SQL escaping for queries using x-cart's db functions
X-Cart forums > X-Cart 4 > Changing and adding new features
#1, 05-19-2014, 12:01 PM
bbrewer (Newbie; Join Date: Feb 2014; Posts: 2)

SQL escaping for queries using x-cart's db functions

I was just working on a mod for Xcart 4.6.1 and was under the impression that all the db functions do proper automatic escaping to prevent SQL injection, but then I was using db_query() to insert a name with an apostrophe and it wasn't working, so I looked at the function and it doesn't escape anything. So, what function should I be using to handle insert queries with automatic escaping of values? Should I not use db_query for anything anymore?
__________________
X-Cart 4.6.1 GoldPlus
#2, 05-19-2014, 01:18 PM
totaltec (X-Guru; Join Date: Jan 2007; Location: Louisville, KY USA; Posts: 5,823)

Re: SQL escaping for queries using x-cart's db functions

I think you want to look at include/func/func.db.php

I believe these are the functions that you want to use, possibly func_array2insert
__________________
Mike White
#3, 05-19-2014, 01:42 PM
bbrewer (Newbie; Join Date: Feb 2014; Posts: 2)

Re: SQL escaping for queries using x-cart's db functions

Quote (Originally Posted by totaltec):
    I think you want to look at include/func/func.db.php

    I believe these are the functions that you want to use, possibly func_array2insert

Thanks for your reply. I'm pretty well acquainted with that func.db.php file and the functions, but I was under the impression that these functions had all been tweaked over the years to prevent SQL injection and handle automatic escaping. But, after further digging, it looks like this is not the case. I guess I've been spoiled by working with nice PHP frameworks the past few years where I don't have to worry about escaping as long as I use the frameworks' db functions. Looks like maybe there's some other code somewhere in xcart that handles escaping/sanitizing request vars, but it's not built into the actual db functions from what I can see. So, I've switched to using func_array2insert and passing the values array to it with func_addslashes. Now I've gotta go back through my code and remove all the db_query stuff or make sure to run func_addslashes on all the vars first.
__________________
X-Cart 4.6.1 GoldPlus
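An added example (not X-Cart's code, and not from either poster) showing the failure mode described in this thread: a hand-built INSERT that drops an apostrophe straight into the SQL string, next to the same query built from an associative array with every value escaped first, which is the func_array2insert + func_addslashes approach bbrewer settled on. The function names, the table name and the sample row are all assumptions made for the example.

```php
<?php
// Added example, not X-Cart code. build_insert_unescaped() and build_insert_escaped()
// are hypothetical stand-ins for a raw db_query() string and for the
// func_array2insert + func_addslashes pattern discussed in the thread.

function escape_value(string $value): string
{
    // The thread's func_addslashes approach boils down to addslashes(); with a live
    // connection, mysqli::real_escape_string() (charset-aware) or a prepared statement
    // is the safer choice, but the escaping step is the point being illustrated here.
    return "'" . addslashes($value) . "'";
}

// Naive: values are interpolated as-is. Column names come from the developer-written
// array keys in both versions; only the values are user-controlled.
function build_insert_unescaped(string $table, array $row): string
{
    $cols = implode(', ', array_keys($row));
    $vals = implode(', ', array_map(fn($v) => "'$v'", array_values($row)));
    return "INSERT INTO $table ($cols) VALUES ($vals)";
}

// Escaped: every value goes through escape_value() before the string is assembled.
function build_insert_escaped(string $table, array $row): string
{
    $cols = implode(', ', array_keys($row));
    $vals = implode(', ', array_map('escape_value', array_values($row)));
    return "INSERT INTO $table ($cols) VALUES ($vals)";
}

// Constructed sample input: a customer name containing an apostrophe.
// The table name is an assumption for the example, not taken from the thread.
$row = ['firstname' => "O'Brien", 'email' => 'obrien@example.com'];

// In the unescaped query the apostrophe in O'Brien closes the string literal early,
// so MySQL sees a syntax error; if the value came from a request, whatever follows
// the quote would be parsed as SQL (injection). The escaped query keeps it literal.
echo build_insert_unescaped('xcart_customers', $row), PHP_EOL;
echo build_insert_escaped('xcart_customers', $row), PHP_EOL;
```

Run it with `php example.php` and compare the two printed statements; only the second one is a valid INSERT for that input.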
#4, 05-20-2014, 07:33 AM
cflsystems (Veteran; Join Date: Apr 2007; Posts: 13,615)

Re: SQL escaping for queries using x-cart's db functions

Start with /auth.php and follow the includes, first few. I think most of the prep work is done in /prepare.php.

If your script starts with

PHP Code:
    require './auth.php';

you should be good and not need to do any extra work unless you want to.
__________________
Steve Stoyanov
CFLSystems.com
Web Development
All times are GMT -8. The time now is 03:46 PM.