Post by straightlight » Sun Dec 11, 2011 11:48 am

Several users have reported problems when adding products from the admin, stating that when they do, the products don't get added - including the image upload: the first time it works, but starting from the 2nd time the thumbnail is empty.

The obvious has now been tracked down: another INSERT INTO with SET. Due to the file size, I have decided to share it as an attachment rather than correcting each line, due to the mass of code to edit. This definitely has to be fixed for the next release. Otherwise, a merchant owns a store without being able to manage products.

Note: This topic's ZIP file may change from time to time due to the number of bug fixes found. Simply re-uploading the files should be done in a matter of seconds.

[Edit: 12-11-2011]
- Entire OC model files (catalog and admin files) regarding SQL injections.

Attachments

Bug fixes on SQL injections.

Last edited by straightlight on Mon Dec 12, 2011 5:07 am, edited 4 times in total.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Post by chiris » Sun Dec 11, 2011 11:44 pm

I changed those files!

Nothing changed! The same things! The - options work and the + options don't work!

I don't understand what happens!


Post by straightlight » Sun Dec 11, 2011 11:48 pm

I'm currently working on the options as we speak. Hold on. An update will come in about 10 mins.


Post by straightlight » Sun Dec 11, 2011 11:54 pm

Done. Make sure to delete the previous options and try again, noticing whether the same results come back without / with these fixes.


Post by chiris » Mon Dec 12, 2011 12:13 am

I changed all the files in Admin/model/catalog!
I deleted all the options and created them again from the start, but again nothing happened!
Again the - works and the + doesn't work!


Post by chiris » Mon Dec 12, 2011 12:26 am

Maybe you must check the files in catalog/controller/product?


Post by straightlight » Mon Dec 12, 2011 12:28 am

I'm currently patching the whole model folders for the next update. It should be ready in 30 mins or so.


Post by straightlight » Mon Dec 12, 2011 1:39 am

Done. All models under the admin have been fixed regarding new values.


Post by chiris » Mon Dec 12, 2011 1:49 am

I'll try it and I'll tell you!

Thanks for all!


Post by chiris » Mon Dec 12, 2011 1:55 am

I changed all the files and nothing!

Again the (+) in options doesn't work and the (-) works!

Am I doing something wrong? If I did something wrong, nothing would work, but the (-) in options works!

Maybe you should check something in the catalog files and not in admin?


Post by straightlight » Mon Dec 12, 2011 1:57 am

That means even though the SQL injections have now been fixed, there might be something wrong with the condition of this Ajax code from the catalog's end. Are you using a contribution for this?


Post by chiris » Mon Dec 12, 2011 2:06 am

I don't use anything!

I have sent you the URL in IM to check it online on the site! Maybe you'll understand better what happens!


Post by straightlight » Mon Dec 12, 2011 3:40 am



Post by straightlight » Mon Dec 12, 2011 5:08 am

Update from the first post. Now, all models (admin and catalog folder) have been patched for future SQL injections (including the checkout orders, which were recently reported as no results under the admin after a completed order).


Post by Daniel » Mon Dec 12, 2011 9:57 am

There is not an SQL injection problem, you clown!

SQL injection would mean you are actually injecting SQL via some unescaped variable.

The problem is (if there is one) a bug with MySQL.

This thread's like the blind leading the blind.

OpenCart®
Project Owner & Developer.


Post by Daniel » Mon Dec 12, 2011 10:00 am

In fact, all you have done is put the insert values on a different line. It's not even changed anything apart from the coding style!


Post by Qphoria » Mon Dec 12, 2011 11:02 pm

I really don't understand this change. You are just changing:
insert into ... SET
to
insert into .... values (....)
??

Insert into --- SET is perfectly valid:
http://dev.mysql.com/doc/refman/5.5/en/insert.html


Post by straightlight » Mon Dec 12, 2011 11:04 pm

Qphoria wrote:I really don't understand this change. You are just changing:
insert into ... SET
to
insert into .... values (....)
??

Insert into --- SET is perfectly valid:
http://dev.mysql.com/doc/refman/5.5/en/insert.html
All the details on why these changes were due are explained in my first post.


Post by JAY6390 » Mon Dec 12, 2011 11:13 pm

This is total bullshit. MySQL doesn't differentiate between SET and the VALUES clause and change the content depending on which it is. Where is your documentation stating this from MySQL? In fact, any links? Also, MySQL injection has nothing to do with this.


Post by straightlight » Mon Dec 12, 2011 11:18 pm

JAY6390 wrote:This is total bullshit. MySQL doesn't differentiate between SET and the VALUES clause, and change the content depending on which it is. Where is your documentation stating this from MySQL? In fact any links? Also, MySQL injection has nothing to do with this
Beg to differ. If you google this subject, numerous websites will return that INSERT INTO with SET cannot be used over auto-incremented fields, which OpenCart entirely does right now, and that is the reason why products and orders may not be created.

Granted, I did change all the insert queries, even those that do not necessarily rely on auto-incremented fields, but that injection method is supported for both - incremented / not incremented, period.

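The disagreement in the last few posts is whether MySQL's INSERT ... SET form behaves any differently from INSERT ... VALUES when the table has an AUTO_INCREMENT key. The MySQL session below is an added example, not code from the thread or from OpenCart; the demo_product table is a constructed stand-in with an OpenCart-like product_id column, not OpenCart's real schema. It shows both forms assigning generated keys identically, and that switching between them has no bearing on injection, which depends only on whether each value was escaped before it was spliced into the query text.

```sql
-- Constructed demo table (assumption: mimics an OpenCart-style product row, not the real schema).
CREATE TABLE demo_product (
  product_id INT NOT NULL AUTO_INCREMENT,
  model      VARCHAR(64) NOT NULL,
  quantity   INT NOT NULL DEFAULT 0,
  status     TINYINT(1) NOT NULL DEFAULT 0,
  PRIMARY KEY (product_id)
) ENGINE=InnoDB;

-- Form 1: INSERT ... SET, the syntax the thread claims cannot be used with an
-- auto-incremented key. The key column is simply omitted and MySQL generates it.
INSERT INTO demo_product SET model = 'SKU-001', quantity = 5, status = 1;
SELECT LAST_INSERT_ID() AS id_after_set_form;

-- Form 2: INSERT ... (columns) VALUES (...), the syntax the patch switched to.
-- Same row shape, same key generation.
INSERT INTO demo_product (model, quantity, status) VALUES ('SKU-002', 7, 1);
SELECT LAST_INSERT_ID() AS id_after_values_form;

-- Form 1 again, this time naming the key column explicitly with NULL;
-- MySQL still generates the next value for a NOT NULL AUTO_INCREMENT column.
INSERT INTO demo_product SET product_id = NULL, model = 'SKU-003', quantity = 2, status = 0;
SELECT LAST_INSERT_ID() AS id_after_set_form_with_null_key;

-- All three rows carry generated, consecutive keys regardless of the INSERT form used.
SELECT product_id, model, quantity, status FROM demo_product ORDER BY product_id;

-- Injection is orthogonal to the clause style: a value that arrives already
-- containing a quote is only safe if the application escaped it first.
-- Escaped with the MySQL backslash convention, this is a literal model string, not SQL.
INSERT INTO demo_product SET model = 'O\'Reilly 2012', quantity = 1, status = 1;
INSERT INTO demo_product (model, quantity, status) VALUES ('O\'Reilly 2012', 1, 1);
SELECT COUNT(*) AS rows_with_quoted_model FROM demo_product WHERE model = 'O''Reilly 2012';

DROP TABLE demo_product;
```

Running this against any MySQL 5.x or 8.x server produces ids 1, 2 and 3 from the three SELECT LAST_INSERT_ID() calls, and the final count is 2, because both forms stored the escaped string verbatim.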