Hi,
Today I have realized that OB 2.4 allows SQL injections... How is it possible? What do you think is the best place to add a function like:

    function escapeString($string) { return $string; }

And OB 2.4 allows HTML injections, so if you fill an input field with <script>alert('spam');</script> it will show up to other users when listing objects in a grid or editing that object :)
Thomaz
Thanks for your solution.
I have some points for SQL Injection:
1. This issue is urgent.
2. phpOpenBiz is designed to support any database type and uses Zend_Db as the backend library.
3. The solution must work for all database types too.
4. The security code is stored in the database layer (BizDataObj).
Based on the above criteria, in my opinion it is better to use the features of Zend_Db;
Zend_Db has quoteXXX and other methods that fulfil this case.
ref:
http://wiki.ekini.net/main/Zend_db#Writing_Custom_SQL_Queries
http://www.phpframeworks.com/php-frameworks-news/index.php?id=1
Agus Suhartono | ThePhpEnterprise.Com
Can we conclude that:
- To avoid SQL Injection, we can use the Zend_Db quoteXXX method
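As an added illustration of the Zend_Db approach proposed two posts above and restated here (example code, not phpOpenBiz's or Zend's own): it assumes Zend Framework 1 is on the include_path and the pdo_sqlite extension is loaded, and the table, its rows and the form value "O'Brien" are constructed for the demo. The same adapter calls work unchanged on Pdo_Mysql, Pdo_Pgsql and the other adapters, which is what makes quoting at the adapter level database-independent.

```php
<?php
// Added example (not phpOpenBiz code): quoting and binding with Zend_Db.
// Assumes Zend Framework 1 on the include_path and the pdo_sqlite extension.
require_once 'Zend/Db.php';

// In-memory SQLite keeps the demo self-contained; swap the adapter name and
// options for the real database and nothing below needs to change.
$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->insert('users', array('name' => "O'Brien"));   // constructed rows
$db->insert('users', array('name' => 'Thomaz'));

// Simulated form value (constructed). The apostrophe is exactly what breaks
// naive string concatenation and what addslashes() was being used for.
$name = "O'Brien";

// 1. Bound parameter: the value never becomes part of the SQL text at all.
$rows = $db->fetchAll('SELECT id, name FROM users WHERE name = ?', array($name));

// 2. quoteInto(): adapter-specific quoting when SQL is assembled as a string
//    (on SQLite the apostrophe is doubled rather than backslash-escaped).
$where = $db->quoteInto('name = ?', $name);
$rows2 = $db->fetchAll('SELECT id, name FROM users WHERE ' . $where);

// 3. quote() / quoteIdentifier() for individual values and column names;
//    passing Zend_Db::INT_TYPE makes quote() emit a bare integer.
$sql   = 'SELECT ' . $db->quoteIdentifier('name')
       . ' FROM users WHERE id = ' . $db->quote(1, Zend_Db::INT_TYPE);
$first = $db->fetchOne($sql);

printf("bound: %d row(s); quoteInto: %d row(s); first name: %s\n",
       count($rows), count($rows2), $first);
```

Both lookups return the single O'Brien row. Binding (1) is preferable wherever the adapter supports it; quoteInto() (2) is the fallback for code in BizDataObj that builds SQL strings, and neither depends on the MySQL-only mysql_real_escape_string().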
So the SQL Injection would be averted somewhere in the BizDataObj code and the HTML injection at ClientProxy:GetFormInputs?
Also, I vote that we backport this bug fix to 2.3 as well.
Yes you are right, the solution should not depend on DB type. It works fine after fixing the bug posted before :)
Thomaz
Many thanks to thomaz for pointing this out. We will definitely do more research and get it fixed soon.
- support
Ok I guess there is a HUGE bug in that code:
    public function GetFormInputs ($ctrlName = null, $toString = TRUE)
    {
        if ($ctrlName) {
            if (isset($_REQUEST[$ctrlName])) {
                if (is_array($_REQUEST[$ctrlName]) and $toString == TRUE) {
                    // join multi-valued controls into "a,b,c"
                    $array_string = '';
                    foreach ($_REQUEST[$ctrlName] as $rec) {
                        $array_string .= $rec . ",";
                    }
                    $result = substr($array_string, 0, strlen($array_string) - 1);
                } else {
                    $result = $_REQUEST[$ctrlName];
                }
                if (get_magic_quotes_gpc() == 0)
                    // addslashes() returns the escaped copy, so it must be assigned back
                    $result = addslashes($result);
                return $result;
            } else {
                return null;
            }
        } else {
            return $_REQUEST;
        }
    }
[ OH god - misplaced reply again! :) ]
I can confirm the
Compare mysql_real_escape_string() vs addslashes() vs addcslashes()
http://cognifty.com/index.php/blog.entry/id=6/addslashes_dont_call_it_a_...
This guy favors mysql_real_escape_string, but we'll need to write this to fall back if another database is being used.
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-st...
It might be best to apply a check like this in ClientProxy:GetFormInputs() which does addslashes.
    /**
     * ClientProxy::GetFormInputs() - get form all inputs or one input if ctrlName is given
     *
     * @param string $ctrlName
     * @param boolean $toString - Convert array oriented form controls to string
     * @return array or string
     */
    public function GetFormInputs ($ctrlName = null, $toString = TRUE)
    {
        if ($ctrlName) {
            if (isset($_REQUEST[$ctrlName])) {
                if (is_array($_REQUEST[$ctrlName]) and $toString == TRUE) {
                    // join multi-valued controls into "a,b,c"
                    $array_string = '';
                    foreach ($_REQUEST[$ctrlName] as $rec) {
                        $array_string .= $rec . ",";
                    }
                    $result = substr($array_string, 0, strlen($array_string) - 1);
                } else {
                    $result = $_REQUEST[$ctrlName];
                }
                if (get_magic_quotes_gpc() == 0)
                    // return value of addslashes() is discarded here, so $result
                    // stays unescaped (the bug the thread is about)
                    addslashes($result);
                return $result;
            } else {
                return null;
            }
        } else {
            return $_REQUEST;
        }
    }
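The code above shows both halves of the thread's problem: addslashes() is applied to input (and here its result is even thrown away), while the HTML injection from the first post is never handled at all. As an added example (not phpOpenBiz code; the names readFormInput() and escapeHtml() and the request array are constructed for the demo), this keeps the input reader as a plain accessor and escapes for the actual sink at the point of use, so the SQL side can be left to Zend_Db quoting and the HTML side to htmlspecialchars():

```php
<?php
// Added example (not phpOpenBiz code). Assumed names: readFormInput(),
// escapeHtml(). The request array below is constructed for the demo.

function readFormInput(array $request, $ctrlName = null, $toString = true)
{
    if ($ctrlName === null) {
        return $request;
    }
    if (!isset($request[$ctrlName])) {
        return null;
    }
    $value = $request[$ctrlName];
    if (is_array($value) && $toString) {
        // implode() replaces the manual "append comma, then substr" loop
        return implode(',', $value);
    }
    // No addslashes() here: the raw value is returned and the layer that
    // knows the sink escapes it (Zend_Db quoting for SQL, escapeHtml for pages).
    return $value;
}

function escapeHtml($value)
{
    // ENT_QUOTES also converts single quotes, so the output is safe inside
    // attribute values delimited with either quote character.
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed request using the input from the first post of the thread.
$request = array(
    'fld_name' => "<script>alert('spam');</script>",
    'fld_tags' => array('a', 'b', 'c'),
);

$name = readFormInput($request, 'fld_name');
$tags = readFormInput($request, 'fld_tags');

// addslashes() only backslashes quotes and backslashes: the <script> element
// survives intact, which is why it does nothing against HTML injection.
echo "addslashes: " . addslashes($name) . "\n";
echo "escapeHtml: " . escapeHtml($name) . "\n";
echo "tags:       " . $tags . "\n";

// What a grid cell or edit form field should emit for this value.
echo '<td>' . escapeHtml($name) . "</td>\n";
echo '<input name="fld_name" value="' . escapeHtml($name) . "\">\n";
```

Escaping on output rather than on input also means a value such as O'Brien is stored exactly as typed and still renders correctly in both the grid and the edit form, instead of accumulating backslashes every time it passes through the form layer.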