How secure virtuemart latest version in terms of sql injection

Started by myplace2100, May 20, 2014, 23:41:59 PM

Previous topic - Next topic

myplace2100

I was examining vm version 2.6.0a codes about how it handles security risks like sql injection as previous version like 2.0.22 was not secured. In administrator side model "orders.php" file this function gets order by id and pass -
public function getOrderIdByOrderPass($orderNumber,$orderPass){
      $db = JFactory::getDBO();
      $q = 'SELECT `virtuemart_order_id` FROM `#__virtuemart_orders` WHERE `order_pass`="'.$db->getEscaped($orderPass).'" AND `order_number`="'.$db->getEscaped($orderNumber).'"';
.......................
   }

Although $db->getEscaped() was used to check variable in url instead $db->quote(), but they did not verify the max length of the variable string like order_pass. Could a hacker still put another sql statement to harm database or do such kinds of attacks?? and does vm latest versions checked all these things about sql injection attacks?
joomla & wordpress extension developer

balai

I agree that $db->quote is better than $db->escape ($db->getEscaped() is deprecated) because it calls the escape internally and also quotes the output.
But i don't think that there is any risk.

$db->escape is calling the php's mysql_real_escape_string
http://php.net/mysql_real_escape_string

Which escapes any dangerous character.
Actually $db->escape is doing the dirty job in both cases