The obvious has now been tracked down: another INSERT INTO with SET. Due to the file size, I have decided to share it as an attachment rather than correcting each line, given the mass of code to edit. This definitely has to be fixed for the next release. Otherwise, a merchant owns a store without being able to manage products.
Note: This topic may change the ZIP file from time to time due to the number of bug fixes found. Simply re-uploading the files should be done in a matter of seconds.
[Edit: 12-11-2011]
- Entire OC model files (catalog and admin files) regarding SQL injections.
Attachments
Bug fixes on SQL injections.
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
Again the (+) in options does not work and the (-) works!
Am I doing something wrong? If I did something wrong nothing would work, but the (-) in options works!
Maybe you checked something in the catalog files and not in admin?
SQL injection would mean you are actually injecting SQL via some unescaped variable.
The problem is (if there is one) a bug with MySQL.
This thread is like the blind leading the blind.
OpenCart®
Project Owner & Developer.
insert into ... SET
to
insert into .... values (....)
??
Insert into --- SET is perfectly valid:
http://dev.mysql.com/doc/refman/5.5/en/insert.html
Qphoria wrote:
> I really don't understand this change. You are just changing:
> insert into ... SET
> to
> insert into .... values (....)
> ??
> Insert into --- SET is perfectly valid:
> http://dev.mysql.com/doc/refman/5.5/en/insert.html
All the details on why these changes were due are explained in my first post.
JAY6390 wrote:
> This is total bullshit. MySQL doesn't differentiate between SET and the VALUES clause, and change the content depending on which it is. Where is your documentation stating this from MySQL? In fact, any links? Also, MySQL injection has nothing to do with this.
Beg to differ. If you google this subject, numerous websites will return that INSERT INTO with SET cannot be used over auto-incremented fields, which OpenCart entirely does right now, and that is the reason why products and orders may not be created.
Granted, I did change all the insert queries, even those that do not necessarily rely on auto-incremented fields, but that injection method is supported for both, incremented or not incremented, period.
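Added example (Python with sqlite3, not OpenCart's or this thread's code; the product table, model names and prices are constructed): it shows that an auto-increment key needs no mention in the INSERT at all, and that the injection risk Qphoria describes sits in the unescaped variable, which rewriting the statement from SET to VALUES does not touch. sqlite has no INSERT ... SET, so only the VALUES form is executed here; the linked MySQL manual documents both forms as equivalent.

```python
import sqlite3

# Constructed stand-in for OpenCart's product table. product_id is AUTO_INCREMENT
# in MySQL; sqlite's INTEGER PRIMARY KEY AUTOINCREMENT behaves the same for our purpose.
SCHEMA = ("CREATE TABLE product (product_id INTEGER PRIMARY KEY AUTOINCREMENT, "
          "model TEXT NOT NULL, price REAL NOT NULL)")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_unescaped(conn, model, price):
    # The pattern the thread argues about: the variable is pasted into the SQL text.
    # Writing this as INSERT ... SET instead of INSERT ... VALUES changes nothing;
    # the defect is the unescaped value, not the clause.
    sql = "INSERT INTO product (model, price) VALUES ('%s', %s)" % (model, price)
    conn.execute(sql)
    return conn.execute("SELECT last_insert_rowid()").fetchone()[0]


def insert_parameterized(conn, model, price):
    # Hardened form: the driver sends values out-of-band, so quotes in input are data.
    cur = conn.execute("INSERT INTO product (model, price) VALUES (?, ?)", (model, price))
    return cur.lastrowid


def demo():
    conn = open_db()
    results = {}
    # Auto-increment assigns ids without product_id being named in the INSERT.
    results["first_id"] = insert_parameterized(conn, "SKU-1", 9.99)
    results["second_id"] = insert_parameterized(conn, "SKU-2", 19.99)
    # A perfectly legitimate apostrophe breaks the string-built statement...
    try:
        insert_unescaped(conn, "O'Reilly mug", 5.0)
        results["unescaped_ok"] = True
    except sqlite3.OperationalError:
        results["unescaped_ok"] = False
    # ...while the parameterized one stores it verbatim and gets the next id.
    pid = insert_parameterized(conn, "O'Reilly mug", 5.0)
    row = conn.execute("SELECT model FROM product WHERE product_id = ?", (pid,)).fetchone()
    results["third_id"] = pid
    results["stored_model"] = row[0]
    return results


if __name__ == "__main__":
    print(demo())
```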