_navigation_eof //-->
</table></td>
 </tr>
</table>
<!-- body_eof //-->

<!-- footer //-->
<?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
<!-- footer_eof //-->
<br>
</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

Edited by chrish123


Hi everyone,

 

 

Can anyone make a new notepad ONLY for the security issue? I'm getting confused here about which changes to make to the code..

 

THX


Uploaded full package with the code changes in place for SQL injection prevention and sanitisation of the string.



