
Do the built-in database queries in CS-Cart (db_query, db_get_row, etc.) automatically escape special characters in the statements, for security?

 
  • bebopboy
  • Advanced Member
  • Trial users
  • Join Date: 04-Feb 20
  • 102 posts

Posted 11 August 2020 - 02:36 AM #1

Hi, so you know how you're supposed to not allow characters such as ';' into database queries so that people won't be able to insert an additional statement into your query.

 

For example

$string = 'value; DROP TABLE ?: table ';

db_query("SELECT * FROM ?:table WHERE field = ?s", $string);

Do the db functions of CS-Cart automatically filter out those characters so that this won't happen?



 
  • eComLabs
  • CS-Cart Expert
  • Authorized Reseller
  • Join Date: 27-Jan 14
  • 20934 posts

Posted 11 August 2020 - 06:27 AM #2

Sure, placeholders are used for this feature.



 
  • bebopboy
  • Advanced Member
  • Trial users
  • Join Date: 04-Feb 20
  • 102 posts

Posted 11 August 2020 - 06:30 AM #3

Thank you, I just wanted to know whether or not the functions already take care of this, or if I'd have to do it myself.



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11762 posts

Posted 11 August 2020 - 05:37 PM #4

Your example will fail because the '?s' parameter will set your statement to read:

SELECT * FROM ?:table WHERE field ='value; DROP TABLE ?: table '

which will simply set 'field' to the full string you set it to.  If your '$string' were set to 

$string ='value\'; DROP TABLE ?: table '

Then it might have the effect you fear.  I do believe (though never tried it) that db_query() will accept compound statements.


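Added example, not CS-Cart's own code: a simplified model of the placeholder mechanism discussed in this thread, run over the string from post #1 and the quoted variant from post #4, next to the naive string interpolation that placeholders exist to replace. It assumes a table prefix of `cscart_` and uses addslashes() as a stand-in for the connection-aware escaping a real driver performs; `render_query` and `render_unsafe` are hypothetical helpers written for this illustration.

```php
<?php
// Assumed table prefix, for illustration only.
const TABLE_PREFIX = 'cscart_';

// Stand-in for driver escaping (mysqli_real_escape_string needs a connection):
// escapes ' " \ and NUL so the value cannot terminate the string literal.
function escape_string(string $value): string
{
    return addslashes($value);
}

// Simplified rendering of CS-Cart-style placeholders:
//   ?s  -> escaped and quoted string
//   ?i  -> integer
//   ?:  -> table prefix
// Parameters are substituted once and never re-scanned, so a "?:" or "?s"
// inside a value stays literal text.
function render_query(string $sql, array $params): string
{
    $sql = str_replace('?:', TABLE_PREFIX, $sql);
    $i = 0;
    return preg_replace_callback('/\?([si])/', function ($m) use ($params, &$i) {
        $value = $params[$i++];
        if ($m[1] === 'i') {
            return (string) (int) $value;
        }
        return "'" . escape_string((string) $value) . "'";
    }, $sql);
}

// Naive interpolation: the value is pasted in unescaped.
function render_unsafe(string $sql, string $value): string
{
    return str_replace('?s', "'" . $value . "'", $sql);
}

$query = "SELECT * FROM ?:table WHERE field = ?s";

// Constructed inputs: the string from post #1 and the quoted one from post #4.
$inputs = [
    'value; DROP TABLE ?: table ',
    "value'; DROP TABLE ?: table ",
];

foreach ($inputs as $input) {
    echo "placeholder: ", render_query($query, [$input]), "\n";
    echo "naive:       ", render_unsafe($query, $input), "\n\n";
}
```

With the placeholder, both inputs stay inside one quoted literal (the second renders as `'value\'; DROP TABLE ?: table '`), so the `;` is data rather than a statement separator; only the naive rendering of the second input closes the literal early.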