VPCart Forum > General help me questions > SQL Injection Follow Up
Steve2507
VP-CART Expert

590 Posts

Posted - January 02 2010 : 16:24:30
There was recently a question on here about sql injection and about request calls being cleansed (http://www.vpasp.com/virtprog/vpaspforum/topic.asp?TOPIC_ID=13223).

I have a follow up question about this.

I am just doing a double check of all code and have found some instances in byz add-ons where the requests are not cleansed, for instance:
tfieldval=Request(tfieldname)
would this be better written as
tfieldval=cleanchars(Request(tfieldname))
There are also some instances such as
instr(lcase(request.ServerVariables("SCRIPT_NAME"))
would this be better as
cleanchars(instr(lcase(request.ServerVariables("SCRIPT_NAME")))
Finally in some of the admin pages there are entries such as
which=request("which")
and
addcategory=request("addcategory")
would these be better as
which=cleanchars(request("which"))
and
addcategory=cleanchars(request("addcategory"))

Thanks

Steve

devshb
Senior Member

United Kingdom
1904 Posts

Posted - January 03 2010 : 05:58:56
It depends on the nature/context of the request; for example, if a given argument type (e.g. catalogid) is expected to be an int by the code then it's cleaned and checked as a numeric. The bits which check/clean the variables aren't necessarily in exactly the same place that the field/argument gets requested; they often come a couple of lines afterwards (get the raw value, and then clean/check/translate it afterwards), and it needs to make sure that things like single quotes can still work in the context of a search but without being usable as an injection technique.

For example, our byz116 addon works differently to normal vpasp, but still cleans/translates things at the relevant times. E.g. the bit which gets the filtering values does do a clean on the corresponding value that it tries to request, and it will only use that code's value if there's a configured filter code (type) which matches what's been requested on the url. So the cleaning aspect is a bit more complex than it first appears, because it depends on the context of which bit you're looking at.

In fact, in theory byz116 should be even safer than standard vpasp because you configure only specific searches/filters; people can only search using criteria that you specify in the byz116 configuration files.

Admin pages don't matter so much because all the admin pages would have a shopcheckadmin function before they do the requests/processing, so hackers won't get as far as being able to inject anything on the admin side.

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons
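As an added illustration of the context-dependent checks Simon describes (this is not VPASP, byz116 or cleanchars code, and it is in Python rather than VBScript): a numeric argument such as catalogid is accepted only as a number, a filter code from the URL is used only when it matches a configured one, and a single quote in search text is doubled so the term stays searchable without ending the SQL string literal. The filter configuration, table and column names are assumptions made up for the example.

```python
import re
from typing import Optional

# Constructed stand-in for a byz116-style filter configuration: the
# request may only select one of these filter codes (types).
CONFIGURED_FILTERS = {"cname": "cname", "ccategory": "ccategory"}


def clean_int(raw: Optional[str]) -> Optional[int]:
    """Arguments the code expects to be an int (e.g. catalogid) are
    checked as numeric; anything that is not purely digits is rejected."""
    if raw is None or not re.fullmatch(r"[0-9]{1,9}", raw.strip()):
        return None
    return int(raw.strip())


def clean_filter_code(raw: Optional[str]) -> Optional[str]:
    """A filter code is only used if it matches a configured one, so the
    column name in the query can never come straight from the URL."""
    if raw is None:
        return None
    return CONFIGURED_FILTERS.get(raw.strip().lower())


def clean_search_term(raw: str) -> str:
    """Search text keeps its single quotes (O'Brien still matches) but each
    one is doubled so it cannot terminate the SQL string literal."""
    return raw.replace("'", "''")


def build_search_sql(params: dict) -> Optional[str]:
    """Apply the context-appropriate check to each request value a couple
    of lines after it is read, then build the query from the cleaned
    values. Returns None when no configured filter matches the request."""
    raw_id = params.get("catalogid")          # read raw value first
    raw_code = params.get("filter")
    raw_term = params.get("q", "")
    catalogid = clean_int(raw_id)             # then clean/check/translate
    fcode = clean_filter_code(raw_code)
    term = clean_search_term(raw_term)
    if fcode is None:
        return None
    sql = ("SELECT catalogid, cname FROM products WHERE "
           + fcode + " LIKE '%" + term + "%'")
    if catalogid is not None:
        sql += " AND catalogid = " + str(catalogid)
    return sql
```

The same checks apply regardless of whether the value arrives via the query string or a form post, which is why they belong with the code that interprets the value rather than with Request() itself.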