osCommerce

Preventing XSS Attacks

Terminum

I'm looking for an add-on that will prevent XSS attacks without diminishing functionality of the Administration Tool. I've read there are problems with Anti XSS, so I was considering [TiM's] Safer Database Input Method. But this says that it filters all HTML, and I would like to enter HTML in product descriptions through the administration tool.

[TiM's] Safer Database Input Method changes the following code from /catalog/includes/functions/database.php:

 function tep_db_input($string, $link = 'db_link') {
   global $$link;

   if (function_exists('mysql_real_escape_string')) {
     return mysql_real_escape_string($string, $$link);
   } elseif (function_exists('mysql_escape_string')) {
     return mysql_escape_string($string);
   }

   return addslashes($string);
 }

Replaced with:

 function tep_db_input($string, $link = 'db_link', $skip_stripping = false) {
   global $$link;

   // Strip HTML and PHP tags from string
   if (!$skip_stripping) $string = strip_tags($string);

   if (function_exists('mysql_real_escape_string')) {
     return mysql_real_escape_string($string, $$link);
   } elseif (function_exists('mysql_escape_string')) {
     return mysql_escape_string($string);
   }

   return addslashes($string);
 }

The README says:

If you for any reason want to store HTML in the database, make sure you manipulate the tep_db_input() command with the third optional parameter like the following.

This...

$example_query = tep_db_query("update myTable set column='". tep_db_input($var) ."' where this='that' limit 1;");

Becomes...

$example_query = tep_db_query("update myTable set column='". tep_db_input($var, 'db_link', true) ."' where this='that' limit 1;");

I'm not very familiar with SQL and I don't know what this means. I just want to be able to use HTML in product descriptions in the admin tool. Any ideas for what I should do?

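The thread quotes the modified tep_db_input() but never shows what the third parameter actually does to a product description. The following is an added example, not code from the contribution or from osCommerce: tep_db_input_demo() is a constructed stand-in that keeps the contribution's logic but uses the addslashes() fallback instead of mysql_real_escape_string(), so it runs without a database connection; the description string is constructed for the demo.

```php
<?php
// Stand-alone model of the contribution's tep_db_input(). The real function
// escapes with mysql_real_escape_string($string, $$link); addslashes() is the
// fallback the original already uses when no mysql_* function is available.
function tep_db_input_demo($string, $skip_stripping = false) {
    // Strip HTML and PHP tags unless the caller asked to keep them
    if (!$skip_stripping) {
        $string = strip_tags($string);
    }
    // SQL-level escaping only: this protects the query string, not the browser
    return addslashes($string);
}

// Constructed product description: legitimate formatting markup plus a tag
// that must never reach a customer's browser unencoded.
$description = "<b>Blue Widget</b> - it's <script>x()</script> great";

// Default call (what the contribution installs everywhere): strip_tags()
// removes every tag, so the <b> formatting the admin typed is lost together
// with the <script> tag. Only the quote is escaped for SQL.
echo "stripped : ", tep_db_input_demo($description), "\n";

// Third parameter true (the README's  tep_db_input($var, 'db_link', true)
// form): the HTML is stored exactly as typed, <script> included. The quote is
// still escaped, because escaping is about the SQL statement, not about XSS.
echo "kept     : ", tep_db_input_demo($description, true), "\n";

// Whatever is stored, the browser is protected only when the value is encoded
// at output time. htmlspecialchars() turns every tag into harmless text; note
// that this also neutralises the wanted <b>, so a description that must render
// HTML needs an allow-list HTML filter at output rather than plain encoding.
echo "encoded  : ", htmlspecialchars($description, ENT_QUOTES, 'UTF-8'), "\n";
```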

If you make code changes on the catalog side they do not apply to admin.

But I would use the .htaccess method detailed in the contrib linked in this thread. And make sure you add the other security changes too.

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:
Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.
