Terminum Posted November 20, 2009

I'm looking for an add-on that will prevent XSS attacks without diminishing functionality of the Administration Tool. I've read there are problems with Anti XSS, so I was considering [TiM's] Safer Database Input Method. But this says that it filters all HTML, and I would like to enter HTML in product descriptions through the administration tool.

[TiM's] Safer Database Input Method changes the following code from /catalog/includes/functions/database.php:

    function tep_db_input($string, $link = 'db_link') {
      global $$link;

      if (function_exists('mysql_real_escape_string')) {
        return mysql_real_escape_string($string, $$link);
      } elseif (function_exists('mysql_escape_string')) {
        return mysql_escape_string($string);
      }

      return addslashes($string);
    }

Replaced with:

    function tep_db_input($string, $link = 'db_link', $skip_stripping = false) {
      global $$link;

      // Strip HTML and PHP tags from string
      if (!$skip_stripping) $string = strip_tags($string);

      if (function_exists('mysql_real_escape_string')) {
        return mysql_real_escape_string($string, $$link);
      } elseif (function_exists('mysql_escape_string')) {
        return mysql_escape_string($string);
      }

      return addslashes($string);
    }

The README says:

    If you for any reason want to store HTML in the database, make sure you manipulate the tep_db_input() command with the third optional parameter like the following.

    This...
    $example_query = tep_db_query("update myTable set column='". tep_db_input($var) ."' where this='that' limit 1;");

    Becomes...
    $example_query = tep_db_query("update myTable set column='". tep_db_input($var, 'db_link', true) ."' where this='that' limit 1;");

I'm not very familiar with SQL and I don't know what this means. I just want to be able to use HTML in product descriptions in the admin tool. Any ideas for what I should do?
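To make the README's third parameter concrete, here is an added example of my own; it is not code from the thread or from TiM's contribution. It reproduces the modified tep_db_input() so that it runs offline: with no database connection (and no mysql_* extension on PHP 7 and later) the function takes the addslashes() fallback, exactly as the posted code does when the mysql_* functions are absent. It then runs the function over a constructed product description and shows why SQL escaping and HTML stripping are two separate concerns. The render_untrusted() helper, the sample description and the products_description update statement are assumptions for illustration.

```php
<?php
// Added example, not from the thread or from TiM's contribution.
// Replicates the modified tep_db_input() so it runs without a MySQL link:
// the mysql_* functions are absent (removed in PHP 7), so the posted code's
// own addslashes() fallback is taken. In production the function escapes
// with mysql_real_escape_string() on the live link ($$link); on PHP 7+ the
// equivalent is mysqli_real_escape_string().
function tep_db_input($string, $link = 'db_link', $skip_stripping = false) {
    global $$link;

    // TiM's addition: strip HTML and PHP tags unless the caller opts out
    // with the third parameter.
    if (!$skip_stripping) {
        $string = strip_tags($string);
    }

    if (function_exists('mysql_real_escape_string')) {
        return mysql_real_escape_string($string, $$link);
    } elseif (function_exists('mysql_escape_string')) {
        return mysql_escape_string($string);
    }

    return addslashes($string);
}

// Assumed helper: output encoding for anything a customer typed. This, not
// the database layer, is where cross-site scripting is actually stopped.
function render_untrusted($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: a description typed into the admin tool. It carries
// markup the shop owner wants, an apostrophe, and (to make the point) a
// script tag.
$description = "<p>Leather jacket, <b>men's</b> size L</p><script>alert(1)</script>";

// 1. Default call: every tag is removed before the string reaches SQL. This
//    is why product descriptions lose their formatting with the contribution.
$stripped = tep_db_input($description);
// Leather jacket, men\'s size Lalert(1)

// 2. Third parameter true (the README's form): the markup survives; only the
//    apostrophe is escaped so the value is safe inside the SQL string literal.
$kept = tep_db_input($description, 'db_link', true);
// <p>Leather jacket, <b>men\'s</b> size L</p><script>alert(1)</script>

// The README's pattern applied to an assumed products_description update.
// The statement is only built here, not executed.
$sql = "update products_description set products_description = '"
     . $kept . "' where products_id = '1' limit 1;";

// 3. The caveat: $kept is correct for SQL, but the <script> is stored intact.
//    SQL escaping says nothing about what is safe to print. Rendering
//    admin-written HTML raw is a decision that only admins may write it;
//    anything a customer can submit must be encoded when it is echoed.
echo $stripped, "\n", $kept, "\n", $sql, "\n";
echo render_untrusted("<script>alert(1)</script>"), "\n";
// &lt;script&gt;alert(1)&lt;/script&gt;
```

Two practical notes. First, the osCommerce admin tool has its own copy of these functions under admin/includes/functions/database.php, so an edit to /catalog/includes/functions/database.php on its own changes nothing about what the admin tool stores. Second, the addslashes() fallback exercised above is not a substitute for a connection-aware escape in production: it does not know the connection's character set, which is precisely why the contribution prefers mysql_real_escape_string() when a link is available.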
spooks Posted November 20, 2009

If you make code changes on the catalog side they do not apply to admin. But I would use the .htaccess method detailed in the contrib linked in this thread. And make sure you add the other security changes too.

Sam
Remember, what you think I meant may not be what I thought I meant when I said it.
Contributions:
Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.
Terminum (Author) Posted November 20, 2009

> If you make code changes on the catalog side they do not apply to admin.

Ha, thanks, that's great. I'm working my way through your other post right now! Thanks for the help.