OSCommerce Product Manager

OSCommerce Product Manager for Windows
Tasklist

FS#261 - Over filtering of user input.

Attached to Project: OSCommerce Product Manager
Opened by Mario A. Valdez-Ramirez (mvaldez) - Thursday, 01 September 2005, 04:41 GMT-6
Last edited by Mario A. Valdez-Ramirez (mvaldez) - Monday, 05 September 2005, 02:09 GMT-6
Task Type Bug Report
Category Backend / Core
Status Closed
Assigned To Mario A. Valdez-Ramirez (mvaldez)
Operating System All
Severity Low
Priority Immediate
Reported Version any
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

User input is being overfiltered.

One user reported that double-quotes were being replaced by single-quotes, causing the HTML of his store to break.

Even if the problem is in the HTML coding of his store, the application should not blindly replace all user input. Brute-force filtering to avoid SQL injection is not a good idea.

Also, the filtering routines in the application code do not filter the SQL comment sign (double-dash).

We should only do what mysql_real_escape_string does.


This is a Major severity bug.

Closed by  Mario A. Valdez-Ramirez (mvaldez)
Monday, 05 September 2005, 02:09 GMT-6
Reason for closing:  
Comment by Mario A. Valdez-Ramirez (mvaldez) - Thursday, 01 September 2005, 04:51 GMT-6


According to the docs here:
http://dev.mysql.com/doc/mysql/en/mysql-real-escape-string.html

we only need to escape backslash and single quotes.

Comment by Mario A. Valdez-Ramirez (mvaldez) - Thursday, 01 September 2005, 04:51 GMT-6


Maybe the double dash also should be filtered.

Comment by Mario A. Valdez-Ramirez (mvaldez) - Monday, 05 September 2005, 02:09 GMT-6

Ok, we are filtering:

Double-dash (SQL comment), converted to single-dash.
Backslash (escaping), converted to double-backslash.
Single-quote, converted to escaped single-quote.
Carriage-return, converted to escape-r.
Linefeed, converted to escape-n.
EOF, deleted.
Backspace, deleted.
Tab, converted to single-space.


If we are searching, we also escape:

Percent (SQL wildcard), escaped.
Underline, escaped.
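As an added example (not the project's code; the rule order and all names are my own reconstruction), here is the filter listed in the closing comment beside an escape routine covering the characters the linked MySQL docs list for mysql_real_escape_string, plus the inverse the server applies when it parses the literal, so a round-trip check shows which routine changes the stored data:

```python
# Added example, not the project's code: the filter from the closing comment
# of FS#261 (rule order is my assumption) next to a mysql_real_escape_string
# style escape and the inverse MySQL applies when parsing a string literal.

_ESCAPE_MAP = {
    "\0": "\\0", "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\r": "\\r", "\n": "\\n", "\x1a": "\\Z",
}
_UNESCAPE_MAP = {seq[1]: raw for raw, seq in _ESCAPE_MAP.items()}


def mysql_escape(value: str) -> str:
    """Escape a value for use inside a quoted MySQL string literal.
    Nothing is dropped or rewritten, so the stored data equals the input."""
    return "".join(_ESCAPE_MAP.get(ch, ch) for ch in value)


def mysql_unescape(literal: str) -> str:
    """Inverse of mysql_escape: what the server stores for the literal.
    Unknown escapes drop the backslash, except \\% and \\_ which are kept."""
    out, i = [], 0
    while i < len(literal):
        if literal[i] == "\\" and i + 1 < len(literal):
            nxt = literal[i + 1]
            out.append(_UNESCAPE_MAP.get(nxt, "\\" + nxt if nxt in "%_" else nxt))
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return "".join(out)


def tracker_filter(value: str, searching: bool = False) -> str:
    """The rules from the closing comment. Backslash is handled before the
    quote so the added backslash is not doubled; the rest do not interact."""
    out = value.replace("--", "-")                      # lossy: data changes
    out = out.replace("\\", "\\\\").replace("'", "\\'")
    out = out.replace("\r", "\\r").replace("\n", "\\n")
    out = out.replace("\x1a", "").replace("\b", "")     # EOF, backspace dropped
    out = out.replace("\t", " ")                        # lossy: data changes
    if searching:                                       # LIKE wildcards
        out = out.replace("%", "\\%").replace("_", "\\_")
    return out


def round_trips(value: str) -> tuple:
    """(escape preserves value?, tracker filter preserves value?)"""
    return (mysql_unescape(mysql_escape(value)) == value,
            mysql_unescape(tracker_filter(value)) == value)


# Constructed product text: a size range, a tab and an apostrophe.
SAMPLE = "Sizes S--XL\t(it's \"slim\")"
if __name__ == "__main__":
    print(mysql_escape(SAMPLE), tracker_filter(SAMPLE), round_trips(SAMPLE))
```

Both routines only protect values placed inside a quoted literal; a parameterised query avoids the escaping question altogether.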
