douxian8883 2012-08-24 12:01
Views: 21
Accepted

Effect of a Magento core modification that disables cart input filtering?

I'm currently working on an already modified version of Magento (v1.6.1). The previous developers have modified app/code/core itself; what if I upgrade to 1.7? It would restore the original app/code/core, am I right? (Because I know every mod should be placed under app/code/local.)

Then I noticed, by running diff on the e-commerce site and a clean 1.6.1 installation, that the developers have applied this modification (lines marked with "<" are the original content and ">" the edited one):

diff app/code/core/Mage/Checkout/controllers/CartController.php
169c169,170
<                 $params['qty'] = $filter->filter($params['qty']);
---
>                 #$params['qty'] = $filter->filter($params['qty']);
>                 $params['qty'] = $params['qty'];
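Review bot: the new line `$params['qty'] = $params['qty'];` is a self-assignment that does nothing; if the filter call is meant to be bypassed, delete the line rather than leave dead code, and say why in a comment. The `<` line shows the quantity went through `$filter->filter(...)`, which the surrounding controller code constructs as Zend_Filter_LocalizedToNormalized (see the expanded context quoted in the answer), so after this hunk a locale-formatted value such as `1,5` reaches the model unconverted. This is also an edit to app/code/core; an override of CartController in app/code/local would survive the 1.7 upgrade the question asks about.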
311c312,313
<                 $params['qty'] = $filter->filter($params['qty']);
---
>                 #$params['qty'] = $filter->filter($params['qty']);
>                 $params['qty'] = $params['qty'];
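Review bot: same issue as the hunk at 169: the `#`-commented filter call is followed by a self-assignment with no effect, so the only behavioural change is that the quantity is no longer normalized. Remove the dead line or restore the filter call.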
383c385,386
<                         $cartData[$index]['qty'] = $filter->filter(trim($data['qty']));
---
>                         //$cartData[$index]['qty'] = $filter->filter(trim($data['qty']));
>                         $cartData[$index]['qty'] = $data['qty'];
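Review bot: besides dropping the filter, this hunk also drops `trim()`, so `$cartData[$index]['qty']` now keeps any surrounding whitespace that the original stripped before normalization; if the filter is removed deliberately, keep at least `trim($data['qty'])`. The comment marker also switches from `#` (used in the 169 and 311 hunks) to `//`; pick one style for the three disabled lines.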

As you may notice, they disabled $filter->filter and trim.

Doesn't this expose the e-store to SQL injections or similar arbitrary code execution? Is there another check that Magento performs before storing this data in the database?


1 answer

  • doulou1989 2012-08-26 16:28

    The filter functions that the previous developers removed are not used to filter input for SQL injection or other security risks. They are used for converting localized input to a standard form that can be processed regardless of locale. Here's the expanded context for the first diff:

    $filter = new Zend_Filter_LocalizedToNormalized(
        array('locale' => Mage::app()->getLocale()->getLocaleCode())
    );
    $params['qty'] = $filter->filter($params['qty']);
    

    See the Zend documentation for details on what LocalizedToNormalized does.

    Magento has built-in safeguards to prevent SQL injection by using standard database classes that filter all data before constructing a query. That logic is located in the Mage_Core_Model_Resource_* classes as well as the Zend libraries stored in /lib/Zend. As long as the previous developers didn't modify those classes, there shouldn't be additional SQL risk.

    Cross-site scripting is always a potential issue, of course, but the risk there typically lies more at the View layer (PHTML & Block classes) than at the Controller or Model layers.

    This answer was selected as the best answer by the asker.
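The answer's two points, illustrated with an added example that is not Magento or Zend code: `normalizeQty()` is a hypothetical, simplified stand-in for what Zend_Filter_LocalizedToNormalized does to a quantity string (the per-locale separator table is an assumption; Zend reads them from locale data), `rawQtyAsFloat()` shows what PHP makes of the unfiltered string the modified controller now passes on, and `storeQty()` uses a PDO prepared statement against an in-memory SQLite database as a stand-in for Magento's resource layer, where the bound value is data regardless of what it contains.

```php
<?php
// Added example, not Magento or Zend code. Hypothetical separator table:
// Zend_Filter_LocalizedToNormalized derives these from CLDR locale data.
const LOCALE_SEPARATORS = [
    'en_US' => ['decimal' => '.', 'group' => ','],
    'de_DE' => ['decimal' => ',', 'group' => '.'],
    'fr_FR' => ['decimal' => ',', 'group' => ' '],   // assumption: plain space as group separator
];

/**
 * Normalize a locale-formatted number string to "1234.5" form, as the
 * removed filter call did. Returns null when the input is not a number in
 * that locale, so a caller can reject it instead of letting PHP's loose
 * casts guess.
 */
function normalizeQty(string $input, string $locale): ?string
{
    $sep = LOCALE_SEPARATORS[$locale] ?? LOCALE_SEPARATORS['en_US'];
    $s = trim($input);
    $s = str_replace($sep['group'], '', $s);      // drop grouping separators
    $s = str_replace($sep['decimal'], '.', $s);   // locale decimal mark -> '.'
    if (!preg_match('/^-?\d+(\.\d+)?$/', $s)) {
        return null;
    }
    return $s;
}

/**
 * What the modified controller now hands to the model: the raw string.
 * PHP's numeric cast stops silently at the first non-numeric character,
 * so "1,5" becomes 1.0 rather than 1.5.
 */
function rawQtyAsFloat(string $input): float
{
    return (float) $input;
}

/**
 * Persist a quantity with a bound parameter. Whatever string reaches this
 * layer is treated as data, never as SQL; this is the safeguard the answer
 * attributes to the resource classes and lib/Zend, not to the filter.
 */
function storeQty(PDO $db, string $qty): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS cart (qty TEXT)');
    $stmt = $db->prepare('INSERT INTO cart (qty) VALUES (:qty)');
    $stmt->execute([':qty' => $qty]);
    $row = $db->query('SELECT qty FROM cart ORDER BY rowid DESC LIMIT 1');
    return (string) $row->fetchColumn();
}

// Constructed sample inputs: three locale-formatted quantities and one
// injection-shaped string, to show that the filter affects the first
// three and the prepared statement handles the fourth.
$db = new PDO('sqlite::memory:');
$samples = [
    ['1,5', 'de_DE'],
    ['1 000,25', 'fr_FR'],
    ['2.5', 'en_US'],
    ["1' OR '1'='1", 'en_US'],
];
foreach ($samples as [$in, $loc]) {
    printf("%-14s %-6s normalized=%-9s raw_cast=%-7s stored=%s\n",
        $in,
        $loc,
        var_export(normalizeQty($in, $loc), true),
        rawQtyAsFloat($in),
        storeQty($db, $in)
    );
}
```

Run with `php example.php` (needs the pdo_sqlite extension). The first two rows are the ones the modification breaks: without normalization a German "1,5" is cast to 1 and a French "1 000,25" to 1, while the injection-shaped string is rejected by the normalizer as a non-number and, even when stored raw, lands in the table as a literal string because the query was parameterized.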
