Code injection

davidtrancart

New Member
Hi,
I am new to Fabrik and am working on a project currently where there are some calc elements.
Inside those calc elements in PHP, we are using {placeholder}s which are, for the most part, user input strings from forms.
If a quote is inside those placeholders, it causes problems in the PHP code of the calc element as it is not htmlspecialchars()ed.

$int1 = '{placeholder}';

What is the correct way to use those placeholders in the calc PHP code to avoid code injection by user input text?

Thanks for the knowledge.
 
You could use the methods "quote" and "quoteName" from the Joomla API.

For example:
PHP:
$db = JFactory::getDBO();
$query = 'SELECT * FROM someTable WHERE ' . $db->quoteName($fieldName) . '=' . $db->quote('{someTable___someField}');

You can read some guidelines here: LINK.
 
Hello mauro, thanks for the answer.
I have tried without success $int1=htmlspecialchars({placeholder}), but without the quotes.
I will try tomorrow with quote, as your method too, but I am a little disappointed to have to get the DB object to do that :)
 
You can use
$data['table___element']
(and watch {table___element} if you have ajax calc enabled).
 
Thanks troester.
That was exactly what I needed.
The problem using {placeholder} is having to quote before using it.
I used the nowdoc way to ensure user data could not force the end of the string, but the $data array gives you back all the power :)
I should have better read the documentation.
Thanks again anyway.
 
Placeholders don't play well with quotes. The reason being that placeholders aren't variables. Fabrik literally substitutes the value in the text of code you provide, then passes that to PHP to evaluate. So ...

Code:
$foo = '{table___element}';

... if the value of table___element is O'Reilly, then after substitution, the code we pass to PHP will be ...

Code:
$foo = 'O'Reilly';

... which is obviously a syntax error.

There is no way round it, really. You can't defend against it using any kind of quote handling in your code. You can use " instead of ', but then that just means a value with " in it will cause the problem.

So yes, the only way round it is not to use placeholders, and reference the data array directly, for data where you may get quotes.

-- hugh
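The substitution model hugh describes above, and the `$data` alternative troester and hugh recommend, as an added PHP example that is not part of this thread and not Fabrik's or Joomla's own code. It mimics the two steps: literal text replacement of `{table___element}`, then evaluation of the resulting string. The placeholder name `books___author` and the value `O'Reilly` are constructed sample data, and `substitutePlaceholders`/`evaluateCalc` are hypothetical stand-ins for Fabrik's internals.

```php
<?php
declare(strict_types=1);

// Added example (not Fabrik's code). Step 1 below is the textual splice a
// {placeholder} goes through; step 2 is the hand-off to PHP. Together they
// show why quote handling inside the calc code cannot help: the user's quote
// becomes part of the program text before PHP ever parses it.

/** Step 1: literal text substitution of {table___element} tokens. */
function substitutePlaceholders(string $template, array $data): string
{
    return preg_replace_callback(
        '/\{([A-Za-z0-9_]+___[A-Za-z0-9_]+)\}/',
        function (array $m) use ($data): string {
            return (string) ($data[$m[1]] ?? '');
        },
        $template
    );
}

/**
 * Step 2: evaluate the generated calc code. The calc code is expected to
 * leave its result in $foo; a syntax error surfaces as ParseError (PHP 7+),
 * which is exactly what a value containing the delimiter quote produces.
 */
function evaluateCalc(string $code, array $data): string
{
    try {
        return (string) eval($code . ' return $foo;');
    } catch (ParseError $e) {
        return 'ParseError: ' . $e->getMessage();
    }
}

// Constructed form submission: one field whose value contains a single quote.
$data = ['books___author' => "O'Reilly"];

// Case A: the placeholder is spliced into a quoted literal. After
// substitution the program text is   $foo = 'O'Reilly';   which PHP
// rejects. Swapping ' for " only moves the problem to values containing ".
$unsafeTemplate = "\$foo = '{books___author}';";
$unsafeCode     = substitutePlaceholders($unsafeTemplate, $data);
echo "Generated: $unsafeCode\n";
echo "Result:    " . evaluateCalc($unsafeCode, $data) . "\n";

// Case B: no placeholder at all. The calc code reads $data directly, so the
// quote stays inside a PHP variable and never becomes program text.
$safeTemplate = "\$foo = \$data['books___author'];";
$safeCode     = substitutePlaceholders($safeTemplate, $data); // no tokens, unchanged
echo "Generated: $safeCode\n";
echo "Result:    " . evaluateCalc($safeCode, $data) . "\n";
```

Case A fails at parse time and case B returns the value intact, which is the practical reason the thread settles on `$data['table___element']` for any field that may contain quotes: a variable lookup is evaluated after parsing, whereas a placeholder is pasted into the source before it.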
 
Thanks for the precision, cheesegrits.
I used nowdoc syntax because the user inputs are on some protected and identified version of the site; I don't think we could get a brute force attack from there.
The $_data seems obviously more secure but more complex in case of lists.
 