douxian8883 2012-08-24 12:01
Views: 21
Accepted

What is the effect of a Magento core modification that disables shopping cart input filtering?

I'm currently working on an already modified version of Magento (v1.6.1). The previous developers have modified the app/core itself, what if I upgrade to the 1.7? It would restore original app/core, am I right? (because I know every mod should be placed under app/local)

Then I noticed, by running diff on the ecommerce and a clean 1.6.1 installation, that the developers have applied this modification (lines marked with "<" were the original content and ">" the edited one)

diff app/code/core/Mage/Checkout/controllers/CartController.php
169c169,170
<                 $params['qty'] = $filter->filter($params['qty']);
---
>                 #$params['qty'] = $filter->filter($params['qty']);
>                 $params['qty'] = $params['qty'];
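Review bot: the replacement line `$params['qty'] = $params['qty'];` is a self-assignment with no effect, so this hunk amounts to deleting the Zend_Filter_LocalizedToNormalized step and letting the locale-formatted quantity string through unparsed; either drop the line outright or record in a comment why locale normalization of qty is being bypassed here. Since the edit lives in app/code/core it will also be lost on the next upgrade; the same change belongs in a local override of the controller outside app/code/core.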
311c312,313
<                 $params['qty'] = $filter->filter($params['qty']);
---
>                 #$params['qty'] = $filter->filter($params['qty']);
>                 $params['qty'] = $params['qty'];
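Review bot: this is the same change as at line 169, including the same no-op self-assignment, so it needs the same justification; if both are kept, factor the quantity handling once rather than duplicating the edit in two places.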
383c385,386
<                         $cartData[$index]['qty'] = $filter->filter(trim($data['qty']));
---
>                         //$cartData[$index]['qty'] = $filter->filter(trim($data['qty']));
>                         $cartData[$index]['qty'] = $data['qty'];
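Review bot: besides skipping the locale filter, this hunk also drops trim(), so leading or trailing whitespace in a submitted qty now reaches the cart data untouched; keep at least `trim($data['qty'])` on the right-hand side. The comment marker also switches from `#` in the earlier hunks to `//` here; use one style.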

As you may notice, they disabled $filter->filter and trim.

Doesn't this expose the e-store to SQL injections or similar arbitrary code execution? Is there another check that Magento performs before storing this data inside the database?


1 answer

  • doulou1989 2012-08-26 16:28

    The filter functions that the previous developers removed are not used to filter input for SQL injection or other security risks. They are used for converting localized input to a standard form that can be processed regardless of locale. Here's the expanded context for the first diff:

    // Normalize a locale-formatted quantity (e.g. "1.234,5" in de_DE) to a standard form
    $filter = new Zend_Filter_LocalizedToNormalized(
        array('locale' => Mage::app()->getLocale()->getLocaleCode())
    );
    $params['qty'] = $filter->filter($params['qty']);

    See the Zend documentation for details on what LocalizedToNormalized does.

    Magento has built-in safeguards to prevent SQL injection by using standard database classes that filter all data before constructing a query. That logic is located in the Mage_Core_Model_Resource_* classes as well as the Zend libraries stored in /lib/Zend. As long as the previous developers didn't modify those classes, there shouldn't be additional SQL risk.

    Cross-site scripting is always a potential issue, of course, but the risk there typically lies more at the View layer (PHTML & Block classes) than at the Controller or Model layers.

    This answer was selected as the best answer by the asker.
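As an added illustration (not code from the question, the answer, Magento or Zend), the following PHP script replicates what the removed filter-plus-trim step does using PHP's ext-intl NumberFormatter, shows what a German-locale quantity turns into when the step is skipped, and shows where injection protection actually sits; the float cast in the unfiltered path and the PDO table name are assumptions.

```php
<?php
// Added illustration, not Magento or Zend code: replicate what the removed
// Zend_Filter_LocalizedToNormalized + trim() step does for a cart qty using
// PHP's ext-intl NumberFormatter, then compare with the unfiltered path.

function normalizeQty(string $raw, string $locale)
{
    // Parse the quantity as a shopper in $locale types it (e.g. "1.234,5"
    // in de_DE) into a plain number; returns false if it does not parse.
    $fmt = new NumberFormatter($locale, NumberFormatter::DECIMAL);
    return $fmt->parse(trim($raw), NumberFormatter::TYPE_DOUBLE);
}

function validateQty($value): ?float
{
    // Accept only a positive number; null means "reject this request".
    if ($value === false || !is_numeric($value) || $value <= 0) {
        return null;
    }
    return (float) $value;
}

// Constructed sample inputs, as a German-locale shopper might submit them.
$samples = ['1,5', '1.234,5', ' 2 ', 'abc'];

foreach ($samples as $raw) {
    $filtered = validateQty(normalizeQty($raw, 'de_DE'));
    // Without the filter the raw string reaches the model untouched; a plain
    // float cast (assumed stand-in for downstream handling) stops at the
    // first character it cannot read, so "1.234,5" silently becomes 1.234.
    $unfiltered = validateQty((float) $raw);
    printf("%-10s filtered=%s unfiltered=%s\n", var_export($raw, true),
        var_export($filtered, true), var_export($unfiltered, true));
}

// Where SQL injection protection actually lives: the database adapter binds
// the value as a parameter, so the quantity text never becomes SQL syntax,
// whether or not the locale filter ran. Shown with PDO and a placeholder
// table name; Magento's resource classes delegate this to Zend_Db, as the
// answer notes.
function persistQty(PDO $db, int $itemId, float $qty): int
{
    $stmt = $db->prepare('UPDATE quote_item SET qty = :qty WHERE item_id = :id');
    $stmt->execute([':qty' => $qty, ':id' => $itemId]);
    return $stmt->rowCount();
}
```

The practical consequence of the core change is wrong quantities for non-English locales (and whitespace leaking through), not an injection path; the parameter binding in the persistence layer is what keeps the quantity text out of the SQL.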

