OpenCart - PHP SQL Injection Possibility
I've been looking at OpenCart, which is written in PHP.
If you take a look at the following PHP file,
https://github.com/opencart/opencart/blob/master/upload/admin/model/customer/customer.php
the SQL statement looks like this:
```php
$this->db->query("INSERT INTO " . DB_PREFIX . "customer SET customer_group_id = '" . (int)$data['customer_group_id'] . "', "
    . "firstname = '" . $this->db->escape($data['firstname']) . "', "
    . "lastname = '" . $this->db->escape($data['lastname']) . "', "
    . "email = '" . $this->db->escape($data['email']) . "', "
    . "telephone = '" . $this->db->escape($data['telephone']) . "', "
    . "custom_field = '" . $this->db->escape(isset($data['custom_field']) ? json_encode($data['custom_field']) : json_encode(array())) . "', "
    . "newsletter = '" . (int)$data['newsletter'] . "', "
    . "salt = '', "
    . "password = '" . $this->db->escape(password_hash($data['password'], PASSWORD_DEFAULT)) . "', "
    . "status = '" . (int)$data['status'] . "', "
    . "safe = '" . (int)$data['safe'] . "', "
    . "date_added = NOW()");
```

The recommended way to avoid PHP SQL injection is to use prepared statements.
My question is: considering that this particular code isn't using prepared statements, is the code vulnerable to SQL injection?
I'm not a PHP expert, so I might be missing something obvious here.
Edit:
Let me list the reasons why I'm a bit apprehensive to accept that the code is vulnerable.
OpenCart (https://github.com/opencart/opencart) is a popular open source project with over 200 forks.
It's a shopping cart (e-commerce) solution, so the developer would've put some thought into security, and SQL injection is one of the first things they would've checked.
Some kind of escaping is done using
`$this->db->escape($data['telephone'])`
and, as everything is either escaped or converted to an integer, it is not vulnerable to SQL injection.
Of course qirel is right in the comments that using prepared statements is the better solution in every imaginable way. This is harder to read, and can be made vulnerable by mistake when modifying the code in the future.
Edit: After a bit of research, this seems to be true under the assumption that the database character set has been set correctly. Otherwise it might still be vulnerable to multi-byte attacks.
OpenCart seems to be vulnerable when using MySQL if an improper character set is set at the server level, as it uses a SET CHARACTER SET query instead of mysql_real_escape_string. You can see this in the latest v3.0.2.0 on GitHub. For details see "MySQL character sets" in the PHP manual.
I suggested a fix for this particular issue in !5812.
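As an added illustration of the multi-byte issue raised in the last edit (this is example code, not part of the original question and not OpenCart's code): a byte-level Python model of a MySQL-style escape routine and of the server's string lexer. The lead/trail byte ranges follow MySQL's gbk character set definition; the escape and lexer logic is a simplified model of the real behaviour. The `client_charset` argument stands for what the client library believes the connection charset is: sending `SET NAMES` or `SET CHARACTER SET` as a plain query changes the server side without updating that belief, whereas `mysqli_set_charset()` updates both. The table name `oc_customer` and the payload are constructed for the example.

```python
# Added example, not OpenCart code. Models why an escape routine that does not
# know the connection charset can be bypassed under GBK, and why a charset-aware
# escape is not. Byte ranges follow MySQL's gbk ctype definition; the escape and
# lexer logic is a simplified model of the real client library and server.

def is_gbk_head(b: int) -> bool:
    return 0x81 <= b <= 0xFE

def is_gbk_tail(b: int) -> bool:
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE

def gbk_char_len(buf: bytes, i: int) -> int:
    """2 if buf[i:i+2] is a valid GBK double-byte character, else 1."""
    if i + 1 < len(buf) and is_gbk_head(buf[i]) and is_gbk_tail(buf[i + 1]):
        return 2
    return 1

# Bytes a mysql_real_escape_string-style routine always rewrites.
SPECIAL = {0x00: b"\\0", 0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\",
           0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z"}

def escape(raw: bytes, client_charset: str) -> bytes:
    """Model of the client-side escape. client_charset is what the client
    library believes the connection charset is; only mysqli_set_charset()
    updates it, a "SET NAMES ..." query sent through db->query() does not."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if client_charset == "gbk":
            if gbk_char_len(raw, i) == 2:      # valid multibyte char: pass through
                out += raw[i:i + 2]
                i += 2
                continue
            if is_gbk_head(b):                  # lone lead byte: escape it so it
                out += b"\\" + bytes([b])       # cannot pair with a later backslash
                i += 1
                continue
        out += SPECIAL.get(b, bytes([b]))
        i += 1
    return bytes(out)

def parse_literal(sql: bytes, server_charset: str):
    """Model of the server reading a single-quoted string starting at sql[0].
    Returns (literal, bytes after the closing quote), or None if unterminated."""
    assert sql[:1] == b"'"
    lit = bytearray()
    i = 1
    while i < len(sql):
        if server_charset == "gbk" and gbk_char_len(sql, i) == 2:
            lit += sql[i:i + 2]                 # whole char, even if byte 2 is 0x5C
            i += 2
            continue
        b = sql[i]
        if b == 0x5C:                           # backslash escapes exactly one byte
            if i + 1 >= len(sql):
                return None
            lit.append(sql[i + 1])
            i += 2
            continue
        if b == 0x27:
            return bytes(lit), sql[i + 1:]
        lit.append(b)
        i += 1
    return None

def build_query(firstname: bytes, client_charset: str) -> bytes:
    """The OpenCart pattern: escape, then concatenate inside single quotes.
    Table name oc_customer is constructed for this example."""
    return (b"SELECT * FROM oc_customer WHERE firstname = '"
            + escape(firstname, client_charset) + b"'")

def sql_after_literal(firstname: bytes, client_charset: str, server_charset: str) -> bytes:
    """Everything the server lexes after the firstname literal ends.
    Anything other than b'' means the input broke out of the quotes."""
    query = build_query(firstname, client_charset)
    start = query.index(b"'")
    parsed = parse_literal(query[start:], server_charset)
    return parsed[1] if parsed else b"<unterminated>"

# Constructed payload: 0xBF is a GBK lead byte. Together with the backslash the
# escape inserts before the quote it forms a valid 2-byte char, freeing the quote.
PAYLOAD = b"\xbf' OR 1=1 -- "

if __name__ == "__main__":
    for client, server in (("latin1", "gbk"), ("gbk", "gbk"), ("latin1", "utf8")):
        print(f"client thinks {client:6} server uses {server:5} ->",
              sql_after_literal(PAYLOAD, client, server))
```

Running it shows the three cases the edit above describes: a client that still believes the connection is latin1 while the server was switched to GBK by a query lets `' OR 1=1 -- '` out of the literal; the same input with a charset-aware escape stays inside the literal; and the same mismatch against a server that is actually running utf8 is harmless, which is why the problem only appears when the character set has been set incorrectly.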